Unable to Configure Multiple Backends on the Same Port in TCP CRD

[Raj-prateek]

We are experiencing an issue with the TCP Custom Resource Definition (CRD) in HAProxy. Specifically, we are unable to configure multiple backends on the same port. This functionality is crucial for our use case where we need to route traffic to different backends based on specific criteria (e.g., SNI).

What we want?

global
    log stdout format raw local0
    maxconn 2000

defaults
    log global
    mode tcp
    option tcplog
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend ft_tcp
    bind *:8000
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    acl host_backend1 req_ssl_sni -i backend1.example.com
    acl host_backend2 req_ssl_sni -i backend2.example.com

    use_backend bk_tcp_backend1 if host_backend1
    use_backend bk_tcp_backend2 if host_backend2

backend bk_tcp_backend1
    mode tcp
    option independent_streams
    timeout tunnel 1h
    server srv1 10.0.0.1:443 check
    server srv2 10.0.0.2:443 check

backend bk_tcp_backend2
    mode tcp
    option independent_streams
    timeout tunnel 30m
    server srv1 10.0.0.3:443 check
    server srv2 10.0.0.4:443 check

But current tcp crd configuration are stricly binded to 1 service which is making it impossible to do the change.

apiVersion: ingress.v1.haproxy.org/v1
kind: TCP
metadata:
  name: example-service1-tcp
spec:
  - name: example-tcp
    frontend:
      name: example-frontend
      binds:
        - name: bind1
          port: 8000
    service:
      name: example-service1
      port: 3000

Can you please suggest any example?

[oktalz]

hi @Raj-prateek

Can you please suggest any example?

no, not at the moment, TCP CRD is tied to one service per port.

its not done due to some limitation, but more that we started with what you could do tcp configmap option plus some issues and PRs that were open to extend it.

In general, yes, it seems that we could expand it add support for your use case.

I added enhancement label so we can discuss it, this is definitely a valid use case

[Raj-prateek]

Hello @oktalz
1 more question related to new TCP CRD. Is that possible to add strict TCP configuration lookup.

I will give you an example:
We have 2 haproxy pointing to 2 different apps. We are merging 2 apps into 1 and now its an issue. As new haproxy, will look into the same namespace and how can we make it differentaiting ? and let h1 to handle tcp config from tcp1 and h2 from tcp2 in the same namespace.

[clement0210]

Hello @oktalz,

Any feedback on the last message posted from @Raj-prateek? I have the same requirement in my side

[oktalz]

We have 2 haproxy pointing to 2 different apps. We are merging 2 apps into 1 and now its an issue. As new haproxy, will look into the same namespace and how can we make it differentaiting ? and let h1 to handle tcp config from tcp1 and h2 from tcp2 in the same namespace.

@Raj-prateek , @clement0210 we can add ingress class to tcp resource, that would use same behavior as for ingress objects.
would that be OK?

[Raj-prateek]

Yes this will work 👍🏽 @oktalz.

[Raj-prateek]

Hi @oktalz
Can you please provide us an ETA when the above enhancement will be delivered?

[oktalz]

@Raj-prateek we are working on it, but no ETA
it is planned to be implemented relatively soon. (I know it vague answer but its best one i can provide now)

[Raj-prateek]

Any update on the above request @oktalz ?

[hdurand0710]

@Raj-prateek
MRs have been merged and it will be available in the next 3.0 release.