feature(haproxy): add haproxy-ingress concurrently with nginx during migration

2026-05-06 00:17:27 +00:00 · 2026-04-15 11:14:59 +02:00
parent b7b5f2e74e
commit 2af0f825ea
7 changed files with 125 additions and 3 deletions
--- a/charts/wonderwall-forward-auth/templates/ingress.yaml
+++ b/charts/wonderwall-forward-auth/templates/ingress.yaml
@@ -3,6 +3,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  annotations:
+    # nginx-specific; ignored by HAProxy. Remove when nginx is decommissioned.
    nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
    nginx.ingress.kubernetes.io/enable-global-auth: "false"
  labels:
@@ -21,3 +22,30 @@ spec:
                  number: 80
            path: /
            pathType: ImplementationSpecific
+{{- range .Values.additionalIngressClassNames }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
+    nginx.ingress.kubernetes.io/enable-global-auth: "false"
+    prometheus.io/path: /oauth2/ping
+    prometheus.io/scrape: "true"
+  labels:
+    {{- include "wonderwall-forward-auth.labels" $ | nindent 4 }}
+  name: {{ include "wonderwall-forward-auth.fullname" $ }}-{{ . }}
+spec:
+  ingressClassName: {{ . }}
+  rules:
+    - host: {{ $.Values.sso.domain }}
+      http:
+        paths:
+          - backend:
+              service:
+                name: {{ include "wonderwall-forward-auth.fullname" $ }}
+                port:
+                  number: 80
+            path: /
+            pathType: ImplementationSpecific
+{{- end }}
--- a/charts/wonderwall-forward-auth/templates/networkpolicy.yaml
+++ b/charts/wonderwall-forward-auth/templates/networkpolicy.yaml
@@ -28,6 +28,15 @@ spec:
          podSelector:
            matchLabels:
              nais.io/ingressClass: {{ .Values.ingressClassName }}
+    {{- range .Values.additionalIngressClassNames }}
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: nais-system
+          podSelector:
+            matchLabels:
+              nais.io/ingressClass: {{ . }}
+    {{- end }}
  podSelector:
    matchLabels:
      {{- include "wonderwall-forward-auth.selectorLabels" . | nindent 6 }}
--- a/charts/wonderwall-forward-auth/values.yaml
+++ b/charts/wonderwall-forward-auth/values.yaml
@@ -22,7 +22,11 @@ replicas:
  max: 4
 podDisruptionBudget:
  maxUnavailable: 1
-ingressClassName: nais-ingress-fa
+ingressClassName: external-fa-haproxy
+# Additional ingress class names for dual-controller operation during nginx-to-HAProxy migration.
+# Remove when nginx is decommissioned.
+additionalIngressClassNames:
+  - nais-ingress-fa
 otel:
  endpoint: http://opentelemetry-management-collector.nais-system:4317

--- a/charts/wonderwall/templates/fa-ingress.yaml
+++ b/charts/wonderwall/templates/fa-ingress.yaml
@@ -3,6 +3,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  annotations:
+    # nginx-specific; ignored by HAProxy. Remove when nginx is decommissioned.
    nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
    nginx.ingress.kubernetes.io/enable-global-auth: "false"
    prometheus.io/path: /oauth2/ping
@@ -23,4 +24,31 @@ spec:
                  number: 80
            path: /
            pathType: ImplementationSpecific
+{{- range .Values.azure.forwardAuth.additionalIngressClassNames }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
+    nginx.ingress.kubernetes.io/enable-global-auth: "false"
+    prometheus.io/path: /oauth2/ping
+    prometheus.io/scrape: "true"
+  labels:
+    {{- include "wonderwall.labelsForwardAuth" $ | nindent 4 }}
+  name: {{ include "wonderwall.fullname" $ }}-fa-{{ . }}
+spec:
+  ingressClassName: {{ . }}
+  rules:
+    - host: {{ $.Values.azure.forwardAuth.ssoDomain }}
+      http:
+        paths:
+          - backend:
+              service:
+                name: {{ include "wonderwall.fullname" $ }}-fa
+                port:
+                  number: 80
+            path: /
+            pathType: ImplementationSpecific
+{{- end }}
 {{- end }}
--- a/charts/wonderwall/templates/idporten-ingress.yaml
+++ b/charts/wonderwall/templates/idporten-ingress.yaml
@@ -3,6 +3,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  annotations:
+    # nginx-specific; ignored by HAProxy. Remove when nginx is decommissioned.
    nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
    prometheus.io/path: /oauth2/ping
    prometheus.io/scrape: "true"
@@ -22,4 +23,30 @@ spec:
                  number: 80
            path: /
            pathType: ImplementationSpecific
+{{- range .Values.idporten.additionalIngressClassNames }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
+    prometheus.io/path: /oauth2/ping
+    prometheus.io/scrape: "true"
+  labels:
+    {{- include "wonderwall.labelsIdporten" $ | nindent 4 }}
+  name: {{ include "wonderwall.fullname" $ }}-idporten-{{ . }}
+spec:
+  ingressClassName: {{ . }}
+  rules:
+    - host: {{ $.Values.idporten.ssoServerHost }}
+      http:
+        paths:
+          - backend:
+              service:
+                name: {{ include "wonderwall.fullname" $ }}-idporten
+                port:
+                  number: 80
+            path: /
+            pathType: ImplementationSpecific
+{{- end }}
 {{ end }}
--- a/charts/wonderwall/templates/networkpolicy.yaml
+++ b/charts/wonderwall/templates/networkpolicy.yaml
@@ -44,6 +44,15 @@ spec:
          podSelector:
            matchLabels:
              nais.io/ingressClass: {{ .Values.azure.forwardAuth.ingressClassName }}
+    {{- range .Values.azure.forwardAuth.additionalIngressClassNames }}
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: nais-system
+          podSelector:
+            matchLabels:
+              nais.io/ingressClass: {{ . }}
+    {{- end }}
    - from:
        - namespaceSelector:
            matchLabels:
@@ -51,6 +60,15 @@ spec:
          podSelector:
            matchLabels:
              nais.io/ingressClass: {{ .Values.idporten.ingressClassName }}
+    {{- range .Values.idporten.additionalIngressClassNames }}
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: nais-system
+          podSelector:
+            matchLabels:
+              nais.io/ingressClass: {{ . }}
+    {{- end }}
    - from:
        - namespaceSelector:
            matchLabels:
--- a/charts/wonderwall/values.yaml
+++ b/charts/wonderwall/values.yaml
@@ -26,7 +26,11 @@ azure:
    replicasMin: 2
    replicasMax: 4
    clientSecretName: azure-sso-server
-    ingressClassName: nais-ingress-fa
+    ingressClassName: external-fa-haproxy
+    # Additional ingress class names for dual-controller operation during nginx-to-HAProxy migration.
+    # Remove when nginx is decommissioned.
+    additionalIngressClassNames:
+      - nais-ingress-fa
    # 256 bits key, in standard base64 encoding
    sessionCookieEncryptionKey:
    sessionCookieName: forwardauth
@@ -40,7 +44,11 @@ idporten:
  clientAccessTokenLifetime: 3600
  clientSessionLifetime: 21600
  clientSecretName: idporten-sso-server
-  ingressClassName: nais-ingress-external
+  ingressClassName: external-haproxy
+  # Additional ingress class names for dual-controller operation during nginx-to-HAProxy migration.
+  # Remove when nginx is decommissioned.
+  additionalIngressClassNames:
+    - nais-ingress-external
  openidAcrValues: idporten-loa-high
  openidLocale: nb
  openidPostLogoutRedirectURL: