Merged
11 changes: 6 additions & 5 deletions README.md
@@ -7,7 +7,7 @@ Designed for a GitOps workflow where infrastructure operators commit `haproxy.cf
## Architecture

```
┌─────────────────────────┐ poll / webhook ┌──────────────────────┐
┌─────────────────────────┐ poll ┌──────────────────────┐
│ GitHub Repo │◄────────────────────│ FluxCD │
│ (haproxy.cfg) │ GitRepository │ (K8s cluster) │
└─────────────────────────┘ │ Kustomization │
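Review bot: Shortening the arrow label from `poll / webhook` to `poll` changes the width of that row, so check that the right-hand `FluxCD` box edge still lines up with the rows below it when the README is rendered; the rest of the diagram is unchanged and the new wording matches the Features bullet that now describes Flux as polling Git.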
@@ -30,10 +30,11 @@ Designed for a GitOps workflow where infrastructure operators commit `haproxy.cf

## Features

- **GitOps-native**: FluxCD handles Git polling, webhooks, and Secret synchronization
- **GitOps-native**: FluxCD polls Git and syncs haproxy.cfg into a Kubernetes Secret
- **One-way architecture**: Clusters are not publicly accessible — Flux pulls from GitHub; no direct cluster-to-external communication is required
- **Config validation**: Pre-validates `haproxy.cfg` via the Dataplane API `only_validate` endpoint before applying
- **SPIFFE/SPIRE mTLS**: Automatic workload identity and certificate rotation between K8s and the bare-metal load balancer
- **Vault integration**: VSO (Vault Secrets Operator) for PKI certificate issuance and credential syncing
- **Static TLS**: Alternative to SPIRE — mount cert files from a pre-provisioned Secret
- **Environment promotion**: `latest` (dev) → `stable` (production) using Flux Kustomize overlays
- **Kubernetes Events**: Accept/reject status emitted as Events on the config Secret for observability
- **Leader election**: Safe multi-replica deployment with controller-runtime leader election
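Review bot: The `**Vault integration**: VSO (Vault Secrets Operator) for PKI certificate issuance and credential syncing` bullet is still present in this hunk next to the new `**Static TLS**` bullet, yet the PR deletes `vault-pki.yaml`, `vault-static.yaml` and the `vault:` values block; drop that bullet (or, if it is the removed line here, confirm nothing else in the README still advertises VSO) so the feature list does not promise certificate issuance and rotation the chart no longer provides.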
@@ -79,9 +80,9 @@ See `charts/haproxy-operator/values.yaml` for the full set of Helm values.

When SPIRE is enabled (`spire.enabled=true`), the operator obtains X.509 SVIDs from the local SPIRE Agent for mTLS with the Dataplane API. No manual certificate distribution required — both the operator pod and the HAProxy host authenticate via their SPIFFE identities.

### Vault PKI (via VSO)
### Static TLS Certificates

When Vault is enabled (`vault.enabled=true`), the Helm chart creates VSO `VaultPKISecret` CRs that issue and auto-rotate TLS certificates from the `pki-sica-v2` intermediate CA.
When SPIRE is not enabled, the operator mounts TLS certificates from a Kubernetes Secret (`haproxy-operator-tls`). Pre-provision this Secret with `ca.crt`, `tls.crt`, and `tls.key` for mTLS communication with the Dataplane API.

## Project Structure

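Review bot: The new Static TLS section should state that, unlike the VSO path it replaces, the operator does not rotate these certificates, so the expiry of `tls.crt` in `haproxy-operator-tls` has to be tracked and the Secret re-issued out of band; it should also say that `ca.crt` must be the CA that signed the Dataplane API server certificate, because `dataplane.insecure` stays `false` and the client will otherwise fail the TLS handshake. Mentioning that the Secret name is fixed (it is hardcoded in `deployment.yaml`, not a Helm value) would save users from looking for a value to override.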
4 changes: 0 additions & 4 deletions charts/haproxy-operator/templates/deployment.yaml
@@ -100,11 +100,7 @@ spec:
{{- if not .Values.spire.enabled }}
- name: tls
secret:
{{- if .Values.vault.enabled }}
secretName: {{ .Values.vault.pki.secretName }}
{{- else }}
secretName: haproxy-operator-tls
{{- end }}
{{- end }}
{{- if .Values.spire.enabled }}
- name: spire-agent-socket
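Review bot: With the `.Values.vault.enabled` branch gone, `secretName: haproxy-operator-tls` is now hardcoded in the template; consider exposing it as a value (for example a `tls.secretName` key, which the chart does not have today) so operators who issue certificates into a differently named Secret do not have to fork the template. Keeping the volume non-optional is right, since a missing Secret stops the pod from starting instead of letting the operator run without a client certificate.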
23 changes: 0 additions & 23 deletions charts/haproxy-operator/templates/vault-pki.yaml

This file was deleted.

19 changes: 0 additions & 19 deletions charts/haproxy-operator/templates/vault-static.yaml

This file was deleted.

21 changes: 1 addition & 20 deletions charts/haproxy-operator/values.yaml
@@ -22,7 +22,7 @@ secretKey: haproxy.cfg
dataplane:
url: "https://haproxy:5555/v3"
insecure: false
# Paths inside the pod where certs are mounted (by VSO or SPIRE).
# Paths inside the pod where static TLS certs are mounted (used when SPIRE is disabled).
caCertPath: /etc/haproxy-operator/tls/ca.crt
clientCertPath: /etc/haproxy-operator/tls/tls.crt
clientKeyPath: /etc/haproxy-operator/tls/tls.key
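Review bot: Since the Secret backing these paths is no longer configurable, the comment above `caCertPath` / `clientCertPath` / `clientKeyPath` could name it (`haproxy-operator-tls`) and list the expected keys (`ca.crt`, `tls.crt`, `tls.key`) so that values.yaml matches the README's Static TLS section.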
@@ -38,25 +38,6 @@ spire:
enabled: false
socketPath: "unix:///run/spire/agent.sock"

# Vault Secrets Operator (VSO) integration.
# Creates VaultStaticSecret / VaultPKISecret CRs that sync certs into K8s Secrets.
vault:
enabled: false
# VaultAuth CR name (created by flux-fleet base manifests).
authRef: vault-auth
pki:
mount: pki-sica-v2
role: pki
commonName: haproxy-operator.tlu.bcit.ca
ttl: 72h
# Secret name where VSO writes the issued certificate.
secretName: haproxy-operator-tls
static:
# For Dataplane API basic-auth credentials stored in Vault KV.
enabled: false
mount: tlu-infrastructure
path: haproxy-operator/dataplane-credentials
secretName: haproxy-operator-dataplane-auth

leaderElection:
enabled: true
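Review bot: Removing the `vault.static` block also removes the only documented source of the Dataplane API basic-auth credentials (the `haproxy-operator-dataplane-auth` Secret synced from the `haproxy-operator/dataplane-credentials` KV path); confirm the chart still offers a way to supply those credentials, or document that authentication to the Dataplane API is mTLS-only via SPIRE or the static Secret. Dropping `vault:` is a breaking change for anyone running with `vault.enabled=true`, and this PR does not touch `Chart.yaml`, so a chart version bump and an upgrade note in the README or changelog are warranted.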