Secure backends parameters cause a SIGSEGV #1073

Closed
hkmo99 opened this issue Jan 27, 2024 · 3 comments

hkmo99 commented Jan 27, 2024

Description of the problem

Adding secure backends parameters causes a SIGSEGV: segmentation violation. Is there a fix or workaround for this issue?

Logs

I0127 03:39:22.152006       7 launch.go:343]
Name:       HAProxy
Release:    v0.14.5
Build:      git-7e2c578
Repository: https://github.com/jcmoraisjr/haproxy-ingress
I0127 03:39:22.152195       7 launch.go:347] watching for ingress resources with 'kubernetes.io/ingress.class' annotation: haproxy
I0127 03:39:22.152213       7 launch.go:354] watching for ingress resources with IngressClass' controller name: haproxy-ingress.github.io/controller
I0127 03:39:22.152229       7 launch.go:359] ignoring ingress resources without any class reference - --watch-ingress-without-class is false
I0127 03:39:22.152244       7 launch.go:371] watching for Gateway API resources - --watch-gateway is true
I0127 03:39:22.152262       7 launch.go:385] running embedded haproxy, mode is daemon
I0127 03:39:22.152281       7 launch.go:389] watching endpointslices - --enable-endpointslices-api is true
I0127 03:39:22.152923       7 launch.go:780] Creating API client for https://10.96.0.1:443
I0127 03:39:22.166259       7 launch.go:800] Running in Kubernetes Cluster version v1.27 (v1.27.4) - git (clean) commit fa3d7990104d7c1f16943a67f11b154b71f6a132 - platform linux/amd64
I0127 03:39:22.179037       7 launch.go:416] watching for global config options from configmap 'ingress-controller/haproxy-ingress' - --configmap was defined
I0127 03:39:22.184317       7 launch.go:521] using 2 distinct annotations prefix, with the following precedence: haproxy-ingress.github.io, ingress.kubernetes.io
W0127 03:39:22.195386       7 listers.go:170] gateway API 'networking.x-k8s.io/v1alpha1' was not found, skipping
W0127 03:39:22.198422       7 listers.go:183] watching 'gateway.networking.k8s.io/v1alpha2'
I0127 03:39:22.842507       7 listers.go:214] loading object cache...
W0127 03:39:22.857796       7 cache.go:805] error reading GatewayClass v1alpha2 'haproxy': gatewayclass.gateway.networking.k8s.io "haproxy" not found
I0127 03:39:23.150580       7 listers.go:284] cache successfully synced
I0127 03:39:23.150605       7 controller.go:87] HAProxy Ingress successfully initialized
I0127 03:39:23.150648       7 controller.go:339] starting haproxy update id=1
I0127 03:39:23.150885       7 leaderelection.go:248] attempting to acquire leader lease ingress-controller/ingress-controller-leader-haproxy...
I0127 03:39:23.151046       7 status.go:132] skipping Ingress status update (I am not the current leader)
I0127 03:39:23.152777       7 converters.go:67] applying 24 change notifications: [update/global add/IngressClass:haproxy add/GatewayClass:haproxy add/HTTPRoute:default/httpbin-service1-vs-cluster-1-httproute update/Endpoints:default/httpbin-service1-vs-cluster-1-proxy update/Endpoints:default/httpbin-service1-vs-cluster-1-proxy update/Endpoints:default/kubernetes update/Endpoints:ingress-controller/haproxy-ingress update/Endpoints:kube-system/kube-dns add/Service:default/httpbin-service1-vs-cluster-1-proxy add/Service:default/kubernetes add/Service:ingress-controller/haproxy-ingress add/Service:kube-system/kube-dns add/Secret:default/haproxy-tls-secret add/Secret:ingress-controller/ca-secret add/Secret:ingress-controller/sh.helm.release.v1.haproxy-ingress.v1 add/Secret:ingress-controller/sh.helm.release.v1.haproxy-ingress.v2 add/Secret:ingress-controller/sh.helm.release.v1.haproxy-ingress.v3 add/Secret:ingress-controller/sh.helm.release.v1.haproxy-ingress.v4 add/Secret:ingress-controller/sh.helm.release.v1.haproxy-ingress.v5 add/Secret:ingress-controller/sh.helm.release.v1.haproxy-ingress.v6 add/ConfigMap:ingress-controller/haproxy-ingress add/ConfigMap:ingress-controller/ingress-controller-leader-haproxy add/ConfigMap:ingress-controller/kube-root-ca.crt]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x1570a14]

goroutine 186 [running]:
github.com/jcmoraisjr/haproxy-ingress/pkg/converters/ingress/annotations.(*updater).buildBackendProtocol(0xc0003c9680, 0xc00076b7c8)
        /src/pkg/converters/ingress/annotations/backend.go:839 +0xa74
github.com/jcmoraisjr/haproxy-ingress/pkg/converters/ingress/annotations.(*updater).UpdateBackendConfig(0x0?, 0xc0003a8000, 0xc000016c30)
        /src/pkg/converters/ingress/annotations/updater.go:249 +0x214
github.com/jcmoraisjr/haproxy-ingress/pkg/converters/ingress.(*converter).ReadAnnotations(0xc000692b40, 0xc0002e7440?, {0xc0003062d8, 0x1, 0x1?}, {0xc000016270, 0x1, 0x10?})
        /src/pkg/converters/ingress/ingress.go:118 +0x21c
github.com/jcmoraisjr/haproxy-ingress/pkg/converters/gateway.(*converter).syncHTTPRouteGateway(0xc00076be00, 0xc0002e6de0, 0xc0002ce000, 0xc0002e7440, 0xc00076bbf8?, 0x0)
        /src/pkg/converters/gateway/gateway.go:189 +0x63a
github.com/jcmoraisjr/haproxy-ingress/pkg/converters/gateway.(*converter).syncHTTPRoute(0xc00076be00, 0x1?, 0xc0002ce000)
        /src/pkg/converters/gateway/gateway.go:160 +0x40f
github.com/jcmoraisjr/haproxy-ingress/pkg/converters/gateway.(*converter).Sync(0xc00076be00, 0x18?)
        /src/pkg/converters/gateway/gateway.go:91 +0x1b4
github.com/jcmoraisjr/haproxy-ingress/pkg/converters.(*converters).Sync(0xc00076bf08)
        /src/pkg/converters/converters.go:76 +0x591
github.com/jcmoraisjr/haproxy-ingress/pkg/controller.(*HAProxyController).syncIngress(0xc0002aacc0, {0x0?, 0x3fe0000000000000?})
        /src/pkg/controller/controller.go:342 +0x23c
github.com/jcmoraisjr/haproxy-ingress/pkg/utils.(*queue).Run(0xc0000baba0)
        /src/pkg/utils/queue.go:143 +0x182
created by github.com/jcmoraisjr/haproxy-ingress/pkg/controller.(*HAProxyController).startServices
        /src/pkg/controller/controller.go:182 +0xaa

Expected behavior

Those parameters should properly generate the backend servers with the SSL options like below:

 server srv002 192.168.76.2:31590 weight 128 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets check-ssl inter 2s ssl verify required ca-file /etc/ssl/certs/rootCA.crt sni req.hdr(host)

Steps to reproduce the problem

  1. kubectl edit ConfigMap "haproxy-ingress" -n ingress-controller
     ## Add the following parameters
     secure-backends: "true"
     secure-sni: "host"
     secure-verify-ca-secret: "ca-secret"
  2. Save
  3. Logs
     kubectl logs $(kubectl get pods -n ingress-controller -o=jsonpath='{.items[0].metadata.name}') -n ingress-controller

Environment information

HAProxy Ingress version: v0.14.5

Global options

kubectl edit ConfigMap "haproxy-ingress" -n ingress-controller

apiVersion: v1
data:
  healthz-port: "10253"
  http-port: "80"
  https-port: "443"
  secure-backends: "true"
  secure-sni: "host"
  secure-verify-ca-secret: "ca-secret"
  ssl-redirect: "false"
  stats-port: "1936"
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: haproxy-ingress
    meta.helm.sh/release-namespace: ingress-controller
  labels:
    app.kubernetes.io/instance: haproxy-ingress
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: haproxy-ingress
    app.kubernetes.io/version: v0.14.5
    helm.sh/chart: haproxy-ingress-0.14.5
  name: haproxy-ingress
  namespace: ingress-controller

kubectl get secret ca-secret -n ingress-controller -o yaml

apiVersion: v1
data:
  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNDVENDQWErZ0F3SUJBZ0lVWlkrTkhpUmx4YzFaYTBQMk9hRm9LK2VwODZZd0NnkRFVQpNQklHQTF****
kind: Secret
metadata:
  name: ca-secret
  namespace: ingress-controller
type: Opaque

This issue got stale and will be closed in 7 days.

@jcmoraisjr
Owner

Hi, thanks for all the reports; I'm already taking care of them.

Regarding the SIGSEGV in this issue, it happens because the secure-related config keys were not designed to be used as global; the controller is crashing when trying to read the namespace of the secret. In the meantime, you can address this by using these configs in the ingress or the service resource instead, as annotations.
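
The workaround described in the comment above, written out as an added example (not part of the issue thread or the project's documentation): the three secure-* keys are dropped from the global ConfigMap and set as annotations on the backend Service instead. The annotation prefix and the Service name are taken from the log output in the report; a `ca-secret` reachable from the Service's namespace is an assumption.

```yaml
# Global ConfigMap from the report with the three secure-* keys removed.
# Setting them here is what triggers the nil pointer dereference in v0.14.5.
apiVersion: v1
kind: ConfigMap
metadata:
  name: haproxy-ingress
  namespace: ingress-controller
data:
  healthz-port: "10253"
  http-port: "80"
  https-port: "443"
  ssl-redirect: "false"
  stats-port: "1936"
---
# Metadata fragment for the backend Service named in the log output.
# The same keys are applied as annotations, using the first annotation
# prefix the controller reports at startup (haproxy-ingress.github.io).
apiVersion: v1
kind: Service
metadata:
  name: httpbin-service1-vs-cluster-1-proxy
  namespace: default
  annotations:
    haproxy-ingress.github.io/secure-backends: "true"
    haproxy-ingress.github.io/secure-sni: "host"
    # Assumption: a secret named ca-secret holding ca.crt exists in this
    # Service's namespace. The report's secret lives in ingress-controller.
    haproxy-ingress.github.io/secure-verify-ca-secret: "ca-secret"
# spec: left unchanged (ports and selector are not shown in the report)
```

After the controller reloads, the generated `server` line for this backend should carry `ssl verify required ca-file ...` as in the expected output quoted in the report; a backend without those options is being reached without certificate verification.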

@jcmoraisjr
Owner

The fix was already merged and will be available in the next v0.12, v0.13, v0.14 and v0.15 versions.
