minor cleanups, support for sni based routing in certain scenarios

Signed-off-by: Travis Glenn Hansen <[email protected]>

Author: travisghansen

src/KubernetesPfSenseController/Plugin/CommonTrait.php

@@ -101,6 +101,7 @@ private function getWatchCallback($stateKey, $options = [])
 
             $key = $stateKey;
             $items = &$this->state[$key];
+            $oldItem = null;
 
             $item = $event['object'];
             unset($item['kind']);

src/KubernetesPfSenseController/Plugin/DNSHAProxyIngressProxy.php

@@ -147,8 +147,14 @@ public function doAction()
         $managedHosts = $store['managed_hosts'] ?? [];
 
         foreach ($managedFrontends as $frontendName => $frontendDetails) {
-            $primaryFrontendName = $haProxyConfig->getFrontend($frontendName)['primary_frontend'];
-            $hostName = $pluginConfig['frontends'][$primaryFrontendName]['hostname'];
+            $primaryFrontendName = $haProxyConfig->getFrontend($frontendName)['primary_frontend'] ?? null;
+            if (empty($primaryFrontendName)) {
+                continue;
+            }
+            $hostName = $pluginConfig['frontends'][$primaryFrontendName]['hostname'] ?? null;
+            if (empty($hostName)) {
+                continue;
+            }
 
             $ingress = KubernetesUtils::getResourceByNamespaceName($this->state['ingresses'], $frontendDetails['resource']['namespace'], $frontendDetails['resource']['name']);
             if (!empty($ingress)) {

src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php

@@ -177,6 +177,31 @@ public function doAction()
                 continue;
             }
 
+            // get the type of the shared frontend
+            // NOTE the below do NOT correlate 100% with what is shown on the 'type' column of the 'frontends' tab.
+            // 'https' for example is actually http + ssl offloading checked
+            /*
+            <option value="http">http / https(offloading)</option>
+            <option value="https">ssl / https(TCP mode)</option>
+            <option value="tcp">tcp</option>
+            */
+
+            /**
+             * http - can do l7 rules such as headers, path, etc
+             * https - can only do sni rules
+             * tcp - cannot be used with this application
+             */
+            $sharedFrontend = $haProxyConfig->getFrontend($sharedFrontendName);
+            switch ($sharedFrontend['type']) {
+                case "http":
+                case "https":
+                    // move along
+                    break;
+                default:
+                    $this->log("WARN ${sharedFrontendName} is not a supported type");
+                    continue 2;
+            }
+
             if (!$haProxyConfig->frontendExists($sharedFrontendName)) {
                 if (!in_array($sharedFrontendName, $frontendWarning)) {
                     //$frontendWarning[] = $sharedFrontendName;
@@ -217,7 +242,7 @@ public function doAction()
                     //$serviceName = $path['backend']['serviceName'];
                     //$servicePort = $path['backend']['servicePort'];
 
-                    $path = $path['path'];
+                    $path = $path['path'] ?? "";
                     if (empty($path)) {
                         $path = '/';
                     }
@@ -226,9 +251,27 @@ public function doAction()
                     $acl = [];
                     $acl['name'] = $aclName;
                     $acl['expression'] = 'custom';
-                    $acl['value'] = "hdr(host) -i ${host} path_beg -i ${path}";
-
-                    $frontend['ha_acls']['item'][] = $acl;
+                    // alter this based on shared frontend type
+                    // if tcp/ssl then do sni-based rule
+                    // https://stackoverflow.com/questions/33085240/haproxy-sni-vs-http-host-acl-check-performance
+                    // req_ssl_sni (types https and tcp both equate to type tcp in the haproxy config), type tcp requires this variant
+                    // ssl_fc_sni (this can be used only with type http)
+                    switch ($sharedFrontend['type']) {
+                        case "http":
+                            $acl['value'] = "hdr(host) -i ${host} path_beg -i ${path}";
+                            $frontend['ha_acls']['item'][] = $acl;
+                            break;
+                        case "https":
+                            $this->log("WARN unexpected behavior may occur when using a shared frontend of type https, path-based routing will not work and ssl offloading must be enabled");
+                            $acl['value'] = "req_ssl_sni -i ${host}";
+                            $frontend['ha_acls']['item'][] = $acl;
+                            break;
+                        default:
+                            // should never get here based on checks above, but just in case
+                            $this->log("WARN unsupported shared frontend type: ".$sharedFrontend['type']);
+                            continue 3;
+                            break;
+                    }
                 }
 
                 // new action (tied to acl)

src/KubernetesPfSenseController/Plugin/KubernetesUtils.php

@@ -193,7 +193,7 @@ public static function putListItem(&$list, $item)
      */
     public static function getServiceIp($service)
     {
-        return $service['status']['loadBalancer']['ingress'][0]['ip'];
+        return $service['status']['loadBalancer']['ingress'][0]['ip'] ?? null;
     }
 
     /**

src/KubernetesPfSenseController/Plugin/MetalLB.php

@@ -104,7 +104,7 @@ public function postReadWatches()
      */
     public function doAction()
     {
-        $metalConfig = $this->state['metallb-config'];
+        $metalConfig = $this->state['metallb-config'] ?? [];
         $pluginConfig = $this->getConfig();
 
         if (empty($metalConfig)) {