TCP CRD: Enable multiple backends on the same frontend port by allowing backend-only TCP objects #718

Open
@cfabriziohivemq

This is more of a feature request than an issue. I would like the ability to create a backend using the TCP CRD without requiring a frontend. This would allow a scenario where one listener on a specific port can serve multiple backends.

Example
Consider broker traffic served on the MQTTS port 8883:

apiVersion: ingress.v1.haproxy.org/v1
kind: TCP
metadata:
  name: broker01-service-tcp
  annotations:
    ingress.class: haproxy
spec:
  - name: broker01-tcp
    frontend:
      name: broker01-frontend
      tcplog: true
      clitcpka: enabled
      tcp_request_rule_list:
        - type: inspect-delay
          timeout: 5000
          index: 0
        - cond: if
          cond_test: "{ req_ssl_hello_type 1 }"
          action: accept
          type: content
          index: 1
      backend_switching_rule_list:
        - cond: if
          cond_test: "{ req_ssl_sni -i broker01.example.com }"
          index: 0
          name: default_broker-mqtt_broker-mqtts-0
      binds:
        - name: mqtts
          port: 8883
          accept_proxy: true
    service:
      name: nginx-reject-all-service
      port: 30000
    services:
      - name: broker-mqtt
        port: 8883

This configuration generates the following HAProxy configuration:

frontend tcpcr_default_broker01-frontend
  mode tcp
  bind :8883 name mqtts accept-proxy
  option tcplog
  option clitcpka
  tcp-request inspect-delay 5000
  tcp-request content accept if { req_ssl_hello_type 1 }
  use_backend default_broker-mqtt_broker-mqtts-0 if { req_ssl_sni -i broker01.example.com }
  default_backend default_nginx-reject-all-service_broker-mqtts-0


backend default_broker-mqtt_broker-mqtts-0
  mode tcp
  balance roundrobin
  option srvtcpka
  option httpchk
  http-check send meth GET uri /api/v1/health/readiness
  default-server check port 9090
  server SRV_1 100.64.100.72:8883 enabled

As noted, the frontend listens on port 8883. Therefore I cannot create any additional TCP objects that bind to the same port.
Is it possible to omit the frontend part of the CRD and only create the backend?
Is there a workaround to achieve this using the current CRD?

stale commented on Jun 6, 2025

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

jsturmics commented on Jun 19, 2025

As a workaround I've done this by creating new frontends on a random port. But that's not a good solution. Ideally, the TCP CRD would let you define frontend/backend resources independently.

          TCP CRD: Enable multiple backends on the same frontend port by allowing backend-only TCP objects · Issue #718 · haproxytech/kubernetes-ingress