DOC/MEDIUM: add example for HTTPS offload

Author: hdurand0710

.aspell.yml

@@ -28,6 +28,7 @@ allowed:
   - huggate
   - hugconf
   - httproute
+  - https
   - init
   - json
   - keymap

example/http-route/hello-world-https-offload/README.md

@@ -0,0 +1,134 @@
+# curl --header "Host: offload.haproxy.local" --resolve "offload.haproxy.local":31443:172.18.0.2 https://offload.haproxy.local:31443/hostname -k -v
+
+# Hello World HTTPRoute with HTTPS offload Example
+
+This example demonstrates how to use an HTTPRoute to expose simple "hello world" applications through the HAProxy Kubernetes Gateway, with HTTPS offload.
+
+
+
+## What is being deployed
+
+This example deploys the following resources:
+
+* A **GatewayClass** named `haproxy` that defines a class of Gateways that can be provisioned by the HAProxy Kubernetes Gateway.
+* A **Gateway** named `hug-gateway` that requests a listener on port `31080` for HTTP traffic.
+* An **HTTPRoute** that directs traffic for `offload.haproxy.local` to the service `hello-world-offload`
+* One **Deployment** and **Service** for the echo applications:
+  * `hello-world-offload`: A simple echo server
+* A **Secret** `offload`
+
+## How to deploy in a `test` namepace
+
+```bash
+kubectl create ns test
+kubectl apply -f -n test .
+```
+
+## How to check if the result is correct
+
+### POD
+
+```sh
+$ cat /usr/local/hug/maps/link1_test_hug-gateway_https/path_prefix.map
+https.haproxy.local/ link1_test_hello-world-offload_443__
+```
+
+### curl
+
+### From the Hug pod
+Use `curl` to send a request to the services through the Gateway.
+
+```sh
+curl --header "Host: offload.haproxy.local" --resolve "offload.haproxy.local":31443:127.0.0.1 https://offload.haproxy.local:31443/hostname -k
+```
+
+You should see a response from the services, confirming that the traffic was routed correctly.
+
+```sh
+hello-world-offload-c6b56955d-4hjld
+```
+
+### From outside the cluster
+
+Assuming that a NodePort Service like
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: haproxy-unified-gateway
+  namespace: haproxy-unified-gateway
+spec:
+  selector:
+    run: haproxy-unified-gateway
+  type: NodePort
+  ports:
+    - name: http
+      port: 31080
+      targetPort: 31080
+      # nodePort is needed for NodePort service type
+      nodePort: 31080
+      protocol: TCP
+    - name: https
+      port: 31443
+      targetPort: 31443
+      # nodePort is needed for NodePort service type
+      nodePort: 31443
+      protocol: TCP
+    - name: stat
+      port: 31024
+      targetPort: 31024
+```
+
+Use `curl` to send a request to the services through the Gateway.
+
+```sh
+curl --header "Host: offload.haproxy.local" --resolve "offload.haproxy.local":31443:<node IP> https://offload.haproxy.local:31443/hostname -k
+```
+
+You should see a response from the services, confirming that the traffic was routed correctly.
+
+```sh
+hello-world-offload-c6b56955d-4hjld
+```
+
+### haproxy.cfg
+You can also check the generated `haproxy.cfg`.
+
+```
+cat /usr/local/hug/haproxy.cfg
+```
+
+```sh
+frontend link1_test_hug-gateway_https from haproxytech # {"hug":{"Gateway":{"test/hug-gateway":{"Generation":1,"LinkID":"link1"}}}}
+  mode http
+  bind 0.0.0.0:31443 name v4 ssl crt-list /usr/local/hug/certlists/test_hug-gateway_https.list
+  bind [::]:31443 name v6 ssl crt-list /usr/local/hug/certlists/test_hug-gateway_https.list
+  acl route_is_json var(txn.route),bytes(0,1) -m str { # {"hug":"for lua routing"}
+  http-request set-var(txn.base) base
+  http-request set-var(txn.path) path
+  http-request set-var(txn.host) req.hdr(Host),host_only
+  http-request set-var(txn.route) base,map(/usr/local/hug/maps/link1_test_hug-gateway_https/path_exact.map) # {"hug":"exact domain + exact path"}
+  http-request set-var(txn.route,ifnotexists) path,map(/usr/local/hug/maps/link1_test_hug-gateway_https/path_exact.map) # {"hug":"any domain + exact path"}
+  http-request set-var(txn.route,ifnotexists) base,map_beg(/usr/local/hug/maps/link1_test_hug-gateway_https/path_prefix.map) # {"hug":"exact domain + path prefix"}
+  http-request set-var(txn.route,ifnotexists) path,map_beg(/usr/local/hug/maps/link1_test_hug-gateway_https/path_prefix.map) # {"hug":"exact domain + path prefix"}
+  http-request set-var(txn.route,ifnotexists) base,map_end(/usr/local/hug/maps/link1_test_hug-gateway_https/domain_wildcard_path_exact.map) # {"hug":"domain wildcard + exact path"}
+  http-request set-var(txn.route,ifnotexists) path,map_reg(/usr/local/hug/maps/link1_test_hug-gateway_https/path_regex.map) # {"hug":"any domain + path regex"}
+  http-request set-var(txn.route,ifnotexists) base,map_reg(/usr/local/hug/maps/link1_test_hug-gateway_https/path_regex.map) # {"hug":"domain wildcard + path prefix or regex, exact domain + path regex"}
+  http-request lua.route if route_is_json # {"hug":"lua routing"}
+  use_backend %[var(txn.backend)] if route_is_json
+  use_backend %[var(txn.route)]
+  default_backend backend_not_found
+```
+Note the `bind` doing HTTPS termination.
+
+```sh
+backend link1_test_hello-world-offload_80__ from haproxytech # {"hug":{"HTTPRoute":{"test/route-hello-world-offload":{"Generation":2,"LinkID":"link1"}}}}
+  mode http
+  balance roundrobin
+  option forwardfor
+  no option abortonclose
+  timeout server 50000
+  default-server check
+  server SRV_8f3e9904fc22b571a9e21e8b158c09f79153cb9b 10.244.0.7:8888 enabled
+```

example/http-route/hello-world-https-offload/echo-https.yaml

@@ -0,0 +1,42 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: hello-world-offload
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: hello-world-offload
+  template:
+    metadata:
+      labels:
+        app: hello-world-offload
+    spec:
+      containers:
+        - name: http-echo
+          image: "haproxytech/http-echo:latest"
+          imagePullPolicy: Never
+          ports:
+            - name: http
+              containerPort: 8888
+              protocol: TCP
+            - name: https
+              containerPort: 8443
+              protocol: TCP
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: hello-world-offload
+spec:
+  ports:
+    - name: http
+      protocol: TCP
+      port: 80
+      targetPort: http
+    - name: https
+      protocol: TCP
+      port: 443
+      targetPort: https
+  selector:
+    app: hello-world-offload

example/http-route/hello-world-https-offload/gateway.yaml

@@ -0,0 +1,28 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: hug-gateway
+spec:
+  gatewayClassName: haproxy
+  listeners:
+  - name: http
+    port: 31080
+    protocol: HTTP
+    allowedRoutes:
+      kinds:
+      - group: gateway.networking.k8s.io
+        kind: HTTPRoute
+    hostname: "*.haproxy.local"
+  - name: https
+    protocol: HTTPS
+    port: 31443
+    tls:
+      certificateRefs:
+      - kind: Secret
+        group: ""
+        name: offload
+    allowedRoutes:
+      kinds:
+      - group: gateway.networking.k8s.io
+        kind: HTTPRoute
+    hostname: "*.haproxy.local"

example/http-route/hello-world-https-offload/gatewayclass.yaml

@@ -0,0 +1,6 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: haproxy
+spec:
+  controllerName: gate.haproxy.org/hug

example/http-route/hello-world-https-offload/route-https.yaml

@@ -0,0 +1,19 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: route-hello-world-offload
+spec:
+  parentRefs:
+  - name: hug-gateway
+    sectionName: https
+  hostnames:
+  - "offload.haproxy.local"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /
+    backendRefs:
+    - name: hello-world-offload
+      port: 80
+---

example/http-route/hello-world-https-offload/secret-offload.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURGVENDQWYyZ0F3SUJBZ0lVWVhhTVN4QXAyVFVUY1FzVFBjVHFWUW1kNmpZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0dqRVlNQllHQTFVRUF3d1BiMlptYkc5aFpDNW9ZWEJ5YjNoNU1CNFhEVEkxTURneU1URTFNamMxTjFvWApEVEkyTURneU1URTFNamMxTjFvd0dqRVlNQllHQTFVRUF3d1BiMlptYkc5aFpDNW9ZWEJ5YjNoNU1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXlLRHloS1BlTjh6V2pKdTFUdkhDcDA5ZzBDc1gKVWNvYzAyd0tKOVZqdW9VN0djRmRnWUx3UitRU1JJUWhrZEFYV25jdHpES25zNVVhblBEM0Y3SG5DM1krandNTgpZNFFOV0k0a0Z1Uk55RlRhTzV0cTRYSDk3WXRObmtFa1dOWGdUd0I5WFY0Y1duUWc3NmkrbDZkSDFBczI5aWtQClZVMzZqMVdVS3lINFlhbzlWNDZBWklCbE1IenltdW1HUzYyRVIrY0M4TTdsMlNwS1NHajl4TzROd0hzU1U5Z3AKQmhPTjFOY0NmSXN0elNHRFRBTjdxa2p0U0RpTjZXWGFobHRVM1RvYjZvZkI4Ukc0bVA3UGt1YzZIOHl4R3JwbQpLSUhRQkdsVHVUeHNSd3NiaktDSTY3dG1DY2VkYWlKemllS0JPbStaUExhQ002M2lpSVh6bTVlazR3SURBUUFCCm8xTXdVVEFkQmdOVkhRNEVGZ1FVY2NSNmtRMEJmc3NVUVUxdXFtS2x0eVdjVkRnd0h3WURWUjBqQkJnd0ZvQVUKY2NSNmtRMEJmc3NVUVUxdXFtS2x0eVdjVkRnd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBTkJna3Foa2lHOXcwQgpBUXNGQUFPQ0FRRUF4T3lCdUk1ZGxNdUZqQ2NIa2VySzZjcUY1T2NaY2p4eTRqM0J6NmtBZnV0Um1EYkNqU25rCjEvZUpISllhZWVmbnpYbWZXVXdyYzlFVWNWWVp3UDVWUXhnM3BEMklPbEE1RTNtZFc4OWkvM2tGUER6MUZOc2oKN0NVZUoyR3o3ZHBIbzh6UGcvcVV0bE9pbkdSV1BsN1lldTlHQjUxTTZYOEFRci9JVGxEa2dnRDF1T3pmakEvcgo0aE0rdG9KN2gvejd2ZnNjWWYvN2dlQWFFUVNRMVFiOVNDSjRFOGxsb1RiRnI3ZFZWMGFxV2J2b1ZSN3g0bUJyCkdDSTVSSmxFUGZZTDNyM21uSHFJZnJHdFBvN2lIa20xcisyRUQ4cnZvU3JhUGJSbmpSSStvcEhLSHBwTlpSMmkKMDQ0U01xcWZDMGNienRmVndRV1NIcnpqcmVaL1JHWmxZUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2d0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktrd2dnU2xBZ0VBQW9JQkFRRElvUEtFbzk0M3pOYU0KbTdWTzhjS25UMkRRS3hkUnloelRiQW9uMVdPNmhUc1p3VjJCZ3ZCSDVCSkVoQ0dSMEJkYWR5M01NcWV6bFJxYwo4UGNYc2VjTGRqNlBBdzFqaEExWWppUVc1RTNJVk5vN20ycmhjZjN0aTAyZVFTUlkxZUJQQUgxZFhoeGFkQ0R2CnFMNlhwMGZVQ3piMktROVZUZnFQVlpRcklmaGhxajFYam9Ca2dHVXdmUEthNllaTHJZUkg1d0x3enVYWktrcEkKYVAzRTdnM0FleEpUMkNrR0U0M1Uxd0o4aXkzTklZTk1BM3VxU08xSU9JM3BaZHFHVzFUZE9odnFoOEh4RWJpWQovcytTNXpvZnpMRWF1bVlvZ2RBRWFWTzVQR3hIQ3h1TW9JanJ1MllKeDUxcUluT0o0b0U2YjVrOHRvSXpyZUtJCmhmT2JsNlRqQWdNQkFBRUNnZ0VBT3VQcmEvM0J5N1ZId093dnN5V0owcHlkT1YxOHNkaFd6OFJsMHIxelVadXIKOW1wbzdRd25SYUx2cmNidko2TGlSLzYxcGJ1MHVDVHJNK2dUVDVRNzBvUjU1bmFwNW0wcmtiUGZhZ3pIdkNjVQpDKzBaMldVaGVTbXJ0ZWsvSndoWW1EZjNsSUY4Wnh5eFVrZkE4amo2LzRYdk15Qm9UTXpmNEZUcGNpTzlpY1R0CjRxbVZzRUY1VDdzaGZEOThYTEdwOUttYmdsczlWekI0aVBOcFF4ckgwakMzYmYvK3lyS1BHZStIa3dVR1BmdEMKQVRUTkpLQWF1QURScStHK1NWMDYrOXNheWgzYTNIS2d6dTRGaDM0RmRxTTZRTmkwSktwd04rM0JtQm1YUmRIMwpxYXB5Vmo0V2o5ZlJmNHpSSVB5RVkyV3oxZ2NyVm4yWTUrMlhPeFprMlFLQmdRRCtKMEZ5N2J2Z1BqUW00ZUpaCmxQNWM4bHptVHo2OE1Dc2M3QVJJUVU2VlBXb1JDV3NqR1JPYVIzckZrejNJdVp1ekNvN2ZUbldHVjkxTXRGeWwKR2gxYVFxQXlCcFNoUmhoaFFNOTlSblFNRVlTdjNidG9SQnBtNVdQeTJWM2Y1V3lPOXpJVUdlS0xqYUFVdnM4cQpicWZvTUdNenptb3VyNEtXLzZLckExeHFOd0tCZ1FES0ZpRytwUVhrZDE1Z3c0cWVzUXFZYm96cTM4ZW82blcyClluTDQyQnpsampsendRRkpjSlRoWVcvQTV5cEZ1U2duZDlWVGoxbVF6YTdLbVllMWxuWGtxSXZueFlVUFhTVGsKMHdzdlcrN0lSUks0NlBWbHBiZU5FdHV0c0Rtd0VTdlJNSkl2KzdHeENFNVNQR05rWThZWTZmbkdrVGVxOXpPZQowZzlvNVkzVXRRS0JnUURFVHhRSnJzRm9nd09MYVB5S0QwQ3VFSEpiWHFocGVaZERmcllNRFkyaVRzNm5uQ3ZKCjcydXB4ajU1YjdMUVlUVjNoTmM0ZXdUaUlPb0pmbUwxRUFmT0dScGRxYUdTTkc5T1oxNGRPSmNZWDB1cS84enEKeTNmTk5MQVArMys4R2h6UkRQVDhlOFgxM3czZ0dFWXlVMGlVV3hPMUIySVM3M1FpS0JEQW9SYjMzd0tCZ1FDbwppQUtHV2x0cXFENFdGcDFCTU1aMFR5WElMdTMwcWV1WE9jMUdSL3o1V0Q0RGtmOC92dHI2aHViTENqM1B2ZFdGCjdNTUVsN1VMTk8xRFd2eTViSXhQTUZ6VTRuM1FUVTZhWW9LZWNWM1d1UHdmSjNDWDM3Y091SjVwNEdDTHZCWTkKcy9NR2Z6STJRSVlJd1FIbTArcCtGb3JPbFliR1ZyZy9DRkgvbWdsSlRRS0JnUURRc2NtN0ZQVGo3RFh2QzYraQpxQVNadUZNcWQxVjlYVFBtdDFxZmlDekgrODFqTVZnOHE2eE5lQVhMTVhCV0pjSjRKcXJMTnlBSUx4M1ZZeWUzCmtWcDJsVFUzUFVyZUZBL0UvbWxLZk45cUszblVUZDhibjF1aExSZFRkYmZpOE9URzArQ2ZxSTN1WjUrWnJwWjMKU3BSRys3Mnc5TWV2cFdNcU90UFVObWpBWWc9PQotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg==
+kind: Secret
+metadata:
+  name: offload
+type: kubernetes.io/tls
+
+
+## CN offload.haproxy