Change SSL check options in haproxy for k8s apiserver.
Haproxy option ssl-hello-chk provides simple SSLv3 check for https backend,
SSLv3 is not supported by k8s apiserver, which causes a lot of errors in log
like: "http: TLS handshake error from ...:
tls:client offered an unsupported, maximum protocol version of 300".
This patch changes the check type in haproxy to "check-ssl".
Change-Id: Ib30251593fe64a377781ebabc9a7fd3e71df4254
diff --git a/haproxy/proxy/listen/kubernetes/apiserver.yml b/haproxy/proxy/listen/kubernetes/apiserver.yml
index 8dfcb35..950765f 100644
--- a/haproxy/proxy/listen/kubernetes/apiserver.yml
+++ b/haproxy/proxy/listen/kubernetes/apiserver.yml
@@ -4,8 +4,6 @@
listen:
k8s_secure:
type: kubernetes
- options:
- - ssl-hello-chk
binds:
- address: ${_param:cluster_vip_address}
port: 443
@@ -13,15 +11,15 @@
- name: ${_param:cluster_node01_hostname}
host: ${_param:cluster_node01_address}
port: 6443
- params: check
+ params: check check-ssl verify none
- name: ${_param:cluster_node02_hostname}
host: ${_param:cluster_node02_address}
port: 6443
- params: check
+ params: check check-ssl verify none
- name: ${_param:cluster_node03_hostname}
host: ${_param:cluster_node03_address}
port: 6443
- params: check
+ params: check check-ssl verify none
timeout:
server: 10m
client: 10m
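Review bot: `verify none` on the three new `params` lines turns off certificate verification for the TLS health check, so a backend is marked up whenever anything completes a handshake on port 6443, whether or not it presents the apiserver's certificate. If the cluster CA is available on the proxy nodes, prefer `params: check check-ssl verify required ca-file <path-to-cluster-ca.pem>` (placeholder path). The `k8s_secure` block starts outside this hunk, so the proxy mode is not visible here. If it is TCP passthrough, the setting affects only the health checks, which would be worth stating in a comment such as `# verify none: health check only, client TLS is passed through to the apiserver`. The check also proves only that a handshake succeeds, not that the apiserver is healthy.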