force_tlsv... configurations require DataPlane API restart to take effect

[cepitacio]

When adding or updating bind resources with any force_tlsv... configuration (e.g., force_tlsv12, force_tlsv13, etc.) through the HAProxy DataPlane API, the changes do not take effect unless the DataPlane API service is restarted.

Querying the configuration after committing the transaction and reloading HAProxy does not show the force_tlsv... fields as active. Restarting the DataPlane API service resolves the issue. This occurs consistently, regardless of whether the resource is created using POST or updated using PUT.

Reproduced on HAproxy Data Plane API version:

v2.9.2
v2.9.8

Steps to reproduce:

export VERSION=$(curl -X GET "http://ip:port/v2/services/haproxy/configuration/version" -u 'user:pass!')

export TRANSACTION=$(curl -X POST -u 'user:pass!' -H "Content-Type: application/json" "http://ip:port/v2/services/haproxy/transactions?version=$VERSION" | jq -r '.id')

curl -X PUT "http://ip:port/v2/services/haproxy/configuration/binds/bind_test?transaction_id=$TRANSACTION&parent_name=parent_test&parent_type=frontend" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "bind_test",
    "address": "ip",
    "port": 443,
    "parent_name": "parent_test",
    "parent_type": "frontend",
    "force_tlsv13": true,
    "force_tlsv12": true,
    "ssl": true,
    "ssl_certificate": "/path/to/certificate.pem",
    "transparent": true
  }' \
  -u 'user:pass'

curl -X PUT -u 'user:pass' -H "Content-Type: application/json" "http://ip:port/v2/services/haproxy/transactions/$TRANSACTION"

Result even after reload:

curl -X GET "http://ip:port/v2/services/haproxy/configuration/binds/bind_test?parent_name=parent_test&parent_type=frontend" -u 'user:pass'
{"_version":41,"data":{"name":"bind_test","ssl":true,"ssl_certificate":"/path/to/certificate.pem","address":"ip","port":443}}

Result after restart:

curl -X GET "http://ip:port/v2/services/haproxy/configuration/binds/bind_test?parent_name=parent_test&parent_type=frontend" -u 'user:pass'
{"_version":41,"data":{"force_tlsv12":true,"force_tlsv13":true,"name":"bind_test","ssl":true,"ssl_certificate":"/path/to/certificate.pem","address":"ip","port":443}}

[mjuraga]

Hi thank you for the report, we'll take a look at this.

[oliwer]

@cepitacio I have not been able to reproduce this yet on master, but just to make sure: have you checked your logs when doing this? Are the reloads working? Because in some cases a reload might fail but the API still responds OK.

[cepitacio]

@oliwer the dataplane api is reloading successfully

I just ran this:

export VERSION=$(curl -X GET "http://ip:port/v2/services/haproxy/configuration/version" -u 'user:pass')

export TRANSACTION=$(curl -X POST -u 'user:pass' -H "Content-Type: application/json" "http://ip:port/v2/services/haproxy/transactions?version=$VERSION" | jq -r '.id')

curl -X POST "http://ip:port/v2/services/haproxy/configuration/binds?transaction_id=$TRANSACTION&parent_name=parent_test&parent_type=frontend" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "bind_test",
    "address": "1.2.3.4",
    "port": 443,
    "parent_name": "parent_test",
    "parent_type": "frontend",
    "force_tlsv13": true,
    "force_tlsv12": true,
    "ssl": true,
    "ssl_certificate": "/path/to/certificate.pem",
    "transparent": true
  }' \
  -u 'user:pass'

curl -X PUT -u 'user:pass' -H "Content-Type: application/json" "http://ip:port/v2/services/haproxy/transactions/$TRANSACTION"

Bind was added and resulted:

frontend parent_test
  mode http
  bind 1.2.3.4:443 name bind_test crt /path/to/certificate.pem ssl transparent force-tlsv12 force-tlsv13  
  default_backend backend_test

Here are the logs when running above command:

time="2025-02-06T18:50:11-08:00" level=info msg="10.194.165.201 - - [06/Feb/2025:18:50:11 -0800] \"GET /v2/services/haproxy/configuration/version HTTP/1.1\" 200 3 \"-\" \"curl/8.7.1\""
time="2025-02-06T18:50:11-08:00" level=info msg="10.194.165.201 - - [06/Feb/2025:18:50:11 -0800] \"POST /v2/services/haproxy/transactions?version=33 HTTP/1.1\" 201 83 \"-\" \"curl/8.7.1\""
time="2025-02-06T18:50:11-08:00" level=info msg="10.194.165.201 - - [06/Feb/2025:18:50:11 -0800] \"POST /v2/services/haproxy/configuration/binds?transaction_id=efa7e201-2e6f-41bf-bb62-b42a0f804efd&parent_name=parent_test&parent_type=frontend HTTP/1.1\" 202 189 \"-\" \"curl/8.7.1\""
time="2025-02-06T18:50:12-08:00" level=info msg="10.194.165.201 - - [06/Feb/2025:18:50:12 -0800] \"PUT /v2/services/haproxy/transactions/efa7e201-2e6f-41bf-bb62-b42a0f804efd HTTP/1.1\" 202 79 \"-\" \"curl/8.7.1\""
time="2025-02-06T18:50:12-08:00" level=debug msg="Scheduling a new reload..." reload_id=2025-02-06-10
time="2025-02-06T18:50:15-08:00" level=debug msg="Reload started" reload_id=2025-02-06-10
time="2025-02-06T18:50:15-08:00" level=debug msg="Reload successful" reload_id=2025-02-06-10
time="2025-02-06T18:50:15-08:00" level=debug msg="Reload finished in 55.446902ms" reload_id=2025-02-06-10
time="2025-02-06T18:50:15-08:00" level=debug msg="Handling reload completed, waiting for new requests" reload_id=2025-02-06-10

I ran:

 curl -X GET "http://ip:port/v2/services/haproxy/configuration/binds/bind_test?parent_name=parent_test&parent_type=frontend" -u 'user:pass'

Result: force-tlsv12 force-tlsv13 does not return.

{"_version":34,"data":{"name":"bind_test","ssl":true,"ssl_certificate":"/path/to/certificate.pem","transparent":true,"address":"1.2.3.4","port":443}}

I even tried to reload dataplane api again but I get the same result.

After restarting dataplane api I get:

{"_version":34,"data":{"force_tlsv12":true,"force_tlsv13":true,"name":"bind_test","ssl":true,"ssl_certificate":"/path/to/certificate.pem","transparent":true,"address":"1.2.3.4","port":443}}

[oliwer]

Thanks! I managed to reproduce, and I have a lead: there seems to be a type mismatch between BindOptionWord and ServerOptionWord.

[mjuraga]

This should be fixed in the latest releases.