Issue with HAProxy Proxy Protocol and Port Forwarding on Kubernetes

Hello Percona Community,

I am experiencing a challenging issue with Percona XtraDB Cluster in a Kubernetes environment, where I’m using HAProxy as a load balancer. My goal is to enable client IP preservation for better security and logging. However, I’m facing connectivity problems when using SQL Workbench/J via port forwarding.

Environment:

  • Kubernetes Cluster 1.26
  • Percona XtraDB Cluster 8.0.34-26.1
  • HAProxy used as a SQL load balancer
  • SQL Workbench/J for database management

Configuration:

  • PXC and HAProxy set up via Helm Chart
  • Enabled the proxy protocol in PXC with proxy_protocol_networks = *.
  • HAProxy is set up with the default configurations.
  • Ingress is configured to route url.com:3306 to the HAProxy service on port 3306.

Working Scenario:

  • When I connect using SQL Workbench/J through the Ingress (by accessing url.com:3306), it works without issues. I presume this is because the Ingress correctly adds the proxy protocol header.

Problematic Scenario:

  • The problem arises when I attempt to connect through a port-forwarded local port 33066 to the HAProxy service on port 3306. In this case, SQL Workbench/J fails to connect via localhost:33066.

Troubleshooting Done:

  • I’ve ensured that the proxy-protocol is working. Open connections are correctly displayed as their client IPs and not the IP of the HAProxy service.
  • All network policies and firewall rules have been checked to ensure proper traffic flow.
  • Without proxy_protocol_networks = * the port-forwarding method works without problems.

Questions:

  1. Why is there a difference in behavior between the Ingress and local port-forwarding methods, even though they both target the HAProxy service on the same port?
  2. Is there a way to configure HAProxy or Kubernetes port-forwarding to add the proxy protocol headers when using SQL Workbench/J?
  3. Are there any recommended practices for configuring HAProxy in a Kubernetes environment to handle both proxy protocol and non-proxy protocol connections simultaneously?

I would greatly appreciate any insights or suggestions from the community on how to resolve this connectivity issue.

Thank you!

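Added example, not part of the original post and not Percona or HAProxy code: a Python parser for the PROXY protocol v1/v2 header the post refers to, showing what a listener sees at the start of a stream with and without the header. The function names, the sample addresses and the trust policy in `logged_client_ip` are assumptions made for illustration.

```python
import ipaddress
import struct

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY v2 signature

def parse_proxy_header(data):
    """Return (version, source_ip, header_length), or None if no header leads the stream."""
    if data.startswith(b"PROXY "):                    # v1: a single ASCII line
        end = data.find(b"\r\n", 0, 107)              # the spec caps the line at 107 bytes
        if end < 0:
            raise ValueError("unterminated PROXY v1 line")
        parts = data[:end].decode("ascii").split(" ")
        if parts[1] == "UNKNOWN":                     # proxy could not determine the source
            return (1, None, end + 2)
        if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
            raise ValueError("malformed PROXY v1 line")
        return (1, ipaddress.ip_address(parts[2]), end + 2)
    if data.startswith(V2_SIG):                       # v2: binary header
        if len(data) < 16:
            raise ValueError("truncated PROXY v2 header")
        ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
        if ver_cmd >> 4 != 2 or len(data) < 16 + length:
            raise ValueError("bad or truncated PROXY v2 header")
        addr_len = {0x1: 4, 0x2: 16}.get(fam >> 4)    # AF_INET / AF_INET6
        if ver_cmd & 0x0F == 0 or addr_len is None:   # LOCAL command, or no IP family
            return (2, None, 16 + length)
        if length < addr_len:
            raise ValueError("PROXY v2 address block too short")
        return (2, ipaddress.ip_address(data[16:16 + addr_len]), 16 + length)
    return None

def logged_client_ip(peer_ip, first_bytes, trusted_networks):
    """Hypothetical listener policy: honour the header only when the direct peer is trusted."""
    peer = ipaddress.ip_address(peer_ip)
    hdr = parse_proxy_header(first_bytes)
    trusted = any(peer in ipaddress.ip_network(n) for n in trusted_networks)
    if hdr and hdr[1] is not None and trusted:
        return hdr[1]                                 # address claimed by the proxy
    return peer                                       # fall back to the TCP peer address

# Constructed sample inputs (documentation address ranges, not captured traffic).
V1_SAMPLE = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 3306\r\n"
V2_SAMPLE = (V2_SIG + bytes([0x21, 0x11]) + struct.pack("!H", 12)
             + ipaddress.ip_address("203.0.113.7").packed
             + ipaddress.ip_address("10.0.0.5").packed + struct.pack("!HH", 51234, 3306))
NO_HEADER = b""  # a MySQL client waits for the server greeting and sends nothing first

if __name__ == "__main__":
    for name, sample in (("v1", V1_SAMPLE), ("v2", V2_SAMPLE), ("none", NO_HEADER)):
        print(name, parse_proxy_header(sample))
```

With a trusted list that covers every address, the source in the header is accepted from any peer, so a narrow list of proxy addresses keeps the logged client IP meaningful.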