Using edge / proxy node certificate identity

I’m using haproxy as a bastion server / cluster gateway, as only some of the nodes in my network have direct access to the external network. My internal nodes are part of a kubernetes cluster, and need to be able to pull images from a private registry external to my cluster which requires certificate identities.

k8s cluster internal node -> haproxy on edge node -> docker registry

I’m trying to configure my back_end in my haproxy.cfg to route to the docker registry, and update the request with the certificate identity of the edge node. (Internal node does not have certs acceptable to the docker registry, and I’ve not been allowed to host the external node’s certs on the internal node.) What I have right now looks like the below…

frontend ft_ssl
   bind <boxIP>:443
   mode http
   default_backend bk_global_import_registry_certs

backend bk_global_import_registry_certs
   mode http
   balance roundrobin
   server registry_alias-0 <registryIP>:443 ssl ca-file fullyqualified/ca.crt crt fullyqualified/file.pem check
   server registry_alias-1 <registryIP2>:443 ssl ca-file fullyqualified/ca.crt crt fullyqualified/file.pem check

I currently have the HTTPS_PROXY setting in /etc/systemd/system/docker.service.d/http-proxy.conf and am getting a 400 Bad Request. Scrubbed log message below, with only changes as removal of IPs or typos.

InternalIP:randomPort [09/Jul/2019:13:28:08.659] ft_ssl bk_global_import_registry_certs 0/0/10/5/15 400 350 – – —- 1/1/0/0/0 0/0 {} “CONNECT externalFQDN:443 HTTP/1.1”

For those looking at this via the kubernetes or docker tags, I also considered setting up a pull-through cache, but realized this only works with Docker’s public registry – see open Docker GitHub issue 1431 for other folks trying to find ways to get past that, as well.

Source: StackOverflow