List order is reversed in backend crd v3

[WinterNis]

Summary

Hello 👋

When using CRD v3 (ingress.v3.haproxy.org/v3/Backend), list order for http_request_rule_list, acl_list, etc is reversed. Maybe it’s expected but the documentation does not explicitly state it ?
I would have expected rules to be declared in the same order as defined in the custom resource.

Ingress Controller version: 3.2.1
Helm chart version: 1.72.0

Details

Here a simple set of resources to reproduce the behavior.

Note: the actual haproxy configuration makes no functional sense, it is simply here to demonstrate the issue.

apiVersion: v1
kind: Service
metadata:
  name: foo
  namespace: default
spec:
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 8080

---

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cr-backend: default/foo
  name: foo
  namespace: default
spec:
  ingressClassName: haproxy
  rules:
    - host: foo.com
      http:
        paths:
          - backend:
              service:
                name: foo
                port:
                  name: http
            path: /
            pathType: Prefix

---

apiVersion: "ingress.v3.haproxy.org/v3"
kind: Backend
metadata:
  name: foo
  namespace: default
spec:
  name: foo
  stick_table:
    type: ip
    size: 100000
    expire: 300000
    store: http_req_rate(1s)
  acl_list:
    - acl_name: acl_1
      criterion: sc_http_req_rate(0)
      value: "gt 1"
    - acl_name: acl_2
      criterion: sc_http_req_rate(0)
      value: "gt 2"
    - acl_name: acl_3
      criterion: sc_http_req_rate(0)
      value: "gt 3"
  http_request_rule_list:
    - type: deny
      cond: unless
      cond_test: "{ req.hdr(HEADER-1) -m found }"
    - type: deny
      cond: unless
      cond_test: "{ req.hdr(HEADER-2) -m found }"
    - type: deny
      cond: unless
      cond_test: "{ req.hdr(HEADER-3) -m found }"

This will produce the following haproxy configuration for the backend:

backend default_svc_foo_http
  mode http
  acl acl_3 sc_http_req_rate(0) gt 3
  acl acl_2 sc_http_req_rate(0) gt 2
  acl acl_1 sc_http_req_rate(0) gt 1
  http-request deny unless { req.hdr(HEADER-3) -m found }
  http-request deny unless { req.hdr(HEADER-2) -m found }
  http-request deny unless { req.hdr(HEADER-1) -m found }
  stick-table type ip size 100000 expire 300000 store http_req_rate(1s)

We can see that rules in acl and http request list are inserted on the reverse order of their definition. Is that expected ?

I think with CRD v1 we could handle that with index, but with crdv3 there is no index anymore.

Also, stick table is defined at the end, but it would probably be clearer to define it at the top ?

[WinterNis]

Hi 👋

I allow myself to up this issue.

Note that I do not mean to aggressively push for a fix 😅
We simply would like to know if this behaviour is indeed a bug, or is expected when using crd V3.

This will impact our decision to use CRDs v3 (or not) in the future, as handling ordered instructions in a revere order seems quite unpractical in term of maintenance.

[hdurand0710]

Hi @WinterNis
You are right and this is not the goal intended. Let us change this.
I'm working on it and let you know when it's ready.

[WinterNis]

Thank you very much for the confirmation that it’s "only" a bug :)

[hdurand0710]

A fix is ready, waiting for review. Will keep you posted.

[hdurand0710]

Fixed in commit dbc3a21. It will be available in the next 3.2 release.

[WinterNis]

Awesome ! Thanks a lot !