Template generates redirect line exceeding HAProxy's 64-word parser limit #409

@jansdhillon

This appears to be related to #404, which reported HAProxy config validation failures in cross-model relations.

Problem

When multiple haproxy-route relations provide allow_http data in their relation databags, the template generates a single redirect line that exceeds HAProxy's hardcoded 64-word parser limit.

Error

[ALERT] (215952) : config : parsing [/etc/haproxy/haproxy.cfg:52]: too many words, truncating after word 64, position 436: </repository>.
[ALERT] (215952) : config : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] (215952) : config : Fatal errors found in configuration.

Generated Config

The template in haproxy-operator/templates/haproxy_route.cfg.j2 lines 12-13 generates:

# Redirect HTTP to HTTPS
http-request redirect scheme https unless { ssl_fc } {% for acl in acls_for_allow_http %} || {{ acl }}{% endfor %}

With 7 relations providing allow_http in their databags, this produces a single line with 64+ words:

http-request redirect scheme https unless { ssl_fc }  || { req.hdr(host),field(1,:) -i landscape.local } { path_beg -i /message-system /attachment } || { req.hdr(host),field(1,:) -i landscape.local } { path_beg -i /ping } || { req.hdr(host),field(1,:) -i landscape.local } { path_beg -i /upload } || { req.hdr(host),field(1,:) -i landscape.local } { path_beg -i /api } || { req.hdr(host),field(1,:) -i landscape.local } { path_beg -i / /repository /hash-id-databases } !{ path_beg -i /metrics }

This hits HAProxy's 64-word limit at position 436.

Reproduction

Create 7+ haproxy-route relations where the requirer charms set allow_http in their relation databags (routes that should remain accessible over HTTP). When haproxy-operator concatenates all the allow_http ACLs from all relations into a single redirect rule, the line exceeds the parser limit.

Root Cause

The template concatenates all allow_http ACLs into a single line using || ... operators. HAProxy's parser has a hardcoded 64-word limit per line that cannot be changed without recompiling.

Suggested Fix

Split the single redirect rule into multiple statements:

{% for acl in acls_for_allow_http %}
http-request redirect scheme https unless { ssl_fc } {{ acl }}
{% endfor %}

Or use a different approach that doesn't concatenate all ACLs on one line.
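
An added example (not code from the issue or from haproxy-operator): a Python sketch that counts the words in the rendered redirect line, using the ACLs quoted above, and renders an alternative that sets a flag per ACL so the final rule still means `ssl_fc || acl1 || acl2 ...`. The `txn.allow_http` variable name, the function names and the whitespace-only word count are assumptions.

```python
# Added example: function names and the txn.allow_http variable are assumptions.
HAPROXY_MAX_WORDS = 64  # per-line parser limit reported in the issue

# ACL strings copied from the generated line quoted in the issue.
HOST = "{ req.hdr(host),field(1,:) -i landscape.local }"
SAMPLE_ACLS = [
    HOST + " { path_beg -i /message-system /attachment }",
    HOST + " { path_beg -i /ping }",
    HOST + " { path_beg -i /upload }",
    HOST + " { path_beg -i /api }",
    HOST + " { path_beg -i / /repository /hash-id-databases } !{ path_beg -i /metrics }",
]


def word_count(line):
    """Approximate the parser's count: whitespace-separated tokens, no quoting."""
    return len(line.split())


def render_single_line(acls):
    """Mirror the current template: every ACL ORed onto one redirect line."""
    prefix = "http-request redirect scheme https unless { ssl_fc } "
    return prefix + "".join(" || " + acl for acl in acls)


def render_flagged(acls, var="txn.allow_http"):
    """One set-var line per ACL, then one short redirect that tests the flag.

    Inside a condition HAProxy ANDs adjacent ACLs and ORs only across '||',
    so the flag is what carries the OR of all allow_http ACLs across lines.
    """
    lines = [f"http-request set-var({var}) bool(true) if {acl}" for acl in acls]
    lines.append(
        "http-request redirect scheme https unless { ssl_fc } || "
        f"{{ var({var}) -m bool }}"
    )
    return lines


def oversized(lines, limit=HAPROXY_MAX_WORDS):
    """Return (line_number, words) for every line longer than the limit."""
    counts = [(n, word_count(line)) for n, line in enumerate(lines, 1)]
    return [(n, words) for n, words in counts if words > limit]


if __name__ == "__main__":
    print(oversized([render_single_line(SAMPLE_ACLS)]))
    print(oversized(render_flagged(SAMPLE_ACLS)))
```

Running `oversized` over the rendered `haproxy.cfg` before reload catches the problem in the charm; `haproxy -c -f <file>` remains the authoritative check.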
