MINOR: add quic support

haproxytech · Feb 15, 2024 · 67f3666 · 67f3666
1 parent 40f79b0
commit 67f3666
Show file tree

Hide file tree

Showing 16 changed files with 244 additions and 27 deletions.
diff --git a/crs/api/ingress/v1/backend.go b/crs/api/ingress/v1/backend.go
@@ -22,7 +22,7 @@ import (
 
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:metadata:annotations="haproxy.org/client-native=v5.1.2"
+// +kubebuilder:metadata:annotations="haproxy.org/client-native=v5.1.3-0.20240213005611-75890279f890"
 
 // Backend is a specification for a Backend resource
 type Backend struct {

diff --git a/crs/api/ingress/v1/defaults.go b/crs/api/ingress/v1/defaults.go
@@ -22,7 +22,7 @@ import (
 
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:metadata:annotations="haproxy.org/client-native=v5.1.2"
+// +kubebuilder:metadata:annotations="haproxy.org/client-native=v5.1.3-0.20240213005611-75890279f890"
 
 // Defaults is a specification for a Defaults resource
 type Defaults struct {

diff --git a/crs/api/ingress/v1/global.go b/crs/api/ingress/v1/global.go
@@ -22,7 +22,7 @@ import (
 
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:metadata:annotations="haproxy.org/client-native=v5.1.2"
+// +kubebuilder:metadata:annotations="haproxy.org/client-native=v5.1.3-0.20240213005611-75890279f890"
 // +kubebuilder:validation:XValidation:rule="!has(self.spec.config.default_path)", message="spec.config.default_path is set by ingress controller internally"
 // +kubebuilder:validation:XValidation:rule="!has(self.spec.config.master__dash__worker)", message="spec.config.master-worker is set by ingress controller internally"
 // +kubebuilder:validation:XValidation:rule="!has(self.spec.config.pidfile)", message="spec.config.pidfile is set by ingress controller internally"

diff --git a/crs/definition/ingress.v1.haproxy.org_backends.yaml b/crs/definition/ingress.v1.haproxy.org_backends.yaml
@@ -4,7 +4,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.14.0
-    haproxy.org/client-native: v5.1.2
+    haproxy.org/client-native: v5.1.3-0.20240213005611-75890279f890
   name: backends.ingress.v1.haproxy.org
 spec:
   group: ingress.v1.haproxy.org

diff --git a/crs/definition/ingress.v1.haproxy.org_defaults.yaml b/crs/definition/ingress.v1.haproxy.org_defaults.yaml
@@ -4,7 +4,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.14.0
-    haproxy.org/client-native: v5.1.2
+    haproxy.org/client-native: v5.1.3-0.20240213005611-75890279f890
   name: defaults.ingress.v1.haproxy.org
 spec:
   group: ingress.v1.haproxy.org

diff --git a/crs/definition/ingress.v1.haproxy.org_globals.yaml b/crs/definition/ingress.v1.haproxy.org_globals.yaml
@@ -4,7 +4,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.14.0
-    haproxy.org/client-native: v5.1.2
+    haproxy.org/client-native: v5.1.3-0.20240213005611-75890279f890
   name: globals.ingress.v1.haproxy.org
 spec:
   group: ingress.v1.haproxy.org

diff --git a/go.mod b/go.mod
@@ -9,7 +9,7 @@ require (
 	github.com/google/renameio v1.0.1
 	github.com/haproxytech/client-native/v2 v2.5.2-0.20220126142624-4a2781a21376
 	github.com/haproxytech/client-native/v3 v3.1.2-0.20230607075433-231591da68ed
-	github.com/haproxytech/client-native/v5 v5.1.2
+	github.com/haproxytech/client-native/v5 v5.1.3-0.20240213005611-75890279f890
 	github.com/haproxytech/config-parser/v5 v5.1.0
 	github.com/jessevdk/go-flags v1.4.0
 	github.com/pires/go-proxyproto v0.7.0
@@ -37,15 +37,15 @@ require (
 	github.com/evanphx/json-patch v5.9.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.7.0 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
-	github.com/go-openapi/analysis v0.22.0 // indirect
+	github.com/go-openapi/analysis v0.22.2 // indirect
 	github.com/go-openapi/errors v0.21.0 // indirect
 	github.com/go-openapi/jsonpointer v0.20.2 // indirect
 	github.com/go-openapi/jsonreference v0.20.4 // indirect
-	github.com/go-openapi/loads v0.21.3 // indirect
-	github.com/go-openapi/spec v0.20.13 // indirect
-	github.com/go-openapi/strfmt v0.21.10 // indirect
+	github.com/go-openapi/loads v0.21.5 // indirect
+	github.com/go-openapi/spec v0.20.14 // indirect
+	github.com/go-openapi/strfmt v0.22.0 // indirect
 	github.com/go-openapi/swag v0.22.9 // indirect
-	github.com/go-openapi/validate v0.22.4 // indirect
+	github.com/go-openapi/validate v0.23.0 // indirect
 	github.com/gofrs/flock v0.8.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect

diff --git a/go.sum b/go.sum
@@ -34,8 +34,8 @@ github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nos
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
 github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
-github.com/go-faker/faker/v4 v4.2.0 h1:dGebOupKwssrODV51E0zbMrv5e2gO9VWSLNC1WDCpWg=
-github.com/go-faker/faker/v4 v4.2.0/go.mod h1:F/bBy8GH9NxOxMInug5Gx4WYeG6fHJZ8Ol/dhcpRub4=
+github.com/go-faker/faker/v4 v4.3.0 h1:UXOW7kn/Mwd0u6MR30JjUKVzguT20EB/hBOddAAO+DY=
+github.com/go-faker/faker/v4 v4.3.0/go.mod h1:F/bBy8GH9NxOxMInug5Gx4WYeG6fHJZ8Ol/dhcpRub4=
 github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
 github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo=
@@ -47,8 +47,8 @@ github.com/go-openapi/analysis v0.19.2/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9sn
 github.com/go-openapi/analysis v0.19.4/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9snX6gxi44djMjk=
 github.com/go-openapi/analysis v0.19.5/go.mod h1:hkEAkxagaIvIP7VTn8ygJNkd4kAYON2rCu0v0ObL0AU=
 github.com/go-openapi/analysis v0.19.10/go.mod h1:qmhS3VNFxBlquFJ0RGoDtylO9y4pgTAUNE9AEEMdlJQ=
-github.com/go-openapi/analysis v0.22.0 h1:wQ/d07nf78HNj4u+KiSY0sT234IAyePPbMgpUjUJQR0=
-github.com/go-openapi/analysis v0.22.0/go.mod h1:acDnkkCI2QxIo8sSIPgmp1wUlRohV7vfGtAIVae73b0=
+github.com/go-openapi/analysis v0.22.2 h1:ZBmNoP2h5omLKr/srIC9bfqrUGzT6g6gNv03HE9Vpj0=
+github.com/go-openapi/analysis v0.22.2/go.mod h1:pDF4UbZsQTo/oNuRfAWWd4dAh4yuYf//LYorPTjrpvo=
 github.com/go-openapi/errors v0.17.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0=
 github.com/go-openapi/errors v0.18.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0=
 github.com/go-openapi/errors v0.19.2/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94=
@@ -74,8 +74,8 @@ github.com/go-openapi/loads v0.19.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf
 github.com/go-openapi/loads v0.19.2/go.mod h1:QAskZPMX5V0C2gvfkGZzJlINuP7Hx/4+ix5jWFxsNPs=
 github.com/go-openapi/loads v0.19.3/go.mod h1:YVfqhUCdahYwR3f3iiwQLhicVRvLlU/WO5WPaZvcvSI=
 github.com/go-openapi/loads v0.19.5/go.mod h1:dswLCAdonkRufe/gSUC3gN8nTSaB9uaS2es0x5/IbjY=
-github.com/go-openapi/loads v0.21.3 h1:8sSH2FIm/SnbDUGv572md4YqVMFne/a9Eubvcd3anew=
-github.com/go-openapi/loads v0.21.3/go.mod h1:Y3aMR24iHbKHppOj91nQ/SHc0cuPbAr4ndY4a02xydc=
+github.com/go-openapi/loads v0.21.5 h1:jDzF4dSoHw6ZFADCGltDb2lE4F6De7aWSpe+IcsRzT0=
+github.com/go-openapi/loads v0.21.5/go.mod h1:PxTsnFBoBe+z89riT+wYt3prmSBP6GDAQh2l9H1Flz8=
 github.com/go-openapi/runtime v0.0.0-20180920151709-4f900dc2ade9/go.mod h1:6v9a6LTXWQCdL8k1AO3cvqx5OtZY/Y9wKTgaoP6YRfA=
 github.com/go-openapi/runtime v0.19.0/go.mod h1:OwNfisksmmaZse4+gpV3Ne9AyMOlP1lt4sK4FXt0O64=
 github.com/go-openapi/runtime v0.19.4/go.mod h1:X277bwSUBxVlCYR3r7xgZZGKVvBd/29gLDlFGtJ8NL4=
@@ -86,17 +86,17 @@ github.com/go-openapi/spec v0.19.2/go.mod h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcs
 github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo=
 github.com/go-openapi/spec v0.19.6/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk=
 github.com/go-openapi/spec v0.19.7/go.mod h1:Hm2Jr4jv8G1ciIAo+frC/Ft+rR2kQDh8JHKHb3gWUSk=
-github.com/go-openapi/spec v0.20.13 h1:XJDIN+dLH6vqXgafnl5SUIMnzaChQ6QTo0/UPMbkIaE=
-github.com/go-openapi/spec v0.20.13/go.mod h1:8EOhTpBoFiask8rrgwbLC3zmJfz4zsCUueRuPM6GNkw=
+github.com/go-openapi/spec v0.20.14 h1:7CBlRnw+mtjFGlPDRZmAMnq35cRzI91xj03HVyUi/Do=
+github.com/go-openapi/spec v0.20.14/go.mod h1:8EOhTpBoFiask8rrgwbLC3zmJfz4zsCUueRuPM6GNkw=
 github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
 github.com/go-openapi/strfmt v0.18.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
 github.com/go-openapi/strfmt v0.19.0/go.mod h1:+uW+93UVvGGq2qGaZxdDeJqSAqBqBdl+ZPMF/cC8nDY=
 github.com/go-openapi/strfmt v0.19.2/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU=
 github.com/go-openapi/strfmt v0.19.3/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU=
 github.com/go-openapi/strfmt v0.19.4/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk0dgdHXr2Qk=
 github.com/go-openapi/strfmt v0.19.5/go.mod h1:eftuHTlB/dI8Uq8JJOyRlieZf+WkkxUuk0dgdHXr2Qk=
-github.com/go-openapi/strfmt v0.21.10 h1:JIsly3KXZB/Qf4UzvzJpg4OELH/0ASDQsyk//TTBDDk=
-github.com/go-openapi/strfmt v0.21.10/go.mod h1:vNDMwbilnl7xKiO/Ve/8H8Bb2JIInBnH+lqiw6QWgis=
+github.com/go-openapi/strfmt v0.22.0 h1:Ew9PnEYc246TwrEspvBdDHS4BVKXy/AOVsfqGDgAcaI=
+github.com/go-openapi/strfmt v0.22.0/go.mod h1:HzJ9kokGIju3/K6ap8jL+OlGAbjpSv27135Yr9OivU4=
 github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
 github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
 github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
@@ -107,8 +107,8 @@ github.com/go-openapi/swag v0.22.9/go.mod h1:3/OXnFfnMAwBD099SwYRk7GD3xOrr1iL7d/
 github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4=
 github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA=
 github.com/go-openapi/validate v0.19.3/go.mod h1:90Vh6jjkTn+OT1Eefm0ZixWNFjhtOH7vS9k0lo6zwJo=
-github.com/go-openapi/validate v0.22.4 h1:5v3jmMyIPKTR8Lv9syBAIRxG6lY0RqeBPB1LKEijzk8=
-github.com/go-openapi/validate v0.22.4/go.mod h1:qm6O8ZIcPVdSY5219468Jv7kBdGvkiZLPOmqnqTUZ2A=
+github.com/go-openapi/validate v0.23.0 h1:2l7PJLzCis4YUGEoW6eoQw3WhyM65WSIcjX6SQnlfDw=
+github.com/go-openapi/validate v0.23.0/go.mod h1:EeiAZ5bmpSIOJV1WLfyYF9qp/B1ZgSaEpHTJHtN5cbE=
 github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
@@ -172,8 +172,8 @@ github.com/haproxytech/client-native/v2 v2.5.2-0.20220126142624-4a2781a21376 h1:
 github.com/haproxytech/client-native/v2 v2.5.2-0.20220126142624-4a2781a21376/go.mod h1:MTl8dabMibEE9ytnR1uPOFbcJ7XtYKEhxnBcqBP8kXM=
 github.com/haproxytech/client-native/v3 v3.1.2-0.20230607075433-231591da68ed h1:qjKxpoe4wYQmpGrrooqau88Fgusy9VQfulpXghBDqx8=
 github.com/haproxytech/client-native/v3 v3.1.2-0.20230607075433-231591da68ed/go.mod h1:xRVluo27FAjK4ag33+jUfpnNf9olXQlTRHUl3VMvq98=
-github.com/haproxytech/client-native/v5 v5.1.2 h1:dKENRtRzkzWWw7s/sF8/3Suz8soQXVd5KHoTJN/HS7o=
-github.com/haproxytech/client-native/v5 v5.1.2/go.mod h1:0jS6IZLjDDYxpbJGnomwqWrDh2a0/EsvyQXG6sEUVe4=
+github.com/haproxytech/client-native/v5 v5.1.3-0.20240213005611-75890279f890 h1:3C4xBxJ2G/M5dIzqUwtYG53eJjlhmaEZJskGnP/BATc=
+github.com/haproxytech/client-native/v5 v5.1.3-0.20240213005611-75890279f890/go.mod h1:p2nO/UaaNpT6oHfZ+FrICKt7UlRLa5yqE/COUy79qK4=
 github.com/haproxytech/config-parser/v4 v4.0.0-rc2.0.20220126135717-1dd35f8b7a52/go.mod h1:pEuHx+aFhn0lIdvAg1OaawQfeRkpq1I8HzjtZN4/PLI=
 github.com/haproxytech/config-parser/v5 v5.1.0 h1:gdifNXscsx4x++GQWw9Oj3JDpJMgSLtCiXgdQqxsYQU=
 github.com/haproxytech/config-parser/v5 v5.1.0/go.mod h1:iy8nBB1eopwYbyeh3FQpjxZUxfcIDyTV9bW0F1t+cVA=

diff --git a/pkg/annotations/common/main.go b/pkg/annotations/common/main.go
@@ -62,6 +62,7 @@ var DefaultValues = map[string]string{
 	"scale-server-slots":     "42",
 	"client-crt-optional":    "false",
 	"tls-alpn":               "h2,http/1.1",
+	"quic-alt-svc-max-age":   "60",
 }
 
 // Returns the first annotation value in the set of maps of annotations along with the indice of which map in argument provided the value.

diff --git a/pkg/controller/handler.go b/pkg/controller/handler.go
@@ -54,13 +54,31 @@ func (c *HAProxyController) initHandlers() {
 		c.updateStatusManager,
 	}
 
-	c.updateHandlers = append(c.updateHandlers, handler.Refresh{})
+	defer func() { c.updateHandlers = append(c.updateHandlers, handler.Refresh{}) }()
 
 	c.beforeUpdateHandlers = []UpdateHandler{}
 	// Need to be before Refresh. If after, maps are refreshed without pprof content
 	if c.osArgs.PprofEnabled {
 		c.beforeUpdateHandlers = append(c.beforeUpdateHandlers, handler.Pprof{})
 	}
+
+	if !c.osArgs.DisableQuic {
+		c.updateHandlers = append(c.updateHandlers, &handler.Quic{
+			IPv4:     !c.osArgs.DisableIPV4,
+			AddrIPv4: c.osArgs.IPV4BindAddr,
+			IPv6:     !c.osArgs.DisableIPV6,
+			AddrIPv6: c.osArgs.IPV6BindAddr,
+			Port:     c.osArgs.HTTPSBindPort,
+			CertDir:  c.haproxy.Certs.FrontendDir,
+			QuicAnnouncePort: func() int64 {
+				if c.osArgs.QuicAnnouncePort != 0 {
+					return c.osArgs.QuicAnnouncePort
+				}
+				return c.osArgs.HTTPSBindPort
+			}(),
+			MaxAge: "0",
+		})
+	}
 }
 
 func (c *HAProxyController) startupHandlers() error {

diff --git a/pkg/handler/quic.go b/pkg/handler/quic.go
@@ -0,0 +1,153 @@
+package handler
+
+import (
+	"fmt"
+
+	"github.com/haproxytech/client-native/v5/models"
+	"github.com/haproxytech/kubernetes-ingress/pkg/annotations"
+	"github.com/haproxytech/kubernetes-ingress/pkg/annotations/common"
+	"github.com/haproxytech/kubernetes-ingress/pkg/haproxy"
+	"github.com/haproxytech/kubernetes-ingress/pkg/haproxy/instance"
+	"github.com/haproxytech/kubernetes-ingress/pkg/haproxy/rules"
+	"github.com/haproxytech/kubernetes-ingress/pkg/store"
+	"github.com/haproxytech/kubernetes-ingress/pkg/utils"
+)
+
+const (
+	QUIC4BIND = "quicv4"
+	QUIC6BIND = "quicv6"
+)
+
+type Quic struct {
+	AddrIPv4         string
+	AddrIPv6         string
+	IPv4             bool
+	IPv6             bool
+	Port             int64
+	CertDir          string
+	QuicAnnouncePort int64
+	MaxAge           string
+}
+
+func (q *Quic) Update(k store.K8s, h haproxy.HAProxy, a annotations.Annotations) (err error) {
+	var errs utils.Errors
+	defer func() {
+		err = errs.Result()
+	}()
+	var bindv4Present, bindv6Present bool
+	binds, errBindsGet := h.FrontendBindsGet(h.FrontHTTPS)
+	if errBindsGet != nil {
+		errs.Add(errBindsGet)
+		return
+	}
+
+	for _, bind := range binds {
+		bindv4Present = bindv4Present || bind.Name == QUIC4BIND
+		bindv6Present = bindv6Present || bind.Name == QUIC6BIND
+	}
+
+	ipv4Func := func() {
+		if bindv4Present {
+			return
+		}
+
+		errFrontendBindCreate := h.FrontendBindCreate(h.FrontHTTPS, models.Bind{
+			Address: func() (addr string) {
+				addr = "quic4@" + q.AddrIPv4
+				return
+			}(),
+			Port: utils.PtrInt64(q.Port),
+			BindParams: models.BindParams{
+				Name:           QUIC4BIND,
+				Ssl:            true,
+				SslCertificate: q.CertDir,
+				Alpn:           "h3",
+			},
+		})
+		errs.Add(errFrontendBindCreate)
+		instance.ReloadIf(errFrontendBindCreate == nil, "quic binding v4 created")
+	}
+
+	ipv6Func := func() {
+		if bindv6Present {
+			return
+		}
+		errFrontendBindCreate := h.FrontendBindCreate(h.FrontHTTPS, models.Bind{
+			Address: func() (addr string) {
+				addr = "quic6@" + q.AddrIPv6
+				return
+			}(),
+			Port: utils.PtrInt64(q.Port),
+			BindParams: models.BindParams{
+				Name:           QUIC6BIND,
+				Ssl:            true,
+				SslCertificate: q.CertDir,
+				Alpn:           "h3",
+			},
+		})
+		errs.Add(errFrontendBindCreate)
+		instance.ReloadIf(errFrontendBindCreate == nil, "quic binding v6 created")
+	}
+
+	ipv4DeleteFunc := func() {
+		if !bindv4Present {
+			return
+		}
+		errFrontendBindDelete := h.FrontendBindDelete(h.FrontHTTPS, QUIC4BIND)
+		errs.Add(errFrontendBindDelete)
+		instance.ReloadIf(errFrontendBindDelete == nil, "quic binding v4 removed")
+	}
+
+	ipv6DeleteFunc := func() {
+		if !bindv6Present {
+			return
+		}
+		errFrontendBindDelete := h.FrontendBindDelete(h.FrontHTTPS, QUIC6BIND)
+		errs.Add(errFrontendBindDelete)
+		instance.ReloadIf(errFrontendBindDelete == nil, "quic binding v6 removed")
+	}
+
+	maxAge := common.GetValue("quic-alt-svc-max-age", k.ConfigMaps.Main.Annotations)
+	updatedMaxAge := maxAge != q.MaxAge
+	if updatedMaxAge {
+		instance.Reload("quic max age updated from %s to %s", q.MaxAge, maxAge)
+		q.MaxAge = maxAge
+	}
+
+	nsSslCertificateAnn, nameSslCertificateAnn, err := common.GetK8sPath("ssl-certificate", k.ConfigMaps.Main.Annotations)
+	if err != nil || (nameSslCertificateAnn == "") {
+		errs.Add(err)
+		ipv4Func = ipv4DeleteFunc
+		ipv6Func = ipv6DeleteFunc
+	} else {
+		namespaceSslCertificate := k.Namespaces[nsSslCertificateAnn]
+		var sslSecret *store.Secret
+		if namespaceSslCertificate != nil {
+			sslSecret = namespaceSslCertificate.Secret[nameSslCertificateAnn]
+		}
+
+		if sslSecret == nil || sslSecret.Status == store.DELETED {
+			ipv4Func = ipv4DeleteFunc
+			ipv6Func = ipv6DeleteFunc
+		} else {
+			logger.Debug("quic redirect rule to be created")
+			errs.Add(h.AddRule(h.FrontHTTPS, rules.RequestRedirectQuic{}, false))
+			logger.Debug("quic set header rule to be created")
+			errs.Add(h.AddRule(h.FrontHTTPS, rules.SetHdr{
+				HdrName:   "alt-svc",
+				Response:  true,
+				HdrFormat: fmt.Sprintf("\"h3=\\\":%d\\\";ma="+maxAge+";\"", q.QuicAnnouncePort),
+			}, false))
+		}
+	}
+
+	if q.IPv4 {
+		ipv4Func()
+	}
+
+	if q.IPv6 {
+		ipv6Func()
+	}
+
+	return
+}
diff --git a/pkg/haproxy/api/api.go b/pkg/haproxy/api/api.go
@@ -51,6 +51,7 @@ type HAProxyClient interface { //nolint:interfacebloat
 	FrontendBindsGet(frontend string) (models.Binds, error)
 	FrontendBindCreate(frontend string, bind models.Bind) error
 	FrontendBindEdit(frontend string, bind models.Bind) error
+	FrontendBindDelete(frontend string, bind string) error
 	FrontendHTTPRequestRuleCreate(frontend string, rule models.HTTPRequestRule, ingressACL string) error
 	FrontendHTTPResponseRuleCreate(frontend string, rule models.HTTPResponseRule, ingressACL string) error
 	FrontendTCPRequestRuleCreate(frontend string, rule models.TCPRequestRule, ingressACL string) error

diff --git a/pkg/haproxy/api/frontend.go b/pkg/haproxy/api/frontend.go
@@ -156,6 +156,15 @@ func (c *clientNative) FrontendBindEdit(frontend string, bind models.Bind) error
 	return configuration.EditBind(bind.Name, "frontend", frontend, &bind, c.activeTransaction, 0)
 }
 
+func (c *clientNative) FrontendBindDelete(frontend string, bind string) error {
+	configuration, err := c.nativeAPI.Configuration()
+	if err != nil {
+		return err
+	}
+	c.activeTransactionHasChanges = true
+	return configuration.DeleteBind(bind, "frontend", frontend, c.activeTransaction, 0)
+}
+
 func (c *clientNative) FrontendHTTPRequestRuleCreate(frontend string, rule models.HTTPRequestRule, ingressACL string) error {
 	configuration, err := c.nativeAPI.Configuration()
 	if err != nil {

diff --git a/pkg/haproxy/env/defaults.go b/pkg/haproxy/env/defaults.go
@@ -68,6 +68,7 @@ func SetGlobal(global *models.Global, logTargets *models.LogTargets, env Env) {
 	global.DefaultPath = &models.GlobalDefaultPath{
 		Type: "config",
 	}
+	global.LimitedQuic = true
 }
 
 // SetDefaults will set default values for Defaults section config.