Adding haproxy and profile for lnxocp03 and removing unused profile for lnxocp04

telpelt · telpelt · commit a7cf9656ac40 · 2023-11-07T15:12:46.000+01:00
diff --git a/libvirt/haproxy/haproxy_lnxocp03.cfg b/libvirt/haproxy/haproxy_lnxocp03.cfg
@@ -0,0 +1,183 @@
+#---------------------------------------------------------------------
+# Configuration for CI environment.
+#---------------------------------------------------------------------
+
+#---------------------------------------------------------------------
+# Global settings
+#---------------------------------------------------------------------
+global
+    log 127.0.0.1:514  local2 info
+    chroot      /var/lib/haproxy
+    pidfile     /var/run/haproxy.pid
+    maxconn     4000
+    user        haproxy
+    group       haproxy
+    daemon
+
+    # turn on stats unix socket
+    stats socket /var/lib/haproxy/stats
+
+    # utilize system-wide crypto-policies
+    ssl-default-bind-ciphers PROFILE=SYSTEM
+    ssl-default-server-ciphers PROFILE=SYSTEM
+
+#---------------------------------------------------------------------
+# common defaults that all the 'listen' and 'backend' sections will
+# use if not designated in their block
+#---------------------------------------------------------------------
+defaults
+    mode                    http
+    log                     global
+    option                  httplog
+    option http-server-close
+
+    option                  redispatch
+    retries                 3
+    timeout http-request    10s
+    timeout queue           1m
+    timeout connect         10s
+    timeout client          1m
+    timeout server          1m
+    timeout http-keep-alive 10s
+    timeout check           10s
+    maxconn                 3000
+
+#---------------------------------------------------------------------
+# API frontend which proxys to the created master nodes
+#---------------------------------------------------------------------
+frontend api-all
+    mode        tcp
+    option      tcplog
+
+    bind        *:6443
+
+    tcp-request inspect-delay 5s
+    tcp-request content accept if { req_ssl_hello_type 1 }
+
+    acl 00-api req_ssl_sni -m end .libvirt-s390x-3-0
+    use_backend masters-00 if 00-api
+
+    acl 00-api-ci req_ssl_sni -m end .libvirt-s390x-3-0.ci
+    use_backend masters-00 if 00-api-ci
+
+    acl 01-api req_ssl_sni -m end .libvirt-s390x-3-1
+    use_backend masters-01 if 01-api
+
+    acl 01-api-ci req_ssl_sni -m end .libvirt-s390x-3-1.ci
+    use_backend masters-01 if 01-api-ci
+
+#---------------------------------------------------------------------
+# HTTP frontend which proxys to the created worker nodes
+#---------------------------------------------------------------------
+frontend http-all
+    bind *:80
+
+    option forwardfor       except 127.0.0.0/8
+
+    acl 00-http hdr(host) -m end .libvirt-s390x-3-0
+    use_backend http-workers-00 if 00-http
+
+    acl 00-http-ci hdr(host) -m end .libvirt-s390x-3-0.ci
+    use_backend http-workers-00 if 00-http-ci
+
+    acl 01-http hdr(host) -m end .libvirt-s390x-3-1
+    use_backend http-workers-01 if 01-http
+
+    acl 01-http-ci hdr(host) -m end .libvirt-s390x-3-1.ci
+    use_backend http-workers-01 if 01-http-ci
+
+#---------------------------------------------------------------------
+# HTTPS frontend which proxys to the created worker nodes
+#---------------------------------------------------------------------
+frontend https-all
+    mode        tcp
+    option      tcplog
+
+    bind        *:443
+
+    tcp-request inspect-delay 5s
+    tcp-request content accept if { req_ssl_hello_type 1 }
+
+    acl 00-https req_ssl_sni -m end .libvirt-s390x-3-0
+    use_backend https-workers-00 if 00-https
+
+    acl 00-https-ci req_ssl_sni -m end .libvirt-s390x-3-0.ci
+    use_backend https-workers-00 if 00-https-ci
+
+    acl 01-https req_ssl_sni -m end .libvirt-s390x-3-1
+    use_backend https-workers-01 if 01-https
+
+    acl 01-https-ci req_ssl_sni -m end .libvirt-s390x-3-1.ci
+    use_backend https-workers-01 if 01-https-ci
+
+#---------------------------------------------------------------------
+# Master node backends for serving API traffic
+#---------------------------------------------------------------------
+backend masters-00
+    mode        tcp
+    balance     roundrobin
+    server      bootstrap 192.168.126.10:6443 check
+    server      master1 192.168.126.11:6443 check
+    server      master2 192.168.126.12:6443 check
+    server      master3 192.168.126.13:6443 check
+backend masters-01
+    mode        tcp
+    balance     roundrobin
+    server      bootstrap 192.168.1.10:6443 check
+    server      master1 192.168.1.11:6443 check
+    server      master2 192.168.1.12:6443 check
+    server      master3 192.168.1.13:6443 check
+
+#---------------------------------------------------------------------
+# Worker node backends for serving HTTP service endpoints
+#---------------------------------------------------------------------
+backend http-workers-00
+    option forwardfor       except 127.0.0.0/8
+    balance     roundrobin
+    server      master1 192.168.126.11:80 check
+    server      master2 192.168.126.12:80 check
+    server      master3 192.168.126.13:80 check
+    server      worker1 192.168.126.51:80 check
+    server      worker2 192.168.126.52:80 check
+backend http-workers-01
+    option forwardfor       except 127.0.0.0/8
+    balance     roundrobin
+    server      master1 192.168.1.11:80 check
+    server      master2 192.168.1.12:80 check
+    server      master3 192.168.1.13:80 check
+    server      worker1 192.168.1.51:80 check
+    server      worker2 192.168.1.52:80 check
+
+#---------------------------------------------------------------------
+# Debug node
+#---------------------------------------------------------------------
+#backend node
+#    option forwardfor       except 127.0.0.0/8
+#    server      node 127.0.0.1:8080 check
+
+#---------------------------------------------------------------------
+# Worker node backends for serving HTTPS service endpoints
+#---------------------------------------------------------------------
+backend https-workers-00
+    mode        tcp
+    balance     roundrobin
+    server      master1 192.168.126.11:443 check
+    server      master2 192.168.126.12:443 check
+    server      master3 192.168.126.13:443 check
+    server      worker1 192.168.126.51:443 check
+    server      worker2 192.168.126.52:443 check
+backend https-workers-01
+    mode        tcp
+    balance     roundrobin
+    server      master1 192.168.1.11:443 check
+    server      master2 192.168.1.12:443 check
+    server      master3 192.168.1.13:443 check
+    server      worker1 192.168.1.51:443 check
+    server      worker2 192.168.1.52:443 check
+
+#---------------------------------------------------------------------
+# Debug node https
+#---------------------------------------------------------------------
+#backend node-https
+#    mode        tcp
+#    server      node 127.0.0.1:8443 check
diff --git a/libvirt/tunnel/profile_lnxocp03.yaml b/libvirt/tunnel/profile_lnxocp03.yaml
@@ -1,14 +1,23 @@
 profile:
   arch: "s390x"
-  cluster_capacity: 0
+  cluster_capacity: 2
   cluster_id: 0
   environment: "bastion-z"
 libvirt:
   bastion-port: 16512
   target-port: 16509
+api:
+  bastion-port: 6446
+  target-port: 6443
 http:
   bastion-port: 8083
   target-port: 80
 https:
   bastion-port: 8446
   target-port: 443
+bastion0ssh:
+  bastion-port: 1076
+  target-port: 22
+bastion1ssh:
+  bastion-port: 1077
+  target-port: 22
