tf added new nlb and route53 entry for vpro cloud orch (#703)

palade · sunil-parida · web-flow · commit 2ceb3a51f109 · 2025-08-21T07:05:39.000Z
Co-authored-by: Sunil Parida &lt;sunil.kumar.parida@intel.com&gt;
diff --git a/pod-configs/module/orch-route53/main.tf b/pod-configs/module/orch-route53/main.tf
@@ -7,6 +7,7 @@ locals {
   traefik_lb_name  = substr(sha256("${var.orch_name}-traefik"), 0, 32)
   argocd_lb_name   = substr(sha256("${var.orch_name}-argocd"), 0, 32)
   traefik2_lb_name = substr(sha256("${var.orch_name}-traefik2"), 0, 32)
+  traefik3_lb_name = substr(sha256("${var.orch_name}-traefik3"), 0, 32)
 }
 
 data "aws_route53_zone" "parent_public" {
@@ -85,6 +86,11 @@ data "aws_lb" "traefik2" {
   name  = "${local.traefik2_lb_name}"
 }
 
+data "aws_lb" "traefik3" {
+  count = var.lb_created ? 1 : 0
+  name  = "${local.traefik3_lb_name}"
+}
+
 resource "aws_route53_record" "traetik_public" {
   depends_on   = [aws_route53_zone.orch_public]
   count        = var.lb_created ? 1 : 0
@@ -197,6 +203,34 @@ resource "aws_route53_record" "traefik2_private" {
   }
 }
 
+resource "aws_route53_record" "traefik3_public" {
+  depends_on   = [aws_route53_zone.orch_public]
+  count        = var.lb_created ? 1 : 0
+  zone_id      = var.create_root_domain ? aws_route53_zone.orch_public[0].zone_id : data.aws_route53_zone.orch_public[0].zone_id
+  name         = "traefik3.${local.orch_zone}"
+  type         = "A"
+
+  alias {
+    name                   = data.aws_lb.traefik3[count.index].dns_name
+    evaluate_target_health = true
+    zone_id                = data.aws_lb.traefik3[count.index].zone_id
+  }
+}
+
+resource "aws_route53_record" "traefik3_private" {
+  depends_on   = [aws_route53_zone.orch_private]
+  count        = var.lb_created ? 1 : 0
+  zone_id      = var.create_root_domain ? aws_route53_zone.orch_private[0].zone_id : data.aws_route53_zone.orch_private[0].zone_id
+  name         = "traefik3.${local.orch_zone}"
+  type         = "A"
+
+  alias {
+    name                   = data.aws_lb.traefik3[count.index].dns_name
+    evaluate_target_health = true
+    zone_id                = data.aws_lb.traefik3[count.index].zone_id
+  }
+}
+
 resource "aws_route53_record" "public_hostname" {
   for_each = toset(var.hostname)
   name     = "${each.value}.${local.orch_zone}"
@@ -232,3 +266,21 @@ resource "aws_route53_record" "private_hostname_traefik2" {
   type     = "CNAME"
   records  = ["traefik2.${local.orch_zone}"]
 }
+
+resource "aws_route53_record" "public_hostname_traefik3" {
+  for_each = toset(var.traefik3_hostname)
+  name     = "${each.value}.${local.orch_zone}"
+  zone_id  = var.create_root_domain ? aws_route53_zone.orch_public[0].zone_id : data.aws_route53_zone.orch_public[0].zone_id
+  ttl      = 900
+  type     = "CNAME"
+  records  = ["traefik3.${local.orch_zone}"]
+}
+
+resource "aws_route53_record" "private_hostname_traefik3" {
+  for_each = toset(var.traefik3_hostname)
+  name     = "${each.value}.${local.orch_zone}"
+  zone_id  = var.create_root_domain ? aws_route53_zone.orch_private[0].zone_id : data.aws_route53_zone.orch_private[0].zone_id
+  ttl      = 900
+  type     = "CNAME"
+  records  = ["traefik3.${local.orch_zone}"]
+}
diff --git a/pod-configs/module/orch-route53/variable.tf b/pod-configs/module/orch-route53/variable.tf
@@ -39,7 +39,6 @@ variable "hostname" {
     "log-query",
     "metadata",
     "metrics-node",
-    "mps",
     "mps-wss",
     "observability-admin",
     "observability-ui",
@@ -68,6 +67,12 @@ variable "traefik2_hostname" {
     "tinkerbell-nginx"]
 }
 
+variable "traefik3_hostname" {
+  type    = list(string)
+  default = [
+    "mps"]
+}
+
 variable "lb_created" {
   type        = bool
   description = "Whether the LBs for the Orchestrator are created. The CNAME of {orch_name}.{parent_zone} will be created if it is true."
diff --git a/pod-configs/orchestrator/orch-load-balancer/README.md b/pod-configs/orchestrator/orch-load-balancer/README.md
@@ -20,6 +20,7 @@ This module defines the following:
 
 - **Traefik ALB**: Main application load balancer for HTTP/HTTPS traffic
 - **Traefik2 NLB**: Optional network load balancer (created when `create_traefik2_load_balancer = true`)
+- **Traefik3 NLB**: Optional network load balancer for vPRO (created when `create_traefik3_load_balancer = true`)
 - **ArgoCD ALB**: Optional dedicated load balancer for ArgoCD and Gitea (created when `create_argocd_load_balancer = true`)
 
 ### Security
diff --git a/pod-configs/orchestrator/orch-load-balancer/main.tf b/pod-configs/orchestrator/orch-load-balancer/main.tf
@@ -95,6 +95,16 @@ locals {
       enable_health_check = true
     }
   }
+
+  vpro_ports = {
+    "vpro" : {
+      listen              = 4433
+      target              = 4433
+      type                = "ip"
+      protocol            = "TCP"
+      enable_health_check = true
+    }
+  }
 }
 
 module "traefik_load_balancer" {
@@ -125,6 +135,21 @@ module "traefik2_load_balancer" {
   enable_deletion_protection = var.enable_deletion_protection
 }
 
+module "traefik3_load_balancer" {
+  count = var.create_traefik3_load_balancer ? 1 : 0
+
+  source                     = "../../module/load-balancer"
+  name                       = "traefik3"
+  type                       = "network"
+  internal                   = var.internal
+  vpc_id                     = local.vpc_id
+  cluster_name               = var.cluster_name
+  subnets                    = local.public_subnet_ids
+  ip_allow_list              = local.ip_allow_list
+  ports                      = local.vpro_ports
+  enable_deletion_protection = var.enable_deletion_protection
+}
+
 # This block executes only when `create_argocd_load_balancer` is set to true
 # Dedicated load balancer is necessary for integration env
 module "argocd_load_balancer" {
@@ -166,6 +191,12 @@ module "traefik_lb_target_group_binding" {
       servicePort      = 443
       target_id        = module.traefik2_load_balancer[0].target_groups["https"].arn
     },
+    "traefik-vpro" : {
+      serviceNamespace = "orch-gateway"
+      serviceName      = "traefik"
+      servicePort      = 4433
+      target_id        = module.traefik3_load_balancer[0].target_groups["vpro"].arn
+    },
     "argocd" : {
       serviceNamespace = "argocd"
       serviceName      = "argocd-server"
@@ -200,6 +231,10 @@ module "aws_lb_security_group_roles" {
     "gitea": {
       port = 3000,
       security_group_id = module.argocd_load_balancer[0].lb_sg_id
+    },
+    "vpro": {
+      port = 4433,
+      security_group_id = module.traefik3_load_balancer[0].lb_sg_id
     }
   }
 }
diff --git a/pod-configs/orchestrator/orch-load-balancer/variable.tf b/pod-configs/orchestrator/orch-load-balancer/variable.tf
@@ -48,6 +48,12 @@ variable "create_traefik2_load_balancer" {
   default     = true
 }
 
+variable "create_traefik3_load_balancer" {
+  type        = bool
+  description = "Set true to create dedicated load balancer for traefik3"
+  default     = true
+}
+
 variable "create_argocd_load_balancer" {
   type        = bool
   description = "Set true to create dedicated load balancer for infra service like ArgoCD and Gitea"
