18 commits
367c483
feat: Add HAProxy Ingress controller configuration
sandeepbh5 Jan 29, 2026
c8f04d1
Merge branch 'main' into tmp-ingress2haprxy
sandeepbh5 Jan 29, 2026
672f171
chore: Update dev cluster to track tmp-ingress2haprxy branch for testing
sandeepbh5 Jan 29, 2026
2f679b2
fix resource error
punam20 Jan 29, 2026
a321c0c
fix: Correct HAProxy configuration syntax and security context
sandeepbh5 Jan 29, 2026
27bc9a5
fix: Make HTTPS binding optional and fix HTTP 429 content-length
sandeepbh5 Jan 29, 2026
94c73d0
fix: Complete HAProxy configuration with working backend routing
sandeepbh5 Jan 29, 2026
b160790
fix: Enhance HAProxy configuration with improved resolver settings an…
sandeepbh5 Jan 29, 2026
b22770e
fix: Remove nginx ingress rate limit configuration and enable HAProxy…
sandeepbh5 Jan 29, 2026
0e1b544
fix: Reorder infra-onboarding sync wave to deploy before nginx-ingres…
sandeepbh5 Jan 29, 2026
12ea713
fix: Correct sync wave ordering for certificate dependency chain
sandeepbh5 Jan 29, 2026
275bc6d
feat: Add HAProxy Ingress configuration for Tinkerbell service
sandeepbh5 Jan 30, 2026
c87d1bf
Update haproxy-ingress-tinkerbell.yaml
punam20 Jan 30, 2026
4f49349
Update haproxy-ingress-tinkerbell.yaml
punam20 Jan 30, 2026
1fd0a0b
Merge branch 'main' into tmp-ingress2haprxy
punam20 Jan 30, 2026
0696dd8
Update haproxy-ingress-tinkerbell.tpl
punam20 Jan 30, 2026
14ccea2
fix: Move copy-ca-cert-boots-to-infra from 1400 → 1120 to create boot…
sandeepbh5 Jan 30, 2026
8419b39
fix: Revert orch-svc-serviceaccount app, rely on infra-core wave 1000
sandeepbh5 Jan 30, 2026
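--- a/argocd/applications/configs/haproxy-ingress-tinkerbell.yaml
+++ b/argocd/applications/configs/haproxy-ingress-tinkerbell.yaml
@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# HAProxy Ingress for Tinkerbell service (wave 1300+, after tinkerbell service exists)
+commonName: tinkerbell-nginx.{{ .Values.argo.clusterDomain }}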
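Review bot: `commonName` in this configs file embeds `{{ .Values.argo.clusterDomain }}`, but as far as the Application template further down shows, the base config is loaded with `.Files.Get ... | fromYaml` and only the custom file goes through `tpl`, so the placeholder stays a literal string here. It is masked today because custom/haproxy-ingress-tinkerbell.tpl sets the same key and `mergeOverwrite` lets the custom value win; if that line is ever dropped, the certificate's CN becomes the literal text. Either remove the key from this file or keep a plain default with a comment such as `# overridden by custom/haproxy-ingress-tinkerbell.tpl, which is the templated copy`.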
159 changes: 159 additions & 0 deletions argocd/applications/configs/ingress-haproxy.yaml
@@ -0,0 +1,159 @@
# SPDX-FileCopyrightText: 2025 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0

---
kind: Deployment
replicaCount: 1

image:
repository: haproxytech/haproxy-alpine
pullPolicy: IfNotPresent

# HAProxy daemon configuration
# ref: https://www.haproxy.org/download/2.6/doc/configuration.txt
# https://wiki.mozilla.org/Security/Server_Side_TLS
# The first cipher suite below is approved to be used by BIOS in the EN; it is NOT available in the Golang crypto library.
# The remaining three cipher suites are approved for all other clients.
config: |
global
log stdout format raw local0
maxconn 2048
ssl-default-bind-ciphers DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
tune.ssl.default-dh-param 2048

resolvers kube_resolver
nameserver kube_dns 10.96.0.10:53
accepted_payload_size 8192
hold valid 10s
hold nx 5s
hold refused 5s
hold timeout 5s
hold other 30s

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
option forwardfor except 127.0.0.0/8
option http-server-close
# Rate limiting configuration
# Return 429 Too Many Requests for rate-limited connections
errorfile 429 /usr/local/etc/haproxy/includes/429.http

frontend fe_main
bind :80
mode http
option httpclose
option forwardfor
# Rate limiting: store client IP in stick-table (limits per IP address)
# Track IP for connection rate limiting (100 connections per 10 seconds)
stick-table type ip size 100k expire 10s store conn_cur,conn_rate(10s),http_req_rate(10s)
http-request track-sc0 src
# Reject if connection rate exceeds 100 connections per 10 seconds
http-request deny status 429 if { sc_conn_cur(0) gt 100 }
# Reject if request rate exceeds 1000 requests per 10 seconds
http-request deny status 429 if { sc_http_req_rate(0) gt 1000 }
# Route health checks to stats endpoint
use_backend be_health if { path -i /health }
default_backend be_main

backend be_main
mode http
balance roundrobin
option http-server-close
# URL rewriting: strip /tink-stack prefix from requests
# This matches nginx rewrite-target: /$2 behavior
# Example: /tink-stack/v1/api → /v1/api at backend
http-request set-path %[path,regsub(^/tink-stack/,/)] if { path_beg /tink-stack/ }
http-request set-path / if { path -i /tink-stack }
# Route to tinkerbell service (handles Kubernetes service discovery)
# Use dynamic DNS resolution to handle service startup timing issues
# check inter 5s fall 3 rise 2 enabled waits for service to be available
server tinkerbell tinkerbell.orch-infra.svc.cluster.local:8080 resolvers kube_resolver check inter 5s fall 3 rise 2

# Health check endpoint for Kubernetes probes
backend be_health
mode http
stats enable
stats uri /health
stats refresh 10s

# Hardcoded DH parameters file (mounted via includes)
# Base64-decoded from ingress-nginx configuration
includes:
dhparam.pem: |
-----BEGIN DH PARAMETERS-----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=
-----END DH PARAMETERS-----
429.http: |
HTTP/1.1 429 Too Many Requests
Content-Type: text/plain
Content-Length: 18

Too Many Requests

# Service configuration
# ref: https://kubernetes.io/docs/concepts/services-networking/service/
service:
type: ClusterIP
annotations: {}
nodePorts: {}
# http: 32080

# https: 32443

resources: null

securityContext:
runAsNonRoot: false
runAsUser: 0
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
seccompProfile:
type: RuntimeDefault

livenessProbe:
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
httpGet:
path: /health
port: 80
timeoutSeconds: 1

readinessProbe:
failureThreshold: 3
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
httpGet:
path: /health
port: 80
timeoutSeconds: 1

# Additional secrets to mount as volumes
# This is expected to be an array of dictionaries specifying the volume name, secret name and mount path
mountedSecrets:
- volumeName: tls-boots
secretName: tls-boots
mountPath: /usr/local/etc/ssl/certs
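Review bot: The `securityContext` runs HAProxy as root (`runAsNonRoot: false`, `runAsUser: 0`) with `allowPrivilegeEscalation: true`, which undoes the `drop: ALL` / `add: NET_BIND_SERVICE` restriction right below it; binding :80 needs only that capability, so `runAsNonRoot: true`, a non-zero `runAsUser` and `allowPrivilegeEscalation: false` should be enough (confirm the image's unprivileged user, or bind a high port and let the Service target it). `backend be_health` serves the HAProxy stats page (backend names, server addresses, counters) to any client that can reach `/health` on :80; a `monitor-uri /health` line in `fe_main` gives the probes a content-free 200 and lets the `use_backend be_health` line and the stats backend go. The `tls-boots` secret is mounted under /usr/local/etc/ssl/certs, but nothing in `config` binds with `ssl crt`, so TLS key material is placed in the pod without a consumer and the `ssl-default-bind-*` lines are dead until an HTTPS bind exists — drop the mount until then. The comment above the stick-table promises 100 connections per 10 seconds, but the rule checks `sc_conn_cur(0)` (concurrent connections) and the stored `conn_rate(10s)` is never read; use `sc_conn_rate(0) gt 100` or reword the comment. Note also that `track-sc0 src` sees whatever address reaches the pod, which behind a ClusterIP/NodePort Service is often a node or kube-proxy address rather than the client, so the limits may apply to all clients collectively — verify against the Service's externalTrafficPolicy.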
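--- a/argocd/applications/custom/haproxy-ingress-tinkerbell.tpl
+++ b/argocd/applications/custom/haproxy-ingress-tinkerbell.tpl
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+commonName: tinkerbell-nginx.{{ .Values.argo.clusterDomain }}
+# HAProxy Ingress for Tinkerbell - created after tinkerbell service exists
+haproxyIngress:
+enabled: true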
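--- a/argocd/applications/custom/ingress-haproxy.tpl
+++ b/argocd/applications/custom/ingress-haproxy.tpl
@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+controller:
+{{- if eq .Values.argo.traefikSvcType "NodePort" }}
+service:
+type: NodePort
+nodePorts:
+https: 31443
+{{- end}}
+{{- if .Values.argo.resources.ingressHaproxy.controller.root }}
+resources:
+{{- toYaml .Values.argo.resources.ingressHaproxy.controller.root | nindent 4 }}
+{{- else }}
+resources: null
+{{- end }}
+admissionWebhooks:
+createSecretJob:
+{{- if .Values.argo.resources.ingressHaproxy.controller.admissionWebhooks.createSecretJob }}
+resources:
+{{- toYaml .Values.argo.resources.ingressHaproxy.controller.admissionWebhooks.createSecretJob | nindent 8 }}
+{{- else }}
+resources: null
+{{- end }}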
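Review bot: Everything in this file is nested under `controller:` while the base configs/ingress-haproxy.yaml for the same app uses top-level `service`, `resources` and `securityContext`, so after `mergeOverwrite` the two files never touch the same keys; the chart named in the Application template is haproxytech's `haproxy` (whose values are top-level), not `kubernetes-ingress` (which uses `controller.*` and `admissionWebhooks`), so the NodePort switch and the resource settings here look like they would be silently ignored — confirm against that chart's values.yaml. `nodePorts.https: 31443` also exposes a port the base `config` never binds (only `bind :80` is present), and the gate key `.Values.argo.traefikSvcType` reads like a leftover from a different controller. If `.Values.argo.resources` can lack `ingressHaproxy`, the `.Values.argo.resources.ingressHaproxy.controller.root` lookup fails at render time with a nil-pointer error instead of reaching the `else` branch; `{{- if dig "ingressHaproxy" "controller" "root" nil .Values.argo.resources }}` degrades to `resources: null` instead.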
12 changes: 4 additions & 8 deletions argocd/applications/custom/nginx-ingress-pxe-boots.tpl
Expand Up @@ -4,11 +4,7 @@

# Common name and DNS SAN of the self-signed TLS certificate
commonName: tinkerbell-nginx.{{ .Values.argo.clusterDomain }}
nginxIngressRateLimit:
{{- if .Values.argo.nginxIngressRate }}
rps: {{ .Values.argo.nginxIngressRate.rps | default 500 }}
connections: {{ .Values.argo.nginxIngressRate.connections | default 70}}
{{- else }}
rps: 500
connections: 70
{{- end }}
# Enable HAProxy ingress instead of nginx
# Disabled at wave 1100 - cert/issuer only. Ingress created separately at wave 1300+
haproxyIngress:
enabled: false
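Review bot: The new comment `# Enable HAProxy ingress instead of nginx` sits directly above `enabled: false`, so a reader first sees an instruction to enable and then a disable; the first line should say what the key is rather than what to do, e.g. `# HAProxy ingress toggle for this chart; off here because this app (wave 1100) only provides the cert/issuer — the ingress comes from haproxy-ingress-tinkerbell at wave 1300+`. With `nginxIngressRateLimit` removed and `haproxyIngress.enabled` false in this values file, any nginx ingress this chart still renders (if it does at the temporary chart branch) has no rate limiting at all; if the nginx controller is meant to stay in service during the transition, that removal is a regression rather than a cleanup. The hunk shows the file from line 4 onward only.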
Expand Up @@ -5,7 +5,7 @@
{{- $appName := "copy-ca-cert-boots-to-infra" }}
{{- $chartName := "copy-secret" }}
{{- $namespace := "orch-infra" }}
{{- $syncWave := "1400" }}
{{- $syncWave := "1120" }}
---
{{- if (index .Values.argo.enabled $appName) }}
apiVersion: argoproj.io/v1alpha1
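--- a/argocd/applications/templates/haproxy-ingress-tinkerbell.yaml
+++ b/argocd/applications/templates/haproxy-ingress-tinkerbell.yaml
@@ -0,0 +1,52 @@
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{{- $appName := "haproxy-ingress-tinkerbell" }}
+{{- $namespace := "orch-infra" }}
+{{- $syncWave := "1300" }}
+---
+{{- if (index .Values.argo.enabled $appName) }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+annotations:
+argocd.argoproj.io/sync-wave: "{{ $syncWave }}"
+name: {{$appName}}
+namespace: {{ required "A valid namespace entry required!" .Values.argo.namespace }}
+finalizers:
+- resources-finalizer.argocd.argoproj.io
+spec:
+project: {{ required "A valid projectName entry required!" .Values.argo.project }}
+sources:
+- repoURL: https://github.com/open-edge-platform/orch-utils.git
+path: charts/{{$appName}}
+targetRevision: tmp-nginx2haproxy
+helm:
+releaseName: {{$appName}}
+valuesObject:
+{{- $customFile := printf "custom/%s.tpl" $appName }}
+{{- $customConfig := tpl (.Files.Get $customFile) . | fromYaml }}
+{{- $baseFile := printf "configs/%s.yaml" $appName }}
+{{- $baseConfig := .Files.Get $baseFile|fromYaml}}
+{{- $overwrite := (get .Values.postCustomTemplateOverwrite $appName ) | default dict }}
+{{- mergeOverwrite $baseConfig $customConfig $overwrite | toYaml | nindent 10 }}
+destination:
+namespace: {{$namespace}}
+server: {{ required "A valid targetServer entry required!" .Values.argo.targetServer }}
+syncPolicy:
+{{- if .Values.argo.autosync }}
+automated:
+prune: true
+selfHeal: true
+retry:
+limit: 5
+backoff:
+duration: 5s
+maxDuration: 3m0s
+factor: 2
+{{- end }}
+syncOptions:
+- CreateNamespace=true
+- ApplyOutOfSyncOnly=true
+{{- end }}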
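Review bot: `targetRevision: tmp-nginx2haproxy` points this Application at a mutable branch of the orch-utils GitHub repository, so every sync pulls whatever that branch holds at the time and stops working once the branch is deleted; pin a tag or full commit SHA before merge. The same branch pin appears in templates/nginx-ingress-pxe-boots.yaml in this PR, where it also replaces the `required`-guarded `.Values.argo.chartRepoURL` source with a direct GitHub pull, so for these two apps the chart origin is no longer the configured repository. Commit 672f171 describes the dev cluster tracking a feature branch for testing, which suggests this is temporary; a `# TODO(review): pin to a released tag before merge` comment above the `targetRevision` line would keep it from slipping through.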
2 changes: 1 addition & 1 deletion argocd/applications/templates/infra-core.yaml
Expand Up @@ -4,7 +4,7 @@

{{- $appName := "infra-core" }}
{{- $namespace := "orch-infra" }}
{{- $syncWave := "2000" }}
{{- $syncWave := "1000" }}
---
{{- if (index .Values.argo.enabled $appName) }}
apiVersion: argoproj.io/v1alpha1
2 changes: 1 addition & 1 deletion argocd/applications/templates/infra-onboarding.yaml
Expand Up @@ -4,7 +4,7 @@

{{- $appName := "infra-onboarding" }}
{{- $namespace := "orch-infra" }}
{{- $syncWave := "2100" }}
{{- $syncWave := "1150" }}
---
{{- if (index .Values.argo.enabled $appName) }}
apiVersion: argoproj.io/v1alpha1
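--- a/argocd/applications/templates/ingress-haproxy.yaml
+++ b/argocd/applications/templates/ingress-haproxy.yaml
@@ -0,0 +1,52 @@
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{{- $appName := "ingress-haproxy" }}
+{{- $namespace := "orch-boots" }}
+{{- $syncWave := "1100" }}
+---
+{{- if (index .Values.argo.enabled $appName) }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+annotations:
+argocd.argoproj.io/sync-wave: "{{ $syncWave }}"
+name: {{$appName}}
+namespace: {{ required "A valid namespace entry required!" .Values.argo.namespace }}
+finalizers:
+- resources-finalizer.argocd.argoproj.io
+spec:
+project: {{ required "A valid projectName entry required!" .Values.argo.project }}
+sources:
+- repoURL: https://haproxytech.github.io/helm-charts
+chart: haproxy
+targetRevision: 1.27.0
+helm:
+releaseName: {{$appName}}
+valuesObject:
+{{- $customFile := printf "custom/%s.tpl" $appName }}
+{{- $customConfig := tpl (.Files.Get $customFile) . | fromYaml }}
+{{- $baseFile := printf "configs/%s.yaml" $appName }}
+{{- $baseConfig := .Files.Get $baseFile|fromYaml}}
+{{- $overwrite := (get .Values.postCustomTemplateOverwrite $appName ) | default dict }}
+{{- mergeOverwrite $baseConfig $customConfig $overwrite | toYaml | nindent 10 }}
+destination:
+namespace: {{$namespace}}
+server: {{ required "A valid targetServer entry required!" .Values.argo.targetServer }}
+syncPolicy:
+{{- if .Values.argo.autosync }}
+automated:
+prune: true
+selfHeal: true
+retry:
+limit: 5
+backoff:
+duration: 5s
+maxDuration: 3m0s
+factor: 2
+{{- end }}
+syncOptions:
+- CreateNamespace=true
+- ApplyOutOfSyncOnly=true
+{{- end }}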
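Review bot: ingress-haproxy is placed at wave 1100, the same wave nginx-ingress-pxe-boots receives in this PR, while its base config mounts the `tls-boots` secret that the nginx-ingress-pxe-boots values describe as the cert/issuer that app provides; if the secret is created in the same wave, the HAProxy pod can sit in ContainerCreating until it appears, which leaves the Deployment Progressing and delays every later wave on a slow cluster — give ingress-haproxy a later wave than the app that creates the secret, or make the mount optional. The source is also `https://haproxytech.github.io/helm-charts` rather than the `required`-guarded `.Values.argo.chartRepoURL` the other apps use, so chart fetches for this app leave the configured repository; fine if intended, but a `# NOTE: pulled from upstream haproxytech repo, not chartRepoURL` beside `repoURL` would record that choice.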
8 changes: 4 additions & 4 deletions argocd/applications/templates/nginx-ingress-pxe-boots.yaml
Expand Up @@ -4,7 +4,7 @@

{{- $appName := "nginx-ingress-pxe-boots" }}
{{- $namespace := "orch-boots" }}
{{- $syncWave := "1200" }}
{{- $syncWave := "1100" }}
---
{{- if (index .Values.argo.enabled $appName) }}
apiVersion: argoproj.io/v1alpha1
Expand All @@ -19,9 +19,9 @@ metadata:
spec:
project: {{ required "A valid projectName entry required!" .Values.argo.project }}
sources:
- repoURL: {{ required "A valid chartRepoURL entry required!" .Values.argo.chartRepoURL }}
chart: common/charts/{{$appName}}
targetRevision: 25.2.1
- repoURL: https://github.com/open-edge-platform/orch-utils.git
path: charts/{{$appName}}
targetRevision: tmp-nginx2haproxy
helm:
releaseName: {{$appName}}
valuesObject: