open-edge-platform · sandeepbh5 · Jan 29, 2026 · Jan 29, 2026 · Jan 29, 2026 · Jan 29, 2026
@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# HAProxy Ingress for Tinkerbell service (wave 1300+, after tinkerbell service exists)
+commonName: tinkerbell-nginx.{{ .Values.argo.clusterDomain }}
@@ -0,0 +1,159 @@
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+kind: Deployment
+replicaCount: 1
+
+image:
+  repository: haproxytech/haproxy-alpine
+  pullPolicy: IfNotPresent
+
+# HAProxy daemon configuration
+# ref: https://www.haproxy.org/download/2.6/doc/configuration.txt
+# https://wiki.mozilla.org/Security/Server_Side_TLS
+# The first cipher suite below is approved to be used by BIOS in the EN; it is NOT available in the Golang crypto library.
+# The remaining three cipher suites are approved for all other clients.
+config: |
+  global
+    log stdout format raw local0
+    maxconn 2048
+    ssl-default-bind-ciphers DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384
+    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+    tune.ssl.default-dh-param 2048
+
+  resolvers kube_resolver
+    nameserver kube_dns 10.96.0.10:53
+    accepted_payload_size 8192
+    hold valid 10s
+    hold nx 5s
+    hold refused 5s
+    hold timeout 5s
+    hold other 30s
+
+  defaults
+    log global
+    mode http
+    option httplog
+    option dontlognull
+    timeout connect 5000
+    timeout client 50000
+    timeout server 50000
+    option forwardfor except 127.0.0.0/8
+    option http-server-close
+    # Rate limiting configuration
+    # Return 429 Too Many Requests for rate-limited connections
+    errorfile 429 /usr/local/etc/haproxy/includes/429.http
+
+  frontend fe_main
+    bind :80
+    mode http
+    option httpclose
+    option forwardfor
+    # Rate limiting: store client IP in stick-table (limits per IP address)
+    # Track IP for connection rate limiting (100 connections per 10 seconds)
+    stick-table type ip size 100k expire 10s store conn_cur,conn_rate(10s),http_req_rate(10s)
+    http-request track-sc0 src
+    # Reject if connection rate exceeds 100 connections per 10 seconds
+    http-request deny status 429 if { sc_conn_cur(0) gt 100 }
+    # Reject if request rate exceeds 1000 requests per 10 seconds
+    http-request deny status 429 if { sc_http_req_rate(0) gt 1000 }
+    # Route health checks to stats endpoint
+    use_backend be_health if { path -i /health }
+    default_backend be_main
+
+  backend be_main
+    mode http
+    balance roundrobin
+    option http-server-close
+    # URL rewriting: strip /tink-stack prefix from requests
+    # This matches nginx rewrite-target: /$2 behavior
+    # Example: /tink-stack/v1/api → /v1/api at backend
+    http-request set-path %[path,regsub(^/tink-stack/,/)] if { path_beg /tink-stack/ }
+    http-request set-path / if { path -i /tink-stack }
+    # Route to tinkerbell service (handles Kubernetes service discovery)
+    # Use dynamic DNS resolution to handle service startup timing issues
+    # check inter 5s fall 3 rise 2 enabled waits for service to be available
+    server tinkerbell tinkerbell.orch-infra.svc.cluster.local:8080 resolvers kube_resolver check inter 5s fall 3 rise 2
+
+  # Health check endpoint for Kubernetes probes
+  backend be_health
+    mode http
+    stats enable
+    stats uri /health
+    stats refresh 10s
+
+# Hardcoded DH parameters file (mounted via includes)
+# Base64-decoded from ingress-nginx configuration
+includes:
+  dhparam.pem: |
+    -----BEGIN DH PARAMETERS-----
+    MIICCAKCAgEAtOOs/XUE+A0/TmQuUnVSuRSo8KK9qfias1H8TVdPfeD3Nl0o/4Km
+    OBFG62ODsvb9E1m3axcLvBlZJ9M/4baQzn9XxDmUrl0xcHwmFekvWLCOs2ldRqtA
+    jZ2hpSyMmKnwlVBAjmhxxjFRdvVl215P3PV2Gf8KenGz8PUFzFkQD4ts5h9783sE
+    2ZERrSjqqHArV9ML2l3fAqHA/TRLFWNZhgmPJrabpg5rRkJqhs6onxfpIQ+I56ND
+    g+bPm/0OW78wauuqLNo43kCtx1tU+tQfwYtxLS5cHbRGRAC3nu+C3wsgUt1FXsdq
+    PMM6abqObPVaM7+GnDRgFppgwEb/5mysum9sfq8ryeqn0MagiKEGoFZC4vgcZs8T
+    I9SO2YYLQVr+mdbpvftuQKYbY1Thqj9JTOqdPMvcEsHaw9L7hTFuE7K9w/tAZED
+    URQxIhULPmhr+tHXnkbS2FG4yXgUgkYIEcDLcE6MpkBR+Qy6KSQtjAFoNkAqAH2U
+    /5pq29H2+l8HkjHBhTKwqZGv0+oYFZ4PYHkqiyuHGdF/CR3IgI80Gu/akTEophqP
+    QroSxdSBSKZjTnfaFyA++UFXr0Xe7bikiq0eNYrjrA559ZPK6kLVrkbP04hUs5fa
+    ujYbCPE4rMUsEfw/AMukSysuVlhsoWa16P+VejmOA2fQvp2ENCNq/c6M68CAQE=
+    -----END DH PARAMETERS-----
+  429.http: |
+    HTTP/1.1 429 Too Many Requests
+    Content-Type: text/plain
+    Content-Length: 18
+
+    Too Many Requests
+
+# Service configuration
+# ref: https://kubernetes.io/docs/concepts/services-networking/service/
+service:
+  type: ClusterIP
+  annotations: {}
+  nodePorts: {}
+    # http: 32080
+    # https: 32443
+
+resources: null
+
+securityContext:
+  runAsNonRoot: false
+  runAsUser: 0
+  allowPrivilegeEscalation: true
+  capabilities:
+    drop:
+      - ALL
+    add:
+      - NET_BIND_SERVICE
+  seccompProfile:
+    type: RuntimeDefault
+
+livenessProbe:
+  failureThreshold: 3
+  initialDelaySeconds: 10
+  periodSeconds: 10
+  successThreshold: 1
+  httpGet:
+    path: /health
+    port: 80
+  timeoutSeconds: 1
+
+readinessProbe:
+  failureThreshold: 3
+  initialDelaySeconds: 5
+  periodSeconds: 5
+  successThreshold: 1
+  httpGet:
+    path: /health
+    port: 80
+  timeoutSeconds: 1
+
+# Additional secrets to mount as volumes
+# This is expected to be an array of dictionaries specifying the volume name, secret name and mount path
+mountedSecrets:
+  - volumeName: tls-boots
+    secretName: tls-boots
+    mountPath: /usr/local/etc/ssl/certs
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+commonName: tinkerbell-nginx.{{ .Values.argo.clusterDomain }}
+# HAProxy Ingress for Tinkerbell - created after tinkerbell service exists
+haproxyIngress:
+  enabled: true
@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+controller:
+{{- if eq .Values.argo.traefikSvcType "NodePort" }}
+  service:
+    type: NodePort
+    nodePorts:
+      https: 31443
+{{- end}}
+{{- if .Values.argo.resources.ingressHaproxy.controller.root }}
+  resources:
+    {{- toYaml .Values.argo.resources.ingressHaproxy.controller.root | nindent 4 }}
+{{- else }}
+  resources: null
+{{- end }}
+  admissionWebhooks:
+    createSecretJob:
+{{- if .Values.argo.resources.ingressHaproxy.controller.admissionWebhooks.createSecretJob }}
+      resources:
+        {{- toYaml .Values.argo.resources.ingressHaproxy.controller.admissionWebhooks.createSecretJob | nindent 8 }}
+{{- else }}
+      resources: null
+{{- end }}
@@ -4,11 +4,7 @@
 
 # Common name and DNS SAN of the self-signed TLS certificate
 commonName: tinkerbell-nginx.{{ .Values.argo.clusterDomain }}
-nginxIngressRateLimit:
-{{- if .Values.argo.nginxIngressRate }}
-  rps: {{ .Values.argo.nginxIngressRate.rps | default 500 }}
-  connections: {{ .Values.argo.nginxIngressRate.connections | default 70}}
-{{- else }}
-  rps: 500
-  connections: 70
-{{- end }}
+# Enable HAProxy ingress instead of nginx
+# Disabled at wave 1100 - cert/issuer only. Ingress created separately at wave 1300+
+haproxyIngress:
+  enabled: false
@@ -5,7 +5,7 @@
 {{- $appName        := "copy-ca-cert-boots-to-infra" }}
 {{- $chartName      := "copy-secret" }}
 {{- $namespace      := "orch-infra" }}
-{{- $syncWave       := "1400" }}
+{{- $syncWave       := "1120" }}
 ---
 {{- if (index .Values.argo.enabled $appName) }}
 apiVersion: argoproj.io/v1alpha1

@@ -0,0 +1,52 @@
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{{- $appName        := "haproxy-ingress-tinkerbell" }}
+{{- $namespace      := "orch-infra" }}
+{{- $syncWave       := "1300" }}
+---
+{{- if (index .Values.argo.enabled $appName) }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "{{ $syncWave }}"
+  name: {{$appName}}
+  namespace: {{ required "A valid namespace entry required!" .Values.argo.namespace }}
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: {{ required "A valid projectName entry required!" .Values.argo.project }}
+  sources:
+    - repoURL: https://github.com/open-edge-platform/orch-utils.git
+      path: charts/{{$appName}}
+      targetRevision: tmp-nginx2haproxy
+      helm:
+        releaseName: {{$appName}}
+        valuesObject:
+          {{- $customFile := printf "custom/%s.tpl" $appName }}
+          {{- $customConfig := tpl (.Files.Get $customFile) . | fromYaml }}
+          {{- $baseFile := printf "configs/%s.yaml" $appName }}
+          {{- $baseConfig := .Files.Get $baseFile|fromYaml}}
+          {{- $overwrite := (get .Values.postCustomTemplateOverwrite $appName ) | default dict }}
+          {{- mergeOverwrite $baseConfig $customConfig $overwrite | toYaml | nindent 10 }}
+  destination:
+    namespace: {{$namespace}}
+    server: {{ required "A valid targetServer entry required!" .Values.argo.targetServer }}
+  syncPolicy:
+    {{- if .Values.argo.autosync }}
+    automated:
+      prune: true
+      selfHeal: true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        maxDuration: 3m0s
+        factor: 2
+    {{- end }}
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+{{- end }}
@@ -4,7 +4,7 @@
 
 {{- $appName        := "infra-core" }}
 {{- $namespace      := "orch-infra" }}
-{{- $syncWave       := "2000" }}
+{{- $syncWave       := "1000" }}
 ---
 {{- if (index .Values.argo.enabled $appName) }}
 apiVersion: argoproj.io/v1alpha1

@@ -4,7 +4,7 @@
 
 {{- $appName        := "infra-onboarding" }}
 {{- $namespace      := "orch-infra" }}
-{{- $syncWave       := "2100" }}
+{{- $syncWave       := "1150" }}
 ---
 {{- if (index .Values.argo.enabled $appName) }}
 apiVersion: argoproj.io/v1alpha1

@@ -0,0 +1,52 @@
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{{- $appName        := "ingress-haproxy" }}
+{{- $namespace      := "orch-boots" }}
+{{- $syncWave       := "1100" }}
+---
+{{- if (index .Values.argo.enabled $appName) }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "{{ $syncWave }}"
+  name: {{$appName}}
+  namespace: {{ required "A valid namespace entry required!" .Values.argo.namespace }}
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: {{ required "A valid projectName entry required!" .Values.argo.project }}
+  sources:
+    - repoURL: https://haproxytech.github.io/helm-charts
+      chart: haproxy
+      targetRevision: 1.27.0
+      helm:
+        releaseName: {{$appName}}
+        valuesObject:
+          {{- $customFile := printf "custom/%s.tpl" $appName }}
+          {{- $customConfig := tpl (.Files.Get $customFile) . | fromYaml }}
+          {{- $baseFile := printf "configs/%s.yaml" $appName }}
+          {{- $baseConfig := .Files.Get $baseFile|fromYaml}}
+          {{- $overwrite := (get .Values.postCustomTemplateOverwrite $appName ) | default dict }}
+          {{- mergeOverwrite $baseConfig $customConfig $overwrite | toYaml | nindent 10 }}
+  destination:
+    namespace: {{$namespace}}
+    server: {{ required "A valid targetServer entry required!" .Values.argo.targetServer }}
+  syncPolicy:
+    {{- if .Values.argo.autosync }}
+    automated:
+      prune: true
+      selfHeal: true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        maxDuration: 3m0s
+        factor: 2
+    {{- end }}
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+{{- end }}
@@ -4,7 +4,7 @@
 
 {{- $appName        := "nginx-ingress-pxe-boots" }}
 {{- $namespace      := "orch-boots" }}
-{{- $syncWave       := "1200" }}
+{{- $syncWave       := "1100" }}
 ---
 {{- if (index .Values.argo.enabled $appName) }}
 apiVersion: argoproj.io/v1alpha1
@@ -19,9 +19,9 @@ metadata:
 spec:
   project: {{ required "A valid projectName entry required!" .Values.argo.project }}
   sources:
-    - repoURL: {{ required "A valid chartRepoURL entry required!" .Values.argo.chartRepoURL }}
-      chart: common/charts/{{$appName}}
-      targetRevision: 25.2.1
+    - repoURL: https://github.com/open-edge-platform/orch-utils.git
+      path: charts/{{$appName}}
+      targetRevision: tmp-nginx2haproxy
       helm:
         releaseName: {{$appName}}
         valuesObject: