[donotMerge] test Add HAProxy Ingress controller configuration#1383
Closed
sandeepbh5 wants to merge 18 commits into main from
Conversation
- Add ingress-haproxy Application template with haproxytech/haproxy 1.27.0
- Add base HAProxy configuration with URL rewriting and rate limiting
- Add environment-specific overrides template
- Disable ingress-nginx in enable-platform and enable-platform-vpro profiles
- Update nginx-ingress-pxe-boots template condition for new controller

Path rewriting: Maintained via http-request set-path
Rate limiting: Improved from 1 req/sec (nginx) to ~100 req/sec (haproxy) globally

Related to ITEP-84333
- Point deployRepoRevision from 'main' to 'tmp-ingress2haprxy'
- Allows testing of ingress-haproxy migration before merging to main
- Will revert to 'main' after migration is validated
Signed-off-by: Biswal, Punam <punam.biswal@intel.com>
- Remove unsupported 'tune.ssl.dh-param-file' directive (HAProxy 3.2.9 doesn't support it)
- Fix HTTP 429 error page content-length (24 bytes, not 28)
- Fix rate limiting syntax: change 'http-request reject' to 'http-request deny status'
- Add HTTP binding (port 80) in addition to HTTPS (port 443)
- Add security context to satisfy Kyverno restricted policy
- Set runAsNonRoot: false (HAProxy needs to bind to ports 80/443)
- Add NET_BIND_SERVICE capability

These changes fix CrashLoopBackOff errors in HAProxy pod
- Add 'optional' keyword to HTTPS binding to allow startup without cert
- Fix HTTP 429 error page content-length to 18 bytes (actual payload size)
- This allows HAProxy to start on HTTP while certificate is configured separately
Key changes:
- Add document start marker (---)
- Remove HTTPS binding (no certificate available on startup)
- Add tinkerbell service backend: tinkerbell.orch-infra.svc.cluster.local:8080
- Simplify 429 error page (remove Cache-Control and Connection headers)
- Fix content-length for 429 error page to 18 bytes
- Change health probes from tcpSocket:443 to httpGet:/ on port 80
- Fix YAML structure (probes outside securityContext)

This configuration allows HAProxy to:
1. Start without TLS certificate errors
2. Route traffic to tinkerbell service in orch-infra namespace
3. Perform health checks on HTTP port 80
4. Strip /tink-stack prefix and forward to backend
5. Apply rate limiting (1000 req/10s, 100 connections/10s per IP)
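The commits above describe four pieces of HAProxy behaviour (HTTP-only bind, a stick-table rate limit of 1000 requests and 100 connections per 10 s per client IP answered with a 429, a `/tink-stack` prefix strip via `http-request set-path`, and a probe-friendly HTTP endpoint). The following is an added, self-contained configuration written for this page to show those pieces together; it is not the PR's own `haproxy.cfg`. The section names, stick-table size and expiry, the `/healthz` probe path, the 429 body text, and the use of `string` (which makes HAProxy compute Content-Length itself, avoiding the hand-counted errorfile the commits kept correcting) are all assumptions.

```haproxy
global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_tink_stack
    # HTTP only, as in the commits: the HTTPS bind is omitted until a
    # certificate exists, so the pod can start without TLS errors.
    bind *:80

    # Per-client-IP counters over a 10 s window (size/expire are assumptions).
    stick-table type ip size 100k expire 30s store http_req_rate(10s),conn_rate(10s)

    # Track at connection level so that conn_rate is counted as well as
    # http_req_rate (tracking only in http-request leaves conn_* at zero).
    tcp-request connection track-sc0 src

    # Abuse check before any rewriting: more than 1000 req/10s or more than
    # 100 conn/10s from one source gets a 429. 'string' lets HAProxy set
    # Content-Length; no separate errorfile with a hand-counted byte count.
    http-request deny status 429 content-type text/plain string "Too Many Requests" if { sc_http_req_rate(0) gt 1000 } || { sc_conn_rate(0) gt 100 }

    # Answer the kubelet probe in the proxy itself (path is an assumption;
    # the commits probe '/'). A backend outage then does not restart HAProxy.
    http-request return status 200 content-type text/plain string "ok" if { path /healthz }

    # Strip the /tink-stack prefix before forwarding:
    #   /tink-stack/foo/bar  ->  /foo/bar
    acl is_tink path_beg /tink-stack/
    http-request set-path %[path,regsub(^/tink-stack/,/)] if is_tink

    default_backend be_tinkerbell

backend be_tinkerbell
    # Upstream named in the commits; 'check' enables active health checks.
    server tink tinkerbell.orch-infra.svc.cluster.local:8080 check
```

Two things to verify before relying on this in a cluster. First, `src` is the peer address HAProxy sees: behind a Service of type LoadBalancer or a NAT hop without PROXY protocol or a trusted `X-Forwarded-For`, every client shares one source IP and the limit throttles all of them together. Second, `haproxy -c -f haproxy.cfg` validates the file without starting the proxy, which catches the kind of directive and syntax mistakes the commits above describe before they show up as CrashLoopBackOff.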
…d health check routing
…s-pxe-boots

This resolves the circular dependency where nginx-ingress-pxe-boots was creating an ingress with tinkerbell backend before the service existed.

New deployment order:
- Wave 1100: ingress-haproxy (HAProxy controller)
- Wave 1150: infra-onboarding (deploys tinkerbell service)
- Wave 1200: nginx-ingress-pxe-boots (ingress with existing backend)

Fixes: nginx-ingress-pxe-boots stuck in Progressing state
Move nginx-ingress-pxe-boots from wave 1200 → 1100 so it creates tls-boots secret BEFORE infra-onboarding (wave 1150) needs boots-ca-cert.

Wave ordering:
- 1100: nginx-ingress-pxe-boots creates tls-boots Certificate resource
- 1140: copy-ca-cert-boots-to-infra copies tls-boots → boots-ca-cert (ExternalSecret)
- 1150: infra-onboarding deploys with boots-ca-cert available for dkam

This fixes dkam CrashLoopBackOff due to missing /etc/ssl/boots-ca-cert/ca.crt
fix the typo in targetRevision
added commonName: tinkerbell-nginx.{{ .Values.argo.clusterDomain }}
…s-ca-cert before dkam starts at wave 1150

Wave ordering:
- 1100: nginx-ingress-pxe-boots creates tls-boots cert
- 1120: copy-ca-cert-boots-to-infra copies tls-boots → boots-ca-cert (ExternalSecret)
- 1150: infra-onboarding deploys with dkam having cert available

This ensures dkam doesn't crash due to missing /etc/ssl/boots-ca-cert/ca.crt
Description
Path rewriting: Maintained via http-request set-path
Rate limiting: Improved from 1 req/sec (nginx) to ~100 req/sec (haproxy) globally
Fixes # (issue)
Any Newly Introduced Dependencies
HAProxy
How Has This Been Tested?
Coder
Checklist: