Support running with external loadbalancer (#1825)

cybertron · web-flow · commit 5901c757aee8 · 2025-12-18T16:13:58.000Z
diff --git a/06_create_cluster.sh b/06_create_cluster.sh
@@ -29,6 +29,10 @@ if [[ ! -z "$INSTALLER_PROXY" ]]; then
   fi
 fi
 
+if [ -n "$EXTERNAL_LOADBALANCER" ]; then
+  ./external_loadbalancer.sh &
+fi
+
 # Call openshift-installer to deploy the bootstrap node and masters
 create_cluster ${OCP_DIR}
 
diff --git a/common.sh b/common.sh
@@ -385,6 +385,13 @@ export TEST_CUSTOM_MAO=${TEST_CUSTOM_MAO:-false}
 # (Currently this just expects a non-empty value, the IP is fixed to .9)
 export ENABLE_BOOTSTRAP_STATIC_IP=${ENABLE_BOOTSTRAP_STATIC_IP:-}
 
+export EXTERNAL_LOADBALANCER=${EXTERNAL_LOADBALANCER:-}
+
+if [ -n "$EXTERNAL_LOADBALANCER" -a -z "$ENABLE_BOOTSTRAP_STATIC_IP" ]; then
+  error "EXTERNAL_LOADBALANCER requires ENABLE_BOOTSTRAP_STATIC_IP to be set as well"
+  exit 1
+fi
+
 # TODO(bnemec): Once https://github.com/ansible/ansible/pull/75537 merges this
 # can be removed.
 ALMA_PYTHON_OVERRIDE=
diff --git a/config_example.sh b/config_example.sh
@@ -427,6 +427,16 @@ set -x
 # When set to any value this will cause dev-scripts to include duplicate nics
 # on the primary network. This is intended for testing bonded network configs
 # and may not work without a bond config.
+# export BOND_PRIMARY_INTERFACE=1
+
+# EXTERNAL_LOADBALANCER -
+# When set to any value this will cause dev-scripts to configure an haproxy
+# loadbalancer on the host and configure the cluster to use it instead of the
+# internal loadbalancer.
+# Because of the way the loadbalancer config is written, this only works when
+# using single stack (either ipv4 or ipv6) and a static bootstrap IP (see the
+# ENABLE_BOOTSTRAP_STATIC_IP option above).
+# export EXTERNAL_LOADBALANCER=1
 
 ################################################################################
 ## VM Settings
diff --git a/external_loadbalancer.sh b/external_loadbalancer.sh
@@ -9,6 +9,7 @@ source utils.sh
 
 sudo firewall-cmd --zone=libvirt --add-port=6443/tcp
 sudo firewall-cmd --zone=libvirt --add-port=8080/tcp
+sudo firewall-cmd --zone=libvirt --add-port=22623/tcp
 
 haproxy_config="${WORKING_DIR}/haproxy.cfg"
 echo $haproxy_config
@@ -21,13 +22,15 @@ then
      master2=$(nth_ip $EXTERNAL_SUBNET_V6 22)
      worker0=$(nth_ip $EXTERNAL_SUBNET_V6 23)
      worker1=$(nth_ip $EXTERNAL_SUBNET_V6 24)
+     bootstrap=$(nth_ip $EXTERNAL_SUBNET_V6 9)
 else
 
      master0=$(nth_ip $EXTERNAL_SUBNET_V4 20)
      master1=$(nth_ip $EXTERNAL_SUBNET_V4 21)
      master2=$(nth_ip $EXTERNAL_SUBNET_V4 22)
      worker0=$(nth_ip $EXTERNAL_SUBNET_V4 23)
      worker1=$(nth_ip $EXTERNAL_SUBNET_V4 24)
+     bootstrap=$(nth_ip $EXTERNAL_SUBNET_V4 9)
 fi
 
 cat << EOF > "$haproxy_config"
@@ -43,13 +46,23 @@ frontend main
 frontend ingress
     bind :::8080  v4v6
     default_backend ingress
+frontend https
+    bind :::443 v4v6
+    default_backend https
+frontend mcs
+    bind :::22623 v4v6
+    default_backend mcs
+frontend ironic
+    bind :::6385 v4v6
+    default_backend ironic
 backend api
     option  httpchk GET /readyz HTTP/1.0
     option  log-health-checks
     balance roundrobin
     server master-0 ${master0}:6443 check check-ssl inter 1s fall 2 rise 3 verify none
     server master-1 ${master1}:6443 check check-ssl inter 1s fall 2 rise 3 verify none
     server master-2 ${master2}:6443 check check-ssl inter 1s fall 2 rise 3 verify none
+    server bootstrap ${bootstrap}:6443 check check-ssl inter 1s fall 2 rise 3 verify none
 backend ingress
     option  httpchk GET /healthz/ready  HTTP/1.0
     option  log-health-checks
@@ -59,6 +72,36 @@ backend ingress
     server master-2 ${master2}:80 check check-ssl port 1936 inter 1s fall 2 rise 3 verify none
     server w-0 ${worker0}:80 check check-ssl port 1936 inter 1s fall 2 rise 3 verify none
     server w-1 ${worker1}:80 check check-ssl port 1936 inter 1s fall 2 rise 3 verify none
+backend https
+    option  httpchk GET /healthz/ready  HTTP/1.0
+    option  log-health-checks
+    balance roundrobin
+    server master-0 ${master0}:443 check check-ssl port 1936 inter 1s fall 2 rise 3 verify none
+    server master-1 ${master1}:443 check check-ssl port 1936 inter 1s fall 2 rise 3 verify none
+    server master-2 ${master2}:443 check check-ssl port 1936 inter 1s fall 2 rise 3 verify none
+    server w-0 ${worker0}:443 check check-ssl port 1936 inter 1s fall 2 rise 3 verify none
+    server w-1 ${worker1}:443 check check-ssl port 1936 inter 1s fall 2 rise 3 verify none
+    server bootstrap ${bootstrap}:443 check check-ssl port 1936 inter 1s fall 2 rise 3 verify none
+backend mcs
+    option  httpchk GET /config/master  HTTP/1.0
+    option  log-health-checks
+    balance roundrobin
+    server master-0 ${master0}:22623 check check-ssl inter 1s fall 2 rise 3 verify none
+    server master-1 ${master1}:22623 check check-ssl inter 1s fall 2 rise 3 verify none
+    server master-2 ${master2}:22623 check check-ssl inter 1s fall 2 rise 3 verify none
+    server w-0 ${worker0}:22623 check check-ssl inter 1s fall 2 rise 3 verify none
+    server w-1 ${worker1}:22623 check check-ssl inter 1s fall 2 rise 3 verify none
+    server bootstrap ${bootstrap}:22623 check check-ssl inter 1s fall 2 rise 3 verify none
+backend ironic
+    option  httpchk GET /v1  HTTP/1.0
+    option  log-health-checks
+    balance roundrobin
+    server master-0 ${master0}:6385 check check-ssl inter 30s fall 2 rise 3 verify none
+    server master-1 ${master1}:6385 check check-ssl inter 30s fall 2 rise 3 verify none
+    server master-2 ${master2}:6385 check check-ssl inter 30s fall 2 rise 3 verify none
+    server w-0 ${worker0}:6385 check check-ssl inter 1s fall 2 rise 3 verify none
+    server w-1 ${worker1}:6385 check check-ssl inter 1s fall 2 rise 3 verify none
+    server bootstrap ${bootstrap}:6385 check check-ssl inter 30s fall 2 rise 3 verify none
 EOF
 
 sudo podman run -d  --net host -v "${WORKING_DIR}":/etc/haproxy/:z --entrypoint bash --name extlb quay.io/openshift/origin-haproxy-router  -c 'haproxy -f /etc/haproxy/haproxy.cfg'
diff --git a/network.sh b/network.sh
@@ -253,12 +253,20 @@ function get_vips() {
     #
     if [[ -n "${EXTERNAL_SUBNET_V4}" ]]; then
         API_VIPS_V4=$(dig +noall +answer "api.${CLUSTER_DOMAIN}" @$(network_ip ${BAREMETAL_NETWORK_NAME}) | awk '{print $NF}')
-        INGRESS_VIPS_V4=$(nth_ip $EXTERNAL_SUBNET_V4 4)
+        if [ -z "$EXTERNAL_LOADBALANCER" ]; then
+          INGRESS_VIPS_V4=$(nth_ip $EXTERNAL_SUBNET_V4 4)
+        else
+          INGRESS_VIPS_V4=$(nth_ip $EXTERNAL_SUBNET_V4 1)
+        fi
     fi
 
     if [[ -n "${EXTERNAL_SUBNET_V6}" ]]; then
         API_VIPS_V6=$(dig -t AAAA +noall +answer "api.${CLUSTER_DOMAIN}" @$(network_ip ${BAREMETAL_NETWORK_NAME}) | awk '{print $NF}')
-        INGRESS_VIPS_V6=$(nth_ip $EXTERNAL_SUBNET_V6 4)
+        if [ -z "$EXTERNAL_LOADBALANCER" ]; then
+          INGRESS_VIPS_V6=$(nth_ip $EXTERNAL_SUBNET_V6 4)
+        else
+          INGRESS_VIPS_V6=$(nth_ip $EXTERNAL_SUBNET_V6 1)
+        fi
     fi
 
     if [[ "$IP_STACK" == "v4" || "$IP_STACK" == "v4v6" ]]; then
diff --git a/ocp_install_env.sh b/ocp_install_env.sh
@@ -191,6 +191,15 @@ function setVIPs() {
     esac
 }
 
+function loadbalancer_type() {
+    if [ -n "$EXTERNAL_LOADBALANCER" ]; then
+cat <<EOF
+    loadBalancer:
+      type: UserManaged
+EOF
+    fi
+}
+
 function featureSet() {
     if [[ -n "$FEATURE_SET" ]]; then
 cat <<EOF
@@ -395,6 +404,7 @@ $(cluster_os_image)
 $(setVIPs apivips)
 $(setVIPs ingressvips)
 $(dnsvip)
+$(loadbalancer_type)
     hosts:
 EOF
 
diff --git a/vm_setup_vars.yml b/vm_setup_vars.yml
@@ -59,6 +59,13 @@ dns_extrahosts:
     hostnames:
       - "virthost"
 
+dns_externalhosts:
+  - ip: "{{ baremetal_network_cidr | nthhost(1) }}"
+    hostnames:
+      - "virthost"
+      - "api"
+      - "api-int"
+
 network_config_folder: "{{ lookup('env', 'NETWORK_CONFIG_FOLDER') | default(false) }}"
 hosts_config: "{{ lookup('template', network_config_folder + '/hosts.yaml', errors='ignore') | default('[]', true) | from_yaml }}"
 dns_customhosts: "{{ [] if not network_config_folder else hosts_config }}"
@@ -88,7 +95,7 @@ external_network:
       - 65535
     domain: "{{ cluster_domain }}"
     dns:
-      hosts: "{{ dns_extrahosts + dns_customhosts + dns_dualstackhost if lookup('env', 'EXTERNAL_SUBNET_V6') else dns_extrahosts + dns_customhosts }}"
+      hosts: "{{ dns_externalhosts + dns_customhosts if lookup('env', 'EXTERNAL_LOADBALANCER') else dns_extrahosts + dns_customhosts + dns_dualstackhost if lookup('env', 'EXTERNAL_SUBNET_V6') else dns_extrahosts + dns_customhosts }}"
       forwarders:
         - domain: "apps.{{ cluster_domain }}"
           addr: "127.0.0.1"
