aboutsummaryrefslogtreecommitdiffstats
path: root/kubernetes/aai/resources
diff options
context:
space:
mode:
Diffstat (limited to 'kubernetes/aai/resources')
-rw-r--r--kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg29
-rw-r--r--kubernetes/aai/resources/config/haproxy/haproxy.cfg35
2 files changed, 48 insertions, 16 deletions
diff --git a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
index 6e7acef17f..1266d4e1c0 100644
--- a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
+++ b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
@@ -17,6 +17,8 @@ global
log /dev/log local0
stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin
stats timeout 30s
+ # it is required else pod will not come up
+ maxconn 50000
user root
group root
daemon
@@ -38,7 +40,8 @@ defaults
mode http
option httplog
option ssl-hello-chk
- option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==
+ option httpchk
+ http-check send meth GET uri /aai/util/echo ver HTTP/1.1 hdr Host aai hdr X-TransactionId haproxy-0111 hdr X-FromAppId haproxy hdr Accept application/json hdr Authorization 'Basic QUFJOkFBSQ=='
default-server init-addr none
# option dontlognull
# errorfile 400 /etc/haproxy/errors/400.http
@@ -59,6 +62,12 @@ defaults
timeout server 480000
timeout http-keep-alive 30000
+frontend stats
+ bind *:8448
+ http-request use-service prometheus-exporter if { path /metrics }
+ stats enable
+ stats uri /stats
+ stats refresh 10s
frontend IST_8443
mode http
@@ -73,6 +82,10 @@ frontend IST_8443
capture response header Host len 100
option log-separate-errors
option forwardfor
+
+ http-request set-header X-Forwarded-Proto https
+ http-request add-header X-Forwarded-Port 8443
+
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used }
http-request set-header X-AAI-SSL %[ssl_fc]
@@ -97,9 +110,6 @@ frontend IST_8443
{{- end }}
{{- end }}
- reqadd X-Forwarded-Proto:\ https
- reqadd X-Forwarded-Port:\ 8443
-
#######################
#ACLS FOR PORT 8446####
#######################
@@ -107,9 +117,10 @@ frontend IST_8443
acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
+ acl is_dsl path_reg -i ^/aai/v[0-9]+/dsl$
acl is_named-query path_beg -i /aai/search/named-query
acl is_search-model path_beg -i /aai/search/model
- use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model
+ use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model or is_dsl
default_backend IST_Default_8447
@@ -120,9 +131,11 @@ frontend IST_8443
backend IST_Default_8447
balance roundrobin
+ stick-table type string len 100 size 200k expire 2m
+ stick on path
http-request set-header X-Forwarded-Port %[src_port]
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
- server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none
+ server-template aai-resources.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiResources}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none
#######################
@@ -131,9 +144,11 @@ backend IST_Default_8447
backend IST_AAI_8446
balance roundrobin
+ stick-table type string len 100 size 200k expire 2m
+ stick on path
http-request set-header X-Forwarded-Port %[src_port]
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
- server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none
+ server-template aai-traversal.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiTraversal}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none
listen IST_AAI_STATS
mode http
diff --git a/kubernetes/aai/resources/config/haproxy/haproxy.cfg b/kubernetes/aai/resources/config/haproxy/haproxy.cfg
index 1accff9935..fe1715b734 100644
--- a/kubernetes/aai/resources/config/haproxy/haproxy.cfg
+++ b/kubernetes/aai/resources/config/haproxy/haproxy.cfg
@@ -17,6 +17,10 @@ global
log /dev/log local0
stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin
stats timeout 30s
+ # it is required else pod will not come up
+ maxconn 50000
+ user root
+ group root
daemon
#################################
# Default SSL material locations#
@@ -38,7 +42,8 @@ defaults
{{- if ( include "common.needTLS" .) }}
option ssl-hello-chk
{{- end }}
- option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ QUFJOkFBSQ==
+ option httpchk
+ http-check send meth GET uri /aai/util/echo ver HTTP/1.1 hdr Host aai hdr X-TransactionId haproxy-0111 hdr X-FromAppId haproxy hdr Accept application/json hdr Authorization 'Basic QUFJOkFBSQ=='
default-server init-addr none
# option dontlognull
# errorfile 400 /etc/haproxy/errors/400.http
@@ -59,6 +64,12 @@ defaults
timeout server 480000
timeout http-keep-alive 30000
+frontend stats
+ bind *:8448
+ http-request use-service prometheus-exporter if { path /metrics }
+ stats enable
+ stats uri /stats
+ stats refresh 10s
frontend IST_8080
mode http
@@ -73,8 +84,8 @@ frontend IST_8080
option log-separate-errors
option forwardfor
http-request set-header X-Forwarded-Proto http
- reqadd X-Forwarded-Proto:\ http
- reqadd X-Forwarded-Port:\ 8080
+ http-request set-header X-Forwarded-Proto http
+ http-request add-header X-Forwarded-Port 8080
#######################
#ACLS FOR PORT 8446####
@@ -104,6 +115,10 @@ frontend IST_8443
capture response header Host len 100
option log-separate-errors
option forwardfor
+
+ http-request set-header X-Forwarded-Proto https
+ http-request add-header X-Forwarded-Port 8443
+
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used }
http-request set-header X-AAI-SSL %[ssl_fc]
@@ -128,8 +143,6 @@ frontend IST_8443
{{- end }}
{{- end }}
- reqadd X-Forwarded-Proto:\ https
- reqadd X-Forwarded-Port:\ 8443
{{- end }}
#######################
@@ -152,12 +165,14 @@ frontend IST_8443
backend IST_Default_8447
balance roundrobin
+ stick-table type string len 100 size 200k expire 2m
+ stick on path
http-request set-header X-Forwarded-Port %[src_port]
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
{{- if ( include "common.needTLS" .) }}
- server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none
+ server-template aai-resources.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiResources}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none
{{- else }}
- server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check port 8447
+ server-template aai-resources.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiResources}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check port 8447
{{- end }}
#######################
@@ -166,10 +181,12 @@ backend IST_Default_8447
backend IST_AAI_8446
balance roundrobin
+ stick-table type string len 100 size 200k expire 2m
+ stick on path
http-request set-header X-Forwarded-Port %[src_port]
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
{{- if ( include "common.needTLS" .) }}
- server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none
+ server-template aai-traversal.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiTraversal}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none
{{- else }}
- server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check port 8446
+ server-template aai-traversal.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiTraversal}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check port 8446
{{- end }}