From 147a21084b380ec535982ee5af8e66025e1f77aa Mon Sep 17 00:00:00 2001 From: leila Date: Wed, 16 Nov 2022 19:42:09 -0500 Subject: [AAI] AAI HAProxy image update Update AAI haproxy to 1.9.6 Make AAI init container resources configurable Implementing stick tables to avoid concurrency issues raised by using janugraph against eventually consistent storage backend(cassandra) Issue-ID: AAI-3602 Signed-off-by: leila Change-Id: I6b1c7bf3a378c410df0a9bb01d304e56e979c3b5 --- .../config/haproxy/haproxy-pluggable-security.cfg | 29 +++++++++++++----- .../aai/resources/config/haproxy/haproxy.cfg | 35 ++++++++++++++++------ 2 files changed, 48 insertions(+), 16 deletions(-) (limited to 'kubernetes/aai/resources/config/haproxy') diff --git a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg index 6e7acef17f..1266d4e1c0 100644 --- a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg +++ b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg @@ -17,6 +17,8 @@ global log /dev/log local0 stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin stats timeout 30s + # it is required else pod will not come up + maxconn 50000 user root group root daemon @@ -38,7 +40,8 @@ defaults mode http option httplog option ssl-hello-chk - option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ== + option httpchk + http-check send meth GET uri /aai/util/echo ver HTTP/1.1 hdr Host aai hdr X-TransactionId haproxy-0111 hdr X-FromAppId haproxy hdr Accept application/json hdr Authorization 'Basic QUFJOkFBSQ==' default-server init-addr none # option dontlognull # errorfile 400 /etc/haproxy/errors/400.http @@ -59,6 +62,12 @@ defaults timeout server 480000 timeout http-keep-alive 30000 +frontend stats + bind *:8448 + http-request use-service prometheus-exporter if { path /metrics } + stats enable + stats uri /stats + stats refresh 10s frontend IST_8443 mode http @@ -73,6 +82,10 @@ frontend IST_8443 capture response header Host len 100 option log-separate-errors option forwardfor + + http-request set-header X-Forwarded-Proto https + http-request add-header X-Forwarded-Port 8443 + http-request set-header X-Forwarded-Proto https if { ssl_fc } http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used } http-request set-header X-AAI-SSL %[ssl_fc] @@ -97,9 +110,6 @@ frontend IST_8443 {{- end }} {{- end }} - reqadd X-Forwarded-Proto:\ https - reqadd X-Forwarded-Port:\ 8443 - ####################### #ACLS FOR PORT 8446#### ####################### @@ -107,9 +117,10 @@ frontend IST_8443 acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$ acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$ acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$ + acl is_dsl path_reg -i ^/aai/v[0-9]+/dsl$ acl is_named-query path_beg -i /aai/search/named-query acl is_search-model path_beg -i /aai/search/model - use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model + use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model or is_dsl default_backend IST_Default_8447 @@ -120,9 +131,11 @@ frontend IST_8443 backend IST_Default_8447 balance roundrobin + stick-table type string len 100 size 200k expire 2m + stick on path http-request set-header X-Forwarded-Port %[src_port] http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; - server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none + server-template aai-resources.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiResources}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none ####################### @@ -131,9 +144,11 @@ backend IST_Default_8447 backend IST_AAI_8446 balance roundrobin + stick-table type string len 100 size 200k expire 2m + stick on path http-request set-header X-Forwarded-Port %[src_port] http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; - server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none + server-template aai-traversal.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiTraversal}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none listen IST_AAI_STATS mode http diff --git a/kubernetes/aai/resources/config/haproxy/haproxy.cfg b/kubernetes/aai/resources/config/haproxy/haproxy.cfg index 1accff9935..fe1715b734 100644 --- a/kubernetes/aai/resources/config/haproxy/haproxy.cfg +++ b/kubernetes/aai/resources/config/haproxy/haproxy.cfg @@ -17,6 +17,10 @@ global log /dev/log local0 stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin stats timeout 30s + # it is required else pod will not come up + maxconn 50000 + user root + group root daemon ################################# # Default SSL material locations# @@ -38,7 +42,8 @@ defaults {{- if ( include "common.needTLS" .) }} option ssl-hello-chk {{- end }} - option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ QUFJOkFBSQ== + option httpchk + http-check send meth GET uri /aai/util/echo ver HTTP/1.1 hdr Host aai hdr X-TransactionId haproxy-0111 hdr X-FromAppId haproxy hdr Accept application/json hdr Authorization 'Basic QUFJOkFBSQ==' default-server init-addr none # option dontlognull # errorfile 400 /etc/haproxy/errors/400.http @@ -59,6 +64,12 @@ defaults timeout server 480000 timeout http-keep-alive 30000 +frontend stats + bind *:8448 + http-request use-service prometheus-exporter if { path /metrics } + stats enable + stats uri /stats + stats refresh 10s frontend IST_8080 mode http @@ -73,8 +84,8 @@ frontend IST_8080 option log-separate-errors option forwardfor http-request set-header X-Forwarded-Proto http - reqadd X-Forwarded-Proto:\ http - reqadd X-Forwarded-Port:\ 8080 + http-request set-header X-Forwarded-Proto http + http-request add-header X-Forwarded-Port 8080 ####################### #ACLS FOR PORT 8446#### @@ -104,6 +115,10 @@ frontend IST_8443 capture response header Host len 100 option log-separate-errors option forwardfor + + http-request set-header X-Forwarded-Proto https + http-request add-header X-Forwarded-Port 8443 + http-request set-header X-Forwarded-Proto https if { ssl_fc } http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used } http-request set-header X-AAI-SSL %[ssl_fc] @@ -128,8 +143,6 @@ frontend IST_8443 {{- end }} {{- end }} - reqadd X-Forwarded-Proto:\ https - reqadd X-Forwarded-Port:\ 8443 {{- end }} ####################### @@ -152,12 +165,14 @@ frontend IST_8443 backend IST_Default_8447 balance roundrobin + stick-table type string len 100 size 200k expire 2m + stick on path http-request set-header X-Forwarded-Port %[src_port] http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; {{- if ( include "common.needTLS" .) }} - server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none + server-template aai-resources.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiResources}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none {{- else }} - server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check port 8447 + server-template aai-resources.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiResources}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check port 8447 {{- end }} ####################### @@ -166,10 +181,12 @@ backend IST_Default_8447 backend IST_AAI_8446 balance roundrobin + stick-table type string len 100 size 200k expire 2m + stick on path http-request set-header X-Forwarded-Port %[src_port] http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; {{- if ( include "common.needTLS" .) }} - server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none + server-template aai-traversal.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiTraversal}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none {{- else }} - server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check port 8446 + server-template aai-traversal.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiTraversal}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check port 8446 {{- end }} -- cgit 1.2.3-korg