Merge pull request #654 from mlibrary/haproxy-check-kubeapi-https-ins…

…tead-of-tcp Make HAProxy better at knowing when to pull kubernetes controller nodes from load balancing
mlibrary · Jan 26, 2024 · 8067f9b · 8067f9b
2 parents 8a2fd3e + 8532d66
commit 8067f9b
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 38 deletions.
diff --git a/manifests/profile/kubernetes/destination_port/api.pp b/manifests/profile/kubernetes/destination_port/api.pp
@@ -1,4 +1,4 @@
-# Copyright (c) 2020 The Regents of the University of Michigan.
+# Copyright (c) 2020, 2024 The Regents of the University of Michigan.
 # All Rights Reserved. Licensed according to the terms of the Revised
 # BSD License. See LICENSE.txt for details.
 
@@ -8,7 +8,7 @@
   @@concat_fragment { "haproxy kubernetes api ${::hostname}":
     target  => '/etc/haproxy/services.d/api.cfg',
     order   => '02',
-    content => "  server ${::hostname} ${::ipaddress}:6443 check\n",
+    content => "  server ${::hostname} ${::ipaddress}:6443 check ssl verify none\n",
     tag     => "${cluster_name}_haproxy_kubernetes_api",
   }
 }
diff --git a/spec/classes/profile/kubernetes/destination_port_spec.rb b/spec/classes/profile/kubernetes/destination_port_spec.rb
@@ -1,16 +1,18 @@
 # frozen_string_literal: true
 
-# Copyright (c) 2020 The Regents of the University of Michigan.
+# Copyright (c) 2020, 2024 The Regents of the University of Michigan.
 # All Rights Reserved. Licensed according to the terms of the Revised
 # BSD License. See LICENSE.txt for details.
 require 'spec_helper'
 
 [
-  ['api',        6443],
-  ['etcd',       2379],
-  ['https_alt', 31443],
-  ['gelf_tcp',  32201],
-].each do |service, port|
+  ['api',        6443, 'check ssl verify none'],
+  ['etcd',       2379, 'check'],
+  ['http',      30080, 'check send-proxy'],
+  ['https',     30443, 'check send-proxy'],
+  ['https_alt', 31443, 'check'],
+  ['gelf_tcp',  32201, 'check'],
+].each do |service, port, options|
   describe "nebula::profile::kubernetes::destination_port::#{service}" do
     on_supported_os.each do |os, os_facts|
       context "on #{os}" do
@@ -26,35 +28,7 @@
             is_expected.to contain_concat_fragment("haproxy kubernetes #{service.tr('_', ' ')} #{facts[:hostname]}")
               .with_target("/etc/haproxy/services.d/#{service}.cfg")
               .with_order('02')
-              .with_content("  server #{facts[:hostname]} #{facts[:ipaddress]}:#{port} check\n")
-              .with_tag("first_cluster_haproxy_kubernetes_#{service}")
-          end
-        end
-      end
-    end
-  end
-end
-
-[
-  ['http',      30080],
-  ['https',     30443],
-].each do |service, port|
-  describe "nebula::profile::kubernetes::destination_port::#{service}" do
-    on_supported_os.each do |os, os_facts|
-      context "on #{os}" do
-        let(:hiera_config) { 'spec/fixtures/hiera/kubernetes/first_cluster_config.yaml' }
-        let(:facts) { os_facts }
-
-        it { is_expected.to compile }
-
-        describe 'exported resources' do
-          subject { exported_resources }
-
-          it do
-            is_expected.to contain_concat_fragment("haproxy kubernetes #{service.tr('_', ' ')} #{facts[:hostname]}")
-              .with_target("/etc/haproxy/services.d/#{service}.cfg")
-              .with_order('02')
-              .with_content("  server #{facts[:hostname]} #{facts[:ipaddress]}:#{port} check send-proxy\n")
+              .with_content("  server #{facts[:hostname]} #{facts[:ipaddress]}:#{port} #{options}\n")
               .with_tag("first_cluster_haproxy_kubernetes_#{service}")
           end
         end

diff --git a/templates/profile/kubernetes/haproxy/services.d/api.cfg.erb b/templates/profile/kubernetes/haproxy/services.d/api.cfg.erb
@@ -7,5 +7,6 @@ frontend kubernetes-api-front
 
 backend kubernetes-api-back
   mode tcp
-  option tcp-check
   balance roundrobin
+  option httpchk HEAD /
+  http-check expect status 403