#--------------------------------------------------------------------- # Configuration for CI environment. #--------------------------------------------------------------------- #--------------------------------------------------------------------- # Global settings #--------------------------------------------------------------------- global log 127.0.0.1:514 local2 info chroot /var/lib/haproxy pidfile /var/run/haproxy.pid maxconn 4000 user haproxy group haproxy daemon # turn on stats unix socket stats socket /var/lib/haproxy/stats # utilize system-wide crypto-policies ssl-default-bind-ciphers PROFILE=SYSTEM ssl-default-server-ciphers PROFILE=SYSTEM #--------------------------------------------------------------------- # common defaults that all the 'listen' and 'backend' sections will # use if not designated in their block #--------------------------------------------------------------------- defaults mode http log global option httplog option http-server-close option redispatch retries 3 timeout http-request 10s timeout queue 1m timeout connect 10s timeout client 1m timeout server 1m timeout http-keep-alive 10s timeout check 10s maxconn 3000 #--------------------------------------------------------------------- # API frontend which proxys to the created master nodes #--------------------------------------------------------------------- frontend api-all mode tcp option tcplog bind *:6443 tcp-request inspect-delay 5s tcp-request content accept if { req_ssl_hello_type 1 } acl 00-api req_ssl_sni -m end .libvirt-ppc64le-1-0 use_backend masters-00 if 00-api acl 00-api-ci req_ssl_sni -m end .libvirt-ppc64le-1-0.ci use_backend masters-00 if 00-api-ci acl 01-api req_ssl_sni -m end .libvirt-ppc64le-1-1 use_backend masters-01 if 01-api acl 01-api-ci req_ssl_sni -m end .libvirt-ppc64le-1-1.ci use_backend masters-01 if 01-api-ci acl 02-api req_ssl_sni -m end .libvirt-ppc64le-1-2 use_backend masters-02 if 02-api acl 02-api-ci req_ssl_sni -m end .libvirt-ppc64le-1-2.ci use_backend masters-02 if 02-api-ci acl 03-api req_ssl_sni -m end .libvirt-ppc64le-1-3 use_backend masters-03 if 03-api acl 03-api-ci req_ssl_sni -m end .libvirt-ppc64le-1-3.ci use_backend masters-03 if 03-api-ci #--------------------------------------------------------------------- # HTTP frontend which proxys to the created worker nodes #--------------------------------------------------------------------- frontend http-all bind *:80 option forwardfor except 127.0.0.0/8 acl 00-http hdr(host) -m end .libvirt-ppc64le-1-0 use_backend http-workers-00 if 00-http acl 00-http-ci hdr(host) -m end .libvirt-ppc64le-1-0.ci use_backend http-workers-00 if 00-http-ci acl 01-http hdr(host) -m end .libvirt-ppc64le-1-1 use_backend http-workers-01 if 01-http acl 01-http-ci hdr(host) -m end .libvirt-ppc64le-1-1.ci use_backend http-workers-01 if 01-http-ci acl 02-http hdr(host) -m end .libvirt-ppc64le-1-2 use_backend http-workers-02 if 02-http acl 02-http-ci hdr(host) -m end .libvirt-ppc64le-1-2.ci use_backend http-workers-02 if 02-http-ci acl 03-http hdr(host) -m end .libvirt-ppc64le-1-3 use_backend http-workers-03 if 03-http acl 03-http-ci hdr(host) -m end .libvirt-ppc64le-1-3.ci use_backend http-workers-03 if 03-http-ci #--------------------------------------------------------------------- # HTTPS frontend which proxys to the created worker nodes #--------------------------------------------------------------------- frontend https-all mode tcp option tcplog bind *:443 tcp-request inspect-delay 5s tcp-request content accept if { req_ssl_hello_type 1 } acl 00-https req_ssl_sni -m end .libvirt-ppc64le-1-0 use_backend https-workers-00 if 00-https acl 00-https-ci req_ssl_sni -m end .libvirt-ppc64le-1-0.ci use_backend https-workers-00 if 00-https-ci acl 01-https req_ssl_sni -m end .libvirt-ppc64le-1-1 use_backend https-workers-01 if 01-https acl 01-https-ci req_ssl_sni -m end .libvirt-ppc64le-1-1.ci use_backend https-workers-01 if 01-https-ci acl 02-https req_ssl_sni -m end .libvirt-ppc64le-1-2 use_backend https-workers-02 if 02-https acl 02-https-ci req_ssl_sni -m end .libvirt-ppc64le-1-2.ci use_backend https-workers-02 if 02-https-ci acl 03-https req_ssl_sni -m end .libvirt-ppc64le-1-3 use_backend https-workers-03 if 03-https acl 03-https-ci req_ssl_sni -m end .libvirt-ppc64le-1-3.ci use_backend https-workers-03 if 03-https-ci ##--------------------------------------------------------------------- ## SSH frontend which proxys to the created bootstrap nodes ##--------------------------------------------------------------------- #frontend ssh-all # mode tcp # option tcplog # # bind *:1023 # # tcp-request inspect-delay 5s # tcp-request content accept if { req_ssl_hello_type 1 } # # acl 00-ssh req_ssl_sni -m end .libvirt-ppc64le-1-0 # use_backend ssh-bootstrap-00 if 00-ssh # # acl 00-ssh-ci req_ssl_sni -m end .libvirt-ppc64le-1-0.ci # use_backend ssh-bootstrap-00 if 00-ssh-ci # # acl 01-ssh req_ssl_sni -m end .libvirt-ppc64le-1-1 # use_backend ssh-bootstrap-01 if 01-ssh # # acl 01-ssh-ci req_ssl_sni -m end .libvirt-ppc64le-1-1.ci # use_backend ssh-bootstrap-01 if 01-ssh-ci # # acl 02-ssh req_ssl_sni -m end .libvirt-ppc64le-1-2 # use_backend ssh-bootstrap-02 if 02-ssh # # acl 02-ssh-ci req_ssl_sni -m end .libvirt-ppc64le-1-2.ci # use_backend ssh-bootstrap-02 if 02-ssh-ci # # acl 03-ssh req_ssl_sni -m end .libvirt-ppc64le-1-3 # use_backend ssh-bootstrap-03 if 03-ssh # # acl 03-ssh-ci req_ssl_sni -m end .libvirt-ppc64le-1-3.ci # use_backend ssh-bootstrap-03 if 03-ssh-ci #--------------------------------------------------------------------- # Master node backends for serving API traffic #--------------------------------------------------------------------- backend masters-00 mode tcp option httpchk GET /readyz HTTP/1.0 # Uncomment log-health-checks option only when in production or debugging, disabled for CI # option log-health-checks balance roundrobin server bootstrap 192.168.126.10:6443 weight 1 verify none check check-ssl inter 10s fall 2 rise 3 server master1 192.168.126.11:6443 weight 1 verify none check check-ssl inter 10s fall 2 rise 3 server master2 192.168.126.12:6443 weight 1 verify none check check-ssl inter 10s fall 2 rise 3 server master3 192.168.126.13:6443 weight 1 verify none check check-ssl inter 10s fall 2 rise 3 backend masters-01 mode tcp option httpchk GET /readyz HTTP/1.0 # option log-health-checks balance roundrobin server bootstrap 192.168.1.10:6443 weight 1 verify none check check-ssl inter 10s fall 2 rise 3 server master1 192.168.1.11:6443 weight 1 verify none check check-ssl inter 10s fall 2 rise 3 server master2 192.168.1.12:6443 weight 1 verify none check check-ssl inter 10s fall 2 rise 3 server master3 192.168.1.13:6443 weight 1 verify none check check-ssl inter 10s fall 2 rise 3 backend masters-02 mode tcp option httpchk GET /readyz HTTP/1.0 # option log-health-checks balance roundrobin server bootstrap 192.168.2.10:6443 weight 1 verify none check check-ssl inter 10s fall 2 rise 3 server master1 192.168.2.11:6443 weight 1 verify none check check-ssl inter 10s fall 2 rise 3 server master2 192.168.2.12:6443 weight 1 verify none check check-ssl inter 10s fall 2 rise 3 server master3 192.168.2.13:6443 weight 1 verify none check check-ssl inter 10s fall 2 rise 3 backend masters-03 mode tcp option httpchk GET /readyz HTTP/1.0 # option log-health-checks balance roundrobin server bootstrap 192.168.3.10:6443 weight 1 verify none check check-ssl inter 10s fall 2 rise 3 server master1 192.168.3.11:6443 weight 1 verify none check check-ssl inter 10s fall 2 rise 3 server master2 192.168.3.12:6443 weight 1 verify none check check-ssl inter 10s fall 2 rise 3 server master3 192.168.3.13:6443 weight 1 verify none check check-ssl inter 10s fall 2 rise 3 #--------------------------------------------------------------------- # Worker node backends for serving HTTP service endpoints #--------------------------------------------------------------------- backend http-workers-00 option forwardfor except 127.0.0.0/8 balance roundrobin server master1 192.168.126.11:80 check server master2 192.168.126.12:80 check server master3 192.168.126.13:80 check server worker1 192.168.126.51:80 check server worker2 192.168.126.52:80 check backend http-workers-01 option forwardfor except 127.0.0.0/8 balance roundrobin server master1 192.168.1.11:80 check server master2 192.168.1.12:80 check server master3 192.168.1.13:80 check server worker1 192.168.1.51:80 check server worker2 192.168.1.52:80 check backend http-workers-02 option forwardfor except 127.0.0.0/8 balance roundrobin server master1 192.168.2.11:80 check server master2 192.168.2.12:80 check server master3 192.168.2.13:80 check server worker1 192.168.2.51:80 check server worker2 192.168.2.52:80 check backend http-workers-03 option forwardfor except 127.0.0.0/8 balance roundrobin server master1 192.168.3.11:80 check server master2 192.168.3.12:80 check server master3 192.168.3.13:80 check server worker1 192.168.3.51:80 check server worker2 192.168.3.52:80 check #--------------------------------------------------------------------- # Debug node #--------------------------------------------------------------------- #backend node # option forwardfor except 127.0.0.0/8 # server node 127.0.0.1:8080 check #--------------------------------------------------------------------- # Worker node backends for serving HTTPS service endpoints #--------------------------------------------------------------------- backend https-workers-00 mode tcp balance roundrobin server master1 192.168.126.11:443 check server master2 192.168.126.12:443 check server master3 192.168.126.13:443 check server worker1 192.168.126.51:443 check server worker2 192.168.126.52:443 check backend https-workers-01 mode tcp balance roundrobin server master1 192.168.1.11:443 check server master2 192.168.1.12:443 check server master3 192.168.1.13:443 check server worker1 192.168.1.51:443 check server worker2 192.168.1.52:443 check backend https-workers-02 mode tcp balance roundrobin server master1 192.168.2.11:443 check server master2 192.168.2.12:443 check server master3 192.168.2.13:443 check server worker1 192.168.2.51:443 check server worker2 192.168.2.52:443 check backend https-workers-03 mode tcp balance roundrobin server master1 192.168.3.11:443 check server master2 192.168.3.12:443 check server master3 192.168.3.13:443 check server worker1 192.168.3.51:443 check server worker2 192.168.3.52:443 check #--------------------------------------------------------------------- # Debug node https #--------------------------------------------------------------------- #backend node-https # mode tcp # server node 127.0.0.1:8443 check ##--------------------------------------------------------------------- ## Bootstrap node backends for serving SSH service endpoints ##--------------------------------------------------------------------- #backend ssh-bootstrap-00 # mode tcp # balance roundrobin # server bootstrap 192.168.126.10:22 check #backend ssh-bootstrap-01 # mode tcp # balance roundrobin # server bootstrap 192.168.1.10:22 check #backend ssh-bootstrap-02 # mode tcp # balance roundrobin # server bootstrap 192.168.2.10:22 check #backend ssh-bootstrap-03 # mode tcp # balance roundrobin # server bootstrap 192.168.3.10:22 check