HAProxy Load Balancer
This topic explains how to use an HAProxy load balancer (http://www.haproxy.org/) for your Swimlane deployment. HAProxy can be run either as a layer 4 (TCP mode) or a layer 7 (HTTP mode) load balancer. Currently, a layer 7 load balancer is not supported for the Kubernetes API. However, HAProxy works as a hybrid and provides load balancing for both layer 4 and layer 7 applications using a single daemon.

Note: This topic is limited to being an example of how to use HAProxy as a load balancer for Swimlane. Configuring the load balancer as described here will result in a configuration that is not highly available. HAProxy can be configured with HA and failover capabilities using the same example configuration, but the HA configuration of HAProxy is beyond the scope of this topic.

Note: Both examples in this topic include an enabled HAProxy statistics listener. This can be useful for keeping track of metrics and backend node health. It is accessible over port 8080. It is in no way required and can be disabled by deleting the listen stats sections of the configuration.

Architecture diagram

[Figure: TCP mode (layer 4) HAProxy]

[Figure: HTTP mode (layer 7) HAProxy]

Layer 4 (TCP mode) HAProxy load balancer

The benefit of TCP mode is its simplicity. TCP mode simply forwards network traffic at the port level to the configured backend servers. This allows the backend service to control almost all aspects of the communication. For example, TCP mode enables the backend service to provide its own TLS certificate so that SSL doesn't get terminated at the load balancer.

The downside of TCP mode for Swimlane's use case is that upgrades to the load balancer (i.e., whitelisting or blacklisting SSL ciphers) can generally be made much more quickly by the administrator in HTTP mode than in TCP mode, where they have to wait for a Swimlane release.

Example configuration for a layer 4 HAProxy server

```
##################
# Global Options #
##################
global

defaults
  timeout client  30s
  timeout server  30s
  timeout connect 30s

# No "stats auth" is set, so this page is served without authentication.
listen stats
  bind *:8080
  mode http
  stats enable
  stats uri /
  stats hide-version

##
# Swimlane Frontend / Backend
##
# http-request rules require mode http, so the optional redirect
# gets its own frontend instead of sharing the tcp-mode one.
frontend swimlane-redirect-frontend
  mode http
  bind *:80 # Optional HTTPS redirection
  http-request redirect scheme https unless { ssl_fc } # Optional HTTPS redirection

frontend swimlane-frontend
  mode tcp
  bind *:443
  default_backend swimlane-backend

backend swimlane-backend
  mode tcp
  balance roundrobin
  option tcp-check
  server spi-node-1 spi-node-1.swimlane.io:443 check
  server spi-node-2 spi-node-2.swimlane.io:443 check
  server spi-node-3 spi-node-3.swimlane.io:443 check

##
# Swimlane Platform Installer UI Frontend / Backend
##
frontend replicated-frontend
  mode tcp
  bind *:8800
  default_backend replicated-backend

backend replicated-backend
  mode tcp
  balance roundrobin
  option tcp-check
  server spi-node-1 spi-node-1.swimlane.io:8800 check
  server spi-node-2 spi-node-2.swimlane.io:8800 check
  server spi-node-3 spi-node-3.swimlane.io:8800 check

##
# Kubernetes API Frontend / Backend
##
frontend kube-api-frontend
  mode tcp
  bind *:6443
  default_backend kube-api-backend

backend kube-api-backend
  mode tcp
  balance roundrobin
  option tcp-check
  server spi-node-1 spi-node-1.swimlane.io:6443 check
  server spi-node-2 spi-node-2.swimlane.io:6443 check
  server spi-node-3 spi-node-3.swimlane.io:6443 check
```

Swimlane configuration

Be sure to select the "Enable included ingress controller" option on the Swimlane Platform Installer UI Config tab when using TCP mode.

Port requirements

The ports to be load balanced in TCP mode are:

- Port 443
- Port 6443
- Port 8800

These ports must be accessible from the load balancer to any node that is a part of the cluster.

Layer 7 (HTTP mode) HAProxy load balancer

HTTP mode load balancers offer more flexibility and more advanced routing capabilities than TCP mode. SSL termination occurs at the load balancer, at which point the load balancer communicates with the backend nodes over the HTTP protocol. Configuration of the load balancer in HTTP mode is more flexible and allows for a wider range of configuration options that do not rely on a Swimlane release.

Be aware that HTTP mode is incompatible with the Kubernetes API. You will need to utilize at least one TCP mode frontend and backend.

The example below requires an SSL certificate and key located at /etc/haproxy/server.pem.

Example configuration for a layer 7 HAProxy server

```
##################
# Global Options #
##################
global

defaults
  timeout client  30s
  timeout server  30s
  timeout connect 30s

# No "stats auth" is set, so this page is served without authentication.
listen stats
  bind *:8080
  mode http
  stats enable
  stats uri /
  stats hide-version

##
# Swimlane Frontend / Backend
##
frontend swimlane-frontend
  mode http
  bind *:443 ssl crt /etc/haproxy/server.pem
  default_backend swimlane-backend

backend swimlane-backend
  mode http
  balance roundrobin
  option tcp-check
  # "ssl verify none": traffic to the nodes is encrypted, but their certificates are not validated.
  server spi-node-1 spi-node-1.swimlane.io:4443 check check-ssl ssl verify none
  server spi-node-2 spi-node-2.swimlane.io:4443 check check-ssl ssl verify none
  server spi-node-3 spi-node-3.swimlane.io:4443 check check-ssl ssl verify none

##
# Swimlane Platform Installer UI Frontend / Backend
##
frontend replicated-frontend
  mode http
  bind *:8800 ssl crt /etc/haproxy/server.pem
  default_backend replicated-backend

backend replicated-backend
  mode http
  balance roundrobin
  option httpchk GET /healthz
  server spi-node-1 spi-node-1.swimlane.io:8800 check check-ssl ssl verify none
  server spi-node-2 spi-node-2.swimlane.io:8800 check check-ssl ssl verify none
  server spi-node-3 spi-node-3.swimlane.io:8800 check check-ssl ssl verify none

##
# Kubernetes API Frontend / Backend
##
frontend kube-api-frontend
  mode tcp
  bind *:6443
  default_backend kube-api-backend

backend kube-api-backend
  mode tcp
  balance roundrobin
  option tcp-check
  server spi-node-1 spi-node-1.swimlane.io:6443 check
  server spi-node-2 spi-node-2.swimlane.io:6443 check
  server spi-node-3 spi-node-3.swimlane.io:6443 check
```

Swimlane configuration

Be sure to enable the "Expose the Swimlane web service externally" option on the Swimlane Platform Installer UI Config tab when using HAProxy in HTTP mode.

Port requirements

The ports to be load balanced in HTTP mode are:

- Port 4443
- Port 6443
- Port 8800
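
The constraints above can be checked before a configuration is deployed. The following Python check is an added example, not part of Swimlane's documentation or of HAProxy: it flags a Kubernetes API port bound in HTTP mode, `http-request` rules in a TCP-mode proxy, a statistics page without `stats auth`, and backend servers using `verify none`. The function names, finding messages and sample configuration are constructed for illustration, and a proxy with no explicit `mode` is assumed to be TCP.

```python
import re

PROXY_KINDS = ("frontend", "backend", "listen")

def parse_sections(cfg):
    """Split haproxy.cfg text into {(kind, name): [directive, ...]}."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, normalize spacing
        if not words:
            continue
        if words[0] in PROXY_KINDS + ("global", "defaults"):
            current = (words[0], words[1] if len(words) > 1 else "")
            sections[current] = []
        elif current:
            sections[current].append(" ".join(words))
    return sections

def audit(cfg, kube_port=6443):
    """Return findings for the pitfalls this page's examples touch on."""
    findings = []
    for (kind, name), lines in parse_sections(cfg).items():
        if kind not in PROXY_KINDS:
            continue
        # Simplification: a proxy with no explicit mode is treated as tcp.
        mode = next((l.split()[1] for l in lines if l.startswith("mode ")), "tcp")
        binds = [l for l in lines if l.startswith("bind ")]
        if mode == "tcp" and any(l.startswith("http-request ") for l in lines):
            findings.append(f"{name}: http-request rule needs mode http")
        if mode == "http" and any(re.search(rf":{kube_port}\b", b) for b in binds):
            findings.append(f"{name}: Kubernetes API port must use mode tcp")
        if "stats enable" in lines and not any(l.startswith("stats auth ") for l in lines):
            findings.append(f"{name}: stats page has no stats auth")
        findings += [f"{name}: {l.split()[1]} skips backend certificate verification"
                     for l in lines if l.startswith("server ") and " verify none" in l]
    return findings

# Constructed sample with deliberate mistakes; not a real deployment.
SAMPLE = """
listen stats
  bind *:8080
  mode http
  stats enable
frontend kube-api-frontend
  mode http
  bind *:6443
backend swimlane-backend
  server spi-node-1 spi-node-1.swimlane.io:4443 check ssl verify none
"""
print("\n".join(audit(SAMPLE)))
```

A syntax check with `haproxy -c -f <file>` is still needed; this script only looks at the four conditions listed.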