HAProxy Load Balancer

this topic explains how to use an haproxy load balancer http //www haproxy org/ for your turbine deployment haproxy can be run either as a layer 4 (tcp mode) or a layer 7 (http mode) currently, a layer 7 load balancer is not supported for the kubernetes api however, haproxy works as a hybrid and provides load balancing for both layer 4 and layer 7 applications using a single daemon this topic is limited to being an example of how to use haproxy as a load balancer for turbine configuring the load balancer as described here will result in a non highly available configuration haproxy can be configured with ha and failover capabilities using the same example configuration, but the ha configuration of haproxy is beyond the scope of this topic both examples in this topic include an enabled haproxy statistics listener this can be useful for keeping track of metrics and backend node health it is accessible over port 8080 it is in no way required and can be disabled by deleting the listener stats sections of the configuration architecture diagram tcp mode (layer 4) haproxy http mode (layer 7) haproxy layer 4 (tcp mode) haproxy load balancer the benefits of tcp mode are in its simplicity tcp mode simply forwards network traffic at the port level to the configured backend servers this allows the backend service to control almost all aspects of the communication for example, tcp mode enables the backend service to provide its own tls certificate so that ssl doesn't get terminated at the load balancer the downside of tcp mode for turbine's use case is that generally upgrades to the load balancer (ie whitelisting or blacklisting ssl ciphers) can happen much more quickly in http mode by the administrator versus waiting for a turbine release example configuration for a layer 4 haproxy server turbine configuration be sure to select the enable included ingress controller option on the turbine platform installer ui config tab when using tcp mode port requirements the ports to be load balanced in tcp mode are port 443 port 6443 port 8800 these ports must be accessible from the load balancer to any node that is a part of the cluster layer 7 (http mode) haproxy load balancer http mode load balancers offer more flexibility and more advanced routing capabilities over tcp mode ssl termination occurs at the load balancer, at which point the load balancer communicates with the backend nodes over the http protocol configuration of the load balancer in http mode is more flexible and allows for a wider range of configuration options that do not rely on a turbine release be aware that http mode is incompatible with the kubernetes api you will need to utilize at least one tcp mode frontend and backend the example below requires an ssl certificate + a key located at /etc/haproxy/server pem example configuration for a layer 7 haproxy server swimlane configuration be sure to enable the expose the swimlane web service externally option on the turbine platform installer ui config tab when using haproxy in http mode port requirements the ports to be load balanced in http mode are port 4443 port 6443 port 8800