Introduction
HAProxy LB is a powerful, high-performance load balancer and proxy server that plays a crucial role in managing and optimizing network traffic in OKD clusters. OKD, the community distribution of Kubernetes that powers Red Hat OpenShift, benefits significantly from HAProxy’s advanced features. With its ability to distribute incoming traffic efficiently across multiple nodes and ensure high availability, HAProxy helps maintain the reliability and scalability of applications running within the cluster. By leveraging HAProxy, OKD administrators can achieve improved load balancing, fail-over capabilities, and enhanced performance, making it an essential tool for managing the complexities of modern containerized environments.
Installing HAProxy
Install HAProxy and make a backup of the original config file.
$ dnf install haproxy -y
$ cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg-original
Configuring HAProxy LB
Below is the HAProxy config we are using in the lab setup. Make sure to replace the IP addresses and host names according to your setup.
$ vim /etc/haproxy/haproxy.cfg
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats
    # utilize system-wide crypto-policies
    ssl-default-bind-ciphers PROFILE=SYSTEM
    ssl-default-server-ciphers PROFILE=SYSTEM
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000
#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
listen api-server-6443
    bind *:6443
    mode tcp
    option httpchk GET /readyz HTTP/1.0
    option log-health-checks
    balance roundrobin
    server bootstrap bootstrap.okdcls.linuxsysadmins.lan:6443 verify none check check-ssl inter 10s fall 2 rise 3 backup
    server control-plane1 control-plane1.okdcls.linuxsysadmins.lan:6443 weight 1 verify none check check-ssl inter 10s fall 2 rise 3
    server control-plane2 control-plane2.okdcls.linuxsysadmins.lan:6443 weight 1 verify none check check-ssl inter 10s fall 2 rise 3
    server control-plane3 control-plane3.okdcls.linuxsysadmins.lan:6443 weight 1 verify none check check-ssl inter 10s fall 2 rise 3
listen machine-config-server-22623
    bind *:22623
    mode tcp
    server bootstrap bootstrap.okdcls.linuxsysadmins.lan:22623 check inter 1s backup
    server control-plane1 control-plane1.okdcls.linuxsysadmins.lan:22623 check inter 1s
    server control-plane2 control-plane2.okdcls.linuxsysadmins.lan:22623 check inter 1s
    server control-plane3 control-plane3.okdcls.linuxsysadmins.lan:22623 check inter 1s
listen ingress-router-443
    bind *:443
    mode tcp
    balance source
    server compute1 compute1.okdcls.linuxsysadmins.lan:443 check inter 1s
    server compute2 compute2.okdcls.linuxsysadmins.lan:443 check inter 1s
    server compute3 compute3.okdcls.linuxsysadmins.lan:443 check inter 1s
listen ingress-router-80
    bind *:80
    mode tcp
    balance source
    server compute1 compute1.okdcls.linuxsysadmins.lan:80 check inter 1s
    server compute2 compute2.okdcls.linuxsysadmins.lan:80 check inter 1s
    server compute3 compute3.okdcls.linuxsysadmins.lan:80 check inter 1s
In my case, SELinux is in enforcing mode. To allow HAProxy to connect to all TCP ports, set the haproxy_connect_any boolean to 1 persistently. If this is not done, HAProxy will fail to start after a server reboot.
$ setsebool -P haproxy_connect_any=1
Start & enable HAProxy LB
Start and enable the service persistently.
$ systemctl enable haproxy.service --now
$ systemctl status haproxy.service
Firewall exclusion for HAProxy LB
Add firewall rules allowing inbound connections on the load-balanced ports from all the OKD cluster nodes.
$ firewall-cmd --add-port={6443,22623,443,80}/tcp --permanent
$ firewall-cmd --reload
$ firewall-cmd --list-all
That’s it, we are done with setting up HAProxy for the HA OKD cluster.
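The steps above (config, SELinux boolean, service start, firewall) have to agree with each other: the ports opened in firewalld must be exactly the ports HAProxy binds, and the service must actually be listening on them after a reboot. The script below is an added example, not part of the original post, that derives the port list from the haproxy.cfg itself and runs a few post-install checks. It assumes the config layout used in the post (one `bind *:PORT` per `listen` section), the `haproxy`, `getsebool` and `ss` commands from the haproxy, policycoreutils and iproute packages, and a constructed sample config embedded for offline testing; the `HAPROXY_CFG` variable and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): derive the listen ports from an
# HAProxy config and verify the host really serves them. Paths, function names
# and the sample config are assumptions made for this example.

CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"

# Print the TCP port of every "bind" line inside listen/frontend sections,
# one per line, in config order. Handles "bind *:PORT" and "bind ADDR:PORT".
listen_ports() {
    awk '
        /^[[:space:]]*(listen|frontend)[[:space:]]/ { in_section = 1; next }
        /^[[:space:]]*(global|defaults|backend)[[:space:]]*$/ { in_section = 0 }
        in_section && /^[[:space:]]*bind[[:space:]]/ {
            port = $2; sub(/.*:/, "", port); print port
        }
    ' "$1"
}

# Join the ports into the form firewall-cmd --add-port expects, e.g.
# "6443,22623,443,80", so the firewall step cannot drift from the config.
firewall_port_spec() {
    listen_ports "$1" | awk '{ s = s (NR > 1 ? "," : "") $0 } END { print s }'
}

# Syntax-check the config the same way "haproxy -c" does at service start.
check_config_syntax() {
    command -v haproxy >/dev/null 2>&1 || { echo "haproxy not found, skipping"; return 0; }
    haproxy -c -f "$1" >/dev/null
}

# Confirm the boolean set in the post persisted across reboots
# (getsebool prints "haproxy_connect_any --> on").
check_selinux_boolean() {
    command -v getsebool >/dev/null 2>&1 || { echo "getsebool not found, skipping"; return 0; }
    getsebool haproxy_connect_any 2>/dev/null | grep -q -- '--> on'
}

# Return 0 when every configured port has a listening TCP socket,
# otherwise list the missing ports and return 1.
check_listening() {
    command -v ss >/dev/null 2>&1 || { echo "ss not found, skipping"; return 0; }
    missing=""
    for p in $(listen_ports "$1"); do
        ss -Hltn "( sport = :$p )" | grep -q . || missing="$missing $p"
    done
    if [ -n "$missing" ]; then
        echo "not listening on:$missing"
        return 1
    fi
    return 0
}

# Constructed minimal config mirroring the post's four listen sections;
# used only to exercise the parser offline.
sample_config() {
    cat <<'EOF'
global
    daemon
defaults
    mode http
listen api-server-6443
    bind *:6443
    mode tcp
    server control-plane1 control-plane1.example.lan:6443 check
listen machine-config-server-22623
    bind *:22623
    mode tcp
listen ingress-router-443
    bind *:443
    mode tcp
listen ingress-router-80
    bind *:80
    mode tcp
EOF
}

# Usage: HAPROXY_CFG=/etc/haproxy/haproxy.cfg sh haproxy-check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_config_syntax "$CFG" && check_selinux_boolean && check_listening "$CFG" \
        && echo "ok: ports $(firewall_port_spec "$CFG") configured and listening"
fi
```

Run with `--check` on the load balancer after a reboot; `firewall_port_spec` can also be fed straight into `firewall-cmd --add-port={...}/tcp` so the firewall step is generated from the config rather than typed by hand. One point worth keeping in mind when reading the config: because the API listener runs in `mode tcp`, client TLS sessions pass through to the API servers untouched, so the `verify none` on the 6443 servers only affects HAProxy's own `check-ssl` health-check connections, not the certificate validation performed by `oc` or kubelet clients.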