Re[4]: nginx in front of haproxy ?
Hi Fabio.
-- Originalnachricht --
Von: "Fabio Martinelli" <fabio.martinelli.1...@gmail.com>
An: "Aleksandar Lazic" <al...@me2digital.eu>
Gesendet: 04.01.2018 10:34:03
Betreff: Re: Re[2]: nginx in front of haproxy ?
Thanks Joel,
that's correct, in this particular case it is not nginx in front of our
3 haproxy but nginx in front of our 3 Web Console ; I got confused
because in our nginx we have other rules pointing to the 3 haproxy, for
instance to manage the 'metrics.hosting.wfp.org' case
Thanks Aleksandar,
my inventory sets :
openshift_master_default_subdomain=hosting.wfp.org
openshift_master_cluster_public_hostname={{openshift_master_default_subdomain}}
maybe I had to be more explicit as you advice by directly setting :
openshift_master_cluster_public_hostname=hosting.wfp.org
I would do
`openshift_master_cluster_public_hostname=master.{{openshift_master_default_subdomain}}`
The ip for `master.hosting.wfp.org` should be a vip.
The domain alone is not enough you need a ip e. g.: 10.11.40.99, if you
have not setuped a wild-card dns entry for this domain.
https://github.com/openshift/openshift-ansible/blob/master/inventory/hosts.example#L304-L311
anyway I'm afraid to run Ansible again because of the 2 GlusterFS we
run, 1 for general data, 1 for the internal registry ;
installing GlusterFS was the hardest part for us, maybe is there a way
to skip the GlusterFS part without modifying the inventory file ?
Well I don't know.
How about to show us your inventory file with removed sensible data.
best regards,
Fabio
Best regards
Aleks
smime.p7s
Description: S/MIME cryptographic signature
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
Re[2]: nginx in front of haproxy ?
Hi.
@Fabio: When you use the advanced setup you should set the
`openshift_master_cluster_public_hostname` to `hosting.wfp.org`and rerun
the install playbook.
I suggest to take a look into the now very detailed documentation.
https://docs.openshift.org/latest/install_config/install/advanced_install.html#configuring-cluster-variables
https://docs.openshift.org/latest/install_config/install/advanced_install.html#running-the-advanced-installation-system-container
It's big but worth to read.
-- Originalnachricht --
Von: "Joel Pearson" <japear...@agiledigital.com.au>
An: "Fabio Martinelli" <fabio.martinelli.1...@gmail.com>
Cc: users@lists.openshift.redhat.com
Gesendet: 03.01.2018 20:59:59
Betreff: Re: nginx in front of haproxy ?
It’s also worth mentioning that the console is not haproxy. That is the
router, which run on the infrastructure nodes. The console/api server
runs something else.
The 'something else' is the openshift master server or the api servers
depend on the setup.
Regards
Aleks
On Wed, 3 Jan 2018 at 1:46 am, Fabio Martinelli
<fabio.martinelli.1...@gmail.com> wrote:
It was actually needed to rewrite the master-config.yaml in this other
way, basically removing all the :8443 strings in the 'public' fields,
i.e. to make it implicitly appear as :443
[snipp]
the strange PHP error message was due to another service listening on
the 8443 port on the same host where nginx it's running !
Exploiting this post https://github.com/openshift/origin/issues/17456
our nginx setup got now :
upstream openshift-cluster-webconsole {
ip_hash;
server wfpromshap21.global.wfp.org:8443;
server wfpromshap22.global.wfp.org:8443;
server wfpromshap23.global.wfp.org:8443;
}
server {
listen 10.11.40.99:80;
server_name hosting.wfp.org;
return 301 https://$server_name$request_uri;
}
server {
listen 10.11.40.99:443;
server_name hosting.wfp.org;
access_log /var/log/nginx/hosting-console-access.log;
#access_log off;
error_log /var/log/nginx/hosting-console-error.log crit;
include /data/nginx/includes.d/ssl-wfp.conf;
include /data/nginx/includes.d/error.conf;
include /data/nginx/includes.d/proxy.conf;
proxy_set_header Host $host;
location / {
proxy_pass https://openshift-cluster-webconsole;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
and it seems to work by nicely masking the 3 Web Consoles.
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
smime.p7s
Description: S/MIME cryptographic signature
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
Re: nginx in front of haproxy ?
It’s also worth mentioning that the console is not haproxy. That is the
router, which run on the infrastructure nodes. The console/api server runs
something else.
On Wed, 3 Jan 2018 at 1:46 am, Fabio Martinelli <
fabio.martinelli.1...@gmail.com> wrote:
> It was actually needed to rewrite the master-config.yaml in this other
> way, basically removing all the :8443 strings in the 'public' fields, i.e.
> to make it implicitly appear as :443
>
> admissionConfig:
> pluginConfig:
> BuildDefaults:
> configuration:
> apiVersion: v1
> env: []
> kind: BuildDefaultsConfig
> resources:
> limits: {}
> requests: {}
> BuildOverrides:
> configuration:
> apiVersion: v1
> kind: BuildOverridesConfig
> PodPreset:
> configuration:
> apiVersion: v1
> disable: false
> kind: DefaultAdmissionConfig
> openshift.io/ImagePolicy:
> configuration:
> apiVersion: v1
> executionRules:
> - matchImageAnnotations:
> - key: images.openshift.io/deny-execution
> value: 'true'
> name: execution-denied
> onResources:
> - resource: pods
> - resource: builds
> reject: true
> skipOnResolutionFailure: true
> kind: ImagePolicyConfig
> aggregatorConfig:
> proxyClientInfo:
> certFile: aggregator-front-proxy.crt
> keyFile: aggregator-front-proxy.key
> apiLevels:
> - v1
> apiVersion: v1
> assetConfig:
> extensionScripts:
> - /etc/origin/master/openshift-ansible-catalog-console.js
> logoutURL: ""
> masterPublicURL: https://hosting.wfp.org<
> metricsPublicURL: https://metrics.hosting.wfp.org/hawkular/metrics
> publicURL: https://hosting.wfp.org/console/<
> servingInfo:
> bindAddress: 0.0.0.0:8443
> bindNetwork: tcp4
> certFile: master.server.crt
> clientCA: ""
> keyFile: master.server.key
> maxRequestsInFlight: 0
> requestTimeoutSeconds: 0
> authConfig:
> requestHeader:
> clientCA: front-proxy-ca.crt
> clientCommonNames:
> - aggregator-front-proxy
> extraHeaderPrefixes:
> - X-Remote-Extra-
> groupHeaders:
> - X-Remote-Group
> usernameHeaders:
> - X-Remote-User
> controllerConfig:
> election:
> lockName: openshift-master-controllers
> serviceServingCert:
> signer:
> certFile: service-signer.crt
> keyFile: service-signer.key
> controllers: '*'
> corsAllowedOrigins:
> - (?i)//127\.0\.0\.1(:|\z)
> - (?i)//localhost(:|\z)
> - (?i)//10\.11\.41\.85(:|\z)
> - (?i)//kubernetes\.default(:|\z)
> - (?i)//kubernetes\.default\.svc\.cluster\.local(:|\z)
> - (?i)//kubernetes(:|\z)
> - (?i)//openshift\.default(:|\z)
> - (?i)//hosting\.wfp\.org(:|\z)
> - (?i)//openshift\.default\.svc(:|\z)
> - (?i)//172\.30\.0\.1(:|\z)
> - (?i)//wfpromshap21\.global\.wfp\.org(:|\z)
> - (?i)//openshift\.default\.svc\.cluster\.local(:|\z)
> - (?i)//kubernetes\.default\.svc(:|\z)
> - (?i)//openshift(:|\z)
> dnsConfig:
> bindAddress: 0.0.0.0:8053
> bindNetwork: tcp4
> etcdClientInfo:
> ca: master.etcd-ca.crt
> certFile: master.etcd-client.crt
> keyFile: master.etcd-client.key
> urls:
> - https://wfpromshap21.global.wfp.org:2379
> - https://wfpromshap22.global.wfp.org:2379
> - https://wfpromshap23.global.wfp.org:2379
> etcdStorageConfig:
> kubernetesStoragePrefix: kubernetes.io
> kubernetesStorageVersion: v1
> openShiftStoragePrefix: openshift.io
> openShiftStorageVersion: v1
> imageConfig:
> format: openshift/origin-${component}:${version}
> latest: false
> kind: MasterConfig
> kubeletClientInfo:
> ca: ca-bundle.crt
> certFile: master.kubelet-client.crt
> keyFile: master.kubelet-client.key
> port: 10250
> kubernetesMasterConfig:
> apiServerArguments:
> runtime-config:
> - apis/settings.k8s.io/v1alpha1=true
> storage-backend:
> - etcd3
> storage-media-type:
> - application/vnd.kubernetes.protobuf
> controllerArguments:
> masterCount: 3
> masterIP: 10.11.41.85
> podEvictionTimeout:
> proxyClientInfo:
> certFile: master.proxy-client.crt
> keyFile: master.proxy-client.key
> schedulerArguments:
> schedulerConfigFile: /etc/origin/master/scheduler.json
> servicesNodePortRange: ""
> servicesSubnet: 172.30.0.0/16
> staticNodeNames: []
> masterClients:
> externalKubernetesClientConnectionOverrides:
> acceptContentTypes:
> application/vnd.kubernetes.protobuf,application/json
> burst: 400
> contentType: application/vnd.kubernetes.protobuf
> qps: 200
> externalKubernetesKubeConfig: ""
> openshiftLoopbackClientConnectionOverrides:
> acceptContentTypes:
> application/vnd.kubernetes.protobuf,application/json
> burst: 600
> contentType: application/vnd.kubernetes.protobuf
> qps: 300
> openshiftLoopbackKubeConfig: openshift-master.kubeconfig
> masterPublicURL: https://hosting.wfp.org<
> networkConfig:
>
Re: nginx in front of haproxy ?
It was actually needed to rewrite the master-config.yaml in this other way,
basically removing all the :8443 strings in the 'public' fields, i.e. to
make it implicitly appear as :443
admissionConfig:
pluginConfig:
BuildDefaults:
configuration:
apiVersion: v1
env: []
kind: BuildDefaultsConfig
resources:
limits: {}
requests: {}
BuildOverrides:
configuration:
apiVersion: v1
kind: BuildOverridesConfig
PodPreset:
configuration:
apiVersion: v1
disable: false
kind: DefaultAdmissionConfig
openshift.io/ImagePolicy:
configuration:
apiVersion: v1
executionRules:
- matchImageAnnotations:
- key: images.openshift.io/deny-execution
value: 'true'
name: execution-denied
onResources:
- resource: pods
- resource: builds
reject: true
skipOnResolutionFailure: true
kind: ImagePolicyConfig
aggregatorConfig:
proxyClientInfo:
certFile: aggregator-front-proxy.crt
keyFile: aggregator-front-proxy.key
apiLevels:
- v1
apiVersion: v1
assetConfig:
extensionScripts:
- /etc/origin/master/openshift-ansible-catalog-console.js
logoutURL: ""
masterPublicURL: https://hosting.wfp.org<
metricsPublicURL: https://metrics.hosting.wfp.org/hawkular/metrics
publicURL: https://hosting.wfp.org/console/<
servingInfo:
bindAddress: 0.0.0.0:8443
bindNetwork: tcp4
certFile: master.server.crt
clientCA: ""
keyFile: master.server.key
maxRequestsInFlight: 0
requestTimeoutSeconds: 0
authConfig:
requestHeader:
clientCA: front-proxy-ca.crt
clientCommonNames:
- aggregator-front-proxy
extraHeaderPrefixes:
- X-Remote-Extra-
groupHeaders:
- X-Remote-Group
usernameHeaders:
- X-Remote-User
controllerConfig:
election:
lockName: openshift-master-controllers
serviceServingCert:
signer:
certFile: service-signer.crt
keyFile: service-signer.key
controllers: '*'
corsAllowedOrigins:
- (?i)//127\.0\.0\.1(:|\z)
- (?i)//localhost(:|\z)
- (?i)//10\.11\.41\.85(:|\z)
- (?i)//kubernetes\.default(:|\z)
- (?i)//kubernetes\.default\.svc\.cluster\.local(:|\z)
- (?i)//kubernetes(:|\z)
- (?i)//openshift\.default(:|\z)
- (?i)//hosting\.wfp\.org(:|\z)
- (?i)//openshift\.default\.svc(:|\z)
- (?i)//172\.30\.0\.1(:|\z)
- (?i)//wfpromshap21\.global\.wfp\.org(:|\z)
- (?i)//openshift\.default\.svc\.cluster\.local(:|\z)
- (?i)//kubernetes\.default\.svc(:|\z)
- (?i)//openshift(:|\z)
dnsConfig:
bindAddress: 0.0.0.0:8053
bindNetwork: tcp4
etcdClientInfo:
ca: master.etcd-ca.crt
certFile: master.etcd-client.crt
keyFile: master.etcd-client.key
urls:
- https://wfpromshap21.global.wfp.org:2379
- https://wfpromshap22.global.wfp.org:2379
- https://wfpromshap23.global.wfp.org:2379
etcdStorageConfig:
kubernetesStoragePrefix: kubernetes.io
kubernetesStorageVersion: v1
openShiftStoragePrefix: openshift.io
openShiftStorageVersion: v1
imageConfig:
format: openshift/origin-${component}:${version}
latest: false
kind: MasterConfig
kubeletClientInfo:
ca: ca-bundle.crt
certFile: master.kubelet-client.crt
keyFile: master.kubelet-client.key
port: 10250
kubernetesMasterConfig:
apiServerArguments:
runtime-config:
- apis/settings.k8s.io/v1alpha1=true
storage-backend:
- etcd3
storage-media-type:
- application/vnd.kubernetes.protobuf
controllerArguments:
masterCount: 3
masterIP: 10.11.41.85
podEvictionTimeout:
proxyClientInfo:
certFile: master.proxy-client.crt
keyFile: master.proxy-client.key
schedulerArguments:
schedulerConfigFile: /etc/origin/master/scheduler.json
servicesNodePortRange: ""
servicesSubnet: 172.30.0.0/16
staticNodeNames: []
masterClients:
externalKubernetesClientConnectionOverrides:
acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
burst: 400
contentType: application/vnd.kubernetes.protobuf
qps: 200
externalKubernetesKubeConfig: ""
openshiftLoopbackClientConnectionOverrides:
acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
burst: 600
contentType: application/vnd.kubernetes.protobuf
qps: 300
openshiftLoopbackKubeConfig: openshift-master.kubeconfig
masterPublicURL: https://hosting.wfp.org<
networkConfig:
clusterNetworkCIDR: 10.128.0.0/14
clusterNetworks:
- cidr: 10.128.0.0/14
hostSubnetLength: 9
externalIPNetworkCIDRs:
- 0.0.0.0/0
hostSubnetLength: 9
networkPluginName: redhat/openshift-ovs-multitenant
serviceNetworkCIDR: 172.30.0.0/16
oauthConfig:
assetPublicURL: https://hosting.wfp.org/console/
grantConfig:
method: auto
identityProviders:
- challenge: true
login: true
mappingMethod: claim
name: htpasswd_auth
provider:
apiVersion: v1
file: /etc/origin/master/htpasswd
kind:
nginx in front of haproxy ?
Hello
as our load balancer I've to setup nginx 1.13.8 configured in HA on 2 nodes
by Keepalived in front of our 3 masters Origin 3.7 containerized
installation ;
seemingly on the 3 masters the master-config.yaml got configured fine by
the Ansible run :
admissionConfig:
pluginConfig:
BuildDefaults:
configuration:
apiVersion: v1
env: []
kind: BuildDefaultsConfig
resources:
limits: {}
requests: {}
BuildOverrides:
configuration:
apiVersion: v1
kind: BuildOverridesConfig
PodPreset:
configuration:
apiVersion: v1
disable: false
kind: DefaultAdmissionConfig
openshift.io/ImagePolicy:
configuration:
apiVersion: v1
executionRules:
- matchImageAnnotations:
- key: images.openshift.io/deny-execution
value: 'true'
name: execution-denied
onResources:
- resource: pods
- resource: builds
reject: true
skipOnResolutionFailure: true
kind: ImagePolicyConfig
aggregatorConfig:
proxyClientInfo:
certFile: aggregator-front-proxy.crt
keyFile: aggregator-front-proxy.key
apiLevels:
- v1
apiVersion: v1
assetConfig:
extensionScripts:
- /etc/origin/master/openshift-ansible-catalog-console.js
logoutURL: ""
masterPublicURL: https://hosting.wfp.org:8443<
metricsPublicURL: https://metrics.hosting.wfp.org/hawkular/metrics
publicURL: https://hosting.wfp.org:8443/console/ <
servingInfo:
bindAddress: 0.0.0.0:8443
bindNetwork: tcp4
certFile: master.server.crt
clientCA: ""
keyFile: master.server.key
maxRequestsInFlight: 0
requestTimeoutSeconds: 0
authConfig:
requestHeader:
clientCA: front-proxy-ca.crt
clientCommonNames:
- aggregator-front-proxy
extraHeaderPrefixes:
- X-Remote-Extra-
groupHeaders:
- X-Remote-Group
usernameHeaders:
- X-Remote-User
controllerConfig:
election:
lockName: openshift-master-controllers
serviceServingCert:
signer:
certFile: service-signer.crt
keyFile: service-signer.key
controllers: '*'
corsAllowedOrigins:
- (?i)//127\.0\.0\.1(:|\z)
- (?i)//localhost(:|\z)
- (?i)//10\.11\.41\.85(:|\z)
- (?i)//kubernetes\.default(:|\z)
- (?i)//kubernetes\.default\.svc\.cluster\.local(:|\z)
- (?i)//kubernetes(:|\z)
- (?i)//openshift\.default(:|\z)
- (?i)//hosting\.wfp\.org(:|\z)
- (?i)//openshift\.default\.svc(:|\z)
- (?i)//172\.30\.0\.1(:|\z)
- (?i)//wfpromshap21\.global\.wfp\.org(:|\z)
- (?i)//openshift\.default\.svc\.cluster\.local(:|\z)
- (?i)//kubernetes\.default\.svc(:|\z)
- (?i)//openshift(:|\z)
dnsConfig:
bindAddress: 0.0.0.0:8053
bindNetwork: tcp4
etcdClientInfo:
ca: master.etcd-ca.crt
certFile: master.etcd-client.crt
keyFile: master.etcd-client.key
urls:
- https://wfpromshap21.global.wfp.org:2379
- https://wfpromshap22.global.wfp.org:2379
- https://wfpromshap23.global.wfp.org:2379
etcdStorageConfig:
kubernetesStoragePrefix: kubernetes.io
kubernetesStorageVersion: v1
openShiftStoragePrefix: openshift.io
openShiftStorageVersion: v1
imageConfig:
format: openshift/origin-${component}:${version}
latest: false
kind: MasterConfig
kubeletClientInfo:
ca: ca-bundle.crt
certFile: master.kubelet-client.crt
keyFile: master.kubelet-client.key
port: 10250
kubernetesMasterConfig:
apiServerArguments:
runtime-config:
- apis/settings.k8s.io/v1alpha1=true
storage-backend:
- etcd3
storage-media-type:
- application/vnd.kubernetes.protobuf
controllerArguments:
masterCount: 3
masterIP: 10.11.41.85
podEvictionTimeout:
proxyClientInfo:
certFile: master.proxy-client.crt
keyFile: master.proxy-client.key
schedulerArguments:
schedulerConfigFile: /etc/origin/master/scheduler.json
servicesNodePortRange: ""
servicesSubnet: 172.30.0.0/16
staticNodeNames: []
masterClients:
externalKubernetesClientConnectionOverrides:
acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
burst: 400
contentType: application/vnd.kubernetes.protobuf
qps: 200
externalKubernetesKubeConfig: ""
openshiftLoopbackClientConnectionOverrides:
acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
burst: 600
contentType: application/vnd.kubernetes.protobuf
qps: 300
openshiftLoopbackKubeConfig: openshift-master.kubeconfig
masterPublicURL: https://hosting.wfp.org:8443<
networkConfig:
clusterNetworkCIDR: 10.128.0.0/14
clusterNetworks:
- cidr: 10.128.0.0/14
hostSubnetLength: 9
externalIPNetworkCIDRs:
- 0.0.0.0/0
hostSubnetLength: 9
networkPluginName: redhat/openshift-ovs-multitenant
serviceNetworkCIDR: 172.30.0.0/16
oauthConfig:
assetPublicURL: https://hosting.wfp.org:8443/console/<
grantConfig:
method: auto
identityProviders:
- challenge: true
login: true
mappingMethod: claim
name: htpasswd_auth
