[AAI] Haproxy user updated in config

[oom.git] / kubernetes / aai / resources / config / haproxy / haproxy-pluggable-security.cfg

diff --git a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
index b05ffae..03212b9 100644 (file)
--- a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
+++ b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
@@ -17,8 +17,10 @@ global
         log /dev/log    local0
         stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin
         stats timeout 30s
-        user root
-        group root
+        # it is required else pod will not come up
+        maxconn 50000
+        user haproxy
+        group haproxy
         daemon
         #################################
         # Default SSL material locations#
@@ -38,7 +40,8 @@ defaults
         mode    http
         option  httplog
         option  ssl-hello-chk
-        option  httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==
+        option  httpchk
+        http-check send meth GET uri /aai/util/echo ver HTTP/1.1 hdr Host aai hdr X-TransactionId  haproxy-0111 hdr X-FromAppId haproxy hdr Accept application/json hdr Authorization 'Basic QUFJOkFBSQ=='
         default-server init-addr none
 #       option  dontlognull
 #       errorfile 400 /etc/haproxy/errors/400.http
@@ -59,10 +62,16 @@ defaults
         timeout server  480000
         timeout http-keep-alive 30000
 
+frontend stats
+       bind *:8448
+       http-request use-service prometheus-exporter if { path /metrics }
+       stats enable
+       stats uri /stats
+       stats refresh 10s
 
 frontend IST_8443
         mode http
-        bind 0.0.0.0:8443 name https ssl crt /etc/ssl/private/aai.pem
+        bind 0.0.0.0:8443 name https ssl crt /opt/app/osaaf/local/certs/fullchain.pem
 #       log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
         log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
         option httplog
@@ -73,6 +82,10 @@ frontend IST_8443
         capture response header Host len 100
         option log-separate-errors
         option forwardfor
+
+        http-request set-header X-Forwarded-Proto https
+        http-request add-header X-Forwarded-Port 8443
+
         http-request set-header X-Forwarded-Proto https if { ssl_fc }
         http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used }
         http-request set-header X-AAI-SSL                       %[ssl_fc]
@@ -88,8 +101,14 @@ frontend IST_8443
         http-request set-header X-AAI-SSL-Client-ST             %{+Q}[ssl_c_s_dn(ST)]
         http-request set-header X-AAI-SSL-Client-C              %{+Q}[ssl_c_s_dn(C)]
         http-request set-header X-AAI-SSL-Client-O              %{+Q}[ssl_c_s_dn(O)]
-        reqadd X-Forwarded-Proto:\ https
-        reqadd X-Forwarded-Port:\ 8443
+#######################################
+## Request blocking configuration ###
+#######################################
+        {{- if eq $.Values.haproxy.requestBlocking.enabled true }}
+        {{- range $custom_config := $.Values.haproxy.requestBlocking.customConfigs }}
+        {{ $custom_config }}
+        {{- end }}
+        {{- end }}
 
 #######################
 #ACLS FOR PORT 8446####
@@ -98,22 +117,25 @@ frontend IST_8443
         acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
         acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
         acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
+        acl is_dsl path_reg -i ^/aai/v[0-9]+/dsl$
         acl is_named-query path_beg -i /aai/search/named-query
         acl is_search-model path_beg -i /aai/search/model
-        use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model
+        use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model or is_dsl
 
         default_backend IST_Default_8447
 
 
 #######################
-#DEFAULT BACKEND 847###
+#DEFAULT BACKEND 8447##
 #######################
 
 backend IST_Default_8447
         balance roundrobin
+        stick-table type string len 100 size 200k expire 2m
+        stick on path
         http-request set-header X-Forwarded-Port %[src_port]
         http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
-        server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none
+        server-template aai-resources.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiResources}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none
 
 
 #######################
@@ -122,9 +144,11 @@ backend IST_Default_8447
 
 backend IST_AAI_8446
         balance roundrobin
+        stick-table type string len 100 size 200k expire 2m
+        stick on path
         http-request set-header X-Forwarded-Port %[src_port]
         http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
-        server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none
+        server-template aai-traversal.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiTraversal}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none
 
 listen IST_AAI_STATS
         mode http