Adding option to check backend health via TLS #699

Merged
merged 2 commits into from
Aug 10, 2024
5 changes: 4 additions & 1 deletion jobs/haproxy/spec
Expand Up @@ -677,7 +677,10 @@ properties:
ha_proxy.backend_health_rise:
description: Number of consecutive successful health checks required before the server is considered healthy from an unhealthy state. The default value of 2 matches the default if the parameter is undefined. This parameter will be ignored if ha_proxy.backend_use_http_health is false.
default: 2

ha_proxy.backend_https_check:
description: Set to true if the backend uses TLS on the health endpoint. Adds the check-ssl option to the backend configs. If backend certificate on traffic port is verified the Health endpoint cert will also be verified.
default: false

ha_proxy.global_config:
description: |
Raw HAProxy config that will be added to the HA proxy global section, provided either as a multiline text blob or as an array of lines.
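Review bot: The ha_proxy.backend_https_check description leaves the certificate handling underspecified. "If backend certificate on traffic port is verified" does not name the property that turns that verification on, and the text does not say what the health check does with the certificate in the other case, so an operator cannot tell from the spec whether enabling this option gives an authenticated probe or only an encrypted one. Name the controlling property and describe both cases. The description should also state whether the option is ignored when ha_proxy.backend_use_http_health is false, as the backend_health_rise description directly above does, and "Health endpoint" should be lower case.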
4 changes: 3 additions & 1 deletion jobs/haproxy/templates/haproxy.config.erb
Expand Up @@ -856,9 +856,11 @@ backend <%= backend[:name] %>
<%- health_check_options = "port " + p("ha_proxy.backend_http_health_port").to_s -%>
<%- health_check_options += " fall " + p("ha_proxy.backend_health_fall").to_s -%>
<%- health_check_options += " rise " + p("ha_proxy.backend_health_rise").to_s -%>
<%- p("ha_proxy.backend_https_check") ? ssl_check = " check-ssl" : ssl_check = nil -%>
<%- end -%>

<% backend_servers.each_with_index do |ip, index| %>
server node<%= index %> <%= ip %>:<%= backend_port -%> <%= resolvers -%><%= backend_crt -%>check inter 1000 <%= health_check_options %> <%= backend[:backend_ssl] %><%= backend[:alpn] %><%- if !backend_servers_local.empty? && !backend_servers_local.include?(ip) -%> backup<%- end -%>
server node<%= index %> <%= ip %>:<%= backend_port -%> <%= resolvers -%><%= backend_crt -%>check<%= ssl_check -%> inter 1000 <%= health_check_options %> <%= backend[:backend_ssl] %><%= backend[:alpn] %><%- if !backend_servers_local.empty? && !backend_servers_local.include?(ip) -%> backup<%- end -%>
<% end %>
# }}}
<%- end %>
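Review bot: ssl_check is assigned on the line directly before `<%- end -%>`, so it is only set inside the block that `end` closes, while the new server line interpolates `<%= ssl_check -%>` on every render. If that block is an `if`, this works only because Ruby leaves a local nil when its assignment was parsed but not executed; assign the variable once outside the block so the server line does not depend on that. The ternary with an assignment in each branch is also harder to read than `ssl_check = p("ha_proxy.backend_https_check") ? " check-ssl" : ""`. Separately, check-ssl is emitted independently of `backend[:backend_ssl]` later on the same line, so a short template comment saying that certificate verification for the probe comes from that option would help the next reader.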
20 changes: 20 additions & 0 deletions spec/haproxy/templates/haproxy_config/backend_http_spec.rb
Expand Up @@ -146,6 +146,26 @@
expect(backend_http1).to include('server node1 10.0.0.2:80 check inter 1000 port 8080 fall 3 rise 99')
end
end

context 'when tls health checks for backend are enabled' do
let(:properties) do
{
'backend_use_http_health' => true,
'backend_http_health_uri' => '1.2.3.5/health',
'backend_servers' => ['10.0.0.1', '10.0.0.2'],
'backend_https_check' => true
}
end

it 'configures the healthcheck' do
expect(backend_http1).to include('option httpchk GET 1.2.3.5/health')
end

it 'configures the servers' do
expect(backend_http1).to include('server node0 10.0.0.1:80 check check-ssl inter 1000 port 8080 fall 3 rise 2')
expect(backend_http1).to include('server node1 10.0.0.2:80 check check-ssl inter 1000 port 8080 fall 3 rise 2')
end
end
end

context 'when backend servers are provided via ha_proxy.backend_servers' do
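Review bot: The new context only covers backend_https_check with a plain traffic port (`10.0.0.1:80`) and backend_use_http_health set to true, so the claim in the spec description that the health endpoint certificate is verified when the traffic-port certificate is verified has no test behind it. Add a case that enables backend certificate verification together with backend_https_check and asserts that the rendered server line carries both check-ssl and the verification options, and a case with backend_use_http_health false and backend_https_check true that pins down whether check-ssl is emitted or suppressed.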