HAProxy configuration
Learn how to configure the HAProxy for cross region failover.
The required components for this task are:
Example values:- Two OpenShift® clusters running on a hybrid architecture.
- Two Web GUI deployments.
- Two HAProxys.
https://webgui.east.example.com
as the URL for Web GUI normally accessed by users in the east.https://webgui.west.example.com
as URL for Web GUI normally accessed by users in the west.https://netcool.east.example.com
as URL for HAProxy associated with the Web GUI normally accessed by users in the east.https://netcool.west.example.com
as URL for HAProxy associated with the Web GUI normally accessed by users in the west.https://netcool.primary.example.com
as URL for Netcool Operations Insight application running in the primary OpenShift cluster.https://netcool.secondary.example.com
as URL for Netcool Operations Insight application running in the secondary OpenShift cluster.
Note:
netcool.primary.example.com
and
netcool.secondary.example.com
must resolve to the IP addresses of the respective
OpenShift ingress routers.
However, netcool.east.example.com
and netcool.west.example.com
resolve to the IP addresses of HAProxies configured to forward requests to the currently active
OpenShift.Web GUI configuration
- Ensure that each Web GUI is set up to use a valid TLS certificate with the correct DNS name in the subject alternative name extension and that the web browser doesn't show any certificate errors.
- Obtain a copy of the root CA certificate used to sign each of the Web GUI certificates. You can skip this step if all the certificates were signed by a well-known public CAs.
- Update the
jazz/profile/config/cells/JazzSMNode01Cell/oauth20/base.clients.xml
by creating a<client>
element for each client. You need a different client ID for each Ha Proxy, and for each OpenShift cluster too if users can access Netcool Operations Insight directly on OpenShift. Follow this link to have more information. The following table shows the properties of each element according to the example.Table 1: Example of properties for Web GUI configuration.Id Secret Redirect east
secret1 https://netcool.east.example.com/
west
secret2 https://netcool.west.example.com/
primary
secret3 https://netcool.primary.example.com/
secondary
secret4 https://netcool.secondary.example.com/
- Stop and restart the server.
HAProxy configuration
The HAProxy configuration file is normally called
/usr/local/etc/haproxy/haproxy.cnf
and is usually in a directory similar to
/usr/local/etc/haproxy
. The configuration file shows a single backend to explain
the changes to requests and responses that the HAProxy needs to make. Click Ha Proxy Documents to the
HAProxy documentation for guidance on setting up multiple backends with rules for monitoring and
switching.global
log stdout local0
# The following is the location for valid certificates for HA Proxy endpoint and the value is given by the PROXY_HOST.
ca-base <full path to location of your haproxy server certs>
# For example: ca-base /usr/local/etc/ca-certs
# PROXY_HOST includes port only if it is not default (443)
presetenv PROXY_HOST <proxy hostname>
# For example: presetenv PROXY_HOST "primary.apps.hadr.os.fyre.ibm.com:3443"
# This is the NOI OCP route endpoint for the PRIMARY Deployment
setenv NETCOOL_OCP_HOST_PRIMARY <PRIMARY NOI Deployment OCP route endpoint>
# For example: setenv NETCOOL_OCP_HOST_PRIMARY "netcool.noi.apps.hadr.os.fyre.ibm.com"
# This is the NOI OCP route endpoint for the BACKUP Deployment
setenv NETCOOL_OCP_HOST_BACKUP <BACKUP NOI Deployment OCP route endpoint>
# For example: setenv NETCOOL_OCP_HOST_BACKUP "netcool.noi.apps.pg2.os.fyre.ibm.com"
defaults
mode http
log global
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
option httplog
frontend http-in
# This is the server certificate for the proxy frontend hostname, PROXY_HOST. This is usually generated by the Corporation Signing Certificate authority (CA).
bind *:443 ssl crt <location to your server certificate for the proxy>
# For example: bind *:443 ssl crt /usr/local/etc/keys/proxy.pem
use_backend http-out-primary if { srv_is_up(http-out-primary/noi-primary) }
use_backend http-out-backup if { srv_is_up(http-out-backup/noi-backup) }
backend http-out-primary
default-server inter 3s fall 3 rise 2
# The ca-file refers to the signing certificate of the NETCOOL_OCP_HOST_PRIMARY route endpoint.
server noi-primary "${NETCOOL_OCP_HOST_PRIMARY}": 443 ssl verify required ca-file /usr/local/etc/ca-certs/rootca.pem sni str("${NETCOOL_OCP_HOST_PRIMARY}") check check-ssl check-sni "${NETCOOL_OCP_HOST_PRIMARY}"
http-request set-header X-NOI-HAProxy-Host %[req.hdr(Host)]
http-request set-header Host "${NETCOOL_OCP_HOST_PRIMARY}"
# If redirecting to NOI, change base to point to the proxy
http-response replace-value location ^([^:]*://)"${NETCOOL_OCP_HOST_PRIMARY}"(.*)$ \1"${PROXY_HOST}"\2
# If redirect has a return URI within NOI, change that as well
http-response replace-value location ^(.*redirect_uri=[^&]*)"${NETCOOL_OCP_HOST_PRIMARY}"(.*)$ \1"${PROXY_HOST}"\2
backend http-out-backup
default-server inter 3s fall 3 rise 2
server noi-backup "${NETCOOL_OCP_HOST_BACKUP}" addr "${NETCOOL_OCP_HOST_BACKUP}" port 443 ssl verify required ca-file /usr/local/etc/ca-certs/rootca.pem sni str("${NETCOOL_OCP_HOST_BACKUP}") check check-ssl check-sni "${NETCOOL_OCP_HOST_BACKUP}"
http-request set-header X-NOI-HAProxy-Host %[req.hdr(Host)]
http-request set-header Host "${NETCOOL_OCP_HOST_BACKUP}"
# If redirecting to NOI, change base to point to the proxy
http-response replace-value location ^([^:]*://)"${NETCOOL_OCP_HOST_BACKUP}"(.*)$ \1"${PROXY_HOST}"\2
# If redirect has a return URI within NOI, change that as well
http-response replace-value location ^(.*redirect_uri=[^&]*[^\.])"${NETCOOL_OCP_HOST_BACKUP}"(.*)$ \1"${PROXY_HOST}"\2
Where:
must select the correct Netcool Operations Insight OpenShift ingress route. Theserver netcool-noi "${PRIMARY_OCP_HOST}" ssl verify required ca-file rootca.pem sni str("${PRIMARY_OCP_HOST}")
rootca.pem
file must contain the root certificate that was used to sign the Netcool Operations Insight OpenShift ingress route certificate. Refer https://www.ibm.com/docs/en/noi/1.6.3?topic=tasks-optional-using-custom-certificates-routes to use custom certificates for routes.
is used by Netcool Operations Insight to identify which HAProxy the request passed through. This is used to identify the correct Web GUI.http-request set-header X-NOI-HAProxy-Host
is used to update the Host header, in order for the OpenShift ingress router to direct the request to the correct pod.http-request set-header Host
updates any redirect responses so that the client continues to use the HAProxy and does not get redirected to the OpenShift router.http-response replace-value location
Netcool Operations Insight hybrid configuration
- Use the following command based on the example in Table 1 to create a secret containing the
client id and secret values
required:
Wherekubectl create secret generic RELEASE-was-oauth-cnea-secrets \ --from-literal=client-id=primary \ --from-literal=client-secret=secret3 \ --from-literal=netcool.east.example.com.id=east \ --from-literal=netcool.east.example.com.secret=secret1 \ --from-literal=netcool.west.example.com.id=west \ --from-literal=netcool.west.example.com.secret=secret2
RELEASE
needs to be replaced with the name of the Netcool Operations Insight hybrid deployment.Note: The values calledclient-id
andclient-secret
must contain the values for the local instance. When you run this command for the secondary instance of your Netcool Operations Insight hybrid deployment, the values change tosecondary
andsecret4
. The other values are named after the FQDN of the HAProxies. Do not include the port numbers even if they are not default. For each proxy, there is a.id
and a.secret
value. - You can either create the
RELEASE-was-oauth-cnea-secrets
secret before the Netcool Operations Insight hybrid is installed or patch it after the installation. Read the kubectl documentation, Install kubectl and kubectl CLI for more information. - When Netcool
Operations Insight hybrid is created, include the following:
dash.url
as the URL of the default Web GUI.dash.username
as the username for connecting to on-premise Web GUI.dash.trustedCAConfigMapName
as the name of a configuration map that contains the CA certificates that were used to sign all of the Web GUI certificates. If all certificates were signed by well-known public CAs this might be omitted.dash.crossRegionUrls
as an array of the HAProxy and Web GUI pairs in the format below. Remember to include port numbers if they are not the default (443).
dash: .... crossRegionUrls: - proxy: https://netcool.east.example.com dash: https://webgui.east.example.com - proxy: https://netcool.west.example.com dash: https://webgui.west.example.com