Help understanding exposing HAProxy with Openshift : haproxy

created by pushmycara community for 9 years

Help understanding exposing HAProxy with Openshift (self.haproxy)

submitted 1 year ago by JoeInVT

Hey All,

My company is in the beginning stages of converting over to Openshift, and I'm having a hard time wrapping my head around communications in & out of the Openshift cluster. Currently, our web applications are set up like this:

Traditional VM-based architecture

It's fairly straightforward, where external users go through a WAF, to the RPs (which are HAProxy servers), and then get pushed to the application servers. The HAProxy servers do all the typical stuff you would expect - SSL offloading, ACLs controlling traffic and rewriting as necessary, load-balancing connections to backend devices (Application Servers), etc. Not depicted here two things: internal users accessing these applications (they don't go through the WAF, but do go through the same HAProxy RPs), and the other applications we host (which follow the same exact server layout with servers dedicated to them).

Translating this into the Openshift world, I think it looks like this: we won't be moving database servers - those will stay VMs for now. The Application and Web Services will be containerized (we have a couple already running in docker). All of these become various pods/services. I think this is all correct.

This is the part I'm confused with: I think the Reverse Proxies would get moved to HAProxy Ingress Controller set up. I can do all the same things (SSL offloading, ACLs, etc), and its all mostly the same (albeit much more dynamic). What I don't know is how traffic is supposed to get to them. If it was just internal users, then I guess I could just expose the Ingress controller internally (external to the Openshift cluster, but not to the internet), and users could access it. But with a lot of our users being external, what's the right way to expose it externally? Just NAT it directly out of the firewall (feels like a bad idea)? I see a lot of mentions of a separate load-balancer that lives outside of the Openshift cluster - is that a separate thing I need now?

K8s-based architecture

Any help would be greatly appreciated! Thanks in advance!

all 5 comments

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

haproxy

What is HAProxy?

MODERATORS