- Users are not directly connected to the services running in OpenShift. There is always a
load-balancing HAProxy sitting in between. This has several implications:
* The service sees requests coming from the HAProxy IP, i.e. IP-based authentication is not possible
anymore.
* If multiple service replicas are running, HAProxy distributes requests in round-robin fashion by
default, i.e. requests from the same user will be served by different replicas. If we have several running
databases which are not completely in sync, the user may see confusingly changing data. This can be fixed
by setting 'haproxy.router.openshift.io/balance' to 'source' in the route metadata. The destination
replica is then determined based on the client IP.
* HAProxy is configured with a default timeout. If a replica does not send data within '30s', the connection
will be terminated. The timeout can be increased with 'haproxy.router.openshift.io/timeout'.
* There are several ways to configure certificates for HTTPS services, defined by the type of TLS termination
in the route specification. With 'passthrough', the container is expected to handle certificates itself.
In the edge termination mode, the certificates are configured in the route and HAProxy manages secure
communication with clients and provides unencrypted data to the service in the cluster.
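
An added example (not part of the original notes): two Route manifests applying the settings described above, one with edge termination and one with passthrough. The route names, hosts, service name, port names and the '5m' timeout value are assumptions, and the certificate and key bodies are placeholders.

```yaml
# Added illustration; names, hosts and values are hypothetical.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: db-frontend                                  # hypothetical
  annotations:
    # Pin each client IP to one replica instead of round-robin.
    haproxy.router.openshift.io/balance: source
    # Raise the default 30s timeout for slow responses.
    haproxy.router.openshift.io/timeout: 5m
spec:
  host: db.example.org                               # hypothetical
  to:
    kind: Service
    name: db-frontend                                # hypothetical
  port:
    targetPort: http                                 # hypothetical service port name
  tls:
    # Edge: HAProxy holds the certificate and talks TLS to clients;
    # traffic from HAProxy to the pod is unencrypted.
    termination: edge
    certificate: |
      -----BEGIN CERTIFICATE-----
      <placeholder: server certificate>
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      <placeholder: private key>
      -----END PRIVATE KEY-----
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: db-frontend-passthrough                      # hypothetical
spec:
  host: db-tls.example.org                           # hypothetical
  to:
    kind: Service
    name: db-frontend                                # hypothetical
  port:
    targetPort: https                                # hypothetical service port name
  tls:
    # Passthrough: HAProxy forwards the TLS stream untouched; the container
    # must hold the certificate and key and terminate TLS itself.
    termination: passthrough
```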