0

I am using the OpenShift router; by default the router is based on haproxy. When I create a domain such as aa.bb.cc, I can access my service via this route.

I saw that router (haproxy) pods are running in my cluster. My question is: when I curl http://aa.bb.cc, how does the domain aa.bb.cc reach the haproxy pods? What component is resolving the domain aa.bb.cc?

Joe

1 Answer

1

That would be the DNS Server containing the wildcard domain. The flow is typically the following:

```
                              *.apps.example.com
                                       +
+-----------------+                    |
|   DNS Server    |                    |
+-----+-----------+                    |       OpenShift Cluster
      ^    |                           |
      |    |                           |
      |    | LB IP                     |
      |    |                           |
      |    v                           |
    +-+----+--+      +--------------+  | +---------------+                +----------+
    |         |      |              |  | |               |                |          |
    | Clients +------> Loadbalancer +-----> HAProxy      +--------------->+ App Pods |
    |         |      |              |  | |               |                |          |
    +---------+      +--------------+  | +---------------+                +----------+
                                       |
                                       +
```

Your client will use its regular DNS server to resolve the application domain. Typically, there is a wildcard DNS entry for all application Routes running on an OpenShift cluster (for example *.apps.example.com). So when your client requests myapp.apps.example.com, the IP of the Loadbalancer for the OpenShift cluster is returned.

The Loadbalancer in turn knows about all the Nodes where an OpenShift Router is running. So the Loadbalancer will forward the request to any of these Nodes.

As you noted, the OpenShift Router running HAProxy is then looking at the HTTP Host Header or the SNI extension for TLS connections to check where the connection needs to be forwarded to.

The HAProxy has a dynamic configuration that is derived from the Routes / Services in the cluster and then forwards your request to your Application Pods.

Simon
  • Thanks Simon, your explanation about OpenShift Router is very clear. I still have a few questions. In our lab, the loadbalancer also uses the HAProxy service; its configuration looks like the following, here is just an http traffic example. It seems the Loadbalancer only identifies the port (here it is port 80 for http traffic), then sends traffic to each node. My question is, how can http traffic with port 80 find HAProxy on the OpenShift Cluster side? HAProxy on the OpenShift Cluster side doesn't expose a NodePort. – Joe Jan 20 '21 at 13:11
  • ```
    frontend ingress-http
        bind *:80
        default_backend ingress-http
        mode tcp
        option tcplog

    backend ingress-http
        balance source
        mode tcp
        server worker0 10.16.32.212:80 check
        server worker1 10.16.32.212:80 check
    ```
    – Joe Jan 20 '21 at 13:11
  • This will depend on your OCP version and your Ingress configuration. Also check your Services (for example the `router-default` Service). – Simon Jan 20 '21 at 18:21
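
The routing step described in the answer above (HAProxy choosing a backend from the HTTP Host header or the TLS SNI extension), as an added example that is not part of the original answer and is not OpenShift's router code. The route table, hostnames and Service names are constructed assumptions, and the sample ClientHello is generated offline with Python's in-memory TLS client.

```python
import ssl

# Constructed route table (Route host -> Service); all names are assumptions.
ROUTES = {"myapp.apps.example.com": "myapp-service",
          "shop.apps.example.com": "shop-service"}

def host_from_http(raw: bytes):
    """Host header of a plain HTTP/1.x request, lowercased, port stripped."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().split(":")[0].lower()  # IPv6 literals not handled
    return None

def sni_from_client_hello(rec: bytes):
    """server_name from a TLS ClientHello record, or None if absent/malformed."""
    n = lambda a, b: int.from_bytes(rec[a:b], "big")  # slices never raise on short input
    if rec[:1] != b"\x16" or rec[5:6] != b"\x01":     # handshake record, ClientHello
        return None
    p = 5 + 4 + 2 + 32                                # record hdr, handshake hdr, version, random
    p += 1 + n(p, p + 1)                              # session id
    p += 2 + n(p, p + 2)                              # cipher suites
    p += 1 + n(p, p + 1)                              # compression methods
    end = min(len(rec), p + 2 + n(p, p + 2))          # end of the extensions block
    p += 2
    while p + 4 <= end:                               # walk extensions: type, length, data
        etype, elen = n(p, p + 2), n(p + 2, p + 4)
        if etype == 0:                                # server_name: list len, type, name len, name
            name = rec[p + 9:p + 9 + n(p + 7, p + 9)]
            return name.decode("latin-1").lower() or None
        p += 4 + elen
    return None

def sample_client_hello(server_name: str) -> bytes:
    """Generate a real ClientHello offline using an in-memory TLS client."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).wrap_bio(
        incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                                          # ClientHello is now queued in `outgoing`
    return outgoing.read()

def route(first_bytes: bytes):
    """Return (hostname, backend): SNI for TLS traffic, Host header otherwise."""
    parse = sni_from_client_hello if first_bytes[:1] == b"\x16" else host_from_http
    host = parse(first_bytes)
    return host, ROUTES.get(host)
```

Every hostname under the wildcard resolves to the same load balancer IP, so the name the client sends in the Host header or SNI is the only thing that selects the backend; a name with no matching Route yields no backend.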