HAProxy¶
Manual failover¶
Although HAProxy runs on multiple nodes, the virtual IP addresses can only be assigned to one node. That means that only one HAProxy instance is used at the same time.
Keepalived manages the virtual IP addresses and initiates an automatic failover if one node fails. There is no official way to manually tell keepalived to failover the VIP. But if you restart the keepalived container on the active node, the VIP will be moved to another node.
$ docker restart keepalived
Another possibility is the use of a additional dummy interface. However, it is necessary to maintain keepalived configuration as an overlay file.
https://www.virtualtothecore.com/en/manual-failover-of-keepalived/
Change certificate¶
After Tran:¶
Replace the file
environments/kolla/certificates/haproxy.pem
. You can encrypt thehaproxy.pem
with ansible vault password.
environments/kolla/certifcates/haproxy.pem
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
Key and certificates in PEM format are stored consecutively in the following order:
server public key
server private key (without any password)
intermediate CA certificates
Bevor Train:¶
Update the certificate in the file
environments/kolla/secrets.yml
(kolla_external_fqdn_cert
) The order of certificates is important:server private key
server public key
intermediate CA certificates (if any)
CA root certificate
Reconfigure HAProxy with
osism-kolla reconfigure loadbalancer
Validate configuration¶
$ osism-kolla config loadbalancer
$ docker exec -it haproxy haproxy -c -V -f /etc/haproxy/haproxy.cfg
Configuration file is valid
Restart HAProxy to load new certificate¶
osism-ansible generic all -m shell -a 'docker restart haproxy' -l control