Hello everyone,
We have 2 Openshift clusters (primary and secondary) with the same apps running over them. We use HAProxy to handle user access to those apps, and everything works great, but problems appears when an app is down (no pod running).
Situation is as follows:
We have an app (pod) in Openshift, and when that app’s pod is down, we need to redirect that user access to the our another Openshift cluster (secondary), which has the same apps and probably the affected app running OK on it.
We can’t get this done yet. Openshift ingress operator always returns 200 OK, because the operator has to handle request for all Openshift pods, so if whe use a health check expecting 200 in the backend, the servers will be always healthy.
When one app is down (no pod running for that app), we receibe a 503 error page.
Is there a way to redirect the user requests, only when Openshift responds 503 error?
Global settings
#---------------------------------------------------------------------
global
log 127.0.0.1 local2 debug
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
ssl-default-bind-options no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11
ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
tune.ssl.default-dh-param 2048
defaults
log global
option dontlognull
option http-server-close
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
errorfile 503 /etc/haproxy/errorfiles/sorry.http
#---------------------------------------------------------------------
Frontend
#---------------------------------------------------------------------
frontend ocp.company.com
mode http
http-response set-header Strict-Transport-Security max-age=31536000
http-response set-header X-Frame-Options SAMEORIGIN
http-response set-header X-Content-Type-Options nosniff
redirect scheme https code 301 if !{ ssl_fc }
bind 192.168.XXX.XXX:80
bind 192.168.XXX.XXX:443 ssl crt /etc/ssl/certs/_.ocp.company.com.pem
default_backend openshift
option forwardfor except 127.0.0.0/8
#---------------------------------------------------------------------
Backend
#---------------------------------------------------------------------
backend openshift
mode http
balance roundrobin
option httplog
option forwardfor header X-Real-IP
option log-health-checks
option redispatch
option tcplog
server infra-1 server1.domain.local:443 check ssl verify none
server infra-3 server3.domain.local:443 check ssl verify none
server infra-5 server5.domain.local:443 check ssl verify none
server infra-7 server7.domain.local:443 check ssl verify none
server infra-9 server9.domain.local:443 check ssl verify none
server infra-11 server11.domain.local:443 check ssl verify none
timeout connect 1s
timeout queue 5s
timeout server 3600s
#---------------------------------------------------------------------