Convert to k8s

entrypoint.sh

@@ -286,7 +286,7 @@ die() {
 
 cert_init() {
   log_info "cert_init...waiting 10s for haproxy to be ready"
-  sleep 10
+  sleep 20
   log_info "Executing cert_init at $(date -R)"
 
   # Take checksum of haproxy certs so we can tell if we need to restart as inotify is not running yet

haproxy.cfg

@@ -27,28 +27,28 @@ defaults
     # never fail on address resolution
     default-server init-addr none
 
-resolvers docker_resolver
-    nameserver dns 127.0.0.11:53
-
+resolvers kube_resolver
+    parse-resolv-conf
+    hold valid 10s
 
 frontend stats
-   bind *:8404
-   http-request use-service prometheus-exporter if { path /metrics }
-   stats enable
-   stats uri /stats
-   stats refresh 10s
+    bind *:8404
+    http-request use-service prometheus-exporter if { path /metrics }
+    stats enable
+    stats uri /stats
+    stats refresh 10s
 
 frontend http
-    bind *:80
+    bind *:8080
 
     # Serve certificate validation challenges directly with Lua plugin
     acl url_acme_http01 path_beg /.well-known/acme-challenge/
     http-request use-service lua.acme-http01 if METH_GET url_acme_http01
 
-    # Static health endpoint for docker healthcheck (don't log it)
-    acl url_docker_health path /docker-health
-    http-request set-log-level silent if url_docker_health
-    http-request return status 200 if url_docker_health
+    # Static health endpoint for cluster manager healthcheck (don't log it)
+    acl url_cluster_health path /health-check
+    http-request set-log-level silent if url_cluster_health
+    http-request return status 200 if url_cluster_health
 
     # Optional: redirects for root requests with certain host names to service paths
     acl is_root path -i /
@@ -74,16 +74,16 @@ frontend http
     redirect code 302 location "https://${DOMAINNAME}${PROXY_HOST_REDIRECT_10_TARGET}" if is_root is_redirect_10
 
     # Redirect all http requests to https
-    redirect scheme https if !url_acme_http01 !url_docker_health
+    redirect scheme https if !url_acme_http01 !url_cluster_health
 
 frontend https
-    bind *:443 ssl crt /etc/haproxy/certs crt "${CERT_DIR}" no-tls-tickets
+    bind *:8443 ssl crt /etc/haproxy/certs crt "${CERT_DIR}" no-tls-tickets
 
     # Enable X-Forwarded header(s)
     option forwardfor
     http-request add-header X-Forwarded-Proto https
     http-request set-header X-Forwarded-Host %[req.hdr(Host)]
-    http-request add-header X-Forwarded-Port %[dst_port]
+    http-request add-header X-Forwarded-Port 443
     http-request add-header Strict-Transport-Security max-age=15768000
 
     acl auth url_beg /auth
@@ -101,10 +101,10 @@ listen mqtt
     log-format "%T %ft CLIENT=%ci:%cp BACKEND=%bi:%bp %ts %ac/%fc/%bc/%sc/%rc %sq/%bq"
     balance leastconn
 
-    server manager "${MANAGER_HOST}":"${MANAGER_MQTT_PORT}" resolvers docker_resolver
+    server manager "${MANAGER_HOST}":"${MANAGER_MQTT_PORT}" resolvers kube_resolver check inter 1000
 
 backend manager_backend
-  server manager "${MANAGER_HOST}":"${MANAGER_WEB_PORT}" resolvers docker_resolver
+  server manager "${MANAGER_HOST}":"${MANAGER_WEB_PORT}" resolvers kube_resolver check inter 1000
 
 backend keycloak_backend
-  server keycloak "${KEYCLOAK_HOST}":"${KEYCLOAK_PORT}" resolvers docker_resolver
+  server keycloak "${KEYCLOAK_HOST}":"${KEYCLOAK_PORT}" resolvers kube_resolver check inter 1000