i2 Analyze Deployment Tooling


    Load balancer

    In a containerized deployment, you can use a load balancer to distribute incoming requests to the containers in the deployment. This environment uses HA Proxy as the load balancer. The i2eng-haproxy image is based on the official haproxy image.

    Running a ha_proxy container

    A ha_proxy container uses the ha_proxy image. In the docker run command, you can use -e to pass environment variables to ha_proxy in the container. The environment variables are described in the Environment variables section.

    The container runs with a User ID and Group ID of 1000. All files in mounted directories are created with these IDs. If files are manipulated externally, these IDs must be retained or the container will not function correctly.

    Docker run command

    The following docker run command runs an HA Proxy container:

      docker run -d \
        --name "load_balancer" \
        --net "eia" \
        --net-alias "i2analyze.eia" \
        -p "9046:9046" \
        -v "ac_load_balancer_config:/usr/local/etc/haproxy" \
        -v "/environment-secrets/simulated-secret-store/i2analyze:/run/secrets/" \
        -e LIBERTY1_LB_STANZA="liberty1.eia:9080" \
        -e LIBERTY2_LB_STANZA="liberty2.eia:9080" \
        -e LIBERTY_SSL_CONNECTION="true" \
        -e SERVER_SSL="true" \
        -e SSL_PRIVATE_KEY_FILE="/run/secrets/server.key" \
        -e SSL_CERTIFICATE_FILE="/run/secrets/server.cer" \
        -e SSL_CA_CERTIFICATE_FILE="/run/secrets/CA.cer" \
        -e GATEWAY_SSL_CONNECTION="true" \
        -e SSL_OUTBOUND_PRIVATE_KEY_FILE="/run/secrets/gateway_user.key" \
        -e SSL_OUTBOUND_CERTIFICATE_FILE="/run/secrets/gateway_user.cer" \
        -e SSL_OUTBOUND_CA_CERTIFICATE_FILE="/run/secrets/outbound_CA.cer" \
        -e SSL_ADDITIONAL_TRUST_CERTIFICATES="/run/secrets/additional_trust_certificates.cer" \
        "i2eng-haproxy:2.9"
    

    For an example of the docker run command, see the utils/server_functions.sh script. The run_load_balancer function does not take any arguments.

    Storage

    Named volumes are used to persist configuration files.

    To configure HA Proxy to use the volume, specify the -v option with the name of the volume and the path where the directory is mounted in the container. Setting the -v option in the docker run command creates the named volume. For HA Proxy, the path to the directory that must be mounted is /usr/local/etc/haproxy.

    For example:

    -v ac_load_balancer_config:/usr/local/etc/haproxy
    
    • Secrets:

    A directory that contains all of the secrets that this tool requires.
    The directory is mounted to /run/secrets inside the container. This can then be used by other environment variables such as SSL_PRIVATE_KEY_FILE to locate the secrets.
    In a production environment, the orchestration environment can provide the secrets to the file system or the secrets can be passed in via environment variables. The mechanism that is used here simulates the orchestration system providing the secrets as files. This is achieved by using a bind mount. In production this would not be required.
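
The ownership requirement and the secrets mount described above can be checked on the host before the container starts. The following is an added example, not part of the i2 Analyze deployment tooling: check_lb_secrets is a hypothetical helper name, the rule that private keys carry no group or other permission bits is an assumed policy, and stat -c requires GNU coreutils.

```shell
#!/bin/sh
# Added example: checks the host directory that is bind-mounted at /run/secrets.
# check_lb_secrets is a hypothetical helper name; stat -c requires GNU coreutils.

# File names taken from the SSL_* values in the docker run command on this page.
LB_SECRET_FILES="server.key server.cer CA.cer gateway_user.key gateway_user.cer
outbound_CA.cer additional_trust_certificates.cer"

# check_lb_secrets DIR [UID]
# Prints one line per problem. Returns 0 when the directory is clean, 1 otherwise.
check_lb_secrets() {
  dir=$1
  want_uid=${2:-1000}   # the container runs with a User ID of 1000
  problems=0
  for name in $LB_SECRET_FILES; do
    f="$dir/$name"
    if [ ! -f "$f" ] || [ ! -s "$f" ]; then
      echo "MISSING_OR_EMPTY $f"
      problems=$((problems + 1))
      continue
    fi
    uid=$(stat -c '%u' "$f")
    mode=$(stat -c '%a' "$f")
    if [ "$uid" != "$want_uid" ]; then
      echo "WRONG_OWNER $f uid=$uid expected=$want_uid"
      problems=$((problems + 1))
    fi
    # Assumed policy: a private key carries no group or other permission bits.
    case "$name" in
      *.key)
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
          echo "KEY_TOO_OPEN $f mode=$mode"
          problems=$((problems + 1))
        fi
        ;;
    esac
  done
  [ "$problems" -eq 0 ]
}

# Run against a directory when one is given on the command line.
if [ $# -gt 0 ]; then
  check_lb_secrets "$@"
fi
```

Run it with the host side of the bind mount as the argument, for example /environment-secrets/simulated-secret-store/i2analyze, and start the load balancer only when it exits with status 0.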

    Environment variables

    To configure the load balancer, you provide environment variables to the Docker container in the docker run command.

    The following table describes the environment variables that you can use to configure the load balancer:

    Environment variable                Description
    LIBERTY1_LB_STANZA                  The stanza for the first Liberty server.
    LIBERTY2_LB_STANZA                  The stanza for the second Liberty server.
    LIBERTY_SSL_CONNECTION              See Secure Environment variables.
    SERVER_SSL                          See Secure Environment variables.
    SSL_PRIVATE_KEY_FILE                See Secure Environment variables.
    SSL_CERTIFICATE_FILE                See Secure Environment variables.
    SSL_CA_CERTIFICATE_FILE             See Secure Environment variables.
    GATEWAY_SSL_CONNECTION              See Secure Environment variables.
    SSL_OUTBOUND_PRIVATE_KEY_FILE       See Secure Environment variables.
    SSL_OUTBOUND_CERTIFICATE_FILE       See Secure Environment variables.
    SSL_OUTBOUND_CA_CERTIFICATE_FILE    See Secure Environment variables.
    SSL_ADDITIONAL_TRUST_CERTIFICATES   See Secure Environment variables.
    © N. Harris Computer Corporation