Make haproxy maxconn configurable

The haproxy maxconn (maximum connections) is by default 2000. This
change makes that configurable through the oadm router
--max-connections= option when creating a router.  For existing
routers the value can be set in the ROUTER_MAX_CONNECTIONS environment
variable.

openshift-docs PR 3609

bug 1405440
https://bugzilla.redhat.com/show_bug.cgi?id=1405440

Author: pecameron

contrib/completions/bash/oadm

@@ -4612,6 +4612,8 @@ _oadm_router()
     local_nonpersistent_flags+=("--labels=")
     flags+=("--latest-images")
     local_nonpersistent_flags+=("--latest-images")
+    flags+=("--max-connections=")
+    local_nonpersistent_flags+=("--max-connections=")
     flags+=("--metrics-image=")
     local_nonpersistent_flags+=("--metrics-image=")
     flags+=("--output=")

contrib/completions/bash/oc

@@ -4619,6 +4619,8 @@ _oc_adm_router()
     local_nonpersistent_flags+=("--labels=")
     flags+=("--latest-images")
     local_nonpersistent_flags+=("--latest-images")
+    flags+=("--max-connections=")
+    local_nonpersistent_flags+=("--max-connections=")
     flags+=("--metrics-image=")
     local_nonpersistent_flags+=("--metrics-image=")
     flags+=("--output=")

contrib/completions/bash/openshift

@@ -4612,6 +4612,8 @@ _openshift_admin_router()
     local_nonpersistent_flags+=("--labels=")
     flags+=("--latest-images")
     local_nonpersistent_flags+=("--latest-images")
+    flags+=("--max-connections=")
+    local_nonpersistent_flags+=("--max-connections=")
     flags+=("--metrics-image=")
     local_nonpersistent_flags+=("--metrics-image=")
     flags+=("--output=")
@@ -9520,6 +9522,8 @@ _openshift_cli_adm_router()
     local_nonpersistent_flags+=("--labels=")
     flags+=("--latest-images")
     local_nonpersistent_flags+=("--latest-images")
+    flags+=("--max-connections=")
+    local_nonpersistent_flags+=("--max-connections=")
     flags+=("--metrics-image=")
     local_nonpersistent_flags+=("--metrics-image=")
     flags+=("--output=")
@@ -21980,6 +21984,8 @@ _openshift_infra_router()
     local_nonpersistent_flags+=("--labels=")
     flags+=("--master=")
     local_nonpersistent_flags+=("--master=")
+    flags+=("--max-connections=")
+    local_nonpersistent_flags+=("--max-connections=")
     flags+=("--name=")
     local_nonpersistent_flags+=("--name=")
     flags+=("--namespace=")

contrib/completions/zsh/oadm

@@ -4760,6 +4760,8 @@ _oadm_router()
     local_nonpersistent_flags+=("--labels=")
     flags+=("--latest-images")
     local_nonpersistent_flags+=("--latest-images")
+    flags+=("--max-connections=")
+    local_nonpersistent_flags+=("--max-connections=")
     flags+=("--metrics-image=")
     local_nonpersistent_flags+=("--metrics-image=")
     flags+=("--output=")

contrib/completions/zsh/oc

@@ -4767,6 +4767,8 @@ _oc_adm_router()
     local_nonpersistent_flags+=("--labels=")
     flags+=("--latest-images")
     local_nonpersistent_flags+=("--latest-images")
+    flags+=("--max-connections=")
+    local_nonpersistent_flags+=("--max-connections=")
     flags+=("--metrics-image=")
     local_nonpersistent_flags+=("--metrics-image=")
     flags+=("--output=")

contrib/completions/zsh/openshift

@@ -4760,6 +4760,8 @@ _openshift_admin_router()
     local_nonpersistent_flags+=("--labels=")
     flags+=("--latest-images")
     local_nonpersistent_flags+=("--latest-images")
+    flags+=("--max-connections=")
+    local_nonpersistent_flags+=("--max-connections=")
     flags+=("--metrics-image=")
     local_nonpersistent_flags+=("--metrics-image=")
     flags+=("--output=")
@@ -9668,6 +9670,8 @@ _openshift_cli_adm_router()
     local_nonpersistent_flags+=("--labels=")
     flags+=("--latest-images")
     local_nonpersistent_flags+=("--latest-images")
+    flags+=("--max-connections=")
+    local_nonpersistent_flags+=("--max-connections=")
     flags+=("--metrics-image=")
     local_nonpersistent_flags+=("--metrics-image=")
     flags+=("--output=")
@@ -22128,6 +22132,8 @@ _openshift_infra_router()
     local_nonpersistent_flags+=("--labels=")
     flags+=("--master=")
     local_nonpersistent_flags+=("--master=")
+    flags+=("--max-connections=")
+    local_nonpersistent_flags+=("--max-connections=")
     flags+=("--name=")
     local_nonpersistent_flags+=("--name=")
     flags+=("--namespace=")

docs/man/man1/oadm-router.1

@@ -107,6 +107,10 @@ If a router does not exist with the given name, this command will create a deplo
 \fB\-\-latest\-images\fP=false
     If true, attempt to use the latest images for the router instead of the latest release.
 
+.PP
+\fB\-\-max\-connections\fP=2000
+    MaxConnections specifies the maximum number of concurrent connections. Default 2000
+
 .PP
 \fB\-\-metrics\-image\fP=""
     If \-\-expose\-metrics is specified this is the image to use to run a sidecar container in the pod exposing metrics. If not set and \-\-expose\-metrics is true the image will depend on router implementation.

docs/man/man1/oc-adm-router.1

@@ -107,6 +107,10 @@ If a router does not exist with the given name, this command will create a deplo
 \fB\-\-latest\-images\fP=false
     If true, attempt to use the latest images for the router instead of the latest release.
 
+.PP
+\fB\-\-max\-connections\fP=2000
+    MaxConnections specifies the maximum number of concurrent connections. Default 2000
+
 .PP
 \fB\-\-metrics\-image\fP=""
     If \-\-expose\-metrics is specified this is the image to use to run a sidecar container in the pod exposing metrics. If not set and \-\-expose\-metrics is true the image will depend on router implementation.

docs/man/man1/openshift-admin-router.1

@@ -107,6 +107,10 @@ If a router does not exist with the given name, this command will create a deplo
 \fB\-\-latest\-images\fP=false
     If true, attempt to use the latest images for the router instead of the latest release.
 
+.PP
+\fB\-\-max\-connections\fP=2000
+    MaxConnections specifies the maximum number of concurrent connections. Default 2000
+
 .PP
 \fB\-\-metrics\-image\fP=""
     If \-\-expose\-metrics is specified this is the image to use to run a sidecar container in the pod exposing metrics. If not set and \-\-expose\-metrics is true the image will depend on router implementation.

docs/man/man1/openshift-cli-adm-router.1

@@ -107,6 +107,10 @@ If a router does not exist with the given name, this command will create a deplo
 \fB\-\-latest\-images\fP=false
     If true, attempt to use the latest images for the router instead of the latest release.
 
+.PP
+\fB\-\-max\-connections\fP=2000
+    MaxConnections specifies the maximum number of concurrent connections. Default 2000
+
 .PP
 \fB\-\-metrics\-image\fP=""
     If \-\-expose\-metrics is specified this is the image to use to run a sidecar container in the pod exposing metrics. If not set and \-\-expose\-metrics is true the image will depend on router implementation.

docs/man/man1/openshift-infra-router.1

@@ -135,6 +135,10 @@ You may restrict the set of routes exposed to a single project (with \-\-namespa
 \[la]http://localhost:8080"\[ra]
     The address the master can be reached on (host, host:port, or URL).
 
+.PP
+\fB\-\-max\-connections\fP="2000"
+    MaxConnections specifies the maximum number of concurrent connections. Default 2000
+
 .PP
 \fB\-\-name\fP="public"
     The name the router will identify itself with in the route status

images/router/haproxy/conf/haproxy-config.template

@@ -6,7 +6,8 @@
 {{ define "/var/lib/haproxy/conf/haproxy.config" }}
 {{ $workingDir := .WorkingDir }}
 global
-  # maxconn 4096
+  maxconn {{env "ROUTER_MAX_CONNECTIONS" "20000"}}
+
   daemon
 {{ with (env "ROUTER_SYSLOG_ADDRESS" "") }}
   log {{.}} local1 {{env "ROUTER_LOG_LEVEL" "warning"}}
@@ -33,7 +34,8 @@ global
   # ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
 
 defaults
-  # maxconn 4096
+  maxconn {{env "ROUTER_MAX_CONNECTIONS" "20000"}}
+
   # Add x-forwarded-for header.
 {{ if ne (env "ROUTER_SYSLOG_ADDRESS" "") ""}}
   option httplog

pkg/cmd/admin/router/router.go

@@ -215,6 +215,10 @@ type RouterConfig struct {
 	//          restricted, or if all the users can be trusted.
 	DisableNamespaceOwnershipCheck bool
 
+	// MaxConnections specifies the maximum number of concurrent
+	// connections. Default defaultMaxConnections
+	MaxConnections int
+
 	// ExposeMetrics is a hint on whether to expose metrics.
 	ExposeMetrics bool
 
@@ -232,6 +236,9 @@ const (
 	// Default stats and healthz port.
 	defaultStatsPort   = 1936
 	defaultHealthzPort = defaultStatsPort
+
+	// Default maximum number of connections
+	defaultMaxConnections = 2000
 )
 
 // NewCmdRouter implements the OpenShift CLI router command.
@@ -250,6 +257,8 @@ func NewCmdRouter(f *clientcmd.Factory, parentName, name string, out, errout io.
 		StatsPort:     defaultStatsPort,
 		HostNetwork:   true,
 		HostPorts:     true,
+
+		MaxConnections: defaultMaxConnections,
 	}
 
 	cmd := &cobra.Command{
@@ -299,6 +308,7 @@ func NewCmdRouter(f *clientcmd.Factory, parentName, name string, out, errout io.
 	cmd.Flags().BoolVar(&cfg.ExternalHostInsecure, "external-host-insecure", cfg.ExternalHostInsecure, "If the underlying router implementation connects with an external host over a secure connection, this causes the router to skip strict certificate verification with the external host.")
 	cmd.Flags().StringVar(&cfg.ExternalHostPartitionPath, "external-host-partition-path", cfg.ExternalHostPartitionPath, "If the underlying router implementation uses partitions for control boundaries, this is the path to use for that partition.")
 	cmd.Flags().BoolVar(&cfg.DisableNamespaceOwnershipCheck, "disable-namespace-ownership-check", cfg.DisableNamespaceOwnershipCheck, "Disables the namespace ownership check and allows different namespaces to claim either different paths to a route host or overlapping host names in case of a wildcard route. The default behavior (false) to restrict claims to the oldest namespace that has claimed either the host or the subdomain. Please be aware that if namespace ownership checks are disabled, routes in a different namespace can use this mechanism to 'steal' sub-paths for existing domains. This is only safe if route creation privileges are restricted, or if all the users can be trusted.")
+	cmd.Flags().IntVar(&cfg.MaxConnections, "max-connections", cfg.MaxConnections, "MaxConnections specifies the maximum number of concurrent connections. Default 2000")
 
 	cfg.Action.BindForOutput(cmd.Flags())
 	cmd.Flags().String("output-version", "", "The preferred API versions of the output objects")
@@ -641,6 +651,7 @@ func RunCmdRouter(f *clientcmd.Factory, cmd *cobra.Command, out, errout io.Write
 		"STATS_PORT":                            strconv.Itoa(cfg.StatsPort),
 		"STATS_USERNAME":                        cfg.StatsUsername,
 		"STATS_PASSWORD":                        cfg.StatsPassword,
+		"ROUTER_MAX_CONNECTIONS":                strconv.Itoa(cfg.MaxConnections),
 	}
 	if len(cfg.ForceSubdomain) > 0 {
 		env["ROUTER_SUBDOMAIN"] = cfg.ForceSubdomain

pkg/cmd/infra/router/template.go

@@ -65,6 +65,7 @@ type TemplateRouter struct {
 	ExtendedValidation      bool
 	RouterService           *ktypes.NamespacedName
 	BindPortsAfterSync      bool
+	MaxConnections          string
 }
 
 // reloadInterval returns how often to run the router reloads. The interval
@@ -91,6 +92,7 @@ func (o *TemplateRouter) Bind(flag *pflag.FlagSet) {
 	flag.DurationVar(&o.ReloadInterval, "interval", reloadInterval(), "Controls how often router reloads are invoked. Mutiple router reload requests are coalesced for the duration of this interval since the last reload time.")
 	flag.BoolVar(&o.ExtendedValidation, "extended-validation", util.Env("EXTENDED_VALIDATION", "true") == "true", "If set, then an additional extended validation step is performed on all routes admitted in by this router. Defaults to true and enables the extended validation checks.")
 	flag.BoolVar(&o.BindPortsAfterSync, "bind-ports-after-sync", util.Env("ROUTER_BIND_PORTS_AFTER_SYNC", "") == "true", "Bind ports only after route state has been synchronized")
+	flag.StringVar(&o.MaxConnections, "max-connections", util.Env("ROUTER_MAX_CONNECTIONS", "2000"), "MaxConnections specifies the maximum number of concurrent connections. Default 2000")
 }
 
 type RouterStats struct {
@@ -206,6 +208,7 @@ func (o *TemplateRouterOptions) Run() error {
 		BindPortsAfterSync:     o.BindPortsAfterSync,
 		IncludeUDP:             o.RouterSelection.IncludeUDP,
 		AllowWildcardRoutes:    o.RouterSelection.AllowWildcardRoutes,
+		MaxConnections:         o.MaxConnections,
 	}
 
 	oc, kc, err := o.Config.Clients()

pkg/router/template/plugin.go

@@ -51,6 +51,7 @@ type TemplatePluginConfig struct {
 	AllowWildcardRoutes    bool
 	PeerService            *ktypes.NamespacedName
 	BindPortsAfterSync     bool
+	MaxConnections         string
 }
 
 // routerInterface controls the interaction of the plugin with the underlying router implementation

test/cmd/router.sh

@@ -40,6 +40,8 @@ os::cmd::expect_success_and_text 'oadm router --dry-run --host-network=false --h
 os::cmd::expect_success_and_text 'oadm router --dry-run --host-network=false --host-ports=false --router-canonical-hostname=1a.b.c.d -o yaml' '1a.b.c.d'
 os::cmd::expect_failure_and_text 'oadm router --dry-run --host-network=false --host-ports=false --router-canonical-hostname=1a._b.c.d -o yaml' 'error: invalid canonical hostname'
 os::cmd::expect_failure_and_text 'oadm router --dry-run --host-network=false --host-ports=false --router-canonical-hostname=1.2.3.4 -o yaml' 'error: canonical hostname must not be an IP address'
+# max_conn
+os::cmd::expect_success_and_text 'oadm router --dry-run --host-network=false --host-ports=false --max-connections=14583 -o yaml' '14583'
 
 # mount tls crt as secret
 os::cmd::expect_success_and_not_text 'oadm router --dry-run --host-network=false --host-ports=false -o yaml' 'value: /etc/pki/tls/private/tls.crt'