ab testing

Author: Rajat Chopra

api/swagger-spec/oapi-v1.json

@@ -24052,9 +24052,16 @@
       "description": "Path that the router watches for, to route traffic for to the service. Optional"
      },
      "to": {
-      "$ref": "v1.ObjectReference",
+      "$ref": "v1.RouteTargetReference",
       "description": "To is an object the route points to. Only the Service kind is allowed, and it will be defaulted to Service."
      },
+     "alternateBackends": {
+      "type": "array",
+      "items": {
+       "$ref": "v1.RouteTargetReference"
+      },
+      "description": "AlternateBackends is an extension of the 'to' field. If more than one service needs to be pointed to, then use this field. Use the weight field in RouteTargetReference object to specify relative preference"
+     },
      "port": {
       "$ref": "v1.RoutePort",
       "description": "If specified, the port to be used by the router. Most routers will use all endpoints exposed by the service by default - set this value to instruct routers which port to use."
@@ -24065,6 +24072,30 @@
      }
     }
    },
+   "v1.RouteTargetReference": {
+    "id": "v1.RouteTargetReference",
+    "description": "RouteTargetReference specifies the target that resolve into endpoints. Only the 'Service' kind is allowed. Use 'weight' field to emphasize one over others.",
+    "required": [
+     "kind",
+     "name",
+     "weight"
+    ],
+    "properties": {
+     "kind": {
+      "type": "string",
+      "description": "The kind of target that the route is referring to. Currently, only 'Service' is allowed"
+     },
+     "name": {
+      "type": "string",
+      "description": "Name of the service/target that is being referred to. e.g. name of the service"
+     },
+     "weight": {
+      "type": "integer",
+      "format": "int32",
+      "description": "Weight as an integer between 1 and 256 that specifies the target's relative weight against other target reference objects"
+     }
+    }
+   },
    "v1.RoutePort": {
     "id": "v1.RoutePort",
     "description": "RoutePort defines a port mapping from a router to an endpoint in the service endpoints.",

images/router/haproxy/conf/haproxy-config.template

@@ -207,18 +207,25 @@ backend openshift_default
             where to send the traffic but should run the be in tcp mode
         3. if the config is terminated at the
 */}}
-{{ range $id, $serviceUnit := .State }}
-        {{ range $cfgIdx, $cfg := $serviceUnit.ServiceAliasConfigs }}
-            {{ if or (eq $cfg.TLSTermination "") (eq $cfg.TLSTermination "edge") }}
-                {{ if (eq $cfg.TLSTermination "") }}
+{{ range $cfgIdx, $cfg := .State }}
+  {{ if or (eq $cfg.TLSTermination "") (eq $cfg.TLSTermination "edge") }}
+    {{ if (eq $cfg.TLSTermination "") }}
+# Plain http backend
 backend be_http_{{$cfgIdx}}
-                {{ else }}
+    {{ else }}
+# Plain http backend but request is TLS, terminated at edge
 backend be_edge_http_{{$cfgIdx}}
-                {{ end }}
+    {{ end }}
   mode http
   option redispatch
   option forwardfor
+    {{ with $balanceAlgo := index $cfg.Annotations "router.openshift.io/haproxy.balance" }}
+      {{ with $matchValue := (matchValues $balanceAlgo "roundrobin" "leastconn" ) }}
+  balance {{ $balanceAlgo }}
+      {{ end }}
+    {{ else }}
   balance leastconn
+    {{ end }}
   timeout check 5000ms
   http-request set-header X-Forwarded-Host %[req.hdr(host)]
   http-request set-header X-Forwarded-Port %[dst_port]
@@ -227,41 +234,53 @@ backend be_edge_http_{{$cfgIdx}}
   {{ if (eq $cfg.TLSTermination "") }}
     cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly
   {{ else }}
-    cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly secure
+  cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly secure
   {{ end }}
   http-request set-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
-                {{ range $idx, $endpoint := endpointsForAlias $cfg $serviceUnit }}
-  server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter 5000ms cookie {{$endpoint.IdHash}}
-                {{ end }}
-            {{ end }}
-
-            {{ if eq $cfg.TLSTermination "passthrough" }}
+    {{ range $serviceUnitName, $weight := $cfg.ServiceUnitNames }}
+      {{ with $serviceUnit := index $.ServiceUnits $serviceUnitName }}
+          {{ range $idx, $endpoint := endpointsForAlias $cfg $serviceUnit }}
+  server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter 5000ms cookie {{$endpoint.IdHash}} weight {{ $weight }}
+          {{ end }}
+      {{ end }}
+    {{ end }}{{/* end iterate over services */}}
+  {{ end }}{{/* end if tls==edge/none */}}
+
+# Secure backend, pass through
+  {{ if eq $cfg.TLSTermination "passthrough" }}
 backend be_tcp_{{$cfgIdx}}
 {{ if ne (env "ROUTER_SYSLOG_ADDRESS" "") ""}}
   option tcplog
 {{ end }}
   balance {{ env "ROUTER_TCP_BALANCE_SCHEME" "source" }}
   hash-type consistent
   timeout check 5000ms
-                {{ range $idx, $endpoint := endpointsForAlias $cfg $serviceUnit }}
+    {{ range $serviceUnitName, $weight := $cfg.ServiceUnitNames }}
+      {{ with $serviceUnit := index $.ServiceUnits $serviceUnitName }}
+        {{ range $idx, $endpoint := endpointsForAlias $cfg $serviceUnit }}
   server {{$endpoint.ID}} {{$endpoint.IP}}:{{$endpoint.Port}} check inter 5000ms
-                {{ end }}
-            {{ end }}
+        {{ end }}
+      {{ end }}
+    {{ end }}{{/* end iterate over services*/}}
+  {{ end }}{{/*end tls==passthrough*/}}
 
-            {{ if eq $cfg.TLSTermination "reencrypt" }}
+# Secure backend which requires re-encryption
+  {{ if eq $cfg.TLSTermination "reencrypt" }}
 backend be_secure_{{$cfgIdx}}
   mode http
   option redispatch
   balance leastconn
   timeout check 5000ms
   cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly secure
-                {{ range $idx, $endpoint := endpointsForAlias $cfg $serviceUnit }}
+    {{ range $serviceUnitName, $weight := $cfg.ServiceUnitNames }}
+      {{ with $serviceUnit := index $.ServiceUnits $serviceUnitName }}
+        {{ range $idx, $endpoint := endpointsForAlias $cfg $serviceUnit }}
   server {{$endpoint.IdHash}} {{$endpoint.IP}}:{{$endpoint.Port}} ssl check inter 5000ms verify required ca-file {{ $workingDir }}/cacerts/{{$cfgIdx}}.pem cookie {{$endpoint.IdHash}}
-                {{ end }}
-            {{ end  }}
-        {{ end  }}{{/* $serviceUnit.ServiceAliasConfigs*/}}
-{{ end }}{{/* $serviceUnit */}}
-
+        {{ end }}
+      {{ end }}
+    {{ end }}
+  {{ end }}{{/* end tls==reencrypt */}}
+{{ end }}{{/* end loop over routes */}}
 {{ end }}{{/* end haproxy config template */}}
 
 {{/*--------------------------------- END OF HAPROXY CONFIG, BELOW ARE MAPPING FILES ------------------------*/}}
@@ -270,27 +289,23 @@ backend be_secure_{{$cfgIdx}}
                         by attaching a prefix (be_http_) by use_backend statements if acls are matched.
 */}}
 {{ define "/var/lib/haproxy/conf/os_http_be.map" }}
-{{   range $id, $serviceUnit := .State }}
-{{     range $idx, $cfg := $serviceUnit.ServiceAliasConfigs }}
+{{     range $idx, $cfg := .State }}
 {{       if and (ne $cfg.Host "") (eq $cfg.TLSTermination "")}}
 {{$cfg.Host}}{{$cfg.Path}} {{$idx}}
 {{       end }}
 {{     end }}
-{{   end }}
 {{ end }}{{/* end http host map template */}}
 
 {{/*
     os_edge_http_be.map: same as os_http_be.map but allows us to separate tls from non-tls routes to ensure we don't expose
                             a tls only route on the unsecure port
 */}}
 {{ define "/var/lib/haproxy/conf/os_edge_http_be.map" }}
-{{   range $id, $serviceUnit := .State }}
-{{     range $idx, $cfg := $serviceUnit.ServiceAliasConfigs }}
+{{     range $idx, $cfg := .State }}
 {{       if and (ne $cfg.Host "") (eq $cfg.TLSTermination "edge")}}
 {{$cfg.Host}}{{$cfg.Path}} {{$idx}}
 {{       end }}
 {{     end }}
-{{   end }}
 {{ end }}{{/* end edge http host map template */}}
 
 {{/*
@@ -299,13 +314,11 @@ backend be_secure_{{$cfgIdx}}
     (http) if acls match for routes with insecure option set to expose.
 */}}
 {{ define "/var/lib/haproxy/conf/os_edge_http_expose.map" }}
-{{   range $id, $serviceUnit := .State }}
-{{     range $idx, $cfg := $serviceUnit.ServiceAliasConfigs }}
+{{     range $idx, $cfg := .State }}
 {{       if and (ne $cfg.Host "") (and (eq $cfg.TLSTermination "edge") (eq $cfg.InsecureEdgeTerminationPolicy "Allow"))}}
 {{$cfg.Host}}{{$cfg.Path}} {{$idx}}
 {{       end }}
 {{     end }}
-{{   end }}
 {{ end }}{{/* end edge insecure expose http host map template */}}
 
 {{/*
@@ -314,13 +327,11 @@ backend be_secure_{{$cfgIdx}}
     if acls match for routes that have the insecure option set to redirect.
 */}}
 {{ define "/var/lib/haproxy/conf/os_edge_http_redirect.map" }}
-{{   range $id, $serviceUnit := .State }}
-{{     range $idx, $cfg := $serviceUnit.ServiceAliasConfigs }}
+{{     range $idx, $cfg := .State }}
 {{       if and (ne $cfg.Host "") (and (eq $cfg.TLSTermination "edge") (eq $cfg.InsecureEdgeTerminationPolicy "Redirect"))}}
 {{$cfg.Host}}{{$cfg.Path}} {{$idx}}
 {{       end }}
 {{     end }}
-{{   end }}
 {{ end }}{{/* end edge insecure redirect http host map template */}}
 
 
@@ -329,27 +340,23 @@ backend be_secure_{{$cfgIdx}}
                         by attaching a prefix (be_tcp_ or be_secure_) by use_backend statements if acls are matched.
 */}}
 {{ define "/var/lib/haproxy/conf/os_tcp_be.map" }}
-{{   range $id, $serviceUnit := .State }}
-{{     range $idx, $cfg := $serviceUnit.ServiceAliasConfigs }}
+{{     range $idx, $cfg := .State }}
 {{       if and (eq $cfg.Path "") (and (ne $cfg.Host "") (or (eq $cfg.TLSTermination "passthrough") (eq $cfg.TLSTermination "reencrypt"))) }}
 {{$cfg.Host}} {{$idx}}
 {{       end }}
 {{     end }}
-{{   end }}
 {{ end }}{{/* end tcp host map template */}}
 
 {{/*
     os_sni_passthrough.map: contains a mapping of routes that expect to have an sni header and should be passed
     					through to the host_be.  Driven by the termination type of the ServiceAliasConfigs
 */}}
 {{ define "/var/lib/haproxy/conf/os_sni_passthrough.map" }}
-{{   range $id, $serviceUnit := .State }}
-{{     range $idx, $cfg := $serviceUnit.ServiceAliasConfigs }}
+{{     range $idx, $cfg := .State }}
 {{       if and (eq $cfg.Path "") (eq $cfg.TLSTermination "passthrough") }}
 {{$cfg.Host}} 1
 {{       end }}
 {{     end }}
-{{   end }}
 {{ end }}{{/* end sni passthrough map template */}}
 
 
@@ -358,11 +365,9 @@ backend be_secure_{{$cfgIdx}}
                     that does specific checks that avoid mitm attacks: http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.2-ssl
 */}}
 {{ define "/var/lib/haproxy/conf/os_reencrypt.map" }}
-{{   range $id, $serviceUnit := .State }}
-{{     range $idx, $cfg := $serviceUnit.ServiceAliasConfigs }}
+{{     range $idx, $cfg := .State }}
 {{       if and (ne $cfg.Host "") (eq $cfg.TLSTermination "reencrypt") }}
 {{$cfg.Host}}{{$cfg.Path}} {{$idx}}
 {{       end }}
 {{     end }}
-{{   end }}
 {{ end }}{{/* end reencrypt passthrough map template */}}

pkg/api/serialization_test.go

@@ -243,12 +243,11 @@ func fuzzInternalObject(t *testing.T, forVersion unversioned.GroupVersion, item
 				j.To.Name = strings.Replace(j.To.Name, ":", "-", -1)
 			}
 		},
-		func(j *route.RouteSpec, c fuzz.Continue) {
+		func(j *route.RouteTargetReference, c fuzz.Continue) {
 			c.FuzzNoCustom(j)
-			j.To = kapi.ObjectReference{
-				Kind: "Service",
-				Name: j.To.Name,
-			}
+			j.Kind = "Service"
+			j.Weight = new(int32)
+			*j.Weight = 100
 		},
 		func(j *route.TLSConfig, c fuzz.Continue) {
 			c.FuzzNoCustom(j)