External traffic management subsystem
1. Overview
The subsystem is represented by the OpenShift Router component, which is integrated into OpenShift and uses HAProxy as a reverse proxy server and load balancer. It provides reliable and secure interaction between external clients and Platform services.
The subsystem is the entry point for external traffic to the OpenShift cluster. It acts as a gateway that redirects incoming traffic to the Platform services and to the Registries deployed on the Platform.
By default, the subsystem uses the domain from the OpenShift cluster configuration as the domain for the external API gateway. This domain is also used when generating the default domain name for an OpenShift Route resource if no other domain name is specified.
2. Subsystem functions
- Redirection of incoming external traffic to the internal services according to the configured routing rules
- Ongoing update of services configurations and routing rules
- Service state monitoring and division of traffic into instances available for request processing
- IP- and network-based access management to Platform and Registries subsystems
- Workload balancing through distribution of incoming traffic between services
- External traffic encryption and decryption before redirection to internal services (SSL/TLS Termination)
- Performance metrics data gathering for monitoring
- Incoming requests logging
4. Subsystem components
Component name | Representation in Platform | Source | Repository | Function |
---|---|---|---|---|
Operational zone external API-gateway | | 3rd-party | - | OpenShift Ingress Controller (also known as OpenShift Router) - a component that manages incoming traffic routing in OpenShift cluster. |
Operational zone external API-gateway operator | | 3rd-party | | A component that is responsible for the deployment and configuring of the Operational zone external API-gateway |
6. Subsystem quality attributes
6.1. Scalability
The External traffic management subsystem supports both vertical and horizontal scaling to handle growing incoming traffic: vertical scaling allocates additional resources to the OpenShift Router pods, and horizontal scaling increases the number of OpenShift Router pods. Horizontal scaling is performed by the Horizontal Pod Autoscaler (HPA), which automatically increases or decreases the number of Router replicas according to the current and target workload. The HPA bases its decisions on monitoring of the number of requests and resource usage values.
6.2. Availability
The External traffic management subsystem supports deployment in high-availability mode so that incoming traffic continues to be processed in case of failure. High availability is achieved by using horizontal scaling to deploy redundant OpenShift Router pod replicas. This distributes external traffic across the replicas and guarantees that, if an OpenShift Router pod fails, the traffic will be redirected to another replica.
6.3. Security
The External traffic management subsystem provides flexible and extensive functionality for restricting and controlling incoming traffic.
It maintains data integrity and confidentiality in the information transfer channel between the clients and Platform services.
The subsystem does not log or store confidential information.
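The IP-based access management and SSL/TLS termination functions can be checked per Route. The following audit is an added example, not part of the Platform's own code: it reads the output of `oc get routes -A -o json` and reports Routes without TLS, Routes that still accept plain HTTP, and Routes with no source IP restriction or an open one. It assumes access is restricted with the OpenShift Router annotation `haproxy.router.openshift.io/ip_whitelist`; the namespace and route names in the sample are constructed.

```python
import json

# Real OpenShift Router annotation (space-separated IPs/CIDRs); that the Platform
# uses it for its IP-based access management is an assumption of this example.
IP_ANNOTATION = "haproxy.router.openshift.io/ip_whitelist"

def audit_route(route):
    """Return findings for one Route object taken from `oc get routes -o json`."""
    findings = []
    tls = route.get("spec", {}).get("tls")
    if not tls:
        findings.append("no-tls")  # router serves this host over plain HTTP
    elif tls.get("insecureEdgeTerminationPolicy") == "Allow":
        findings.append("plain-http-allowed")  # HTTP accepted alongside HTTPS
    annotations = route.get("metadata", {}).get("annotations") or {}
    sources = annotations.get(IP_ANNOTATION, "").split()
    if not sources:
        findings.append("no-ip-restriction")
    elif any(s in ("0.0.0.0/0", "::/0") for s in sources):
        findings.append("ip-restriction-open")  # allow-list matches every client
    return findings

def audit(route_list_json):
    """Map 'namespace/name' to findings for every Route that has at least one."""
    report = {}
    for route in json.loads(route_list_json).get("items", []):
        findings = audit_route(route)
        if findings:
            meta = route["metadata"]
            report[f"{meta.get('namespace', '')}/{meta['name']}"] = findings
    return report

# Constructed sample input (hypothetical namespace and route names).
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "demo", "name": "admin-portal",
                  "annotations": {IP_ANNOTATION: "10.0.0.0/8 192.168.1.10"}},
     "spec": {"tls": {"termination": "edge",
                      "insecureEdgeTerminationPolicy": "Redirect"}}},
    {"metadata": {"namespace": "demo", "name": "public-api"},
     "spec": {"tls": {"termination": "edge",
                      "insecureEdgeTerminationPolicy": "Allow"}}},
    {"metadata": {"namespace": "demo", "name": "legacy",
                  "annotations": {IP_ANNOTATION: "0.0.0.0/0"}},
     "spec": {}},
]})

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, ", ".join(findings))
```

A Route that is intentionally public will still be listed under `no-ip-restriction`; treat that finding as a prompt to confirm the exposure is expected.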
6.4. Performance
The high performance of the External traffic management subsystem is achieved thanks to several factors:
- usage of the high-performance HAProxy reverse proxy server.
- balanced traffic distribution across OpenShift Router pod replicas.
- automated horizontal scaling to achieve target performance values during an increase in external traffic.
6.5. Observability
The External traffic management subsystem supports logging of incoming requests and gathering of performance metrics for further analysis via the web interfaces of the corresponding Platform subsystems.