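#!/bin/bash
#
# Installs HAProxy and configures it as a TCP load balancer in front of the
# three kube-apiserver instances of a cluster.
#
# Reads from ../config (relative to this script):
#   HAPROXY_STATS_AUTH            value written after "stats auth"
#   CLUSTER_NAME                  name used for the API frontend/backend
#   MASTER_{1,2,3}_NAME / _IP     backend servers, port 6443
#
# Must run with enough privilege to install packages, write /etc/haproxy
# and manage systemd units.

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

echo ""
echo "... ] INSTALLING KUBE-API HAPROXY [ ..."

# NOTE(review): this overwrites the HOME environment variable for the rest of
# the script and every child process. It is kept because the sourced config
# may reference $HOME — confirm, then consider a dedicated variable instead.
HOME=$( cd "$(dirname "$0")" && pwd ) || die "cannot resolve script directory"

[[ -r "$HOME/../config" ]] || die "config file not found: $HOME/../config"
# shellcheck source=/dev/null
source "$HOME/../config"

# Refuse to render the template with missing values: an empty variable would
# produce "stats auth" with no credential or server lines with no address.
# Only the variable name is printed, never its value.
for required in HAPROXY_STATS_AUTH CLUSTER_NAME \
  MASTER_1_NAME MASTER_1_IP \
  MASTER_2_NAME MASTER_2_IP \
  MASTER_3_NAME MASTER_3_IP; do
  [[ -n "${!required:-}" ]] || die "required variable $required is not set in config"
done

# installing haproxy
apt-get update -q || die "apt-get update failed"
apt-get install -y haproxy || die "haproxy installation failed"

# configuring haproxy
readonly cfg=/etc/haproxy/haproxy.cfg
readonly cfg_backup=/etc/haproxy/haproxy.old.cfg

# Render into a private temp file next to the target so the final mv is a
# rename on the same filesystem. mktemp creates it owner-only, which matters
# because the file carries the stats credential in clear text.
tmp_cfg=$(mktemp "${cfg}.XXXXXX") || die "cannot create temporary config file"
trap 'rm -f -- "$tmp_cfg"' EXIT

# Notes on the generated configuration:
#  - The ssl-default-bind-* lines are inert here: no bind line uses "ssl" and
#    the API frontend is plain TCP passthrough, so TLS is handled by the
#    kube-apiserver backends. "no-sslv3" alone would still allow TLS 1.0/1.1
#    if an ssl bind is added later.
#  - The stats page and monitor URI are bound to 127.0.0.1 only; the stats
#    credential is HTTP basic auth without TLS.
#  - The API frontend listens on *:16443, i.e. every interface; limiting who
#    can reach it is left to the host/network firewall.
#  - NOTE(review): the extra "bind 127.0.0.1:16443" looks already covered by
#    "bind *:16443" — confirm it is intended.
# The heredoc delimiter is unquoted on purpose so the ${...} values from the
# config are expanded into the file.
cat <<EOF > "$tmp_cfg" || die "cannot write $tmp_cfg"
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5s
    timeout client 1d
    timeout server 1d
    timeout http-request 60s
    timeout http-keep-alive 60s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend monitor-in
    bind 127.0.0.1:33305
    mode http
    option httplog
    monitor-uri /monitor

listen stats
    bind 127.0.0.1:9000
    mode http
    stats enable
    stats hide-version
    stats uri /stats
    stats refresh 30s
    stats realm Haproxy\ Statistics
    stats auth ${HAPROXY_STATS_AUTH}

frontend ${CLUSTER_NAME}-api
    bind *:16443
    bind 127.0.0.1:16443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    default_backend ${CLUSTER_NAME}-api

backend ${CLUSTER_NAME}-api
    mode tcp
    option tcplog
    option tcp-check
    balance roundrobin
    default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
    server ${MASTER_1_NAME}-api ${MASTER_1_IP}:6443 check
    server ${MASTER_2_NAME}-api ${MASTER_2_IP}:6443 check
    server ${MASTER_3_NAME}-api ${MASTER_3_IP}:6443 check
EOF

# Keep the credential-bearing file unreadable for unprivileged local users.
chmod 0640 -- "$tmp_cfg" || die "cannot set permissions on $tmp_cfg"

# Syntax-check the rendered file before touching the running service, so a
# bad value in ../config cannot leave the load balancer with a broken config.
haproxy -c -f "$tmp_cfg" || die "generated haproxy configuration failed validation"

systemctl stop haproxy.service || die "cannot stop haproxy.service"

# Back up the previous configuration. On a re-run that file is an earlier
# generated config and therefore also contains the stats credential.
if [[ -f "$cfg" ]]; then
  mv -- "$cfg" "$cfg_backup" || die "cannot back up $cfg"
  chmod 0640 -- "$cfg_backup" || die "cannot set permissions on $cfg_backup"
fi
mv -- "$tmp_cfg" "$cfg" || die "cannot install $cfg"

systemctl daemon-reload || die "systemctl daemon-reload failed"
systemctl enable haproxy.service || die "cannot enable haproxy.service"
systemctl start haproxy.service || die "cannot start haproxy.service"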