veza/infra/ansible/roles/backend_api/tasks/main.yml
senke a9541f517b
Some checks failed
Veza CI / Frontend (Web) (push) Has been cancelled
E2E Playwright / e2e (full) (push) Has been cancelled
Veza CI / Notify on failure (push) Blocked by required conditions
Veza CI / Backend (Go) (push) Failing after 4m34s
Veza CI / Rust (Stream Server) (push) Successful in 5m37s
Security Scan / Secret Scanning (gitleaks) (push) Failing after 1m7s
feat(infra): haproxy sticky WS + backend_api multi-instance scaffold (W4 Day 19)
Phase-1 of the active/active backend story. HAProxy in front of two
backend-api containers + two stream-server containers; sticky cookie
pins WS sessions to one backend, URI hash routes track_id to one
streamer for HLS cache locality.

Day 19 acceptance asks for: kill backend-api-1, HAProxy fails over, WS
sessions reconnect to backend-api-2 without loss. The smoke test wires
that gate; phase-2 (W5) will add keepalived for an LB pair.

- infra/ansible/roles/haproxy/
  * Install HAProxy + render haproxy.cfg with frontend (HTTP, optional
    HTTPS via haproxy_tls_cert_path), api_pool (round-robin + sticky
    cookie SERVERID), stream_pool (URI-hash + consistent jump-hash).
  * Active health check GET /api/v1/health every 5s; fall=3, rise=2.
    on-marked-down shutdown-sessions + slowstart 30s on recovery.
  * Stats socket bound to 127.0.0.1:9100 for the future prometheus
    haproxy_exporter sidecar.
  * Mozilla Intermediate TLS cipher list; only effective when a cert
    is mounted.

- infra/ansible/roles/backend_api/
  * Scaffolding for the multi-instance Go API. Creates veza-api
    system user, /opt/veza/backend-api dir, /etc/veza env dir,
    /var/log/veza, and a hardened systemd unit pointing at the binary.
  * Binary deployment is OUT of scope (documented in README) — the
    Go binary is built outside Ansible (Makefile target) and pushed
    via incus file push. CI → ansible-pull integration is W5+.

- infra/ansible/playbooks/haproxy.yml: provisions the haproxy Incus
  container + applies common baseline + role.

- infra/ansible/inventory/lab.yml: 3 new groups:
  * haproxy (single LB node)
  * backend_api_instances (backend-api-{1,2})
  * stream_server_instances (stream-server-{1,2})
  HAProxy template reads these groups directly to populate its
  upstream blocks; falls back to the static haproxy_backend_api_fallback
  list if the group is missing (for in-isolation tests).

- infra/ansible/tests/test_backend_failover.sh
  * step 0: pre-flight — both backends UP per HAProxy stats socket.
  * step 1: 5 baseline GET /api/v1/health through the LB → all 200.
  * step 2: incus stop --force backend-api-1; record t0.
  * step 3: poll HAProxy stats until backend-api-1 is DOWN
    (timeout 30s; expected ~ 15s = fall × interval).
  * step 4: 5 GET requests during the down window — all must 200
    (served by backend-api-2). Fails if any returns non-200.
  * step 5: incus start backend-api-1; poll until UP again.

Acceptance (Day 19): smoke test passes; HAProxy sticky cookie
keeps WS sessions on the same backend until that backend dies, at
which point the cookie is ignored and the request rebalances.

W4 progress : Day 16 done · Day 17 done · Day 18 done · Day 19 done ·
Day 20 (k6 nightly load test) pending.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 11:32:48 +02:00
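The failover gate described in the commit message (steps 0, 3 and 4 of test_backend_failover.sh) only means something if the script reads HAProxy's real server state and checks which backend actually answered. The following is an added example, not veza's own test script: POSIX sh helpers that parse a `show stat` CSV dump from the stats socket and a `curl -i` response head. It assumes the stats socket on 127.0.0.1:9100 from the commit message, a backend named api_pool with servers backend-api-1 and backend-api-2, and a SERVERID cookie whose value is the server name (HAProxy's default for `cookie SERVERID insert`); the CSV and HTTP samples are constructed.

```shell
#!/bin/sh
# Added example, not veza's infra/ansible/tests/test_backend_failover.sh.
# Assumptions: stats socket 127.0.0.1:9100, backend api_pool, servers
# backend-api-1/2, SERVERID cookie carrying the server name.

HAPROXY_STATS_ADDR="${HAPROXY_STATS_ADDR:-127.0.0.1:9100}"

# Live fetch for use on the LB host (needs socat). Every check below takes
# the CSV as an argument so it also runs on captured output.
fetch_stats() {
    printf 'show stat\n' | socat stdio "tcp:${HAPROXY_STATS_ADDR}"
}

# Constructed samples, trimmed after the `downtime` column. A real dump has
# many more columns, which is why `status` is located by header name below.
UP_SAMPLE='# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,chkfail,chkdown,lastchg,downtime,
api_pool,backend-api-1,0,0,0,3,,120,40960,81920,,0,,0,0,0,0,UP,1,1,0,0,0,600,0,
api_pool,backend-api-2,0,0,1,2,,118,40120,80010,,0,,0,0,0,0,UP,1,1,0,0,0,600,0,
api_pool,BACKEND,0,0,1,5,200,238,81080,161930,0,0,,0,0,0,0,UP,2,2,0,,0,600,0,'

DOWN_SAMPLE='# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,chkfail,chkdown,lastchg,downtime,
api_pool,backend-api-1,0,0,0,3,,120,40960,81920,,0,,0,0,0,0,DOWN,1,1,0,3,1,14,14,
api_pool,backend-api-2,0,0,2,2,,131,44900,89800,,0,,0,0,0,0,UP,1,1,0,0,0,614,0,
api_pool,BACKEND,0,0,2,5,200,251,85860,171720,0,0,,0,0,0,0,UP,1,1,0,,0,614,0,'

# Constructed `curl -isS http://lb/api/v1/health` head captured while
# backend-api-1 is down: HAProxy re-issued the cookie for backend-api-2.
RESP_DURING_OUTAGE='HTTP/1.1 200 OK
content-type: application/json
set-cookie: SERVERID=backend-api-2; path=/; HttpOnly
content-length: 15

{"status":"ok"}'

# Constructed failure case: no backend could serve the request.
RESP_503='HTTP/1.1 503 Service Unavailable
content-length: 0
'

# Print the status (UP/DOWN/MAINT/...) of server $3 in backend $2 of CSV $1.
# The column index comes from the header line, so a newer HAProxy that
# adds columns cannot silently shift the check onto the wrong field.
server_status() {
    printf '%s\n' "$1" | awk -F, -v px="$2" -v sv="$3" '
        /^# pxname/ { for (i = 1; i <= NF; i++) if ($i == "status") col = i; next }
        $1 == px && $2 == sv { print $col; exit }
    '
}

# Succeed only if every real server of backend $2 is UP (step 0 pre-flight).
# The FRONTEND/BACKEND aggregate rows are skipped.
all_up() {
    n=$(printf '%s\n' "$1" | awk -F, -v px="$2" '
        /^# pxname/ { for (i = 1; i <= NF; i++) if ($i == "status") col = i; next }
        $1 == px && $2 != "FRONTEND" && $2 != "BACKEND" && $col != "UP" { bad++ }
        END { print bad + 0 }
    ')
    [ "$n" -eq 0 ]
}

# Poll the stats source $1 (a command) until server $3 of backend $2 reports
# status $4; print elapsed seconds, or fail after $5 seconds (step 3/5).
# With fall=3 and a 5s check interval DOWN should appear within ~15s.
wait_for_status() {
    start=$(date +%s)
    while :; do
        stats=$("$1")
        now=$(date +%s)
        if [ "$(server_status "$stats" "$2" "$3")" = "$4" ]; then
            echo $((now - start))
            return 0
        fi
        if [ $((now - start)) -ge "$5" ]; then
            return 1
        fi
        sleep 1
    done
}

# From a response head, print which server set the SERVERID cookie.
# CRLF line endings from curl are tolerated.
served_by() {
    printf '%s\n' "$1" | awk -F'[=;[:space:]]+' '
        { sub(/\r$/, "") }
        tolower($1) == "set-cookie:" && $2 == "SERVERID" { print $3; exit }
    '
}

# Step-4 gate: the probe must be a 200 and must have been served by $2.
check_during_outage() {
    code=$(printf '%s\n' "$1" | awk 'NR == 1 { print $2; exit }')
    if [ "$code" != "200" ]; then
        return 1
    fi
    [ "$(served_by "$1")" = "$2" ]
}

# On the LB host, step 3 becomes:
#   wait_for_status fetch_stats api_pool backend-api-1 DOWN 30
# and each step-4 probe, replaying the cookie jar filled in step 1 so the
# client really presents a stale backend-api-1 cookie:
#   check_during_outage "$(curl -isS -b "$JAR" -c "$JAR" http://127.0.0.1/api/v1/health)" backend-api-2
```

Two caveats worth keeping in the script. First, run the step-4 probes with the cookie jar from step 1: a fresh client without a SERVERID cookie would pass trivially, while the acceptance is about a client stuck to the dead backend. Second, HAProxy only breaks that persistence when `option redispatch` is set on the backend; per its documentation, without it clients whose cookie points at a DOWN server keep being sent there, so the probe would fail even though backend-api-2 is healthy.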


# backend_api role — runtime baseline for the Go API container.
# v1.0.9 W4 Day 19 — multi-instance scaffolding. Binary deploy is
# explicitly out of scope (Makefile + scp/incus push, NOT Ansible).
#
# What this role DOES:
# - creates the veza-api system user
# - lays down /opt/veza/backend-api + /etc/veza + /var/log/veza
# - renders a systemd unit pointing at the binary path
# - leaves port 8080 reachable as-is: no firewall changes (the Incus
#   bridge is trusted today)
#
# What this role does NOT do (deliberately):
# - build / copy the Go binary
# - render .env (the secrets are managed by ansible-vault outside
#   the role; only the env file path is referenced here)
# - run migrations
# - enable or start the unit (nothing to run until the binary is pushed)
---
- name: Create veza-api system user
  # Service account: no login shell; its home is the install dir, which
  # the user module creates here and the next task re-permissions.
  ansible.builtin.user:
    name: "{{ backend_api_user }}"
    system: true
    shell: /usr/sbin/nologin
    home: "{{ backend_api_install_dir }}"
    create_home: true
  tags: [backend_api, install]

- name: Ensure install + log directories
  # Both directories are owned by the service user. Hardening note: the
  # install dir is where the binary is pushed, so a process running as
  # veza-api can replace its own binary; root-owned install dir plus a
  # service-owned log dir is the tighter split once the push path settles.
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: "{{ backend_api_user }}"
    group: "{{ backend_api_user }}"
    mode: "0755"
  loop:
    - "{{ backend_api_install_dir }}"
    - "{{ backend_api_log_dir }}"
  tags: [backend_api, install]

- name: Ensure /etc/veza exists for the env file
  # root-owned, group-readable only: the vault-managed .env lands here and
  # must not be world-readable.
  ansible.builtin.file:
    path: /etc/veza
    state: directory
    owner: root
    group: "{{ backend_api_user }}"
    mode: "0750"
  tags: [backend_api, config]

- name: Render systemd unit
  ansible.builtin.template:
    src: veza-backend-api.service.j2
    dest: /etc/systemd/system/veza-backend-api.service
    owner: root
    group: root
    mode: "0644"
  notify: Restart veza-backend-api
  tags: [backend_api, service]

- name: Reload systemd daemon
  # Runs on every play, not only when the unit changed; harmless but it
  # belongs in the handler if the role ever becomes idempotency-checked.
  ansible.builtin.systemd:
    daemon_reload: true
  tags: [backend_api, service]