Merge branch 'master' into okd_enable_user_workload_monitoring

fix(opnsense-config): ensure load balancer service configuration is idempotent (#129 )
The previous implementation blindly added HAProxy components without checking for existing configurations on the same port, which caused duplicate entries and errors when a service was updated. This commit refactors the logic to a robust "remove-then-add" strategy. The configure_service method now finds and removes any existing frontend and its dependent components (backend, servers, health check) before adding the new, complete service definition. This change makes the process fully idempotent, preventing configuration drift and ensuring a predictable state. Co-authored-by: Ian Letourneau <letourneau.ian@gmail.com> Reviewed-on: #129
2025-10-21 13:48:33 +00:00 · 2025-10-20 19:18:49 +00:00 · 2025-10-16 18:24:58 +00:00 · 2025-10-16 18:24:34 +00:00 · 2025-10-16 14:23:41 -04:00 · 2025-10-16 18:23:01 +00:00
17 changed files with 384 additions and 148 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1847,18 +1847,6 @@ dependencies = [
 "url",
 ]

-[[package]]
-name = "example-penpot"
-version = "0.1.0"
-dependencies = [
- "harmony",
- "harmony_cli",
- "harmony_macros",
- "harmony_types",
- "tokio",
- "url",
-]
-
 [[package]]
 name = "example-pxe"
 version = "0.1.0"
@@ -1930,6 +1918,8 @@ dependencies = [
 "env_logger",
 "harmony",
 "harmony_macros",
+ "harmony_secret",
+ "harmony_secret_derive",
 "harmony_tui",
 "harmony_types",
 "log",
@@ -2456,17 +2446,6 @@ dependencies = [
 "tokio",
 ]

-[[package]]
-name = "harmony_derive"
-version = "0.1.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2d138bbb32bb346299c5f95fbb53532313f39927cb47c411c99c634ef8665ef7"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 1.0.109",
-]
-
 [[package]]
 name = "harmony_inventory_agent"
 version = "0.1.0"
@@ -3913,19 +3892,6 @@ dependencies = [
 "web-time",
 ]

-[[package]]
-name = "okd_host_network"
-version = "0.1.0"
-dependencies = [
- "harmony",
- "harmony_cli",
- "harmony_derive",
- "harmony_inventory_agent",
- "harmony_macros",
- "harmony_types",
- "tokio",
-]
-
 [[package]]
 name = "once_cell"
 version = "1.21.3"
@@ -3954,6 +3920,7 @@ checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"
 name = "opnsense-config"
 version = "0.1.0"
 dependencies = [
+ "assertor",
 "async-trait",
 "chrono",
 "env_logger",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -15,7 +15,8 @@ members = [
  "harmony_inventory_agent",
  "harmony_secret_derive",
  "harmony_secret",
-  "adr/agent_discovery/mdns", "brocade",
+  "adr/agent_discovery/mdns",
+  "brocade",
 ]

 [workspace.package]
--- a/brocade/src/fast_iron.rs
+++ b/brocade/src/fast_iron.rs
@@ -70,7 +70,7 @@ impl FastIronClient {

        Some(Ok(InterSwitchLink {
            local_port,
-            remote_port: None, // FIXME: Map the remote port as well
+            remote_port: None,
        }))
    }

--- a/brocade/src/network_operating_system.rs
+++ b/brocade/src/network_operating_system.rs
@@ -270,7 +270,7 @@ impl BrocadeClient for NetworkOperatingSystemClient {
            commands.push("no ip address".into());
            commands.push("no fabric isl enable".into());
            commands.push("no fabric trunk enable".into());
-            commands.push(format!("channel-group {} mode active", channel_id));
+            commands.push(format!("channel-group {channel_id} mode active"));
            commands.push("no shutdown".into());
            commands.push("exit".into());
        }
--- a/harmony/src/domain/hardware/mod.rs
+++ b/harmony/src/domain/hardware/mod.rs
@@ -12,11 +12,11 @@ pub type FirewallGroup = Vec<PhysicalHost>;
 pub struct PhysicalHost {
    pub id: Id,
    pub category: HostCategory,
-    pub network: Vec<NetworkInterface>, // FIXME: Don't use harmony_inventory_agent::NetworkInterface
-    pub storage: Vec<StorageDrive>,     // FIXME: Don't use harmony_inventory_agent::StorageDrive
+    pub network: Vec<NetworkInterface>,
+    pub storage: Vec<StorageDrive>,
    pub labels: Vec<Label>,
-    pub memory_modules: Vec<MemoryModule>, // FIXME: Don't use harmony_inventory_agent::MemoryModule
-    pub cpus: Vec<CPU>,                    // FIXME: Don't use harmony_inventory_agent::CPU
+    pub memory_modules: Vec<MemoryModule>,
+    pub cpus: Vec<CPU>,
 }

 impl PhysicalHost {
--- a/harmony/src/domain/topology/ha_cluster.rs
+++ b/harmony/src/domain/topology/ha_cluster.rs
@@ -2,9 +2,10 @@ use async_trait::async_trait;
 use brocade::BrocadeOptions;
 use harmony_macros::ip;
 use harmony_secret::SecretManager;
-use harmony_types::net::MacAddress;
-use harmony_types::net::Url;
-use harmony_types::switch::PortLocation;
+use harmony_types::{
+    net::{MacAddress, Url},
+    switch::PortLocation,
+};
 use k8s_openapi::api::core::v1::Namespace;
 use kube::api::ObjectMeta;
 use log::debug;
@@ -15,40 +16,19 @@ use crate::executors::ExecutorError;
 use crate::hardware::PhysicalHost;
 use crate::infra::brocade::BrocadeSwitchAuth;
 use crate::infra::brocade::BrocadeSwitchClient;
-use crate::modules::okd::crd::InstallPlanApproval;
-use crate::modules::okd::crd::OperatorGroup;
-use crate::modules::okd::crd::OperatorGroupSpec;
-use crate::modules::okd::crd::Subscription;
-use crate::modules::okd::crd::SubscriptionSpec;
-use crate::modules::okd::crd::nmstate;
-use crate::modules::okd::crd::nmstate::NMState;
-use crate::modules::okd::crd::nmstate::NodeNetworkConfigurationPolicy;
-use crate::modules::okd::crd::nmstate::NodeNetworkConfigurationPolicySpec;
+use crate::modules::okd::crd::{
+    InstallPlanApproval, OperatorGroup, OperatorGroupSpec, Subscription, SubscriptionSpec,
+    nmstate::{self, NMState, NodeNetworkConfigurationPolicy, NodeNetworkConfigurationPolicySpec},
+};
 use crate::topology::PxeOptions;

-use super::DHCPStaticEntry;
-use super::DhcpServer;
-use super::DnsRecord;
-use super::DnsRecordType;
-use super::DnsServer;
-use super::Firewall;
-use super::HostNetworkConfig;
-use super::HttpServer;
-use super::IpAddress;
-use super::K8sclient;
-use super::LoadBalancer;
-use super::LoadBalancerService;
-use super::LogicalHost;
-use super::PreparationError;
-use super::PreparationOutcome;
-use super::Router;
-use super::Switch;
-use super::SwitchClient;
-use super::SwitchError;
-use super::TftpServer;
+use super::{
+    DHCPStaticEntry, DhcpServer, DnsRecord, DnsRecordType, DnsServer, Firewall, HostNetworkConfig,
+    HttpServer, IpAddress, K8sclient, LoadBalancer, LoadBalancerService, LogicalHost,
+    PreparationError, PreparationOutcome, Router, Switch, SwitchClient, SwitchError, TftpServer,
+    Topology, k8s::K8sClient,
+};

-use super::Topology;
-use super::k8s::K8sClient;
 use std::collections::BTreeMap;
 use std::net::IpAddr;
 use std::sync::Arc;
@@ -533,7 +513,7 @@ impl Switch for HAClusterTopology {
        host: &PhysicalHost,
        config: HostNetworkConfig,
    ) -> Result<(), SwitchError> {
-        // self.configure_bond(host, &config).await?;
+        self.configure_bond(host, &config).await?;
        self.configure_port_channel(host, &config).await
    }
 }
--- a/harmony/src/domain/topology/load_balancer.rs
+++ b/harmony/src/domain/topology/load_balancer.rs
@@ -28,13 +28,7 @@ pub trait LoadBalancer: Send + Sync {
        &self,
        service: &LoadBalancerService,
    ) -> Result<(), ExecutorError> {
-        debug!(
-            "Listing LoadBalancer services {:?}",
-            self.list_services().await
-        );
-        if !self.list_services().await.contains(service) {
-            self.add_service(service).await?;
-        }
+        self.add_service(service).await?;
        Ok(())
    }
 }
--- a/harmony/src/infra/opnsense/load_balancer.rs
+++ b/harmony/src/infra/opnsense/load_balancer.rs
@@ -26,19 +26,13 @@ impl LoadBalancer for OPNSenseFirewall {
    }

    async fn add_service(&self, service: &LoadBalancerService) -> Result<(), ExecutorError> {
-        warn!(
-            "TODO : the current implementation does not check / cleanup / merge with existing haproxy services properly. Make sure to manually verify that the configuration is correct after executing any operation here"
-        );
        let mut config = self.opnsense_config.write().await;
+        let mut load_balancer = config.load_balancer();
+
        let (frontend, backend, servers, healthcheck) =
            harmony_load_balancer_service_to_haproxy_xml(service);
-        let mut load_balancer = config.load_balancer();
-        load_balancer.add_backend(backend);
-        load_balancer.add_frontend(frontend);
-        load_balancer.add_servers(servers);
-        if let Some(healthcheck) = healthcheck {
-            load_balancer.add_healthcheck(healthcheck);
-        }
+
+        load_balancer.configure_service(frontend, backend, servers, healthcheck);

        Ok(())
    }
@@ -106,7 +100,7 @@ pub(crate) fn haproxy_xml_config_to_harmony_loadbalancer(
                .backends
                .backends
                .iter()
-                .find(|b| b.uuid == frontend.default_backend);
+                .find(|b| Some(b.uuid.clone()) == frontend.default_backend);

            let mut health_check = None;
            match matching_backend {
@@ -116,8 +110,7 @@ pub(crate) fn haproxy_xml_config_to_harmony_loadbalancer(
                }
                None => {
                    warn!(
-                        "HAProxy config could not find a matching backend for frontend {:?}",
-                        frontend
+                        "HAProxy config could not find a matching backend for frontend {frontend:?}"
                    );
                }
            }
@@ -152,11 +145,11 @@ pub(crate) fn get_servers_for_backend(
        .servers
        .iter()
        .filter_map(|server| {
+            let address = server.address.clone()?;
+            let port = server.port?;
+
            if backend_servers.contains(&server.uuid.as_str()) {
-                return Some(BackendServer {
-                    address: server.address.clone(),
-                    port: server.port,
-                });
+                return Some(BackendServer { address, port });
            }
            None
        })
@@ -347,7 +340,7 @@ pub(crate) fn harmony_load_balancer_service_to_haproxy_xml(
        name: format!("frontend_{}", service.listening_port),
        bind: service.listening_port.to_string(),
        mode: "tcp".to_string(), // TODO do not depend on health check here
-        default_backend: backend.uuid.clone(),
+        default_backend: Some(backend.uuid.clone()),
        ..Default::default()
    };
    info!("HAPRoxy frontend and backend mode currently hardcoded to tcp");
@@ -361,8 +354,8 @@ fn server_to_haproxy_server(server: &BackendServer) -> HAProxyServer {
        uuid: Uuid::new_v4().to_string(),
        name: format!("{}_{}", &server.address, &server.port),
        enabled: 1,
-        address: server.address.clone(),
-        port: server.port,
+        address: Some(server.address.clone()),
+        port: Some(server.port),
        mode: "active".to_string(),
        server_type: "static".to_string(),
        ..Default::default()
@@ -385,8 +378,8 @@ mod tests {
        let mut haproxy = HAProxy::default();
        let server = HAProxyServer {
            uuid: "server1".to_string(),
-            address: "192.168.1.1".to_string(),
-            port: 80,
+            address: Some("192.168.1.1".to_string()),
+            port: Some(80),
            ..Default::default()
        };
        haproxy.servers.servers.push(server);
@@ -411,8 +404,8 @@ mod tests {
        let mut haproxy = HAProxy::default();
        let server = HAProxyServer {
            uuid: "server1".to_string(),
-            address: "192.168.1.1".to_string(),
-            port: 80,
+            address: Some("192.168.1.1".to_string()),
+            port: Some(80),
            ..Default::default()
        };
        haproxy.servers.servers.push(server);
@@ -431,8 +424,8 @@ mod tests {
        let mut haproxy = HAProxy::default();
        let server = HAProxyServer {
            uuid: "server1".to_string(),
-            address: "192.168.1.1".to_string(),
-            port: 80,
+            address: Some("192.168.1.1".to_string()),
+            port: Some(80),
            ..Default::default()
        };
        haproxy.servers.servers.push(server);
@@ -453,16 +446,16 @@ mod tests {
        let mut haproxy = HAProxy::default();
        let server = HAProxyServer {
            uuid: "server1".to_string(),
-            address: "some-hostname.test.mcd".to_string(),
-            port: 80,
+            address: Some("some-hostname.test.mcd".to_string()),
+            port: Some(80),
            ..Default::default()
        };
        haproxy.servers.servers.push(server);

        let server = HAProxyServer {
            uuid: "server2".to_string(),
-            address: "192.168.1.2".to_string(),
-            port: 8080,
+            address: Some("192.168.1.2".to_string()),
+            port: Some(8080),
            ..Default::default()
        };
        haproxy.servers.servers.push(server);
--- a/harmony/src/modules/okd/bootstrap_03_control_plane.rs
+++ b/harmony/src/modules/okd/bootstrap_03_control_plane.rs
@@ -215,7 +215,7 @@ impl OKDSetup03ControlPlaneInterpret {
    ) -> Result<(), InterpretError> {
        info!("[ControlPlane] Ensuring persistent bonding");
        let score = HostNetworkConfigurationScore {
-            hosts: hosts.clone(), // FIXME: Avoid clone if possible
+            hosts: hosts.clone(),
        };
        score.interpret(inventory, topology).await?;

--- a/harmony/src/modules/okd/bootstrap_load_balancer.rs
+++ b/harmony/src/modules/okd/bootstrap_load_balancer.rs
@@ -77,6 +77,8 @@ impl OKDBootstrapLoadBalancerScore {
            address: topology.bootstrap_host.ip.to_string(),
            port,
        });
+
+        backend.dedup();
        backend
    }
 }
--- a/harmony/src/modules/okd/crd/nmstate.rs
+++ b/harmony/src/modules/okd/crd/nmstate.rs
@@ -240,7 +240,7 @@ pub struct OvsPortSpec {
 #[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
 #[serde(rename_all = "kebab-case")]
 pub struct EthtoolSpec {
-    // FIXME: Properly describe this spec (https://nmstate.io/devel/yaml_api.html#ethtool)
+    // TODO: Properly describe this spec (https://nmstate.io/devel/yaml_api.html#ethtool)
 }

 #[derive(Deserialize, Serialize, Clone, Debug, Default, JsonSchema)]
--- a/harmony/src/modules/okd/host_network.rs
+++ b/harmony/src/modules/okd/host_network.rs
@@ -50,6 +50,7 @@ impl HostNetworkConfigurationInterpret {

        Ok(())
    }
+
    async fn collect_switch_ports_for_host<T: Topology + Switch>(
        &self,
        topology: &T,
@@ -125,7 +126,6 @@ impl<T: Topology + Switch> Interpret<T> for HostNetworkConfigurationInterpret {

        let mut configured_host_count = 0;
        for host in &self.score.hosts {
-            // FIXME: Clear the previous config for host
            self.configure_network_for_host(topology, host).await?;
            configured_host_count += 1;
        }
@@ -283,7 +283,6 @@ mod tests {

    #[tokio::test]
    async fn port_not_found_for_mac_address_should_not_configure_interface() {
-        // FIXME: Should it still configure an empty bond/port channel?
        let score = given_score(vec![given_host(&HOST_ID, vec![UNKNOWN_INTERFACE.clone()])]);
        let topology = TopologyWithSwitch::new_port_not_found();

--- a/opnsense-config-xml/src/data/haproxy.rs
+++ b/opnsense-config-xml/src/data/haproxy.rs
@@ -77,7 +77,7 @@ impl YaSerializeTrait for HAProxyId {
    }
 }

-#[derive(PartialEq, Debug)]
+#[derive(PartialEq, Debug, Clone)]
 pub struct HAProxyId(String);

 impl Default for HAProxyId {
@@ -297,7 +297,7 @@ pub struct HAProxyFrontends {
    pub frontend: Vec<Frontend>,
 }

-#[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
+#[derive(Clone, Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
 pub struct Frontend {
    #[yaserde(attribute = true)]
    pub uuid: String,
@@ -310,7 +310,7 @@ pub struct Frontend {
    pub bind_options: MaybeString,
    pub mode: String,
    #[yaserde(rename = "defaultBackend")]
-    pub default_backend: String,
+    pub default_backend: Option<String>,
    pub ssl_enabled: i32,
    pub ssl_certificates: MaybeString,
    pub ssl_default_certificate: MaybeString,
@@ -416,7 +416,7 @@ pub struct HAProxyBackends {
    pub backends: Vec<HAProxyBackend>,
 }

-#[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
+#[derive(Clone, Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
 pub struct HAProxyBackend {
    #[yaserde(attribute = true, rename = "uuid")]
    pub uuid: String,
@@ -535,7 +535,7 @@ pub struct HAProxyServers {
    pub servers: Vec<HAProxyServer>,
 }

-#[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
+#[derive(Clone, Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
 pub struct HAProxyServer {
    #[yaserde(attribute = true, rename = "uuid")]
    pub uuid: String,
@@ -543,8 +543,8 @@ pub struct HAProxyServer {
    pub enabled: u8,
    pub name: String,
    pub description: MaybeString,
-    pub address: String,
-    pub port: u16,
+    pub address: Option<String>,
+    pub port: Option<u16>,
    pub checkport: MaybeString,
    pub mode: String,
    pub multiplexer_protocol: MaybeString,
@@ -589,7 +589,7 @@ pub struct HAProxyHealthChecks {
    pub healthchecks: Vec<HAProxyHealthCheck>,
 }

-#[derive(Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
+#[derive(Clone, Default, PartialEq, Debug, YaSerialize, YaDeserialize)]
 pub struct HAProxyHealthCheck {
    #[yaserde(attribute = true)]
    pub uuid: String,
--- a/opnsense-config/Cargo.toml
+++ b/opnsense-config/Cargo.toml
@@ -25,6 +25,7 @@ sha2 = "0.10.9"

 [dev-dependencies]
 pretty_assertions.workspace = true
+assertor.workspace = true

 [lints.rust]
 unexpected_cfgs = { level = "warn", check-cfg = ['cfg(e2e_test)'] }
--- a/opnsense-config/src/config/manager/ssh.rs
+++ b/opnsense-config/src/config/manager/ssh.rs
@@ -30,8 +30,7 @@ impl SshConfigManager {

        self.opnsense_shell
            .exec(&format!(
-                "cp /conf/config.xml /conf/backup/{}",
-                backup_filename
+                "cp /conf/config.xml /conf/backup/{backup_filename}"
            ))
            .await
    }
--- a/opnsense-config/src/config/shell/mod.rs
+++ b/opnsense-config/src/config/shell/mod.rs
@@ -1,9 +1,7 @@
 mod ssh;
-pub use ssh::*;
-
-use async_trait::async_trait;
-
 use crate::Error;
+use async_trait::async_trait;
+pub use ssh::*;

 #[async_trait]
 pub trait OPNsenseShell: std::fmt::Debug + Send + Sync {
--- a/opnsense-config/src/modules/load_balancer.rs
+++ b/opnsense-config/src/modules/load_balancer.rs
@@ -1,11 +1,8 @@
-use std::sync::Arc;
-
-use log::warn;
+use crate::{config::OPNsenseShell, Error};
 use opnsense_config_xml::{
    Frontend, HAProxy, HAProxyBackend, HAProxyHealthCheck, HAProxyServer, OPNsense,
 };
-
-use crate::{config::OPNsenseShell, Error};
+use std::{collections::HashSet, sync::Arc};

 pub struct LoadBalancerConfig<'a> {
    opnsense: &'a mut OPNsense,
@@ -31,7 +28,7 @@ impl<'a> LoadBalancerConfig<'a> {
        match &mut self.opnsense.opnsense.haproxy.as_mut() {
            Some(haproxy) => f(haproxy),
            None => unimplemented!(
-                "Adding a backend is not supported when haproxy config does not exist yet"
+                "Cannot configure load balancer when haproxy config does not exist yet"
            ),
        }
    }
@@ -40,21 +37,67 @@ impl<'a> LoadBalancerConfig<'a> {
        self.with_haproxy(|haproxy| haproxy.general.enabled = enabled as i32);
    }

-    pub fn add_backend(&mut self, backend: HAProxyBackend) {
-        warn!("TODO make sure this new backend does not refer non-existing entities like servers or health checks");
-        self.with_haproxy(|haproxy| haproxy.backends.backends.push(backend));
+    /// Configures a service by removing any existing service on the same port
+    /// and then adding the new definition. This ensures idempotency.
+    pub fn configure_service(
+        &mut self,
+        frontend: Frontend,
+        backend: HAProxyBackend,
+        servers: Vec<HAProxyServer>,
+        healthcheck: Option<HAProxyHealthCheck>,
+    ) {
+        self.remove_service_by_bind_address(&frontend.bind);
+        self.remove_servers(&servers);
+
+        self.add_new_service(frontend, backend, servers, healthcheck);
    }

-    pub fn add_frontend(&mut self, frontend: Frontend) {
-        self.with_haproxy(|haproxy| haproxy.frontends.frontend.push(frontend));
+    // Remove the corresponding real servers based on their name if they already exist.
+    fn remove_servers(&mut self, servers: &[HAProxyServer]) {
+        let server_names: HashSet<_> = servers.iter().map(|s| s.name.clone()).collect();
+        self.with_haproxy(|haproxy| {
+            haproxy
+                .servers
+                .servers
+                .retain(|s| !server_names.contains(&s.name));
+        });
    }

-    pub fn add_healthcheck(&mut self, healthcheck: HAProxyHealthCheck) {
-        self.with_haproxy(|haproxy| haproxy.healthchecks.healthchecks.push(healthcheck));
+    /// Removes a service and its dependent components based on the frontend's bind address.
+    /// This performs a cascading delete of the frontend, backend, servers, and health check.
+    fn remove_service_by_bind_address(&mut self, bind_address: &str) {
+        self.with_haproxy(|haproxy| {
+            let Some(old_frontend) = remove_frontend_by_bind_address(haproxy, bind_address) else {
+                return;
+            };
+
+            let Some(old_backend) = remove_backend(haproxy, old_frontend) else {
+                return;
+            };
+
+            remove_healthcheck(haproxy, &old_backend);
+            remove_linked_servers(haproxy, &old_backend);
+        });
    }

-    pub fn add_servers(&mut self, mut servers: Vec<HAProxyServer>) {
-        self.with_haproxy(|haproxy| haproxy.servers.servers.append(&mut servers));
+    /// Adds the components of a new service to the HAProxy configuration.
+    /// This function de-duplicates servers by name to prevent configuration errors.
+    fn add_new_service(
+        &mut self,
+        frontend: Frontend,
+        backend: HAProxyBackend,
+        servers: Vec<HAProxyServer>,
+        healthcheck: Option<HAProxyHealthCheck>,
+    ) {
+        self.with_haproxy(|haproxy| {
+            if let Some(check) = healthcheck {
+                haproxy.healthchecks.healthchecks.push(check);
+            }
+
+            haproxy.servers.servers.extend(servers);
+            haproxy.backends.backends.push(backend);
+            haproxy.frontends.frontend.push(frontend);
+        });
    }

    pub async fn reload_restart(&self) -> Result<(), Error> {
@@ -82,3 +125,262 @@ impl<'a> LoadBalancerConfig<'a> {
        Ok(())
    }
 }
+
+fn remove_frontend_by_bind_address(haproxy: &mut HAProxy, bind_address: &str) -> Option<Frontend> {
+    let pos = haproxy
+        .frontends
+        .frontend
+        .iter()
+        .position(|f| f.bind == bind_address);
+
+    match pos {
+        Some(pos) => Some(haproxy.frontends.frontend.remove(pos)),
+        None => None,
+    }
+}
+
+fn remove_backend(haproxy: &mut HAProxy, old_frontend: Frontend) -> Option<HAProxyBackend> {
+    let default_backend = old_frontend.default_backend?;
+    let pos = haproxy
+        .backends
+        .backends
+        .iter()
+        .position(|b| b.uuid == default_backend);
+
+    match pos {
+        Some(pos) => Some(haproxy.backends.backends.remove(pos)),
+        None => None, // orphaned frontend, shouldn't happen
+    }
+}
+
+fn remove_healthcheck(haproxy: &mut HAProxy, backend: &HAProxyBackend) {
+    if let Some(uuid) = &backend.health_check.content {
+        haproxy
+            .healthchecks
+            .healthchecks
+            .retain(|h| h.uuid != *uuid);
+    }
+}
+
+/// Remove the backend's servers. This assumes servers are not shared between services.
+fn remove_linked_servers(haproxy: &mut HAProxy, backend: &HAProxyBackend) {
+    if let Some(server_uuids_str) = &backend.linked_servers.content {
+        let server_uuids_to_remove: HashSet<_> = server_uuids_str.split(',').collect();
+        haproxy
+            .servers
+            .servers
+            .retain(|s| !server_uuids_to_remove.contains(s.uuid.as_str()));
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use crate::config::DummyOPNSenseShell;
+    use assertor::*;
+    use opnsense_config_xml::{
+        Frontend, HAProxy, HAProxyBackend, HAProxyBackends, HAProxyFrontends, HAProxyHealthCheck,
+        HAProxyHealthChecks, HAProxyId, HAProxyServer, HAProxyServers, MaybeString, OPNsense,
+    };
+    use std::sync::Arc;
+
+    use super::LoadBalancerConfig;
+
+    static SERVICE_BIND_ADDRESS: &str = "192.168.1.1:80";
+    static OTHER_SERVICE_BIND_ADDRESS: &str = "192.168.1.1:443";
+
+    static SERVER_ADDRESS: &str = "1.1.1.1:80";
+    static OTHER_SERVER_ADDRESS: &str = "1.1.1.1:443";
+
+    #[test]
+    fn configure_service_should_add_all_service_components_to_haproxy() {
+        let mut opnsense = given_opnsense();
+        let mut load_balancer = given_load_balancer(&mut opnsense);
+        let (healthcheck, servers, backend, frontend) =
+            given_service(SERVICE_BIND_ADDRESS, SERVER_ADDRESS);
+
+        load_balancer.configure_service(
+            frontend.clone(),
+            backend.clone(),
+            servers.clone(),
+            Some(healthcheck.clone()),
+        );
+
+        assert_haproxy_configured_with(
+            opnsense,
+            vec![frontend],
+            vec![backend],
+            servers,
+            vec![healthcheck],
+        );
+    }
+
+    #[test]
+    fn configure_service_should_replace_service_on_same_bind_address() {
+        let (healthcheck, servers, backend, frontend) =
+            given_service(SERVICE_BIND_ADDRESS, SERVER_ADDRESS);
+        let mut opnsense = given_opnsense_with(given_haproxy(
+            vec![frontend.clone()],
+            vec![backend.clone()],
+            servers.clone(),
+            vec![healthcheck.clone()],
+        ));
+        let mut load_balancer = given_load_balancer(&mut opnsense);
+
+        let (updated_healthcheck, updated_servers, updated_backend, updated_frontend) =
+            given_service(SERVICE_BIND_ADDRESS, OTHER_SERVER_ADDRESS);
+
+        load_balancer.configure_service(
+            updated_frontend.clone(),
+            updated_backend.clone(),
+            updated_servers.clone(),
+            Some(updated_healthcheck.clone()),
+        );
+
+        assert_haproxy_configured_with(
+            opnsense,
+            vec![updated_frontend],
+            vec![updated_backend],
+            updated_servers,
+            vec![updated_healthcheck],
+        );
+    }
+
+    #[test]
+    fn configure_service_should_keep_existing_service_on_different_bind_addresses() {
+        let (healthcheck, servers, backend, frontend) =
+            given_service(SERVICE_BIND_ADDRESS, SERVER_ADDRESS);
+        let (other_healthcheck, other_servers, other_backend, other_frontend) =
+            given_service(OTHER_SERVICE_BIND_ADDRESS, OTHER_SERVER_ADDRESS);
+        let mut opnsense = given_opnsense_with(given_haproxy(
+            vec![frontend.clone()],
+            vec![backend.clone()],
+            servers.clone(),
+            vec![healthcheck.clone()],
+        ));
+        let mut load_balancer = given_load_balancer(&mut opnsense);
+
+        load_balancer.configure_service(
+            other_frontend.clone(),
+            other_backend.clone(),
+            other_servers.clone(),
+            Some(other_healthcheck.clone()),
+        );
+
+        assert_haproxy_configured_with(
+            opnsense,
+            vec![frontend, other_frontend],
+            vec![backend, other_backend],
+            [servers, other_servers].concat(),
+            vec![healthcheck, other_healthcheck],
+        );
+    }
+
+    fn assert_haproxy_configured_with(
+        opnsense: OPNsense,
+        frontends: Vec<Frontend>,
+        backends: Vec<HAProxyBackend>,
+        servers: Vec<HAProxyServer>,
+        healthchecks: Vec<HAProxyHealthCheck>,
+    ) {
+        let haproxy = opnsense.opnsense.haproxy.as_ref().unwrap();
+        assert_that!(haproxy.frontends.frontend).contains_exactly(frontends);
+        assert_that!(haproxy.backends.backends).contains_exactly(backends);
+        assert_that!(haproxy.servers.servers).is_equal_to(servers);
+        assert_that!(haproxy.healthchecks.healthchecks).contains_exactly(healthchecks);
+    }
+
+    fn given_opnsense() -> OPNsense {
+        OPNsense::default()
+    }
+
+    fn given_opnsense_with(haproxy: HAProxy) -> OPNsense {
+        let mut opnsense = OPNsense::default();
+        opnsense.opnsense.haproxy = Some(haproxy);
+
+        opnsense
+    }
+
+    fn given_load_balancer<'a>(opnsense: &'a mut OPNsense) -> LoadBalancerConfig<'a> {
+        let opnsense_shell = Arc::new(DummyOPNSenseShell {});
+        if opnsense.opnsense.haproxy.is_none() {
+            opnsense.opnsense.haproxy = Some(HAProxy::default());
+        }
+        LoadBalancerConfig::new(opnsense, opnsense_shell)
+    }
+
+    fn given_service(
+        bind_address: &str,
+        server_address: &str,
+    ) -> (
+        HAProxyHealthCheck,
+        Vec<HAProxyServer>,
+        HAProxyBackend,
+        Frontend,
+    ) {
+        let healthcheck = given_healthcheck();
+        let servers = vec![given_server(server_address)];
+        let backend = given_backend();
+        let frontend = given_frontend(bind_address);
+        (healthcheck, servers, backend, frontend)
+    }
+
+    fn given_haproxy(
+        frontends: Vec<Frontend>,
+        backends: Vec<HAProxyBackend>,
+        servers: Vec<HAProxyServer>,
+        healthchecks: Vec<HAProxyHealthCheck>,
+    ) -> HAProxy {
+        HAProxy {
+            frontends: HAProxyFrontends {
+                frontend: frontends,
+            },
+            backends: HAProxyBackends { backends },
+            servers: HAProxyServers { servers },
+            healthchecks: HAProxyHealthChecks { healthchecks },
+            ..Default::default()
+        }
+    }
+
+    fn given_frontend(bind_address: &str) -> Frontend {
+        Frontend {
+            uuid: "uuid".into(),
+            id: HAProxyId::default(),
+            enabled: 1,
+            name: format!("frontend_{bind_address}"),
+            bind: bind_address.into(),
+            default_backend: Some("backend-uuid".into()),
+            ..Default::default()
+        }
+    }
+
+    fn given_backend() -> HAProxyBackend {
+        HAProxyBackend {
+            uuid: "backend-uuid".into(),
+            id: HAProxyId::default(),
+            enabled: 1,
+            name: "backend_192.168.1.1:80".into(),
+            linked_servers: MaybeString::from("server-uuid"),
+            health_check_enabled: 1,
+            health_check: MaybeString::from("healthcheck-uuid"),
+            ..Default::default()
+        }
+    }
+
+    fn given_server(address: &str) -> HAProxyServer {
+        HAProxyServer {
+            uuid: "server-uuid".into(),
+            id: HAProxyId::default(),
+            name: address.into(),
+            address: Some(address.into()),
+            ..Default::default()
+        }
+    }
+
+    fn given_healthcheck() -> HAProxyHealthCheck {
+        HAProxyHealthCheck {
+            uuid: "healthcheck-uuid".into(),
+            name: "healthcheck".into(),
+            ..Default::default()
+        }
+    }
+}
Author	SHA1	Message	Date
Ian Letourneau	05f4769ffe	Merge branch 'master' into okd_enable_user_workload_monitoring Some checks failed Run Check Script / check (pull_request) Has been cancelled Details	2025-10-21 13:48:33 +00:00
Ian Letourneau	ed7f81aa1f	fix(opnsense-config): ensure load balancer service configuration is idempotent (#129 ) Some checks are pending Run Check Script / check (push) Waiting to run Details Compile and package harmony_composer / package_harmony_composer (push) Waiting to run Details The previous implementation blindly added HAProxy components without checking for existing configurations on the same port, which caused duplicate entries and errors when a service was updated. This commit refactors the logic to a robust "remove-then-add" strategy. The configure_service method now finds and removes any existing frontend and its dependent components (backend, servers, health check) before adding the new, complete service definition. This change makes the process fully idempotent, preventing configuration drift and ensuring a predictable state. Co-authored-by: Ian Letourneau <letourneau.ian@gmail.com> Reviewed-on: #129	2025-10-20 19:18:49 +00:00
Ian Letourneau	2d891e4463	Merge pull request 'feat(host_network): configure bonds and port channels' (#169 ) from config-host-network into master Some checks failed Run Check Script / check (push) Has been cancelled Details Compile and package harmony_composer / package_harmony_composer (push) Has been cancelled Details Reviewed-on: #169	2025-10-16 18:24:58 +00:00
Ian Letourneau	f66e58b9ca	Merge branch 'master' into config-host-network Some checks failed Run Check Script / check (pull_request) Has been cancelled Details	2025-10-16 18:24:34 +00:00
Ian Letourneau	ea39d93aa7	feat(host_network): configure bonds on the host and switch port channels Some checks failed Run Check Script / check (pull_request) Has been cancelled Details	2025-10-16 14:23:41 -04:00
Ian Letourneau	6989d208cf	Merge pull request 'feat(switch/brocade): Implement client to interact with Brocade switches' (#168 ) from brocade-switch-client into master Some checks are pending Run Check Script / check (push) Waiting to run Details Compile and package harmony_composer / package_harmony_composer (push) Waiting to run Details Reviewed-on: #168	2025-10-16 18:23:01 +00:00
Ian Letourneau	c0bd8007c7	feat(switch/brocade): Implement client to interact with Brocade Switch All checks were successful Run Check Script / check (pull_request) Successful in 1m5s Details * Expose a high-level `brocade::init()` function to connect to a Brocade switch and automatically pick the best implementation based on its OS and version * Implement a client for Brocade switches running on Network Operating System (NOS) * Implement a client for older Brocade switches running on FastIron (partial implementation) The architecture for the library is based on 3 layers: 1. The `BrocadeClient` trait to describe the available capabilities to interact with a Brocade switch. It is partly opinionated in order to offer higher level features to group multiple commands into a single function (e.g. create a port channel). Its implementations are basically just the commands to run on the switch and the functions to parse the output. 2. The `BrocadeShell` struct to make it easier to authenticate, send commands, and interact with the switch. 3. The `ssh` module to actually connect to the switch over SSH and execute the commands. With time, we will add support for more Brocade switches and their various OS/versions. If needed, shared behavior could be extracted into a separate module to make it easier to add new implementations.	2025-10-15 15:28:24 -04:00
Willem	36b909ee20	fix: moved wait_for_pod_ready to K8sClient, switched rust yaml string to k8s_openapi resource ConfigMap	2025-09-29 09:36:01 -04:00
Willem	cdf75faa8f	feat(monitoring): tested and modified ensure pod ready to wait for pod ready, which prevents check from failing immediately and gives time for the resource to be created All checks were successful Run Check Script / check (pull_request) Successful in 49s Details	2025-09-19 15:11:28 -04:00
Willem	21e51b8d80	feat(monitoring): score to enable user-workload-monitoring within okd	2025-09-19 10:15:53 -04:00