# Main load balancer (layer 4), provided by Octavia through the OVN driver.
# Why OVN rather than amphora:
# - no amphora VMs have to be run
# - the VIP sits directly on the main private subnet
# - less overhead and quicker provisioning
# Constraints of the OVN driver that shape the rest of this file:
# - listeners cannot carry allowed_cidrs
# - lb_method is limited to ROUND_ROBIN and SOURCE_IP_PORT (no LEAST_CONNECTIONS)
# - health monitors are TCP or UDP-CONNECT only (no HTTP/HTTPS checks)
resource "openstack_lb_loadbalancer_v2" "main_lb" {
  name                  = local.octavia_lb_name
  description           = local.octavia_lb_description
  loadbalancer_provider = "ovn"
  vip_subnet_id         = local.main_private_subnet_id
  vip_address           = local.basic_services_ip.octavia_main
}

# Public floating IP that will front the load balancer VIP.
resource "openstack_networking_floatingip_v2" "main_lb_ip" {
  description = local.octavia_lb_description
  pool        = local.floating_ip_pools.main_public_ip_pool
}

# Bind the floating IP to the VIP port that Octavia created for the LB.
resource "openstack_networking_floatingip_associate_v2" "main_lb" {
  port_id     = openstack_lb_loadbalancer_v2.main_lb.vip_port_id
  floating_ip = openstack_networking_floatingip_v2.main_lb_ip.address
}

locals {
  # Fully qualified name under which the floating IP is published.
  lb_recordset_name = "${local.octavia_lb_hostname}.${local.dns_zone.name}"
}

# Public A record for the floating IP.
resource "openstack_dns_recordset_v2" "main_lb_dns_recordset" {
  zone_id     = local.dns_zone_id
  name        = local.lb_recordset_name
  type        = "A"
  records     = [openstack_networking_floatingip_v2.main_lb_ip.address]
  description = "Public IP address of the main Octavia load balancer"
  # NOTE(review): 8600 s is an unusual TTL (neither 3600 nor 86400); confirm it is intended.
  ttl = 8600
}

# Main HAPROXY stats listener
# Note: OVN provider does not support allowed_cidrs option.
# Access restriction must be handled at the HAProxy level or via security groups.
# Until that restriction is in place, the stats port is reachable through the
# public floating IP and DNS record defined above.
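# TCP listener on 8880 for the HAProxy stats endpoint of both L7 instances.
# It shares the public VIP with the HTTP/HTTPS listeners; the OVN driver cannot
# restrict sources with allowed_cidrs, so access control lives on the HAProxy
# side or in security groups.
resource "openstack_lb_listener_v2" "main_haproxy_stats_listener" {
  loadbalancer_id = openstack_lb_loadbalancer_v2.main_lb.id
  protocol        = "TCP"
  protocol_port   = 8880
  description     = "Listener for the stats of the main HAPROXY instances"
  name            = "main_haproxy_stats_listener"
  # Explicit for consistency with the HTTP/HTTPS listeners below (provider default is true).
  admin_state_up = true
}

# Pool behind the stats listener. SOURCE_IP_PORT is one of the two lb_methods
# the OVN driver accepts; SOURCE_IP persistence keeps a client on one backend.
resource "openstack_lb_pool_v2" "main_haproxy_stats_pool" {
  listener_id = openstack_lb_listener_v2.main_haproxy_stats_listener.id
  protocol    = "TCP"
  lb_method   = "SOURCE_IP_PORT"
  name        = "main-haproxy-lb-stats"
  description = "Pool for the stats of the main HAPROXY instances"
  persistence {
    type = "SOURCE_IP"
  }
  # Explicit for consistency with the HTTP/HTTPS pools below (provider default is true).
  admin_state_up = true
}

# Both HAProxy L7 instances serve stats on 8880.
resource "openstack_lb_members_v2" "main_haproxy_stats_pool_members" {
  pool_id = openstack_lb_pool_v2.main_haproxy_stats_pool.id
  member {
    name          = "haproxy l7 1"
    address       = local.basic_services_ip.haproxy_l7_1
    protocol_port = 8880
  }
  member {
    name          = "haproxy l7 2"
    address       = local.basic_services_ip.haproxy_l7_2
    protocol_port = 8880
  }
}

# TCP connect check only: the OVN driver offers no HTTP-level health monitors.
# delay/timeout are seconds; a member is marked down after max_retries failures.
resource "openstack_lb_monitor_v2" "main_haproxy_stats_monitor" {
  pool_id        = openstack_lb_pool_v2.main_haproxy_stats_pool.id
  name           = "main_haproxy_stats_monitor"
  type           = "TCP"
  delay          = 20
  timeout        = 5
  max_retries    = 3
  admin_state_up = true
}

# Main HAPROXY HTTP
# Plain TCP pass-through on 80; TLS and HTTP handling happen on the HAProxy hosts.
resource "openstack_lb_listener_v2" "main_haproxy_http_listener" {
  loadbalancer_id = openstack_lb_loadbalancer_v2.main_lb.id
  protocol        = "TCP"
  protocol_port   = 80
  description     = "HTTP listener of the main HAPROXY instances"
  name            = "main_haproxy_http_listener"
  admin_state_up  = true
}

resource "openstack_lb_pool_v2" "main_haproxy_http_pool" {
  listener_id = openstack_lb_listener_v2.main_haproxy_http_listener.id
  protocol    = "TCP"
  lb_method   = "SOURCE_IP_PORT"
  name        = "main-haproxy-lb-http"
  description = "Pool for the HTTP listener of the main HAPROXY instances"
  persistence {
    type = "SOURCE_IP"
  }
  admin_state_up = true
}

resource "openstack_lb_members_v2" "main_haproxy_http_pool_members" {
  pool_id = openstack_lb_pool_v2.main_haproxy_http_pool.id
  member {
    name          = "haproxy l7 1"
    address       = local.basic_services_ip.haproxy_l7_1
    protocol_port = 80
  }
  member {
    name          = "haproxy l7 2"
    address       = local.basic_services_ip.haproxy_l7_2
    protocol_port = 80
  }
}

resource "openstack_lb_monitor_v2" "main_haproxy_http_monitor" {
  pool_id        = openstack_lb_pool_v2.main_haproxy_http_pool.id
  name           = "main_haproxy_http_monitor"
  type           = "TCP"
  delay          = 20
  timeout        = 5
  max_retries    = 3
  admin_state_up = true
}

# Main HAPROXY HTTPS
# TCP pass-through on 443; TLS terminates on the HAProxy hosts, not on Octavia.
resource "openstack_lb_listener_v2" "main_haproxy_https_listener" {
  loadbalancer_id = openstack_lb_loadbalancer_v2.main_lb.id
  protocol        = "TCP"
  protocol_port   = 443
  description     = "HTTPS listener of the main HAPROXY instances"
  name            = "main_haproxy_https_listener"
  # Timeouts are in milliseconds: 1 h client idle, 10 s member connect, 2 h member idle.
  # Long idle windows keep long-lived connections open but also let idle sockets
  # linger on the LB. NOTE(review): the OVN driver may not honour listener timeouts —
  # confirm against the deployed Octavia version; the HTTP listener sets none.
  timeout_client_data    = 3600000
  timeout_member_connect = 10000
  timeout_member_data    = 7200000
  admin_state_up         = true
}

resource "openstack_lb_pool_v2" "main_haproxy_https_pool" {
  listener_id = openstack_lb_listener_v2.main_haproxy_https_listener.id
  protocol    = "TCP"
  lb_method   = "SOURCE_IP_PORT"
  name        = "main-haproxy-lb-https"
  description = "Pool for the HTTPS listener of the main HAPROXY instances"
  persistence {
    type = "SOURCE_IP"
  }
  admin_state_up = true
}

resource "openstack_lb_members_v2" "main_haproxy_https_pool_members" {
  pool_id = openstack_lb_pool_v2.main_haproxy_https_pool.id
  member {
    name          = "haproxy l7 1"
    address       = local.basic_services_ip.haproxy_l7_1
    protocol_port = 443
  }
  member {
    name          = "haproxy l7 2"
    address       = local.basic_services_ip.haproxy_l7_2
    protocol_port = 443
  }
}

resource "openstack_lb_monitor_v2" "main_haproxy_https_monitor" {
  pool_id        = openstack_lb_pool_v2.main_haproxy_https_pool.id
  name           = "main_haproxy_https_monitor"
  type           = "TCP"
  delay          = 20
  timeout        = 5
  max_retries    = 3
  admin_state_up = true
}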