From e97d061f46231479194c9cc01a07c5c9c87558d4 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 6 Apr 2024 15:45:28 +1100 Subject: [PATCH 1/3] feat: add puppetdbapi to haproxy - add puppetdbapi backend to haproxy - add puppetdbapi altname to the vault certificate - add mapping for hostname to backend --- .../au/region/drw1/infra/halb/haproxy.yaml | 15 +++++++++++++++ site/profiles/manifests/puppet/puppetdb_api.pp | 12 ++++++++++++ 2 files changed, 27 insertions(+) diff --git a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml index 9c4753e..d67dc86 100644 --- a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml +++ b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml @@ -2,6 +2,7 @@ # mappings profiles::haproxy::mappings::list: - 'puppetboard.main.unkin.net be_puppetboard' + - 'puppetdbapi.main.unkin.net be_puppetdbapi' profiles::haproxy::backends: be_puppetboard: @@ -17,6 +18,19 @@ profiles::haproxy::backends: - set-header X-Forwarded-Port %[dst_port] - add-header X-Forwarded-Proto https if { dst_port 443 } redirect: 'scheme https if !{ ssl_fc }' + be_puppetdbapi: + description: Backend for the PuppetDB API + collect_exported: false # handled in custom function + options: + balance: roundrobin + option: + - httpchk GET / + - forwardfor + cookie: SRVNAME insert + http-request: + - set-header X-Forwarded-Port %[dst_port] + - add-header X-Forwarded-Proto https if { dst_port 443 } + redirect: 'scheme https if !{ ssl_fc }' be_letsencrypt: description: Backend for LetsEncrypt Verifications collect_exported: true @@ -67,3 +81,4 @@ profiles::haproxy::certlist::certificates: # additional altnames profiles::pki::vault::alt_names: - puppetboard.main.unkin.net + - puppetdbapi.main.unkin.net diff --git a/site/profiles/manifests/puppet/puppetdb_api.pp b/site/profiles/manifests/puppet/puppetdb_api.pp index fa51753..37e8f63 100644 --- a/site/profiles/manifests/puppet/puppetdb_api.pp 
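Review bot: The new `be_puppetdbapi` backend in `haproxy.yaml` (hunk `@@ -17,6 +18,19 @@`) publishes the PuppetDB API through the load balancer with no access restriction visible in its `http-request` rules, and PuppetDB's cleartext listener does not authenticate callers itself. Query results under `/pdb/query` commonly include sensitive host facts, and the command API under `/pdb/cmd` accepts writes, so unless a frontend ACL outside this hunk already limits it, anyone who can reach the frontend gets both. I would put a source allowlist first in the `http-request` list, e.g. `- deny unless { src <ALLOWED_CIDR> }` (placeholder range), and consider denying `/pdb/cmd` here, since the only consumer shown in this series is a read-only query helper. The `cookie SRVNAME insert` stickiness copied from `be_puppetboard` also looks unnecessary for a stateless API.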
+++ b/site/profiles/manifests/puppet/puppetdb_api.pp @@ -18,4 +18,16 @@ class profiles::puppet::puppetdb_api ( export_scrape_job => true, } + # export haproxy balancemember + profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8080": + service => 'be_puppetdbapi', + ports => [8080], + options => [ + "cookie ${facts['networking']['hostname']}", + 'check', + 'inter 2s', + 'rise 3', + 'fall 2', + ] + } } From c9a1d35af90d41bcae0b229b96fa77d59a229227 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 6 Apr 2024 16:08:05 +1100 Subject: [PATCH 2/3] feat: add cnames to haproxy - manage A records for haproxy - manage cnames for services using haproxy --- .../au/region/drw1/infra/halb/haproxy.yaml | 5 ++++ site/profiles/manifests/haproxy/dns.pp | 27 +++++++++++++++++++ site/profiles/manifests/haproxy/server.pp | 2 ++ 3 files changed, 34 insertions(+) create mode 100644 site/profiles/manifests/haproxy/dns.pp diff --git a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml index d67dc86..75dcd39 100644 --- a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml +++ b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml @@ -82,3 +82,8 @@ profiles::haproxy::certlist::certificates: profiles::pki::vault::alt_names: - puppetboard.main.unkin.net - puppetdbapi.main.unkin.net + +# additional cnames +profiles::haproxy::dns::cnames: + - puppetboard.main.unkin.net + - puppetdbapi.main.unkin.net diff --git a/site/profiles/manifests/haproxy/dns.pp b/site/profiles/manifests/haproxy/dns.pp new file mode 100644 index 0000000..af0e8ac --- /dev/null +++ b/site/profiles/manifests/haproxy/dns.pp 
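Review bot: The exported balancemember in `puppetdb_api.pp` points HAProxy at port 8080, PuppetDB's cleartext listener, so the hop from the load balancer to PuppetDB is unencrypted, and the listener must accept non-local connections for the health check to pass. If that listener is bound beyond loopback, hosts that can reach 8080 bypass HAProxy and whatever ACLs it enforces. No rule limiting 8080 to the load balancers is visible here, though the class body starts outside the hunk. Either restrict 8080 to the halb addresses, or target PuppetDB's TLS listener (`ports => [8081]` with `'ssl verify required ca-file <CA_BUNDLE_PATH>'` in `options`), which normally also expects a client certificate from HAProxy. The `options` array is also missing its trailing comma (`],`), which puppet-lint flags.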
@@ -0,0 +1,27 @@ +# profiles::haproxy::dns +class profiles::haproxy::dns ( + Array[Stdlib::Fqdn] $cnames = [], + Integer $order = 10, +){ + + # create an A record for each load balancer in a region + $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}" + profiles::dns::record { "${facts['networking']['fqdn']}_${location_environment}-halb_A": + value => $::facts['networking']['ip'], + type => 'A', + record => "${location_environment}-halb", + zone => $::facts['networking']['domain'], + order => $order, + } + + # export cnames for haproxy applications + $cnames.each |$cname| { + profiles::dns::record { "${::facts['networking']['fqdn']}_${cname}_CNAME": + value => "${location_environment}-halb", + type => 'CNAME', + record => "${cname}.", + zone => $::facts['networking']['domain'], + order => $order, + } + } +} diff --git a/site/profiles/manifests/haproxy/server.pp b/site/profiles/manifests/haproxy/server.pp index ed185f3..1864727 100644 --- a/site/profiles/manifests/haproxy/server.pp +++ b/site/profiles/manifests/haproxy/server.pp @@ -2,6 +2,7 @@ class profiles::haproxy::server ( Hash $globals = {}, Hash $defaults = {}, + Array $cnames = [], ){ # default global/defaults arrays @@ -50,6 +51,7 @@ class profiles::haproxy::server ( include profiles::haproxy::ls_stats # default status listener include profiles::haproxy::fe_http # default http frontend include profiles::haproxy::fe_https # default https frontend + include profiles::haproxy::dns # manage dns for haproxy # for each backend: $backends = lookup('profiles::haproxy::backends') From f79d9de49581c6b55e3e62ff058c3d8eacd1a700 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 6 Apr 2024 18:31:41 +1100 Subject: [PATCH 3/3] feat: update node_lookup - update node_lookup to use new puppetdb URL --- hieradata/common.yaml | 1 - site/profiles/templates/helpers/node_lookup.erb | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) 
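Review bot: In the new `profiles::haproxy::dns`, the `$cnames.each` loop writes each `$cname` as an absolute name (`"${cname}."`) into the zone taken from the node's own `networking.domain` fact, but nothing checks that the name lies inside that zone. An entry under another domain would produce an out-of-zone record, so I would guard the loop body with `unless stdlib::end_with($cname, ".${facts['networking']['domain']}") { fail("${cname} is outside zone ${facts['networking']['domain']}") }`. The record name, zone and A value are all built from agent-reported facts. If `profiles::dns::record` is exported and collected on the DNS servers (its definition is not shown), prefer `$trusted` data or validate on the collecting side. The class also mixes `$facts[...]` and `$::facts[...]`; use `$facts` throughout.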
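Review bot: The `Array $cnames = []` parameter added to `profiles::haproxy::server` is not used in either visible hunk of `server.pp`: the class only does `include profiles::haproxy::dns`, and that class resolves its own `profiles::haproxy::dns::cnames` key. Unless it is consumed in the part of the body outside these hunks, drop the parameter, or pass it through with `class { 'profiles::haproxy::dns': cnames => $cnames }` and type it `Array[Stdlib::Fqdn]` to match. As written, setting `profiles::haproxy::server::cnames` in hiera would silently do nothing.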
diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 606c093..eab58f7 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -126,7 +126,6 @@ profiles::base::hosts::additional_hosts: hostname: prodinf01n04.main.unkin.net aliases: - prodinf01n04 - - puppetdb - ip: 198.18.17.5 hostname: prodinf01n05.main.unkin.net aliases: diff --git a/site/profiles/templates/helpers/node_lookup.erb b/site/profiles/templates/helpers/node_lookup.erb index 7596821..d12c364 100644 --- a/site/profiles/templates/helpers/node_lookup.erb +++ b/site/profiles/templates/helpers/node_lookup.erb @@ -23,8 +23,8 @@ def build_query(node=None, fact_name=None, match=None, show_role=False): return json.dumps(["and"] + query_filters) def query_puppetdb(query): - url = 'http://puppetdb:8080/pdb/query/v4/facts' - response = requests.get(url, params={'query': query}) + url = 'https://puppetdbapi.main.unkin.net/pdb/query/v4/facts' + response = requests.get(url, params={'query': query}, verify='/etc/pki/tls/cert.pem') process_response(response) def process_response(response):
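Review bot: The rewritten `requests.get` call in `query_puppetdb` (`node_lookup.erb`) has no `timeout`, and requests waits indefinitely by default. Now that the lookup depends on DNS, HAProxy and a TLS handshake instead of a hosts-file alias, a stalled hop hangs the helper, so add one: `response = requests.get(url, params={'query': query}, verify='/etc/pki/tls/cert.pem', timeout=10)`. Keeping `verify` pointed at a CA bundle is the right call, but it only works if the CA issuing the `puppetdbapi.main.unkin.net` certificate (the series adds that name to `profiles::pki::vault::alt_names`) is present in `/etc/pki/tls/cert.pem` on every host that runs the helper. Confirm that, so a verification failure is fixed by shipping the CA and not by `verify=False`. `process_response` lies outside the hunk, so whether non-200 responses are handled cannot be seen from here.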