Merge pull request 'neoloc/haproxy_puppetdbapi' (#151) from neoloc/haproxy_puppetdbapi into develop

Reviewed-on: unkinben/puppet-prod#151
2024-04-06 17:09:37 +09:30 · 2024-04-06 17:09:37 +09:30 · 258cedb566
commit 258cedb566
parent f7881b19cf f79d9de495
6 changed files with 63 additions and 3 deletions
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@ -126,7 +126,6 @@ profiles::base::hosts::additional_hosts:
    hostname: prodinf01n04.main.unkin.net
    aliases:
      - prodinf01n04
-      - puppetdb
  - ip: 198.18.17.5
    hostname: prodinf01n05.main.unkin.net
    aliases:
--- a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml
+++ b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml
@ -2,6 +2,7 @@
 # mappings
 profiles::haproxy::mappings::list:
  - 'puppetboard.main.unkin.net be_puppetboard'
+  - 'puppetdbapi.main.unkin.net be_puppetdbapi'

 profiles::haproxy::backends:
  be_puppetboard:
@ -17,6 +18,19 @@ profiles::haproxy::backends:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
+  be_puppetdbapi:
+    description: Backend for the PuppetDB API
+    collect_exported: false # handled in custom function
+    options:
+      balance: roundrobin
+      option:
+        - httpchk GET /
+        - forwardfor
+      cookie: SRVNAME insert
+      http-request:
+        - set-header X-Forwarded-Port %[dst_port]
+        - add-header X-Forwarded-Proto https if { dst_port 443 }
+      redirect: 'scheme https if !{ ssl_fc }'
  be_letsencrypt:
    description: Backend for LetsEncrypt Verifications
    collect_exported: true
@ -67,3 +81,9 @@ profiles::haproxy::certlist::certificates:
 # additional altnames
 profiles::pki::vault::alt_names:
  - puppetboard.main.unkin.net
+  - puppetdbapi.main.unkin.net
+
+# additional cnames
+profiles::haproxy::dns::cnames:
+  - puppetboard.main.unkin.net
+  - puppetdbapi.main.unkin.net
--- a/site/profiles/manifests/haproxy/dns.pp
+++ b/site/profiles/manifests/haproxy/dns.pp
@ -0,0 +1,27 @@
+# profiles::haproxy::dns
+class profiles::haproxy::dns (
+  Array[Stdlib::Fqdn] $cnames = [],
+  Integer             $order  = 10,
+){
+
+  # create an A record for each load balancer in a region
+  $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
+  profiles::dns::record { "${facts['networking']['fqdn']}_${location_environment}-halb_A":
+    value  => $::facts['networking']['ip'],
+    type   => 'A',
+    record => "${location_environment}-halb",
+    zone   => $::facts['networking']['domain'],
+    order  => $order,
+  }
+
+  # export cnames for haproxy applications
+  $cnames.each |$cname| {
+    profiles::dns::record { "${::facts['networking']['fqdn']}_${cname}_CNAME":
+      value  => "${location_environment}-halb",
+      type   => 'CNAME',
+      record => "${cname}.",
+      zone   => $::facts['networking']['domain'],
+      order  => $order,
+    }
+  }
+}
--- a/site/profiles/manifests/haproxy/server.pp
+++ b/site/profiles/manifests/haproxy/server.pp
@ -2,6 +2,7 @@
 class profiles::haproxy::server (
  Hash  $globals = {},
  Hash  $defaults = {},
+  Array $cnames = [],
 ){

  # default global/defaults arrays
@ -50,6 +51,7 @@ class profiles::haproxy::server (
  include profiles::haproxy::ls_stats  # default status listener
  include profiles::haproxy::fe_http   # default http frontend
  include profiles::haproxy::fe_https  # default https frontend
+  include profiles::haproxy::dns       # manage dns for haproxy

  # for each backend:
  $backends = lookup('profiles::haproxy::backends')
--- a/site/profiles/manifests/puppet/puppetdb_api.pp
+++ b/site/profiles/manifests/puppet/puppetdb_api.pp
@ -18,4 +18,16 @@ class profiles::puppet::puppetdb_api (
    export_scrape_job => true,
  }

+  # export haproxy balancemember
+  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8080":
+    service => 'be_puppetdbapi',
+    ports   => [8080],
+    options => [
+      "cookie ${facts['networking']['hostname']}",
+      'check',
+      'inter 2s',
+      'rise 3',
+      'fall 2',
+    ]
+  }
 }
--- a/site/profiles/templates/helpers/node_lookup.erb
+++ b/site/profiles/templates/helpers/node_lookup.erb
@ -23,8 +23,8 @@ def build_query(node=None, fact_name=None, match=None, show_role=False):
        return json.dumps(["and"] + query_filters)

 def query_puppetdb(query):
-    url = 'http://puppetdb:8080/pdb/query/v4/facts'
-    response = requests.get(url, params={'query': query})
+    url = 'https://puppetdbapi.main.unkin.net/pdb/query/v4/facts'
+    response = requests.get(url, params={'query': query}, verify='/etc/pki/tls/cert.pem')
    process_response(response)

 def process_response(response):