feat: add ceph-dashboard to haproxy (#382)

- add profile to export haproxy backend - add new cert for dashboard.ceph.unkin.net - extend balancemember with ipaddress attribute Reviewed-on: #382
2025-08-14 11:06:11 +10:00 · 2025-08-14 11:06:11 +10:00 · 62aade77ff
commit 62aade77ff
parent 83bb3e1085
5 changed files with 54 additions and 1 deletions
--- a/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml
+++ b/hieradata/country/au/region/syd1/infra/halb/haproxy2.yaml
@ -10,6 +10,7 @@ profiles::haproxy::dns::vrrp_cnames:
  - git.unkin.net
  - fafflix.unkin.net
  - grafana.unkin.net
+  - dashboard.ceph.unkin.net

 profiles::haproxy::mappings:
  fe_http:
@ -27,6 +28,7 @@ profiles::haproxy::mappings:
      - 'fafflix.unkin.net be_jellyfin'
      - 'git.unkin.net be_gitea'
      - 'grafana.unkin.net be_grafana'
+      - 'dashboard.ceph.unkin.net be_ceph_dashboard'
  fe_https:
    ensure: present
    mappings:
@ -42,6 +44,7 @@ profiles::haproxy::mappings:
      - 'fafflix.unkin.net be_jellyfin'
      - 'git.unkin.net be_gitea'
      - 'grafana.unkin.net be_grafana'
+      - 'dashboard.ceph.unkin.net be_ceph_dashboard'

 profiles::haproxy::frontends:
  fe_http:
@ -62,6 +65,7 @@ profiles::haproxy::frontends:
        - 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
        - 'acl_gitea req.hdr(host) -i git.unkin.net'
        - 'acl_grafana req.hdr(host) -i grafana.unkin.net'
+        - 'acl_ceph_dashboard req.hdr(host) -i dashboard.ceph.unkin.net'
        - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
      use_backend:
        - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@ -79,6 +83,7 @@ profiles::haproxy::frontends:
        - 'set-header X-Frame-Options DENY if acl_fafflix'
        - 'set-header X-Frame-Options DENY if acl_gitea'
        - 'set-header X-Frame-Options DENY if acl_grafana'
+        - 'set-header X-Frame-Options DENY if acl_ceph_dashboard'
        - 'set-header X-Content-Type-Options nosniff'
        - 'set-header X-XSS-Protection 1;mode=block'

@ -262,6 +267,26 @@ profiles::haproxy::backends:
      redirect: 'scheme https if !{ ssl_fc }'
      stick-table: 'type ip size 200k expire 30m'
      stick: 'on src'
+  be_ceph_dashboard:
+    description: Backend for Ceph Dashboard from Mgr instances
+    collect_exported: false # handled in custom function
+    options:
+      balance: roundrobin
+      option:
+        - httpchk GET /
+        - forwardfor
+        - http-keep-alive
+        - prefer-last-server
+      cookie: SRVNAME insert indirect nocache
+      http-reuse: always
+      http-check:
+        - expect status 200
+      http-request:
+        - set-header X-Forwarded-Port %[dst_port]
+        - add-header X-Forwarded-Proto https if { dst_port 9443 }
+      redirect: 'scheme https if !{ ssl_fc }'
+      stick-table: 'type ip size 200k expire 30m'
+      stick: 'on src'

 profiles::haproxy::certlist::enabled: true
 profiles::haproxy::certlist::certificates:
@ -276,6 +301,7 @@ profiles::haproxy::certlist::certificates:
  - /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem
+  - /etc/pki/tls/letsencrypt/dashboard.ceph.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/vault/certificate.pem

 # additional altnames
@ -303,3 +329,4 @@ certbot::client::domains:
  - fafflix.unkin.net
  - git.unkin.net
  - grafana.unkin.net
+  - dashboard.ceph.unkin.net
--- a/hieradata/roles/infra/incus/node.yaml
+++ b/hieradata/roles/infra/incus/node.yaml
@ -6,6 +6,7 @@ hiera_include:
  - zfs
  - profiles::ceph::node
  - profiles::ceph::client
+  - profiles::ceph::dashboard
  - profiles::storage::cephfsvols
  - exporters::frr_exporter

@ -121,6 +122,9 @@ profiles::yum::global::repos:
 # dns
 profiles::dns::base::primary_interface: loopback0

+# dashboard/haproxy
+profiles::ceph::dashboard::ipaddress: "%{hiera('networking_loopback0_ip')}"
+
 # networking
 systemd::manage_networkd: true
 systemd::manage_all_network_files: true
--- a/hieradata/roles/infra/pki/certbot.yaml
+++ b/hieradata/roles/infra/pki/certbot.yaml
@ -15,3 +15,4 @@ certbot::domains:
  - fafflix.unkin.net
  - git.unkin.net
  - grafana.unkin.net
+  - dashboard.ceph.unkin.net
--- a/site/profiles/manifests/ceph/dashboard.pp
+++ b/site/profiles/manifests/ceph/dashboard.pp
@ -0,0 +1,20 @@
+class profiles::ceph::dashboard (
+  Stdlib::IP::Address $ipaddress = $facts['networking']['ip'],
+){
+
+  # export haproxy balancemember
+  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_9443":
+    service   => 'be_ceph_dashboard',
+    ipaddress => $ipaddress,
+    ports     => [9443],
+    options   => [
+      "cookie ${facts['networking']['hostname']}",
+      'ssl',
+      'verify none',
+      'check',
+      'inter 2s',
+      'rise 3',
+      'fall 2',
+    ]
+  }
+}
--- a/site/profiles/manifests/haproxy/balancemember.pp
+++ b/site/profiles/manifests/haproxy/balancemember.pp
@ -3,6 +3,7 @@ define profiles::haproxy::balancemember (
  String              $service,
  Array[Stdlib::Port] $ports,
  Array               $options = ['check'],
+  Stdlib::IP::Address $ipaddress = $facts['networking']['ip'],
 ) {

  $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
@ -12,7 +13,7 @@ define profiles::haproxy::balancemember (
    listening_service => $service,
    ports             => $ports,
    server_names      => $facts['networking']['hostname'],
-    ipaddresses       => $facts['networking']['ip'],
+    ipaddresses       => $ipaddress,
    options           => $options,
    tag               => $balancemember_tag,
  }