feat: configure edgecache for postgresql

- add fact to record system resolvers
- add resolvers feature in /etc/nginx/conf.d/resolvers.conf
- add rewrite rules for postgres/yum/repodata

hieradata/roles/infra/storage/edgecache.yaml

@@ -25,6 +25,8 @@ profiles::pki::vault::alt_names:
   - edgecache.service.consul
   - edgecache.query.consul
 
+profiles::edgecache::params::nginx_resolvers_enable: true
+profiles::edgecache::params::nginx_resolvers_ipv4only: true
 profiles::edgecache::params::nginx_listen_mode: both
 profiles::edgecache::params::nginx_cert_type: vault
 profiles::edgecache::params::nginx_aliases:
@@ -36,6 +38,9 @@ profiles::edgecache::params::directories:
   /data/edgecache/pub/almalinux: { owner: nginx, group: nginx }
   /data/edgecache/pub/debian: { owner: nginx, group: nginx }
   /data/edgecache/pub/epel: { owner: nginx, group: nginx }
+  /data/edgecache/pub/postgres: { owner: nginx, group: nginx }
+  /data/edgecache/pub/postgres/apt: { owner: nginx, group: nginx }
+  /data/edgecache/pub/postgres/yum: { owner: nginx, group: nginx }
 
 profiles::edgecache::params::mirrors:
   debian:
@@ -74,3 +79,29 @@ profiles::edgecache::params::mirrors:
     proxy_cache_valid:
       - '200 302 1440h'
       - '404 1m'
+  postgres_yum_repodata:
+    ensure: present
+    location: '~* ^/postgres/yum/.*/repodata/'
+    rewrite_rules:
+      - '^/postgres/yum/(.*)$ /pub/repos/yum/$1 break'
+    proxy: https://download.postgresql.org
+  postgres_yum_data:
+    ensure: present
+    location: /postgres/yum
+    proxy: https://download.postgresql.org/pub/repos/yum
+    proxy_cache: cache
+    proxy_cache_valid:
+      - '200 302 1440h'
+      - '404 1m'
+  postgres_apt:
+    ensure: present
+    location: /postgres/apt
+    proxy: https://download.postgresql.org/pub/repos/apt
+  postgres_apt_pool:
+    ensure: present
+    location: /postgres/apt/pool
+    proxy: https://download.postgresql.org/pub/repos/apt/pool
+    proxy_cache: cache
+    proxy_cache_valid:
+      - '200 302 1440h'
+      - '404 1m'

modules/libs/lib/facter/nameservers.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+Facter.add(:nameservers) do
+  confine kernel: 'Linux'
+  setcode do
+    nameservers = File.readlines('/etc/resolv.conf').grep(/^nameserver\s+(\S+)/) { Regexp.last_match(1) }
+    nameservers
+  end
+end

site/profiles/manifests/edgecache/nginx.pp

@@ -10,6 +10,8 @@ class profiles::edgecache::nginx {
   $nginx_ssl_port    = $profiles::edgecache::params::nginx_ssl_port
   $nginx_listen_mode = $profiles::edgecache::params::nginx_listen_mode
   $nginx_cert_type   = $profiles::edgecache::params::nginx_cert_type
+  $nginx_resolvers_enable   = $profiles::edgecache::params::nginx_resolvers_enable
+  $nginx_resolvers_ipv4only = $profiles::edgecache::params::nginx_resolvers_ipv4only
 
   # select the certificates to use based on cert type
   case $nginx_cert_type {
@@ -61,6 +63,14 @@ class profiles::edgecache::nginx {
     }
   }
 
+  if $nginx_resolvers_ipv4only and $nginx_resolvers_enable {
+    $resolvers = $facts['nameservers'].join(' ')
+    file { '/etc/nginx/conf.d/resolvers.conf':
+      ensure  => file,
+      content => "resolver ${resolvers} ipv4=on;\n",
+    }
+  }
+
   # set the server_names
   $server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
 

site/profiles/manifests/edgecache/params.pp

@@ -7,6 +7,8 @@ class profiles::edgecache::params (
   Stdlib::Port $nginx_ssl_port = 443,
   Enum['http','https','both'] $nginx_listen_mode = 'http',
   Enum['puppet', 'vault']     $nginx_cert_type = 'vault',
+  Boolean $nginx_resolvers_enable = false,
+  Boolean $nginx_resolvers_ipv4only = false,
   Hash $directories = {},
   Hash $mirrors = {},
 ){