Merge pull request 'feat: sydney haproxy cluster' (#191) from neoloc/haproxy_syd1 into develop

Reviewed-on: unkinben/puppet-prod#191
2024-04-28 20:49:32 +09:30 · 2024-04-28 20:49:32 +09:30 · af8763b044
commit af8763b044
parent a141de8b74 220ac182f4
9 changed files with 160 additions and 28 deletions
--- a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml
+++ b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml
@ -1,6 +1,11 @@
 ---
 # mappings
 profiles::haproxy::mappings:
+  fe_http:
+    ensure: present
+    mappings:
+      - 'puppetboard.main.unkin.net be_puppetboard'
+      - 'puppetdbapi.main.unkin.net be_puppetdbapi'
  fe_https:
    ensure: present
    mappings:
--- a/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
+++ b/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
@ -0,0 +1,93 @@
+---
+# mappings
+profiles::haproxy::mappings:
+  fe_http:
+    ensure: present
+    mappings:
+      - 'au-syd1-pve.main.unkin.net be_ausyd1pve'
+  fe_https:
+    ensure: present
+    mappings:
+      - 'au-syd1-pve.main.unkin.net be_ausyd1pve'
+
+# profiles::haproxy::listeners:
+#   ls_puppetdbapi_direct:
+#     collect_exported: false # handled in custom function
+#     ipaddress: "%{facts.networking.ip}"
+#     ports:
+#       - 8081
+#     mode: tcp
+#     options:
+#       option:
+#         - tcplog
+#         - ssl-hello-chk
+#       balance: roundrobin
+
+profiles::haproxy::backends:
+  be_ausyd1pve:
+    description: Backend for au-syd1 pve cluster
+    collect_exported: false # handled in custom function
+    options:
+      balance: roundrobin
+      option:
+        - httpchk GET /
+        - forwardfor
+      cookie: SRVNAME insert
+      http-request:
+        - set-header X-Forwarded-Port %[dst_port]
+        - add-header X-Forwarded-Proto https if { dst_port 443 }
+      redirect: 'scheme https if !{ ssl_fc }'
+  be_letsencrypt:
+    description: Backend for LetsEncrypt Verifications
+    collect_exported: true
+    options:
+      balance: roundrobin
+  be_default:
+    description: Backend for unmatched HTTP traffic
+    collect_exported: true
+    options:
+      balance: roundrobin
+      option:
+        - httpchk GET /
+        - forwardfor
+      cookie: SRVNAME insert
+      http-request:
+        - set-header X-Forwarded-Port %[dst_port]
+        - add-header X-Forwarded-Proto https if { dst_port 443 }
+
+# fe_http
+profiles::haproxy::fe_http::bind_addr: 0.0.0.0
+profiles::haproxy::fe_http::bind_port: 80
+profiles::haproxy::fe_http::bind_opts:
+  - transparent
+profiles::haproxy::fe_http::acls:
+  - 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
+profiles::haproxy::fe_http::http_request:
+  - 'set-header X-Forwarded-Proto https'
+  - 'set-header X-Real-IP %[src]'
+
+# fe_https
+profiles::haproxy::fe_https::bind_addr: 0.0.0.0
+profiles::haproxy::fe_https::bind_port: 443
+profiles::haproxy::fe_https::bind_opts:
+  - ssl
+  - crt-list /etc/haproxy/certificate.list
+  - ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+  - force-tlsv12
+profiles::haproxy::fe_https::acls:
+  - 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
+profiles::haproxy::fe_https::http_request:
+  - 'set-header X-Forwarded-Proto https'
+  - 'set-header X-Real-IP %[src]'
+
+profiles::haproxy::certlist::enabled: true
+profiles::haproxy::certlist::certificates:
+  - /etc/pki/tls/vault/certificate.pem
+
+# additional altnames
+profiles::pki::vault::alt_names:
+  - au-syd1-pve.main.unkin.net
+
+# additional cnames
+profiles::haproxy::dns::cnames:
+  - au-syd1-pve.main.unkin.net
--- a/site/profiles/manifests/haproxy/balancemember.pp
+++ b/site/profiles/manifests/haproxy/balancemember.pp
@ -8,7 +8,7 @@ define profiles::haproxy::balancemember (
  $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
  $balancemember_tag = "${service}_${location_environment}"

-  @@haproxy::balancermember { $balancemember_tag:
+  @@haproxy::balancermember { $title:
    listening_service => $service,
    ports             => $ports,
    server_names      => $facts['networking']['hostname'],
--- a/site/profiles/manifests/haproxy/fe_http.pp
+++ b/site/profiles/manifests/haproxy/fe_http.pp
@ -5,16 +5,18 @@ class profiles::haproxy::fe_http (
  Array             $bind_opts    = ['transparent'],
  Array             $acls         = [],
  Array             $http_request = [],
+  Array             $http_response = [],
 ) {
  haproxy::frontend { 'fe_http':
    description => 'Default HTTP Frontend',
    bind        => { "${bind_addr}:${bind_port}" => $bind_opts },
    mode        => 'http',
    options     => {
-      'acl'          => $acls,
-      'http-request' => $http_request,
-      'use_backend'  => [
-        '%[req.hdr(host),lower,map(/etc/haproxy/domains-to-backends.map,be_default)]',
+      'acl'           => $acls,
+      'http-request'  => $http_request,
+      'http-response' => $http_response,
+      'use_backend'   => [
+        '%[req.hdr(host),lower,map(/etc/haproxy/fe_http.map,be_default)]',
      ],
    },
  }
--- a/site/profiles/manifests/haproxy/fe_https.pp
+++ b/site/profiles/manifests/haproxy/fe_https.pp
@ -5,16 +5,18 @@ class profiles::haproxy::fe_https (
  Array             $bind_opts    = [],
  Array             $acls         = [],
  Array             $http_request = [],
+  Array             $http_response = [],
 ) {
  haproxy::frontend { 'fe_https':
    description => 'Default HTTPS Frontend',
    bind        => { "${bind_addr}:${bind_port}" => $bind_opts },
    mode        => 'http',
    options     => {
-      'acl'          => $acls,
-      'http-request' => $http_request,
-      'use_backend'  => [
-        '%[req.hdr(host),lower,map(/etc/haproxy/domains-to-backends.map,be_default)]',
+      'acl'           => $acls,
+      'http-request'  => $http_request,
+      'http-response' => $http_response,
+      'use_backend'   => [
+        '%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]',
      ],
    },
  }
--- a/site/profiles/manifests/haproxy/server.pp
+++ b/site/profiles/manifests/haproxy/server.pp
@ -35,24 +35,31 @@ class profiles::haproxy::server (
  $merged_global_options = merge($global_options, $globals)
  $merged_default_options = merge($default_options, $defaults)

-  # manage selinux
-  include profiles::haproxy::selinux
+  # wait until enc_role matches haproxy enc_role
+  if $facts['enc_role'] == 'roles::infra::halb::haproxy' {

-  # create the haproxy service/instance
-  class { 'haproxy':
-    global_options   => $merged_global_options,
-    defaults_options => $merged_default_options,
-    require          => Class['profiles::haproxy::selinux']
+    # manage selinux
+    include profiles::haproxy::selinux
+
+    # create the haproxy service/instance
+    class { 'haproxy':
+      global_options   => $merged_global_options,
+      defaults_options => $merged_default_options,
+      require          => Class['profiles::haproxy::selinux']
+    }
+
+    include profiles::haproxy::certlist  # manage the certificate list file
+    include profiles::haproxy::mappings  # manage the domain to backend mappings
+    include profiles::haproxy::ls_stats  # default status listener
+    include profiles::haproxy::fe_http   # default http frontend
+    include profiles::haproxy::fe_https  # default https frontend
+    include profiles::haproxy::dns       # manage dns for haproxy
+    include profiles::haproxy::frontends # create frontends
+    include profiles::haproxy::backends  # create backends
+    include profiles::haproxy::listeners # create listeners
+
+    Class['profiles::haproxy::certlist']
+    -> Class['profiles::haproxy::dns']
+    -> Class['profiles::haproxy::mappings']
  }
-
-  include profiles::haproxy::certlist  # manage the certificate list file
-  include profiles::haproxy::mappings  # manage the domain to backend mappings
-  include profiles::haproxy::ls_stats  # default status listener
-  include profiles::haproxy::fe_http   # default http frontend
-  include profiles::haproxy::fe_https  # default https frontend
-  include profiles::haproxy::dns       # manage dns for haproxy
-  include profiles::haproxy::frontends # create frontends
-  include profiles::haproxy::backends  # create backends
-  include profiles::haproxy::listeners # create listeners
-
 }
--- a/site/profiles/manifests/proxmox/init.pp
+++ b/site/profiles/manifests/proxmox/init.pp
@ -7,6 +7,7 @@ class profiles::proxmox::init {
  include profiles::proxmox::clusterjoin
  include profiles::proxmox::ceph
  include profiles::proxmox::config
+  include profiles::proxmox::weblb

  Class['profiles::proxmox::repos']
  -> Class['profiles::proxmox::install']
--- a/site/profiles/manifests/proxmox/params.pp
+++ b/site/profiles/manifests/proxmox/params.pp
@ -38,6 +38,7 @@ class profiles::proxmox::params (
    'ceph-volume',
    'gdisk',
    'nvme-cli'
-  ]
+  ],
+  Stdlib::Port  $pve_webport  = 8006,
 ){
 }
--- a/site/profiles/manifests/proxmox/weblb.pp
+++ b/site/profiles/manifests/proxmox/weblb.pp
@ -0,0 +1,21 @@
+# profiles::proxmox::weblb
+class profiles::proxmox::weblb {
+
+  # include params class
+  include profiles::proxmox::params
+
+  # export haproxy balancemember
+  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_${profiles::proxmox::params::pve_webport}}":
+    service => "be_${facts['country']}${facts['region']}pve",
+    ports   => [$profiles::proxmox::params::pve_webport],
+    options => [
+      "cookie ${facts['networking']['hostname']}",
+      'ssl',
+      'verify none',
+      'check',
+      'inter 2s',
+      'rise 3',
+      'fall 2',
+    ]
+  }
+}