diff --git a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml
index e8ba37a..9c4753e 100644
--- a/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml
+++ b/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml
@@ -1,5 +1,22 @@
 ---
-haproxy::backend:
+# mappings
+profiles::haproxy::mappings::list:
+  - 'puppetboard.main.unkin.net be_puppetboard'
+
+profiles::haproxy::backends:
+  be_puppetboard:
+    description: Backend for Puppetboard
+    collect_exported: false # handled in custom function
+    options:
+      balance: roundrobin
+      option:
+        - httpchk GET /
+        - forwardfor
+      cookie: SRVNAME insert
+      http-request:
+        - set-header X-Forwarded-Port %[dst_port]
+        - add-header X-Forwarded-Proto https if { dst_port 443 }
+      redirect: 'scheme https if !{ ssl_fc }'
   be_letsencrypt:
     description: Backend for LetsEncrypt Verifications
     collect_exported: true
@@ -11,9 +28,8 @@ haproxy::backend:
     options:
       balance: roundrobin
       option:
-        - httpchk
+        - httpchk GET /
         - forwardfor
-      http-check: send meth GET uri /
       cookie: SRVNAME insert
       http-request:
         - set-header X-Forwarded-Port %[dst_port]
@@ -47,3 +63,7 @@ profiles::haproxy::fe_https::http_request:
 profiles::haproxy::certlist::enabled: true
 profiles::haproxy::certlist::certificates:
   - /etc/pki/tls/vault/certificate.pem
+
+# additional altnames
+profiles::pki::vault::alt_names:
+  - puppetboard.main.unkin.net
diff --git a/site/profiles/manifests/haproxy/server.pp b/site/profiles/manifests/haproxy/server.pp
index 63e4de7..ed185f3 100644
--- a/site/profiles/manifests/haproxy/server.pp
+++ b/site/profiles/manifests/haproxy/server.pp
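Review bot: In the new `be_puppetboard` backend, `add-header X-Forwarded-Proto https if { dst_port 443 }` appends to whatever `X-Forwarded-Proto` the client already sent rather than replacing it, so a client can still present the backend with a spoofed value next to the proxy's one; use `set-header` so the proxy's value is authoritative, and key it on the same `ssl_fc` condition the `redirect` line directly below already uses: `- set-header X-Forwarded-Proto https if { ssl_fc }`. The same caveat applies to `forwardfor`, which adds an `X-Forwarded-For` header without removing a client-supplied one, although that matches the existing `be_letsencrypt` backend in the context lines. Only the hiera data is visible here; whether the frontend terminates TLS on 443, which is what would make `dst_port 443` and `ssl_fc` interchangeable, cannot be confirmed from this hunk.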
@@ -51,10 +51,18 @@ class profiles::haproxy::server (
   include profiles::haproxy::fe_http # default http frontend
   include profiles::haproxy::fe_https # default https frontend
 
-  $backends = lookup('haproxy::backend').keys
-  $backends.each |$backend| {
+  # for each backend:
+  $backends = lookup('profiles::haproxy::backends')
+  $backends.each |$backend, $data| {
+
+    # create backend
+    haproxy::backend { $backend:
+      * => $data,
+    }
+
+    # collect exported resources
     $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
-    $tag = "${location_environment}_${backend}"
+    $tag = "${backend}_${location_environment}"
     Haproxy::Balancermember <<| tag == $tag |>>
   }
 }
diff --git a/site/profiles/manifests/puppet/puppetboard.pp b/site/profiles/manifests/puppet/puppetboard.pp
index ec6f164..6a2bbb9 100644
--- a/site/profiles/manifests/puppet/puppetboard.pp
+++ b/site/profiles/manifests/puppet/puppetboard.pp
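Review bot: The collector tag is flipped from `${location_environment}_${backend}` to `${backend}_${location_environment}`, so every exporter has to switch to the new order in the same deploy or its balancermembers silently stop being collected and the backend comes up with no servers; the exporter side (`profiles::haproxy::balancemember`, used in the puppetboard manifest) is not in this diff, so I cannot confirm it emits the new order. The contract deserves a comment at the collector, e.g. `# tag must match what profiles::haproxy::balancemember exports: <backend>_<country>-<region>-<environment>`. Separately, `Haproxy::Balancermember <<| tag == $tag |>>` realizes any resource in PuppetDB carrying that tag, exported by any agent, so a compromised node that can export a balancermember with the right tag adds itself to the pool; that is inherent to exported resources, but it now applies to every backend in the hash, including ones whose own `collect_exported` is `false`. The class `profiles::haproxy::server` starts outside the hunk.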
@@ -121,13 +121,38 @@ class profiles::puppet::puppetboard (
       location_alias => "${virtualenv_dir}/lib/python${python_version}/site-packages/puppetboard/static",
     }
 
+  # export haproxy balancemember
+  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_${nginx_port}}":
+    service => 'be_puppetboard',
+    ports => [$nginx_port],
+    options => [
+      "cookie ${facts['networking']['hostname']}",
+      'check',
+      'inter 2s',
+      'rise 3',
+      'fall 2',
+    ]
+  }
+  #@@haproxy::balancermember { "${facts['networking']['fqdn']}_${nginx_port}}":
+  #  listening_service => 'be_puppetboard',
+  #  ports => [$nginx_port],
+  #  server_names => $facts['networking']['hostname'],
+  #  ipaddresses => $facts['networking']['ip'],
+  #  options => [
+  #    "cookie ${facts['networking']['hostname']}",
+  #    'check',
+  #    'inter 2s',
+  #    'rise 3',
+  #    'fall 2',
+  #  ]
+  #}
 
-    # if selinux is defined, manage it
-    if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
+  # if selinux is defined, manage it
+  if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
 
-  # call the nginx selinux class
-  class { 'profiles::selinux::nginx':
-    require => Class['Nginx'],
-  }
+    # call the nginx selinux class
+    class { 'profiles::selinux::nginx':
+      require => Class['Nginx'],
     }
+  }
 }
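Review bot: The resource title `"${facts['networking']['fqdn']}_${nginx_port}}"` has a stray closing brace after `${nginx_port}`, so the exported balancermember is titled something like `host.unkin.net_80}`; drop the extra character: `profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_${nginx_port}":`. The thirteen commented-out `#@@haproxy::balancermember` lines that follow should be deleted rather than committed — git history keeps them, and as written they carry the same title typo. The tag that `profiles::haproxy::balancemember` attaches to this export has to match the collector in `profiles::haproxy::server` (`<backend>_<country>-<region>-<environment>`), but that defined type is not in this diff so I cannot verify it. The enclosing class `profiles::puppet::puppetboard` starts outside the hunk.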