unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity

promote develop to master #6

Merged
unkinben merged 449 commits from develop into master 2024-06-01 14:48:48 +10:00
Conversation 0 Commits 449 Files Changed 291 +160 -28
9 changed files with 160 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 220ac182f4 - Show all commits

5
hieradata/country/au/region/drw1/infra/halb/haproxy.yaml
View File

@ -1,6 +1,11 @@
--- ---
# mappings # mappings
profiles::haproxy::mappings: profiles::haproxy::mappings:
fe_http:
ensure: present
mappings:
- 'puppetboard.main.unkin.net be_puppetboard'
- 'puppetdbapi.main.unkin.net be_puppetdbapi'
fe_https: fe_https:
ensure: present ensure: present
mappings: mappings:

93
hieradata/country/au/region/syd1/infra/halb/haproxy.yaml Normal file
View File

@ -0,0 +1,93 @@
---
# mappings
profiles::haproxy::mappings:
fe_http:
ensure: present
mappings:
- 'au-syd1-pve.main.unkin.net be_ausyd1pve'
fe_https:
ensure: present
mappings:
- 'au-syd1-pve.main.unkin.net be_ausyd1pve'
# profiles::haproxy::listeners:
# ls_puppetdbapi_direct:
# collect_exported: false # handled in custom function
# ipaddress: "%{facts.networking.ip}"
# ports:
# - 8081
# mode: tcp
# options:
# option:
# - tcplog
# - ssl-hello-chk
# balance: roundrobin
profiles::haproxy::backends:
be_ausyd1pve:
description: Backend for au-syd1 pve cluster
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
cookie: SRVNAME insert
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_letsencrypt:
description: Backend for LetsEncrypt Verifications
collect_exported: true
options:
balance: roundrobin
be_default:
description: Backend for unmatched HTTP traffic
collect_exported: true
options:
balance: roundrobin
option:
- httpchk GET /
- forwardfor
cookie: SRVNAME insert
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
# fe_http
profiles::haproxy::fe_http::bind_addr: 0.0.0.0
profiles::haproxy::fe_http::bind_port: 80
profiles::haproxy::fe_http::bind_opts:
- transparent
profiles::haproxy::fe_http::acls:
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
profiles::haproxy::fe_http::http_request:
- 'set-header X-Forwarded-Proto https'
- 'set-header X-Real-IP %[src]'
# fe_https
profiles::haproxy::fe_https::bind_addr: 0.0.0.0
profiles::haproxy::fe_https::bind_port: 443
profiles::haproxy::fe_https::bind_opts:
- ssl
- crt-list /etc/haproxy/certificate.list
- ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
- force-tlsv12
profiles::haproxy::fe_https::acls:
- 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
profiles::haproxy::fe_https::http_request:
- 'set-header X-Forwarded-Proto https'
- 'set-header X-Real-IP %[src]'
profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
- /etc/pki/tls/vault/certificate.pem
# additional altnames
profiles::pki::vault::alt_names:
- au-syd1-pve.main.unkin.net
# additional cnames
profiles::haproxy::dns::cnames:
- au-syd1-pve.main.unkin.net

2
site/profiles/manifests/haproxy/balancemember.pp
View File

@ -8,7 +8,7 @@ define profiles::haproxy::balancemember (
$location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}" $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
$balancemember_tag = "${service}_${location_environment}" $balancemember_tag = "${service}_${location_environment}"
@@haproxy::balancermember { $balancemember_tag: @@haproxy::balancermember { $title:
listening_service => $service, listening_service => $service,
ports => $ports, ports => $ports,
server_names => $facts['networking']['hostname'], server_names => $facts['networking']['hostname'],

10
site/profiles/manifests/haproxy/fe_http.pp
View File

@ -5,16 +5,18 @@ class profiles::haproxy::fe_http (
Array $bind_opts = ['transparent'], Array $bind_opts = ['transparent'],
Array $acls = [], Array $acls = [],
Array $http_request = [], Array $http_request = [],
Array $http_response = [],
) { ) {
haproxy::frontend { 'fe_http': haproxy::frontend { 'fe_http':
description => 'Default HTTP Frontend', description => 'Default HTTP Frontend',
bind => { "${bind_addr}:${bind_port}" => $bind_opts }, bind => { "${bind_addr}:${bind_port}" => $bind_opts },
mode => 'http', mode => 'http',
options => { options => {
'acl' => $acls, 'acl' => $acls,
'http-request' => $http_request, 'http-request' => $http_request,
'use_backend' => [ 'http-response' => $http_response,
'%[req.hdr(host),lower,map(/etc/haproxy/domains-to-backends.map,be_default)]', 'use_backend' => [
'%[req.hdr(host),lower,map(/etc/haproxy/fe_http.map,be_default)]',
], ],
}, },
} }

10
site/profiles/manifests/haproxy/fe_https.pp
View File

@ -5,16 +5,18 @@ class profiles::haproxy::fe_https (
Array $bind_opts = [], Array $bind_opts = [],
Array $acls = [], Array $acls = [],
Array $http_request = [], Array $http_request = [],
Array $http_response = [],
) { ) {
haproxy::frontend { 'fe_https': haproxy::frontend { 'fe_https':
description => 'Default HTTPS Frontend', description => 'Default HTTPS Frontend',
bind => { "${bind_addr}:${bind_port}" => $bind_opts }, bind => { "${bind_addr}:${bind_port}" => $bind_opts },
mode => 'http', mode => 'http',
options => { options => {
'acl' => $acls, 'acl' => $acls,
'http-request' => $http_request, 'http-request' => $http_request,
'use_backend' => [ 'http-response' => $http_response,
'%[req.hdr(host),lower,map(/etc/haproxy/domains-to-backends.map,be_default)]', 'use_backend' => [
'%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]',
], ],
}, },
} }

43
site/profiles/manifests/haproxy/server.pp
View File

@ -35,24 +35,31 @@ class profiles::haproxy::server (
$merged_global_options = merge($global_options, $globals) $merged_global_options = merge($global_options, $globals)
$merged_default_options = merge($default_options, $defaults) $merged_default_options = merge($default_options, $defaults)
# manage selinux # wait until enc_role matches haproxy enc_role
include profiles::haproxy::selinux if $facts['enc_role'] == 'roles::infra::halb::haproxy' {
# create the haproxy service/instance # manage selinux
class { 'haproxy': include profiles::haproxy::selinux
global_options => $merged_global_options,
defaults_options => $merged_default_options, # create the haproxy service/instance
require => Class['profiles::haproxy::selinux'] class { 'haproxy':
global_options => $merged_global_options,
defaults_options => $merged_default_options,
require => Class['profiles::haproxy::selinux']
}
include profiles::haproxy::certlist # manage the certificate list file
include profiles::haproxy::mappings # manage the domain to backend mappings
include profiles::haproxy::ls_stats # default status listener
include profiles::haproxy::fe_http # default http frontend
include profiles::haproxy::fe_https # default https frontend
include profiles::haproxy::dns # manage dns for haproxy
include profiles::haproxy::frontends # create frontends
include profiles::haproxy::backends # create backends
include profiles::haproxy::listeners # create listeners
Class['profiles::haproxy::certlist']
-> Class['profiles::haproxy::dns']
-> Class['profiles::haproxy::mappings']
} }
include profiles::haproxy::certlist # manage the certificate list file
include profiles::haproxy::mappings # manage the domain to backend mappings
include profiles::haproxy::ls_stats # default status listener
include profiles::haproxy::fe_http # default http frontend
include profiles::haproxy::fe_https # default https frontend
include profiles::haproxy::dns # manage dns for haproxy
include profiles::haproxy::frontends # create frontends
include profiles::haproxy::backends # create backends
include profiles::haproxy::listeners # create listeners
} }

1
site/profiles/manifests/proxmox/init.pp
View File

@ -7,6 +7,7 @@ class profiles::proxmox::init {
include profiles::proxmox::clusterjoin include profiles::proxmox::clusterjoin
include profiles::proxmox::ceph include profiles::proxmox::ceph
include profiles::proxmox::config include profiles::proxmox::config
include profiles::proxmox::weblb
Class['profiles::proxmox::repos'] Class['profiles::proxmox::repos']
-> Class['profiles::proxmox::install'] -> Class['profiles::proxmox::install']

3
site/profiles/manifests/proxmox/params.pp
View File

@ -38,6 +38,7 @@ class profiles::proxmox::params (
'ceph-volume', 'ceph-volume',
'gdisk', 'gdisk',
'nvme-cli' 'nvme-cli'
] ],
Stdlib::Port $pve_webport = 8006,
){ ){
} }

21
site/profiles/manifests/proxmox/weblb.pp Normal file
View File

@ -0,0 +1,21 @@
# profiles::proxmox::weblb
class profiles::proxmox::weblb {
# include params class
include profiles::proxmox::params
# export haproxy balancemember
profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_${profiles::proxmox::params::pve_webport}}":
service => "be_${facts['country']}${facts['region']}pve",
ports => [$profiles::proxmox::params::pve_webport],
options => [
"cookie ${facts['networking']['hostname']}",
'ssl',
'verify none',
'check',
'inter 2s',
'rise 3',
'fall 2',
]
}
}