hieradata/country/au/region/drw1/infra/halb/haproxy.yaml

@@ -1,5 +1,22 @@
 ---
-haproxy::backend:
+# mappings
+profiles::haproxy::mappings::list:
+  - 'puppetboard.main.unkin.net be_puppetboard'
+
+profiles::haproxy::backends:
+  be_puppetboard:
+    description: Backend for Puppetboard
+    collect_exported: false # handled in custom function
+    options:
+      balance: roundrobin
+      option:
+        - httpchk GET /
+        - forwardfor
+      cookie: SRVNAME insert
+      http-request:
+        - set-header X-Forwarded-Port %[dst_port]
+        - add-header X-Forwarded-Proto https if { dst_port 443 }
+      redirect: 'scheme https if !{ ssl_fc }'
   be_letsencrypt:
     description: Backend for LetsEncrypt Verifications
     collect_exported: true
@@ -11,9 +28,8 @@ haproxy::backend:
     options:
       balance: roundrobin
       option:
-        - httpchk
+        - httpchk GET /
         - forwardfor
-      http-check: send meth GET uri /
       cookie: SRVNAME insert
       http-request:
         - set-header X-Forwarded-Port %[dst_port]
@@ -47,3 +63,7 @@ profiles::haproxy::fe_https::http_request:
 profiles::haproxy::certlist::enabled: true
 profiles::haproxy::certlist::certificates:
   - /etc/pki/tls/vault/certificate.pem
+
+# additional altnames
+profiles::pki::vault::alt_names:
+  - puppetboard.main.unkin.net

site/profiles/manifests/haproxy/server.pp

@@ -51,10 +51,18 @@ class profiles::haproxy::server (
   include profiles::haproxy::fe_http   # default http frontend
   include profiles::haproxy::fe_https  # default https frontend
 
-  $backends = lookup('haproxy::backend').keys
+  # for each backend:
-  $backends.each |$backend| {
+  $backends = lookup('profiles::haproxy::backends')
+  $backends.each |$backend, $data| {
+
+    # create backend
+    haproxy::backend { $backend:
+      * => $data,
+    }
+
+    # collect exported resources
     $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
-    $tag = "${location_environment}_${backend}"
+    $tag = "${backend}_${location_environment}"
     Haproxy::Balancermember <<| tag == $tag |>>
   }
 }

site/profiles/manifests/puppet/puppetboard.pp

@@ -121,13 +121,38 @@ class profiles::puppet::puppetboard (
       location_alias => "${virtualenv_dir}/lib/python${python_version}/site-packages/puppetboard/static",
   }
 
+  # export haproxy balancemember
+  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_${nginx_port}}":
+    service => 'be_puppetboard',
+    ports   => [$nginx_port],
+    options => [
+      "cookie ${facts['networking']['hostname']}",
+      'check',
+      'inter 2s',
+      'rise 3',
+      'fall 2',
+    ]
+  }
+  #@@haproxy::balancermember { "${facts['networking']['fqdn']}_${nginx_port}}":
+  #  listening_service => 'be_puppetboard',
+  #  ports             => [$nginx_port],
+  #  server_names      => $facts['networking']['hostname'],
+  #  ipaddresses       => $facts['networking']['ip'],
+  #  options           => [
+  #    "cookie ${facts['networking']['hostname']}",
+  #    'check',
+  #    'inter 2s',
+  #    'rise 3',
+  #    'fall 2',
+  #  ]
+  #}
 
-    # if selinux is defined, manage it
+  # if selinux is defined, manage it
-    if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
+  if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
 
-      # call the nginx selinux class
+    # call the nginx selinux class
-      class { 'profiles::selinux::nginx':
+    class { 'profiles::selinux::nginx':
-        require      => Class['Nginx'],
+      require      => Class['Nginx'],
-      }
     }
+  }
 }