puppet-prod/hieradata/country/au/region/drw1/infra/halb/haproxy.yaml
Ben Vincent 8697492611 feat: haproxy refactor
- configure deep merging in hiera
- move fe_http and fe_https to hiera
- configure pve backends for standard and api traffic
2024-05-01 19:02:03 +10:00


---
# Host-to-backend maps, one per map name (fe_http, fe_https).
# Each entry reads '<request hostname> <backend name>'; the backend names
# are the keys defined under profiles::haproxy::backends in this file.
# NOTE(review): what happens to a Host that matches no entry depends on the
# frontend's default backend, which is not visible here - confirm it does
# not fall through to be_puppetdbapi.
profiles::haproxy::mappings:
  fe_http:
    ensure: present
    mappings:
      - 'puppetboard.main.unkin.net be_puppetboard'
      - 'puppetdbapi.main.unkin.net be_puppetdbapi'
  fe_https:
    ensure: present
    mappings:
      - 'puppetboard.main.unkin.net be_puppetboard'
      - 'puppetdbapi.main.unkin.net be_puppetdbapi'
# profiles::haproxy::listeners:
# ls_puppetdbapi_direct:
# collect_exported: false # handled in custom function
# ipaddress: "%{facts.networking.ip}"
# ports:
# - 8081
# mode: tcp
# options:
# option:
# - tcplog
# - ssl-hello-chk
# balance: roundrobin
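# Backend definitions, keyed by backend name. Each `options` hash carries
# HAProxy backend directives (balance, option, cookie, http-request,
# redirect).
#
# Header handling, applied to both backends:
# - `option forwardfor` appends the client address to X-Forwarded-For; any
#   value the client sent is kept ahead of it, so the application should
#   rely only on the last entry.
# - X-Forwarded-Proto is written with set-header rather than add-header, so
#   a value supplied by the client is replaced instead of being passed on
#   next to the proxy's own. The rule only fires on dst_port 443; requests
#   that arrive without TLS are redirected by the `redirect` rule.
profiles::haproxy::backends:
  be_puppetboard:
    description: Backend for Puppetboard
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
      # NOTE(review): the persistence cookie is inserted without the
      # `secure` / `httponly` attributes; consider adding them, since
      # non-TLS requests are redirected to HTTPS below.
      cookie: SRVNAME insert
      http-request:
        - 'set-header X-Forwarded-Port %[dst_port]'
        - 'set-header X-Forwarded-Proto https if { dst_port 443 }'
      # Redirect any request whose front connection is not TLS.
      redirect: 'scheme https if !{ ssl_fc }'
  be_puppetdbapi:
    description: Backend for the PuppetDB API
    collect_exported: false  # handled in custom function
    # NOTE(review): no ACL or client-certificate rule is visible on this
    # backend. The PuppetDB API returns node facts, catalogs and reports,
    # so confirm access is restricted at the frontend or network layer.
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
      # NOTE(review): same cookie-attribute question as be_puppetboard.
      cookie: SRVNAME insert
      http-request:
        - 'set-header X-Forwarded-Port %[dst_port]'
        - 'set-header X-Forwarded-Proto https if { dst_port 443 }'
      # Redirect any request whose front connection is not TLS.
      redirect: 'scheme https if !{ ssl_fc }'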
# Turn on the certificate list and name the PEM file(s) it contains.
# NOTE(review): HAProxy certificate files normally bundle the private key
# with the certificate chain; if that is the case for this path, confirm
# the file is readable only by root and the haproxy service account.
profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
  - '/etc/pki/tls/vault/certificate.pem'
# Additional alternative names passed to profiles::pki::vault. They are the
# same hostnames that profiles::haproxy::mappings routes, so the served
# certificate covers every name the frontends answer for.
profiles::pki::vault::alt_names:
  - 'puppetboard.main.unkin.net'
  - 'puppetdbapi.main.unkin.net'
# Additional DNS CNAMEs for the service hostnames; keep this list in step
# with profiles::pki::vault::alt_names so every published name is also
# present on the certificate.
profiles::haproxy::dns::cnames:
  - 'puppetboard.main.unkin.net'
  - 'puppetdbapi.main.unkin.net'