Ben Vincent
a7e9f1590e
- set syd1 as primary consul datacentre - add consul.service.consul zone - add nginx reverse proxy for consul webui - set dns zones/acls/views/keys to be deep merged from hiera - update default token - add consul/consul.service.consul/consul.main.unkin.net to vault cert
98 lines
2.9 KiB
Puppet
98 lines
2.9 KiB
Puppet
# profiles::consul::nginx
|
|
class profiles::consul::nginx (
|
|
String $nginx_vhost = 'consul.service.consul',
|
|
Stdlib::Port $nginx_port = 80,
|
|
Stdlib::Port $nginx_ssl_port = 443,
|
|
Enum['http','https','both'] $nginx_listen_mode = 'https',
|
|
Enum['puppet', 'vault'] $nginx_cert_type = 'vault'
|
|
) {
|
|
|
|
# set the server_names
|
|
$server_names = [$facts['networking']['fqdn'], $nginx_vhost, 'consul', 'consul.main.unkin.net']
|
|
|
|
# select the certificates to use based on cert type
|
|
case $nginx_cert_type {
|
|
'puppet': {
|
|
$selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
|
|
$selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
|
|
}
|
|
'vault': {
|
|
$selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
|
|
$selected_ssl_key = '/etc/pki/tls/vault/private.key'
|
|
}
|
|
default: {
|
|
# enum param prevents this ever being reached
|
|
}
|
|
}
|
|
|
|
# set variables based on the listen_mode
|
|
case $nginx_listen_mode {
|
|
'http': {
|
|
$enable_ssl = false
|
|
$ssl_cert = undef
|
|
$ssl_key = undef
|
|
$listen_port = $nginx_port
|
|
$listen_ssl_port = undef
|
|
$extras_hash = {}
|
|
}
|
|
'https': {
|
|
$enable_ssl = true
|
|
$ssl_cert = $selected_ssl_cert
|
|
$ssl_key = $selected_ssl_key
|
|
$listen_port = $nginx_ssl_port
|
|
$listen_ssl_port = $nginx_ssl_port
|
|
$extras_hash = {
|
|
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
|
|
}
|
|
}
|
|
'both': {
|
|
$enable_ssl = true
|
|
$ssl_cert = $selected_ssl_cert
|
|
$ssl_key = $selected_ssl_key
|
|
$listen_port = $nginx_port
|
|
$listen_ssl_port = $nginx_ssl_port
|
|
$extras_hash = {
|
|
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
|
|
}
|
|
}
|
|
default: {
|
|
# enum param prevents this ever being reached
|
|
}
|
|
}
|
|
|
|
# define the default parameters for the nginx server
|
|
$defaults = {
|
|
'listen_port' => $listen_port,
|
|
'server_name' => $server_names,
|
|
'use_default_location' => true,
|
|
'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
|
|
'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
|
|
'autoindex' => 'on',
|
|
'ssl' => $enable_ssl,
|
|
'ssl_cert' => $ssl_cert,
|
|
'ssl_key' => $ssl_key,
|
|
'ssl_port' => $listen_ssl_port,
|
|
'proxy' => "http://${facts['networking']['ip']}:8500/",
|
|
}
|
|
|
|
# merge the hashes conditionally
|
|
$nginx_parameters = merge($defaults, $extras_hash)
|
|
|
|
# manage the nginx class
|
|
include 'nginx'
|
|
|
|
# create the nginx vhost with the merged parameters
|
|
create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
|
|
|
|
# manage selinux
|
|
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
|
|
|
|
# make sure nginx can reverse proxy
|
|
selboolean { 'httpd_can_network_connect':
|
|
persistent => true,
|
|
value => 'on',
|
|
}
|
|
|
|
}
|
|
}
|