Puppet Class: profile::cache::haproxy

Defined in:
modules/profile/manifests/cache/haproxy.pp

Overview

Parameters:

  • tls_port (Stdlib::Port) (defaults to: lookup('profile::cache::haproxy::tls_port'))
  • prometheus_port (Stdlib::Port) (defaults to: lookup('profile::cache::haproxy::prometheus_port', {'default_value' => 9422}))
  • available_unified_certificates (Hash[String, Haproxy::Tlscertificate]) (defaults to: lookup('profile::cache::haproxy::available_unified_certificates'))
  • extra_certificates (Optional[Hash[String, Haproxy::Tlscertificate]]) (defaults to: lookup('profile::cache::haproxy::extra_certificates', {'default_value' => undef}))
  • unified_certs (Optional[Array[String]]) (defaults to: lookup('profile::cache::haproxy::unified_certs', {'default_value' => undef}))
  • unified_acme_chief (Boolean) (defaults to: lookup('profile::cache::haproxy::unified_acme_chief'))
  • varnish_socket (Array[Stdlib::Unixpath]) (defaults to: lookup('profile::cache::haproxy::varnish_socket'))
  • tls_ciphers (String) (defaults to: lookup('profile::cache::haproxy::tls_ciphers'))
  • tls13_ciphers (String) (defaults to: lookup('profile::cache::haproxy::tls13_ciphers'))
  • tls_cachesize (Integer[0]) (defaults to: lookup('profile::cache::haproxy::tls_cachesize'))
  • tls_session_lifetime (Integer[0]) (defaults to: lookup('profile::cache::haproxy::tls_session_lifetime'))
  • timeout (Haproxy::Timeout) (defaults to: lookup('profile::cache::haproxy::timeout'))
  • h2settings (Haproxy::H2settings) (defaults to: lookup('profile::cache::haproxy::h2settings'))
  • proxy_protocol (Optional[Haproxy::Proxyprotocol]) (defaults to: lookup('profile::cache::haproxy::proxy_protocol', {'default_value' => undef}))
  • vars (Array[Haproxy::Var]) (defaults to: lookup('profile::cache::haproxy::vars'))
  • acls (Array[Haproxy::Acl]) (defaults to: lookup('profile::cache::haproxy::acls'))
  • add_headers (Array[Haproxy::Header]) (defaults to: lookup('profile::cache::haproxy::add_headers'))
  • del_headers (Array[Haproxy::Header]) (defaults to: lookup('profile::cache::haproxy::del_headers'))
  • do_ocsp (Boolean) (defaults to: lookup('profile::cache::haproxy::do_ocsp'))
  • ocsp_proxy (String) (defaults to: lookup('http_proxy'))
  • public_tls_unified_cert_vendor (String) (defaults to: lookup('public_tls_unified_cert_vendor'))
  • mtail_dir (Stdlib::Unixpath) (defaults to: lookup('profile::cache::haproxy::mtail_dir', {'default_value' => '/etc/haproxymtail'}))
  • mtail_port (Stdlib::Port::User) (defaults to: lookup('profile::cache::haproxy::mtail_port', {'default_value' => 3906}))
  • mtail_fifo (Stdlib::Unixpath) (defaults to: lookup('profile::cache::haproxy::mtail_fifo', {'default_value' => '/var/log/haproxy.fifo'}))


# File 'modules/profile/manifests/cache/haproxy.pp', line 1

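# @summary Configure HAProxy as the TLS terminator in front of Varnish on a cache host.
#
# Pins HAProxy to buster-backports, manages rotation of the TLS session ticket
# keys (STEK), declares the unified and extra certificates (optionally with
# OCSP stapling), instantiates haproxy::tls_terminator['tls'] with its
# monitoring, and wires haproxy logs into mtail via systemd and rsyslog.
#
# @param tls_port
#   Port the TLS terminator listens on (haproxy::tls_terminator port, also
#   handed to the monitoring define).
# @param prometheus_port
#   Port passed to haproxy::tls_terminator as prometheus_port.
# @param available_unified_certificates
#   Map of vendor name => Haproxy::Tlscertificate. The entry selected by
#   $public_tls_unified_cert_vendor must exist, otherwise compilation fails.
# @param extra_certificates
#   Optional map of additional certificates: every key is requested through
#   acme_chief::cert and every value is appended to the certificate list given
#   to the TLS terminator.
# @param unified_certs
#   Optional list of certificate names managed through sslcert::certificate;
#   with $do_ocsp each one also gets a sslcert::ocsp::conf and a symlink so
#   HAProxy finds the prefetched OCSP response next to the certificate.
# @param unified_acme_chief
#   Whether to declare acme_chief::cert['unified'] for the haproxy service.
# @param varnish_socket
#   Unix socket path(s) of the Varnish backend (haproxy::tls_terminator
#   backend_socket).
# @param tls_ciphers
#   Cipher string passed to haproxy::tls_terminator as tls_ciphers.
# @param tls13_ciphers
#   Cipher string passed to haproxy::tls_terminator as tls13_ciphers.
# @param tls_cachesize
#   Passed through to haproxy::tls_terminator (tls_cachesize).
# @param tls_session_lifetime
#   Passed through to haproxy::tls_terminator (tls_session_lifetime).
# @param timeout
#   Haproxy::Timeout passed through to haproxy::tls_terminator.
# @param h2settings
#   Haproxy::H2settings passed through to haproxy::tls_terminator.
# @param proxy_protocol
#   Optional Haproxy::Proxyprotocol passed through to haproxy::tls_terminator.
# @param vars
#   Haproxy::Var list passed through to haproxy::tls_terminator.
# @param acls
#   Haproxy::Acl list passed through to haproxy::tls_terminator.
# @param add_headers
#   Haproxy::Header list passed through to haproxy::tls_terminator (add_headers).
# @param del_headers
#   Haproxy::Header list passed through to haproxy::tls_terminator (del_headers).
# @param do_ocsp
#   Enable OCSP stapling: declares sslcert::ocsp::init, one sslcert::ocsp::conf
#   plus response symlink per unified cert, the haproxy OCSP update hook, and
#   passes the flag on to the monitoring define.
# @param ocsp_proxy
#   HTTP proxy handed to sslcert::ocsp::conf (defaults to the global
#   http_proxy lookup).
# @param public_tls_unified_cert_vendor
#   Key of $available_unified_certificates selecting the unified certificate
#   that is always served.
# @param mtail_dir
#   Destination directory for the cache_haproxy mtail program.
# @param mtail_port
#   Not referenced directly in this manifest; presumably consumed by the
#   haproxy-mtail@ systemd templates — confirm against those templates.
# @param mtail_fifo
#   Not referenced directly in this manifest; presumably the fifo used by the
#   rsyslog/haproxy-mtail@ templates to feed haproxy logs to mtail — confirm.
class profile::cache::haproxy(
    Stdlib::Port $tls_port = lookup('profile::cache::haproxy::tls_port'),
    Stdlib::Port $prometheus_port = lookup('profile::cache::haproxy::prometheus_port', {'default_value' => 9422}),
    Hash[String, Haproxy::Tlscertificate] $available_unified_certificates = lookup('profile::cache::haproxy::available_unified_certificates'),
    Optional[Hash[String, Haproxy::Tlscertificate]] $extra_certificates = lookup('profile::cache::haproxy::extra_certificates', {'default_value' => undef}),
    Optional[Array[String]] $unified_certs = lookup('profile::cache::haproxy::unified_certs', {'default_value' => undef}),
    Boolean $unified_acme_chief = lookup('profile::cache::haproxy::unified_acme_chief'),
    Array[Stdlib::Unixpath] $varnish_socket = lookup('profile::cache::haproxy::varnish_socket'),
    String $tls_ciphers = lookup('profile::cache::haproxy::tls_ciphers'),
    String $tls13_ciphers = lookup('profile::cache::haproxy::tls13_ciphers'),
    Integer[0] $tls_cachesize = lookup('profile::cache::haproxy::tls_cachesize'),
    Integer[0] $tls_session_lifetime = lookup('profile::cache::haproxy::tls_session_lifetime'),
    Haproxy::Timeout $timeout = lookup('profile::cache::haproxy::timeout'),
    Haproxy::H2settings $h2settings = lookup('profile::cache::haproxy::h2settings'),
    Optional[Haproxy::Proxyprotocol] $proxy_protocol = lookup('profile::cache::haproxy::proxy_protocol', {'default_value' => undef}),
    Array[Haproxy::Var] $vars = lookup('profile::cache::haproxy::vars'),
    Array[Haproxy::Acl] $acls = lookup('profile::cache::haproxy::acls'),
    Array[Haproxy::Header] $add_headers = lookup('profile::cache::haproxy::add_headers'),
    Array[Haproxy::Header] $del_headers = lookup('profile::cache::haproxy::del_headers'),
    Boolean $do_ocsp = lookup('profile::cache::haproxy::do_ocsp'),
    String $ocsp_proxy = lookup('http_proxy'),
    String $public_tls_unified_cert_vendor = lookup('public_tls_unified_cert_vendor'),
    Stdlib::Unixpath $mtail_dir = lookup('profile::cache::haproxy::mtail_dir', {'default_value' => '/etc/haproxymtail'}),
    Stdlib::Port::User $mtail_port = lookup('profile::cache::haproxy::mtail_port', {'default_value' => 3906}),
    Stdlib::Unixpath $mtail_fifo = lookup('profile::cache::haproxy::mtail_fifo', {'default_value' => '/var/log/haproxy.fifo'}),
) {
    class { 'sslcert::dhparam':
    }
    if $do_ocsp {
        class { 'sslcert::ocsp::init':
        }
    }

    # Variables consumed by the systemd unit template
    # (profile/cache/haproxy.service.erb) rendered below.
    $pid = '/run/haproxy/haproxy.pid'
    $exec_start = '/usr/sbin/haproxy -Ws'

    # Use HAProxy 2.2 from buster-backports; the pin must be in place before
    # the haproxy class installs the package.
    apt::pin { 'haproxy-buster-bpo':
        package  => 'haproxy',
        pin      => 'release n=buster-backports',
        priority => 1002,
        before   => Class['::haproxy'],
    }

    class { '::haproxy':
        template              => 'profile/cache/haproxy.cfg.erb',
        systemd_content       => template('profile/cache/haproxy.service.erb'),
        logging               => false,
        monitor_check_haproxy => false,
    }

    # Python dependency presumed to be required by haproxy-stek-manager.
    ensure_packages('python3-pystemd')
    # Read-only and executable, owned by root: the STEK manager is run by the
    # root-owned timer below.
    file { '/usr/local/sbin/haproxy-stek-manager':
        ensure => present,
        source => 'puppet:///modules/profile/cache/haproxy_stek_manager.py',
        owner  => root,
        group  => root,
        mode   => '0544',
    }

    # Runtime directory for the session ticket keys: mode 0700 owned by
    # haproxy so only the haproxy user (and root) can read the keys.
    systemd::tmpfile { 'haproxy_secrets_tmpfile':
        content => 'd /run/haproxy-secrets 0700 haproxy haproxy -',
    }

    # Rotate the TLS session ticket keys every 8 hours and once at boot;
    # runs as root since it writes into the haproxy-owned secrets directory.
    $tls_ticket_keys_path = '/run/haproxy-secrets/stek.keys'
    systemd::timer::job { 'haproxy_stek_job':
        ensure      => present,
        description => 'HAProxy STEK manager',
        command     => "/usr/local/sbin/haproxy-stek-manager ${tls_ticket_keys_path}",
        interval    => [
            {
            'start'    => 'OnCalendar',
            'interval' => '*-*-* 00/8:00:00', # every 8 hours
            },
            {
            'start'    => 'OnBootSec',
            'interval' => '0sec',
            },
        ],
        user        => 'root',
        require     => File['/usr/local/sbin/haproxy-stek-manager'],
    }

    # Fail at compile time rather than deploying a terminator without the
    # configured unified certificate.
    if !$available_unified_certificates[$public_tls_unified_cert_vendor] {
        fail('The specified TLS unified cert vendor is not available')
    }

    unless empty($unified_certs) {
        $unified_certs.each |String $cert| {
            # Haproxy::Site['tls'] is presumably declared by
            # haproxy::tls_terminator['tls'] below — confirm in that define.
            sslcert::certificate { $cert:
                before => Haproxy::Site['tls']
            }

            if $do_ocsp {
                sslcert::ocsp::conf { $cert:
                    proxy  => $ocsp_proxy,
                    before => Service['haproxy'],
                }
                # HAProxy expects the prefetched OCSP response on the same path as the certificate
                file { "/etc/ssl/private/${cert}.chained.crt.key.ocsp":
                    ensure  => link,
                    target  => "/var/cache/ocsp/${cert}.ocsp",
                    require => Sslcert::Ocsp::Conf[$cert],
                }
            }
        }
        if $do_ocsp {
            sslcert::ocsp::hook { 'haproxy-ocsp':
                content => file('profile/cache/update_ocsp_haproxy_hook.sh'),
            }
        }
    }

    if $unified_acme_chief {
        acme_chief::cert { 'unified':
            puppet_svc => 'haproxy',
            key_group  => 'haproxy',
        }
    }

    # The unified certificate always comes first; extra certificates are
    # requested from acme-chief and appended to the list handed to HAProxy.
    if !empty($extra_certificates) {
        $extra_certificates.each |String $extra_cert_name, Hash $extra_cert| {
            acme_chief::cert { $extra_cert_name:
                puppet_svc => 'haproxy',
                key_group  => 'haproxy',
            }
        }
        $certificates = [$available_unified_certificates[$public_tls_unified_cert_vendor]] + values($extra_certificates)
    } else {
        $certificates = [$available_unified_certificates[$public_tls_unified_cert_vendor]]
    }

    # Previously deployed file, now removed. Owner, group, mode and content are
    # not applied to an absent file, and evaluating file() for it would keep an
    # unnecessary compile-time dependency on the old module file.
    file { '/etc/haproxy/tls.lua':
        ensure => absent,
    }

    haproxy::tls_terminator { 'tls':
        port                 => $tls_port,
        backend_socket       => $varnish_socket,
        certificates         => $certificates,
        tls_ciphers          => $tls_ciphers,
        tls13_ciphers        => $tls13_ciphers,
        timeout              => $timeout,
        h2settings           => $h2settings,
        proxy_protocol       => $proxy_protocol,
        tls_cachesize        => $tls_cachesize,
        tls_session_lifetime => $tls_session_lifetime,
        tls_ticket_keys_path => $tls_ticket_keys_path,
        http_reuse           => 'always',
        vars                 => $vars,
        acls                 => $acls,
        add_headers          => $add_headers,
        del_headers          => $del_headers,
        prometheus_port      => $prometheus_port,
    }

    profile::cache::haproxy::monitoring { 'haproxy_tls_monitoring':
        port         => $tls_port,
        certificates => $certificates,
        do_ocsp      => $do_ocsp,
        acme_chief   => $unified_acme_chief,
        require      => Haproxy::Tls_terminator['tls'],
    }

    # Socket-activated mtail instance for the tls frontend logs.
    systemd::service { 'haproxy-mtail@tls.socket':
        content => systemd_template('haproxy-mtail@.socket'),
    }

    systemd::service { 'haproxy-mtail@tls':
        content => systemd_template('haproxy-mtail@'),
    }

    rsyslog::conf { 'haproxy@tls':
        priority => 20,
        content  => template('profile/cache/haproxy.rsyslog.conf.erb'),
    }

    # Restart the mtail instance whenever the program changes.
    mtail::program { 'cache_haproxy':
        source      => 'puppet:///modules/mtail/programs/cache_haproxy.mtail',
        destination => $mtail_dir,
        notify      => Service['haproxy-mtail@tls'],
    }
}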