# File 'modules/profile/manifests/thanos/httpd.pp', line 16
# @summary Apache front end for Thanos, authenticated via CAS or (opt-in) OIDC SSO.
#
# Declares the httpd class with the proxy/load-balancing modules, selects one of
# two authentication setups, installs the 'thanos-query' site and opens tcp/80
# in ferm.
#
# @param query_port
#   Unprivileged port handed to the CAS vhost as `query_port`.
#   Presumably also read by profile/thanos/httpd.conf.erb - verify in the template.
# @param maxconn
#   Integer handed to the CAS vhost as `maxconn`.
# @param rule_hosts
#   Hash keyed by FQDN, handed to the CAS vhost as `rule_hosts`.
# @param oidc_sso
#   When true, use profile::thanos::oidc instead of the CAS-protected vhost.
#   Falls back to false if 'profile::thanos::oidc_sso_enabled' is not set.
class profile::thanos::httpd (
    Stdlib::Port::Unprivileged $query_port = lookup('profile::thanos::httpd::query_port'),
    Integer                    $maxconn    = lookup('profile::thanos::httpd::maxconn'),
    Hash[Stdlib::Fqdn, Hash]   $rule_hosts = lookup('profile::thanos::rule_hosts'),
    Boolean                    $oidc_sso   = lookup('profile::thanos::oidc_sso_enabled', { 'default_value' => false }),
) {
    class { 'httpd':
        modules => [
            'proxy_http',
            'lbmethod_byrequests',
            'allowmethods',
            'rewrite',
        ],
    }

    if $oidc_sso {
        # Switching a host from CAS to OIDC (false -> true) only works once the
        # auth_cas module configuration has been removed.
        httpd::mod_conf { 'auth_cas':
            ensure => absent,
        }

        # NOTE(review): the LDAP group restriction applied in the CAS branch below
        # is not repeated here. Authorization under OIDC is whatever
        # profile::thanos::oidc configures - confirm it enforces an equivalent
        # restriction before enabling this on a host.
        include profile::thanos::oidc
    } else {
        # CAS-protected vhost: access is limited to members of the two LDAP
        # groups listed in required_groups.
        profile::idp::client::httpd::site { 'thanos.wikimedia.org':
            vhost_content    => 'profile/idp/client/httpd-thanos.erb',
            proxied_as_https => true,
            document_root    => '/var/www/html',
            required_groups  => [
                'cn=wmf,ou=groups,dc=wikimedia,dc=org',
                'cn=nda,ou=groups,dc=wikimedia,dc=org',
            ],
            vhost_settings   => {
                query_port      => $query_port,
                maxconn         => $maxconn,
                # Fixed here rather than looked up; presumably these must match
                # the ports the bucket web and rule services listen on - verify.
                bucket_web_port => 15902,
                rule_hosts      => $rule_hosts,
                rule_port       => 17902,
            },
        }
    }

    # Installed in both authentication modes.
    # NOTE(review): the template is not visible from this class; confirm whether
    # the site enforces authentication itself or relies solely on the ferm source
    # range below.
    httpd::site { 'thanos-query':
        content => template('profile/thanos/httpd.conf.erb'),
    }

    # Plain HTTP on tcp/80, accepted only from the $DOMAIN_NETWORKS ferm macro
    # (single-quoted on purpose: ferm expands it, not Puppet).
    ferm::service { 'thanos_httpd':
        proto  => 'tcp',
        port   => 80,
        srange => '$DOMAIN_NETWORKS',
    }

    profile::auto_restarts::service { 'apache2': }
    profile::auto_restarts::service { 'envoyproxy': }
}