Puppet Class: profile::toolforge::k8s::haproxy

Defined in:
modules/profile/manifests/toolforge/k8s/haproxy.pp

Overview

Parameters:

  • ingress_nodes (Array[Stdlib::Fqdn]) (defaults to: lookup('profile::toolforge::k8s::ingress_nodes', {default_value => ['localhost']}))
  • ingress_port (Stdlib::Port) (defaults to: lookup('profile::toolforge::k8s::ingress_port', {default_value => 30000}))
  • ingress_backend_port (Stdlib::Port) (defaults to: lookup('profile::toolforge::k8s::ingress_backend_port', {default_value => 30002}))
  • control_nodes (Array[Stdlib::Fqdn]) (defaults to: lookup('profile::toolforge::k8s::control_nodes', {default_value => ['localhost']}))
  • api_port (Stdlib::Port) (defaults to: lookup('profile::toolforge::k8s::apiserver_port', {default_value => 6443}))
  • api_gateway_port (Stdlib::Port) (defaults to: lookup('profile::toolforge::k8s::haproxy::api_gateway_port', {default_value => 30003}))
  • keepalived_vips (Array[Stdlib::Fqdn]) (defaults to: lookup('profile::toolforge::k8s::haproxy::keepalived_vips', {default_value => []}))
  • keepalived_peers (Array[Stdlib::Fqdn]) (defaults to: lookup('profile::toolforge::k8s::haproxy::keepalived_peers', {default_value => ['localhost']}))
  • keepalived_password (String) (defaults to: lookup('profile::toolforge::k8s::haproxy::keepalived_password', {default_value => 'notarealpassword'}))
  • web_domain (Stdlib::Fqdn) (defaults to: lookup('profile::toolforge::web_domain', {default_value => 'toolforge.org'}))


# File 'modules/profile/manifests/toolforge/k8s/haproxy.pp', line 1

# Sets up HAProxy on a Toolforge Kubernetes front-end host.
#
# Declares haproxy::cloud::base, renders three conf.d fragments from ERB
# templates (API servers, ingress, ingress API gateway), removes the old
# k8s-ingress-jobs.cfg fragment, declares the Prometheus HAProxy exporter,
# optionally declares keepalived, and registers two blackbox HTTP checks.
#
# @param ingress_nodes not referenced in this manifest body; presumably read by the ERB templates (confirm)
# @param ingress_port port probed by the blackbox HTTP checks below; may also be read by the templates (confirm)
# @param ingress_backend_port not referenced in this manifest body; presumably read by the ERB templates (confirm)
# @param control_nodes not referenced in this manifest body; presumably read by the ERB templates (confirm)
# @param api_port not referenced in this manifest body; presumably read by the ERB templates (confirm)
# @param api_gateway_port not referenced in this manifest body; presumably read by the ERB templates (confirm)
# @param keepalived_vips hostnames resolved with ipresolve() and passed to keepalived as vips; an empty list disables keepalived
# @param keepalived_peers hosts taking part in keepalived; keepalived is only declared when this node's FQDN is in the list
# @param keepalived_password passed to the keepalived class as auth_pass
# @param web_domain domain suffix used to build the blackbox check hostnames
class profile::toolforge::k8s::haproxy (
    Array[Stdlib::Fqdn] $ingress_nodes        = lookup('profile::toolforge::k8s::ingress_nodes',                {default_value => ['localhost']}),
    Stdlib::Port        $ingress_port         = lookup('profile::toolforge::k8s::ingress_port',                 {default_value => 30000}),
    Stdlib::Port        $ingress_backend_port = lookup('profile::toolforge::k8s::ingress_backend_port',         {default_value => 30002}),
    Array[Stdlib::Fqdn] $control_nodes        = lookup('profile::toolforge::k8s::control_nodes',                {default_value => ['localhost']}),
    Stdlib::Port        $api_port             = lookup('profile::toolforge::k8s::apiserver_port',               {default_value => 6443}),
    Stdlib::Port        $api_gateway_port     = lookup('profile::toolforge::k8s::haproxy::api_gateway_port',    {default_value => 30003}),
    Array[Stdlib::Fqdn] $keepalived_vips      = lookup('profile::toolforge::k8s::haproxy::keepalived_vips',     {default_value => []}),
    Array[Stdlib::Fqdn] $keepalived_peers     = lookup('profile::toolforge::k8s::haproxy::keepalived_peers',    {default_value => ['localhost']}),
    # The secret is typed as a plain String, not Sensitive[String], so Puppet does
    # not redact it from the compiled catalog or reports.
    # NOTE(review): when the Hiera key is missing, the placeholder default below is
    # used as the real keepalived auth_pass. Confirm every environment that sets
    # keepalived_vips also sets this key from a private data source.
    String              $keepalived_password  = lookup('profile::toolforge::k8s::haproxy::keepalived_password', {default_value => 'notarealpassword'}),
    Stdlib::Fqdn        $web_domain           = lookup('profile::toolforge::web_domain',                        {default_value => 'toolforge.org'}),
) {
    class { 'haproxy::cloud::base': }

    # Each fragment is root-owned and world-readable (0444), and any change
    # notifies the haproxy service.
    # NOTE(review): 0444 is only appropriate while the templates embed no
    # secrets; the templates are not visible here, so confirm.
    file { '/etc/haproxy/conf.d/k8s-api-servers.cfg':
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        content => template('profile/toolforge/k8s/haproxy/k8s-api-servers.cfg.erb'),
        notify  => Service['haproxy'],
    }
    file { '/etc/haproxy/conf.d/k8s-ingress.cfg':
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        content => template('profile/toolforge/k8s/haproxy/k8s-ingress.cfg.erb'),
        notify  => Service['haproxy'],
    }

    # Remove the ingress-jobs fragment so HAProxy stops loading it from conf.d.
    file { '/etc/haproxy/conf.d/k8s-ingress-jobs.cfg':
        ensure => absent,
        notify => Service['haproxy'],
    }
    file { '/etc/haproxy/conf.d/k8s-ingress-api-gateway.cfg':
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        content => template('profile/toolforge/k8s/haproxy/k8s-ingress-api-gateway.cfg.erb'),
        notify  => Service['haproxy'],
    }

    class { 'prometheus::haproxy_exporter': }

    # keepalived is declared only when at least one VIP is configured and this
    # node's FQDN is listed as a peer. With the defaults (no VIPs) it is skipped.
    if !$keepalived_vips.empty() and $facts['networking']['fqdn'] in $keepalived_peers {
        class { 'keepalived':
            auth_pass => $keepalived_password,
            # The peer list handed to keepalived excludes this node itself.
            peers     => delete($keepalived_peers, $facts['networking']['fqdn']),
            # VIP hostnames are turned into addresses by ipresolve(); the second
            # argument presumably selects IPv4 (confirm against ipresolve()).
            vips      => $keepalived_vips.map |$host| { ipresolve($host, 4) },
        }
    }

    # Blackbox HTTP probes. The default body applies to both checks; each title
    # is the hostname being probed.
    prometheus::blackbox::check::http {
        default:
            port                => $ingress_port,
            ip_families         => ['ip4'],
            prometheus_instance => 'tools',
            team                => 'wmcs',
            severity            => 'warning';

        # well-known-to-exist web service
        "admin.${web_domain}":
            path               => '/healthz',
            body_regex_matches => ['OK'];

        # monitor the 404 handler
        # creation on this tool has been blocked by the title blacklist
        "this-tool-does-not-exist.${web_domain}":
            timeout            => '15s',
            body_regex_matches => ['The URL you have requested'],
            status_matches     => [404];
    }
}