diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/inventories/dev/templates/haproxy.cfg.j2 similarity index 100% rename from roles/haproxy/templates/haproxy.cfg.j2 rename to inventories/dev/templates/haproxy.cfg.j2 diff --git a/inventories/production-ehi/templates/haproxy.cfg.j2 b/inventories/production-ehi/templates/haproxy.cfg.j2 new file mode 100644 index 0000000..97acb1f --- /dev/null +++ b/inventories/production-ehi/templates/haproxy.cfg.j2 @@ -0,0 +1,342 @@ +global + log /dev/log local0 + log /dev/log local1 notice + chroot /var/lib/haproxy + stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners + stats timeout 30s + user haproxy + group haproxy + daemon + + # Default SSL material locations + ca-base /etc/ssl/certs + crt-base /etc/ssl/private + + # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate + ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 + ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets + +defaults + log global + mode http + option httplog + option dontlognull + timeout connect 5000 + timeout client 4h + timeout server 4h + errorfile 400 /etc/haproxy/errors/400.http + errorfile 403 /etc/haproxy/errors/403.http + errorfile 408 /etc/haproxy/errors/408.http + errorfile 500 /etc/haproxy/errors/500.http + errorfile 502 /etc/haproxy/errors/502.http + errorfile 503 /etc/haproxy/errors/503.http + errorfile 504 /etc/haproxy/errors/504.http + +listen stats + mode http + bind *:8443 ssl crt /etc/wildcard-tls/latest/generic/_.estuary.tech-combined.pem + stats enable + stats uri / + stats admin if LOCALHOST + +frontend http + bind *:80 + bind *:443 ssl crt /etc/wildcard-tls/latest/generic/_.estuary.tech-combined.pem crt /etc/wildcard-tls/latest/generic/_.delta.estuary.tech-combined.pem crt /etc/wildcard-tls/latest/generic/_.edge.estuary.tech-combined.pem crt /etc/wildcard-tls/latest/generic/_.registry.estuary.tech-combined.pem crt /etc/wildcard-tls/latest/generic/_.s3.estuary.tech-combined.pem alpn h2,http/1.1 + # HTTPS redirect + redirect scheme https code 301 if !{ ssl_fc } + + tcp-request inspect-delay 5s + + mode http + option tcplog + # Edge nodes + acl dev_edge hdr(host) -i dev-edge.estuary.tech + use_backend dev-edge if dev_edge + # SeaweedFS S3 + acl s3_path hdr(host) -m reg -i ^[^\.]+\.s3\.estuary\.tech$ + use_backend s3_gateway if s3_path + acl s3_direct hdr(host) -i s3.estuary.tech + use_backend s3_gateway if s3_direct + # CPI Edge nodes + acl cpi_edge hdr(host) -m reg -i ^[^\.]+\.edge\.estuary\.tech$ + use_backend rke2_phos_ingress if cpi_edge + # CPI Delta nodes + acl cpi_delta hdr(host) -m reg -i ^[^\.]+\.delta\.estuary\.tech$ + use_backend rke2_phos_ingress if cpi_delta + # CPI Delta Registry nodes + acl cpi_delta_registry hdr(host) -m reg -i ^[^\.]+\.registry\.estuary\.tech$ + use_backend rke2_phos_ingress if cpi_delta_registry + # EBI Rancher (production) + acl rancher hdr(host) -i rancher.estuary.tech + use_backend rke2_ebi_ingress if rancher + # EBI AWX (production) + acl awx hdr(host) -i awx.estuary.tech + use_backend rke2_ebi_ingress if awx + # EBI Nautobot (production) + acl nautobot hdr(host) -i nautobot.estuary.tech|hdr(host) -i ipam.estuary.tech + use_backend nautobot if nautobot + # EBI Snipe-IT Inventory (production) + acl snipeit hdr(host) -i inventory.estuary.tech|hdr(host) -i snipeit.estuary.tech + use_backend snipeit if snipeit + # EHI ArgoCD (production) + acl argocd hdr(host) -i argocd.estuary.tech + use_backend rke2_phos_ingress if argocd + # EHI Edge (production) + acl edge hdr(host) -i edge.estuary.tech + use_backend edge if edge + # EHI Delta (production) + acl delta hdr(host) -i delta.estuary.tech + use_backend delta if delta + acl delta-dm hdr(host) -i delta-dm.estuary.tech + use_backend delta-dm if delta-dm + acl delta-web hdr(host) -i delta-web.estuary.tech + use_backend delta-web if delta-web + # Filecoin tl;dr demo (dev) + acl filecointldr hdr(host) -i filecointldr.estuary.tech + use_backend filecointldr if filecointldr + # FWS cdn + acl fwscdn hdr(host) -i fwscdn.estuary.tech + use_backend fwscdn if fwscdn + # Blackhole all other traffic + default_backend blackhole + +frontend rgw_gateway + bind *:7480 ssl crt /etc/wildcard-tls/latest/generic/_.estuary.tech-combined.pem + mode http + option httplog + log global + default_backend rgw_gateway + +frontend rke2_ebi_cluster + bind *:9345 + mode tcp + option tcplog + log global + default_backend rke2_ebi_cluster + +frontend ebi_postgresql + bind *:51432 + mode tcp + option tcplog + timeout client 1h + log global + default_backend ebi_postgresql + +frontend ehi_postgresql + bind *:52432 + mode tcp + option tcplog + timeout client 1h + log global + default_backend ehi_postgresql + +frontend mariadb_cluster + bind *:3306 + mode tcp + option tcplog + log global + default_backend mariadb_cluster + +# Send all traffic not specifically destined for a destination to an invalid port. +backend blackhole + server blackhole 127.0.0.1:443 verify none + +backend s3_gateway + balance leastconn + http-check expect status 200 + server prod-swfs-filer01 prod-swfs-filer01.estuary.tech:443 ssl verify none + server prod-swfs-filer02 prod-swfs-filer01.estuary.tech:443 ssl verify none + server prod-swfs-filer03 prod-swfs-filer01.estuary.tech:443 ssl verify none + server prod-swfs-filer04 prod-swfs-filer01.estuary.tech:443 ssl verify none + +backend rgw_gateway + balance leastconn + option httpchk GET /swift/healthcheck + http-check expect status 200 + server altair altair.estuary.tech:7480 check + server apollo apollo.estuary.tech:7480 check + server arcturus arcturus.estuary.tech:7480 check + server capella capella.estuary.tech:7480 check + server pioneer pioneer.estuary.tech:7480 check + server polaris polaris.estuary.tech:7480 check + server sirius sirius.estuary.tech:7480 check + server vega vega.estuary.tech:7480 check + +backend moosefs + balance source + option tcp-check + tcp-check connect port 9425 + server mfs-m01 polaris.estuary.tech:9425 check + server mfs-m02 vega.estuary.tech:9425 check + server mfs-m03 sirius.estuary.tech:9425 check + server mfs-m04 capella.estuary.tech:9425 check + +backend fwscdn + mode http + balance leastconn + option httpchk + http-check expect status 200,405 + server prod-fwscdn01 prod-fwscdn01.estuary.tech:80 check + server prod-fwscdn02 prod-fwscdn02.estuary.tech:80 check + server prod-fwscdn03 prod-fwscdn03.estuary.tech:80 check + +backend dev-edge + server dev-edge01 dev-edge01.estuary.tech:1414 check + +backend edge + mode http + balance leastconn + option httpchk + server prod-ehi-edge01 prod-ehi-edge01.estuary.tech:1414 check + server prod-ehi-edge02 prod-ehi-edge02.estuary.tech:1414 check + server prod-ehi-edge03 prod-ehi-edge03.estuary.tech:1414 check + server prod-ehi-edge04 prod-ehi-edge04.estuary.tech:1414 check + server prod-ehi-edge05 prod-ehi-edge05.estuary.tech:1414 check + server prod-ehi-edge06 prod-ehi-edge06.estuary.tech:1414 check + server prod-ehi-edge07 prod-ehi-edge07.estuary.tech:1414 check + server prod-ehi-edge08 prod-ehi-edge08.estuary.tech:1414 check + +backend delta + mode http + balance leastconn + option httpchk + server prod-ehi-delta01 prod-ehi-delta01.estuary.tech:1414 check + server prod-ehi-delta02 prod-ehi-delta02.estuary.tech:1414 check + server prod-ehi-delta03 prod-ehi-delta03.estuary.tech:1414 check + server prod-ehi-delta04 prod-ehi-delta04.estuary.tech:1414 check + server prod-ehi-delta05 prod-ehi-delta05.estuary.tech:1414 check + server prod-ehi-delta06 prod-ehi-delta06.estuary.tech:1414 check + server prod-ehi-delta07 prod-ehi-delta07.estuary.tech:1414 check + server prod-ehi-delta08 prod-ehi-delta08.estuary.tech:1414 check + +backend delta-dm + mode http + balance leastconn + option httpchk + server prod-ehi-delta01 prod-ehi-delta01.estuary.tech:1415 check + server prod-ehi-delta02 prod-ehi-delta02.estuary.tech:1415 check + server prod-ehi-delta03 prod-ehi-delta03.estuary.tech:1415 check + server prod-ehi-delta04 prod-ehi-delta04.estuary.tech:1415 check + server prod-ehi-delta05 prod-ehi-delta05.estuary.tech:1415 check + server prod-ehi-delta06 prod-ehi-delta06.estuary.tech:1415 check + server prod-ehi-delta07 prod-ehi-delta07.estuary.tech:1415 check + server prod-ehi-delta08 prod-ehi-delta08.estuary.tech:1415 check + +backend delta-web + mode http + balance leastconn + option httpchk + http-check expect status 200,405 + server prod-ehi-delta01 prod-ehi-delta01.estuary.tech:3000 check + server prod-ehi-delta02 prod-ehi-delta02.estuary.tech:3000 check + server prod-ehi-delta03 prod-ehi-delta03.estuary.tech:3000 check + server prod-ehi-delta04 prod-ehi-delta04.estuary.tech:3000 check + server prod-ehi-delta05 prod-ehi-delta05.estuary.tech:3000 check + server prod-ehi-delta06 prod-ehi-delta06.estuary.tech:3000 check + server prod-ehi-delta07 prod-ehi-delta07.estuary.tech:3000 check + server prod-ehi-delta08 prod-ehi-delta08.estuary.tech:3000 check + +backend rke2_ebi_cluster + balance roundrobin + option tcp-check + tcp-check connect port 9345 + timeout check 5000 + server prod-ebi-k8s-m01 prod-ebi-k8s-m01.estuary.tech:9345 check + server prod-ebi-k8s-m02 prod-ebi-k8s-m02.estuary.tech:9345 check + server prod-ebi-k8s-m03 prod-ebi-k8s-m03.estuary.tech:9345 check + +backend rke2_ebi_ingress + mode http + balance roundrobin + # TODO (bug): This check should not be dependent on AWX being online. + # This ingress will be used for other things too, which shouldn't go offline just because AWX does. + option httpchk GET / HTTP/1.1\r\nHost:\ awx.estuary.tech + timeout check 5000 + log global + server prod-ebi-k8s-m01 prod-ebi-k8s-m01.estuary.tech:443 ssl check verify none + server prod-ebi-k8s-m02 prod-ebi-k8s-m02.estuary.tech:443 ssl check verify none + server prod-ebi-k8s-m03 prod-ebi-k8s-m03.estuary.tech:443 ssl check verify none + +backend rke2_phos_ingress + mode http + balance roundrobin + timeout check 5000 + # TODO add checks, use DNS to load list of workers instead of statically coding them in + log global + server prod-phos-k8s-w01 prod-phos-k8s-w01.estuary.tech:443 ssl verify none + server prod-phos-k8s-w02 prod-phos-k8s-w02.estuary.tech:443 ssl verify none + server prod-phos-k8s-w03 prod-phos-k8s-w03.estuary.tech:443 ssl verify none + +backend nautobot + mode http + option httpchk + balance roundrobin + timeout check 5000 + log global + server prod-nautobot01 prod-nautobot01.estuary.tech:443 check ssl verify none + +backend snipeit + mode http + option httpchk GET / HTTP/1.1\r\nHost:\ inventory.estuary.tech + balance roundrobin + timeout check 5000 + log global + server prod-docker01 prod-docker01.estuary.tech:443 check ssl verify none + +backend ebi_postgresql + balance source + mode tcp + timeout connect 90000 + timeout server 1h + option httpchk + http-check expect status 200 + timeout check 5000 + default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions +# server prod-ebi-db01 prod-ebi-db01.estuary.tech:5432 check port 8008 +# server prod-ebi-db02 prod-ebi-db02.estuary.tech:5432 check port 8008 +# server prod-ebi-db03 prod-ebi-db03.estuary.tech:5432 check port 8008 +# Old servers + server prod-ebi-db01 10.24.0.61:5432 check port 8008 + server prod-ebi-db02 10.24.0.62:5432 check port 8008 + server prod-ebi-db03 10.24.0.63:5432 check port 8008 + +backend ehi_postgresql + balance source + mode tcp + timeout connect 90000 + timeout server 1h + option httpchk + http-check expect status 200 + timeout check 5000 + default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions + server prod-ehi-db01 prod-ehi-db01.estuary.tech:5432 check port 8008 + server prod-ehi-db02 prod-ehi-db02.estuary.tech:5432 check port 8008 + server prod-ehi-db03 prod-ehi-db03.estuary.tech:5432 check port 8008 + +backend ehi_postgresql_read + balance source + mode tcp + timeout connect 90000 + timeout server 1h + timeout check 5000 + default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions + server prod-ehi-db01 prod-ehi-db01.estuary.tech:5432 check + server prod-ehi-db02 prod-ehi-db02.estuary.tech:5432 check + server prod-ehi-db03 prod-ehi-db03.estuary.tech:5432 check + +backend mariadb_cluster + balance leastconn + mode tcp + timeout queue 1m + timeout connect 30s + timeout server 1h + option httpchk + server prod-ebi-mariadb01 prod-ebi-mariadb01.estuary.tech:3306 check port 9200 + server prod-ebi-mariadb02 prod-ebi-mariadb02.estuary.tech:3306 check port 9200 + server prod-ebi-mariadb03 prod-ebi-mariadb03.estuary.tech:3306 check port 9200 + +backend filecointldr + balance source + mode http + server dev-nginx-ana01 dev-nginx-ana01.estuary.tech:80 check diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml index a8bbad8..8935635 100644 --- a/roles/haproxy/tasks/main.yml +++ b/roles/haproxy/tasks/main.yml @@ -6,7 +6,7 @@ - name: Configure haproxy ansible.builtin.template: - src: haproxy.cfg.j2 + src: "{{ inventory_dir }}/templates/haproxy.cfg.j2" dest: /etc/haproxy/haproxy.cfg owner: root group: root