Merge pull request #250 from stfc/update_haproxy

khalford · web-flow · commit 37d4404486e7 · 2025-10-13T09:11:06.000+01:00
ENH: Update HAProxy to use self-signed certificates
diff --git a/chatops_deployment/ansible/roles/haproxy/tasks/haproxy.yml b/chatops_deployment/ansible/roles/haproxy/tasks/haproxy.yml
@@ -21,6 +21,31 @@
     path: /etc/haproxy/{{ domain }}.crt
   register: haproxy_certificate_file
 
+- name: Create ssl directory to store self signed certificates
+  become: true
+  ansible.builtin.file:
+    path: /etc/haproxy/ssl
+    state: directory
+    owner: root
+    group: haproxy
+    mode: "0774"
+
+- name: Copy service self signed certificates
+  become: true
+  ansible.builtin.copy:
+    src: "./{{ env }}_ssl/{{ item }}.crt"
+    dest: "/etc/haproxy/ssl/{{ item }}.crt"
+    owner: root
+    group: haproxy
+    mode: "0440"
+  loop:
+    - grafana
+    - kibana
+    - elasticsearch
+    - prometheus
+    - alertmanager
+    - chatops
+
 - name: Make sure haproxy.service is running
   become: true
   ansible.builtin.systemd_service:
diff --git a/chatops_deployment/ansible/roles/haproxy/templates/haproxy.cfg.j2 b/chatops_deployment/ansible/roles/haproxy/templates/haproxy.cfg.j2
@@ -40,8 +40,10 @@ bind *:443 ssl crt /etc/haproxy/{{ domain }}.crt
 stats enable
 stats uri /stats
 stats refresh 10s
-http-request add-header X-Forwarded-Proto  https
+http-request add-header X-Forwarded-Proto https
+http-request add-header X-Forwarded-Port 443
 redirect scheme https if !{ ssl_fc }
+option forwardfor
 
 acl grafana hdr_sub(host) -i grafana.{{ domain }}
 acl prometheus hdr_sub(host) -i prometheus.{{ domain }}
@@ -64,35 +66,19 @@ frontend PROMETHEUS
 
 backend GRAFANA
 balance source
-{% for address in groups['grafana'] %}
-{% if loop.first %}
-server grafana_{{ loop.index }} {{ address }}:3000 check
-{% else %}
-server grafana_{{ loop.index }} {{ address }}:3000 check backup
-{% endif %}
-{% endfor %}
+server grafana localhost:3000 check ssl verify required ca-file /etc/haproxy/ssl/grafana.crt
 
 backend PROMETHEUS
 balance source
-{% for address in groups['prometheus'] %}
-server prometheus_{{ loop.index }} {{ address }}:9090 check
-{% endfor %}
+server prometheus localhost:9090 check ssl verify required ca-file /etc/haproxy/ssl/prometheus.crt
 
 backend ALERTMANAGER
-{% for address in groups['prometheus'] %}
-server alertmanager_{{ loop.index }} {{ address }}:9093 check
-{% endfor %}
+server alertmanager localhost:9093 check ssl verify required ca-file /etc/haproxy/ssl/alertmanager.crt
 
 backend CHATOPS
-{% for address in groups['chatops'] %}
-{% if loop.last %}
-server chatops_{{ loop.index }} {{ address }}:3000 check backup
-{% else %}
-server chatops_{{ loop.index }} {{ address }}:3000 check
-{% endif %}
-{% endfor %}
+server chatops_0 localhost:3030 check
+server chatops_1 localhost:3031 check
+server chatops_2 localhost:3032 check backup
 
 backend KIBANA
-{% for address in groups['elastic'] %}
-server elastic_{{ loop.index }} {{ address }}:5601 check
-{% endfor %}
+server kibana localhost:5601 check ssl verify required ca-file /etc/haproxy/ssl/kibana.crt
