Created
October 17, 2018 20:58
-
-
Save lutter/b668f0d4e3b7ddc5a4ff72065e6b6764 to your computer and use it in GitHub Desktop.
HAProxy container for loadbalancing between Puppet masters/compilers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /bin/bash | |
| # Master will cat public and private key into this file | |
| cert=/etc/ssl/proxy_cert.pem | |
| while [[ ! -f "$cert" ]]; do | |
| sleep 1 | |
| done | |
| exec haproxy -f /usr/local/etc/haproxy/haproxy.cfg |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| FROM haproxy:latest | |
| # HAProxy management port | |
| EXPOSE 8765 | |
| # Puppetserver | |
| EXPOSE 8140 | |
| COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg | |
| COPY docker-entrypoint.sh / | |
| ENTRYPOINT ["/docker-entrypoint.sh"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| global | |
| stats socket ipv4@*:8765 level admin | |
| tune.ssl.default-dh-param 2048 | |
| log /var/run/rsyslog/dev/log local0 | |
| log /var/run/rsyslog/dev/log local1 | |
| defaults | |
| mode http | |
| option httplog | |
| timeout connect 5000 | |
| timeout check 5000 | |
| timeout client 30000 | |
| timeout server 30000 | |
| listen stats # Define a listen section called "stats" | |
| bind *:9000 # Listen on localhost:9000 | |
| stats enable # Enable stats page | |
| stats hide-version # Hide HAProxy version | |
| stats realm Haproxy\ Statistics # Title text for popup window | |
| stats uri / # Stats URI | |
| #--------------------------------------------------------------------- | |
| # frontend with SSL termination | |
| # see https://github.com/vshn/puppet-in-docker/blob/master/haproxy/haproxy.tmpl | |
| #--------------------------------------------------------------------- | |
| frontend puppet | |
| bind *:8140 ssl ca-file /etc/ssl/certs/ca.pem crt /etc/ssl/proxy_cert.pem verify optional crl-file /etc/ssl/crl.pem | |
| acl is_ca_uri path_beg "/puppet-ca/" | |
| http-request set-header X-Client-Verify-Real %[ssl_c_verify] | |
| http-request set-header X-Client-Verify NONE if !{ hdr_val(X-Client-Verify-Real) eq 0 } | |
| http-request set-header X-Client-Verify SUCCESS if { hdr_val(X-Client-Verify-Real) eq 0 } | |
| http-request set-header X-Client-DN CN=%{+Q}[ssl_c_s_dn(cn)] | |
| http-request set-header X-Client-Cert "-----BEGIN CERTIFICATE-----%%0A%[ssl_c_der,base64]%%0A-----END CERTIFICATE----- #" if { ssl_c_used } | |
| use_backend ca if is_ca_uri | |
| default_backend puppets | |
| log global | |
| backend ca | |
| server master "master:8140" check port 8140 inter 5s | |
| backend puppets | |
| balance roundrobin | |
| server master master:8140 check port 8140 inter 5s | |
| # Create slots for compilers, but point them at a dummy and | |
| # disable them | |
| server-template compiler 1-20 master:8140 check port 8140 inter 5s disabled |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment