Open mboisson opened 8 months ago
This existing puppet module might be useful: https://forge.puppet.com/modules/puppetlabs/haproxy/readme
I ended up creating it with the above puppet module, with an instance `haproxy = { type = "p2-3gb", tags = ["haproxy"], count = 1 }` in my main.tf, adding `mod 'puppetlabs-haproxy', '8.0.0'` to my Puppetfile, and then in my yaml files:

```yaml
magic_castle::site::tags:
  haproxy:
    - haproxy

profile::sssd::client::domains:
  CCLDAP:
    id_provider: ldap
    auth_provider: ldap
    ldap_schema: rfc2307
    ldap_uri:
      - ldaps://haproxy1
    .....

haproxy::merge_options: false
haproxy::defaults_options:
  log: global
  option: ['tcplog', 'tcpka']
  balance: first
  timeout server: 1800s
  timeout connect: 2s
  mode: tcp
haproxy::custom_fragment: |
  frontend ldaps_service_front
      mode tcp
      bind %{lookup('terraform.self.local_ip')}:636
      description LDAPS Service
      option socket-stats
      option tcpka
      timeout client 3600s
      default_backend ldaps_service_back
  backend ldaps_service_back
      server ldap-1 <server1>:636 check fall 1 rise 1 inter 2s
      server ldap-2 <server1>:636 check fall 1 rise 1 inter 2s
      option ssl-hello-chk
```
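As an added example (not from this thread or the Magic Castle project), a small Python lint that parses an HAProxy fragment like the `custom_fragment` above and flags what a reviewer would check on an LDAPS pass-through: a `bind` on every interface instead of the internal IP, a backend `server` without `check`, and a backend without `option ssl-hello-chk`. The sample fragment and hostnames are constructed; the bind address stands in for the rendered `terraform.self.local_ip` lookup.

```python
import re

# Constructed sample modelled on the custom_fragment in the thread; the bind
# address stands in for the rendered terraform.self.local_ip lookup and the
# backend hostnames are placeholders (assumed values, not from the project).
SAMPLE_FRAGMENT = """\
frontend ldaps_service_front
    mode tcp
    bind 10.0.1.15:636
    option tcpka
    timeout client 3600s
    default_backend ldaps_service_back
backend ldaps_service_back
    server ldap-1 ldap1.example.org:636 check fall 1 rise 1 inter 2s
    server ldap-2 ldap2.example.org:636 check fall 1 rise 1 inter 2s
    option ssl-hello-chk
"""

WILDCARD_BINDS = {"", "*", "0.0.0.0", "::", "[::]"}

def parse_sections(fragment):
    """Split an HAProxy fragment into {name: (kind, [directive lines])}."""
    sections, current = {}, None
    for raw in fragment.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^(frontend|backend|listen)\s+(\S+)$", line)
        if header:
            current = header.group(2)
            sections[current] = (header.group(1), [])
        elif current is not None:
            sections[current][1].append(line)
    return sections

def lint_ldaps_proxy(fragment):
    """Return findings for an LDAPS pass-through fragment; [] means it binds an
    explicit address, health-checks every server and uses ssl-hello-chk."""
    findings = []
    for name, (kind, lines) in parse_sections(fragment).items():
        for line in lines:
            words = line.split()
            if words[0] == "bind" and words[1].rsplit(":", 1)[0] in WILDCARD_BINDS:
                findings.append(f"{name}: '{line}' listens on every interface")
            if words[0] == "server" and "check" not in words[3:]:
                findings.append(f"{name}: '{line}' has no health check")
        if kind == "backend" and "option ssl-hello-chk" not in lines:
            findings.append(f"{name}: no 'option ssl-hello-chk' on the backend")
    return findings
```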
In our cloud, if a VM has a public IP, all connections go through the public IP. When authenticating against an external LDAP, this means that the LDAP firewall configuration needs to be adjusted every time we add a new public VM. A better solution would be to run an HAProxy service on one of the internal nodes (mgmt1, puppet1, or dedicated node) which does not have a public IP. Communications of those VMs all go through the project's router, and the LDAP would only need to be open from the project's LDAP router.
Documentation on configuring an HAProxy service is available on this internal page: https://wiki.alliancecan.ca/wiki/LDAP_HAProxy