authorHugo Hörnquist <hugo@lysator.liu.se>2023-06-20 17:44:06 +0200
committerHugo Hörnquist <hugo@lysator.liu.se>2023-06-20 17:44:06 +0200
commitf6bf58194e19db45090c43f8e8cf248826fded7a (patch)
treee725b19edd885c283a8a36ad319a47b985c1438d
parentfixes (diff)
fixes
-rw-r--r--manifests/proxy/nginx.pp22
-rw-r--r--metadata.json4
2 files changed, 25 insertions, 1 deletions
diff --git a/manifests/proxy/nginx.pp b/manifests/proxy/nginx.pp
index c5b0132..3f315f0 100644
--- a/manifests/proxy/nginx.pp
+++ b/manifests/proxy/nginx.pp
@@ -3,6 +3,8 @@
# Rev-proxy, which also gathers all web nodes in a cluster, into a
# single web endpoint
#
+# This also manages the TLS certificate for the load balancer.
+#
# @param server_name
# Name of the nginx server, will also be used for rev-proxy routing.
# @param cluster
@@ -19,19 +21,35 @@ define concourse::proxy::nginx (
Enum['absent', 'present'] $ensure = 'present',
) {
include concourse
+ include ::letsencrypt
nginx::resource::upstream { "concourse_${cluster}":
ensure => $ensure,
members => $upstream_members,
}
+ letsencrypt::cert { $server_name:
+ include_self => true,
+ authenticator => 'nginx',
+ config => {
+ 'post-hook' => 'nginx -s reload',
+ },
+ }
+
nginx::resource::server { $server_name:
ipv6_enable => true,
ipv6_listen_options => '',
use_default_location => false,
- # TODO SSL
+ * => letsencrypt::conf::nginx($server_name),
}
+ # TODO the connection from nginx to each web instance is unencrypted.
+ # Concourse's documentation only mentions TLS through letsencrypt,
+ # which works less than ideal with internal nodes.
+ # Running unencrypted is however a bad idea, since web nodes are
+ # assumed to be on different machines. Either figure out how to use
+ # a custom certificate internally, or configure a segregated network.
+
# TODO proxy to upstream
nginx::resource::streamhost { "${server_name}-stream":
listen_port => 2222,
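Review bot: The new `letsencrypt::cert { $server_name: ... }` resource is not tied to `$ensure`, while the neighbouring `nginx::resource::upstream` passes `ensure => $ensure`; with `ensure => 'absent'` the upstream goes away but the certificate (and its `nginx -s reload` post-hook) stays managed, and `include ::letsencrypt` is pulled in unconditionally. If `letsencrypt::cert` accepts an `ensure` parameter, adding `ensure => $ensure,` next to `include_self => true` keeps the two consistent; otherwise the resource should be guarded with `if $ensure == 'present'`. The `* => letsencrypt::conf::nginx($server_name)` splat replaces the `# TODO SSL` marker, but whether that function also supplies listen/ssl settings and an HTTP-to-HTTPS redirect is not visible here, so a one-line comment stating what it contributes would help the next reader. The body of `concourse::proxy::nginx` starts before and continues past this hunk.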
@@ -44,6 +62,7 @@ define concourse::proxy::nginx (
server => $server_name,
location => '/',
proxy => "http://concourse_${cluster}",
+ * => letsencrypt::conf::nginx::location($server_name),
}
nginx::resource::location { "${server_name} - ~ /hijack$":
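Review bot: The `* => letsencrypt::conf::nginx::location($server_name)` splat is merged into a resource that already sets `server`, `location` and `proxy` explicitly, and the same splat is added in the next hunk to the `/hijack$` location after its `proxy_set_header` array; Puppet raises a duplicate-attribute error if the function's hash carries any key the resource also sets, so the function's key set is an implicit contract of both call sites. A comment at the first splat such as `# NOTE: keys returned by letsencrypt::conf::nginx::location must stay disjoint from the attributes set above` would make that constraint visible. Both enclosing `nginx::resource::location` blocks begin outside their hunks.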
@@ -60,5 +79,6 @@ define concourse::proxy::nginx (
'Upgrade $http_upgrade',
'Connection "upgrade"',
],
+ * => letsencrypt::conf::nginx::location($server_name),
}
}
diff --git a/metadata.json b/metadata.json
index bd45e42..9cee105 100644
--- a/metadata.json
+++ b/metadata.json
@@ -25,6 +25,10 @@
{
"name": "puppetlabs/concat",
"version_requirement": ">= 8.0.0 < 9.0.0"
+ },
+ {
+ "name": "HugoNikanor/letsencrypt",
+ "version_requirement": "0.2.0"
}
],
"requirements": [
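Review bot: The new `HugoNikanor/letsencrypt` dependency is pinned to the exact version `"0.2.0"`, whereas the neighbouring entries such as `puppetlabs/concat` use a bounded range (`">= 8.0.0 < 9.0.0"`). An exact pin is a legitimate choice for an early module whose API may still shift, but it will refuse any patch release; if that is the intent a short note in the commit message would record it, otherwise `"version_requirement": ">= 0.2.0 < 0.3.0"` follows the file's convention.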