feat(stats): refactor global stats sockets

This allows for multiple sockets to be defined, which is useful if multiple sockets with different access levels are desired. This is altering the haproxy:global:stats pillar structure and hence a BREAKING CHANGE. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
saltstack-formulas · Mar 5, 2024 · 975fc8b · 975fc8b
1 parent 42b603b
commit 975fc8b
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 21 deletions.
diff --git a/haproxy/templates/haproxy.jinja b/haproxy/templates/haproxy.jinja
@@ -45,12 +45,9 @@ global
 {%- if salt['pillar.get']('haproxy:global:daemon', 'no') == True %}
     daemon
 {%- endif %}
-{%- if salt['pillar.get']('haproxy:global:stats:enable', 'no') == True %}
-  {%- set socketpath = salt['pillar.get']('haproxy:global:stats:socketpath', '/tmp/ha_stats.sock') %}
-  {%- set mode = salt['pillar.get']('haproxy:global:stats:mode', '660') %}
-  {%- set level = salt['pillar.get']('haproxy:global:stats:level', 'operator') %}
-    stats socket {{ socketpath }} mode {{ mode }} level {{ level }}{% if 'extra' in salt['pillar.get']('haproxy:global:stats', {}) %} {{ salt['pillar.get']('haproxy:global:stats:extra') }}{% endif %}
-{%- endif %}
+{%- for socket, socket_config in salt['pillar.get']('haproxy:global:stats', {}).items() %}
+    stats socket {{ socket }} mode {{ socket_config.get('mode', '0600') }} level {{ socket_config.get('level', 'user') }} user {{ socket_config.get('user', 'haproxy') }} group {{ socket_config.get('group', 'haproxy') }}
+{%- endfor %}
 {%- if 'maxconn' in salt['pillar.get']('haproxy:global', {}) %}
     maxconn {{ salt['pillar.get']('haproxy:global:maxconn') }}
 {%- endif %}

diff --git a/pillar.example b/pillar.example
@@ -24,14 +24,19 @@ haproxy:
     log-tag: haproxy
     # Optional log-send-hostname parameter, sets the hostname field in the syslog header
     log-send-hostname: localhost
+    # stats sockets
     stats:
-      enable: true
-      socketpath: /var/lib/haproxy/stats
-      mode: 660
-      level: admin
-      # yamllint disable-line rule:line-length
-      # Optional extra bind parameter, for example to set the owner/group on the socket file
-      extra: user haproxy group haproxy
+      /run/haproxy/stats-ro:
+        # the defaults
+        level: user
+        mode: 600
+        user: haproxy
+        group: haproxy
+      /run/haproxy/stats-rw:
+        # custom example
+        level: admin
+        mode: 660
+        group: sysadmins
     # yamllint disable-line rule:line-length
     ssl-default-bind-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384"
     ssl-default-bind-options: "no-sslv3 no-tlsv10 no-tlsv11"

diff --git a/test/salt/pillar/default.sls b/test/salt/pillar/default.sls
@@ -21,14 +21,13 @@ haproxy:
     # Optional log-send-hostname parameter, sets the hostname field in the syslog header
     log-send-hostname: localhost
     stats:
-      enable: true
-      # Using the `haproxy:global:chroot:path`
-      socketpath: /var/lib/haproxy/stats
-      mode: 660
-      level: admin
-      # yamllint disable-line rule:line-length
-      # Optional extra bind parameter, for example to set the owner/group on the socket file
-      extra: user haproxy group haproxy
+      /run/haproxy/stats-operator:
+        level: operator
+        mode: 660
+        group: wheel
+      /run/haproxy/stats-admin:
+        level: admin
+        mode: 600
     # yamllint disable-line rule:line-length
     ssl-default-bind-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384"
     ssl-default-bind-options: "no-sslv3 no-tlsv10 no-tlsv11"