From 3ca94d2bf44acb7f6a2ffebb87ea89f45fe56450 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Tue, 5 Nov 2024 06:23:49 -0600 Subject: [PATCH] r/haproxy: Enable Prometheus metrics HAProxy can export stats in Prometheus format, but this requires special configuration of a dedicated front-end. To support this, the _haproxy_ Ansible role now has a pair of variables, `haproxy_enable_stats` and `haproxy_stats_port`, which control whether or not the stats front-end is enabled, and if so, what port it listens on. Note that on Fedora with the default SELinux policy, the port must be labelled either `http_port_t` or `http_cache_port_t`. --- roles/haproxy/defaults/main.yml | 2 ++ roles/haproxy/tasks/main.yml | 23 +++++++++++++++++++++++ roles/haproxy/templates/stats.cfg.j2 | 10 ++++++++++ 3 files changed, 35 insertions(+) create mode 100644 roles/haproxy/templates/stats.cfg.j2 diff --git a/roles/haproxy/defaults/main.yml b/roles/haproxy/defaults/main.yml index 40c5721..e07c209 100644 --- a/roles/haproxy/defaults/main.yml +++ b/roles/haproxy/defaults/main.yml @@ -1,2 +1,4 @@ haproxy_ssl_default_ciphers: '{{ haproxy_default_ssl_default_ciphers }}' haproxy_ssl_default_server_ciphers: '{{ haproxy_default_ssl_default_server_ciphers|d("") }}' +haproxy_stats_port: 8118 +haproxy_enable_stats: true diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml index 9346f1e..627ec9e 100644 --- a/roles/haproxy/tasks/main.yml +++ b/roles/haproxy/tasks/main.yml @@ -29,6 +29,15 @@ dest: /etc/haproxy/conf.d/20-defaults.cfg mode: u=rw,go=r notify: restart haproxy +- name: ensure haproxy stats frontend is configured + template: + src: stats.cfg.j2 + dest: /etc/haproxy/conf.d/30-stats.cfg + mode: u=rw,go=r + notify: reload haproxy + tags: + - config + - stats - name: ensure haproxy starts at boot service: 
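Review bot: `haproxy_enable_stats: true` in roles/haproxy/defaults/main.yml makes the new listener opt-out: every host that already applies this role gains a stats frontend and a firewalld opening on port 8118 at its next run, without any inventory change. A role default that opens a network port is safer as opt-in, `haproxy_enable_stats: false`, with the hosts that should be scraped setting it to true. A one-line comment above `haproxy_stats_port` recording the SELinux constraint from the commit message, `# on Fedora the port must be labelled http_port_t or http_cache_port_t`, would keep that requirement next to the value it applies to.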
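Review bot: `notify: reload haproxy` on the new template task names a handler that this patch does not add, while the neighbouring task in the same hunk notifies `restart haproxy`. If the role's handlers file (not visible here) has no `reload haproxy` entry, Ansible fails the play on the missing handler, so it is worth confirming it exists. The task also runs regardless of `haproxy_enable_stats` and relies on the template to write a comment-only file when the feature is off; a short comment on the task would make that intent explicit, e.g. `# always rendered: the template emits only a comment when haproxy_enable_stats is false`. The task list starts and continues outside this hunk.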
@@ -43,3 +52,17 @@
 state: started
 tags:
 - service
+
+- name: ensure firewall is configured for haproxy stats
+ firewalld:
+ port: '{{ haproxy_stats_port }}/tcp'
+ immediate: '{{ item == "immediate" }}'
+ permanent: '{{ item == "permanent" }}'
+ state: enabled
+ loop:
+ - immediate
+ - permanent
+ when: host_uses_firewalld|d(true) and haproxy_enable_stats
+ tags:
+ - firewalld
+ - stats
diff --git a/roles/haproxy/templates/stats.cfg.j2 b/roles/haproxy/templates/stats.cfg.j2
new file mode 100644
index 0000000..d3e00ad
--- /dev/null
+++ b/roles/haproxy/templates/stats.cfg.j2
@@ -0,0 +1,10 @@
+{% if haproxy_enable_stats %}
+frontend stats
+ bind *:{{ haproxy_stats_port }}
+ http-request use-service prometheus-exporter if { path /metrics }
+ stats enable
+ stats uri /stats
+ stats refresh 10s
+{% else %}
+# HAProxy stats frontend is disabled.
+{% endif %}
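Review bot: The firewalld task only ever sets `state: enabled` and is skipped when `haproxy_enable_stats` is false, so switching the feature off on a host that previously had it on removes the frontend but leaves the port open in the firewall. Driving the state from the variable closes that gap: `state: '{{ "enabled" if haproxy_enable_stats else "disabled" }}'` together with `when: host_uses_firewalld|d(true)`. The rule also carries no `zone` or source restriction, so it applies to the default zone for any client. If the scraper sits on a known network, a dedicated zone or a `rich_rule` limited to that network would be tighter.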
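Review bot: The `stats` frontend binds `*:{{ haproxy_stats_port }}` and serves both `/metrics` and the `/stats` page with no authentication and no source restriction, so any client that can reach the port can read frontend, backend and server names, health state and traffic counters. Consider binding to a management address rather than `*`, and placing a source check ahead of the exporter rule, e.g. `http-request deny unless { src {{ haproxy_stats_allowed_sources|join(" ") }} }` (the variable name is a suggestion, not an existing role variable). If the HTML page is needed at all, `stats auth` can protect it. The frontend sets no `mode http`, which both the exporter and the stats page require; presumably the defaults file supplies it, but that is not visible in this patch.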