r/haproxy: Enable Prometheus metrics

HAProxy can export stats in Prometheus format, but this requires
special configuration of a dedicated front-end.  To support this, the
_haproxy_ Ansible role now has a pair of variables,
`haproxy_enable_stats` and `haproxy_stats_port`, which control whether
or not the stats front-end is enabled, and if so, what port it listens
on.  Note that on Fedora with the default SELinux policy, the port must
be labelled either `http_port_t` or `http_cache_port_t`.

roles/haproxy/defaults/main.yml

@@ -1,2 +1,4 @@
 haproxy_ssl_default_ciphers: '{{ haproxy_default_ssl_default_ciphers }}'
 haproxy_ssl_default_server_ciphers: '{{ haproxy_default_ssl_default_server_ciphers|d("") }}'
+haproxy_stats_port: 8118
+haproxy_enable_stats: true

roles/haproxy/tasks/main.yml

@@ -29,6 +29,15 @@
     dest: /etc/haproxy/conf.d/20-defaults.cfg
     mode: u=rw,go=r
   notify: restart haproxy
+- name: ensure haproxy stats frontend is configured
+  template:
+    src: stats.cfg.j2
+    dest: /etc/haproxy/conf.d/30-stats.cfg
+    mode: u=rw,go=r
+  notify: reload haproxy
+  tags:
+  - config
+  - stats
 
 - name: ensure haproxy starts at boot
   service:
@@ -43,3 +52,17 @@
     state: started
   tags:
   - service
+
+- name: ensure firewall is configured for haproxy stats
+  firewalld:
+    port: '{{ haproxy_stats_port }}/tcp'
+    immediate: '{{ item == "immediate" }}'
+    permanent: '{{ item == "permanent" }}'
+    state: enabled
+  loop:
+  - immediate
+  - permanent
+  when: host_uses_firewalld|d(true) and haproxy_enable_stats
+  tags:
+  - firewalld
+  - stats

roles/haproxy/templates/stats.cfg.j2

@@ -0,0 +1,10 @@
+{% if haproxy_enable_stats %}
+frontend stats
+    bind *:{{ haproxy_stats_port }}
+    http-request use-service prometheus-exporter if { path /metrics }
+    stats enable
+    stats uri /stats
+    stats refresh 10s
+{% else %}
+# HAProxy stats frontend is disabled.
+{% endif %}