From fbf62ab7a479cf376dd605b6430e2a3e004732ce Mon Sep 17 00:00:00 2001
From: Maria Haider
Date: Tue, 15 Apr 2025 10:32:22 +0200
Subject: [PATCH] moving bankidp.qa.swamid.se to new LBs
---
 lb-common/overlay/etc/hiera/data/group.yaml | 25 +++++++++++++++++
 .../opt/frontend/config/bankidpqa/haproxy.j2 | 28 +++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 lb-common/overlay/opt/frontend/config/bankidpqa/haproxy.j2
diff --git a/lb-common/overlay/etc/hiera/data/group.yaml b/lb-common/overlay/etc/hiera/data/group.yaml
index e756905..f519188 100644
--- a/lb-common/overlay/etc/hiera/data/group.yaml
+++ b/lb-common/overlay/etc/hiera/data/group.yaml
@@ -795,3 +795,28 @@ sunet_frontend:
 letsencrypt_server: 'acme-c.sunet.se'
 haproxy_imagetag: '20230228-stable'
 frontendtools_imagetag: '20230228'
+
+ 'bankidpqa':
+ haproxy_volumes:
+ - "/etc/ssl/certs/infra.crt:/etc/ssl/certs/infra.crt:ro"
+ - "/opt/frontend/config/ssl/infra_haproxy.crt:/opt/frontend/config/ssl/infra_haproxy.crt:ro"
+ site_name: 'bankidp.qa.swamid.se'
+ frontends:
+ 'tug-lb-1.sunet.se':
+ ips: ['37.156.192.84', '2001:6b0:60:c0::84']
+ 'sthb-lb-1.sunet.se':
+ ips: ['37.156.192.85', '2001:6b0:60:c0::85']
+ backends:
+ default:
+ 'bankid-idp-app1.qa.swamid.se':
+ ips: ['89.46.21.115']
+ server_args: 'ssl alpn h2 crt /opt/frontend/config/ssl/infra_haproxy.crt verify required ca-file /etc/ssl/certs/infra.crt check check-alpn http/1.1'
+ 'bankid-idp-app2.qa.swamid.se':
+ ips: ['89.45.236.159']
+ server_args: 'ssl alpn h2 crt /opt/frontend/config/ssl/infra_haproxy.crt verify required ca-file /etc/ssl/certs/infra.crt check check-alpn http/1.1'
+ allow_ports:
+ - 443
+ - 80
+ letsencrypt_server: 'acme-c.sunet.se'
+ haproxy_imagetag: '20230228-stable'
+ frontendtools_imagetag: '20230228'
diff --git a/lb-common/overlay/opt/frontend/config/bankidpqa/haproxy.j2 b/lb-common/overlay/opt/frontend/config/bankidpqa/haproxy.j2
new file mode 100644
index 0000000..1d47059
--- /dev/null
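Review bot: The two `server_args` strings under `backends.default` are byte-identical and carry the security-relevant part of the new `'bankidpqa'` stanza — mutual TLS towards the app nodes, where HAProxy presents `infra_haproxy.crt` and `verify required ca-file /etc/ssl/certs/infra.crt` only accepts a backend whose certificate chains to the infra CA — yet nothing in the stanza says so. A comment above `backends:` such as `# backend mTLS: HAProxy presents infra_haproxy.crt; app certs must chain to infra.crt (verify required)` would keep a later edit from dropping `verify required` by accident. The duplicated string could also be collapsed into one anchored scalar (`server_args: &bankidpqa_server_args '…'` on the first backend, `server_args: *bankidpqa_server_args` on the second) if the rest of group.yaml already uses anchors; if it does not, the repetition is the safer choice. The indentation of the added lines is not recoverable from this rendering of the patch, so the nesting under `sunet_frontend` is taken on trust.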
+++ b/lb-common/overlay/opt/frontend/config/bankidpqa/haproxy.j2
@@ -0,0 +1,28 @@
+{% extends 'common/haproxy_base.j2' %}
+
+{% from "common/haproxy_macros.j2" import bind_ip_tls, web_security_options, acme_challenge, csp %}
+
+{%- macro bind_ip_tls_extra(bind_ips, port, tls_cert, extra) -%}
+{%- for ip in bind_ips %}
+ bind {{ ip }}:{{ port }} ssl crt {{ tls_cert }} {{ extra }}
+{%- endfor %}
+{%- endmacro %}
+
+{% block frontend %}
+frontend {{ site_name }}
+ {{ bind_ip_tls_extra(bind_ips, 443, tls_certificate_bundle, "verify optional crt-ignore-err all ca-file /etc/ssl/certs/ca-certificates.crt") }}
+
+
+ timeout http-request 10s
+ timeout http-keep-alive 4s
+ option forwardfor
+ http-request set-header X-Forwarded-Proto https
+ http-request set-header client-cert %{+Q}[ssl_c_der,base64]
+
+ {{ web_security_options(['no_frames', 'block_xss', 'hsts', 'no_sniff', 'no_cache']) }}
+
+
+ {{ acme_challenge(letsencrypt_server) }}
+
+ use_backend {{ site_name }}__default
+{% endblock frontend %}
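Review bot: The bind line in `frontend {{ site_name }}` combines `verify optional crt-ignore-err all` with the public `ca-certificates.crt` bundle, so HAProxy accepts any client certificate or none, and the `client-cert` header built from `ssl_c_der` then hands the backend a raw leaf certificate with no indication of whether it was verified — all validation is left to the application. If that is intended it should be stated in the template, e.g. `{# client certs are passed through unverified in the client-cert header; the IdP validates the chain itself #}` above the bind, and forwarding the verification result next to the certificate, `http-request set-header client-cert-verify %[ssl_c_verify]`, lets the application distinguish "no certificate" from "certificate presented". `set-header` does replace any client-supplied `client-cert` header, which is the right choice here. `bind_ip_tls` and `csp` are imported but never used in this file, and `bind_ips` / `tls_certificate_bundle` are presumably supplied by the base template's context, which is outside this patch.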