Merge pull request #598 from enovance/haproxy_horizon_allow_ssl_and_80

loadbalancer.pp: Enable HAProxy binding on 80 and 443

manifests/loadbalancer.pp

@@ -180,6 +180,7 @@ class cloud::loadbalancer(
   $keystone_api_admin               = true,
   $trove_api                        = true,
   $horizon                          = true,
+  $horizon_ssl                      = false,
   $spice                            = true,
   $haproxy_auth                     = 'admin:changeme',
   $keepalived_state                 = 'BACKUP',
@@ -205,6 +206,7 @@ class cloud::loadbalancer(
   $swift_bind_options               = [],
   $spice_bind_options               = [],
   $horizon_bind_options             = [],
+  $horizon_ssl_bind_options         = [],
   $galera_bind_options              = [],
   $ks_ceilometer_public_port        = 8777,
   $ks_cinder_public_port            = 8776,
@@ -222,6 +224,7 @@ class cloud::loadbalancer(
   $ks_swift_public_port             = 8080,
   $ks_trove_public_port             = 8779,
   $horizon_port                     = 80,
+  $horizon_ssl_port                 = 443,
   $spice_port                       = 6082,
   $vip_public_ip                    = ['127.0.0.1'],
   $vip_internal_ip                  = false,
@@ -229,8 +232,6 @@ class cloud::loadbalancer(
   # Deprecated parameters
   $keepalived_interface             = false,
   $keepalived_ipvs                  = false,
-  $horizon_ssl                      = false,
-  $horizon_ssl_port                 = false,
 ){
 
   # Manage deprecation when using old parameters
@@ -246,32 +247,6 @@ class cloud::loadbalancer(
   } else {
     $keepalived_public_ipvs_real = $keepalived_public_ipvs
   }
-  if $horizon_ssl {
-    warning('horizon_ssl parameter is deprecated. Specify ssl in the horizon_bind_options instead.')
-    $horizon_httpchk = 'ssl-hello-chk'
-    $horizon_options = {
-      'mode'    => 'tcp',
-      'cookie'  => 'sessionid prefix',
-      'balance' => 'leastconn' }
-  } else {
-    $horizon_httpchk = "httpchk GET  /${horizon_auth_url}  \"HTTP/1.0\\r\\nUser-Agent: HAproxy-${::hostname}\""
-    if 'ssl' in $horizon_bind_options {
-      $horizon_options = {
-      'cookie'  => 'sessionid prefix',
-      'reqadd'  => 'X-Forwarded-Proto:\ https if { ssl_fc }',
-      'balance' => 'leastconn' }
-    } else {
-      $horizon_options = {
-      'cookie'  => 'sessionid prefix',
-      'balance' => 'leastconn' }
-    }
-  }
-  if $horizon_ssl_port {
-    warning('horizon_ssl_port parameter is deprecated. Specify port with the horizon_port instead.')
-    $horizon_port_real = $horizon_ssl_port
-  } else {
-    $horizon_port_real = $horizon_port
-  }
   # end of deprecation support
 
   # Fail if OpenStack and Galera VIP are  not in the VIP list
@@ -459,15 +434,42 @@ class cloud::loadbalancer(
   } else {
     $horizon_auth_url = 'horizon'
   }
+
+  $horizon_ssl_options = {
+    'mode'    => 'tcp',
+    'cookie'  => 'sessionid prefix',
+    'balance' => 'leastconn'
+  }
+
+  if 'ssl' in $horizon_bind_options {
+    $horizon_options = {
+      'cookie'  => 'sessionid prefix',
+      'reqadd'  => 'X-Forwarded-Proto:\ https if { ssl_fc }',
+      'balance' => 'leastconn'
+    }
+  } else {
+    $horizon_options = {
+      'cookie'  => 'sessionid prefix',
+      'balance' => 'leastconn'
+    }
+  }
+
   cloud::loadbalancer::binding { 'horizon_cluster':
-    ip           => $vip_public_ip,
-    # to maintain backward compatibility
-    port         => $horizon_port_real,
-    httpchk      => $horizon_httpchk,
+    ip           => $horizon,
+    port         => $horizon_port,
+    httpchk      => "httpchk GET  /${horizon_auth_url}  \"HTTP/1.0\\r\\nUser-Agent: HAproxy-${::hostname}\"",
     options      => $horizon_options,
     bind_options => $horizon_bind_options,
   }
 
+  cloud::loadbalancer::binding { 'horizon_ssl_cluster':
+    ip           => $horizon_ssl,
+    port         => $horizon_ssl_port,
+    httpchk      => 'ssl-hello-chk',
+    options      => $horizon_ssl_options,
+    bind_options => $horizon_ssl_bind_options,
+  }
+
   if ($galera_ip in $keepalived_public_ipvs_real) {
     warning('Exposing Galera cluster to public network is a security issue.')
   }

spec/classes/cloud_loadbalancer_spec.rb

@@ -338,45 +338,21 @@ describe 'cloud::loadbalancer' do
       )}
     end
 
-    context 'configure OpenStack Horizon with backward compatibility' do
-      before do
-        params.merge!(
-          :horizon_ssl_port => '80'
-        )
-      end
+    context 'configure OpenStack Horizon' do
       it { should contain_haproxy__listen('horizon_cluster').with(
         :ipaddress => [params[:vip_public_ip]],
         :ports     => '80',
         :options   => {
           'mode'           => 'http',
           'http-check'     => 'expect ! rstatus ^5',
-          'option'         => ["tcpka", "forwardfor", "tcplog", "httpchk GET  /  \"HTTP/1.0\\r\\nUser-Agent: HAproxy-myhost\""],
+          'option'         => ["tcpka", "forwardfor", "tcplog", "httpchk GET  /#{platform_params[:auth_url]}  \"HTTP/1.0\\r\\nUser-Agent: HAproxy-myhost\""],
           'cookie'         => 'sessionid prefix',
           'balance'        => 'leastconn',
-        },
+        }
       )}
     end
 
-    context 'configure OpenStack Horizon SSL with backward compatibility' do
-      before do
-        params.merge!(
-          :horizon_ssl      => true,
-          :horizon_ssl_port => '443'
-        )
-      end
-      it { should contain_haproxy__listen('horizon_cluster').with(
-        :ipaddress => [params[:vip_public_ip]],
-        :ports     => '443',
-        :options   => {
-          'mode'           => 'tcp',
-          'option'         => ['tcpka','forwardfor','tcplog',  'ssl-hello-chk'],
-          'cookie'         => 'sessionid prefix',
-          'balance'        => 'leastconn',
-        },
-      )}
-    end
-
-    context 'configure OpenStack Horizon SSL binding' do
+    context 'configure OpenStack Horizon with SSL termination on HAProxy' do
       before do
         params.merge!(
           :horizon_port         => '443',
@@ -391,7 +367,7 @@ describe 'cloud::loadbalancer' do
         :options   => {
           'mode'           => 'http',
           'http-check'     => 'expect ! rstatus ^5',
-          'option'         => ["tcpka", "forwardfor", "tcplog", "httpchk GET  /  \"HTTP/1.0\\r\\nUser-Agent: HAproxy-myhost\""],
+          'option'         => ["tcpka", "forwardfor", "tcplog", "httpchk GET  /#{platform_params[:auth_url]}  \"HTTP/1.0\\r\\nUser-Agent: HAproxy-myhost\""],
           'cookie'         => 'sessionid prefix',
           'balance'        => 'leastconn',
           'reqadd'         => 'X-Forwarded-Proto:\ https if { ssl_fc }'
@@ -400,6 +376,25 @@ describe 'cloud::loadbalancer' do
       )}
     end
 
+    context 'configure OpenStack Horizon SSL with termination on the webserver' do
+      before do
+        params.merge!(
+          :horizon_ssl      => true,
+          :horizon_ssl_port => '443'
+        )
+      end
+      it { should contain_haproxy__listen('horizon_ssl_cluster').with(
+        :ipaddress => [params[:vip_public_ip]],
+        :ports     => '443',
+        :options   => {
+          'mode'           => 'tcp',
+          'option'         => ["tcpka", "forwardfor", "tcplog", "ssl-hello-chk"],
+          'cookie'         => 'sessionid prefix',
+          'balance'        => 'leastconn',
+        }
+      )}
+    end
+
     context 'configure OpenStack Heat API SSL binding' do
       before do
         params.merge!(
@@ -428,6 +423,10 @@ describe 'cloud::loadbalancer' do
         :concat_basedir => '/var/lib/puppet/concat' }
     end
 
+    let :platform_params do
+      { :auth_url       => 'horizon' }
+    end
+
     it_configures 'openstack loadbalancer'
   end
 
@@ -438,6 +437,10 @@ describe 'cloud::loadbalancer' do
         :concat_basedir => '/var/lib/puppet/concat' }
     end
 
+    let :platform_params do
+      { :auth_url       => 'dashboard' }
+    end
+
     it_configures 'openstack loadbalancer'
   end