Add TLS protection on external API endpoints

TLS can be used to encrypt and authenticate the connection with OpenStack endpoints. This patch provides the necessary parameters and changes the resulting service configurations to enable TLS for the Kolla deployed OpenStack cloud. The new input parameters are: kolla_enable_tls_external: "yes" or "no" (default is "no") kolla_external_fqdn_cert: "/etc/kolla/certificates/haproxy.pem" kolla_external_fqdn_cacert: "/etc/kolla/certificates/haproxy-ca.crt" Implements: blueprint kolla-ssl Change-Id: I48ef8a781c3035d58817f9bf6f36d59a488bab41
2016-02-29 13:51:11 -05:00 · 2016-02-29 13:51:11 -05:00 · 3daded6242
commit 3daded6242
parent a94d537aab
11 changed files with 117 additions and 25 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -136,7 +136,7 @@ elasticsearch_port: "9200"

 manila_api_port: "8786"

-public_protocol: "http"
+public_protocol: "{{ 'https' if kolla_enable_tls_external | bool else 'http' }}"
 internal_protocol: "http"
 admin_protocol: "http"

@ -207,7 +207,9 @@ rabbitmq_user: "openstack"
 ####################
 haproxy_user: "openstack"
 haproxy_enable_external_vip: "{{ 'no' if kolla_external_vip_address == kolla_internal_vip_address else 'yes' }}"
-
+kolla_enable_tls_external: "no"
+kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"
+kolla_external_fqdn_cacert: "{{ node_config_directory }}/certificates/haproxy-ca.crt"

 #################################
 # Cinder - Block Storage options
--- a/ansible/roles/certificates/tasks/generate.yml
+++ b/ansible/roles/certificates/tasks/generate.yml
@ -21,7 +21,7 @@

 - name: Creating Server Certificate
  command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
-    -subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_address }}" \
+    -subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_fqdn }}" \
    -config {{ node_config_directory }}/certificates/openssl-kolla.cnf \
    -days 3650 \
    -extensions v3_req \
--- a/ansible/roles/certificates/templates/openssl-kolla.cnf.j2
+++ b/ansible/roles/certificates/templates/openssl-kolla.cnf.j2
@ -7,7 +7,7 @@ countryName = US
 stateOrProvinceName = NC
 localityName = RTP
 organizationalUnitName = kolla
-commonName = {{ kolla_external_address }}
+commonName = {{ kolla_external_fqdn }}

 [v3_req]
 subjectAltName = @alt_names
--- a/ansible/roles/haproxy/tasks/config.yml
+++ b/ansible/roles/haproxy/tasks/config.yml
@ -33,3 +33,11 @@
    dest: "{{ node_config_directory }}/{{ item }}/{{ item }}.conf"
  with_items:
    - "keepalived"
+
+- name: Copying over haproxy.pem
+  when: kolla_enable_tls_external | bool
+  copy:
+    src: "{{ kolla_external_fqdn_cert }}"
+    dest: "{{ node_config_directory }}/haproxy/{{ item }}"
+  with_items:
+    - "haproxy.pem"
--- a/ansible/roles/haproxy/templates/haproxy.cfg.j2
+++ b/ansible/roles/haproxy/templates/haproxy.cfg.j2
@ -1,8 +1,14 @@
+{% set tls_bind_info = 'ssl crt /etc/haproxy/haproxy.pem' if kolla_enable_tls_external | bool else '' %}
 global
  daemon
  log /var/lib/kolla/heka/log local0
  maxconn 4000
  stats socket /var/lib/kolla/haproxy/haproxy.sock
+{% if kolla_enable_tls_external | bool %}
+  ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES
+  ssl-default-bind-options no-sslv3 no-tlsv10
+  tune.ssl.default-dh-param 4096
+{% endif %}

 defaults
  log global
@ -58,13 +64,16 @@ listen mongodb
 {% if enable_keystone | bool %}
 listen keystone_internal
  bind {{ kolla_internal_vip_address }}:{{ keystone_public_port }}
+  http-request del-header X-Forwarded-Proto
 {% for host in groups['keystone'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_public_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
 {% if haproxy_enable_external_vip | bool %}

 listen keystone_external
-  bind {{ kolla_external_vip_address }}:{{ keystone_public_port }}
+  bind {{ kolla_external_vip_address }}:{{ keystone_public_port }} {{ tls_bind_info }}
+  http-request del-header X-Forwarded-Proto
+  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['keystone'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_public_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@ -72,6 +81,7 @@ listen keystone_external

 listen keystone_admin
  bind {{ kolla_internal_vip_address }}:{{ keystone_admin_port }}
+  http-request del-header X-Forwarded-Proto
 {% for host in groups['keystone'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_admin_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@ -92,13 +102,13 @@ listen glance_api
 {% if haproxy_enable_external_vip | bool %}

 listen glance_registry_external
-  bind {{ kolla_external_vip_address }}:{{ glance_registry_port }}
+  bind {{ kolla_external_vip_address }}:{{ glance_registry_port }} {{ tls_bind_info }}
 {% for host in groups['glance-registry'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ glance_registry_port }} check inter 2000 rise 2 fall 5
 {% endfor %}

 listen glance_api_external
-  bind {{ kolla_external_vip_address }}:{{ glance_api_port }}
+  bind {{ kolla_external_vip_address }}:{{ glance_api_port }} {{ tls_bind_info }}
 {% for host in groups['glance-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ glance_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@ -108,18 +118,21 @@ listen glance_api_external
 {% if enable_nova | bool %}
 listen nova_api
  bind {{ kolla_internal_vip_address }}:{{ nova_api_port }}
+  http-request del-header X-Forwarded-Proto
 {% for host in groups['nova-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}

 listen nova_api_ec2
  bind {{ kolla_internal_vip_address }}:{{ nova_api_ec2_port }}
+  http-request del-header X-Forwarded-Proto
 {% for host in groups['nova-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_api_ec2_port }} check inter 2000 rise 2 fall 5
 {% endfor %}

 listen nova_metadata
  bind {{ kolla_internal_vip_address }}:{{ nova_metadata_port }}
+  http-request del-header X-Forwarded-Proto
 {% for host in groups['nova-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_metadata_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@ -127,6 +140,8 @@ listen nova_metadata
 {% if nova_console == 'novnc' %}
 listen nova_novncproxy
  bind {{ kolla_internal_vip_address }}:{{ nova_novncproxy_port }}
+  http-request del-header X-Forwarded-Proto
+  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-novncproxy'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_novncproxy_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@ -140,32 +155,42 @@ listen nova_spicehtml5proxy
 {% if haproxy_enable_external_vip | bool %}

 listen nova_api_external
-  bind {{ kolla_external_vip_address }}:{{ nova_api_port }}
+  bind {{ kolla_external_vip_address }}:{{ nova_api_port }} {{ tls_bind_info }}
+  http-request del-header X-Forwarded-Proto
+  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}

 listen nova_api_ec2_external
-  bind {{ kolla_external_vip_address }}:{{ nova_api_ec2_port }}
+  bind {{ kolla_external_vip_address }}:{{ nova_api_ec2_port }} {{ tls_bind_info }}
+  http-request del-header X-Forwarded-Proto
+  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_api_ec2_port }} check inter 2000 rise 2 fall 5
 {% endfor %}

 listen nova_metadata_external
-  bind {{ kolla_external_vip_address }}:{{ nova_metadata_port }}
+  bind {{ kolla_external_vip_address }}:{{ nova_metadata_port }} {{ tls_bind_info }}
+  http-request del-header X-Forwarded-Proto
+  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_metadata_port }} check inter 2000 rise 2 fall 5
 {% endfor %}

 {% if nova_console == 'novnc' %}
 listen nova_novncproxy_external
-  bind {{ kolla_external_vip_address }}:{{ nova_novncproxy_port }}
+  bind {{ kolla_external_vip_address }}:{{ nova_novncproxy_port }} {{ tls_bind_info }}
+  http-request del-header X-Forwarded-Proto
+  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-novncproxy'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_novncproxy_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
 {% elif nova_console == 'spice' %}
 listen nova_spicehtml5proxy_external
-  bind {{ kolla_external_vip_address }}:{{ nova_spicehtml5proxy_port }}
+  bind {{ kolla_external_vip_address }}:{{ nova_spicehtml5proxy_port }} {{ tls_bind_info }}
+  http-request del-header X-Forwarded-Proto
+  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['nova-spicehtml5proxy'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_spicehtml5proxy_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@ -182,7 +207,7 @@ listen neutron_server
 {% if haproxy_enable_external_vip | bool %}

 listen neutron_server_external
-  bind {{ kolla_external_vip_address }}:{{ neutron_server_port }}
+  bind {{ kolla_external_vip_address }}:{{ neutron_server_port }} {{ tls_bind_info }}
 {% for host in groups['neutron-server'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ neutron_server_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@ -192,11 +217,24 @@ listen neutron_server_external
 {% if enable_horizon | bool %}
 listen horizon
  bind {{ kolla_internal_vip_address }}:80
+  http-request del-header X-Forwarded-Proto
 {% for host in groups['horizon'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:80 check inter 2000 rise 2 fall 5
 {% endfor %}
-{% if haproxy_enable_external_vip | bool %}

+{% if haproxy_enable_external_vip | bool %}
+{% if kolla_enable_tls_external | bool %}
+listen horizon_external
+  bind {{ kolla_external_vip_address }}:443 {{ tls_bind_info }}
+  http-request del-header X-Forwarded-Proto
+  http-request set-header X-Forwarded-Proto https if { ssl_fc }
+{% for host in groups['horizon'] %}
+  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:80 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+frontend horizon_external_redirect {{ kolla_external_vip_address }}:80
+   redirect scheme https code 301 if !{ ssl_fc }
+{% else %}
 listen horizon_external
  bind {{ kolla_external_vip_address }}:80
 {% for host in groups['horizon'] %}
@ -204,17 +242,21 @@ listen horizon_external
 {% endfor %}
 {% endif %}
 {% endif %}
+{% endif %}

 {% if enable_cinder | bool %}
 listen cinder_api
  bind {{ kolla_internal_vip_address }}:{{ cinder_api_port }}
+  http-request del-header X-Forwarded-Proto
 {% for host in groups['cinder-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cinder_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
 {% if haproxy_enable_external_vip | bool %}

 listen cinder_api_external
-  bind {{ kolla_external_vip_address }}:{{ cinder_api_port }}
+  bind {{ kolla_external_vip_address }}:{{ cinder_api_port }} {{ tls_bind_info }}
+  http-request del-header X-Forwarded-Proto
+  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['cinder-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cinder_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@ -224,25 +266,31 @@ listen cinder_api_external
 {% if enable_heat | bool %}
 listen heat_api
  bind {{ kolla_internal_vip_address }}:{{ heat_api_port }}
+  http-request del-header X-Forwarded-Proto
 {% for host in groups['heat-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}

 listen heat_api_cfn
  bind {{ kolla_internal_vip_address }}:{{ heat_api_cfn_port }}
+  http-request del-header X-Forwarded-Proto
 {% for host in groups['heat-api-cfn'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_cfn_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
 {% if haproxy_enable_external_vip | bool %}

 listen heat_api_external
-  bind {{ kolla_external_vip_address }}:{{ heat_api_port }}
+  bind {{ kolla_external_vip_address }}:{{ heat_api_port }} {{ tls_bind_info }}
+  http-request del-header X-Forwarded-Proto
+  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['heat-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}

 listen heat_api_cfn_external
-  bind {{ kolla_external_vip_address }}:{{ heat_api_cfn_port }}
+  bind {{ kolla_external_vip_address }}:{{ heat_api_cfn_port }} {{ tls_bind_info }}
+  http-request del-header X-Forwarded-Proto
+  http-request set-header X-Forwarded-Proto https if { ssl_fc }
 {% for host in groups['heat-api-cfn'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_cfn_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@ -258,7 +306,7 @@ listen ironic_api
 {% if haproxy_enable_external_vip | bool %}

 listen ironic_api_external
-  bind {{ kolla_external_vip_address }}:{{ ironic_api_port }}
+  bind {{ kolla_external_vip_address }}:{{ ironic_api_port }} {{ tls_bind_info }}
 {% for host in groups['ironic-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ ironic_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@ -274,7 +322,7 @@ listen swift_api
 {% if haproxy_enable_external_vip | bool %}

 listen swift_api_external
-  bind {{ kolla_external_vip_address }}:{{ swift_proxy_server_port }}
+  bind {{ kolla_external_vip_address }}:{{ swift_proxy_server_port }} {{ tls_bind_info }}
 {% for host in groups['swift-proxy-server'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ swift_proxy_server_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@ -290,7 +338,7 @@ listen murano_api
 {% if haproxy_enable_external_vip | bool %}

 listen murano_api_external
-  bind {{ kolla_external_vip_address }}:{{ murano_api_port }}
+  bind {{ kolla_external_vip_address }}:{{ murano_api_port }} {{ tls_bind_info }}
 {% for host in groups['murano-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ murano_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@ -306,7 +354,7 @@ listen magnum_api
 {% if haproxy_enable_external_vip | bool %}

 listen magnum_api_external
-  bind {{ kolla_external_vip_address }}:{{ magnum_api_port }}
+  bind {{ kolla_external_vip_address }}:{{ magnum_api_port }} {{ tls_bind_info }}
 {% for host in groups['magnum-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ magnum_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
@ -322,7 +370,7 @@ listen radosgw
 {% if haproxy_enable_external_vip | bool %}

 listen radosgw_external
-  bind {{ kolla_external_vip_address }}:{{ rgw_port }}
+  bind {{ kolla_external_vip_address }}:{{ rgw_port }} {{ tls_bind_info }}
 {% for host in groups['ceph-rgw'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ rgw_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
--- a/ansible/roles/haproxy/templates/haproxy.json.j2
+++ b/ansible/roles/haproxy/templates/haproxy.json.j2
@ -6,6 +6,13 @@
            "dest": "/etc/haproxy/haproxy.cfg",
            "owner": "root",
            "perm": "0644"
+        },
+        {
+            "source": "{{ container_config_directory }}/haproxy.pem",
+            "dest": "/etc/haproxy/haproxy.pem",
+            "owner": "root",
+            "perm": "0600",
+            "optional": "true"
        }
    ]
 }
--- a/ansible/roles/horizon/templates/horizon.conf.j2
+++ b/ansible/roles/horizon/templates/horizon.conf.j2
@ -22,3 +22,7 @@ Listen {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['addr
        SetHandler None
    </Location>
 </Virtualhost>
+
+{% if kolla_enable_tls_external | bool %}
+Header edit Location ^http://(.*)$ https://$1
+{% endif %}
--- a/ansible/roles/horizon/templates/local_settings.j2
+++ b/ansible/roles/horizon/templates/local_settings.j2
@ -41,6 +41,12 @@ ALLOWED_HOSTS = ['*']
 #CSRF_COOKIE_SECURE = True
 #SESSION_COOKIE_SECURE = True

+{% if kolla_enable_tls_external | bool %}
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+CSRF_COOKIE_SECURE = True
+SESSION_COOKIE_SECURE = True
+{% endif %}
+
 # Overrides for OpenStack API versions. Use this setting to force the
 # OpenStack dashboard to use a specific API version for a given service API.
 # Versions specified here should be integers or floats, not strings.
@ -147,8 +153,8 @@ EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
 #    ('http://cluster2.example.com:5000/v2.0', 'cluster2'),
 #]

-OPENSTACK_HOST = "{{ kolla_external_fqdn }}"
-OPENSTACK_KEYSTONE_URL = "{{ public_protocol }}://%s:{{ keystone_public_port }}/v3" % OPENSTACK_HOST
+OPENSTACK_HOST = "{{ kolla_internal_fqdn }}"
+OPENSTACK_KEYSTONE_URL = "{{ internal_protocol }}://%s:{{ keystone_public_port }}/v3" % OPENSTACK_HOST
 OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"

 # Enables keystone web single-sign-on if set to True.
@ -292,7 +298,7 @@ IMAGE_RESERVED_CUSTOM_PROPERTIES = []
 # OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints
 # in the Keystone service catalog. Use this setting when Horizon is running
 # external to the OpenStack environment. The default is 'publicURL'.
-#OPENSTACK_ENDPOINT_TYPE = "publicURL"
+OPENSTACK_ENDPOINT_TYPE = "internalURL"

 # SECONDARY_ENDPOINT_TYPE specifies the fallback endpoint type to use in the
 # case that OPENSTACK_ENDPOINT_TYPE is not present in the endpoints
--- a/ansible/roles/keystone/templates/keystone.conf.j2
+++ b/ansible/roles/keystone/templates/keystone.conf.j2
@ -4,5 +4,7 @@ debug = {{ keystone_logging_debug }}
 # NOTE(elemoine) log_dir alone does not work for Keystone
 log_file = /var/log/kolla/keystone/keystone.log

+secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO
+
 [database]
 connection = mysql+pymysql://{{ keystone_database_user }}:{{ keystone_database_password }}@{{ keystone_database_address }}/{{ keystone_database_name }}
--- a/ansible/roles/nova/templates/nova.conf.j2
+++ b/ansible/roles/nova/templates/nova.conf.j2
@ -8,6 +8,10 @@ use_forwarded_for = true
 api_paste_config = /etc/nova/api-paste.ini
 state_path = /var/lib/nova

+{% if kolla_enable_tls_external | bool %}
+secure_proxy_ssl_header = X-Forwarded-Proto
+{% endif %}
+
 osapi_compute_listen = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
 osapi_compute_listen_port = {{ nova_api_port }}

--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@ -72,6 +72,17 @@ neutron_external_interface: "eth1"
 #neutron_plugin_agent: "openvswitch"


+####################
+# TLS options
+####################
+# To provide encryption and authentication on the kolla_external_vip_interface,
+# TLS can be enabled.  When TLS is enabled, certificates must be provided to
+# allow clients to perform authentication.  The default is TLS disabled.
+# kolla_enable_tls_external: "yes"
+# kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"
+# kolla_external_fqdn_cacert: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
+
+
 ####################
 # OpenStack options
 ####################