Fix health-monitors with ALPN members

Using HTTP or HTTPS health-monitor on a ALPN pool failed with SSL
errors.
haproxy doc mentions that when using "check" with ALPN servers, the
check-alpn option must be enabled.

[0] https://docs.haproxy.org/2.8/configuration.html#5.2-check

Closes-Bug: #2043812

Change-Id: I5698558857cbaa585f8a3d7ac37aaa31c0189d46

octavia/common/jinja/haproxy/combined_listeners/templates/macros.j2

@@ -208,13 +208,18 @@ frontend {{ listener.id }}
         {% else %}
             {% set monitor_port_opt = "" %}
         {% endif %}
+        {% if pool.alpn_protocols is defined %}
+            {% set alpn_opt = " check-alpn %s"|format(pool.alpn_protocols) %}
+        {% else %}
+            {% set alpn_opt = "" %}
+        {% endif %}
         {% if pool.health_monitor.type == constants.HEALTH_MONITOR_HTTPS %}
             {% set monitor_ssl_opt = " check-ssl verify none" %}
         {% else %}
             {% set monitor_ssl_opt = "" %}
         {% endif %}
-        {% set hm_opt = " check%s inter %ds fall %d rise %d%s%s"|format(
+        {% set hm_opt = " check%s%s inter %ds fall %d rise %d%s%s"|format(
-            monitor_ssl_opt, pool.health_monitor.delay,
+            monitor_ssl_opt, alpn_opt, pool.health_monitor.delay,
             pool.health_monitor.fall_threshold,
             pool.health_monitor.rise_threshold, monitor_addr_opt,
             monitor_port_opt) %}

octavia/tests/unit/common/jinja/haproxy/combined_listeners/test_jinja_cfg.py

@@ -1331,11 +1331,11 @@ class TestHaproxyCfg(base.TestCase):
               "    timeout connect 5000\n"
               "    timeout server 50000\n"
               "    server sample_member_id_1 10.0.0.99:82 weight 13 "
-              "check inter 30s fall 3 rise 2 cookie sample_member_id_1 "
+              "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
-              "{opts} alpn {alpn}\n"
+              "sample_member_id_1 {opts} alpn {alpn}\n"
               "    server sample_member_id_2 10.0.0.98:82 weight 13 "
-              "check inter 30s fall 3 rise 2 cookie sample_member_id_2 "
+              "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
-              "{opts} alpn {alpn}\n\n").format(
+              "sample_member_id_2 {opts} alpn {alpn}\n\n").format(
             maxconn=constants.HAPROXY_DEFAULT_MAXCONN,
             opts="ssl crt %s verify none sni ssl_fc_sni" % cert_file_path +
                  " ciphers " + constants.CIPHERS_OWASP_SUITE_B +
@@ -1410,11 +1410,11 @@ class TestHaproxyCfg(base.TestCase):
               "    timeout connect 5000\n"
               "    timeout server 50000\n"
               "    server sample_member_id_1 10.0.0.99:82 weight 13 "
-              "check inter 30s fall 3 rise 2 cookie sample_member_id_1 "
+              "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
-              "{opts} alpn {alpn}\n"
+              "sample_member_id_1 {opts} alpn {alpn}\n"
               "    server sample_member_id_2 10.0.0.98:82 weight 13 "
-              "check inter 30s fall 3 rise 2 cookie sample_member_id_2 "
+              "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
-              "{opts} alpn {alpn}\n\n").format(
+              "sample_member_id_2 {opts} alpn {alpn}\n\n").format(
             maxconn=constants.HAPROXY_DEFAULT_MAXCONN,
             opts="ssl crt %s verify none sni ssl_fc_sni" % cert_file_path +
                  " ciphers " + constants.CIPHERS_OWASP_SUITE_B,
@@ -1450,11 +1450,11 @@ class TestHaproxyCfg(base.TestCase):
               "    timeout connect 5000\n"
               "    timeout server 50000\n"
               "    server sample_member_id_1 10.0.0.99:82 weight 13 "
-              "check inter 30s fall 3 rise 2 cookie sample_member_id_1 "
+              "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
-              "{opts} alpn {alpn}\n"
+              "sample_member_id_1 {opts} alpn {alpn}\n"
               "    server sample_member_id_2 10.0.0.98:82 weight 13 "
-              "check inter 30s fall 3 rise 2 cookie sample_member_id_2 "
+              "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
-              "{opts} alpn {alpn}\n\n").format(
+              "sample_member_id_2 {opts} alpn {alpn}\n\n").format(
             maxconn=constants.HAPROXY_DEFAULT_MAXCONN,
             opts="ssl crt %s verify none sni ssl_fc_sni" % cert_file_path +
                  " no-sslv3 no-tlsv10 no-tlsv11",
@@ -1550,11 +1550,11 @@ class TestHaproxyCfg(base.TestCase):
               "    timeout connect 5000\n"
               "    timeout server 50000\n"
               "    server sample_member_id_1 10.0.0.99:82 weight 13 "
-              "check inter 30s fall 3 rise 2 cookie sample_member_id_1 "
+              "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
-              "{opts} alpn {alpn}\n"
+              "sample_member_id_1 {opts} alpn {alpn}\n"
               "    server sample_member_id_2 10.0.0.98:82 weight 13 "
-              "check inter 30s fall 3 rise 2 cookie sample_member_id_2 "
+              "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
-              "{opts} alpn {alpn}\n\n").format(
+              "sample_member_id_2 {opts} alpn {alpn}\n\n").format(
             maxconn=constants.HAPROXY_DEFAULT_MAXCONN,
             opts="%s %s %s %s %s %s" % (
                 "ssl", "crt", pool_client_cert,

releasenotes/notes/fix-http-https-healthmonitor-with-alpn-pools-82249b2b9a025068.yaml

@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fixed a bug with HTTP/HTTPS health-monitors on pools with ALPN protocols in
+    the amphora-driver. The healthchecks sent by haproxy were flagged as bad
+    requests by the backend servers. Updated haproxy configuration to use ALPN
+    for the heathchecks too.