Enable TLS on internal communication has 2 parts
* Enabling TLS on the internal VIPs for haproxy frontends
* Enabling TLS on the service backends
Haproxy has support for enabling TLS on frontends and backends,
but doing so would cause downtime.
In the case of upgrading frontends, enabling TLS would prevent
openstack services from working until their config is changed
from http to https, as they do not follow redirects.
In the case of backends haproxy would mark each backend as down
because if could not initiate a HTTPS connection to the backend
until the backend is updated.
This patch fixes this and allows haproxy to accept both HTTP and
HTTPS on the same well known port for each service. It also
allows for both HTTP and HTTPS backends.
Support for HTTP and HTTPS on the frontend is enabled by setting
haproxy_tcp_upgrade_frontend: true
Support for HTTP and HTTPS on the backend is enabled by setting
haproxy_tcp_upgrade_backend: true
This is a temporary patch and will be removed once instances have
been upgraded to HTTPS for internal communications in a future
release of OSA.
Change-Id: I4279005d5b4e6133cf85ba43379b51149c838f17
d30bb2e6d1