Remove X-Forwarded-Proto header in apache

Ther X-Forward-Proto header should be added on the external loadbalancer only,
otherwise admin, internal endpoint requests to keystone may suddenly flip to
HTTPS while HTTP is configured in default.
This also affects request to local keystone API calls for monitoring etc.

Closes-Bug: #2068039
Change-Id: I4cfef16841f95328d4ae7e4666f5a8fac053440b

defaults/main.yml

@@ -365,9 +365,6 @@ keystone_ssl_cipher_suite_tls13: >-
 # keystone_user_ssl_key: <path to cert on ansible deployment host>
 # keystone_user_ssl_ca_cert: <path to cert on ansible deployment host>
 
-# Set to true when terminating SSL/TLS at a load balancer
-keystone_external_ssl: "{{ (haproxy_ssl | default(True)) | bool }}"
-
 # External SSL forwarding proto
 keystone_secure_proxy_ssl_header: X-Forwarded-Proto
 

releasenotes/notes/keystone_external_ssl-removal-5d972299f98dcc32.yaml

@@ -0,0 +1,8 @@
+---
+deprecations:
+  - |
+    The variable ``keystone_external_ssl`` was deprecated and is no longer used.
+    You still can control if communication between HAProxy and Keystone should
+    be covered with TLS through ``keystone_backend_ssl`` or
+    ``haproxy_ssl``/``haproxy_ssl_all_vips`` for communication between clients
+    and HAProxy on frontend.

templates/keystone-httpd.conf.j2

@@ -20,12 +20,6 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
     {% endif -%}
     Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"
 
-    {% if (keystone_external_ssl | bool) %}
-    RequestHeader set {{ keystone_secure_proxy_ssl_header }} "https"
-    {% else %}
-    RequestHeader set {{ keystone_secure_proxy_ssl_header }} "http"
-    {% endif %}
-
     {% if keystone_backend_ssl | bool -%}
     SSLEngine on
     SSLCertificateFile    {{ keystone_ssl_cert }}