Cover nova metadata with SSL

We should also cover nova metadata endpoint with SSL in case
haproxy_ssl_all_vips is set to true.

This also places nova_metadata_* variables under correct scope, since
the only place they are used is
neutron hosts

Change-Id: Ie05e07624b204c92f02e05d6d8c8d02ab8ff9008

inventory/group_vars/all/nova.yml

@@ -13,12 +13,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-nova_service_port: 8774
 # Consumed by Neutron role and must remained scoped to 'all' group
 nova_metadata_port: 8775
+nova_metadata_protocol: "{{ openstack_service_internaluri_proto | default('http') }}"
+nova_metadata_insecure: "{{ keystone_service_internaluri_insecure | default(False) }}"
 nova_service_region: "{{ service_region }}"
 nova_service_user_name: nova
 nova_service_project_name: service
 nova_service_project_domain_id: default
 nova_service_user_domain_id: default
-nova_keystone_auth_plugin: password

inventory/group_vars/haproxy/haproxy.yml

@@ -136,7 +136,8 @@ haproxy_default_services:
       haproxy_backend_nodes: "{{ groups['nova_api_metadata'] | default([]) }}"
       haproxy_bind: "{{ [internal_lb_vip_address] }}"
       haproxy_port: 8775
-      haproxy_ssl: False
+      haproxy_ssl: "{{ haproxy_ssl_all_vips }}"
+      haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
       haproxy_balance_type: http
       haproxy_backend_options:
         - "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"

inventory/group_vars/nova_all.yml

@@ -15,8 +15,6 @@
 
 nova_service_port: 8774
 nova_service_proto: http
-nova_metadata_protocol: "{{ openstack_service_internaluri_proto | default(nova_service_proto) }}"
-nova_metadata_insecure: False
 nova_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(nova_service_proto) }}"
 nova_service_adminuri: "{{ nova_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ nova_service_port }}"
 nova_service_adminurl: "{{ nova_service_adminuri }}/v2.1"