From 5e402263e42855d7043dad33726af51e2d89cd3b Mon Sep 17 00:00:00 2001
From: Jonathan Rosser
Date: Tue, 11 Oct 2022 15:55:57 +0100
Subject: [PATCH] Add ironic serial console to haproxy

* Combine ironic and nova serial console backends when the nova console type is 'serialconsole'
* Create a separate ironic console frontend and backend when the ironic console type is different from the nova console type
* Add the serialconsole websocket to the content security policy

Change-Id: I93ef5bff33ba7bf0b75539543611561e46bee3fc
---
inventory/group_vars/all/ironic.yml | 2 ++
inventory/group_vars/haproxy/haproxy.yml | 19 +++++++++++++++++--
2 files changed, 19 insertions(+), 2 deletions(-)
create mode 100644 inventory/group_vars/all/ironic.yml

diff --git a/inventory/group_vars/all/ironic.yml b/inventory/group_vars/all/ironic.yml
new file mode 100644
index 0000000000..17ffd63704
--- /dev/null
+++ b/inventory/group_vars/all/ironic.yml
@@ -0,0 +1,2 @@
+ironic_console_port: 6083
+ironic_console_type: "disabled"
diff --git a/inventory/group_vars/haproxy/haproxy.yml b/inventory/group_vars/haproxy/haproxy.yml
index 7638a60336..3b26e2e028 100644
--- a/inventory/group_vars/haproxy/haproxy.yml
+++ b/inventory/group_vars/haproxy/haproxy.yml
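Review bot: The two new variables in inventory/group_vars/all/ironic.yml carry no comment on their accepted values or on how `ironic_console_type` relates to `nova_console_type`, even though the haproxy.yml hunks in this patch decide the whole frontend/backend layout on whether the two are equal. A short header would save operators a trip through haproxy.yml: `# Console type for ironic-managed nodes: 'disabled', or the same value as nova_console_type to share the nova_console haproxy backend` above `ironic_console_type`, and `# Port of the ironic serial console proxy; also allowed as a wss:// source in the haproxy CSP` above `ironic_console_port`. It would also be worth stating in that comment whether `ironic_console_port` is expected to equal `nova_console_port` in the shared-backend case, since the CSP change in this patch presumably relies on that.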
@@ -43,7 +43,7 @@ haproxy_security_headers_max_age: 31536000 # Set CSP headers to report only for testing haproxy_security_headers_csp_report_only: False # To override the CSP used by a specific service define a variable haproxy__csp -haproxy_security_headers_csp: "http-response set-header {{ haproxy_security_headers_csp_report_only | ternary('Content-Security-Policy-Report-Only', 'Content-Security-Policy') }} \"default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }}; frame-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }}; connect-src 'self' {{ external_lb_vip_address }}:*; img-src 'self' data:; worker-src blob:;\"" +haproxy_security_headers_csp: "http-response set-header {{ haproxy_security_headers_csp_report_only | ternary('Content-Security-Policy-Report-Only', 'Content-Security-Policy') }} \"default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }}; frame-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }}; connect-src 'self' {{ external_lb_vip_address }}:* wss://{{ external_lb_vip_address }}:{{ ironic_console_port }}; img-src 'self' data:; worker-src blob:;\"" # To disable security headers set to [] haproxy_security_headers: - "http-response set-header Strict-Transport-Security \"max-age={{ haproxy_security_headers_max_age }}; includeSubDomains;\"" 
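Review bot: The new connect-src source `wss://{{ external_lb_vip_address }}:{{ ironic_console_port }}` is tied to `ironic_console_port` only, yet the -381 hunk sends ironic console traffic through the existing nova_console frontend, whose `haproxy_port` is `nova_console_port`, whenever the two console types are equal; in that combined case the websocket origin is only allowed if the two port variables happen to coincide. Conversely, with the shipped default `ironic_console_type: "disabled"` the source is still emitted, widening connect-src to an origin nothing serves. Consider deriving the port from the same condition, e.g. `wss://{{ external_lb_vip_address }}:{{ (ironic_console_type == nova_console_type) | ternary(nova_console_port, ironic_console_port) }}`, and omitting the source when the ironic console is disabled. Whether the pre-existing scheme-less `{{ external_lb_vip_address }}:*` source already covers wss: on an https page depends on the browser's CSP level, so the explicit scheme here is the safer form — just scope it as narrowly as the condition allows.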
@@ -381,7 +381,7 @@ haproxy_nova_console_http_mode: "{{ not (nova_console_user_ssl_cert is defined and nova_console_user_ssl_key is defined) }}" haproxy_nova_console_service: haproxy_service_name: nova_console - haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}" + haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) + ((ironic_console_type == nova_console_type) | ternary(groups['ironic_console'], [])) }}" haproxy_ssl: "{{ haproxy_ssl }}" haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" haproxy_port: "{{ nova_console_port }}" @@ -393,6 +393,20 @@ haproxy_nova_console_service: haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}" haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type != 'disabled' }}" +# run a seperate service for the ironic nova console proxy when then console type is not the same as the one used by +# nova-compute managed virtual machines +haproxy_nova_ironic_console_service: + haproxy_service_name: nova_ironic_console + haproxy_backend_nodes: "{{ groups['ironic_console'] }}" + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" + haproxy_port: "{{ ironic_console_port }}" + haproxy_balance_type: http + haproxy_balance_alg: source + haproxy_timeout_client: 10m # see https://docs.openstack.org/ironic/latest/admin/console.html#configuring-ha + haproxy_timeout_server: 10m # ditto + haproxy_service_enabled: "{{ groups['ironic_console'] is defined and groups['ironic_console'] | length > 0 and ironic_console_type != nova_console_type }}" + haproxy_octavia_service: haproxy_service_name: octavia haproxy_backend_nodes: "{{ groups['octavia_all'] | default([]) }}" 
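Review bot: `groups['ironic_console']` inside the new `haproxy_backend_nodes` expression has no `| default([])`, unlike `groups['nova_console']` right beside it, so on any inventory without an ironic_console group the template fails as soon as `ironic_console_type == nova_console_type` — which is the case, for example, when both are 'disabled'. The same unguarded lookup appears in the -393 hunk's `haproxy_nova_ironic_console_service`, and since the -598 hunk templates that dict inside `haproxy_default_services`, it is presumably rendered on every deployment regardless of `haproxy_service_enabled`. Suggest `ternary(groups['ironic_console'] | default([]), [])` here and `haproxy_backend_nodes: "{{ groups['ironic_console'] | default([]) }}"` in the new service, matching the other services in this file. haproxy_nova_console_service continues outside the hunk.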
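Review bot: `haproxy_service_enabled` on the new `haproxy_nova_ironic_console_service` only requires that the two console types differ, so with the default `ironic_console_type: "disabled"` and any non-disabled nova type the frontend on `ironic_console_port` is still created for every inventory that has an ironic_console group; the sibling `haproxy_nova_console_service` condition in this hunk explicitly includes `nova_console_type != 'disabled'`. Add the matching guard: `haproxy_service_enabled: "{{ groups['ironic_console'] is defined and groups['ironic_console'] | length > 0 and ironic_console_type != 'disabled' and ironic_console_type != nova_console_type }}"`. A listener on the external VIP with nothing meant to be behind it is at best a permanent health-check failure and at worst an unintended exposed port. The comment above the dict also has two typos; `# run a separate service for the ironic nova console proxy when the console type is not the same as the one used by` fixes both.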
@@ -598,6 +612,7 @@ haproxy_default_services: - service: "{{ haproxy_nova_api_metadata_service | combine(haproxy_nova_api_metadata_service_overrides | default({})) }}" - service: "{{ haproxy_nova_api_compute_service | combine(haproxy_nova_api_compute_service_overrides | default({})) }}" - service: "{{ haproxy_nova_console_service | combine(haproxy_nova_console_service_overrides | default({})) }}" + - service: "{{ haproxy_nova_ironic_console_service | combine(haproxy_nova_ironic_console_service_overrides | default({})) }}" - service: "{{ haproxy_octavia_service | combine(haproxy_octavia_service_overrides | default({})) }}" - service: "{{ haproxy_opendaylight_neutron_service | combine(haproxy_opendaylight_neutron_service_overrides | default({})) }}" - service: "{{ haproxy_opendaylight_websocket_service | combine(haproxy_opendaylight_websocket_service_overrides | default({})) }}"