Add security.txt to haproxy frontend

If keystone_security_txt_content is defined in user variables,
the keystone service will host this file at the following locations
/security.txt and /.well-known/security.txt as defined in
https://securitytxt.org/

This patch uses a HaProxy ACL to forward request to the Horizon
frontend for */security.txt to the keysteone backend.

Depends-On: https://review.opendev.org/766437
Change-Id: I2321f29362945f25c7dcfc5f5f8365aa2c025842

inventory/group_vars/haproxy/haproxy.yml

@@ -35,6 +35,11 @@ haproxy_repo_git_whitelist_networks: "{{ haproxy_whitelist_networks }}"
 haproxy_repo_cache_whitelist_networks: "{{ haproxy_whitelist_networks }}"
 haproxy_opendaylight_whitelist_networks: "{{ haproxy_whitelist_networks }}"
 
+haproxy_security_txt_acl:
+  keystone-security-txt-acl:
+    rule: "path_end /security.txt"
+    backend_name: keystone_service
+
 haproxy_default_services:
   - service:
       haproxy_service_name: galera
@@ -205,6 +210,7 @@ haproxy_default_services:
       haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}"
       haproxy_redirect_scheme: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary('https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }', 'https if !{ ssl_fc }') }}"
       haproxy_frontend_acls: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary(haproxy_ssl_letsencrypt_acl, {}) }}"
+      haproxy_acls: "{{ keystone_security_txt_content is defined | ternary(haproxy_security_txt_acl, {}) }}"
   - service:
       haproxy_service_name: letsencrypt
       haproxy_backend_nodes: "{{ groups['haproxy_all'] }}"