For http service endpoints always redirect to https

If public TLS is enabled, this sets as default that services should always redirect to https. Change-Id: I19b9d07ac8925366ed27fefcaca4fdb9a9ab1b37
2017-06-14 11:22:35 +03:00 · 2017-06-14 11:22:35 +03:00 · 192463755b
commit 192463755b
parent 5e91493f7a
2 changed files with 15 additions and 13 deletions
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@ -902,17 +902,8 @@ class tripleo::haproxy (
  }

  if $keystone_public {
-    if $service_certificate {
-      $keystone_public_tls_listen_opts = {
-        'rsprep'       => '^Location:\ http://(.*) Location:\ https://\1',
-        # NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
-        'redirect'     => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
-        'option'       => 'forwardfor',
-      }
-    } else {
-      $keystone_public_tls_listen_opts = {
-        'option' => [ 'httpchk GET /v3', ],
-      }
+    $keystone_listen_opts = {
+      'option' => [ 'httpchk GET /v3', ],
    }
    ::tripleo::haproxy::endpoint { 'keystone_public':
      public_virtual_ip => $public_virtual_ip,
@ -921,7 +912,7 @@ class tripleo::haproxy (
      ip_addresses      => hiera('keystone_public_api_node_ips', $controller_hosts_real),
      server_names      => hiera('keystone_public_api_node_names', $controller_hosts_names_real),
      mode              => 'http',
-      listen_options    => merge($default_listen_options, $keystone_public_tls_listen_opts),
+      listen_options    => merge($default_listen_options, $keystone_listen_opts),
      public_ssl_port   => $ports[keystone_public_api_ssl_port],
      service_network   => $keystone_public_network,
      member_options    => union($haproxy_member_options, $internal_tls_member_options),
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@ -108,9 +108,20 @@ define tripleo::haproxy::endpoint (
    # service exposed to the public network

    if $public_certificate {
+      if $mode == 'http' {
+        $tls_listen_options = {
+          'rsprep'       => '^Location:\ http://(.*) Location:\ https://\1',
+          'redirect'     => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
+          'option'       => 'forwardfor',
+        }
+        $listen_options_real = merge($tls_listen_options, $listen_options)
+      } else {
+        $listen_options_real = $listen_options
+      }
      $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${public_ssl_port}"),
                                        union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
    } else {
+      $listen_options_real = $listen_options
      $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${service_port}"), $haproxy_listen_bind_param)
    }
  } else {
@ -138,7 +149,7 @@ define tripleo::haproxy::endpoint (
    bind             => $bind_opts,
    collect_exported => false,
    mode             => $mode,
-    options          => $listen_options,
+    options          => $listen_options_real,
  }
  haproxy::balancermember { "${name}":
    listening_service => $name,