From c663793036b8cc6b7184453bcb0f58876347b8a2 Mon Sep 17 00:00:00 2001
From: Emilien Macchi
Date: Mon, 30 Jun 2014 09:52:28 +0200
Subject: [PATCH] loadbalancer: implement X-Forwarded-Proto for Heat
Heat APIs support X-Forwarded-Proto in HTTP headers. It's mandatory when using SSL termination in HAproxy.
---
 manifests/loadbalancer.pp | 21 +++++++++++++++++++++
 spec/classes/cloud_loadbalancer_spec.rb | 19 +++++++++++++++++++
 2 files changed, 40 insertions(+)
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index ae25cb5d..b64b9fae 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -399,20 +399,41 @@ class cloud::loadbalancer(
 port => $ks_ceilometer_public_port,
 bind_options => $ceilometer_bind_options,
 }
+ if 'ssl' in $heat_api_bind_options {
+ $heat_api_options = {
+ 'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }' }
+ } else {
+ $heat_api_options = {}
+ }
 cloud::loadbalancer::binding { 'heat_api_cluster':
 ip => $heat_api,
 port => $ks_heat_public_port,
 bind_options => $heat_api_bind_options,
+ options => $heat_api_options
+ }
+ if 'ssl' in $heat_cfn_bind_options {
+ $heat_cfn_options = {
+ 'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }' }
+ } else {
+ $heat_cfn_options = { }
 }
 cloud::loadbalancer::binding { 'heat_cfn_api_cluster':
 ip => $heat_cfn_api,
 port => $ks_heat_cfn_public_port,
 bind_options => $heat_cfn_bind_options,
+ options => $heat_cfn_options
+ }
+ if 'ssl' in $heat_cloudwatch_bind_options {
+ $heat_cloudwatch_options = {
+ 'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }' }
+ } else {
+ $heat_cloudwatch_options = { }
 }
 cloud::loadbalancer::binding { 'heat_cloudwatch_api_cluster':
 ip => $heat_cloudwatch_api,
 port => $ks_heat_cloudwatch_public_port,
 bind_options => $heat_cloudwatch_bind_options,
+ options => $heat_cloudwatch_options
 }
 if $::operatingsystem == 'RedHat' {
diff --git a/spec/classes/cloud_loadbalancer_spec.rb b/spec/classes/cloud_loadbalancer_spec.rb
index 42ee6e28..a6bce617 100644
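Review bot: The three new `reqadd` options append X-Forwarded-Proto on TLS connections but never remove a value the client sent, and in each `else` branch (`$heat_api_options = {}` and its cfn/cloudwatch twins) a client-supplied `X-Forwarded-Proto: https` is passed to Heat untouched. If Heat trusts this header to decide the request scheme, the proxy should own it: strip the inbound header in both branches, e.g. `'reqidel' => '^X-Forwarded-Proto:.*'` next to the `reqadd`, or on HAProxy 1.5+ an unconditional `http-request del-header X-Forwarded-Proto` followed by `http-request set-header X-Forwarded-Proto https if { ssl_fc }`. Confirm on the deployed HAProxy version that the delete is evaluated before the add. The same if/else is written three times and could be factored once; the enclosing class starts and ends outside this hunk.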
--- a/spec/classes/cloud_loadbalancer_spec.rb
+++ b/spec/classes/cloud_loadbalancer_spec.rb
@@ -399,6 +399,25 @@ describe 'cloud::loadbalancer' do
 )}
 end
+ context 'configure OpenStack Heat API SSL binding' do
+ before do
+ params.merge!(
+ :heat_api_bind_options => ['ssl', 'crt']
+ )
+ end
+ it { should contain_haproxy__listen('heat_api_cluster').with(
+ :ipaddress => [params[:vip_public_ip]],
+ :ports => '8004',
+ :options => {
+ 'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }',
+ 'mode' => 'http',
+ 'option' => ['tcpka','forwardfor','tcplog', 'httpchk'],
+ 'http-check' => 'expect ! rstatus ^5',
+ 'balance' => 'roundrobin'
+ },
+ :bind_options => ['ssl', 'crt']
+ )}
+ end
 end # shared:: openstack loadbalancer
 context 'on Debian platforms' do
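Review bot: Only the `heat_api_cluster` SSL case is asserted here; the `heat_cfn_api_cluster` and `heat_cloudwatch_api_cluster` branches added to the manifest by the same commit have no example, and neither does the non-SSL path where `:options` must not carry `reqadd`. Add parallel contexts that set `:heat_cfn_bind_options` and `:heat_cloudwatch_bind_options`, plus one example asserting that a listener without `'ssl'` in its bind options has no `'reqadd'` key, so a regression that advertises https on a plain-HTTP bind is caught. The enclosing shared-examples block starts outside this hunk.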