loadbalancer: implement X-Forwarded-Proto for Heat

Heat APIs support X-Forwarded-Proto in HTTP headers. It's mandatory when using SSL termination in HAproxy.
2014-06-30 09:52:28 +02:00
parent da4bae48cf
commit c663793036
2 changed files with 40 additions and 0 deletions
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -399,20 +399,41 @@ class cloud::loadbalancer(
    port         => $ks_ceilometer_public_port,
    bind_options => $ceilometer_bind_options,
  }
+  if 'ssl' in $heat_api_bind_options {
+    $heat_api_options = {
+    'reqadd'  => 'X-Forwarded-Proto:\ https if { ssl_fc }' }
+  } else {
+    $heat_api_options = {}
+  }
  cloud::loadbalancer::binding { 'heat_api_cluster':
    ip           => $heat_api,
    port         => $ks_heat_public_port,
    bind_options => $heat_api_bind_options,
+    options      => $heat_api_options
+  }
+  if 'ssl' in $heat_cfn_bind_options {
+    $heat_cfn_options = {
+    'reqadd'  => 'X-Forwarded-Proto:\ https if { ssl_fc }' }
+  } else {
+    $heat_cfn_options = { }
  }
  cloud::loadbalancer::binding { 'heat_cfn_api_cluster':
    ip           => $heat_cfn_api,
    port         => $ks_heat_cfn_public_port,
    bind_options => $heat_cfn_bind_options,
+    options      => $heat_cfn_options
+  }
+  if 'ssl' in $heat_cloudwatch_bind_options {
+    $heat_cloudwatch_options = {
+    'reqadd'  => 'X-Forwarded-Proto:\ https if { ssl_fc }' }
+  } else {
+    $heat_cloudwatch_options = { }
  }
  cloud::loadbalancer::binding { 'heat_cloudwatch_api_cluster':
    ip           => $heat_cloudwatch_api,
    port         => $ks_heat_cloudwatch_public_port,
    bind_options => $heat_cloudwatch_bind_options,
+    options      => $heat_cloudwatch_options
  }

  if $::operatingsystem == 'RedHat' {
--- a/spec/classes/cloud_loadbalancer_spec.rb
+++ b/spec/classes/cloud_loadbalancer_spec.rb
@@ -399,6 +399,25 @@ describe 'cloud::loadbalancer' do
      )}
    end

+    context 'configure OpenStack Heat API SSL binding' do
+      before do
+        params.merge!(
+          :heat_api_bind_options => ['ssl', 'crt']
+        )
+      end
+      it { should contain_haproxy__listen('heat_api_cluster').with(
+        :ipaddress => [params[:vip_public_ip]],
+        :ports     => '8004',
+        :options   => {
+          'reqadd'         => 'X-Forwarded-Proto:\ https if { ssl_fc }',
+          'mode'           => 'http',
+          'option'         => ['tcpka','forwardfor','tcplog', 'httpchk'],
+          'http-check'     => 'expect ! rstatus ^5',
+          'balance'        => 'roundrobin'
+        },
+        :bind_options => ['ssl', 'crt']
+      )}
+    end
  end # shared:: openstack loadbalancer

  context 'on Debian platforms' do