From eba6f7446e9d0cbf46093341c67f6c2e361aeead Mon Sep 17 00:00:00 2001
From: Emilien Macchi
Date: Mon, 22 Jun 2015 10:57:23 -0400
Subject: [PATCH] loadbalancer/heat: use HTTP binding options when running SSL

Heat does not support TCP binding when running SSL termination. That means we need to make sure using HTTP is configured in HAproxy options when SSL is part of binding options, defined by the deployer.

Closes-bug: #1467515
Change-Id: I621c2ee624d3d16394529daa4ca6c96ab1c7a067
---
 manifests/loadbalancer.pp | 21 +++++++++++++++------
 spec/classes/cloud_loadbalancer_spec.rb | 9 +++++----
 2 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 74b1aa8e..e1c23008 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -871,9 +871,12 @@ class cloud::loadbalancer(
 firewall_settings => $firewall_settings,
 }
 if 'ssl' in $heat_api_bind_options {
- $heat_api_options = merge($common_tcp_options, {
+ $heat_api_options = {
 'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }',
- })
+ 'balance' => 'source',
+ 'timeout server' => $api_timeout,
+ 'timeout client' => $api_timeout,
+ }
 } else {
 $heat_api_options = $common_tcp_options
 }
@@ -885,9 +888,12 @@ class cloud::loadbalancer(
 firewall_settings => $firewall_settings,
 }
 if 'ssl' in $heat_cfn_bind_options {
- $heat_cfn_options = merge($common_tcp_options, {
+ $heat_cfn_options = {
 'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }',
- })
+ 'balance' => 'source',
+ 'timeout server' => $api_timeout,
+ 'timeout client' => $api_timeout,
+ }
 } else {
 $heat_cfn_options = $common_tcp_options
 }
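Review bot: The `reqadd` line kept in the `'ssl' in $heat_api_bind_options` branch only appends a header, so an `X-Forwarded-Proto` value sent by the client is still forwarded to heat-api next to the one the proxy adds. This matters more after this change, because the spec in the same commit expects `'mode' => 'http'` for this listener (presumably from defaults applied outside the hunk), and HTTP header rules only take effect once the proxy parses requests. If Heat or its middleware trusts that header when building URLs or deciding whether the transport is secure, the hash should also drop the inbound copy, for example `'reqidel' => '^X-Forwarded-Proto:.*',`, after checking how the deployed HAProxy version orders that rule relative to `reqadd`. The identical hash is repeated in the `$heat_cfn_options` and `$heat_cloudwatch_options` hunks, so defining it once (a suggested name would be `$heat_ssl_options`) and reusing it in all three branches keeps such a fix in one place. The class body starts and ends outside these hunks.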
@@ -899,9 +905,12 @@ class cloud::loadbalancer(
 firewall_settings => $firewall_settings,
 }
 if 'ssl' in $heat_cloudwatch_bind_options {
- $heat_cloudwatch_options = merge($common_tcp_options, {
+ $heat_cloudwatch_options = {
 'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }',
- })
+ 'balance' => 'source',
+ 'timeout server' => $api_timeout,
+ 'timeout client' => $api_timeout,
+ }
 } else {
 $heat_cloudwatch_options = $common_tcp_options
 }
diff --git a/spec/classes/cloud_loadbalancer_spec.rb b/spec/classes/cloud_loadbalancer_spec.rb
index 1083af87..488fa3c1 100644
--- a/spec/classes/cloud_loadbalancer_spec.rb
+++ b/spec/classes/cloud_loadbalancer_spec.rb
@@ -527,12 +527,13 @@ describe 'cloud::loadbalancer' do
 :ipaddress => [params[:vip_public_ip]],
 :ports => '8004',
 :options => {
- 'mode' => 'tcp',
- 'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }',
+ 'mode' => 'http',
 'balance' => 'source',
- 'option' => ['tcpka', 'tcplog', 'forwardfor'],
+ 'option' => ['tcpka', 'forwardfor', 'tcplog', 'httpchk'],
+ 'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }',
 'timeout server' => '90m',
- 'timeout client' => '90m'
+ 'timeout client' => '90m',
+ 'http-check' => 'expect ! rstatus ^5',
 },
 :bind_options => ['ssl', 'crt']
 )}
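Review bot: The expected option list for the SSL-terminated port 8004 listener keeps `tcplog` while the mode becomes `http`, so the test locks in connection-level logging on a listener that now parses requests. With `httplog` the HAProxy log would record the request line and response status of each call, which is what an operator needs to audit Heat API access through the VIP. The list appears to come from defaults outside this diff, so the change would be made there and the expectation updated to match, e.g. `'option' => ['tcpka', 'forwardfor', 'httplog', 'httpchk'],`. Only the 8004 case is touched here; if the cfn and cloudwatch SSL branches have no equivalent examples elsewhere in the spec, they deserve the same assertion. The `describe` block starts and ends outside the hunk.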