Terminate ssl on haproxy for cinder (bsc#1149535)

Boris Bobrov · Boris Bobrov · commit 015bd0fc1abd · 2020-01-27T18:33:56.000+01:00
If ssl is passed-thru on haproxy, the source ip gets replaced with the one of the node where haproxy lives, and there is no way to get the original ip on the services side. Add ssl termination on haproxy. Two new hidden options are added: loadbalancer_terminate_ssl (boolean) and pemfile (path to the certificate to use in haproxy-recognized format). This patch adds support for cinder. (cherry picked from commit 44e0f6a)
diff --git a/chef/cookbooks/cinder/attributes/default.rb b/chef/cookbooks/cinder/attributes/default.rb
@@ -54,3 +54,9 @@
 default[:cinder][:ha][:op][:monitor][:interval] = "10s"
 # Ports to bind to when haproxy is used for the real ports
 default[:cinder][:ha][:ports][:api] = 5520
+
+#
+# SSL settings
+#
+default[:cinder][:ssl][:loadbalancer_terminate_ssl] = false
+default[:cinder][:ssl][:pemfile] = "/etc/ssl/private/cinder.pem"
diff --git a/chef/cookbooks/cinder/recipes/controller_ha.rb b/chef/cookbooks/cinder/recipes/controller_ha.rb
@@ -28,6 +28,8 @@
   address node[:cinder][:api][:bind_open_address] ? "0.0.0.0" : cluster_admin_ip
   port node[:cinder][:api][:bind_port]
   use_ssl (node[:cinder][:api][:protocol] == "https")
+  terminate_ssl node[:cinder][:ssl][:loadbalancer_terminate_ssl]
+  pemfile node[:cinder][:ssl][:pemfile]
   servers CrowbarPacemakerHelper.haproxy_servers_for_service(node, "cinder", "cinder-controller", "api")
   rate_limit node[:cinder][:ha_rate_limit]["cinder-api"]
   action :nothing
diff --git a/chef/data_bags/crowbar/migrate/cinder/208_add_haproxy_mode_http.rb b/chef/data_bags/crowbar/migrate/cinder/208_add_haproxy_mode_http.rb
@@ -0,0 +1,12 @@
+def upgrade(template_attrs, template_deployment, attrs, deployment)
+  key = "loadbalancer_terminate_ssl"
+  template_value = template_attrs["cinder"]["ssl"][key]
+  attrs["cinder"]["ssl"][key] = template_value unless attrs["cinder"]["ssl"].key? key
+  return attrs, deployment
+end
+
+def downgrade(template_attrs, template_deployment, attrs, deployment)
+  key = "loadbalancer_terminate_ssl"
+  attrs["cinder"]["ssl"].delete(key) unless template_attrs["cinder"]["ssl"].key? key
+  return attrs, deployment
+end
diff --git a/chef/data_bags/crowbar/template-cinder.json b/chef/data_bags/crowbar/template-cinder.json
@@ -155,7 +155,9 @@
         "generate_certs": false,
         "insecure": false,
         "cert_required": false,
-        "ca_certs": "/etc/cinder/ssl/certs/ca.pem"
+        "ca_certs": "/etc/cinder/ssl/certs/ca.pem",
+        "loadbalancer_terminate_ssl": false,
+        "pemfile": "/etc/ssl/private/cinder.pem"
       },
       "db": {
         "password": "",
@@ -182,7 +184,7 @@
     "cinder": {
       "crowbar-revision": 0,
       "crowbar-applied": false,
-      "schema-revision": 207,
+      "schema-revision": 208,
       "element_states": {
           "cinder-controller": [ "readying", "ready", "applying" ],
           "cinder-volume": [ "readying", "ready", "applying" ]
diff --git a/chef/data_bags/crowbar/template-cinder.schema b/chef/data_bags/crowbar/template-cinder.schema
@@ -330,7 +330,9 @@
               "generate_certs": { "type" : "bool", "required" : true },
               "insecure": { "type" : "bool", "required" : true },
               "cert_required": { "type" : "bool", "required" : true },
-              "ca_certs": { "type" : "str", "required" : true }
+              "ca_certs": { "type" : "str", "required" : true },
+              "loadbalancer_terminate_ssl": { "type" : "bool", "required": true},
+              "pemfile": { "type" : "str", "required": true}
             }},
             "db": {
               "type": "map",
