Terminate nova ssl on haproxy (bsc#1149535)

Boris Bobrov · Boris Bobrov · commit a4f082462cc3 · 2020-01-24T13:35:50.000+01:00
If ssl is passed-thru on haproxy, the source ip gets replaced with the one of the node where haproxy lives, and there is no way to get the original ip on the services side. Add ssl termination on haproxy. Two new hidden options are added: loadbalancer_terminate_ssl (boolean) and pemfile (path to the certificate to use in haproxy-recognized format). (cherry picked from commit 94fc788)
diff --git a/chef/cookbooks/nova/attributes/default.rb b/chef/cookbooks/nova/attributes/default.rb
@@ -186,3 +186,9 @@
 # metadata/vendordata
 #
 default[:nova][:metadata][:vendordata][:json] = "{}"
+
+#
+# SSL settings
+#
+default[:nova][:ssl][:loadbalancer_terminate_ssl] = false
+default[:nova][:ssl][:pemfile] = "/etc/ssl/private/nova.pem"
diff --git a/chef/cookbooks/nova/recipes/controller_ha.rb b/chef/cookbooks/nova/recipes/controller_ha.rb
@@ -28,6 +28,8 @@
   address "0.0.0.0"
   port node[:nova][:ports][:api]
   use_ssl node[:nova][:ssl][:enabled]
+  terminate_ssl node[:nova][:ssl][:loadbalancer_terminate_ssl]
+  pemfile node[:nova][:ssl][:pemfile]
   servers CrowbarPacemakerHelper.haproxy_servers_for_service(node, "nova", "nova-controller", "api")
   rate_limit node[:nova][:ha_rate_limit]["nova-api"]
   action :nothing
diff --git a/chef/data_bags/crowbar/migrate/nova/212_add_haproxy_mode_http.rb b/chef/data_bags/crowbar/migrate/nova/212_add_haproxy_mode_http.rb
@@ -0,0 +1,12 @@
+def upgrade(template_attrs, template_deployment, attrs, deployment)
+  key = "loadbalancer_terminate_ssl"
+  template_value = template_attrs["nova"]["ssl"][key]
+  attrs["nova"]["ssl"][key] = template_value unless attrs["nova"]["ssl"].key? key
+  return attrs, deployment
+end
+
+def downgrade(template_attrs, template_deployment, attrs, deployment)
+  key = "loadbalancer_terminate_ssl"
+  attrs["nova"]["ssl"].delete(key) unless template_attrs["nova"]["ssl"].key? key
+  return attrs, deployment
+end
diff --git a/chef/data_bags/crowbar/template-nova.json b/chef/data_bags/crowbar/template-nova.json
@@ -119,7 +119,9 @@
         "generate_certs": false,
         "insecure": false,
         "cert_required": false,
-        "ca_certs": "/etc/nova/ssl/certs/ca.pem"
+        "ca_certs": "/etc/nova/ssl/certs/ca.pem",
+        "loadbalancer_terminate_ssl": false,
+        "pemfile": "/etc/ssl/private/nova.pem"
       },
       "novnc": {
         "ssl": {
@@ -185,7 +187,7 @@
     "nova": {
       "crowbar-revision": 0,
       "crowbar-applied": false,
-      "schema-revision": 211,
+      "schema-revision": 212,
       "element_states": {
         "nova-controller": [ "readying", "ready", "applying" ],
         "nova-compute-ironic": [ "readying", "ready", "applying" ],
diff --git a/chef/data_bags/crowbar/template-nova.schema b/chef/data_bags/crowbar/template-nova.schema
@@ -183,7 +183,9 @@
                 "generate_certs": { "type" : "bool", "required" : true },
                 "insecure": { "type" : "bool", "required" : true },
                 "cert_required": { "type" : "bool", "required" : true },
-                "ca_certs": { "type" : "str", "required" : true }
+                "ca_certs": { "type" : "str", "required" : true },
+                "loadbalancer_terminate_ssl": { "type" : "bool", "required": true},
+                "pemfile": { "type" : "str", "required": true}
               }
             },
             "novnc": {
