diff options
-rw-r--r-- | manifests/haproxy.pp | 21 | ||||
-rw-r--r-- | manifests/profile/base/kernel.pp | 10 |
2 files changed, 23 insertions, 8 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 0a53353..e2b2cc9 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -517,6 +517,21 @@ class tripleo::haproxy ( } if $keystone_public { + $keystone_listen_opts = { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + } + if $service_certificate { + $keystone_public_tls_listen_opts = { + 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', + # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. + 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", + 'option' => 'forwardfor', + } + } else { + $keystone_public_tls_listen_opts = {} + } ::tripleo::haproxy::endpoint { 'keystone_public': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('keystone_public_api_vip', $controller_virtual_ip), @@ -524,11 +539,7 @@ class tripleo::haproxy ( ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, + listen_options => merge($keystone_listen_opts, $keystone_public_tls_listen_opts), public_ssl_port => $ports[keystone_public_api_ssl_port], } } diff --git a/manifests/profile/base/kernel.pp b/manifests/profile/base/kernel.pp index db0280f..df13a98 100644 --- a/manifests/profile/base/kernel.pp +++ b/manifests/profile/base/kernel.pp @@ -19,8 +19,12 @@ # class tripleo::profile::base::kernel { - create_resources(kmod::load, hiera('kernel_modules'), { }) - create_resources(sysctl::value, hiera('sysctl_settings'), { }) - Exec <| tag == 'kmod::load' |> -> Sysctl <| |> + if hiera('kernel_modules', undef) { + create_resources(kmod::load, hiera('kernel_modules'), { }) + } + if hiera('sysctl_settings', undef) { + create_resources(sysctl::value, hiera('sysctl_settings'), { }) + } + Exec <| tag == 'kmod::load' |> -> Sysctl <| |> } |