-rw-r--r-- | Gemfile | 1 | ||||
-rw-r--r-- | manifests/loadbalancer.pp | 47 | ||||
-rw-r--r-- | manifests/ssl/cinder_config.pp | 28 | ||||
-rw-r--r-- | spec/spec_helper.rb | 1 |
4 files changed, 75 insertions, 2 deletions
@@ -13,7 +13,6 @@ group :development, :test do
 gem 'puppet-lint-variable_contains_upcase', :require => 'false'
 gem 'puppet-lint-numericvariable', :require => 'false'
 gem 'json', :require => 'false'
- gem 'webmock', :require => 'false'
 # adding 'psych' explicitly
 # https://github.com/bundler/bundler/issues/2068
 # TODO: drop it in a future release of 'bundle'.
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index fdb5950..a37ecff 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -158,6 +158,11 @@
 # When set, enables SSL on the Trove public API endpoint using the specified file.
 # Defaults to undef
 #
+# [*gnocchi_certificate*]
+# Filename of an HAProxy-compatible certificate and key file
+# When set, enables SSL on the Gnocchi public API endpoint using the specified file.
+# Defaults to undef
+#
 # [*swift_certificate*]
 # Filename of an HAProxy-compatible certificate and key file
 # When set, enables SSL on the Swift public API endpoint using the specified file.
@@ -238,6 +243,10 @@
 # (optional) Enable or not Aodh API binding
 # Defaults to false
 #
+# [*gnocchi*]
+# (optional) Enable or not Gnocchi API binding
+# Defaults to false
+#
 # [*swift_proxy_server*]
 # (optional) Enable or not Swift API binding
 # Defaults to false
@@ -312,6 +321,7 @@ class tripleo::loadbalancer (
 $nova_certificate = undef,
 $ceilometer_certificate = undef,
 $aodh_certificate = undef,
+ $gnocchi_certificate = undef,
 $swift_certificate = undef,
 $heat_certificate = undef,
 $horizon_certificate = undef,
@@ -331,6 +341,7 @@ class tripleo::loadbalancer (
 $nova_novncproxy = false,
 $ceilometer = false,
 $aodh = false,
+ $gnocchi = false,
 $swift_proxy_server = false,
 $heat_api = false,
 $heat_cloudwatch = false,
@@ -490,6 +501,11 @@ class tripleo::loadbalancer (
 } else {
 $aodh_bind_certificate = $service_certificate
 }
+ if $gnocchi_certificate {
+ $gnocchi_bind_certificate = $gnocchi_certificate
+ } else {
+ $gnocchi_bind_certificate = $service_certificate
+ }
 if $swift_certificate {
 $swift_bind_certificate = $swift_certificate
 } else {
@@ -676,6 +692,19 @@ class tripleo::loadbalancer (
 }
 }
 
+ $gnocchi_api_vip = hiera('gnocchi_api_vip', $controller_virtual_ip)
+ if $gnocchi_bind_certificate {
+ $gnocchi_bind_opts = {
+ "${gnocchi_api_vip}:8041" => [],
+ "${public_virtual_ip}:13041" => ['ssl', 'crt', $gnocchi_bind_certificate],
+ }
+ } else {
+ $gnocchi_bind_opts = {
+ "${gnocchi_api_vip}:8041" => [],
+ "${public_virtual_ip}:8041" => [],
+ }
+ }
+
 $swift_proxy_vip = hiera('swift_proxy_vip', $controller_virtual_ip)
 if $swift_bind_certificate {
 $swift_bind_opts = {
@@ -851,6 +880,10 @@ class tripleo::loadbalancer (
 haproxy::listen { 'cinder':
 bind => $cinder_bind_opts,
 collect_exported => false,
+ mode => 'http', # Needed for http-request option
+ options => {
+ 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+ },
 }
 haproxy::balancermember { 'cinder':
 listening_service => 'cinder',
@@ -1023,6 +1056,20 @@ class tripleo::loadbalancer (
 }
 }
 
+ if $gnocchi {
+ haproxy::listen { 'gnocchi':
+ bind => $gnocchi_bind_opts,
+ collect_exported => false,
+ }
+ haproxy::balancermember { 'gnocchi':
+ listening_service => 'gnocchi',
+ ports => '8041',
+ ipaddresses => hiera('gnocchi_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ options => ['check', 'inter 2000', 'rise 2', 'fall 5'],
+ }
+ }
+
 if $swift_proxy_server {
 haproxy::listen { 'swift_proxy_server':
 bind => $swift_bind_opts,
diff --git a/manifests/ssl/cinder_config.pp b/manifests/ssl/cinder_config.pp
new file mode 100644
index 0000000..e1ed113
--- /dev/null
+++ b/manifests/ssl/cinder_config.pp
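Review bot: The `http-request` rule added to `haproxy::listen { 'cinder': }` sets `X-Forwarded-Proto` only when `ssl_fc` is true, so a request arriving on a plaintext bind keeps whatever `X-Forwarded-Proto` value the client sent. This commit also puts HTTPProxyToWSGI into the cinder pipeline, which reads that header, so the backend can be told that a cleartext request was HTTPS. Have the proxy write the header on every request by making the list `['set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }']`. The `haproxy::balancermember { 'cinder': }` resource that follows continues outside the hunk.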
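Review bot: `haproxy::listen { 'gnocchi': }` is declared without `mode => 'http'` or an `X-Forwarded-Proto` rule, although `$gnocchi_bind_opts` (set in the `@@ -676,6 +692,19 @@` hunk) terminates TLS on `${public_virtual_ip}:13041` and this same commit adds both settings to the cinder listener. If Gnocchi derives links or redirects from the request scheme it will see plain HTTP for TLS clients; confirm whether it needs the cinder treatment, and if so set the header for both the TLS and the cleartext case rather than only under `ssl_fc`. The `$gnocchi_bind_opts` hunk also leaves the public VIP on cleartext port 8041 when neither `gnocchi_certificate` nor `service_certificate` is set, which matches the neighbouring services but should be stated in the parameter documentation, for example `# When no certificate is set, the public endpoint is served without TLS on port 8041.`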
@@ -0,0 +1,28 @@
+# Copyright 2016 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# == Class: tripleo::ssl::cinder_config
+#
+# Enable SSL middleware for the cinder service's pipeline.
+#
+
+class tripleo::ssl::cinder_config {
+ cinder_api_paste_ini {
+ 'filter:ssl_header_handler/paste.filter_factory':
+ value => 'oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory';
+ 'pipeline:apiversions/pipeline':
+ value => 'ssl_header_handler faultwrap osvolumeversionapp';
+ }
+}
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 5cf9642..15d5eab 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -1,6 +1,5 @@
 require 'puppetlabs_spec_helper/module_spec_helper'
 require 'shared_examples'
-require 'webmock/rspec'
 fixture_path = File.expand_path(File.join(__FILE__, '..', 'fixtures')) |
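Review bot: In `tripleo::ssl::cinder_config`, `pipeline:apiversions/pipeline` is written as a fixed string, so the class replaces whatever that section holds in the installed api-paste.ini and would silently drop any filter a later cinder release adds there. The class comment should say that only the apiversions pipeline is changed and that the inserted filter acts on forwarding headers, so the API port should be reachable only through the load balancer that sets them; for example `# Inserts HTTPProxyToWSGI into the apiversions pipeline only; expects X-Forwarded-Proto to be set by the proxy, not by clients.` Whether the other cinder pipelines also need the filter is not visible from this diff.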