1 files changed, 25 insertions, 61 deletions

diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index a3d088a..9939ca9 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -402,6 +402,10 @@
 #  (optional) Specify the network heat_cloudwatch is running on.
 #  Defaults to hiera('heat_api_cloudwatch_network', undef)
 #
+# [*horizon_network*]
+#  (optional) Specify the network horizon is running on.
+#  Defaults to hiera('horizon_network', undef)
+#
 # [*ironic_inspector_network*]
 #  (optional) Specify the network ironic_inspector is running on.
 #  Defaults to hiera('ironic_inspector_network', undef)
@@ -520,7 +524,6 @@
 #    'ironic_inspector_port' (Defaults to 5050)
 #    'ironic_inspector_ssl_port' (Defaults to 13050)
 #    'keystone_admin_api_port' (Defaults to 35357)
-#    'keystone_admin_api_ssl_port' (Defaults to 13357)
 #    'keystone_public_api_port' (Defaults to 5000)
 #    'keystone_public_api_ssl_port' (Defaults to 13000)
 #    'manila_api_port' (Defaults to 8786)
@@ -644,6 +647,7 @@ class tripleo::haproxy (
   $heat_api_network            = hiera('heat_api_network', undef),
   $heat_cfn_network            = hiera('heat_api_cfn_network', undef),
   $heat_cloudwatch_network     = hiera('heat_api_cloudwatch_network', undef),
+  $horizon_network             = hiera('horizon_network', undef),
   $ironic_inspector_network    = hiera('ironic_inspector_network', undef),
   $ironic_network              = hiera('ironic_api_network', undef),
   $keystone_admin_network      = hiera('keystone_admin_api_network', undef),
@@ -708,7 +712,6 @@ class tripleo::haproxy (
     ironic_inspector_port => 5050,
     ironic_inspector_ssl_port => 13050,
     keystone_admin_api_port => 35357,
-    keystone_admin_api_ssl_port => 13357,
     keystone_public_api_port => 5000,
     keystone_public_api_ssl_port => 13000,
     manila_api_port => 8786,
@@ -772,43 +775,6 @@ class tripleo::haproxy (
     $controller_hosts_names_real = downcase(any2array(split($controller_hosts_names, ',')))
   }
 
-  $horizon_vip = hiera('horizon_vip', $controller_virtual_ip)
-  if $service_certificate {
-    # NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the
-    # same, the first option takes precedence. Which is the case when network
-    # isolation is not enabled. This is not a problem as both options are
-    # identical. If network isolation is enabled, this works correctly and
-    # will add a TLS binding to both the horizon_vip and the
-    # public_virtual_ip.
-    # Even though for the public_virtual_ip the port 80 is listening, we
-    # redirect to https in the horizon_options below.
-    $horizon_bind_opts = {
-      "${horizon_vip}:80"        => $haproxy_listen_bind_param,
-      "${horizon_vip}:443"       => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
-      "${public_virtual_ip}:80"  => $haproxy_listen_bind_param,
-      "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
-    }
-    $horizon_options = {
-      'cookie'       => 'SERVERID insert indirect nocache',
-      'rsprep'       => '^Location:\ http://(.*) Location:\ https://\1',
-      # NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
-      'redirect'     => 'scheme https code 301 if !{ ssl_fc }',
-      'option'       => [ 'forwardfor', 'httpchk' ],
-      'http-request' => [
-          'set-header X-Forwarded-Proto https if { ssl_fc }',
-          'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
-    }
-  } else {
-    $horizon_bind_opts = {
-      "${horizon_vip}:80" => $haproxy_listen_bind_param,
-      "${public_virtual_ip}:80" => $haproxy_listen_bind_param,
-    }
-    $horizon_options = {
-      'cookie' => 'SERVERID insert indirect nocache',
-      'option' => [ 'forwardfor', 'httpchk' ],
-    }
-  }
-
   $mysql_vip = hiera('mysql_vip', $controller_virtual_ip)
   $mysql_bind_opts = {
     "${mysql_vip}:3306" => $haproxy_listen_bind_param,
@@ -894,16 +860,14 @@ class tripleo::haproxy (
 
   if $keystone_admin {
     ::tripleo::haproxy::endpoint { 'keystone_admin':
-      public_virtual_ip => $public_virtual_ip,
-      internal_ip       => hiera('keystone_admin_api_vip', $controller_virtual_ip),
-      service_port      => $ports[keystone_admin_api_port],
-      ip_addresses      => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
-      server_names      => hiera('keystone_admin_api_node_names', $controller_hosts_names_real),
-      mode              => 'http',
-      listen_options    => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }),
-      public_ssl_port   => $ports[keystone_admin_api_ssl_port],
-      service_network   => $keystone_admin_network,
-      member_options    => union($haproxy_member_options, $internal_tls_member_options),
+      internal_ip     => hiera('keystone_admin_api_vip', $controller_virtual_ip),
+      service_port    => $ports[keystone_admin_api_port],
+      ip_addresses    => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
+      server_names    => hiera('keystone_admin_api_node_names', $controller_hosts_names_real),
+      mode            => 'http',
+      listen_options  => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }),
+      service_network => $keystone_admin_network,
+      member_options  => union($haproxy_member_options, $internal_tls_member_options),
     }
   }
 
@@ -1071,6 +1035,7 @@ class tripleo::haproxy (
         'option'  => [ 'httpchk', ],
       },
       service_network => $nova_metadata_network,
+      member_options  => union($haproxy_member_options, $internal_tls_member_options),
     }
   }
 
@@ -1274,18 +1239,17 @@ class tripleo::haproxy (
   }
 
   if $horizon {
-    haproxy::listen { 'horizon':
-      bind             => $horizon_bind_opts,
-      options          => $horizon_options,
-      mode             => 'http',
-      collect_exported => false,
-    }
-    haproxy::balancermember { 'horizon':
-      listening_service => 'horizon',
-      ports             => '80',
-      ipaddresses       => hiera('horizon_node_ips', $controller_hosts_real),
-      server_names      => hiera('horizon_node_names', $controller_hosts_names_real),
-      options           => union($haproxy_member_options, ["cookie ${::hostname}"]),
+    class { '::tripleo::haproxy::horizon_endpoint':
+      public_virtual_ip           => $public_virtual_ip,
+      internal_ip                 => hiera('horizon_vip', $controller_virtual_ip),
+      haproxy_listen_bind_param   => $haproxy_listen_bind_param,
+      ip_addresses                => hiera('horizon_node_ips', $controller_hosts_real),
+      server_names                => hiera('horizon_node_names', $controller_hosts_names_real),
+      member_options              => union($haproxy_member_options, $internal_tls_member_options),
+      public_certificate          => $service_certificate,
+      use_internal_certificates   => $use_internal_certificates,
+      internal_certificates_specs => $internal_certificates_specs,
+      service_network             => $horizon_network,
     }
   }