From 5222b8d920d5b5b2e87004c10808b6bea597720a Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Tue, 15 Aug 2017 19:02:42 +0300
Subject: Remove extra keystone admin haproxy listen and allow TLS
The current code exposes an unused public listen directive in HAProxy for the keystone admin endpoint. This is not ideal and should be removed, as it exposes the service unnecessarily. We should stick to just exposing it to the ctlplane network as is the default. If folks really need to expose it to the public network, they can do so by modifying the ServiceNetMap through t-h-t and setting the keystone admin endpoint's network to external. Now, for "single" or "internal" haproxy endpoints, this adds the ability to detect if they're using the external network, and thus use TLS on it. Which is something a deployer would want if they exposed the keystone admin endpoint in such a way.
Change-Id: I79563f62fd49a4f7654779157ebda3c239d6dd22
Closes-Bug: #1710909
Closes-Bug: #1639996
---
manifests/haproxy.pp | 20 ++++++++------------
manifests/haproxy/endpoint.pp | 25 +++++++++++++++++++------
2 files changed, 27 insertions(+), 18 deletions(-)
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index a3d088a..0933831 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -520,7 +520,6 @@
 # 'ironic_inspector_port' (Defaults to 5050)
 # 'ironic_inspector_ssl_port' (Defaults to 13050)
 # 'keystone_admin_api_port' (Defaults to 35357)
-# 'keystone_admin_api_ssl_port' (Defaults to 13357)
 # 'keystone_public_api_port' (Defaults to 5000)
 # 'keystone_public_api_ssl_port' (Defaults to 13000)
 # 'manila_api_port' (Defaults to 8786)
@@ -708,7 +707,6 @@ class tripleo::haproxy (
 ironic_inspector_port => 5050,
 ironic_inspector_ssl_port => 13050,
 keystone_admin_api_port => 35357,
- keystone_admin_api_ssl_port => 13357,
 keystone_public_api_port => 5000,
 keystone_public_api_ssl_port => 13000,
 manila_api_port => 8786,
@@ -894,16 +892,14 @@ class tripleo::haproxy (
 if $keystone_admin {
 ::tripleo::haproxy::endpoint { 'keystone_admin':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip),
- service_port => $ports[keystone_admin_api_port],
- ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
- server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real),
- mode => 'http',
- listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }),
- public_ssl_port => $ports[keystone_admin_api_ssl_port],
- service_network => $keystone_admin_network,
- member_options => union($haproxy_member_options, $internal_tls_member_options),
+ internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip),
+ service_port => $ports[keystone_admin_api_port],
+ ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
+ server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real),
+ mode => 'http',
+ listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }),
+ service_network => $keystone_admin_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
 }
 }
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
index 9139061..3bde942 100644
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@@ -139,15 +139,28 @@ define tripleo::haproxy::endpoint (
 if !$service_network {
 fail("The service_network for this service is undefined. Can't configure TLS for the internal network.")
 }
- # NOTE(jaosorior): The key of the internal_certificates_specs hash must
- # must match the convention haproxy- or else this
- # will fail. Futherly, it must contain the path that we'll use under
- # 'service_pem'.
- $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem']
+
+ if $service_network == 'external' and $public_certificate {
+ # NOTE(jaosorior): This service has been configured to use the external
+ # network. We should use the public certificate in this case.
+ $internal_cert_path = $public_certificate
+ } else {
+ # NOTE(jaosorior): This service is configured for the internal network.
+ # We use the certificate spec hash. The key of the
+ # internal_certificates_specs hash must must match the convention
+ # haproxy- or else this will fail. Futherly, it must
+ # contain the path that we'll use under 'service_pem'.
+ $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem']
+ }
 $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path]))
 } else {
- $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param)
+ if $service_network == 'external' and $public_certificate {
+ $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
+ } else {
+ $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param)
+ }
 }
 $bind_opts = merge($internal_bind_opts, $public_bind_opts)
--
cgit 1.2.3-korg
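Review bot: The test `$service_network == 'external' and $public_certificate` is written twice, once in each TLS branch of this hunk, and in the first branch its result is stored in a variable still named `$internal_cert_path` even though it now holds the public certificate; evaluating it once as `$use_public_cert = $service_network == 'external' and $public_certificate` ahead of the outer `if` (which begins above this hunk) and writing `if $use_public_cert {` in both places keeps the two branches from drifting, and `$cert_path` would describe the value honestly. In the non-internal-TLS branch an `external` endpoint with no `$public_certificate` set still gets a bind without `ssl`, as it did before this change; a comment such as `# No public certificate available: plaintext bind, as for any other network` above that inner `else` would make the fallback visibly deliberate for whoever audits the exposed listener. The rewritten NOTE comment also carries forward `must must` and `Futherly`, which could be fixed while the lines are being touched. The enclosing `define tripleo::haproxy::endpoint` starts before this hunk and the resource that consumes `$bind_opts` continues after it.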