From fd1427aa258e8a18167c869b9251d45b7b867987 Mon Sep 17 00:00:00 2001
From: Boris Bobrov
Date: Mon, 27 Jan 2020 18:27:32 +0100
Subject: [PATCH] Terminate ssl on haproxy for cinder (bsc#1149535)

If ssl is passed-thru on haproxy, the source ip gets replaced with the one of the node where haproxy lives, and there is no way to get the original ip on the services side.

Add ssl termination on haproxy. Two new hidden options are added: loadbalancer_terminate_ssl (boolean) and pemfile (path to the certificate to use in haproxy-recognized format).

This patch adds support for cinder.

(cherry picked from commit 44e0f6a88c7d68e9ecbf7c35270db3ee3d83c6fb)
---
 chef/cookbooks/cinder/attributes/default.rb | 6 ++++++
 chef/cookbooks/cinder/recipes/controller_ha.rb | 2 ++
 .../migrate/cinder/210_add_haproxy_mode_http.rb | 12 ++++++++++++
 chef/data_bags/crowbar/template-cinder.json | 6 ++++--
 chef/data_bags/crowbar/template-cinder.schema | 4 +++-
 5 files changed, 27 insertions(+), 3 deletions(-)
 create mode 100644 chef/data_bags/crowbar/migrate/cinder/210_add_haproxy_mode_http.rb

diff --git a/chef/cookbooks/cinder/attributes/default.rb b/chef/cookbooks/cinder/attributes/default.rb
index 92d31d6951..8e2e112cd3 100644
--- a/chef/cookbooks/cinder/attributes/default.rb
+++ b/chef/cookbooks/cinder/attributes/default.rb
@@ -54,3 +54,9 @@ default[:cinder][:ha][:op][:monitor][:interval] = "10s"
 # Ports to bind to when haproxy is used for the real ports
 default[:cinder][:ha][:ports][:api] = 5520
+
+#
+# SSL settings
+#
+default[:cinder][:ssl][:loadbalancer_terminate_ssl] = false
+default[:cinder][:ssl][:pemfile] = "/etc/ssl/private/cinder.pem"
diff --git a/chef/cookbooks/cinder/recipes/controller_ha.rb b/chef/cookbooks/cinder/recipes/controller_ha.rb
index a4b2390839..bff42d2e62 100644
--- a/chef/cookbooks/cinder/recipes/controller_ha.rb
+++ b/chef/cookbooks/cinder/recipes/controller_ha.rb
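Review bot: The new `pemfile` attribute in the default.rb hunk points at `/etc/ssl/private/cinder.pem` without saying what that file must contain or who provisions it, and nothing in this commit writes it. The commit message calls it "haproxy-recognized format", which as far as I recall means certificate, chain and private key concatenated into one PEM, so the file carries a private key and must be present and root-only on every node that can run haproxy; the attribute comment should state that rather than the bare "SSL settings" header. I would replace the header with `# Only used when loadbalancer_terminate_ssl is true: the PEM haproxy loads (cert, chain and key in one file),` followed by `# which must exist on every haproxy node and be readable by root only; nothing here generates it.`. Whether `generate_certs` is expected to produce this file cannot be told from the hunk and is worth spelling out either way.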
@@ -28,6 +28,8 @@
   address node[:cinder][:api][:bind_open_address] ? "0.0.0.0" : cluster_admin_ip
   port node[:cinder][:api][:bind_port]
   use_ssl (node[:cinder][:api][:protocol] == "https")
+  terminate_ssl node[:cinder][:ssl][:loadbalancer_terminate_ssl]
+  pemfile node[:cinder][:ssl][:pemfile]
   servers CrowbarPacemakerHelper.haproxy_servers_for_service(node, "cinder", "cinder-controller", "api")
   rate_limit node[:cinder][:ha_rate_limit]["cinder-api"]
   action :nothing
diff --git a/chef/data_bags/crowbar/migrate/cinder/210_add_haproxy_mode_http.rb b/chef/data_bags/crowbar/migrate/cinder/210_add_haproxy_mode_http.rb
new file mode 100644
index 0000000000..08254d0e07
--- /dev/null
+++ b/chef/data_bags/crowbar/migrate/cinder/210_add_haproxy_mode_http.rb
@@ -0,0 +1,12 @@
+def upgrade(template_attrs, template_deployment, attrs, deployment)
+  key = "loadbalancer_terminate_ssl"
+  template_value = template_attrs["cinder"]["ssl"][key]
+  attrs["cinder"]["ssl"][key] = template_value unless attrs["cinder"]["ssl"].key? key
+  return attrs, deployment
+end
+
+def downgrade(template_attrs, template_deployment, attrs, deployment)
+  key = "loadbalancer_terminate_ssl"
+  attrs["cinder"]["ssl"].delete(key) unless template_attrs["cinder"]["ssl"].key? key
+  return attrs, deployment
+end
diff --git a/chef/data_bags/crowbar/template-cinder.json b/chef/data_bags/crowbar/template-cinder.json
index c3653aa891..e2f01b2883 100644
--- a/chef/data_bags/crowbar/template-cinder.json
+++ b/chef/data_bags/crowbar/template-cinder.json
@@ -156,7 +156,9 @@
       "generate_certs": false,
       "insecure": false,
       "cert_required": false,
-      "ca_certs": "/etc/cinder/ssl/certs/ca.pem"
+      "ca_certs": "/etc/cinder/ssl/certs/ca.pem",
+      "loadbalancer_terminate_ssl": false,
+      "pemfile": "/etc/ssl/private/cinder.pem"
     },
     "db": {
       "password": "",
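Review bot: `terminate_ssl` is passed straight from the attribute with no relation to the `use_ssl` line just above it, so a proposal that sets `loadbalancer_terminate_ssl` while `api.protocol` is still `http` hands haproxy a termination flag and a PEM path for a listener that is not meant to speak TLS; tying them together with `terminate_ssl (node[:cinder][:api][:protocol] == "https") && node[:cinder][:ssl][:loadbalancer_terminate_ssl]` rules that out. Nothing here checks that the PEM exists on this node either, and a missing key file will presumably fail haproxy's config check and take the cinder VIP down, so a guard such as `raise "cinder: #{node[:cinder][:ssl][:pemfile]} missing but loadbalancer_terminate_ssl is set" if node[:cinder][:ssl][:loadbalancer_terminate_ssl] && !::File.exist?(node[:cinder][:ssl][:pemfile])` before the resource would surface it at chef-client time instead. Once haproxy terminates TLS, the hop from haproxy to the cinder-api backends is only as protected as whatever the `haproxy_loadbalancer` resource does with `servers` (its definition is not in view); a one-line comment saying whether that leg is plaintext on the admin network would save the next reader from guessing. The `haproxy_loadbalancer` block that these lines belong to starts before the hunk.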
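Review bot: `upgrade` only backfills `loadbalancer_terminate_ssl`, yet the schema hunk in the same commit marks `pemfile` as `required: true` as well, so an existing proposal migrated to revision 210 still has no `pemfile` key and would presumably be rejected by schema validation on its next save (the validator is not in view). Both keys should be copied from the template on upgrade and both dropped on downgrade, and `template_value` can go since the lookup reads fine inline. The file name `210_add_haproxy_mode_http.rb` also does not describe what the migration does; something like `210_add_haproxy_ssl_termination.rb` would match the attributes it touches.

```ruby
SSL_KEYS = %w[loadbalancer_terminate_ssl pemfile].freeze

def upgrade(template_attrs, template_deployment, attrs, deployment)
  SSL_KEYS.each do |key|
    next if attrs["cinder"]["ssl"].key?(key)
    attrs["cinder"]["ssl"][key] = template_attrs["cinder"]["ssl"][key]
  end
  return attrs, deployment
end

def downgrade(template_attrs, template_deployment, attrs, deployment)
  SSL_KEYS.each do |key|
    attrs["cinder"]["ssl"].delete(key) unless template_attrs["cinder"]["ssl"].key?(key)
  end
  return attrs, deployment
end
```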
@@ -183,7 +185,7 @@
   "cinder": {
     "crowbar-revision": 0,
     "crowbar-applied": false,
-    "schema-revision": 209,
+    "schema-revision": 210,
     "element_states": {
       "cinder-controller": [ "readying", "ready", "applying" ],
       "cinder-volume": [ "readying", "ready", "applying" ]
diff --git a/chef/data_bags/crowbar/template-cinder.schema b/chef/data_bags/crowbar/template-cinder.schema
index 0c7804509c..58ef0e1ab7 100644
--- a/chef/data_bags/crowbar/template-cinder.schema
+++ b/chef/data_bags/crowbar/template-cinder.schema
@@ -332,7 +332,9 @@
       "generate_certs": { "type" : "bool", "required" : true },
       "insecure": { "type" : "bool", "required" : true },
       "cert_required": { "type" : "bool", "required" : true },
-      "ca_certs": { "type" : "str", "required" : true }
+      "ca_certs": { "type" : "str", "required" : true },
+      "loadbalancer_terminate_ssl": { "type" : "bool", "required": true},
+      "pemfile": { "type" : "str", "required": true}
     }},
     "db": {
       "type": "map",
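Review bot: The two added schema entries are formatted differently from every neighbouring line: `"required": true}` instead of `"required" : true }`, which is the spacing the rest of this map uses; they should read `"loadbalancer_terminate_ssl": { "type" : "bool", "required" : true },` and `"pemfile": { "type" : "str", "required" : true }`. Making `pemfile` `required` is only safe if the revision-210 migration backfills it on existing proposals, which from the migration file in this commit appears not to be the case; either backfill it there or mark it `"required" : false` until it is.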