}
if $keystone_public {
- if $service_certificate {
- $keystone_public_tls_listen_opts = {
- 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
- # NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
- 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
- 'option' => 'forwardfor',
- }
- } else {
- $keystone_public_tls_listen_opts = {
- 'option' => [ 'httpchk GET /v3', ],
- }
+ $keystone_listen_opts = {
+ 'option' => [ 'httpchk GET /v3', ],
}
::tripleo::haproxy::endpoint { 'keystone_public':
public_virtual_ip => $public_virtual_ip,
ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => merge($default_listen_options, $keystone_public_tls_listen_opts),
+ listen_options => merge($default_listen_options, $keystone_listen_opts),
public_ssl_port => $ports[keystone_public_api_ssl_port],
service_network => $keystone_public_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
# service exposed to the public network
if $public_certificate {
+ if $mode == 'http' {
+ $tls_listen_options = {
+ 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
+ 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
+ 'option' => 'forwardfor',
+ }
+ $listen_options_real = merge($tls_listen_options, $listen_options)
+ } else {
+ $listen_options_real = $listen_options
+ }
$public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${public_ssl_port}"),
union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
} else {
+ $listen_options_real = $listen_options
$public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${service_port}"), $haproxy_listen_bind_param)
}
} else {
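Review bot: In `$listen_options_real = merge($tls_listen_options, $listen_options)` the caller's hash is the right-hand argument, and stdlib `merge` lets the rightmost hash win on duplicate keys, so a caller that passes its own `option` key replaces `'option' => 'forwardfor'` rather than adding to it. The keystone_public endpoint in this same change passes `'option' => [ 'httpchk GET /v3', ]` with `mode => 'http'`, so on the TLS path it appears to lose `forwardfor` and the backends would log the proxy address instead of the client address; a caller-supplied `redirect` or `rsprep` would displace the HTTPS redirect in the same way. If that precedence is intended, state it above the merge, for example `# caller-supplied listen_options override the TLS defaults key by key ('option' is replaced, not appended)`; otherwise combine the two `option` values before merging. Separately, the `redirect` rule interpolates `${public_virtual_ip}` directly while the bind line wraps the same variable in `any2array()`, so the ACL should be checked for the case where the value is a list. The enclosing conditional opens above the hunk, so the non-public branch is not visible here.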
bind => $bind_opts,
collect_exported => false,
mode => $mode,
- options => $listen_options,
+ options => $listen_options_real,
}
haproxy::balancermember { "${name}":
listening_service => $name,