From 75df3dab1231c8a1083a32b30b0c1817da07e785 Mon Sep 17 00:00:00 2001 From: Boris Bobrov Date: Thu, 9 Jan 2020 19:55:22 +0100 Subject: [PATCH 1/2] Terminate nova ssl on haproxy (bsc#1149535) If ssl is passed-thru on haproxy, the source ip gets replaced with the one of the node where haproxy lives, and there is no way to get the original ip on the services side. Add ssl termination on haproxy. Two new hidden options are added: loadbalancer_terminate_ssl (boolean) and pemfile (path to the certificate to use in haproxy-recognized format). (cherry picked from commit 94fc788d401633f766474137e9493cb310e53c5d) --- chef/cookbooks/nova/attributes/default.rb | 6 ++++++ chef/cookbooks/nova/recipes/controller_ha.rb | 2 ++ .../migrate/nova/214_add_haproxy_mode_http.rb | 12 ++++++++++++ chef/data_bags/crowbar/template-nova.json | 6 ++++-- chef/data_bags/crowbar/template-nova.schema | 4 +++- 5 files changed, 27 insertions(+), 3 deletions(-) create mode 100644 chef/data_bags/crowbar/migrate/nova/214_add_haproxy_mode_http.rb diff --git a/chef/cookbooks/nova/attributes/default.rb b/chef/cookbooks/nova/attributes/default.rb index dce35e3481..4deb763452 100644 --- a/chef/cookbooks/nova/attributes/default.rb +++ b/chef/cookbooks/nova/attributes/default.rb @@ -183,3 +183,9 @@ # metadata/vendordata # default[:nova][:metadata][:vendordata][:json] = "{}" + +# +# SSL settings +# +default[:nova][:ssl][:loadbalancer_terminate_ssl] = false +default[:nova][:ssl][:pemfile] = "/etc/ssl/private/nova.pem" diff --git a/chef/cookbooks/nova/recipes/controller_ha.rb b/chef/cookbooks/nova/recipes/controller_ha.rb index 76b551a2ee..83773f0802 100644 --- a/chef/cookbooks/nova/recipes/controller_ha.rb +++ b/chef/cookbooks/nova/recipes/controller_ha.rb 
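Review bot: The new `# SSL settings` block says nothing about what `pemfile` must contain or who provisions it, yet the recipe hands the path straight to haproxy and nothing in this series creates or validates the file, so a wrong path only shows up when haproxy reloads. Suggest replacing the bare header with `# SSL termination on haproxy: pemfile must hold the server certificate (plus chain) and its private key in one PEM file; it is not generated by this cookbook and must be readable only by haproxy.` The second patch adds the same undocumented block to `chef/cookbooks/cinder/attributes/default.rb`.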
@@ -28,6 +28,8 @@ address "0.0.0.0" port node[:nova][:ports][:api] use_ssl node[:nova][:ssl][:enabled] + terminate_ssl node[:nova][:ssl][:loadbalancer_terminate_ssl] + pemfile node[:nova][:ssl][:pemfile] servers CrowbarPacemakerHelper.haproxy_servers_for_service(node, "nova", "nova-controller", "api") rate_limit node[:nova][:ha_rate_limit]["nova-api"] action :nothing diff --git a/chef/data_bags/crowbar/migrate/nova/214_add_haproxy_mode_http.rb b/chef/data_bags/crowbar/migrate/nova/214_add_haproxy_mode_http.rb new file mode 100644 index 0000000000..4ea89933e1 --- /dev/null +++ b/chef/data_bags/crowbar/migrate/nova/214_add_haproxy_mode_http.rb @@ -0,0 +1,12 @@ +def upgrade(template_attrs, template_deployment, attrs, deployment) + key = "loadbalancer_terminate_ssl" + template_value = template_attrs["nova"]["ssl"][key] + attrs["nova"]["ssl"][key] = template_value unless attrs["nova"]["ssl"].key? key + return attrs, deployment +end + +def downgrade(template_attrs, template_deployment, attrs, deployment) + key = "loadbalancer_terminate_ssl" + attrs["nova"]["ssl"].delete(key) unless template_attrs["nova"]["ssl"].key? key + return attrs, deployment +end diff --git a/chef/data_bags/crowbar/template-nova.json b/chef/data_bags/crowbar/template-nova.json index 8b150fe4a6..01ff6c967a 100644 --- a/chef/data_bags/crowbar/template-nova.json +++ b/chef/data_bags/crowbar/template-nova.json @@ -116,7 +116,9 @@ "generate_certs": false, "insecure": false, "cert_required": false, - "ca_certs": "/etc/nova/ssl/certs/ca.pem" + "ca_certs": "/etc/nova/ssl/certs/ca.pem", + "loadbalancer_terminate_ssl": false, + "pemfile": "/etc/ssl/private/nova.pem" }, "novnc": { "ssl": { @@ -182,7 +184,7 @@ "nova": { "crowbar-revision": 0, "crowbar-applied": false, - "schema-revision": 213, + "schema-revision": 214, "element_states": { "nova-controller": [ "readying", "ready", "applying" ], "nova-compute-ironic": [ "readying", "ready", "applying" ], 
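Review bot: `terminate_ssl` is passed from `node[:nova][:ssl][:loadbalancer_terminate_ssl]` regardless of `use_ssl`, so a proposal with termination on and `node[:nova][:ssl][:enabled]` off asks haproxy to terminate TLS on a plain frontend; how the `haproxy_loadbalancer` resource handles that combination is not visible here. If the resource does not guard it, `terminate_ssl node[:nova][:ssl][:enabled] && node[:nova][:ssl][:loadbalancer_terminate_ssl]` keeps the two attributes consistent. The commit message's goal of preserving the client source IP also depends on the resource forwarding the address to the backend, which nothing in this hunk shows. The enclosing `haproxy_loadbalancer` block appears to start and end outside the hunk; the cinder recipe hunk in the second patch has the same shape.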
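Review bot: `upgrade` seeds only `loadbalancer_terminate_ssl` into existing proposals, but the schema in this same patch marks `pemfile` as `"required": true`, so an upgraded proposal would lack a required key unless proposals are merged with the template somewhere not shown here. Both functions should treat the two keys together; `downgrade` likewise removes only one of them. The cinder migration `210_add_haproxy_mode_http.rb` in the second patch has the same gap, and both file names say `mode_http` although the migrations only add the ssl keys.
```ruby
def upgrade(template_attrs, template_deployment, attrs, deployment)
  %w[loadbalancer_terminate_ssl pemfile].each do |key|
    next if attrs["nova"]["ssl"].key? key
    attrs["nova"]["ssl"][key] = template_attrs["nova"]["ssl"][key]
  end
  return attrs, deployment
end

def downgrade(template_attrs, template_deployment, attrs, deployment)
  %w[loadbalancer_terminate_ssl pemfile].each do |key|
    attrs["nova"]["ssl"].delete(key) unless template_attrs["nova"]["ssl"].key? key
  end
  return attrs, deployment
end
```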
diff --git a/chef/data_bags/crowbar/template-nova.schema b/chef/data_bags/crowbar/template-nova.schema index 8478958a5b..8d0e22cb33 100644 --- a/chef/data_bags/crowbar/template-nova.schema +++ b/chef/data_bags/crowbar/template-nova.schema @@ -178,7 +178,9 @@ "generate_certs": { "type" : "bool", "required" : true }, "insecure": { "type" : "bool", "required" : true }, "cert_required": { "type" : "bool", "required" : true }, - "ca_certs": { "type" : "str", "required" : true } + "ca_certs": { "type" : "str", "required" : true }, + "loadbalancer_terminate_ssl": { "type" : "bool", "required": true}, + "pemfile": { "type" : "str", "required": true} } }, "novnc": { From fd1427aa258e8a18167c869b9251d45b7b867987 Mon Sep 17 00:00:00 2001 From: Boris Bobrov Date: Mon, 27 Jan 2020 18:27:32 +0100 Subject: [PATCH 2/2] Terminate ssl on haproxy for cinder (bsc#1149535) If ssl is passed-thru on haproxy, the source ip gets replaced with the one of the node where haproxy lives, and there is no way to get the original ip on the services side. Add ssl termination on haproxy. Two new hidden options are added: loadbalancer_terminate_ssl (boolean) and pemfile (path to the certificate to use in haproxy-recognized format). This patch adds support for cinder. (cherry picked from commit 44e0f6a88c7d68e9ecbf7c35270db3ee3d83c6fb) --- chef/cookbooks/cinder/attributes/default.rb | 6 ++++++ chef/cookbooks/cinder/recipes/controller_ha.rb | 2 ++ .../migrate/cinder/210_add_haproxy_mode_http.rb | 12 ++++++++++++ chef/data_bags/crowbar/template-cinder.json | 6 ++++-- chef/data_bags/crowbar/template-cinder.schema | 4 +++- 5 files changed, 27 insertions(+), 3 deletions(-) create mode 100644 chef/data_bags/crowbar/migrate/cinder/210_add_haproxy_mode_http.rb diff --git a/chef/cookbooks/cinder/attributes/default.rb b/chef/cookbooks/cinder/attributes/default.rb index 92d31d6951..8e2e112cd3 100644 --- a/chef/cookbooks/cinder/attributes/default.rb +++ b/chef/cookbooks/cinder/attributes/default.rb 
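Review bot: The two new schema entries are written as `"required": true}` while every neighbouring entry in the hunk uses `"required" : true }`; keep the file's spacing, i.e. `"loadbalancer_terminate_ssl": { "type" : "bool", "required" : true },` and `"pemfile": { "type" : "str", "required" : true }`. The cinder schema hunk in the second patch (`template-cinder.schema`) has the same inconsistency.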
@@ -54,3 +54,9 @@ default[:cinder][:ha][:op][:monitor][:interval] = "10s" # Ports to bind to when haproxy is used for the real ports default[:cinder][:ha][:ports][:api] = 5520 + +# +# SSL settings +# +default[:cinder][:ssl][:loadbalancer_terminate_ssl] = false +default[:cinder][:ssl][:pemfile] = "/etc/ssl/private/cinder.pem" diff --git a/chef/cookbooks/cinder/recipes/controller_ha.rb b/chef/cookbooks/cinder/recipes/controller_ha.rb index a4b2390839..bff42d2e62 100644 --- a/chef/cookbooks/cinder/recipes/controller_ha.rb +++ b/chef/cookbooks/cinder/recipes/controller_ha.rb @@ -28,6 +28,8 @@ address node[:cinder][:api][:bind_open_address] ? "0.0.0.0" : cluster_admin_ip port node[:cinder][:api][:bind_port] use_ssl (node[:cinder][:api][:protocol] == "https") + terminate_ssl node[:cinder][:ssl][:loadbalancer_terminate_ssl] + pemfile node[:cinder][:ssl][:pemfile] servers CrowbarPacemakerHelper.haproxy_servers_for_service(node, "cinder", "cinder-controller", "api") rate_limit node[:cinder][:ha_rate_limit]["cinder-api"] action :nothing diff --git a/chef/data_bags/crowbar/migrate/cinder/210_add_haproxy_mode_http.rb b/chef/data_bags/crowbar/migrate/cinder/210_add_haproxy_mode_http.rb new file mode 100644 index 0000000000..08254d0e07 --- /dev/null +++ b/chef/data_bags/crowbar/migrate/cinder/210_add_haproxy_mode_http.rb @@ -0,0 +1,12 @@ +def upgrade(template_attrs, template_deployment, attrs, deployment) + key = "loadbalancer_terminate_ssl" + template_value = template_attrs["cinder"]["ssl"][key] + attrs["cinder"]["ssl"][key] = template_value unless attrs["cinder"]["ssl"].key? key + return attrs, deployment +end + +def downgrade(template_attrs, template_deployment, attrs, deployment) + key = "loadbalancer_terminate_ssl" + attrs["cinder"]["ssl"].delete(key) unless template_attrs["cinder"]["ssl"].key? key + return attrs, deployment +end diff --git a/chef/data_bags/crowbar/template-cinder.json b/chef/data_bags/crowbar/template-cinder.json index c3653aa891..e2f01b2883 100644 
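Review bot: In the cinder recipe the decision to speak TLS comes from `node[:cinder][:api][:protocol] == "https"` while the new termination switch and pemfile come from `node[:cinder][:ssl]`, so an operator must keep two attribute subtrees in step, whereas the nova recipe reads both from `node[:nova][:ssl]`. Either derive the switch from the same source, e.g. `terminate_ssl node[:cinder][:api][:protocol] == "https" && node[:cinder][:ssl][:loadbalancer_terminate_ssl]`, or state in the cinder attributes file that `loadbalancer_terminate_ssl` is only honoured when the API protocol is https. The `haproxy_loadbalancer` block appears to start and end outside the hunk.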
--- a/chef/data_bags/crowbar/template-cinder.json +++ b/chef/data_bags/crowbar/template-cinder.json @@ -156,7 +156,9 @@ "generate_certs": false, "insecure": false, "cert_required": false, - "ca_certs": "/etc/cinder/ssl/certs/ca.pem" + "ca_certs": "/etc/cinder/ssl/certs/ca.pem", + "loadbalancer_terminate_ssl": false, + "pemfile": "/etc/ssl/private/cinder.pem" }, "db": { "password": "", @@ -183,7 +185,7 @@ "cinder": { "crowbar-revision": 0, "crowbar-applied": false, - "schema-revision": 209, + "schema-revision": 210, "element_states": { "cinder-controller": [ "readying", "ready", "applying" ], "cinder-volume": [ "readying", "ready", "applying" ] diff --git a/chef/data_bags/crowbar/template-cinder.schema b/chef/data_bags/crowbar/template-cinder.schema index 0c7804509c..58ef0e1ab7 100644 --- a/chef/data_bags/crowbar/template-cinder.schema +++ b/chef/data_bags/crowbar/template-cinder.schema @@ -332,7 +332,9 @@ "generate_certs": { "type" : "bool", "required" : true }, "insecure": { "type" : "bool", "required" : true }, "cert_required": { "type" : "bool", "required" : true }, - "ca_certs": { "type" : "str", "required" : true } + "ca_certs": { "type" : "str", "required" : true }, + "loadbalancer_terminate_ssl": { "type" : "bool", "required": true}, + "pemfile": { "type" : "str", "required": true} }}, "db": { "type": "map",