Enable SSL termination for all services

This change makes it so that all services are expecting SSL termination
at the load balancer by default. This is more indicative of how a real
world deployment will be setup and is being added such that we can test
a more production like deployment system by default.

The AIO will now terminate SSL in HAProxy using a self-signed cert.

Change-Id: I913b4140e258b56d56f5323d55fd633288b3ef6a
Re-Implementation-Of: https://review.openstack.org/#/c/277199/9
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

defaults/main.yml

@@ -164,6 +164,10 @@ nova_console_ssl_dir: "/etc/nova/ssl"
 nova_console_ssl_cert: "{{ nova_console_ssl_dir }}/nova-console.pem"
 nova_console_ssl_key: "{{ nova_console_ssl_dir }}/nova-console.key"
 
+# External SSL forwarding proto
+nova_ssl_external: true
+nova_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO
+
 ## Nova global config
 nova_cpu_mode: host-model
 nova_linuxnet_interface_driver: nova.network.linux_net.NeutronLinuxBridgeInterfaceDriver

templates/nova.conf.j2

@@ -13,6 +13,10 @@ state_path = {{ nova_system_home_folder }}
 rootwrap_config = /etc/nova/rootwrap.conf
 service_down_time = 120
 
+{% if nova_ssl_external | bool %}
+secure_proxy_ssl_header = {{ nova_secure_proxy_ssl_header }}
+{% endif %}
+
 # Quota
 quota_cores = {{ nova_quota_cores }}
 quota_fixed_ips = {{ nova_quota_fixed_ips }}
@@ -172,6 +176,7 @@ user_domain_name = {{ neutron_service_domain_name |default("Default") }}
 project_domain_name = {{ neutron_service_domain_name |default("Default") }}
 # Keystone client plugin authentication URL option
 auth_url = {{ keystone_service_adminurl }}
+insecure = {{ keystone_service_adminuri_insecure | bool }}
 metadata_proxy_shared_secret = {{ nova_metadata_proxy_secret }}
 service_metadata_proxy = {{ nova_metadata_proxy_enabled }}