From f4083979a392013f560c8f8dfbb44317f217f1da Mon Sep 17 00:00:00 2001
From: Kevin Carter
Date: Sun, 7 Feb 2016 14:38:30 -0600
Subject: [PATCH] Enable SSL termination for all services

This change makes it so that all services are expecting SSL termination at the load balancer by default. This is more indicative of how a real world deployment will be setup and is being added such that we can test a more production like deployment system by default. The AIO will now terminate SSL in HAProxy using a self-signed cert.

Change-Id: I913b4140e258b56d56f5323d55fd633288b3ef6a
Re-Implementation-Of: https://review.openstack.org/#/c/277199/9
Signed-off-by: Kevin Carter
---
 defaults/main.yml | 4 ++++
 templates/nova.conf.j2 | 5 +++++
 2 files changed, 9 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index 1e1c609c..247c97cc 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -164,6 +164,10 @@ nova_console_ssl_dir: "/etc/nova/ssl"
 nova_console_ssl_cert: "{{ nova_console_ssl_dir }}/nova-console.pem"
 nova_console_ssl_key: "{{ nova_console_ssl_dir }}/nova-console.key"
 
+# External SSL forwarding proto
+nova_ssl_external: true
+nova_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO
+
 ## Nova global config
 nova_cpu_mode: host-model
 nova_linuxnet_interface_driver: nova.network.linux_net.NeutronLinuxBridgeInterfaceDriver
diff --git a/templates/nova.conf.j2 b/templates/nova.conf.j2
index 2c558667..d083117a 100644
--- a/templates/nova.conf.j2
+++ b/templates/nova.conf.j2
@@ -13,6 +13,10 @@ state_path = {{ nova_system_home_folder }}
 rootwrap_config = /etc/nova/rootwrap.conf
 service_down_time = 120
 
+{% if nova_ssl_external | bool %}
+secure_proxy_ssl_header = {{ nova_secure_proxy_ssl_header }}
+{% endif %}
+
 # Quota
 quota_cores = {{ nova_quota_cores }}
 quota_fixed_ips = {{ nova_quota_fixed_ips }}
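Review bot: The new `nova_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO` default is documented only as `# External SSL forwarding proto`, which does not say what trusting that header implies; the same gap applies to the `secure_proxy_ssl_header = {{ nova_secure_proxy_ssl_header }}` line in the templates/nova.conf.j2 hunk. Once nova-api derives the request scheme from this header, any client that can reach the API without passing through HAProxy can supply the header itself, so the setting is only sound when the proxy is the sole path to the service and overwrites any client-supplied value. I would replace the comment with `# When nova_ssl_external is true, nova-api trusts the WSGI header named below (set by the SSL-terminating load balancer) as the original request scheme; keep this enabled only where the API is reachable solely through the proxy.` Whether the AIO's HAProxy configuration strips a client-supplied X-Forwarded-Proto is not visible in this change, so that should be confirmed in the haproxy role before relying on the new default.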
@@ -172,6 +176,7 @@ user_domain_name = {{ neutron_service_domain_name |default("Default") }} project_domain_name = {{ neutron_service_domain_name |default("Default") }} # Keystone client plugin authentication URL option auth_url = {{ keystone_service_adminurl }} +insecure = {{ keystone_service_adminuri_insecure | bool }} metadata_proxy_shared_secret = {{ nova_metadata_proxy_secret }} service_metadata_proxy = {{ nova_metadata_proxy_enabled }}