From 2d0f483c843d7bd0db8eb7dc5f2f169714c73169 Mon Sep 17 00:00:00 2001
From: Gaudenz Steinlin
Date: Mon, 5 Mar 2018 18:49:47 +0100
Subject: [PATCH] Options to enable SSL for backend connections

Currently backend connections are always unencrypted. This adds optional parameters to configure backend connections with SSL. This is useful for extra services wich require SSL or to have backend connections to OpenStack services encrypted in the future.

Change-Id: I6a032962ae987bb1cbc4982fb6ddbd06f8e53936
---
doc/source/configure-haproxy.rst | 5 +++++
templates/service.j2 | 18 ++++++++++++++++++
tests/test-vars.yml | 9 +++++++++
3 files changed, 32 insertions(+)

diff --git a/doc/source/configure-haproxy.rst b/doc/source/configure-haproxy.rst
index fbc84f9..2d4ce93 100644
--- a/doc/source/configure-haproxy.rst
+++ b/doc/source/configure-haproxy.rst
@@ -166,6 +166,11 @@ An example HTTP service could look like:
 haproxy_ssl: "{{ haproxy_ssl }}"
 haproxy_port: 10000
 haproxy_balance_type: http
+ # If backend connections should be secured with SSL (default False)
+ haproxy_backend_ssl: True
+ haproxy_backend_ca: /path/to/ca/cert.pem
+ # Or if certificate validation should be disabled
+ # haproxy_backend_ca: False
 Additionally, you can specify haproxy services that are not managed in the Ansible inventory by manually specifying their hostnames/IP Addresses:
diff --git a/templates/service.j2 b/templates/service.j2
index 243a635..1af3c58 100644
--- a/templates/service.j2
+++ b/templates/service.j2
@@ -115,6 +115,15 @@ backend {{ item.service.haproxy_service_name }}-back
 {% set _ = entry.append(item.service.haproxy_backend_nodes | count | string) %}
 {% set _ = entry.append("fall") %}
 {% set _ = entry.append(item.service.haproxy_backend_nodes | count | string) %}
+{% if item.service.haproxy_backend_ssl | default(False) %}
+{% set _ = entry.append("ssl") %}
+{% if item.service.haproxy_backend_ca %}
+{% set _ = entry.append("ca-file") %}
+{% set _ = entry.append(item.service.haproxy_backend_ca) %}
+{% else %}
+{% set _ = entry.append("verify none") %}
+{% endif %}
+{% endif %}
 {{ entry | join(' ') }}
 {% endfor %}
@@ -136,5 +145,14 @@ backend {{ item.service.haproxy_service_name }}-back
 {% set _ = entry.append("fall") %}
 {% set _ = entry.append(item.service.haproxy_backup_nodes | count | string) %}
 {% set _ = entry.append("backup") %}
+{% if item.service.haproxy_backend_ssl | default(False) %}
+{% set _ = entry.append("ssl") %}
+{% if item.service.haproxy_backend_ca %}
+{% set _ = entry.append("ca-file") %}
+{% set _ = entry.append(item.service.haproxy_backend_ca) %}
+{% else %}
+{% set _ = entry.append("verify none") %}
+{% endif %}
+{% endif %}
 {{ entry | join(' ') }}
 {% endfor %}
diff --git a/tests/test-vars.yml b/tests/test-vars.yml
index e22fb46..bf929b0 100644
--- a/tests/test-vars.yml
+++ b/tests/test-vars.yml
@@ -22,3 +22,12 @@ haproxy_service_configs:
 haproxy_balance_type: tcp
 haproxy_backend_options:
 - tcp-check
+ - service:
+ haproxy_service_name: test_backend_ssl
+ haproxy_backend_nodes: "{{ groups['haproxy_all'] | default([]) }}"
+ haproxy_port: 8180
+ haproxy_backend_port: 443
+ haproxy_backend_ssl: True
+ haproxy_backend_ca: False
+ haproxy_ssl: False
+ haproxy_balance_type: http
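Review bot: In the new `{% if item.service.haproxy_backend_ca %}` branch, any falsy value — including the key simply being left out of a service definition — falls through to `verify none`, so forgetting the CA path silently disables certificate validation instead of failing (depending on how Ansible's undefined handling treats the missing attribute it may raise instead, but either way the insecure path is the implicit one). I would make `verify none` require an explicit `haproxy_backend_ca: False`, emit `verify required` next to `ca-file` so the outcome does not depend on the global `ssl-server-verify` setting, and emit only `ssl` when the key is absent, which in my reading of HAProxy's server options makes the configuration check fail for lack of a CA file rather than trust any certificate. Note also that `ca-file` validates the chain but not the certificate's subject, so an optional `verifyhost`/`sni` parameter is worth a follow-up. The enclosing `{% for %}` over `haproxy_backend_nodes` starts outside the hunk.

```jinja
{% if item.service.haproxy_backend_ssl | default(False) %}
{% set _ = entry.append("ssl") %}
{% if item.service.haproxy_backend_ca | default(False) %}
{% set _ = entry.append("ca-file") %}
{% set _ = entry.append(item.service.haproxy_backend_ca) %}
{% set _ = entry.append("verify required") %}
{% elif item.service.haproxy_backend_ca is defined %}
{# CA explicitly set to False: the operator opted out of verification #}
{% set _ = entry.append("verify none") %}
{% endif %}
{# key absent: plain "ssl" leaves HAProxy's default server verification in force #}
{% endif %}
```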
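Review bot: The nine lines added to the backup-nodes loop are a verbatim copy of the block added to the backend-nodes loop in the previous hunk, so any later change to the SSL/verify logic has to be made twice and the two server lines can drift apart. I would define the emission once as a macro near the top of the template and call it from both loops with `{% set _ = backend_ssl_options(item.service, entry) %}`; `entry` is a list, so `append` inside the macro mutates the caller's list, and assigning the call's (empty) output to `_` keeps it out of the rendered config. The enclosing `{% for %}` over `haproxy_backup_nodes` starts outside the hunk.

```jinja
{# Defined once above the backend loops: append the per-server SSL options to entry. #}
{% macro backend_ssl_options(service, entry) %}
{% if service.haproxy_backend_ssl | default(False) %}
{% set _ = entry.append("ssl") %}
{% if service.haproxy_backend_ca %}
{% set _ = entry.append("ca-file") %}
{% set _ = entry.append(service.haproxy_backend_ca) %}
{% else %}
{% set _ = entry.append("verify none") %}
{% endif %}
{% endif %}
{% endmacro %}
{# … unchanged: backup node loop up to the "backup" keyword … #}
{% set _ = backend_ssl_options(item.service, entry) %}
{{ entry | join(' ') }}
```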
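Review bot: The new `test_backend_ssl` service sets `haproxy_backend_ca: False`, so the test renders only the `verify none` path and never exercises the `ca-file` branch that operators are expected to use. I would add a second entry differing only in `haproxy_service_name: test_backend_ssl_ca` and `haproxy_backend_ca: /etc/ssl/certs/ca-certificates.crt` (or whichever CA bundle the test host provides, since HAProxy's configuration check needs the file to exist — the test platform is not visible here). While at it, the three new booleans would be better written as `true`/`false`, matching yamllint's default `truthy` rule.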