From 33ee3fcb17a3d55cca0fa64916be19cb61e4c26f Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Fri, 12 Aug 2022 10:54:54 +0200
Subject: [PATCH] Fix keystone_secure_proxy_ssl_header logic
Previous commit [1] introduced logic that breaks proper service discovery. Now we're fixing logic, following next rules/assumptiuons:
+----------+---------+---------------+
| HAProxy | Apache | RequestHeader |
+----------+---------+-- ------------+
| non-SSL | non-SSL | http |
| non-SSL | SSL | http |
| SSL | SSL | https |
| SSL | non-SSL | https |
+----------+---------+---------------+
[1] https://opendev.org/openstack/openstack-ansible-os_keystone/commit/6fae2bdade459c85dba55aae64c9f6f4e485a782
Change-Id: Ibf7759eea63b7150aeae655c10eccc69cd3417ea
---
 templates/keystone-httpd.conf.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2
index b19b9844..b55485c0 100644
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@@ -20,9 +20,9 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
 {% endif -%}
 Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"
- {% if (keystone_ssl | bool) and (keystone_external_ssl | bool) %}
+ {% if (keystone_external_ssl | bool) %}
 RequestHeader set {{ keystone_secure_proxy_ssl_header }} "https"
- {% elif not (keystone_ssl | bool) and (keystone_external_ssl | bool) %}
+ {% else %}
 RequestHeader set {{ keystone_secure_proxy_ssl_header }} "http"
 {% endif %}
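Review bot: The `{% if (keystone_external_ssl | bool) %}` / `{% else %}` pair now stamps the scheme header on every request from static configuration alone, and nothing in the template explains why `keystone_ssl` no longer takes part. The rule table exists only in the commit message, so a short Jinja comment above the conditional would help, for example `{# Scheme is what clients see at HAProxy, not Apache's own TLS state; "set" overwrites any client-supplied value #}`. Because the value does not come from the actual connection, a request that reaches Apache without passing through HAProxy gets the same label. The change therefore presumably relies on the backend port being reachable only from the load balancer, which is worth stating where `keystone_external_ssl` is documented. The enclosing block starts outside the hunk, so its other directives are not visible here.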