From ac79ad02bb97c8306cd9f7f894bcc0eb8eb01144 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami <kajinamit@oss.nttdata.com>
Date: Thu, 22 Feb 2024 10:15:47 +0900
Subject: [PATCH] healthcheck: Add support for ignore_proxied_requests

The new ignore_proxied_requests option was added to the healthcheck
middleware which allows operators to prohibit access to healthcheck
information via load balancers. This introduces a new parameter which
corresponds to this option.

Depends-on: https://review.opendev.org/901215
Change-Id: Iaf9b40db938f998c20d6cea4b19cf09651c46bbf
---
 manifests/healthcheck.pp                      | 26 ++++++++++++-------
 ...ore_proxied_requests-1c64c62f261882c9.yaml |  4 +++
 spec/defines/oslo_healthcheck_spec.rb         | 13 ++++++----
 3 files changed, 28 insertions(+), 15 deletions(-)
 create mode 100644 releasenotes/notes/healthcheck-ignore_proxied_requests-1c64c62f261882c9.yaml

diff --git a/manifests/healthcheck.pp b/manifests/healthcheck.pp
index 704e9fe..912ec86 100644
--- a/manifests/healthcheck.pp
+++ b/manifests/healthcheck.pp
@@ -18,6 +18,10 @@
 #   healthcheck information.
 #   Defaults to $facts['os_service_default']
 #
+# [*ignore_proxied_requests*]
+#   (Optional) Ignore requests with proxy headers
+#   Defaults to $facts['os_service_default']
+#
 # [*disable_by_file_path*]
 #   (Optional) Check the presence of a file to determine if an application
 #   is running on a port.
@@ -29,11 +33,12 @@
 #   Defaults to $facts['os_service_default']
 #
 define oslo::healthcheck(
-  $detailed              = $facts['os_service_default'],
-  $backends              = $facts['os_service_default'],
-  $allowed_source_ranges = $facts['os_service_default'],
-  $disable_by_file_path  = $facts['os_service_default'],
-  $disable_by_file_paths = $facts['os_service_default'],
+  $detailed                = $facts['os_service_default'],
+  $backends                = $facts['os_service_default'],
+  $allowed_source_ranges   = $facts['os_service_default'],
+  $ignore_proxied_requests = $facts['os_service_default'],
+  $disable_by_file_path    = $facts['os_service_default'],
+  $disable_by_file_paths   = $facts['os_service_default'],
 ) {
 
   $backends_real = join(any2array($backends), ',')
@@ -41,11 +46,12 @@ define oslo::healthcheck(
   $disable_by_file_paths_real = join(any2array($disable_by_file_paths), ',')
 
   $healthcheck_options = {
-    'healthcheck/detailed'              => { value => $detailed },
-    'healthcheck/backends'              => { value => $backends_real },
-    'healthcheck/allowed_source_ranges' => { value => $allowed_source_ranges_real },
-    'healthcheck/disable_by_file_path'  => { value => $disable_by_file_path },
-    'healthcheck/disable_by_file_paths' => { value => $disable_by_file_paths_real},
+    'healthcheck/detailed'                => { value => $detailed },
+    'healthcheck/backends'                => { value => $backends_real },
+    'healthcheck/allowed_source_ranges'   => { value => $allowed_source_ranges_real },
+    'healthcheck/ignore_proxied_requests' => { value => $ignore_proxied_requests },
+    'healthcheck/disable_by_file_path'    => { value => $disable_by_file_path },
+    'healthcheck/disable_by_file_paths'   => { value => $disable_by_file_paths_real },
   }
   create_resources($name, $healthcheck_options)
 }
diff --git a/releasenotes/notes/healthcheck-ignore_proxied_requests-1c64c62f261882c9.yaml b/releasenotes/notes/healthcheck-ignore_proxied_requests-1c64c62f261882c9.yaml
new file mode 100644
index 0000000..c8b56e2
--- /dev/null
+++ b/releasenotes/notes/healthcheck-ignore_proxied_requests-1c64c62f261882c9.yaml
@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    The new ``oslo::ignore_proxied_requests`` parameter has been added.
diff --git a/spec/defines/oslo_healthcheck_spec.rb b/spec/defines/oslo_healthcheck_spec.rb
index d59e7b8..c299043 100644
--- a/spec/defines/oslo_healthcheck_spec.rb
+++ b/spec/defines/oslo_healthcheck_spec.rb
@@ -15,6 +15,7 @@ describe 'oslo::healthcheck' do
         is_expected.to contain_keystone_config('healthcheck/detailed').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('healthcheck/backends').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('healthcheck/allowed_source_ranges').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('healthcheck/ignore_proxied_requests').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('healthcheck/disable_by_file_path').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('healthcheck/disable_by_file_paths').with_value('<SERVICE DEFAULT>')
       end
@@ -23,14 +24,15 @@ describe 'oslo::healthcheck' do
     context 'with parameters overridden' do
       let :params do
         {
-          :detailed              => true,
-          :backends              => ['disable_by_file', 'disable_by_files_ports'],
-          :allowed_source_ranges => ['10.0.0.0/24', '10.0.1.0/24'],
-          :disable_by_file_path  => '/etc/keystone/healthcheck/disabled',
-          :disable_by_file_paths => [
+          :detailed                => true,
+          :backends                => ['disable_by_file', 'disable_by_files_ports'],
+          :allowed_source_ranges   => ['10.0.0.0/24', '10.0.1.0/24'],
+          :disable_by_file_path    => '/etc/keystone/healthcheck/disabled',
+          :disable_by_file_paths   => [
             '5000:/etc/keystone/healthcheck/public-disabled',
             '35357:/etc/keystone/healthcheck/admin-disabled'
           ],
+          :ignore_proxied_requests => false,
         }
       end
 
@@ -42,6 +44,7 @@ describe 'oslo::healthcheck' do
         is_expected.to contain_keystone_config('healthcheck/allowed_source_ranges').with_value(
           '10.0.0.0/24,10.0.1.0/24'
         )
+        is_expected.to contain_keystone_config('healthcheck/ignore_proxied_requests').with_value('false')
         is_expected.to contain_keystone_config('healthcheck/disable_by_file_path').with_value(
           '/etc/keystone/healthcheck/disabled'
         )