Convert haproxy_security_headers_csp to a multiline string

This is much easier to read.

Change-Id: Iffb919402f981ab94b641ff43a4abaf773b99df2

doc/source/user/security/security-headers.rst

@@ -124,4 +124,14 @@ Security Policy to allow access to your authorisation server by overriding the
 
 .. code-block:: yaml
 
-    haproxy_horizon_csp: "http-response set-header Content-Security-Policy \"default-src 'self'; frame-ancestors 'self'; form-action 'self' {{ external_lb_vip_address }}:5000 <YOUR-AUTHORISATION-SERVER-ORIGIN>; upgrade-insecure-requests; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }}; frame-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }};\""
+    haproxy_horizon_csp: >
+      http-response set-header Content-Security-Policy "
+      default-src 'self';
+      frame-ancestors 'self';
+      form-action 'self' {{ external_lb_vip_address }}:5000 <YOUR-AUTHORISATION-SERVER-ORIGIN>;
+      upgrade-insecure-requests;
+      style-src 'self' 'unsafe-inline';
+      script-src 'self' 'unsafe-inline' 'unsafe-eval';
+      child-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }};
+      frame-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }};
+      "

inventory/group_vars/haproxy/haproxy.yml

@@ -45,7 +45,21 @@ haproxy_security_headers_max_age: 31536000
 # Set CSP headers to report only for testing
 haproxy_security_headers_csp_report_only: False
 # To override the CSP used by a specific service define a variable haproxy_<service name>_csp
-haproxy_security_headers_csp: "http-response set-header {{ haproxy_security_headers_csp_report_only | ternary('Content-Security-Policy-Report-Only', 'Content-Security-Policy') }} \"default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }}; frame-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }}; connect-src 'self' {{ external_lb_vip_address }}:* wss://{{ external_lb_vip_address }}:{{ ironic_console_port }}; img-src 'self' data:; worker-src blob:;\""
+haproxy_security_headers_csp: >
+  http-response set-header {{ haproxy_security_headers_csp_report_only | ternary('Content-Security-Policy-Report-Only', 'Content-Security-Policy') }} "
+  default-src 'self';
+  frame-ancestors 'none';
+  form-action 'self';
+  upgrade-insecure-requests;
+  style-src 'self' 'unsafe-inline';
+  script-src 'self' 'unsafe-inline' 'unsafe-eval';
+  child-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }};
+  frame-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }};
+  connect-src 'self' {{ external_lb_vip_address }}:* wss://{{ external_lb_vip_address }}:{{ ironic_console_port }};
+  img-src 'self' data:;
+  worker-src blob:;
+  "
+
 # To disable security headers set to []
 haproxy_security_headers:
   - "http-response set-header Strict-Transport-Security \"max-age={{ haproxy_security_headers_max_age }}; includeSubDomains;\""