Add support for TLS backends

This patch allows haproxy to communicate with service backends over TLS.

It's disabled by default and each service role needs to have TLS backend
support implemented to get it working.

For example, TLS support for glance was added in [1]

[1] https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/821011

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/880872

Change-Id: I5fc507f4031dcf63ed95dae307c30d9f436ef3da
Damian Dabrowski 2023-03-30 21:50:55 +02:00
parent 4dca2883f7
commit e9445504f4
32 changed files with 92 additions and 2 deletions


@ -23,6 +23,8 @@ haproxy_adjutant_api_service:
haproxy_balance_alg: source
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_ssl: "{{ adjutant_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ adjutant_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['adjutant_api'] is defined and groups['adjutant_api'] | length > 0 }}"
adjutant_haproxy_services:


@ -70,6 +70,10 @@ openstack_host_manage_hosts_file: "{{ groups['unbound'] is not defined or groups
## Enable external SSL handling for general OpenStack services
openstack_external_ssl: true
## Control whether traffic between haproxy and service backends should
## be encrypted.
openstack_service_backend_ssl: False
## OpenStack global Endpoint Protos
openstack_service_publicuri_proto: https
openstack_service_adminuri_proto: http
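Review bot: `openstack_service_backend_ssl: False` uses a capitalised boolean while the neighbouring `openstack_external_ssl: true` is lowercase; `false` would match the file and pass yamllint's `truthy` rule. The same applies to `openstack_haproxy_backend_ca: True` in the haproxy variables section. The comment above the variable would also help operators if it named the per-service override and the caveat from the commit message, for example `## Override per service with <service>_backend_ssl; only effective for roles that implement backend TLS.`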


@ -31,5 +31,10 @@ openstack_haproxy_stick_table:
- "http-request track-sc0 src"
- "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src {{ haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"
# CA used by haproxy to verify backend certificate.
# It can contain CA path or a boolean:
# (true = use system CA, false = cert validation disabled)
openstack_haproxy_backend_ca: True
# apply the stick table as default for all backends
haproxy_stick_table: "{{ openstack_haproxy_stick_table }}"
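Review bot: The comment on `openstack_haproxy_backend_ca` says `false` disables certificate validation but not what that costs. With validation off, haproxy still encrypts to the backend but accepts any certificate, so the backend is not authenticated and the setting is only suitable for testing. I would spell that out, for example `# false = cert validation disabled: traffic is encrypted but the backend is NOT authenticated`. "CA path" could also say whether a file, a directory or either is expected, which the hunk does not show.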


@ -65,3 +65,6 @@ openstack_pki_authorities:
#install the root CA certificate on all hosts and containers
openstack_pki_install_ca:
- name: "ExampleCorpRoot"
# Subject Alternate Name(SAN) for certificates
openstack_pki_san: "{{ 'DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address }}"


@ -22,6 +22,8 @@ haproxy_aodh_api_service:
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_ssl: "{{ aodh_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ aodh_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['aodh_api'] is defined and groups['aodh_api'] | length > 0 }}"
aodh_haproxy_services:


@ -22,6 +22,8 @@ haproxy_barbican_service:
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_ssl: "{{ barbican_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ barbican_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['barbican_api'] is defined and groups['barbican_api'] | length > 0 }}"
barbican_haproxy_services:


@ -24,6 +24,8 @@ haproxy_blazar_api_service:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_httpcheck_options:
- 'expect rstatus (200|401)'
haproxy_backend_ssl: "{{ blazar_backend_ssl | default(False) }}"
haproxy_backend_ca: "{{ openstack_haproxy_backend_ca | default(True) }}"
haproxy_service_enabled: "{{ groups['blazar_api'] is defined and groups['blazar_api'] | length > 0 }}"
blazar_haproxy_services:
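Review bot: The blazar entry is the only one on this page whose `haproxy_backend_ssl` defaults to a literal `False` with no explanation, and whose `haproxy_backend_ca` has no per-service override. Swift also bypasses `openstack_service_backend_ssl`, but it carries a comment saying why. As written, an operator who turns on the global switch gets a plaintext blazar backend with no hint in the file. If that is intentional, add a comment stating the reason. Otherwise align it with the other services: `haproxy_backend_ssl: "{{ blazar_backend_ssl | default(openstack_service_backend_ssl) }}"` and `haproxy_backend_ca: "{{ blazar_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"`.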


@ -36,6 +36,8 @@ haproxy_cinder_api_service:
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_ssl: "{{ cinder_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ cinder_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['cinder_api'] is defined and groups['cinder_api'] | length > 0 }}"
cinder_haproxy_services:


@ -23,6 +23,8 @@ haproxy_cloudkitty_api_service:
haproxy_balance_alg: source
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_ssl: "{{ cloudkitty_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ cloudkitty_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['cloudkitty_api'] is defined and groups['cloudkitty_api'] | length > 0 }}"
cloudkitty_haproxy_services:


@ -24,6 +24,8 @@ haproxy_designate_api_service:
- "forwardfor"
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
- "httplog"
haproxy_backend_ssl: "{{ designate_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ designate_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['designate_api'] is defined and groups['designate_api'] | length > 0 }}"
designate_haproxy_services:


@ -15,6 +15,8 @@
# If there are Swift hosts in the environment, then use it as the default Glance store
glance_default_store: "{{ ((groups['swift_all'] is defined) and (groups['swift_all'] | length > 0)) | ternary('swift', 'file') }}"
glance_available_stores: "{{ [ glance_default_store ] + (glance_additional_stores | default([])) }}"
glance_use_uwsgi: "{{ ('ceph' not in glance_available_stores) }}"
# glance default list of bind mounts
glance_container_bind_mounts:
@ -33,6 +35,8 @@ haproxy_glance_api_service:
haproxy_balance_alg: source
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_ssl: "{{ (glance_use_uwsgi | default(True)) | ternary((glance_backend_ssl | default(openstack_service_backend_ssl)), False) }}"
haproxy_backend_ca: "{{ glance_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['glance_api'] is defined and groups['glance_api'] | length > 0 }}"
glance_haproxy_services:
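Review bot: The `ternary(..., False)` on the glance `haproxy_backend_ssl` line forces backend TLS off whenever `glance_use_uwsgi` is false, that is, when `ceph` is in `glance_available_stores`. This happens even if the operator has set `glance_backend_ssl` or `openstack_service_backend_ssl` to true, and nothing in the file says so. A comment above the line would make the downgrade visible, for example `# Backend TLS is forced off when glance does not run under uwsgi (Ceph store), regardless of glance_backend_ssl`. Presumably the non-uwsgi deployment cannot terminate TLS, and that reason belongs in the comment too. The `| default(True)` on `glance_use_uwsgi` looks unreachable, since the variable is defined a few lines above in the same section.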


@ -27,6 +27,8 @@ haproxy_gnocchi_service:
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_ssl: "{{ gnocchi_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ gnocchi_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['gnocchi_all'] is defined and groups['gnocchi_all'] | length > 0 }}"
gnocchi_haproxy_services:


@ -26,6 +26,8 @@ haproxy_heat_api_service:
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_ssl: "{{ heat_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ heat_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['heat_api'] is defined and groups['heat_api'] | length > 0 }}"
haproxy_heat_api_cfn_service:
@ -37,6 +39,8 @@ haproxy_heat_api_cfn_service:
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_ssl: "{{ heat_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ heat_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['heat_api_cfn'] is defined and groups['heat_api_cfn'] | length > 0 }}"
heat_haproxy_services:


@ -30,12 +30,14 @@ haproxy_horizon_service:
haproxy_backend_only: true #only describe the backends, frontend is in `base` via haproxy_all group vars
haproxy_service_name: horizon
haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}"
haproxy_backend_port: 80
haproxy_backend_port: "{{ (horizon_backend_ssl | default(False)) | ternary(443, 80) }}"
haproxy_balance_type: http
haproxy_balance_alg: source
haproxy_backend_options:
- "httpchk HEAD /auth/login/ HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}"
haproxy_backend_ssl: "{{ horizon_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ horizon_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_stick_table: "{{ openstack_haproxy_horizon_stick_table }}"
haproxy_map_entries:
- name: base_regex
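Review bot: `haproxy_backend_port` falls back to `default(False)` while `haproxy_backend_ssl` a few lines below falls back to `openstack_service_backend_ssl`. With the global switch on and `horizon_backend_ssl` unset, haproxy would therefore be told to speak TLS to port 80. Both keys should derive from the same expression, for example `haproxy_backend_port: "{{ (horizon_backend_ssl | default(openstack_service_backend_ssl)) | ternary(443, 80) }}"`. The page prints `haproxy_backend_port` twice without +/- markers, so this assumes the templated line is the new side. The mapping continues past the end of the hunk.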


@ -28,6 +28,8 @@ haproxy_ironic_api_service:
haproxy_backend_arguments:
- "http-request deny if { path_beg /v1/lookup } !{ src {{ haproxy_ironic_allowlist_networks | join(' } !{ src ') }} }"
- "http-request deny if { path_beg /v1/heartbeat } !{ src {{ haproxy_ironic_allowlist_networks | join(' } !{ src ') }} }"
haproxy_backend_ssl: "{{ ironic_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ ironic_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['ironic_api'] is defined and groups['ironic_api'] | length > 0 }}"
haproxy_ironic_inspector_service:
@ -41,6 +43,8 @@ haproxy_ironic_inspector_service:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_arguments:
- "http-request deny if { path_beg /v1/continue } !{ src {{ haproxy_ironic_inspector_allowlist_networks | join(' } !{ src ') }} }"
haproxy_backend_ssl: "{{ ironic_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ ironic_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['ironic_inspector'] is defined and groups['ironic_inspector'] | length > 0 }}"
ironic_haproxy_services:


@ -28,6 +28,8 @@ haproxy_keystone_service:
haproxy_balance_type: "http"
haproxy_backend_options:
- "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_ssl: "{{ keystone_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ keystone_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['keystone_all'] is defined and groups['keystone_all'] | length > 0 }}"
keystone_haproxy_services:


@ -22,6 +22,8 @@ haproxy_magnum_service:
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_ssl: "{{ magnum_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ magnum_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['magnum_all'] is defined and groups['magnum_all'] | length > 0 }}"
magnum_haproxy_services:


@ -22,6 +22,8 @@ haproxy_manila_service:
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_ssl: "{{ manila_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ manila_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['manila_api'] is defined and groups['manila_api'] | length > 0 }}"
manila_haproxy_services:


@ -22,6 +22,8 @@ haproxy_masakari_api_service:
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_ssl: "{{ masakari_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ masakari_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['masakari_api'] is defined and groups['masakari_api'] | length > 0 }}"
masakari_haproxy_services:


@ -22,6 +22,8 @@ haproxy_mistral_service:
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_ssl: "{{ mistral_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ mistral_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['mistral_all'] is defined and groups['mistral_all'] | length > 0 }}"
mistral_haproxy_services:


@ -24,6 +24,8 @@ haproxy_murano_service:
- "httpchk GET /v1 HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_httpcheck_options:
- "expect status 401"
haproxy_backend_ssl: "{{ murano_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ murano_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['murano_all'] is defined and groups['murano_all'] | length > 0 }}"
murano_haproxy_services:


@ -24,6 +24,8 @@ haproxy_neutron_server_service:
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_ssl: "{{ neutron_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ neutron_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['neutron_server'] is defined and groups['neutron_server'] | length > 0 }}"
haproxy_opendaylight_neutron_service:


@ -33,6 +33,8 @@ haproxy_nova_api_metadata_service:
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_allowlist_networks: "{{ haproxy_nova_metadata_allowlist_networks }}"
haproxy_backend_ssl: "{{ nova_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ nova_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['nova_api_metadata'] is defined and groups['nova_api_metadata'] | length > 0 }}"
haproxy_nova_api_compute_service:
@ -44,6 +46,8 @@ haproxy_nova_api_compute_service:
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_ssl: "{{ nova_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ nova_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['nova_api_os_compute'] is defined and groups['nova_api_os_compute'] | length > 0 }}"
haproxy_nova_spice_console_service:
@ -58,7 +62,9 @@ haproxy_nova_spice_console_service:
haproxy_balance_alg: source
haproxy_backend_options: "{{ haproxy_nova_console_http_mode | ternary(['httpchk HEAD /spice_auto.html HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck'], []) }}"
haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}"
haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type == 'spice' }}"
haproxy_backend_ssl: "{{ nova_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ nova_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type != 'disabled' }}"
haproxy_nova_serial_console_service:
haproxy_service_name: nova_serial_console
@ -72,6 +78,8 @@ haproxy_nova_serial_console_service:
haproxy_balance_alg: source
haproxy_backend_options: "{{ haproxy_nova_console_http_mode | ternary(['httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck'], []) }}"
haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}"
haproxy_backend_ssl: "{{ nova_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ nova_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ (groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type == 'serial') or
(groups['ironic_console'] is defined and groups['ironic_console'] | length > 0 and ironic_console_type == 'serial') }}"
@ -87,6 +95,8 @@ haproxy_nova_novnc_console_service:
haproxy_balance_alg: source
haproxy_backend_options: "{{ haproxy_nova_console_http_mode | ternary(['httpchk HEAD /vnc.html HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck'], []) }}"
haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['expect status 200'], []) }}"
haproxy_backend_ssl: "{{ nova_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ nova_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and nova_console_type == 'novnc' }}"
# NOTE(jrosser) Clean up legacy console haproxy configs from previous releases
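Review bot: In the `haproxy_nova_spice_console_service` hunk, `haproxy_service_enabled` appears twice, once with `nova_console_type == 'spice'` and once with `nova_console_type != 'disabled'`. The page has lost the +/- markers, so which is the new side is inferred from print order. If the `!= 'disabled'` form is the new line, the spice backend would be enabled for novnc and serial deployments too, unlike the sibling console services, which compare against their own type. That change is unrelated to backend TLS and is not mentioned in the commit message. If both lines are actually present in the file, the mapping has a duplicate key and most YAML loaders silently keep the last one. I would keep `nova_console_type == 'spice'` here unless the broader condition is intended, and move any such change to its own commit.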


@ -22,6 +22,8 @@ haproxy_octavia_service:
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_ssl: "{{ octavia_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ octavia_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['octavia_all'] is defined and groups['octavia_all'] | length > 0 }}"
octavia_haproxy_services:


@ -22,6 +22,8 @@ haproxy_placement_service:
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_ssl: "{{ placement_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ placement_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['placement_all'] is defined and groups['placement_all'] | length > 0 }}"
placement_haproxy_services:


@ -45,6 +45,8 @@ haproxy_repo_service:
- "httpchk GET /constraints/upper_constraints_cached.txt HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_httpcheck_options:
- "expect status 200"
haproxy_backend_ssl: "{{ repo_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ repo_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['repo_all'] is defined and groups['repo_all'] | length > 0 }}"
repo_haproxy_services:


@ -23,6 +23,8 @@ haproxy_sahara_api_service:
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_ssl: "{{ sahara_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ sahara_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['sahara_api'] is defined and groups['sahara_api'] | length > 0 }}"
sahara_haproxy_services:


@ -22,6 +22,8 @@ haproxy_senlin_api_service:
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_ssl: "{{ senlin_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ senlin_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['senlin_api'] is defined and groups['senlin_api'] | length > 0 }}"
senlin_haproxy_services:


@ -29,6 +29,11 @@ haproxy_swift_proxy_service:
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
# `openstack_service_backend_ssl` is not taken into account
# because TLS in swift-proxy is only for testing purposes:
# https://opendev.org/openstack/swift/src/commit/c78a5962b5f6c9e75f154cac924a226815236e98/etc/proxy-server.conf-sample
haproxy_backend_ssl: "{{ swift_backend_ssl | default(False) }}"
haproxy_backend_ca: "{{ swift_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['swift_proxy'] is defined and groups['swift_proxy'] | length > 0 }}"
swift_haproxy_services:


@ -24,6 +24,8 @@ haproxy_tacker_service:
- "forwardfor"
- "httpchk GET / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
- "httplog"
haproxy_backend_ssl: "{{ tacker_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ tacker_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['tacker_all'] is defined and groups['tacker_all'] | length > 0 }}"
tacker_haproxy_services:


@ -24,6 +24,8 @@ haproxy_trove_service:
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_ssl: "{{ trove_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ trove_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['trove_api'] is defined and groups['trove_api'] | length > 0 }}"
trove_haproxy_services:


@ -22,6 +22,8 @@ haproxy_zun_api_service:
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk GET /healthcheck HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_ssl: "{{ zun_backend_ssl | default(openstack_service_backend_ssl) }}"
haproxy_backend_ca: "{{ zun_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['zun_api'] is defined and groups['zun_api'] | length > 0 }}"
haproxy_zun_console_service:
@ -38,6 +40,9 @@ haproxy_zun_console_service:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
haproxy_backend_httpcheck_options:
- "expect status 405"
# haproxy_backend_ssl disabled due to: https://bugs.launchpad.net/zun/+bug/2016917
haproxy_backend_ssl: False
haproxy_backend_ca: "{{ zun_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_service_enabled: "{{ groups['zun_api'] is defined and groups['zun_api'] | length > 0 }}"
zun_haproxy_services: