
openstack/kuryr: expose origin API on 443 for pods

Kuryr deployments run without kube-proxy, so we need an LB listener to
expose the Kubernetes API on port 443, which is the port the OpenShift
node environment variables tell the pods the API listens on.

Change-Id: I5dad82fe57585bcdfadfe6edf474d6cd6794268a
Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>
Antoni Segura Puimedon 7 years ago
parent
commit
de776438d3
1 changed files with 18 additions and 1 deletions
  1. 18 1
      roles/openshift_openstack/templates/heat_stack.yaml.j2

+ 18 - 1
roles/openshift_openstack/templates/heat_stack.yaml.j2

@@ -139,6 +139,23 @@ resources:
       loadbalancer: { get_resource: api_lb }
       protocol: HTTPS
       protocol_port: {{ openshift_master_api_port }}
+      default_pool: { get_resource: api_lb_pool }
+
+{% if openshift_use_kuryr|default(false)|bool and openshift_master_api_port|default(8443) != 443 %}
+  # 443 listener for pod access. In non-kuryr envs handled by iptables
+  internal_api_lb_listener:
+    type: OS::Neutron::LBaaS::Listener
+    properties:
+      name:
+        str_replace:
+          template: openshift-ansible-cluster_id-api-lb-internal-listener
+          params:
+            cluster_id: {{ openshift_openstack_full_dns_domain }}
+      loadbalancer: { get_resource: api_lb }
+      protocol: HTTPS
+      protocol_port: 443
+      default_pool: { get_resource: api_lb_pool }
+{% endif %}
 
   api_lb_pool:
     type: OS::Neutron::LBaaS::Pool
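Review bot: The guard `openshift_master_api_port|default(8443) != 443` compares without normalising the type, so a port supplied as the string "443" (inventory group vars commonly arrive as strings) passes the test and a second listener is declared on 443 against the same `api_lb` as `api_lb_listener`, which would presumably fail stack creation with a port conflict. Casting first avoids that: `{% if openshift_use_kuryr|default(false)|bool and openshift_master_api_port|default(8443)|int != 443 %}`. Separately, the listener is named "internal" and commented as pod access, but it is attached to the same `api_lb` as the existing API listener, so it is reachable from wherever that VIP is reachable. The comment should say so. Whether the VIP's security groups or floating IP restrict port 443 is not visible in this hunk.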
@@ -151,7 +168,7 @@ resources:
       protocol: HTTPS
       # TODO(shadower): Make this configurable?
       lb_algorithm: ROUND_ROBIN
-      listener: { get_resource: api_lb_listener }
+      loadbalancer: { get_resource: api_lb }
 {% endif %}
 
 {% if not openshift_openstack_provider_network_name %}
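Review bot: The switch from `listener:` to `loadbalancer:` on `api_lb_pool`, together with the `default_pool` added to `api_lb_listener` in the first hunk, sits outside the kuryr conditional, so it changes the pool wiring for every deployment that creates this load balancer, not only kuryr ones. Both properties depend on shared-pool support in Heat and Neutron LBaaS (to my knowledge they were added to these resource types later than `listener:`), so a cloud where the previous template deployed may reject the stack. If raising the minimum is intended, a comment above the line such as `# Pool hangs off the LB, not one listener, so both API listeners can share it; needs LBaaS shared pools` would record it, and the requirement should be noted in the role's documentation too. The enclosing `{% if %}` block opens outside the hunk.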