Listen on additional health check port only if it is configured via flag

Author: b1tamara

jobs/haproxy/spec

@@ -579,7 +579,6 @@ properties:
     default: false
   ha_proxy.enable_additional_health_check_proxy:
       description: "Enable the additional health check listener with use of the PROXY protocol"
-      default: false
   ha_proxy.binding_ip:
     description: "If there are multiple ethernet interfaces, specify which one to bind. Set to `::` to bind to all IPv6 interfaces (no IPv4). IPv6 must be enabled on the HAProxy VM in the deployment manifest."
     default: ""
@@ -602,7 +601,7 @@ properties:
       - 172.168.4.1/32
       - 10.2.0.0/16
   ha_proxy.expect_proxy_cidrs:
-    description: "List of CIDRs to enable proxy protocol for. This enables forwarding of the client source IP for hyperscalers not supporting IP dual stack (v4 & v6). This property is mutually exclusive with the accept_proxy."
+    description: "List of CIDRs to enable proxy protocol for. This enables the forwarding of the client source IP for hyperscalers that do not support IP dual stack (v4 & v6). This property is mutually exclusive with the accept_proxy. For backward compatibility, if the list is not empty, HAProxy will listen on an additional health check port (health_check_port + 1) with proxy protocol enabled, by implicitly setting enable_additional_health_check_proxy to true if not set explicitly."
     default: ~
     example:
       expect_proxy_cidrs:

jobs/haproxy/templates/haproxy.config.erb

@@ -271,6 +271,10 @@ end
   if backend_ssl != "" && (enable_http2 || backend_match_http_protocol)
     backends += [{ name: "http-routers-http2", backend_ssl: backend_ssl, alpn: "alpn h2,http/1.1 " }]
   end
+
+  # to keep backward compatibility enable_additional_health_check_proxy if expect_proxy_cidrs is not empty.
+  enable_additional_health_check_proxy = p("ha_proxy.enable_additional_health_check_proxy", p("ha_proxy.expect_proxy_cidrs", []).size > 0)
+
 -%>
 
 global
@@ -385,7 +389,7 @@ listen health_check_http_url
     acl http-routers_down nbsrv(<%= backends.first[:name] %>) eq 0
     monitor fail if http-routers_down
 
-<%- if p("ha_proxy.expect_proxy_cidrs", []).size > 0 || p("ha_proxy.enable_additional_health_check_proxy") -%>
+<%- if enable_additional_health_check_proxy -%>
 listen health_check_http_url_proxy_protocol
     bind :<%= p("ha_proxy.health_check_port") + 1 %> accept-proxy
     mode http
@@ -1101,7 +1105,7 @@ listen health_check_http_tcp-<%= tcp_proxy["name"] %>
     acl tcp-<%= tcp_proxy["name"] %>-routers_down nbsrv(tcp-<%= tcp_proxy["name"] %>) eq 0
     monitor fail if tcp-<%= tcp_proxy["name"] %>-routers_down
 
-    <%- if p("ha_proxy.expect_proxy_cidrs", []).size > 0 || p("ha_proxy.enable_additional_health_check_proxy") -%>
+    <%- if enable_additional_health_check_proxy -%>
 listen health_check_http_tcp-<%= tcp_proxy["name"] %>_proxy_protocol
     bind :<%= tcp_proxy["health_check_http"] + 1 %> accept-proxy
     mode http

spec/haproxy/templates/haproxy_config/healthcheck_listener_spec.rb

@@ -95,12 +95,27 @@
           }
         end
 
-        it 'sets expect-proxy for the healthcheck' do
+        it 'sets expect-proxy for the healthchecks on ports 8080 and 8081' do
+          expect(healthcheck_listener).to include('bind :8080')
           expect(healthcheck_listener).to include('tcp-request connection expect-proxy layer4 unless LOCALHOST')
           expect(healthcheck_listener_proxy_protocol).to include('bind :8081 accept-proxy')
         end
       end
 
+      context 'when expect_proxy_cidrs is not empty due to backward compatibility' do
+        let(:properties) do
+          {
+            'enable_health_check_http' => true,
+            'expect_proxy_cidrs' => ['10.5.6.7/27']
+          }
+        end
+
+        it 'sets expect-proxy for the healthcheck on port 8081' do
+          expect(healthcheck_listener).to include('bind :8080')
+          expect(healthcheck_listener_proxy_protocol).to include('bind :8081 accept-proxy')
+        end
+      end
+
       context 'when ha_proxy.enable_additional_health_check_proxy is false but accept_proxy true' do
         let(:properties) do
           {