setup keystone using apache mod_wsgi

Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
xbezdick · Sep 25, 2014 · 879f872 · 879f872
1 parent fdbe8f9
commit 879f872
Show file tree

Hide file tree

Showing 5 changed files with 313 additions and 198 deletions.
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -195,6 +195,23 @@
 #   custom service provider for changing start/stop/status behavior of service,
 #   and set it here.
 #
+#   [*service_name*]
+#   (optional) Name of the service that will be providing the
+#   server functionality of keystone.  For example, the default
+#   is just 'keystone', which means keystone will be run as a
+#   standalone eventlet service, and will able to be managed
+#   separately by the operating system's service manager.  For
+#   example, you will be able to use
+#   service openstack-keystone restart
+#   to restart the service.
+#   If the value is 'httpd', this means keystone will be a web
+#   service, and you must use another class to configure that
+#   web service.  For example, after calling class {'keystone'...}
+#   use class { 'keystone::wsgi::apache'...} to make keystone be
+#   a web app using apache mod_wsgi.
+#   Defaults to 'keystone'
+#   NOTE: validate_service only applies if the value is 'keystone'
+#
 # == Dependencies
 #  None
 #
@@ -205,6 +222,17 @@
 #     admin_token => 'my_special_token',
 #   }
 #
+#   OR
+#
+#   class { 'keystone':
+#      ...
+#      service_name => 'httpd',
+#      ...
+#   }
+#   class { 'keystone::wsgi::apache':
+#      ...
+#   }
+#
 # == Authors
 #
 #   Dan Bode [email protected]
@@ -272,6 +300,7 @@
   $validate_auth_url     = false,
   $validate_cacert       = undef,
   $service_provider      = $::keystone::params::service_provider,
+  $service_name          = 'keystone',
   # DEPRECATED PARAMETERS
   $mysql_module          = undef,
   $sql_connection        = undef,
@@ -308,12 +337,6 @@
     warning('Version string /v2.0/ should not be included in keystone::public_endpoint')
   }
 
-  File['/etc/keystone/keystone.conf'] -> Keystone_config<||> ~> Service['keystone']
-  Keystone_config<||> ~> Exec<| title == 'keystone-manage db_sync'|>
-  Keystone_config<||> ~> Exec<| title == 'keystone-manage pki_setup'|>
-
-  include keystone::params
-
   if $rabbit_use_ssl {
     if !$kombu_ssl_ca_certs {
       fail('The kombu_ssl_ca_certs parameter is required when rabbit_use_ssl is set to true')
@@ -326,13 +349,10 @@
     }
   }
 
-  File {
-    ensure  => present,
-    owner   => 'keystone',
-    group   => 'keystone',
-    require => Package['keystone'],
-    notify  => Service['keystone'],
-  }
+  File['/etc/keystone/keystone.conf'] -> Keystone_config<||> ~> Service[$service_name]
+  Keystone_config<||> ~> Exec<| title == 'keystone-manage db_sync'|>
+  Keystone_config<||> ~> Exec<| title == 'keystone-manage pki_setup'|>
+  include ::keystone::params
 
   package { 'keystone':
     ensure => $package_ensure,
@@ -355,10 +375,19 @@
   file { ['/etc/keystone', '/var/log/keystone', '/var/lib/keystone']:
     ensure  => directory,
     mode    => '0750',
+    owner   => 'keystone',
+    group   => 'keystone',
+    require => Package['keystone'],
+    notify  => Service[$service_name],
   }
 
   file { '/etc/keystone/keystone.conf':
+    ensure  => present,
     mode    => '0600',
+    owner   => 'keystone',
+    group   => 'keystone',
+    require => Package['keystone'],
+    notify  => Service[$service_name],
   }
 
   if $bind_host {
@@ -505,7 +534,7 @@
       user        => 'keystone',
       refreshonly => true,
       creates     => $signing_keyfile,
-      notify      => Service['keystone'],
+      notify      => Service[$service_name],
       subscribe   => Package['keystone'],
       require     => User['keystone'],
     }
@@ -574,42 +603,43 @@
     $service_ensure = 'stopped'
   }
 
-  if $validate_service {
+  if $service_name == 'keystone' {
+    if $validate_service {
+      if $validate_auth_url {
+        $v_auth_url = $validate_auth_url
+      } else {
+        $v_auth_url = $admin_endpoint
+      }
 
-    if $validate_auth_url {
-      $v_auth_url = $validate_auth_url
+      class { 'keystone::service':
+        ensure         => $service_ensure,
+        service_name   => $::keystone::params::service_name,
+        enable         => $enabled,
+        hasstatus      => true,
+        hasrestart     => true,
+        provider       => $service_provider,
+        validate       => true,
+        admin_endpoint => $v_auth_url,
+        admin_token    => $admin_token,
+        insecure       => $validate_insecure,
+        cacert         => $validate_cacert,
+      }
     } else {
-      $v_auth_url = $admin_endpoint
-    }
-
-    class { 'keystone::service':
-      ensure         => $service_ensure,
-      service_name   => $::keystone::params::service_name,
-      enable         => $enabled,
-      hasstatus      => true,
-      hasrestart     => true,
-      provider       => $service_provider,
-      validate       => true,
-      admin_endpoint => $v_auth_url,
-      admin_token    => $admin_token,
-      insecure       => $validate_insecure,
-      cacert         => $validate_cacert,
-    }
-  } else {
-    class { 'keystone::service':
-      ensure       => $service_ensure,
-      service_name => $::keystone::params::service_name,
-      enable       => $enabled,
-      hasstatus    => true,
-      hasrestart   => true,
-      provider     => $service_provider,
-      validate     => false,
+      class { 'keystone::service':
+        ensure       => $service_ensure,
+        service_name => $::keystone::params::service_name,
+        enable       => $enabled,
+        hasstatus    => true,
+        hasrestart   => true,
+        provider     => $service_provider,
+        validate     => false,
+      }
     }
   }
 
   if $enabled {
-    include keystone::db::sync
-    Class['keystone::db::sync'] ~> Service['keystone']
+    include ::keystone::db::sync
+    Class['::keystone::db::sync'] ~> Service[$service_name]
   }
 
   # Syslog configuration

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -16,6 +16,9 @@
           $keystone_wsgi_script_source = '/usr/share/keystone/wsgi.py'
         }
         default: {
+          # NOTE: Ubuntu does not currently provide the keystone wsgi script in the
+          # keystone packages.  When Ubuntu does provide the script, change this
+          # to use the correct path (which I'm assuming will be the same as Debian).
           $service_provider            = 'upstart'
           $keystone_wsgi_script_source = 'puppet:///modules/keystone/httpd/keystone.py'
         }
@@ -27,7 +30,7 @@
       $keystone_wsgi_script_path    = '/var/www/cgi-bin/keystone'
       $python_memcache_package_name = 'python-memcached'
       $service_provider             = undef
-      $keystone_wsgi_script_source  = 'puppet:///modules/keystone/httpd/keystone.py'
+      $keystone_wsgi_script_source  = '/usr/share/keystone/keystone.wsgi'
     }
   }
 }
diff --git a/manifests/wsgi/apache.pp b/manifests/wsgi/apache.pp
@@ -93,16 +93,19 @@
   $ssl_ca        = undef,
   $ssl_crl_path  = undef,
   $ssl_crl       = undef,
-  $ssl_certs_dir = undef
+  $ssl_certs_dir = undef,
+  $threads       = $::processorcount,
+  $priority      = '10',
 ) {
 
-  include keystone::params
+  include ::keystone::params
   include ::apache
   include ::apache::mod::wsgi
-  include keystone::db::sync
+  if $ssl {
+    include ::apache::mod::ssl
+  }
 
-  Exec <| title == 'keystone-manage pki_setup' |> ~> Service['httpd']
-  Exec <| title == 'keystone-manage db_sync' |> ~> Service['httpd']
+  Package['keystone'] -> Package['httpd']
   Package['keystone'] ~> Service['httpd']
   Keystone_config <| |> ~> Service['httpd']
   Service['httpd'] -> Keystone_endpoint <| |>
@@ -137,7 +140,8 @@
     owner   => 'keystone',
     group   => 'keystone',
     mode    => '0644',
-    require => File[$::keystone::params::keystone_wsgi_script_path],
+    # source file provided by keystone package
+    require => [File[$::keystone::params::keystone_wsgi_script_path], Package['keystone']],
   }
 
   file { 'keystone_wsgi_main':
@@ -147,14 +151,15 @@
     owner   => 'keystone',
     group   => 'keystone',
     mode    => '0644',
-    require => File[$::keystone::params::keystone_wsgi_script_path],
+    # source file provided by keystone package
+    require => [File[$::keystone::params::keystone_wsgi_script_path], Package['keystone']],
   }
 
   $wsgi_daemon_process_options = {
     user      => 'keystone',
     group     => 'keystone',
     processes => $workers,
-    threads   => '1'
+    threads   => $threads,
   }
   $wsgi_script_aliases_main = hash([$public_path_real,"${::keystone::params::keystone_wsgi_script_path}/main"])
   $wsgi_script_aliases_admin = hash([$admin_path_real, "${::keystone::params::keystone_wsgi_script_path}/admin"])
@@ -165,13 +170,15 @@
     $wsgi_script_aliases_main_real = $wsgi_script_aliases_main
   }
 
-  apache::vhost { 'keystone_wsgi_main':
+  ::apache::vhost { 'keystone_wsgi_main':
+    ensure                      => 'present',
     servername                  => $servername,
     ip                          => $bind_host,
     port                        => $public_port,
     docroot                     => $::keystone::params::keystone_wsgi_script_path,
     docroot_owner               => 'keystone',
     docroot_group               => 'keystone',
+    priority                    => $priority,
     ssl                         => $ssl,
     ssl_cert                    => $ssl_cert,
     ssl_key                     => $ssl_key,
@@ -180,32 +187,36 @@
     ssl_crl_path                => $ssl_crl_path,
     ssl_crl                     => $ssl_crl,
     ssl_certs_dir               => $ssl_certs_dir,
-    wsgi_daemon_process         => 'keystone',
+    wsgi_daemon_process         => 'keystone_main',
     wsgi_daemon_process_options => $wsgi_daemon_process_options,
-    wsgi_process_group          => 'keystone',
+    wsgi_process_group          => 'keystone_main',
     wsgi_script_aliases         => $wsgi_script_aliases_main_real,
-    require                     => [Class['apache::mod::wsgi'], File['keystone_wsgi_main']],
+    require                     => File['keystone_wsgi_main'],
   }
 
   if $public_port != $admin_port {
-    apache::vhost { 'keystone_wsgi_admin':
-      servername          => $servername,
-      ip                  => $bind_host,
-      port                => $admin_port,
-      docroot             => $::keystone::params::keystone_wsgi_script_path,
-      docroot_owner       => 'keystone',
-      docroot_group       => 'keystone',
-      ssl                 => $ssl,
-      ssl_cert            => $ssl_cert,
-      ssl_key             => $ssl_key,
-      ssl_chain           => $ssl_chain,
-      ssl_ca              => $ssl_ca,
-      ssl_crl_path        => $ssl_crl_path,
-      ssl_crl             => $ssl_crl,
-      ssl_certs_dir       => $ssl_certs_dir,
-      wsgi_process_group  => 'keystone',
-      wsgi_script_aliases => $wsgi_script_aliases_admin,
-      require             => [Class['apache::mod::wsgi'], File['keystone_wsgi_admin']],
+    ::apache::vhost { 'keystone_wsgi_admin':
+      ensure                      => 'present',
+      servername                  => $servername,
+      ip                          => $bind_host,
+      port                        => $admin_port,
+      docroot                     => $::keystone::params::keystone_wsgi_script_path,
+      docroot_owner               => 'keystone',
+      docroot_group               => 'keystone',
+      priority                    => $priority,
+      ssl                         => $ssl,
+      ssl_cert                    => $ssl_cert,
+      ssl_key                     => $ssl_key,
+      ssl_chain                   => $ssl_chain,
+      ssl_ca                      => $ssl_ca,
+      ssl_crl_path                => $ssl_crl_path,
+      ssl_crl                     => $ssl_crl,
+      ssl_certs_dir               => $ssl_certs_dir,
+      wsgi_daemon_process         => 'keystone_admin',
+      wsgi_daemon_process_options => $wsgi_daemon_process_options,
+      wsgi_process_group          => 'keystone_admin',
+      wsgi_script_aliases         => $wsgi_script_aliases_admin,
+      require                     => File['keystone_wsgi_admin'],
     }
   }
 }