From 8f1c7dc91fb1e00784f6228526d95f4434ba8a01 Mon Sep 17 00:00:00 2001
From: Goutham Pacha Ravi
Date: Wed, 20 Feb 2019 18:00:45 -0800
Subject: [PATCH] Fix tls-proxy issues with the devstack plugin Enabling tls-proxy allows devstack to set up a tls proxy server that front-ends interactions with the manila-api and terminates tls connections. Also enable tls-proxy in dummy and lvm jobs. The dummy driver job is configured to run the in-built wsgi server, the lvm job is configured to use mod-wsgi.
Closes-Bug: #1816836
Change-Id: I48b0ccc082604d78242ba61bee94a45efeb2467b
---
 devstack/plugin.sh | 24 ++++++++++++-------
 .../development-environment-devstack.rst | 5 +++-
 .../run.yaml | 2 +-
 .../manila-tempest-minimal-dsvm-lvm/run.yaml | 2 ++
 4 files changed, 22 insertions(+), 11 deletions(-)
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 3f1e04a958..8c8af6a618 100755
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -71,7 +71,7 @@ function _config_manila_apache_wsgi {
 sudo sed -e "
 s|%APACHE_NAME%|$APACHE_NAME|g;
 s|%MANILA_BIN_DIR%|$MANILA_BIN_DIR|g;
- s|%PORT%|$MANILA_SERVICE_PORT|g;
+ s|%PORT%|$REAL_MANILA_SERVICE_PORT|g;
 s|%APIWORKERS%|$API_WORKERS|g;
 s|%USER%|$STACK_USER|g;
 " -i $manila_api_apache_conf
@@ -277,9 +277,14 @@ function configure_manila {
 iniset $MANILA_CONF DEFAULT manila_service_keypair_name $MANILA_SERVICE_KEYPAIR_NAME
+ REAL_MANILA_SERVICE_PORT=$MANILA_SERVICE_PORT
 if is_service_enabled tls-proxy; then
+ # Set the protocol to 'https', and set the default port
+ MANILA_SERVICE_PROTOCOL="https"
+ REAL_MANILA_SERVICE_PORT=$MANILA_SERVICE_PORT_INT
 # Set the service port for a proxy to take the original
- iniset $MANILA_CONF DEFAULT osapi_share_listen_port $MANILA_SERVICE_PORT_INT
+ iniset $MANILA_CONF DEFAULT osapi_share_listen_port $REAL_MANILA_SERVICE_PORT
+ iniset $MANILA_CONF oslo_middleware enable_proxy_headers_parsing True
 fi
 iniset_rpc_backend manila $MANILA_CONF DEFAULT
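Review bot: `REAL_MANILA_SERVICE_PORT` is a plain global first assigned inside `configure_manila` (the `@@ -277` hunk), yet the `@@ -71` hunk reads it in `_config_manila_apache_wsgi` and the `start_manila_api` hunk reads it again; if either function can run before `configure_manila` in devstack's phase ordering (the call sites are not visible in these hunks), the `%PORT%` placeholder is substituted with an empty string and the Apache vhost is generated with no port. A defaulting line at the top of `_config_manila_apache_wsgi`, `: "${REAL_MANILA_SERVICE_PORT:=$MANILA_SERVICE_PORT}"`, makes the sed ordering-independent at no cost. In the `@@ -277` hunk, `enable_proxy_headers_parsing True` presumably makes manila-api honour X-Forwarded-* headers from any client reaching the internal port; that is appropriate only because the port is fronted by devstack's local tls proxy, and the comment should record that assumption, e.g. `# Trust X-Forwarded-* headers: the internal port is only meant to be reached through the local tls proxy`. Both `_config_manila_apache_wsgi` and `configure_manila` extend beyond their hunks.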
@@ -509,11 +514,6 @@ function create_default_share_group_type {
 # type identified by $MANILA_DEFAULT_SHARE_TYPE is still created, but not
 # configured as default.
 function create_default_share_type {
- echo "Waiting for Manila API to start..."
- if ! wait_for_service 60 $MANILA_SERVICE_PROTOCOL://$MANILA_SERVICE_HOST:$MANILA_SERVICE_PORT; then
- die $LINENO "Manila did not start"
- fi
-
 enabled_backends=(${MANILA_ENABLED_BACKENDS//,/ })
 driver_handles_share_servers=$(iniget $MANILA_CONF ${enabled_backends[0]} driver_handles_share_servers)
@@ -826,14 +826,20 @@ function start_manila_api {
 run_process m-api "$MANILA_BIN_DIR/manila-api --config-file $MANILA_CONF"
 fi
+ echo "Waiting for Manila API to start..."
- if ! wait_for_service $SERVICE_TIMEOUT $MANILA_SERVICE_PROTOCOL://$MANILA_SERVICE_HOST:$MANILA_SERVICE_PORT; then
+ # This is a health check against the manila-api service we just started.
+ # We use the port ($REAL_MANILA_SERVICE_PORT) here because we want to hit
+ # the bare service endpoint, even if the tls tunnel should be enabled.
+ # We're making sure that the internal port is checked using unencryted
+ # traffic at this point.
+ if ! wait_for_service $SERVICE_TIMEOUT $MANILA_SERVICE_PROTOCOL://$MANILA_SERVICE_HOST:$REAL_MANILA_SERVICE_PORT; then
 die $LINENO "Manila API did not start"
 fi
 # Start proxies if enabled
 if is_service_enabled tls-proxy; then
- start_tls_proxy '*' $MANILA_SERVICE_PORT $MANILA_SERVICE_HOST $MANILA_SERVICE_PORT_INT &
+ start_tls_proxy manila '*' $MANILA_SERVICE_PORT $MANILA_SERVICE_HOST $MANILA_SERVICE_PORT_INT
 fi
 }
diff --git a/doc/source/contributor/development-environment-devstack.rst b/doc/source/contributor/development-environment-devstack.rst
index 4d6050658d..b66fa5c200 100644
--- a/doc/source/contributor/development-environment-devstack.rst
+++ b/doc/source/contributor/development-environment-devstack.rst
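Review bot: The new `wait_for_service` line in the `@@ -826` hunk still builds its URL from `$MANILA_SERVICE_PROTOCOL`, which the `configure_manila` hunk sets to `https` whenever tls-proxy is enabled, so in exactly the tls-proxy case the probe speaks TLS to the bare plaintext port `$REAL_MANILA_SERVICE_PORT`, the opposite of what the five-line comment above it promises. Unless `wait_for_service` (not visible here) treats a TLS handshake failure as "not up yet", the check either fails spuriously or returns without having confirmed that manila-api is listening, and the tls proxy is then started in front of an unverified backend. Hard-coding the scheme matches the stated intent: `if ! wait_for_service $SERVICE_TIMEOUT http://$MANILA_SERVICE_HOST:$REAL_MANILA_SERVICE_PORT; then`. The comment also has a typo, `unencryted` should read `unencrypted`. `start_manila_api` begins before this hunk.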
@@ -184,7 +184,10 @@ Optionally, you can deploy with Manila, Nova, Neutron, Glance and Tempest::
 ENABLED_SERVICES+=q-svc,q-dhcp,q-meta,q-l3,q-agt
 ENABLED_SERVICES+=tempest
-
+You can also enable ``tls-proxy`` with ``ENABLED_SERVICES`` to allow
+devstack to use Apache and setup a TLS proxy to terminate TLS connections.
+Using tls-proxy secures all OpenStack service API endpoints and inter-service
+communication on your devstack.
 Bootstrapping Tempest
 `````````````````````
diff --git a/playbooks/legacy/manila-tempest-minimal-dsvm-dummy/run.yaml b/playbooks/legacy/manila-tempest-minimal-dsvm-dummy/run.yaml
index adde63f75b..f6cecdb3af 100644
--- a/playbooks/legacy/manila-tempest-minimal-dsvm-dummy/run.yaml
+++ b/playbooks/legacy/manila-tempest-minimal-dsvm-dummy/run.yaml
@@ -44,7 +44,7 @@
 export DEVSTACK_GATE_NEUTRON=1
 export DEVSTACK_PROJECT_FROM_GIT="python-manilaclient"
 # Basic services needed for minimal job
- export OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest
+ export OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest,tls-proxy
 export DEVSTACK_GATE_USE_PYTHON3=True
 export PYTHON3_VERSION="3.6"
diff --git a/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run.yaml b/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run.yaml
index 561fe36f9d..9d45925569 100644
--- a/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run.yaml
+++ b/playbooks/legacy/manila-tempest-minimal-dsvm-lvm/run.yaml
@@ -57,6 +57,8 @@
 OVERRIDE_ENABLED_SERVICES+=,n-api,n-cpu,n-cond,n-sch,n-crt,n-cauth,n-obj
 # Enable neutron for scenario tests
 OVERRIDE_ENABLED_SERVICES+=,q-svc,q-dhcp,q-meta,q-l3,q-agt
+ # Enable tls-proxy
+ OVERRIDE_ENABLED_SERVICES+=,tls-proxy
 # Enable mandatory placement services for nova starting with ocata
 if [[ "stable/newton" != $ZUUL_BRANCH ]]; then