From 1cb6886a21ebf131259ce5884264df32852b7067 Mon Sep 17 00:00:00 2001 From: Goutham Pacha Ravi Date: Wed, 13 Feb 2019 15:45:57 -0800 Subject: [PATCH] Switch Manila API to httpd and support TLS manila-api can be deployed in two ways: - Using the service-provided eventlet based server - Behind any popular web server as a wsgi process [1] adds support to the kolla image to install necessary packages and write configuration files to enable deploying manila-api with Apache/mod-wsgi/ [2] and [3] add support to puppet-{manila,tripleo} to honor httpd options like other API services. So, switch the manila-api docker/service to running httpd, and add necessary configuration options. Honor the "EnableInternalTLS" option to allow running manila-api with TLS. [1] https://review.openstack.org/#/c/590061/ [2] https://review.openstack.org/#/c/591869/ [3] https://review.openstack.org/#/c/592188/ Depends-On: https://review.openstack.org/#/c/592188/ Change-Id: Ic88a2f08e013a49e3da45a2bfc82c62ba284526a --- .../manila/manila-api-container-puppet.yaml | 63 ++++++++++++++++++- ...to-httpd-support-tls-9b995fe4113b2412.yaml | 6 ++ 2 files changed, 68 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/switch-manila-api-to-httpd-support-tls-9b995fe4113b2412.yaml diff --git a/deployment/manila/manila-api-container-puppet.yaml b/deployment/manila/manila-api-container-puppet.yaml index c35b467c00..cb1e9a0c32 100644 --- a/deployment/manila/manila-api-container-puppet.yaml +++ b/deployment/manila/manila-api-container-puppet.yaml @@ -36,6 +36,13 @@ parameters: default: {} description: Parameters specific to the role type: json + EnableInternalTLS: + type: boolean + default: false + ManilaWorkers: + type: string + description: Set the number of workers for manila::wsgi::apache + default: '%{::os_workers}' ManilaPassword: description: The password for the manila service account. type: string 
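Review bot: The new `EnableInternalTLS` parameter is added without a `description`, and with `default: false` the httpd vhost is deployed without TLS unless an operator opts in, since a later hunk passes the value straight to `manila::wsgi::apache::ssl`. I would add `description: Serve manila-api over TLS when true; when false the API is plain HTTP.` so that the consequence of the default is visible in the template. The `parameters` block starts and ends outside this hunk, so any description another parameter block already gives for the same name should be reused rather than reworded.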
@@ -48,6 +55,11 @@ parameters: default: 'overcloud-manila-api' type: string +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + manila_workers_zero: {equals : [{get_param: ManilaWorkers}, 0]} + resources: ContainersCommon: @@ -63,6 +75,19 @@ resources: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + ApacheServiceBase: + type: ../../puppet/services/apache.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + EnableInternalTLS: {get_param: EnableInternalTLS} outputs: role_data: @@ -72,6 +97,7 @@ outputs: config_settings: map_merge: - get_attr: [ManilaBase, role_data, config_settings] + - get_attr: [ApacheServiceBase, role_data, config_settings] - manila::keystone::authtoken::password: {get_param: ManilaPassword} manila::keystone::authtoken::auth_uri: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } 
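Review bot: `manila_workers_zero` compares `ManilaWorkers`, which the first hunk declares as `type: string`, with the integer `0`. Whether an override of `'0'` satisfies the condition depends on how Heat's `equals` treats a string against a number, which is not visible here. If it never matches, the `if` in the config_settings hunk would pass the zero through to `manila::wsgi::apache::workers`. A comment above the condition such as `# 0 means: leave manila::wsgi::apache::workers unset` would state the intent. The key also has a stray space before the colon; it should read `manila_workers_zero: {equals: [{get_param: ManilaWorkers}, 0]}`.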
@@ -95,8 +121,26 @@ outputs: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, ManilaApiNetwork]} + manila::wsgi::apache::bind_host: + str_replace: + template: + "%{hiera('$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, ManilaApiNetwork]} + manila::wsgi::apache::ssl: {get_param: EnableInternalTLS} + manila::api::service_name: 'httpd' manila::api::enable_proxy_headers_parsing: true manila::api::default_share_type: 'default' + - manila::wsgi::apache::servername: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, ManilaApiNetwork]} + - if: + - manila_workers_zero + - {} + - manila::wsgi::apache::workers: {get_param: ManilaWorkers} service_config_settings: map_merge: - get_attr: [ManilaBase, role_data, service_config_settings] @@ -122,8 +166,12 @@ outputs: config_image: {get_param: DockerManilaConfigImage} kolla_config: /var/lib/kolla/config_files/manila_api.json: - command: /usr/bin/manila-api --config-file /usr/share/manila/manila-dist.conf --config-file /etc/manila/manila.conf + command: /usr/sbin/httpd -DFOREGROUND config_files: + - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d" + dest: "/etc/httpd/conf.d" + merge: false + preserve_properties: true - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true @@ -162,6 +210,9 @@ outputs: image: *manila_api_image net: host restart: always + # NOTE(gouthamr) kolla image changes the user to 'manila', we + # need it to be root to run httpd + user: root volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} 
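Review bot: The new `config_files` entry copies `etc/httpd/conf.d` with `merge: false`, which presumably replaces whatever `conf.d` content the image ships, while the entry after it still copies `src/*` into `/` with `merge: true`, so the same directory is handled twice. A comment would show that the ordering is deliberate, for example `# replace the image's conf.d so only the puppet-generated vhost is loaded`. It is also worth confirming that nothing the TLS-enabled vhost depends on lived in the image's own `conf.d`, since that cannot be checked from this hunk.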
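Review bot: `user: root` makes the whole manila-api container start as root, and the context line `net: host` shows it also shares the host network namespace, so the NOTE should record which user the WSGI processes end up running as, not only that httpd needs root. I would extend it with a line such as `# httpd starts as root; request handling should still run as 'manila' (set in the generated vhost, confirm)`. This patch does not show the generated vhost, so if it sets no user for the WSGI processes, the API code would run with more privilege than it did under the kolla default user.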
@@ -170,8 +221,18 @@ outputs: - /var/lib/config-data/puppet-generated/manila/:/var/lib/kolla/config_files/src:ro - /var/log/containers/manila:/var/log/manila:z - /var/log/containers/httpd/manila-api:/var/log/httpd:z + - if: + - internal_tls_enabled + - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro + - '' + - if: + - internal_tls_enabled + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro + - '' environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] host_prep_tasks: - name: Create persistent directories file: diff --git a/releasenotes/notes/switch-manila-api-to-httpd-support-tls-9b995fe4113b2412.yaml b/releasenotes/notes/switch-manila-api-to-httpd-support-tls-9b995fe4113b2412.yaml new file mode 100644 index 0000000000..94950865e3 --- /dev/null +++ b/releasenotes/notes/switch-manila-api-to-httpd-support-tls-9b995fe4113b2412.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + The Shared File Systems service (manila) API has been switched to running + behind httpd, and it now supports configuring TLS options. +
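Review bot: Both new `if` entries under `volumes` fall back to `''` when `internal_tls_enabled` is false, so the default deployment passes a volume list containing two empty strings. That works only if whatever consumes the list drops empty entries, which is not visible here. A short comment such as `# '' entries are expected to be dropped when TLS is disabled` would remove the doubt, as would building the TLS mounts as a conditional list inside the existing `list_concat`. Keep the `:ro` suffix on the certificate and private-key mounts if this is restructured, so the container cannot modify host key material.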