Run octavia-api under httpd
octavia-api's cli app doesn't behave well with haproxy so let's run under apache and save ourselves some grief. Note: due to the flattening effort and the addition of support for an alternate container runtime, this is a semantic backport for the original patch https://review.openstack.org/#/c/636380/. Depends-On: I00f537ce27b1d4642738f0eb90d7ed1f2c21e729 Change-Id: I7ee040e20f3f93db95b4c965c795a587bc1bf91a
parent
af755c3e8c
commit
d3b70308b9
|
@ -109,7 +109,7 @@ outputs:
|
|||
config_image: {get_param: DockerOctaviaConfigImage}
|
||||
kolla_config:
|
||||
/var/lib/kolla/config_files/octavia_api.json:
|
||||
command: /usr/bin/octavia-api --config-file /usr/share/octavia/octavia-dist.conf --config-file /etc/octavia/octavia.conf --log-file /var/log/octavia/api.log --config-dir /etc/octavia/conf.d/common --config-dir /etc/octavia/conf.d/octavia-api
|
||||
command: /usr/sbin/httpd -DFOREGROUND
|
||||
config_files:
|
||||
- source: "/var/lib/kolla/config_files/src/*"
|
||||
dest: "/"
|
||||
|
@ -119,13 +119,6 @@ outputs:
|
|||
- path: /var/log/octavia
|
||||
owner: octavia:octavia
|
||||
recurse: true
|
||||
/var/lib/kolla/config_files/octavia_api_tls_proxy.json:
|
||||
command: /usr/sbin/httpd -DFOREGROUND
|
||||
config_files:
|
||||
- source: "/var/lib/kolla/config_files/src/*"
|
||||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
docker_puppet_tasks:
|
||||
step_5:
|
||||
config_volume: octavia
|
||||
|
@ -177,6 +170,7 @@ outputs:
|
|||
net: host
|
||||
privileged: false
|
||||
restart: always
|
||||
user: root
|
||||
healthcheck:
|
||||
test: /openstack/healthcheck
|
||||
volumes:
|
||||
|
@ -185,29 +179,20 @@ outputs:
|
|||
-
|
||||
- /var/lib/kolla/config_files/octavia_api.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/octavia/:/var/lib/kolla/config_files/src:ro
|
||||
- /var/log/containers/octavia:/var/log/octavia
|
||||
- /var/log/containers/httpd/octavia-api:/var/log/httpd
|
||||
- /var/log/containers/octavia:/var/log/octavia:z
|
||||
- /var/log/containers/httpd/octavia-api:/var/log/httpd:z
|
||||
-
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
||||
- ''
|
||||
-
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
||||
- ''
|
||||
environment:
|
||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- octavia_api_tls_proxy:
|
||||
start_order: 2
|
||||
image: *octavia_api_image
|
||||
net: host
|
||||
user: root
|
||||
restart: always
|
||||
volumes:
|
||||
list_concat:
|
||||
- {get_attr: [ContainersCommon, volumes]}
|
||||
-
|
||||
- /var/lib/kolla/config_files/octavia_api_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/octavia/:/var/lib/kolla/config_files/src:ro
|
||||
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
||||
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
||||
environment:
|
||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||
- {}
|
||||
host_prep_tasks:
|
||||
- name: create persistent directories
|
||||
file:
|
||||
|
@ -225,6 +210,14 @@ outputs:
|
|||
Log files from octavia containers can be found under
|
||||
/var/log/containers/octavia and /var/log/containers/httpd/octavia-api.
|
||||
ignore_errors: true
|
||||
update_tasks:
|
||||
- name: remove TLS proxy if configured and running
|
||||
when:
|
||||
- step|int == 2
|
||||
- internal_tls_enabled|bool
|
||||
docker:
|
||||
name: octavia_api_tls_proxy
|
||||
state: absent
|
||||
upgrade_tasks:
|
||||
- when: step|int == 0
|
||||
tags: common
|
||||
|
@ -272,5 +265,10 @@ outputs:
|
|||
- octavia_api_httpd_enabled|bool
|
||||
- httpd_running|bool
|
||||
service: name=httpd state=stopped
|
||||
- name: remove TLS proxy if configured and running
|
||||
when: internal_tls_enabled|bool
|
||||
docker:
|
||||
name: octavia_api_tls_proxy
|
||||
state: absent
|
||||
metadata_settings:
|
||||
get_attr: [OctaviaApiPuppetBase, role_data, metadata_settings]
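Review bot: The upgrade task `remove TLS proxy if configured and running` is gated only by `when: internal_tls_enabled|bool`, while the same task under `update_tasks` also requires `step|int == 2`. The other upgrade tasks visible here are step-gated, so this one would presumably be attempted at every upgrade step. I would give it the same list form as the update task: `when:` followed by `- step|int == 2` and `- internal_tls_enabled|bool`. Both tasks also depend on the `docker` module and on an Ansible variable named `internal_tls_enabled`, and these hunks show neither where that variable is defined nor which container runtime created the proxy. Please confirm the old `octavia_api_tls_proxy` container, which mounted `/etc/pki/tls/private/httpd`, is really removed on hosts that ran it.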
|
||||
|
|
|
@ -69,17 +69,6 @@ conditions:
|
|||
|
||||
resources:
|
||||
|
||||
TLSProxyBase:
|
||||
type: OS::TripleO::Services::TLSProxyBase
|
||||
properties:
|
||||
ServiceData: {get_param: ServiceData}
|
||||
ServiceNetMap: {get_param: ServiceNetMap}
|
||||
DefaultPasswords: {get_param: DefaultPasswords}
|
||||
EndpointMap: {get_param: EndpointMap}
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
EnableInternalTLS: {get_param: EnableInternalTLS}
|
||||
|
||||
OctaviaBase:
|
||||
type: ./octavia-base.yaml
|
||||
properties:
|
||||
|
@ -110,7 +99,6 @@ outputs:
|
|||
map_merge:
|
||||
- get_attr: [OctaviaBase, role_data, config_settings]
|
||||
- get_attr: [OctaviaController, role_data, config_settings]
|
||||
- get_attr: [TLSProxyBase, role_data, config_settings]
|
||||
- octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
|
||||
octavia::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
|
||||
octavia::policy::policies: {get_param: OctaviaApiPolicies}
|
||||
|
@ -118,7 +106,9 @@ outputs:
|
|||
octavia::keystone::authtoken::project_name: {get_param: OctaviaProjectName}
|
||||
octavia::keystone::authtoken::password: {get_param: OctaviaPassword}
|
||||
octavia::api::sync_db: true
|
||||
tripleo.octavia_api.firewall_rules:
|
||||
octavia::api::service_name: 'httpd'
|
||||
octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
||||
tripleo::octavia_api::firewall_rules:
|
||||
'120 octavia api':
|
||||
dport:
|
||||
- 9876
|
||||
|
@ -128,31 +118,24 @@ outputs:
|
|||
# internal_api -> IP
|
||||
# internal_api_uri -> [IP]
|
||||
# internal_api_subnet - > IP/CIDR
|
||||
tripleo::profile::base::octavia::api::tls_proxy_bind_ip:
|
||||
octavia::wsgi::apache::bind_host:
|
||||
str_replace:
|
||||
template:
|
||||
"%{hiera('$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
|
||||
tripleo::profile::base::octavia::api::tls_proxy_fqdn:
|
||||
octavia::wsgi::apache::server_name:
|
||||
str_replace:
|
||||
template:
|
||||
"%{hiera('fqdn_$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
|
||||
tripleo::profile::base::octavia::api::tls_proxy_port:
|
||||
get_param: [EndpointMap, OctaviaInternal, port]
|
||||
# Bind to localhost if internal TLS is enabled, since we put a TLS
|
||||
# proxy in front.
|
||||
octavia::api::host:
|
||||
if:
|
||||
- use_tls_proxy
|
||||
- '127.0.0.1'
|
||||
- str_replace:
|
||||
template:
|
||||
"%{hiera('$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
|
||||
str_replace:
|
||||
template:
|
||||
"%{hiera('$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
|
||||
step_config: |
|
||||
include tripleo::profile::base::octavia::api
|
||||
service_config_settings:
|
||||
|
@ -176,5 +159,3 @@ outputs:
|
|||
octavia::db::mysql::allowed_hosts:
|
||||
- '%'
|
||||
- "%{hiera('mysql_bind_host')}"
|
||||
metadata_settings:
|
||||
get_attr: [TLSProxyBase, role_data, metadata_settings]
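Review bot: Removing `TLSProxyBase` takes away the only source visible in these hunks for this service's `metadata_settings` and TLS-related `config_settings`, yet the new `octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS}` turns TLS on inside httpd. The container template also still reads `get_attr: [OctaviaApiPuppetBase, role_data, metadata_settings]`, which appears to resolve against the output dropped in the last hunk. Unless a part of the file outside these hunks supplies them, the httpd certificate and key may no longer be requested when internal TLS is enabled. I would keep a `metadata_settings:` output here, sourced from whichever resource now provides the httpd certificate specs. A short comment next to `octavia::wsgi::apache::ssl` should say where the certificate comes from, since the removed `# Bind to localhost if internal TLS is enabled` comment was the only note on the TLS layout.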
|
||||
|
|