Run octavia-api under httpd

octavia-api's cli app doesn't behave well with haproxy so let's run it
under apache and save ourselves some grief.

Note: due to the flattening effort and the addition of support for an
alternate container runtime, this is a semantic backport for the
original patch https://review.openstack.org/#/c/636380/.

Depends-On: I00f537ce27b1d4642738f0eb90d7ed1f2c21e729
Change-Id: I7ee040e20f3f93db95b4c965c795a587bc1bf91a
Brent Eagles 2019-02-12 13:02:38 -03:30
parent af755c3e8c
commit d3b70308b9
2 changed files with 37 additions and 58 deletions


@ -109,7 +109,7 @@ outputs:
config_image: {get_param: DockerOctaviaConfigImage}
kolla_config:
/var/lib/kolla/config_files/octavia_api.json:
command: /usr/bin/octavia-api --config-file /usr/share/octavia/octavia-dist.conf --config-file /etc/octavia/octavia.conf --log-file /var/log/octavia/api.log --config-dir /etc/octavia/conf.d/common --config-dir /etc/octavia/conf.d/octavia-api
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
@ -119,13 +119,6 @@ outputs:
- path: /var/log/octavia
owner: octavia:octavia
recurse: true
/var/lib/kolla/config_files/octavia_api_tls_proxy.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
docker_puppet_tasks:
step_5:
config_volume: octavia
@ -177,6 +170,7 @@ outputs:
net: host
privileged: false
restart: always
user: root
healthcheck:
test: /openstack/healthcheck
volumes:
@ -185,29 +179,20 @@ outputs:
-
- /var/lib/kolla/config_files/octavia_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/octavia/:/var/lib/kolla/config_files/src:ro
- /var/log/containers/octavia:/var/log/octavia
- /var/log/containers/httpd/octavia-api:/var/log/httpd
- /var/log/containers/octavia:/var/log/octavia:z
- /var/log/containers/httpd/octavia-api:/var/log/httpd:z
-
if:
- internal_tls_enabled
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- ''
-
if:
- internal_tls_enabled
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- ''
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- if:
- internal_tls_enabled
- octavia_api_tls_proxy:
start_order: 2
image: *octavia_api_image
net: host
user: root
restart: always
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/octavia_api_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/octavia/:/var/lib/kolla/config_files/src:ro
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- {}
host_prep_tasks:
- name: create persistent directories
file:
@ -225,6 +210,14 @@ outputs:
Log files from octavia containers can be found under
/var/log/containers/octavia and /var/log/containers/httpd/octavia-api.
ignore_errors: true
update_tasks:
- name: remove TLS proxy if configured and running
when:
- step|int == 2
- internal_tls_enabled|bool
docker:
name: octavia_api_tls_proxy
state: absent
upgrade_tasks:
- when: step|int == 0
tags: common
@ -272,5 +265,10 @@ outputs:
- octavia_api_httpd_enabled|bool
- httpd_running|bool
service: name=httpd state=stopped
- name: remove TLS proxy if configured and running
when: internal_tls_enabled|bool
docker:
name: octavia_api_tls_proxy
state: absent
metadata_settings:
get_attr: [OctaviaApiPuppetBase, role_data, metadata_settings]
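Review bot: The upgrade-path copy of `remove TLS proxy if configured and running` (the last task in this section) has only `when: internal_tls_enabled|bool`, while the update_tasks copy is also gated on `step|int == 2`, so the upgrade copy is evaluated at every upgrade step. Giving it the same list form, `when:` with `- step|int == 2` and `- internal_tls_enabled|bool` (or whichever step the preceding httpd-stop task uses; that task starts outside the hunk), keeps the two paths consistent. Separately, `internal_tls_enabled` appears elsewhere in this section only as a Heat condition inside `if:` blocks; where an Ansible variable of that name is defined is not visible here, and if none is, the conditional would error out rather than remove the container. A leftover octavia_api_tls_proxy would keep running as root with the httpd private key mounted and would likely hold the listener the new httpd needs, so this cleanup is worth making robust.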


@ -69,17 +69,6 @@ conditions:
resources:
TLSProxyBase:
type: OS::TripleO::Services::TLSProxyBase
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
OctaviaBase:
type: ./octavia-base.yaml
properties:
@ -110,7 +99,6 @@ outputs:
map_merge:
- get_attr: [OctaviaBase, role_data, config_settings]
- get_attr: [OctaviaController, role_data, config_settings]
- get_attr: [TLSProxyBase, role_data, config_settings]
- octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
octavia::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
octavia::policy::policies: {get_param: OctaviaApiPolicies}
@ -118,7 +106,9 @@ outputs:
octavia::keystone::authtoken::project_name: {get_param: OctaviaProjectName}
octavia::keystone::authtoken::password: {get_param: OctaviaPassword}
octavia::api::sync_db: true
tripleo.octavia_api.firewall_rules:
octavia::api::service_name: 'httpd'
octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS}
tripleo::octavia_api::firewall_rules:
'120 octavia api':
dport:
- 9876
@ -128,31 +118,24 @@ outputs:
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
tripleo::profile::base::octavia::api::tls_proxy_bind_ip:
octavia::wsgi::apache::bind_host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
tripleo::profile::base::octavia::api::tls_proxy_fqdn:
octavia::wsgi::apache::server_name:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
tripleo::profile::base::octavia::api::tls_proxy_port:
get_param: [EndpointMap, OctaviaInternal, port]
# Bind to localhost if internal TLS is enabled, since we put a TLS
# proxy in front.
octavia::api::host:
if:
- use_tls_proxy
- '127.0.0.1'
- str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
step_config: |
include tripleo::profile::base::octavia::api
service_config_settings:
@ -176,5 +159,3 @@ outputs:
octavia::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
metadata_settings:
get_attr: [TLSProxyBase, role_data, metadata_settings]
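Review bot: Dropping `metadata_settings` along with the `TLSProxyBase` resource leaves nothing in the visible hunks that requests the httpd certificate, even though `octavia::wsgi::apache::ssl` is now driven by `EnableInternalTLS`. The container definition in the other file section still mounts /etc/pki/tls/certs/httpd and /etc/pki/tls/private/httpd and still reads `metadata_settings` from this template's role_data, so with internal TLS on, httpd presumably depends on a certificate that some other service on the role provisions. If that is intended, a comment above `octavia::wsgi::apache::ssl` saying so would help, e.g. `# certificate for OctaviaApiNetwork is provisioned by <service that owns the httpd certs>`; otherwise keep a `metadata_settings` output sourced from whichever resource now supplies the Apache certificate specs. The outputs block continues outside these hunks, so such a resource may exist but is not shown.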