2 # Class to serve keystone with apache mod_wsgi in place of keystone service
5 # Serving keystone from apache is the recommended way to go for production
6 # systems as the current keystone implementation is not multi-processor aware,
7 # thus limiting the performance for concurrent accesses.
9 # See the following URIs for reference:
10 # https://etherpad.openstack.org/havana-keystone-performance
11 # http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/
13 # When using this class you should disable your keystone service.
18 # The servername for the virtualhost.
19 # Optional. Defaults to $::fqdn
23 # Optional. Defaults to 5000
27 # Optional. Defaults to 35357
30 # The host/ip address Apache will listen on.
31 # Optional. Defaults to undef (listen on all ip addresses).
34 # The prefix for the public endpoint.
35 # Optional. Defaults to '/'
38 # The prefix for the admin endpoint.
39 # Optional. Defaults to '/'
43 # Optional. Defaults to true
46 # Number of WSGI workers to spawn.
47 # Optional. Defaults to 1
56 # apache::vhost ssl parameters.
57 # Optional. Defaults to the apache::vhost 'ssl_*' defaults.
61 # requires Class['apache'] & Class['keystone']
67 # class { 'keystone::wsgi::apache': }
69 # == Note about ports & paths
71 # When using the same port for both endpoints (443, for example), you *MUST*
72 # use different values for public_path and admin_path!
76 # Francois Charlier <francois.charlier@enovance.com>
80 # Copyright 2013 eNovance <licensing@enovance.com>
# Puppet class that fronts keystone with Apache mod_wsgi. The listing's own
# line numbers skip ahead in places, so only part of the parameter list and
# body is visible here.
82 class keystone::wsgi::apache (
83 $servername = $::fqdn,
# Both default to undef and are passed unchanged to the apache::vhost
# declarations further down.
95 $ssl_crl_path = undef,
97 $ssl_certs_dir = undef,
# Defaults to the processorcount fact; the place where $threads is consumed is
# not visible in this listing.
98 $threads = $::processorcount,
# keystone::params supplies the keystone_wsgi_script_path and
# keystone_wsgi_script_source values referenced below.
102 include ::keystone::params
104 include ::apache::mod::wsgi
# NOTE(review): the line just before this include is not shown; confirm whether
# mod_ssl is pulled in unconditionally or only when SSL is requested.
106 include ::apache::mod::ssl
# Ordering: the keystone package is handled before the httpd package, and a
# change to the keystone package or to any keystone_config resource refreshes
# the httpd service (~> is ordering plus notification).
109 Package['keystone'] -> Package['httpd']
110 Package['keystone'] ~> Service['httpd']
111 Keystone_config <| |> ~> Service['httpd']
# The httpd service is applied before every collected keystone_* resource
# below, presumably because those resources talk to the running API -- confirm.
112 Service['httpd'] -> Keystone_endpoint <| |>
113 Service['httpd'] -> Keystone_role <| |>
114 Service['httpd'] -> Keystone_service <| |>
115 Service['httpd'] -> Keystone_tenant <| |>
116 Service['httpd'] -> Keystone_user <| |>
117 Service['httpd'] -> Keystone_user_role <| |>
119 ## Sanitize parameters
# The pattern only matches values that begin with '/', and it removes a single
# trailing '/'. A value without a leading '/' is left exactly as given, so two
# prefixes that differ only by a trailing slash are still treated as different
# in that case.
121 # Ensure there's no trailing '/' except if this is also the only character
122 $public_path_real = regsubst($public_path, '(^/.*)/$', '\1')
123 # Ensure there's no trailing '/' except if this is also the only character
124 $admin_path_real = regsubst($admin_path, '(^/.*)/$', '\1')
# Abort catalog compilation when both endpoints resolve to the same port and
# the same normalised path. This is the only guard against the public and
# admin WSGI aliases colliding on one virtual host.
# NOTE(review): whether a port given as a string equals the same port given as
# an integer under == depends on the Puppet version -- confirm both parameters
# arrive with the same type.
126 if $public_port == $admin_port and $public_path_real == $admin_path_real {
127 fail('When using the same port for public & private endpoints, public_path and admin_path should be different.')
# Directory that holds the WSGI entry scripts; it is managed only after the
# httpd package. Its ensure/owner/group/mode attributes are not visible in this
# listing.
130 file { $::keystone::params::keystone_wsgi_script_path:
134 require => Package['httpd'],
# Admin entry script: a copy of keystone_wsgi_script_source placed at
# <script_path>/admin.
# NOTE(review): owner and mode are not shown here. This file is the target of
# a WSGI script alias, so confirm it is not writable by the account the WSGI
# daemon runs as.
137 file { 'keystone_wsgi_admin':
139 path => "${::keystone::params::keystone_wsgi_script_path}/admin",
140 source => $::keystone::params::keystone_wsgi_script_source,
144 # source file provided by keystone package
145 require => [File[$::keystone::params::keystone_wsgi_script_path], Package['keystone']],
# Public entry script: the same source file, placed at <script_path>/main. The
# same ownership and mode check applies.
148 file { 'keystone_wsgi_main':
150 path => "${::keystone::params::keystone_wsgi_script_path}/main",
151 source => $::keystone::params::keystone_wsgi_script_source,
155 # source file provided by keystone package
156 require => [File[$::keystone::params::keystone_wsgi_script_path], Package['keystone']],
# Options for the WSGI daemon process that serves the public ("main") API. Only
# the worker count and the process display name are visible in this listing.
159 $wsgi_daemon_process_options_main = {
162 processes => $workers,
164 display-name => 'keystone-main',
# The same options for the admin daemon process, under its own display name.
167 $wsgi_daemon_process_options_admin = {
170 processes => $workers,
172 display-name => 'keystone-admin',
# One-entry hashes that map each URL prefix to its WSGI script.
175 $wsgi_script_aliases_main = hash([$public_path_real,"${::keystone::params::keystone_wsgi_script_path}/main"])
176 $wsgi_script_aliases_admin = hash([$admin_path_real, "${::keystone::params::keystone_wsgi_script_path}/admin"])
# With a shared port the admin alias is folded into the main virtual host, so
# both APIs answer on one listener and are told apart only by path. merge()
# lets the right-hand hash win on a duplicate key, which is why an identical
# port-and-path pair is rejected earlier in the class.
# NOTE(review): in this mode a port-based filter cannot separate the admin API
# from the public one, and the admin script runs under the main vhost's
# 'keystone_main' process group; any restriction on admin access has to be
# expressed per path.
178 if $public_port == $admin_port {
179 $wsgi_script_aliases_main_real = merge($wsgi_script_aliases_main, $wsgi_script_aliases_admin)
181 $wsgi_script_aliases_main_real = $wsgi_script_aliases_main
# Virtual host for the public API. When the public and admin ports are equal it
# also carries the admin alias, through $wsgi_script_aliases_main_real.
184 ::apache::vhost { 'keystone_wsgi_main':
186 servername => $servername,
188 port => $public_port,
# The docroot is the directory that contains the WSGI scripts themselves.
# NOTE(review): when public_path is not '/', confirm that a request outside the
# alias cannot fetch the script files straight from the docroot.
189 docroot => $::keystone::params::keystone_wsgi_script_path,
190 docroot_owner => 'keystone',
191 docroot_group => 'keystone',
192 priority => $priority,
# Certificate settings are passed straight through to apache::vhost.
# NOTE(review): the attribute that switches TLS on is not visible in this
# listing; confirm the listener is TLS-enabled, since credentials and tokens
# cross it.
194 ssl_cert => $ssl_cert,
196 ssl_chain => $ssl_chain,
198 ssl_crl_path => $ssl_crl_path,
200 ssl_certs_dir => $ssl_certs_dir,
# Requests are run in the 'keystone_main' daemon process group.
201 wsgi_daemon_process => 'keystone_main',
202 wsgi_daemon_process_options => $wsgi_daemon_process_options_main,
203 wsgi_process_group => 'keystone_main',
204 wsgi_script_aliases => $wsgi_script_aliases_main_real,
# The vhost is declared only after the main WSGI script file is in place.
205 require => File['keystone_wsgi_main'],
# A dedicated admin virtual host is declared only when the admin port differs
# from the public port; with equal ports the main vhost serves both aliases.
208 if $public_port != $admin_port {
209 ::apache::vhost { 'keystone_wsgi_admin':
211 servername => $servername,
# The port attribute of this vhost is not visible in this listing.
# The docroot is the same script directory that the main vhost uses.
214 docroot => $::keystone::params::keystone_wsgi_script_path,
215 docroot_owner => 'keystone',
216 docroot_group => 'keystone',
217 priority => $priority,
# The same certificate settings as the main vhost, passed through unchanged.
# NOTE(review): the attribute that switches TLS on is not visible here either;
# confirm the admin listener is TLS-enabled and reachable only from the
# management network.
219 ssl_cert => $ssl_cert,
221 ssl_chain => $ssl_chain,
223 ssl_crl_path => $ssl_crl_path,
225 ssl_certs_dir => $ssl_certs_dir,
# Admin requests get their own daemon process group, separate from the public
# API's 'keystone_main' group.
226 wsgi_daemon_process => 'keystone_admin',
227 wsgi_daemon_process_options => $wsgi_daemon_process_options_admin,
228 wsgi_process_group => 'keystone_admin',
229 wsgi_script_aliases => $wsgi_script_aliases_admin,
# The vhost is declared only after the admin WSGI script file is in place.
230 require => File['keystone_wsgi_admin'],