2 # Class to serve keystone with apache mod_wsgi in place of keystone service
4 # Serving keystone from apache is the recommended way to go for production
5 # systems as the current keystone implementation is not multi-processor aware,
6 # thus limiting the performance for concurrent accesses.
8 # See the following URIs for reference:
9 # https://etherpad.openstack.org/havana-keystone-performance
10 # http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/
12 # When using this class you should disable your keystone service.
17 # The servername for the virtualhost.
18 # Optional. Defaults to $::fqdn
22 # Optional. Defaults to 5000
26 # Optional. Defaults to 35357
29 # The host/ip address Apache will listen on.
30 # Optional. Defaults to undef (listen on all ip addresses).
33 # The prefix for the public endpoint.
34 # Optional. Defaults to '/'
37 # The prefix for the admin endpoint.
38 # Optional. Defaults to '/'
42 # Optional. Defaults to true
45 # Number of WSGI workers to spawn.
46 # Optional. Defaults to 1
55 # apache::vhost ssl parameters.
56 # Optional. Defaults to apache::vhost 'ssl_*' defaults.
60 # requires Class['apache'] & Class['keystone']
66 # class { 'keystone::wsgi::apache': }
68 # == Note about ports & paths
70 # When using the same port for both endpoints (443, anyone?), you *MUST* use two
71 # different values for public_path and admin_path!
75 # Francois Charlier <francois.charlier@enovance.com>
79 # Copyright 2013 eNovance <licensing@enovance.com>
# Class parameters (only part of the parameter list is visible in this excerpt).
81 class keystone::wsgi::apache (
82 $servername = $::fqdn,
# No CRL path or CA certificate directory is configured unless the caller
# supplies one; the undef values are handed to apache::vhost unchanged.
94 $ssl_crl_path = undef,
96 $ssl_certs_dir = undef,
# Defaults to the node's processor count fact. Presumably the per-daemon WSGI
# thread count; its use is not visible in this excerpt - TODO confirm.
97 $threads = $::processorcount,
# keystone::params supplies the WSGI script path and script source used below.
101 include ::keystone::params
# Apache modules the vhosts rely on. NOTE(review): any condition guarding the
# mod_ssl include (e.g. on the ssl parameter) is not visible in this excerpt.
103 include ::apache::mod::wsgi
105 include ::apache::mod::ssl
# Ordering and refresh relationships between keystone and Apache.
# The keystone package is managed before httpd, and a change to it refreshes
# the httpd service.
108 Package['keystone'] -> Package['httpd']
109 Package['keystone'] ~> Service['httpd']
# Any keystone_config change refreshes httpd, so new settings (including
# security-relevant ones) take effect in the WSGI processes.
110 Keystone_config <| |> ~> Service['httpd']
# All collected Keystone_* resources are applied only after Service['httpd'];
# presumably because they talk to the API that Apache now serves - TODO confirm.
111 Service['httpd'] -> Keystone_endpoint <| |>
112 Service['httpd'] -> Keystone_role <| |>
113 Service['httpd'] -> Keystone_service <| |>
114 Service['httpd'] -> Keystone_tenant <| |>
115 Service['httpd'] -> Keystone_user <| |>
116 Service['httpd'] -> Keystone_user_role <| |>
118 ## Sanitize parameters
# NOTE(review): the substitution only matches values that begin with '/'.
# Any other value passes through unchanged, and only a single trailing '/'
# is removed (e.g. a value ending in '//' keeps one slash). No further
# validation of the path parameters is visible in this excerpt.
120 # Ensure there's no trailing '/' except if this is also the only character
121 $public_path_real = regsubst($public_path, '(^/.*)/$', '\1')
122 # Ensure there's no trailing '/' except if this is also the only character
123 $admin_path_real = regsubst($admin_path, '(^/.*)/$', '\1')
# Abort the catalog when both endpoints would share the same port and path;
# with a shared port the two script aliases are merged into one hash further
# down, so identical paths would leave only one of the two aliases.
# NOTE(review): Puppet's == compares strings case-insensitively, so paths that
# differ only in case are rejected too. The message says "private" where the
# parameters call this endpoint "admin".
125 if $public_port == $admin_port and $public_path_real == $admin_path_real {
126 fail('When using the same port for public & private endpoints, public_path and admin_path should be different.')
# Directory holding the WSGI entry scripts; the vhosts below also use it as
# their docroot. Attributes other than 'require' are not visible in this
# excerpt.
129 file { $::keystone::params::keystone_wsgi_script_path:
133 require => Package['httpd'],
# Admin entry script, installed as <script path>/admin from the script source
# named in keystone::params.
# NOTE(review): owner and mode are not visible here - confirm the script is
# not writable by the account the WSGI daemon processes run as.
136 file { 'keystone_wsgi_admin':
138 path => "${::keystone::params::keystone_wsgi_script_path}/admin",
139 source => $::keystone::params::keystone_wsgi_script_source,
143 # source file provided by keystone package
144 require => [File[$::keystone::params::keystone_wsgi_script_path], Package['keystone']],
# Public entry script: the same source file, installed as <script path>/main.
# The same ownership/mode caveat applies.
147 file { 'keystone_wsgi_main':
149 path => "${::keystone::params::keystone_wsgi_script_path}/main",
150 source => $::keystone::params::keystone_wsgi_script_source,
154 # source file provided by keystone package
155 require => [File[$::keystone::params::keystone_wsgi_script_path], Package['keystone']],
# Options for the two mod_wsgi daemon process groups. Both take their process
# count from $workers and differ in display name; other keys are not visible
# in this excerpt.
158 $wsgi_daemon_process_options_main = {
161 processes => $workers,
163 display-name => 'keystone-main',
166 $wsgi_daemon_process_options_admin = {
169 processes => $workers,
171 display-name => 'keystone-admin',
# Single-entry hashes mapping each sanitized URL prefix to its entry script.
174 $wsgi_script_aliases_main = hash([$public_path_real,"${::keystone::params::keystone_wsgi_script_path}/main"])
175 $wsgi_script_aliases_admin = hash([$admin_path_real, "${::keystone::params::keystone_wsgi_script_path}/admin"])
# Shared port: the main vhost carries both aliases. The admin API is then
# reachable on the same listener as the public API, so it cannot be isolated
# by port-based filtering; restricting access has to happen by path or in
# keystone's own authorization.
177 if $public_port == $admin_port {
178 $wsgi_script_aliases_main_real = merge($wsgi_script_aliases_main, $wsgi_script_aliases_admin)
# Separate ports: the main vhost only carries the public alias.
180 $wsgi_script_aliases_main_real = $wsgi_script_aliases_main
# Virtual host for the public endpoint (and for the admin endpoint as well
# when both share one port, via the merged script aliases).
183 ::apache::vhost { 'keystone_wsgi_main':
185 servername => $servername,
187 port => $public_port,
# The docroot is the WSGI script directory itself, owned by 'keystone'.
# NOTE(review): request paths not covered by a script alias would presumably
# be resolved against this docroot, i.e. the script files - confirm this is
# acceptable when public_path is not '/'.
188 docroot => $::keystone::params::keystone_wsgi_script_path,
189 docroot_owner => 'keystone',
190 docroot_group => 'keystone',
191 priority => $priority,
# ssl_* values are passed straight through from the class parameters; when
# left undef the apache::vhost defaults apply, as the class header states.
193 ssl_cert => $ssl_cert,
195 ssl_chain => $ssl_chain,
197 ssl_crl_path => $ssl_crl_path,
199 ssl_certs_dir => $ssl_certs_dir,
# Dedicated mod_wsgi daemon process group for this vhost.
200 wsgi_daemon_process => 'keystone_main',
201 wsgi_daemon_process_options => $wsgi_daemon_process_options_main,
202 wsgi_process_group => 'keystone_main',
203 wsgi_script_aliases => $wsgi_script_aliases_main_real,
# The entry script must exist before the vhost is configured.
204 require => File['keystone_wsgi_main'],
# Separate virtual host for the admin endpoint, declared only when it has its
# own port. It reuses the servername, docroot, priority and ssl_* values of
# the main vhost but runs in its own daemon process group.
# NOTE(review): the port and listen-address attributes of this vhost are not
# visible in this excerpt - confirm the admin listener is bound and filtered
# as intended, since it shares the servername and certificate settings with
# the public vhost.
207 if $public_port != $admin_port {
208 ::apache::vhost { 'keystone_wsgi_admin':
210 servername => $servername,
213 docroot => $::keystone::params::keystone_wsgi_script_path,
214 docroot_owner => 'keystone',
215 docroot_group => 'keystone',
216 priority => $priority,
218 ssl_cert => $ssl_cert,
220 ssl_chain => $ssl_chain,
222 ssl_crl_path => $ssl_crl_path,
224 ssl_certs_dir => $ssl_certs_dir,
225 wsgi_daemon_process => 'keystone_admin',
226 wsgi_daemon_process_options => $wsgi_daemon_process_options_admin,
227 wsgi_process_group => 'keystone_admin',
# Only the admin alias is exposed on this vhost.
228 wsgi_script_aliases => $wsgi_script_aliases_admin,
229 require => File['keystone_wsgi_admin'],