--- /dev/null
+# == Class: horizon::wsgi::apache
+#
+# Configures Apache WSGI for Horizon.
+#
+# === Parameters
+#
+# [*bind_address*]
+# (optional) Bind address in Apache for Horizon. (Defaults to '0.0.0.0')
+#
+# [*server_aliases*]
+# (optional) List of names which should be defined as ServerAlias directives
+# in vhost.conf.
+# Defaults to ::fqdn.
+#
+# [*listen_ssl*]
+# (optional) Enable SSL support in Apache. (Defaults to false)
+#
+# [*horizon_cert*]
+# (required with listen_ssl) Certificate to use for SSL support.
+#
+# [*horizon_key*]
+# (required with listen_ssl) Private key to use for SSL support.
+#
+# [*horizon_ca*]
+# (required with listen_ssl) CA certificate to use for SSL support.
+#
+# [*wsgi_processes*]
+# (optional) Number of Horizon processes to spawn
+# Defaults to '3'
+#
+# [*wsgi_threads*]
+# (optional) Number of thread to run in a Horizon process
+# Defaults to '10'
+#
+# [*priority*]
+# (optional) The apache vhost priority.
+# Defaults to '15'. To set Horizon as the primary vhost, change to '10'.
+#
+# [*extra_params*]
+# (optional) A hash of extra paramaters for apache::wsgi class.
+# Defaults to {}
+class horizon::wsgi::apache (
+ $bind_address = undef,
+ $fqdn = undef,
+ $servername = $::fqdn,
+ $server_aliases = $::fqdn,
+ $listen_ssl = false,
+ $ssl_redirect = true,
+ $horizon_cert = undef,
+ $horizon_key = undef,
+ $horizon_ca = undef,
+ $wsgi_processes = '3',
+ $wsgi_threads = '10',
+ $priority = '15',
+ $vhost_conf_name = 'horizon_vhost',
+ $vhost_ssl_conf_name = 'horizon_ssl_vhost',
+ $extra_params = {},
+) {
+
+ include ::horizon::params
+ include ::apache
+
+ if $fqdn {
+ warning('Parameter fqdn is deprecated. Please use parameter server_aliases for setting ServerAlias directives in vhost.conf.')
+ $final_server_aliases = $fqdn
+ } else {
+ $final_server_aliases = $server_aliases
+ }
+
+ include ::apache::mod::wsgi
+
+ # We already use apache::vhost to generate our own
+ # configuration file, let's clean the configuration
+ # embedded within the package
+ file { $::horizon::params::httpd_config_file:
+ ensure => present,
+ content => "#
+# This file has been cleaned by Puppet.
+#
+# OpenStack Horizon configuration has been moved to:
+# - ${priority}-${vhost_conf_name}.conf
+# - ${priority}-${vhost_ssl_conf_name}.conf
+#",
+ require => Package[$::horizon::params::package_name]
+ }
+
+
+ if $listen_ssl {
+ include ::apache::mod::ssl
+ $ensure_ssl_vhost = 'present'
+
+ if $horizon_ca == undef {
+ fail('The horizon_ca parameter is required when listen_ssl is true')
+ }
+
+ if $horizon_cert == undef {
+ fail('The horizon_cert parameter is required when listen_ssl is true')
+ }
+
+ if $horizon_key == undef {
+ fail('The horizon_key parameter is required when listen_ssl is true')
+ }
+
+ if $ssl_redirect {
+ $redirect_match = '(.*)'
+ $redirect_url = "https://${servername}"
+ }
+
+ } else {
+ $ensure_ssl_vhost = 'absent'
+ $redirect_match = '^/$'
+ $redirect_url = $::horizon::params::root_url
+ }
+
+ Package['horizon'] -> Package[$::horizon::params::http_service]
+ File[$::horizon::params::config_file] ~> Service[$::horizon::params::http_service]
+
+ $unix_user = $::osfamily ? {
+ 'RedHat' => $::horizon::params::apache_user,
+ default => $::horizon::params::wsgi_user
+ }
+ $unix_group = $::osfamily ? {
+ 'RedHat' => $::horizon::params::apache_group,
+ default => $::horizon::params::wsgi_group,
+ }
+
+ file { $::horizon::params::logdir:
+ ensure => directory,
+ owner => $unix_user,
+ group => $unix_group,
+ before => Service[$::horizon::params::http_service],
+ mode => '0751',
+ require => Package['horizon']
+ }
+
+ file { "${::horizon::params::logdir}/horizon.log":
+ ensure => file,
+ owner => $unix_user,
+ group => $unix_group,
+ before => Service[$::horizon::params::http_service],
+ mode => '0640',
+ require => [ File[$::horizon::params::logdir], Package['horizon'] ],
+ }
+
+ $default_vhost_conf_no_ip = {
+ servername => $servername,
+ serveraliases => os_any2array($final_server_aliases),
+ docroot => '/var/www/',
+ access_log_file => 'horizon_access.log',
+ error_log_file => 'horizon_error.log',
+ priority => $priority,
+ aliases => [
+ { alias => '/static', path => '/usr/share/openstack-dashboard/static' }
+ ],
+ port => 80,
+ ssl_cert => $horizon_cert,
+ ssl_key => $horizon_key,
+ ssl_ca => $horizon_ca,
+ wsgi_script_aliases => hash([$::horizon::params::root_url, $::horizon::params::django_wsgi]),
+ wsgi_daemon_process => $::horizon::params::wsgi_group,
+ wsgi_daemon_process_options => {
+ processes => $wsgi_processes,
+ threads => $wsgi_threads,
+ user => $unix_user,
+ group => $unix_group,
+ },
+ wsgi_import_script => $::horizon::params::django_wsgi,
+ wsgi_process_group => $::horizon::params::wsgi_group,
+ redirectmatch_status => 'permanent',
+ }
+
+ # Only add the 'ip' element to the $default_vhost_conf hash if it was explicitly
+ # specified in the instantiation of the class. This is because ip => undef gets
+ # changed to ip => '' via the Puppet function API when ensure_resource is called.
+ # See https://bugs.launchpad.net/puppet-horizon/+bug/1371345
+ if $bind_address {
+ $default_vhost_conf = merge($default_vhost_conf_no_ip, { ip => $bind_address })
+ } else {
+ $default_vhost_conf = $default_vhost_conf_no_ip
+ }
+
+ ensure_resource('apache::vhost', $vhost_conf_name, merge ($default_vhost_conf, $extra_params, {
+ redirectmatch_regexp => $redirect_match,
+ redirectmatch_dest => $redirect_url,
+ }))
+ ensure_resource('apache::vhost', $vhost_ssl_conf_name, merge ($default_vhost_conf, $extra_params, {
+ access_log_file => 'horizon_ssl_access.log',
+ error_log_file => 'horizon_ssl_error.log',
+ priority => $priority,
+ ssl => true,
+ port => 443,
+ ensure => $ensure_ssl_vhost,
+ wsgi_daemon_process => 'horizon-ssl',
+ wsgi_process_group => 'horizon-ssl',
+ redirectmatch_regexp => '^/$',
+ redirectmatch_dest => $::horizon::params::root_url,
+ }))
+
+}