+++ /dev/null
-#
-# Class to serve keystone with apache mod_wsgi in place of keystone service
-#
-# Serving keystone from apache is the recommended way to go for production
-# systems as the current keystone implementation is not multi-processor aware,
-# thus limiting the performance for concurrent accesses.
-#
-# See the following URIs for reference:
-# https://etherpad.openstack.org/havana-keystone-performance
-# http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/
-#
-# When using this class you should disable your keystone service.
-#
-# == Parameters
-#
-# [*servername*]
-# The servername for the virtualhost.
-# Optional. Defaults to $::fqdn
-#
-# [*public_port*]
-# The public port.
-# Optional. Defaults to 5000
-#
-# [*admin_port*]
-# The admin port.
-# Optional. Defaults to 35357
-#
-# [*bind_host*]
-# The host/ip address Apache will listen on.
-# Optional. Defaults to undef (listen on all ip addresses).
-#
-# [*public_path*]
-# The prefix for the public endpoint.
-# Optional. Defaults to '/'
-#
-# [*admin_path*]
-# The prefix for the admin endpoint.
-# Optional. Defaults to '/'
-#
-# [*ssl*]
-# Use ssl ? (boolean)
-# Optional. Defaults to true
-#
-# [*workers*]
-# Number of WSGI workers to spawn.
-# Optional. Defaults to 1
-#
-# [*ssl_cert*]
-# [*ssl_key*]
-# [*ssl_chain*]
-# [*ssl_ca*]
-# [*ssl_crl_path*]
-# [*ssl_crl*]
-# [*ssl_certs_dir*]
-# apache::vhost ssl parameters.
-# Optional. Default to apache::vhost 'ssl_*' defaults.
-#
-# == Dependencies
-#
-# requires Class['apache'] & Class['keystone']
-#
-# == Examples
-#
-# include apache
-#
-# class { 'keystone::wsgi::apache': }
-#
-# == Note about ports & paths
-#
-# When using same port for both endpoints (443 anyone ?), you *MUST* use two
-# different public_path & admin_path !
-#
-# == Authors
-#
-# François Charlier <francois.charlier@enovance.com>
-#
-# == Copyright
-#
-# Copyright 2013 eNovance <licensing@enovance.com>
-#
-class keystone::wsgi::apache (
- $servername = $::fqdn,
- $public_port = 5000,
- $admin_port = 35357,
- $bind_host = undef,
- $public_path = '/',
- $admin_path = '/',
- $ssl = true,
- $workers = 1,
- $ssl_cert = undef,
- $ssl_key = undef,
- $ssl_chain = undef,
- $ssl_ca = undef,
- $ssl_crl_path = undef,
- $ssl_crl = undef,
- $ssl_certs_dir = undef,
- $threads = $::processorcount,
- $priority = '10',
-) {
-
- include ::keystone::params
- include ::apache
- include ::apache::mod::wsgi
- if $ssl {
- include ::apache::mod::ssl
- }
-
- Package['keystone'] -> Package['httpd']
- Package['keystone'] ~> Service['httpd']
- Keystone_config <| |> ~> Service['httpd']
- Service['httpd'] -> Keystone_endpoint <| |>
- Service['httpd'] -> Keystone_role <| |>
- Service['httpd'] -> Keystone_service <| |>
- Service['httpd'] -> Keystone_tenant <| |>
- Service['httpd'] -> Keystone_user <| |>
- Service['httpd'] -> Keystone_user_role <| |>
-
- ## Sanitize parameters
-
- # Ensure there's no trailing '/' except if this is also the only character
- $public_path_real = regsubst($public_path, '(^/.*)/$', '\1')
- # Ensure there's no trailing '/' except if this is also the only character
- $admin_path_real = regsubst($admin_path, '(^/.*)/$', '\1')
-
- if $public_port == $admin_port and $public_path_real == $admin_path_real {
- fail('When using the same port for public & private endpoints, public_path and admin_path should be different.')
- }
-
- file { $::keystone::params::keystone_wsgi_script_path:
- ensure => directory,
- owner => 'keystone',
- group => 'keystone',
- require => Package['httpd'],
- }
-
- file { 'keystone_wsgi_admin':
- ensure => file,
- path => "${::keystone::params::keystone_wsgi_script_path}/admin",
- source => $::keystone::params::keystone_wsgi_script_source,
- owner => 'keystone',
- group => 'keystone',
- mode => '0644',
- # source file provided by keystone package
- require => [File[$::keystone::params::keystone_wsgi_script_path], Package['keystone']],
- }
-
- file { 'keystone_wsgi_main':
- ensure => file,
- path => "${::keystone::params::keystone_wsgi_script_path}/main",
- source => $::keystone::params::keystone_wsgi_script_source,
- owner => 'keystone',
- group => 'keystone',
- mode => '0644',
- # source file provided by keystone package
- require => [File[$::keystone::params::keystone_wsgi_script_path], Package['keystone']],
- }
-
- $wsgi_daemon_process_options_main = {
- user => 'keystone',
- group => 'keystone',
- processes => $workers,
- threads => $threads,
- display-name => 'keystone-main',
- }
-
- $wsgi_daemon_process_options_admin = {
- user => 'keystone',
- group => 'keystone',
- processes => $workers,
- threads => $threads,
- display-name => 'keystone-admin',
- }
-
- $wsgi_script_aliases_main = hash([$public_path_real,"${::keystone::params::keystone_wsgi_script_path}/main"])
- $wsgi_script_aliases_admin = hash([$admin_path_real, "${::keystone::params::keystone_wsgi_script_path}/admin"])
-
- if $public_port == $admin_port {
- $wsgi_script_aliases_main_real = merge($wsgi_script_aliases_main, $wsgi_script_aliases_admin)
- } else {
- $wsgi_script_aliases_main_real = $wsgi_script_aliases_main
- }
-
- ::apache::vhost { 'keystone_wsgi_main':
- ensure => 'present',
- servername => $servername,
- ip => $bind_host,
- port => $public_port,
- docroot => $::keystone::params::keystone_wsgi_script_path,
- docroot_owner => 'keystone',
- docroot_group => 'keystone',
- priority => $priority,
- ssl => $ssl,
- ssl_cert => $ssl_cert,
- ssl_key => $ssl_key,
- ssl_chain => $ssl_chain,
- ssl_ca => $ssl_ca,
- ssl_crl_path => $ssl_crl_path,
- ssl_crl => $ssl_crl,
- ssl_certs_dir => $ssl_certs_dir,
- wsgi_daemon_process => 'keystone_main',
- wsgi_daemon_process_options => $wsgi_daemon_process_options_main,
- wsgi_process_group => 'keystone_main',
- wsgi_script_aliases => $wsgi_script_aliases_main_real,
- require => File['keystone_wsgi_main'],
- }
-
- if $public_port != $admin_port {
- ::apache::vhost { 'keystone_wsgi_admin':
- ensure => 'present',
- servername => $servername,
- ip => $bind_host,
- port => $admin_port,
- docroot => $::keystone::params::keystone_wsgi_script_path,
- docroot_owner => 'keystone',
- docroot_group => 'keystone',
- priority => $priority,
- ssl => $ssl,
- ssl_cert => $ssl_cert,
- ssl_key => $ssl_key,
- ssl_chain => $ssl_chain,
- ssl_ca => $ssl_ca,
- ssl_crl_path => $ssl_crl_path,
- ssl_crl => $ssl_crl,
- ssl_certs_dir => $ssl_certs_dir,
- wsgi_daemon_process => 'keystone_admin',
- wsgi_daemon_process_options => $wsgi_daemon_process_options_admin,
- wsgi_process_group => 'keystone_admin',
- wsgi_script_aliases => $wsgi_script_aliases_admin,
- require => File['keystone_wsgi_admin'],
- }
- }
-}