X-Git-Url: https://git.donarmstrong.com/?p=dsa-puppet.git;a=blobdiff_plain;f=3rdparty%2Fmodules%2Fkeystone%2Fmanifests%2Fwsgi%2Fapache.pp;fp=3rdparty%2Fmodules%2Fkeystone%2Fmanifests%2Fwsgi%2Fapache.pp;h=42dec06227b948fc1451c4adbdbfb14accc08a38;hp=0000000000000000000000000000000000000000;hb=b8fa2c1a5ec9dbcd1d2f9e9b41afdde4c603aa35;hpb=b7626cbcbb2fb8e7ce3dc5ac60e80a981175f9d3
diff --git a/3rdparty/modules/keystone/manifests/wsgi/apache.pp b/3rdparty/modules/keystone/manifests/wsgi/apache.pp
new file mode 100644
index 00000000..42dec062
--- /dev/null
+++ b/3rdparty/modules/keystone/manifests/wsgi/apache.pp
@@ -0,0 +1,232 @@
+#
+# Class to serve keystone with apache mod_wsgi in place of keystone service
+#
+# Serving keystone from apache is the recommended way to go for production
+# systems as the current keystone implementation is not multi-processor aware,
+# thus limiting the performance for concurrent accesses.
+#
+# See the following URIs for reference:
+# https://etherpad.openstack.org/havana-keystone-performance
+# http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/
+#
+# When using this class you should disable your keystone service.
+#
+# == Parameters
+#
+# [*servername*]
+# The servername for the virtualhost.
+# Optional. Defaults to $::fqdn
+#
+# [*public_port*]
+# The public port.
+# Optional. Defaults to 5000
+#
+# [*admin_port*]
+# The admin port.
+# Optional. Defaults to 35357
+#
+# [*bind_host*]
+# The host/ip address Apache will listen on.
+# Optional. Defaults to undef (listen on all ip addresses).
+#
+# [*public_path*]
+# The prefix for the public endpoint.
+# Optional. Defaults to '/'
+#
+# [*admin_path*]
+# The prefix for the admin endpoint.
+# Optional. Defaults to '/'
+#
+# [*ssl*]
+# Use ssl ? (boolean)
+# Optional. Defaults to true
+#
+# [*workers*]
+# Number of WSGI workers to spawn.
+# Optional. Defaults to 1
+#
+# [*ssl_cert*]
+# [*ssl_key*]
+# [*ssl_chain*]
+# [*ssl_ca*]
+# [*ssl_crl_path*]
+# [*ssl_crl*]
+# [*ssl_certs_dir*]
+# apache::vhost ssl parameters.
+# Optional. Default to apache::vhost 'ssl_*' defaults.
+#
+# == Dependencies
+#
+# requires Class['apache'] & Class['keystone']
+#
+# == Examples
+#
+# include apache
+#
+# class { 'keystone::wsgi::apache': }
+#
+# == Note about ports & paths
+#
+# When using same port for both endpoints (443 anyone ?), you *MUST* use two
+# different public_path & admin_path !
+#
+# == Authors
+#
+# François Charlier
+#
+# == Copyright
+#
+# Copyright 2013 eNovance
+#
+class keystone::wsgi::apache (
+ $servername = $::fqdn,
+ $public_port = 5000,
+ $admin_port = 35357,
+ $bind_host = undef,
+ $public_path = '/',
+ $admin_path = '/',
+ $ssl = true,
+ $workers = 1,
+ $ssl_cert = undef,
+ $ssl_key = undef,
+ $ssl_chain = undef,
+ $ssl_ca = undef,
+ $ssl_crl_path = undef,
+ $ssl_crl = undef,
+ $ssl_certs_dir = undef,
+ $threads = $::processorcount,
+ $priority = '10',
+) {
+
+ include ::keystone::params
+ include ::apache
+ include ::apache::mod::wsgi
+ if $ssl {
+ include ::apache::mod::ssl
+ }
+
+ Package['keystone'] -> Package['httpd']
+ Package['keystone'] ~> Service['httpd']
+ Keystone_config <| |> ~> Service['httpd']
+ Service['httpd'] -> Keystone_endpoint <| |>
+ Service['httpd'] -> Keystone_role <| |>
+ Service['httpd'] -> Keystone_service <| |>
+ Service['httpd'] -> Keystone_tenant <| |>
+ Service['httpd'] -> Keystone_user <| |>
+ Service['httpd'] -> Keystone_user_role <| |>
+
+ ## Sanitize parameters
+
+ # Ensure there's no trailing '/' except if this is also the only character
+ $public_path_real = regsubst($public_path, '(^/.*)/$', '\1')
+ # Ensure there's no trailing '/' except if this is also the only character
+ $admin_path_real = regsubst($admin_path, '(^/.*)/$', '\1')
+
+ if $public_port == $admin_port and $public_path_real == $admin_path_real {
+ fail('When using the same port for public & private endpoints, public_path and admin_path should be different.')
+ }
+
+ file { $::keystone::params::keystone_wsgi_script_path:
+ ensure => directory,
+ owner => 'keystone',
+ group => 'keystone',
+ require => Package['httpd'],
+ }
+
+ file { 'keystone_wsgi_admin':
+ ensure => file,
+ path => "${::keystone::params::keystone_wsgi_script_path}/admin",
+ source => $::keystone::params::keystone_wsgi_script_source,
+ owner => 'keystone',
+ group => 'keystone',
+ mode => '0644',
+ # source file provided by keystone package
+ require =>
+ [File[$::keystone::params::keystone_wsgi_script_path], Package['keystone']],
+ }
+
+ file { 'keystone_wsgi_main':
+ ensure => file,
+ path => "${::keystone::params::keystone_wsgi_script_path}/main",
+ source => $::keystone::params::keystone_wsgi_script_source,
+ owner => 'keystone',
+ group => 'keystone',
+ mode => '0644',
+ # source file provided by keystone package
+ require => [File[$::keystone::params::keystone_wsgi_script_path], Package['keystone']],
+ }
+
+ $wsgi_daemon_process_options_main = {
+ user => 'keystone',
+ group => 'keystone',
+ processes => $workers,
+ threads => $threads,
+ display-name => 'keystone-main',
+ }
+
+ $wsgi_daemon_process_options_admin = {
+ user => 'keystone',
+ group => 'keystone',
+ processes => $workers,
+ threads => $threads,
+ display-name => 'keystone-admin',
+ }
+
+ $wsgi_script_aliases_main = hash([$public_path_real,"${::keystone::params::keystone_wsgi_script_path}/main"])
+ $wsgi_script_aliases_admin = hash([$admin_path_real, "${::keystone::params::keystone_wsgi_script_path}/admin"])
+
+ if $public_port == $admin_port {
+ $wsgi_script_aliases_main_real = merge($wsgi_script_aliases_main, $wsgi_script_aliases_admin)
+ } else {
+ $wsgi_script_aliases_main_real = $wsgi_script_aliases_main
+ }
+
+ ::apache::vhost { 'keystone_wsgi_main':
+ ensure => 'present',
+ servername => $servername,
+ ip => $bind_host,
+ port => $public_port,
+ docroot => $::keystone::params::keystone_wsgi_script_path,
+ docroot_owner => 'keystone',
+ docroot_group => 'keystone',
+ priority => $priority,
+ ssl => $ssl,
+ ssl_cert => $ssl_cert,
+ ssl_key => $ssl_key,
+ ssl_chain => $ssl_chain,
+ ssl_ca => $ssl_ca,
+ ssl_crl_path => $ssl_crl_path,
+ ssl_crl => $ssl_crl,
+ ssl_certs_dir => $ssl_certs_dir,
+ wsgi_daemon_process => 'keystone_main',
+ wsgi_daemon_process_options => $wsgi_daemon_process_options_main,
+ wsgi_process_group => 'keystone_main',
+ wsgi_script_aliases => $wsgi_script_aliases_main_real,
+ require => File['keystone_wsgi_main'],
+ }
+
+
+ if $public_port != $admin_port {
+ ::apache::vhost { 'keystone_wsgi_admin':
+ ensure => 'present',
+ servername => $servername,
+ ip => $bind_host,
+ port => $admin_port,
+ docroot => $::keystone::params::keystone_wsgi_script_path,
+ docroot_owner => 'keystone',
+ docroot_group => 'keystone',
+ priority => $priority,
+ ssl => $ssl,
+ ssl_cert => $ssl_cert,
+ ssl_key => $ssl_key,
+ ssl_chain => $ssl_chain,
+ ssl_ca => $ssl_ca,
+ ssl_crl_path => $ssl_crl_path,
+ ssl_crl => $ssl_crl,
+ ssl_certs_dir => $ssl_certs_dir,
+ wsgi_daemon_process => 'keystone_admin',
+ wsgi_daemon_process_options => $wsgi_daemon_process_options_admin,
+ wsgi_process_group => 'keystone_admin',
+ wsgi_script_aliases => $wsgi_script_aliases_admin,
+ require => File['keystone_wsgi_admin'],
+ }
+ }
+}
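Review bot: Both vhosts are declared with `ip => $bind_host`, and `$bind_host` defaults to undef, so the admin API on `$admin_port` listens on every address the public API does and cannot be confined to a management interface. Consider a separate `$admin_bind_host = undef` parameter that the `keystone_wsgi_admin` vhost uses when set and that otherwise falls back to `$bind_host`, so existing callers are unaffected. When `$public_port == $admin_port` the admin alias is merged into the public vhost, so the header's "Note about ports & paths" should also say that the admin endpoint is then reachable wherever the public one is. Separately, `$ssl` defaults to true while `$ssl_cert` and `$ssl_key` default to undef; the parameter documentation should state that a production deployment has to pass its own certificate and key rather than rely on whatever apache::vhost substitutes by default.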