From 88e512ef181a8e18c7ec7e484b3f5f1b85aaa057 Mon Sep 17 00:00:00 2001 From: Samuel Cassiba Date: Thu, 14 Dec 2017 07:44:32 -0800 Subject: [PATCH] Implemented wsgi support for cinder-api - Cinder's API service is a WSGI service running behind Apache, which is enabled by default on Ubuntu. Let's get with the times and manage that service. - version bump to pick up the new change Change-Id: I641fa32cac6025e44c1aeedc5f89a12b5efa4e58 --- attributes/default.rb | 10 ++++++ metadata.rb | 2 +- recipes/api.rb | 30 ++++++++++++++--- spec/spec_helper.rb | 4 ++- templates/default/wsgi-template.conf.erb | 42 ++++++++++++++++++++++++ 5 files changed, 82 insertions(+), 6 deletions(-) create mode 100644 templates/default/wsgi-template.conf.erb diff --git a/attributes/default.rb b/attributes/default.rb index 1330791..c6275d5 100644 --- a/attributes/default.rb +++ b/attributes/default.rb @@ -71,6 +71,16 @@ default['openstack']['block-storage']['volume']['block_devices'] = nil default['openstack']['block-storage']['user'] = 'cinder' default['openstack']['block-storage']['group'] = 'cinder' +# Cinder WSGI app SSL settings +default['openstack']['block-storage']['ssl']['enabled'] = false +default['openstack']['block-storage']['ssl']['certfile'] = '' +default['openstack']['block-storage']['ssl']['chainfile'] = '' +default['openstack']['block-storage']['ssl']['keyfile'] = '' +default['openstack']['block-storage']['ssl']['ca_certs_path'] = '' +default['openstack']['block-storage']['ssl']['cert_required'] = false +default['openstack']['block-storage']['ssl']['protocol'] = '' +default['openstack']['block-storage']['ssl']['ciphers'] = '' + case platform_family when 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this # operating system user and group names diff --git a/metadata.rb b/metadata.rb index 39f4965..e338aa6 100644 --- a/metadata.rb +++ b/metadata.rb 
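Review bot: The new `ssl` defaults in attributes/default.rb are empty strings, and an empty string is truthy in Ruby, so the template guards `<% if @params[:chain_file] %>` and `<% if @params[:ciphers] -%>` in templates/default/wsgi-template.conf.erb never skip their directive. With `ssl.enabled` set to true and only the certificate and key configured, the rendered vhost would carry `SSLCertificateChainFile` and `SSLCipherSuite` with no argument, plus an unconditional `SSLProtocol` with an empty value. Apache will most likely refuse that at config test. Defaulting the optional values to `nil` and giving `protocol` an explicit restrictive default would avoid this, for example `default['openstack']['block-storage']['ssl']['protocol'] = 'all -SSLv3 -TLSv1 -TLSv1.1'`, adjusted to what the deployed Apache/OpenSSL supports. A short comment above the block naming which keys are required once `enabled` is true would also help operators.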
@@ -4,7 +4,7 @@ maintainer_email 'openstack-dev@lists.openstack.org' license 'Apache 2.0' description 'The OpenStack Advanced Volume Management service Cinder.' long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) -version '15.0.0' +version '15.1.0' %w(ubuntu redhat centos).each do |os| supports os diff --git a/recipes/api.rb b/recipes/api.rb index 726c5ce..287ae5f 100644 --- a/recipes/api.rb +++ b/recipes/api.rb @@ -27,6 +27,7 @@ end include_recipe 'openstack-block-storage::cinder-common' +bind_service = node['openstack']['bind_service']['all']['block-storage'] platform_options = node['openstack']['block-storage']['platform'] platform_options['cinder_api_packages'].each do |pkg| @@ -43,10 +44,6 @@ node['openstack']['db']['python_packages'][db_type].each do |pkg| end end -# Todo(jr): Runs via wsgi in apache2 now, need to find a nice way to -# trigger apache2 restart. Also disable the default installed wsgi -# service and use our template based setup - execute 'cinder-manage db sync' do user node['openstack']['block-storage']['user'] group node['openstack']['block-storage']['group'] 
@@ -60,3 +57,28 @@ if node['openstack']['block-storage']['policyfile_url'] mode 0o0644 end end + +# remove the cinder-wsgi.conf automatically generated from package +apache_config 'cinder-wsgi' do + enable false +end + +web_app 'cinder-api' do + template 'wsgi-template.conf.erb' + daemon_process 'cinder-wsgi' + server_host bind_service['host'] + server_port bind_service['port'] + server_entry '/usr/bin/cinder-wsgi' + log_dir node['apache']['log_dir'] + run_dir node['apache']['run_dir'] + user node['openstack']['block-storage']['user'] + group node['openstack']['block-storage']['group'] + use_ssl node['openstack']['block-storage']['ssl']['enabled'] + cert_file node['openstack']['block-storage']['ssl']['certfile'] + chain_file node['openstack']['block-storage']['ssl']['chainfile'] + key_file node['openstack']['block-storage']['ssl']['keyfile'] + ca_certs_path node['openstack']['block-storage']['ssl']['ca_certs_path'] + cert_required node['openstack']['block-storage']['ssl']['cert_required'] + protocol node['openstack']['block-storage']['ssl']['protocol'] + ciphers node['openstack']['block-storage']['ssl']['ciphers'] +end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 061067c..1311f46 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -12,7 +12,7 @@ require 'chef/application' LOG_LEVEL = :fatal REDHAT_OPTS = { platform: 'redhat', - version: '7.1', + version: '7.3', log_level: LOG_LEVEL }.freeze UBUNTU_OPTS = { @@ -58,6 +58,8 @@ shared_context 'block-storage-stubs' do allow_any_instance_of(Chef::Recipe).to receive(:rabbit_transport_url) .with('block-storage') .and_return('rabbit://guest:mypass@127.0.0.1:5672') + stub_command('/usr/sbin/httpd -t').and_return(true) + stub_command('/usr/sbin/apache2 -t').and_return(true) allow(Chef::Application).to receive(:fatal!) end end diff --git a/templates/default/wsgi-template.conf.erb b/templates/default/wsgi-template.conf.erb new file mode 100644 index 0000000..ecf379b --- /dev/null 
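Review bot: The `web_app 'cinder-api'` block in recipes/api.rb never passes `log_debug`, yet the new template tests `@params[:log_debug]` before emitting `LogLevel debug`, so that branch cannot be reached from this recipe. Either pass it explicitly, presumably from the cookbook's existing debug attribute (not visible in this hunk), or drop the branch from the template so the two stay in step. The block also forwards `certfile` and `keyfile` unchecked. A guard before the resource that fails the run when `ssl.enabled` is true and either value is empty would surface a misconfiguration at converge time instead of at Apache reload.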
+++ b/templates/default/wsgi-template.conf.erb
@@ -0,0 +1,42 @@
+<%= node["openstack"]["block-storage"]["custom_template_banner"] %>
+
+Listen <%= @params[:server_host] %>:<%= @params[:server_port] %>
+
+:<%= @params[:server_port] %>>
+ WSGIDaemonProcess <%= @params[:daemon_process] %> processes=2 threads=10 user=<%= @params[:user] %> group=<%= @params[:group] %> display-name=%{GROUP}
+ WSGIProcessGroup <%= @params[:daemon_process] %>
+ WSGIScriptAlias / <%= @params[:server_entry] %>
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+
+
+ Require all granted
+
+
+ ErrorLogFormat "%{cu}t %M"
+ ErrorLog <%= @params[:log_dir] %>/<%= @params[:daemon_process] %>_error.log
+ CustomLog <%= @params[:log_dir] %>/<%= @params[:daemon_process] %>_access.log combined
+<% if [true, 'true', 'True'].include?(@params[:log_debug]) -%>
+ LogLevel debug
+<% end -%>
+
+<% if @params[:use_ssl] -%>
+ SSLEngine On
+ SSLCertificateFile <%= @params[:cert_file] %>
+ SSLCertificateKeyFile <%= @params[:key_file] %>
+ SSLCACertificatePath <%= @params[:ca_certs_path] %>
+<% if @params[:chain_file] %>
+ SSLCertificateChainFile <%= @params[:chain_file] %>
+<% end -%>
+ SSLProtocol <%= @params[:protocol] %>
+<% if @params[:ciphers] -%>
+ SSLCipherSuite <%= @params[:ciphers] %>
+<% end -%>
+<% if @params[:cert_required] -%>
+ SSLVerifyClient require
+<% end -%>
+<% end -%>
+
+
+WSGISocketPrefix <%= @params[:run_dir] -%>
+
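Review bot: `SSLCACertificatePath <%= @params[:ca_certs_path] %>` is written whenever `use_ssl` is true, even when `cert_required` is false and the path is left at its empty default. The directive only matters for client-certificate verification, so it would be safer inside the `cert_required` block or behind its own guard such as `<% unless @params[:ca_certs_path].to_s.empty? -%>`. When `cert_required` is true, an empty CA path should fail the render or the converge rather than produce a vhost that demands client certificates with no trust anchors. As a style point, `<% if @params[:chain_file] %>` lacks the `-%>` trim its siblings use and will leave a stray blank line in the output.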