Update to apache2 ~> 8.0 cookbook

This brings us up to date with the latest apache2 cookbook which
included a major refactor in 6.0.0 removing all of the definitions and
recipe with proper resources. Instead of using the apache2_default_site
resource, directly use a template and then enable the config file using
the apache2_site resource. This gives us the most flexibility.

- Install mod_wsgi as a package on RHEL since there is no built-in
  resource for it.
- Don't set SELinux to permissive on RHEL (I tested this works properly
  with it set to enforcing).
- Remove hack for restarting apache.
- Convert web_app to template and subscribe to restarting apache.
- Remove resources to restore SELinux contexts since this is now taken care
  of by Chef automatically.
- Remove unused references to log_debug in wsgi template
- Add missing WSGISocketPrefix to wsgi template
- Additional tests for keystone.conf and identity.conf
- Remove unused ldap section tests as we no longer have attributes for it
- Include additional cookbooks in Berksfile required for CI

Depends-On: https://review.opendev.org/702772

Change-Id: I717247217523e89251e4c0bead0c1a0d114ade2a
Lance Albertson 2020-01-08 10:52:37 -08:00
parent 21255e36b4
commit 453ab3bb95
8 changed files with 240 additions and 263 deletions


@ -1,8 +1,19 @@
source 'https://supermarket.chef.io'
solver :ruby, :required
metadata
%w(-common client).each do |cookbook|
%w(
client
-common
-dns
-image
-integration-test
-network
-ops-database
-ops-messaging
).each do |cookbook|
if Dir.exist?("../cookbook-openstack#{cookbook}")
cookbook "openstack#{cookbook}", path: "../cookbook-openstack#{cookbook}"
else


@ -37,7 +37,7 @@ Cookbooks
The following cookbooks are dependencies:
- 'apache2', '~> 5.0.1'
- 'apache2', '~> 8.0'
- 'openstack-common', '>= 18.0.0'
- 'openstackclient'


@ -141,7 +141,17 @@ when 'fedora', 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this
# platform specific package and service name options
default['openstack']['identity']['platform'] = {
'memcache_python_packages' => ['python-memcached'],
'keystone_packages' => ['openstack-keystone', 'openstack-selinux', 'python2-urllib3'],
# TODO(ramereth): python2-urllib3 is here to workaround an issue if
# it's already been installed from the base repository which is
# incompatible with what's shipped with RDO. This should be removed
# once fixed upstream.
'keystone_packages' =>
%w(
mod_wsgi
openstack-keystone
openstack-selinux
python2-urllib3
),
'keystone_service' => 'openstack-keystone',
'keystone_process_name' => 'keystone-all',
'package_options' => '',
@ -150,7 +160,12 @@ when 'debian'
# platform specific package and service name options
default['openstack']['identity']['platform'] = {
'memcache_python_packages' => ['python3-memcache'],
'keystone_packages' => ['libapache2-mod-wsgi-py3', 'python3-keystone', 'keystone'],
'keystone_packages' =>
%w(
keystone
libapache2-mod-wsgi-py3
python3-keystone
),
'keystone_service' => 'keystone',
'keystone_process_name' => 'keystone-all',
'package_overrides' => '',
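Review bot: The TODO comment above the new RHEL `keystone_packages` list explains only `python2-urllib3`; `mod_wsgi`, the other entry added to that list, is there for a reason stated only in the commit message (the apache2 cookbook no longer provides a resource that installs it on RHEL), so a reader of the attributes file cannot tell whether it is safe to drop. Adding `# mod_wsgi is installed as a package here because apache2 >= 6 has no resource for it on RHEL` next to the entry would keep that rationale with the code. The Debian list in the second hunk needs nothing similar, since `libapache2-mod-wsgi-py3` was already present there.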


@ -16,9 +16,9 @@ recipe 'server-apache', 'Installs and configures the OpenStack Identity Service
supports os
end
depends 'openstack-common', '>= 18.0.0'
depends 'apache2', '~> 8.0'
depends 'openstackclient'
depends 'apache2', '5.0.1'
depends 'openstack-common', '>= 18.0.0'
issues_url 'https://launchpad.net/openstack-chef'
source_url 'https://opendev.org/openstack/cookbook-openstack-identity'


@ -26,25 +26,7 @@ require 'uri'
# load the methods defined in cookbook-openstack-common libraries
class ::Chef::Recipe
include ::Openstack
end
# Workaround lifted from openstack-dashboard::apache2-server to install apache2
# on a RHEL-ish machine with SELinux set to enforcing.
#
# TODO(sc): once apache2 is in a place to allow for subscribes to web_app,
# this workaround should go away
#
execute 'set-selinux-permissive' do
command '/sbin/setenforce Permissive'
action :run
only_if "[ ! -e /etc/httpd/conf/httpd.conf ] && [ -e /etc/redhat-release ] && [ $(/sbin/sestatus | grep -c '^Current mode:.*enforcing') -eq 1 ]"
end
# Clear lock file when notified
execute 'Clear Keystone apache restart' do
command "rm -f #{Chef::Config[:file_cache_path]}/keystone-apache-restarted"
action :nothing
include Apache2::Cookbook::Helpers
end
# include the logging recipe from openstack-common if syslog usage is enbaled
@ -110,8 +92,8 @@ service 'keystone' do
end
# disable default keystone config file from UCA package
apache_site 'keystone' do
enable false
apache2_site 'keystone' do
action :disable
only_if { platform_family?('debian') }
end
@ -198,7 +180,7 @@ template '/etc/keystone/keystone.conf' do
variables(
service_config: keystone_conf_options
)
notifies :run, 'execute[Clear Keystone apache restart]', :immediately
notifies :restart, 'service[apache2]'
end
# delete all secrets saved in the attribute
@ -232,81 +214,48 @@ end
#### Start of Apache specific work
# configure attributes for apache2 cookbook to align with openstack settings
apache_listen = Array(node['apache']['listen']) # include already defined listen attributes
# Remove the default apache2 cookbook port, as that is also the default for horizon, but with
# a different address syntax. *:80 vs 0.0.0.0:80
apache_listen -= ['*:80']
apache_listen += ["#{bind_address}:#{bind_service['port']}"]
node.normal['apache']['listen'] = apache_listen.uniq
# include the apache2 default recipe and the recipes for mod_wsgi
include_recipe 'apache2'
# TODO(jh): hardcoded to include py2 mod-wsgi package
# include_recipe 'apache2::mod_wsgi'
case node['platform_family']
when 'debian'
apache_module 'wsgi'
when 'rhel', 'fedora', 'arch', 'amazon'
include_recipe 'apache2::mod_wsgi'
# service['apache2'] is defined in the apache2_default_install resource
# but other resources are currently unable to reference it. To work
# around this issue, define the following helper in your cookbook:
service 'apache2' do
extend Apache2::Cookbook::Helpers
service_name lazy { apache_platform_service_name }
supports restart: true, status: true, reload: true
action :nothing
end
# include the apache2 mod_ssl recipe if ssl is enabled for identity
include_recipe 'apache2::mod_ssl' if node['openstack']['identity']['ssl']['enabled']
apache2_install 'openstack' do
listen "#{bind_address}:#{bind_service['port']}"
end
apache2_module 'wsgi'
apache2_module 'ssl' if node['openstack']['identity']['ssl']['enabled']
# create the keystone apache directory
keystone_apache_dir = "#{node['apache']['docroot_dir']}/keystone"
keystone_apache_dir = "#{default_docroot_dir}/keystone"
directory keystone_apache_dir do
owner 'root'
group 'root'
mode 0o0755
end
# create the keystone apache config using the web_app resource from the apache2
# cookbook
web_app 'identity' do
template 'wsgi-keystone.conf.erb'
server_host bind_address
server_port bind_service['port']
server_entry '/usr/bin/keystone-wsgi-public'
server_alias 'identity'
server_suffix app
log_dir node['apache']['log_dir']
log_debug node['openstack']['identity']['debug']
user keystone_user
group keystone_group
use_ssl node['openstack']['identity']['ssl']['enabled']
cert_file node['openstack']['identity']['ssl']['certfile']
chain_file node['openstack']['identity']['ssl']['chainfile']
key_file node['openstack']['identity']['ssl']['keyfile']
ca_certs_path node['openstack']['identity']['ssl']['ca_certs_path']
cert_required node['openstack']['identity']['ssl']['cert_required']
protocol node['openstack']['identity']['ssl']['protocol']
ciphers node['openstack']['identity']['ssl']['ciphers']
# create the keystone apache config using template
template "#{apache_dir}/sites-available/identity.conf" do
extend Apache2::Cookbook::Helpers
source 'wsgi-keystone.conf.erb'
variables(
server_host: bind_address,
server_port: bind_service['port'],
server_entry: '/usr/bin/keystone-wsgi-public',
server_alias: 'identity',
log_dir: default_log_dir,
run_dir: lock_dir,
user: keystone_user,
group: keystone_group
)
notifies :restart, 'service[apache2]'
end
# Hack until Apache cookbook has lwrp's for proper use of notify restart
# apache2 after keystone if completely configured. Whenever a keystone
# config is updated, have it notify the resource which clears the lock
# so the service can be restarted.
# TODO(ramereth): This should be removed once this cookbook is updated
# to use the newer apache2 cookbook which uses proper resources.
edit_resource(:template, "#{node['apache']['dir']}/sites-available/identity.conf") do
notifies :run, 'execute[Clear Keystone apache restart]', :immediately
end
# Only restart Keystone apache during the initial install. This causes
# monitoring and service issues while the service is restarted so we
# should minimize the amount of times we restart apache.
execute 'Keystone apache restart' do
command "touch #{Chef::Config[:file_cache_path]}/keystone-apache-restarted"
creates "#{Chef::Config[:file_cache_path]}/keystone-apache-restarted"
notifies :run, 'execute[restore-selinux-context]', :immediately
apache2_site 'identity' do
notifies :restart, 'service[apache2]', :immediately
end
execute 'restore-selinux-context' do
command 'restorecon -Rv /etc/httpd /etc/pki || :'
action :nothing
only_if { platform_family?('rhel') }
end
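Review bot: The `template "#{apache_dir}/sites-available/identity.conf"` resource sets no `owner`, `group` or `mode`, so the rendered vhost file's permissions now depend on the umask and on any pre-existing file, whereas the replaced web_app resource pinned root:root 0644 (the spec expectations `user: 'root'`, `group: 'root'`, `mode: '0644'` are dropped in the same commit). The `directory keystone_apache_dir` block just above still sets owner/group/mode explicitly, so adding `owner 'root'`, `group 'root'` and `mode '0644'` to the template keeps the section consistent and the permissions reproducible. Separately, `apache2_site 'identity'` restarts apache `:immediately` while both templates queue a delayed `notifies :restart, 'service[apache2]'`, so an initial converge probably restarts apache twice; if the commit's aim of minimizing restarts still applies, a delayed restart on the site resource would collapse them — worth confirming against the apache2 8.x resource documentation.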


@ -0,0 +1,26 @@
# encoding: UTF-8
#
require_relative 'spec_helper'
describe 'openstack-identity::server-apache' do
describe 'redhat' do
let(:runner) { ChefSpec::SoloRunner.new(REDHAT_OPTS) }
let(:node) { runner.node }
cached(:chef_run) do
runner.converge(described_recipe)
end
include_context 'identity_stubs'
it 'upgrades memcache python packages' do
expect(chef_run).to upgrade_package('identity cookbook package python-memcached')
end
it 'upgrades keystone packages' do
expect(chef_run).to upgrade_package('identity cookbook package openstack-keystone')
expect(chef_run).to upgrade_package('identity cookbook package openstack-selinux')
expect(chef_run).to upgrade_package('identity cookbook package mod_wsgi')
end
end
end
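Review bot: The 'upgrades keystone packages' example checks openstack-keystone, openstack-selinux and mod_wsgi but not `python2-urllib3`, which the attributes hunk keeps in the RHEL `keystone_packages` list together with its TODO workaround comment; adding `expect(chef_run).to upgrade_package('identity cookbook package python2-urllib3')` would cover the whole list and fail visibly when that workaround is eventually removed. As a point of style, the `# encoding: UTF-8` magic comment has been the default since Ruby 2.0 and could be replaced by `# frozen_string_literal: true`.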


@ -49,6 +49,10 @@ describe 'openstack-identity::server-apache' do
expect(chef_run).to upgrade_package('identity cookbook package keystone')
end
it do
expect(chef_run).to disable_apache2_site('keystone')
end
it 'bootstrap with keystone-manage' do
expect(chef_run).to run_execute('bootstrap_keystone').with(command: "keystone-manage bootstrap \\
--bootstrap-password #{password} \\
@ -127,19 +131,22 @@ describe 'openstack-identity::server-apache' do
expect(chef_run).not_to render_config_file(path).with_section_content('DEFAULT', /^list_limit = /)
end
it 'has default transport_url/AMQP options set' do
[%r{^transport_url = rabbit://openstack:mypass@127.0.0.1:5672$}].each do |line|
expect(chef_run).to render_file(path).with_content(line)
end
end
describe '[DEFAULT] section' do
[
%r{^log_dir = /var/log/keystone$},
%r{^public_endpoint = http://127.0.0.1:5000/$},
%r{^transport_url = rabbit://openstack:mypass@127.0.0.1:5672$},
].each do |line|
it do
expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', line)
end
end
describe 'syslog configuration' do
log_file = %r{^log_dir = /var/log/keystone$}
log_conf = %r{^log_config_append = /\w+}
it 'renders log_file correctly' do
expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', log_file)
it do
expect(chef_run).not_to render_config_file(path).with_section_content('DEFAULT', log_conf)
end
@ -148,19 +155,12 @@ describe 'openstack-identity::server-apache' do
node.override['openstack']['identity']['syslog']['use'] = true
runner.converge(described_recipe)
end
it 'renders log_config correctly' do
it do
expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', log_conf)
expect(chef_run).not_to render_config_file(path).with_section_content('DEFAULT', log_file)
end
end
end
it 'has correct endpoints' do
# values correspond to node attrs set in chef_run above
pub = line_regexp('public_endpoint = http://127.0.0.1:5000/')
expect(chef_run).to render_config_file(path).with_section_content('DEFAULT', pub)
end
end
describe '[memcache] section' do
@ -180,8 +180,7 @@ describe 'openstack-identity::server-apache' do
hosts = ['host1:111', 'host2:222']
r = line_regexp("servers = #{hosts.join(',')}")
allow_any_instance_of(Chef::Recipe).to receive(:memcached_servers)
.and_return(hosts)
allow_any_instance_of(Chef::Recipe).to receive(:memcached_servers).and_return(hosts)
expect(chef_run).to render_config_file(path).with_section_content('memcache', r)
end
end
@ -189,52 +188,46 @@ describe 'openstack-identity::server-apache' do
describe '[sql] section' do
it 'has a connection' do
r = /^connection = \w+/
r = %r{^connection = mysql\+pymysql://keystone:@127.0.0.1:3306/keystone\?charset=utf8$}
expect(chef_run).to render_config_file(path).with_section_content('database', r)
end
end
describe '[ldap] section' do
describe 'optional nil attributes' do
optional_attrs = %w(group_tree_dn group_filter user_filter
user_tree_dn user_enabled_emulation_dn
group_attribute_ignore role_attribute_ignore
role_tree_dn role_filter project_tree_dn
project_enabled_emulation_dn project_filter
project_attribute_ignore)
it 'does not configure attributes' do
optional_attrs.each do |a|
r = /^#{Regexp.quote(a)} = $/
expect(chef_run).not_to render_config_file(path).with_section_content('ldap', r)
end
end
context 'ssl settings' do
context 'when use_tls disabled' do
it 'does not set tls_ options if use_tls is disabled' do
[/^tls_cacertfile = /, /^tls_cacertdir = /, /^tls_req_cert = /].each do |setting|
expect(chef_run).not_to render_config_file(path).with_section_content('ldap', setting)
end
end
end
end
end
end
describe '[assignment] section' do
it 'configures driver' do
r = line_regexp('driver = sql')
r = /^driver = sql$/
expect(chef_run).to render_config_file(path).with_section_content('assignment', r)
end
end
describe '[policy] section' do
it 'configures driver' do
r = line_regexp('driver = sql')
r = /^driver = sql$/
expect(chef_run).to render_config_file(path).with_section_content('policy', r)
end
end
describe '[fernet_tokens] section' do
it do
r = %r{^key_repository = /etc/keystone/fernet-tokens$}
expect(chef_run).to render_config_file(path).with_section_content('fernet_tokens', r)
end
end
describe '[credential] section' do
it do
r = %r{^key_repository = /etc/keystone/credential-tokens$}
expect(chef_run).to render_config_file(path).with_section_content('credential', r)
end
end
describe '[cache] section' do
[
/^enabled = true$/,
/^backend = oslo_cache.memcache_pool$/,
].each do |line|
it do
expect(chef_run).to render_config_file(path).with_section_content('cache', line)
end
end
end
end
describe 'db_sync' do
@ -314,25 +307,34 @@ describe 'openstack-identity::server-apache' do
end
describe 'apache setup' do
it 'set apache addresses and ports' do
expect(chef_run.node['apache']['listen']).to eq(%w(127.0.0.1:5000))
it do
expect(chef_run.template('/etc/keystone/keystone.conf')).to notify('service[apache2]').to(:restart)
end
describe 'apache recipes' do
it 'include apache recipes' do
expect(chef_run).to include_recipe('apache2')
expect(chef_run).not_to include_recipe('apache2::mod_wsgi')
expect(chef_run).not_to include_recipe('apache2::mod_ssl')
end
it do
expect(chef_run.template('/etc/apache2/sites-available/identity.conf')).to \
notify('service[apache2]').to(:restart)
end
context 'ssl enabled' do
cached(:chef_run) do
node.override['openstack']['identity']['ssl']['enabled'] = true
runner.converge(described_recipe)
end
it 'include apache recipes' do
expect(chef_run).to include_recipe('apache2::mod_ssl')
end
it do
expect(chef_run).to install_apache2_install('openstack').with(listen: '127.0.0.1:5000')
end
it do
expect(chef_run).to enable_apache2_module('wsgi')
end
it do
expect(chef_run).to_not enable_apache2_module('ssl')
end
context 'ssl enabled' do
cached(:chef_run) do
node.override['openstack']['identity']['ssl']['enabled'] = true
runner.converge(described_recipe)
end
it do
expect(chef_run).to enable_apache2_module('ssl')
end
end
@ -341,9 +343,17 @@ describe 'openstack-identity::server-apache' do
it 'creates identity.conf' do
expect(chef_run).to create_template(file).with(
user: 'root',
group: 'root',
mode: '0644'
source: 'wsgi-keystone.conf.erb',
variables: {
group: 'keystone',
log_dir: '/var/log/apache2',
run_dir: '/var/lock/apache2',
server_alias: 'identity',
server_entry: '/usr/bin/keystone-wsgi-public',
server_host: '127.0.0.1',
server_port: 5000,
user: 'keystone',
}
)
end
@ -351,25 +361,45 @@ describe 'openstack-identity::server-apache' do
expect(chef_run).not_to render_file('/etc/apache2/sites-available/keystone-admin.conf')
end
[
/^<VirtualHost 127.0.0.1:5000>$/,
/WSGIDaemonProcess identity processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}$/,
/WSGIProcessGroup identity$/,
%r{WSGIScriptAlias / /usr/bin/keystone-wsgi-public$},
%r{ErrorLog /var/log/apache2/identity.log$},
%r{CustomLog /var/log/apache2/identity_access.log combined$},
%r{WSGISocketPrefix /var/lock/apache2$},
].each do |line|
it do
expect(chef_run).to render_file(file).with_content(line)
end
end
context 'custom_template_banner' do
cached(:chef_run) do
node.override['openstack']['identity']['custom_template_banner'] = 'custom_template_banner_value'
runner.converge(described_recipe)
end
it 'configures identity.conf lines' do
[/^custom_template_banner_value$/,
/user=keystone/,
/group=keystone/,
%r{^ ErrorLog /var/log/apache2/identity.log$},
%r{^ CustomLog /var/log/apache2/identity_access.log combined$}].each do |line|
[
/^custom_template_banner_value$/,
].each do |line|
it do
expect(chef_run).to render_file(file).with_content(line)
end
end
end
it 'does not configure identity.conf triggered common lines' do
[/^ LogLevel/,
/^ SSL/].each do |line|
[
/SSLEngine On$/,
/SSLCertificateFile/,
/SSLCertificateKeyFile/,
/SSLCACertificatePath/,
/SSLCertificateChainFile/,
/SSLProtocol/,
/SSLCipherSuite/,
/SSLVerifyClient/,
].each do |line|
it do
expect(chef_run).not_to render_file(file).with_content(line)
end
end
@ -380,99 +410,46 @@ describe 'openstack-identity::server-apache' do
node.override['openstack']['identity']['ssl']['enabled'] = true
runner.converge(described_recipe)
end
it 'configures identity.conf common ssl lines' do
[/^ SSLEngine On$/,
%r{^ SSLCertificateFile /etc/keystone/ssl/certs/sslcert.pem$},
%r{^ SSLCertificateKeyFile /etc/keystone/ssl/private/sslkey.pem$},
%r{^ SSLCACertificatePath /etc/keystone/ssl/certs/$},
/^ SSLProtocol All -SSLv2 -SSLv3$/].each do |line|
[
/SSLEngine On$/,
%r{SSLCertificateFile /etc/keystone/ssl/certs/sslcert.pem$},
%r{SSLCertificateKeyFile /etc/keystone/ssl/private/sslkey.pem$},
%r{SSLCACertificatePath /etc/keystone/ssl/certs/$},
/SSLProtocol All -SSLv2 -SSLv3$/,
].each do |line|
it do
expect(chef_run).to render_file(file).with_content(line)
end
end
it 'does not configure identity.conf common ssl lines' do
[/^ SSLCertificateChainFile/,
/^ SSLCipherSuite/,
/^ SSLVerifyClient require/].each do |line|
[
/SSLCertificateChainFile/,
/SSLCipherSuite/,
/SSLVerifyClient require/,
].each do |line|
it do
expect(chef_run).not_to render_file(file).with_content(line)
end
end
context 'chainfile' do
context 'Enable chainfile, ciphers & cert_required' do
cached(:chef_run) do
node.override['openstack']['identity']['ssl']['enabled'] = true
node.override['openstack']['identity']['ssl']['chainfile'] = '/etc/keystone/ssl/certs/chainfile.pem'
runner.converge(described_recipe)
end
it 'configures identity.conf chainfile when set' do
expect(chef_run).to render_file(file)
.with_content(%r{^ SSLCertificateChainFile /etc/keystone/ssl/certs/chainfile.pem$})
end
end
context 'ciphers' do
cached(:chef_run) do
node.override['openstack']['identity']['ssl']['enabled'] = true
node.override['openstack']['identity']['ssl']['ciphers'] = 'ciphers_value'
runner.converge(described_recipe)
end
it 'configures identity.conf ciphers when set' do
expect(chef_run).to render_file(file)
.with_content(/^ SSLCipherSuite ciphers_value$/)
end
end
context 'cert_required' do
cached(:chef_run) do
node.override['openstack']['identity']['ssl']['enabled'] = true
node.override['openstack']['identity']['ssl']['cert_required'] = true
runner.converge(described_recipe)
end
it 'configures identity.conf cert_required set' do
expect(chef_run).to render_file(file)
.with_content(/^ SSLVerifyClient require$/)
[
%r{SSLCertificateChainFile /etc/keystone/ssl/certs/chainfile.pem$},
/SSLCipherSuite ciphers_value$/,
/SSLVerifyClient require$/,
].each do |line|
it do
expect(chef_run).to render_file(file).with_content(line)
end
end
end
end
end
describe 'identity.conf' do
let(:file) { '/etc/apache2/sites-available/identity.conf' }
it 'configures required lines' do
[/^<VirtualHost 127.0.0.1:5000>$/,
/^ WSGIDaemonProcess identity/,
/^ WSGIProcessGroup identity$/,
%r{^ WSGIScriptAlias / /usr/bin/keystone-wsgi-public$}].each do |line|
expect(chef_run).to render_file(file).with_content(line)
end
end
end
describe 'restart apache' do
it do
expect(chef_run).to nothing_execute('Clear Keystone apache restart')
.with(
command: 'rm -f /var/chef/cache/keystone-apache-restarted'
)
end
%w(
/etc/keystone/keystone.conf
/etc/apache2/sites-available/identity.conf
).each do |f|
it "#{f} notifies execute[Clear Keystone apache restart]" do
expect(chef_run.template(f)).to notify('execute[Clear Keystone apache restart]').to(:run).immediately
end
end
it do
expect(chef_run).to run_execute('Keystone apache restart')
.with(
command: 'touch /var/chef/cache/keystone-apache-restarted',
creates: '/var/chef/cache/keystone-apache-restarted'
)
end
it do
expect(chef_run.execute('Keystone apache restart')).to notify('execute[restore-selinux-context]').to(:run).immediately
end
it do
expect(chef_run.execute('Keystone apache restart')).to notify('service[apache2]').to(:restart).immediately
end
end
end
end
end
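Review bot: The new `[sql] section` expectation pins `keystone:@127.0.0.1`, i.e. an empty password between user and host, so it cannot tell a correctly interpolated empty stub password from a password that was dropped from the connection URL altogether. Stubbing a non-empty value for the keystone DB password (presumably in the shared `identity_stubs` context) and asserting that it appears in the URL would make that regression detectable; at minimum a comment such as `# empty password comes from the test stubs, not a default` would stop a reader taking it for a production value. Separately, the visible `cached(:chef_run)` in `context 'Enable chainfile, ciphers & cert_required'` only overrides `chainfile`; unless `ciphers` and `cert_required` are set on lines not shown here or in the shared stubs, the `SSLCipherSuite ciphers_value` and `SSLVerifyClient require` expectations would not render, so please double-check that block.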


@ -1,37 +1,36 @@
<%= node['openstack']['identity']['custom_template_banner'] %>
<VirtualHost <%= @params[:server_host] %>:<%= @params[:server_port] %>>
WSGIDaemonProcess identity processes=5 threads=1 user=<%= @params[:user] %> group=<%= @params[:group] %> display-name=%{GROUP}
<VirtualHost <%= @server_host %>:<%= @server_port %>>
WSGIDaemonProcess identity processes=5 threads=1 user=<%= @user %> group=<%= @group %> display-name=%{GROUP}
WSGIProcessGroup identity
WSGIScriptAlias / <%= @params[:server_entry] %>
WSGIScriptAlias / <%= @server_entry %>
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog <%= @params[:log_dir] %>/identity.log
CustomLog <%= @params[:log_dir] %>/identity_access.log combined
<% if [true, 'true', 'True'].include?(@params[:log_debug]) -%>
LogLevel debug
<% end -%>
ErrorLog <%= @log_dir %>/identity.log
CustomLog <%= @log_dir %>/identity_access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
<% if node['openstack']['identity']['ssl']['enabled'] -%>
<% if @params[:use_ssl] -%>
SSLEngine On
SSLCertificateFile <%= @params[:cert_file] %>
SSLCertificateKeyFile <%= @params[:key_file] %>
SSLCACertificatePath <%= @params[:ca_certs_path] %>
<% if @params[:chain_file] %>
SSLCertificateChainFile <%= @params[:chain_file] %>
SSLCertificateFile <%= node['openstack']['identity']['ssl']['certfile'] %>
SSLCertificateKeyFile <%= node['openstack']['identity']['ssl']['keyfile'] %>
SSLCACertificatePath <%= node['openstack']['identity']['ssl']['ca_certs_path'] %>
<% if node['openstack']['identity']['ssl']['chainfile'] %>
SSLCertificateChainFile <%= node['openstack']['identity']['ssl']['chainfile'] %>
<% end -%>
SSLProtocol <%= @params[:protocol] %>
<% if @params[:ciphers] -%>
SSLCipherSuite <%= @params[:ciphers] %>
SSLProtocol <%= node['openstack']['identity']['ssl']['protocol'] %>
<% if node['openstack']['identity']['ssl']['ciphers'] -%>
SSLCipherSuite <%= node['openstack']['identity']['ssl']['ciphers'] %>
<% end -%>
<% if @params[:cert_required] -%>
<% if node['openstack']['identity']['ssl']['cert_required'] -%>
SSLVerifyClient require
<% end -%>
<% end -%>
</VirtualHost>
WSGISocketPrefix <%= @run_dir %>
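Review bot: The SSL block now reads `node['openstack']['identity']['ssl'][...]` directly inside the template while every other value (`@server_host`, `@log_dir`, `@run_dir`, ...) arrives through `variables`, so the template has two configuration sources and the ChefSpec `create_template(...).with(variables: ...)` expectation no longer describes the SSL inputs at all. Passing `ssl: node['openstack']['identity']['ssl']` from the recipe and using `@ssl['certfile']` and friends here would keep the template self-contained and testable through its variables. Note also that `SSLProtocol` is emitted verbatim from the attribute, whose spec-pinned default `All -SSLv2 -SSLv3` still admits TLS 1.0 and 1.1; that default predates this commit, but a comment such as `<%# SSLProtocol is taken unchanged from the ssl.protocol attribute; restrict it to TLSv1.2+ in the role/environment %>` would flag it for operators.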