diff --git a/deployment/puppet/cobbler/.fixtures.yml b/deployment/puppet/cobbler/.fixtures.yml
index 7ea8b0fa33..6c8b0a612d 100644
--- a/deployment/puppet/cobbler/.fixtures.yml
+++ b/deployment/puppet/cobbler/.fixtures.yml
@@ -7,3 +7,4 @@ fixtures:
stdlib: "#{source_dir}/../stdlib"
apache: "#{source_dir}/../apache"
concat: "#{source_dir}/../concat"
+ fuel: "#{source_dir}/../fuel"
diff --git a/deployment/puppet/cobbler/manifests/apache.pp b/deployment/puppet/cobbler/manifests/apache.pp
index ce22ae25cd..4bba28c157 100644
--- a/deployment/puppet/cobbler/manifests/apache.pp
+++ b/deployment/puppet/cobbler/manifests/apache.pp
@@ -3,11 +3,16 @@
# Configure apache and listen ports.
#
class cobbler::apache {
+ file { ['/etc/httpd/', '/etc/httpd/conf.ports.d/']: ensure => directory }
+ ->
class { '::apache':
server_signature => 'Off',
trace_enable => 'Off',
purge_configs => false,
+ purge_vhost_dir => false,
default_vhost => false,
+ ports_file => '/etc/httpd/conf.ports.d/cobbler.conf',
+ conf_template => 'fuel/httpd.conf.erb',
}
apache::vhost { 'cobbler non-ssl':
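Review bot: The new `file { ['/etc/httpd/', '/etc/httpd/conf.ports.d/']: ensure => directory }` resource sets no owner, group or mode, so the directories keep whatever the agent's umask or pre-existing state gives them. The httpd.conf template added in this commit includes every `*.conf` under `/etc/httpd/conf.ports.d/`, so write access to that directory amounts to control over the httpd configuration. I would pin it with `owner => 'root', group => 'root', mode => '0755'`. The same resource is repeated in fuel/manifests/keystone.pp and needs the same attributes. The body of cobbler::apache continues past the end of this hunk.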
diff --git a/deployment/puppet/cobbler/spec/classes/cobbler_apache_spec.rb b/deployment/puppet/cobbler/spec/classes/cobbler_apache_spec.rb
index 7eba76764c..2eacda143a 100644
--- a/deployment/puppet/cobbler/spec/classes/cobbler_apache_spec.rb
+++ b/deployment/puppet/cobbler/spec/classes/cobbler_apache_spec.rb
@@ -53,12 +53,21 @@ describe "cobbler::apache" do
end
end
+ it "ensures httpd confdir for ports-configs" do
+ is_expected.to contain_file('/etc/httpd/conf.ports.d/').with(
+ :ensure => 'directory',
+ )
+ end
+
it "configures 'apache' class" do
is_expected.to contain_class("apache").with(
:server_signature => "Off",
- :trace_enable => "Off",
- :purge_configs => false,
- :default_vhost => false,
+ :trace_enable => "Off",
+ :purge_configs => false,
+ :purge_vhost_dir => false,
+ :default_vhost => false,
+ :conf_template => 'fuel/httpd.conf.erb',
+ :ports_file => '/etc/httpd/conf.ports.d/cobbler.conf',
)
end
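Review bot: The new example only checks that `/etc/httpd/conf.ports.d/` is declared, not that it is applied before the apache class, which is what the `->` added in the manifest is for. Appending `.that_comes_before('Class[apache]')` to the `contain_file` expectation, plus a matching expectation for `/etc/httpd/`, would cover the ordering. The enclosing describe block starts outside this hunk.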
diff --git a/deployment/puppet/fuel/examples/keystone.pp b/deployment/puppet/fuel/examples/keystone.pp
index 7af29240c5..ed38f797c2 100644
--- a/deployment/puppet/fuel/examples/keystone.pp
+++ b/deployment/puppet/fuel/examples/keystone.pp
@@ -23,10 +23,3 @@ class { 'fuel::keystone':
ostf_user => $::fuel_settings['keystone']['ostf_user'],
ostf_password => $::fuel_settings['keystone']['ostf_password'],
}
-
-fuel::systemd {['openstack-keystone']:
- start => true,
- template_path => 'fuel/systemd/restart_template.erb',
- config_name => 'restart.conf',
- require => Class['fuel::keystone'],
-}
diff --git a/deployment/puppet/fuel/manifests/keystone.pp b/deployment/puppet/fuel/manifests/keystone.pp
index fcfb0747f8..fd255920bc 100644
--- a/deployment/puppet/fuel/manifests/keystone.pp
+++ b/deployment/puppet/fuel/manifests/keystone.pp
@@ -4,6 +4,10 @@ class fuel::keystone (
$admin_port = $::fuel::params::keystone_admin_port,
$keystone_domain = $::fuel::params::keystone_domain,
+ $ssl = $::fuel::params::ssl,
+
+ $vhost_limit_request_field_size = $::fuel::params::vhost_limit_request_field_size,
+
$db_engine = $::fuel::params::db_engine,
$db_host = $::fuel::params::db_host,
$db_port = $::fuel::params::db_port,
@@ -31,6 +35,18 @@ class fuel::keystone (
ensure_packages(['crontabs', 'os-client-config', 'python-tablib',
'python-unicodecsv', 'rubygem-thread_safe'])
+ file { ['/etc/httpd/', '/etc/httpd/conf.ports.d/']: ensure => directory }
+ ->
+ class {'::apache':
+ server_signature => 'Off',
+ trace_enable => 'Off',
+ purge_configs => false,
+ purge_vhost_dir => false,
+ default_vhost => false,
+ ports_file => '/etc/httpd/conf.ports.d/keystone.conf',
+ conf_template => 'fuel/httpd.conf.erb',
+ }
+
class { '::keystone':
# (TODO iberezovskiy): Set 'enable_bootstrap' to true when MOS packages will
# be updated and 'keystone-manage bootstrap' command will be available
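Review bot: The `file { ['/etc/httpd/', '/etc/httpd/conf.ports.d/'] }` resource and the resource-like `class {'::apache': ... }` declaration added here are copies of the ones added to cobbler::apache, differing only in `ports_file`. If both classes are ever compiled into one catalog, Puppet will stop on a duplicate declaration; whether that happens depends on how the master tasks are applied, which this diff does not show. Even when they run separately, the hardening settings (`server_signature`, `trace_enable`) now live in two places and can drift. A single shared wrapper that takes the ports file name as its only parameter would remove both problems. The class body starts and ends outside this hunk.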
@@ -41,8 +57,19 @@ class fuel::keystone (
token_expiration => $token_expiration,
token_provider => 'keystone.token.providers.uuid.Provider',
default_domain => $keystone_domain,
- service_name => $::fuel::params::keystone_service_name,
+ service_name => 'httpd',
+ use_syslog => true,
}
+ class { 'keystone::wsgi::apache':
+ public_port => $port,
+ admin_port => $admin_port,
+ ssl => $ssl,
+ priority => '05',
+ threads => 3,
+ workers => min($::processorcount, 6),
+ vhost_custom_fragment => $vhost_limit_request_field_size,
+ access_log_format => 'forwarded',
+ }
# Ensure that keystone_paste_ini file includes "admin_token_auth" filter
# so the Puppet keystone types are able to use the admin token.
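Review bot: `ssl => $ssl` is fed from a parameter whose default in fuel::params is `false`, and fuel::keystone exposes no certificate or key parameters alongside it. By default the public and admin Keystone vhosts are therefore served over plain HTTP, and turning `$ssl` on would fall back to whatever certificate defaults keystone::wsgi::apache provides. Credentials and tokens cross these ports, so I would either pass the certificate and key paths through this class or add a comment next to the parameter such as `# TLS is terminated upstream of httpd; keep false unless cert/key are also supplied`. The class body continues outside this hunk.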
diff --git a/deployment/puppet/fuel/manifests/params.pp b/deployment/puppet/fuel/manifests/params.pp
index 789dd89766..8415a1525b 100644
--- a/deployment/puppet/fuel/manifests/params.pp
+++ b/deployment/puppet/fuel/manifests/params.pp
@@ -36,6 +36,9 @@ class fuel::params {
$keystone_port = '5000'
$keystone_admin_port = '35357'
$keystone_domain = 'fuel'
+ $ssl = false
+
+ $vhost_limit_request_field_size = 'LimitRequestFieldSize 81900'
$keystone_admin_user = 'admin'
$keystone_admin_password = 'admin'
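Review bot: `$vhost_limit_request_field_size` reads like a number but holds a whole directive, and fuel::keystone passes it verbatim as `vhost_custom_fragment`, so any override becomes raw Apache configuration in the Keystone vhost. Storing only the value and building the directive at the call site keeps the input constrained: `$vhost_limit_request_field_size = 81900` here and `vhost_custom_fragment => "LimitRequestFieldSize ${vhost_limit_request_field_size}"` in keystone.pp. The limit is also about ten times Apache's stock 8190 bytes, which raises the header memory a single unauthenticated request can claim. A comment stating why it is needed would help whoever next has to tune it.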
diff --git a/deployment/puppet/fuel/spec/classes/fuel_keystone_spec.rb b/deployment/puppet/fuel/spec/classes/fuel_keystone_spec.rb
new file mode 100644
index 0000000000..dd1f6492b8
--- /dev/null
+++ b/deployment/puppet/fuel/spec/classes/fuel_keystone_spec.rb
@@ -0,0 +1,58 @@
+require "spec_helper"
+
+describe "fuel::keystone" do
+
+ let :global_facts do
+ {
+ :processorcount => 42,
+ }
+ end
+
+ shared_examples_for "keystone configuration" do
+
+ context "with default params" do
+
+ it "ensures httpd confdir for ports-configs" do
+ is_expected.to contain_file('/etc/httpd/conf.ports.d/').with(
+ :ensure => 'directory',
+ )
+ end
+
+ it "configures 'apache' class" do
+ is_expected.to contain_class("apache").with(
+ :server_signature => "Off",
+ :trace_enable => "Off",
+ :purge_configs => false,
+ :purge_vhost_dir => false,
+ :default_vhost => false,
+ :conf_template => 'fuel/httpd.conf.erb',
+ :ports_file => '/etc/httpd/conf.ports.d/keystone.conf',
+ )
+ end
+
+ it "creates 'keystone' vhost" do
+ is_expected.to contain_class("keystone::wsgi::apache").with(
+ :public_port => '5000',
+ :admin_port => '35357',
+ :ssl => false,
+ :priority => '05',
+ :threads => 3,
+ :vhost_custom_fragment => 'LimitRequestFieldSize 81900',
+ :workers => 6,
+ :access_log_format => 'forwarded',
+ )
+ end
+
+ end
+
+ end
+
+ on_supported_os(supported_os: supported_os).each do |os, facts|
+ context "on #{os}" do
+ let(:facts) { facts }
+ it_configures "keystone configuration"
+ end
+ end
+
+end
+
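Review bot: `global_facts` (with `:processorcount => 42`) is defined but nothing in this file uses it, because `let(:facts) { facts }` returns only the per-OS facts from the block parameter. Unless spec_helper merges it, which is not visible here, the `:workers => 6` expectation depends on the processor count in the OS fact set and will fail wherever that is below 6. Changing the line to `let(:facts) { facts.merge(global_facts) }` makes the expectation deterministic.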
diff --git a/deployment/puppet/fuel/templates/httpd.conf.erb b/deployment/puppet/fuel/templates/httpd.conf.erb
new file mode 100644
index 0000000000..d217608e08
--- /dev/null
+++ b/deployment/puppet/fuel/templates/httpd.conf.erb
@@ -0,0 +1,146 @@
+# Security
+ServerTokens <%= @server_tokens %>
+ServerSignature <%= scope.function_bool2httpd([@server_signature]) %>
+TraceEnable <%= scope.function_bool2httpd([@trace_enable]) %>
+
+ServerName "<%= @servername %>"
+ServerRoot "<%= @server_root %>"
+PidFile <%= @pidfile %>
+Timeout <%= @timeout %>
+KeepAlive <%= @keepalive %>
+MaxKeepAliveRequests <%= @max_keepalive_requests %>
+KeepAliveTimeout <%= @keepalive_timeout %>
+LimitRequestFieldSize <%= @limitreqfieldsize %>
+
+<%- if @rewrite_lock and scope.function_versioncmp([@apache_version, '2.2']) <= 0 -%>
+RewriteLock <%= @rewrite_lock %>
+<%- end -%>
+
+User <%= @user %>
+Group <%= @group %>
+
+AccessFileName .htaccess
+
+<%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
+ Require all denied
+<%- else -%>
+ Order allow,deny
+ Deny from all
+ Satisfy all
+<%- end -%>
+
+
+
+ Options <%= Array(@root_directory_options).join(' ') %>
+ AllowOverride None
+<%- if @root_directory_secured -%>
+<%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
+ Require all denied
+<%- else -%>
+ Order deny,allow
+ Deny from all
+<%- end -%>
+<%- end -%>
+
+
+<% if @default_charset -%>
+AddDefaultCharset <%= @default_charset %>
+<% end -%>
+
+<%- if scope.function_versioncmp([@apache_version, '2.4']) < 0 -%>
+DefaultType <%= @default_type %>
+<%- end -%>
+HostnameLookups Off
+ErrorLog "<%= @logroot %>/<%= @error_log %>"
+LogLevel <%= @log_level %>
+EnableSendfile <%= @sendfile %>
+<%- if @allow_encoded_slashes -%>
+AllowEncodedSlashes <%= @allow_encoded_slashes %>
+<%- end -%>
+
+#Listen 80
+
+<% if @apxs_workaround -%>
+# Workaround: without this hack apxs would be confused about where to put
+# LoadModule directives and fail entire procedure of apache package
+# installation/reinstallation. This problem was observed on FreeBSD (apache22).
+#LoadModule fake_module libexec/apache22/mod_fake.so
+<% end -%>
+
+Include "<%= @mod_load_dir %>/*.load"
+<% if @mod_load_dir != @confd_dir and @mod_load_dir != @vhost_load_dir -%>
+Include "<%= @mod_load_dir %>/*.conf"
+<% end -%>
+Include /etc/httpd/conf.ports.d/*.conf
+
+<% unless @log_formats.has_key?('combined') -%>
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+<% end -%>
+<% unless @log_formats.has_key?('common') -%>
+LogFormat "%h %l %u %t \"%r\" %>s %b" common
+<% end -%>
+<% unless @log_formats.has_key?('referer') -%>
+LogFormat "%{Referer}i -> %U" referer
+<% end -%>
+<% unless @log_formats.has_key?('agent') -%>
+LogFormat "%{User-agent}i" agent
+<% end -%>
+<% unless @log_formats.has_key?('forwarded') -%>
+LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" forwarded
+<% end -%>
+<% if @log_formats and !@log_formats.empty? -%>
+ <%- @log_formats.sort.each do |nickname,format| -%>
+LogFormat "<%= format -%>" <%= nickname %>
+ <%- end -%>
+<% end -%>
+
+<%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
+IncludeOptional "<%= @confd_dir %>/*.conf"
+<%- else -%>
+Include "<%= @confd_dir %>/*.conf"
+<%- end -%>
+<% if @vhost_load_dir != @confd_dir -%>
+<%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
+IncludeOptional "<%= @vhost_load_dir %>/<%= @vhost_include_pattern %>"
+<%- else -%>
+Include "<%= @vhost_load_dir %>/<%= @vhost_include_pattern %>"
+<%- end -%>
+<% end -%>
+
+<% if @error_documents -%>
+# /usr/share/apache2/error on debian
+Alias /error/ "<%= @error_documents_path %>/"
+
+">
+ AllowOverride None
+ Options IncludesNoExec
+ AddOutputFilter Includes html
+ AddHandler type-map var
+<%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
+ Require all granted
+<%- else -%>
+ Order allow,deny
+ Allow from all
+<%- end -%>
+ LanguagePriority en cs de es fr it nl sv pt-br ro
+ ForceLanguagePriority Prefer Fallback
+
+
+ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
+ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
+ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
+ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
+ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
+ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
+ErrorDocument 410 /error/HTTP_GONE.html.var
+ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
+ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
+ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
+ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
+ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
+ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
+ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
+ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
+ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
+ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
+<% end -%>
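Review bot: The fallback `forwarded` LogFormat records `%{X-Forwarded-For}i` and never `%h`, and fuel::keystone appears to select this format for the Keystone vhost via `access_log_format => 'forwarded'`. That header is supplied by the client, so unless every request passes through a proxy that overwrites it, access-log entries for authentication traffic can carry an arbitrary address and the real peer is not recorded. Logging both keeps the audit trail usable: `LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" forwarded`. That form also uses `%>s` like the `combined` and `common` formats, where this line has `%s`. Separately, the `@log_formats.has_key?` calls run before the later `if @log_formats` guard, so a nil value would raise before the guard is reached.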
diff --git a/tests/noop/spec/hosts/master/keystone_spec.rb b/tests/noop/spec/hosts/master/keystone_spec.rb
index f3cf143e17..053323e47e 100644
--- a/tests/noop/spec/hosts/master/keystone_spec.rb
+++ b/tests/noop/spec/hosts/master/keystone_spec.rb
@@ -31,14 +31,12 @@ describe manifest do
is_expected.to contain_class('fuel::keystone').with parameters
end
- it 'should have "openstack-keystone" fuel::systemd service' do
- parameters = {
- :start => true,
- :template_path => 'fuel/systemd/restart_template.erb',
- :config_name => 'restart.conf',
- }
- is_expected.to contain_fuel__systemd('openstack-keystone').with parameters
- end
+ it {
+ should contain_service('httpd').with(
+ :ensure => 'running',
+ :enable => true
+ )
+ }
end
run_test manifest
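Review bot: The replacement example uses the bare `it { should ... }` form, while the surrounding examples in this file use described `it '...' do` blocks with `is_expected.to`. Writing it as `it 'should run and enable the httpd service' do` with `is_expected.to contain_service('httpd').with(...)` keeps failure output readable and the file consistent. Since Keystone now runs under httpd, a `contain_class('keystone::wsgi::apache')` expectation here would also confirm that the vhost reaches the master catalog, not just that httpd is running. The describe block starts outside this hunk.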