Switch octavia-api to wsgi running under apache.

This change also adds support for Octavia backend TLS.

Closes-Bug: #1874228
Depends-On: https://review.opendev.org/c/openstack/kolla/+/779892
Change-Id: I5ff84aec4cdbc15f6a797391815243821dbdbd67
This commit is contained in:
Martin Chlumsky 2021-03-10 21:58:02 -05:00
parent d1e7964a8d
commit 400c5a9f18
8 changed files with 114 additions and 7 deletions


@ -1,7 +1,7 @@
<match kolla.var.log.kolla.*.*.log>
@type rewrite_tag_filter
capitalize_regex_backreference yes
rewriterule1 programname ^(cinder-api-access|cloudkitty-api-access|gnocchi-api-access|horizon-access|keystone-apache-admin-access|keystone-apache-public-access|monasca-api-access|placement-api-access|panko-api-access)$ apache_access
rewriterule1 programname ^(cinder-api-access|cloudkitty-api-access|gnocchi-api-access|horizon-access|keystone-apache-admin-access|keystone-apache-public-access|monasca-api-access|octavia-api-access|placement-api-access|panko-api-access)$ apache_access
rewriterule2 programname ^(aodh_wsgi_access|barbican_api_uwsgi_access|zun_api_wsgi_access|vitrage_wsgi_access)$ wsgi_access
rewriterule3 programname ^(nova-api|nova-compute|nova-compute-ironic|nova-conductor|nova-manage|nova-novncproxy|nova-scheduler|nova-placement-api|placement-api|privsep-helper)$ openstack_python
rewriterule4 programname ^(sahara-api|sahara-engine)$ openstack_python


@ -3,7 +3,7 @@
capitalize_regex_backreference yes
<rule>
key programname
pattern ^(cinder-api-access|cloudkitty-api-access|gnocchi-api-access|horizon-access|keystone-apache-admin-access|keystone-apache-public-access|monasca-api-access|placement-api-access|panko-api-access)$
pattern ^(cinder-api-access|cloudkitty-api-access|gnocchi-api-access|horizon-access|keystone-apache-admin-access|keystone-apache-public-access|monasca-api-access|octavia-api-access|placement-api-access|panko-api-access)$
tag apache_access
</rule>
<rule>


@ -16,11 +16,15 @@ octavia_services:
mode: "http"
external: false
port: "{{ octavia_api_port }}"
listen_port: "{{ octavia_api_listen_port }}"
tls_backend: "{{ octavia_enable_tls_backend }}"
octavia_api_external:
enabled: "{{ enable_octavia }}"
mode: "http"
external: true
port: "{{ octavia_api_port }}"
listen_port: "{{ octavia_api_listen_port }}"
tls_backend: "{{ octavia_enable_tls_backend }}"
octavia-driver-agent:
container_name: octavia_driver_agent
group: octavia-driver-agent
@ -105,7 +109,7 @@ octavia_api_enable_healthchecks: "{{ enable_container_healthchecks }}"
octavia_api_healthcheck_interval: "{{ default_container_healthcheck_interval }}"
octavia_api_healthcheck_retries: "{{ default_container_healthcheck_retries }}"
octavia_api_healthcheck_start_period: "{{ default_container_healthcheck_start_period }}"
octavia_api_healthcheck_test: ["CMD-SHELL", "healthcheck_curl http://{{ api_interface_address | put_address_in_context('url') }}:{{ octavia_api_listen_port }}"]
octavia_api_healthcheck_test: ["CMD-SHELL", "healthcheck_curl {{ 'https' if octavia_enable_tls_backend | bool else 'http' }}://{{ api_interface_address | put_address_in_context('url') }}:{{ octavia_api_listen_port }}"]
octavia_api_healthcheck_timeout: "{{ default_container_healthcheck_timeout }}"
octavia_api_healthcheck:
interval: "{{ octavia_api_healthcheck_interval }}"
@ -327,3 +331,8 @@ octavia_amp_network_cidr: 10.1.0.0/24
# Octavia provider drivers
octavia_provider_drivers: "amphora:Amphora provider{% if neutron_plugin_agent == 'ovn'%}, ovn:OVN provider{% endif %}"
octavia_provider_agents: "amphora_agent{% if neutron_plugin_agent == 'ovn'%}, ovn{% endif %}"
####################
# TLS
####################
octavia_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
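Review bot: The healthcheck in the second hunk now requests `https://<api_interface_address>:<octavia_api_listen_port>` whenever octavia_enable_tls_backend is true, so its outcome depends on how healthcheck_curl treats the backend certificate: if it verifies the chain and the host, the certificate shipped as octavia-cert.pem must cover the API interface address, or the container is reported unhealthy the moment TLS is switched on. healthcheck_curl is not visible from here, so this may already be handled; a one-line comment above the healthcheck, `# with the TLS backend enabled, healthcheck_curl must be able to validate (or be told to skip) octavia-cert.pem for api_interface_address`, would record the assumption either way. The octavia_services mapping edited by the first hunk begins outside the hunk.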


@ -47,7 +47,7 @@
- include_tasks: copy-certs.yml
when:
- kolla_copy_ca_into_containers | bool
- kolla_copy_ca_into_containers | bool or octavia_enable_tls_backend | bool
- name: Copying over config.json files for services
template:
@ -62,6 +62,24 @@
notify:
- "Restart {{ item.key }} container"
- name: Copying over octavia-wsgi.conf
vars:
service: "{{ octavia_services['octavia-api'] }}"
become: true
template:
src: "{{ item }}"
dest: "{{ node_config_directory }}/octavia-api/octavia-wsgi.conf"
mode: "0660"
with_first_found:
- "{{ node_custom_config }}/octavia/{{ inventory_hostname }}/octavia-wsgi.conf"
- "{{ node_custom_config }}/octavia/octavia-wsgi.conf"
- "octavia-wsgi.conf.j2"
when:
- inventory_hostname in groups[service.group]
- service.enabled | bool
notify:
- Restart octavia-api container
- name: Copying over octavia.conf
vars:
service_name: "{{ item.key }}"


@ -1,20 +1,45 @@
{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
{
"command": "octavia-api --config-file /etc/octavia/octavia.conf",
"command": "/usr/sbin/{{ apache_binary }} -DFOREGROUND",
"config_files": [
{
"source": "{{ container_config_directory }}/octavia.conf",
"dest": "/etc/octavia/octavia.conf",
"owner": "octavia",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/octavia-wsgi.conf",
"dest": "/etc/{{ apache_conf_dir }}/octavia-wsgi.conf",
"owner": "octavia",
"perm": "0600"
}{% if octavia_policy_file is defined %},
{
"source": "{{ container_config_directory }}/{{ octavia_policy_file }}",
"dest": "/etc/octavia/{{ octavia_policy_file }}",
"owner": "octavia",
"perm": "0600"
}{% endif %}
],
}{% endif %}{% if octavia_enable_tls_backend | bool %},
{
"source": "{{ container_config_directory }}/octavia-cert.pem",
"dest": "/etc/octavia/certs/octavia-cert.pem",
"owner": "octavia",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/octavia-key.pem",
"dest": "/etc/octavia/certs/octavia-key.pem",
"owner": "octavia",
"perm": "0600"
}
{% endif %}],
"permissions": [
{
"path": "/var/log/kolla/octavia",
"owner": "octavia:octavia",
"recurse": true
},
{
"path": "/var/run/octavia",
"owner": "octavia:octavia"


@ -0,0 +1,43 @@
{% set wsgi_directory = '/usr/bin' if octavia_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
{% if octavia_enable_tls_backend | bool %}
{% if kolla_base_distro in ['centos'] %}
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
{% else %}
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
{% endif %}
{% endif %}
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ octavia_api_listen_port }}
ServerSignature Off
ServerTokens Prod
TraceEnable off
TimeOut {{ kolla_httpd_timeout }}
KeepAliveTimeout {{ kolla_httpd_keep_alive }}
{% if octavia_logging_debug | bool %}
LogLevel info
{% endif %}
<VirtualHost *:{{ octavia_api_listen_port }}>
WSGIDaemonProcess octavia-api processes={{ openstack_service_workers }} threads=1 user=octavia group=octavia display-name=octavia-api
WSGIProcessGroup octavia-api
WSGIScriptAlias / {{ wsgi_directory }}/octavia-wsgi
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/kolla/octavia/octavia-api-error.log
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
CustomLog /var/log/kolla/octavia/octavia-api-access.log logformat
<Directory {{ wsgi_directory }}>
<Files octavia-wsgi>
Require all granted
</Files>
</Directory>
{% if octavia_enable_tls_backend | bool %}
SSLEngine On
SSLCertificateFile /etc/octavia/certs/octavia-cert.pem
SSLCertificateKeyFile /etc/octavia/certs/octavia-key.pem
{% endif %}
</VirtualHost>
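Review bot: The TLS branch at the end of the VirtualHost enables SSLEngine and names the certificate and key but sets no SSLProtocol or SSLCipherSuite, so the accepted protocol versions and ciphers are whatever the image's global mod_ssl configuration provides, which differs between the centos and debian/ubuntu images and may still admit TLS 1.0/1.1. If the other kolla-ansible wsgi templates deliberately leave this to the distro defaults, a comment next to SSLEngine saying so is enough; otherwise pin a floor there, e.g. `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1`, and keep the cipher policy in one shared place so every backend-TLS service agrees. Separately, the mod_ssl LoadModule branch tests `kolla_base_distro in ['centos']` while config.json.j2 keys the same distinction on `['ubuntu', 'debian']`; using the same form in both files keeps a newly added base distro from taking the httpd path in one template and the apache2 path in the other.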


@ -2,6 +2,9 @@
debug = {{ octavia_logging_debug }}
log_dir = /var/log/kolla/octavia
{% if service_name == "octavia-api" %}
log_file = octavia-api.log
{% endif %}
transport_url = {{ rpc_transport_url }}


@ -0,0 +1,9 @@
---
features:
- |
Switch octavia-api to wsgi running under apache.
- |
Added configuration options to enable backend TLS encryption from HAProxy
to the Octavia service. When used in conjunction with enabling TLS for
service API endpoints, network communication will be encrypted end to end,
from client through HAProxy to the Octavia service.