Add the option to deploy keystone without apache

This change gives the keystone role the ability to deploy keystone using only uWSGI, which eliminates Apache and all of its dependencies from the environment. While this capability is not as feature rich as the apache based deployment, which is still the default, it does offer a signficant reduction in process overhead targeting minimal deployment usec-ases, for deployments which do not need or want advanced keystone features this is a huge benefit. Signed-off-by: Kevin Carter <kevin@cloudnull.com> Change-Id: I5a8484082f6331d2c5a452af2760c8e79d44fab8
2022-09-08 12:19:50 -05:00 · 2022-09-08 12:19:50 -05:00 · 3928511919
parent b9fc36753b
commit 3928511919
8 changed files with 35 additions and 11 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -179,12 +179,18 @@ keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_
 ## Set this value to override the "public_endpoint" keystone.conf variable
 #keystone_public_endpoint: "{{ keystone_service_publicuri }}"

+# Enable or disable uWSGI as the primary service manager. While uWSGI is used
+# for basic deployments, when this option is enabled it will become the sole
+# service manager instead of being a proxy target.
+keystone_use_uwsgi: false
+
 # Apache web server will handle all requests and will act as a
-# reverse proxy to uWSGI. If internal TLS/SSL certificates are configured,
-# they are implemented in this web server's configuration. Using a web server
-# for endpoints is far better for scale and allows the use of additional
-# modules to improve performance or security, leaving uWSGI to only have
-# to be used for running the service.
+# reverse proxy to uWSGI when the `keystone_use_uwsgi` option is not enabled.
+# If internal TLS/SSL certificates are configured, they are implemented in
+# this web server's configuration. Using a web server for endpoints is
+# far better for scale and allows the use of additional modules to improve
+# performance or security, leaving uWSGI to only have to be used for running
+# the service.
 #
 keystone_web_server_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"

@ -616,7 +622,7 @@ keystone_services:
    wsgi_path: "{{ keystone_bin }}/keystone-wsgi-public"
    uwsgi_overrides: "{{ keystone_default_uwsgi_overrides | combine(keystone_uwsgi_ini_overrides, recursive=True) }}"
    uwsgi_bind_address: "{{ keystone_uwsgi_bind_address }}"
-    uwsgi_port: "{{ keystone_uwsgi_ports['keystone-wsgi-public']['http'] }}"
+    uwsgi_port: "{{ (keystone_use_uwsgi | bool) | ternary(keystone_service_port, keystone_uwsgi_ports['keystone-wsgi-public']['http']) }}"

 ## Extra HTTP headers for Keystone
 # Add any additional headers here that Keystone should return.
--- a/releasenotes/notes/keystone_uwsgi-86116742b67bb944.yaml
+++ b/releasenotes/notes/keystone_uwsgi-86116742b67bb944.yaml
@ -0,0 +1,15 @@
+---
+features:
+  - |
+    The keystone role now supports the option `keystone_use_uwsgi`, which will
+    allow deployers the ability to run keystone via uWSGI without needing the
+    apache webserver. When the `keystone_use_uwsgi` option is enabled, it will
+    setup the uWSGI process on port 5000.
+other:
+  - |
+    The keystone role can now has the ability to run a minimal uWSGI process
+    for keystone when the option `keystone_use_uwsgi` is set **true**. This
+    feature provides operators the ability to run a minimal install without
+    apache. While the minimal deployment is functional, it is not featureful.
+    Things like modshib and oath are not supported when running the minimal
+    setup.
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -150,6 +150,7 @@
 - import_tasks: keystone_federation_sp_shib_setup.yml
  when:
    - keystone_sp_apache_mod_shib
+    - not (keystone_use_uwsgi | bool)
  tags:
    - keystone-config

@ -173,6 +174,8 @@
    - keystone-config

 - import_tasks: "keystone_apache.yml"
+  when:
+    - not (keystone_use_uwsgi | bool)
  tags:
    - keystone-config

--- a/vars/debian.yml
+++ b/vars/debian.yml
@ -95,7 +95,7 @@ keystone_apache_modules:
 #  - name: "mod_journald"
 #    state: "present

-keystone_system_service_name: apache2
+keystone_system_service_name: "{{ (keystone_use_uwsgi | bool) | ternary('keystone-wsgi-public', 'apache2') }}"

 keystone_uwsgi_bin: '/usr/bin'

--- a/vars/distro_install.yml
+++ b/vars/distro_install.yml
@ -19,7 +19,7 @@
 # enabled.
 #
 keystone_package_list: |-
-  {% set packages = keystone_distro_packages + keystone_apache_distro_packages %}
+  {% set packages = keystone_distro_packages | union((keystone_use_uwsgi | bool) | ternary([], keystone_apache_distro_packages)) %}
  {% if keystone_idp != {} %}
  {%   set _ = packages.extend(keystone_idp_distro_packages) %}
  {% endif %}
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@ -75,7 +75,7 @@ keystone_apache_configs:
  - { src: "keystone-httpd.conf.j2", dest: "/etc/httpd/conf.d/keystone-httpd.conf" }
  - { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/httpd/conf.modules.d/mpm_{{ keystone_httpd_mpm_backend }}.conf" }

-keystone_system_service_name: httpd
+keystone_system_service_name: "{{ (keystone_use_uwsgi | bool) | ternary('keystone-wsgi-public', 'httpd') }}"

 keystone_uwsgi_bin: '/usr/sbin'

--- a/vars/source_install.yml
+++ b/vars/source_install.yml
@ -19,7 +19,7 @@
 # enabled.
 #
 keystone_package_list: |-
-  {% set packages = keystone_distro_packages + keystone_apache_distro_packages %}
+  {% set packages = keystone_distro_packages | union((keystone_use_uwsgi | bool) | ternary([], keystone_apache_distro_packages)) %}
  {% if keystone_idp != {} %}
  {%   set _ = packages.extend(keystone_idp_distro_packages) %}
  {% endif %}
--- a/vars/ubuntu-18.04.yml
+++ b/vars/ubuntu-18.04.yml
@ -95,7 +95,7 @@ keystone_apache_modules:
 #  - name: "mod_journald"
 #    state: "present

-keystone_system_service_name: apache2
+keystone_system_service_name: "{{ (keystone_use_uwsgi | bool) | ternary('keystone-wsgi-public', 'apache2') }}"

 keystone_uwsgi_bin: '/usr/bin'