Merge "Configure Apache to proxy for Uwsgi"

releasenotes/notes/os-keystone-uwsgi-and-nginx-options-2157f8e40a7a8156.yaml

@@ -0,0 +1,19 @@
+---
+features:
+  - Introduced option to deploy Keystone under Uwsgi. A new variable
+    ``keystone_mod_wsgi_enabled`` is introduced to toggle this
+    behavior. The ports used by Uwsgi for socket and http connection
+    for both public and admin Keystone services are configurable
+    (see also the ``keystone_uwsgi_ports`` dictionary variable).
+    Federation features should be considered _experimental_ with
+    this configuration at this time. The default is ``true`` which
+    continues to deploy with mod_wsgi for Apache.
+  - Introduced option to deploy Keystone behind Nginx. A new
+    variable ``keystone_apache_enabled`` is introduced to toggle
+    this behavior. Additional configuration can be delivered to
+    Nginx through the use of the ``keystone_nginx_extra_conf`` list
+    variable. Federation features are not supported with this
+    configuration at this time. Use of this option requires
+    ``keystone_mod_wsgi_enabled`` to be set to ``false`` which will
+    deploy Keystone under Uwsgi. The default is ``true`` which
+    continues to deploy with Apache.

tasks/keystone_install_apt.yml

@@ -53,7 +53,20 @@
   retries: 5
   delay: 2
   with_items: "{{ keystone_mod_wsgi_distro_packages }}"
-  when: keystone_mod_wsgi_enabled | bool
+  when:
+    - keystone_mod_wsgi_enabled | bool
+
+- name: Install mod_proxy_uwsgi apt packages
+  apt:
+    pkg: "{{ item }}"
+    state: "{{ keystone_package_state }}"
+  register: install_packages
+  until: install_packages|success
+  retries: 5
+  delay: 2
+  with_items: "{{ keystone_mod_proxy_uwsgi_distro_packages }}"
+  when:
+    - not keystone_mod_wsgi_enabled | bool
 
 - name: Install Nginx apt packages
   apt:

tasks/keystone_install_yum.yml

@@ -70,6 +70,18 @@
   when:
     - keystone_mod_wsgi_enabled | bool
 
+- name: Install mod_proxy_uwsgi apt packages
+  yum:
+    pkg: "{{ item }}"
+    state: "{{ keystone_package_state }}"
+  register: install_packages
+  until: install_packages|success
+  retries: 5
+  delay: 2
+  with_items: "{{ keystone_mod_proxy_uwsgi_distro_packages }}"
+  when:
+    - not keystone_mod_wsgi_enabled | bool
+
 - name: Install Nginx yum packages
   yum:
     pkg: "{{ item }}"

templates/keystone-httpd.conf.j2

@@ -57,12 +57,16 @@
     WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1
     {% endif %}
 
+    {% if keystone_mod_wsgi_enabled | bool -%}
     <Directory /var/www/cgi-bin/keystone>
         Options Indexes FollowSymLinks MultiViews
         AllowOverride All
         Order allow,deny
         allow from all
     </Directory>
+    {% else %}
+    ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports[keystone-wsgi-public]["socket"] }}/
+    {% endif %}
 
 </VirtualHost>
 
@@ -97,10 +101,19 @@
     SSLOptions +StdEnvVars +ExportCertData
     {% endif %}
 
+    {% if keystone_mod_wsgi_enabled | bool -%}
     <Directory /var/www/cgi-bin/keystone>
         Options Indexes FollowSymLinks MultiViews
         AllowOverride All
         Order allow,deny
         allow from all
     </Directory>
+    {% else -%}
+    ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports[keystone-wsgi-admin]["socket"] }}/
+    {% endif %}
+
 </VirtualHost>
+{% if not keystone_mod_wsgi_enabled | bool -%}
+ProxyPass /identity uwsgi://127.0.0.1:{{ keystone_uwsgi_ports[keystone-wsgi-public]['socket'] }}/
+ProxyPass /identity_admin uwsgi://127.0.0.1:{{ keystone_uwsgi_ports[keystone-wsgi-admin]['socket'] }}/
+{% endif %}

tox.ini

@@ -175,6 +175,30 @@ commands =
     bash -c 'rsync -av --ignore-errors /var/log/ /openstack/log/ {toxinidir}/logs/ || true'
 
 
+[testenv:func_uwsgi_apache]
+# Ignore_errors is set to true so that the logs are collected at the
+#  end of the run. This will not produce a failse positive. Any
+#  exception will be mark the run as "failed" and exit 1 after all of
+#  the commands have been iterated through.
+ignore_errors = True
+# NOTE(stevelle): this will test keystone with uwsgi & apache
+install_command =
+    {[testenv:func_base]install_command}
+deps =
+    {[testenv:ansible]deps}
+setenv =
+    {[testenv:ansible]setenv}
+commands =
+    {[testenv:ansible]commands}
+    ansible-playbook -i {toxinidir}/tests/inventory \
+                     -e "rolename={toxinidir}" \
+                     -e "install_test_packages=True" \
+                     -e "keystone_mod_wsgi_enabled=False" \
+                     {toxinidir}/tests/test.yml -vvvv
+    bash -c 'mkdir -p {toxinidir}/logs'
+    bash -c 'rsync -av --ignore-errors /var/log/ /openstack/log/ {toxinidir}/logs/ || true'
+
+
 [testenv:func_uwsgi_nginx]
 # Ignore_errors is set to true so that the logs are collected at the
 #  end of the run. This will not produce a failse positive. Any

vars/redhat-7.yml

@@ -44,6 +44,9 @@ keystone_apache_distro_packages:
 keystone_mod_wsgi_distro_packages:
   - mod_wsgi
 
+keystone_mod_proxy_uwsgi_distro_packages:
+  - mod_proxy_uwsgi
+
 keystone_nginx_distro_packages:
   - nginx
 

vars/ubuntu-14.04.yml

@@ -36,6 +36,9 @@ keystone_apache_distro_packages:
 keystone_mod_wsgi_distro_packages:
   - libapache2-mod-wsgi
 
+keystone_mod_proxy_uwsgi_distro_packages:
+  - libapache2-mod-proxy-uwsgi
+
 keystone_nginx_distro_packages:
   - nginx-full
 

vars/ubuntu-16.04.yml

@@ -36,6 +36,9 @@ keystone_apache_distro_packages:
 keystone_mod_wsgi_distro_packages:
   - libapache2-mod-wsgi
 
+keystone_mod_proxy_uwsgi_distro_packages:
+  - libapache2-mod-proxy-uwsgi
+
 keystone_nginx_distro_packages:
   - nginx-full