Isolate mod_wsgi from Apache install

This allows deploys to elect to have Keystone run off of Apache
without implying the use of mod_wsgi, such as with uwsgi. A
following patch will introduce the Apache configuration needed to
link Apache to uwsgi so that existing Federation support can be
used.

Release notes summarizing all changes for this blueprint will follow
in the final patch in the series.

Change-Id: Idf9e48b0c93174648982cf27cf922d3801565c74
Related: blueprint keystone-uwsgi

defaults/main.yml

@@ -166,7 +166,8 @@ keystone_service_adminurl: "{{ keystone_service_adminurl_v3 }}"
 #keystone_public_endpoint: "{{ keystone_service_publicuri }}"
 
 ## Apache setup
-keystone_apache_mod_wsgi_enabled: true
+keystone_apache_enabled: true
+keystone_mod_wsgi_enabled: true
 keystone_apache_log_level: info
 keystone_apache_custom_log_format: combined
 keystone_apache_servertokens: "Prod"

handlers/main.yml

@@ -22,7 +22,7 @@
   until: _restart|success
   retries: 5
   delay: 2
-  when: keystone_apache_mod_wsgi_enabled | bool
+  when: (keystone_apache_enabled | bool) or (keystone_mod_wsgi_enabled | bool)
 
 - name: Restart Nginx
   service:
@@ -32,7 +32,7 @@
   until: keystone_restart | success
   retries: 5
   delay: 2
-  when: not keystone_apache_mod_wsgi_enabled | bool
+  when: not keystone_apache_enabled | bool
 
 - name: Restart Keystone APIs
   service:
@@ -43,7 +43,7 @@
   retries: 5
   delay: 2
   with_items: keystone_wsgi_program_names
-  when: not keystone_apache_mod_wsgi_enabled | bool
+  when: not keystone_mod_wsgi_enabled | bool
 
 - name: Restart Shibd
   service:

tasks/keystone_install_apt.yml

@@ -42,7 +42,18 @@
   delay: 2
   with_items: "{{ keystone_apache_distro_packages }}"
   when:
-    - keystone_apache_mod_wsgi_enabled | bool
+    - keystone_apache_enabled | bool
+
+- name: Install mod_wsgi apt packages
+  apt:
+    pkg: "{{ item }}"
+    state: "{{ keystone_package_state }}"
+  register: install_packages
+  until: install_packages|success
+  retries: 5
+  delay: 2
+  with_items: "{{ keystone_mod_wsgi_distro_packages }}"
+  when: keystone_mod_wsgi_enabled | bool
 
 - name: Install Nginx apt packages
   apt:
@@ -54,7 +65,7 @@
   delay: 2
   with_items: "{{ keystone_nginx_distro_packages }}"
   when:
-    - not keystone_apache_mod_wsgi_enabled | bool
+    - not keystone_apache_enabled | bool
 
 - name: Install IdP apt packages
   apt:
@@ -66,7 +77,7 @@
   delay: 2
   with_items: "{{ keystone_idp_distro_packages }}"
   when:
-    - keystone_apache_mod_wsgi_enabled | bool
+    - keystone_apache_enabled | bool
     - keystone_idp != {}
 
 - name: Install SP apt packages
@@ -79,7 +90,7 @@
   delay: 2
   with_items: "{{ keystone_sp_distro_packages }}"
   when:
-    - keystone_apache_mod_wsgi_enabled | bool
+    - keystone_apache_enabled | bool
     - keystone_sp != {}
 
 - name: Install developer mode apt packages

tasks/keystone_install_yum.yml

@@ -56,7 +56,19 @@
   delay: 2
   with_items: "{{ keystone_apache_distro_packages }}"
   when:
-    - keystone_apache_mod_wsgi_enabled | bool
+    - keystone_apache_enabled | bool
+
+- name: Install mod_wsgi yum packages
+  yum:
+    pkg: "{{ item }}"
+    state: "{{ keystone_package_state }}"
+  register: install_packages
+  until: install_packages|success
+  retries: 5
+  delay: 2
+  with_items: "{{ keystone_mod_wsgi_distro_packages }}"
+  when:
+    - keystone_mod_wsgi_enabled | bool
 
 - name: Install Nginx yum packages
   yum:
@@ -68,7 +80,7 @@
   delay: 2
   with_items: "{{ keystone_nginx_distro_packages }}"
   when:
-    - not keystone_apache_mod_wsgi_enabled | bool
+    - not keystone_apache_enabled | bool
 
 - name: Install IdP yum packages
   yum:

tasks/keystone_nginx.yml

@@ -19,7 +19,6 @@
     state: stopped
     pattern: "{{ keystone_system_service_name }}"
   failed_when: false
-  when: not keystone_apache_mod_wsgi_enabled | bool
 
 - name: Disable default configuration
   file:

tasks/main.yml

@@ -21,6 +21,15 @@
   tags:
     - always
 
+- name: Fail if incompatible configuration detected
+  fail:
+    msg: "keystone_apache_enabled must be True when keystone_mod_wsgi_enabled."
+  when:
+    - not keystone_apache_enabled | bool
+    - keystone_mod_wsgi_enabled | bool
+  tags:
+    - always
+
 - name: Gather variables for each operating system
   include_vars: "{{ item }}"
   with_first_found:
@@ -99,20 +108,19 @@
   tags:
     - keystone-install
     - keystone-config
-  when: keystone_apache_mod_wsgi_enabled | bool
+  when: keystone_apache_enabled | bool
 
 - include: keystone_nginx.yml
   tags:
     - keystone-install
     - keystone-config
-  when: not keystone_apache_mod_wsgi_enabled | bool
+  when: not keystone_apache_enabled | bool
 
 - include: keystone_uwsgi.yml
   tags:
     - keystone-install
     - keystone-config
-  when:
-    - not keystone_apache_mod_wsgi_enabled | bool
+  when: not keystone_apache_enabled | bool
 
 - name: Flush handlers
   meta: flush_handlers

tox.ini

@@ -144,17 +144,23 @@ commands =
     ansible-lint {toxinidir}
 
 
+[testenv:func_base]
+# NOTE(odyssey4me): this target does not use constraints because
+# it doesn't work in OpenStack-CI yet. Once that's fixed, we can
+# drop the install_command.
+install_command =
+    pip install -U --force-reinstall {opts} {packages}
+
+
 [testenv:functional]
 # Ignore_errors is set to true so that the logs are collected at the
 #  end of the run. This will not produce a failse positive. Any
 #  exception will be mark the run as "failed" and exit 1 after all of
 #  the commands have been iterated through.
 ignore_errors = True
-# NOTE(odyssey4me): this target does not use constraints because
-# it doesn't work in OpenStack-CI yet. Once that's fixed, we can
-# drop the install_command.
+# NOTE(andymccr): this target will test keystone with apache & mod_wsgi
 install_command =
-    pip install -U --force-reinstall {opts} {packages}
+    {[testenv:func_base]install_command}
 deps =
     {[testenv:ansible]deps}
 setenv =
@@ -168,10 +174,16 @@ commands =
     bash -c 'mkdir -p {toxinidir}/logs'
     bash -c 'rsync -av --ignore-errors /var/log/ /openstack/log/ {toxinidir}/logs/ || true'
 
+
+[testenv:func_uwsgi_nginx]
+# Ignore_errors is set to true so that the logs are collected at the
+#  end of the run. This will not produce a failse positive. Any
+#  exception will be mark the run as "failed" and exit 1 after all of
+#  the commands have been iterated through.
+ignore_errors = True
 # NOTE(andymccr): this will test keystone with uwsgi & nginx
-[testenv:func_uwsgi-nginx]
 install_command =
-    pip install -U --force-reinstall {opts} {packages}
+    {[testenv:func_base]install_command}
 deps =
     {[testenv:ansible]deps}
 setenv =
@@ -181,8 +193,11 @@ commands =
     ansible-playbook -i {toxinidir}/tests/inventory \
                      -e "rolename={toxinidir}" \
                      -e "install_test_packages=True" \
-                     -e "keystone_apache_mod_wsgi_enabled=False" \
+                     -e "keystone_apache_enabled=False" \
+                     -e "keystone_mod_wsgi_enabled=False" \
                      {toxinidir}/tests/test.yml -vvvv
+    bash -c 'mkdir -p {toxinidir}/logs'
+    bash -c 'rsync -av --ignore-errors /var/log/ /openstack/log/ {toxinidir}/logs/ || true'
 
 
 [testenv:linters]

vars/redhat-7.yml

@@ -30,8 +30,6 @@ keystone_distro_packages:
   - libgsasl-devel
   - libxml2-devel
   - libxslt-devel
-  - mod_ssl
-  - mod_wsgi
   - openldap
   - openldap-devel
   - openssl
@@ -41,6 +39,10 @@ keystone_distro_packages:
 keystone_apache_distro_packages:
   - httpd
   - httpd-tools
+  - mod_ssl
+
+keystone_mod_wsgi_distro_packages:
+  - mod_wsgi
 
 keystone_nginx_distro_packages:
   - nginx

vars/ubuntu-14.04.yml

@@ -32,6 +32,8 @@ keystone_distro_packages:
 keystone_apache_distro_packages:
   - apache2
   - apache2-utils
+
+keystone_mod_wsgi_distro_packages:
   - libapache2-mod-wsgi
 
 keystone_nginx_distro_packages:

vars/ubuntu-16.04.yml

@@ -32,6 +32,8 @@ keystone_distro_packages:
 keystone_apache_distro_packages:
   - apache2
   - apache2-utils
+
+keystone_mod_wsgi_distro_packages:
   - libapache2-mod-wsgi
 
 keystone_nginx_distro_packages: