Added apache component

Add test and mods for deployment as an apache module Change-Id: I6f693c0aa41af7190b4466910795a07546347ce5
2016-03-21 22:07:46 -04:00 · 2016-03-21 22:07:46 -04:00 · ff8615d1f0
parent 28abb08c20
commit ff8615d1f0
4 changed files with 282 additions and 16 deletions
--- a/manifests/api.pp
+++ b/manifests/api.pp
@ -204,6 +204,15 @@
 #   automatically when the server starts.
 #   Defaults to $::os_service_default
 #
+# [*service_name*]
+#   (optional) Name of the service that will be providing the
+#   server functionality of barbican-api.
+#   If the value is 'httpd', this means barbican-api will be a web
+#   service, and you must use another class to configure that
+#   web service. For example, use class { 'barbican::wsgi::apache'...}
+#   to make barbican-api be a web app using apache mod_wsgi.
+#   Defaults to 'barbican-api'
+#
 class barbican::api (
  $ensure_package                                = 'present',
  $client_package_ensure                         = 'present',
@ -250,6 +259,7 @@ class barbican::api (
  $enabled                                       = true,
  $sync_db                                       = true,
  $db_auto_create                                = $::os_service_default,
+  $service_name                                  = 'barbican-api',
 ) inherits barbican::params {

  include ::barbican::db
@ -271,7 +281,7 @@ class barbican::api (
    owner   => 'root',
    group   => 'barbican',
    require => Package['barbican-api'],
-    notify  => Service['barbican-api'],
+    notify  => Service[$service_name],
  }

  file { ['/etc/barbican/barbican.conf',
@ -279,7 +289,7 @@ class barbican::api (
          '/etc/barbican/gunicorn-config.py']:
    ensure  => present,
    require => Package['barbican-api'],
-    notify  => Service['barbican-api'],
+    notify  => Service[$service_name],
  }

  package { 'barbican-api':
@ -290,8 +300,8 @@ class barbican::api (

  File['/etc/barbican/barbican.conf']          -> Barbican_config<||>
  File['/etc/barbican/barbican-api-paste.ini'] -> Barbican_api_paste_ini<||>
-  Barbican_config<||>                          ~> Service['barbican-api']
-  Barbican_api_paste_ini<||>                   ~> Service['barbican-api']
+  Barbican_config<||>                          ~> Service[$service_name]
+  Barbican_api_paste_ini<||>                   ~> Service[$service_name]

  # basic service config
  if $host_href == undef {
@ -311,7 +321,7 @@ class barbican::api (
      path  => '/etc/barbican/gunicorn-config.py',
      line  => "bind = '${bind_host}:${bind_port}'",
      match => '.*bind = .*',
-    } -> Service['barbican-api']
+    } -> Service[$service_name]

  #rabbit config
  if $rpc_backend in [$::os_service_default, 'rabbit'] {
@ -403,13 +413,28 @@ class barbican::api (
    include ::barbican::db::sync
  }

-  service { 'barbican-api':
-    ensure     => $service_ensure,
-    name       => $::barbican::params::api_service_name,
-    enable     => $enabled,
-    hasstatus  => true,
-    hasrestart => true,
-    tag        => 'barbican-service',
+  if $service_name == 'barbican-api' {
+    service { 'barbican-api':
+      ensure     => $service_ensure,
+      name       => $::barbican::params::api_service_name,
+      enable     => $enabled,
+      hasstatus  => true,
+      hasrestart => true,
+      tag        => 'barbican-service',
+    }
+  } elsif $service_name == 'httpd' {
+    include ::apache::params
+    service { 'barbican-api':
+      ensure => 'stopped',
+      name   => $::barbican::params::api_service_name,
+      enable => false,
+      tag    => 'barbican-service',
+    }
+
+    # we need to make sure barbican-api is stopped before trying to start apache
+    Service['barbican-api'] -> Service[$service_name]
+  } else {
+    fail('Invalid service_name. Use barbican-api for stand-alone or httpd')
  }

 }
--- a/manifests/params.pp
+++ b/manifests/params.pp
@ -11,7 +11,7 @@ class barbican::params {
      $worker_service_name          = 'openstack-barbican-worker'
      $client_package_name          = 'python-barbicanclient'
      $barbican_wsgi_script_path    = '/var/www/cgi-bin/barbican'
-      $barbican_wsgi_script_source  = '/usr/share/barbican/barbican.wsgi'
+      $barbican_wsgi_script_source  = '/usr/lib/python2.7/site-packages/barbican/api/app.wsgi'
      $paste_config                 = '/etc/barbican/barbican-api-paste.ini'
      $dogtag_client_package        = 'pki-base'
    }
@ -20,7 +20,7 @@ class barbican::params {
      $service_name                 = 'openstack-barbican'
      $client_package_name          = 'python-barbicanclient'
      $barbican_wsgi_script_path    = '/var/www/cgi-bin/barbican'
-      $barbican_wsgi_script_source  = '/usr/share/barbican/barbican.wsgi'
+      $barbican_wsgi_script_source  = '/usr/lib/python2.7/site-packages/barbican/api/app.wsgi'
      $paste_config                 = '/etc/barbican/barbican-api-paste.ini'
      $dogtag_client_package        = 'pki-base'
    }
--- a/manifests/wsgi/apache.pp
+++ b/manifests/wsgi/apache.pp
@ -0,0 +1,235 @@
+#
+# Class to serve barbican with apache mod_wsgi in place of barbican service
+#
+# Serving barbican from apache is the recommended way to go for production
+# systems as the current barbican implementation is not multi-processor aware,
+# thus limiting the performance for concurrent accesses.
+#
+# When using this class you should disable your barbican service.
+#
+# == Parameters
+#
+#   [*servername*]
+#     The servername for the virtualhost.
+#     Optional. Defaults to $::fqdn
+#
+#   [*public_port*]
+#     The public port.
+#     Optional. Defaults to 9311
+#
+#   [*bind_host*]
+#     The host/ip address Apache will listen on.
+#     Optional. Defaults to undef (listen on all ip addresses).
+#
+#   [*public_path*]
+#     The prefix for the public endpoint.
+#     Optional. Defaults to '/'
+#
+#   [*ssl*]
+#     Use ssl ? (boolean)
+#     Optional. Defaults to true
+#
+#   [*workers*]
+#     Number of WSGI workers to spawn.
+#     Optional. Defaults to 1
+#
+#   [*ssl_cert*]
+#     (optional) Path to SSL certificate
+#     Default to apache::vhost 'ssl_*' defaults.
+#
+#   [*ssl_key*]
+#     (optional) Path to SSL key
+#     Default to apache::vhost 'ssl_*' defaults.
+#
+#   [*ssl_chain*]
+#     (optional) SSL chain
+#     Default to apache::vhost 'ssl_*' defaults.
+#
+#   [*ssl_ca*]
+#     (optional) Path to SSL certificate authority
+#     Default to apache::vhost 'ssl_*' defaults.
+#
+#   [*ssl_crl_path*]
+#     (optional) Path to SSL certificate revocation list
+#     Default to apache::vhost 'ssl_*' defaults.
+#
+#   [*ssl_crl*]
+#     (optional) SSL certificate revocation list name
+#     Default to apache::vhost 'ssl_*' defaults.
+#
+#   [*ssl_certs_dir*]
+#     apache::vhost ssl parameters.
+#     Optional. Default to apache::vhost 'ssl_*' defaults.
+#
+#   [*priority*]
+#     (optional) The priority for the vhost.
+#     Defaults to '10'
+#
+#   [*threads*]
+#     (optional) The number of threads for the vhost.
+#     Defaults to $::processorcount
+#
+#   [*wsgi_script_ensure*]
+#     (optional) File ensure parameter for wsgi scripts.
+#     Defaults to 'file'.
+#
+#   [*wsgi_script_source*]
+#     (optional) Wsgi script source.
+#     Defaults to undef.
+#
+#   [*wsgi_application_group*]
+#     (optional) The application group of the WSGI script.
+#     Defaults to '%{GLOBAL}'
+#
+#   [*wsgi_pass_authorization*]
+#     (optional) Whether HTTP authorisation headers are passed through to a WSGI
+#     script when the equivalent HTTP request headers are present.
+#     Defaults to 'On'
+#
+#   [*access_log_format*]
+#     The log format for the virtualhost.
+#     Optional. Defaults to false.
+#
+#   [*vhost_custom_fragment*]
+#     (optional) Passes a string of custom configuration
+#     directives to be placed at the end of the vhost configuration.
+#     Defaults to undef.
+#
+# == Dependencies
+#
+#   requires Class['apache'] & Class['barbican']
+#
+# == Examples
+#
+#   include apache
+#
+#   class { 'barbican::wsgi::apache': }
+#
+# == Authors
+#
+#   Ade Lee <alee@redhat.com>
+#
+# == Copyright
+#
+#   Copyright 2015 Red Hat Inc. <licensing@redhat.com>
+#
+class barbican::wsgi::apache (
+  $servername              = $::fqdn,
+  $public_port             = 9311,
+  $bind_host               = undef,
+  $public_path             = '/',
+  $ssl                     = true,
+  $workers                 = 1,
+  $ssl_cert                = undef,
+  $ssl_key                 = undef,
+  $ssl_chain               = undef,
+  $ssl_ca                  = undef,
+  $ssl_crl_path            = undef,
+  $ssl_crl                 = undef,
+  $ssl_certs_dir           = undef,
+  $threads                 = $::processorcount,
+  $priority                = '10',
+  $wsgi_script_ensure      = 'file',
+  $wsgi_script_source      = undef,
+  $wsgi_application_group  = '%{GLOBAL}',
+  $wsgi_pass_authorization = 'On',
+
+  $access_log_format     = false,
+  $vhost_custom_fragment = undef,
+) {
+
+  include ::barbican::params
+  include ::apache
+  include ::apache::mod::wsgi
+  if $ssl {
+    include ::apache::mod::ssl
+  }
+
+  Package['barbican-api'] -> Package['httpd']
+  Package['barbican-api'] ~> Service['httpd']
+  Barbican_config <| |> ~> Service['httpd']
+  Service['httpd'] -> Keystone_endpoint <| |>
+  Service['httpd'] -> Keystone_role <| |>
+  Service['httpd'] -> Keystone_service <| |>
+  Service['httpd'] -> Keystone_tenant <| |>
+  Service['httpd'] -> Keystone_user <| |>
+  Service['httpd'] -> Keystone_user_role <| |>
+
+  ## Sanitize parameters
+
+  # Ensure there's no trailing '/' except if this is also the only character
+  $public_path_real = regsubst($public_path, '(^/.*)/$', '\1')
+
+  file { $::barbican::params::barbican_wsgi_script_path:
+    ensure  => directory,
+    owner   => 'barbican',
+    group   => 'barbican',
+    require => Package['httpd'],
+  }
+
+  $wsgi_files = {
+    'barbican_wsgi_main'  => {
+      'path' => "${::barbican::params::barbican_wsgi_script_path}/main",
+    },
+  }
+
+  $wsgi_file_defaults = {
+    'ensure'  => $wsgi_script_ensure,
+    'owner'   => 'barbican',
+    'group'   => 'barbican',
+    'mode'    => '0644',
+    'require' => [File[$::barbican::params::barbican_wsgi_script_path], Package['barbican-api']],
+  }
+
+  $wsgi_script_source_real = $wsgi_script_source ? {
+    default => $wsgi_script_source,
+    undef   => $::barbican::params::barbican_wsgi_script_source,
+  }
+
+  case $wsgi_script_ensure {
+    'link':  { $wsgi_file_source = { 'target' => $wsgi_script_source_real } }
+    default: { $wsgi_file_source = { 'source' => $wsgi_script_source_real } }
+  }
+
+  create_resources('file', $wsgi_files, merge($wsgi_file_defaults, $wsgi_file_source))
+
+  $wsgi_daemon_process_options_main = {
+    user         => 'barbican',
+    group        => 'barbican',
+    processes    => $workers,
+    threads      => $threads,
+    display-name => 'barbican-api',
+  }
+
+  $wsgi_script_aliases_main = hash([$public_path_real,"${::barbican::params::barbican_wsgi_script_path}/main"])
+  $wsgi_script_aliases_main_real = $wsgi_script_aliases_main
+
+  ::apache::vhost { 'barbican_wsgi_main':
+    ensure                      => 'present',
+    servername                  => $servername,
+    ip                          => $bind_host,
+    port                        => $public_port,
+    docroot                     => $::barbican::params::barbican_wsgi_script_path,
+    docroot_owner               => 'barbican',
+    docroot_group               => 'barbican',
+    priority                    => $priority,
+    ssl                         => $ssl,
+    ssl_cert                    => $ssl_cert,
+    ssl_key                     => $ssl_key,
+    ssl_chain                   => $ssl_chain,
+    ssl_ca                      => $ssl_ca,
+    ssl_crl_path                => $ssl_crl_path,
+    ssl_crl                     => $ssl_crl,
+    ssl_certs_dir               => $ssl_certs_dir,
+    wsgi_daemon_process         => 'barbican-api',
+    wsgi_daemon_process_options => $wsgi_daemon_process_options_main,
+    wsgi_process_group          => 'barbican-api',
+    wsgi_script_aliases         => $wsgi_script_aliases_main_real,
+    wsgi_application_group      => $wsgi_application_group,
+    wsgi_pass_authorization     => $wsgi_pass_authorization,
+    custom_fragment             => $vhost_custom_fragment,
+    require                     => File['barbican_wsgi_main'],
+    access_log_format           => $access_log_format,
+    log_level                   => 'debug',
+  }
+}
--- a/spec/acceptance/basic_barbican_spec.rb
+++ b/spec/acceptance/basic_barbican_spec.rb
@ -1,5 +1,5 @@
 require 'spec_helper_acceptance'
-describe 'barbican::api class' do
+describe 'barbican::api basic test class' do
  context 'default parameters' do
    pp= <<-EOS
      include ::openstack_integration
@ -41,9 +41,15 @@ describe 'barbican::api class' do
            host_href                         => 'http://localhost:9311',
            auth_type                         => 'keystone',
            keystone_password                 => 'a_big_secret',
+            service_name                      => 'httpd',
            enabled_certificate_plugins       => ['snakeoil_ca'],
            db_auto_create                    => false,
          }
+
+          include ::apache
+          class { '::barbican::wsgi::apache':
+            ssl => false,
+          }
        }
      }
    EOS
@ -72,7 +78,7 @@ describe 'barbican::api class' do
      end

      describe port(9311) do
-        it { is_expected.to be_listening.with('tcp') }
+        it { is_expected.to be_listening }
      end
    end
  end