From ff8615d1f004e7284ff2ca20bd4e3b7141c4a1fb Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Mon, 21 Mar 2016 22:07:46 -0400 Subject: [PATCH] Added apache component Add test and mods for deployment as an apache module Change-Id: I6f693c0aa41af7190b4466910795a07546347ce5 --- manifests/api.pp | 49 ++++-- manifests/params.pp | 4 +- manifests/wsgi/apache.pp | 235 +++++++++++++++++++++++++ spec/acceptance/basic_barbican_spec.rb | 10 +- 4 files changed, 282 insertions(+), 16 deletions(-) create mode 100644 manifests/wsgi/apache.pp diff --git a/manifests/api.pp b/manifests/api.pp index 679fbad5..91e9e0d8 100644 --- a/manifests/api.pp +++ b/manifests/api.pp @@ -204,6 +204,15 @@ # automatically when the server starts. # Defaults to $::os_service_default # +# [*service_name*] +# (optional) Name of the service that will be providing the +# server functionality of barbican-api. +# If the value is 'httpd', this means barbican-api will be a web +# service, and you must use another class to configure that +# web service. For example, use class { 'barbican::wsgi::apache'...} +# to make barbican-api be a web app using apache mod_wsgi. +# Defaults to 'barbican-api' +# class barbican::api ( $ensure_package = 'present', $client_package_ensure = 'present', @@ -250,6 +259,7 @@ class barbican::api ( $enabled = true, $sync_db = true, $db_auto_create = $::os_service_default, + $service_name = 'barbican-api', ) inherits barbican::params { include ::barbican::db @@ -271,7 +281,7 @@ class barbican::api ( owner => 'root', group => 'barbican', require => Package['barbican-api'], - notify => Service['barbican-api'], + notify => Service[$service_name], } file { ['/etc/barbican/barbican.conf', @@ -279,7 +289,7 @@ class barbican::api ( '/etc/barbican/gunicorn-config.py']: ensure => present, require => Package['barbican-api'], - notify => Service['barbican-api'], + notify => Service[$service_name], } package { 'barbican-api': 
@@ -290,8 +300,8 @@ class barbican::api ( File['/etc/barbican/barbican.conf'] -> Barbican_config<||> File['/etc/barbican/barbican-api-paste.ini'] -> Barbican_api_paste_ini<||> - Barbican_config<||> ~> Service['barbican-api'] - Barbican_api_paste_ini<||> ~> Service['barbican-api'] + Barbican_config<||> ~> Service[$service_name] + Barbican_api_paste_ini<||> ~> Service[$service_name] # basic service config if $host_href == undef { @@ -311,7 +321,7 @@ class barbican::api ( path => '/etc/barbican/gunicorn-config.py', line => "bind = '${bind_host}:${bind_port}'", match => '.*bind = .*', - } -> Service['barbican-api'] + } -> Service[$service_name] #rabbit config if $rpc_backend in [$::os_service_default, 'rabbit'] { @@ -403,13 +413,28 @@ class barbican::api ( include ::barbican::db::sync } - service { 'barbican-api': - ensure => $service_ensure, - name => $::barbican::params::api_service_name, - enable => $enabled, - hasstatus => true, - hasrestart => true, - tag => 'barbican-service', + if $service_name == 'barbican-api' { + service { 'barbican-api': + ensure => $service_ensure, + name => $::barbican::params::api_service_name, + enable => $enabled, + hasstatus => true, + hasrestart => true, + tag => 'barbican-service', + } + } elsif $service_name == 'httpd' { + include ::apache::params + service { 'barbican-api': + ensure => 'stopped', + name => $::barbican::params::api_service_name, + enable => false, + tag => 'barbican-service', + } + + # we need to make sure barbican-api is stopped before trying to start apache + Service['barbican-api'] -> Service[$service_name] + } else { + fail('Invalid service_name. Use barbican-api for stand-alone or httpd') } } diff --git a/manifests/params.pp b/manifests/params.pp index 2d2babef..acb54c03 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
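Review bot: In the `elsif $service_name == 'httpd'` branch nothing carries this class's `bind_host` and `bind_port` over to the listener that will actually serve the API. The `file_line` in the previous hunk still writes them into gunicorn-config.py, while `barbican::wsgi::apache` (added in this commit) takes its own `bind_host`, which defaults to undef and is documented as listening on all IP addresses. An operator who narrowed `bind_host` on `barbican::api` would therefore get a wider listener for the Barbican API after switching to httpd, with no warning. I would document this on the `service_name` parameter, for example `# When set to 'httpd', bind_host and bind_port are not applied to Apache; set them on barbican::wsgi::apache.` The class body starts and continues outside this hunk, so any other handling of these parameters is not visible here.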
@@ -11,7 +11,7 @@ class barbican::params { $worker_service_name = 'openstack-barbican-worker' $client_package_name = 'python-barbicanclient' $barbican_wsgi_script_path = '/var/www/cgi-bin/barbican' - $barbican_wsgi_script_source = '/usr/share/barbican/barbican.wsgi' + $barbican_wsgi_script_source = '/usr/lib/python2.7/site-packages/barbican/api/app.wsgi' $paste_config = '/etc/barbican/barbican-api-paste.ini' $dogtag_client_package = 'pki-base' } @@ -20,7 +20,7 @@ class barbican::params { $service_name = 'openstack-barbican' $client_package_name = 'python-barbicanclient' $barbican_wsgi_script_path = '/var/www/cgi-bin/barbican' - $barbican_wsgi_script_source = '/usr/share/barbican/barbican.wsgi' + $barbican_wsgi_script_source = '/usr/lib/python2.7/site-packages/barbican/api/app.wsgi' $paste_config = '/etc/barbican/barbican-api-paste.ini' $dogtag_client_package = 'pki-base' } diff --git a/manifests/wsgi/apache.pp b/manifests/wsgi/apache.pp new file mode 100644 index 00000000..c74f5871 --- /dev/null +++ b/manifests/wsgi/apache.pp 
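Review bot: `$barbican_wsgi_script_source` now hard-codes `/usr/lib/python2.7/site-packages/barbican/api/app.wsgi`, which ties the manifest to one interpreter version and one packaging layout; the same literal is repeated in the second hunk of this file (`@@ -20,7 +20,7 @@`). `barbican::wsgi::apache` uses this value as the `source` or `target` of the script Apache runs, so on a host where the package installs elsewhere the file resource fails or, with `wsgi_script_ensure => 'link'`, leaves a dangling link. Which OS family each block belongs to is outside both hunks, so confirm that the second one really uses `site-packages`. At minimum I would add a comment above each assignment such as `# tied to the python2.7 site-packages layout of the barbican package; keep in sync with packaging`.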
@@ -0,0 +1,235 @@
+#
+# Class to serve barbican with apache mod_wsgi in place of barbican service
+#
+# Serving barbican from apache is the recommended way to go for production
+# systems as the current barbican implementation is not multi-processor aware,
+# thus limiting the performance for concurrent accesses.
+#
+# When using this class you should disable your barbican service.
+#
+# == Parameters
+#
+# [*servername*]
+# The servername for the virtualhost.
+# Optional. Defaults to $::fqdn
+#
+# [*public_port*]
+# The public port.
+# Optional. Defaults to 9311
+#
+# [*bind_host*]
+# The host/ip address Apache will listen on.
+# Optional. Defaults to undef (listen on all ip addresses).
+#
+# [*public_path*]
+# The prefix for the public endpoint.
+# Optional. Defaults to '/'
+#
+# [*ssl*]
+# Use ssl ? (boolean)
+# Optional. Defaults to true
+#
+# [*workers*]
+# Number of WSGI workers to spawn.
+# Optional. Defaults to 1
+#
+# [*ssl_cert*]
+# (optional) Path to SSL certificate
+# Default to apache::vhost 'ssl_*' defaults.
+#
+# [*ssl_key*]
+# (optional) Path to SSL key
+# Default to apache::vhost 'ssl_*' defaults.
+#
+# [*ssl_chain*]
+# (optional) SSL chain
+# Default to apache::vhost 'ssl_*' defaults.
+#
+# [*ssl_ca*]
+# (optional) Path to SSL certificate authority
+# Default to apache::vhost 'ssl_*' defaults.
+#
+# [*ssl_crl_path*]
+# (optional) Path to SSL certificate revocation list
+# Default to apache::vhost 'ssl_*' defaults.
+#
+# [*ssl_crl*]
+# (optional) SSL certificate revocation list name
+# Default to apache::vhost 'ssl_*' defaults.
+#
+# [*ssl_certs_dir*]
+# apache::vhost ssl parameters.
+# Optional. Default to apache::vhost 'ssl_*' defaults.
+#
+# [*priority*]
+# (optional) The priority for the vhost.
+# Defaults to '10'
+#
+# [*threads*]
+# (optional) The number of threads for the vhost.
+# Defaults to $::processorcount
+#
+# [*wsgi_script_ensure*]
+# (optional) File ensure parameter for wsgi scripts.
+# Defaults to 'file'.
+#
+# [*wsgi_script_source*]
+# (optional) Wsgi script source.
+# Defaults to undef.
+#
+# [*wsgi_application_group*]
+# (optional) The application group of the WSGI script.
+# Defaults to '%{GLOBAL}'
+#
+# [*wsgi_pass_authorization*]
+# (optional) Whether HTTP authorisation headers are passed through to a WSGI
+# script when the equivalent HTTP request headers are present.
+# Defaults to 'On'
+#
+# [*access_log_format*]
+# The log format for the virtualhost.
+# Optional. Defaults to false.
+#
+# [*vhost_custom_fragment*]
+# (optional) Passes a string of custom configuration
+# directives to be placed at the end of the vhost configuration.
+# Defaults to undef.
+#
+# == Dependencies
+#
+# requires Class['apache'] & Class['barbican']
+#
+# == Examples
+#
+# include apache
+#
+# class { 'barbican::wsgi::apache': }
+#
+# == Authors
+#
+# Ade Lee
+#
+# == Copyright
+#
+# Copyright 2015 Red Hat Inc.
+#
+class barbican::wsgi::apache (
+ $servername = $::fqdn,
+ $public_port = 9311,
+ $bind_host = undef,
+ $public_path = '/',
+ $ssl = true,
+ $workers = 1,
+ $ssl_cert = undef,
+ $ssl_key = undef,
+ $ssl_chain = undef,
+ $ssl_ca = undef,
+ $ssl_crl_path = undef,
+ $ssl_crl = undef,
+ $ssl_certs_dir = undef,
+ $threads = $::processorcount,
+ $priority = '10',
+ $wsgi_script_ensure = 'file',
+ $wsgi_script_source = undef,
+ $wsgi_application_group = '%{GLOBAL}',
+ $wsgi_pass_authorization = 'On',
+
+ $access_log_format = false,
+ $vhost_custom_fragment = undef,
+) {
+
+ include ::barbican::params
+ include ::apache
+ include ::apache::mod::wsgi
+ if $ssl {
+ include ::apache::mod::ssl
+ }
+
+ Package['barbican-api'] -> Package['httpd']
+ Package['barbican-api'] ~> Service['httpd']
+ Barbican_config <| |> ~> Service['httpd']
+ Service['httpd'] -> Keystone_endpoint <| |>
+ Service['httpd'] -> Keystone_role <| |>
+ Service['httpd'] -> Keystone_service <| |>
+ Service['httpd'] -> Keystone_tenant <| |>
+ Service['httpd'] -> Keystone_user <| |>
+ Service['httpd'] ->
Keystone_user_role <| |>
+
+ ## Sanitize parameters
+
+ # Ensure there's no trailing '/' except if this is also the only character
+ $public_path_real = regsubst($public_path, '(^/.*)/$', '\1')
+
+ file { $::barbican::params::barbican_wsgi_script_path:
+ ensure => directory,
+ owner => 'barbican',
+ group => 'barbican',
+ require => Package['httpd'],
+ }
+
+ $wsgi_files = {
+ 'barbican_wsgi_main' => {
+ 'path' => "${::barbican::params::barbican_wsgi_script_path}/main",
+ },
+ }
+
+ $wsgi_file_defaults = {
+ 'ensure' => $wsgi_script_ensure,
+ 'owner' => 'barbican',
+ 'group' => 'barbican',
+ 'mode' => '0644',
+ 'require' => [File[$::barbican::params::barbican_wsgi_script_path], Package['barbican-api']],
+ }
+
+ $wsgi_script_source_real = $wsgi_script_source ? {
+ default => $wsgi_script_source,
+ undef => $::barbican::params::barbican_wsgi_script_source,
+ }
+
+ case $wsgi_script_ensure {
+ 'link': { $wsgi_file_source = { 'target' => $wsgi_script_source_real } }
+ default: { $wsgi_file_source = { 'source' => $wsgi_script_source_real } }
+ }
+
+ create_resources('file', $wsgi_files, merge($wsgi_file_defaults, $wsgi_file_source))
+
+ $wsgi_daemon_process_options_main = {
+ user => 'barbican',
+ group => 'barbican',
+ processes => $workers,
+ threads => $threads,
+ display-name => 'barbican-api',
+ }
+
+ $wsgi_script_aliases_main = hash([$public_path_real,"${::barbican::params::barbican_wsgi_script_path}/main"])
+ $wsgi_script_aliases_main_real = $wsgi_script_aliases_main
+
+ ::apache::vhost { 'barbican_wsgi_main':
+ ensure => 'present',
+ servername => $servername,
+ ip => $bind_host,
+ port => $public_port,
+ docroot => $::barbican::params::barbican_wsgi_script_path,
+ docroot_owner => 'barbican',
+ docroot_group => 'barbican',
+ priority => $priority,
+ ssl => $ssl,
+ ssl_cert => $ssl_cert,
+ ssl_key => $ssl_key,
+ ssl_chain => $ssl_chain,
+ ssl_ca => $ssl_ca,
+ ssl_crl_path => $ssl_crl_path,
+ ssl_crl => $ssl_crl,
+ ssl_certs_dir => $ssl_certs_dir,
+
wsgi_daemon_process => 'barbican-api', + wsgi_daemon_process_options => $wsgi_daemon_process_options_main, + wsgi_process_group => 'barbican-api', + wsgi_script_aliases => $wsgi_script_aliases_main_real, + wsgi_application_group => $wsgi_application_group, + wsgi_pass_authorization => $wsgi_pass_authorization, + custom_fragment => $vhost_custom_fragment, + require => File['barbican_wsgi_main'], + access_log_format => $access_log_format, + log_level => 'debug', + } +} diff --git a/spec/acceptance/basic_barbican_spec.rb b/spec/acceptance/basic_barbican_spec.rb index 23ba7197..7c24dba3 100644 --- a/spec/acceptance/basic_barbican_spec.rb +++ b/spec/acceptance/basic_barbican_spec.rb @@ -1,5 +1,5 @@ require 'spec_helper_acceptance' -describe 'barbican::api class' do +describe 'barbican::api basic test class' do context 'default parameters' do pp= <<-EOS include ::openstack_integration @@ -41,9 +41,15 @@ describe 'barbican::api class' do host_href => 'http://localhost:9311', auth_type => 'keystone', keystone_password => 'a_big_secret', + service_name => 'httpd', enabled_certificate_plugins => ['snakeoil_ca'], db_auto_create => false, } + + include ::apache + class { '::barbican::wsgi::apache': + ssl => false, + } } } EOS @@ -72,7 +78,7 @@ describe 'barbican::api class' do end describe port(9311) do - it { is_expected.to be_listening.with('tcp') } + it { is_expected.to be_listening } end end end
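Review bot: The `::apache::vhost` resource at the end of the class hard-codes `log_level => 'debug'`, and the class exposes no parameter to change it. The header comment recommends this class for production systems, and the same vhost sets `wsgi_pass_authorization => 'On'`, so every deployment gets debug-level module logging on the endpoint that receives authentication headers and secret payloads. What exactly reaches the error log depends on the modules loaded, but it is at least a log-volume and information-exposure risk that operators cannot turn off. I would add a documented class parameter `$log_level = undef` and pass `log_level => $log_level,` to the vhost, assuming apache::vhost treats undef as "use the server default" (confirm against the apache module version in use).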
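Review bot: The manifest under test now sets `service_name => 'httpd'`, but the only assertion on the result is `describe port(9311)` with `be_listening`, which would also pass if the standalone barbican service were still the process bound to the port. Nothing checks the two outcomes this commit introduces in `barbican::api`: the standalone service stopped and disabled, and Apache running in its place. The test also applies only `ssl => false`, while the class default is `ssl => true`, so the TLS vhost path is never exercised. I would add `describe service(...)` examples for both services, with names taken from the module's params for the platform under test, and, if the CI image allows it, a second context that leaves `ssl` at its default.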