Add manifests to deploy APIs over httpd

This includes a resource that will generically create the vhost for
the specified API.

Co-Authored-By: Thomas Herve <therve@redhat.com>
Depends-On: I9a9246522810de546a7c460ab1133d6bf9081a15
Change-Id: I253f46f5ad943971dd9ea6995591c72a36953bdb
Juan Antonio Osorio Robles
2016-11-08 11:08:43 +02:00
parent d5ca9fb1b3
commit fe394add6f
15 changed files with 841 additions and 38 deletions


@@ -42,6 +42,15 @@
# Required when $use_ssl is set to 'true'.
# Defaults to $::os_service_default.
#
# [*service_name*]
# (optional) Name of the service that will be providing the
# server functionality of heat-api.
# If the value is 'httpd', this means heat-api will be a web
# service, and you must use another class to configure that
# web service. For example, use class { 'heat::wsgi::apache_api'...}
# to make heat-api be a web app using apache mod_wsgi.
# Defaults to '$::heat::params::api_service_name'
#
# === Deprecated Parameters
#
# No Deprecated Parameters.
@@ -56,7 +65,8 @@ class heat::api (
$use_ssl = false,
$cert_file = $::os_service_default,
$key_file = $::os_service_default,
) {
$service_name = $::heat::params::api_service_name,
) inherits heat::params {
include ::heat
include ::heat::deps
@@ -86,13 +96,29 @@ class heat::api (
}
}
service { 'heat-api':
ensure => $service_ensure,
name => $::heat::params::api_service_name,
enable => $enabled,
hasstatus => true,
hasrestart => true,
tag => 'heat-service',
if $service_name == $::heat::params::api_service_name {
service { 'heat-api':
ensure => $service_ensure,
name => $::heat::params::api_service_name,
enable => $enabled,
hasstatus => true,
hasrestart => true,
tag => 'heat-service',
}
} elsif $service_name == 'httpd' {
include ::apache::params
service { 'heat-api':
ensure => 'stopped',
name => $::heat::params::api_service_name,
enable => false,
tag => ['heat-service'],
}
# we need to make sure heat-api/eventlet is stopped before trying to start apache
Service['heat-api'] -> Service[$service_name]
} else {
fail("Invalid service_name. Either heat-api/openstack-heat-api for \
running as a standalone service, or httpd for being run by a httpd server")
}
heat_config {
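Review bot: In the `elsif $service_name == 'httpd'` branch, `Service['heat-api'] -> Service[$service_name]` points at a `Service['httpd']` resource that nothing visible in this class declares; `include ::apache::params` only loads variables. If the node does not also declare `heat::wsgi::apache_api` (or otherwise include `::apache`), compilation will presumably fail on the unresolved reference, and in any case this branch stops and disables the eventlet service regardless of `$enabled`. Either state that hard requirement in the `service_name` parameter doc, or express the ordering with a collector such as `Service['heat-api'] -> Service<| title == 'httpd' |>` so it only applies when the resource exists. The same pattern is repeated in heat::api_cfn and heat::api_cloudwatch. The class body starts and ends outside these hunks.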


@@ -45,6 +45,15 @@
# Required when $use_ssl is set to 'true'.
# Defaults to $::os_service_default.
#
# [*service_name*]
# (optional) Name of the service that will be providing the
# server functionality of heat-api-cfn.
# If the value is 'httpd', this means heat-api-cfn will be a web
# service, and you must use another class to configure that
# web service. For example, use class { 'heat::wsgi::apache_api_cfn'...}
# to make heat-api-cfn be a web app using apache mod_wsgi.
# Defaults to '$::heat::params::api_cfn_service_name'
#
# == Deprecated Parameters
#
# No Deprecated Parameters.
@@ -59,7 +68,8 @@ class heat::api_cfn (
$use_ssl = false,
$cert_file = $::os_service_default,
$key_file = $::os_service_default,
) {
$service_name = $::heat::params::api_cfn_service_name,
) inherits heat::params {
include ::heat
include ::heat::deps
@@ -89,13 +99,29 @@ class heat::api_cfn (
}
}
service { 'heat-api-cfn':
ensure => $service_ensure,
name => $::heat::params::api_cfn_service_name,
enable => $enabled,
hasstatus => true,
hasrestart => true,
tag => 'heat-service',
if $service_name == $::heat::params::api_cfn_service_name {
service { 'heat-api-cfn':
ensure => $service_ensure,
name => $::heat::params::api_cfn_service_name,
enable => $enabled,
hasstatus => true,
hasrestart => true,
tag => 'heat-service',
}
} elsif $service_name == 'httpd' {
include ::apache::params
service { 'heat-api-cfn':
ensure => 'stopped',
name => $::heat::params::api_cfn_service_name,
enable => false,
tag => ['heat-service'],
}
# we need to make sure heat-api-cfn/eventlet is stopped before trying to start apache
Service['heat-api-cfn'] -> Service[$service_name]
} else {
fail("Invalid service_name. Either heat-api-cfn/openstack-heat-api-cfn for \
running as a standalone service, or httpd for being run by a httpd server")
}
heat_config {


@@ -44,6 +44,16 @@
# Required when $use_ssl is set to 'true'.
# Defaults to $::os_service_default.
#
# [*service_name*]
# (optional) Name of the service that will be providing the
# server functionality of heat-api-cloudwatch.
# If the value is 'httpd', this means heat-api-cloudwatch will be a web
# service, and you must use another class to configure that
# web service. For example, use
# class{ 'heat::wsgi::apache_api_cloudwatch'...} to make heat-api-cloudwatch
# be a web app using apache mod_wsgi.
# Defaults to '$::heat::params::api_cloudwatch_service_name'
#
# == Deprecated Parameters
#
# No Deprecated Parameters.
@@ -58,7 +68,8 @@ class heat::api_cloudwatch (
$use_ssl = false,
$cert_file = $::os_service_default,
$key_file = $::os_service_default,
) {
$service_name = $::heat::params::api_cloudwatch_service_name,
) inherits heat::params {
include ::heat
include ::heat::deps
@@ -88,13 +99,29 @@ class heat::api_cloudwatch (
}
}
service { 'heat-api-cloudwatch':
ensure => $service_ensure,
name => $::heat::params::api_cloudwatch_service_name,
enable => $enabled,
hasstatus => true,
hasrestart => true,
tag => 'heat-service',
if $service_name == $::heat::params::api_cloudwatch_service_name {
service { 'heat-api-cloudwatch':
ensure => $service_ensure,
name => $::heat::params::api_cloudwatch_service_name,
enable => $enabled,
hasstatus => true,
hasrestart => true,
tag => 'heat-service',
}
} elsif $service_name == 'httpd' {
include ::apache::params
service { 'heat-api-cloudwatch':
ensure => 'stopped',
name => $::heat::params::api_cloudwatch_service_name,
enable => false,
tag => ['heat-service'],
}
# we need to make sure heat-api-cloudwatch/eventlet is stopped before trying to start apache
Service['heat-api-cloudwatch'] -> Service[$service_name]
} else {
fail("Invalid service_name. Either heat-api-cloudwatch/openstack-heat-api-cloudwatch for \
running as a standalone service, or httpd for being run by a httpd server")
}
heat_config {


@@ -20,6 +20,11 @@ class heat::params {
$api_cloudwatch_service_name = 'openstack-heat-api-cloudwatch'
$api_cfn_service_name = 'openstack-heat-api-cfn'
$engine_service_name = 'openstack-heat-engine'
# WSGI scripts
$heat_wsgi_script_path = '/var/www/cgi-bin/heat'
$heat_api_wsgi_script_source = '/usr/bin/heat-wsgi-api'
$heat_api_cfn_wsgi_script_source = '/usr/bin/heat-wsgi-api-cfn'
$heat_api_cloudwatch_wsgi_script_source = '/usr/bin/heat-wsgi-api-cloudwatch'
}
'Debian': {
# package names
@@ -33,6 +38,11 @@ class heat::params {
$api_cloudwatch_service_name = 'heat-api-cloudwatch'
$api_cfn_service_name = 'heat-api-cfn'
$engine_service_name = 'heat-engine'
# WSGI scripts
$heat_wsgi_script_path = '/usr/lib/cgi-bin/heat'
$heat_api_wsgi_script_source = '/usr/bin/heat-wsgi-api'
$heat_api_cfn_wsgi_script_source = '/usr/bin/heat-wsgi-api-cfn'
$heat_api_cloudwatch_wsgi_script_source = '/usr/bin/heat-wsgi-api-cloudwatch'
# Operating system specific
case $::operatingsystem {
'Ubuntu': {
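Review bot: The new `heat_*_wsgi_script_source` variables are resolved by constructed name, via `getvar("::heat::params::heat_${title}_wsgi_script_source")` in manifests/wsgi/apache.pp, so renaming one here would presumably yield an undefined script source rather than a clear error, and that coupling deserves a comment. Something like `# WSGI scripts; names must stay heat_<api>_wsgi_script_source (looked up with getvar in heat::wsgi::apache)` in place of the bare `# WSGI scripts` in both branches would do. The three source paths are also identical for RedHat and Debian and could be set once, but the enclosing `case` starts outside these hunks, so I cannot confirm there is a common place for them.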

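--- a/manifests/wsgi/apache.pp
+++ b/manifests/wsgi/apache.pp
@@ -0,0 +1,133 @@
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Resource to serve Heat API with apache mod_wsgi in place of heat-api service.
+#
+# This is useful for the main API as well as the CFN and Cloudwatch APIs.
+# Serving Heat API from apache is the recommended way to go for production
+# because of limited performance for concurrent accesses when running eventlet.
+#
+# When using this class you should disable your heat-api service.
+#
+# == Parameters
+#
+# [*title*]
+# The heat API that will be running over this vhost.
+# The valid options are "api", "api_cfn" and "api_cloudwatch"
+#
+# [*port*]
+# The port for the specific API.
+#
+# [*servername*]
+# The servername for the virtualhost.
+# Optional. Defaults to $::fqdn
+#
+# [*bind_host*]
+# The host/ip address Apache will listen on.
+# Optional. Defaults to undef (listen on all ip addresses).
+#
+# [*path*]
+# The prefix for the endpoint.
+# Optional. Defaults to '/'
+#
+# [*ssl*]
+# Use ssl ? (boolean)
+# Optional. Defaults to true
+#
+# [*workers*]
+# Number of WSGI workers to spawn.
+# Optional. Defaults to 1
+#
+# [*priority*]
+# (optional) The priority for the vhost.
+# Defaults to '10'
+#
+# [*threads*]
+# (optional) The number of threads for the vhost.
+# Defaults to $::os_workers
+#
+# [*ssl_cert*]
+# [*ssl_key*]
+# [*ssl_chain*]
+# [*ssl_ca*]
+# [*ssl_crl_path*]
+# [*ssl_crl*]
+# [*ssl_certs_dir*]
+# apache::vhost ssl parameters.
+# Optional. Default to apache::vhost 'ssl_*' defaults.
+#
+# == Dependencies
+#
+# requires Class['apache'] & Class['heat']
+#
+# == Examples
+#
+# include apache
+#
+# class { 'heat::wsgi::apache': }
+#
+define heat::wsgi::apache (
+$port,
+$servername = $::fqdn,
+$bind_host = undef,
+$path = '/',
+$ssl = true,
+$workers = 1,
+$ssl_cert = undef,
+$ssl_key = undef,
+$ssl_chain = undef,
+$ssl_ca = undef,
+$ssl_crl_path = undef,
+$ssl_crl = undef,
+$ssl_certs_dir = undef,
+$threads = $::os_workers,
+$priority = '10',
+) {
+if $title !~ /^api(|_cfn|_cloudwatch)$/ {
+fail('The valid options are api, api_cfn, api_cloudwatch')
+}
+include ::heat::deps
+include ::heat::params
+include ::apache
+include ::apache::mod::wsgi
+if $ssl {
+include ::apache::mod::ssl
+}
+::openstacklib::wsgi::apache { "heat_${title}_wsgi":
+bind_host => $bind_host,
+bind_port => $port,
+group => 'heat',
+path => $path,
+priority => $priority,
+servername => $servername,
+ssl => $ssl,
+ssl_ca => $ssl_ca,
+ssl_cert => $ssl_cert,
+ssl_certs_dir => $ssl_certs_dir,
+ssl_chain => $ssl_chain,
+ssl_crl => $ssl_crl,
+ssl_crl_path => $ssl_crl_path,
+ssl_key => $ssl_key,
+threads => $threads,
+user => 'heat',
+workers => $workers,
+wsgi_daemon_process => "heat_${title}",
+wsgi_process_group => "heat_${title}",
+wsgi_script_dir => $::heat::params::heat_wsgi_script_path,
+wsgi_script_file => "heat_${title}",
+wsgi_script_source => getvar("::heat::params::heat_${title}_wsgi_script_source"),
+allow_encoded_slashes => 'on',
+require => Anchor['heat::install::end'],
+}
+}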
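Review bot: `allow_encoded_slashes => 'on'` is set unconditionally and without a comment; with `AllowEncodedSlashes On` Apache decodes `%2F` in the request path before the WSGI application sees it, so any path-based rule in front of Heat and Heat's own routing can disagree about which resource was requested. Please add a comment naming the Heat URLs that need encoded slashes, and check whether `allow_encoded_slashes => 'nodecode'` is sufficient for them. Separately, the header example `class { 'heat::wsgi::apache': }` does not match a define with a required `$port`; something like `heat::wsgi::apache { 'api': port => 8004 }` would be accurate, and "When using this class" should read "this resource".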


@@ -0,0 +1,108 @@
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Resource to serve Heat API with apache mod_wsgi in place of heat-api service.
#
# Serving Heat API from apache is the recommended way to go for production
# because of limited performance for concurrent accesses when running eventlet.
#
# When using this class you should disable your heat-api service.
#
# == Parameters
#
# [*port*]
# The port for the specific API.
#
# [*servername*]
# The servername for the virtualhost.
# Optional. Defaults to $::fqdn
#
# [*bind_host*]
# The host/ip address Apache will listen on.
# Optional. Defaults to undef (listen on all ip addresses).
#
# [*path*]
# The prefix for the endpoint.
# Optional. Defaults to '/'
#
# [*ssl*]
# Use ssl ? (boolean)
# Optional. Defaults to true
#
# [*workers*]
# Number of WSGI workers to spawn.
# Optional. Defaults to 1
#
# [*priority*]
# (optional) The priority for the vhost.
# Defaults to '10'
#
# [*threads*]
# (optional) The number of threads for the vhost.
# Defaults to $::os_workers
#
# [*ssl_cert*]
# [*ssl_key*]
# [*ssl_chain*]
# [*ssl_ca*]
# [*ssl_crl_path*]
# [*ssl_crl*]
# [*ssl_certs_dir*]
# apache::vhost ssl parameters.
# Optional. Default to apache::vhost 'ssl_*' defaults.
#
# == Dependencies
#
# requires Class['apache'] & Class['heat']
#
# == Examples
#
# include apache
#
# class { 'heat::wsgi::apache': }
#
class heat::wsgi::apache_api (
$port = 8004,
$servername = $::fqdn,
$bind_host = undef,
$path = '/',
$ssl = true,
$workers = 1,
$ssl_cert = undef,
$ssl_key = undef,
$ssl_chain = undef,
$ssl_ca = undef,
$ssl_crl_path = undef,
$ssl_crl = undef,
$ssl_certs_dir = undef,
$threads = $::os_workers,
$priority = '10',
) {
heat::wsgi::apache { 'api':
port => $port,
servername => $servername,
bind_host => $bind_host,
path => $path,
ssl => $ssl,
workers => $workers,
ssl_cert => $ssl_cert,
ssl_key => $ssl_key,
ssl_chain => $ssl_chain,
ssl_ca => $ssl_ca,
ssl_crl_path => $ssl_crl_path,
ssl_crl => $ssl_crl,
ssl_certs_dir => $ssl_certs_dir,
threads => $threads,
priority => $priority,
}
}
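Review bot: The header comment is copied from the define and is inaccurate for this class: the example still reads `class { 'heat::wsgi::apache': }` where `class { 'heat::wsgi::apache_api': }` is meant, and `[*port*]` does not mention the 8004 default. I would change the port entry to `# The port for the heat API. Optional. Defaults to 8004` and fix the example. The `[*ssl*]` entry could also say that with `ssl => true` and every `ssl_*` left undef the certificate is whatever apache::vhost defaults to, which operators will normally want to override with a certificate their clients trust. The same header is duplicated in heat::wsgi::apache_api_cfn (default 8000) and heat::wsgi::apache_api_cloudwatch (default 8003).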


@@ -0,0 +1,119 @@
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Resource to serve Heat API with apache mod_wsgi in place of heat-api service.
#
# Serving Heat API from apache is the recommended way to go for production
# because of limited performance for concurrent accesses when running eventlet.
#
# When using this class you should disable your heat-api service.
#
# == Parameters
#
# [*port*]
# The port for the specific API.
#
# [*servername*]
# The servername for the virtualhost.
# Optional. Defaults to $::fqdn
#
# [*bind_host*]
# The host/ip address Apache will listen on.
# Optional. Defaults to undef (listen on all ip addresses).
#
# [*path*]
# The prefix for the endpoint.
# Optional. Defaults to '/'
#
# [*ssl*]
# Use ssl ? (boolean)
# Optional. Defaults to true
#
# [*workers*]
# Number of WSGI workers to spawn.
# Optional. Defaults to 1
#
# [*priority*]
# (optional) The priority for the vhost.
# Defaults to '10'
#
# [*threads*]
# (optional) The number of threads for the vhost.
# Defaults to $::os_workers
#
# [*ssl_cert*]
# [*ssl_key*]
# [*ssl_chain*]
# [*ssl_ca*]
# [*ssl_crl_path*]
# [*ssl_crl*]
# [*ssl_certs_dir*]
# apache::vhost ssl parameters.
# Optional. Default to apache::vhost 'ssl_*' defaults.
#
# == Dependencies
#
# requires Class['apache'] & Class['heat']
#
# == Examples
#
# include apache
#
# class { 'heat::wsgi::apache': }
#
class heat::wsgi::apache_api_cfn (
$port = 8000,
$servername = $::fqdn,
$bind_host = undef,
$path = '/',
$ssl = true,
$workers = 1,
$ssl_cert = undef,
$ssl_key = undef,
$ssl_chain = undef,
$ssl_ca = undef,
$ssl_crl_path = undef,
$ssl_crl = undef,
$ssl_certs_dir = undef,
$threads = $::os_workers,
$priority = '10',
) {
validate_integer($port)
# Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1396553
if $::osfamily == 'RedHat' and $port == 8000 and $::selinux {
exec { "semanage port -m -t http_port_t -p tcp ${port}":
unless => "semanage port -l | grep -q \"http_port_t.*${port}\"",
path => ['/usr/bin', '/usr/sbin'],
notify => Heat::Wsgi::Apache['api_cfn'],
}
}
heat::wsgi::apache { 'api_cfn':
port => $port,
servername => $servername,
bind_host => $bind_host,
path => $path,
ssl => $ssl,
workers => $workers,
ssl_cert => $ssl_cert,
ssl_key => $ssl_key,
ssl_chain => $ssl_chain,
ssl_ca => $ssl_ca,
ssl_crl_path => $ssl_crl_path,
ssl_crl => $ssl_crl,
ssl_certs_dir => $ssl_certs_dir,
threads => $threads,
priority => $priority,
}
}
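Review bot: The `unless` guard `grep -q \"http_port_t.*${port}\"` is unanchored, so on an `http_port_t` line it also succeeds when the digits appear only inside another number (for example a listed 18000); the `semanage` call is then skipped and Apache cannot bind the port under enforcing SELinux. Matching the type line and then the port as a whole word is tighter: `unless => "semanage port -l | grep -E '^http_port_t\\s+tcp' | grep -qw ${port}"`. `validate_integer($port)` is what keeps that interpolation into a shell pipeline safe, so it should stay ahead of the exec. A port passed as the string '8000' may also fail the `$port == 8000` comparison on Puppet 4 and silently skip the workaround.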


@@ -0,0 +1,108 @@
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Resource to serve Heat API with apache mod_wsgi in place of heat-api service.
#
# Serving Heat API from apache is the recommended way to go for production
# because of limited performance for concurrent accesses when running eventlet.
#
# When using this class you should disable your heat-api service.
#
# == Parameters
#
# [*port*]
# The port for the specific API.
#
# [*servername*]
# The servername for the virtualhost.
# Optional. Defaults to $::fqdn
#
# [*bind_host*]
# The host/ip address Apache will listen on.
# Optional. Defaults to undef (listen on all ip addresses).
#
# [*path*]
# The prefix for the endpoint.
# Optional. Defaults to '/'
#
# [*ssl*]
# Use ssl ? (boolean)
# Optional. Defaults to true
#
# [*workers*]
# Number of WSGI workers to spawn.
# Optional. Defaults to 1
#
# [*priority*]
# (optional) The priority for the vhost.
# Defaults to '10'
#
# [*threads*]
# (optional) The number of threads for the vhost.
# Defaults to $::os_workers
#
# [*ssl_cert*]
# [*ssl_key*]
# [*ssl_chain*]
# [*ssl_ca*]
# [*ssl_crl_path*]
# [*ssl_crl*]
# [*ssl_certs_dir*]
# apache::vhost ssl parameters.
# Optional. Default to apache::vhost 'ssl_*' defaults.
#
# == Dependencies
#
# requires Class['apache'] & Class['heat']
#
# == Examples
#
# include apache
#
# class { 'heat::wsgi::apache': }
#
class heat::wsgi::apache_api_cloudwatch (
$port = 8003,
$servername = $::fqdn,
$bind_host = undef,
$path = '/',
$ssl = true,
$workers = 1,
$ssl_cert = undef,
$ssl_key = undef,
$ssl_chain = undef,
$ssl_ca = undef,
$ssl_crl_path = undef,
$ssl_crl = undef,
$ssl_certs_dir = undef,
$threads = $::os_workers,
$priority = '10',
) {
heat::wsgi::apache { 'api_cloudwatch':
port => $port,
servername => $servername,
bind_host => $bind_host,
path => $path,
ssl => $ssl,
workers => $workers,
ssl_cert => $ssl_cert,
ssl_key => $ssl_key,
ssl_chain => $ssl_chain,
ssl_ca => $ssl_ca,
ssl_crl_path => $ssl_crl_path,
ssl_crl => $ssl_crl,
ssl_certs_dir => $ssl_certs_dir,
threads => $threads,
priority => $priority,
}
}