openstack/puppet-keystone
Code Issues Proposed changes
35e4cb2a7d
puppet-keystone/manifests/wsgi/apache.pp

247 lines
8.4 KiB
ObjectPascal
Raw Normal View History

Enable serving keystone from apache mod_wsgi Serving keystone from a wsgi container is recommended for production setups. SSL is enabled by default. See the following URLs for explanations: http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/ https://etherpad.openstack.org/havana-keystone-performance Documentation in manifests/wsgi/apache.pp Apache can be configured as a drop in replacement for keystone (using ports 5000 & 35357) or with paths using the standard SSL port. See examples in examples/apache_*.pp - Also change some 'real_' prefix into '_real' suffix to respect the coding guide. - Added the '--insecure' option to keystone client in the provider to allow using self-signed certificates. - Fixed parsing the ssl/enable value in the provider. There is no integer verification done in the manifests and to get around a bug in rspec, which has been fixed in https://github.com/rodjek/rspec-puppet/pull/107, certain parameters that should be integer are treated as strings files/httpd/keystone.py updated with lastest from keystone git repo Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c
2013-05-02 18:03:12 +02:00
#
Use openstacklib::wsgi::apache for keystone wsgi This patch changes the usage of the of apache::vhost to openstacklib::wsgi::apache. Also removes the wsgi_script_source param that was deprecated in Mitaka. Fixes and cleans up spec testing, cleans up documentation in the manifest to conform with the overall standard. Depends-On: I31096140a6f355ec99496053fb06ce6c73094180 Change-Id: Ic11a0aea68a04d370453a7e81218642e0e150a9f Closes-Bug: 1657582
2018-04-04 20:12:58 +02:00
# Copyright 2013 eNovance <licensing@enovance.com>
Enable serving keystone from apache mod_wsgi Serving keystone from a wsgi container is recommended for production setups. SSL is enabled by default. See the following URLs for explanations: http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/ https://etherpad.openstack.org/havana-keystone-performance Documentation in manifests/wsgi/apache.pp Apache can be configured as a drop in replacement for keystone (using ports 5000 & 35357) or with paths using the standard SSL port. See examples in examples/apache_*.pp - Also change some 'real_' prefix into '_real' suffix to respect the coding guide. - Added the '--insecure' option to keystone client in the provider to allow using self-signed certificates. - Fixed parsing the ssl/enable value in the provider. There is no integer verification done in the manifests and to get around a bug in rspec, which has been fixed in https://github.com/rodjek/rspec-puppet/pull/107, certain parameters that should be integer are treated as strings files/httpd/keystone.py updated with lastest from keystone git repo Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c
2013-05-02 18:03:12 +02:00
#
Use openstacklib::wsgi::apache for keystone wsgi This patch changes the usage of the of apache::vhost to openstacklib::wsgi::apache. Also removes the wsgi_script_source param that was deprecated in Mitaka. Fixes and cleans up spec testing, cleans up documentation in the manifest to conform with the overall standard. Depends-On: I31096140a6f355ec99496053fb06ce6c73094180 Change-Id: Ic11a0aea68a04d370453a7e81218642e0e150a9f Closes-Bug: 1657582
2018-04-04 20:12:58 +02:00
# Author: Francois Charlier <francois.charlier@enovance.com>
Enable serving keystone from apache mod_wsgi Serving keystone from a wsgi container is recommended for production setups. SSL is enabled by default. See the following URLs for explanations: http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/ https://etherpad.openstack.org/havana-keystone-performance Documentation in manifests/wsgi/apache.pp Apache can be configured as a drop in replacement for keystone (using ports 5000 & 35357) or with paths using the standard SSL port. See examples in examples/apache_*.pp - Also change some 'real_' prefix into '_real' suffix to respect the coding guide. - Added the '--insecure' option to keystone client in the provider to allow using self-signed certificates. - Fixed parsing the ssl/enable value in the provider. There is no integer verification done in the manifests and to get around a bug in rspec, which has been fixed in https://github.com/rodjek/rspec-puppet/pull/107, certain parameters that should be integer are treated as strings files/httpd/keystone.py updated with lastest from keystone git repo Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c
2013-05-02 18:03:12 +02:00
#
Use openstacklib::wsgi::apache for keystone wsgi This patch changes the usage of the of apache::vhost to openstacklib::wsgi::apache. Also removes the wsgi_script_source param that was deprecated in Mitaka. Fixes and cleans up spec testing, cleans up documentation in the manifest to conform with the overall standard. Depends-On: I31096140a6f355ec99496053fb06ce6c73094180 Change-Id: Ic11a0aea68a04d370453a7e81218642e0e150a9f Closes-Bug: 1657582
2018-04-04 20:12:58 +02:00
# == Class: keystone::wsgi::apache
Enable serving keystone from apache mod_wsgi Serving keystone from a wsgi container is recommended for production setups. SSL is enabled by default. See the following URLs for explanations: http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/ https://etherpad.openstack.org/havana-keystone-performance Documentation in manifests/wsgi/apache.pp Apache can be configured as a drop in replacement for keystone (using ports 5000 & 35357) or with paths using the standard SSL port. See examples in examples/apache_*.pp - Also change some 'real_' prefix into '_real' suffix to respect the coding guide. - Added the '--insecure' option to keystone client in the provider to allow using self-signed certificates. - Fixed parsing the ssl/enable value in the provider. There is no integer verification done in the manifests and to get around a bug in rspec, which has been fixed in https://github.com/rodjek/rspec-puppet/pull/107, certain parameters that should be integer are treated as strings files/httpd/keystone.py updated with lastest from keystone git repo Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c
2013-05-02 18:03:12 +02:00
#
Use openstacklib::wsgi::apache for keystone wsgi This patch changes the usage of the of apache::vhost to openstacklib::wsgi::apache. Also removes the wsgi_script_source param that was deprecated in Mitaka. Fixes and cleans up spec testing, cleans up documentation in the manifest to conform with the overall standard. Depends-On: I31096140a6f355ec99496053fb06ce6c73094180 Change-Id: Ic11a0aea68a04d370453a7e81218642e0e150a9f Closes-Bug: 1657582
2018-04-04 20:12:58 +02:00
# Serve keystone with apache mod_wsgi in place of keystone service
Enable serving keystone from apache mod_wsgi Serving keystone from a wsgi container is recommended for production setups. SSL is enabled by default. See the following URLs for explanations: http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/ https://etherpad.openstack.org/havana-keystone-performance Documentation in manifests/wsgi/apache.pp Apache can be configured as a drop in replacement for keystone (using ports 5000 & 35357) or with paths using the standard SSL port. See examples in examples/apache_*.pp - Also change some 'real_' prefix into '_real' suffix to respect the coding guide. - Added the '--insecure' option to keystone client in the provider to allow using self-signed certificates. - Fixed parsing the ssl/enable value in the provider. There is no integer verification done in the manifests and to get around a bug in rspec, which has been fixed in https://github.com/rodjek/rspec-puppet/pull/107, certain parameters that should be integer are treated as strings files/httpd/keystone.py updated with lastest from keystone git repo Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c
2013-05-02 18:03:12 +02:00
# When using this class you should disable your keystone service.
#
# == Parameters
#
Use openstacklib::wsgi::apache for keystone wsgi This patch changes the usage of the of apache::vhost to openstacklib::wsgi::apache. Also removes the wsgi_script_source param that was deprecated in Mitaka. Fixes and cleans up spec testing, cleans up documentation in the manifest to conform with the overall standard. Depends-On: I31096140a6f355ec99496053fb06ce6c73094180 Change-Id: Ic11a0aea68a04d370453a7e81218642e0e150a9f Closes-Bug: 1657582
2018-04-04 20:12:58 +02:00
# [*servername*]
# (Optional) The servername for the virtualhost.
# Defaults to $::fqdn
#
# [*bind_host*]
# (Optional) The host/ip address Apache will listen on.
# Defaults to undef (listen on all ip addresses)
#
Remove port 35357 deployment The legacy admin and public ports for Keystone has since the release of the v3 API not been required as keystone moved all actions to the same API. [1] This patch removes the deployment of port 35357 and remodels puppet-keystone and more specifically the keystone::wsgi::apache class to only deploy keystone on port 5000. This has already been changed in the installation guides [2] and is the recommend way to deploy keystone. We have already prepared all our modules default values to use port 5000 instead of 35357 a while ago and we also in the Rocky release informed our users with a release note that this would be performed [3] [1] https://github.com/openstack/keystone/blob/master/keystone/server/wsgi.py [2] https://docs.openstack.org/keystone/rocky/install/keystone-install-obs.html [3] https://review.openstack.org/#/c/586791/ Closes-Bug: 1804426 Depends-On: https://review.openstack.org/#/c/627793/ Change-Id: I726cd9408d20f868b2b5337ef2df4da458904e51
2018-11-21 15:17:08 +01:00
# [*api_port*]
# (Optional) The keystone API port.
# Defaults to 5000
Use openstacklib::wsgi::apache for keystone wsgi This patch changes the usage of the of apache::vhost to openstacklib::wsgi::apache. Also removes the wsgi_script_source param that was deprecated in Mitaka. Fixes and cleans up spec testing, cleans up documentation in the manifest to conform with the overall standard. Depends-On: I31096140a6f355ec99496053fb06ce6c73094180 Change-Id: Ic11a0aea68a04d370453a7e81218642e0e150a9f Closes-Bug: 1657582
2018-04-04 20:12:58 +02:00
#
Remove port 35357 deployment The legacy admin and public ports for Keystone has since the release of the v3 API not been required as keystone moved all actions to the same API. [1] This patch removes the deployment of port 35357 and remodels puppet-keystone and more specifically the keystone::wsgi::apache class to only deploy keystone on port 5000. This has already been changed in the installation guides [2] and is the recommend way to deploy keystone. We have already prepared all our modules default values to use port 5000 instead of 35357 a while ago and we also in the Rocky release informed our users with a release note that this would be performed [3] [1] https://github.com/openstack/keystone/blob/master/keystone/server/wsgi.py [2] https://docs.openstack.org/keystone/rocky/install/keystone-install-obs.html [3] https://review.openstack.org/#/c/586791/ Closes-Bug: 1804426 Depends-On: https://review.openstack.org/#/c/627793/ Change-Id: I726cd9408d20f868b2b5337ef2df4da458904e51
2018-11-21 15:17:08 +01:00
# [*path*]
# (Optional) The prefix for the API endpoint.
Use openstacklib::wsgi::apache for keystone wsgi This patch changes the usage of the of apache::vhost to openstacklib::wsgi::apache. Also removes the wsgi_script_source param that was deprecated in Mitaka. Fixes and cleans up spec testing, cleans up documentation in the manifest to conform with the overall standard. Depends-On: I31096140a6f355ec99496053fb06ce6c73094180 Change-Id: Ic11a0aea68a04d370453a7e81218642e0e150a9f Closes-Bug: 1657582
2018-04-04 20:12:58 +02:00
# Defaults to '/'
#
# [*ssl*]
# (Optional) Use SSL.
# Defaults to true
#
# [*workers*]
# (Optional) Number of WSGI workers to spawn.
Fix performance regression due to reduced number of keystone workers The puppet-keystone project consolidated keystone applications: https://github.com/openstack/puppet-keystone/commit/ace7aeb3b71b39a59f92fbc9e7f676a70c9a797a#diff-e5968f40345cf5d3be0539fbba87f787 This effectively reduces the number of available workers to process keystone requests since only half the processes are deployed now that the applications are consolidated [0]. As a result, we see a performance regression [1] when interacting with keystone. For example, in earlier versions, an 8 core machine would spawn four processes to serve the keystone-main application. Another four processes would be spawned to serve the keystone-admin application. Now, we only have 4 processes total to serve the entire keystone application. Due to the difference in the number of workers deployed by default, users will experience reduced performance out-of-the-box. This patch not only brings performance back to the previous levels, it is also safe to implement as we are not changing the number of workers when compared to previous releases and only bringing parity. [0] https://github.com/openstack/puppet-openstacklib/blob/master/lib/facter/os_workers.rb#L33 [1] https://bugzilla.redhat.com/show_bug.cgi?id=1789495 Co-Authored-By: Takashi Kajinami <tkajinam@redhat.com> Depends-on: https://review.opendev.org/#/c/705041/ Change-Id: Icf9acaa106af705fa249a2ef2abca9f9a91fba59
2020-01-10 14:28:32 -05:00
# Defaults to $::os_workers_keystone
Use openstacklib::wsgi::apache for keystone wsgi This patch changes the usage of the of apache::vhost to openstacklib::wsgi::apache. Also removes the wsgi_script_source param that was deprecated in Mitaka. Fixes and cleans up spec testing, cleans up documentation in the manifest to conform with the overall standard. Depends-On: I31096140a6f355ec99496053fb06ce6c73094180 Change-Id: Ic11a0aea68a04d370453a7e81218642e0e150a9f Closes-Bug: 1657582
2018-04-04 20:12:58 +02:00
#
# [*ssl_cert*]
# (Optional) Path to SSL certificate
# Default to apache::vhost 'ssl_*' defaults
#
# [*ssl_key*]
# (Optional) Path to SSL key
# Default to apache::vhost 'ssl_*' defaults
#
# [*ssl_chain*]
# (Optional) SSL chain.
# Default to apache::vhost 'ssl_*' defaults
#
# [*ssl_ca*]
# (Optional) Path to SSL certificate authority.
# Default to apache::vhost 'ssl_*' defaults
#
# [*ssl_crl_path*]
# (Optional) Path to SSL certificate revocation list.
# Default to apache::vhost 'ssl_*' defaults
#
# [*ssl_crl*]
# (Optional) SSL certificate revocation list name.
# Default to apache::vhost 'ssl_*' defaults
#
# [*ssl_certs_dir*]
# (Optional) apache::vhost ssl parameters.
# Default to apache::vhost 'ssl_*' defaults
#
# [*priority*]
# (Optional) The priority for the vhost.
# Defaults to '10'
#
# [*threads*]
# (Optional) The number of threads for the vhost.
# Defaults to 1
#
# [*wsgi_application_group*]
# (Optional) The application group of the WSGI script.
# Defaults to '%{GLOBAL}'
#
# [*wsgi_pass_authorization*]
# (Optional) Whether HTTP authorisation headers are passed through to a WSGI
# script when the equivalent HTTP request headers are present.
# Defaults to 'On'
#
Remove port 35357 deployment The legacy admin and public ports for Keystone has since the release of the v3 API not been required as keystone moved all actions to the same API. [1] This patch removes the deployment of port 35357 and remodels puppet-keystone and more specifically the keystone::wsgi::apache class to only deploy keystone on port 5000. This has already been changed in the installation guides [2] and is the recommend way to deploy keystone. We have already prepared all our modules default values to use port 5000 instead of 35357 a while ago and we also in the Rocky release informed our users with a release note that this would be performed [3] [1] https://github.com/openstack/keystone/blob/master/keystone/server/wsgi.py [2] https://docs.openstack.org/keystone/rocky/install/keystone-install-obs.html [3] https://review.openstack.org/#/c/586791/ Closes-Bug: 1804426 Depends-On: https://review.openstack.org/#/c/627793/ Change-Id: I726cd9408d20f868b2b5337ef2df4da458904e51
2018-11-21 15:17:08 +01:00
# [*wsgi_script_source*]
# (Optional) The wsgi script source for the API.
# This source is copied to the apache cgi-bin path as keystone-public.
# Defaults to '/usr/bin/keystone-wsgi-public'
Use openstacklib::wsgi::apache for keystone wsgi This patch changes the usage of the of apache::vhost to openstacklib::wsgi::apache. Also removes the wsgi_script_source param that was deprecated in Mitaka. Fixes and cleans up spec testing, cleans up documentation in the manifest to conform with the overall standard. Depends-On: I31096140a6f355ec99496053fb06ce6c73094180 Change-Id: Ic11a0aea68a04d370453a7e81218642e0e150a9f Closes-Bug: 1657582
2018-04-04 20:12:58 +02:00
#
Remove port 35357 deployment The legacy admin and public ports for Keystone has since the release of the v3 API not been required as keystone moved all actions to the same API. [1] This patch removes the deployment of port 35357 and remodels puppet-keystone and more specifically the keystone::wsgi::apache class to only deploy keystone on port 5000. This has already been changed in the installation guides [2] and is the recommend way to deploy keystone. We have already prepared all our modules default values to use port 5000 instead of 35357 a while ago and we also in the Rocky release informed our users with a release note that this would be performed [3] [1] https://github.com/openstack/keystone/blob/master/keystone/server/wsgi.py [2] https://docs.openstack.org/keystone/rocky/install/keystone-install-obs.html [3] https://review.openstack.org/#/c/586791/ Closes-Bug: 1804426 Depends-On: https://review.openstack.org/#/c/627793/ Change-Id: I726cd9408d20f868b2b5337ef2df4da458904e51
2018-11-21 15:17:08 +01:00
# [*custom_wsgi_process_options*]
Use openstacklib::wsgi::apache for keystone wsgi This patch changes the usage of the of apache::vhost to openstacklib::wsgi::apache. Also removes the wsgi_script_source param that was deprecated in Mitaka. Fixes and cleans up spec testing, cleans up documentation in the manifest to conform with the overall standard. Depends-On: I31096140a6f355ec99496053fb06ce6c73094180 Change-Id: Ic11a0aea68a04d370453a7e81218642e0e150a9f Closes-Bug: 1657582
2018-04-04 20:12:58 +02:00
# (Optional) gives you the oportunity to add custom process options or to
Remove port 35357 deployment The legacy admin and public ports for Keystone has since the release of the v3 API not been required as keystone moved all actions to the same API. [1] This patch removes the deployment of port 35357 and remodels puppet-keystone and more specifically the keystone::wsgi::apache class to only deploy keystone on port 5000. This has already been changed in the installation guides [2] and is the recommend way to deploy keystone. We have already prepared all our modules default values to use port 5000 instead of 35357 a while ago and we also in the Rocky release informed our users with a release note that this would be performed [3] [1] https://github.com/openstack/keystone/blob/master/keystone/server/wsgi.py [2] https://docs.openstack.org/keystone/rocky/install/keystone-install-obs.html [3] https://review.openstack.org/#/c/586791/ Closes-Bug: 1804426 Depends-On: https://review.openstack.org/#/c/627793/ Change-Id: I726cd9408d20f868b2b5337ef2df4da458904e51
2018-11-21 15:17:08 +01:00
# overwrite the default options for the WSGI process.
Use openstacklib::wsgi::apache for keystone wsgi This patch changes the usage of the of apache::vhost to openstacklib::wsgi::apache. Also removes the wsgi_script_source param that was deprecated in Mitaka. Fixes and cleans up spec testing, cleans up documentation in the manifest to conform with the overall standard. Depends-On: I31096140a6f355ec99496053fb06ce6c73094180 Change-Id: Ic11a0aea68a04d370453a7e81218642e0e150a9f Closes-Bug: 1657582
2018-04-04 20:12:58 +02:00
# For example to use a virtual python environment for the WSGI process
# you could set it to:
# { python-path => '/my/python/virtualenv' }
# Defaults to {}
#
# [*access_log_file*]
# (Optional) The log file name for the virtualhost.
# Defaults to false
#
# [*access_log_pipe*]
# (Optional) Specifies a pipe where Apache sends access logs for the virtualhost.
# Defaults to false
#
# [*access_log_syslog*]
# (Optional) Sends the virtualhost access log messages to syslog.
# Defaults to false
#
# [*access_log_format*]
# (Optional) The log format for the virtualhost.
# Defaults to false
#
# [*error_log_file*]
# (Optional) The error log file name for the virtualhost.
# Defaults to undef
#
# [*error_log_pipe*]
# (Optional) Specifies a pipe where Apache sends error logs for the virtualhost.
# Defaults to undef
#
# [*error_log_syslog*]
# (Optional) Sends the virtualhost error log messages to syslog.
# Defaults to undef
#
# [*headers*]
# (Optional) Headers for the vhost.
# Defaults to undef
#
# [*vhost_custom_fragment*]
# (Optional) Passes a string of custom configuration
# directives to be placed at the end of the vhost configuration.
# Defaults to undef
#
# [*wsgi_chunked_request*]
# (Optional) apache::vhost wsgi_chunked_request parameter.
# Defaults to undef
#
Enable serving keystone from apache mod_wsgi Serving keystone from a wsgi container is recommended for production setups. SSL is enabled by default. See the following URLs for explanations: http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/ https://etherpad.openstack.org/havana-keystone-performance Documentation in manifests/wsgi/apache.pp Apache can be configured as a drop in replacement for keystone (using ports 5000 & 35357) or with paths using the standard SSL port. See examples in examples/apache_*.pp - Also change some 'real_' prefix into '_real' suffix to respect the coding guide. - Added the '--insecure' option to keystone client in the provider to allow using self-signed certificates. - Fixed parsing the ssl/enable value in the provider. There is no integer verification done in the manifests and to get around a bug in rspec, which has been fixed in https://github.com/rodjek/rspec-puppet/pull/107, certain parameters that should be integer are treated as strings files/httpd/keystone.py updated with lastest from keystone git repo Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c
2013-05-02 18:03:12 +02:00
class keystone::wsgi::apache (
add parameter to overwrite/add wsgi process options Add two parameters to apache wsgi to allow overwrite and/or add additional wsgi process options. Change-Id: I1be0584befbb0ddd2503c124a05d27adcd25ae2e
2017-06-10 12:00:21 +02:00
$servername = $::fqdn,
$bind_host = undef,
Remove port 35357 deployment The legacy admin and public ports for Keystone has since the release of the v3 API not been required as keystone moved all actions to the same API. [1] This patch removes the deployment of port 35357 and remodels puppet-keystone and more specifically the keystone::wsgi::apache class to only deploy keystone on port 5000. This has already been changed in the installation guides [2] and is the recommend way to deploy keystone. We have already prepared all our modules default values to use port 5000 instead of 35357 a while ago and we also in the Rocky release informed our users with a release note that this would be performed [3] [1] https://github.com/openstack/keystone/blob/master/keystone/server/wsgi.py [2] https://docs.openstack.org/keystone/rocky/install/keystone-install-obs.html [3] https://review.openstack.org/#/c/586791/ Closes-Bug: 1804426 Depends-On: https://review.openstack.org/#/c/627793/ Change-Id: I726cd9408d20f868b2b5337ef2df4da458904e51
2018-11-21 15:17:08 +01:00
$api_port = 5000,
$path = '/',
add parameter to overwrite/add wsgi process options Add two parameters to apache wsgi to allow overwrite and/or add additional wsgi process options. Change-Id: I1be0584befbb0ddd2503c124a05d27adcd25ae2e
2017-06-10 12:00:21 +02:00
$ssl = true,
Fix performance regression due to reduced number of keystone workers The puppet-keystone project consolidated keystone applications: https://github.com/openstack/puppet-keystone/commit/ace7aeb3b71b39a59f92fbc9e7f676a70c9a797a#diff-e5968f40345cf5d3be0539fbba87f787 This effectively reduces the number of available workers to process keystone requests since only half the processes are deployed now that the applications are consolidated [0]. As a result, we see a performance regression [1] when interacting with keystone. For example, in earlier versions, an 8 core machine would spawn four processes to serve the keystone-main application. Another four processes would be spawned to serve the keystone-admin application. Now, we only have 4 processes total to serve the entire keystone application. Due to the difference in the number of workers deployed by default, users will experience reduced performance out-of-the-box. This patch not only brings performance back to the previous levels, it is also safe to implement as we are not changing the number of workers when compared to previous releases and only bringing parity. [0] https://github.com/openstack/puppet-openstacklib/blob/master/lib/facter/os_workers.rb#L33 [1] https://bugzilla.redhat.com/show_bug.cgi?id=1789495 Co-Authored-By: Takashi Kajinami <tkajinam@redhat.com> Depends-on: https://review.opendev.org/#/c/705041/ Change-Id: Icf9acaa106af705fa249a2ef2abca9f9a91fba59
2020-01-10 14:28:32 -05:00
$workers = $::os_workers_keystone,
add parameter to overwrite/add wsgi process options Add two parameters to apache wsgi to allow overwrite and/or add additional wsgi process options. Change-Id: I1be0584befbb0ddd2503c124a05d27adcd25ae2e
2017-06-10 12:00:21 +02:00
$ssl_cert = undef,
$ssl_key = undef,
$ssl_chain = undef,
$ssl_ca = undef,
$ssl_crl_path = undef,
$ssl_crl = undef,
$ssl_certs_dir = undef,
apache wsgi: Exchange defaults for workers and threads Due to Python's GIL [1], we can't use multiple threads for running OpenStack services without a performance penalty, since the execution ends up serialized, which defeats the purpose. Instead, we should use several processes, since this approach doesn't have this limitation. [1] https://wiki.python.org/moin/GlobalInterpreterLock Change-Id: Ifd7ec428442da08d9aa85718b7b8553ca75c1b5c
2017-10-13 07:59:57 +03:00
$threads = 1,
add parameter to overwrite/add wsgi process options Add two parameters to apache wsgi to allow overwrite and/or add additional wsgi process options. Change-Id: I1be0584befbb0ddd2503c124a05d27adcd25ae2e
2017-06-10 12:00:21 +02:00
$priority = '10',
$wsgi_application_group = '%{GLOBAL}',
$wsgi_pass_authorization = 'On',
$wsgi_chunked_request = undef,
Remove port 35357 deployment The legacy admin and public ports for Keystone has since the release of the v3 API not been required as keystone moved all actions to the same API. [1] This patch removes the deployment of port 35357 and remodels puppet-keystone and more specifically the keystone::wsgi::apache class to only deploy keystone on port 5000. This has already been changed in the installation guides [2] and is the recommend way to deploy keystone. We have already prepared all our modules default values to use port 5000 instead of 35357 a while ago and we also in the Rocky release informed our users with a release note that this would be performed [3] [1] https://github.com/openstack/keystone/blob/master/keystone/server/wsgi.py [2] https://docs.openstack.org/keystone/rocky/install/keystone-install-obs.html [3] https://review.openstack.org/#/c/586791/ Closes-Bug: 1804426 Depends-On: https://review.openstack.org/#/c/627793/ Change-Id: I726cd9408d20f868b2b5337ef2df4da458904e51
2018-11-21 15:17:08 +01:00
$wsgi_script_source = '/usr/bin/keystone-wsgi-public',
Add vhost access/error logs file/syslog options Support vhosts logging to syslog. Related-bug: #1700045 Change-Id: If60cb8e31c46e32ba6e04f53ac73a72bf989df2d Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-07-31 14:18:34 +02:00
$access_log_file = false,
$access_log_pipe = false,
$access_log_syslog = false,
add parameter to overwrite/add wsgi process options Add two parameters to apache wsgi to allow overwrite and/or add additional wsgi process options. Change-Id: I1be0584befbb0ddd2503c124a05d27adcd25ae2e
2017-06-10 12:00:21 +02:00
$access_log_format = false,
Add vhost access/error logs file/syslog options Support vhosts logging to syslog. Related-bug: #1700045 Change-Id: If60cb8e31c46e32ba6e04f53ac73a72bf989df2d Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-07-31 14:18:34 +02:00
$error_log_file = undef,
$error_log_pipe = undef,
$error_log_syslog = undef,
add parameter to overwrite/add wsgi process options Add two parameters to apache wsgi to allow overwrite and/or add additional wsgi process options. Change-Id: I1be0584befbb0ddd2503c124a05d27adcd25ae2e
2017-06-10 12:00:21 +02:00
$headers = undef,
$vhost_custom_fragment = undef,
Remove port 35357 deployment The legacy admin and public ports for Keystone has since the release of the v3 API not been required as keystone moved all actions to the same API. [1] This patch removes the deployment of port 35357 and remodels puppet-keystone and more specifically the keystone::wsgi::apache class to only deploy keystone on port 5000. This has already been changed in the installation guides [2] and is the recommend way to deploy keystone. We have already prepared all our modules default values to use port 5000 instead of 35357 a while ago and we also in the Rocky release informed our users with a release note that this would be performed [3] [1] https://github.com/openstack/keystone/blob/master/keystone/server/wsgi.py [2] https://docs.openstack.org/keystone/rocky/install/keystone-install-obs.html [3] https://review.openstack.org/#/c/586791/ Closes-Bug: 1804426 Depends-On: https://review.openstack.org/#/c/627793/ Change-Id: I726cd9408d20f868b2b5337ef2df4da458904e51
2018-11-21 15:17:08 +01:00
$custom_wsgi_process_options = {},
Make admin and public scripts configurable When we switched to using the package provided wsgi scripts for keystone, we lost the ability to override these scripts. This change updates the apache::wsgi::apache class to actually allow for the overriding of the admin and public wsgi scripts. Change-Id: I683f1ef95700d9382d480a1daca41cf9ed5ccd26
2016-07-06 09:29:29 -06:00
) inherits ::keystone::params {
Enable serving keystone from apache mod_wsgi Serving keystone from a wsgi container is recommended for production setups. SSL is enabled by default. See the following URLs for explanations: http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/ https://etherpad.openstack.org/havana-keystone-performance Documentation in manifests/wsgi/apache.pp Apache can be configured as a drop in replacement for keystone (using ports 5000 & 35357) or with paths using the standard SSL port. See examples in examples/apache_*.pp - Also change some 'real_' prefix into '_real' suffix to respect the coding guide. - Added the '--insecure' option to keystone client in the provider to allow using self-signed certificates. - Fixed parsing the ssl/enable value in the provider. There is no integer verification done in the manifests and to get around a bug in rspec, which has been fixed in https://github.com/rodjek/rspec-puppet/pull/107, certain parameters that should be integer are treated as strings files/httpd/keystone.py updated with lastest from keystone git repo Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c
2013-05-02 18:03:12 +02:00
Convert all class usage to relative names Change-Id: Ia631adf31be1eeadb7ab0f12b75f1eaed73d5fbf
2019-12-08 23:09:22 +01:00
include keystone::deps
Enable different servername for admin vhost When the admin endpoint is configured in a different IP and host, the servername needs to be changed too. Else the vhost will be routed wrongly by apache. Change-Id: Ief84f524b4e221313b36e72beae291616491fa8b
2016-09-05 08:50:10 +03:00
Remove port 35357 deployment The legacy admin and public ports for Keystone has since the release of the v3 API not been required as keystone moved all actions to the same API. [1] This patch removes the deployment of port 35357 and remodels puppet-keystone and more specifically the keystone::wsgi::apache class to only deploy keystone on port 5000. This has already been changed in the installation guides [2] and is the recommend way to deploy keystone. We have already prepared all our modules default values to use port 5000 instead of 35357 a while ago and we also in the Rocky release informed our users with a release note that this would be performed [3] [1] https://github.com/openstack/keystone/blob/master/keystone/server/wsgi.py [2] https://docs.openstack.org/keystone/rocky/install/keystone-install-obs.html [3] https://review.openstack.org/#/c/586791/ Closes-Bug: 1804426 Depends-On: https://review.openstack.org/#/c/627793/ Change-Id: I726cd9408d20f868b2b5337ef2df4da458904e51
2018-11-21 15:17:08 +01:00
# TODO(tobias-urdin): This dependency chaining can be moved to keystone::deps
# when we have cleaned up some old eventlet code and users are forced to use
# apache even though it's pretty much enforced today.
Enable serving keystone from apache mod_wsgi Serving keystone from a wsgi container is recommended for production setups. SSL is enabled by default. See the following URLs for explanations: http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/ https://etherpad.openstack.org/havana-keystone-performance Documentation in manifests/wsgi/apache.pp Apache can be configured as a drop in replacement for keystone (using ports 5000 & 35357) or with paths using the standard SSL port. See examples in examples/apache_*.pp - Also change some 'real_' prefix into '_real' suffix to respect the coding guide. - Added the '--insecure' option to keystone client in the provider to allow using self-signed certificates. - Fixed parsing the ssl/enable value in the provider. There is no integer verification done in the manifests and to get around a bug in rspec, which has been fixed in https://github.com/rodjek/rspec-puppet/pull/107, certain parameters that should be integer are treated as strings files/httpd/keystone.py updated with lastest from keystone git repo Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c
2013-05-02 18:03:12 +02:00
Keystone hooks support This code moves all deps to an external class so that Keystone can be installed with mechanisms besides packages (like venv or docker). This also cleans-up the dependency tree by removing false or confusing dependencies. Change-Id: If69cd7cba267f75faad51fdbc80a58b24d2095d8 Co-Author: Clayton O'Neill <clayton.oneill@twcable.com>
2016-02-23 18:31:15 -07:00
# The httpd package is untagged, but needs to have ordering enforced,
# so handle it here rather than in the deps class.
Anchor['keystone::install::begin']
-> Package['httpd']
-> Anchor['keystone::install::end']
# Configure apache during the config phase
Anchor['keystone::config::begin']
-> Apache::Vhost<||>
~> Anchor['keystone::config::end']
# Start the service during the service phase
Anchor['keystone::service::begin']
-> Service['httpd']
-> Anchor['keystone::service::end']
# Notify the service when config changes
Anchor['keystone::config::end']
~> Service['httpd']
Enable serving keystone from apache mod_wsgi Serving keystone from a wsgi container is recommended for production setups. SSL is enabled by default. See the following URLs for explanations: http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/ https://etherpad.openstack.org/havana-keystone-performance Documentation in manifests/wsgi/apache.pp Apache can be configured as a drop in replacement for keystone (using ports 5000 & 35357) or with paths using the standard SSL port. See examples in examples/apache_*.pp - Also change some 'real_' prefix into '_real' suffix to respect the coding guide. - Added the '--insecure' option to keystone client in the provider to allow using self-signed certificates. - Fixed parsing the ssl/enable value in the provider. There is no integer verification done in the manifests and to get around a bug in rspec, which has been fixed in https://github.com/rodjek/rspec-puppet/pull/107, certain parameters that should be integer are treated as strings files/httpd/keystone.py updated with lastest from keystone git repo Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c
2013-05-02 18:03:12 +02:00
Remove port 35357 deployment The legacy admin and public ports for Keystone has since the release of the v3 API not been required as keystone moved all actions to the same API. [1] This patch removes the deployment of port 35357 and remodels puppet-keystone and more specifically the keystone::wsgi::apache class to only deploy keystone on port 5000. This has already been changed in the installation guides [2] and is the recommend way to deploy keystone. We have already prepared all our modules default values to use port 5000 instead of 35357 a while ago and we also in the Rocky release informed our users with a release note that this would be performed [3] [1] https://github.com/openstack/keystone/blob/master/keystone/server/wsgi.py [2] https://docs.openstack.org/keystone/rocky/install/keystone-install-obs.html [3] https://review.openstack.org/#/c/586791/ Closes-Bug: 1804426 Depends-On: https://review.openstack.org/#/c/627793/ Change-Id: I726cd9408d20f868b2b5337ef2df4da458904e51
2018-11-21 15:17:08 +01:00
::openstacklib::wsgi::apache { 'keystone_wsgi':
Enable serving keystone from apache mod_wsgi Serving keystone from a wsgi container is recommended for production setups. SSL is enabled by default. See the following URLs for explanations: http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/ https://etherpad.openstack.org/havana-keystone-performance Documentation in manifests/wsgi/apache.pp Apache can be configured as a drop in replacement for keystone (using ports 5000 & 35357) or with paths using the standard SSL port. See examples in examples/apache_*.pp - Also change some 'real_' prefix into '_real' suffix to respect the coding guide. - Added the '--insecure' option to keystone client in the provider to allow using self-signed certificates. - Fixed parsing the ssl/enable value in the provider. There is no integer verification done in the manifests and to get around a bug in rspec, which has been fixed in https://github.com/rodjek/rspec-puppet/pull/107, certain parameters that should be integer are treated as strings files/httpd/keystone.py updated with lastest from keystone git repo Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c
2013-05-02 18:03:12 +02:00
servername => $servername,
Use openstacklib::wsgi::apache for keystone wsgi This patch changes the usage of the of apache::vhost to openstacklib::wsgi::apache. Also removes the wsgi_script_source param that was deprecated in Mitaka. Fixes and cleans up spec testing, cleans up documentation in the manifest to conform with the overall standard. Depends-On: I31096140a6f355ec99496053fb06ce6c73094180 Change-Id: Ic11a0aea68a04d370453a7e81218642e0e150a9f Closes-Bug: 1657582
2018-04-04 20:12:58 +02:00
bind_host => $bind_host,
Remove port 35357 deployment The legacy admin and public ports for Keystone has since the release of the v3 API not been required as keystone moved all actions to the same API. [1] This patch removes the deployment of port 35357 and remodels puppet-keystone and more specifically the keystone::wsgi::apache class to only deploy keystone on port 5000. This has already been changed in the installation guides [2] and is the recommend way to deploy keystone. We have already prepared all our modules default values to use port 5000 instead of 35357 a while ago and we also in the Rocky release informed our users with a release note that this would be performed [3] [1] https://github.com/openstack/keystone/blob/master/keystone/server/wsgi.py [2] https://docs.openstack.org/keystone/rocky/install/keystone-install-obs.html [3] https://review.openstack.org/#/c/586791/ Closes-Bug: 1804426 Depends-On: https://review.openstack.org/#/c/627793/ Change-Id: I726cd9408d20f868b2b5337ef2df4da458904e51
2018-11-21 15:17:08 +01:00
bind_port => $api_port,
group => $::keystone::params::keystone_group,
path => $path,
Use openstacklib::wsgi::apache for keystone wsgi This patch changes the usage of the of apache::vhost to openstacklib::wsgi::apache. Also removes the wsgi_script_source param that was deprecated in Mitaka. Fixes and cleans up spec testing, cleans up documentation in the manifest to conform with the overall standard. Depends-On: I31096140a6f355ec99496053fb06ce6c73094180 Change-Id: Ic11a0aea68a04d370453a7e81218642e0e150a9f Closes-Bug: 1657582
2018-04-04 20:12:58 +02:00
workers => $workers,
threads => $threads,
Remove port 35357 deployment The legacy admin and public ports for Keystone has since the release of the v3 API not been required as keystone moved all actions to the same API. [1] This patch removes the deployment of port 35357 and remodels puppet-keystone and more specifically the keystone::wsgi::apache class to only deploy keystone on port 5000. This has already been changed in the installation guides [2] and is the recommend way to deploy keystone. We have already prepared all our modules default values to use port 5000 instead of 35357 a while ago and we also in the Rocky release informed our users with a release note that this would be performed [3] [1] https://github.com/openstack/keystone/blob/master/keystone/server/wsgi.py [2] https://docs.openstack.org/keystone/rocky/install/keystone-install-obs.html [3] https://review.openstack.org/#/c/586791/ Closes-Bug: 1804426 Depends-On: https://review.openstack.org/#/c/627793/ Change-Id: I726cd9408d20f868b2b5337ef2df4da458904e51
2018-11-21 15:17:08 +01:00
user => $::keystone::params::keystone_user,
setup keystone using apache mod_wsgi Allow keystone to be set up to use apache mod_wsgi as the server instead of a standalone eventlet service. There is a new keystone class parameter: service_name. The default is 'keystone', which will set up the standalone eventlet service. If 'httpd' is used, the keystone class will skip creating the keystone service, which also means no 'openstack-keystone' service. The class 'keystone::wsgi::apache' is then used to configure apache mod_wsgi to serve keystone. Had to remove the File resource default in the keystone class. When using wsgi::apache, the apache class and other classes are included. Since puppet uses dynamic scoping, this overrides the file resources in those classes as well. keystone now explicitly sets all of the parameters in files/directory resources. Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de Closes-Bug: #1348728
2014-07-17 16:22:34 -06:00
priority => $priority,
Enable serving keystone from apache mod_wsgi Serving keystone from a wsgi container is recommended for production setups. SSL is enabled by default. See the following URLs for explanations: http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/ https://etherpad.openstack.org/havana-keystone-performance Documentation in manifests/wsgi/apache.pp Apache can be configured as a drop in replacement for keystone (using ports 5000 & 35357) or with paths using the standard SSL port. See examples in examples/apache_*.pp - Also change some 'real_' prefix into '_real' suffix to respect the coding guide. - Added the '--insecure' option to keystone client in the provider to allow using self-signed certificates. - Fixed parsing the ssl/enable value in the provider. There is no integer verification done in the manifests and to get around a bug in rspec, which has been fixed in https://github.com/rodjek/rspec-puppet/pull/107, certain parameters that should be integer are treated as strings files/httpd/keystone.py updated with lastest from keystone git repo Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c
2013-05-02 18:03:12 +02:00
ssl => $ssl,
ssl_cert => $ssl_cert,
ssl_key => $ssl_key,
ssl_chain => $ssl_chain,
ssl_ca => $ssl_ca,
ssl_crl_path => $ssl_crl_path,
ssl_crl => $ssl_crl,
ssl_certs_dir => $ssl_certs_dir,
Remove port 35357 deployment The legacy admin and public ports for Keystone has since the release of the v3 API not been required as keystone moved all actions to the same API. [1] This patch removes the deployment of port 35357 and remodels puppet-keystone and more specifically the keystone::wsgi::apache class to only deploy keystone on port 5000. This has already been changed in the installation guides [2] and is the recommend way to deploy keystone. We have already prepared all our modules default values to use port 5000 instead of 35357 a while ago and we also in the Rocky release informed our users with a release note that this would be performed [3] [1] https://github.com/openstack/keystone/blob/master/keystone/server/wsgi.py [2] https://docs.openstack.org/keystone/rocky/install/keystone-install-obs.html [3] https://review.openstack.org/#/c/586791/ Closes-Bug: 1804426 Depends-On: https://review.openstack.org/#/c/627793/ Change-Id: I726cd9408d20f868b2b5337ef2df4da458904e51
2018-11-21 15:17:08 +01:00
wsgi_daemon_process => 'keystone',
wsgi_process_display_name => 'keystone',
wsgi_process_group => 'keystone',
Use openstacklib::wsgi::apache for keystone wsgi This patch changes the usage of the of apache::vhost to openstacklib::wsgi::apache. Also removes the wsgi_script_source param that was deprecated in Mitaka. Fixes and cleans up spec testing, cleans up documentation in the manifest to conform with the overall standard. Depends-On: I31096140a6f355ec99496053fb06ce6c73094180 Change-Id: Ic11a0aea68a04d370453a7e81218642e0e150a9f Closes-Bug: 1657582
2018-04-04 20:12:58 +02:00
wsgi_script_dir => $::keystone::params::keystone_wsgi_script_path,
Remove port 35357 deployment The legacy admin and public ports for Keystone has since the release of the v3 API not been required as keystone moved all actions to the same API. [1] This patch removes the deployment of port 35357 and remodels puppet-keystone and more specifically the keystone::wsgi::apache class to only deploy keystone on port 5000. This has already been changed in the installation guides [2] and is the recommend way to deploy keystone. We have already prepared all our modules default values to use port 5000 instead of 35357 a while ago and we also in the Rocky release informed our users with a release note that this would be performed [3] [1] https://github.com/openstack/keystone/blob/master/keystone/server/wsgi.py [2] https://docs.openstack.org/keystone/rocky/install/keystone-install-obs.html [3] https://review.openstack.org/#/c/586791/ Closes-Bug: 1804426 Depends-On: https://review.openstack.org/#/c/627793/ Change-Id: I726cd9408d20f868b2b5337ef2df4da458904e51
2018-11-21 15:17:08 +01:00
wsgi_script_file => 'keystone',
wsgi_script_source => $wsgi_script_source,
Pass necessary options to Apache when using WSGI Keystone recommend to use WSGIApplicationGroup and WSGIPassAuthorization options when is running under Apache. When WSGIApplicationGroup is not set, import failures are observed and Keystone doesn't work as expected. Change-Id: I30483d269f6ae6edcecd376d6814c80c0166b265 Closes-bug: #1502318
2015-10-02 23:18:55 +03:00
wsgi_application_group => $wsgi_application_group,
wsgi_pass_authorization => $wsgi_pass_authorization,
Add wsgi_chunked_request option This option is necessary[1] when running OpenStack's keystone on Apache. This functionality has been merged[2] into the upstream puppetlabs-apache. [1] https://review.openstack.org/#/c/34835/ [2] https://github.com/puppetlabs/puppetlabs-apache/pull/890 Change-Id: Icaf550e6570890535c7f43e6c77889826bfa90cb
2014-10-27 09:45:08 -07:00
wsgi_chunked_request => $wsgi_chunked_request,
Use openstacklib::wsgi::apache for keystone wsgi This patch changes the usage of the of apache::vhost to openstacklib::wsgi::apache. Also removes the wsgi_script_source param that was deprecated in Mitaka. Fixes and cleans up spec testing, cleans up documentation in the manifest to conform with the overall standard. Depends-On: I31096140a6f355ec99496053fb06ce6c73094180 Change-Id: Ic11a0aea68a04d370453a7e81218642e0e150a9f Closes-Bug: 1657582
2018-04-04 20:12:58 +02:00
headers => $headers,
Remove port 35357 deployment The legacy admin and public ports for Keystone has since the release of the v3 API not been required as keystone moved all actions to the same API. [1] This patch removes the deployment of port 35357 and remodels puppet-keystone and more specifically the keystone::wsgi::apache class to only deploy keystone on port 5000. This has already been changed in the installation guides [2] and is the recommend way to deploy keystone. We have already prepared all our modules default values to use port 5000 instead of 35357 a while ago and we also in the Rocky release informed our users with a release note that this would be performed [3] [1] https://github.com/openstack/keystone/blob/master/keystone/server/wsgi.py [2] https://docs.openstack.org/keystone/rocky/install/keystone-install-obs.html [3] https://review.openstack.org/#/c/586791/ Closes-Bug: 1804426 Depends-On: https://review.openstack.org/#/c/627793/ Change-Id: I726cd9408d20f868b2b5337ef2df4da458904e51
2018-11-21 15:17:08 +01:00
custom_wsgi_process_options => $custom_wsgi_process_options,
Use openstacklib::wsgi::apache for keystone wsgi This patch changes the usage of the of apache::vhost to openstacklib::wsgi::apache. Also removes the wsgi_script_source param that was deprecated in Mitaka. Fixes and cleans up spec testing, cleans up documentation in the manifest to conform with the overall standard. Depends-On: I31096140a6f355ec99496053fb06ce6c73094180 Change-Id: Ic11a0aea68a04d370453a7e81218642e0e150a9f Closes-Bug: 1657582
2018-04-04 20:12:58 +02:00
vhost_custom_fragment => $vhost_custom_fragment,
Add vhost access/error logs file/syslog options Support vhosts logging to syslog. Related-bug: #1700045 Change-Id: If60cb8e31c46e32ba6e04f53ac73a72bf989df2d Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-07-31 14:18:34 +02:00
access_log_file => $access_log_file,
access_log_pipe => $access_log_pipe,
access_log_syslog => $access_log_syslog,
Adding wsgi log formatting This change adds the ability to customiz how the keystone wsgi virtual hosts log information. This is especially useful if you have a load balancer and the source ip is being forwarded. Change-Id: Id27179f1ca6001a1596f103013f6ca32ed23b6b4 Closes-bug: #1483776
2015-08-12 10:21:43 -06:00
access_log_format => $access_log_format,
Add vhost access/error logs file/syslog options Support vhosts logging to syslog. Related-bug: #1700045 Change-Id: If60cb8e31c46e32ba6e04f53ac73a72bf989df2d Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-07-31 14:18:34 +02:00
error_log_file => $error_log_file,
error_log_pipe => $error_log_pipe,
error_log_syslog => $error_log_syslog,
Enable serving keystone from apache mod_wsgi Serving keystone from a wsgi container is recommended for production setups. SSL is enabled by default. See the following URLs for explanations: http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/ https://etherpad.openstack.org/havana-keystone-performance Documentation in manifests/wsgi/apache.pp Apache can be configured as a drop in replacement for keystone (using ports 5000 & 35357) or with paths using the standard SSL port. See examples in examples/apache_*.pp - Also change some 'real_' prefix into '_real' suffix to respect the coding guide. - Added the '--insecure' option to keystone client in the provider to allow using self-signed certificates. - Fixed parsing the ssl/enable value in the provider. There is no integer verification done in the manifests and to get around a bug in rspec, which has been fixed in https://github.com/rodjek/rspec-puppet/pull/107, certain parameters that should be integer are treated as strings files/httpd/keystone.py updated with lastest from keystone git repo Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c
2013-05-02 18:03:12 +02:00
}
Clear out keystone package config on ubuntu See Bug 1737697. The ubuntu packaging provides a default keystone.conf which we want to remove because we manage the keystone vhost configuration via puppet. This change moves the logic we had in puppet-openstack-integration into puppet-keystone proper. Once the code is removed from p-o-i, we can switch these to actual file resources rather than using ensure_resource Change-Id: Iea8f531a8eff4c053cff01a7f75ce43024c97c7b
2019-04-24 15:38:21 -06:00
# Workaround to empty Keystone vhost that is provided & activated by default with running
# Canonical packaging (called 'keystone'). This will make sure upgrading the package is
# possible, see https://bugs.launchpad.net/ubuntu/+source/keystone/+bug/1737697
if ($::operatingsystem == 'Ubuntu') {
ensure_resource('file', '/etc/apache2/sites-available/keystone.conf', {
'ensure' => 'file',
'content' => '',
})
Package<| tag == 'keystone-package' |>
-> File<| title == '/etc/apache2/sites-available/keystone.conf' |>
~> Anchor['keystone::install::end']
}
Enable serving keystone from apache mod_wsgi Serving keystone from a wsgi container is recommended for production setups. SSL is enabled by default. See the following URLs for explanations: http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/ https://etherpad.openstack.org/havana-keystone-performance Documentation in manifests/wsgi/apache.pp Apache can be configured as a drop in replacement for keystone (using ports 5000 & 35357) or with paths using the standard SSL port. See examples in examples/apache_*.pp - Also change some 'real_' prefix into '_real' suffix to respect the coding guide. - Added the '--insecure' option to keystone client in the provider to allow using self-signed certificates. - Fixed parsing the ssl/enable value in the provider. There is no integer verification done in the manifests and to get around a bug in rspec, which has been fixed in https://github.com/rodjek/rspec-puppet/pull/107, certain parameters that should be integer are treated as strings files/httpd/keystone.py updated with lastest from keystone git repo Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c
2013-05-02 18:03:12 +02:00
}
Copy Permalink