From 47e483587853a2e4c565f08c6185e8db16e18b39 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Wed, 24 Nov 2021 02:27:05 +0900
Subject: [PATCH] Use httpd+mod_wsgi to run glance-api

This makes glance-api run by httpd+mod_wsgi instead of standalone eventlet service. This allows us to enable ssl for glance endpoints. Note that this change switches glance backend in scenario 004 from rgw to file, because usage of rgw causes circular dependencies. Swift API is already tested by tempest, and we assume that usage of swift store driver to integrate glance and ceph is not as much popular as one of rbd store driver.

Change-Id: I888f288bde30c5eeb2d33facd1e55aaddd670450
---
 README.md | 2 +-
 fixtures/scenario004.pp | 10 ++++++++--
 manifests/ceph.pp | 1 -
 manifests/glance.pp | 25 ++++++++++++++-----------
 4 files changed, 23 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index 202858d48..9655df3db 100644
--- a/README.md
+++ b/README.md
@@ -48,7 +48,7 @@ scenario](#all-in-one).
 | ssl | yes | yes | yes | yes | yes | no |
 | ipv6 | centos9 | centos9 | centos9 | centos9 | centos9 | no |
 | keystone | X | X | X | X | X | X |
-| glance | rbd | swift | file | swift+rgw | cinder | file |
+| glance | rbd | swift | file | rbd | cinder | file |
 | nova | rbd | X | X | rbd | X | X |
 | placement | X | X | X | X | X | X |
 | neutron | ovs | ovs | ovn | ovs | ovn | ovs |
diff --git a/fixtures/scenario004.pp b/fixtures/scenario004.pp
index bd9b3931d..1f75f7a5b 100644
--- a/fixtures/scenario004.pp
+++ b/fixtures/scenario004.pp
@@ -56,8 +56,9 @@ include openstack_integration::mysql
 include openstack_integration::redis
 include openstack_integration::keystone
 class { 'openstack_integration::glance':
- backend => 'swift',
+ backend => 'rbd',
 }
+
 class { 'openstack_integration::neutron':
 vpnaas_enabled => $vpnaas_enabled,
 taas_enabled => $taas_enabled,
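Review bot: The `backend => 'rbd'` line in the first fixtures/scenario004.pp hunk disagrees with the commit message, which says scenario 004 switches from rgw to file. The README hunk also lists rbd, so the message looks stale rather than the code. The reason for leaving the swift store is not recorded in the manifest, so a comment above the parameter would keep it from being switched back, for example `# NOTE: the swift store backed by rgw is avoided here because it causes circular dependencies once glance-api runs under httpd`. That wording is taken from the commit message and should be confirmed by the author.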
@@ -84,7 +85,11 @@ class { 'openstack_integration::manila':
 }
 include openstack_integration::octavia
-include openstack_integration::provision
+class { 'openstack_integration::provision':
+ # NOTE(tkajinam): Use raw format to use rbd image cloning when creating
+ # a volume from an image.
+ image_format => 'raw',
+}
 # Glance, nova, neutron are true by default.
 class { 'openstack_integration::tempest':
@@ -102,4 +107,5 @@ class { 'openstack_integration::tempest':
 # RADOS Gateway does not support ResellerAdmin role by default
 reseller_admin_role => 'admin',
 swift => true,
+ image_format => 'raw',
 }
diff --git a/manifests/ceph.pp b/manifests/ceph.pp
index 065b232f3..1520edb1e 100644
--- a/manifests/ceph.pp
+++ b/manifests/ceph.pp
@@ -185,6 +185,5 @@ test -b /dev/ceph_vg/lv_data
 }
 class { 'ceph::profile::rgw': }
- Service<| tag == 'ceph-radosgw' |> -> Service <| tag == 'glance-service' |>
 }
 }
diff --git a/manifests/glance.pp b/manifests/glance.pp
index 298d46ba3..7df12a09a 100644
--- a/manifests/glance.pp
+++ b/manifests/glance.pp
@@ -17,16 +17,12 @@ class openstack_integration::glance (
 include openstack_integration::config
 include openstack_integration::params
- # TODO(tkajinam): Glance no longer supports native ssl since Ussuri release,
- # so these parameters are unused now.
 if $::openstack_integration::config::ssl {
 openstack_integration::ssl_key { 'glance':
+ notify => Service['httpd'],
+ require => Anchor['glance::install::end'],
 }
- $key_file = undef
- $crt_file = undef
- } else {
- $key_file = undef
- $crt_file = undef
+ Exec['update-ca-certificates'] ~> Service['httpd']
 }
 openstack_integration::mq_user { 'glance':
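Review bot: In fixtures/scenario004.pp the literal `image_format => 'raw'` now appears twice, on `openstack_integration::provision` (hunk at -84) and on `openstack_integration::tempest` (hunk at -102), and only the first carries the explanation. If the two values drift apart, tempest would presumably be configured for a different disk format than the image that was provisioned. Declaring `$image_format = 'raw'` once and passing `image_format => $image_format,` to both classes would keep them in step. The tempest declaration starts outside its hunk.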
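Review bot: The `if $::openstack_integration::config::ssl` block in manifests/glance.pp loses its only comment, and the new ordering is left unexplained. A short comment would help, for example `# TLS is terminated by the httpd vhost: create the key after the glance install anchor and restart httpd when the key or the CA bundle changes`, with the wording to be confirmed by the author. The private key is now consumed by httpd rather than by a standalone glance-api process. The owner and mode that `openstack_integration::ssl_key` applies are outside this diff, so it is worth confirming the file stays readable by the process that loads it and by nobody else. `Service['httpd']` and `Exec['update-ca-certificates']` are also declared outside this hunk.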
@@ -43,9 +39,9 @@ class openstack_integration::glance (
 include glance
 include glance::client
 class { 'glance::keystone::auth':
- public_url => "http://${::openstack_integration::config::ip_for_url}:9292",
- internal_url => "http://${::openstack_integration::config::ip_for_url}:9292",
- admin_url => "http://${::openstack_integration::config::ip_for_url}:9292",
+ public_url => "${::openstack_integration::config::base_url}:9292",
+ internal_url => "${::openstack_integration::config::base_url}:9292",
+ admin_url => "${::openstack_integration::config::base_url}:9292",
 roles => ['admin', 'service'],
 password => 'a_big_secret',
 }
@@ -113,10 +109,17 @@ class openstack_integration::glance (
 }),
 }
 class { 'glance::api':
- workers => 2,
 enabled_backends => $enabled_backends,
 default_backend => $default_backend,
 bind_host => $::openstack_integration::config::host,
+ service_name => 'httpd',
+ }
+ class { 'glance::wsgi::apache':
+ bind_host => $::openstack_integration::config::host,
+ ssl => $::openstack_integration::config::ssl,
+ ssl_key => "/etc/glance/ssl/private/${facts['networking']['fqdn']}.pem",
+ ssl_cert => $::openstack_integration::params::cert_path,
+ workers => 2,
 }
 class { 'glance::cron::db_purge': }
 class { 'glance::notify::rabbitmq':
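Review bot: The `ssl_key` value passed to `glance::wsgi::apache` in the last manifests/glance.pp hunk hard-codes `/etc/glance/ssl/private/${facts['networking']['fqdn']}.pem`, which has to match the path that `openstack_integration::ssl_key { 'glance': }` writes. That define is outside this diff, so the match cannot be checked here. If the two drift apart, httpd would presumably fail to start or serve without the intended key. A comment such as `# must match the key path created by openstack_integration::ssl_key { 'glance': }` would record the coupling, or both could take the path from one variable. It is also worth confirming that `bind_host` on `glance::api` still has an effect now that the listener is the Apache vhost.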