From 54c505f1967909505c09fbc11c4a969b1af65439 Mon Sep 17 00:00:00 2001 From: Martin Schuppert Date: Fri, 13 Jul 2018 17:05:36 +0200 Subject: [PATCH] Move nova-metadata api to httpd wsgi Upstream will deprecate usage of eventlet of all the WSGI-run services, including nova-api and nova-metadata-api. See https://review.openstack.org/#/c/549510/ for more details. With this change we move nova-metadata to run via httpd wsgi and therefore uses its own config volume. Depends-On: Ic65736cb0e95c400a728cd699ecf06c6aecff832 Change-Id: Ic46acdbac280ac648ec5ed9d7af0139126334fe0 Closes-Bug: 1781405 --- manifests/profile/base/nova/api.pp | 20 ++- manifests/profile/base/nova/metadata.pp | 86 +++++++++ .../nova_metadata_wsgi-bbc8e5e053282a83.yaml | 7 + ...tripleo_profile_base_nova_metadata_spec.rb | 163 ++++++++++++++++++ 4 files changed, 269 insertions(+), 7 deletions(-) create mode 100644 manifests/profile/base/nova/metadata.pp create mode 100644 releasenotes/notes/nova_metadata_wsgi-bbc8e5e053282a83.yaml create mode 100644 spec/classes/tripleo_profile_base_nova_metadata_spec.rb diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp index 0785561cf..8447cbde3 100644 --- a/manifests/profile/base/nova/api.pp +++ b/manifests/profile/base/nova/api.pp @@ -46,8 +46,12 @@ # Nova Team discourages it. # Defaults to hiera('nova_wsgi_enabled', false) # +# [*nova_metadata_wsgi_enabled*] +# (Optional) Whether or not deploy Nova Metadata in WSGI with Apache. +# Defaults to hiera('nova_metadata_wsgi_enabled', false) +# # [*nova_metadata_network*] -# (Optional) The network name where the nova metadata endpoint is listening on. +# DEPRECATED: (Optional) The network name where the nova metadata endpoint is listening on. # This is set by t-h-t. # Defaults to hiera('nova_metadata_network', undef) # @@ -57,17 +61,17 @@ # Defaults to hiera('step') # # [*metadata_tls_proxy_bind_ip*] -# IP on which the TLS proxy will listen on. Required only if +# DEPRECATED: IP on which the TLS proxy will listen on. Required only if # enable_internal_tls is set. # Defaults to undef # # [*metadata_tls_proxy_fqdn*] -# fqdn on which the tls proxy will listen on. required only used if +# DEPRECATED: fqdn on which the tls proxy will listen on. required only used if # enable_internal_tls is set. # defaults to undef # # [*metadata_tls_proxy_port*] -# port on which the tls proxy will listen on. Only used if +# DEPRECATED: port on which the tls proxy will listen on. Only used if # enable_internal_tls is set. # defaults to 8080 # @@ -77,6 +81,7 @@ class tripleo::profile::base::nova::api ( $enable_internal_tls = hiera('enable_internal_tls', false), $nova_api_network = hiera('nova_api_network', undef), $nova_api_wsgi_enabled = hiera('nova_wsgi_enabled', false), + $nova_metadata_wsgi_enabled = hiera('nova_metadata_wsgi_enabled', false), $nova_metadata_network = hiera('nova_metadata_network', undef), $step = Integer(hiera('step')), $metadata_tls_proxy_bind_ip = undef, @@ -97,7 +102,7 @@ class tripleo::profile::base::nova::api ( } if $step >= 4 or ($step >= 3 and $sync_db) { - if $enable_internal_tls { + if $enable_internal_tls and !$nova_api_wsgi_enabled { if !$nova_metadata_network { fail('nova_metadata_network is not set in the hieradata.') } @@ -115,8 +120,9 @@ class tripleo::profile::base::nova::api ( } class { '::nova::api': - sync_db => $sync_db, - sync_db_api => $sync_db, + sync_db => $sync_db, + sync_db_api => $sync_db, + nova_metadata_wsgi_enabled => $nova_metadata_wsgi_enabled, } include ::nova::cors include ::nova::network::neutron diff --git a/manifests/profile/base/nova/metadata.pp b/manifests/profile/base/nova/metadata.pp new file mode 100644 index 000000000..9b500b28f --- /dev/null +++ b/manifests/profile/base/nova/metadata.pp @@ -0,0 +1,86 @@ +# Copyright 2016 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::profile::base::nova::metadata +# +# Nova Placement API profile for tripleo +# +# [*bootstrap_node*] +# (Optional) The hostname of the node responsible for bootstrapping tasks +# Defaults to hiera('bootstrap_nodeid') +# +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: +# service_certificate: +# service_key: +# principal: "haproxy/" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*nova_metadata_network*] +# (Optional) The network name where the nova metadata endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('nova_metadata_network', undef) +# +# [*step*] +# (Optional) The current step in deployment. See tripleo-heat-templates +# for more details. +# Defaults to hiera('step') +# +class tripleo::profile::base::nova::metadata ( + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $nova_metadata_network = hiera('nova_metadata_network', undef), + $step = Integer(hiera('step')), +) { + if $::hostname == downcase($bootstrap_node) { + $is_bootstrap = true + } else { + $is_bootstrap = false + } + + include ::tripleo::profile::base::nova + include ::tripleo::profile::base::nova::authtoken + + if $enable_internal_tls { + if !$nova_metadata_network { + fail('nova_metadata_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${nova_metadata_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${nova_metadata_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + + if $step >= 4 or ( $step >= 3 and $is_bootstrap ) { + include ::nova::cors + include ::nova::network::neutron + include ::nova::metadata + include ::tripleo::profile::base::apache + class { '::nova::wsgi::apache_metadata': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } + } +} diff --git a/releasenotes/notes/nova_metadata_wsgi-bbc8e5e053282a83.yaml b/releasenotes/notes/nova_metadata_wsgi-bbc8e5e053282a83.yaml new file mode 100644 index 000000000..e5f2a2eb6 --- /dev/null +++ b/releasenotes/notes/nova_metadata_wsgi-bbc8e5e053282a83.yaml @@ -0,0 +1,7 @@ +--- +features: + - | + Usage of eventlet of all the WSGI-run nova services get + deprecated, including nova-api and nova-metadata-api. + See https://review.openstack.org/#/c/549510/ for more details. + With this change we move nova-metadata to run via httpd wsgi. diff --git a/spec/classes/tripleo_profile_base_nova_metadata_spec.rb b/spec/classes/tripleo_profile_base_nova_metadata_spec.rb new file mode 100644 index 000000000..73c0e226b --- /dev/null +++ b/spec/classes/tripleo_profile_base_nova_metadata_spec.rb @@ -0,0 +1,163 @@ +# +# Copyright (C) 2018 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::profile::base::nova::metadata' do + shared_examples_for 'tripleo::profile::base::nova::metadata' do + let(:pre_condition) do + <<-eos + class { '::tripleo::profile::base::nova': + step => #{params[:step]}, + oslomsg_rpc_hosts => [ 'localhost' ], + oslomsg_rpc_username => 'nova', + oslomsg_rpc_password => 'foo' + } + class { '::tripleo::profile::base::nova::authtoken': + step => #{params[:step]}, + } +eos + end + + context 'with step less than 3' do + let(:params) { { + :step => 1, + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::metadata') + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to contain_class('tripleo::profile::base::nova::authtoken') + is_expected.to_not contain_class('nova::cors') + is_expected.to_not contain_class('nova::wsgi::apache_metadata') + is_expected.to_not contain_class('nova::network::neutron') + is_expected.to_not contain_class('nova::metadata') + is_expected.to_not contain_class('tripleo::profile::base::apache') + } + end + + context 'with step 3 and not bootstrap_node' do + let(:params) { { + :step => 3, + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::metadata') + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to contain_class('tripleo::profile::base::nova::authtoken') + is_expected.to_not contain_class('nova::cors') + is_expected.to_not contain_class('nova::wsgi::apache_metadata') + is_expected.to_not contain_class('nova::network::neutron') + is_expected.to_not contain_class('nova::metadata') + is_expected.to_not contain_class('tripleo::profile::base::apache') + } + end + + context 'with step 3 on bootstrap node' do + let(:params) { { + :step => 3, + :bootstrap_node => 'node.example.com', + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::metadata') + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to contain_class('tripleo::profile::base::nova::authtoken') + is_expected.to contain_class('nova::cors') + is_expected.to contain_class('nova::wsgi::apache_metadata') + is_expected.to contain_class('nova::network::neutron') + is_expected.to contain_class('nova::metadata') + is_expected.to contain_class('tripleo::profile::base::apache') + } + end + + context 'with step 4 not on bootstrap node' do + let(:params) { { + :step => 4, + :bootstrap_node => 'other.example.com', + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::metadata') + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to contain_class('tripleo::profile::base::nova::authtoken') + is_expected.to contain_class('nova::cors') + is_expected.to contain_class('nova::wsgi::apache_metadata') + is_expected.to contain_class('nova::network::neutron') + is_expected.to contain_class('nova::metadata') + is_expected.to contain_class('tripleo::profile::base::apache') + } + end + + context 'with step 4 not on bootstrap node' do + let(:params) { { + :step => 4, + :bootstrap_node => 'other.example.com', + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::metadata') + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to contain_class('tripleo::profile::base::nova::authtoken') + is_expected.to contain_class('nova::cors') + is_expected.to contain_class('nova::wsgi::apache_metadata') + is_expected.to contain_class('nova::network::neutron') + is_expected.to contain_class('nova::metadata') + is_expected.to contain_class('tripleo::profile::base::apache') + } + end + + context 'with step 3 and bootstrap with enable_internal_tls and skip generate certs' do + let(:params) { { + :step => 3, + :enable_internal_tls => true, + :nova_metadata_network => 'bar', + :bootstrap_node => 'node.example.com', + :certificates_specs => { + 'httpd-bar' => { + 'hostname' => 'foo', + 'service_certificate' => '/foo.pem', + 'service_key' => '/foo.key', + }, + } + } } + + it { + is_expected.to contain_class('tripleo::profile::base::nova::metadata') + is_expected.to contain_class('tripleo::profile::base::nova') + is_expected.to contain_class('tripleo::profile::base::nova::authtoken') + is_expected.to contain_class('nova::cors') + is_expected.to contain_class('nova::wsgi::apache_metadata').with( + :ssl_cert => '/foo.pem', + :ssl_key => '/foo.key') + is_expected.to contain_class('nova::network::neutron') + is_expected.to contain_class('nova::metadata') + is_expected.to contain_class('tripleo::profile::base::apache') + } + end + end + + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ :hostname => 'node.example.com' }) + end + + it_behaves_like 'tripleo::profile::base::nova::metadata' + end + end +end