Enable mistral to run under mod_wsgi

Mistral should run under mod_wsgi. Enable that.

Change-Id: I99f83c35eaa892c10deb63e199d22a43f06f5dcc
Depends-On: I61199f53d7e32fcb3d068ccaf548a836b5bb58e9

manifests/profile/base/mistral/api.pp

@@ -18,6 +18,27 @@
 #
 # === Parameters
 #
+# [*certificates_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate(s)
+#   it will create.
+#   Example with hiera:
+#     apache_certificates_specs:
+#       httpd-internal_api:
+#         hostname: <overcloud controller fqdn>
+#         service_certificate: <service certificate path>
+#         service_key: <service key path>
+#         principal: "haproxy/<overcloud controller fqdn>"
+#   Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+#   (Optional) Whether TLS in the internal network is enabled or not.
+#   Defaults to hiera('enable_internal_tls', false)
+#
+# [*mistral_api_network*]
+#   (Optional) The network name where the mistral API endpoint is listening on.
+#   This is set by t-h-t.
+#   Defaults to hiera('mistral_api_network', undef)
+#
 # [*bootstrap_node*]
 #   (Optional) The hostname of the node responsible for bootstrapping tasks
 #   Defaults to hiera('bootstrap_nodeid')
@@ -28,8 +49,11 @@
 #   Defaults to hiera('step')
 #
 class tripleo::profile::base::mistral::api (
-  $bootstrap_node = hiera('bootstrap_nodeid', undef),
+  $bootstrap_node                = hiera('bootstrap_nodeid', undef),
-  $step           = hiera('step'),
+  $certificates_specs            = hiera('apache_certificates_specs', {}),
+  $enable_internal_tls           = hiera('enable_internal_tls', false),
+  $mistral_api_network           = hiera('mistral_api_network', undef),
+  $step                          = hiera('step'),
 ) {
   if $::hostname == downcase($bootstrap_node) {
     $sync_db = true
@@ -39,8 +63,32 @@ class tripleo::profile::base::mistral::api (
 
   include ::tripleo::profile::base::mistral
 
-  if $step >= 4 or ($step >= 3 and $sync_db) {
+  if $enable_internal_tls {
-    include ::mistral::api
+    if !$mistral_api_network {
+      fail('mistral_api_network is not set in the hieradata.')
+    }
+    $tls_certfile = $certificates_specs["httpd-${mistral_api_network}"]['service_certificate']
+    $tls_keyfile = $certificates_specs["httpd-${mistral_api_network}"]['service_key']
+  } else {
+    $tls_certfile = undef
+    $tls_keyfile = undef
+  }
+
+  if $step >= 3 {
+    # TODO: Cleanup when this passes t-h-t
+    class { '::mistral::api':
+      service_name => 'httpd',
+    }
+
+    include ::apache::mod::ssl
+    class { '::mistral::wsgi::apache':
+      ssl_cert   => $tls_certfile,
+      ssl_key    => $tls_keyfile,
+      # The following are temporary and will be passed via t-h-t
+      ssl        => $enable_internal_tls,
+      servername => hiera("fqdn_${mistral_api_network}"),
+      bind_host  => hiera('mistral::api::bind_host'),
+    }
   }
 }
 

releasenotes/notes/mistral-mod-wsgi-1a1d3eb279daa7fd.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - Move Mistral API to use mod_wsgi under Apache.
+upgrade:
+  - Mistral API systemd service will be stopped and 
+    disabled.
+