Switch Manila API to httpd and support TLS
manila-api can be deployed in two ways: - Using the service-provided eventlet based server - Behind any popular web server as a wsgi process [1] adds support to the kolla image to install necessary packages and write configuration files to enable deploying manila-api with Apache/mod-wsgi/ [2] and [3] add support to puppet-{manila,tripleo} to honor httpd options like other API services. So, switch the manila-api docker/service to running httpd, and add necessary configuration options. Honor the "EnableInternalTLS" option to allow running manila-api with TLS. [1] https://review.openstack.org/#/c/590061/ [2] https://review.openstack.org/#/c/591869/ [3] https://review.openstack.org/#/c/592188/ Depends-On: https://review.openstack.org/#/c/592188/ Change-Id: Ic88a2f08e013a49e3da45a2bfc82c62ba284526a
parent
98ecf97609
commit
1cb6886a21
@ -36,6 +36,13 @@ parameters:
|
|||||||
default: {}
|
default: {}
|
||||||
description: Parameters specific to the role
|
description: Parameters specific to the role
|
||||||
type: json
|
type: json
|
||||||
|
EnableInternalTLS:
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
|
ManilaWorkers:
|
||||||
|
type: string
|
||||||
|
description: Set the number of workers for manila::wsgi::apache
|
||||||
|
default: '%{::os_workers}'
|
||||||
ManilaPassword:
|
ManilaPassword:
|
||||||
description: The password for the manila service account.
|
description: The password for the manila service account.
|
||||||
type: string
|
type: string
|
||||||
@ -48,6 +55,11 @@ parameters:
|
|||||||
default: 'overcloud-manila-api'
|
default: 'overcloud-manila-api'
|
||||||
type: string
|
type: string
|
||||||
|
|
||||||
|
conditions:
|
||||||
|
|
||||||
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||||
|
manila_workers_zero: {equals : [{get_param: ManilaWorkers}, 0]}
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
|
|
||||||
ContainersCommon:
|
ContainersCommon:
|
||||||
@ -63,6 +75,19 @@ resources:
|
|||||||
ServiceData: {get_param: ServiceData}
|
ServiceData: {get_param: ServiceData}
|
||||||
ServiceNetMap: {get_param: ServiceNetMap}
|
ServiceNetMap: {get_param: ServiceNetMap}
|
||||||
DefaultPasswords: {get_param: DefaultPasswords}
|
DefaultPasswords: {get_param: DefaultPasswords}
|
||||||
|
RoleName: {get_param: RoleName}
|
||||||
|
RoleParameters: {get_param: RoleParameters}
|
||||||
|
|
||||||
|
ApacheServiceBase:
|
||||||
|
type: ../../puppet/services/apache.yaml
|
||||||
|
properties:
|
||||||
|
ServiceData: {get_param: ServiceData}
|
||||||
|
ServiceNetMap: {get_param: ServiceNetMap}
|
||||||
|
DefaultPasswords: {get_param: DefaultPasswords}
|
||||||
|
EndpointMap: {get_param: EndpointMap}
|
||||||
|
RoleName: {get_param: RoleName}
|
||||||
|
RoleParameters: {get_param: RoleParameters}
|
||||||
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
||||||
|
|
||||||
outputs:
|
outputs:
|
||||||
role_data:
|
role_data:
|
||||||
@ -72,6 +97,7 @@ outputs:
|
|||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- get_attr: [ManilaBase, role_data, config_settings]
|
- get_attr: [ManilaBase, role_data, config_settings]
|
||||||
|
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
||||||
- manila::keystone::authtoken::password: {get_param: ManilaPassword}
|
- manila::keystone::authtoken::password: {get_param: ManilaPassword}
|
||||||
manila::keystone::authtoken::auth_uri: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
manila::keystone::authtoken::auth_uri: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||||
manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||||
@ -95,8 +121,26 @@ outputs:
|
|||||||
"%{hiera('$NETWORK')}"
|
"%{hiera('$NETWORK')}"
|
||||||
params:
|
params:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, ManilaApiNetwork]}
|
$NETWORK: {get_param: [ServiceNetMap, ManilaApiNetwork]}
|
||||||
|
manila::wsgi::apache::bind_host:
|
||||||
|
str_replace:
|
||||||
|
template:
|
||||||
|
"%{hiera('$NETWORK')}"
|
||||||
|
params:
|
||||||
|
$NETWORK: {get_param: [ServiceNetMap, ManilaApiNetwork]}
|
||||||
|
manila::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
||||||
|
manila::api::service_name: 'httpd'
|
||||||
manila::api::enable_proxy_headers_parsing: true
|
manila::api::enable_proxy_headers_parsing: true
|
||||||
manila::api::default_share_type: 'default'
|
manila::api::default_share_type: 'default'
|
||||||
|
- manila::wsgi::apache::servername:
|
||||||
|
str_replace:
|
||||||
|
template:
|
||||||
|
"%{hiera('fqdn_$NETWORK')}"
|
||||||
|
params:
|
||||||
|
$NETWORK: {get_param: [ServiceNetMap, ManilaApiNetwork]}
|
||||||
|
- if:
|
||||||
|
- manila_workers_zero
|
||||||
|
- {}
|
||||||
|
- manila::wsgi::apache::workers: {get_param: ManilaWorkers}
|
||||||
service_config_settings:
|
service_config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- get_attr: [ManilaBase, role_data, service_config_settings]
|
- get_attr: [ManilaBase, role_data, service_config_settings]
|
||||||
@ -122,8 +166,12 @@ outputs:
|
|||||||
config_image: {get_param: DockerManilaConfigImage}
|
config_image: {get_param: DockerManilaConfigImage}
|
||||||
kolla_config:
|
kolla_config:
|
||||||
/var/lib/kolla/config_files/manila_api.json:
|
/var/lib/kolla/config_files/manila_api.json:
|
||||||
command: /usr/bin/manila-api --config-file /usr/share/manila/manila-dist.conf --config-file /etc/manila/manila.conf
|
command: /usr/sbin/httpd -DFOREGROUND
|
||||||
config_files:
|
config_files:
|
||||||
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
|
||||||
|
dest: "/etc/httpd/conf.d"
|
||||||
|
merge: false
|
||||||
|
preserve_properties: true
|
||||||
- source: "/var/lib/kolla/config_files/src/*"
|
- source: "/var/lib/kolla/config_files/src/*"
|
||||||
dest: "/"
|
dest: "/"
|
||||||
merge: true
|
merge: true
|
||||||
@ -162,6 +210,9 @@ outputs:
|
|||||||
image: *manila_api_image
|
image: *manila_api_image
|
||||||
net: host
|
net: host
|
||||||
restart: always
|
restart: always
|
||||||
|
# NOTE(gouthamr) kolla image changes the user to 'manila', we
|
||||||
|
# need it to be root to run httpd
|
||||||
|
user: root
|
||||||
volumes:
|
volumes:
|
||||||
list_concat:
|
list_concat:
|
||||||
- {get_attr: [ContainersCommon, volumes]}
|
- {get_attr: [ContainersCommon, volumes]}
|
||||||
@ -170,8 +221,18 @@ outputs:
|
|||||||
- /var/lib/config-data/puppet-generated/manila/:/var/lib/kolla/config_files/src:ro
|
- /var/lib/config-data/puppet-generated/manila/:/var/lib/kolla/config_files/src:ro
|
||||||
- /var/log/containers/manila:/var/log/manila:z
|
- /var/log/containers/manila:/var/log/manila:z
|
||||||
- /var/log/containers/httpd/manila-api:/var/log/httpd:z
|
- /var/log/containers/httpd/manila-api:/var/log/httpd:z
|
||||||
|
- if:
|
||||||
|
- internal_tls_enabled
|
||||||
|
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
||||||
|
- ''
|
||||||
|
- if:
|
||||||
|
- internal_tls_enabled
|
||||||
|
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
||||||
|
- ''
|
||||||
environment:
|
environment:
|
||||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||||
|
metadata_settings:
|
||||||
|
get_attr: [ApacheServiceBase, role_data, metadata_settings]
|
||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
- name: Create persistent directories
|
- name: Create persistent directories
|
||||||
file:
|
file:
|
||||||
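Review bot: `user: root` on the manila_api container (hunk at -162) sits next to `net: host`, so the httpd parent process runs as root in the host network namespace, and the NOTE records only that root is needed, not what is expected to bound it. I would extend the comment to state the intended privilege boundary, e.g. `# httpd parent runs as root in the host netns; the WSGI daemon processes should still run as 'manila' - verify in the generated conf.d vhost`. Whether the workers actually drop to an unprivileged user is decided by the puppet-manila Apache settings, which are not visible on this page, so that part needs checking against the rendered configuration. The container definition begins and ends outside this hunk, so other hardening options may already be set there.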
|
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
The Shared File Systems service (manila) API has been switched to running
|
||||||
|
behind httpd, and it now supports configuring TLS options.
|
||||||
|
|