Run octavia-api under httpd

octavia-api's cli app doesn't behave well with haproxy so let's run under apache and save ourselves some grief. Also adds cleanup for the octavia-api tls proxy in update and upgrade tasks if it was previously deployed. Also updates zuul layout for multinode job to track changes to new flattened octavia service files. Closes-Bug: #1815811 Change-Id: Ied7cb31fbf1222694250e4769573bcbb82ba5bea
2019-03-06 14:05:59 -03:30 · 2019-03-06 14:05:59 -03:30 · f4460a580d
commit f4460a580d
parent 4743b7631f
3 changed files with 64 additions and 55 deletions
--- a/deployment/octavia/octavia-api-container-puppet.yaml
+++ b/deployment/octavia/octavia-api-container-puppet.yaml
@ -83,17 +83,6 @@ resources:
  MySQLClient:
    type: ../database/mysql-client.yaml

-  TLSProxyBase:
-    type: OS::TripleO::Services::TLSProxyBase
-    properties:
-      ServiceData: {get_param: ServiceData}
-      ServiceNetMap: {get_param: ServiceNetMap}
-      DefaultPasswords: {get_param: DefaultPasswords}
-      EndpointMap: {get_param: EndpointMap}
-      RoleName: {get_param: RoleName}
-      RoleParameters: {get_param: RoleParameters}
-      EnableInternalTLS: {get_param: EnableInternalTLS}
-
  OctaviaBase:
    type: ./octavia-base.yaml
    properties:
@ -124,7 +113,6 @@ outputs:
        map_merge:
          - {get_attr: [OctaviaBase, role_data, config_settings]}
          - {get_attr: [OctaviaWorker, role_data, config_settings]}
-          - get_attr: [TLSProxyBase, role_data, config_settings]
          - octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
            octavia::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
            octavia::policy::policies: {get_param: OctaviaApiPolicies}
@ -132,6 +120,8 @@ outputs:
            octavia::keystone::authtoken::project_name: {get_param: OctaviaProjectName}
            octavia::keystone::authtoken::password: {get_param: OctaviaPassword}
            octavia::api::sync_db: true
+            octavia::api::service_name: 'httpd'
+            octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS}
            tripleo::octavia_api::firewall_rules:
              '120 octavia api':
                dport:
@ -142,13 +132,13 @@ outputs:
            # internal_api -> IP
            # internal_api_uri -> [IP]
            # internal_api_subnet - > IP/CIDR
-            tripleo::profile::base::octavia::api::tls_proxy_bind_ip:
+            octavia::wsgi::apache::bind_host:
              str_replace:
                template:
                  "%{hiera('$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
-            tripleo::profile::base::octavia::api::tls_proxy_fqdn:
+            octavia::wsgi::apache::server_name:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
@ -159,14 +149,11 @@ outputs:
            # Bind to localhost if internal TLS is enabled, since we put a TLS
            # proxy in front.
            octavia::api::host:
-              if:
-              - use_tls_proxy
-              - '127.0.0.1'
-              - str_replace:
-                  template:
-                    "%{hiera('$NETWORK')}"
-                  params:
-                    $NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
+              str_replace:
+                template:
+                  "%{hiera('$NETWORK')}"
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, OctaviaApiNetwork]}
      service_config_settings:
        fluentd:
          tripleo_fluentd_groups_octavia_api:
@ -200,17 +187,6 @@ outputs:
        config_image: {get_param: DockerOctaviaConfigImage}
      kolla_config:
        /var/lib/kolla/config_files/octavia_api.json:
-          command: /usr/bin/octavia-api --config-file /usr/share/octavia/octavia-dist.conf --config-file /etc/octavia/octavia.conf --log-file /var/log/octavia/api.log --config-dir /etc/octavia/conf.d/common --config-dir /etc/octavia/conf.d/octavia-api
-          config_files:
-            - source: "/var/lib/kolla/config_files/src/*"
-              dest: "/"
-              merge: true
-              preserve_properties: true
-          permissions:
-            - path: /var/log/octavia
-              owner: octavia:octavia
-              recurse: true
-        /var/lib/kolla/config_files/octavia_api_tls_proxy.json:
          command: /usr/sbin/httpd -DFOREGROUND
          config_files:
            - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
@ -221,6 +197,10 @@ outputs:
              dest: "/"
              merge: true
              preserve_properties: true
+          permissions:
+            - path: /var/log/octavia
+              owner: octavia:octavia
+              recurse: true
      container_puppet_tasks:
        step_5:
          config_volume: octavia
@ -271,6 +251,7 @@ outputs:
                start_order: 2
                image: *octavia_api_image
                net: host
+                user: root
                privileged: false
                restart: always
                healthcheck:
@ -283,27 +264,18 @@ outputs:
                      - /var/lib/config-data/puppet-generated/octavia/:/var/lib/kolla/config_files/src:ro
                      - /var/log/containers/octavia:/var/log/octavia:z
                      - /var/log/containers/httpd/octavia-api:/var/log/httpd:z
+                      -
+                        if:
+                          - internal_tls_enabled
+                          - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+                          - ''
+                      -
+                        if:
+                          - internal_tls_enabled
+                          - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+                          - ''
                environment:
                  - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
-            - if:
-                - internal_tls_enabled
-                - octavia_api_tls_proxy:
-                    start_order: 2
-                    image: *octavia_api_image
-                    net: host
-                    user: root
-                    restart: always
-                    volumes:
-                      list_concat:
-                        - {get_attr: [ContainersCommon, volumes]}
-                        -
-                          - /var/lib/kolla/config_files/octavia_api_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
-                          - /var/lib/config-data/puppet-generated/octavia/:/var/lib/kolla/config_files/src:ro
-                          - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
-                          - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
-                    environment:
-                      - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
-                - {}
      host_prep_tasks:
        - name: create persistent directories
          file:
@ -321,9 +293,34 @@ outputs:
              Log files from octavia containers can be found under
              /var/log/containers/octavia and /var/log/containers/httpd/octavia-api.
          ignore_errors: true
-      upgrade_tasks: []
-      metadata_settings:
-        get_attr: [TLSProxyBase, role_data, metadata_settings]
+      update_tasks:
+        - name: remove TLS proxy if configured and running
+          when:
+            - step|int == 2
+            - internal_tls_enabled|bool
+          block: &remove_octavia_tls_proxy_tasks
+            - name: stop and remove octavia_api_tls_proxy container if docker
+              docker:
+                name: octavia_api_tls_proxy
+                state: absent
+              when: container_cli == 'docker'
+            - name: stop and disable octavia_api_tls_proxy container if podman
+              service:
+                name: tripleo_octavia_api_tls_proxy
+                state: stopped
+                enabled: no
+              when: container_cli == 'podman'
+            - name: clean up tripleo service file for octavia_api_tls_proxy
+              file:
+                state: absent
+                path: "/etc/systemd/system/tripleo_octavia_api_tls_proxy"
+              when: container_cli == 'podman'
+      upgrade_tasks:
+        - name: remove TLS proxy if configured and running
+          when:
+            - step|int == 2
+            - internal_tls_enabled|bool
+          block: *remove_octavia_tls_proxy_tasks
      post_upgrade_tasks:
        - when: step|int == 1
          import_role:
--- a/releasenotes/notes/run-octavia-under-apache-94afa32e4f1ae3e1.yaml
+++ b/releasenotes/notes/run-octavia-under-apache-94afa32e4f1ae3e1.yaml
@ -0,0 +1,11 @@
+---
+upgrade:
+  - |
+    When deploying with internal TLS, previous versions configured a separate
+    TLS proxy to provide a secure access point for the Octavia API. This is
+    now implemented by running the Octavia API as an Apache WSGI application
+    and the Octavia TLS Proxy will be removed during updates and upgrades.
+features:
+  - |
+    When deploying with internal TLS, the Octavia API now runs as an Apache
+    WSGI application improving support for IPv6 and performance.
--- a/zuul.d/layout.yaml
+++ b/zuul.d/layout.yaml
@ -100,6 +100,7 @@
            files:
              - ^(deployment|docker|puppet)/.*octavia.*$
              - ^deployment/ceph-ansible.*$
+              - ^deployment/octavia/*$
              - ci/environments/scenario010-multinode-containers.yaml
              - ^ci/common/.*$
              - ^environments\/.*.yaml