Switch Manila API to httpd and support TLS
manila-api can be deployed in two ways:
- Using the service-provided eventlet-based server
- Behind any popular web server as a WSGI process

The project team recommends using httpd over the built-in eventlet-based server to improve performance and to handle TLS termination. So, switch the manila-api docker/service to running httpd, and add the necessary configuration options. Honor the "EnableInternalTLS" option to allow running manila-api with TLS.

Depends-On: I47b8820667f7c524a15aa28659626382586d160f
Change-Id: Ic88a2f08e013a49e3da45a2bfc82c62ba284526a
(cherry picked from commit 1cb6886a21)
(cherry picked from commit 1f054551b9)
parent
dd63ab997c
commit
fa69837f9c
|
@ -36,6 +36,13 @@ parameters:
|
|||
default: {}
|
||||
description: Parameters specific to the role
|
||||
type: json
|
||||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
|
||||
conditions:
|
||||
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -52,13 +59,18 @@ resources:
|
|||
ServiceData: {get_param: ServiceData}
|
||||
ServiceNetMap: {get_param: ServiceNetMap}
|
||||
DefaultPasswords: {get_param: DefaultPasswords}
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the Manila API role.
|
||||
value:
|
||||
service_name: {get_attr: [ManilaApiPuppetBase, role_data, service_name]}
|
||||
config_settings: {get_attr: [ManilaApiPuppetBase, role_data, config_settings]}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [ManilaApiPuppetBase, role_data, config_settings]
|
||||
- apache::default_vhost: false
|
||||
logging_source: {get_attr: [ManilaApiPuppetBase, role_data, logging_source]}
|
||||
logging_groups: {get_attr: [ManilaApiPuppetBase, role_data, logging_groups]}
|
||||
service_config_settings: {get_attr: [ManilaApiPuppetBase, role_data, service_config_settings]}
|
||||
|
@ -74,7 +86,7 @@ outputs:
|
|||
config_image: {get_param: DockerManilaConfigImage}
|
||||
kolla_config:
|
||||
/var/lib/kolla/config_files/manila_api.json:
|
||||
command: /usr/bin/manila-api --config-file /usr/share/manila/manila-dist.conf --config-file /etc/manila/manila.conf
|
||||
command: /usr/sbin/httpd -DFOREGROUND
|
||||
config_files:
|
||||
- source: "/var/lib/kolla/config_files/src/*"
|
||||
dest: "/"
|
||||
|
@ -113,6 +125,9 @@ outputs:
|
|||
image: *manila_api_image
|
||||
net: host
|
||||
restart: always
|
||||
# NOTE(gouthamr) kolla image sets the user to 'manila', we need it
|
||||
# to be root to run httpd
|
||||
user: root
|
||||
volumes:
|
||||
list_concat:
|
||||
- {get_attr: [ContainersCommon, volumes]}
|
||||
|
@ -121,6 +136,16 @@ outputs:
|
|||
- /var/lib/config-data/puppet-generated/manila/:/var/lib/kolla/config_files/src:ro
|
||||
- /var/log/containers/manila:/var/log/manila
|
||||
- /var/log/containers/httpd/manila-api:/var/log/httpd
|
||||
-
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
||||
- ''
|
||||
-
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
||||
- ''
|
||||
environment:
|
||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||
host_prep_tasks:
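Review bot: `user: root` together with the existing `net: host` gives this container more reach on the host than the old `manila` user had, and the NOTE above it only says root is needed "to run httpd". The comment should name what needs root (presumably reading the key under `/etc/pki/tls/private/httpd` and opening logs in `/var/log/httpd`; please confirm) and state that request handling is expected to run as httpd's unprivileged worker user, which depends on the image's httpd configuration and is not visible here. Mounting both certificate and key directories `:ro` is the right call. The new `/var/log/containers/httpd/manila-api` bind mount needs a matching host directory with suitable ownership; `host_prep_tasks` begins on the last line of this hunk and its body is not shown, so I cannot tell whether it creates that directory.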
|
||||
|
|
|
@ -41,8 +41,30 @@ parameters:
|
|||
MonitoringSubscriptionManilaApi:
|
||||
default: 'overcloud-manila-api'
|
||||
type: string
|
||||
ManilaWorkers:
|
||||
type: string
|
||||
description: Set the number of workers for manila::wsgi::apache
|
||||
default: '%{::os_workers}'
|
||||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
|
||||
conditions:
|
||||
manila_workers_zero: {equals : [{get_param: ManilaWorkers}, 0]}
|
||||
|
||||
resources:
|
||||
|
||||
ApacheServiceBase:
|
||||
type: ./apache.yaml
|
||||
properties:
|
||||
ServiceData: {get_param: ServiceData}
|
||||
ServiceNetMap: {get_param: ServiceNetMap}
|
||||
DefaultPasswords: {get_param: DefaultPasswords}
|
||||
EndpointMap: {get_param: EndpointMap}
|
||||
RoleName: {get_param: RoleName}
|
||||
RoleParameters: {get_param: RoleParameters}
|
||||
EnableInternalTLS: {get_param: EnableInternalTLS}
|
||||
|
||||
ManilaBase:
|
||||
type: ./manila-base.yaml
|
||||
properties:
|
||||
|
@ -62,6 +84,7 @@ outputs:
|
|||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [ManilaBase, role_data, config_settings]
|
||||
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
||||
- manila::keystone::authtoken::password: {get_param: ManilaPassword}
|
||||
manila::keystone::authtoken::auth_uri: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
|
@ -82,6 +105,28 @@ outputs:
|
|||
manila::api::bind_host: {get_param: [ServiceNetMap, ManilaApiNetwork]}
|
||||
manila::api::enable_proxy_headers_parsing: true
|
||||
manila::api::default_share_type: 'default'
|
||||
|
||||
manila::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
||||
manila::api::service_name: 'httpd'
|
||||
manila::wsgi::apache::bind_host:
|
||||
str_replace:
|
||||
template:
|
||||
"%{hiera('$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, ManilaApiNetwork]}
|
||||
-
|
||||
manila::wsgi::apache::servername:
|
||||
str_replace:
|
||||
template:
|
||||
"%{hiera('fqdn_$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, ManilaApiNetwork]}
|
||||
-
|
||||
if:
|
||||
- manila_workers_zero
|
||||
- {}
|
||||
- manila::wsgi::apache::workers: {get_param: ManilaWorkers}
|
||||
|
||||
step_config: |
|
||||
include ::tripleo::profile::base::manila::api
|
||||
service_config_settings:
|
||||
|
@ -97,3 +142,5 @@ outputs:
|
|||
manila::keystone::auth::admin_url_v2: {get_param: [EndpointMap, ManilaAdmin, uri]}
|
||||
manila::keystone::auth::password: {get_param: ManilaPassword}
|
||||
manila::keystone::auth::region: {get_param: KeystoneRegion}
|
||||
metadata_settings:
|
||||
get_attr: [ApacheServiceBase, role_data, metadata_settings]
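Review bot: The `manila_workers_zero` condition compares `ManilaWorkers`, declared `type: string` with default `'%{::os_workers}'`, against the integer `0`. If Heat's `equals` compares the resolved values type-strictly (I believe it does, please confirm), a value of `'0'` will not match and `manila::wsgi::apache::workers` will be set to `'0'` instead of being left out. Comparing against the string form, `manila_workers_zero: {equals: [{get_param: ManilaWorkers}, '0']}`, avoids that and also drops the stray space in `equals :`. Separately, `EnableInternalTLS` is added without a `description`; since it drives `manila::wsgi::apache::ssl`, a line such as `description: Whether to enable TLS for the Manila API served by httpd.` would tell operators what turning it on changes.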
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
The Shared File Systems service (manila) API has been switched to running
|
||||
behind httpd, and it now supports configuring TLS options.
|