Switch Manila API to httpd and support TLS

manila-api can be deployed in two ways:
- Using the service-provided eventlet based server
- Behind any popular web server as a wsgi process

The project team recommends using httpd over the
built-in eventlet-based server to improve
performance and to handle TLS termination.

So, switch the manila-api docker/service to running
httpd, and add necessary configuration options.
Honor the "EnableInternalTLS" option to allow running
manila-api with TLS.

Depends-On: I47b8820667f7c524a15aa28659626382586d160f
Change-Id: Ic88a2f08e013a49e3da45a2bfc82c62ba284526a
(cherry picked from commit 1cb6886a21)
(cherry picked from commit 1f054551b9)
Goutham Pacha Ravi 2018-08-21 15:54:02 -07:00
parent dd63ab997c
commit fa69837f9c
3 changed files with 79 additions and 2 deletions


@ -36,6 +36,13 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
EnableInternalTLS:
type: boolean
default: false
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
@ -52,13 +59,18 @@ resources:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Manila API role.
value:
service_name: {get_attr: [ManilaApiPuppetBase, role_data, service_name]}
config_settings: {get_attr: [ManilaApiPuppetBase, role_data, config_settings]}
config_settings:
map_merge:
- get_attr: [ManilaApiPuppetBase, role_data, config_settings]
- apache::default_vhost: false
logging_source: {get_attr: [ManilaApiPuppetBase, role_data, logging_source]}
logging_groups: {get_attr: [ManilaApiPuppetBase, role_data, logging_groups]}
service_config_settings: {get_attr: [ManilaApiPuppetBase, role_data, service_config_settings]}
@ -74,7 +86,7 @@ outputs:
config_image: {get_param: DockerManilaConfigImage}
kolla_config:
/var/lib/kolla/config_files/manila_api.json:
command: /usr/bin/manila-api --config-file /usr/share/manila/manila-dist.conf --config-file /etc/manila/manila.conf
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
@ -113,6 +125,9 @@ outputs:
image: *manila_api_image
net: host
restart: always
# NOTE(gouthamr) kolla image sets the user to 'manila', we need it
# to be root to run httpd
user: root
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
@ -121,6 +136,16 @@ outputs:
- /var/lib/config-data/puppet-generated/manila/:/var/lib/kolla/config_files/src:ro
- /var/log/containers/manila:/var/log/manila
- /var/log/containers/httpd/manila-api:/var/log/httpd
-
if:
- internal_tls_enabled
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- ''
-
if:
- internal_tls_enabled
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- ''
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
host_prep_tasks:
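Review bot: The `user: root` override in the `@ -113,6 +125,9` hunk leaves the manila_api container running as root alongside `net: host`, and the NOTE above it does not say which resource actually requires root. Because the following hunk also bind-mounts `/etc/pki/tls/private/httpd` into this container when `internal_tls_enabled` holds, the comment should record the reason so a later reviewer can judge whether root can be dropped again, for example `# NOTE(gouthamr) kolla image sets the user to 'manila'; httpd is started as root because <what needs root: confirm>`. Whether httpd lowers privileges for its worker processes after start-up is not visible on this page and is worth confirming against the generated httpd configuration. The container definition starts and ends outside the hunk.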


@ -41,8 +41,30 @@ parameters:
MonitoringSubscriptionManilaApi:
default: 'overcloud-manila-api'
type: string
ManilaWorkers:
type: string
description: Set the number of workers for manila::wsgi::apache
default: '%{::os_workers}'
EnableInternalTLS:
type: boolean
default: false
conditions:
manila_workers_zero: {equals : [{get_param: ManilaWorkers}, 0]}
resources:
ApacheServiceBase:
type: ./apache.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
ManilaBase:
type: ./manila-base.yaml
properties:
@ -62,6 +84,7 @@ outputs:
config_settings:
map_merge:
- get_attr: [ManilaBase, role_data, config_settings]
- get_attr: [ApacheServiceBase, role_data, config_settings]
- manila::keystone::authtoken::password: {get_param: ManilaPassword}
manila::keystone::authtoken::auth_uri: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
@ -82,6 +105,28 @@ outputs:
manila::api::bind_host: {get_param: [ServiceNetMap, ManilaApiNetwork]}
manila::api::enable_proxy_headers_parsing: true
manila::api::default_share_type: 'default'
manila::wsgi::apache::ssl: {get_param: EnableInternalTLS}
manila::api::service_name: 'httpd'
manila::wsgi::apache::bind_host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, ManilaApiNetwork]}
-
manila::wsgi::apache::servername:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, ManilaApiNetwork]}
-
if:
- manila_workers_zero
- {}
- manila::wsgi::apache::workers: {get_param: ManilaWorkers}
step_config: |
include ::tripleo::profile::base::manila::api
service_config_settings:
@ -97,3 +142,5 @@ outputs:
manila::keystone::auth::admin_url_v2: {get_param: [EndpointMap, ManilaAdmin, uri]}
manila::keystone::auth::password: {get_param: ManilaPassword}
manila::keystone::auth::region: {get_param: KeystoneRegion}
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
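Review bot: `manila_workers_zero` in the `@ -41,8 +41,30` hunk compares `ManilaWorkers` with the integer `0`, but the parameter is declared `type: string` with default `'%{::os_workers}'`, so an operator-supplied `'0'` may not satisfy `equals` and would then be passed through as `manila::wsgi::apache::workers`. Comparing against the string form, `manila_workers_zero: {equals: [{get_param: ManilaWorkers}, '0']}`, looks safer, once it is confirmed how Heat compares the two types. Separately, `EnableInternalTLS` is added without a `description`, although it feeds `manila::wsgi::apache::ssl` directly and defaults to `false`. A line such as `description: Enable TLS for the manila API served by httpd on the internal network` (wording to be confirmed) would make that default visible to operators.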


@ -0,0 +1,5 @@
---
features:
- |
The Shared File Systems service (manila) API has been switched to running
behind httpd, and it now supports configuring TLS options.