Switch trove-api to wsgi running under apache.

This change also adds support for Trove backend TLS. Depends-On: https://review.opendev.org/c/openstack/kolla/+/854744 Change-Id: I2acf7820b24b112b57b0c00a01f5c4b8cb85ce25
2022-08-26 15:11:49 +08:00 · 2022-08-26 15:11:49 +08:00 · 303998e294
commit 303998e294
parent 66ec9cef55
9 changed files with 113 additions and 8 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -541,6 +541,7 @@ syslog_udp_port: "{{ fluentd_syslog_port }}"
 tacker_server_port: "9890"

 trove_api_port: "8779"
+trove_api_listen_port: "{{ trove_api_port }}"

 venus_api_port: "10010"

--- a/ansible/roles/common/templates/conf/filter/01-rewrite.conf.j2
+++ b/ansible/roles/common/templates/conf/filter/01-rewrite.conf.j2
@ -3,7 +3,7 @@
    capitalize_regex_backreference yes
  <rule>
    key     programname
-    pattern ^(cinder-api-access|cloudkitty-api-access|gnocchi-api-access|horizon-access|keystone-apache-admin-access|keystone-apache-public-access|octavia-api-access|placement-api-access)$
+    pattern ^(cinder-api-access|cloudkitty-api-access|gnocchi-api-access|horizon-access|keystone-apache-admin-access|keystone-apache-public-access|octavia-api-access|placement-api-access|trove-api-access)$
    tag apache_access
  </rule>
  <rule>
--- a/ansible/roles/trove/defaults/main.yml
+++ b/ansible/roles/trove/defaults/main.yml
@ -14,11 +14,15 @@ trove_services:
        mode: "http"
        external: false
        port: "{{ trove_api_port }}"
+        listen_port: "{{ trove_api_listen_port }}"
+        tls_backend: "{{ trove_enable_tls_backend }}"
      trove_api_external:
        enabled: "{{ enable_trove }}"
        mode: "http"
        external: true
        port: "{{ trove_api_port }}"
+        listen_port: "{{ trove_api_listen_port }}"
+        tls_backend: "{{ trove_enable_tls_backend }}"
  trove-conductor:
    container_name: trove_conductor
    group: trove-conductor
@ -198,3 +202,8 @@ trove_ks_users:
    user: "{{ trove_keystone_user }}"
    password: "{{ trove_keystone_password }}"
    role: "admin"
+
+####################
+# TLS
+####################
+trove_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
--- a/ansible/roles/trove/tasks/config.yml
+++ b/ansible/roles/trove/tasks/config.yml
@ -33,7 +33,7 @@

 - include_tasks: copy-certs.yml
  when:
-    - kolla_copy_ca_into_containers | bool
+    - kolla_copy_ca_into_containers | bool or trove_enable_tls_backend | bool

 - name: Copying over config.json files for services
  template:
@ -48,6 +48,24 @@
  notify:
    - "Restart {{ item.key }} container"

+- name: Copying over trove-wsgi.conf
+  vars:
+    service: "{{ trove_services['trove-api'] }}"
+  become: true
+  template:
+    src: "{{ item }}"
+    dest: "{{ node_config_directory }}/trove-api/trove-wsgi.conf"
+    mode: "0660"
+  with_first_found:
+    - "{{ node_custom_config }}/trove/{{ inventory_hostname }}/trove-wsgi.conf"
+    - "{{ node_custom_config }}/trove/trove-wsgi.conf"
+    - "trove-wsgi.conf.j2"
+  when:
+    - inventory_hostname in groups[service.group]
+    - service.enabled | bool
+  notify:
+    - Restart trove-api container
+
 - name: Copying over trove-guestagent.conf
  vars:
    services_need_confs:
--- a/ansible/roles/trove/tasks/precheck.yml
+++ b/ansible/roles/trove/tasks/precheck.yml
@ -17,7 +17,7 @@
 - name: Checking free port for Trove API
  wait_for:
    host: "{{ api_interface_address }}"
-    port: "{{ trove_api_port }}"
+    port: "{{ trove_api_listen_port }}"
    connect_timeout: 1
    timeout: 1
    state: stopped
--- a/ansible/roles/trove/templates/trove-api.json.j2
+++ b/ansible/roles/trove/templates/trove-api.json.j2
@ -1,24 +1,48 @@
+{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
+{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
 {
-    "command": "trove-api --config-file=/etc/trove/trove.conf",
+    "command": "/usr/sbin/{{ apache_binary }} -DFOREGROUND",
    "config_files": [
        {
            "source": "{{ container_config_directory }}/trove.conf",
            "dest": "/etc/trove/trove.conf",
            "owner": "trove",
            "perm": "0600"
-    }{% if trove_policy_file is defined %},
+        },
+        {
+            "source": "{{ container_config_directory }}/trove-wsgi.conf",
+            "dest": "/etc/{{ apache_conf_dir }}/trove-wsgi.conf",
+            "owner": "trove",
+            "perm": "0600"
+        }{% if trove_policy_file is defined %},
        {
            "source": "{{ container_config_directory }}/{{ trove_policy_file }}",
            "dest": "/etc/trove/{{ trove_policy_file }}",
            "owner": "trove",
            "perm": "0600"
-        }{% endif %}
-    ],
+        }{% endif %}{% if trove_enable_tls_backend | bool %},
+        {
+            "source": "{{ container_config_directory }}/trove-cert.pem",
+            "dest": "/etc/trove/certs/trove-cert.pem",
+            "owner": "trove",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/trove-key.pem",
+            "dest": "/etc/trove/certs/trove-key.pem",
+            "owner": "trove",
+            "perm": "0600"
+        }
+    {% endif %}],
    "permissions": [
        {
            "path": "/var/log/kolla/trove",
            "owner": "trove:trove",
            "recurse": true
+        },
+        {
+            "path": "/var/run/trove",
+            "owner": "trove:trove"
        }
    ]
 }
--- a/ansible/roles/trove/templates/trove-wsgi.conf.j2
+++ b/ansible/roles/trove/templates/trove-wsgi.conf.j2
@ -0,0 +1,43 @@
+{% set wsgi_directory = '/var/lib/kolla/venv/bin' %}
+{% if trove_enable_tls_backend | bool %}
+{% if kolla_base_distro in ['centos']  %}
+LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
+{% else %}
+LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+{% endif %}
+{% endif %}
+Listen {{ api_interface_address | put_address_in_context('url') }}:{{ trove_api_listen_port }}
+
+ServerSignature Off
+ServerTokens Prod
+TraceEnable off
+TimeOut {{ kolla_httpd_timeout }}
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
+
+{% if trove_logging_debug | bool %}
+LogLevel info
+{% endif %}
+
+<VirtualHost *:{{ trove_api_listen_port }}>
+    WSGIDaemonProcess trove-api processes={{ trove_api_workers }} threads=1 user=trove group=trove display-name=trove-api
+    WSGIProcessGroup trove-api
+    WSGIScriptAlias / {{ wsgi_directory }}/trove-wsgi
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+    <IfVersion >= 2.4>
+      ErrorLogFormat "%{cu}t %M"
+    </IfVersion>
+    ErrorLog /var/log/kolla/trove/trove-api-error.log
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
+    CustomLog /var/log/kolla/trove/trove-api-access.log logformat
+    <Directory {{ wsgi_directory }}>
+        <Files trove-wsgi>
+            Require all granted
+        </Files>
+    </Directory>
+{% if trove_enable_tls_backend | bool %}
+    SSLEngine On
+    SSLCertificateFile /etc/trove/certs/trove-cert.pem
+    SSLCertificateKeyFile /etc/trove/certs/trove-key.pem
+{% endif %}
+</VirtualHost>
--- a/ansible/roles/trove/templates/trove.conf.j2
+++ b/ansible/roles/trove/templates/trove.conf.j2
@ -2,10 +2,13 @@
 debug = {{ trove_logging_debug }}

 log_dir = /var/log/kolla/trove
+{% if service_name == "trove-api" %}
+log_file = trove-api.log
+{% endif %}

 host = {{ api_interface_address }}

-bind_port = {{ trove_api_port }}
+bind_port = {{ trove_api_listen_port }}
 bind_host = {{ api_interface_address }}
 trove_api_workers = {{ trove_api_workers }}
 auth_strategy = keystone
--- a/releasenotes/notes/trove-api-wsgi-bd6a3a5ab26fe896.yaml
+++ b/releasenotes/notes/trove-api-wsgi-bd6a3a5ab26fe896.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Switch ``trove-api`` to WSGI running under Apache.
+  - |
+    Added configuration options to enable backend TLS encryption from HAProxy
+    to the Trove service.