Add the option to deploy keystone without apache
This change gives the keystone role the ability to deploy keystone using only uWSGI, which eliminates Apache and all of its dependencies from the environment. While this capability is not as feature rich as the apache based deployment, which is still the default, it does offer a significant reduction in process overhead, targeting minimal deployment use cases. For deployments which do not need or want advanced keystone features, this is a huge benefit. Signed-off-by: Kevin Carter <kevin@cloudnull.com> Change-Id: I5a8484082f6331d2c5a452af2760c8e79d44fab8
parent
b9fc36753b
commit
3928511919
@ -179,12 +179,18 @@ keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_
|
|||||||
## Set this value to override the "public_endpoint" keystone.conf variable
|
## Set this value to override the "public_endpoint" keystone.conf variable
|
||||||
#keystone_public_endpoint: "{{ keystone_service_publicuri }}"
|
#keystone_public_endpoint: "{{ keystone_service_publicuri }}"
|
||||||
|
|
||||||
|
# Enable or disable uWSGI as the primary service manager. While uWSGI is used
|
||||||
|
# for basic deployments, when this option is enabled it will become the sole
|
||||||
|
# service manager instead of being a proxy target.
|
||||||
|
keystone_use_uwsgi: false
|
||||||
|
|
||||||
# Apache web server will handle all requests and will act as a
|
# Apache web server will handle all requests and will act as a
|
||||||
# reverse proxy to uWSGI. If internal TLS/SSL certificates are configured,
|
# reverse proxy to uWSGI when the `keystone_use_uwsgi` option is not enabled.
|
||||||
# they are implemented in this web server's configuration. Using a web server
|
# If internal TLS/SSL certificates are configured, they are implemented in
|
||||||
# for endpoints is far better for scale and allows the use of additional
|
# this web server's configuration. Using a web server for endpoints is
|
||||||
# modules to improve performance or security, leaving uWSGI to only have
|
# far better for scale and allows the use of additional modules to improve
|
||||||
# to be used for running the service.
|
# performance or security, leaving uWSGI to only have to be used for running
|
||||||
|
# the service.
|
||||||
#
|
#
|
||||||
keystone_web_server_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
|
keystone_web_server_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
|
||||||
|
|
||||||
@ -616,7 +622,7 @@ keystone_services:
|
|||||||
wsgi_path: "{{ keystone_bin }}/keystone-wsgi-public"
|
wsgi_path: "{{ keystone_bin }}/keystone-wsgi-public"
|
||||||
uwsgi_overrides: "{{ keystone_default_uwsgi_overrides | combine(keystone_uwsgi_ini_overrides, recursive=True) }}"
|
uwsgi_overrides: "{{ keystone_default_uwsgi_overrides | combine(keystone_uwsgi_ini_overrides, recursive=True) }}"
|
||||||
uwsgi_bind_address: "{{ keystone_uwsgi_bind_address }}"
|
uwsgi_bind_address: "{{ keystone_uwsgi_bind_address }}"
|
||||||
uwsgi_port: "{{ keystone_uwsgi_ports['keystone-wsgi-public']['http'] }}"
|
uwsgi_port: "{{ (keystone_use_uwsgi | bool) | ternary(keystone_service_port, keystone_uwsgi_ports['keystone-wsgi-public']['http']) }}"
|
||||||
|
|
||||||
## Extra HTTP headers for Keystone
|
## Extra HTTP headers for Keystone
|
||||||
# Add any additional headers here that Keystone should return.
|
# Add any additional headers here that Keystone should return.
|
||||||
|
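Review bot: The reworded comment above `keystone_web_server_bind_address` still says internal TLS/SSL certificates are implemented in the web server's configuration, but it does not say what happens to TLS when `keystone_use_uwsgi` is true and that web server is skipped. In the second hunk `uwsgi_port` then becomes `keystone_service_port` while `uwsgi_bind_address` stays at `keystone_uwsgi_bind_address`, so the uWSGI listener becomes the client-facing identity endpoint. Nothing in the visible hunks configures TLS for it, so it presumably serves plain HTTP unless TLS is terminated by something in front of it. I would add to the option's comment: `# NOTE: when enabled, the Apache TLS configuration is not applied; terminate TLS in front of keystone (for example at the load balancer) and confirm keystone_uwsgi_bind_address is the intended listen address.` Both hunks cut into definitions that continue outside the lines shown.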
15
releasenotes/notes/keystone_uwsgi-86116742b67bb944.yaml
Normal file
15
releasenotes/notes/keystone_uwsgi-86116742b67bb944.yaml
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
The keystone role now supports the option `keystone_use_uwsgi`, which will
|
||||||
|
allow deployers the ability to run keystone via uWSGI without needing the
|
||||||
|
apache webserver. When the `keystone_use_uwsgi` option is enabled, it will
|
||||||
|
setup the uWSGI process on port 5000.
|
||||||
|
other:
|
||||||
|
- |
|
||||||
|
The keystone role can now has the ability to run a minimal uWSGI process
|
||||||
|
for keystone when the option `keystone_use_uwsgi` is set **true**. This
|
||||||
|
feature provides operators the ability to run a minimal install without
|
||||||
|
apache. While the minimal deployment is functional, it is not featureful.
|
||||||
|
Things like modshib and oath are not supported when running the minimal
|
||||||
|
setup.
|
@ -150,6 +150,7 @@
|
|||||||
- import_tasks: keystone_federation_sp_shib_setup.yml
|
- import_tasks: keystone_federation_sp_shib_setup.yml
|
||||||
when:
|
when:
|
||||||
- keystone_sp_apache_mod_shib
|
- keystone_sp_apache_mod_shib
|
||||||
|
- not (keystone_use_uwsgi | bool)
|
||||||
tags:
|
tags:
|
||||||
- keystone-config
|
- keystone-config
|
||||||
|
|
||||||
@ -173,6 +174,8 @@
|
|||||||
- keystone-config
|
- keystone-config
|
||||||
|
|
||||||
- import_tasks: "keystone_apache.yml"
|
- import_tasks: "keystone_apache.yml"
|
||||||
|
when:
|
||||||
|
- not (keystone_use_uwsgi | bool)
|
||||||
tags:
|
tags:
|
||||||
- keystone-config
|
- keystone-config
|
||||||
|
|
||||||
|
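Review bot: With `not (keystone_use_uwsgi | bool)` added to the `keystone_federation_sp_shib_setup.yml` import, a deployment that sets both `keystone_sp_apache_mod_shib` and `keystone_use_uwsgi` silently skips the Shibboleth setup instead of being told the combination is unsupported. The release note in this commit lists modshib as unsupported in the minimal setup, so an early assertion would make that explicit and avoid an identity service that comes up without the federation configuration the operator asked for. A task like the one below, placed before these imports, would fail the run with a clear message. The surrounding task list starts and ends outside the hunks shown.

```yaml
- name: Reject Apache-only federation settings in uWSGI-only mode
  assert:
    that:
      - not (keystone_sp_apache_mod_shib | bool)
    msg: >-
      keystone_use_uwsgi is enabled, so mod_shib federation cannot be
      configured. Disable keystone_sp_apache_mod_shib or keystone_use_uwsgi.
  when:
    - keystone_use_uwsgi | bool
  tags:
    - keystone-config
```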
@ -95,7 +95,7 @@ keystone_apache_modules:
|
|||||||
# - name: "mod_journald"
|
# - name: "mod_journald"
|
||||||
# state: "present
|
# state: "present
|
||||||
|
|
||||||
keystone_system_service_name: apache2
|
keystone_system_service_name: "{{ (keystone_use_uwsgi | bool) | ternary('keystone-wsgi-public', 'apache2') }}"
|
||||||
|
|
||||||
keystone_uwsgi_bin: '/usr/bin'
|
keystone_uwsgi_bin: '/usr/bin'
|
||||||
|
|
||||||
|
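Review bot: Pointing `keystone_system_service_name` at `keystone-wsgi-public` when `keystone_use_uwsgi` is true means tasks and handlers that use this variable no longer manage `apache2`, and none of the visible hunks stops or disables Apache on a host that was deployed earlier in the default mode. If such a host is switched over, the old Apache listener may keep running with its previous configuration on the keystone port, which would either block the uWSGI bind or leave a stale endpoint answering; this is inferred, since the handlers are not shown. The same applies to the `httpd` hunk and the second `apache2` hunk further down. I would document the limitation next to the variable, for example `# NOTE: switching an existing Apache deployment to keystone_use_uwsgi does not stop the apache2 service; stop and disable it first.`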
@ -19,7 +19,7 @@
|
|||||||
# enabled.
|
# enabled.
|
||||||
#
|
#
|
||||||
keystone_package_list: |-
|
keystone_package_list: |-
|
||||||
{% set packages = keystone_distro_packages + keystone_apache_distro_packages %}
|
{% set packages = keystone_distro_packages | union((keystone_use_uwsgi | bool) | ternary([], keystone_apache_distro_packages)) %}
|
||||||
{% if keystone_idp != {} %}
|
{% if keystone_idp != {} %}
|
||||||
{% set _ = packages.extend(keystone_idp_distro_packages) %}
|
{% set _ = packages.extend(keystone_idp_distro_packages) %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -75,7 +75,7 @@ keystone_apache_configs:
|
|||||||
- { src: "keystone-httpd.conf.j2", dest: "/etc/httpd/conf.d/keystone-httpd.conf" }
|
- { src: "keystone-httpd.conf.j2", dest: "/etc/httpd/conf.d/keystone-httpd.conf" }
|
||||||
- { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/httpd/conf.modules.d/mpm_{{ keystone_httpd_mpm_backend }}.conf" }
|
- { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/httpd/conf.modules.d/mpm_{{ keystone_httpd_mpm_backend }}.conf" }
|
||||||
|
|
||||||
keystone_system_service_name: httpd
|
keystone_system_service_name: "{{ (keystone_use_uwsgi | bool) | ternary('keystone-wsgi-public', 'httpd') }}"
|
||||||
|
|
||||||
keystone_uwsgi_bin: '/usr/sbin'
|
keystone_uwsgi_bin: '/usr/sbin'
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@
|
|||||||
# enabled.
|
# enabled.
|
||||||
#
|
#
|
||||||
keystone_package_list: |-
|
keystone_package_list: |-
|
||||||
{% set packages = keystone_distro_packages + keystone_apache_distro_packages %}
|
{% set packages = keystone_distro_packages | union((keystone_use_uwsgi | bool) | ternary([], keystone_apache_distro_packages)) %}
|
||||||
{% if keystone_idp != {} %}
|
{% if keystone_idp != {} %}
|
||||||
{% set _ = packages.extend(keystone_idp_distro_packages) %}
|
{% set _ = packages.extend(keystone_idp_distro_packages) %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -95,7 +95,7 @@ keystone_apache_modules:
|
|||||||
# - name: "mod_journald"
|
# - name: "mod_journald"
|
||||||
# state: "present
|
# state: "present
|
||||||
|
|
||||||
keystone_system_service_name: apache2
|
keystone_system_service_name: "{{ (keystone_use_uwsgi | bool) | ternary('keystone-wsgi-public', 'apache2') }}"
|
||||||
|
|
||||||
keystone_uwsgi_bin: '/usr/bin'
|
keystone_uwsgi_bin: '/usr/bin'
|
||||||
|
|
||||||
|