Drop Nginx webserver support

There is no reason to support multiple web servers as a proxy for keystone. Nginx is missing modules to support federation. With it's removal we simplify code and reduce maintaining efforts needed. Change-Id: Ib3f90a72dfc8f78cf304b0f130883befdeb09220 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/818674
2021-11-10 13:54:03 +02:00 · 2021-11-10 13:54:03 +02:00 · eb9a0c6cea
commit eb9a0c6cea
parent eeef3a48f4
15 changed files with 64 additions and 288 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -180,20 +180,13 @@ keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_
 ## Set this value to override the "public_endpoint" keystone.conf variable
 #keystone_public_endpoint: "{{ keystone_service_publicuri }}"
-# This is the web server that will handle all requests and will act as a
+# Apache web server will handle all requests and will act as a
 # reverse proxy to uWSGI. If internal TLS/SSL certificates are configured,
 # they are implemented in this web server's configuration. Using a web server
 # for endpoints is far better for scale and allows the use of additional
 # modules to improve performance or security, leaving uWSGI to only have
 # to be used for running the service.
 #
 # Note:
 # The default is nginx, but apache will be used if Keystone is configured
 # as a Federated Service provider.
 # TODO (odyssey4me): Convert the SP implementation to use nginx instead
 # so that we do not have to be concerned with multiple web servers.
 #
 keystone_web_server: "{{ (keystone_sp != {}) | ternary('apache', 'nginx') }}"
 keystone_web_server_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
 ## security.txt
@ -216,26 +209,15 @@ keystone_apache_serversignature: "Off"
 ## Apache MPM tunables
 keystone_httpd_mpm_backend: event
 keystone_httpd_mpm_server_limit: "{{ keystone_wsgi_processes }}"
 keystone_httpd_mpm_start_servers: 2
 keystone_httpd_mpm_min_spare_threads: 25
 keystone_httpd_mpm_max_spare_threads: 75
 keystone_httpd_mpm_thread_limit: 64
 keystone_httpd_mpm_thread_child: 25
-keystone_httpd_mpm_max_requests: 150
+keystone_httpd_mpm_max_requests: "{{ keystone_httpd_mpm_server_limit * keystone_httpd_mpm_thread_child }}"
 keystone_httpd_mpm_max_conn_child: 0
 ## Centos NGINX repository options
 keystone_centos_nginx_mirror: "{{ centos_nginx_mirror | default('http://nginx.org/packages/centos/7/$basearch/') }}"
 keystone_centos_nginx_key: "{{ centos_nginx_key | default('http://nginx.org/keys/nginx_signing.key') }}"
 ## Nginx setup
 keystone_nginx_access_log_format_combined: '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'
 keystone_nginx_access_log_format_extras: '$request_time $upstream_response_time'
 keystone_nginx_ports:
  keystone-wsgi-public: "{{ keystone_service_port }}"
 keystone_nginx_extra_conf:
  - keepalive_timeout   70;
 ## uWSGI setup
 keystone_wsgi_threads: 1
 ## Cap the maximun number of processes when a user value is unspecified.
@ -255,7 +237,7 @@ keystone_ssl: false
 keystone_ssl_cert: /etc/ssl/certs/keystone.pem
 keystone_ssl_key: /etc/ssl/private/keystone.key
 keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem
-keystone_ssl_protocol: "{{ (keystone_web_server == 'nginx') | ternary('TLSv1.2', 'ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1') }}"
+keystone_ssl_protocol: "ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1"
 keystone_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
 # if using a self-signed certificate, set this to true to regenerate it
--- a/files/nginx.conf
+++ b/files/nginx.conf
@ -1,43 +0,0 @@
 user nginx nginx;
 worker_processes 1;
 error_log /var/log/nginx/error_log info;
 events {
  worker_connections 1024;
  use epoll;
 }
 http {
  include /etc/nginx/mime.types;
  default_type application/octet-stream;
  log_format main
    '$remote_addr - $remote_user [$time_local] '
    '"$request" $status $bytes_sent '
    '"$http_referer" "$http_user_agent" '
    '"$gzip_ratio"';
  client_header_timeout 10m;
  client_body_timeout 10m;
  send_timeout 10m;
  connection_pool_size 256;
  client_header_buffer_size 1k;
  large_client_header_buffers 4 2k;
  request_pool_size 4k;
  gzip off;
  output_buffers 1 32k;
  postpone_output 1460;
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 75 20;
  ignore_invalid_headers on;
  include /etc/nginx/sites-available/*.conf;
 }
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -15,7 +15,7 @@
 - name: Restart web server
  service:
-    name: "{{ (keystone_web_server == 'apache') | ternary(keystone_system_service_name, 'nginx') }}"
+    name: "{{ keystone_system_service_name }}"
    enabled: yes
    state: restarted
    daemon_reload: "{{ (ansible_facts['service_mgr'] == 'systemd') | ternary('yes', omit) }}"
--- a/releasenotes/notes/keystone_drop_nginx-5e7791d22f0be48a.yaml
+++ b/releasenotes/notes/keystone_drop_nginx-5e7791d22f0be48a.yaml
@ -0,0 +1,16 @@
 ---
 deprecations:
  - |
    We removed multiple web server support for keystone and left only Apache
    since nginx is missing features required for federation setup.
    With this change following variables are deprecated and have no effect:
      * keystone_web_server
      * keystone_centos_nginx_mirror
      * keystone_centos_nginx_key
      * keystone_nginx_access_log_format_combined
      * keystone_nginx_access_log_format_extras
      * keystone_nginx_ports
      * keystone_nginx_extra_conf
    Nginx web server will be removed and replaced with Apache during upgrade.
--- a/tasks/keystone_install.yml
+++ b/tasks/keystone_install.yml
@ -47,48 +47,45 @@
    - ansible_facts['pkg_mgr'] == 'dnf'
    - keystone_sp != {}
- name: Add NGINX repository keys
+# TODO(noonedeadpunk): Remove nginx-related changes in Y release
-  rpm_key:
+- name: Remove nginx keystone vhost configuration
-    key: "{{ keystone_centos_nginx_key }}"
+  file:
-    state: present
+    path: "/etc/nginx/{{ (ansible_facts['os_family'] | lower == 'debian') | ternary('sites-available', 'conf.d') }}/{{ item }}.conf"
-  when:
+    state: absent
-    - ansible_facts['pkg_mgr'] == 'dnf'
+  with_items: "{{ keystone_services.keys() | list }}"
-    - keystone_web_server == 'nginx'
+  register: nginx_vhosts
  register: add_nginx_key
  until: add_nginx_key is success
  retries: 5
  delay: 2
- name: Add NGINX repository
+- name: Remove nginx symlink for vhost configuration
-  yum_repository:
+  file:
-    name: nginx
+    path: /etc/nginx/sites-enabled/{{ item }}.conf
-    description: 'nginx repo'
+    state: absent
-    baseurl: "{{ keystone_centos_nginx_mirror }}"
+  with_items: "{{ keystone_services.keys() | list }}"
-  when:
+  when: ansible_facts['os_family'] == "Debian"
-    - ansible_facts['pkg_mgr'] == 'dnf'
+
-    - keystone_web_server == 'nginx'
+- name: Reload nginx if needed
-  register: add_nginx_repo
+  service:
-  until: add_nginx_repo is success
+    name: "nginx"
-  retries: 5
+    state: restarted
-  delay: 2
+  failed_when: false
  when: nginx_vhosts is changed
 # If the web server being removed was never installed, this task will fail when trying
 # to stop/disable it. The task is therefore set to never fail.
- name: Ensure other web server is not running/enabled
+- name: Remove nginx web server
-  service:
+  when: "('repo_all' in groups and inventory_hostname not in groups['repo_all']) or ('repo_all' not in groups)"
-    name: "{{ (keystone_web_server == 'nginx') | ternary(keystone_system_service_name, 'nginx') }}"
+  block:
-    enabled: no
+    - name: Ensure nginx web server is not running/enabled
-    state: stopped
+      service:
-    daemon_reload: "yes"
+        name: "nginx"
-  failed_when: false
+        enabled: no
        state: stopped
      failed_when: false
- name: Remove other web server distro packages and mod_wsgi
+    - name: Remove nginx server distro packages
-  package:
+      package:
-    name: "{{ (keystone_web_server == 'nginx') | ternary(keystone_apache_distro_packages, keystone_nginx_distro_packages) }}"
+        name: "nginx"
-    state: absent
+        state: absent
-    autoremove: "{{ (ansible_facts['pkg_mgr'] == 'apt') | ternary('yes', omit) }}"
+        autoremove: "{{ (ansible_facts['pkg_mgr'] == 'apt') | ternary('yes', omit) }}"
  when: "(is_metal is undefined) or
         not (is_metal | bool)"
 - name: Install distro packages
  package:
--- a/tasks/keystone_nginx.yml
+++ b/tasks/keystone_nginx.yml
@ -1,95 +0,0 @@
 ---
 # Copyright 2016, Rackspace US, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 - name: Ensure Apache is not running
  service:
    name: "{{ keystone_system_service_name }}"
    state: stopped
  failed_when: false
  when: ('horizon_all' in groups and inventory_hostname not in groups['horizon_all']) or ('horizon_all' not in groups)
 - name: Disable default configuration
  file:
    path: /etc/nginx/sites-enabled/default
    state: absent
  notify:
    - Manage LB
    - Restart web server
 - name: Remove default nginx config
  file:
    path: /etc/nginx/conf.d/default.conf
    state: absent
  notify:
    - Manage LB
    - Restart web server
 - name: Ensure configuration directories exist
  file:
    path: "{{ item }}"
    state: directory
  with_items:
    - "/etc/nginx/{{ keystone_nginx_conf_path }}"
    - "/etc/nginx/conf.d"
 - name: Configure custom nginx log format
  copy:
    # NOTE(odyssey4me):
    # To cater for the situation where there are no containers, or
    # nginx is shared in some way, it's better to add custom directives
    # for nginx.conf into a conf.d file. That way it's never overwritten.
    content: |
      # Ansible managed
      log_format custom '{{ keystone_nginx_access_log_format_combined }} {{ keystone_nginx_access_log_format_extras }}';
    dest: "/etc/nginx/conf.d/custom_log.conf"
  notify:
    - Manage LB
    - Restart web server
 # Configure app
 - name: Configure virtual hosts
  template:
    src: keystone_nginx.conf.j2
    dest: "/etc/nginx/{{ keystone_nginx_conf_path }}/{{ item }}.conf"
  with_items: "{{ keystone_services.keys() | list }}"
  notify:
    - Manage LB
    - Restart web server
 - name: Link to enable virtual hosts
  file:
    src: "/etc/nginx/sites-available/{{ item }}.conf"
    path: "/etc/nginx/sites-enabled/{{ item }}.conf"
    state: link
  with_items: "{{ keystone_services.keys() | list }}"
  when: ansible_facts['os_family'] == "Debian"
  notify:
    - Manage LB
    - Restart web server
 - name: Ensure nginx does not listen on 80 port
  replace:
    path: /etc/nginx/nginx.conf
    regexp: "{{ item.regexp }}"
    replace: "{{ item.replace }}"
    validate: nginx -t -c %s
  with_items:
    - regexp: '(\s+listen\s+)[\[,\],:]+80'
      replace: '\1 [::1]:8008'
    - regexp: '(\s+listen\s+)80'
      replace: '\1 127.0.0.1:8008'
  notify:
    - Manage LB
    - Restart web server
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -153,7 +153,7 @@
  tags:
    - keystone-config
- import_tasks: "keystone_{{ keystone_web_server }}.yml"
+- import_tasks: "keystone_apache.yml"
  tags:
    - keystone-config
--- a/templates/keystone-httpd-mpm.conf.j2
+++ b/templates/keystone-httpd-mpm.conf.j2
@ -1,4 +1,5 @@
 <IfModule mpm_{{ keystone_httpd_mpm_backend }}_module>
        ServerLimit              {{ keystone_httpd_mpm_server_limit }}
        StartServers             {{ keystone_httpd_mpm_start_servers }}
        MinSpareThreads          {{ keystone_httpd_mpm_min_spare_threads }}
        MaxSpareThreads          {{ keystone_httpd_mpm_max_spare_threads }}
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@ -1,6 +1,6 @@
 # {{ ansible_managed }}
-Listen {{ keystone_service_port }}
+Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
 <VirtualHost {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}>
    <IfVersion >= 2.4>
--- a/templates/keystone_nginx.conf.j2
+++ b/templates/keystone_nginx.conf.j2
@ -1,57 +0,0 @@
 # {{ ansible_managed }}
 server {
    listen {{ keystone_web_server_bind_address }}:{{ keystone_nginx_ports[item] }};
    {% if keystone_ssl | bool and keystone_service_adminuri_proto == "https" %}
    ssl                     on;
    ssl_protocols           {{ keystone_ssl_protocol }};
    ssl_certificate         {{ keystone_ssl_cert }};
    ssl_certificate_key     {{ keystone_ssl_key }};
    ssl_trusted_certificate {{ keystone_ssl_ca_cert }};
    ssl_ciphers             {{ keystone_ssl_cipher_suite }};
    ssl_prefer_server_ciphers on;
    ssl_session_cache   shared:SSL:2m;
    ssl_session_timeout 2m;
    {%- endif %}
    {% for line in keystone_nginx_extra_conf %}
    {{ line }}
    {%- endfor %}
    error_log   syslog:server=unix:/dev/log;
    access_log  syslog:server=unix:/dev/log;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "default-src 'self' https: wss:;";
    add_header X-Frame-Options {{ keystone_x_frame_options | default ('DENY') }};
    real_ip_header   X-Forwarded-For;
    {% for ip in keystone_set_real_ip_from %}
    set_real_ip_from {{ ip }};
    {%- endfor %}
    {% if keystone_security_txt_content is defined %}
    location /security.txt {
        alias {{ keystone_security_txt_dir }}/security.txt;
    }
    location /.well-known/security.txt {
        alias {{ keystone_security_txt_dir }}/security.txt;
    }
    {%- endif %}
    location / {
        try_files   $uri @yourapplication;
    }
    location @yourapplication {
        include     /etc/nginx/uwsgi_params;
        uwsgi_pass  127.0.0.1:{{ keystone_uwsgi_ports[item]['socket'] }};
        uwsgi_param SCRIPT_NAME '';
 {% for header in keystone_extra_headers %}
        add_header "{{ header['parameter'] }}" "{{ header['value'] }}";
 {% endfor %}
    }
 }
--- a/vars/debian.yml
+++ b/vars/debian.yml
@ -48,9 +48,6 @@ keystone_apache_distro_packages:
  - apache2-utils
  - libapache2-mod-proxy-uwsgi
 keystone_nginx_distro_packages:
  - nginx-extras
 keystone_idp_distro_packages:
  - ssl-cert
  - xmlsec1
@ -99,8 +96,6 @@ keystone_apache_modules:
 #  - name: "mod_journald"
 #    state: "present
 keystone_nginx_conf_path: "sites-available"
 keystone_system_service_name: apache2
 keystone_uwsgi_bin: '/usr/bin'
--- a/vars/distro_install.yml
+++ b/vars/distro_install.yml
@ -19,14 +19,9 @@
 # enabled.
 #
 keystone_package_list: |-
-  {% set packages = keystone_distro_packages %}
+  {% set packages = keystone_distro_packages + keystone_apache_distro_packages %}
-  {% if keystone_web_server == 'apache' %}
+  {% if keystone_idp != {} %}
-  {%   set _ = packages.extend(keystone_apache_distro_packages) %}
+  {%   set _ = packages.extend(keystone_idp_distro_packages) %}
  {%   if keystone_idp != {} %}
  {%     set _ = packages.extend(keystone_idp_distro_packages) %}
  {%   endif %}
  {% else %}
  {%   set _ = packages.extend(keystone_nginx_distro_packages) %}
  {% endif %}
  {% if keystone_oslomsg_amqp1_enabled | bool %}
  {%   set _ = packages.extend(keystone_oslomsg_amqp1_distro_packages) %}
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@ -43,9 +43,6 @@ keystone_apache_distro_packages:
  - httpd-tools
  - mod_ssl
 keystone_nginx_distro_packages:
  - nginx
 keystone_idp_distro_packages:
  - xmlsec1
@ -79,8 +76,6 @@ keystone_apache_configs:
  - { src: "keystone-httpd.conf.j2", dest: "/etc/httpd/conf.d/keystone-httpd.conf" }
  - { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/httpd/conf.modules.d/mpm_{{ keystone_httpd_mpm_backend }}.conf" }
 keystone_nginx_conf_path: "conf.d"
 keystone_system_service_name: httpd
 keystone_uwsgi_bin: '/usr/sbin'
--- a/vars/source_install.yml
+++ b/vars/source_install.yml
@ -19,14 +19,9 @@
 # enabled.
 #
 keystone_package_list: |-
-  {% set packages = keystone_distro_packages %}
+  {% set packages = keystone_distro_packages + keystone_apache_distro_packages %}
-  {% if keystone_web_server == 'apache' %}
+  {% if keystone_idp != {} %}
-  {%   set _ = packages.extend(keystone_apache_distro_packages) %}
+  {%   set _ = packages.extend(keystone_idp_distro_packages) %}
  {%   if keystone_idp != {} %}
  {%     set _ = packages.extend(keystone_idp_distro_packages) %}
  {%   endif %}
  {% else %}
  {%   set _ = packages.extend(keystone_nginx_distro_packages) %}
  {% endif %}
  {% if keystone_oslomsg_amqp1_enabled | bool %}
  {%   set _ = packages.extend(keystone_oslomsg_amqp1_distro_packages) %}
--- a/vars/ubuntu-18.04.yml
+++ b/vars/ubuntu-18.04.yml
@ -48,9 +48,6 @@ keystone_apache_distro_packages:
  - apache2-utils
  - libapache2-mod-proxy-uwsgi
 keystone_nginx_distro_packages:
  - nginx-extras
 keystone_idp_distro_packages:
  - ssl-cert
  - xmlsec1
@ -99,8 +96,6 @@ keystone_apache_modules:
 #  - name: "mod_journald"
 #    state: "present
 keystone_nginx_conf_path: "sites-available"
 keystone_system_service_name: apache2
 keystone_uwsgi_bin: '/usr/bin'