2 # Class to serve keystone with apache mod_wsgi in place of keystone service
4 # Serving keystone from apache is the recommended way to go for production
5 # systems as the current keystone implementation is not multi-processor aware,
6 # thus limiting the performance for concurrent accesses.
8 # See the following URIs for reference:
9 # https://etherpad.openstack.org/havana-keystone-performance
10 # http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/
12 # When using this class you should disable your keystone service.
17 # The servername for the virtualhost.
18 # Optional. Defaults to $::fqdn
22 # Optional. Defaults to 5000
26 # Optional. Defaults to 35357
29 # The host/ip address Apache will listen on.
30 # Optional. Defaults to undef (listen on all ip addresses).
33 # The prefix for the public endpoint.
34 # Optional. Defaults to '/'
37 # The prefix for the admin endpoint.
38 # Optional. Defaults to '/'
42 # Optional. Defaults to true
45 # Number of WSGI workers to spawn.
46 # Optional. Defaults to 1
49 # (optional) Path to SSL certificate
50 # Default to apache::vhost 'ssl_*' defaults.
53 # (optional) Path to SSL key
54 # Default to apache::vhost 'ssl_*' defaults.
57 # (optional) SSL chain
58 # Default to apache::vhost 'ssl_*' defaults.
61 # (optional) Path to SSL certificate authority
62 # Default to apache::vhost 'ssl_*' defaults.
65 # (optional) Path to SSL certificate revocation list
66 # Default to apache::vhost 'ssl_*' defaults.
69 # (optional) SSL certificate revocation list name
70 # Default to apache::vhost 'ssl_*' defaults.
73 # apache::vhost ssl parameters.
74 # Optional. Default to apache::vhost 'ssl_*' defaults.
77 # (optional) The priority for the vhost.
81 # (optional) The number of threads for the vhost.
82 # Defaults to $::processorcount
84 # [*wsgi_script_ensure*]
85 # (optional) File ensure parameter for wsgi scripts.
88 # [*wsgi_script_source*]
89 # (optional) Wsgi script source.
94 # requires Class['apache'] & Class['keystone']
100 # class { 'keystone::wsgi::apache': }
102 # == Note about ports & paths
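104 # When using the same port for both endpoints (443, for example), you *MUST* set
105 # public_path and admin_path to two different values: both applications are then served by a single virtual host and are told apart only by their path.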
109 # Francois Charlier <francois.charlier@enovance.com>
113 # Copyright 2013 eNovance <licensing@enovance.com>
115 class keystone::wsgi::apache (
116 $servername = $::fqdn,
128 $ssl_crl_path = undef,
130 $ssl_certs_dir = undef,
131 $threads = $::processorcount,
133 $wsgi_script_ensure = 'file',
134 $wsgi_script_source = undef,
# Platform-specific keystone values; the WSGI script path and the default
# script source used further down are read from this class.
137 include ::keystone::params
# Apache modules this class relies on: mod_wsgi to host the keystone
# applications and mod_ssl for the ssl_* virtual host settings.
139 include ::apache::mod::wsgi
141 include ::apache::mod::ssl
# Ordering and refresh relationships between keystone and Apache.
# '->' only orders two resources; '~>' orders them and also sends a refresh
# (for a service, a restart) when the left-hand side changes.
144 Package['keystone'] -> Package['httpd']
145 Package['keystone'] ~> Service['httpd']
# Any keystone_config change refreshes Apache, so a changed setting is not
# left unapplied in already-running WSGI processes.
146 Keystone_config <| |> ~> Service['httpd']
# The collectors below order every keystone_* identity resource in the catalog
# after the httpd service. Presumably those resources are created through the
# keystone API, which Apache serves in this setup -- confirm against the
# resource providers.
147 Service['httpd'] -> Keystone_endpoint <| |>
148 Service['httpd'] -> Keystone_role <| |>
149 Service['httpd'] -> Keystone_service <| |>
150 Service['httpd'] -> Keystone_tenant <| |>
151 Service['httpd'] -> Keystone_user <| |>
152 Service['httpd'] -> Keystone_user_role <| |>
154 ## Sanitize parameters
# Both paths go through the same normalisation so that the collision check
# below compares like with like. The pattern only matches values that begin
# with '/', and it removes a single trailing '/'; a value without a leading
# '/' passes through unchanged.
156 # Ensure there's no trailing '/' except if this is also the only character
157 $public_path_real = regsubst($public_path, '(^/.*)/$', '\1')
158 # Ensure there's no trailing '/' except if this is also the only character
159 $admin_path_real = regsubst($admin_path, '(^/.*)/$', '\1')
# Abort catalog compilation when both endpoints would share port AND path.
# The script alias hashes built later in this class are keyed by path, so with
# identical paths on a shared port the admin alias would replace the public one
# in merge() and the public path would serve the admin application.
# ("private" in the message below refers to the admin endpoint.)
# Puppet's == compares strings case-insensitively, so paths that differ only in
# case are rejected as well.
# NOTE(review): the port comparison assumes both ports are passed with the same
# data type (both numbers or both strings) -- confirm against callers.
161 if $public_port == $admin_port and $public_path_real == $admin_path_real {
162 fail('When using the same port for public & private endpoints, public_path and admin_path should be different.')
# Directory that holds the WSGI entry-point scripts (path taken from
# keystone::params); managed only after the httpd package is installed.
165 file { $::keystone::params::keystone_wsgi_script_path:
169 require => Package['httpd'],
# One file resource per WSGI application, keyed by resource title:
# <script dir>/admin and <script dir>/main.
173 'keystone_wsgi_admin' => {
174 'path' => "${::keystone::params::keystone_wsgi_script_path}/admin",
176 'keystone_wsgi_main' => {
177 'path' => "${::keystone::params::keystone_wsgi_script_path}/main",
# Attributes shared by both script files: the ensure value chosen by the
# caller, keystone:keystone ownership, and a dependency on the script directory
# and the keystone package.
# NOTE(review): Apache's WSGI daemon executes these scripts, so confirm that
# their ownership and mode leave them writable only by the intended account.
181 $wsgi_file_defaults = {
182 'ensure' => $wsgi_script_ensure,
183 'owner' => 'keystone',
184 'group' => 'keystone',
186 'require' => [File[$::keystone::params::keystone_wsgi_script_path], Package['keystone']],
# A caller-supplied source wins; undef falls back to the default from
# keystone::params. Whatever this resolves to becomes code run by the WSGI
# daemon, so it should only ever point at a trusted location.
189 $wsgi_script_source_real = $wsgi_script_source ? {
190 default => $wsgi_script_source,
191 undef => $::keystone::params::keystone_wsgi_script_source,
# 'link' turns each script into a symlink to the source ('target'); any other
# ensure value has Puppet copy the content from it ('source').
194 case $wsgi_script_ensure {
195 'link': { $wsgi_file_source = { 'target' => $wsgi_script_source_real } }
196 default: { $wsgi_file_source = { 'source' => $wsgi_script_source_real } }
# Declare both script files: the shared defaults merged with the source/target
# choice made above.
199 create_resources('file', $wsgi_files, merge($wsgi_file_defaults, $wsgi_file_source))
# mod_wsgi daemon settings for the public (main) application: $workers
# processes, labelled 'keystone-main'.
201 $wsgi_daemon_process_options_main = {
204 processes => $workers,
206 display-name => 'keystone-main',
# Same settings for the admin application, labelled 'keystone-admin'.
209 $wsgi_daemon_process_options_admin = {
212 processes => $workers,
214 display-name => 'keystone-admin',
# Single-entry hashes mapping each URL prefix to its WSGI script:
# public path -> <script dir>/main, admin path -> <script dir>/admin.
217 $wsgi_script_aliases_main = hash([$public_path_real,"${::keystone::params::keystone_wsgi_script_path}/main"])
218 $wsgi_script_aliases_admin = hash([$admin_path_real, "${::keystone::params::keystone_wsgi_script_path}/admin"])
# With a shared port the admin alias is folded into the main virtual host, so
# the admin API is reachable on the same listener, and with the same network
# exposure, as the public API; only the URL prefix separates them. Operators who
# want to restrict access to the admin API at the network level need distinct
# ports. With distinct ports the main virtual host carries the public alias only.
220 if $public_port == $admin_port {
221 $wsgi_script_aliases_main_real = merge($wsgi_script_aliases_main, $wsgi_script_aliases_admin)
223 $wsgi_script_aliases_main_real = $wsgi_script_aliases_main
# Virtual host for the public endpoint. It also carries the admin alias when
# both endpoints share a port (see $wsgi_script_aliases_main_real).
226 ::apache::vhost { 'keystone_wsgi_main':
228 servername => $servername,
230 port => $public_port,
# The docroot is the directory that contains the WSGI scripts themselves.
# NOTE(review): when the public path is not '/', requests outside the script
# aliases fall through to this docroot -- confirm the script files cannot be
# fetched from it as static content.
231 docroot => $::keystone::params::keystone_wsgi_script_path,
232 docroot_owner => 'keystone',
233 docroot_group => 'keystone',
234 priority => $priority,
# Certificate material is handed straight to apache::vhost; a value left at
# undef keeps that type's own ssl_* default.
236 ssl_cert => $ssl_cert,
238 ssl_chain => $ssl_chain,
240 ssl_crl_path => $ssl_crl_path,
242 ssl_certs_dir => $ssl_certs_dir,
# The application runs in its own mod_wsgi daemon process group,
# 'keystone_main', with the options assembled earlier in this class.
243 wsgi_daemon_process => 'keystone_main',
244 wsgi_daemon_process_options => $wsgi_daemon_process_options_main,
245 wsgi_process_group => 'keystone_main',
246 wsgi_script_aliases => $wsgi_script_aliases_main_real,
# The virtual host is applied only after the main WSGI script file is in place.
247 require => File['keystone_wsgi_main'],
250 if $public_port != $admin_port {
251 ::apache::vhost { 'keystone_wsgi_admin':
253 servername => $servername,
256 docroot => $::keystone::params::keystone_wsgi_script_path,
257 docroot_owner => 'keystone',
258 docroot_group => 'keystone',
259 priority => $priority,
261 ssl_cert => $ssl_cert,
263 ssl_chain => $ssl_chain,
265 ssl_crl_path => $ssl_crl_path,
267 ssl_certs_dir => $ssl_certs_dir,
268 wsgi_daemon_process => 'keystone_admin',
269 wsgi_daemon_process_options => $wsgi_daemon_process_options_admin,
270 wsgi_process_group => 'keystone_admin',
271 wsgi_script_aliases => $wsgi_script_aliases_admin,
272 require => File['keystone_wsgi_admin'],