From 3a3a2bac674041f5bb92bc1ef59c7fc55a9946bd Mon Sep 17 00:00:00 2001
From: Dean Troyer
Date: Tue, 11 Dec 2012 15:26:24 -0600
Subject: [PATCH] Set up Nova for TLS

* Start n-api proxy if 'tls-proxy' is enabled
* Configure nova service catalog for TLS

Change-Id: If031eb315f76c5c441a25fe3582b626bbee73c6e
---
 functions |  8 ++++++++
 lib/nova  | 41 ++++++++++++++++++++++++++++++++++++++---
 stack.sh  |  7 +------
 3 files changed, 47 insertions(+), 9 deletions(-)

diff --git a/functions b/functions
index 1b7d1308e7..9565e10daf 100644
--- a/functions
+++ b/functions
@@ -996,6 +996,14 @@ function use_exclusive_service {
     return 0
 }
 
+# Wait for an HTTP server to start answering requests
+# wait_for_service timeout url
+function wait_for_service() {
+    local timeout=$1
+    local url=$2
+    timeout $timeout sh -c "while ! http_proxy= https_proxy= curl -s $url >/dev/null; do sleep 1; done"
+}
+
 # Wrapper for ``yum`` to set proxy environment variables
 # Uses globals ``OFFLINE``, ``*_proxy`
 # yum_install package [package ...]
diff --git a/lib/nova b/lib/nova
index 840965eeac..04a869e732 100644
--- a/lib/nova
+++ b/lib/nova
@@ -39,6 +39,12 @@ NOVA_CONF_DIR=/etc/nova
 NOVA_CONF=$NOVA_CONF_DIR/nova.conf
 NOVA_API_PASTE_INI=${NOVA_API_PASTE_INI:-$NOVA_CONF_DIR/api-paste.ini}
 
+# Public facing bits
+NOVA_SERVICE_HOST=${NOVA_SERVICE_HOST:-$SERVICE_HOST}
+NOVA_SERVICE_PORT=${NOVA_SERVICE_PORT:-8774}
+NOVA_SERVICE_PORT_INT=${NOVA_SERVICE_PORT_INT:-18774}
+NOVA_SERVICE_PROTOCOL=${NOVA_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
+
 # Support entry points installation of console scripts
 if [[ -d $NOVA_DIR/bin ]]; then
     NOVA_BIN_DIR=$NOVA_DIR/bin
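Review bot: `wait_for_service` splices `$url` into the `sh -c` command string, so a URL containing shell metacharacters is re-parsed by the child shell instead of reaching curl as data; pass it as a positional parameter instead, `timeout "$timeout" sh -c 'while ! http_proxy= https_proxy= curl -s "$1" >/dev/null; do sleep 1; done' _ "$url"`. `curl -s` without `-f` also treats any HTTP response, including a 5xx, as the server answering, which matches the header comment's wording but deserves a line there: `# Any HTTP response counts as "answering", including error codes`. Callers should know that curl verifies certificates by default, so this helper cannot poll an https endpoint fronted by a devstack-generated certificate without being taught to trust that CA.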
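Review bot: The `# Public facing bits` comment does not say how `NOVA_SERVICE_PORT` and `NOVA_SERVICE_PORT_INT` relate; that only becomes clear from the `osapi_compute_listen_port` and `start_tls_proxy` hunks further down, so a reader of this block has to go looking. A short comment here would settle it, e.g. `# NOVA_SERVICE_PORT is what clients and the service catalog use; with tls-proxy enabled the proxy listens there and nova-api is moved to NOVA_SERVICE_PORT_INT`. The fallbacks `SERVICE_HOST` and `SERVICE_PROTOCOL` are defined outside this hunk.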
@@ -170,6 +176,10 @@ function configure_nova() {
             s,%SERVICE_TENANT_NAME%,$SERVICE_TENANT_NAME,g;
             s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g;
         " -i $NOVA_API_PASTE_INI
+        iniset $NOVA_API_PASTE_INI filter:authtoken auth_host $SERVICE_HOST
+        if is_service_enabled tls-proxy; then
+            iniset $NOVA_API_PASTE_INI filter:authtoken auth_protocol $SERVICE_PROTOCOL
+        fi
     fi
     iniset $NOVA_API_PASTE_INI filter:authtoken signing_dir $NOVA_AUTH_CACHE_DIR
 
@@ -324,9 +334,9 @@ create_nova_accounts() {
             keystone endpoint-create \
                 --region RegionOne \
                 --service_id $NOVA_SERVICE \
-                --publicurl "http://$SERVICE_HOST:\$(compute_port)s/v2/\$(tenant_id)s" \
-                --adminurl "http://$SERVICE_HOST:\$(compute_port)s/v2/\$(tenant_id)s" \
-                --internalurl "http://$SERVICE_HOST:\$(compute_port)s/v2/\$(tenant_id)s"
+                --publicurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v2/\$(tenant_id)s" \
+                --adminurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v2/\$(tenant_id)s" \
+                --internalurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v2/\$(tenant_id)s"
         fi
     fi
 }
@@ -361,6 +371,10 @@ function create_nova_conf() {
 
     if is_service_enabled n-api; then
         add_nova_opt "enabled_apis=$NOVA_ENABLED_APIS"
+        if is_service_enabled tls-proxy; then
+            # Set the service port for a proxy to take the original
+            add_nova_opt "osapi_compute_listen_port=$NOVA_SERVICE_PORT_INT"
+        fi
     fi
     if is_service_enabled cinder; then
         add_nova_opt "volume_api_class=nova.volume.cinder.API"
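Review bot: `auth_host` is now written unconditionally but `auth_protocol` only when tls-proxy is enabled, so a run with tls-proxy off keeps whatever `auth_protocol` the sample `api-paste.ini` shipped with instead of following `SERVICE_PROTOCOL`. If `SERVICE_PROTOCOL` is `http` whenever tls-proxy is off (it is defined outside this hunk), the `if` can go and both keys be set together: `iniset $NOVA_API_PASTE_INI filter:authtoken auth_protocol $SERVICE_PROTOCOL`. With tls-proxy on, the auth_token middleware will be validating tokens against Keystone over https through a proxy presenting a devstack-generated certificate, and nothing in this hunk tells the middleware how to trust that certificate; confirm that token validation succeeds in that configuration rather than failing closed or silently skipping verification. `configure_nova` starts and ends outside the hunk.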
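Review bot: The `--publicurl`, `--adminurl` and `--internalurl` values are the same long string repeated three times, which invites them drifting apart the next time one is edited; build it once, `local nova_url="$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v2/\$(tenant_id)s"`, and pass `"$nova_url"` to all three. Replacing the `\$(compute_port)s` template with the literal `NOVA_SERVICE_PORT` also means the catalog entry no longer follows a changed `compute_port` anywhere that substitution was still honoured; that looks intended, since the catalog must now point at the proxy port, but a one-line comment saying so would prevent someone restoring the template later. `create_nova_accounts` starts outside the hunk.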
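Review bot: Moving nova-api to `NOVA_SERVICE_PORT_INT` behind the proxy changes only the port; nothing sets `osapi_compute_listen`, so the plaintext API stays bound on every interface and remains reachable on the internal port without passing through the TLS proxy. If the proxy always runs on the same host as nova-api, consider binding the API locally as well, `add_nova_opt "osapi_compute_listen=127.0.0.1"`, and pointing both the proxy backend in `start_nova_api` (which currently uses `$NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT`) and the readiness poll at that address; otherwise the comment should say the internal port is deliberately left open. `create_nova_conf` starts and ends outside the hunk.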
@@ -472,6 +486,27 @@ function install_nova() {
     git_clone $NOVA_REPO $NOVA_DIR $NOVA_BRANCH
 }
 
+# start_nova_api() - Start the API process ahead of other things
+function start_nova_api() {
+    # Get right service port for testing
+    local service_port=$NOVA_SERVICE_PORT
+    if is_service_enabled tls-proxy; then
+        service_port=$NOVA_SERVICE_PORT_INT
+    fi
+
+    screen_it n-api "cd $NOVA_DIR && $NOVA_BIN_DIR/nova-api"
+    echo "Waiting for nova-api to start..."
+    if ! wait_for_service $SERVICE_TIMEOUT http://$SERVICE_HOST:$service_port; then
+        echo "nova-api did not start"
+        exit 1
+    fi
+
+    # Start proxies if enabled
+    if is_service_enabled tls-proxy; then
+        start_tls_proxy '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT &
+    fi
+}
+
 # start_nova() - Start running processes, including screen
 function start_nova() {
     # The group **libvirtd** is added to the current user in this script.
diff --git a/stack.sh b/stack.sh
index f2fd68cc67..a3772177a9 100755
--- a/stack.sh
+++ b/stack.sh
@@ -1568,12 +1568,7 @@ screen_it zeromq "cd $NOVA_DIR && $NOVA_BIN_DIR/nova-rpc-zmq-receiver"
 # Launch the nova-api and wait for it to answer before continuing
 if is_service_enabled n-api; then
     echo_summary "Starting Nova API"
-    screen_it n-api "cd $NOVA_DIR && $NOVA_BIN_DIR/nova-api"
-    echo "Waiting for nova-api to start..."
-    if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= wget -q -O- http://127.0.0.1:8774; do sleep 1; done"; then
-        echo "nova-api did not start"
-        exit 1
-    fi
+    start_nova_api
 fi
 
 if is_service_enabled q-svc; then
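Review bot: `start_tls_proxy` is backgrounded and never waited for, while nova-api itself is polled with `wait_for_service`, so anything later in the run that uses the catalog URL on `NOVA_SERVICE_PORT` races the proxy's startup. A matching poll is not a drop-in because `wait_for_service` uses plain `curl -s`, which rejects a devstack-generated certificate by default; either teach the helper to trust that CA and poll `https://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT` after `start_tls_proxy`, or state in the comment that the proxy is deliberately not waited for. The `'*'` argument presumably binds the proxy on all interfaces, which is the intent for a public endpoint but should be said where the call is made, e.g. `# Proxy listens on all interfaces on NOVA_SERVICE_PORT and forwards to nova-api on NOVA_SERVICE_PORT_INT`. `$SERVICE_TIMEOUT`, `$SERVICE_HOST` and the port expansions are unquoted, unlike the rest of the new helper's inputs.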