Merge "Add support for encrypting Nova API"
This commit is contained in:
Zuul
Gerrit Code Review
commit
a726cda8d1
ansible/roles/nova
@ -17,24 +17,28 @@ nova_services:
|
||||
external: false
|
||||
port: "{{ nova_api_port }}"
|
||||
listen_port: "{{ nova_api_listen_port }}"
|
||||
tls_backend: "{{ nova_enable_tls_backend }}"
|
||||
nova_api_external:
|
||||
enabled: "{{ enable_nova }}"
|
||||
mode: "http"
|
||||
external: true
|
||||
port: "{{ nova_api_port }}"
|
||||
listen_port: "{{ nova_api_listen_port }}"
|
||||
tls_backend: "{{ nova_enable_tls_backend }}"
|
||||
nova_metadata:
|
||||
enabled: "{{ enable_nova }}"
|
||||
mode: "http"
|
||||
external: false
|
||||
port: "{{ nova_metadata_port }}"
|
||||
listen_port: "{{ nova_metadata_listen_port }}"
|
||||
tls_backend: "{{ nova_enable_tls_backend }}"
|
||||
nova_metadata_external:
|
||||
enabled: "{{ enable_nova }}"
|
||||
mode: "http"
|
||||
external: true
|
||||
port: "{{ nova_metadata_port }}"
|
||||
listen_port: "{{ nova_metadata_listen_port }}"
|
||||
tls_backend: "{{ nova_enable_tls_backend }}"
|
||||
nova-scheduler:
|
||||
container_name: "nova_scheduler"
|
||||
group: "nova-scheduler"
|
||||
@ -190,3 +194,8 @@ nova_git_repository: "{{ kolla_dev_repos_git }}/{{ project_name }}"
|
||||
nova_dev_repos_pull: "{{ kolla_dev_repos_pull }}"
|
||||
nova_dev_mode: "{{ kolla_dev_mode }}"
|
||||
nova_source_version: "{{ kolla_source_version }}"
|
||||
|
||||
####################
|
||||
# TLS
|
||||
####################
|
||||
nova_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
|
||||
|
||||
@ -33,7 +33,7 @@
|
||||
|
||||
- include_tasks: copy-certs.yml
|
||||
when:
|
||||
- kolla_copy_ca_into_containers | bool
|
||||
- kolla_copy_ca_into_containers | bool or nova_enable_tls_backend | bool
|
||||
|
||||
- name: Copying over config.json files for services
|
||||
become: true
|
||||
@ -83,5 +83,17 @@
|
||||
notify:
|
||||
- "Restart {{ item.key }} container"
|
||||
|
||||
- name: Copying over nova-api-wsgi.conf
|
||||
template:
|
||||
src: "nova-api-wsgi.conf.j2"
|
||||
dest: "{{ node_config_directory }}/nova-api/nova-api-wsgi.conf"
|
||||
mode: "0660"
|
||||
become: true
|
||||
when:
|
||||
- inventory_hostname in groups["nova-api"]
|
||||
- nova_services["nova-api"].enabled | bool
|
||||
notify:
|
||||
- "Restart nova-api container"
|
||||
|
||||
- import_tasks: check-containers.yml
|
||||
when: kolla_action != "config"
|
||||
|
||||
70
ansible/roles/nova/templates/nova-api-wsgi.conf.j2
Normal file
70
ansible/roles/nova/templates/nova-api-wsgi.conf.j2
Normal file
@ -0,0 +1,70 @@
|
||||
{% set nova_log_dir = '/var/log/kolla/nova' %}
|
||||
{% set wsgi_directory = '/usr/bin' if nova_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
|
||||
{% if nova_enable_tls_backend | bool %}
|
||||
{% if kolla_base_distro in ['centos'] %}
|
||||
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
|
||||
{% else %}
|
||||
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ nova_api_listen_port }}
|
||||
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ nova_metadata_listen_port }}
|
||||
|
||||
ServerSignature Off
|
||||
ServerTokens Prod
|
||||
TraceEnable off
|
||||
KeepAliveTimeout {{ kolla_httpd_keep_alive }}
|
||||
|
||||
<Directory "{{ wsgi_directory }}">
|
||||
<FilesMatch "^nova-(api-wsgi|metadata-wsgi)$">
|
||||
Options None
|
||||
Require all granted
|
||||
</FilesMatch>
|
||||
</Directory>
|
||||
|
||||
ErrorLog "{{ nova_log_dir }}/apache-error.log"
|
||||
<IfModule log_config_module>
|
||||
CustomLog "{{ nova_log_dir }}/apache-access.log" common
|
||||
</IfModule>
|
||||
|
||||
{% if nova_logging_debug | bool %}
|
||||
LogLevel info
|
||||
{% endif %}
|
||||
|
||||
<VirtualHost *:{{ nova_api_listen_port }}>
|
||||
WSGIDaemonProcess nova-api processes={{ openstack_service_workers }} threads=1 user=nova group=nova display-name=%{GROUP}
|
||||
WSGIProcessGroup nova-api
|
||||
WSGIScriptAlias / {{ wsgi_directory }}/nova-api-wsgi
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
<IfVersion >= 2.4>
|
||||
ErrorLogFormat "%{cu}t %M"
|
||||
</IfVersion>
|
||||
ErrorLog "{{ nova_log_dir }}/nova-api-error.log"
|
||||
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
|
||||
CustomLog "{{ nova_log_dir }}/nova-api-access.log" logformat
|
||||
{% if nova_enable_tls_backend | bool %}
|
||||
SSLEngine on
|
||||
SSLCertificateFile /etc/nova/certs/nova-cert.pem
|
||||
SSLCertificateKeyFile /etc/nova/certs/nova-key.pem
|
||||
{% endif %}
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost *:{{ nova_metadata_listen_port }}>
|
||||
WSGIDaemonProcess nova-metadata processes={{ openstack_service_workers }} threads=1 user=nova group=nova display-name=%{GROUP}
|
||||
WSGIProcessGroup nova-metadata
|
||||
WSGIScriptAlias / {{ wsgi_directory }}/nova-metadata-wsgi
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
<IfVersion >= 2.4>
|
||||
ErrorLogFormat "%{cu}t %M"
|
||||
</IfVersion>
|
||||
ErrorLog "{{ nova_log_dir }}/nova-metadata-error.log"
|
||||
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
|
||||
CustomLog "{{ nova_log_dir }}/nova-metadata-access.log" logformat
|
||||
{% if nova_enable_tls_backend | bool %}
|
||||
SSLEngine on
|
||||
SSLCertificateFile /etc/nova/certs/nova-cert.pem
|
||||
SSLCertificateKeyFile /etc/nova/certs/nova-key.pem
|
||||
{% endif %}
|
||||
</VirtualHost>
|
||||
@ -1,17 +1,37 @@
|
||||
{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
|
||||
{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
|
||||
{
|
||||
"command": "nova-api",
|
||||
"command": "/usr/sbin/{{ apache_binary }} -DFOREGROUND",
|
||||
"config_files": [
|
||||
{
|
||||
"source": "{{ container_config_directory }}/nova.conf",
|
||||
"dest": "/etc/nova/nova.conf",
|
||||
"owner": "nova",
|
||||
"perm": "0600"
|
||||
},
|
||||
{
|
||||
"source": "{{ container_config_directory }}/nova-api-wsgi.conf",
|
||||
"dest": "/etc/{{ apache_conf_dir }}/nova-api-wsgi.conf",
|
||||
"owner": "nova",
|
||||
"perm": "0600"
|
||||
}{% if nova_policy_file is defined %},
|
||||
{
|
||||
"source": "{{ container_config_directory }}/{{ nova_policy_file }}",
|
||||
"dest": "/etc/nova/{{ nova_policy_file }}",
|
||||
"owner": "nova",
|
||||
"perm": "0600"
|
||||
}{% endif %}{% if nova_enable_tls_backend | bool %},
|
||||
{
|
||||
"source": "{{ container_config_directory }}/nova-cert.pem",
|
||||
"dest": "/etc/nova/certs/nova-cert.pem",
|
||||
"owner": "nova",
|
||||
"perm": "0600"
|
||||
},
|
||||
{
|
||||
"source": "{{ container_config_directory }}/nova-key.pem",
|
||||
"dest": "/etc/nova/certs/nova-key.pem",
|
||||
"owner": "nova",
|
||||
"perm": "0600"
|
||||
}{% endif %}
|
||||
],
|
||||
"permissions": [
|
||||
|
||||
@ -8,15 +8,6 @@ log_file = /var/log/kolla/nova/nova-super-conductor.log
|
||||
{% endif %}
|
||||
|
||||
state_path = /var/lib/nova
|
||||
|
||||
osapi_compute_listen = {{ api_interface_address }}
|
||||
osapi_compute_listen_port = {{ nova_api_listen_port }}
|
||||
osapi_compute_workers = {{ openstack_service_workers }}
|
||||
metadata_workers = {{ openstack_service_workers }}
|
||||
|
||||
metadata_listen = {{ api_interface_address }}
|
||||
metadata_listen_port = {{ nova_metadata_listen_port }}
|
||||
|
||||
allow_resize_to_same_host = true
|
||||
|
||||
# Though my_ip is not used directly, lots of other variables use $my_ip
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user