diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index aa30b4923f..8ddb843396 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -548,6 +548,7 @@ syslog_udp_port: "{{ fluentd_syslog_port }}"
tacker_server_port: "9890"
trove_api_port: "8779"
+trove_api_listen_port: "{{ trove_api_port }}"
venus_api_port: "10010"
diff --git a/ansible/roles/common/templates/conf/filter/01-rewrite.conf.j2 b/ansible/roles/common/templates/conf/filter/01-rewrite.conf.j2
index 45b8d6d4c3..e2867aabcc 100644
--- a/ansible/roles/common/templates/conf/filter/01-rewrite.conf.j2
+++ b/ansible/roles/common/templates/conf/filter/01-rewrite.conf.j2
@@ -3,7 +3,7 @@
capitalize_regex_backreference yes
key programname
- pattern ^(cinder-api-access|cloudkitty-api-access|gnocchi-api-access|horizon-access|keystone-apache-admin-access|keystone-apache-public-access|octavia-api-access|placement-api-access)$
+ pattern ^(cinder-api-access|cloudkitty-api-access|gnocchi-api-access|horizon-access|keystone-apache-admin-access|keystone-apache-public-access|octavia-api-access|placement-api-access|trove-api-access)$
tag apache_access
diff --git a/ansible/roles/trove/defaults/main.yml b/ansible/roles/trove/defaults/main.yml
index 455849ff37..a857486326 100644
--- a/ansible/roles/trove/defaults/main.yml
+++ b/ansible/roles/trove/defaults/main.yml
@@ -14,11 +14,15 @@ trove_services:
mode: "http"
external: false
port: "{{ trove_api_port }}"
+ listen_port: "{{ trove_api_listen_port }}"
+ tls_backend: "{{ trove_enable_tls_backend }}"
trove_api_external:
enabled: "{{ enable_trove }}"
mode: "http"
external: true
port: "{{ trove_api_port }}"
+ listen_port: "{{ trove_api_listen_port }}"
+ tls_backend: "{{ trove_enable_tls_backend }}"
trove-conductor:
container_name: trove_conductor
group: trove-conductor
@@ -198,3 +202,8 @@ trove_ks_users:
user: "{{ trove_keystone_user }}"
password: "{{ trove_keystone_password }}"
role: "admin"
+
+####################
+# TLS
+####################
+trove_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
diff --git a/ansible/roles/trove/tasks/config.yml b/ansible/roles/trove/tasks/config.yml
index 1bbe2f24e6..6b5da98056 100644
--- a/ansible/roles/trove/tasks/config.yml
+++ b/ansible/roles/trove/tasks/config.yml
@@ -33,7 +33,7 @@
- include_tasks: copy-certs.yml
when:
- - kolla_copy_ca_into_containers | bool
+ - kolla_copy_ca_into_containers | bool or trove_enable_tls_backend | bool
- name: Copying over config.json files for services
template:
@@ -48,6 +48,24 @@
notify:
- "Restart {{ item.key }} container"
+- name: Copying over trove-wsgi.conf
+ vars:
+ service: "{{ trove_services['trove-api'] }}"
+ become: true
+ template:
+ src: "{{ item }}"
+ dest: "{{ node_config_directory }}/trove-api/trove-wsgi.conf"
+ mode: "0660"
+ with_first_found:
+ - "{{ node_custom_config }}/trove/{{ inventory_hostname }}/trove-wsgi.conf"
+ - "{{ node_custom_config }}/trove/trove-wsgi.conf"
+ - "trove-wsgi.conf.j2"
+ when:
+ - inventory_hostname in groups[service.group]
+ - service.enabled | bool
+ notify:
+ - Restart trove-api container
+
- name: Copying over trove-guestagent.conf
vars:
services_need_confs:
diff --git a/ansible/roles/trove/tasks/precheck.yml b/ansible/roles/trove/tasks/precheck.yml
index 08743e633a..5502edaaa6 100644
--- a/ansible/roles/trove/tasks/precheck.yml
+++ b/ansible/roles/trove/tasks/precheck.yml
@@ -17,7 +17,7 @@
- name: Checking free port for Trove API
wait_for:
host: "{{ api_interface_address }}"
- port: "{{ trove_api_port }}"
+ port: "{{ trove_api_listen_port }}"
connect_timeout: 1
timeout: 1
state: stopped
diff --git a/ansible/roles/trove/templates/trove-api.json.j2 b/ansible/roles/trove/templates/trove-api.json.j2
index be2acebeae..c2e4744efa 100644
--- a/ansible/roles/trove/templates/trove-api.json.j2
+++ b/ansible/roles/trove/templates/trove-api.json.j2
@@ -1,24 +1,48 @@
+{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
+{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
{
- "command": "trove-api --config-file=/etc/trove/trove.conf",
+ "command": "/usr/sbin/{{ apache_binary }} -DFOREGROUND",
"config_files": [
{
"source": "{{ container_config_directory }}/trove.conf",
"dest": "/etc/trove/trove.conf",
"owner": "trove",
"perm": "0600"
- }{% if trove_policy_file is defined %},
+ },
+ {
+ "source": "{{ container_config_directory }}/trove-wsgi.conf",
+ "dest": "/etc/{{ apache_conf_dir }}/trove-wsgi.conf",
+ "owner": "trove",
+ "perm": "0600"
+ }{% if trove_policy_file is defined %},
{
"source": "{{ container_config_directory }}/{{ trove_policy_file }}",
"dest": "/etc/trove/{{ trove_policy_file }}",
"owner": "trove",
"perm": "0600"
- }{% endif %}
- ],
+ }{% endif %}{% if trove_enable_tls_backend | bool %},
+ {
+ "source": "{{ container_config_directory }}/trove-cert.pem",
+ "dest": "/etc/trove/certs/trove-cert.pem",
+ "owner": "trove",
+ "perm": "0600"
+ },
+ {
+ "source": "{{ container_config_directory }}/trove-key.pem",
+ "dest": "/etc/trove/certs/trove-key.pem",
+ "owner": "trove",
+ "perm": "0600"
+ }
+ {% endif %}],
"permissions": [
{
"path": "/var/log/kolla/trove",
"owner": "trove:trove",
"recurse": true
+ },
+ {
+ "path": "/var/run/trove",
+ "owner": "trove:trove"
}
]
}
diff --git a/ansible/roles/trove/templates/trove-wsgi.conf.j2 b/ansible/roles/trove/templates/trove-wsgi.conf.j2
new file mode 100644
index 0000000000..26449a5384
--- /dev/null
+++ b/ansible/roles/trove/templates/trove-wsgi.conf.j2
@@ -0,0 +1,43 @@
+{% set wsgi_directory = '/var/lib/kolla/venv/bin' %}
+{% if trove_enable_tls_backend | bool %}
+{% if kolla_base_distro in ['centos'] %}
+LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
+{% else %}
+LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+{% endif %}
+{% endif %}
+Listen {{ api_interface_address | put_address_in_context('url') }}:{{ trove_api_listen_port }}
+
+ServerSignature Off
+ServerTokens Prod
+TraceEnable off
+TimeOut {{ kolla_httpd_timeout }}
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
+
+{% if trove_logging_debug | bool %}
+LogLevel info
+{% endif %}
+
+
+ WSGIDaemonProcess trove-api processes={{ trove_api_workers }} threads=1 user=trove group=trove display-name=trove-api
+ WSGIProcessGroup trove-api
+ WSGIScriptAlias / {{ wsgi_directory }}/trove-wsgi
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+ = 2.4>
+ ErrorLogFormat "%{cu}t %M"
+
+ ErrorLog /var/log/kolla/trove/trove-api-error.log
+ LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
+ CustomLog /var/log/kolla/trove/trove-api-access.log logformat
+
+
+ Require all granted
+
+
+{% if trove_enable_tls_backend | bool %}
+ SSLEngine On
+ SSLCertificateFile /etc/trove/certs/trove-cert.pem
+ SSLCertificateKeyFile /etc/trove/certs/trove-key.pem
+{% endif %}
+
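Review bot: The mod_ssl path selection at the top of the new template only treats `centos` as an httpd distro, so any other non-Debian base image takes the `/usr/lib/apache2/modules/mod_ssl.so` branch and Apache will fail to load the module once `trove_enable_tls_backend` is set, whereas trove-api.json.j2 in the same change classifies every distro outside `['ubuntu', 'debian']` as httpd. Invert the test to match that file: `{% if kolla_base_distro in ['ubuntu', 'debian'] %}` followed by the apache2 path, with the `/usr/lib64/httpd/modules/mod_ssl.so` line moved into the `{% else %}` branch. The TLS block sets only `SSLEngine On` and the certificate/key paths, so protocol and cipher policy come from whatever the image's Apache defaults provide; if that is intentional for consistency with the other kolla WSGI roles, a one-line comment saying so would save the next reader from wondering whether `SSLProtocol`/`SSLCipherSuite` were forgotten. The VirtualHost, IfVersion and Directory container directives appear with their angle brackets stripped in this rendering (e.g. ` = 2.4>`), so their exact arguments could not be reviewed here.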
diff --git a/ansible/roles/trove/templates/trove.conf.j2 b/ansible/roles/trove/templates/trove.conf.j2
index ac6c45b38c..4f6db853c0 100644
--- a/ansible/roles/trove/templates/trove.conf.j2
+++ b/ansible/roles/trove/templates/trove.conf.j2
@@ -2,10 +2,13 @@
debug = {{ trove_logging_debug }}
log_dir = /var/log/kolla/trove
+{% if service_name == "trove-api" %}
+log_file = trove-api.log
+{% endif %}
host = {{ api_interface_address }}
-bind_port = {{ trove_api_port }}
+bind_port = {{ trove_api_listen_port }}
bind_host = {{ api_interface_address }}
trove_api_workers = {{ trove_api_workers }}
auth_strategy = keystone
diff --git a/releasenotes/notes/trove-api-wsgi-bd6a3a5ab26fe896.yaml b/releasenotes/notes/trove-api-wsgi-bd6a3a5ab26fe896.yaml
new file mode 100644
index 0000000000..4468f9180f
--- /dev/null
+++ b/releasenotes/notes/trove-api-wsgi-bd6a3a5ab26fe896.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ Switch ``trove-api`` to WSGI running under Apache.
+ - |
+ Added configuration options to enable backend TLS encryption from HAProxy
+ to the Trove service.