diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index aa30b4923f..8ddb843396 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -548,6 +548,7 @@ syslog_udp_port: "{{ fluentd_syslog_port }}"
 tacker_server_port: "9890"
 trove_api_port: "8779"
+trove_api_listen_port: "{{ trove_api_port }}"
 venus_api_port: "10010"
diff --git a/ansible/roles/common/templates/conf/filter/01-rewrite.conf.j2 b/ansible/roles/common/templates/conf/filter/01-rewrite.conf.j2
index 45b8d6d4c3..e2867aabcc 100644
--- a/ansible/roles/common/templates/conf/filter/01-rewrite.conf.j2
+++ b/ansible/roles/common/templates/conf/filter/01-rewrite.conf.j2
@@ -3,7 +3,7 @@
   capitalize_regex_backreference yes
     key programname
-    pattern ^(cinder-api-access|cloudkitty-api-access|gnocchi-api-access|horizon-access|keystone-apache-admin-access|keystone-apache-public-access|octavia-api-access|placement-api-access)$
+    pattern ^(cinder-api-access|cloudkitty-api-access|gnocchi-api-access|horizon-access|keystone-apache-admin-access|keystone-apache-public-access|octavia-api-access|placement-api-access|trove-api-access)$
     tag apache_access
diff --git a/ansible/roles/trove/defaults/main.yml b/ansible/roles/trove/defaults/main.yml
index 455849ff37..a857486326 100644
--- a/ansible/roles/trove/defaults/main.yml
+++ b/ansible/roles/trove/defaults/main.yml
@@ -14,11 +14,15 @@ trove_services:
         mode: "http"
         external: false
         port: "{{ trove_api_port }}"
+        listen_port: "{{ trove_api_listen_port }}"
+        tls_backend: "{{ trove_enable_tls_backend }}"
       trove_api_external:
         enabled: "{{ enable_trove }}"
         mode: "http"
         external: true
         port: "{{ trove_api_port }}"
+        listen_port: "{{ trove_api_listen_port }}"
+        tls_backend: "{{ trove_enable_tls_backend }}"
   trove-conductor:
     container_name: trove_conductor
     group: trove-conductor
@@ -198,3 +202,8 @@ trove_ks_users:
     user: "{{ trove_keystone_user }}"
     password: "{{ trove_keystone_password }}"
     role: "admin"
+
+####################
+# TLS
+####################
+trove_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
diff --git a/ansible/roles/trove/tasks/config.yml b/ansible/roles/trove/tasks/config.yml
index 1bbe2f24e6..6b5da98056 100644
--- a/ansible/roles/trove/tasks/config.yml
+++ b/ansible/roles/trove/tasks/config.yml
@@ -33,7 +33,7 @@
 - include_tasks: copy-certs.yml
   when:
-    - kolla_copy_ca_into_containers | bool
+    - kolla_copy_ca_into_containers | bool or trove_enable_tls_backend | bool
 - name: Copying over config.json files for services
   template:
@@ -48,6 +48,24 @@
   notify:
     - "Restart {{ item.key }} container"
+- name: Copying over trove-wsgi.conf
+  vars:
+    service: "{{ trove_services['trove-api'] }}"
+  become: true
+  template:
+    src: "{{ item }}"
+    dest: "{{ node_config_directory }}/trove-api/trove-wsgi.conf"
+    mode: "0660"
+  with_first_found:
+    - "{{ node_custom_config }}/trove/{{ inventory_hostname }}/trove-wsgi.conf"
+    - "{{ node_custom_config }}/trove/trove-wsgi.conf"
+    - "trove-wsgi.conf.j2"
+  when:
+    - inventory_hostname in groups[service.group]
+    - service.enabled | bool
+  notify:
+    - Restart trove-api container
+
 - name: Copying over trove-guestagent.conf
   vars:
     services_need_confs:
diff --git a/ansible/roles/trove/tasks/precheck.yml b/ansible/roles/trove/tasks/precheck.yml
index 08743e633a..5502edaaa6 100644
--- a/ansible/roles/trove/tasks/precheck.yml
+++ b/ansible/roles/trove/tasks/precheck.yml
@@ -17,7 +17,7 @@
 - name: Checking free port for Trove API
   wait_for:
     host: "{{ api_interface_address }}"
-    port: "{{ trove_api_port }}"
+    port: "{{ trove_api_listen_port }}"
     connect_timeout: 1
     timeout: 1
     state: stopped
diff --git a/ansible/roles/trove/templates/trove-api.json.j2 b/ansible/roles/trove/templates/trove-api.json.j2
index be2acebeae..c2e4744efa 100644
--- a/ansible/roles/trove/templates/trove-api.json.j2
+++ b/ansible/roles/trove/templates/trove-api.json.j2
@@ -1,24 +1,48 @@
+{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
+{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
 {
-    "command": "trove-api --config-file=/etc/trove/trove.conf",
+    "command": "/usr/sbin/{{ apache_binary }} -DFOREGROUND",
     "config_files": [
         {
             "source": "{{ container_config_directory }}/trove.conf",
             "dest": "/etc/trove/trove.conf",
             "owner": "trove",
             "perm": "0600"
-        }{% if trove_policy_file is defined %},
+        },
+        {
+            "source": "{{ container_config_directory }}/trove-wsgi.conf",
+            "dest": "/etc/{{ apache_conf_dir }}/trove-wsgi.conf",
+            "owner": "trove",
+            "perm": "0600"
+        }{% if trove_policy_file is defined %},
         {
             "source": "{{ container_config_directory }}/{{ trove_policy_file }}",
             "dest": "/etc/trove/{{ trove_policy_file }}",
             "owner": "trove",
             "perm": "0600"
-        }{% endif %}
-    ],
+        }{% endif %}{% if trove_enable_tls_backend | bool %},
+        {
+            "source": "{{ container_config_directory }}/trove-cert.pem",
+            "dest": "/etc/trove/certs/trove-cert.pem",
+            "owner": "trove",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/trove-key.pem",
+            "dest": "/etc/trove/certs/trove-key.pem",
+            "owner": "trove",
+            "perm": "0600"
+        }
+    {% endif %}],
     "permissions": [
         {
             "path": "/var/log/kolla/trove",
             "owner": "trove:trove",
             "recurse": true
+        },
+        {
+            "path": "/var/run/trove",
+            "owner": "trove:trove"
         }
     ]
 }
diff --git a/ansible/roles/trove/templates/trove-wsgi.conf.j2 b/ansible/roles/trove/templates/trove-wsgi.conf.j2
new file mode 100644
index 0000000000..26449a5384
--- /dev/null
+++ b/ansible/roles/trove/templates/trove-wsgi.conf.j2
@@ -0,0 +1,43 @@ +{% set wsgi_directory = '/var/lib/kolla/venv/bin' %} +{% if trove_enable_tls_backend | bool %} +{% if kolla_base_distro in ['centos'] %} +LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so +{% else %} +LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so +{% endif %} +{% endif %} +Listen {{ api_interface_address | put_address_in_context('url') }}:{{ trove_api_listen_port }} + +ServerSignature Off +ServerTokens Prod +TraceEnable off +TimeOut {{ kolla_httpd_timeout }} +KeepAliveTimeout {{ kolla_httpd_keep_alive }} + +{% if trove_logging_debug | bool %} +LogLevel info +{% endif %} + + + WSGIDaemonProcess trove-api processes={{ trove_api_workers }} threads=1 user=trove group=trove display-name=trove-api + WSGIProcessGroup trove-api + WSGIScriptAlias / {{ wsgi_directory }}/trove-wsgi + WSGIApplicationGroup %{GLOBAL} + WSGIPassAuthorization On + = 2.4> + ErrorLogFormat "%{cu}t %M" + + ErrorLog /var/log/kolla/trove/trove-api-error.log + LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat + CustomLog /var/log/kolla/trove/trove-api-access.log logformat + + + Require all granted + + +{% if trove_enable_tls_backend | bool %} + SSLEngine On + SSLCertificateFile /etc/trove/certs/trove-cert.pem + SSLCertificateKeyFile /etc/trove/certs/trove-key.pem +{% endif %} + diff --git a/ansible/roles/trove/templates/trove.conf.j2 b/ansible/roles/trove/templates/trove.conf.j2 index ac6c45b38c..4f6db853c0 100644 --- a/ansible/roles/trove/templates/trove.conf.j2 +++ b/ansible/roles/trove/templates/trove.conf.j2 @@ -2,10 +2,13 @@ debug = {{ trove_logging_debug }} log_dir = /var/log/kolla/trove +{% if service_name == "trove-api" %} +log_file = trove-api.log +{% endif %} host = {{ api_interface_address }} -bind_port = {{ trove_api_port }} +bind_port = {{ trove_api_listen_port }} bind_host = {{ api_interface_address }} trove_api_workers = {{ trove_api_workers }} auth_strategy = keystone 
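Review bot: The mod_ssl path selection in the new trove-wsgi.conf.j2 keys on `kolla_base_distro in ['centos']` and otherwise falls back to the Debian-family path `/usr/lib/apache2/modules/mod_ssl.so`, while trove-api.json.j2 in the same commit chooses the `httpd` binary for every base distro that is not `ubuntu`/`debian`; a base distro outside both lists (if any is supported) would start `httpd` but be told to load the apache2 module path and fail only when `trove_enable_tls_backend` is true. Inverting the check to match the json template, `{% if kolla_base_distro in ['ubuntu', 'debian'] %}` selecting the apache2 path and the httpd path otherwise, keeps the two templates consistent. The TLS block sets `SSLEngine On` with the certificate and key but no `SSLProtocol` or cipher directive, so the HAProxy-to-backend hop accepts whatever the distro's mod_ssl default policy allows; if that is intended, a comment such as `# TLS protocol/cipher policy is left to the distro mod_ssl defaults` next to `SSLEngine On` documents the choice. The `<VirtualHost>`, `<IfVersion>` and `<Directory>` container lines appear to have been lost in this rendering of the hunk, so their arguments could not be reviewed here.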
diff --git a/releasenotes/notes/trove-api-wsgi-bd6a3a5ab26fe896.yaml b/releasenotes/notes/trove-api-wsgi-bd6a3a5ab26fe896.yaml
new file mode 100644
index 0000000000..4468f9180f
--- /dev/null
+++ b/releasenotes/notes/trove-api-wsgi-bd6a3a5ab26fe896.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Switch ``trove-api`` to WSGI running under Apache.
+  - |
+    Added configuration options to enable backend TLS encryption from HAProxy
+    to the Trove service.