magnum: Switch to use uWSGI and add support for backend TLS

Change-Id: I0a7f27fb3a6239890aa1b4d8d1a149113d8ee203
Signed-off-by: Michal Nasiadka <[email protected]>
Signed-off-by: Bartosz Bezak <[email protected]>

Author: mnasiadka

ansible/roles/magnum/defaults/main.yml

@@ -10,6 +10,7 @@ magnum_services:
     volumes: "{{ magnum_api_default_volumes + magnum_api_extra_volumes }}"
     dimensions: "{{ magnum_api_dimensions }}"
     healthcheck: "{{ magnum_api_healthcheck }}"
+    wsgi: "magnum.wsgi.api:application"
     haproxy:
       magnum_api:
         enabled: "{{ enable_magnum }}"
@@ -19,6 +20,7 @@ magnum_services:
         listen_port: "{{ magnum_api_listen_port }}"
         backend_http_extra:
           - "option httpchk"
+        tls_backend: "{{ magnum_enable_tls_backend | bool }}"
       magnum_api_external:
         enabled: "{{ enable_magnum }}"
         mode: "http"
@@ -28,6 +30,7 @@ magnum_services:
         listen_port: "{{ magnum_api_listen_port }}"
         backend_http_extra:
           - "option httpchk"
+        tls_backend: "{{ magnum_enable_tls_backend | bool }}"
   magnum-conductor:
     container_name: magnum_conductor
     group: magnum-conductor
@@ -98,7 +101,7 @@ magnum_api_enable_healthchecks: "{{ enable_container_healthchecks }}"
 magnum_api_healthcheck_interval: "{{ default_container_healthcheck_interval }}"
 magnum_api_healthcheck_retries: "{{ default_container_healthcheck_retries }}"
 magnum_api_healthcheck_start_period: "{{ default_container_healthcheck_start_period }}"
-magnum_api_healthcheck_test: ["CMD-SHELL", "healthcheck_curl http://{{ api_interface_address | put_address_in_context('url') }}:{{ magnum_api_port }}"]
+magnum_api_healthcheck_test: ["CMD-SHELL", "healthcheck_curl {{ 'https' if magnum_enable_tls_backend | bool else 'http' }}://{{ api_interface_address | put_address_in_context('url') }}:{{ magnum_api_listen_port }}"]
 magnum_api_healthcheck_timeout: "{{ default_container_healthcheck_timeout }}"
 magnum_api_healthcheck:
   interval: "{{ magnum_api_healthcheck_interval }}"
@@ -195,10 +198,17 @@ magnum_ks_users:
     password: "{{ magnum_keystone_password }}"
     role: "admin"
 
+###################
 # Database
+###################
 magnum_database_enable_tls_internal: "{{ database_enable_tls_internal | bool }}"
 
 ###################
 # Copy certificates
 ###################
-magnum_copy_certs: "{{ kolla_copy_ca_into_containers | bool or magnum_database_enable_tls_internal | bool }}"
+magnum_copy_certs: "{{ kolla_copy_ca_into_containers | bool or magnum_enable_tls_backend | bool or magnum_database_enable_tls_internal | bool }}"
+
+####################
+# TLS
+####################
+magnum_enable_tls_backend: "{{ kolla_enable_tls_backend }}"

ansible/roles/magnum/tasks/config.yml

@@ -63,6 +63,24 @@
   become: true
   with_dict: "{{ magnum_services | select_services_enabled_and_mapped_to_host }}"
 
+- name: Configure uWSGI for Magnum
+  include_role:
+    name: service-uwsgi-config
+  vars:
+    project_services: "{{ magnum_services }}"
+    service: "{{ magnum_services['magnum-api'] }}"
+    service_name: "magnum-api"
+    service_uwsgi_config_http_port: "{{ magnum_api_listen_port }}"
+    service_uwsgi_config_log_file_chmod: "644"
+    service_uwsgi_config_module: "{{ service.wsgi }}"
+    service_uwsgi_config_tls_backend: "{{ magnum_enable_tls_backend | bool }}"
+    service_uwsgi_config_tls_cert: "/etc/magnum/certs/magnum-cert.pem"
+    service_uwsgi_config_tls_key: "/etc/magnum/certs/magnum-key.pem"
+    service_uwsgi_config_workers: "{{ magnum_api_workers }}"
+    service_uwsgi_config_uid: "magnum"
+  when:
+    - service | service_enabled_and_mapped_to_host
+
 - name: Copying over magnum.conf
   vars:
     service_name: "{{ item.key }}"

ansible/roles/magnum/templates/magnum-api.json.j2

@@ -1,12 +1,30 @@
 {
-    "command": "magnum-api --config-file /etc/magnum/magnum.conf",
+    "command": "uwsgi /etc/magnum/magnum-api-uwsgi.ini",
     "config_files": [
         {
             "source": "{{ container_config_directory }}/magnum.conf",
             "dest": "/etc/magnum/magnum.conf",
             "owner": "magnum",
             "perm": "0600"
-        }{% if magnum_kubeconfig_file_path is defined %},
+        },
+        {
+            "source": "{{ container_config_directory }}/magnum-api-uwsgi.ini",
+            "dest": "/etc/magnum/magnum-api-uwsgi.ini",
+            "owner": "magnum",
+            "perm": "0600"
+        }{% if magnum_enable_tls_backend | bool %},
+        {
+            "source": "{{ container_config_directory }}/magnum-cert.pem",
+            "dest": "/etc/magnum/certs/magnum-cert.pem",
+            "owner": "magnum",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/magnum-key.pem",
+            "dest": "/etc/magnum/certs/magnum-key.pem",
+            "owner": "magnum",
+            "perm": "0600"
+        }{% endif %}{% if magnum_kubeconfig_file_path is defined %},
         {
             "source": "{{ container_config_directory }}/kubeconfig",
             "dest": "/var/lib/magnum/.kube/config",

ansible/roles/magnum/templates/magnum.conf.j2

@@ -2,6 +2,7 @@
 debug = {{ magnum_logging_debug }}
 state_path = /var/lib/magnum
 log_dir = /var/log/kolla/magnum
+log_file = /var/log/kolla/magnum/{{ service_name }}.log
 
 host = {{ api_interface_address }}
 

releasenotes/notes/uwsgi-magnum-6702c72f30286978.yaml

@@ -0,0 +1,4 @@
+---
+upgrade:
+  - |
+    ``magnum-api`` is now running under uWSGI and now supports backend TLS.