From 423d0cfa7d96ec990d280c38262aceb937760aec Mon Sep 17 00:00:00 2001
From: Kevin Carter
Date: Wed, 30 Sep 2015 11:30:44 -0500
Subject: [PATCH] Implement keystone venv support

This commit conditionally allows the os_keystone role to install build and deploy within a venv. This is the new default behavior of the role however the functionality can be disabled.

Change-Id: Ie9e51926c96125a543e05eaa1912684fb01fecda
Implements: blueprint enable-venv-support-within-the-roles
Signed-off-by: Kevin Carter
---
 defaults/main.yml | 21 ++++++++--
 tasks/keystone_db_setup.yml | 3 +-
 tasks/keystone_fernet_keys_create.yml | 12 ++++--
 tasks/keystone_idp_metadata.yml | 3 +-
 tasks/keystone_install.yml | 40 ++++++++++++++++++-
 tasks/keystone_post_install.yml | 33 ++++++++++++++-
 tasks/keystone_pre_install.yml | 12 ++++++
 tasks/keystone_token_cleanup.yml | 4 +-
 tasks/main.yml | 8 ++--
 templates/keystone-fernet-rotate.sh.j2 | 5 ++-
 .../keystone-wsgi.py.j2 | 5 +++
 11 files changed, 126 insertions(+), 20 deletions(-)
 rename files/keystone-wsgi.py => templates/keystone-wsgi.py.j2 (83%)
diff --git a/defaults/main.yml b/defaults/main.yml
index a147d5a83..6a4375265 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -13,12 +13,22 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Defines that the role will be deployed on a host machine
-is_metal: true
-
 ## Verbosity Options
 debug: False
 verbose: True
+
+# Name of the virtual env to deploy into
+keystone_venv_tag: untagged
+keystone_venv_bin: "/openstack/venvs/keystone-{{ keystone_venv_tag }}/bin"
+
+# Set this to enable or disable installing in a venv
+keystone_venv_enabled: true
+
+# The bin path defaults to the venv path however if installation in a
+# venv is disabled the bin path will be dynamically set based on the
+# system path used when the installing.
+keystone_bin: "{{ keystone_venv_bin }}"
+
 keystone_fatal_deprecations: False
 
 ## System info
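Review bot: `is_metal: true` is removed from the role defaults with no replacement, so any task or template that still tests `is_metal` (none is visible in this diff) would now fail on an undefined variable wherever the inventory does not define it; confirm the remaining references were dropped in the same change. The comment above `keystone_bin` also reads awkwardly (`# system path used when the installing.`) and does not say where the dynamic value comes from; suggest `# directory of the keystone command found on the system PATH after install (set in keystone_post_install.yml).`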
@@ -334,6 +344,11 @@ keystone_idp_apt_packages:
 - ssl-cert
 - xmlsec1
 
+# Keystone packages that must be installed before anything else
+keystone_requires_pip_packages:
+ - virtualenv
+ - python-keystoneclient # Keystoneclient needed to OSA keystone lib
+
 # Common pip packages
 keystone_pip_packages:
 - keystone
diff --git a/tasks/keystone_db_setup.yml b/tasks/keystone_db_setup.yml
index 9bdf171a5..7c887187c 100644
--- a/tasks/keystone_db_setup.yml
+++ b/tasks/keystone_db_setup.yml
@@ -40,10 +40,11 @@
 - keystone-db-setup
 
 - name: Perform a Keystone DB sync
- command: keystone-manage db_sync
+ command: "{{ keystone_bin }}/keystone-manage db_sync"
 sudo: yes
 sudo_user: "{{ keystone_system_user_name }}"
 tags:
 - keystone-db-setup
 - keystone-db-sync
 - keystone-setup
+ - keystone-command-bin
diff --git a/tasks/keystone_fernet_keys_create.yml b/tasks/keystone_fernet_keys_create.yml
index 39a5b7095..15e554578 100644
--- a/tasks/keystone_fernet_keys_create.yml
+++ b/tasks/keystone_fernet_keys_create.yml
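Review bot: The inline comment `# Keystoneclient needed to OSA keystone lib` on the `python-keystoneclient` entry is hard to parse and does not say why the package sits in this unconditional, system-level list rather than in `keystone_pip_packages`. Suggest `# python-keystoneclient is required by the OSA keystone library module; it is installed without a virtualenv so it is available to the system interpreter`. A similar one-line reason on `virtualenv` (presumably the command the pip module needs to build the venv) would make the list self-explanatory.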
@@ -22,21 +22,25 @@
 
 - name: Create fernet keys for Keystone
 command: >
- keystone-manage fernet_setup --keystone-user "{{ keystone_system_user_name }}"
- --keystone-group "{{ keystone_system_group_name }}"
+ {{ keystone_bin }}/keystone-manage fernet_setup
+ --keystone-user "{{ keystone_system_user_name }}"
+ --keystone-group "{{ keystone_system_group_name }}"
 sudo: yes
 sudo_user: "{{ keystone_system_user_name }}"
 when: not _fernet_keys.stat.exists
 tags:
 - keystone-setup
 - keystone-fernet
+ - keystone-command-bin
 
 - name: Rotate fernet keys for Keystone
 command: >
- keystone-manage fernet_rotate --keystone-user "{{ keystone_system_user_name }}"
- --keystone-group "{{ keystone_system_group_name }}"
+ {{ keystone_bin }}/keystone-manage fernet_rotate
+ --keystone-user "{{ keystone_system_user_name }}"
+ --keystone-group "{{ keystone_system_group_name }}"
 sudo: yes
 sudo_user: "{{ keystone_system_user_name }}"
 when: _fernet_keys.stat.exists
 tags:
 - keystone-fernet
+ - keystone-command-bin
diff --git a/tasks/keystone_idp_metadata.yml b/tasks/keystone_idp_metadata.yml
index 489428cf8..70e4e5f93 100644
--- a/tasks/keystone_idp_metadata.yml
+++ b/tasks/keystone_idp_metadata.yml
@@ -14,7 +14,8 @@
 # limitations under the License.
 
 - name: Generate IdP metadata
- shell: "keystone-manage saml_idp_metadata > {{ keystone_idp.idp_metadata_path }}"
+ shell: |
+ {{ keystone_bin }}/keystone-manage saml_idp_metadata > {{ keystone_idp.idp_metadata_path }}
 sudo: yes
 sudo_user: "{{ keystone_system_user_name }}"
 when: keystone_idp is defined
diff --git a/tasks/keystone_install.yml b/tasks/keystone_install.yml
index bacad8e2f..c5a21337c 100644
--- a/tasks/keystone_install.yml
+++ b/tasks/keystone_install.yml
@@ -34,6 +34,7 @@
 delay: 2
 with_items: keystone_apt_packages
 tags:
+ - keystone-install
 - keystone-apt-packages
 
 - name: Install IdP apt packages
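Review bot: In `Generate IdP metadata` the redirect target `{{ keystone_idp.idp_metadata_path }}` is interpolated into the `shell:` line unquoted, so a path containing whitespace or shell metacharacters would be word-split or interpreted by the shell rather than used as a filename; the rewrite to a literal block is a good moment to quote it: `{{ keystone_bin }}/keystone-manage saml_idp_metadata > "{{ keystone_idp.idp_metadata_path }}"`. The fernet tasks in the first hunk on this line are unaffected because they use `command:`, which does not go through a shell.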
@@ -47,6 +48,7 @@
 with_items: keystone_idp_apt_packages
 when: keystone_idp is defined
 tags:
+ - keystone-install
 - keystone-apt-packages
 
 - name: Install SP apt packages
@@ -60,9 +62,43 @@
 with_items: keystone_sp_apt_packages
 when: keystone_sp is defined
 tags:
+ - keystone-install
 - keystone-apt-packages
 
-- name: Install pip packages
+- name: Install requires pip packages
+ pip:
+ name: "{{ item }}"
+ state: present
+ extra_args: "{{ pip_install_options|default('') }}"
+ register: install_packages
+ until: install_packages|success
+ retries: 5
+ delay: 2
+ with_items:
+ - "{{ keystone_requires_pip_packages }}"
+ tags:
+ - keystone-install
+ - keystone-pip-packages
+
+- name: Install pip packages (venv)
+ pip:
+ name: "{{ item }}"
+ state: present
+ virtualenv: "{{ keystone_venv_bin | dirname }}"
+ virtualenv_site_packages: "no"
+ extra_args: "{{ pip_install_options|default('') }}"
+ register: install_packages
+ until: install_packages|success
+ retries: 5
+ delay: 2
+ with_items:
+ - "{{ keystone_pip_packages }}"
+ when: keystone_venv_enabled | bool
+ tags:
+ - keystone-install
+ - keystone-pip-packages
+
+- name: Install pip packages (no venv)
 pip:
 name: "{{ item }}"
 state: present
@@ -73,5 +109,7 @@
 delay: 2
 with_items:
 - "{{ keystone_pip_packages }}"
+ when: not keystone_venv_enabled | bool
 tags:
+ - keystone-install
 - keystone-pip-packages
diff --git a/tasks/keystone_post_install.yml b/tasks/keystone_post_install.yml
index 506fed82d..659cf9ef2 100644
--- a/tasks/keystone_post_install.yml
+++ b/tasks/keystone_post_install.yml
@@ -53,9 +53,38 @@
 mode: "{{ item.mode|default('0644') }}"
 with_items:
 - { src: "sso_callback_template.html", dest: "/etc/keystone/sso_callback_template.html" }
- - { src: "keystone-wsgi.py", dest: "/var/www/cgi-bin/keystone/admin", mode: "0755" }
- - { src: "keystone-wsgi.py", dest: "/var/www/cgi-bin/keystone/main", mode: "0755" }
 notify:
 - Restart Apache
 tags:
 - keystone-config
+
+- name: Drop Keystone WSGI Configs
+ template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: "{{ keystone_system_user_name }}"
+ group: "{{ keystone_system_group_name }}"
+ mode: "{{ item.mode|default('0644') }}"
+ with_items:
+ - { src: "keystone-wsgi.py.j2", dest: "/var/www/cgi-bin/keystone/admin", mode: "0755" }
+ - { src: "keystone-wsgi.py.j2", dest: "/var/www/cgi-bin/keystone/main", mode: "0755" }
+ notify:
+ - Restart Apache
+ tags:
+ - keystone-config
+
+- name: Get keystone command path
+ command: which keystone
+ register: keystone_command_path
+ when:
+ - not keystone_venv_enabled | bool
+ tags:
+ - keystone-command-bin
+
+- name: Set keystone command path
+ set_fact:
+ keystone_bin: "{{ keystone_command_path.stdout | dirname }}"
+ when:
+ - not keystone_venv_enabled | bool
+ tags:
+ - keystone-command-bin
diff --git a/tasks/keystone_pre_install.yml b/tasks/keystone_pre_install.yml
index b75ababc4..3fb9eb1d6 100644
--- a/tasks/keystone_pre_install.yml
+++ b/tasks/keystone_pre_install.yml
@@ -67,6 +67,7 @@
 group: "{{ item.group|default(keystone_system_group_name) }}"
 mode: "{{ item.mode|default(0755) }}"
 with_items:
+ - { path: "/openstack", mode: "0755", owner: "root", group: "root" }
 - { path: "/etc/keystone" }
 - { path: "{{ keystone_ldap_domain_config_dir }}" }
 - { path: "/etc/keystone/ssl" }
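Review bot: `Get keystone command path` probes `which keystone`, but every consumer of `keystone_bin` in this commit runs `keystone-manage`; the `keystone` CLI comes from python-keystoneclient, which the new requires list installs unconditionally, so the probe can succeed while saying nothing about where the keystone package itself landed — probing the binary actually used is safer: `command: which keystone-manage`. The task also reports changed on every run, so add `changed_when: false`. Both discovery tasks are tagged only `keystone-command-bin`, which means a run limited to e.g. `--tags keystone-config` in no-venv mode leaves `keystone_bin` at the venv default for the cron job in keystone_token_cleanup.yml (tagged only `keystone-config`, unlike the db-sync and fernet tasks); consider tagging the two discovery tasks `always`, or adding `keystone-command-bin` to every task and template that consumes `keystone_bin`, including the fernet-rotate script template.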
@@ -78,6 +79,17 @@
 tags:
 - keystone-dirs
 
+- name: Create keystone venv dir
+ file:
+ path: "{{ item.path }}"
+ state: directory
+ with_items:
+ - { path: "/openstack/venvs" }
+ - { path: "{{ keystone_venv_bin }}" }
+ when: keystone_venv_enabled | bool
+ tags:
+ - keystone-dirs
+
 - name: Test for log directory or link
 shell: |
 if [ -h "/var/log/keystone" ]; then
diff --git a/tasks/keystone_token_cleanup.yml b/tasks/keystone_token_cleanup.yml
index 9e5f33e4f..0a785c687 100644
--- a/tasks/keystone_token_cleanup.yml
+++ b/tasks/keystone_token_cleanup.yml
@@ -17,9 +17,7 @@
 cron:
 name: "Clear out stale keystone tokens"
 minute: 0
- job: "/usr/local/bin/keystone-manage token_flush"
+ job: "{{ keystone_bin }}/keystone-manage token_flush"
 user: "{{ keystone_system_user_name }}"
- when: >
- 'sql' in keystone_token_driver
 tags:
 - keystone-config
diff --git a/tasks/main.yml b/tasks/main.yml
index 8e80dc164..0d416f543 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -15,6 +15,7 @@
 
 - include: keystone_pre_install.yml
 - include: keystone_install.yml
+- include: keystone_post_install.yml
 
 - include: keystone_key_setup.yml
 tags:
@@ -27,8 +28,6 @@
 when: >
 'fernet' in keystone_token_provider
 
-- include: keystone_post_install.yml
-
 - include: keystone_federation_sp_setup.yml
 when: >
 keystone_sp is defined
@@ -37,9 +36,12 @@
 when: >
 inventory_hostname == groups['keystone_all'][0]
 
+- include: keystone_token_cleanup.yml
+ when: >
+ 'sql' in keystone_token_driver
+
 - include: keystone_ssl.yml
 - include: keystone_apache.yml
-- include: keystone_token_cleanup.yml
 
 - include: keystone_service_setup.yml
 when: >
diff --git a/templates/keystone-fernet-rotate.sh.j2 b/templates/keystone-fernet-rotate.sh.j2
index 0594ceaf3..432390273 100644
--- a/templates/keystone-fernet-rotate.sh.j2
+++ b/templates/keystone-fernet-rotate.sh.j2
@@ -23,8 +23,9 @@ function autorotate {
 # Rotate the keys
- keystone-manage fernet_rotate --keystone-user "{{ keystone_system_user_name }}" \
- --keystone-group "{{ keystone_system_group_name }}"
+ {{ keystone_bin }}/keystone-manage fernet_rotate \
+ --keystone-user "{{ keystone_system_user_name }}" \
+ --keystone-group "{{ keystone_system_group_name }}"
 
 {% for host in groups['keystone_all'] %}
 {% if inventory_hostname != host %}
diff --git a/files/keystone-wsgi.py b/templates/keystone-wsgi.py.j2
similarity index 83%
rename from files/keystone-wsgi.py
rename to templates/keystone-wsgi.py.j2
index 0c7018ff6..7c39db6e3 100644
--- a/files/keystone-wsgi.py
+++ b/templates/keystone-wsgi.py.j2
@@ -14,6 +14,11 @@
 import os
+{% if keystone_venv_enabled | bool %}
+activate_this = os.path.expanduser("{{ keystone_venv_bin }}/activate_this.py")
+execfile(activate_this, dict(__file__=activate_this))
+{% endif %}
+
 from keystone.server import wsgi as wsgi_server