Enable serving keystone from apache mod_wsgi

Serving keystone from a wsgi container is recommended for production
setups. SSL is enabled by default.

See the following URLs for explanations:
    http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/
    https://etherpad.openstack.org/havana-keystone-performance

Documentation in manifests/wsgi/apache.pp

Apache can be configured as a drop in replacement for keystone (using
    ports 5000 & 35357) or with paths using the standard SSL port. See
examples in examples/apache_*.pp

- Also change some 'real_' prefix into '_real' suffix to respect the
coding guide.
- Added the '--insecure' option to keystone client in the provider to
allow using self-signed certificates.
- Fixed parsing the ssl/enable value in the provider.

There is no integer verification done in the manifests
and to get around a bug in rspec, which has been fixed
in rodjek/rspec-puppet#107,
certain parameters that should be integer are treated as
strings

files/httpd/keystone.py updated with lastest from keystone git repo

Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c

.fixtures.yml

@@ -1,5 +1,7 @@
 fixtures:
   repositories:
+    'apache': 'git://github.com/puppetlabs/puppetlabs-apache.git'
+    'concat': 'git://github.com/puppetlabs/puppetlabs-concat.git'
     'apt': 'git://github.com/puppetlabs/puppetlabs-apt.git'
     'mysql':
       repo: 'git://github.com/puppetlabs/puppetlabs-mysql.git'

Modulefile

@@ -7,6 +7,7 @@ summary 'Puppet Labs Keystone Module'
 description 'Puppet module to install and configure the Openstack identity service'
 project_page 'https://launchpad.net/puppet-openstack'
 
+dependency 'puppetlabs/apache', '>=0.9.0 <1.0.0'
 dependency 'puppetlabs/inifile', '>=1.0.0 <2.0.0'
 dependency 'puppetlabs/mysql', '>=0.6.1 <1.0.0'
 dependency 'puppetlabs/stdlib', '>= 2.5.0'

examples/apache_dropin.pp

@@ -0,0 +1,52 @@
+# Example using apache to serve keystone
+#
+# To be sure everything is working, run:
+#   $ export OS_USERNAME=admin
+#   $ export OS_PASSWORD=ChangeMe
+#   $ export OS_TENANT_NAME=openstack
+#   $ export OS_AUTH_URL=http://keystone.local/keystone/main/v2.0
+#   $ keystone catalog
+#   Service: identity
+#   +-------------+----------------------------------------------+
+#   |   Property  |                    Value                     |
+#   +-------------+----------------------------------------------+
+#   |   adminURL  | http://keystone.local:80/keystone/admin/v2.0 |
+#   |      id     |       4f0f55f6789d4c73a53c51f991559b72       |
+#   | internalURL | http://keystone.local:80/keystone/main/v2.0  |
+#   |  publicURL  | http://keystone.local:80/keystone/main/v2.0  |
+#   |    region   |                  RegionOne                   |
+#   +-------------+----------------------------------------------+
+#
+
+Exec { logoutput => 'on_failure' }
+
+class { 'mysql::server': }
+class { 'keystone::db::mysql':
+  password => 'keystone',
+}
+class { 'keystone':
+  verbose        => true,
+  debug          => true,
+  sql_connection => 'mysql://keystone_admin:keystone@127.0.0.1/keystone',
+  catalog_type   => 'sql',
+  admin_token    => 'admin_token',
+  enabled        => false,
+}
+class { 'keystone::roles::admin':
+  email    => 'test@puppetlabs.com',
+  password => 'ChangeMe',
+}
+class { 'keystone::endpoint':
+  public_address   => $::fqdn,
+  admin_address    => $::fqdn,
+  internal_address => $::fqdn,
+  public_protocol  => 'https',
+  admin_protocol   => 'https'
+}
+
+keystone_config { 'ssl/enable': value => true }
+
+include apache
+class { 'keystone::wsgi::apache':
+  ssl => true
+}

examples/apache_with_paths.pp

@@ -0,0 +1,59 @@
+# Example using apache to serve keystone
+#
+# To be sure everything is working, run:
+#   $ export OS_USERNAME=admin
+#   $ export OS_PASSWORD=ChangeMe
+#   $ export OS_TENANT_NAME=openstack
+#   $ export OS_AUTH_URL=http://keystone.local/keystone/main/v2.0
+#   $ keystone catalog
+#   Service: identity
+#   +-------------+----------------------------------------------+
+#   |   Property  |                    Value                     |
+#   +-------------+----------------------------------------------+
+#   |   adminURL  | http://keystone.local:80/keystone/admin/v2.0 |
+#   |      id     |       4f0f55f6789d4c73a53c51f991559b72       |
+#   | internalURL | http://keystone.local:80/keystone/main/v2.0  |
+#   |  publicURL  | http://keystone.local:80/keystone/main/v2.0  |
+#   |    region   |                  RegionOne                   |
+#   +-------------+----------------------------------------------+
+#
+
+Exec { logoutput => 'on_failure' }
+
+class { 'mysql::server': }
+class { 'keystone::db::mysql':
+  password => 'keystone',
+}
+class { 'keystone':
+  verbose        => true,
+  debug          => true,
+  sql_connection => 'mysql://keystone_admin:keystone@127.0.0.1/keystone',
+  catalog_type   => 'sql',
+  admin_token    => 'admin_token',
+  enabled        => true,
+}
+class { 'keystone::roles::admin':
+  email    => 'test@puppetlabs.com',
+  password => 'ChangeMe',
+}
+class { 'keystone::endpoint':
+  public_address   => $::fqdn,
+  admin_address    => $::fqdn,
+  internal_address => $::fqdn,
+  public_port      => 443,
+  admin_port       => 443,
+  public_protocol  => 'https',
+  admin_protocol   => 'https'
+}
+
+# keystone_config { 'ssl/enable': value => true }
+keystone_config { 'ssl/enable': ensure  => absent }
+
+include apache
+class { 'keystone::wsgi::apache':
+  ssl         => true,
+  public_port => 443,
+  admin_port  => 443,
+  public_path => '/main/',
+  admin_path  => '/admin/'
+}

files/httpd/keystone.py

@@ -0,0 +1,54 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2013 OpenStack Foundation
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+#
+# This file was copied from https://github.com/openstack/keystone/raw/c3b92295b718a41c3136876eb39297081015a97c/httpd/keystone.py
+# It's only required for platforms on which it is not packaged yet.
+# It should be removed when available everywhere in a package.
+#
+
+import logging
+import os
+
+from paste import deploy
+
+from keystone.openstack.common import gettextutils
+
+# NOTE(blk-u):
+# gettextutils.install() must run to set _ before importing any modules that
+# contain static translated strings.
+gettextutils.install('keystone')
+
+from keystone.common import environment
+from keystone import config
+from keystone.openstack.common import log
+
+
+CONF = config.CONF
+CONF(project='keystone')
+config.setup_logging(CONF)
+
+environment.use_stdlib()
+name = os.path.basename(__file__)
+
+if CONF.debug:
+    CONF.log_opt_values(log.getLogger(CONF.prog), logging.DEBUG)
+
+# NOTE(ldbragst): 'application' is required in this context by WSGI spec.
+# The following is a reference to Python Paste Deploy documentation
+# http://pythonpaste.org/deploy/
+application = deploy.loadapp('config:%s' % config.find_paste_config(),
+                             name=name)

manifests/params.pp

@@ -6,21 +6,26 @@
 
   case $::osfamily {
     'Debian': {
-      $package_name     = 'keystone'
-      $service_name     = 'keystone'
+      $package_name              = 'keystone'
+      $service_name              = 'keystone'
+      $keystone_wsgi_script_path = '/usr/lib/cgi-bin/keystone'
       case $::operatingsystem {
         'Debian': {
-          $service_provider = undef
+          $service_provider            = undef
+          $keystone_wsgi_script_source = '/usr/share/keystone/wsgi.py'
         }
         default: {
-          $service_provider = 'upstart'
+          $service_provider            = 'upstart'
+          $keystone_wsgi_script_source = 'puppet:///modules/keystone/httpd/keystone.py'
         }
       }
     }
     'RedHat': {
-      $package_name     = 'openstack-keystone'
-      $service_name     = 'openstack-keystone'
-      $service_provider = undef
+      $package_name                = 'openstack-keystone'
+      $service_name                = 'openstack-keystone'
+      $keystone_wsgi_script_path   = '/var/www/cgi-bin/keystone'
+      $service_provider            = undef
+      $keystone_wsgi_script_source = 'puppet:///modules/keystone/httpd/keystone.py'
     }
   }
 }