From 067e1a32a93b1aaad94746defe091ebc63b6ff66 Mon Sep 17 00:00:00 2001 From: Emilien Macchi Date: Fri, 3 Feb 2017 11:02:03 -0500 Subject: [PATCH] Stop deploying Nova API in WSGI with Apache It was suggested by Nova team to not deploying Nova API in WSGI with Apache in production. It's causing some issues that we didn't catch until now (see in the bug report). Until we figure out what was wrong, let's disable it so we can move forward in the upgrade process. Note: we also need to fix orchestration in provision to make sure Keystone is ready before creating nova flavors, and other resources. Depends-On: I1688eae1369f6da2c7084dc3864d19708d15c78d Change-Id: I4a0d999d5290785a416bbb11953fee7a5028a00b Related-Bug: 1661360
---
 manifests/neutron.pp | 19 ++++++++++++++++---
 manifests/nova.pp | 20 ++++++++++----------
 manifests/provision.pp | 9 ++++++---
 3 files changed, 32 insertions(+), 16 deletions(-)
diff --git a/manifests/neutron.pp b/manifests/neutron.pp
index bfa7e2c34..25ac717b0 100644
--- a/manifests/neutron.pp
+++ b/manifests/neutron.pp
@@ -141,10 +141,23 @@ class openstack_integration::neutron (
 mechanism_drivers => $driver,
 firewall_driver => $firewall_driver,
 }
+ if $::openstack_integration::config::ssl {
+ $metadata_protocol = 'https'
+ $nova_client_cert = $::openstack_integration::params::cert_path
+ $nova_client_priv_key = "/etc/neutron/ssl/private/${::fqdn}.pem"
+ } else {
+ $metadata_protocol = $::os_service_default
+ $nova_client_cert = $::os_service_default
+ $nova_client_priv_key = $::os_service_default
+ }
 class { '::neutron::agents::metadata':
- debug => true,
- shared_secret => 'a_big_secret',
- metadata_workers => 2,
+ debug => true,
+ shared_secret => 'a_big_secret',
+ metadata_workers => 2,
+ metadata_protocol => $metadata_protocol,
+ metadata_insecure => true,
+ nova_client_cert => $nova_client_cert,
+ nova_client_priv_key => $nova_client_priv_key,
 }
 class { '::neutron::agents::lbaas':
 interface_driver => $driver,
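Review bot: `metadata_insecure => true` is set unconditionally in the `::neutron::agents::metadata` declaration, so when `metadata_protocol` is `https` the agent will not verify the Nova metadata server's certificate; the client certificate and key configured beside it authenticate the agent, not the server. If the integration CA is already trusted on the node (the nova.pp part of this commit chains on `Exec['update-ca-certificates']`), this could be `metadata_insecure => false`, or at least carry a comment such as `# CI only: the metadata server certificate is not verified`. The hunk also does not show what creates `/etc/neutron/ssl/private/${::fqdn}.pem`; if it is managed elsewhere in the class, a short comment next to `$nova_client_priv_key` would say where.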
diff --git a/manifests/nova.pp b/manifests/nova.pp
index 873de3386..3f42cc58b 100644
--- a/manifests/nova.pp
+++ b/manifests/nova.pp
@@ -30,9 +30,13 @@ class openstack_integration::nova (
 if $::openstack_integration::config::ssl {
 openstack_integration::ssl_key { 'nova':
- notify => Service['httpd'],
+ notify => [
+ Service['nova-api'],
+ Service['httpd'],
+ ],
 require => Package['nova-common'],
 }
+ Exec['update-ca-certificates'] ~> Service['nova-api']
 Exec['update-ca-certificates'] ~> Service['httpd']
 }
@@ -103,22 +107,18 @@ class openstack_integration::nova (
 debug => true,
 notification_driver => 'messagingv2',
 notify_on_state_change => 'vm_and_task_state',
+ use_ssl => $::openstack_integration::config::ssl,
+ key_file => "/etc/nova/ssl/private/${::fqdn}.pem",
+ cert_file => $::openstack_integration::params::cert_path,
 }
 class { '::nova::api':
 api_bind_address => $::openstack_integration::config::host,
 neutron_metadata_proxy_shared_secret => 'a_big_secret',
 metadata_workers => 2,
+ osapi_compute_workers => 2,
 default_floating_pool => 'public',
 sync_db_api => true,
- service_name => 'httpd',
- }
- include ::apache
- class { '::nova::wsgi::apache_api':
- bind_host => $::openstack_integration::config::ip_for_url,
- ssl_key => "/etc/nova/ssl/private/${::fqdn}.pem",
- ssl_cert => $::openstack_integration::params::cert_path,
- ssl => $::openstack_integration::config::ssl,
- workers => '2',
+
 }
 if $::osfamily == 'RedHat' {
 class { '::nova::wsgi::apache_placement':
diff --git a/manifests/provision.pp b/manifests/provision.pp
index d95a7eb35..d35377154 100644
--- a/manifests/provision.pp
+++ b/manifests/provision.pp
@@ -18,7 +18,8 @@ class openstack_integration::provision {
 disk => '0',
 vcpus => '1',
 }
- Keystone_user_role['admin@openstack'] -> Nova_flavor<||>
+ Keystone_user_role <||>-> Nova_flavor<||>
+ Keystone_endpoint <||>-> Nova_flavor<||>
 neutron_network { 'public':
 tenant_name => 'openstack',
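Review bot: The `notify` list and the `Exec['update-ca-certificates'] ~> Service['httpd']` chain still reference `Service['httpd']`, while the later hunk in this file removes `include ::apache` from the class. Where the `$::osfamily == 'RedHat'` placement branch does not run, these references presumably resolve only because some other manifest declares Apache, and a reference to a resource that is not in the catalog fails compilation. A comment above the `notify` such as `# httpd still serves placement; Apache is declared outside this class` would record that dependency.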
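Review bot: `key_file` and `cert_file` are passed unconditionally at the top of this hunk, while `use_ssl` follows `$::openstack_integration::config::ssl`; neutron.pp in this same commit guards its equivalent settings with an `if`/`else`. Whether the receiving class ignores the two paths when `use_ssl` is false is not visible here (its declaration starts outside the hunk), so either guard them the same way or add a comment such as `# key_file/cert_file are only read when use_ssl is true`. The lone `+` line before the closing brace of `::nova::api` adds an empty line inside the declaration and can be dropped.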
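Review bot: The empty collectors in `Keystone_user_role <||>-> Nova_flavor<||>` and `Keystone_endpoint <||>-> Nova_flavor<||>` order the flavors after every role and endpoint in the catalog, and an empty collector also realizes any virtual resources of that type, which is much wider than the single `Keystone_user_role['admin@openstack']` edge it replaces. The same pair of lines is added in the two later hunks of this file for `Neutron_network` and `Glance_image`. A comment above each pair would explain why the wide ordering is wanted, for example `# providers authenticate against Keystone, so every role and endpoint must exist first`. The chaining arrow also reads better with spaces on both sides: `Keystone_endpoint <||> -> Nova_flavor <||>`.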
@@ -26,7 +27,8 @@ class openstack_integration::provision {
 provider_physical_network => 'external',
 provider_network_type => 'flat',
 }
- Keystone_user_role['admin@openstack'] -> Neutron_network<||>
+ Keystone_user_role <||>-> Neutron_network<||>
+ Keystone_endpoint <||>-> Neutron_network<||>
 neutron_subnet { 'public-subnet':
 cidr => '172.24.5.0/24',
@@ -52,5 +54,6 @@ class openstack_integration::provision {
 is_public => 'yes',
 source => '/tmp/openstack/tempest/cirros-0.3.4-x86_64-disk.img'
 }
- Keystone_user_role['admin@openstack'] -> Glance_image<||>
+ Keystone_user_role <||>-> Glance_image<||>
+ Keystone_endpoint <||>-> Glance_image<||>
 }