fix: Barbican use same uwsgi config as other services. (#1119)

This renew Barbican uwsgi config and make sure it uses same uwsgi config as other services. relate to #42 Reviewed-by: Mohammed Naser <[email protected]>
vexxhost · Apr 21, 2024 · 36e65de · 36e65de
1 parent 8624823
commit 36e65de
Show file tree

Hide file tree

Showing 6 changed files with 57 additions and 20 deletions.
diff --git a/.charts.yml b/.charts.yml
@@ -13,6 +13,10 @@ charts:
     version: 0.3.10
     repository: *openstack_helm_repository
     dependencies: *openstack_helm_dependencies
+    patches:
+      gerrit:
+        review.opendev.org:
+          - 916034
   - name: ceph-csi-rbd
     version: 3.5.1
     repository:

diff --git a/charts/barbican/templates/bin/_barbican.sh.tpl b/charts/barbican/templates/bin/_barbican.sh.tpl
@@ -18,7 +18,7 @@ set -ex
 COMMAND="${@:-start}"
 
 function start () {
-  exec uwsgi --die-on-term --master --emperor /etc/barbican/vassals
+  exec uwsgi --ini /etc/barbican/barbican-api-uwsgi.ini
 }
 
 function stop () {

diff --git a/charts/barbican/templates/configmap-etc.yaml b/charts/barbican/templates/configmap-etc.yaml
@@ -67,12 +67,10 @@ limitations under the License.
 {{- $_ := tuple "key_manager" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix $barbicanPath | set .Values.conf.barbican.DEFAULT "host_href" -}}
 {{- end -}}
 
-{{- if empty .Values.conf.barbican.barbican_api.bind_port -}}
-{{- $_ := tuple "key_manager" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.barbican.barbican_api "bind_port" -}}
-{{- end -}}
-
-{{- if empty .Values.conf.barbican_api.uwsgi.socket -}}
-{{- $_ := printf ":%s" ( tuple "key_manager" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" ) | set .Values.conf.barbican_api.uwsgi "socket" -}}
+{{- if empty (index .Values.conf.barbican_api_uwsgi.uwsgi "http-socket") -}}
+{{- $http_socket_port := tuple "key_manager" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | toString }}
+{{- $http_socket := printf "0.0.0.0:%s" $http_socket_port }}
+{{- $_ := set .Values.conf.barbican_api_uwsgi.uwsgi "http-socket" $http_socket -}}
 {{- end -}}
 
 {{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
@@ -99,6 +97,6 @@ data:
   barbican-api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
   api_audit_map.conf: {{ include "helm-toolkit.utils.to_ini" .Values.conf.audit_map | b64enc }}
   policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
-  barbican-api.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.barbican_api | b64enc }}
+  barbican-api-uwsgi.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.barbican_api_uwsgi | b64enc }}
   old_kek: {{ index .Values.conf.simple_crypto_kek_rewrap "old_kek" | default "" | b64enc | quote }}
 {{- end }}
diff --git a/charts/barbican/templates/deployment-api.yaml b/charts/barbican/templates/deployment-api.yaml
@@ -90,8 +90,8 @@ spec:
             - name: etcbarbican
               mountPath: /etc/barbican
             - name: barbican-etc
-              mountPath: /etc/barbican/vassals/barbican-api.ini
-              subPath: barbican-api.ini
+              mountPath: /etc/barbican/barbican-api-uwsgi.ini
+              subPath: barbican-api-uwsgi.ini
               readOnly: true
             - name: barbican-etc
               mountPath: /etc/barbican/barbican.conf

diff --git a/charts/barbican/values.yaml b/charts/barbican/values.yaml
@@ -356,18 +356,28 @@ conf:
     service_endpoints:
       # map endpoint type defined in service catalog to CADF typeURI
       key-manager: service/security/keymanager
-  barbican_api:
+  barbican_api_uwsgi:
     uwsgi:
-      socket: null
-      protocol: http
-      processes: 1
-      lazy: true
-      vacuum: true
-      no-default-app: true
-      memory-report: true
-      plugins: python
-      paste: "config:/etc/barbican/barbican-api-paste.ini"
       add-header: "Connection: close"
+      buffer-size: 65535
+      chunked-input-limit: "4096000"
+      die-on-term: true
+      enable-threads: true
+      exit-on-reload: false
+      hook-master-start: unix_signal:15 gracefully_kill_them_all
+      http-auto-chunked: true
+      http-raw-body: true
+      lazy-apps: true
+      log-x-forwarded-for: true
+      master: true
+      need-app: true
+      procname-prefix-spaced: "barbiacan-api:"
+      route-user-agent: '^kube-probe.* donotlog:'
+      socket-timeout: 10
+      thunder-lock: true
+      worker-reload-mercy: 80
+      wsgi-file: /var/lib/openstack/bin/barbican-wsgi-api
+      processes: 1
   barbican:
     DEFAULT:
       transport_url: null

diff --git a/charts/patches/barbican/0001-tune-uwsgi-config.patch b/charts/patches/barbican/0001-tune-uwsgi-config.patch
@@ -0,0 +1,25 @@
+diff --git a/barbican/values.yaml b/charts/barbican/values.yaml
+index 3991d2ba..86abf1d3 100644
+--- a/barbican/values.yaml
++++ b/barbican/values.yaml
+@@ -360,15 +360,20 @@ conf:
+     uwsgi:
+       add-header: "Connection: close"
+       buffer-size: 65535
++      chunked-input-limit: "4096000"
+       die-on-term: true
+       enable-threads: true
+       exit-on-reload: false
+       hook-master-start: unix_signal:15 gracefully_kill_them_all
++      http-auto-chunked: true
++      http-raw-body: true
+       lazy-apps: true
+       log-x-forwarded-for: true
+       master: true
++      need-app: true
+       procname-prefix-spaced: "barbiacan-api:"
+       route-user-agent: '^kube-probe.* donotlog:'
++      socket-timeout: 10
+       thunder-lock: true
+       worker-reload-mercy: 80
+       wsgi-file: /var/lib/openstack/bin/barbican-wsgi-api