From bb7bd1c58ecde7acf5ff8a8798c2975a985276f3 Mon Sep 17 00:00:00 2001
From: Alexey Odinokov <aodinokov@mirantis.com>
Date: Sun, 12 Apr 2020 07:46:08 +0000
Subject: [PATCH] Substituting redfish-emulator and reverse-proxy with Apache
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The current implementation of airship-libvirt-gate is using
sushy-emulator binary to emulate redfish. Sushy-emulator works
only for http and also can’t authenticate users out-of-box if
ran by itself. In order to check https and authentication the
reverse-proxy was introduced. This approach had several
drawbacks:
1) http still doesn’t check auth
2) to use apache for https only is too heavy solution for https
This change converts reverse proxy to apache running
sushy-emulator as wsgi backend, that gives an ability to check
authentication for both http and https.
We’re also getting rid of ad-hoc sushy-emulator service and
using out-of-box apache service implementation.
The code also introduces gathering of apache resulting configs
and logs for quicker debug if needed.
Right now authentication is disabled, since manifests are
written in a way so they don’t use them. If it’s necessary to
enable it, just set username here[1]
PS
There is ability to use apache for http-server [2], but it’s
better to do as a separate PR
[1]
roles/airship-libvirt-gate/defaults/main.yaml
[2]
roles/http-fileserver
Change-Id: I43b5bca41519c88b01535c156b2db0e9edaa81bb
---
playbooks/airship-collect-logs.yaml | 2 +-
.../tasks/main.yaml | 32 +++-
roles/airship-libvirt-gate/defaults/main.yaml | 23 ++-
.../tasks/build-infra.yaml | 30 ++--
roles/airship-libvirt-gate/tests/main.yaml | 12 +-
roles/airship-libvirt-gate/tests/vars.yaml | 23 ++-
roles/apache-server/defaults/main.yml | 27 ++++
roles/apache-server/handlers/main.yml | 31 ++++
roles/apache-server/tasks/htpasswd.yml | 35 +++++
roles/apache-server/tasks/install.yml | 64 ++++++++
.../tasks/main.yml} | 2 +-
.../tasks/restart.yml} | 14 +-
roles/apache-server/tasks/ssl.yml | 53 +++++++
.../templates}/ssl-params.conf.j2 | 1 -
.../defaults/main.yml | 19 +++
.../tasks/backend.yml | 59 +++++++
.../tasks/frontend.yml | 123 +++++++++++++++
.../tasks/main.yml} | 4 +-
.../templates/sushy-emulator.wsgi.j2 | 2 +
.../templates/wsgi-sushy-emulator-ssl.conf.j2 | 35 +++++
.../templates/wsgi-sushy-emulator.conf.j2 | 29 ++++
.../tests/main.yaml | 13 +-
.../tests/vars.yaml | 0
roles/redfish-emulator/tasks/install.yaml | 48 ------
.../templates/sushy-tools.service.j2 | 15 --
roles/redfish-emulator/tests/local-main.retry | 1 -
roles/reverse-proxy/defaults/main.yaml | 9 --
roles/reverse-proxy/tasks/dependencies.yaml | 23 ---
roles/reverse-proxy/tasks/install.yaml | 103 ------------
roles/reverse-proxy/tasks/main.yaml | 1 -
.../sites-available/000-default.conf.j2 | 3 -
.../sites-available/default-ssl.conf.j2 | 148 ------------------
tests/ansible/role-test-runner.yaml | 2 +-
33 files changed, 572 insertions(+), 414 deletions(-)
rename roles/{airship-gather-sushy-logs => airship-gather-apache-logs}/tasks/main.yaml (53%)
create mode 100644 roles/apache-server/defaults/main.yml
create mode 100644 roles/apache-server/handlers/main.yml
create mode 100644 roles/apache-server/tasks/htpasswd.yml
create mode 100644 roles/apache-server/tasks/install.yml
rename roles/{redfish-emulator/tasks/main.yaml => apache-server/tasks/main.yml} (91%)
rename roles/{redfish-emulator/handlers/main.yaml => apache-server/tasks/restart.yml} (74%)
create mode 100644 roles/apache-server/tasks/ssl.yml
rename roles/{reverse-proxy/templates/etc/apache2/conf-available => apache-server/templates}/ssl-params.conf.j2 (88%)
create mode 100644 roles/apache-wsgi-sushy-emulator/defaults/main.yml
create mode 100644 roles/apache-wsgi-sushy-emulator/tasks/backend.yml
create mode 100644 roles/apache-wsgi-sushy-emulator/tasks/frontend.yml
rename roles/{redfish-emulator/defaults/main.yaml => apache-wsgi-sushy-emulator/tasks/main.yml} (85%)
create mode 100644 roles/apache-wsgi-sushy-emulator/templates/sushy-emulator.wsgi.j2
create mode 100644 roles/apache-wsgi-sushy-emulator/templates/wsgi-sushy-emulator-ssl.conf.j2
create mode 100644 roles/apache-wsgi-sushy-emulator/templates/wsgi-sushy-emulator.conf.j2
rename roles/{redfish-emulator => apache-wsgi-sushy-emulator}/tests/main.yaml (80%)
rename roles/{redfish-emulator => apache-wsgi-sushy-emulator}/tests/vars.yaml (100%)
delete mode 100644 roles/redfish-emulator/tasks/install.yaml
delete mode 100644 roles/redfish-emulator/templates/sushy-tools.service.j2
delete mode 100644 roles/redfish-emulator/tests/local-main.retry
delete mode 100644 roles/reverse-proxy/defaults/main.yaml
delete mode 100644 roles/reverse-proxy/tasks/dependencies.yaml
delete mode 100644 roles/reverse-proxy/tasks/install.yaml
delete mode 100644 roles/reverse-proxy/tasks/main.yaml
delete mode 100644 roles/reverse-proxy/templates/etc/apache2/sites-available/000-default.conf.j2
delete mode 100644 roles/reverse-proxy/templates/etc/apache2/sites-available/default-ssl.conf.j2
diff --git a/playbooks/airship-collect-logs.yaml b/playbooks/airship-collect-logs.yaml
index 07b8f2d12..7c376bf92 100644
--- a/playbooks/airship-collect-logs.yaml
+++ b/playbooks/airship-collect-logs.yaml
@@ -17,7 +17,7 @@
logs_dir: "/tmp/logs"
roles:
- gather-system-logs
- - airship-gather-sushy-logs
+ - airship-gather-apache-logs
- airship-gather-libvirt-logs
- airship-gather-runtime-logs
- airship-airshipctl-gather-configs
diff --git a/roles/airship-gather-sushy-logs/tasks/main.yaml b/roles/airship-gather-apache-logs/tasks/main.yaml
similarity index 53%
rename from roles/airship-gather-sushy-logs/tasks/main.yaml
rename to roles/airship-gather-apache-logs/tasks/main.yaml
index e9d6e4ddf..41d8b76dc 100644
--- a/roles/airship-gather-sushy-logs/tasks/main.yaml
+++ b/roles/airship-gather-apache-logs/tasks/main.yaml
@@ -10,26 +10,42 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-- name: set redfish log dir
+- name: set apache log dir
set_fact:
- redfish_log_dir: "{{ logs_dir }}/redfish"
+ apache_log_dir: "{{ logs_dir }}/apache"
-- name: ensure directory for redfish logs exists
+- name: ensure directory for apache logs exists
file:
state: directory
- path: "{{ redfish_log_dir }}"
+ path: "{{ apache_log_dir }}"
-- name: dump sushy-tool logs to directory
+- name: dump apache logs to directory
shell: |-
- journalctl --unit sushy-tools.service > "{{ redfish_log_dir }}/sushy-tools.log"
+ journalctl --unit apache2.service > "{{ apache_log_dir }}/apache2-service.log"
args:
executable: /bin/bash
ignore_errors: True
become: true
+- name: copy configs
+ command: "cp -r /etc/apache2 {{ apache_log_dir }}/configs"
+ become: true
+
+- name: copy logs
+ command: "cp -r /var/log/apache2 {{ apache_log_dir }}/logs"
+ become: true
+
+- name: Change ownership of the logs dir
+ file:
+ state: directory
+ recurse: true
+ owner: "{{ ansible_user }}"
+ path: "{{ apache_log_dir }}"
+ become: true
+
- name: "Downloads logs to executor"
synchronize:
- src: "{{ redfish_log_dir }}"
+ src: "{{ apache_log_dir }}"
dest: "{{ zuul.executor.log_root }}/{{ inventory_hostname }}"
mode: pull
- ignore_errors: True
\ No newline at end of file
+ ignore_errors: True
diff --git a/roles/airship-libvirt-gate/defaults/main.yaml b/roles/airship-libvirt-gate/defaults/main.yaml
index 22f90e12d..9830914b5 100644
--- a/roles/airship-libvirt-gate/defaults/main.yaml
+++ b/roles/airship-libvirt-gate/defaults/main.yaml
@@ -30,13 +30,22 @@ airship_gate_ipam:
provision_network:
bridge_ip: "10.23.24.1"
-airship_gate_redfish:
- hostname: "redfish-emulator"
- username: "username"
- password: "password"
- secure_port: 443
- port: 8000
- bind_address: "127.0.0.1"
+airship_gate_redfish_noauth:
+ servername: "localhost"
+ ip:
+ - "127.0.0.1"
+ - "::1"
+ http_port: 8000
+
+airship_gate_redfish_auth:
+ servername: "localhost"
+ ip:
+ - "127.0.0.1"
+ - "::1"
+ https_port: 8443
+ user:
+ - username: "username"
+ password: "password"
airship_gate_flavors:
small:
diff --git a/roles/airship-libvirt-gate/tasks/build-infra.yaml b/roles/airship-libvirt-gate/tasks/build-infra.yaml
index da58dacaf..42d0d6e71 100644
--- a/roles/airship-libvirt-gate/tasks/build-infra.yaml
+++ b/roles/airship-libvirt-gate/tasks/build-infra.yaml
@@ -106,23 +106,23 @@
- network: "{{ airship_gate_names.nat_network }}"
- network: "{{ airship_gate_names.provision_network }}"
-- name: install apache2 reverse proxy
+- name: Add noauth sushy-emulator to apache
include_role:
- name: reverse-proxy
+ name: apache-wsgi-sushy-emulator
vars:
- reverse_proxy_action: "install"
- reverse_proxy_hostname: "{{ airship_gate_redfish.hostname }}"
- reverse_proxy_username: "{{ airship_gate_redfish.username }}"
- reverse_proxy_password: "{{ airship_gate_redfish.password }}"
- reverse_proxy_frontend_ip: "{{ airship_gate_redfish.bind_address }}"
- reverse_proxy_frontend_port: "{{ airship_gate_redfish.secure_port }}"
- reverse_proxy_backend_ip: "{{ airship_gate_redfish.bind_address }}"
- reverse_proxy_backend_port: "{{ airship_gate_redfish.port }}"
+ sushy_emulator_frontend_name: airship_gate_redfish_noauth
+ sushy_emulator_frontend_servername: "{{ airship_gate_redfish_noauth.servername }}"
+ sushy_emulator_frontend_ip: "{{ airship_gate_redfish_noauth.ip }}"
+ sushy_emulator_frontend_http_port: "{{ airship_gate_redfish_noauth.http_port }}"
-- name: install and start redfish emulator
+- name: Add auth sushy-emulator to apache
include_role:
- name: redfish-emulator
+ name: apache-wsgi-sushy-emulator
vars:
- redfish_action: "install"
- redfish_emulator_bind_ip: "{{ airship_gate_redfish.bind_address }}"
- redfish_emulator_bind_port: "{{ airship_gate_redfish.port }}"
+ sushy_emulator_frontend_name: airship_gate_redfish_auth
+ sushy_emulator_frontend_servername: "{{ airship_gate_redfish_auth.servername }}"
+ sushy_emulator_frontend_ip: "{{ airship_gate_redfish_auth.ip }}"
+ sushy_emulator_frontend_https_port: "{{ airship_gate_redfish_auth.https_port }}"
+ sushy_emulator_frontend_user: "{{ airship_gate_redfish_auth.user }}"
+
+
diff --git a/roles/airship-libvirt-gate/tests/main.yaml b/roles/airship-libvirt-gate/tests/main.yaml
index 28fea6b99..9cfb55d59 100644
--- a/roles/airship-libvirt-gate/tests/main.yaml
+++ b/roles/airship-libvirt-gate/tests/main.yaml
@@ -23,9 +23,9 @@
- name: query redfish to make sure it has running domains using HTTPS
uri:
- url: "https://{{ airship_gate_redfish.bind_address }}:{{ airship_gate_redfish.secure_port }}/redfish/v1/Systems?format=json"
- url_username: "{{ airship_gate_redfish.username }}"
- url_password: "{{ airship_gate_redfish.password }}"
+ url: "https://{{ airship_gate_redfish_auth.servername }}:{{ airship_gate_redfish_auth.https_port }}/redfish/v1/Systems?format=json"
+ url_username: "{{ airship_gate_redfish_auth.user[0].username }}"
+ url_password: "{{ airship_gate_redfish_auth.user[0].password}}"
validate_certs: false
method: GET
return_content: yes
@@ -37,9 +37,9 @@
- name: save ids to list
uri:
- url: "https://{{ airship_gate_redfish.bind_address }}:{{ airship_gate_redfish.secure_port }}{{ item.value }}?format=json"
- url_username: "{{ airship_gate_redfish.username }}"
- url_password: "{{ airship_gate_redfish.password }}"
+ url: "https://{{ airship_gate_redfish_auth.servername }}:{{ airship_gate_redfish_auth.https_port }}{{ item.value }}?format=json"
+ url_username: "{{ airship_gate_redfish_auth.user[0].username }}"
+ url_password: "{{ airship_gate_redfish_auth.user[0].password }}"
validate_certs: false
method: GET
return_content: yes
diff --git a/roles/airship-libvirt-gate/tests/vars.yaml b/roles/airship-libvirt-gate/tests/vars.yaml
index a5c1041fd..0c49f2c9d 100644
--- a/roles/airship-libvirt-gate/tests/vars.yaml
+++ b/roles/airship-libvirt-gate/tests/vars.yaml
@@ -10,13 +10,22 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-airship_gate_redfish:
- hostname: "redfish-emulator"
- username: "username"
- password: "password"
- secure_port: 443
- port: 8000
- bind_address: "127.0.0.1"
+airship_gate_redfish_noauth:
+ servername: "localhost"
+ ip:
+ - "127.0.0.1"
+ - "::1"
+ http_port: 8000
+
+airship_gate_redfish_auth:
+ servername: "localhost"
+ ip:
+ - "127.0.0.1"
+ - "::1"
+ https_port: 8443
+ user:
+ - username: "username"
+ password: "password"
airship_gate_names:
provision_network: air_prov
diff --git a/roles/apache-server/defaults/main.yml b/roles/apache-server/defaults/main.yml
new file mode 100644
index 000000000..c4a047162
--- /dev/null
+++ b/roles/apache-server/defaults/main.yml
@@ -0,0 +1,27 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# install, htpasswd, ssl
+apache_server_action: install
+
+apache_server_htpasswd_path: /etc/apache2/sites-available/.htpasswd
+apache_server_htpasswd_user:
+ - username: username
+ password: password
+
+apache_server_ssl_cn: localhost
+apache_server_ssl_alt_name:
+ - "IP:127.0.0.1"
+ - "IP:::1"
+apache_server_ssl_key_path: /etc/ssl/private/.key
+apache_server_ssl_cert_path: /etc/ssl/private/.pem
+
diff --git a/roles/apache-server/handlers/main.yml b/roles/apache-server/handlers/main.yml
new file mode 100644
index 000000000..f8f661094
--- /dev/null
+++ b/roles/apache-server/handlers/main.yml
@@ -0,0 +1,31 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+# handlers file for ansible-apache2
+- name: restart apache2
+ service:
+ name: "apache2"
+ state: "restarted"
+ become: true
+
+- name: reload apache2
+ service:
+ name: "apache2"
+ state: "reloaded"
+ become: true
+
+- name: "restart httpd"
+ service:
+ name: "httpd"
+ state: "restarted"
+ become: true
diff --git a/roles/apache-server/tasks/htpasswd.yml b/roles/apache-server/tasks/htpasswd.yml
new file mode 100644
index 000000000..47d5f16e3
--- /dev/null
+++ b/roles/apache-server/tasks/htpasswd.yml
@@ -0,0 +1,35 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+- name: Confguring htpasswd
+ become: true
+ block:
+ - name: Ensure needed packages
+ apt:
+ name:
+ - python3-passlib
+ state: present
+
+ - name: Remove older htpasswd file
+ file:
+ path: "{{ apache_server_htpasswd_path }}"
+ state: absent
+
+ - name: Adding users
+ when: apache_server_htpasswd_user is defined
+ htpasswd:
+ path: "{{ apache_server_htpasswd_path }}"
+ name: "{{ item.username }}"
+ password: "{{ item.password }}"
+ with_items: "{{ apache_server_htpasswd_user }}"
+
diff --git a/roles/apache-server/tasks/install.yml b/roles/apache-server/tasks/install.yml
new file mode 100644
index 000000000..d0804622c
--- /dev/null
+++ b/roles/apache-server/tasks/install.yml
@@ -0,0 +1,64 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: redhat | ensuring apache packages are present
+ become: true
+ when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
+ yum:
+ name:
+ - httpd
+ update_cache: yes
+ state: present
+
+- name: ubuntu | ensuring apache packages are present
+ become: true
+ when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+ apt:
+ name:
+ - apache2
+ update_cache: yes
+ state: present
+
+- name: Disable default virtual host
+ become: true
+ command: a2dissite 000-default
+
+- name: Enable ssl module
+ become: true
+ command: a2enmod headers ssl
+
+- name: Add ssl configuration
+ become: true
+ template:
+ src: ssl-params.conf.j2
+ dest: /etc/apache2/conf-available/ssl-params.conf
+
+- name: Enable ssl configuration
+ become: true
+ command: a2enconf ssl-params
+
+- name: redhat | enabling apache on boot and starting
+ become: true
+ when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
+ service:
+ name: httpd
+ state: started
+ enabled: true
+
+- name: Reload apache2 service
+ become: true
+ when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+ service:
+ name: apache2
+ state: reloaded
+
diff --git a/roles/redfish-emulator/tasks/main.yaml b/roles/apache-server/tasks/main.yml
similarity index 91%
rename from roles/redfish-emulator/tasks/main.yaml
rename to roles/apache-server/tasks/main.yml
index a162cbc37..7887da259 100644
--- a/roles/redfish-emulator/tasks/main.yaml
+++ b/roles/apache-server/tasks/main.yml
@@ -10,4 +10,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-- include_tasks: "{{ redfish_action }}.yaml"
+- include_tasks: "{{ apache_server_action }}.yml"
diff --git a/roles/redfish-emulator/handlers/main.yaml b/roles/apache-server/tasks/restart.yml
similarity index 74%
rename from roles/redfish-emulator/handlers/main.yaml
rename to roles/apache-server/tasks/restart.yml
index 13e044e43..afc515ca5 100644
--- a/roles/redfish-emulator/handlers/main.yaml
+++ b/roles/apache-server/tasks/restart.yml
@@ -10,14 +10,8 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-- name: reload systemd configuration
- become: yes
- systemd:
- daemon_reload: yes
-
-- name: restart sushy-emulator
- become: yes
+- name: Reload apache2 service
+ become: true
service:
- name: sushy-tools
- state: restarted
- enabled: true
\ No newline at end of file
+ name: apache2
+ state: reloaded
diff --git a/roles/apache-server/tasks/ssl.yml b/roles/apache-server/tasks/ssl.yml
new file mode 100644
index 000000000..7ab988d28
--- /dev/null
+++ b/roles/apache-server/tasks/ssl.yml
@@ -0,0 +1,53 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Generating ssl key & certificate
+ become: true
+ block:
+ - name: Ensure needed packages
+ apt:
+ name:
+ - python3-passlib
+ - python3-openssl
+ state: present
+
+ - name: Generate private key
+ openssl_privatekey:
+ path: "{{ apache_server_ssl_key_path }}"
+
+ - name: Create temporary CSR file
+ tempfile:
+ state: file
+ suffix: csr
+ register: csr_tempfile
+
+ - name: Generate CSR
+ openssl_csr:
+ path: "{{ csr_tempfile.path }}"
+ privatekey_path: "{{ apache_server_ssl_key_path }}"
+ common_name: "{{ apache_server_ssl_cn }}"
+ subject_alt_name: "{{ apache_server_ssl_alt_name }}"
+
+ - name: Generate the self signed certificate for sushy-emulator
+ openssl_certificate:
+ path: "{{ apache_server_ssl_cert_path }}"
+ privatekey_path: "{{ apache_server_ssl_key_path }}"
+ csr_path: "{{ csr_tempfile.path }}"
+ provider: selfsigned
+
+ always:
+ - name: Cleanup CSR file
+ file:
+ path: "{{ csr_tempfile.path }}"
+ state: absent
+ when: csr_tempfile.path is defined
+
diff --git a/roles/reverse-proxy/templates/etc/apache2/conf-available/ssl-params.conf.j2 b/roles/apache-server/templates/ssl-params.conf.j2
similarity index 88%
rename from roles/reverse-proxy/templates/etc/apache2/conf-available/ssl-params.conf.j2
rename to roles/apache-server/templates/ssl-params.conf.j2
index 91867779f..4fcb1d338 100644
--- a/roles/reverse-proxy/templates/etc/apache2/conf-available/ssl-params.conf.j2
+++ b/roles/apache-server/templates/ssl-params.conf.j2
@@ -14,4 +14,3 @@ SSLSessionTickets Off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
-#SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/{{ reverse_proxy_hostname }}-dhparam.pem"
diff --git a/roles/apache-wsgi-sushy-emulator/defaults/main.yml b/roles/apache-wsgi-sushy-emulator/defaults/main.yml
new file mode 100644
index 000000000..200322a48
--- /dev/null
+++ b/roles/apache-wsgi-sushy-emulator/defaults/main.yml
@@ -0,0 +1,19 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+sushy_emulator_action: frontend
+sushy_emulator_frontend_name: wsgi-sushy-emulator
+sushy_emulator_frontend_ip:
+ - "127.0.0.1"
+ - "::1"
+sushy_emulator_frontend_servername: "localhost"
+sushy_emulator_frontend_check: true
diff --git a/roles/apache-wsgi-sushy-emulator/tasks/backend.yml b/roles/apache-wsgi-sushy-emulator/tasks/backend.yml
new file mode 100644
index 000000000..cac35c00e
--- /dev/null
+++ b/roles/apache-wsgi-sushy-emulator/tasks/backend.yml
@@ -0,0 +1,59 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: ensure OS
+ when: ansible_distribution != 'Debian' and ansible_distribution != 'Ubuntu'
+ fail:
+ msg: "Only Debian|Ubuntu are currently supported"
+
+- name: Preparing wsgi module for sushy-emulator
+ become: true
+ block:
+
+ - name: Ensure Apache
+ include_role:
+ name: apache-server
+
+ - name: Install needed packages
+ apt:
+ name:
+ - python3-pip
+ - libapache2-mod-wsgi-py3
+ state: present
+
+ - name: Install sushy-tools
+ pip:
+ name: sushy-tools
+ executable: pip3
+
+ - name: Create a used wsgi will run with
+ user:
+ name: wsgiapp-sushy
+ groups: libvirt
+ state: present
+ system: yes
+
+ - name: Create sushy-emulator wsgi dir
+ file:
+ path: /var/www/sushy-emulator/
+ state: directory
+ owner: wsgiapp-sushy
+ group: wsgiapp-sushy
+ mode: u+rwx,g-w,o-w
+
+ - name: Created sushy-emulator wsgi file
+ template:
+ src: sushy-emulator.wsgi.j2
+ dest: /var/www/sushy-emulator/sushy-emulator.wsgi
+ owner: wsgiapp-sushy
+ group: wsgiapp-sushy
+
diff --git a/roles/apache-wsgi-sushy-emulator/tasks/frontend.yml b/roles/apache-wsgi-sushy-emulator/tasks/frontend.yml
new file mode 100644
index 000000000..2946b94a8
--- /dev/null
+++ b/roles/apache-wsgi-sushy-emulator/tasks/frontend.yml
@@ -0,0 +1,123 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+- name: ensure OS
+ when: ansible_distribution != 'Debian' and ansible_distribution != 'Ubuntu'
+ fail:
+ msg: "Only Debian|Ubuntu are currently supported"
+
+- name: Confguring sushy-emulator frontend
+ become: true
+ block:
+ - name: Ensure sushy-emulator backend
+ include_role:
+ name: apache-wsgi-sushy-emulator
+ vars:
+ sushy_emulator_action: backend
+
+ - name: Create htpasswd file
+ when: sushy_emulator_frontend_user is defined
+ include_role:
+ name: apache-server
+ vars:
+ apache_server_action: htpasswd
+ apache_server_htpasswd_path: "/etc/apache2/sites-available/{{ sushy_emulator_frontend_name }}.htpasswd"
+ apache_server_htpasswd_user: "{{ sushy_emulator_frontend_user }}"
+
+ - name: Create sushy-emulator HTTP virtual host config
+ when: sushy_emulator_frontend_http_port is defined
+ block:
+ - name: Create sushy-emulator virtual host config for HTTP
+ template:
+ src: wsgi-sushy-emulator.conf.j2
+ dest: "/etc/apache2/sites-available/{{ sushy_emulator_frontend_name }}.conf"
+
+ - name: Enable sushy-emulator virtual host
+ command: "a2ensite {{ sushy_emulator_frontend_name }}"
+
+ - name: Create sushy-emulator HTTPS virtual host config
+ when: sushy_emulator_frontend_https_port is defined
+ block:
+ - name: Generate certs for casewith alt_names
+ when: sushy_emulator_frontend_ip is defined
+ include_role:
+ name: apache-server
+ vars:
+ apache_server_action: ssl
+ apache_server_ssl_key_path: "/etc/ssl/private/{{ sushy_emulator_frontend_name }}.key"
+ apache_server_ssl_cert_path: "/etc/ssl/certs/{{ sushy_emulator_frontend_name }}.pem"
+ apache_server_ssl_cn: "{{ sushy_emulator_frontend_servername }}"
+ apache_server_ssl_alt_name: "{{ sushy_emulator_frontend_ip | map('regex_replace', '(.*)', 'IP:\\1') | list }}"
+
+ - name: Generate certs for case without alt_names
+ when: sushy_emulator_frontend_ip is undefined
+ include_role:
+ name: apache-server
+ vars:
+ apache_server_action: ssl
+ apache_server_ssl_key_path: "/etc/ssl/private/{{ sushy_emulator_frontend_name }}.key"
+ apache_server_ssl_cert_path: "/etc/ssl/certs/{{ sushy_emulator_frontend_name }}.pem"
+ apache_server_ssl_cn: "{{ sushy_emulator_frontend_servername }}"
+
+ - name: Create sushy-emulator virtual host config for HTTPS
+ template:
+ src: wsgi-sushy-emulator-ssl.conf.j2
+ dest: "/etc/apache2/sites-available/{{ sushy_emulator_frontend_name }}-ssl.conf"
+
+ - name: Enable sushy-emulator virtual host
+ command: "a2ensite {{ sushy_emulator_frontend_name }}-ssl"
+
+ - name: Restart Apache to apply all changes
+ include_role:
+ name: apache-server
+ vars:
+ apache_server_action: restart
+
+- name: Sanity check for HTTP
+ when: sushy_emulator_frontend_check and sushy_emulator_frontend_http_port is defined
+ block:
+ - name: Check without auth
+ when: sushy_emulator_frontend_user is undefined
+ uri:
+ url: http://{{ sushy_emulator_frontend_servername }}:{{sushy_emulator_frontend_http_port }}/redfish/v1/Systems?format=json
+ method: GET
+ return_content: yes
+ - name: Check with auth
+ when: sushy_emulator_frontend_user is defined
+ uri:
+ url: http://{{ sushy_emulator_frontend_servername }}:{{sushy_emulator_frontend_http_port }}/redfish/v1/Systems?format=json
+ url_username: "{{ sushy_emulator_frontend_user[0].username }}"
+ url_password: "{{ sushy_emulator_frontend_user[0].password }}"
+ method: GET
+ return_content: yes
+
+- name: Sanity check for HTTPS
+ when: sushy_emulator_frontend_check and sushy_emulator_frontend_https_port is defined
+ block:
+ - name: Check without auth
+ when: sushy_emulator_frontend_user is undefined
+ uri:
+ url: https://{{ sushy_emulator_frontend_servername }}:{{sushy_emulator_frontend_https_port }}/redfish/v1/Systems?format=json
+ method: GET
+ validate_certs: false
+ return_content: yes
+ - name: Check with auth
+ when: sushy_emulator_frontend_user is defined
+ uri:
+ url: https://{{ sushy_emulator_frontend_servername }}:{{sushy_emulator_frontend_https_port }}/redfish/v1/Systems?format=json
+ url_username: "{{ sushy_emulator_frontend_user[0].username }}"
+ url_password: "{{ sushy_emulator_frontend_user[0].password }}"
+ validate_certs: false
+ method: GET
+ return_content: yes
+
diff --git a/roles/redfish-emulator/defaults/main.yaml b/roles/apache-wsgi-sushy-emulator/tasks/main.yml
similarity index 85%
rename from roles/redfish-emulator/defaults/main.yaml
rename to roles/apache-wsgi-sushy-emulator/tasks/main.yml
index c56a21d7b..10c2f2929 100644
--- a/roles/redfish-emulator/defaults/main.yaml
+++ b/roles/apache-wsgi-sushy-emulator/tasks/main.yml
@@ -10,6 +10,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-redfish_action: install
-redfish_emulator_bind_ip: 127.0.0.1
-redfish_emulator_bind_port: 8000
\ No newline at end of file
+- include_tasks: "{{ sushy_emulator_action }}.yml"
diff --git a/roles/apache-wsgi-sushy-emulator/templates/sushy-emulator.wsgi.j2 b/roles/apache-wsgi-sushy-emulator/templates/sushy-emulator.wsgi.j2
new file mode 100644
index 000000000..55820ce50
--- /dev/null
+++ b/roles/apache-wsgi-sushy-emulator/templates/sushy-emulator.wsgi.j2
@@ -0,0 +1,2 @@
+from sushy_tools.emulator.main import app as application
+
diff --git a/roles/apache-wsgi-sushy-emulator/templates/wsgi-sushy-emulator-ssl.conf.j2 b/roles/apache-wsgi-sushy-emulator/templates/wsgi-sushy-emulator-ssl.conf.j2
new file mode 100644
index 000000000..00e234b40
--- /dev/null
+++ b/roles/apache-wsgi-sushy-emulator/templates/wsgi-sushy-emulator-ssl.conf.j2
@@ -0,0 +1,35 @@
+<IfModule mod_ssl.c>
+{% if sushy_emulator_frontend_https_port != 443 %}
+ Listen {{ sushy_emulator_frontend_https_port }}
+{% endif %}
+ <VirtualHost *:{{ sushy_emulator_frontend_https_port }}>
+ # Add machine's IP address (use ifconfig command)
+ ServerName {{ sushy_emulator_frontend_servername }}
+ # Give an alias to to start your website url with
+ WSGIDaemonProcess wsgiapp-{{ sushy_emulator_frontend_name }}-https user=wsgiapp-sushy processes=2 threads=5
+ WSGIScriptAlias / /var/www/sushy-emulator/sushy-emulator.wsgi
+ <Directory /var/www/sushy-emulator/>
+ # set permissions as per apache2.conf file
+ WSGIProcessGroup wsgiapp-{{ sushy_emulator_frontend_name }}-https
+ Options FollowSymLinks
+ AllowOverride None
+ Require all granted
+ </Directory>
+{% if sushy_emulator_frontend_user is defined %}
+ <Location />
+ AuthType Basic
+ AuthName "Authentication Required"
+ AuthUserFile /etc/apache2/sites-available/{{ sushy_emulator_frontend_name }}.htpasswd
+ Require valid-user
+ </Location>
+{% endif %}
+ SSLEngine on
+ SSLCertificateFile /etc/ssl/certs/{{ sushy_emulator_frontend_name }}.pem
+ SSLCertificateKeyFile /etc/ssl/private/{{ sushy_emulator_frontend_name }}.key
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ LogLevel warn
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+ </VirtualHost>
+</IfModule>
+
diff --git a/roles/apache-wsgi-sushy-emulator/templates/wsgi-sushy-emulator.conf.j2 b/roles/apache-wsgi-sushy-emulator/templates/wsgi-sushy-emulator.conf.j2
new file mode 100644
index 000000000..015a0b060
--- /dev/null
+++ b/roles/apache-wsgi-sushy-emulator/templates/wsgi-sushy-emulator.conf.j2
@@ -0,0 +1,29 @@
+{% if sushy_emulator_frontend_http_port != 80 %}
+Listen {{ sushy_emulator_frontend_http_port }}
+{% endif %}
+<VirtualHost *:{{ sushy_emulator_frontend_http_port }}>
+ # Add machine's IP address (use ifconfig command)
+ ServerName {{ sushy_emulator_frontend_servername }}
+ # Give an alias to to start your website url with
+ WSGIDaemonProcess wsgiapp-{{ sushy_emulator_frontend_name }} user=wsgiapp-sushy processes=2 threads=5
+ WSGIScriptAlias / /var/www/sushy-emulator/sushy-emulator.wsgi
+ <Directory /var/www/sushy-emulator/>
+ # set permissions as per apache2.conf file
+ WSGIProcessGroup wsgiapp-{{ sushy_emulator_frontend_name }}
+ Options FollowSymLinks
+ AllowOverride None
+ Require all granted
+ </Directory>
+{% if sushy_emulator_frontend_user is defined %}
+ <Location />
+ AuthType Basic
+ AuthName "Authentication Required"
+ AuthUserFile /etc/apache2/sites-available/{{ sushy_emulator_frontend_name }}.htpasswd
+ Require valid-user
+ </Location>
+{% endif %}
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ LogLevel warn
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+</VirtualHost>
+
diff --git a/roles/redfish-emulator/tests/main.yaml b/roles/apache-wsgi-sushy-emulator/tests/main.yaml
similarity index 80%
rename from roles/redfish-emulator/tests/main.yaml
rename to roles/apache-wsgi-sushy-emulator/tests/main.yaml
index 405eb559e..9dff9a735 100644
--- a/roles/redfish-emulator/tests/main.yaml
+++ b/roles/apache-wsgi-sushy-emulator/tests/main.yaml
@@ -31,12 +31,19 @@
- name: create libvirt domains
include_role:
name: libvirt-domain
-- name: install sushy-tools
+- name: install apache-wsgi-sushy-emulator
include_role:
- name: redfish-emulator
+ name: apache-wsgi-sushy-emulator
+ vars:
+ sushy_emulator_frontend_http_port: 80
+ sushy_emulator_frontend_user:
+ - username: "user"
+ password: "password"
- name: query redfish to make sure it has runnig domains
uri:
- url: http://localhost:8000/redfish/v1/Systems?format=json
+ url: http://localhost:80/redfish/v1/Systems?format=json
+ url_username: "user"
+ url_password: "password"
method: GET
return_content: yes
register: sushy_response
diff --git a/roles/redfish-emulator/tests/vars.yaml b/roles/apache-wsgi-sushy-emulator/tests/vars.yaml
similarity index 100%
rename from roles/redfish-emulator/tests/vars.yaml
rename to roles/apache-wsgi-sushy-emulator/tests/vars.yaml
diff --git a/roles/redfish-emulator/tasks/install.yaml b/roles/redfish-emulator/tasks/install.yaml
deleted file mode 100644
index 95dd0ad89..000000000
--- a/roles/redfish-emulator/tasks/install.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- block:
- - name: Ensuring python3-pip and support packages are present
- when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
- fail:
- msg: "CentoOS or RHEL is not currently supported"
-
- - name: Ensuring python3-pip and support packages are present
- become: true
- when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
- apt:
- name:
- - python3-pip
- - python3-libvirt
- state: present
-
- - name: Install sushy-tools
- pip:
- name: sushy-tools
- executable: pip3
- become: true
-
-- name: install systemd sushy service unit
- become: true
- template:
- src: sushy-tools.service.j2
- dest: /etc/systemd/system/sushy-tools.service
- notify:
- - reload systemd configuration
- - restart sushy-emulator
-
-- name: start sushy-emulator service
- become: true
- service:
- name: sushy-tools
- state: started
- enabled: true
diff --git a/roles/redfish-emulator/templates/sushy-tools.service.j2 b/roles/redfish-emulator/templates/sushy-tools.service.j2
deleted file mode 100644
index db132020a..000000000
--- a/roles/redfish-emulator/templates/sushy-tools.service.j2
+++ /dev/null
@@ -1,15 +0,0 @@
-# This file is part of sushy-emulator (redfish).
-#
-
-[Unit]
-Description=Sushy Libvirt emulator
-After=syslog.target
-
-[Service]
-Type=simple
-ExecStart=/usr/local/bin/sushy-emulator -i {{ redfish_emulator_bind_ip }} -p {{ redfish_emulator_bind_port }} --libvirt-uri "qemu:///system"
-StandardOutput=syslog
-StandardError=syslog
-
-[Install]
-WantedBy=multi-user.target
\ No newline at end of file
diff --git a/roles/redfish-emulator/tests/local-main.retry b/roles/redfish-emulator/tests/local-main.retry
deleted file mode 100644
index e06aca39a..000000000
--- a/roles/redfish-emulator/tests/local-main.retry
+++ /dev/null
@@ -1 +0,0 @@
-primary
diff --git a/roles/reverse-proxy/defaults/main.yaml b/roles/reverse-proxy/defaults/main.yaml
deleted file mode 100644
index 37318bbf2..000000000
--- a/roles/reverse-proxy/defaults/main.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-reverse_proxy_action: install
-
-reverse_proxy_hostname: "redfish-emulator"
-reverse_proxy_username: "username"
-reverse_proxy_password: "password"
-reverse_proxy_frontend_ip: "127.0.0.1"
-reverse_proxy_frontend_port: 443
-reverse_proxy_backend_ip: "127.0.0.1"
-reverse_proxy_backend_port: 8000
diff --git a/roles/reverse-proxy/tasks/dependencies.yaml b/roles/reverse-proxy/tasks/dependencies.yaml
deleted file mode 100644
index a0ebb508c..000000000
--- a/roles/reverse-proxy/tasks/dependencies.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-- block:
- - name: Ensuring python3-pip and support packages are present
- when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
- fail:
- msg: "CentoOS or RHEL is not currently supported"
-
- - name: Ensuring python3-pip and support packages are present
- become: true
- when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
- apt:
- name:
- - python3-pip
- - python3-libvirt
- state: present
-
- - name: Install required pip packages
- pip:
- name: "{{ item }}"
- executable: pip3
- with_items:
- - pyOpenSSL
- - passlib
- become: true
diff --git a/roles/reverse-proxy/tasks/install.yaml b/roles/reverse-proxy/tasks/install.yaml
deleted file mode 100644
index ba2a3a5bb..000000000
--- a/roles/reverse-proxy/tasks/install.yaml
+++ /dev/null
@@ -1,103 +0,0 @@
-- name: Install dependencies
- include_tasks: dependencies.yaml
-
-- name: Install apache2 package
- apt:
- name: apache2
- state: present
- become: true
-
-- name: Disable default virtualhost
- file:
- path: /etc/apache2/sites-enabled/000-default.conf
- state: absent
- become: true
-
-- name: Enable proxy related modules
- apache2_module:
- name: "{{ item }}"
- state: present
- with_items:
- - headers
- - proxy
- - proxy_http
- - rewrite
- - ssl
- become: true
-
-- name: Generate private key for "{{ reverse_proxy_hostname }}"
- openssl_privatekey:
- path: /etc/ssl/private/{{ reverse_proxy_hostname }}-privkey.pem
- become: true
-
-- name: Generate CSR for "{{ reverse_proxy_hostname }}"
- openssl_csr:
- path: /tmp/{{ reverse_proxy_hostname }}.csr
- privatekey_path: /etc/ssl/private/{{ reverse_proxy_hostname }}-privkey.pem
- common_name: "{{ reverse_proxy_hostname }}"
- subject_alt_name: "IP:{{ reverse_proxy_frontend_ip }}"
- become: true
-
-- name: Generate the self signed certificate for "{{ reverse_proxy_hostname }}"
- openssl_certificate:
- path: /etc/ssl/certs/{{ reverse_proxy_hostname }}-cert.pem
- privatekey_path: /etc/ssl/private/{{ reverse_proxy_hostname }}-privkey.pem
- csr_path: /tmp/{{ reverse_proxy_hostname }}.csr
- provider: selfsigned
- become: true
-
-# TODO: Using dhparam can be good to have for HTTPS virtual host
-# But it takes too much time to generate for each run.
-# It can be enabled if necessary at a later point.
-#- name: Generate Diffie-Hellman parameters with the default size (4096 bits)
-# openssl_dhparam:
-# path: /etc/ssl/certs/{{ reverse_proxy_hostname }}-dhparams.pem
-
-- name: Remove older htpasswd file
- file:
- path: /etc/apache2/{{ reverse_proxy_hostname }}-passwd
- state: absent
- become: true
-
-- name: Create username and password for basic authentication
- htpasswd:
- path: /etc/apache2/{{ reverse_proxy_hostname }}-passwd
- name: "{{ reverse_proxy_username }}"
- password: "{{ reverse_proxy_password }}"
- become: true
-
-- name: Add default virtual host
- template:
- src: etc/apache2/sites-available/000-default.conf.j2
- dest: /etc/apache2/sites-available/000-default.conf
- become: true
-
-- name: Add ssl virtual host
- template:
- src: etc/apache2/sites-available/default-ssl.conf.j2
- dest: /etc/apache2/sites-available/default-ssl.conf
- become: true
-
-- name: Add ssl configuration
- template:
- src: etc/apache2/conf-available/ssl-params.conf.j2
- dest: /etc/apache2/conf-available/ssl-params.conf
- become: true
-
-- name: Enable default virtual host
- command: a2ensite 000-default
- become: true
-
-- name: Enable ssl virtual host
- command: a2ensite default-ssl
- become: true
-
-- name: Enable ssl configuration
- command: a2enconf ssl-params
- become: true
-
-- name: Reload apache2 service
- service:
- name: apache2
- state: reloaded
- become: true
diff --git a/roles/reverse-proxy/tasks/main.yaml b/roles/reverse-proxy/tasks/main.yaml
deleted file mode 100644
index 2f4233beb..000000000
--- a/roles/reverse-proxy/tasks/main.yaml
+++ /dev/null
@@ -1 +0,0 @@
-- include_tasks: "{{ reverse_proxy_action }}.yaml"
diff --git a/roles/reverse-proxy/templates/etc/apache2/sites-available/000-default.conf.j2 b/roles/reverse-proxy/templates/etc/apache2/sites-available/000-default.conf.j2
deleted file mode 100644
index c6840c506..000000000
--- a/roles/reverse-proxy/templates/etc/apache2/sites-available/000-default.conf.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-<VirtualHost *:80>
- Redirect permanent "/" "https://{{ reverse_proxy_frontend_ip }}:{{ reverse_proxy_frontend_port }}/"
-</VirtualHost>
diff --git a/roles/reverse-proxy/templates/etc/apache2/sites-available/default-ssl.conf.j2 b/roles/reverse-proxy/templates/etc/apache2/sites-available/default-ssl.conf.j2
deleted file mode 100644
index dbffe7658..000000000
--- a/roles/reverse-proxy/templates/etc/apache2/sites-available/default-ssl.conf.j2
+++ /dev/null
@@ -1,148 +0,0 @@
-<IfModule mod_ssl.c>
- <VirtualHost {{ reverse_proxy_frontend_ip }}:{{ reverse_proxy_frontend_port }}>
- ServerAdmin webmaster@localhost
- ServerName {{ reverse_proxy_hostname }}
-
- DocumentRoot /var/www/html
-
- # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
- # error, crit, alert, emerg.
- # It is also possible to configure the loglevel for particular
- # modules, e.g.
- #LogLevel info ssl:warn
-
- ErrorLog ${APACHE_LOG_DIR}/error.log
- CustomLog ${APACHE_LOG_DIR}/access.log combined
-
- # For most configuration files from conf-available/, which are
- # enabled or disabled at a global level, it is possible to
- # include a line for only one particular virtual host. For example the
- # following line enables the CGI configuration for this host only
- # after it has been globally disabled with "a2disconf".
- #Include conf-available/serve-cgi-bin.conf
-
- # SSL Engine Switch:
- # Enable/Disable SSL for this virtual host.
- SSLEngine on
-
- # A self-signed (snakeoil) certificate can be created by installing
- # the ssl-cert package. See
- # /usr/share/doc/apache2/README.Debian.gz for more info.
- # If both key and certificate are stored in the same file, only the
- # SSLCertificateFile directive is needed.
- SSLCertificateFile /etc/ssl/certs/{{ reverse_proxy_hostname }}-cert.pem
- SSLCertificateKeyFile /etc/ssl/private/{{ reverse_proxy_hostname }}-privkey.pem
-
- # Server Certificate Chain:
- # Point SSLCertificateChainFile at a file containing the
- # concatenation of PEM encoded CA certificates which form the
- # certificate chain for the server certificate. Alternatively
- # the referenced file can be the same as SSLCertificateFile
- # when the CA certificates are directly appended to the server
- # certificate for convinience.
- #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
-
- # Certificate Authority (CA):
- # Set the CA certificate verification path where to find CA
- # certificates for client authentication or alternatively one
- # huge file containing all of them (file must be PEM encoded)
- # Note: Inside SSLCACertificatePath you need hash symlinks
- # to point to the certificate files. Use the provided
- # Makefile to update the hash symlinks after changes.
- #SSLCACertificatePath /etc/ssl/certs/
- #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
-
- # Certificate Revocation Lists (CRL):
- # Set the CA revocation path where to find CA CRLs for client
- # authentication or alternatively one huge file containing all
- # of them (file must be PEM encoded)
- # Note: Inside SSLCARevocationPath you need hash symlinks
- # to point to the certificate files. Use the provided
- # Makefile to update the hash symlinks after changes.
- #SSLCARevocationPath /etc/apache2/ssl.crl/
- #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
-
- # Client Authentication (Type):
- # Client certificate verification type and depth. Types are
- # none, optional, require and optional_no_ca. Depth is a
- # number which specifies how deeply to verify the certificate
- # issuer chain before deciding the certificate is not valid.
- #SSLVerifyClient require
- #SSLVerifyDepth 10
-
- # SSL Engine Options:
- # Set various options for the SSL engine.
- # o FakeBasicAuth:
- # Translate the client X.509 into a Basic Authorisation. This means that
- # the standard Auth/DBMAuth methods can be used for access control. The
- # user name is the `one line' version of the client's X.509 certificate.
- # Note that no password is obtained from the user. Every entry in the user
- # file needs this password: `xxj31ZMTZzkVA'.
- # o ExportCertData:
- # This exports two additional environment variables: SSL_CLIENT_CERT and
- # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
- # server (always existing) and the client (only existing when client
- # authentication is used). This can be used to import the certificates
- # into CGI scripts.
- # o StdEnvVars:
- # This exports the standard SSL/TLS related `SSL_*' environment variables.
- # Per default this exportation is switched off for performance reasons,
- # because the extraction step is an expensive operation and is usually
- # useless for serving static content. So one usually enables the
- # exportation for CGI and SSI requests only.
- # o OptRenegotiate:
- # This enables optimized SSL connection renegotiation handling when SSL
- # directives are used in per-directory context.
- #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
- <FilesMatch "\.(cgi|shtml|phtml|php)$">
- SSLOptions +StdEnvVars
- </FilesMatch>
- <Directory /usr/lib/cgi-bin>
- SSLOptions +StdEnvVars
- </Directory>
-
- # SSL Protocol Adjustments:
- # The safe and default but still SSL/TLS standard compliant shutdown
- # approach is that mod_ssl sends the close notify alert but doesn't wait for
- # the close notify alert from client. When you need a different shutdown
- # approach you can use one of the following variables:
- # o ssl-unclean-shutdown:
- # This forces an unclean shutdown when the connection is closed, i.e. no
- # SSL close notify alert is send or allowed to received. This violates
- # the SSL/TLS standard but is needed for some brain-dead browsers. Use
- # this when you receive I/O errors because of the standard approach where
- # mod_ssl sends the close notify alert.
- # o ssl-accurate-shutdown:
- # This forces an accurate shutdown when the connection is closed, i.e. a
- # SSL close notify alert is send and mod_ssl waits for the close notify
- # alert of the client. This is 100% SSL/TLS standard compliant, but in
- # practice often causes hanging connections with brain-dead browsers. Use
- # this only for browsers where you know that their SSL implementation
- # works correctly.
- # Notice: Most problems of broken clients are also related to the HTTP
- # keep-alive facility, so you usually additionally want to disable
- # keep-alive for those clients, too. Use variable "nokeepalive" for this.
- # Similarly, one has to force some clients to use HTTP/1.0 to workaround
- # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
- # "force-response-1.0" for this.
- # BrowserMatch "MSIE [2-6]" \
- # nokeepalive ssl-unclean-shutdown \
- # downgrade-1.0 force-response-1.0
-
- <Proxy *>
- Order deny,allow
- Allow from all
- Authtype Basic
- Authname "Password based authentication"
- AuthUserFile /etc/apache2/{{ reverse_proxy_hostname }}-passwd
- Require valid-user
- </Proxy>
-
- ProxyPreserveHost On
-
- ProxyPass / http://{{ reverse_proxy_backend_ip }}:{{ reverse_proxy_backend_port }}/
- ProxyPassReverse / http://{{ reverse_proxy_backend_ip }}:{{ reverse_proxy_backend_port }}/
- </VirtualHost>
-</IfModule>
-
-# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/tests/ansible/role-test-runner.yaml b/tests/ansible/role-test-runner.yaml
index 622dc978c..17b00f542 100644
--- a/tests/ansible/role-test-runner.yaml
+++ b/tests/ansible/role-test-runner.yaml
@@ -20,7 +20,7 @@
- libvirt-pool
- libvirt-volume
- libvirt-domain
- - redfish-emulator
+ - apache-wsgi-sushy-emulator
- airship-libvirt-gate
- http-fileserver
- name: run tests against defined roles