From 36e65de7c5c003cc23dc78f2ad3e8117bf8922c0 Mon Sep 17 00:00:00 2001 From: Rico Lin Date: Mon, 22 Apr 2024 00:08:06 +0800 Subject: [PATCH] fix: Barbican use same uwsgi config as other services. (#1119) This renew Barbican uwsgi config and make sure it uses same uwsgi config as other services. relate to #42 Reviewed-by: Mohammed Naser --- .charts.yml | 4 +++ .../barbican/templates/bin/_barbican.sh.tpl | 2 +- charts/barbican/templates/configmap-etc.yaml | 12 ++++---- charts/barbican/templates/deployment-api.yaml | 4 +-- charts/barbican/values.yaml | 30 ++++++++++++------- .../barbican/0001-tune-uwsgi-config.patch | 25 ++++++++++++++++ 6 files changed, 57 insertions(+), 20 deletions(-) create mode 100644 charts/patches/barbican/0001-tune-uwsgi-config.patch diff --git a/.charts.yml b/.charts.yml index a03428aaa..77038bd75 100644 --- a/.charts.yml +++ b/.charts.yml @@ -13,6 +13,10 @@ charts: version: 0.3.10 repository: *openstack_helm_repository dependencies: *openstack_helm_dependencies + patches: + gerrit: + review.opendev.org: + - 916034 - name: ceph-csi-rbd version: 3.5.1 repository: diff --git a/charts/barbican/templates/bin/_barbican.sh.tpl b/charts/barbican/templates/bin/_barbican.sh.tpl index 1ac7911e5..21612f791 100644 --- a/charts/barbican/templates/bin/_barbican.sh.tpl +++ b/charts/barbican/templates/bin/_barbican.sh.tpl @@ -18,7 +18,7 @@ set -ex COMMAND="${@:-start}" function start () { - exec uwsgi --die-on-term --master --emperor /etc/barbican/vassals + exec uwsgi --ini /etc/barbican/barbican-api-uwsgi.ini } function stop () { diff --git a/charts/barbican/templates/configmap-etc.yaml b/charts/barbican/templates/configmap-etc.yaml index d9323e08f..d2bff2c01 100644 --- a/charts/barbican/templates/configmap-etc.yaml +++ b/charts/barbican/templates/configmap-etc.yaml 
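Review bot: The `patches.gerrit` entry added in `.charts.yml` identifies the upstream change only by its number, `916034`, with nothing beside it saying what the change is or when the override can be dropped. I would add a comment above the list item such as `# 916034: barbican uwsgi tuning; drop once included in a released chart version`. A change number presumably does not fix a patchset, so if the chart tooling resolves it at sync time the applied content could differ from what was reviewed. The vendored copy under `charts/patches/barbican/` is the thing to diff on each bump.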
@@ -67,12 +67,10 @@ limitations under the License. {{- $_ := tuple "key_manager" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix $barbicanPath | set .Values.conf.barbican.DEFAULT "host_href" -}} {{- end -}} -{{- if empty .Values.conf.barbican.barbican_api.bind_port -}} -{{- $_ := tuple "key_manager" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.barbican.barbican_api "bind_port" -}} -{{- end -}} - -{{- if empty .Values.conf.barbican_api.uwsgi.socket -}} -{{- $_ := printf ":%s" ( tuple "key_manager" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" ) | set .Values.conf.barbican_api.uwsgi "socket" -}} +{{- if empty (index .Values.conf.barbican_api_uwsgi.uwsgi "http-socket") -}} +{{- $http_socket_port := tuple "key_manager" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | toString }} +{{- $http_socket := printf "0.0.0.0:%s" $http_socket_port }} +{{- $_ := set .Values.conf.barbican_api_uwsgi.uwsgi "http-socket" $http_socket -}} {{- end -}} {{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}} @@ -99,6 +97,6 @@ data: barbican-api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }} api_audit_map.conf: {{ include "helm-toolkit.utils.to_ini" .Values.conf.audit_map | b64enc }} policy.yaml: {{ toYaml .Values.conf.policy | b64enc }} - barbican-api.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.barbican_api | b64enc }} + barbican-api-uwsgi.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.barbican_api_uwsgi | b64enc }} old_kek: {{ index .Values.conf.simple_crypto_kek_rewrap "old_kek" | default "" | b64enc | quote }} {{- end }} diff --git a/charts/barbican/templates/deployment-api.yaml b/charts/barbican/templates/deployment-api.yaml index d777f42fd..8ae9ea426 100644 --- a/charts/barbican/templates/deployment-api.yaml 
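Review bot: The default built in the first `configmap-etc.yaml` hunk hard-codes `0.0.0.0` into `http-socket`, so unless the value is overridden the key-manager API listens in cleartext HTTP on every IPv4 interface of the pod and has no IPv6 bind. In exposure that matches the previous `:%s` socket with `protocol: http`, but it is worth stating next to the default. A template comment such as `{{/* plain HTTP on all pod interfaces; TLS termination and NetworkPolicy are expected in front */}}` would do, assuming that is how the deployment is meant to be protected. As a style point, the two new assignment lines close with `}}` where the surrounding lines use `-}}`, e.g. `{{- $http_socket := printf "0.0.0.0:%s" $http_socket_port -}}`.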
+++ b/charts/barbican/templates/deployment-api.yaml @@ -90,8 +90,8 @@ spec: - name: etcbarbican mountPath: /etc/barbican - name: barbican-etc - mountPath: /etc/barbican/vassals/barbican-api.ini - subPath: barbican-api.ini + mountPath: /etc/barbican/barbican-api-uwsgi.ini + subPath: barbican-api-uwsgi.ini readOnly: true - name: barbican-etc mountPath: /etc/barbican/barbican.conf diff --git a/charts/barbican/values.yaml b/charts/barbican/values.yaml index 9e6f4064b..e2e87bf7b 100644 --- a/charts/barbican/values.yaml +++ b/charts/barbican/values.yaml @@ -356,18 +356,28 @@ conf: service_endpoints: # map endpoint type defined in service catalog to CADF typeURI key-manager: service/security/keymanager - barbican_api: + barbican_api_uwsgi: uwsgi: - socket: null - protocol: http - processes: 1 - lazy: true - vacuum: true - no-default-app: true - memory-report: true - plugins: python - paste: "config:/etc/barbican/barbican-api-paste.ini" add-header: "Connection: close" + buffer-size: 65535 + chunked-input-limit: "4096000" + die-on-term: true + enable-threads: true + exit-on-reload: false + hook-master-start: unix_signal:15 gracefully_kill_them_all + http-auto-chunked: true + http-raw-body: true + lazy-apps: true + log-x-forwarded-for: true + master: true + need-app: true + procname-prefix-spaced: "barbiacan-api:" + route-user-agent: '^kube-probe.* donotlog:' + socket-timeout: 10 + thunder-lock: true + worker-reload-mercy: 80 + wsgi-file: /var/lib/openstack/bin/barbican-wsgi-api + processes: 1 barbican: DEFAULT: transport_url: null diff --git a/charts/patches/barbican/0001-tune-uwsgi-config.patch b/charts/patches/barbican/0001-tune-uwsgi-config.patch new file mode 100644 index 000000000..3c472ee8b --- /dev/null +++ b/charts/patches/barbican/0001-tune-uwsgi-config.patch 
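Review bot: `procname-prefix-spaced: "barbiacan-api:"` in the `values.yaml` hunk misspells the service name, so the uwsgi processes will be titled `barbiacan-api:`. Anything that matches on the process name (process monitoring, `pgrep`-style health checks, audit or detection rules keyed on `barbican-api`) will not see them. The line should read `procname-prefix-spaced: "barbican-api:"`. The same string appears as a context line in `charts/patches/barbican/0001-tune-uwsgi-config.patch`, which suggests the typo comes from the upstream chart, so the correction probably has to be carried in that patch as a `-`/`+` pair or fixed upstream as well.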
@@ -0,0 +1,25 @@
+diff --git a/barbican/values.yaml b/charts/barbican/values.yaml
+index 3991d2ba..86abf1d3 100644
+--- a/barbican/values.yaml
++++ b/barbican/values.yaml
+@@ -360,15 +360,20 @@ conf:
+ uwsgi:
+ add-header: "Connection: close"
+ buffer-size: 65535
++ chunked-input-limit: "4096000"
+ die-on-term: true
+ enable-threads: true
+ exit-on-reload: false
+ hook-master-start: unix_signal:15 gracefully_kill_them_all
++ http-auto-chunked: true
++ http-raw-body: true
+ lazy-apps: true
+ log-x-forwarded-for: true
+ master: true
++ need-app: true
+ procname-prefix-spaced: "barbiacan-api:"
+ route-user-agent: '^kube-probe.* donotlog:'
++ socket-timeout: 10
+ thunder-lock: true
+ worker-reload-mercy: 80
+ wsgi-file: /var/lib/openstack/bin/barbican-wsgi-api
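Review bot: The header of the vendored patch is inconsistent: its `diff --git` line reads `a/barbican/values.yaml b/charts/barbican/values.yaml`, while the `---` and `+++` lines both name `barbican/values.yaml`. Depending on which tool applies the patch and with what strip level, that mismatch may cause the patch to be rejected or to resolve to a different path than intended. The line should be `diff --git a/barbican/values.yaml b/barbican/values.yaml`, so the file that actually gets modified is unambiguous when the patch is re-applied on a chart bump.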