Horizon: add policy override and make chart image agnostic

This PS makes horizon image agnostic and also use PyMySQL for the
database backend, in addition to making the policy fully configurable.

Change-Id: I95f269139539a9397c3cc05327f02dd28ee4917c

horizon/templates/bin/_db-sync.sh.tpl

@@ -18,4 +18,8 @@ limitations under the License.
 
 set -ex
 
-exec /var/lib/kolla/venv/bin/manage.py migrate
+SITE_PACKAGES_ROOT=$(python -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")
+rm -f ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/local_settings.py
+ln -s /etc/openstack-dashboard/local_settings ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/local_settings.py
+
+exec /tmp/manage.py migrate --noinput

horizon/templates/bin/_django.wsgi.tpl

@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+NOTE (Portdirect): This file is required to support Horizon regardless of the
+image used, and to provide PyMySQL support.
+*/}}
+
+import logging
+import os
+import sys
+
+import pymysql
+
+pymysql.install_as_MySQLdb()
+
+from django.core.wsgi import get_wsgi_application
+from django.conf import settings
+
+# Add this file path to sys.path in order to import settings
+sys.path.insert(0, os.path.join(os.path.dirname(os.path.realpath(__file__)), '../..'))
+os.environ['DJANGO_SETTINGS_MODULE'] = 'openstack_dashboard.settings'
+sys.stdout = sys.stderr
+
+DEBUG = False
+
+application = get_wsgi_application()

horizon/templates/bin/_horizon.sh.tpl

@@ -20,6 +20,13 @@ set -ex
 COMMAND="${@:-start}"
 
 function start () {
+  SITE_PACKAGES_ROOT=$(python -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")
+  rm -f ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/local_settings.py
+  ln -s /etc/openstack-dashboard/local_settings ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/local_settings.py
+
+  # wsgi/horizon-http needs open files here, including secret_key_store
+  chown -R horizon ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/
+
   if [ -f /etc/apache2/envvars ]; then
      # Loading Apache2 ENV variables
      source /etc/apache2/envvars
@@ -28,13 +35,10 @@ function start () {
   APACHE_DIR="apache2"
 
   # Compress Horizon's assets.
-  /var/lib/kolla/venv/bin/manage.py collectstatic --noinput
-  /var/lib/kolla/venv/bin/manage.py compress --force
+  /tmp/manage.py collectstatic --noinput
+  /tmp/manage.py compress --force
   rm -rf /tmp/_tmp_.secret_key_store.lock /tmp/.secret_key_store
 
-  # wsgi/horizon-http needs open files here, including secret_key_store
-  chown -R horizon /var/lib/kolla/venv/lib/python2.7/site-packages/openstack_dashboard/local/
-
   exec apache2 -DFOREGROUND
 }
 

horizon/templates/bin/_manage.py.tpl

@@ -0,0 +1,34 @@
+#!/usr/bin/env python
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+NOTE (Portdirect): This file is required to support Horizon regardless of the
+image used, and to provide PyMySQL support.
+*/}}
+
+import os
+import sys
+
+import pymysql
+
+pymysql.install_as_MySQLdb()
+
+from django.core.management import execute_from_command_line
+
+if __name__ == "__main__":
+    os.environ.setdefault("DJANGO_SETTINGS_MODULE",
+                          "openstack_dashboard.settings")
+    execute_from_command_line(sys.argv)

horizon/templates/configmap-bin.yaml

@@ -28,4 +28,8 @@ data:
 {{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   horizon.sh: |
 {{ tuple "bin/_horizon.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  manage.py: |
+{{ tuple "bin/_manage.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  django.wsgi: |
+{{ tuple "bin/_django.wsgi.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 {{- end }}

horizon/templates/configmap-etc.yaml

@@ -26,4 +26,18 @@ data:
 {{ tuple "etc/_horizon.conf.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   local_settings: |
 {{ tuple "etc/_local_settings.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  ceilometer_policy.json: |+
+{{  toJson .Values.conf.ceilometer_policy | indent 4 }}
+  cinder_policy.json: |+
+{{  toJson .Values.conf.cinder_policy | indent 4 }}
+  glance_policy.json: |+
+{{  toJson .Values.conf.glance_policy | indent 4 }}
+  heat_policy.json: |+
+{{  toJson .Values.conf.heat_policy | indent 4 }}
+  keystone_policy.json: |+
+{{  toJson .Values.conf.keystone_policy | indent 4 }}
+  neutron_policy.json: |+
+{{  toJson .Values.conf.neutron_policy | indent 4 }}
+  nova_policy.json: |+
+{{  toJson .Values.conf.nova_policy | indent 4 }}
 {{- end }}

horizon/templates/deployment.yaml

@@ -47,6 +47,8 @@ spec:
           image: {{ .Values.images.horizon }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: 0
           command:
             - /tmp/horizon.sh
             - start
@@ -62,23 +64,63 @@ spec:
             tcpSocket:
               port: {{ .Values.network.port }}
           volumeMounts:
-            - name: startsh
+            - name: static-horizon
+              mountPath: /var/www/html/
+            - name: horizon-bin
               mountPath: /tmp/horizon.sh
               subPath: horizon.sh
               readOnly: true
+            - name: horizon-bin
+              mountPath: /tmp/manage.py
+              subPath: manage.py
+              readOnly: true
             - name: horizon-etc
               mountPath: /etc/apache2/sites-enabled/000-default.conf
               subPath: horizon.conf
               readOnly: true
+            - name: horizon-bin
+              mountPath: /var/www/cgi-bin/horizon/django.wsgi
+              subPath: django.wsgi
+              readOnly: true
             - name: horizon-etc
               mountPath: /etc/openstack-dashboard/local_settings
               subPath: local_settings
               readOnly: true
+            - name: horizon-etc
+              mountPath: /etc/openstack-dashboard/ceilometer_policy.json
+              subPath: ceilometer_policy.json
+              readOnly: true
+            - name: horizon-etc
+              mountPath: /etc/openstack-dashboard/cinder_policy.json
+              subPath: cinder_policy.json
+              readOnly: true
+            - name: horizon-etc
+              mountPath: /etc/openstack-dashboard/glance_policy.json
+              subPath: glance_policy.json
+              readOnly: true
+            - name: horizon-etc
+              mountPath: /etc/openstack-dashboard/heat_policy.json
+              subPath: heat_policy.json
+              readOnly: true
+            - name: horizon-etc
+              mountPath: /etc/openstack-dashboard/keystone_policy.json
+              subPath: keystone_policy.json
+              readOnly: true
+            - name: horizon-etc
+              mountPath: /etc/openstack-dashboard/neutron_policy.json
+              subPath: neutron_policy.json
+              readOnly: true
+            - name: horizon-etc
+              mountPath: /etc/openstack-dashboard/nova_policy.json
+              subPath: nova_policy.json
+              readOnly: true
 {{ if $mounts_horizon.volumeMounts }}{{ toYaml $mounts_horizon.volumeMounts | indent 12 }}{{ end }}
-          securityContext:
-            runAsUser: 0
       volumes:
-        - name: startsh
+        - name: wsgi-horizon
+          emptyDir: {}
+        - name: static-horizon
+          emptyDir: {}
+        - name: horizon-bin
           configMap:
             name: horizon-bin
             defaultMode: 0555

horizon/templates/etc/_horizon.conf.tpl

@@ -27,14 +27,14 @@ CustomLog /dev/stdout proxy env=forwarded
     WSGIScriptReloading On
     WSGIDaemonProcess horizon-http processes=5 threads=1 user=horizon group=horizon display-name=%{GROUP} python-path=/var/lib/kolla/venv/lib/python2.7/site-packages
     WSGIProcessGroup horizon-http
-    WSGIScriptAlias / /var/lib/kolla/venv/lib/python2.7/site-packages/openstack_dashboard/wsgi/django.wsgi
+    WSGIScriptAlias / /var/www/cgi-bin/horizon/django.wsgi
     WSGIPassAuthorization On
 
     <Location "/">
         Require all granted
     </Location>
 
-    Alias /static /var/lib/kolla/venv/lib/python2.7/site-packages/static
+    Alias /static /var/www/html/horizon
     <Location "/static">
         SetHandler None
     </Location>

horizon/templates/etc/_local_settings.tpl

@@ -672,3 +672,5 @@ REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES',
 # For more information see:
 # http://tinyurl.com/anticlickjack
 # DISALLOW_IFRAME_EMBED = True
+
+STATIC_ROOT = '/var/www/html/horizon'

horizon/templates/job-db-sync.yaml

@@ -51,6 +51,10 @@ spec:
             mountPath: /tmp/db-sync.sh
             subPath: db-sync.sh
             readOnly: true
+          - name: horizon-bin
+            mountPath: /tmp/manage.py
+            subPath: manage.py
+            readOnly: true
 {{ if $mounts_horizon_db_sync.volumeMounts }}{{ toYaml $mounts_horizon_db_sync.volumeMounts | indent 10 }}{{ end }}
       volumes:
       - name: horizon-etc