Merge "Horizon: add policy override and make chart image agnostic"

horizon/templates/bin/_db-sync.sh.tpl

@@ -18,4 +18,8 @@ limitations under the License.
 
 set -ex
 
-exec /var/lib/kolla/venv/bin/manage.py migrate
+SITE_PACKAGES_ROOT=$(python -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")
+rm -f ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/local_settings.py
+ln -s /etc/openstack-dashboard/local_settings ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/local_settings.py
+
+exec /tmp/manage.py migrate --noinput

horizon/templates/bin/_django.wsgi.tpl

@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+NOTE (Portdirect): This file is required to support Horizon regardless of the
+image used, and to provide PyMySQL support.
+*/}}
+
+import logging
+import os
+import sys
+
+import pymysql
+
+pymysql.install_as_MySQLdb()
+
+from django.core.wsgi import get_wsgi_application
+from django.conf import settings
+
+# Add this file path to sys.path in order to import settings
+sys.path.insert(0, os.path.join(os.path.dirname(os.path.realpath(__file__)), '../..'))
+os.environ['DJANGO_SETTINGS_MODULE'] = 'openstack_dashboard.settings'
+sys.stdout = sys.stderr
+
+DEBUG = False
+
+application = get_wsgi_application()

horizon/templates/bin/_horizon.sh.tpl

@@ -20,6 +20,13 @@ set -ex
 COMMAND="${@:-start}"
 
 function start () {
+  SITE_PACKAGES_ROOT=$(python -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")
+  rm -f ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/local_settings.py
+  ln -s /etc/openstack-dashboard/local_settings ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/local_settings.py
+
+  # wsgi/horizon-http needs open files here, including secret_key_store
+  chown -R horizon ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/
+
   if [ -f /etc/apache2/envvars ]; then
      # Loading Apache2 ENV variables
      source /etc/apache2/envvars
@@ -28,13 +35,10 @@ function start () {
   APACHE_DIR="apache2"
 
   # Compress Horizon's assets.
-  /var/lib/kolla/venv/bin/manage.py collectstatic --noinput
-  /var/lib/kolla/venv/bin/manage.py compress --force
+  /tmp/manage.py collectstatic --noinput
+  /tmp/manage.py compress --force
   rm -rf /tmp/_tmp_.secret_key_store.lock /tmp/.secret_key_store
 
-  # wsgi/horizon-http needs open files here, including secret_key_store
-  chown -R horizon /var/lib/kolla/venv/lib/python2.7/site-packages/openstack_dashboard/local/
-
   exec apache2 -DFOREGROUND
 }
 

horizon/templates/bin/_manage.py.tpl

@@ -0,0 +1,34 @@
+#!/usr/bin/env python
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+NOTE (Portdirect): This file is required to support Horizon regardless of the
+image used, and to provide PyMySQL support.
+*/}}
+
+import os
+import sys
+
+import pymysql
+
+pymysql.install_as_MySQLdb()
+
+from django.core.management import execute_from_command_line
+
+if __name__ == "__main__":
+    os.environ.setdefault("DJANGO_SETTINGS_MODULE",
+                          "openstack_dashboard.settings")
+    execute_from_command_line(sys.argv)

horizon/templates/configmap-bin.yaml

@@ -28,4 +28,8 @@ data:
 {{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   horizon.sh: |
 {{ tuple "bin/_horizon.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  manage.py: |
+{{ tuple "bin/_manage.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  django.wsgi: |
+{{ tuple "bin/_django.wsgi.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 {{- end }}

horizon/templates/configmap-etc.yaml

@@ -26,4 +26,18 @@ data:
 {{ tuple "etc/_horizon.conf.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   local_settings: |
 {{ tuple "etc/_local_settings.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  ceilometer_policy.json: |+
+{{  toJson .Values.conf.ceilometer_policy | indent 4 }}
+  cinder_policy.json: |+
+{{  toJson .Values.conf.cinder_policy | indent 4 }}
+  glance_policy.json: |+
+{{  toJson .Values.conf.glance_policy | indent 4 }}
+  heat_policy.json: |+
+{{  toJson .Values.conf.heat_policy | indent 4 }}
+  keystone_policy.json: |+
+{{  toJson .Values.conf.keystone_policy | indent 4 }}
+  neutron_policy.json: |+
+{{  toJson .Values.conf.neutron_policy | indent 4 }}
+  nova_policy.json: |+
+{{  toJson .Values.conf.nova_policy | indent 4 }}
 {{- end }}

horizon/templates/deployment.yaml

@@ -47,6 +47,8 @@ spec:
           image: {{ .Values.images.horizon }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            runAsUser: 0
           command:
             - /tmp/horizon.sh
             - start
@@ -62,23 +64,63 @@ spec:
             tcpSocket:
               port: {{ .Values.network.port }}
           volumeMounts:
-            - name: startsh
+            - name: static-horizon
+              mountPath: /var/www/html/
+            - name: horizon-bin
               mountPath: /tmp/horizon.sh
               subPath: horizon.sh
               readOnly: true
+            - name: horizon-bin
+              mountPath: /tmp/manage.py
+              subPath: manage.py
+              readOnly: true
             - name: horizon-etc
               mountPath: /etc/apache2/sites-enabled/000-default.conf
               subPath: horizon.conf
               readOnly: true
+            - name: horizon-bin
+              mountPath: /var/www/cgi-bin/horizon/django.wsgi
+              subPath: django.wsgi
+              readOnly: true
             - name: horizon-etc
               mountPath: /etc/openstack-dashboard/local_settings
               subPath: local_settings
               readOnly: true
+            - name: horizon-etc
+              mountPath: /etc/openstack-dashboard/ceilometer_policy.json
+              subPath: ceilometer_policy.json
+              readOnly: true
+            - name: horizon-etc
+              mountPath: /etc/openstack-dashboard/cinder_policy.json
+              subPath: cinder_policy.json
+              readOnly: true
+            - name: horizon-etc
+              mountPath: /etc/openstack-dashboard/glance_policy.json
+              subPath: glance_policy.json
+              readOnly: true
+            - name: horizon-etc
+              mountPath: /etc/openstack-dashboard/heat_policy.json
+              subPath: heat_policy.json
+              readOnly: true
+            - name: horizon-etc
+              mountPath: /etc/openstack-dashboard/keystone_policy.json
+              subPath: keystone_policy.json
+              readOnly: true
+            - name: horizon-etc
+              mountPath: /etc/openstack-dashboard/neutron_policy.json
+              subPath: neutron_policy.json
+              readOnly: true
+            - name: horizon-etc
+              mountPath: /etc/openstack-dashboard/nova_policy.json
+              subPath: nova_policy.json
+              readOnly: true
 {{ if $mounts_horizon.volumeMounts }}{{ toYaml $mounts_horizon.volumeMounts | indent 12 }}{{ end }}
-          securityContext:
-            runAsUser: 0
       volumes:
-        - name: startsh
+        - name: wsgi-horizon
+          emptyDir: {}
+        - name: static-horizon
+          emptyDir: {}
+        - name: horizon-bin
           configMap:
             name: horizon-bin
             defaultMode: 0555

horizon/templates/etc/_horizon.conf.tpl

@@ -27,14 +27,14 @@ CustomLog /dev/stdout proxy env=forwarded
     WSGIScriptReloading On
     WSGIDaemonProcess horizon-http processes=5 threads=1 user=horizon group=horizon display-name=%{GROUP} python-path=/var/lib/kolla/venv/lib/python2.7/site-packages
     WSGIProcessGroup horizon-http
-    WSGIScriptAlias / /var/lib/kolla/venv/lib/python2.7/site-packages/openstack_dashboard/wsgi/django.wsgi
+    WSGIScriptAlias / /var/www/cgi-bin/horizon/django.wsgi
     WSGIPassAuthorization On
 
     <Location "/">
         Require all granted
     </Location>
 
-    Alias /static /var/lib/kolla/venv/lib/python2.7/site-packages/static
+    Alias /static /var/www/html/horizon
     <Location "/static">
         SetHandler None
     </Location>

horizon/templates/etc/_local_settings.tpl

@@ -672,3 +672,5 @@ REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES',
 # For more information see:
 # http://tinyurl.com/anticlickjack
 # DISALLOW_IFRAME_EMBED = True
+
+STATIC_ROOT = '/var/www/html/horizon'

horizon/templates/job-db-sync.yaml

@@ -51,6 +51,10 @@ spec:
             mountPath: /tmp/db-sync.sh
             subPath: db-sync.sh
             readOnly: true
+          - name: horizon-bin
+            mountPath: /tmp/manage.py
+            subPath: manage.py
+            readOnly: true
 {{ if $mounts_horizon_db_sync.volumeMounts }}{{ toYaml $mounts_horizon_db_sync.volumeMounts | indent 10 }}{{ end }}
       volumes:
       - name: horizon-etc