Browse Source

flatten the horizon service configurations

This change combines the previous puppet and docker files into a single
file that performs the docker service installation and configuration
for the horizon service.

With this patch the baremetal version of each respective horizon service
has been removed.

Change-Id: I132465a32cd9f5e094ed184a92549d6521ad4e64
Related-Blueprint: services-yaml-flattening
changes/52/634752/2
Dan Prince 3 years ago
parent
commit
3238e547a6
  1. 175
      deployment/horizon/horizon-container-puppet.yaml
  2. 2
      environments/baremetal-services.yaml
  3. 2
      overcloud-resource-registry-puppet.j2.yaml
  4. 197
      puppet/services/horizon.yaml
  5. 2
      sample-env-generator/openidc.yaml
  6. 2
      sample-env-generator/ssl.yaml

175
docker/services/horizon.yaml → deployment/horizon/horizon-container-puppet.yaml

@ -39,38 +39,179 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
HorizonDebug:
default: false
description: Set to True to enable debugging Horizon service.
type: string
constraints:
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
HorizonAllowedHosts:
default: '*'
description: A list of IP/Hostname for the server Horizon is running on.
Used for header checks.
type: comma_delimited_list
HorizonPasswordValidator:
description: Regex for password validation
type: string
default: ''
HorizonPasswordValidatorHelp:
description: Help text for password validation
type: string
default: ''
HorizonSecret:
description: Secret key for Django
type: string
hidden: true
default: ''
HorizonSecureCookies:
description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
type: boolean
default: false
MemcachedIPv6:
default: false
description: Enable IPv6 features in Memcached.
type: boolean
MonitoringSubscriptionHorizon:
default: 'overcloud-horizon'
type: string
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
HorizonVhostExtraParams:
default:
add_listen: true
priority: 10
access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
options: ['FollowSymLinks','MultiViews']
description: Extra parameters for Horizon vhost configuration
type: json
HorizonCustomizationModule:
default: ''
description: Horizon has a global overrides mechanism available to perform customizations
type: string
WebSSOEnable:
default: false
type: boolean
description: Enable support for Web Single Sign-On
WebSSOInitialChoice:
default: 'OIDC'
type: string
description: The initial authentication choice to select by default
WebSSOChoices:
default:
- ['OIDC', 'OpenID Connect']
type: json
description: Specifies the list of SSO authentication choices to present.
Each item is a list of an SSO choice identifier and a display
message.
WebSSOIDPMapping:
default:
'OIDC': ['myidp', 'openid']
type: json
description: Specifies a mapping from SSO authentication choice to identity
provider and protocol. The identity provider and protocol names
must match the resources defined in keystone.
conditions:
debug_unset: {equals : [{get_param: Debug}, '']}
websso_enabled: {equals : [{get_param: WebSSOEnable}, True]}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
ContainersCommon:
type: ./containers-common.yaml
HorizonBase:
type: ../../puppet/services/horizon.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
type: ../../docker/services/containers-common.yaml
outputs:
role_data:
description: Role data for the Horizon API role.
value:
service_name: {get_attr: [HorizonBase, role_data, service_name]}
config_settings: {get_attr: [HorizonBase, role_data, config_settings]}
service_config_settings: {get_attr: [HorizonBase, role_data, service_config_settings]}
service_name: horizon
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
config_settings:
map_merge:
- horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
tripleo::horizon::firewall_rules:
'126 horizon':
dport:
- 80
- 443
horizon::enable_secure_proxy_ssl_header: true
horizon::disable_password_reveal: true
horizon::enforce_password_check: true
horizon::disallow_iframe_embed: true
horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache
horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
horizon::vhost_extra_params: {get_param: HorizonVhostExtraParams}
horizon::bind_address:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
horizon::keystone_url: {get_param: [EndpointMap, KeystoneV3Public, uri]}
horizon::password_validator: {get_param: [HorizonPasswordValidator]}
horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]}
horizon::secret_key:
yaql:
expression: $.data.passwords.where($ != '').first()
data:
passwords:
- {get_param: HorizonSecret}
- {get_param: [DefaultPasswords, horizon_secret]}
horizon::secure_cookies: {get_param: [HorizonSecureCookies]}
memcached_ipv6: {get_param: MemcachedIPv6}
horizon::servername:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
horizon::listen_ssl: {get_param: EnableInternalTLS}
horizon::horizon_ca: {get_param: InternalTLSCAFile}
horizon::customization_module: {get_param: HorizonCustomizationModule}
-
if:
- websso_enabled
-
horizon::websso_enabled:
get_param: WebSSOEnable
horizon::websso_initial_choice:
get_param: WebSSOInitialChoice
horizon::websso_choices:
get_param: WebSSOChoices
horizon::websso_idp_mapping:
get_param: WebSSOIDPMapping
- {}
-
if:
- debug_unset
- horizon::django_debug: { get_param: HorizonDebug }
- horizon::django_debug: { get_param: Debug }
service_config_settings:
haproxy:
tripleo::haproxy::firewall_rules:
'127 horizon':
dport:
- 80
- 443
keystone:
keystone_enable_member: true
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: horizon
puppet_tags: horizon_config
step_config: {get_attr: [HorizonBase, role_data, step_config]}
step_config: |
include ::tripleo::profile::base::horizon
config_image: {get_param: DockerHorizonConfigImage}
kolla_config:
/var/lib/kolla/config_files/horizon.json:
@ -226,5 +367,3 @@ outputs:
vars:
containers_to_rm:
- horizon
metadata_settings:
get_attr: [HorizonBase, role_data, metadata_settings]

2
environments/baremetal-services.yaml

@ -24,7 +24,7 @@ resource_registry:
OS::TripleO::Services::HeatApiCfn: ../deployment/heat/heat-api-cfn-container-puppet.yaml
OS::TripleO::Services::HeatEngine: ../deployment/heat/heat-engine-container-puppet.yaml
OS::TripleO::Services::HAproxy: ../deployment/haproxy/haproxy-container-puppet.yaml
OS::TripleO::Services::Horizon: ../puppet/services/horizon.yaml
OS::TripleO::Services::Horizon: ../deployment/horizon/horizon-container-puppet.yaml
OS::TripleO::Services::Iscsid: ../deployment/iscsid/iscsid-container-puppet.yaml
OS::TripleO::Services::Keystone: ../deployment/keystone/keystone-container-puppet.yaml
OS::TripleO::Services::Memcached: ../deployment/memcached/memcached-container-puppet.yaml

2
overcloud-resource-registry-puppet.j2.yaml

@ -220,7 +220,7 @@ resource_registry:
OS::TripleO::Services::CeilometerAgentIpmi: docker/services/ceilometer-agent-ipmi.yaml
OS::TripleO::Services::CeilometerAgentNotification: docker/services/ceilometer-agent-notification.yaml
OS::TripleO::Services::ComputeCeilometerAgent: docker/services/ceilometer-agent-compute.yaml
OS::TripleO::Services::Horizon: docker/services/horizon.yaml
OS::TripleO::Services::Horizon: deployment/horizon/horizon-container-puppet.yaml
#Gnocchi services
OS::TripleO::Services::GnocchiApi: docker/services/gnocchi-api.yaml
OS::TripleO::Services::GnocchiMetricd: docker/services/gnocchi-metricd.yaml

197
puppet/services/horizon.yaml

@ -1,197 +0,0 @@
heat_template_version: rocky
description: >
Horizon service configured with Puppet
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
HorizonDebug:
default: false
description: Set to True to enable debugging Horizon service.
type: string
constraints:
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
HorizonAllowedHosts:
default: '*'
description: A list of IP/Hostname for the server Horizon is running on.
Used for header checks.
type: comma_delimited_list
HorizonPasswordValidator:
description: Regex for password validation
type: string
default: ''
HorizonPasswordValidatorHelp:
description: Help text for password validation
type: string
default: ''
HorizonSecret:
description: Secret key for Django
type: string
hidden: true
default: ''
HorizonSecureCookies:
description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
type: boolean
default: false
MemcachedIPv6:
default: false
description: Enable IPv6 features in Memcached.
type: boolean
MonitoringSubscriptionHorizon:
default: 'overcloud-horizon'
type: string
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
HorizonVhostExtraParams:
default:
add_listen: true
priority: 10
access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
options: ['FollowSymLinks','MultiViews']
description: Extra parameters for Horizon vhost configuration
type: json
HorizonCustomizationModule:
default: ''
description: Horizon has a global overrides mechanism available to perform customizations
type: string
WebSSOEnable:
default: false
type: boolean
description: Enable support for Web Single Sign-On
WebSSOInitialChoice:
default: 'OIDC'
type: string
description: The initial authentication choice to select by default
WebSSOChoices:
default:
- ['OIDC', 'OpenID Connect']
type: json
description: Specifies the list of SSO authentication choices to present.
Each item is a list of an SSO choice identifier and a display
message.
WebSSOIDPMapping:
default:
'OIDC': ['myidp', 'openid']
type: json
description: Specifies a mapping from SSO authentication choice to identity
provider and protocol. The identity provider and protocol names
must match the resources defined in keystone.
conditions:
debug_unset: {equals : [{get_param: Debug}, '']}
websso_enabled: {equals : [{get_param: WebSSOEnable}, True]}
outputs:
role_data:
description: Role data for the Horizon role.
value:
service_name: horizon
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
config_settings:
map_merge:
- horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
tripleo::horizon::firewall_rules:
'126 horizon':
dport:
- 80
- 443
horizon::enable_secure_proxy_ssl_header: true
horizon::disable_password_reveal: true
horizon::enforce_password_check: true
horizon::disallow_iframe_embed: true
horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache
horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
horizon::vhost_extra_params: {get_param: HorizonVhostExtraParams}
horizon::bind_address:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
horizon::keystone_url: {get_param: [EndpointMap, KeystoneV3Public, uri]}
horizon::password_validator: {get_param: [HorizonPasswordValidator]}
horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]}
horizon::secret_key:
yaql:
expression: $.data.passwords.where($ != '').first()
data:
passwords:
- {get_param: HorizonSecret}
- {get_param: [DefaultPasswords, horizon_secret]}
horizon::secure_cookies: {get_param: [HorizonSecureCookies]}
memcached_ipv6: {get_param: MemcachedIPv6}
horizon::servername:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
horizon::listen_ssl: {get_param: EnableInternalTLS}
horizon::horizon_ca: {get_param: InternalTLSCAFile}
horizon::customization_module: {get_param: HorizonCustomizationModule}
-
if:
- websso_enabled
-
horizon::websso_enabled:
get_param: WebSSOEnable
horizon::websso_initial_choice:
get_param: WebSSOInitialChoice
horizon::websso_choices:
get_param: WebSSOChoices
horizon::websso_idp_mapping:
get_param: WebSSOIDPMapping
- {}
-
if:
- debug_unset
- horizon::django_debug: { get_param: HorizonDebug }
- horizon::django_debug: { get_param: Debug }
step_config: |
include ::tripleo::profile::base::horizon
upgrade_tasks: []
service_config_settings:
haproxy:
tripleo::haproxy::firewall_rules:
'127 horizon':
dport:
- 80
- 443
keystone:
keystone_enable_member: true

2
sample-env-generator/openidc.yaml

@ -16,7 +16,7 @@ environments:
- KeystoneOpenIdcCryptoPassphrase
- KeystoneOpenIdcResponseType
- KeystoneOpenIdcRemoteIdAttribute
puppet/services/horizon.yaml:
deployment/horizon/horizon-container-puppet.yaml:
parameters:
- WebSSOEnable
- WebSSOInitialChoice

2
sample-env-generator/ssl.yaml

@ -9,7 +9,7 @@ environments:
files:
deployment/haproxy/haproxy-public-tls-inject.yaml:
parameters: all
puppet/services/horizon.yaml:
deployment/horizon/horizon-container-puppet.yaml:
parameters:
- HorizonSecureCookies
static:

Loading…
Cancel
Save