diff --git a/docker/services/horizon.yaml b/deployment/horizon/horizon-container-puppet.yaml
similarity index 58%
rename from docker/services/horizon.yaml
rename to deployment/horizon/horizon-container-puppet.yaml
index 947a1faef5..30f40e5e7d 100644
--- a/docker/services/horizon.yaml
+++ b/deployment/horizon/horizon-container-puppet.yaml
@@ -39,38 +39,179 @@ parameters:
 EnableInternalTLS:
 type: boolean
 default: false
+ Debug:
+ default: false
+ description: Set to True to enable debugging on all services.
+ type: boolean
+ HorizonDebug:
+ default: false
+ description: Set to True to enable debugging Horizon service.
+ type: string
+ constraints:
+ - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
+ HorizonAllowedHosts:
+ default: '*'
+ description: A list of IP/Hostname for the server Horizon is running on.
+ Used for header checks.
+ type: comma_delimited_list
+ HorizonPasswordValidator:
+ description: Regex for password validation
+ type: string
+ default: ''
+ HorizonPasswordValidatorHelp:
+ description: Help text for password validation
+ type: string
+ default: ''
+ HorizonSecret:
+ description: Secret key for Django
+ type: string
+ hidden: true
+ default: ''
+ HorizonSecureCookies:
+ description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
+ type: boolean
+ default: false
+ MemcachedIPv6:
+ default: false
+ description: Enable IPv6 features in Memcached.
+ type: boolean
+ MonitoringSubscriptionHorizon:
+ default: 'overcloud-horizon'
+ type: string
+ EnableInternalTLS:
+ type: boolean
+ default: false
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
+ HorizonVhostExtraParams:
+ default:
+ add_listen: true
+ priority: 10
+ access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
+ options: ['FollowSymLinks','MultiViews']
+ description: Extra parameters for Horizon vhost configuration
+ type: json
+ HorizonCustomizationModule:
+ default: ''
+ description: Horizon has a global overrides mechanism available to perform customizations
+ type: string
+ WebSSOEnable:
+ default: false
+ type: boolean
+ description: Enable support for Web Single Sign-On
+ WebSSOInitialChoice:
+ default: 'OIDC'
+ type: string
+ description: The initial authentication choice to select by default
+ WebSSOChoices:
+ default:
+ - ['OIDC', 'OpenID Connect']
+ type: json
+ description: Specifies the list of SSO authentication choices to present.
+ Each item is a list of an SSO choice identifier and a display
+ message.
+ WebSSOIDPMapping:
+ default:
+ 'OIDC': ['myidp', 'openid']
+ type: json
+ description: Specifies a mapping from SSO authentication choice to identity
+ provider and protocol. The identity provider and protocol names
+ must match the resources defined in keystone.
 conditions: - + debug_unset: {equals : [{get_param: Debug}, '']} + websso_enabled: {equals : [{get_param: WebSSOEnable}, True]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: ContainersCommon: - type: ./containers-common.yaml - - HorizonBase: - type: ../../puppet/services/horizon.yaml - properties: - EndpointMap: {get_param: EndpointMap} - ServiceData: {get_param: ServiceData} - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} + type: ../../docker/services/containers-common.yaml outputs: role_data: description: Role data for the Horizon API role.
value: - service_name: {get_attr: [HorizonBase, role_data, service_name]} - config_settings: {get_attr: [HorizonBase, role_data, config_settings]} - service_config_settings: {get_attr: [HorizonBase, role_data, service_config_settings]} + service_name: horizon + monitoring_subscription: {get_param: MonitoringSubscriptionHorizon} + config_settings: + map_merge: + - horizon::allowed_hosts: {get_param: HorizonAllowedHosts} + tripleo::horizon::firewall_rules: + '126 horizon': + dport: + - 80 + - 443 + horizon::enable_secure_proxy_ssl_header: true + horizon::disable_password_reveal: true + horizon::enforce_password_check: true + horizon::disallow_iframe_embed: true + horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache + horizon::django_session_engine: 'django.contrib.sessions.backends.cache' + horizon::vhost_extra_params: {get_param: HorizonVhostExtraParams} + horizon::bind_address: + str_replace: + template: + "%{hiera('$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]} + horizon::keystone_url: {get_param: [EndpointMap, KeystoneV3Public, uri]} + horizon::password_validator: {get_param: [HorizonPasswordValidator]} + horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]} + horizon::secret_key: + yaql: + expression: $.data.passwords.where($ != '').first() + data: + passwords: + - {get_param: HorizonSecret} + - {get_param: [DefaultPasswords, horizon_secret]} + horizon::secure_cookies: {get_param: [HorizonSecureCookies]} + memcached_ipv6: {get_param: MemcachedIPv6} + horizon::servername: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]} + horizon::listen_ssl: {get_param: EnableInternalTLS} + horizon::horizon_ca: {get_param: InternalTLSCAFile} + horizon::customization_module: {get_param: HorizonCustomizationModule} + - + if: + - websso_enabled + - + horizon::websso_enabled: + get_param: WebSSOEnable + 
horizon::websso_initial_choice:
+ get_param: WebSSOInitialChoice
+ horizon::websso_choices:
+ get_param: WebSSOChoices
+ horizon::websso_idp_mapping:
+ get_param: WebSSOIDPMapping
+ - {} + - + if: + - debug_unset + - horizon::django_debug: { get_param: HorizonDebug } + - horizon::django_debug: { get_param: Debug }
+ service_config_settings:
+ haproxy:
+ tripleo::haproxy::firewall_rules:
+ '127 horizon':
+ dport: + - 80 + - 443
+ keystone:
+ keystone_enable_member: true
 # BEGIN DOCKER SETTINGS
 puppet_config:
 config_volume: horizon
 puppet_tags: horizon_config
- step_config: {get_attr: [HorizonBase, role_data, step_config]}
+ step_config: |
+ include ::tripleo::profile::base::horizon
 config_image: {get_param: DockerHorizonConfigImage}
 kolla_config:
 /var/lib/kolla/config_files/horizon.json:
@@ -226,5 +367,3 @@ outputs:
 vars:
 containers_to_rm:
 - horizon
- metadata_settings:
- get_attr: [HorizonBase, role_data, metadata_settings]
diff --git a/environments/baremetal-services.yaml b/environments/baremetal-services.yaml
index 6643bf7052..7da03657ec 100644
--- a/environments/baremetal-services.yaml
+++ b/environments/baremetal-services.yaml
@@ -24,7 +24,7 @@ resource_registry:
 OS::TripleO::Services::HeatApiCfn: ../deployment/heat/heat-api-cfn-container-puppet.yaml
 OS::TripleO::Services::HeatEngine: ../deployment/heat/heat-engine-container-puppet.yaml
 OS::TripleO::Services::HAproxy: ../deployment/haproxy/haproxy-container-puppet.yaml
- OS::TripleO::Services::Horizon: ../puppet/services/horizon.yaml
+ OS::TripleO::Services::Horizon: ../deployment/horizon/horizon-container-puppet.yaml
 OS::TripleO::Services::Iscsid: ../deployment/iscsid/iscsid-container-puppet.yaml
 OS::TripleO::Services::Keystone: ../deployment/keystone/keystone-container-puppet.yaml
 OS::TripleO::Services::Memcached: ../deployment/memcached/memcached-container-puppet.yaml
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 0872106028..4cf31047b4 100644
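Review bot: The added parameter block redeclares `EnableInternalTLS` (`+ EnableInternalTLS:` / `+ type: boolean` / `+ default: false`) although the same key is still present as context at the top of the hunk, so the template now carries a duplicate mapping key; a YAML 1.1 loader will silently keep the last definition and yamllint flags it, so the repeated block should be dropped from the added parameters. Separately, the condition carried over as `debug_unset: {equals : [{get_param: Debug}, '']}` compares the boolean `Debug` with an empty string, which can never hold, so the `if: [debug_unset, …]` entry in `config_settings` always sets `horizon::django_debug` from `Debug` and an operator's `HorizonDebug` value is never applied; presumably the intent is to test the service-level override, `debug_unset: {equals: [{get_param: HorizonDebug}, '']}`, with the two branches swapped so `Debug` is the fallback. Since `horizon::django_debug` drives Django's DEBUG setting, the documented override should take effect as declared. The `role_data` output this hunk edits continues past the end of the hunk.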
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -220,7 +220,7 @@ resource_registry:
 OS::TripleO::Services::CeilometerAgentIpmi: docker/services/ceilometer-agent-ipmi.yaml
 OS::TripleO::Services::CeilometerAgentNotification: docker/services/ceilometer-agent-notification.yaml
 OS::TripleO::Services::ComputeCeilometerAgent: docker/services/ceilometer-agent-compute.yaml
- OS::TripleO::Services::Horizon: docker/services/horizon.yaml
+ OS::TripleO::Services::Horizon: deployment/horizon/horizon-container-puppet.yaml
 #Gnocchi services
 OS::TripleO::Services::GnocchiApi: docker/services/gnocchi-api.yaml
 OS::TripleO::Services::GnocchiMetricd: docker/services/gnocchi-metricd.yaml
diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml
deleted file mode 100644
index 5784415cfb..0000000000
--- a/puppet/services/horizon.yaml
+++ /dev/null
@@ -1,197 +0,0 @@ -heat_template_version: rocky - -description: > - Horizon service configured with Puppet - -parameters: - ServiceData: - default: {} - description: Dictionary packing service data - type: json - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - Debug: - default: false - description: Set to True to enable debugging on all services. - type: boolean - HorizonDebug: - default: false - description: Set to True to enable debugging Horizon service. - type: string - constraints: - - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE'] - DefaultPasswords: - default: {} - type: json - RoleName: - default: '' - description: Role name on which the service is applied - type: string - RoleParameters: - default: {} - description: Parameters specific to the role - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - HorizonAllowedHosts: - default: '*' - description: A list of IP/Hostname for the server Horizon is running on. - Used for header checks. - type: comma_delimited_list - HorizonPasswordValidator: - description: Regex for password validation - type: string - default: '' - HorizonPasswordValidatorHelp: - description: Help text for password validation - type: string - default: '' - HorizonSecret: - description: Secret key for Django - type: string - hidden: true - default: '' - HorizonSecureCookies: - description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon - type: boolean - default: false - MemcachedIPv6: - default: false - description: Enable IPv6 features in Memcached. 
- type: boolean - MonitoringSubscriptionHorizon: - default: 'overcloud-horizon' - type: string - EnableInternalTLS: - type: boolean - default: false - InternalTLSCAFile: - default: '/etc/ipa/ca.crt' - type: string - description: Specifies the default CA cert to use if TLS is used for - services in the internal network. - HorizonVhostExtraParams: - default: - add_listen: true - priority: 10 - access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"' - options: ['FollowSymLinks','MultiViews'] - description: Extra parameters for Horizon vhost configuration - type: json - HorizonCustomizationModule: - default: '' - description: Horizon has a global overrides mechanism available to perform customizations - type: string - WebSSOEnable: - default: false - type: boolean - description: Enable support for Web Single Sign-On - WebSSOInitialChoice: - default: 'OIDC' - type: string - description: The initial authentication choice to select by default - WebSSOChoices: - default: - - ['OIDC', 'OpenID Connect'] - type: json - description: Specifies the list of SSO authentication choices to present. - Each item is a list of an SSO choice identifier and a display - message. - WebSSOIDPMapping: - default: - 'OIDC': ['myidp', 'openid'] - type: json - description: Specifies a mapping from SSO authentication choice to identity - provider and protocol. The identity provider and protocol names - must match the resources defined in keystone. - -conditions: - - debug_unset: {equals : [{get_param: Debug}, '']} - websso_enabled: {equals : [{get_param: WebSSOEnable}, True]} - -outputs: - role_data: - description: Role data for the Horizon role. 
- value: - service_name: horizon - monitoring_subscription: {get_param: MonitoringSubscriptionHorizon} - config_settings: - map_merge: - - horizon::allowed_hosts: {get_param: HorizonAllowedHosts} - tripleo::horizon::firewall_rules: - '126 horizon': - dport: - - 80 - - 443 - horizon::enable_secure_proxy_ssl_header: true - horizon::disable_password_reveal: true - horizon::enforce_password_check: true - horizon::disallow_iframe_embed: true - horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache - horizon::django_session_engine: 'django.contrib.sessions.backends.cache' - horizon::vhost_extra_params: {get_param: HorizonVhostExtraParams} - horizon::bind_address: - str_replace: - template: - "%{hiera('$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]} - horizon::keystone_url: {get_param: [EndpointMap, KeystoneV3Public, uri]} - horizon::password_validator: {get_param: [HorizonPasswordValidator]} - horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]} - horizon::secret_key: - yaql: - expression: $.data.passwords.where($ != '').first() - data: - passwords: - - {get_param: HorizonSecret} - - {get_param: [DefaultPasswords, horizon_secret]} - horizon::secure_cookies: {get_param: [HorizonSecureCookies]} - memcached_ipv6: {get_param: MemcachedIPv6} - horizon::servername: - str_replace: - template: - "%{hiera('fqdn_$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]} - horizon::listen_ssl: {get_param: EnableInternalTLS} - horizon::horizon_ca: {get_param: InternalTLSCAFile} - horizon::customization_module: {get_param: HorizonCustomizationModule} - - - if: - - websso_enabled - - - horizon::websso_enabled: - get_param: WebSSOEnable - horizon::websso_initial_choice: - get_param: WebSSOInitialChoice - horizon::websso_choices: - get_param: WebSSOChoices - horizon::websso_idp_mapping: - get_param: WebSSOIDPMapping - - {} - - - if: - - debug_unset - - horizon::django_debug: { get_param: 
HorizonDebug } - - horizon::django_debug: { get_param: Debug } - step_config: | - include ::tripleo::profile::base::horizon - upgrade_tasks: [] - service_config_settings: - haproxy: - tripleo::haproxy::firewall_rules: - '127 horizon': - dport: - - 80 - - 443 - keystone: - keystone_enable_member: true
diff --git a/sample-env-generator/openidc.yaml b/sample-env-generator/openidc.yaml
index cf3c4fa57e..8e86ac22b4 100644
--- a/sample-env-generator/openidc.yaml
+++ b/sample-env-generator/openidc.yaml
@@ -16,7 +16,7 @@ environments:
 - KeystoneOpenIdcCryptoPassphrase
 - KeystoneOpenIdcResponseType
 - KeystoneOpenIdcRemoteIdAttribute
- puppet/services/horizon.yaml:
+ deployment/horizon/horizon-container-puppet.yaml:
 parameters:
 - WebSSOEnable
 - WebSSOInitialChoice
diff --git a/sample-env-generator/ssl.yaml b/sample-env-generator/ssl.yaml
index e07e999b52..3c4931e976 100644
--- a/sample-env-generator/ssl.yaml
+++ b/sample-env-generator/ssl.yaml
@@ -9,7 +9,7 @@ environments:
 files:
 deployment/haproxy/haproxy-public-tls-inject.yaml:
 parameters: all
- puppet/services/horizon.yaml:
+ deployment/horizon/horizon-container-puppet.yaml:
 parameters:
 - HorizonSecureCookies
 static: