heat_template_version: rocky description: > OpenStack containerized Horizon service parameters: DockerHorizonImage: description: image type: string DockerHorizonConfigImage: description: The container image to use for the horizon config_volume type: string EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json DefaultPasswords: default: {} type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EnableInternalTLS: type: boolean default: false Debug: default: false description: Set to True to enable debugging on all services. type: boolean HorizonDebug: default: false description: Set to True to enable debugging Horizon service. type: string constraints: - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE'] HorizonAllowedHosts: default: '*' description: A list of IP/Hostname for the server Horizon is running on. Used for header checks. type: comma_delimited_list HorizonPasswordValidator: description: Regex for password validation type: string default: '' HorizonPasswordValidatorHelp: description: Help text for password validation type: string default: '' HorizonSecret: description: Secret key for Django type: string hidden: true default: '' HorizonSecureCookies: description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon type: boolean default: false MemcachedIPv6: default: false description: Enable IPv6 features in Memcached. type: boolean MonitoringSubscriptionHorizon: default: 'overcloud-horizon' type: string EnableInternalTLS: type: boolean default: false InternalTLSCAFile: default: '/etc/ipa/ca.crt' type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. HorizonVhostExtraParams: default: add_listen: true priority: 10 access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"' options: ['FollowSymLinks','MultiViews'] description: Extra parameters for Horizon vhost configuration type: json HorizonCustomizationModule: default: '' description: Horizon has a global overrides mechanism available to perform customizations type: string WebSSOEnable: default: false type: boolean description: Enable support for Web Single Sign-On WebSSOInitialChoice: default: 'OIDC' type: string description: The initial authentication choice to select by default WebSSOChoices: default: - ['OIDC', 'OpenID Connect'] type: json description: Specifies the list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message. WebSSOIDPMapping: default: 'OIDC': ['myidp', 'openid'] type: json description: Specifies a mapping from SSO authentication choice to identity provider and protocol. The identity provider and protocol names must match the resources defined in keystone. conditions: debug_unset: {equals : [{get_param: Debug}, '']} websso_enabled: {equals : [{get_param: WebSSOEnable}, True]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: ContainersCommon: type: ../../docker/services/containers-common.yaml outputs: role_data: description: Role data for the Horizon API role. value: service_name: horizon monitoring_subscription: {get_param: MonitoringSubscriptionHorizon} config_settings: map_merge: - horizon::allowed_hosts: {get_param: HorizonAllowedHosts} tripleo::horizon::firewall_rules: '126 horizon': dport: - 80 - 443 horizon::enable_secure_proxy_ssl_header: true horizon::disable_password_reveal: true horizon::enforce_password_check: true horizon::disallow_iframe_embed: true horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache horizon::django_session_engine: 'django.contrib.sessions.backends.cache' horizon::vhost_extra_params: {get_param: HorizonVhostExtraParams} horizon::bind_address: str_replace: template: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]} horizon::keystone_url: {get_param: [EndpointMap, KeystoneV3Public, uri]} horizon::password_validator: {get_param: [HorizonPasswordValidator]} horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]} horizon::secret_key: yaql: expression: $.data.passwords.where($ != '').first() data: passwords: - {get_param: HorizonSecret} - {get_param: [DefaultPasswords, horizon_secret]} horizon::secure_cookies: {get_param: [HorizonSecureCookies]} memcached_ipv6: {get_param: MemcachedIPv6} horizon::servername: str_replace: template: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]} horizon::listen_ssl: {get_param: EnableInternalTLS} horizon::horizon_ca: {get_param: InternalTLSCAFile} horizon::customization_module: {get_param: HorizonCustomizationModule} - if: - websso_enabled - horizon::websso_enabled: get_param: WebSSOEnable horizon::websso_initial_choice: get_param: WebSSOInitialChoice horizon::websso_choices: get_param: WebSSOChoices horizon::websso_idp_mapping: get_param: WebSSOIDPMapping - {} - if: - debug_unset - horizon::django_debug: { get_param: HorizonDebug } - horizon::django_debug: { get_param: Debug } service_config_settings: haproxy: tripleo::haproxy::firewall_rules: '127 horizon': dport: - 80 - 443 keystone: keystone_enable_member: true # BEGIN DOCKER SETTINGS puppet_config: config_volume: horizon puppet_tags: horizon_config step_config: | include ::tripleo::profile::base::horizon config_image: {get_param: DockerHorizonConfigImage} kolla_config: /var/lib/kolla/config_files/horizon.json: command: /usr/sbin/httpd -DFOREGROUND config_files: - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d" dest: "/etc/httpd/conf.d" merge: false preserve_properties: true - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true permissions: - path: /var/log/horizon/ owner: apache:apache recurse: true # NOTE The upstream Kolla Dockerfile sets /etc/openstack-dashboard/ ownership to # horizon:horizon - the policy.json files need read permissions for the apache user # FIXME We should consider whether this should be fixed in the Kolla Dockerfile instead - path: /etc/openstack-dashboard/ owner: apache:apache recurse: true # FIXME Apache tries to write a .lock file there - path: /usr/share/openstack-dashboard/openstack_dashboard/local/ owner: apache:apache recurse: false # FIXME Our theme settings are there - path: /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/ owner: apache:apache recurse: false docker_config: step_2: horizon_fix_perms: image: &horizon_image {get_param: DockerHorizonImage} net: none user: root # NOTE Set ownership for /var/log/horizon/horizon.log file here, # otherwise it's created by root when generating django cache. # FIXME Apache needs to read files in /etc/openstack-dashboard # Need to set permissions to match the BM case, # http://paste.openstack.org/show/609819/ command: ['/bin/bash', '-c', 'touch /var/log/horizon/horizon.log && chown -R apache:apache /var/log/horizon && chmod -R a+rx /etc/openstack-dashboard'] volumes: - /var/log/containers/horizon:/var/log/horizon:z - /var/log/containers/httpd/horizon:/var/log/httpd:z - /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard:/etc/openstack-dashboard step_3: horizon: image: *horizon_image net: host privileged: false restart: always volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/kolla/config_files/horizon.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/horizon/:/var/lib/kolla/config_files/src:ro - /var/log/containers/horizon:/var/log/horizon:z - /var/log/containers/httpd/horizon:/var/log/httpd:z - /var/www/:/var/www/:ro - if: - internal_tls_enabled - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro - '' - if: - internal_tls_enabled - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro - '' environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS # Installed plugins: - ENABLE_CLOUDKITTY=no - ENABLE_IRONIC=yes - ENABLE_MAGNUM=no - ENABLE_MANILA=no - ENABLE_HEAT=yes # murano depends on heat-dashboard that is not yet installed # https://bugs.launchpad.net/tripleo/+bug/1752132 - ENABLE_MURANO=no - ENABLE_MISTRAL=yes - ENABLE_NEUTRON_LBAAS=yes - ENABLE_OCTAVIA=yes - ENABLE_SAHARA=yes - ENABLE_TROVE=no # Not installed: - ENABLE_FREEZER=no - ENABLE_FWAAS=no - ENABLE_KARBOR=no - ENABLE_DESIGNATE=no - ENABLE_SEARCHLIGHT=no - ENABLE_SENLIN=no - ENABLE_SOLUM=no - ENABLE_TACKER=no - ENABLE_WATCHER=no - ENABLE_ZAQAR=no - ENABLE_ZUN=no host_prep_tasks: - name: create persistent directories file: path: "{{ item.path }}" state: directory setype: "{{ item.setype }}" with_items: - { 'path': /var/log/containers/horizon, 'setype': svirt_sandbox_file_t } - { 'path': /var/log/containers/httpd/horizon, 'setype': svirt_sandbox_file_t } - { 'path': /var/www, 'setype': svirt_sandbox_file_t } - { 'path': /var/log/horizon, 'setype': svirt_sandbox_file_t } - name: horizon logs readme copy: dest: /var/log/horizon/readme.txt content: | Log files from horizon containers can be found under /var/log/containers/horizon and /var/log/containers/httpd/horizon. ignore_errors: true upgrade_tasks: - when: step|int == 0 tags: common block: - name: Check for horizon running under apache shell: "httpd -t -D DUMP_VHOSTS | grep -q horizon_vhost" ignore_errors: True register: horizon_httpd_enabled_result - set_fact: horizon_httpd_enabled: "{{ horizon_httpd_enabled_result.rc == 0 }}" - name: Check if httpd is running command: systemctl is-active --quiet httpd ignore_errors: True register: httpd_running_result when: httpd_running is undefined - name: Set fact httpd_running set_fact: httpd_running: "{{ httpd_running_result.rc == 0 }}" when: httpd_running is undefined - name: "PreUpgrade step0,validation: Check if horizon is running" shell: systemctl is-active --quiet httpd when: - horizon_httpd_enabled|bool - httpd_running|bool tags: validation - name: Stop and disable horizon service (running under httpd) when: - step|int == 2 - httpd_running|bool service: name=httpd state=stopped enabled=no post_upgrade_tasks: - when: step|int == 1 import_role: name: tripleo-docker-rm vars: containers_to_rm: - horizon