heat_template_version: rocky description: > OpenStack containerized Horizon service parameters: ContainerHorizonImage: description: image type: string ContainerHorizonConfigImage: description: The container image to use for the horizon config_volume type: string EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json DefaultPasswords: default: {} type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EnableInternalTLS: type: boolean default: false Debug: default: false description: Set to True to enable debugging on all services. type: boolean HorizonDebug: default: '' description: Set to True to enable debugging Horizon service. type: string constraints: - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE'] HorizonAllowedHosts: default: '*' description: A list of IP/Hostname for the server Horizon is running on. Used for header checks. type: comma_delimited_list HorizonPasswordValidator: description: Regex for password validation type: string default: '' HorizonPasswordValidatorHelp: description: Help text for password validation type: string default: '' HorizonSecret: description: Secret key for Django type: string hidden: true default: '' HorizonSecureCookies: description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon type: boolean default: false MemcachedIPv6: default: false description: Enable IPv6 features in Memcached. type: boolean MonitoringSubscriptionHorizon: default: 'overcloud-horizon' type: string EnableInternalTLS: type: boolean default: false InternalTLSCAFile: default: '/etc/ipa/ca.crt' type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. HorizonVhostExtraParams: default: add_listen: true priority: 10 access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"' options: ['FollowSymLinks','MultiViews'] description: Extra parameters for Horizon vhost configuration type: json HorizonCustomizationModule: default: '' description: Horizon has a global overrides mechanism available to perform customizations type: string HorizonHelpURL: default: 'http://docs.openstack.org' description: On top of dashboard there is a Help button. This button could be used to re-direct user to vendor documentation or dedicated help portal. type: string TimeZone: default: 'UTC' description: The timezone to be set on the overcloud. type: string WebSSOEnable: default: false type: boolean description: Enable support for Web Single Sign-On WebSSOInitialChoice: default: 'OIDC' type: string description: The initial authentication choice to select by default WebSSOChoices: default: - ['OIDC', 'OpenID Connect'] type: json description: Specifies the list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message. WebSSOIDPMapping: default: 'OIDC': ['myidp', 'openid'] type: json description: Specifies a mapping from SSO authentication choice to identity provider and protocol. The identity provider and protocol names must match the resources defined in keystone. HorizonLoggingSource: type: json default: tag: openstack.horizon file: /var/log/containers/horizon/horizon.log conditions: service_debug_unset: {equals : [{get_param: HorizonDebug}, '']} websso_enabled: {equals : [{get_param: WebSSOEnable}, True]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} horizon_logger_debug: or: - and: - service_debug_unset - get_param: Debug - and: - not: service_debug_unset - yaql: expression: $.data.horizon_debug.matches("true|True|TRUE") data: horizon_debug: get_param: HorizonDebug resources: ContainersCommon: type: ../containers-common.yaml outputs: role_data: description: Role data for the Horizon API role. value: service_name: horizon monitoring_subscription: {get_param: MonitoringSubscriptionHorizon} config_settings: map_merge: - horizon::allowed_hosts: {get_param: HorizonAllowedHosts} tripleo::horizon::firewall_rules: '126 horizon': dport: - 80 - 443 horizon::enable_secure_proxy_ssl_header: true horizon::disable_password_reveal: true horizon::enforce_password_check: true horizon::disallow_iframe_embed: true horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache horizon::django_session_engine: 'django.contrib.sessions.backends.cache' horizon::vhost_extra_params: {get_param: HorizonVhostExtraParams} horizon::bind_address: str_replace: template: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]} horizon::keystone_url: {get_param: [EndpointMap, KeystoneV3Public, uri]} horizon::password_validator: {get_param: [HorizonPasswordValidator]} horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]} horizon::secret_key: yaql: expression: $.data.passwords.where($ != '').first() data: passwords: - {get_param: HorizonSecret} - {get_param: [DefaultPasswords, horizon_secret]} horizon::secure_cookies: {get_param: [HorizonSecureCookies]} memcached_ipv6: {get_param: MemcachedIPv6} horizon::servername: str_replace: template: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]} horizon::listen_ssl: {get_param: EnableInternalTLS} horizon::horizon_ca: {get_param: InternalTLSCAFile} horizon::customization_module: {get_param: HorizonCustomizationModule} horizon::timezone: {get_param: TimeZone} horizon::file_upload_temp_dir: '/var/tmp' horizon::help_url: {get_param: HorizonHelpURL} - if: - websso_enabled - horizon::websso_enabled: get_param: WebSSOEnable horizon::websso_initial_choice: get_param: WebSSOInitialChoice horizon::websso_choices: get_param: WebSSOChoices horizon::websso_idp_mapping: get_param: WebSSOIDPMapping - {} - if: - service_debug_unset - horizon::django_debug: { get_param: Debug } - horizon::django_debug: { get_param: HorizonDebug } - if: - horizon_logger_debug - horizon::log_level: 'DEBUG' - {} ansible_group_vars: keystone_enable_member: true service_config_settings: rsyslog: tripleo_logging_sources_horizon: yaql: expression: $.data.sources.flatten() data: sources: - {get_param: HorizonLoggingSource} # BEGIN DOCKER SETTINGS puppet_config: config_volume: horizon puppet_tags: horizon_config step_config: | include ::tripleo::profile::base::horizon config_image: {get_param: ContainerHorizonConfigImage} kolla_config: /var/lib/kolla/config_files/horizon.json: command: /usr/sbin/httpd -DFOREGROUND config_files: - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d" dest: "/etc/httpd/conf.d" merge: false preserve_properties: true - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d" dest: "/etc/httpd/conf.modules.d" # TODO(emilien) remove optional flag once we get a promotion # https://launchpad.net/bugs/1884115 optional: true merge: false preserve_properties: true - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true permissions: - path: /var/log/horizon/ owner: apache:apache recurse: true # NOTE The upstream Kolla Dockerfile sets /etc/openstack-dashboard/ ownership to # horizon:horizon - the policy.json files need read permissions for the apache user # FIXME We should consider whether this should be fixed in the Kolla Dockerfile instead - path: /etc/openstack-dashboard/ owner: apache:apache recurse: true # FIXME Apache tries to write a .lock file there - path: /usr/share/openstack-dashboard/openstack_dashboard/local/ owner: apache:apache recurse: false # FIXME Our theme settings are there - path: /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/ owner: apache:apache recurse: false docker_config: step_2: horizon_fix_perms: image: &horizon_image {get_param: ContainerHorizonImage} net: none user: root # NOTE Set ownership for /var/log/horizon/horizon.log file here, # otherwise it's created by root when generating django cache. # FIXME Apache needs to read files in /etc/openstack-dashboard # Need to set permissions to match the BM case, # http://paste.openstack.org/show/609819/ command: ['/bin/bash', '-c', 'touch /var/log/horizon/horizon.log ; chown -R apache:apache /var/log/horizon && chmod -R a+rx /etc/openstack-dashboard'] volumes: - /var/log/containers/horizon:/var/log/horizon:z - /var/log/containers/httpd/horizon:/var/log/httpd:z - /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard:/etc/openstack-dashboard step_3: horizon: image: *horizon_image net: host privileged: false restart: always healthcheck: test: /openstack/healthcheck volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/kolla/config_files/horizon.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/horizon:/var/lib/kolla/config_files/src:ro - /var/log/containers/horizon:/var/log/horizon:z - /var/log/containers/httpd/horizon:/var/log/httpd:z - /var/tmp/:/var/tmp/:z - /var/www/:/var/www/:ro - if: - internal_tls_enabled - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro - [] - if: - internal_tls_enabled - - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro - [] environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS # Installed plugins: ENABLE_CLOUDKITTY: 'no' ENABLE_IRONIC: 'yes' ENABLE_MAGNUM: 'no' ENABLE_MANILA: 'yes' ENABLE_HEAT: 'yes' # murano depends on heat-dashboard that is not yet installed # https://bugs.launchpad.net/tripleo/+bug/1752132 ENABLE_MURANO: 'no' ENABLE_MISTRAL: 'yes' ENABLE_OCTAVIA: 'yes' ENABLE_SAHARA: 'yes' ENABLE_TROVE: 'no' # Not installed: ENABLE_FREEZER: 'no' ENABLE_FWAAS: 'no' ENABLE_KARBOR: 'no' ENABLE_DESIGNATE: 'no' ENABLE_SEARCHLIGHT: 'no' ENABLE_SENLIN: 'no' ENABLE_SOLUM: 'no' ENABLE_TACKER: 'no' ENABLE_WATCHER: 'no' ENABLE_ZAQAR: 'no' ENABLE_ZUN: 'no' host_prep_tasks: - name: create persistent directories file: path: "{{ item.path }}" state: directory setype: "{{ item.setype }}" mode: "{{ item.mode|default(omit) }}" with_items: - { 'path': /var/log/containers/horizon, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - { 'path': /var/log/containers/httpd/horizon, 'setype': svirt_sandbox_file_t, 'mode': '0750' } - { 'path': /var/www, 'setype': svirt_sandbox_file_t } upgrade_tasks: [] external_upgrade_tasks: - when: - step|int == 1 tags: - never - system_upgrade_transfer_data - system_upgrade_stop_services block: - name: Stop horizon container import_role: name: tripleo-container-stop vars: tripleo_containers_to_stop: - horizon tripleo_delegate_to: "{{ groups['horizon'] | default([]) }}"