heat_template_version: rocky description: > Horizon service configured with Puppet parameters: ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json Debug: default: false description: Set to True to enable debugging on all services. type: boolean HorizonDebug: default: false description: Set to True to enable debugging Horizon service. type: string constraints: - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE'] DefaultPasswords: default: {} type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json HorizonAllowedHosts: default: '*' description: A list of IP/Hostname for the server Horizon is running on. Used for header checks. type: comma_delimited_list HorizonPasswordValidator: description: Regex for password validation type: string default: '' HorizonPasswordValidatorHelp: description: Help text for password validation type: string default: '' HorizonSecret: description: Secret key for Django type: string hidden: true default: '' HorizonSecureCookies: description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon type: boolean default: false MemcachedIPv6: default: false description: Enable IPv6 features in Memcached. type: boolean MonitoringSubscriptionHorizon: default: 'overcloud-horizon' type: string EnableInternalTLS: type: boolean default: false InternalTLSCAFile: default: '/etc/ipa/ca.crt' type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. HorizonVhostExtraParams: default: add_listen: true priority: 10 access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"' options: ['FollowSymLinks','MultiViews'] description: Extra parameters for Horizon vhost configuration type: json HorizonCustomizationModule: default: '' description: Horizon has a global overrides mechanism available to perform customizations type: string WebSSOEnable: default: false type: boolean description: Enable support for Web Single Sign-On WebSSOInitialChoice: default: 'OIDC' type: string description: The initial authentication choice to select by default WebSSOChoices: default: - ['OIDC', 'OpenID Connect'] type: json description: Specifies the list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message. WebSSOIDPMapping: default: 'OIDC': ['myidp', 'openid'] type: json description: Specifies a mapping from SSO authentication choice to identity provider and protocol. The identity provider and protocol names must match the resources defined in keystone. conditions: debug_unset: {equals : [{get_param: Debug}, '']} websso_enabled: {equals : [{get_param: WebSSOEnable}, True]} outputs: role_data: description: Role data for the Horizon role. value: service_name: horizon monitoring_subscription: {get_param: MonitoringSubscriptionHorizon} config_settings: map_merge: - horizon::allowed_hosts: {get_param: HorizonAllowedHosts} tripleo::horizon::firewall_rules: '126 horizon': dport: - 80 - 443 horizon::enable_secure_proxy_ssl_header: true horizon::disable_password_reveal: true horizon::enforce_password_check: true horizon::disallow_iframe_embed: true horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache horizon::django_session_engine: 'django.contrib.sessions.backends.cache' horizon::vhost_extra_params: {get_param: HorizonVhostExtraParams} horizon::bind_address: str_replace: template: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]} horizon::keystone_url: {get_param: [EndpointMap, KeystoneV3Public, uri]} horizon::password_validator: {get_param: [HorizonPasswordValidator]} horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]} horizon::secret_key: yaql: expression: $.data.passwords.where($ != '').first() data: passwords: - {get_param: HorizonSecret} - {get_param: [DefaultPasswords, horizon_secret]} horizon::secure_cookies: {get_param: [HorizonSecureCookies]} memcached_ipv6: {get_param: MemcachedIPv6} horizon::servername: str_replace: template: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]} horizon::listen_ssl: {get_param: EnableInternalTLS} horizon::horizon_ca: {get_param: InternalTLSCAFile} horizon::customization_module: {get_param: HorizonCustomizationModule} - if: - websso_enabled - horizon::websso_enabled: get_param: WebSSOEnable horizon::websso_initial_choice: get_param: WebSSOInitialChoice horizon::websso_choices: get_param: WebSSOChoices horizon::websso_idp_mapping: get_param: WebSSOIDPMapping - {} - if: - debug_unset - horizon::django_debug: { get_param: HorizonDebug } - horizon::django_debug: { get_param: Debug } step_config: | include ::tripleo::profile::base::horizon upgrade_tasks: [] service_config_settings: haproxy: tripleo::haproxy::firewall_rules: '127 horizon': dport: - 80 - 443 keystone: keystone_enable_member: true