heat_template_version: wallaby description: > OpenStack containerized Horizon service parameters: ContainerHorizonImage: description: image type: string ContainerHorizonConfigImage: description: The container image to use for the horizon config_volume type: string EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. Use parameter_merge_strategies to merge it with the defaults. type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json Debug: default: false description: Set to True to enable debugging on all services. type: boolean HorizonDebug: default: false description: Set to True to enable debugging Horizon service. type: boolean HorizonAllowedHosts: default: '*' description: A list of IP/Hostname for the server Horizon is running on. Used for header checks. type: comma_delimited_list HorizonPasswordValidator: description: Regex for password validation type: string default: '' HorizonPasswordValidatorHelp: description: Help text for password validation type: string default: '' HorizonSecret: description: Secret key for Django type: string hidden: true default: '' HorizonSecureCookies: description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon type: boolean default: false HorizonSessionTimeout: description: Set session timeout for horizon in seconds type: number default: 1800 MemcachedIPv6: default: false description: Enable IPv6 features in Memcached. type: boolean MonitoringSubscriptionHorizon: default: 'overcloud-horizon' type: string EnableInternalTLS: type: boolean default: false InternalTLSCAFile: default: '/etc/ipa/ca.crt' type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. HorizonVhostExtraParams: default: add_listen: true priority: 10 access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"' options: ['FollowSymLinks','MultiViews'] description: Extra parameters for Horizon vhost configuration type: json HorizonCustomizationModule: default: '' description: Horizon has a global overrides mechanism available to perform customizations type: string HorizonHelpURL: default: 'http://docs.openstack.org' description: On top of dashboard there is a Help button. This button could be used to re-direct user to vendor documentation or dedicated help portal. type: string TimeZone: default: 'UTC' description: The timezone to be set on the overcloud. type: string WebSSOEnable: default: false type: boolean description: Enable support for Web Single Sign-On WebSSOInitialChoice: default: 'OIDC' type: string description: The initial authentication choice to select by default WebSSOChoices: default: - ['OIDC', 'OpenID Connect'] type: json description: Specifies the list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message. WebSSOIDPMapping: default: 'OIDC': ['myidp', 'openid'] type: json description: Specifies a mapping from SSO authentication choice to identity provider and protocol. The identity provider and protocol names must match the resources defined in keystone. HorizonDomainChoices: default: [] type: json description: Specifies available domains to choose from. We expect an array of hashes, and the hashes should have two items each (name, display) containing Keystone domain name and a human-readable description of the domain respectively. HorizonLoggingSource: type: json default: tag: openstack.horizon file: /var/log/containers/horizon/horizon.log parameter_groups: - label: deprecated description: | The following parameters are deprecated and will be removed. They should not be relied on for new deployments. If you have concerns regarding deprecated parameters, please contact the TripleO development team on IRC or the OpenStack mailing list. parameters: - MemcachedIPv6 conditions: horizon_domain_choices_set: {not: {equals: [{get_param: HorizonDomainChoices}, []]}} is_ipv6: equals: - {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, HorizonNetwork]}]} - 6 horizon_logger_debug: or: - {get_param: Debug} - {get_param: HorizonDebug} resources: ContainersCommon: type: ../containers-common.yaml outputs: role_data: description: Role data for the Horizon API role. value: service_name: horizon firewall_rules: '126 horizon': dport: - 80 - 443 monitoring_subscription: {get_param: MonitoringSubscriptionHorizon} config_settings: map_merge: - horizon::allowed_hosts: {get_param: HorizonAllowedHosts} horizon::enable_secure_proxy_ssl_header: true horizon::disable_password_reveal: true horizon::enforce_password_check: true horizon::disallow_iframe_embed: true horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache horizon::django_session_engine: 'django.contrib.sessions.backends.cache' horizon::vhost_extra_params: {get_param: HorizonVhostExtraParams} horizon::bind_address: str_replace: template: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]} horizon::keystone_url: {get_param: [EndpointMap, KeystoneV3Public, uri]} horizon::password_validator: {get_param: [HorizonPasswordValidator]} horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]} horizon::secret_key: {get_param: HorizonSecret} horizon::secure_cookies: {get_param: [HorizonSecureCookies]} horizon::session_timeout: {get_param: HorizonSessionTimeout} memcached_ipv6: {if: [is_ipv6, true, false]} horizon::servername: str_replace: template: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]} horizon::listen_ssl: {get_param: EnableInternalTLS} horizon::customization_module: {get_param: HorizonCustomizationModule} horizon::timezone: {get_param: TimeZone} horizon::file_upload_temp_dir: '/var/tmp' horizon::help_url: {get_param: HorizonHelpURL} - if: - {get_param: EnableInternalTLS} - horizon::horizon_ca: {get_param: InternalTLSCAFile} horizon::ssl_verify_client: require - if: - {get_param: WebSSOEnable} - horizon::websso_enabled: get_param: WebSSOEnable horizon::websso_initial_choice: get_param: WebSSOInitialChoice horizon::websso_choices: get_param: WebSSOChoices horizon::websso_idp_mapping: get_param: WebSSOIDPMapping - if: - {get_param: HorizonDebug} - horizon::django_debug: true - horizon::django_debug: {get_param: Debug} - if: - horizon_logger_debug - horizon::log_level: 'DEBUG' - if: - horizon_domain_choices_set - horizon::keystone_domain_choices: {get_param: HorizonDomainChoices} ansible_group_vars: keystone_enable_member: true service_config_settings: rsyslog: tripleo_logging_sources_horizon: yaql: expression: $.data.sources.flatten() data: sources: - {get_param: HorizonLoggingSource} # BEGIN DOCKER SETTINGS puppet_config: config_volume: horizon puppet_tags: horizon_config step_config: | include tripleo::profile::base::horizon config_image: {get_param: ContainerHorizonConfigImage} kolla_config: /var/lib/kolla/config_files/horizon.json: command: /usr/sbin/httpd -DFOREGROUND config_files: - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d" dest: "/etc/httpd/conf.d" merge: false preserve_properties: true - source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d" dest: "/etc/httpd/conf.modules.d" merge: false preserve_properties: true - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true permissions: - path: /var/log/horizon/ owner: apache:apache recurse: true # NOTE The upstream Kolla Dockerfile sets /etc/openstack-dashboard/ ownership to # horizon:horizon - the policy.json files need read permissions for the apache user # FIXME We should consider whether this should be fixed in the Kolla Dockerfile instead - path: /etc/openstack-dashboard/ owner: apache:apache recurse: true # FIXME Apache tries to write a .lock file there - path: /usr/share/openstack-dashboard/openstack_dashboard/local/ owner: apache:apache recurse: false # FIXME Our theme settings are there - path: /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/ owner: apache:apache recurse: false docker_config: step_2: horizon_fix_perms: image: &horizon_image {get_param: ContainerHorizonImage} net: none user: root # NOTE Set ownership for /var/log/horizon/horizon.log file here, # otherwise it's created by root when generating django cache. # FIXME Apache needs to read files in /etc/openstack-dashboard # Need to set permissions to match the BM case, # http://paste.openstack.org/show/609819/ command: ['/bin/bash', '-c', 'touch /var/log/horizon/horizon.log ; chown -R apache:apache /var/log/horizon && chmod -R a+rx /etc/openstack-dashboard'] volumes: - /var/log/containers/horizon:/var/log/horizon:z - /var/log/containers/httpd/horizon:/var/log/httpd:z - /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard:/etc/openstack-dashboard step_3: horizon: image: *horizon_image net: host privileged: false restart: always healthcheck: test: /openstack/healthcheck volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/kolla/config_files/horizon.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/horizon:/var/lib/kolla/config_files/src:ro - /var/log/containers/horizon:/var/log/horizon:z - /var/log/containers/httpd/horizon:/var/log/httpd:z - /var/tmp/horizon:/var/tmp/:z - /var/www/:/var/www/:ro - if: - {get_param: EnableInternalTLS} - - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro environment: KOLLA_CONFIG_STRATEGY: COPY_ALWAYS ENABLE_HEAT: 'yes' ENABLE_IRONIC: 'yes' ENABLE_MANILA: 'yes' ENABLE_OCTAVIA: 'yes' host_prep_tasks: - name: create persistent directories file: path: "{{ item.path }}" state: directory setype: "{{ item.setype }}" mode: "{{ item.mode|default(omit) }}" with_items: - { 'path': /var/log/containers/horizon, 'setype': container_file_t, 'mode': '0750' } - { 'path': /var/log/containers/httpd/horizon, 'setype': container_file_t, 'mode': '0750' } - { 'path': /var/www, 'setype': container_file_t } - { 'path': /var/tmp/horizon, 'setype': container_file_t, 'mode': '1777' } - name: ensure /var/tmp/horizon exists on boot copy: dest: /etc/tmpfiles.d/var-tmp-horizon.conf content: | d /var/tmp/horizon 1777 root root - - upgrade_tasks: - name: Anchor for upgrade and update tasks when: step|int == 0 block: &tmp_reset_label - name: Reset selinux label on /var/tmp file: path: /var/tmp state: directory setype: tmp_t mode: 1777 update_tasks: - name: Anchor for upgrade and update tasks when: step|int == 0 block: *tmp_reset_label external_upgrade_tasks: - when: - step|int == 1 tags: - never - system_upgrade_transfer_data - system_upgrade_stop_services block: - name: Stop horizon container import_role: name: tripleo_container_stop vars: tripleo_containers_to_stop: - horizon tripleo_delegate_to: "{{ groups['horizon'] | default([]) }}"