tripleo-heat-templates/deployment/horizon/horizon-container-puppet.yaml

375 lines
14 KiB
YAML

heat_template_version: rocky
description: >
OpenStack containerized Horizon service
parameters:
ContainerHorizonImage:
description: image
type: string
ContainerHorizonConfigImage:
description: The container image to use for the horizon config_volume
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
HorizonDebug:
default: false
description: Set to True to enable debugging Horizon service.
type: string
constraints:
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
HorizonAllowedHosts:
default: '*'
description: A list of IP/Hostname for the server Horizon is running on.
Used for header checks.
type: comma_delimited_list
HorizonPasswordValidator:
description: Regex for password validation
type: string
default: ''
HorizonPasswordValidatorHelp:
description: Help text for password validation
type: string
default: ''
HorizonSecret:
description: Secret key for Django
type: string
hidden: true
default: ''
HorizonSecureCookies:
description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
type: boolean
default: false
MemcachedIPv6:
default: false
description: Enable IPv6 features in Memcached.
type: boolean
MonitoringSubscriptionHorizon:
default: 'overcloud-horizon'
type: string
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
HorizonVhostExtraParams:
default:
add_listen: true
priority: 10
access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
options: ['FollowSymLinks','MultiViews']
description: Extra parameters for Horizon vhost configuration
type: json
HorizonCustomizationModule:
default: ''
description: Horizon has a global overrides mechanism available to perform customizations
type: string
HorizonHelpURL:
default: 'http://docs.openstack.org'
description: On top of dashboard there is a Help button. This button could be used
to re-direct user to vendor documentation or dedicated help portal.
type: string
TimeZone:
default: 'UTC'
description: The timezone to be set on the overcloud.
type: string
WebSSOEnable:
default: false
type: boolean
description: Enable support for Web Single Sign-On
WebSSOInitialChoice:
default: 'OIDC'
type: string
description: The initial authentication choice to select by default
WebSSOChoices:
default:
- ['OIDC', 'OpenID Connect']
type: json
description: Specifies the list of SSO authentication choices to present.
Each item is a list of an SSO choice identifier and a display
message.
WebSSOIDPMapping:
default:
'OIDC': ['myidp', 'openid']
type: json
description: Specifies a mapping from SSO authentication choice to identity
provider and protocol. The identity provider and protocol names
must match the resources defined in keystone.
HorizonDomainChoices:
default: []
type: json
description: Specifies available domains to choose from. We expect an array
of hashes, and the hashes should have two items each (name, display)
containing Keystone domain name and a human-readable description of
the domain respectively.
parameter_groups:
- label: deprecated
description: |
The following parameters are deprecated and will be removed. They should not
be relied on for new deployments. If you have concerns regarding deprecated
parameters, please contact the TripleO development team on IRC or the
OpenStack mailing list.
parameters:
- MemcachedIPv6
conditions:
debug_unset: {equals : [{get_param: Debug}, '']}
websso_enabled: {equals : [{get_param: WebSSOEnable}, True]}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
horizon_domain_choices_set: {not: {equals: [{get_param: HorizonDomainChoices}, []]}}
is_ipv6:
equals:
- {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, HorizonNetwork]}]}
- 6
resources:
ContainersCommon:
type: ../containers-common.yaml
outputs:
role_data:
description: Role data for the Horizon API role.
value:
service_name: horizon
firewall_rules:
'126 horizon':
dport:
- 80
- 443
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
config_settings:
map_merge:
- horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
horizon::enable_secure_proxy_ssl_header: true
horizon::disable_password_reveal: true
horizon::enforce_password_check: true
horizon::disallow_iframe_embed: true
horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache
horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
horizon::vhost_extra_params: {get_param: HorizonVhostExtraParams}
horizon::bind_address:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
horizon::keystone_url: {get_param: [EndpointMap, KeystoneV3Public, uri]}
horizon::password_validator: {get_param: [HorizonPasswordValidator]}
horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]}
horizon::secret_key:
yaql:
expression: $.data.passwords.where($ != '').first()
data:
passwords:
- {get_param: HorizonSecret}
- {get_param: [DefaultPasswords, horizon_secret]}
horizon::secure_cookies: {get_param: [HorizonSecureCookies]}
memcached_ipv6: {if: [is_ipv6, true, false]}
horizon::servername:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
horizon::listen_ssl: {get_param: EnableInternalTLS}
horizon::horizon_ca: {get_param: InternalTLSCAFile}
horizon::customization_module: {get_param: HorizonCustomizationModule}
horizon::timezone: {get_param: TimeZone}
horizon::file_upload_temp_dir: '/var/tmp'
horizon::help_url: {get_param: HorizonHelpURL}
-
if:
- websso_enabled
-
horizon::websso_enabled:
get_param: WebSSOEnable
horizon::websso_initial_choice:
get_param: WebSSOInitialChoice
horizon::websso_choices:
get_param: WebSSOChoices
horizon::websso_idp_mapping:
get_param: WebSSOIDPMapping
- {}
-
if:
- debug_unset
- horizon::django_debug: { get_param: HorizonDebug }
- horizon::django_debug: { get_param: Debug }
- if:
- horizon_domain_choices_set
- horizon::keystone_domain_choices: {get_param: HorizonDomainChoices}
- {}
ansible_group_vars:
keystone_enable_member: true
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: horizon
puppet_tags: horizon_config
step_config: |
include tripleo::profile::base::horizon
config_image: {get_param: ContainerHorizonConfigImage}
kolla_config:
/var/lib/kolla/config_files/horizon.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
dest: "/etc/httpd/conf.modules.d"
# TODO(emilien) remove optional flag once we get a promotion
# https://launchpad.net/bugs/1884115
optional: true
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/horizon/
owner: apache:apache
recurse: true
# NOTE The upstream Kolla Dockerfile sets /etc/openstack-dashboard/ ownership to
# horizon:horizon - the policy.json files need read permissions for the apache user
# FIXME We should consider whether this should be fixed in the Kolla Dockerfile instead
- path: /etc/openstack-dashboard/
owner: apache:apache
recurse: true
# FIXME Apache tries to write a .lock file there
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/
owner: apache:apache
recurse: false
# FIXME Our theme settings are there
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/
owner: apache:apache
recurse: false
docker_config:
step_2:
horizon_fix_perms:
image: &horizon_image {get_param: ContainerHorizonImage}
net: none
user: root
# NOTE Set ownership for /var/log/horizon/horizon.log file here,
# otherwise it's created by root when generating django cache.
# FIXME Apache needs to read files in /etc/openstack-dashboard
# Need to set permissions to match the BM case,
# http://paste.openstack.org/show/609819/
command: ['/bin/bash', '-c', 'touch /var/log/horizon/horizon.log ; chown -R apache:apache /var/log/horizon && chmod -R a+rx /etc/openstack-dashboard']
volumes:
- /var/log/containers/horizon:/var/log/horizon:z
- /var/log/containers/httpd/horizon:/var/log/httpd:z
- /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard:/etc/openstack-dashboard
step_3:
horizon:
image: *horizon_image
net: host
privileged: false
restart: always
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/horizon.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/horizon:/var/lib/kolla/config_files/src:ro
- /var/log/containers/horizon:/var/log/horizon:z
- /var/log/containers/httpd/horizon:/var/log/httpd:z
- /var/tmp/:/var/tmp/:z
- /var/www/:/var/www/:ro
- if:
- internal_tls_enabled
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- []
- if:
- internal_tls_enabled
- - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- []
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
# Installed plugins:
ENABLE_CLOUDKITTY: 'no'
ENABLE_IRONIC: 'yes'
ENABLE_MAGNUM: 'no'
ENABLE_MANILA: 'yes'
ENABLE_HEAT: 'yes'
ENABLE_MURANO: 'no'
ENABLE_MISTRAL: 'no'
ENABLE_OCTAVIA: 'yes'
ENABLE_SAHARA: 'yes'
ENABLE_TROVE: 'no'
# Not installed:
ENABLE_FREEZER: 'no'
ENABLE_FWAAS: 'no'
ENABLE_KARBOR: 'no'
ENABLE_DESIGNATE: 'no'
ENABLE_SEARCHLIGHT: 'no'
ENABLE_SENLIN: 'no'
ENABLE_SOLUM: 'no'
ENABLE_TACKER: 'no'
ENABLE_WATCHER: 'no'
ENABLE_ZAQAR: 'no'
ENABLE_ZUN: 'no'
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
mode: "{{ item.mode|default(omit) }}"
with_items:
- { 'path': /var/log/containers/horizon, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/horizon, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/www, 'setype': container_file_t }
upgrade_tasks: []
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop horizon container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- horizon
tripleo_delegate_to: "{{ groups['horizon'] | default([]) }}"