3238e547a6
This change combines the previous puppet and docker files into a single file that performs the docker service installation and configuration for the horizon service. With this patch the baremetal version of each respective horizon service has been removed. Change-Id: I132465a32cd9f5e094ed184a92549d6521ad4e64 Related-Blueprint: services-yaml-flattening
370 lines
14 KiB
YAML
370 lines
14 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack containerized Horizon service
|
|
|
|
parameters:
|
|
DockerHorizonImage:
|
|
description: image
|
|
type: string
|
|
DockerHorizonConfigImage:
|
|
description: The container image to use for the horizon config_volume
|
|
type: string
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
Debug:
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
type: boolean
|
|
HorizonDebug:
|
|
default: false
|
|
description: Set to True to enable debugging Horizon service.
|
|
type: string
|
|
constraints:
|
|
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
|
|
HorizonAllowedHosts:
|
|
default: '*'
|
|
description: A list of IP/Hostname for the server Horizon is running on.
|
|
Used for header checks.
|
|
type: comma_delimited_list
|
|
HorizonPasswordValidator:
|
|
description: Regex for password validation
|
|
type: string
|
|
default: ''
|
|
HorizonPasswordValidatorHelp:
|
|
description: Help text for password validation
|
|
type: string
|
|
default: ''
|
|
HorizonSecret:
|
|
description: Secret key for Django
|
|
type: string
|
|
hidden: true
|
|
default: ''
|
|
HorizonSecureCookies:
|
|
description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
|
|
type: boolean
|
|
default: false
|
|
MemcachedIPv6:
|
|
default: false
|
|
description: Enable IPv6 features in Memcached.
|
|
type: boolean
|
|
MonitoringSubscriptionHorizon:
|
|
default: 'overcloud-horizon'
|
|
type: string
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
HorizonVhostExtraParams:
|
|
default:
|
|
add_listen: true
|
|
priority: 10
|
|
access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
|
|
options: ['FollowSymLinks','MultiViews']
|
|
description: Extra parameters for Horizon vhost configuration
|
|
type: json
|
|
HorizonCustomizationModule:
|
|
default: ''
|
|
description: Horizon has a global overrides mechanism available to perform customizations
|
|
type: string
|
|
WebSSOEnable:
|
|
default: false
|
|
type: boolean
|
|
description: Enable support for Web Single Sign-On
|
|
WebSSOInitialChoice:
|
|
default: 'OIDC'
|
|
type: string
|
|
description: The initial authentication choice to select by default
|
|
WebSSOChoices:
|
|
default:
|
|
- ['OIDC', 'OpenID Connect']
|
|
type: json
|
|
description: Specifies the list of SSO authentication choices to present.
|
|
Each item is a list of an SSO choice identifier and a display
|
|
message.
|
|
WebSSOIDPMapping:
|
|
default:
|
|
'OIDC': ['myidp', 'openid']
|
|
type: json
|
|
description: Specifies a mapping from SSO authentication choice to identity
|
|
provider and protocol. The identity provider and protocol names
|
|
must match the resources defined in keystone.
|
|
|
|
conditions:
|
|
debug_unset: {equals : [{get_param: Debug}, '']}
|
|
websso_enabled: {equals : [{get_param: WebSSOEnable}, True]}
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ../../docker/services/containers-common.yaml
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Horizon API role.
|
|
value:
|
|
service_name: horizon
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
|
|
config_settings:
|
|
map_merge:
|
|
- horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
|
|
tripleo::horizon::firewall_rules:
|
|
'126 horizon':
|
|
dport:
|
|
- 80
|
|
- 443
|
|
horizon::enable_secure_proxy_ssl_header: true
|
|
horizon::disable_password_reveal: true
|
|
horizon::enforce_password_check: true
|
|
horizon::disallow_iframe_embed: true
|
|
horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache
|
|
horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
|
|
horizon::vhost_extra_params: {get_param: HorizonVhostExtraParams}
|
|
horizon::bind_address:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
|
|
horizon::keystone_url: {get_param: [EndpointMap, KeystoneV3Public, uri]}
|
|
horizon::password_validator: {get_param: [HorizonPasswordValidator]}
|
|
horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]}
|
|
horizon::secret_key:
|
|
yaql:
|
|
expression: $.data.passwords.where($ != '').first()
|
|
data:
|
|
passwords:
|
|
- {get_param: HorizonSecret}
|
|
- {get_param: [DefaultPasswords, horizon_secret]}
|
|
horizon::secure_cookies: {get_param: [HorizonSecureCookies]}
|
|
memcached_ipv6: {get_param: MemcachedIPv6}
|
|
horizon::servername:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
|
|
horizon::listen_ssl: {get_param: EnableInternalTLS}
|
|
horizon::horizon_ca: {get_param: InternalTLSCAFile}
|
|
horizon::customization_module: {get_param: HorizonCustomizationModule}
|
|
-
|
|
if:
|
|
- websso_enabled
|
|
-
|
|
horizon::websso_enabled:
|
|
get_param: WebSSOEnable
|
|
horizon::websso_initial_choice:
|
|
get_param: WebSSOInitialChoice
|
|
horizon::websso_choices:
|
|
get_param: WebSSOChoices
|
|
horizon::websso_idp_mapping:
|
|
get_param: WebSSOIDPMapping
|
|
- {}
|
|
-
|
|
if:
|
|
- debug_unset
|
|
- horizon::django_debug: { get_param: HorizonDebug }
|
|
- horizon::django_debug: { get_param: Debug }
|
|
service_config_settings:
|
|
haproxy:
|
|
tripleo::haproxy::firewall_rules:
|
|
'127 horizon':
|
|
dport:
|
|
- 80
|
|
- 443
|
|
keystone:
|
|
keystone_enable_member: true
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: horizon
|
|
puppet_tags: horizon_config
|
|
step_config: |
|
|
include ::tripleo::profile::base::horizon
|
|
config_image: {get_param: DockerHorizonConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/horizon.json:
|
|
command: /usr/sbin/httpd -DFOREGROUND
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
|
|
dest: "/etc/httpd/conf.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /var/log/horizon/
|
|
owner: apache:apache
|
|
recurse: true
|
|
# NOTE The upstream Kolla Dockerfile sets /etc/openstack-dashboard/ ownership to
|
|
# horizon:horizon - the policy.json files need read permissions for the apache user
|
|
# FIXME We should consider whether this should be fixed in the Kolla Dockerfile instead
|
|
- path: /etc/openstack-dashboard/
|
|
owner: apache:apache
|
|
recurse: true
|
|
# FIXME Apache tries to write a .lock file there
|
|
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/
|
|
owner: apache:apache
|
|
recurse: false
|
|
# FIXME Our theme settings are there
|
|
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/
|
|
owner: apache:apache
|
|
recurse: false
|
|
docker_config:
|
|
step_2:
|
|
horizon_fix_perms:
|
|
image: &horizon_image {get_param: DockerHorizonImage}
|
|
net: none
|
|
user: root
|
|
# NOTE Set ownership for /var/log/horizon/horizon.log file here,
|
|
# otherwise it's created by root when generating django cache.
|
|
# FIXME Apache needs to read files in /etc/openstack-dashboard
|
|
# Need to set permissions to match the BM case,
|
|
# http://paste.openstack.org/show/609819/
|
|
command: ['/bin/bash', '-c', 'touch /var/log/horizon/horizon.log && chown -R apache:apache /var/log/horizon && chmod -R a+rx /etc/openstack-dashboard']
|
|
volumes:
|
|
- /var/log/containers/horizon:/var/log/horizon:z
|
|
- /var/log/containers/httpd/horizon:/var/log/httpd:z
|
|
- /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard:/etc/openstack-dashboard
|
|
step_3:
|
|
horizon:
|
|
image: *horizon_image
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/horizon.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/horizon/:/var/lib/kolla/config_files/src:ro
|
|
- /var/log/containers/horizon:/var/log/horizon:z
|
|
- /var/log/containers/httpd/horizon:/var/log/httpd:z
|
|
- /var/www/:/var/www/:ro
|
|
-
|
|
if:
|
|
- internal_tls_enabled
|
|
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- ''
|
|
-
|
|
if:
|
|
- internal_tls_enabled
|
|
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
- ''
|
|
environment:
|
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
# Installed plugins:
|
|
- ENABLE_CLOUDKITTY=no
|
|
- ENABLE_IRONIC=yes
|
|
- ENABLE_MAGNUM=no
|
|
- ENABLE_MANILA=no
|
|
- ENABLE_HEAT=yes
|
|
# murano depends on heat-dashboard that is not yet installed
|
|
# https://bugs.launchpad.net/tripleo/+bug/1752132
|
|
- ENABLE_MURANO=no
|
|
- ENABLE_MISTRAL=yes
|
|
- ENABLE_NEUTRON_LBAAS=yes
|
|
- ENABLE_OCTAVIA=yes
|
|
- ENABLE_SAHARA=yes
|
|
- ENABLE_TROVE=no
|
|
# Not installed:
|
|
- ENABLE_FREEZER=no
|
|
- ENABLE_FWAAS=no
|
|
- ENABLE_KARBOR=no
|
|
- ENABLE_DESIGNATE=no
|
|
- ENABLE_SEARCHLIGHT=no
|
|
- ENABLE_SENLIN=no
|
|
- ENABLE_SOLUM=no
|
|
- ENABLE_TACKER=no
|
|
- ENABLE_WATCHER=no
|
|
- ENABLE_ZAQAR=no
|
|
- ENABLE_ZUN=no
|
|
host_prep_tasks:
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype }}"
|
|
with_items:
|
|
- { 'path': /var/log/containers/horizon, 'setype': svirt_sandbox_file_t }
|
|
- { 'path': /var/log/containers/httpd/horizon, 'setype': svirt_sandbox_file_t }
|
|
- { 'path': /var/www, 'setype': svirt_sandbox_file_t }
|
|
- { 'path': /var/log/horizon, 'setype': svirt_sandbox_file_t }
|
|
- name: horizon logs readme
|
|
copy:
|
|
dest: /var/log/horizon/readme.txt
|
|
content: |
|
|
Log files from horizon containers can be found under
|
|
/var/log/containers/horizon and /var/log/containers/httpd/horizon.
|
|
ignore_errors: true
|
|
upgrade_tasks:
|
|
- when: step|int == 0
|
|
tags: common
|
|
block:
|
|
- name: Check for horizon running under apache
|
|
shell: "httpd -t -D DUMP_VHOSTS | grep -q horizon_vhost"
|
|
ignore_errors: True
|
|
register: horizon_httpd_enabled_result
|
|
- set_fact:
|
|
horizon_httpd_enabled: "{{ horizon_httpd_enabled_result.rc == 0 }}"
|
|
- name: Check if httpd is running
|
|
command: systemctl is-active --quiet httpd
|
|
ignore_errors: True
|
|
register: httpd_running_result
|
|
when: httpd_running is undefined
|
|
- name: Set fact httpd_running
|
|
set_fact:
|
|
httpd_running: "{{ httpd_running_result.rc == 0 }}"
|
|
when: httpd_running is undefined
|
|
- name: "PreUpgrade step0,validation: Check if horizon is running"
|
|
shell: systemctl is-active --quiet httpd
|
|
when:
|
|
- horizon_httpd_enabled|bool
|
|
- httpd_running|bool
|
|
tags: validation
|
|
- name: Stop and disable horizon service (running under httpd)
|
|
when:
|
|
- step|int == 2
|
|
- httpd_running|bool
|
|
service: name=httpd state=stopped enabled=no
|
|
post_upgrade_tasks:
|
|
- when: step|int == 1
|
|
import_role:
|
|
name: tripleo-docker-rm
|
|
vars:
|
|
containers_to_rm:
|
|
- horizon
|