d762417106
There is a help button in horizon dashboard that has various use cases: - by default it should point to upstream documentation; - OpenStack vendor could adjust this URL, so it will point to his documentation; - every cloud operator could adjust this URL, so users will be re-directed to some custom portal. This patch adds an option to configure custom URL for Help button using HorizonHelpURL parameter. Change-Id: Ic95e55a007ea6db9336e81574c7a49185590eaee Closes-Bug: #1879522 Related: rhbz#1835820
368 lines
14 KiB
YAML
368 lines
14 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack containerized Horizon service
|
|
|
|
parameters:
|
|
ContainerHorizonImage:
|
|
description: image
|
|
type: string
|
|
ContainerHorizonConfigImage:
|
|
description: The container image to use for the horizon config_volume
|
|
type: string
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
Debug:
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
type: boolean
|
|
HorizonDebug:
|
|
default: false
|
|
description: Set to True to enable debugging Horizon service.
|
|
type: string
|
|
constraints:
|
|
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
|
|
HorizonAllowedHosts:
|
|
default: '*'
|
|
description: A list of IP/Hostname for the server Horizon is running on.
|
|
Used for header checks.
|
|
type: comma_delimited_list
|
|
HorizonPasswordValidator:
|
|
description: Regex for password validation
|
|
type: string
|
|
default: ''
|
|
HorizonPasswordValidatorHelp:
|
|
description: Help text for password validation
|
|
type: string
|
|
default: ''
|
|
HorizonSecret:
|
|
description: Secret key for Django
|
|
type: string
|
|
hidden: true
|
|
default: ''
|
|
HorizonSecureCookies:
|
|
description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
|
|
type: boolean
|
|
default: false
|
|
MemcachedIPv6:
|
|
default: false
|
|
description: Enable IPv6 features in Memcached.
|
|
type: boolean
|
|
MonitoringSubscriptionHorizon:
|
|
default: 'overcloud-horizon'
|
|
type: string
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
HorizonVhostExtraParams:
|
|
default:
|
|
add_listen: true
|
|
priority: 10
|
|
access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
|
|
options: ['FollowSymLinks','MultiViews']
|
|
description: Extra parameters for Horizon vhost configuration
|
|
type: json
|
|
HorizonCustomizationModule:
|
|
default: ''
|
|
description: Horizon has a global overrides mechanism available to perform customizations
|
|
type: string
|
|
HorizonHelpURL:
|
|
default: 'http://docs.openstack.org'
|
|
description: On top of dashboard there is a Help button. This button could be used
|
|
to re-direct user to vendor documentation or dedicated help portal.
|
|
type: string
|
|
TimeZone:
|
|
default: 'UTC'
|
|
description: The timezone to be set on the overcloud.
|
|
type: string
|
|
WebSSOEnable:
|
|
default: false
|
|
type: boolean
|
|
description: Enable support for Web Single Sign-On
|
|
WebSSOInitialChoice:
|
|
default: 'OIDC'
|
|
type: string
|
|
description: The initial authentication choice to select by default
|
|
WebSSOChoices:
|
|
default:
|
|
- ['OIDC', 'OpenID Connect']
|
|
type: json
|
|
description: Specifies the list of SSO authentication choices to present.
|
|
Each item is a list of an SSO choice identifier and a display
|
|
message.
|
|
WebSSOIDPMapping:
|
|
default:
|
|
'OIDC': ['myidp', 'openid']
|
|
type: json
|
|
description: Specifies a mapping from SSO authentication choice to identity
|
|
provider and protocol. The identity provider and protocol names
|
|
must match the resources defined in keystone.
|
|
HorizonDomainChoices:
|
|
default: []
|
|
type: json
|
|
description: Specifies available domains to choose from. We expect an array
|
|
of hashes, and the hashes should have two items each (name, display)
|
|
containing Keystone domain name and a human-readable description of
|
|
the domain respectively.
|
|
|
|
parameter_groups:
|
|
- label: deprecated
|
|
description: |
|
|
The following parameters are deprecated and will be removed. They should not
|
|
be relied on for new deployments. If you have concerns regarding deprecated
|
|
parameters, please contact the TripleO development team on IRC or the
|
|
OpenStack mailing list.
|
|
parameters:
|
|
- MemcachedIPv6
|
|
|
|
conditions:
|
|
debug_unset: {equals : [{get_param: Debug}, '']}
|
|
websso_enabled: {equals : [{get_param: WebSSOEnable}, True]}
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
horizon_domain_choices_set: {not: {equals: [{get_param: HorizonDomainChoices}, []]}}
|
|
is_ipv6:
|
|
equals:
|
|
- {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, HorizonNetwork]}]}
|
|
- 6
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Horizon API role.
|
|
value:
|
|
service_name: horizon
|
|
firewall_rules:
|
|
'126 horizon':
|
|
dport:
|
|
- 80
|
|
- 443
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
|
|
config_settings:
|
|
map_merge:
|
|
- horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
|
|
horizon::enable_secure_proxy_ssl_header: true
|
|
horizon::disable_password_reveal: true
|
|
horizon::enforce_password_check: true
|
|
horizon::disallow_iframe_embed: true
|
|
horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache
|
|
horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
|
|
horizon::vhost_extra_params: {get_param: HorizonVhostExtraParams}
|
|
horizon::bind_address:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
|
|
horizon::keystone_url: {get_param: [EndpointMap, KeystoneV3Public, uri]}
|
|
horizon::password_validator: {get_param: [HorizonPasswordValidator]}
|
|
horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]}
|
|
horizon::secret_key:
|
|
yaql:
|
|
expression: $.data.passwords.where($ != '').first()
|
|
data:
|
|
passwords:
|
|
- {get_param: HorizonSecret}
|
|
- {get_param: [DefaultPasswords, horizon_secret]}
|
|
horizon::secure_cookies: {get_param: [HorizonSecureCookies]}
|
|
memcached_ipv6: {if: [is_ipv6, true, false]}
|
|
horizon::servername:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
|
|
horizon::listen_ssl: {get_param: EnableInternalTLS}
|
|
horizon::horizon_ca: {get_param: InternalTLSCAFile}
|
|
horizon::customization_module: {get_param: HorizonCustomizationModule}
|
|
horizon::timezone: {get_param: TimeZone}
|
|
horizon::file_upload_temp_dir: '/var/tmp'
|
|
horizon::help_url: {get_param: HorizonHelpURL}
|
|
-
|
|
if:
|
|
- websso_enabled
|
|
-
|
|
horizon::websso_enabled:
|
|
get_param: WebSSOEnable
|
|
horizon::websso_initial_choice:
|
|
get_param: WebSSOInitialChoice
|
|
horizon::websso_choices:
|
|
get_param: WebSSOChoices
|
|
horizon::websso_idp_mapping:
|
|
get_param: WebSSOIDPMapping
|
|
- {}
|
|
-
|
|
if:
|
|
- debug_unset
|
|
- horizon::django_debug: { get_param: HorizonDebug }
|
|
- horizon::django_debug: { get_param: Debug }
|
|
- if:
|
|
- horizon_domain_choices_set
|
|
- horizon::keystone_domain_choices: {get_param: HorizonDomainChoices}
|
|
- {}
|
|
ansible_group_vars:
|
|
keystone_enable_member: true
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: horizon
|
|
puppet_tags: horizon_config
|
|
step_config: |
|
|
include tripleo::profile::base::horizon
|
|
config_image: {get_param: ContainerHorizonConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/horizon.json:
|
|
command: /usr/sbin/httpd -DFOREGROUND
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
|
|
dest: "/etc/httpd/conf.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /var/log/horizon/
|
|
owner: apache:apache
|
|
recurse: true
|
|
# NOTE The upstream Kolla Dockerfile sets /etc/openstack-dashboard/ ownership to
|
|
# horizon:horizon - the policy.json files need read permissions for the apache user
|
|
# FIXME We should consider whether this should be fixed in the Kolla Dockerfile instead
|
|
- path: /etc/openstack-dashboard/
|
|
owner: apache:apache
|
|
recurse: true
|
|
# FIXME Apache tries to write a .lock file there
|
|
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/
|
|
owner: apache:apache
|
|
recurse: false
|
|
# FIXME Our theme settings are there
|
|
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/
|
|
owner: apache:apache
|
|
recurse: false
|
|
docker_config:
|
|
step_2:
|
|
horizon_fix_perms:
|
|
image: &horizon_image {get_param: ContainerHorizonImage}
|
|
net: none
|
|
user: root
|
|
# NOTE Set ownership for /var/log/horizon/horizon.log file here,
|
|
# otherwise it's created by root when generating django cache.
|
|
# FIXME Apache needs to read files in /etc/openstack-dashboard
|
|
# Need to set permissions to match the BM case,
|
|
# http://paste.openstack.org/show/609819/
|
|
command: ['/bin/bash', '-c', 'touch /var/log/horizon/horizon.log ; chown -R apache:apache /var/log/horizon && chmod -R a+rx /etc/openstack-dashboard']
|
|
volumes:
|
|
- /var/log/containers/horizon:/var/log/horizon:z
|
|
- /var/log/containers/httpd/horizon:/var/log/httpd:z
|
|
- /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard:/etc/openstack-dashboard
|
|
step_3:
|
|
horizon:
|
|
image: *horizon_image
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/horizon.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/horizon:/var/lib/kolla/config_files/src:ro
|
|
- /var/log/containers/horizon:/var/log/horizon:z
|
|
- /var/log/containers/httpd/horizon:/var/log/httpd:z
|
|
- /var/tmp/:/var/tmp/:z
|
|
- /var/www/:/var/www/:ro
|
|
- if:
|
|
- internal_tls_enabled
|
|
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- []
|
|
- if:
|
|
- internal_tls_enabled
|
|
- - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
- []
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
# Installed plugins:
|
|
ENABLE_CLOUDKITTY: 'no'
|
|
ENABLE_IRONIC: 'yes'
|
|
ENABLE_MAGNUM: 'no'
|
|
ENABLE_MANILA: 'yes'
|
|
ENABLE_HEAT: 'yes'
|
|
ENABLE_MURANO: 'no'
|
|
ENABLE_MISTRAL: 'no'
|
|
ENABLE_OCTAVIA: 'yes'
|
|
ENABLE_SAHARA: 'yes'
|
|
ENABLE_TROVE: 'no'
|
|
# Not installed:
|
|
ENABLE_FREEZER: 'no'
|
|
ENABLE_FWAAS: 'no'
|
|
ENABLE_KARBOR: 'no'
|
|
ENABLE_DESIGNATE: 'no'
|
|
ENABLE_SEARCHLIGHT: 'no'
|
|
ENABLE_SENLIN: 'no'
|
|
ENABLE_SOLUM: 'no'
|
|
ENABLE_TACKER: 'no'
|
|
ENABLE_WATCHER: 'no'
|
|
ENABLE_ZAQAR: 'no'
|
|
ENABLE_ZUN: 'no'
|
|
host_prep_tasks:
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype }}"
|
|
mode: "{{ item.mode|default(omit) }}"
|
|
with_items:
|
|
- { 'path': /var/log/containers/horizon, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /var/log/containers/httpd/horizon, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /var/www, 'setype': container_file_t }
|
|
upgrade_tasks: []
|
|
external_upgrade_tasks:
|
|
- when:
|
|
- step|int == 1
|
|
tags:
|
|
- never
|
|
- system_upgrade_transfer_data
|
|
- system_upgrade_stop_services
|
|
block:
|
|
- name: Stop horizon container
|
|
import_role:
|
|
name: tripleo_container_stop
|
|
vars:
|
|
tripleo_containers_to_stop:
|
|
- horizon
|
|
tripleo_delegate_to: "{{ groups['horizon'] | default([]) }}"
|