openstack/tripleo-heat-templates
Code Issues Proposed changes
af7a4ab5b8
tripleo-heat-templates/puppet/services/horizon.yaml
Steven Hardy 3a7baa8fa6 Convert ServiceNetMap evals to hiera interpolation 
Since https://review.openstack.org/#/c/514707/ added the net_ip_map
to hieradata, we can look up the per-network bind IPs via hiera
interpolation instead of heat map_replace.

In some cases the ServiceNetMap lookup is used for other things,
but anywhere we make use of the "magic" translation via NetIpMap
is changed the same way.

This will enable more of the configuration data to be exposed per
role vs per node in a future patch (to simplify our ansible
workflow).

Co-authored-by: Bogdan Dobrelya <bdobreli@redhat.com>
Change-Id: Ie3da9fedbfce87e85f74d8780e7ad1ceadda79c8
2018-03-10 08:18:30 +00:00

181 lines
6.0 KiB
YAML
Raw Blame History

heat_template_version: queens
description: >
Horizon service configured with Puppet
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
HorizonDebug:
default: false
description: Set to True to enable debugging Horizon service.
type: string
constraints:
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
HorizonAllowedHosts:
default: '*'
description: A list of IP/Hostname for the server Horizon is running on.
Used for header checks.
type: comma_delimited_list
HorizonPasswordValidator:
description: Regex for password validation
type: string
default: ''
HorizonPasswordValidatorHelp:
description: Help text for password validation
type: string
default: ''
HorizonSecret:
description: Secret key for Django
type: string
hidden: true
default: ''
HorizonSecureCookies:
description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
type: boolean
default: false
MemcachedIPv6:
default: false
description: Enable IPv6 features in Memcached.
type: boolean
MonitoringSubscriptionHorizon:
default: 'overcloud-horizon'
type: string
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
HorizonVhostExtraParams:
default:
add_listen: true
priority: 10
access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
options: ['FollowSymLinks','MultiViews']
description: Extra parameters for Horizon vhost configuration
type: json
HorizonCustomizationModule:
default: ''
description: Horizon has a global overrides mechanism available to perform customizations
type: string
conditions:
debug_unset: {equals : [{get_param: Debug}, '']}
outputs:
role_data:
description: Role data for the Horizon role.
value:
service_name: horizon
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
config_settings:
map_merge:
- horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
tripleo.horizon.firewall_rules:
'126 horizon':
dport:
- 80
- 443
horizon::enable_secure_proxy_ssl_header: true
horizon::disable_password_reveal: true
horizon::enforce_password_check: true
horizon::disallow_iframe_embed: true
horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache
horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
horizon::vhost_extra_params: {get_param: HorizonVhostExtraParams}
horizon::bind_address:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
horizon::password_validator: {get_param: [HorizonPasswordValidator]}
horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]}
horizon::secret_key:
yaql:
expression: $.data.passwords.where($ != '').first()
data:
passwords:
- {get_param: HorizonSecret}
- {get_param: [DefaultPasswords, horizon_secret]}
horizon::secure_cookies: {get_param: [HorizonSecureCookies]}
memcached_ipv6: {get_param: MemcachedIPv6}
horizon::servername:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
horizon::listen_ssl: {get_param: EnableInternalTLS}
horizon::horizon_ca: {get_param: InternalTLSCAFile}
horizon::customization_module: {get_param: HorizonCustomizationModule}
-
if:
- debug_unset
- horizon::django_debug: { get_param: HorizonDebug }
- horizon::django_debug: { get_param: Debug }
step_config: |
include ::tripleo::profile::base::horizon
# Ansible tasks to handle upgrade
upgrade_tasks:
- name: Check if httpd is deployed
command: systemctl is-enabled httpd
tags: common
ignore_errors: True
register: httpd_enabled
- name: "PreUpgrade step0,validation: Check if httpd is running"
shell: >
/usr/bin/systemctl show 'httpd' --property ActiveState |
grep '\bactive\b'
when:
- step|int == 0
- httpd_enabled.rc == 0
tags: validation
- name: Stop Horizon (under httpd)
when:
- step|int == 1
- httpd_enabled.rc == 0
service: name=httpd state=stopped
service_config_settings:
haproxy:
tripleo.horizon.firewall_rules:
'127 horizon':
dport:
- 80
- 443
keystone:
keystone_enable_member: true
View Git Blame Copy Permalink