openstack/tripleo-heat-templates
Code Issues Proposed changes
bec1ffeeb8
tripleo-heat-templates/deployment/horizon/horizon-container-puppet.yaml
Takashi Kajinami 0bb24e11e7 Remove ENABLE_* environment about puglins not installed 
Currently we maintain list of installed plugins and not installed
plugins in horizon template but the list has some incorrect/invalid
items. Futhermore kolla sets ENABLE_* to no by default unless
the environments are explicitly set so there is no need to maintain
"uninstalled" items.

This change simplifies the list of plugins to include only installed
and enabled plugins.

Change-Id: I3e7532e0e33326f1e4ff8f59bafe41d8582abd03
2021-06-04 23:20:28 +09:00

376 lines
14 KiB
YAML
Raw Blame History

heat_template_version: wallaby
description: >
OpenStack containerized Horizon service
parameters:
ContainerHorizonImage:
description: image
type: string
ContainerHorizonConfigImage:
description: The container image to use for the horizon config_volume
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
Debug:
default: false
description: Set to True to enable debugging on all services.
type: boolean
HorizonDebug:
default: false
description: Set to True to enable debugging Horizon service.
type: boolean
HorizonAllowedHosts:
default: '*'
description: A list of IP/Hostname for the server Horizon is running on.
Used for header checks.
type: comma_delimited_list
HorizonPasswordValidator:
description: Regex for password validation
type: string
default: ''
HorizonPasswordValidatorHelp:
description: Help text for password validation
type: string
default: ''
HorizonSecret:
description: Secret key for Django
type: string
hidden: true
default: ''
HorizonSecureCookies:
description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
type: boolean
default: false
HorizonSessionTimeout:
description: Set session timeout for horizon in seconds
type: number
default: 1800
MemcachedIPv6:
default: false
description: Enable IPv6 features in Memcached.
type: boolean
MonitoringSubscriptionHorizon:
default: 'overcloud-horizon'
type: string
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
HorizonVhostExtraParams:
default:
add_listen: true
priority: 10
access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
options: ['FollowSymLinks','MultiViews']
description: Extra parameters for Horizon vhost configuration
type: json
HorizonCustomizationModule:
default: ''
description: Horizon has a global overrides mechanism available to perform customizations
type: string
HorizonHelpURL:
default: 'http://docs.openstack.org'
description: On top of dashboard there is a Help button. This button could be used
to re-direct user to vendor documentation or dedicated help portal.
type: string
TimeZone:
default: 'UTC'
description: The timezone to be set on the overcloud.
type: string
WebSSOEnable:
default: false
type: boolean
description: Enable support for Web Single Sign-On
WebSSOInitialChoice:
default: 'OIDC'
type: string
description: The initial authentication choice to select by default
WebSSOChoices:
default:
- ['OIDC', 'OpenID Connect']
type: json
description: Specifies the list of SSO authentication choices to present.
Each item is a list of an SSO choice identifier and a display
message.
WebSSOIDPMapping:
default:
'OIDC': ['myidp', 'openid']
type: json
description: Specifies a mapping from SSO authentication choice to identity
provider and protocol. The identity provider and protocol names
must match the resources defined in keystone.
HorizonDomainChoices:
default: []
type: json
description: Specifies available domains to choose from. We expect an array
of hashes, and the hashes should have two items each (name, display)
containing Keystone domain name and a human-readable description of
the domain respectively.
HorizonLoggingSource:
type: json
default:
tag: openstack.horizon
file: /var/log/containers/horizon/horizon.log
parameter_groups:
- label: deprecated
description: |
The following parameters are deprecated and will be removed. They should not
be relied on for new deployments. If you have concerns regarding deprecated
parameters, please contact the TripleO development team on IRC or the
OpenStack mailing list.
parameters:
- MemcachedIPv6
conditions:
horizon_domain_choices_set: {not: {equals: [{get_param: HorizonDomainChoices}, []]}}
is_ipv6:
equals:
- {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, HorizonNetwork]}]}
- 6
horizon_logger_debug:
or:
- {get_param: Debug}
- {get_param: HorizonDebug}
resources:
ContainersCommon:
type: ../containers-common.yaml
outputs:
role_data:
description: Role data for the Horizon API role.
value:
service_name: horizon
firewall_rules:
'126 horizon':
dport:
- 80
- 443
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
config_settings:
map_merge:
- horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
horizon::enable_secure_proxy_ssl_header: true
horizon::disable_password_reveal: true
horizon::enforce_password_check: true
horizon::disallow_iframe_embed: true
horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache
horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
horizon::vhost_extra_params: {get_param: HorizonVhostExtraParams}
horizon::bind_address:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
horizon::keystone_url: {get_param: [EndpointMap, KeystoneV3Public, uri]}
horizon::password_validator: {get_param: [HorizonPasswordValidator]}
horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]}
horizon::secret_key: {get_param: HorizonSecret}
horizon::secure_cookies: {get_param: [HorizonSecureCookies]}
horizon::session_timeout: {get_param: HorizonSessionTimeout}
memcached_ipv6: {if: [is_ipv6, true, false]}
horizon::servername:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
horizon::listen_ssl: {get_param: EnableInternalTLS}
horizon::customization_module: {get_param: HorizonCustomizationModule}
horizon::timezone: {get_param: TimeZone}
horizon::file_upload_temp_dir: '/var/tmp'
horizon::help_url: {get_param: HorizonHelpURL}
- if:
- {get_param: EnableInternalTLS}
- horizon::horizon_ca: {get_param: InternalTLSCAFile}
horizon::ssl_verify_client: require
- if:
- {get_param: WebSSOEnable}
- horizon::websso_enabled:
get_param: WebSSOEnable
horizon::websso_initial_choice:
get_param: WebSSOInitialChoice
horizon::websso_choices:
get_param: WebSSOChoices
horizon::websso_idp_mapping:
get_param: WebSSOIDPMapping
- if:
- {get_param: HorizonDebug}
- horizon::django_debug: true
- horizon::django_debug: {get_param: Debug}
- if:
- horizon_logger_debug
- horizon::log_level: 'DEBUG'
- if:
- horizon_domain_choices_set
- horizon::keystone_domain_choices: {get_param: HorizonDomainChoices}
ansible_group_vars:
keystone_enable_member: true
service_config_settings:
rsyslog:
tripleo_logging_sources_horizon:
yaql:
expression: $.data.sources.flatten()
data:
sources:
- {get_param: HorizonLoggingSource}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: horizon
puppet_tags: horizon_config
step_config: |
include tripleo::profile::base::horizon
config_image: {get_param: ContainerHorizonConfigImage}
kolla_config:
/var/lib/kolla/config_files/horizon.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
dest: "/etc/httpd/conf.modules.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/horizon/
owner: apache:apache
recurse: true
# NOTE The upstream Kolla Dockerfile sets /etc/openstack-dashboard/ ownership to
# horizon:horizon - the policy.json files need read permissions for the apache user
# FIXME We should consider whether this should be fixed in the Kolla Dockerfile instead
- path: /etc/openstack-dashboard/
owner: apache:apache
recurse: true
# FIXME Apache tries to write a .lock file there
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/
owner: apache:apache
recurse: false
# FIXME Our theme settings are there
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/
owner: apache:apache
recurse: false
docker_config:
step_2:
horizon_fix_perms:
image: &horizon_image {get_param: ContainerHorizonImage}
net: none
user: root
# NOTE Set ownership for /var/log/horizon/horizon.log file here,
# otherwise it's created by root when generating django cache.
# FIXME Apache needs to read files in /etc/openstack-dashboard
# Need to set permissions to match the BM case,
# http://paste.openstack.org/show/609819/
command: ['/bin/bash', '-c', 'touch /var/log/horizon/horizon.log ; chown -R apache:apache /var/log/horizon && chmod -R a+rx /etc/openstack-dashboard']
volumes:
- /var/log/containers/horizon:/var/log/horizon:z
- /var/log/containers/httpd/horizon:/var/log/httpd:z
- /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard:/etc/openstack-dashboard
step_3:
horizon:
image: *horizon_image
net: host
privileged: false
restart: always
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/kolla/config_files/horizon.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/horizon:/var/lib/kolla/config_files/src:ro
- /var/log/containers/horizon:/var/log/horizon:z
- /var/log/containers/httpd/horizon:/var/log/httpd:z
- /var/tmp/horizon:/var/tmp/:z
- /var/www/:/var/www/:ro
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
ENABLE_HEAT: 'yes'
ENABLE_IRONIC: 'yes'
ENABLE_MANILA: 'yes'
ENABLE_OCTAVIA: 'yes'
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
mode: "{{ item.mode|default(omit) }}"
with_items:
- { 'path': /var/log/containers/horizon, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/horizon, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/www, 'setype': container_file_t }
- { 'path': /var/tmp/horizon, 'setype': container_file_t, 'mode': '1777' }
- name: ensure /var/tmp/horizon exists on boot
copy:
dest: /etc/tmpfiles.d/var-tmp-horizon.conf
content: |
d /var/tmp/horizon 1777 root root - -
upgrade_tasks:
- name: Anchor for upgrade and update tasks
when: step|int == 0
block: &tmp_reset_label
- name: Reset selinux label on /var/tmp
file:
path: /var/tmp
state: directory
setype: tmp_t
mode: 1777
update_tasks:
- name: Anchor for upgrade and update tasks
when: step|int == 0
block: *tmp_reset_label
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop horizon container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- horizon
tripleo_delegate_to: "{{ groups['horizon'] | default([]) }}"
View Git Blame Copy Permalink