56acca5078
Almost every single tripleo service creates a persistent directory. To
simplify the creation, a with_items structure was being used. In which
many times, the mode option was being set. However, that mode option
was not taken into account at the time of creating the file. As a
consequence, the directory was being created with its father directory
rights, instead of the ones being passed in the template.
Change-Id: I215db2bb79029c19ab8c62a7ae8d93cec50fb8dc
Closes-Bug: #1871231
(cherry picked from commit 94bc023390)
341 lines
13 KiB
YAML
341 lines
13 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack containerized Horizon service
|
|
|
|
parameters:
|
|
ContainerHorizonImage:
|
|
description: image
|
|
type: string
|
|
ContainerHorizonConfigImage:
|
|
description: The container image to use for the horizon config_volume
|
|
type: string
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
Debug:
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
type: boolean
|
|
HorizonDebug:
|
|
default: false
|
|
description: Set to True to enable debugging Horizon service.
|
|
type: string
|
|
constraints:
|
|
- allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE']
|
|
HorizonAllowedHosts:
|
|
default: '*'
|
|
description: A list of IP/Hostname for the server Horizon is running on.
|
|
Used for header checks.
|
|
type: comma_delimited_list
|
|
HorizonPasswordValidator:
|
|
description: Regex for password validation
|
|
type: string
|
|
default: ''
|
|
HorizonPasswordValidatorHelp:
|
|
description: Help text for password validation
|
|
type: string
|
|
default: ''
|
|
HorizonSecret:
|
|
description: Secret key for Django
|
|
type: string
|
|
hidden: true
|
|
default: ''
|
|
HorizonSecureCookies:
|
|
description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
|
|
type: boolean
|
|
default: false
|
|
MemcachedIPv6:
|
|
default: false
|
|
description: Enable IPv6 features in Memcached.
|
|
type: boolean
|
|
MonitoringSubscriptionHorizon:
|
|
default: 'overcloud-horizon'
|
|
type: string
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
HorizonVhostExtraParams:
|
|
default:
|
|
add_listen: true
|
|
priority: 10
|
|
access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
|
|
options: ['FollowSymLinks','MultiViews']
|
|
description: Extra parameters for Horizon vhost configuration
|
|
type: json
|
|
HorizonCustomizationModule:
|
|
default: ''
|
|
description: Horizon has a global overrides mechanism available to perform customizations
|
|
type: string
|
|
TimeZone:
|
|
default: 'UTC'
|
|
description: The timezone to be set on the overcloud.
|
|
type: string
|
|
WebSSOEnable:
|
|
default: false
|
|
type: boolean
|
|
description: Enable support for Web Single Sign-On
|
|
WebSSOInitialChoice:
|
|
default: 'OIDC'
|
|
type: string
|
|
description: The initial authentication choice to select by default
|
|
WebSSOChoices:
|
|
default:
|
|
- ['OIDC', 'OpenID Connect']
|
|
type: json
|
|
description: Specifies the list of SSO authentication choices to present.
|
|
Each item is a list of an SSO choice identifier and a display
|
|
message.
|
|
WebSSOIDPMapping:
|
|
default:
|
|
'OIDC': ['myidp', 'openid']
|
|
type: json
|
|
description: Specifies a mapping from SSO authentication choice to identity
|
|
provider and protocol. The identity provider and protocol names
|
|
must match the resources defined in keystone.
|
|
|
|
conditions:
|
|
debug_unset: {equals : [{get_param: Debug}, '']}
|
|
websso_enabled: {equals : [{get_param: WebSSOEnable}, True]}
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Horizon API role.
|
|
value:
|
|
service_name: horizon
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
|
|
config_settings:
|
|
map_merge:
|
|
- horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
|
|
tripleo::horizon::firewall_rules:
|
|
'126 horizon':
|
|
dport:
|
|
- 80
|
|
- 443
|
|
horizon::enable_secure_proxy_ssl_header: true
|
|
horizon::disable_password_reveal: true
|
|
horizon::enforce_password_check: true
|
|
horizon::disallow_iframe_embed: true
|
|
horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache
|
|
horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
|
|
horizon::vhost_extra_params: {get_param: HorizonVhostExtraParams}
|
|
horizon::bind_address:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
|
|
horizon::keystone_url: {get_param: [EndpointMap, KeystoneV3Public, uri]}
|
|
horizon::password_validator: {get_param: [HorizonPasswordValidator]}
|
|
horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]}
|
|
horizon::secret_key:
|
|
yaql:
|
|
expression: $.data.passwords.where($ != '').first()
|
|
data:
|
|
passwords:
|
|
- {get_param: HorizonSecret}
|
|
- {get_param: [DefaultPasswords, horizon_secret]}
|
|
horizon::secure_cookies: {get_param: [HorizonSecureCookies]}
|
|
memcached_ipv6: {get_param: MemcachedIPv6}
|
|
horizon::servername:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
|
|
horizon::listen_ssl: {get_param: EnableInternalTLS}
|
|
horizon::horizon_ca: {get_param: InternalTLSCAFile}
|
|
horizon::customization_module: {get_param: HorizonCustomizationModule}
|
|
horizon::timezone: {get_param: TimeZone}
|
|
horizon::file_upload_temp_dir: '/var/tmp'
|
|
-
|
|
if:
|
|
- websso_enabled
|
|
-
|
|
horizon::websso_enabled:
|
|
get_param: WebSSOEnable
|
|
horizon::websso_initial_choice:
|
|
get_param: WebSSOInitialChoice
|
|
horizon::websso_choices:
|
|
get_param: WebSSOChoices
|
|
horizon::websso_idp_mapping:
|
|
get_param: WebSSOIDPMapping
|
|
- {}
|
|
-
|
|
if:
|
|
- debug_unset
|
|
- horizon::django_debug: { get_param: HorizonDebug }
|
|
- horizon::django_debug: { get_param: Debug }
|
|
ansible_group_vars:
|
|
keystone_enable_member: true
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: horizon
|
|
puppet_tags: horizon_config
|
|
step_config: |
|
|
include ::tripleo::profile::base::horizon
|
|
config_image: {get_param: ContainerHorizonConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/horizon.json:
|
|
command: /usr/sbin/httpd -DFOREGROUND
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
|
|
dest: "/etc/httpd/conf.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /var/log/horizon/
|
|
owner: apache:apache
|
|
recurse: true
|
|
# NOTE The upstream Kolla Dockerfile sets /etc/openstack-dashboard/ ownership to
|
|
# horizon:horizon - the policy.json files need read permissions for the apache user
|
|
# FIXME We should consider whether this should be fixed in the Kolla Dockerfile instead
|
|
- path: /etc/openstack-dashboard/
|
|
owner: apache:apache
|
|
recurse: true
|
|
# FIXME Apache tries to write a .lock file there
|
|
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/
|
|
owner: apache:apache
|
|
recurse: false
|
|
# FIXME Our theme settings are there
|
|
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/
|
|
owner: apache:apache
|
|
recurse: false
|
|
docker_config:
|
|
step_2:
|
|
horizon_fix_perms:
|
|
image: &horizon_image {get_param: ContainerHorizonImage}
|
|
net: none
|
|
user: root
|
|
# NOTE Set ownership for /var/log/horizon/horizon.log file here,
|
|
# otherwise it's created by root when generating django cache.
|
|
# FIXME Apache needs to read files in /etc/openstack-dashboard
|
|
# Need to set permissions to match the BM case,
|
|
# http://paste.openstack.org/show/609819/
|
|
command: ['/bin/bash', '-c', 'touch /var/log/horizon/horizon.log ; chown -R apache:apache /var/log/horizon && chmod -R a+rx /etc/openstack-dashboard']
|
|
volumes:
|
|
- /var/log/containers/horizon:/var/log/horizon:z
|
|
- /var/log/containers/httpd/horizon:/var/log/httpd:z
|
|
- /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard:/etc/openstack-dashboard
|
|
step_3:
|
|
horizon:
|
|
image: *horizon_image
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/horizon.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/horizon:/var/lib/kolla/config_files/src:ro
|
|
- /var/log/containers/horizon:/var/log/horizon:z
|
|
- /var/log/containers/httpd/horizon:/var/log/httpd:z
|
|
- /var/tmp/:/var/tmp/:z
|
|
- /var/www/:/var/www/:ro
|
|
- if:
|
|
- internal_tls_enabled
|
|
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- []
|
|
- if:
|
|
- internal_tls_enabled
|
|
- - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
- []
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
# Installed plugins:
|
|
ENABLE_CLOUDKITTY: 'no'
|
|
ENABLE_IRONIC: 'yes'
|
|
ENABLE_MAGNUM: 'no'
|
|
ENABLE_MANILA: 'yes'
|
|
ENABLE_HEAT: 'yes'
|
|
# murano depends on heat-dashboard that is not yet installed
|
|
# https://bugs.launchpad.net/tripleo/+bug/1752132
|
|
ENABLE_MURANO: 'no'
|
|
ENABLE_MISTRAL: 'yes'
|
|
ENABLE_OCTAVIA: 'yes'
|
|
ENABLE_SAHARA: 'yes'
|
|
ENABLE_TROVE: 'no'
|
|
# Not installed:
|
|
ENABLE_FREEZER: 'no'
|
|
ENABLE_FWAAS: 'no'
|
|
ENABLE_KARBOR: 'no'
|
|
ENABLE_DESIGNATE: 'no'
|
|
ENABLE_SEARCHLIGHT: 'no'
|
|
ENABLE_SENLIN: 'no'
|
|
ENABLE_SOLUM: 'no'
|
|
ENABLE_TACKER: 'no'
|
|
ENABLE_WATCHER: 'no'
|
|
ENABLE_ZAQAR: 'no'
|
|
ENABLE_ZUN: 'no'
|
|
host_prep_tasks:
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype }}"
|
|
mode: "{{ item.mode|default(omit) }}"
|
|
with_items:
|
|
- { 'path': /var/log/containers/horizon, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
|
|
- { 'path': /var/log/containers/httpd/horizon, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
|
|
- { 'path': /var/www, 'setype': svirt_sandbox_file_t }
|
|
upgrade_tasks: []
|
|
external_upgrade_tasks:
|
|
- when:
|
|
- step|int == 1
|
|
tags:
|
|
- never
|
|
- system_upgrade_transfer_data
|
|
- system_upgrade_stop_services
|
|
block:
|
|
- name: Stop horizon container
|
|
import_role:
|
|
name: tripleo-container-stop
|
|
vars:
|
|
tripleo_containers_to_stop:
|
|
- horizon
|
|
tripleo_delegate_to: "{{ groups['horizon'] | default([]) }}"
|