c7acaa28de
There was a mix-up with "1777" and "01777" - while the first is OK with "chmod", it's not good with ansible. This patch corrects the mode introduced in I6c239065d4c92c9afc62ff4e513e6d097a06e218, meaning we will need it down to stable/train. Change-Id: I6c26b19891c1210592e2696c2ae5cb865e3ded99 Resolves: rhbz#2117221
425 lines
16 KiB
YAML
425 lines
16 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
OpenStack containerized Horizon service
|
|
|
|
parameters:
|
|
ContainerHorizonImage:
|
|
description: image
|
|
type: string
|
|
tags:
|
|
- role_specific
|
|
ContainerHorizonConfigImage:
|
|
description: The container image to use for the horizon config_volume
|
|
type: string
|
|
tags:
|
|
- role_specific
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
Debug:
|
|
default: false
|
|
description: Set to True to enable debugging on all services.
|
|
type: boolean
|
|
HorizonDebug:
|
|
default: false
|
|
description: Set to True to enable debugging Horizon service.
|
|
type: boolean
|
|
HorizonAllowedHosts:
|
|
default: '*'
|
|
description: A list of IP/Hostname for the server Horizon is running on.
|
|
Used for header checks.
|
|
type: comma_delimited_list
|
|
HorizonPasswordValidator:
|
|
description: Regex for password validation
|
|
type: string
|
|
default: ''
|
|
HorizonPasswordValidatorHelp:
|
|
description: Help text for password validation
|
|
type: string
|
|
default: ''
|
|
HorizonSecret:
|
|
description: Secret key for Django
|
|
type: string
|
|
hidden: true
|
|
default: ''
|
|
HorizonSecureCookies:
|
|
description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
|
|
type: boolean
|
|
default: false
|
|
HorizonSessionTimeout:
|
|
description: Set session timeout for horizon in seconds
|
|
type: number
|
|
default: 1800
|
|
MemcachedIPv6:
|
|
default: false
|
|
description: Enable IPv6 features in Memcached.
|
|
type: boolean
|
|
MonitoringSubscriptionHorizon:
|
|
default: 'overcloud-horizon'
|
|
type: string
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
HorizonVhostExtraParams:
|
|
default:
|
|
add_listen: true
|
|
priority: 10
|
|
access_log_format: '%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
|
|
options: ['FollowSymLinks','MultiViews']
|
|
description: Extra parameters for Horizon vhost configuration
|
|
type: json
|
|
HorizonCustomizationModule:
|
|
default: ''
|
|
description: Horizon has a global overrides mechanism available to perform customizations
|
|
type: string
|
|
HorizonHelpURL:
|
|
default: 'http://docs.openstack.org'
|
|
description: On top of dashboard there is a Help button. This button could be used
|
|
to re-direct user to vendor documentation or dedicated help portal.
|
|
type: string
|
|
TimeZone:
|
|
default: 'UTC'
|
|
description: The timezone to be set on the overcloud.
|
|
type: string
|
|
WebSSOEnable:
|
|
default: false
|
|
type: boolean
|
|
description: Enable support for Web Single Sign-On
|
|
WebSSOInitialChoice:
|
|
default: 'OIDC'
|
|
type: string
|
|
description: The initial authentication choice to select by default
|
|
WebSSOChoices:
|
|
default:
|
|
- ['OIDC', 'OpenID Connect']
|
|
type: json
|
|
description: Specifies the list of SSO authentication choices to present.
|
|
Each item is a list of an SSO choice identifier and a display
|
|
message.
|
|
WebSSOIDPMapping:
|
|
default:
|
|
'OIDC': ['myidp', 'openid']
|
|
type: json
|
|
description: Specifies a mapping from SSO authentication choice to identity
|
|
provider and protocol. The identity provider and protocol names
|
|
must match the resources defined in keystone.
|
|
HorizonDomainChoices:
|
|
default: []
|
|
type: json
|
|
description: Specifies available domains to choose from. We expect an array
|
|
of hashes, and the hashes should have two items each (name, display)
|
|
containing Keystone domain name and a human-readable description of
|
|
the domain respectively.
|
|
HorizonLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.horizon
|
|
file: /var/log/containers/horizon/horizon.log
|
|
HorizonWorkers:
|
|
default: 0
|
|
description: Number of workers for Horizon service.
|
|
type: number
|
|
HorizonHstsHeaderValue:
|
|
default: []
|
|
description: Enables HTTP Strict-Transport-Security header in response.
|
|
type: comma_delimited_list
|
|
|
|
parameter_groups:
|
|
- label: deprecated
|
|
description: |
|
|
The following parameters are deprecated and will be removed. They should not
|
|
be relied on for new deployments. If you have concerns regarding deprecated
|
|
parameters, please contact the TripleO development team on IRC or the
|
|
OpenStack mailing list.
|
|
parameters:
|
|
- MemcachedIPv6
|
|
|
|
conditions:
|
|
horizon_domain_choices_set: {not: {equals: [{get_param: HorizonDomainChoices}, []]}}
|
|
is_ipv6:
|
|
equals:
|
|
- {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, HorizonNetwork]}]}
|
|
- 6
|
|
horizon_logger_debug:
|
|
or:
|
|
- {get_param: Debug}
|
|
- {get_param: HorizonDebug}
|
|
horizon_workers_set:
|
|
not: {equals : [{get_param: HorizonWorkers}, 0]}
|
|
horizon_hsts_header_value_set:
|
|
not: {equals : [{get_param: HorizonHstsHeaderValue}, []]}
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
RoleParametersValue:
|
|
type: OS::Heat::Value
|
|
properties:
|
|
type: json
|
|
value:
|
|
map_replace:
|
|
- map_replace:
|
|
- ContainerHorizonImage: ContainerHorizonImage
|
|
ContainerHorizonConfigImage: ContainerHorizonConfigImage
|
|
- values: {get_param: [RoleParameters]}
|
|
- values:
|
|
ContainerHorizonImage: {get_param: ContainerHorizonImage}
|
|
ContainerHorizonConfigImage: {get_param: ContainerHorizonConfigImage}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Horizon API role.
|
|
value:
|
|
service_name: horizon
|
|
firewall_rules:
|
|
'126 horizon':
|
|
dport:
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- 443
|
|
- 80
|
|
firewall_frontend_rules:
|
|
'100 horizon_haproxy_frontend':
|
|
dport:
|
|
- 80
|
|
firewall_ssl_frontend_rules:
|
|
'100 horizon_haproxy_frontend_ssl':
|
|
dport:
|
|
- 443
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
|
|
config_settings:
|
|
map_merge:
|
|
- horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
|
|
horizon::enable_secure_proxy_ssl_header: true
|
|
horizon::secure_proxy_addr_header: HTTP_X_FORWARDED_FOR
|
|
horizon::disable_password_reveal: true
|
|
horizon::enforce_password_check: true
|
|
horizon::disallow_iframe_embed: true
|
|
horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache
|
|
horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
|
|
horizon::vhost_extra_params: {get_param: HorizonVhostExtraParams}
|
|
horizon::bind_address:
|
|
str_replace:
|
|
template:
|
|
"%{lookup('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
|
|
horizon::keystone_url: {get_param: [EndpointMap, KeystoneV3Public, uri]}
|
|
horizon::password_validator: {get_param: [HorizonPasswordValidator]}
|
|
horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]}
|
|
horizon::secret_key: {get_param: HorizonSecret}
|
|
horizon::secure_cookies: {get_param: [HorizonSecureCookies]}
|
|
horizon::session_timeout: {get_param: HorizonSessionTimeout}
|
|
memcached_ipv6: {if: [is_ipv6, true, false]}
|
|
horizon::servername:
|
|
str_replace:
|
|
template:
|
|
"%{lookup('fqdn_$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
|
|
horizon::listen_ssl: {get_param: EnableInternalTLS}
|
|
horizon::customization_module: {get_param: HorizonCustomizationModule}
|
|
horizon::timezone: {get_param: TimeZone}
|
|
horizon::file_upload_temp_dir: '/var/tmp'
|
|
horizon::help_url: {get_param: HorizonHelpURL}
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- horizon::horizon_ca: {get_param: InternalTLSCAFile}
|
|
horizon::ssl_verify_client: require
|
|
- if:
|
|
- {get_param: WebSSOEnable}
|
|
- horizon::websso_enabled:
|
|
get_param: WebSSOEnable
|
|
horizon::websso_initial_choice:
|
|
get_param: WebSSOInitialChoice
|
|
horizon::websso_choices:
|
|
get_param: WebSSOChoices
|
|
horizon::websso_idp_mapping:
|
|
get_param: WebSSOIDPMapping
|
|
- if:
|
|
- {get_param: HorizonDebug}
|
|
- horizon::django_debug: true
|
|
- horizon::django_debug: {get_param: Debug}
|
|
- if:
|
|
- horizon_logger_debug
|
|
- horizon::log_level: 'DEBUG'
|
|
- if:
|
|
- horizon_domain_choices_set
|
|
- horizon::keystone_domain_choices: {get_param: HorizonDomainChoices}
|
|
- if:
|
|
- horizon_workers_set
|
|
- horizon::wsgi_processes: {get_param: HorizonWorkers}
|
|
ansible_group_vars:
|
|
keystone_enable_member: true
|
|
service_config_settings:
|
|
rsyslog:
|
|
tripleo_logging_sources_horizon:
|
|
yaql:
|
|
expression: $.data.sources.flatten()
|
|
data:
|
|
sources:
|
|
- {get_param: HorizonLoggingSource}
|
|
haproxy:
|
|
if:
|
|
- horizon_hsts_header_value_set
|
|
- tripleo::profile::base::horizon::hsts_header_value: {get_param: HorizonHstsHeaderValue}
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: horizon
|
|
puppet_tags: horizon_config
|
|
step_config: |
|
|
include tripleo::profile::base::horizon
|
|
config_image: {get_attr: [RoleParametersValue, value, ContainerHorizonConfigImage]}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/horizon.json:
|
|
command: /usr/sbin/httpd -DFOREGROUND
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
|
|
dest: "/etc/httpd/conf.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
|
|
dest: "/etc/httpd/conf.modules.d"
|
|
merge: false
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
permissions:
|
|
- path: /var/log/horizon/
|
|
owner: apache:apache
|
|
recurse: true
|
|
# NOTE The upstream Kolla Dockerfile sets /etc/openstack-dashboard/ ownership to
|
|
# horizon:horizon - the policy.json files need read permissions for the apache user
|
|
# FIXME We should consider whether this should be fixed in the Kolla Dockerfile instead
|
|
- path: /etc/openstack-dashboard/
|
|
owner: apache:apache
|
|
recurse: true
|
|
# FIXME Apache tries to write a .lock file there
|
|
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/
|
|
owner: apache:apache
|
|
recurse: false
|
|
# FIXME Our theme settings are there
|
|
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.d/
|
|
owner: apache:apache
|
|
recurse: false
|
|
docker_config:
|
|
step_2:
|
|
horizon_fix_perms:
|
|
image: &horizon_image {get_attr: [RoleParametersValue, value, ContainerHorizonImage]}
|
|
net: none
|
|
user: root
|
|
# NOTE Set ownership for /var/log/horizon/horizon.log file here,
|
|
# otherwise it's created by root when generating django cache.
|
|
# FIXME Apache needs to read files in /etc/openstack-dashboard
|
|
# Need to set permissions to match the BM case,
|
|
# http://paste.openstack.org/show/609819/
|
|
command: ['/bin/bash', '-c', 'touch /var/log/horizon/horizon.log ; chown -R apache:apache /var/log/horizon && chmod -R a+rx /etc/openstack-dashboard']
|
|
volumes:
|
|
- /var/log/containers/horizon:/var/log/horizon:z
|
|
- /var/log/containers/httpd/horizon:/var/log/httpd:z
|
|
- /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard:/etc/openstack-dashboard
|
|
step_3:
|
|
horizon:
|
|
image: *horizon_image
|
|
net: host
|
|
privileged: false
|
|
restart: always
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- - /var/lib/kolla/config_files/horizon.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/horizon:/var/lib/kolla/config_files/src:ro
|
|
- /var/log/containers/horizon:/var/log/horizon:z
|
|
- /var/log/containers/httpd/horizon:/var/log/httpd:z
|
|
- /var/tmp/horizon:/var/tmp:z
|
|
- /var/www:/var/www:ro
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
|
|
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
ENABLE_DESIGNATE: 'yes'
|
|
ENABLE_HEAT: 'yes'
|
|
ENABLE_IRONIC: 'yes'
|
|
ENABLE_MANILA: 'yes'
|
|
ENABLE_OCTAVIA: 'yes'
|
|
host_prep_tasks:
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype }}"
|
|
mode: "{{ item.mode|default(omit) }}"
|
|
with_items:
|
|
- { 'path': /var/log/containers/horizon, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /var/log/containers/httpd/horizon, 'setype': container_file_t, 'mode': '0750' }
|
|
- { 'path': /var/www, 'setype': container_file_t }
|
|
- { 'path': /var/tmp/horizon, 'setype': container_file_t, 'mode': '01777' }
|
|
- name: ensure /var/tmp/horizon exists on boot
|
|
copy:
|
|
dest: /etc/tmpfiles.d/var-tmp-horizon.conf
|
|
content: |
|
|
d /var/tmp/horizon 01777 root root - -
|
|
upgrade_tasks:
|
|
- name: Anchor for upgrade and update tasks
|
|
when: step|int == 0
|
|
block: &tmp_reset_label
|
|
- name: Reset selinux label on /var/tmp
|
|
file:
|
|
path: /var/tmp
|
|
state: directory
|
|
setype: tmp_t
|
|
mode: 01777
|
|
update_tasks:
|
|
- name: Anchor for upgrade and update tasks
|
|
when: step|int == 0
|
|
block: *tmp_reset_label
|
|
external_upgrade_tasks:
|
|
- when:
|
|
- step|int == 1
|
|
tags:
|
|
- never
|
|
- system_upgrade_transfer_data
|
|
- system_upgrade_stop_services
|
|
block:
|
|
- name: Stop horizon container
|
|
import_role:
|
|
name: tripleo_container_stop
|
|
vars:
|
|
tripleo_containers_to_stop:
|
|
- horizon
|
|
tripleo_delegate_to: "{{ groups['horizon'] | default([]) }}"
|