Unfortunatelly having `horizon_config_overrides` is not sufficient, as
not all options can be defined in HORIZON_CONFIG.
Some are expected to be preset inside local_settings themselves.
We introduce new variable that can be used to extend local_settings file
with arbitrary parameters.
Change-Id: Ic119105189c9158aa3b38c4deb07040110d9d660
We change a default value of `horizon_webroot` to reflect the usecase
where both Horizon and Skyline are deployed. When it is the case,
horizon webroot URL will be changed to `/horizon`.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/859446
Change-Id: Ia38311a6fde88292c090cf6289bf5b6c6279c479
To standarize variable name across roles, this change renames
`horizon_enable_ssl` to `horizon_backend_ssl`.
All other roles use `<service>_backend_ssl` format.
It also better describes what it does. With `horizon_enable_ssl` it's
unclear whether it is about frontend or backend.
Backward compatibility will be kept until 2024.1.
Change-Id: I218d45b7be667732e4204316b8d18fa3e136962b
`horizon_enable_ssl` is responsible for enabling TLS on horizon backend.
It defaults to `haproxy_ssl` which is generally used to enable TLS on
haproxy frontends.
It is more reasonable to disable it by default as it's done for other
services.
This patch does not change current behavior in gating as backend TLS
works only with horizon_external_ssl=False(while it's set to True by
default).
It also does not affect behavior of horizon's haproxy frontend
encryption.
Change-Id: I8f207426c9dc5bcefdec42c0bfc0f5f0376509a3
This change provides the horizon role the ability to deploy its services
using uWSGI instead of apache. This feature produces a minimal horizon
deployment which is perfectly functional in cases where capabilities
like federation and SSL terminated all the way through are not needed.
Change-Id: I457a111511543731746d868ae7f7184743e5703b
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
This change adds the ability within horizon to define a list of domains
which are trusted through the CSRF functions of django.
Change-Id: Ib92480e6caa74e050a99b36a54b2032714efb509
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
This adds a new variable to manage TLS v1.3 cipher suites.
The old variable for TLS v1.2 and below ciphers is renamed for
consistency, but is still supported as a default where overridden
by deployments.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/823943
Change-Id: Ib43d465c8fa24ec7d14174ecc17bce0b3e8bd7a4
In case policies are overriden for services,
horizon maintain and ship it's own set of policies that should be
separatelly overriden.
Depends-On: https://review.opendev.org/754382
Change-Id: I7099a5b11390d3296c7b4bb74d69670c7fe64f58
This patch adds deployement of murano-dashboard to horizon,
once `horizon_enable_murano_ui` variable is set to True.
Depends-On: https://review.opendev.org/710773
Change-Id: I9a2f1920611ca8ad2b2f2cdb625281132b968ec2
Previously we were using cached_db session backend by default.
However with django version update, it requires more recent
mysqlclient module which is not part of requirements.
Moreover usage of cached_db makes us to carry and maintain
extra stuff, which can be dropped with memcached backend.
Change-Id: I8df7ee967d8dcbeb09a42fd568f98acc3e88adad
Added variable horizon_bind_address which allows to define address
on which horizon will be listening.
horizon_listen_ports variable was converted to dict()
and used in apache vhost template.
As an addition metal jobs were added for horizon CI.
Depends-On: https://review.opendev.org/681722
Change-Id: I11c3edec6d58e39da8de5e214fab9731eb5df9e2
Because of global retirement process of neutron-lbaas we stop providing
neutron-lbaas-ui plugin installation for horizon.
Change-Id: Ic39a4d1cc03df72a4080abd6513bf8f4036da456
Added masakari dashboard to horizon installation.
As for now it's installation is available only from source.
Change-Id: I07937e2d97080ec5f4aece61a6bf032cd8790f5f
Implements: blueprint masakari-ansible-plugin
Horizon has, since OSA's inception, been deployed with HTTPS
access enabled, and has had no way to turn it off. Some use-cases
may want to access via HTTP instead, so this patch enables
the following:
1. Listen via HTTPS on a load balancer, but via HTTP on the
horizon host and have the load balancer forward the correct
headers. It will do this by default in the integrated build
due to the presence of the load balancer, so the current
behaviour is retained.
2. Enable HTTPS on the horizon host without a load balancer.
This is the role's default behaviour which matches what it
always has been.
3. Disable HTTPS entirely by setting ``haproxy_ssl: no`` (which
will also disable https on haproxy. This setting is inherited
by the new ``horizon_enable_ssl`` variable by default. This
is a new option.
Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
Change-Id: I823f2f949258157e306dbf80570abe53373da0c3
Closes-Bug: 1794337
Adds key ``theme_src_archive`` to ``horizon_custom_themes``,
which should point to archive with packed theme inside.
Archive should be placed on the deployment host and it
may be easily created by git-archive, or ansible git module.
Structure inside archive should be as a standard theme,
without any leading folders.
Unarchive is used instead of synchronize with flat files,
as synchronize establishes independent SSH connection
and doesn't use nspawn or any other methods from
custom ssh plugin and may case connection errors.
Recursive copy has limitations on number of files inside of the
directory. This limit is pretty high, but still it's a limit.
This method differs from uploading custom files, as themes may
have complex structure and include a lot of files.
As a result, if ``horizon_custom_themes`` contains
``theme_src_archive`` key, theme will be distributed by role.
Change-Id: Icbfff0793a703de94091cfdcdecf5a2c91bae4be
Related-Bug: 1778098
Distributions provide packages for the OpenStack services so we add
support for using these instead of the pip ones.
Implements: blueprint openstack-distribution-packages
Change-Id: Ie6eeff541a319967715e619dcdc26177aec5be72
In order to reduce the packages required to pip install on to the hosts,
we allow the service setup to be delegated to a specific host, defaulting
to the deploy host. We also switch as many tasks as possible to using the
built-in Ansible modules which make use of the shade library.
The 'virtualenv' package is now installed appropriately by the openstack_hosts
role, so there's no need to install it any more. The 'httplib2' package is a
legacy Ansible requirement for the get_url/get_uri module which is no longer
needed. The keystone client library is not required any more now that we're
using the upstream modules. As there are no required packages left, the task
to install them is also removed.
With the dependent patches, the openstack_openrc role is now executed once
on the designated host, so it is no longer required as a meta-dependency for
the role.
Depends-On: https://review.openstack.org/579233
Depends-On: https://review.openstack.org/579959
Depends-On: https://review.openstack.org/580156
Change-Id: Ic3c0bb31c12a83fe8fe475091e97e5d5537fab6f
This variable allows customizing the default values for properties found
in the Launch Instance modal, using the LAUNCH_INSTANCE_DEFAULTS config
option.
Change-Id: I1a795b788b3fbc78e814c93f56fd996090c7463b
To facilitiate a translations check site this patch enables the ability
to perform a pull_catalog and compilemessages, which will update the
translations site. By default this won't run at all.
Change-Id: Ib9b527d60226d3133206675b394d83f1185631b2
Users can configure the number of worker threads however when it's
not specified the calculated number of workers can get too large on
hosts with a large number of CPUs.
Change-Id: I09433117941dcd543775d5c347cb03912c21475c
Because horizon local settings cannot use config_template, we
have to maintain the features possible in the template ourselves.
This adds the possibility to allow/deny the use of embedded
iframes.
Change-Id: I12470ac156a433eee795b4090b21d106418ecd5a
The current constraints generation for the
installation involves multiple tasks and multiple
variables.
Using multiple tasks extends the installation time
unnecessarily and the additional variables are
unnecessary.
This patch aims to simplify the mechanism and
hopes to speed it up a little.
Change-Id: I66974d89e3a89620abaf1d228e10a70575b2e067
In order to make it easier to differentiate between the lists of
python packages, distribution packages, downloaded packages,
package pins and other similar variables the variable names are
being changed to ensure that they have a more explicit suffix
that defines the purpose and makes the naming more consistent.
This is to facilitate a lookup plugin which will be able to look
up all the package lists and present them as a consolidated piece
of data which may be used for artifact preparation.
Change-Id: Ib4b177992753ad53b8bdb7a7652f1fbc6cc5267d
As Horizon treats admins differently and can't discern what roles are
administrative in nature, we have to tell it if there are roles
beyond/besides "admin".
If not overriden by the user, then the default is `['admin']` as seen
in the code:
https://github.com/openstack/horizon/blob/stable/mitaka/openstack_dashboard/utils/identity.py#L20-L25.
Closes-Bug: #1614213
Change-Id: I5e475db52be7d6390a1ab29a08b58fc102e16037
Co-Author: Corey Wright <corey.wright@rackspace.com>
This patch adds Magnum-UI plugin support to Horizon.
Additionally some commenting is added to clarify the purpose of the
developer mode variables.
Change-Id: I79c532cbadd5f9cd84ac993d94eb795ba20ea003
Implements: blueprint role-magnum
The current method of installing the distribution packages required is
set in the tasks and cannot be changed by a deployer.
Currently the apt task always installs the latest package. This results
in unexpected binary changes when a deployer may simply be trying to
execute a configuration change.
This patch adds the ability for a deployer to change the desired state
so that the results are predictable.
Change-Id: Iebd947fc93738e6ccb62460061b00306b96437d6
