--- # Copyright 2014, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ## Verbosity Options debug: False # Set the host which will execute the shade modules # for the service setup. The host must already have # clouds.yaml properly configured. horizon_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}" # Set the package install state for distribution and pip packages # Options are 'present' and 'latest' horizon_package_state: "latest" horizon_pip_package_state: "latest" # Set installation method. horizon_install_method: "source" ## Toggle developer mode horizon_developer_mode: false ## The git source/branch for Horizon horizon_git_repo: https://git.openstack.org/openstack/horizon horizon_git_install_branch: master ## The git source/branch for the Magnum UI plugin magnum_dashboard_git_repo: https://git.openstack.org/openstack/magnum-ui magnum_dashboard_git_install_branch: master ## The git source/branch for the Octavia UI plugin octavia_dashboard_git_repo: https://git.openstack.org/openstack/octavia-dashboard octavia_dashboard_git_install_branch: master ## The git source/branch for the Designate UI plugin designate_dashboard_git_repo: https://git.openstack.org/openstack/designate-dashboard designate_dashboard_git_install_branch: master ## The git source/branch for the Trove UI plugin trove_dashboard_git_repo: https://git.openstack.org/openstack/trove-dashboard trove_dashboard_git_install_branch: master ## The git source/branch for the Heat UI plugin heat_dashboard_git_repo: https://git.openstack.org/openstack/heat-dashboard heat_dashboard_git_install_branch: master ## The packages to build from source (used in developer mode) horizon_developer_constraints: - "git+{{ horizon_git_repo }}@{{ horizon_git_install_branch }}#egg=horizon" - "git+{{ magnum_dashboard_git_repo }}@{{ magnum_dashboard_git_install_branch }}#egg=magnum-ui" - "git+{{ designate_dashboard_git_repo }}@{{ designate_dashboard_git_install_branch }}#egg=designate_dashboard" - "git+{{ trove_dashboard_git_repo }}@{{ trove_dashboard_git_install_branch }}#egg=trove_dashboard" - "git+{{ heat_dashboard_git_repo }}@{{ heat_dashboard_git_install_branch }}#egg=heat_dashboard" # TODO(odyssey4me): # This can be simplified once all the roles are using # python_venv_build. We can then switch to using a # set of constraints in pip.conf inside the venv, # perhaps prepared by giving a giving a list of # constraints to the role. horizon_pip_install_args: >- {{ horizon_developer_mode | ternary(pip_install_developer_constraints | default('--constraint /opt/developer-pip-constraints.txt'), '') }} {{ (pip_install_upper_constraints is defined) | ternary('--constraint ' + pip_install_upper_constraints | default(''), '') }} {{ pip_install_options | default('') }} # Name of the virtual env to deploy into horizon_venv_tag: "{{ venv_tag | default('untagged') }}" horizon_bin: "{{ _horizon_bin }}" # venv_download, even when true, will use the fallback method of building the # venv from scratch if the venv download fails. horizon_venv_download: "{{ not horizon_developer_mode | bool }}" horizon_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/horizon.tgz ## System info horizon_system_user_name: horizon horizon_system_group_name: horizon horizon_system_shell: /bin/false horizon_system_comment: horizon system user horizon_system_user_home: "/var/lib/{{ horizon_system_user_name }}" ## Service Type and Data horizon_service_region: RegionOne horizon_service_name: horizon ## Database info horizon_db_setup_host: "{{ ('galera_all' in groups) | ternary(groups['galera_all'][0], 'localhost') }}" horizon_galera_address: "{{ galera_address | default('127.0.0.1') }}" horizon_galera_database: dash horizon_galera_user: dash horizon_galera_use_ssl: "{{ galera_use_ssl | default(False) }}" horizon_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}" ## Session configuration # Specifies the timespan in seconds inactivity, until a user is considered as # logged out horizon_session_timeout: 1800 ## Horizon Help URL Path horizon_help_url: http://docs.openstack.org ## Installation directories horizon_lib_dir: "{{ _horizon_lib_dir }}" horizon_lib_wsgi_file: "{{ horizon_lib_dir }}/openstack_dashboard/wsgi/django.wsgi" horizon_endpoint_type: internalURL horizon_server_name: "{{ ansible_fqdn | default('horizon') }}" horizon_apache_servertokens: "Prod" horizon_apache_serversignature: "Off" horizon_log_level: info horizon_apache_custom_log_format: combined horizon_dropdown_max_items: 30 horizon_instance_log_length: 35 horizon_overview_days_range: 1 horizon_images_upload_mode: direct horizon_images_allow_location: False horizon_time_zone: UTC horizon_enforce_password_check: False horizon_disable_password_reveal: False horizon_enable_password_retrieve: False horizon_enable_password_autocomplete: False horizon_enable_heatstack_user_pass: True # If nova_libvirt_inject_password is set to True, then this can also be enabled: horizon_can_set_password: False horizon_enable_cinder_backup: False # Enables IPv6 support in Horizon, such as managing network subnets horizon_enable_ipv6: True # Enables router support in Horizon, disable if you don't have Neutron L3 agent horizon_enable_router: True # Disable/Enable simplified floating IP address management for deployments with # multiple floating IP pools or complex network requirements. horizon_simple_ip_management: True # To enable ha router support in horizon set to True horizon_enable_ha_router: False # Provide default DNS servers to use when a subnet is created. horizon_default_dns_nameservers: [] # DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded # within an iframe. Legacy browsers are still vulnerable to a Cross-Frame # Scripting (XFS) vulnerability, so this option allows extra security hardening # where iframes are not used in deployment. Default setting is True. # For more information see: # http://tinyurl.com/anticlickjack horizon_disallow_iframe_embed: True # WSGI tuning parameters # horizon_wsgi_processes: 4 # horizon_wsgi_threads: 4 ## Cap the maximun number of threads / workers when a user value is unspecified. horizon_wsgi_threads_max: 16 horizon_wsgi_threads: "{{ [[ansible_processor_vcpus|default(2) // 2, 1] | max, horizon_wsgi_threads_max] | min }}" ## Horizon SSL horizon_ssl_cert: /etc/ssl/certs/horizon.pem horizon_ssl_key: /etc/ssl/private/horizon.key horizon_ssl_ca_cert: /etc/ssl/certs/horizon-ca.pem horizon_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}" horizon_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}" # if using a self-signed certificate, set this to true to regenerate it horizon_ssl_self_signed_regen: false horizon_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ horizon_server_name }}/subjectAltName=IP.1={{ external_lb_vip_address }}" # Set these variables to deploy custom certificates # horizon_user_ssl_cert: # horizon_user_ssl_key: # horizon_user_ssl_ca_cert: # Set this to True if you do ssl termination on an external device, like the # load balancer horizon_external_ssl: false # Set this to the header that your device sets when doing ssl termination horizon_secure_proxy_ssl_header: "X-Forwarded-Proto" horizon_secure_proxy_ssl_header_django: "HTTP_{{ horizon_secure_proxy_ssl_header | replace('-', '_') | upper }}" # For multiple regions uncomment this configuration, and # add the extra endpoints below the first list item. # horizon_available_regions: # - { url: "{{ keystone_service_internalurl }}", name: "{{ keystone_service_region }}" } # - { url: "http://cluster1.example.com:5000/v2.0", name: "RegionTwo" } ## Horizon's keystone endpoint settings horizon_keystone_host: "{{ internal_lb_vip_address }}" horizon_keystone_endpoint: "{{ keystone_service_internalurl }}" ## Horizon Multi-Domain Support # these variables should only be changed if horizon_keystone_endpoint is a Keystone v3 API endpoint horizon_keystone_multidomain_support: False horizon_keystone_default_domain: Default ### Set the cacert pem for Keystone if you'd like Horizon to verify it. # horizon_cacert_pem: /path/to/cacert.pem ## alternatively, you can set horizon to turn off ssl verification for Keystone horizon_ssl_no_verify: "{{ (keystone_service_adminuri_insecure | bool or keystone_service_internaluri_insecure | bool) | default(false) }}" ## The role which Horizon should use as a default for users horizon_default_role_name: _member_ ## Launch instance horizon_launch_instance_legacy: False horizon_launch_instance_ng: True horizon_launch_instance_defaults: config_drive: False enable_scheduler_hints: True disable_image: False disable_instance_snapshot: False disable_volume: False disable_volume_snapshot: False create_volume: True ## horizon UI Panel horizon_enable_ironic_ui: False ## Magnum UI Panel horizon_enable_magnum_ui: False ## Magnum UI Panel horizon_enable_octavia_ui: False ## Sahara UI Panel horizon_enable_sahara_ui: False ## Trove UI Panel horizon_enable_trove_ui: False ## Designate UI Panel horizon_enable_designate_ui: False ## Heat UI Panel horizon_enable_heat_ui: False ## Neutron features to enable horizon_enable_neutron_lbaas: False horizon_enable_neutron_fwaas: False ## Swift horizon_swift_file_transfer_chunk_size: 524288 ## Panel horizon_default_panel: overview # For blacklisting certain Nova extensions uncomment this configuration, # and add necessary list items. # horizon_nova_extensions_blacklist: # - "SimpleTenantUsage" ## Customization module ## See https://docs.openstack.org/horizon/latest/configuration/customizing.html#horizon-customization-module-overrides # horizon_customization_module: /local/path/to/customization_module.py ## Replace default theme files with your own # horizon_custom_uploads: # logo: # src: "path_on_deployment_host_of_your_custom_logo.svg" # dest: "img/logo.svg" # logo_splash: # src: "path_on_deployment_host_of_your_custom_logo-splash.svg" # dest: "img/logo-splash.svg" _horizon_available_themes: default: theme_name: "default" theme_label: "Default" theme_path: "themes/default" material: theme_name: "material" theme_label: "Material" theme_path: "themes/material" # Add custom themes. Deployers need to place the archive, with the theme inside, # into the directory, which is specified by theme_src_archive key. # It should be an absolute path to the archive on the deployment host. # Leading folders are not expected in the archive. # Following archive formats are supported: # .tar.gz, .tgz, .zip, .tar.bz, .tar.bz2, .tbz, .tbz2 # See https://docs.openstack.org/horizon/latest/configuration/themes.html # for more details on custom themes # Example: # # horizon_custom_themes: # custom_theme: # theme_name: "custom" # theme_label: "Custom" # theme_path: "themes/custom" # theme_src_archive: "/etc/openstack_deploy/horizon/themes/custom.tar.gz" # horizon_custom_themes: {} # Which of the available themes will be used by default # value is the theme_name from the vars above horizon_default_theme: "default" horizon_webroot: / horizon_listen_ports: - "80" - "443" horizon_pip_packages: - cryptography - django-appconf - django-openstack-auth - greenlet - heat_dashboard - horizon - ironic-ui - magnum-ui - keystonemiddleware - MySQL-python - PyMySQL - neutron-lbaas-dashboard - neutron-fwaas-dashboard - oslo.config - ply - python-memcached - python-keystoneclient - sahara_dashboard - trove_dashboard - designate_dashboard - octavia_dashboard # This variable is used to install additional pip packages # that could be needed for additional dashboards horizon_optional_pip_packages: [] # This variable is used to update the horizon translations from # Zanata, this can be set to "True" when testing translations, # but should otherwise be left as False. horizon_translations_update: False # This variable is used to define the version of the project # (horizon) to pull from Zanata. Default value is master, # other possibly values are stable/pike, stable/queens... horizon_translations_project_version: "master" # This variable is used to be able to fully override or # partially union/intersect lists in order to change the # behaviour of the pull of the translations per component. horizon_translations_pull: "{{ _horizon_translations_pull }}" # This variable is used by the repo_build process to determine # which host group to check for members of before building the # pip packages required by this role. The value is picked up # by the py_pkgs lookup. horizon_role_project_group: horizon_all # Set arbitrary horizon configuration options horizon_config_overrides: {} horizon_keystone_admin_roles: - admin # Set the "credentials" authentication choice to show as default. # The list of authentication mechanisms which include keystone # federation protocols and identity provider/federation protocol horizon_websso_initial_choice: "credentials" horizon_panels: "{{ _horizon_panels }}"