heat_template_version: ocata

description: >
  Horizon service configured with Puppet

parameters:
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  Debug:
    default: ''
    description: Set to True to enable debugging on all services.
    type: string
  DefaultPasswords:
    default: {}
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  HorizonAllowedHosts:
    default: '*'
    description: A list of IP/Hostname for the server Horizon is running on.
                 Used for header checks.
    type: comma_delimited_list
  HorizonPasswordValidator:
    description: Regex for password validation
    type: string
    default: ''
  HorizonPasswordValidatorHelp:
    description: Help text for password validation
    type: string
    default: ''
  HorizonSecret:
    description: Secret key for Django
    type: string
    hidden: true
    default: ''
  MemcachedIPv6:
    default: false
    description: Enable IPv6 features in Memcached.
    type: boolean
  MonitoringSubscriptionHorizon:
    default: 'overcloud-horizon'
    type: string

conditions:

  debug_empty: {equals : [{get_param: Debug}, '']}

outputs:
  role_data:
    description: Role data for the Horizon role.
    value:
      service_name: horizon
      monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
      config_settings:
        map_merge:
        - horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
          tripleo.horizon.firewall_rules:
            '126 horizon':
              dport:
                - 80
                - 443
          horizon::enable_secure_proxy_ssl_header: true
          horizon::disable_password_reveal: true
          horizon::enforce_password_check: true
          horizon::disallow_iframe_embed: true
          horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache
          horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
          horizon::vhost_extra_params:
            add_listen: false
            priority: 10
            access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
            options: ['FollowSymLinks','MultiViews']
          horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]}
          horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]}
          horizon::password_validator: {get_param: [HorizonPasswordValidator]}
          horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]}
          horizon::secret_key:
            yaql:
              expression: $.data.passwords.where($ != '').first()
              data:
                passwords:
                  - {get_param: HorizonSecret}
                  - {get_param: [DefaultPasswords, horizon_secret]}
          memcached_ipv6: {get_param: MemcachedIPv6}
        -
          if:
          - debug_empty
          - {}
          - horizon::django_debug: {get_param: Debug}
      step_config: |
        include ::tripleo::profile::base::horizon
      # Ansible tasks to handle upgrade
      upgrade_tasks:
        - name: Check if httpd is deployed
          command: systemctl is-enabled httpd
          tags: step0,validation
          ignore_errors: True
          register: httpd_enabled
        - name: "PreUpgrade step0,validation: Check if httpd is running"
          shell: >
            /usr/bin/systemctl show 'httpd' --property ActiveState |
            grep '\bactive\b'
          when: httpd_enabled.rc == 0
          tags: step0,validation
        - name: Stop Horizon (under httpd)
          tags: step2
          service: name=httpd state=stopped