[Feature] Add skyline deployment capability

This change adds Skyline deployment options to OSA. New files have been added / integrated into the normal deployment process to support the use of skyline. Co-Authored-By: Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk> Signed-off-by: Kevin Carter <kevin@cloudnull.com> Needed-By: https://review.opendev.org/c/openstack/openstack-ansible-os_skyline/+/912333 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_skyline/+/914439 Change-Id: Ia5c8c60fb152e3eb27e2719f6d7032ca62690601
2023-07-08 13:37:06 +00:00 · 2023-07-08 13:37:06 +00:00 · 2c06a65a75
commit 2c06a65a75
parent 3e2d7afa05
17 changed files with 239 additions and 4 deletions
--- a/ansible-role-requirements.yml
+++ b/ansible-role-requirements.yml
@ -227,6 +227,12 @@
  version: master
  trackbranch: master
  shallow_since: '2023-12-06'
+- name: os_skyline
+  scm: git
+  src: https://opendev.org/openstack/openstack-ansible-os_skyline
+  version: master
+  trackbranch: master
+  shallow_since: '2023-12-06'
 - name: os_tacker
  scm: git
  src: https://opendev.org/openstack/openstack-ansible-os_tacker
--- a/doc/source/user/security/security-headers.rst
+++ b/doc/source/user/security/security-headers.rst
@ -135,3 +135,9 @@ Security Policy to allow access to your authorisation server by overriding the
      child-src 'self' {{ external_lb_vip_address }}:{{ nova_spice_html5proxy_base_port }} {{ external_lb_vip_address }}:{{ nova_novncproxy_port }} {{ external_lb_vip_address }}:{{ nova_serialconsoleproxy_port }};
      frame-src 'self' {{ external_lb_vip_address }}:{{ nova_spice_html5proxy_base_port }} {{ external_lb_vip_address }}:{{ nova_novncproxy_port }} {{ external_lb_vip_address }}:{{ nova_serialconsoleproxy_port }};
      "
+
+It is also possible to set specific security headers for skyline.
+
+.. code-block:: yaml
+
+    haproxy_skyline_csp: ...
--- a/etc/openstack_deploy/conf.d/skyline.yml.aio
+++ b/etc/openstack_deploy/conf.d/skyline.yml.aio
@ -0,0 +1,3 @@
+skyline_dashboard_hosts:
+  aio1:
+    ip: 172.29.236.100
--- a/etc/openstack_deploy/conf.d/skyline.yml.example
+++ b/etc/openstack_deploy/conf.d/skyline.yml.example
@ -0,0 +1,7 @@
+skyline_dashboard_hosts:
+  infra1:
+    ip: 172.20.236.111
+  infra2:
+    ip: 172.20.236.112
+  infra3:
+    ip: 172.20.236.113
--- a/etc/openstack_deploy/user_secrets.yml
+++ b/etc/openstack_deploy/user_secrets.yml
@ -186,6 +186,11 @@ senlin_galera_password:
 senlin_oslomsg_rpc_password:
 senlin_service_password:

+## Skyline Options:
+skyline_galera_password:
+skyline_service_password:
+skyline_prometheus_basic_auth_password:
+skyline_secret_key:

 ## Swift Options:
 swift_service_password:
--- a/inventory/env.d/skyline.yml
+++ b/inventory/env.d/skyline.yml
@ -0,0 +1,21 @@
+---
+component_skel:
+  skyline:
+    belongs_to:
+      - skyline_all
+
+container_skel:
+  skyline_container:
+    belongs_to:
+      - skyline_dashboard_containers
+      - os-infra_containers
+    contains:
+      - skyline
+
+physical_skel:
+  skyline_dashboard_containers:
+    belongs_to:
+      - all_containers
+  skyline_dashboard_hosts:
+    belongs_to:
+      - hosts
--- a/inventory/group_vars/haproxy/haproxy.yml
+++ b/inventory/group_vars/haproxy/haproxy.yml
@ -82,7 +82,12 @@ haproxy_base_service:
  haproxy_service_enabled: true
  haproxy_redirect_scheme: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary('https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }', 'https if !{ ssl_fc }') }}"
  haproxy_frontend_acls: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary(haproxy_ssl_letsencrypt_acl, {}) }}"
-  haproxy_frontend_raw: "{{ (haproxy_ssl | bool and haproxy_security_headers is defined) | ternary( haproxy_security_headers + [ haproxy_horizon_csp | default(haproxy_security_headers_csp)], []) }}"
+  haproxy_frontend_raw: >-
+    {{
+      (haproxy_ssl | bool and haproxy_security_headers is defined) | ternary(
+        haproxy_security_headers + [ haproxy_horizon_csp | default(haproxy_security_headers_csp)] + [haproxy_skyline_csp | default('')],
+        [])
+    }}
  haproxy_maps:
    - 'use_backend %[path,map_reg(/etc/haproxy/base_regex.map)]'
  haproxy_map_entries:
--- a/inventory/group_vars/horizon_all/haproxy_service.yml
+++ b/inventory/group_vars/horizon_all/haproxy_service.yml
@ -23,6 +23,8 @@ openstack_haproxy_horizon_stick_table:
  - "http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 } { path_beg /auth } !{ src {{ haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"
  - "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src {{ haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }"

+horizon_webroot: "{{ (groups['skyline_all'] | default([])) | ternary('/horizon', '/') }}"
+
 haproxy_horizon_service:
  haproxy_backend_only: true    #only describe the backends, frontend is in `base` via haproxy_all group vars
  haproxy_service_name: horizon
@ -31,17 +33,17 @@ haproxy_horizon_service:
  haproxy_balance_type: http
  haproxy_balance_alg: source
  haproxy_backend_httpcheck_options:
-    - 'send hdr User-Agent "osa-haproxy-healthcheck" meth HEAD uri /auth/login/'
+    - 'send hdr User-Agent "osa-haproxy-healthcheck" meth HEAD uri {{ horizon_webroot }}/auth/login/'
  haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}"
  haproxy_backend_ssl: "{{ horizon_backend_ssl | default(openstack_service_backend_ssl) }}"
  haproxy_backend_ca: "{{ horizon_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
  haproxy_stick_table: "{{ openstack_haproxy_horizon_stick_table }}"
  haproxy_map_entries:
    - name: base_regex
-      order: 99
+      order: 98
      #match any requests to the horizon backend
      entries:
-        - '.* horizon-back'
+        - "{{ horizon_webroot }} horizon-back"

 horizon_haproxy_services:
  - "{{ haproxy_horizon_service | combine(haproxy_horizon_service_overrides | default({})) }}"
--- a/inventory/group_vars/skyline_all/defaults.yml
+++ b/inventory/group_vars/skyline_all/defaults.yml
@ -0,0 +1,16 @@
+---
+# Copyright 2022, Cloudnull
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+skyline_service_port: 9999
--- a/inventory/group_vars/skyline_all/haproxy_service.yml
+++ b/inventory/group_vars/skyline_all/haproxy_service.yml
@ -0,0 +1,38 @@
+---
+# Copyright 2023, Rackspace Technology
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+haproxy_skyline_service:
+  haproxy_service_name: skyline
+  haproxy_backend_only: true    #only describe the backends, frontend is in `base` via haproxy_all group vars
+  haproxy_backend_nodes: "{{ groups['skyline_all'] | default([]) }}"
+  haproxy_ssl: "{{ haproxy_ssl }}"
+  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
+  haproxy_backend_port: "{{ skyline_service_port }}"
+  haproxy_balance_type: http
+  haproxy_balance_alg: source
+  haproxy_backend_options:
+    - "httpchk HEAD /auth/login/ HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"
+  haproxy_service_enabled: "{{ groups['skyline_all'] is defined and groups['skyline_all'] | length > 0 }}"
+  haproxy_map_entries:
+    - name: base_regex
+      order: 99
+      # NOTE: match any requests to the skyline backend.
+      #       Horizon will be served under /horizon.
+      #       At the moment change of `skyline_webroot` is not fully implemented.
+      entries:
+        - "{{ skyline_webroot | default('/') }} skyline-back"
+
+skyline_haproxy_services:
+  - "{{ haproxy_skyline_service | combine(haproxy_skyline_service_overrides | default({})) }}"
--- a/inventory/group_vars/skyline_all/source_git.yml
+++ b/inventory/group_vars/skyline_all/source_git.yml
@ -0,0 +1,25 @@
+---
+# Copyright 2023, Rackspace Technology
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+### HEAD as of 09.03.2024 ###
+
+## Skyline service
+skyline_git_repo: "{{ openstack_opendev_base_url }}/openstack/skyline-apiserver"
+skyline_git_install_branch: 86c2fd5ce74edb6f06ca6309d0ecc69b195434cf
+skyline_git_track_branch: master
+
+skyline_console_git_repo: "{{ openstack_opendev_base_url }}/openstack/skyline-console"
+skyline_console_git_install_branch: 4.0.0
+skyline_console_git_track_branch: None
--- a/playbooks/os-skyline-install.yml
+++ b/playbooks/os-skyline-install.yml
@ -0,0 +1,60 @@
+---
+# Copyright 2022, BBC R&D
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Gather skyline facts
+  hosts: skyline_all
+  gather_facts: "{{ osa_gather_facts | default(True) }}"
+  tasks:
+    - name: Gather additional facts
+      include_tasks: "common-tasks/gather-hardware-facts.yml"
+      when: osa_gather_facts | default(True)
+  tags:
+    - always
+
+- name: Configure haproxy services
+  import_playbook: openstack.osa.haproxy_service_config
+  vars:
+    service_group: skyline_all
+    service_variable: "skyline_haproxy_services"
+  when: groups[service_group]
+  tags:
+    - haproxy-service-config
+
+- name: Install skyline components
+  hosts: skyline_all
+  gather_facts: false
+  serial: "{{ skyline_api_serial | default(['1','100%']) }}"
+  environment: "{{ deployment_environment_variables | default({}) }}"
+  user: root
+  vars_files:
+    - "defaults/{{ install_method }}_install.yml"
+  tags:
+    - skyline
+  pre_tasks:
+    - name: Including container-setup tasks
+      include_role:
+        name: "openstack.osa.{{ container_tech | default('lxc') }}_container_setup"
+      when: not is_metal
+
+    - name: Including unbound-clients tasks
+      include_tasks: common-tasks/unbound-clients.yml
+      when:
+        - hostvars['localhost']['resolvconf_enabled'] | bool
+
+  roles:
+    - role: "os_skyline"
+    - role: "openstack.osa.system_crontab_coordination"
+      tags:
+        - crontab
--- a/playbooks/setup-openstack.yml
+++ b/playbooks/setup-openstack.yml
@ -108,6 +108,9 @@
 - name: Importing ceph-rgw-install playbook
  import_playbook: ceph-rgw-install.yml

+- name: Importing os-skyline-install playbook
+  import_playbook: os-skyline-install.yml
+
 - name: Importing os-tempest-install playbook
  import_playbook: os-tempest-install.yml

--- a/releasenotes/notes/skyline-deploy-2d963c0b3b1d6e49.yaml
+++ b/releasenotes/notes/skyline-deploy-2d963c0b3b1d6e49.yaml
@ -0,0 +1,20 @@
+---
+prelude: >
+  Added support to deploy Skyline dashboard.
+
+features:
+  - |
+    OpenStack-Ansible can now be used to deploy Skyline, an alternantive
+    dashboard. New example files have been added to `env.d` and `conf.d`
+    to support the Skyline infrastructure, and a playbook named
+    `os-skyline-install.yml` has been added to deploy the API and console
+    service.
+other:
+  - |
+    When Skyline is deployed with the built-in HAProxy server it will, by
+    default, listen on port 80 when ssl is disabled and port 443 when ssl
+    is enabled. Skyline backend in it's term will listen on port 9999.
+
+    When Skyline is attempted to be deployed with Horizon, Skyline will
+    take precedence by serving on port 80/443. In the meanwhile Horizon
+    will be available in "subdirectory" ``/horizon``.
--- a/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2
+++ b/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2
@ -172,6 +172,14 @@ heat_wsgi_buffer_size: 16384
 horizon_wsgi_processes: 1
 horizon_wsgi_threads: 1

+## Skyline
+skyline_api_workers: 2
+{% if 'skyline' in bootstrap_host_scenarios_expanded and 'yarn' in bootstrap_host_scenarios_expanded %}
+{%   raw %}
+skyline_console_git_install_branch: "{{ skyline_git_track_branch }}"
+{%   endraw %}
+{% endif %}
+
 ## Ceilometer
 ceilometer_notification_workers: 1

--- a/tests/test_inventory.py
+++ b/tests/test_inventory.py
@ -455,6 +455,12 @@ class TestAnsibleInventoryFormatConstraints(unittest.TestCase):
        'senlin_engine',
        'senlin_conductor',
        'senlin_health_manager',
+        'skyline',
+        'skyline_all',
+        'skyline_container',
+        'skyline_dashboard_containers',
+        'skyline_dashboard_hosts',
+        'skyline_dashboard_all',
        'shared-infra_all',
        'shared-infra_containers',
        'shared-infra_hosts',
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@ -87,6 +87,7 @@
      - name: openstack/openstack-ansible-os_rally
      - name: openstack/openstack-ansible-os_sahara
      - name: openstack/openstack-ansible-os_senlin
+      - name: openstack/openstack-ansible-os_skyline
      - name: openstack/openstack-ansible-os_swift
      - name: openstack/openstack-ansible-os_tacker
      - name: openstack/openstack-ansible-os_tempest
@ -208,6 +209,7 @@
      - name: openstack/openstack-ansible-os_rally
      - name: openstack/openstack-ansible-os_sahara
      - name: openstack/openstack-ansible-os_senlin
+      - name: openstack/openstack-ansible-os_skyline
      - name: openstack/openstack-ansible-os_swift
      - name: openstack/openstack-ansible-os_tacker
      - name: openstack/openstack-ansible-os_tempest
@ -259,6 +261,8 @@
      - name: openstack/ovn-octavia-provider
      - name: openstack/sahara
      - name: openstack/senlin
+      - name: openstack/skyline-apiserver
+      - name: openstack/skyline-console
      - name: openstack/swift
      - name: openstack/ironic
      - name: openstack/ironic-inspector