From 2c06a65a75f501c30376f7369f4b7eccd3f0523a Mon Sep 17 00:00:00 2001 From: James Denton Date: Sat, 8 Jul 2023 13:37:06 +0000 Subject: [PATCH] [Feature] Add skyline deployment capability This change adds Skyline deployment options to OSA. New files have been added / integrated into the normal deployment process to support the use of skyline. Co-Authored-By: Jonathan Rosser Signed-off-by: Kevin Carter Needed-By: https://review.opendev.org/c/openstack/openstack-ansible-os_skyline/+/912333 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_skyline/+/914439 Change-Id: Ia5c8c60fb152e3eb27e2719f6d7032ca62690601 --- ansible-role-requirements.yml | 6 ++ doc/source/user/security/security-headers.rst | 6 ++ etc/openstack_deploy/conf.d/skyline.yml.aio | 3 + .../conf.d/skyline.yml.example | 7 +++ etc/openstack_deploy/user_secrets.yml | 5 ++ inventory/env.d/skyline.yml | 21 +++++++ inventory/group_vars/haproxy/haproxy.yml | 7 ++- .../horizon_all/haproxy_service.yml | 8 ++- inventory/group_vars/skyline_all/defaults.yml | 16 +++++ .../skyline_all/haproxy_service.yml | 38 ++++++++++++ .../group_vars/skyline_all/source_git.yml | 25 ++++++++ playbooks/os-skyline-install.yml | 60 +++++++++++++++++++ playbooks/setup-openstack.yml | 3 + .../skyline-deploy-2d963c0b3b1d6e49.yaml | 20 +++++++ .../templates/user_variables.aio.yml.j2 | 8 +++ tests/test_inventory.py | 6 ++ zuul.d/jobs.yaml | 4 ++ 17 files changed, 239 insertions(+), 4 deletions(-) create mode 100644 etc/openstack_deploy/conf.d/skyline.yml.aio create mode 100644 etc/openstack_deploy/conf.d/skyline.yml.example create mode 100644 inventory/env.d/skyline.yml create mode 100644 inventory/group_vars/skyline_all/defaults.yml create mode 100644 inventory/group_vars/skyline_all/haproxy_service.yml create mode 100644 inventory/group_vars/skyline_all/source_git.yml create mode 100644 playbooks/os-skyline-install.yml create mode 100644 releasenotes/notes/skyline-deploy-2d963c0b3b1d6e49.yaml 
diff --git a/ansible-role-requirements.yml b/ansible-role-requirements.yml index d0648911a3..579cf4b6cf 100644 --- a/ansible-role-requirements.yml +++ b/ansible-role-requirements.yml @@ -227,6 +227,12 @@ version: master trackbranch: master shallow_since: '2023-12-06' +- name: os_skyline + scm: git + src: https://opendev.org/openstack/openstack-ansible-os_skyline + version: master + trackbranch: master + shallow_since: '2023-12-06' - name: os_tacker scm: git src: https://opendev.org/openstack/openstack-ansible-os_tacker diff --git a/doc/source/user/security/security-headers.rst b/doc/source/user/security/security-headers.rst index b7192996aa..465eba52d4 100644 --- a/doc/source/user/security/security-headers.rst +++ b/doc/source/user/security/security-headers.rst @@ -135,3 +135,9 @@ Security Policy to allow access to your authorisation server by overriding the child-src 'self' {{ external_lb_vip_address }}:{{ nova_spice_html5proxy_base_port }} {{ external_lb_vip_address }}:{{ nova_novncproxy_port }} {{ external_lb_vip_address }}:{{ nova_serialconsoleproxy_port }}; frame-src 'self' {{ external_lb_vip_address }}:{{ nova_spice_html5proxy_base_port }} {{ external_lb_vip_address }}:{{ nova_novncproxy_port }} {{ external_lb_vip_address }}:{{ nova_serialconsoleproxy_port }}; " + +It is also possible to set specific security headers for skyline. + +.. code-block:: yaml + + haproxy_skyline_csp: ... diff --git a/etc/openstack_deploy/conf.d/skyline.yml.aio b/etc/openstack_deploy/conf.d/skyline.yml.aio new file mode 100644 index 0000000000..15c98ec43f --- /dev/null +++ b/etc/openstack_deploy/conf.d/skyline.yml.aio @@ -0,0 +1,3 @@ +skyline_dashboard_hosts: + aio1: + ip: 172.29.236.100 diff --git a/etc/openstack_deploy/conf.d/skyline.yml.example b/etc/openstack_deploy/conf.d/skyline.yml.example new file mode 100644 index 0000000000..a73de18f01 --- /dev/null +++ b/etc/openstack_deploy/conf.d/skyline.yml.example 
@@ -0,0 +1,7 @@ +skyline_dashboard_hosts: + infra1: + ip: 172.20.236.111 + infra2: + ip: 172.20.236.112 + infra3: + ip: 172.20.236.113 diff --git a/etc/openstack_deploy/user_secrets.yml b/etc/openstack_deploy/user_secrets.yml index c2b259b194..215da75029 100644 --- a/etc/openstack_deploy/user_secrets.yml +++ b/etc/openstack_deploy/user_secrets.yml @@ -186,6 +186,11 @@ senlin_galera_password: senlin_oslomsg_rpc_password: senlin_service_password: +## Skyline Options: +skyline_galera_password: +skyline_service_password: +skyline_prometheus_basic_auth_password: +skyline_secret_key: ## Swift Options: swift_service_password: diff --git a/inventory/env.d/skyline.yml b/inventory/env.d/skyline.yml new file mode 100644 index 0000000000..bfcf7b7b2f --- /dev/null +++ b/inventory/env.d/skyline.yml @@ -0,0 +1,21 @@ +--- +component_skel: + skyline: + belongs_to: + - skyline_all + +container_skel: + skyline_container: + belongs_to: + - skyline_dashboard_containers + - os-infra_containers + contains: + - skyline + +physical_skel: + skyline_dashboard_containers: + belongs_to: + - all_containers + skyline_dashboard_hosts: + belongs_to: + - hosts diff --git a/inventory/group_vars/haproxy/haproxy.yml b/inventory/group_vars/haproxy/haproxy.yml index 889c2f5061..ada0edd1ba 100644 --- a/inventory/group_vars/haproxy/haproxy.yml +++ b/inventory/group_vars/haproxy/haproxy.yml 
@@ -82,7 +82,12 @@ haproxy_base_service: haproxy_service_enabled: true haproxy_redirect_scheme: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary('https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }', 'https if !{ ssl_fc }') }}" haproxy_frontend_acls: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary(haproxy_ssl_letsencrypt_acl, {}) }}" - haproxy_frontend_raw: "{{ (haproxy_ssl | bool and haproxy_security_headers is defined) | ternary( haproxy_security_headers + [ haproxy_horizon_csp | default(haproxy_security_headers_csp)], []) }}" + haproxy_frontend_raw: >- + {{ + (haproxy_ssl | bool and haproxy_security_headers is defined) | ternary( + haproxy_security_headers + [ haproxy_horizon_csp | default(haproxy_security_headers_csp)] + [haproxy_skyline_csp | default('')], + []) + }} haproxy_maps: - 'use_backend %[path,map_reg(/etc/haproxy/base_regex.map)]' haproxy_map_entries: diff --git a/inventory/group_vars/horizon_all/haproxy_service.yml b/inventory/group_vars/horizon_all/haproxy_service.yml index cb09df2cb8..2f7cb9dc36 100644 --- a/inventory/group_vars/horizon_all/haproxy_service.yml +++ b/inventory/group_vars/horizon_all/haproxy_service.yml @@ -23,6 +23,8 @@ openstack_haproxy_horizon_stick_table: - "http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 } { path_beg /auth } !{ src {{ haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }" - "http-request deny deny_status 429 if { sc_http_err_rate(0) gt 20 } !{ src {{ haproxy_stick_table_allowlist_networks | join(' } !{ src ') }} }" +horizon_webroot: "{{ (groups['skyline_all'] | default([])) | ternary('/horizon', '/') }}" + haproxy_horizon_service: haproxy_backend_only: true #only describe the backends, frontend is in `base` via haproxy_all group vars haproxy_service_name: horizon 
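Review bot: In `haproxy_frontend_raw`, the Horizon CSP entry and the new `haproxy_skyline_csp` entry are both appended to the one shared `base` frontend, so once an operator sets `haproxy_skyline_csp`, both directives apply to every response from that frontend instead of only to the dashboard each was written for. Whether the entries set or add the header is not visible in this hunk; the later one either replaces the Horizon policy or the browser enforces both at once, and neither is likely what the deployer meant. The documentation hunk in this commit shows only `haproxy_skyline_csp: ...`, so I would state there that each CSP line needs its own path condition. The `default('')` also leaves an empty element in the list when the variable is unset, which `+ ([haproxy_skyline_csp] if haproxy_skyline_csp is defined else [])` avoids. The `haproxy_base_service` mapping starts before this hunk.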
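Review bot: The stick-table rule in this hunk's context still throttles on `{ path_beg /auth }`, but the added `horizon_webroot` becomes `/horizon` whenever `skyline_all` has members, which moves Horizon's login to `/horizon/auth/login/` (the path the health check in the next hunk probes). Unless the path is rewritten before the rule is evaluated, which nothing here shows, the 429 login rate limit stops matching in combined Horizon and Skyline deployments. The condition should follow the webroot, for example `{ path_beg {{ horizon_webroot | regex_replace('/$', '') }}/auth }`. `openstack_haproxy_horizon_stick_table` begins before this hunk.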
@@ -31,17 +33,17 @@ haproxy_horizon_service: haproxy_balance_type: http haproxy_balance_alg: source haproxy_backend_httpcheck_options: - - 'send hdr User-Agent "osa-haproxy-healthcheck" meth HEAD uri /auth/login/' + - 'send hdr User-Agent "osa-haproxy-healthcheck" meth HEAD uri {{ horizon_webroot }}/auth/login/' haproxy_service_enabled: "{{ groups['horizon_all'] is defined and groups['horizon_all'] | length > 0 }}" haproxy_backend_ssl: "{{ horizon_backend_ssl | default(openstack_service_backend_ssl) }}" haproxy_backend_ca: "{{ horizon_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}" haproxy_stick_table: "{{ openstack_haproxy_horizon_stick_table }}" haproxy_map_entries: - name: base_regex - order: 99 + order: 98 #match any requests to the horizon backend entries: - - '.* horizon-back' + - "{{ horizon_webroot }} horizon-back" horizon_haproxy_services: - "{{ haproxy_horizon_service | combine(haproxy_horizon_service_overrides | default({})) }}" diff --git a/inventory/group_vars/skyline_all/defaults.yml b/inventory/group_vars/skyline_all/defaults.yml new file mode 100644 index 0000000000..072e7b8b1a --- /dev/null +++ b/inventory/group_vars/skyline_all/defaults.yml @@ -0,0 +1,16 @@ +--- +# Copyright 2022, Cloudnull +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +skyline_service_port: 9999 diff --git a/inventory/group_vars/skyline_all/haproxy_service.yml b/inventory/group_vars/skyline_all/haproxy_service.yml new file mode 100644 index 0000000000..6bee346cc0 
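Review bot: The new map entry `"{{ horizon_webroot }} horizon-back"` is consumed by `map_reg` on the base frontend, so with Skyline present the key `/horizon` is an unanchored regex and sends any request whose path merely contains `/horizon` to the Horizon backend. Anchoring it, `"^{{ horizon_webroot }} horizon-back"`, keeps everything else on the Skyline backend and still matches all paths when the webroot is `/`. Separately, when `horizon_webroot` is `/` the health check URI renders as `//auth/login/`; `uri {{ horizon_webroot | regex_replace('/$', '') }}/auth/login/` avoids the doubled slash. `haproxy_horizon_service` starts in the previous hunk.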
--- /dev/null +++ b/inventory/group_vars/skyline_all/haproxy_service.yml @@ -0,0 +1,38 @@ +--- +# Copyright 2023, Rackspace Technology +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +haproxy_skyline_service: + haproxy_service_name: skyline + haproxy_backend_only: true #only describe the backends, frontend is in `base` via haproxy_all group vars + haproxy_backend_nodes: "{{ groups['skyline_all'] | default([]) }}" + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}" + haproxy_backend_port: "{{ skyline_service_port }}" + haproxy_balance_type: http + haproxy_balance_alg: source + haproxy_backend_options: + - "httpchk HEAD /auth/login/ HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck" + haproxy_service_enabled: "{{ groups['skyline_all'] is defined and groups['skyline_all'] | length > 0 }}" + haproxy_map_entries: + - name: base_regex + order: 99 + # NOTE: match any requests to the skyline backend. + # Horizon will be served under /horizon. + # At the moment change of `skyline_webroot` is not fully implemented. + entries: + - "{{ skyline_webroot | default('/') }} skyline-back" + +skyline_haproxy_services: + - "{{ haproxy_skyline_service | combine(haproxy_skyline_service_overrides | default({})) }}" diff --git a/inventory/group_vars/skyline_all/source_git.yml b/inventory/group_vars/skyline_all/source_git.yml new file mode 100644 index 0000000000..66fd089ba7 --- /dev/null +++ b/inventory/group_vars/skyline_all/source_git.yml 
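Review bot: `haproxy_skyline_service` defines no `haproxy_stick_table`, so unlike the Horizon service in this commit, Skyline's login endpoint gets no request-rate or error-rate throttling at the load balancer. It also sets neither `haproxy_backend_ssl` nor `haproxy_backend_ca`, which leaves encryption of HAProxy-to-Skyline traffic to role defaults that are not visible here. If the os_skyline role can serve TLS, adding `haproxy_backend_ssl: "{{ openstack_service_backend_ssl }}"` and `haproxy_backend_ca: "{{ openstack_haproxy_backend_ca }}"` would match the other services, and a stick table modelled on `openstack_haproxy_horizon_stick_table` but keyed to Skyline's login path would restore the throttle. The health check uses the legacy `httpchk` string under `haproxy_backend_options`, where Horizon uses `haproxy_backend_httpcheck_options`, and it probes `/auth/login/`, which is Horizon's login path, so confirm Skyline actually answers it.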
@@ -0,0 +1,25 @@ +--- +# Copyright 2023, Rackspace Technology +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +### HEAD as of 09.03.2024 ### + +## Skyline service +skyline_git_repo: "{{ openstack_opendev_base_url }}/openstack/skyline-apiserver" +skyline_git_install_branch: 86c2fd5ce74edb6f06ca6309d0ecc69b195434cf +skyline_git_track_branch: master + +skyline_console_git_repo: "{{ openstack_opendev_base_url }}/openstack/skyline-console" +skyline_console_git_install_branch: 4.0.0 +skyline_console_git_track_branch: None diff --git a/playbooks/os-skyline-install.yml b/playbooks/os-skyline-install.yml new file mode 100644 index 0000000000..ac734ce6e1 --- /dev/null +++ b/playbooks/os-skyline-install.yml 
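Review bot: `skyline_console_git_install_branch: 4.0.0` pins the console to a tag, while `skyline_git_install_branch` just above is pinned to a full commit SHA. A tag can be re-pointed upstream, so the console source is not fixed in the way the "HEAD as of" comment suggests. Pinning to the commit the tag resolves to and keeping the tag as a trailing comment, e.g. `skyline_console_git_install_branch: <commit-sha-of-4.0.0>  # 4.0.0`, makes both sources immutable. Also, `skyline_console_git_track_branch: None` is the YAML string "None" rather than null; if that is the sentinel the SHA-bump tooling expects, a one-line comment saying so would help.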
@@ -0,0 +1,60 @@ +--- +# Copyright 2022, BBC R&D +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: Gather skyline facts + hosts: skyline_all + gather_facts: "{{ osa_gather_facts | default(True) }}" + tasks: + - name: Gather additional facts + include_tasks: "common-tasks/gather-hardware-facts.yml" + when: osa_gather_facts | default(True) + tags: + - always + +- name: Configure haproxy services + import_playbook: openstack.osa.haproxy_service_config + vars: + service_group: skyline_all + service_variable: "skyline_haproxy_services" + when: groups[service_group] + tags: + - haproxy-service-config + +- name: Install skyline components + hosts: skyline_all + gather_facts: false + serial: "{{ skyline_api_serial | default(['1','100%']) }}" + environment: "{{ deployment_environment_variables | default({}) }}" + user: root + vars_files: + - "defaults/{{ install_method }}_install.yml" + tags: + - skyline + pre_tasks: + - name: Including container-setup tasks + include_role: + name: "openstack.osa.{{ container_tech | default('lxc') }}_container_setup" + when: not is_metal + + - name: Including unbound-clients tasks + include_tasks: common-tasks/unbound-clients.yml + when: + - hostvars['localhost']['resolvconf_enabled'] | bool + + roles: + - role: "os_skyline" + - role: "openstack.osa.system_crontab_coordination" + tags: + - crontab diff --git a/playbooks/setup-openstack.yml b/playbooks/setup-openstack.yml index 06bf85630a..d0bdac97fc 100644 
--- a/playbooks/setup-openstack.yml +++ b/playbooks/setup-openstack.yml @@ -108,6 +108,9 @@ - name: Importing ceph-rgw-install playbook import_playbook: ceph-rgw-install.yml +- name: Importing os-skyline-install playbook + import_playbook: os-skyline-install.yml + - name: Importing os-tempest-install playbook import_playbook: os-tempest-install.yml diff --git a/releasenotes/notes/skyline-deploy-2d963c0b3b1d6e49.yaml b/releasenotes/notes/skyline-deploy-2d963c0b3b1d6e49.yaml new file mode 100644 index 0000000000..2264dbd064 --- /dev/null +++ b/releasenotes/notes/skyline-deploy-2d963c0b3b1d6e49.yaml @@ -0,0 +1,20 @@ +--- +prelude: > + Added support to deploy Skyline dashboard. + +features: + - | + OpenStack-Ansible can now be used to deploy Skyline, an alternantive + dashboard. New example files have been added to `env.d` and `conf.d` + to support the Skyline infrastructure, and a playbook named + `os-skyline-install.yml` has been added to deploy the API and console + service. +other: + - | + When Skyline is deployed with the built-in HAProxy server it will, by + default, listen on port 80 when ssl is disabled and port 443 when ssl + is enabled. Skyline backend in it's term will listen on port 9999. + + When Skyline is attempted to be deployed with Horizon, Skyline will + take precedence by serving on port 80/443. In the meanwhile Horizon + will be available in "subdirectory" ``/horizon``. diff --git a/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2 b/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2 index a0d2c65be7..03f34e976f 100644 --- a/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2 +++ b/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2 
@@ -172,6 +172,14 @@ heat_wsgi_buffer_size: 16384 horizon_wsgi_processes: 1 horizon_wsgi_threads: 1 +## Skyline +skyline_api_workers: 2 +{% if 'skyline' in bootstrap_host_scenarios_expanded and 'yarn' in bootstrap_host_scenarios_expanded %} +{% raw %} +skyline_console_git_install_branch: "{{ skyline_git_track_branch }}" +{% endraw %} +{% endif %} + ## Ceilometer ceilometer_notification_workers: 1 diff --git a/tests/test_inventory.py b/tests/test_inventory.py index 32ef52074d..256119a017 100644 --- a/tests/test_inventory.py +++ b/tests/test_inventory.py @@ -455,6 +455,12 @@ class TestAnsibleInventoryFormatConstraints(unittest.TestCase): 'senlin_engine', 'senlin_conductor', 'senlin_health_manager', + 'skyline', + 'skyline_all', + 'skyline_container', + 'skyline_dashboard_containers', + 'skyline_dashboard_hosts', + 'skyline_dashboard_all', 'shared-infra_all', 'shared-infra_containers', 'shared-infra_hosts', diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 5566a66d5a..cb8f9653a2 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -87,6 +87,7 @@ - name: openstack/openstack-ansible-os_rally - name: openstack/openstack-ansible-os_sahara - name: openstack/openstack-ansible-os_senlin + - name: openstack/openstack-ansible-os_skyline - name: openstack/openstack-ansible-os_swift - name: openstack/openstack-ansible-os_tacker - name: openstack/openstack-ansible-os_tempest @@ -208,6 +209,7 @@ - name: openstack/openstack-ansible-os_rally - name: openstack/openstack-ansible-os_sahara - name: openstack/openstack-ansible-os_senlin + - name: openstack/openstack-ansible-os_skyline - name: openstack/openstack-ansible-os_swift - name: openstack/openstack-ansible-os_tacker - name: openstack/openstack-ansible-os_tempest 
@@ -259,6 +261,8 @@ - name: openstack/ovn-octavia-provider - name: openstack/sahara - name: openstack/senlin + - name: openstack/skyline-apiserver + - name: openstack/skyline-console - name: openstack/swift - name: openstack/ironic - name: openstack/ironic-inspector