X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=blobdiff_plain;f=puppet%2Fservices%2Fhorizon.yaml;h=8fb13c16d59c0762e5411f966cc99e19e963b7f1;hb=3a624e6fc169d80c0df1fefdb0da1d1946da2ad2;hp=f31ca17cb5b47b4c36eea565fa41fd73b54bbd0d;hpb=0e18ac5fdec4b9eeaef7f6aa83c466e86415e4e2;p=apex-tripleo-heat-templates.git

diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml
index f31ca17c..8fb13c16 100644
--- a/puppet/services/horizon.yaml
+++ b/puppet/services/horizon.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2016-10-14
+heat_template_version: ocata
 
 description: >
   Horizon service configured with Puppet
@@ -40,6 +40,10 @@ parameters:
     type: string
     hidden: true
     default: ''
+  HorizonSecureCookies:
+    description: Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
+    type: boolean
+    default: true
   MemcachedIPv6:
     default: false
     description: Enable IPv6 features in Memcached.
@@ -69,6 +73,7 @@ outputs:
           horizon::enable_secure_proxy_ssl_header: true
           horizon::disable_password_reveal: true
           horizon::enforce_password_check: true
+          horizon::disallow_iframe_embed: true
           horizon::cache_backend: django.core.cache.backends.memcached.MemcachedCache
           horizon::django_session_engine: 'django.contrib.sessions.backends.cache'
           horizon::vhost_extra_params:
@@ -77,7 +82,7 @@ outputs:
             access_log_format: '%a %l %u %t \"%r\" %>s %b \"%%{}{Referer}i\" \"%%{}{User-Agent}i\"'
             options: ['FollowSymLinks','MultiViews']
           horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]}
-          horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]}
+          horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
           horizon::password_validator: {get_param: [HorizonPasswordValidator]}
           horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]}
           horizon::secret_key:
@@ -87,6 +92,7 @@ outputs:
                 passwords:
                   - {get_param: HorizonSecret}
                   - {get_param: [DefaultPasswords, horizon_secret]}
+          horizon::secure_cookies: {get_param: [HorizonSecureCookies]}
           memcached_ipv6: {get_param: MemcachedIPv6}
         -
           if:
@@ -95,3 +101,20 @@ outputs:
           - horizon::django_debug: {get_param: Debug}
       step_config: |
         include ::tripleo::profile::base::horizon
+      # Ansible tasks to handle upgrade
+      upgrade_tasks:
+        - name: Check if httpd is deployed
+          command: systemctl is-enabled httpd
+          tags: common
+          ignore_errors: True
+          register: httpd_enabled
+        - name: "PreUpgrade step0,validation: Check if httpd is running"
+          shell: >
+            /usr/bin/systemctl show 'httpd' --property ActiveState |
+            grep '\bactive\b'
+          when: httpd_enabled.rc == 0
+          tags: step0,validation
+        - name: Stop Horizon (under httpd)
+          tags: step1
+          when: httpd_enabled.rc == 0
+          service: name=httpd state=stopped