Added ``horizon_keystone_domain_choices`` hash. It can be used to set the
available domains to choose from on the horizon login page. This feature
was introduced in the Pike release.
Change-Id: Ia7d2bc45e518848a04ce78e7833e1cf9a0ef21ce
Added horizon_keystone_multidomain flag. It can now be overridden
in globals.yml. Default set to False.
Change-Id: I6f8f261cf4b9779e57c2443ac219cdddb1731f52
WSGI configuration is missing the directive
"WSGIApplicationGroup %{GLOBAL}" after
"WSGIProcessGroup" in the horizon template.
Of all WSGI configuration templates it is
the only one that does not have the
"WSGIApplicationGroup" line.
Change-Id: I3001901abbaae842f49179b6febf844337431afc
Closes-Bug: #1717922
Apache access log formats are modified to be consistent with
the format defined in wsgi-keystone.conf, which includes
the response time (%D) and X-Forwarded-For fields.
Change-Id: I02aa5eb106fb894196dfb6e22daf2968e27ed3cb
Closes-Bug: #1703571
Introduced new option enable_cinder_backup, that controls
whether to deploy cinder-backup service.
Change-Id: Ibb0ca0a478748d4caba4df434456ead0df95ffca
Signed-off-by: Pavel Glushchak <pglushchak@virtuozzo.com>
The TRACE method is enabled by default for httpd. There is a security risk
with TRACE enabled, so disable it by default. For more info, please check [0].
[0] https://security.stackexchange.com/a/7711
Change-Id: I4496a6d058d88e1abfb210085f189e7a610e0362
Closes-Bug: #1705160
kolla-kubernetes is using its own configuration generation[0], so it is
time for kolla-ansible to remove the related code to simplify the
logic.
[0] https://github.com/openstack/kolla-kubernetes/tree/master/ansible
Change-Id: I7bb0b7fe3b8eea906613e936d5e9d19f4f2e80bb
Implements: blueprint clean-k8s-config
This change [0] reverted the designate dashboard change because
designate was not finished; we forgot to enable it again.
[0] https://review.openstack.org/#/c/408714/
Change-Id: Ibaf7e5a5dc8cbef619d86a0f2b240d384984e8bd
The static contents directory path of the openstack-dashboard
provided by Ubuntu Cloud Archive is different from RDO's.
This fixes the horizon.conf template to set the correct alias
when ubuntu+binary are specified.
Change-Id: I1b0c04cecc66b42bf764aa035e7ec24c37d805e3
Closes-Bug: #1700712
Many of the templates use 600, remove unnecessary permission
on these templates to bring them in line with the others.
Change-Id: I30fe1b3822b9c7bb6ab98729fc519dc1d603db27
Add support for basic multiple regions, that is to say, many OpenStack
with a shared Keystone (same users) and Horizon. The shared Keystone
and Horizon are deployed into one region, for instance RegionOne.
Services of other regions have access to this Keystone. This
support assumes that the operator knows the name of all OpenStack
regions in advance, and considers as many Kolla runs as there are
regions.
The new variable, multiple_regions_names, contains the name of
regions. It is needed by the region that includes Keystone and
Horizon. In register.yml, it specifies to create as many Keystone
endpoints as there are regions, so that services of other regions can
connect to Keystone. In local_settings.j2, it changes the render to
support multiple regions in Horizon. The multi-regions.rst explains
how to perform a multiple regions deployment.
Implements: blueprint multi-kolla-config
Change-Id: Icab2aebfc4de0e3bc609950956e0af397705f403
New dashboard plugins are included in horizon,
new custom policies support needs to be added for
those services.
Change conditional check to apply changes when
horizon plugin is enabled, not the service itself.
Closes-Bug: #1664505
Change-Id: I67fcb88fd432b4c7554ddf24e76b28c3aab7c01f
Default user group should be set much earlier in deployment
and should be used consistently across all projects.
Change-Id: Id399f9ddebc903bb9c3eeb5a0ff6f33ca6d6828c
Closes-Bug: #1650501
Horizon and Neutron mistakenly were using keystone_public_url
for authentication. This works without error in deployments
when the internal services happen to have access to the
public network, but it is still wrong. This fails to work
when the internal services can not access the public URLs,
for example when TLS is enabled on the public endpoints.
This patch corrects horizon and neutron to use
keystone_internal_url for auth.
Change-Id: I59b9094364bef375036028ba86a771dabf28c963
Closes-bug: #1625648
Horizon was missing SESSION_ENGINE from its conf which means it was not
making use of memcached.
Change-Id: I450aee05f59e344902f1e92d913f4c1ce9e8dcc6
Closes-Bug: 1630509
Database-backed sessions are scalable (using an appropriate database
strategy), persistent, and can be made high-concurrency and
highly-available [0]
Default is off.
[0] http://docs.openstack.org/developer/horizon/topics/deployment.html#database
Co-Authored-By: Vladislav Belogrudov <vladislav.belogrudov@oracle.com>
Closes-Bug: 1618781
Change-Id: Ib68a21397dc020d20e07dcc51d3d0fdc1de102ff
When setting multi memcached servers, the value should be a list
rather than a comma joined string.
This patch set I586ce1c6c3300254c4e2a398ff46645df576aeb0 set it
wrong.
TrivialFix
Change-Id: Ic612658ab0310c6764310bbca92c925da6d47f6c
Leverage the browser cache and compress to speed up the file transfer.
In the RHEL based image, the expire and deflate modules are enabled by
default. In the Debian based image, only the deflate is enabled.
* Enable expire module on the Debian based image
* Enable the expire for the assets resource
* Enable the deflate for the http response
Closes-Bug: #1605907
Change-Id: If25decc38a10a21929f72a89cdb350d4ac64a5a9
Note: This should not result in any behavior changes in regular Kolla, just
Kolla-Kubernetes and only when you've overridden stuff in globals.yml
Allows override of interface address and memcached pools, so that Kubernetes
can do the right thing.
There are some significant architectural issues involved in memcached pooling
in the Kolla-kubernetes world. Avoiding them right now.
Currently working with this Kolla-Kubernetes globals.yml file:
api_interface_address: "0.0.0.0"
memcached_servers: "memcached"
keystone_database_address: "mariadb"
keystone_admin_url: "http://keystone-admin:35357/v3"
keystone_internal_url: "http://keystone-public:5000/v3"
keystone_public_url: "http://keystone-public:5000/v3"
Three things to note:
* In Kolla-Kubernetes, the service is not using net=host, so a
0.0.0.0 interface address is totally OK. That patch has been merged.
* In Kolla-Kubernetes, the global.yml file doesn't do var substitution
so you have to be explicit about the URLs, otherwise Keystone will
look like it was provisioned but it won't quite be provisioned right.
* In order to not duplicate tons of code, moved the keystone_admin_url /
keystone_internal_url / keystone_public_url to the common defaults
from the keystone defaults.
Co-Authored-By: Ryan Hallisey <rhallise@redhat.com>
Change-Id: I586ce1c6c3300254c4e2a398ff46645df576aeb0
Partially-implements: blueprint api-interface-bind-address-override
When using multi memcached servers, a list of servers should be used
rather than a comma joined servers string.
Change-Id: I93ed68947465b3e6b0c7fa3cf6c8c4ac94ed0bf2
Closes-Bug: #1600082
Changes location of Horizon logs; they will be stored on the common log volume
kolla_logs.
Change-Id: Ie9d56999a83efd05ab7c3dcb00b4dc42c9bce8f8
Closes-Bug: 1560250
The horizon default is to prevent multidomain login, while allowing
multidomain login won't prevent default domain login. The overhead is that we
must type in the domain to log in even if it's the default domain.
Change-Id: I965c3612eb584e88071c619037e1f42b3f4c7cd0
Closes-Bug: #1560683
TLS can be used to encrypt and authenticate the connection with
OpenStack endpoints. This patch provides the necessary
parameters and changes the resulting service configurations to
enable TLS for the Kolla deployed OpenStack cloud.
The new input parameters are:
kolla_enable_tls_external: "yes" or "no" (default is "no")
kolla_external_fqdn_cert: "/etc/kolla/certificates/haproxy.pem"
kolla_external_fqdn_cacert: "/etc/kolla/certificates/haproxy-ca.crt"
Implements: blueprint kolla-ssl
Change-Id: I48ef8a781c3035d58817f9bf6f36d59a488bab41
Due to poor planning on our variable names we have a situation where
we have "internal_address" which must be a VIP, but "external_address"
which should be a DNS name. Now with two vips "external_vip_address"
is a new variable.
This corrects that issue by deprecating kolla_internal_address and
replacing it with 4 nicely named variables.
kolla_internal_vip_address
kolla_internal_fqdn
kolla_external_vip_address
kolla_external_fqdn
The default behaviour will remain the same, and the way the variable
inheritance is set up the kolla_internal_address variable can still be
set in globals.yml and propagate out to these 4 new variables like it
normally would, but all reference to kolla_internal_address has been
completely removed.
Change-Id: I4556dcdbf4d91a8d2751981ef9c64bad44a719e5
Partially-Implements: blueprint ssl-kolla
To allow for TLS to protect the service endpoints, the protocol
in the URLs for the endpoints will be either http or https.
This patch removes the hardcoded values of http and replaces them
with variables that can be adjusted accordingly in future patches.
Change-Id: Ibca6f8aac09c65115d1ac9957410e7f81ac7671e
Partially-implements: blueprint ssl-kolla
In a heterogeneous environment, api_interfaces are different from each other.
So we should specify it from hostvars.
Implements: bp configure-network-interface
Change-Id: Id15d70bfb9ebb62a64a3847a6b77407efb171dbe
Use virtualenv for installation of OpenStack projects and
dependencies to avoid conflicts with Python libraries installed
by non-OpenStack binary packages.
Change-Id: I21ecd673b2e93335b1d3dd4e279e940c9d694c3c
Implements: blueprint virtualenv
Unfortunately there was no way to avoid memcache for consoleauth, so
we might as well take advantage of it for Horizon as well.
Change-Id: Idd338a025b031f6b50fe0c9f03c2c8d862f9d4c0
Closes-Bug: #1504606
Closes-Bug: #1504800