Based on spec
support-OCI-image-registry-with-authentication-turned-on.rst
Each Helm chart can configure an OCI image registry and
credentials to use. A Kubernetes secret is then created with this
info. Service Accounts then specify an imagePullSecret specifying
the Secret with creds for the registry. Then any pod using one
of these ServiceAccounts may pull images from an authenticated
container registry.
Related OSH-infra change:
https://review.opendev.org/c/openstack/openstack-helm-infra/+/848142
Change-Id: I54540f14fed29622bc5af8d18939afd06d65e2d8
This changes use the helm-toolkit template for toleration
in openstack services
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Story: 2009276
Task: 43531
Depends-On: I168837f962465d1c89acc511b7bf4064ac4b546c
Change-Id: Ic4bcea7fdbfe600343a42d801b3257aab593bd26
Horizon complains about not defined the container_infra version in OPENSTACK_API_VERSIONS when using the magnum dashboard in horizon. Additional of the api version of the container_infra solves the issue.
Change-Id: I99faeffc82d9d0e50e01f17f3fbf2ca0d19c161b
The policy document and policy documents in the code are conflicting and creating strange issue. As the policy for nova, neutron, keystone, glance and cinder are available in horizon code, they have been removed from the chart values file.
Change-Id: I78b487c11d3d018b18ce823ffd9d8b8940dfa575
Now OPENSTACK_ENABLE_PASSWORD_RETRIEVE value is string so always
get true regardless of the config value.
Change-Id: I0fb1203f22ddd6e707eeb80f72a3685c3b9c350f
At the moment, the multidomain support selector is broken because
it always puts the value of a boolean inside a string which always
evaluates to true, which means setting it to false does nothing.
This patch drops the quotes around the templated configuration,
that way, it is taken for the literal boolean value.
Change-Id: I02c0a0ece680ecb55e83f3da5a992398c3ab6390
In the Victoria cycle oslo.policy decided to change all default policies
to yaml format. Today on openstack-helm we have a mix of json and yaml
on projects and, after having a bad time debugging policies that should
have beeing mounted somewhere but was being mounted elsewhere, I'm
proposing this change so we can unify the delivery method for all
policies across components on yaml (that is supported for quite some
time). This will also avoid having problems in the future as the
services move from json to yaml.
[1] https://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: Id170bf184e44fd77cd53929d474582022a5b6d4f
Currently, when users try to navigate through horizon
panels or use the command-line interface that contains
calls to /api/glance/metadefs it will pop up insufficient
permission errors due to the fact we are disabling [1]
the metadef APIs in glance addressing OSSN-0088 [2].
As a side effect on how we address the OSSN, all API calls
to metadefs will be forbidden for any user, which is not recommended
in production environments. However, we have the current
recommendation of the OSSN which allows CRUD of metadef to
admin only and provide read access to all users.
[1] aab5ee7711
[2] https://wiki.openstack.org/wiki/OSSN/OSSN-0088
Story: 2008761
Task: 42128
Change-Id: Ib1415cadbbfab874a8d44ac6b5c6fba3c7502242
Add "enable_pwd_validator" variable to apply password
validator settings when enabled in horizon values.
Modify "PASSWORD_VALIDATOR" so as to enforce password
requirements i.e., password must be at least eight
characters in length and must include characters from
at least two of these groupings: alpha, numeric, and
special characters when "enable_pwd_validator" is enabled.
Change-Id: Ia866feb875490d0bb40e820c6c32ee2cb6aa4c29
In nova latest code, limits and os-availability-zone have been
updated to could be listed as any user by below patches:
limits: 4d37ffc111ae8bb43bd33fe995bc3686b065131b
os-availability-zone: b8c2de86ed46caf7768027e82519c2418989c36b
And target project id is set to {}. So user cannot be matched as
"owner", and lead to API access failure.
Update policy to be the same as latest nova code to avoid the error.
Change-Id: I3621be0fa42388180a7ac3e4bc7f7683a0c15b68
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
This updates the horizon chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem flag to true
Change-Id: I2ccd920fa26aca2955afef8b71d56e55d1ae26e8
This patch set updates some default horizon settings to be more secured.
Change-Id: I7849cb0e9819d9e5cf4e149634e2bebee75a1c7f
Signed-off-by: Tin Lam <tin@irrational.io>
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: Ia035037e000f1bf95202fc07b8cd1ad0fc019094
This patch set updates the default job to use OpenStack Stein release.
The previously default Ocata release will be place in separate job.
Change-Id: I489324f762a179a2cab5499a6d8e57e97c81297f
Signed-off-by: Tin Lam <tin@irrational.io>
This patch set adds in the egress policy for core OpenStack Services.
Depends-On: https://review.opendev.org/#/c/679853/
Change-Id: I585ddabcbd640db784520c913af8eddecaee3843
Signed-off-by: Tin Lam <tlam@omegaprime.dev>
This change updates the tests container image
to one which installs python3.
The selenium-test.py template file has been refactored
to match the structure of the selenium tests in
openstack-helm-infra/tools/gate/selenium
Change-Id: I568bea8d715ea28b8e750215d166ba1b04e4172d
This updates the kubernetes-entrypoint image reference to consume
the publicly available kubernetes-entrypoint image that is built
and maintained under the airshipit namespace, as the stackanetes
image is no longer actively maintainedy
Depends-On: https://review.opendev.org/688435
Change-Id: I8e76cdcc9d4db8975b330e97169754a2a407341f
Signed-off-by: Steve Wilkerson <sw5822@att.com>
Added new X-Content-Type-Options: nosniff header to make sure the browser
does not try to detect a different Content-Type than what is actually
sent (can lead to XSS)
Added new Header and set X-Permitted-Cross-Domain-Policies: "none"
Change-Id: I6f89ffb44ad805039c4074889a7c15fbef6fc95e
Some configuration when enable will explicitly set headers, for this
to work the header module should be enabled.
Change-Id: If549d4c6924c990d1a48bca193935ed9a2ed6864
This change adds two network policy zuul checks, one for the compute-kit,
and one for cinder/ceph, to test network policy for each OpenStack
service. These checks will be non-voting initially.
The network policy rules for each service will initially allow all
traffic. These ingress/egress rules will be defined in future changes
to only explicitly allow traffic between services that are explicitly
allowed to communicate, other traffic will be denied.
Depends-On: https://review.opendev.org/#/c/685130/
Change-Id: Ide2998ebb2af2832f24ca7abc398a82e4a6d70e3
This adds a helm test for Horizon, the helm test
runs a selenium webdriver check to verify the dashboard
is up
Change-Id: I3616c05596b2bd94931c39fb774333bf65453d52
Signed-off-by: Steve Wilkerson <sw5822@att.com>
Setting this to HTTP_X_FORWARDED_FOR will display the IP in
X-Forwarded-For header instead of REMOTE_ADDR. This is to display
client's IP.
Change-Id: Ifab508f2c3e39de69e3b1423b6aab57e333fc37e
We now have a process for OSH-images image building,
using Zuul, so we should point the images by default to those
images, instead of pointing to stale images.
Without this, the osh-images build process is completely not
in use, and updating the osh-images process or patching its
code has no impact on OSH.
This should fix it.
Change-Id: I672b8755bf9e182b15eff067479b662529a13477
Currently there is no enabling of the heat dashboard if its
installed on the horizon image.
This patch add an extra conf var that allows several dashboards
to be added and will try to find and enable them on start
If the panel dirs dont exists, it will do nothing
This patch add the extra heat_dashboard and includes the existing
neutron_taas_dashboard into the new config
Change-Id: Ibcc4da166d907f3cb842bfc45d842a650361a2d8
log_level variable is added to Horizon configuration. This
will enable the overwriting of the log levels in a
customized manifest.
Change-Id: I15381add9ee1e880e73004131b329ac02972755b
Signed-off-by: Huang,Sophie <sh879n@att.com>
With this patch we allow for a more easy way of overriding some
of the values that may be used in other distros while maintainting
the default values if those values are not overriden.
The following values are introduced to be overriden:
conf:
software:
apache2:
conf_dir:
site_dir:
mods_dir:
binary:
start_flags:
a2enmod:
a2dismod:
On which:
* conf_dir: directory where to drop the config files
* site_dir: directory where to drop the enabled virtualhosts
* mods_dir: directory where to drop any mod configuration
* binary: the binary to use for launching apache
* start_flags: any flags that will be passed to the apache binary call
* a2enmod: mods to enable
* a2dismod: mods to disable
Notice that if there is no overrides given, it should not affect anything
and the templates will not be changed as the default values are set to what
they used to be as to not disrupt existing deployments.
Change-Id: If0fb9ab03aacfcd7087e753698880505571d0233
