Currently there is no enabling of the heat dashboard if it's
installed on the horizon image.
This patch adds an extra conf var that allows several dashboards
to be added and will try to find and enable them on start.
If the panel dirs don't exist, it will do nothing.
This patch adds the extra heat_dashboard and includes the existing
neutron_taas_dashboard into the new config
Change-Id: Ibcc4da166d907f3cb842bfc45d842a650361a2d8
log_level variable is added to Horizon configuration. This
will enable the overwriting of the log levels in a
customized manifest.
Change-Id: I15381add9ee1e880e73004131b329ac02972755b
Signed-off-by: Huang,Sophie <sh879n@att.com>
With this patch we allow for an easier way of overriding some
of the values that may be used in other distros while maintaining
the default values if those values are not overridden.
The following values are introduced to be overridden:
conf:
  software:
    apache2:
      conf_dir:
      site_dir:
      mods_dir:
      binary:
      start_flags:
      a2enmod:
      a2dismod:
On which:
* conf_dir: directory where to drop the config files
* site_dir: directory where to drop the enabled virtualhosts
* mods_dir: directory where to drop any mod configuration
* binary: the binary to use for launching apache
* start_flags: any flags that will be passed to the apache binary call
* a2enmod: mods to enable
* a2dismod: mods to disable
Notice that if there are no overrides given, it should not affect anything
and the templates will not be changed as the default values are set to what
they used to be as to not disrupt existing deployments.
Change-Id: If0fb9ab03aacfcd7087e753698880505571d0233
Adding any dashboards should be done before compiling and compressing
as they can enable additional files that need to be compiled and
compressed, so first we should enable them if needed and then
compile+compress
Change-Id: Ib2fb44f5829269aa974d467ea57d9add2b9e0141
Implement container security context for the following Horizon resources:
- Horizon server deployment
Change-Id: I8202cd011f4c4f73d778c5f0ad2648440e259e5d
As mentioned on the apache docs[0] having 2 overlapping
listen directories will cause the apache server to fail
with a fatal error. This seems like it was ignored on
earlier versions so we can use the version module to
change it based on the current apache version as to
not affect existing deployments
[0] https://httpd.apache.org/docs/2.4/es/bind.html
Change-Id: I8ce260e020375e93befa5e2e6df22eca0eaf9d07
If user wants to add an extra volumeMounts/volume to a pod,
and uses override values e.g. like this
pod:
  mounts:
    nova_placement:
      init_container: null
      nova_placement:
        volumeMounts:
          - name: nova-etc
            ...
helm template parser complains with
Warning: The destination item 'nova_placement' is a table and ignoring the source 'nova_placement' as it has a non-table value of: <nil>
So when we create empty values for such keys in values.yaml, the source
will be present and warning does not need to be shown.
Change-Id: Ib8dc53c3a54e12014025de8fafe16fbe9721c0da
This adds the release-uuid annotation to the pod spec for all
replication controller templates in the openstack-helm charts
Change-Id: I0159f2741c27277fd173208e7169ff657bb33e57
Expose additional Horizon security params in accordance with the
OpenStack Security Guide [0]
- Check-Dashboard-03: Is DISALLOW_IFRAME_EMBED parameter set to True
- Check-Dashboard-07: Is PASSWORD_AUTOCOMPLETE set to False
[0] https://docs.openstack.org/security-guide/dashboard/checklist.html
Change-Id: I355ddbc9fb1dcd0a6100ee650afd54680ef9ffbd
This PS allows to customize (and disable) information about OS and
Apache version displayed on pages with error messages.
Change-Id: Ic4d19bcc90dadf5cf26faa5c8fb39de00a6f3212
This PS disables the server status page of Apache.
The page provides information which can aid the
malicious user in finding vulnerabilities in the system.
Change-Id: I11104b10359808dc78a214ebb531d710ec353f60
This disables the static page on Apache, which would disable Directory
Listings. This is done as part of a Security defect.
Change-Id: Ia1aa07c83c0db9dc33be6d1dfa7e2e60b3a33de9
This patch fixes the network policy issue when using nodeport mode.
If you enable node port without this patch, it will be blocked by network policy.
So the tcp port of horizon should be allowed when using nodeport.
Change-Id: I5e2622c29c6a32ab6d1c5d99d84d4f13382dab65
Signed-off-by: Hyunkook Cho <hk0713.cho@samsung.com>
This patchset enables and moves the securityContext: runAsUser to the pod
level, and uses a non-root user (UID != 0) wherever applicable.
Depends-On: I95264c933b51e2a8e38f63faa1e239bb3c1ebfda
Change-Id: I81f6e11fe31ab7333a3805399b2e5326ec1e06a7
Signed-off-by: Tin Lam <tin@irrational.io>
This PS enables the Egress policies
and enforces them in Openstack-helm.
Depends-On: Icbe2a18c98dba795d15398dcdcac64228f6a7b4c
Change-Id: I6ef3cd157749fd562acb2f89ad44e63be4f7e975
This will enable the TaaS GUI to the horizon dashboard.
TaaS dashboard will need to be installed as part of the image,
else it will not try to add the panel.
Change-Id: I226d9d6e46f5b556a7baa88fcd06de8e571bcdff
This patch set updates the gate to by default use network policy
for all components and enforces them in Openstack-helm.
Change-Id: I70c90b5808075797f02670f21481a4f968205325
Depends-On: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
This patch set moves the default deployment to ocata from newton.
Newton zuul job is now moved into its separate job.
Change-Id: Ic534c8ee02179f23c7855d93a4707e5a2fd77354
Signed-off-by: Tin Lam <tin@irrational.io>
This PS adds the ability to attach a release uuid to pods and rc
objects as desired. A follow up ps will add the ability to add arbitrary
annotations to the same objects.
Depends-On: Iceedba457a03387f6fc44eb763a00fd57f9d84a5
Change-Id: I324680f10263c1aefca2be9056e70d0ff22fcaf0
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates the keystone endpoint definition to point to the
correct host for the admin endpoint when looked up using endpoint
functions from helm-toolkit.
Change-Id: Ic6b82a002cca92e37d21f594bad5f00758f1ea7a
Signed-off-by: Pete Birley <pete@port.direct>
This PS moves openstack components in OSH to use secrets to store
potentially sensitive config information.
Depends-On: https://review.openstack.org/#/c/593732
Change-Id: I9bab586c03597effea0e48a58c69efff3f980a92
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates the keystone chart to stop running the keystone api
as the root user.
Change-Id: If3042210f761476846da02fc8e648c700267a591
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates keystone, and the keystone endpoints sections to use
the same layout for port declarations as other charts.
Change-Id: I7dddabee6c74bf023da4b1cdf722a409e7475f8f
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds support for TLS on over-ridden fqdn's for public
endpoints for core OpenStack Services. Currently this implementation
is limited, in that it does not provide support for dynamically loading
CAs into the containers, or specifying them manually via configuration.
As a result only well known or CA's added manually to containers will
be recognised.
Change-Id: I8f1b699af29cbed2d83ad91bb6840dccce8c5146
Depends-On: I535f38a8d92c01280d79926a1f0acd06984aabbf
Signed-off-by: Tin Lam <tin@irrational.io>
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates horizon to use internal endpoints by default.
Change-Id: I8fa9286859a710ef434d2321a6be19be978b1690
Signed-off-by: Pete Birley <pete@port.direct>
As of Rocky, keystone creates a default "member" role upon bootstrap.
This change modifies any references to the manually created
"_member_" role to "member". In a future change, the manual creation
of this role in keystone can be removed since it will no longer be
needed.
Change-Id: I65c63695976f38da21dc6dd8f40ad70e23da6f48
This PS moves to use the current ga version for kubernetes deployments.
Story: 2002205
Task: 21735
Depends-On: Icb4e7aa2392da6867427a58926be2da6f424bd56
Change-Id: I062a8a29dff70427ee9bcf09f595011b3611b0b1
Signed-off-by: Pete Birley <pete@port.direct>
When removing helm-toolkit from OSH and switching to use the
toolkit from OSH-Infra, the image declaration function was missed.
Depends-On: I2f2012590d81ffcb159d49d8a76eedd4441744cd
Change-Id: I0f1118bb748f3fe1b6bb73acfc00e77c5cca9c7d
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds support for message compilation, if the image supports
it.
Change-Id: Ie15a1a437ff516af697a5bb65c5c7831de872c30
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds the local registry image management to OSH from OSH-Infra.
With this the delta between helm-toolkits in the Repo's is removed,
allowing the toolkit from OSH-Infra to be used and the one from OSH
to be depreciated.
Change-Id: If5e218cf7df17261fe5ef249d281f9d9637e2f6a
Co-Authored-By: Pete Birley <pete@port.direct>
This PS makes the Horizon deployment compatible with Django 1.10,
which is used in the Queens release.
Change-Id: Id9fef7b0ff8584866ca0f806d373cb6e3e7bf666
Move to v0.3.1 of kubernetes-entrypoint which has 2
breaking changes to pod dependencies, and also adds support for
depending on jobs via labels.
Change-Id: I49d2cea11fbe5c5919ae22a020b877ebbb285992
This PS moves all the config files to be directly values driven,
both simplifying over-ride and allowing configs to be targeted
to pods in future work.
Change-Id: I7e16585c9ef49275327d19a48f00bad192dc4923