ClusterIssuer does not belong to a single namespace (unlike Issuer)
and can be referenced by Certificate resources from multiple different
namespaces. When internal TLS is added to multiple namespaces, the same
ClusterIssuer can be used instead of one Issuer per namespace.
Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/766359
Change-Id: I6585d5a8c2ccb507a5c99784c0190502b55a5bcf
Add "enable_pwd_validator" variable to apply password
validator settings when enabled in horizon values.
Modify "PASSWORD_VALIDATOR" so as to enforce password
requirements i.e., password must be at least eight
characters in length and must include characters from
at least two of these groupings: alpha, numeric, and
special characters when "enable_pwd_validator" is enabled.
Change-Id: Ia866feb875490d0bb40e820c6c32ee2cb6aa4c29
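
The password rule described in the commit message above, as an added example that is not taken from the chart: one way to express "at least eight characters, from at least two of alpha, numeric and special" as a single regex in a dict with `regex` and `help_text` keys, the shape Horizon's password validator setting uses. The character-class definitions, the help text and the helper name `is_acceptable` are assumptions.

```python
import re

# Assumption: "alpha" = ASCII letters, "numeric" = ASCII digits,
# "special" = any other character. The chart's real regex may differ.
ALPHA = r"(?=.*[A-Za-z])"
DIGIT = r"(?=.*[0-9])"
SPECIAL = r"(?=.*[^A-Za-z0-9])"

# Length lookahead first, then an alternation over the three possible
# pairs of groupings; a password using all three matches the first pair.
PASSWORD_REGEX = (
    r"^(?=.{8,}$)"
    r"(?:" + ALPHA + DIGIT + r"|" + ALPHA + SPECIAL + r"|" + DIGIT + SPECIAL + r")"
    r".*$"
)

PASSWORD_VALIDATOR = {
    "regex": PASSWORD_REGEX,
    "help_text": (
        "Password must be at least 8 characters and use at least two of: "
        "letters, digits, special characters."
    ),
}


def is_acceptable(password: str) -> bool:
    """Return True when the password satisfies PASSWORD_VALIDATOR['regex']."""
    return re.match(PASSWORD_VALIDATOR["regex"], password) is not None


if __name__ == "__main__":
    # Constructed sample passwords, chosen to hit each branch of the rule.
    for candidate in ["abcdefgh", "abcdefg1", "abc1", "1234567!", "!!!!!!!!"]:
        verdict = "ok" if is_acceptable(candidate) else "rejected"
        print(f"{candidate!r:12} {verdict}")
```
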
Since we introduced the chart version check in gates, requirements are not
satisfied with a strict check of 0.1.0.
Change-Id: If537f69dec7e3360f6bffcc4424f10c248919ece
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
Added chart lint in zuul CI to enhance the stability for charts.
Fixed some lint errors in the current charts.
Change-Id: I7e4b191fb9e355ab5d5a233e8ed121346519df62
This patch set puts in the missing certificates to the test-pod.
It also corrects the path of the sriov_agent.ini file.
Change-Id: Ice2124f92a36d545726243fff60db25fbb2ea9c0
In the latest nova code, limits and os-availability-zone have been
updated so that they can be listed by any user, by the patches below:
limits: 4d37ffc111ae8bb43bd33fe995bc3686b065131b
os-availability-zone: b8c2de86ed46caf7768027e82519c2418989c36b
And the target project id is set to {}. So the user cannot be matched as
"owner", which leads to API access failure.
Update the policy to be the same as the latest nova code to avoid the error.
Change-Id: I3621be0fa42388180a7ac3e4bc7f7683a0c15b68
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
This updates the horizon chart to include the pod
security context on the pod template.
This also adds the container security context to set the
readOnlyRootFilesystem flag to true.
Change-Id: I2ccd920fa26aca2955afef8b71d56e55d1ae26e8
When extra panels are introduced in horizon, e.g. ironic-ui, they could
not achieve internationalization. This commit hopes to achieve
internationalization.
Related bug: #1886396
Change-Id: Ic4b89d14ee27bb6c70e792193cbf23de1ae553a4
This patch set updates some default horizon settings to be more secure.
Change-Id: I7849cb0e9819d9e5cf4e149634e2bebee75a1c7f
Signed-off-by: Tin Lam <tin@irrational.io>
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: Ia035037e000f1bf95202fc07b8cd1ad0fc019094
This patch set adds in a job to test the OpenStack Train releases.
Depends-On: https://review.opendev.org/#/c/706456/
Change-Id: I89fef1264f68dab7e921a9e5503c29d6a051f342
Signed-off-by: Tin Lam <tin@irrational.io>
This patch set updates the default job to use the OpenStack Stein release.
The previously default Ocata release will be placed in a separate job.
Change-Id: I489324f762a179a2cab5499a6d8e57e97c81297f
Signed-off-by: Tin Lam <tin@irrational.io>
Currently using envsubst to perform substitution of value overrides in
the feature gate caused conflicts as gotpl gets templated into those
overrides. This adds in '%%%REPLACE_${var}%%%' and uses sed to perform
the substitution instead to address the issue.
This is to achieve parity with OSH-infra patch in [0].
[0] https://review.opendev.org/#/c/697749/
Depends-On: https://review.opendev.org/#/c/697749
Change-Id: I3ed504c65900e7b84728019f3acdf706a40c0427
Signed-off-by: Tin Lam <tlam@omegaprime.dev>
This patch set adds in the egress policy for core OpenStack Services.
Depends-On: https://review.opendev.org/#/c/679853/
Change-Id: I585ddabcbd640db784520c913af8eddecaee3843
Signed-off-by: Tin Lam <tlam@omegaprime.dev>
This change updates the tests container image
to one which installs python3.
The selenium-test.py template file has been refactored
to match the structure of the selenium tests in
openstack-helm-infra/tools/gate/selenium
Change-Id: I568bea8d715ea28b8e750215d166ba1b04e4172d
This updates the kubernetes-entrypoint image reference to consume
the publicly available kubernetes-entrypoint image that is built
and maintained under the airshipit namespace, as the stackanetes
image is no longer actively maintained.
Depends-On: https://review.opendev.org/688435
Change-Id: I8e76cdcc9d4db8975b330e97169754a2a407341f
Signed-off-by: Steve Wilkerson <sw5822@att.com>
Added a new X-Content-Type-Options: nosniff header to make sure the browser
does not try to detect a different Content-Type than what is actually
sent (can lead to XSS).
Added a new header and set X-Permitted-Cross-Domain-Policies: "none".
Change-Id: I6f89ffb44ad805039c4074889a7c15fbef6fc95e
Some configuration, when enabled, will explicitly set headers; for this
to work the header module should be enabled.
Change-Id: If549d4c6924c990d1a48bca193935ed9a2ed6864
This patch set adds in default horizon ingress overrides.
Change-Id: I5a7e8197b84bc5f1ad94d5d6a1d0662257404994
Signed-off-by: Tin Lam <tin@irrational.io>
This change adds two network policy zuul checks, one for the compute-kit,
and one for cinder/ceph, to test network policy for each OpenStack
service. These checks will be non-voting initially.
The network policy rules for each service will initially allow all
traffic. These ingress/egress rules will be defined in future changes
to only explicitly allow traffic between services that are explicitly
allowed to communicate, other traffic will be denied.
Depends-On: https://review.opendev.org/#/c/685130/
Change-Id: Ide2998ebb2af2832f24ca7abc398a82e4a6d70e3
This PS adds checks for the Stein Release of OpenStack in Ubuntu Bionic
containers.
Depends-On: https://review.opendev.org/667726
Change-Id: Icfad3434ca496a841993b95adaf5d853728d920f
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds checks for running the Rocky release of OpenStack under
Python3 in Ubuntu Bionic containers.
Change-Id: I269cef9f8f157e22f6b857822df9a8960dac6ea8
Signed-off-by: Pete Birley <pete@port.direct>
The aim of the patch is to create the directory from the ${APACHE_RUN_DIR}
variable for:
* aodh
* ceilometer
* horizon
* panko
If an image is built with python3, the libapache2-mod-wsgi-py3 module
has to be installed accordingly, but the module doesn't create the /var/run/apache2
directory, which is APACHE_RUN_DIR in the apache configuration file, so apache can't
start without it due to the fact that the directory is used to make its pid,
run, etc. files.
Change-Id: Id511a07fca3eec9b5e80f2f9413628ab4d42d61b
This PS adds checks for the Rocky Release of OpenStack in Ubuntu Xenial
containers.
Change-Id: Ieed4a6a3afa6e3ebd9b2f72ba227aac891d65214
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds checks for the Queens Release of OpenStack in Ubuntu Xenial
containers.
Change-Id: I0d4d427e43f06fa955dfd275859939d0adca113c
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds checks for the Pike Release of OpenStack in Ubuntu Xenial
containers.
Change-Id: I402584bbcdd53a4a6bc21f370586b3498142bf81
Signed-off-by: Pete Birley <pete@port.direct>
This adds a helm test for Horizon. The helm test
runs a selenium webdriver check to verify the dashboard
is up.
Change-Id: I3616c05596b2bd94931c39fb774333bf65453d52
Signed-off-by: Steve Wilkerson <sw5822@att.com>
Setting this to HTTP_X_FORWARDED_FOR will display the IP in the
X-Forwarded-For header instead of REMOTE_ADDR. This is to display the
client's IP.
Change-Id: Ifab508f2c3e39de69e3b1423b6aab57e333fc37e
We now have a process for OSH-images image building,
using Zuul, so we should point the images by default to those
images, instead of pointing to stale images.
Without this, the osh-images build process is completely not
in use, and updating the osh-images process or patching its
code has no impact on OSH.
This should fix it.
Change-Id: I672b8755bf9e182b15eff067479b662529a13477