This adds the release-uuid annotation to the pod spec for all
replication controller templates in the openstack-helm charts
Change-Id: I0159f2741c27277fd173208e7169ff657bb33e57
Expose additional Horizon security params in accordance with the
OpenStack Security Guide [0]
- Check-Dashboard-03: Is DISALLOW_IFRAME_EMBED parameter set to True
- Check-Dashboard-07: Is PASSWORD_AUTOCOMPLETE set to False
[0] https://docs.openstack.org/security-guide/dashboard/checklist.html
Change-Id: I355ddbc9fb1dcd0a6100ee650afd54680ef9ffbd
This PS allows customizing (and disabling) the information about the OS and
Apache version displayed on pages with error messages.
Change-Id: Ic4d19bcc90dadf5cf26faa5c8fb39de00a6f3212
This PS disables the server status page of Apache.
The page provides information which can aid a
malicious user in finding vulnerabilities in the system.
Change-Id: I11104b10359808dc78a214ebb531d710ec353f60
This disables the static page on Apache, which would disable Directory
Listings. This is done as part of a security defect.
Change-Id: Ia1aa07c83c0db9dc33be6d1dfa7e2e60b3a33de9
This patch fixes the network policy issue when using nodeport mode.
If you enable node port without this patch, it will be blocked by network policy,
so the TCP port of horizon should be allowed when using nodeport.
Change-Id: I5e2622c29c6a32ab6d1c5d99d84d4f13382dab65
Signed-off-by: Hyunkook Cho <hk0713.cho@samsung.com>
This patchset enables and moves the securityContext: runAsUser to the pod
level, and uses a non-root user (UID != 0) wherever applicable.
Depends-On: I95264c933b51e2a8e38f63faa1e239bb3c1ebfda
Change-Id: I81f6e11fe31ab7333a3805399b2e5326ec1e06a7
Signed-off-by: Tin Lam <tin@irrational.io>
This PS enables the Egress policies
and enforces them in Openstack-helm.
Depends-On: Icbe2a18c98dba795d15398dcdcac64228f6a7b4c
Change-Id: I6ef3cd157749fd562acb2f89ad44e63be4f7e975
This will enable the TaaS GUI in the horizon dashboard.
TaaS dashboard will need to be installed as part of the image,
else it will not try to add the panel.
Change-Id: I226d9d6e46f5b556a7baa88fcd06de8e571bcdff
This patch set updates the gate to use network policy by default
for all components and enforces them in Openstack-helm.
Change-Id: I70c90b5808075797f02670f21481a4f968205325
Depends-On: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
This patch set moves the default deployment to ocata from newton.
Newton zuul job is now moved into its separate job.
Change-Id: Ic534c8ee02179f23c7855d93a4707e5a2fd77354
Signed-off-by: Tin Lam <tin@irrational.io>
This PS adds the ability to attach a release uuid to pods and rc
objects as desired. A follow up ps will add the ability to add arbitrary
annotations to the same objects.
Depends-On: Iceedba457a03387f6fc44eb763a00fd57f9d84a5
Change-Id: I324680f10263c1aefca2be9056e70d0ff22fcaf0
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates the keystone endpoint definition to point to the
correct host for the admin endpoint when looked up using endpoint
functions from helm-toolkit.
Change-Id: Ic6b82a002cca92e37d21f594bad5f00758f1ea7a
Signed-off-by: Pete Birley <pete@port.direct>
This PS moves openstack components in OSH to use secrets to store
potentially sensitive config information.
Depends-On: https://review.openstack.org/#/c/593732
Change-Id: I9bab586c03597effea0e48a58c69efff3f980a92
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates the keystone chart to stop running the keystone api
as the root user.
Change-Id: If3042210f761476846da02fc8e648c700267a591
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates keystone, and the keystone endpoints sections to use
the same layout for port declarations as other charts.
Change-Id: I7dddabee6c74bf023da4b1cdf722a409e7475f8f
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds support for TLS on over-ridden fqdn's for public
endpoints for core OpenStack Services. Currently this implementation
is limited, in that it does not provide support for dynamically loading
CAs into the containers, or specifying them manually via configuration.
As a result only well-known CAs, or CAs added manually to containers, will
be recognised.
Change-Id: I8f1b699af29cbed2d83ad91bb6840dccce8c5146
Depends-On: I535f38a8d92c01280d79926a1f0acd06984aabbf
Signed-off-by: Tin Lam <tin@irrational.io>
Signed-off-by: Pete Birley <pete@port.direct>
This PS updates horizon to use internal endpoints by default.
Change-Id: I8fa9286859a710ef434d2321a6be19be978b1690
Signed-off-by: Pete Birley <pete@port.direct>
As of Rocky, keystone creates a default "member" role upon bootstrap.
This change modifies any references to the manually created
"_member_" role to "member". In a future change, the manual creation
of this role in keystone can be removed since it will no longer be
needed.
Change-Id: I65c63695976f38da21dc6dd8f40ad70e23da6f48
This PS moves to use the current ga version for kubernetes deployments.
Story: 2002205
Task: 21735
Depends-On: Icb4e7aa2392da6867427a58926be2da6f424bd56
Change-Id: I062a8a29dff70427ee9bcf09f595011b3611b0b1
Signed-off-by: Pete Birley <pete@port.direct>
When removing helm-toolkit from OSH and switching to use the
toolkit from OSH-Infra, the image declaration function was missed.
Depends-On: I2f2012590d81ffcb159d49d8a76eedd4441744cd
Change-Id: I0f1118bb748f3fe1b6bb73acfc00e77c5cca9c7d
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds support for message compilation, if the image supports
it.
Change-Id: Ie15a1a437ff516af697a5bb65c5c7831de872c30
Signed-off-by: Pete Birley <pete@port.direct>
This PS adds the local registry image management to OSH from OSH-Infra.
With this the delta between helm-toolkits in the repos is removed,
allowing the toolkit from OSH-Infra to be used and the one from OSH
to be deprecated.
Change-Id: If5e218cf7df17261fe5ef249d281f9d9637e2f6a
Co-Authored-By: Pete Birley <pete@port.direct>
This PS makes the Horizon deployment compatible with Django 1.10,
which is used in the Queens release.
Change-Id: Id9fef7b0ff8584866ca0f806d373cb6e3e7bf666
Move to v0.3.1 of kubernetes-entrypoint which has 2
breaking changes to pod dependencies, and also adds support for
depending on jobs via labels.
Change-Id: I49d2cea11fbe5c5919ae22a020b877ebbb285992
This PS moves all the config files to be directly values driven,
both simplifying over-ride and allowing configs to be targeted
to pods in future work.
Change-Id: I7e16585c9ef49275327d19a48f00bad192dc4923
This PS allows arbitrary hostnames to be used for public endpoints,
provided they resolve externally to the ingress controllers.
Change-Id: I44411687f756968d00178d487af66c2393e6bde0
This version is already being used by some charts, so this brings the
rest of the charts in line and allows them to use a new feature,
pod dependencies, that this version provides.
Change-Id: Ie8289eb09b31cd8f98c2c5b4dd5bbe469078e6d8
This PS consolidates the Ingress controller service, that is used
to resolve internal requests to public endpoints correctly, to
helm-toolkit.
Change-Id: If7c7deca1b8289a32709f7dc7c936883469aadfe
This change allows enabling the WEBSSO login screen on horizon,
which allows choosing from one or more configured SSO providers.
Example configuration:
  local_settings:
    auth:
      sso:
        enable: true
        initial_choice: "acme_oidc"
        idp_mapping:
          - name: "acme_oidc"
            label: "Acme Corporation - OpenID Connect"
            idp: "myidp1"
            protocol: "oidc"
          - name: "acme_saml2"
            label: "Acme Corporation - SAML2"
            idp: "myidp2"
            protocol: "saml2"
The initial_choice defaults to "credentials" which is the default
Keystone Credential authentication.
The values for idp: and protocol: will be used to construct the redirect
URL for keystone, which will look like:
/v3/OS-FEDERATION/identity_providers/<idp>/protocols/<protocol>/auth
Change-Id: I44e11880292176114753274f965bcd0c2cd01302
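As an added illustration of the WEBSSO values layout and redirect path described in the commit message above (not code from openstack-helm or horizon; the helper names and the sample values dict are constructed here), this builds the login choices and the per-provider Keystone federation path, and rejects an initial_choice that names no configured provider:

```python
# Added example, not part of the openstack-helm commit. It mirrors the
# local_settings.auth.sso layout from the commit message and the redirect
# path /v3/OS-FEDERATION/identity_providers/<idp>/protocols/<protocol>/auth.
from urllib.parse import quote

# Constructed sample values, copied from the commit message's example.
LOCAL_SETTINGS = {
    "auth": {
        "sso": {
            "enable": True,
            "initial_choice": "acme_oidc",
            "idp_mapping": [
                {"name": "acme_oidc", "label": "Acme Corporation - OpenID Connect",
                 "idp": "myidp1", "protocol": "oidc"},
                {"name": "acme_saml2", "label": "Acme Corporation - SAML2",
                 "idp": "myidp2", "protocol": "saml2"},
            ],
        }
    }
}


def federation_auth_path(idp: str, protocol: str) -> str:
    """Keystone redirect path for one provider/protocol pair (hypothetical helper)."""
    # quote(..., safe="") keeps a '/' in an operator-supplied value from
    # changing the path structure of the redirect.
    return "/v3/OS-FEDERATION/identity_providers/%s/protocols/%s/auth" % (
        quote(idp, safe=""), quote(protocol, safe=""))


def build_websso(local_settings: dict) -> dict:
    """Return login choices, the initial choice and per-provider auth paths.

    "credentials" (plain Keystone credential login) is always present and is
    the default initial choice, as the commit message states. An initial_choice
    that is not a configured provider raises ValueError so a typo in values is
    caught at render time instead of producing a broken login page.
    """
    sso = local_settings.get("auth", {}).get("sso", {})
    choices = [("credentials", "Keystone Credentials")]
    paths = {}
    if sso.get("enable"):
        for m in sso.get("idp_mapping", []):
            choices.append((m["name"], m["label"]))
            paths[m["name"]] = federation_auth_path(m["idp"], m["protocol"])
    initial = sso.get("initial_choice", "credentials")
    if initial not in dict(choices):
        raise ValueError("initial_choice %r is not a configured provider" % initial)
    return {"choices": choices, "initial_choice": initial, "paths": paths}
```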
This PS moves static dependencies under a 'static' key to allow
expansion to cover dynamic dependencies.
Change-Id: I38990b93aa79fa1f70af6f2c78e5e5c61c63f32c