Move API cors config to their services
- Move the CORS config out of tripleo-ui and into the services it applies to. - Set allowed_origin to '*' for the containerized undercloud (when TripleO UI is containerized). - The default for the allowed_origin parameters is unset, for security reasons. Change-Id: Iee983d84c78fe055f295eedfadde336b25a5d6a1
parent
5513d94075
commit
88daf0d5da
@ -10,6 +10,7 @@ resource_registry:
|
||||
parameter_defaults:
|
||||
# ensure we enable ip_forward before docker gets run
|
||||
KernelIpForward: 1
|
||||
KeystoneCorsAllowedOrigin: '*'
|
||||
EnablePackageInstall: true
|
||||
StackAction: CREATE
|
||||
SoftwareConfigTransport: POLL_SERVER_HEAT
|
||||
@ -31,6 +32,7 @@ parameter_defaults:
|
||||
NovaAutoDisabling: '0'
|
||||
NeutronDhcpAgentsPerNetwork: 2
|
||||
HeatConvergenceEngine: false
|
||||
HeatCorsAllowedOrigin: '*'
|
||||
HeatMaxResourcesPerStack: -1
|
||||
HeatMaxJsonBodySize: 2097152
|
||||
IronicCleaningDiskErase: 'metadata'
|
||||
@ -77,3 +79,4 @@ parameter_defaults:
|
||||
NeutronVniRanges: '10:100'
|
||||
NeutronPortQuota: '-1'
|
||||
MigrateLegacyNeutronDb: true
|
||||
SwiftCorsAllowedOrigin: '*'
|
||||
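Review bot: The wildcard `'*'` given to `KeystoneCorsAllowedOrigin`, `HeatCorsAllowedOrigin` and `SwiftCorsAllowedOrigin` lets a page from any web origin, open in an operator's browser, send cross-origin requests to these undercloud APIs and read the responses. The heat service section of this commit also allows the `X-Auth-Token` header, so token-bearing requests are accepted from any origin as well. This keeps the wildcard that tripleo-ui used to hard-code rather than narrowing it. If the UI's origin is known at deploy time, these three values could be set to that origin instead. At minimum I would add a comment above them such as `# CORS: wildcard is only for the containerized TripleO UI; replace with the UI origin where it is known`.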
|
@ -127,9 +127,15 @@ parameters:
|
||||
description: Driver or drivers to handle sending notifications.
|
||||
constraints:
|
||||
- allowed_values: [ 'messagingv2', 'noop' ]
|
||||
HeatCorsAllowedOrigin:
|
||||
type: string
|
||||
default: ''
|
||||
description: Indicate whether this resource may be shared with the domain received in the request
|
||||
"origin" header.
|
||||
|
||||
conditions:
|
||||
service_debug_unset: {equals : [{get_param: HeatDebug}, '']}
|
||||
cors_allowed_origin_unset: {equals : [{get_param: HeatCorsAllowedOrigin}, '']}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
@ -137,45 +143,54 @@ outputs:
|
||||
value:
|
||||
service_name: heat_base
|
||||
config_settings:
|
||||
heat::notification_driver: {get_param: NotificationDriver}
|
||||
heat::rabbit_userid: {get_param: RabbitUserName}
|
||||
heat::rabbit_password: {get_param: RabbitPassword}
|
||||
heat::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
|
||||
heat::rabbit_port: {get_param: RabbitClientPort}
|
||||
heat::debug:
|
||||
if:
|
||||
- service_debug_unset
|
||||
- {get_param: Debug }
|
||||
- {get_param: HeatDebug }
|
||||
heat::enable_proxy_headers_parsing: true
|
||||
heat::rpc_response_timeout: 600
|
||||
heat::rabbit_heartbeat_timeout_threshold: 60
|
||||
heat::keystone::authtoken::project_name: 'service'
|
||||
heat::keystone::authtoken::user_domain_name: 'Default'
|
||||
heat::keystone::authtoken::project_domain_name: 'Default'
|
||||
heat::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
heat::keystone::authtoken::password: {get_param: HeatPassword}
|
||||
heat::heat_keystone_clients_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
|
||||
heat::keystone::domain::domain_name: 'heat_stack'
|
||||
heat::keystone::domain::domain_admin: 'heat_stack_domain_admin'
|
||||
heat::keystone::domain::domain_admin_email: 'heat_stack_domain_admin@localhost'
|
||||
heat::db::database_db_max_retries: -1
|
||||
heat::db::database_max_retries: -1
|
||||
heat::yaql_memory_quota: 100000
|
||||
heat::yaql_limit_iterators: 1000
|
||||
heat::cron::purge_deleted::ensure: {get_param: HeatCronPurgeDeletedEnsure}
|
||||
heat::cron::purge_deleted::minute: {get_param: HeatCronPurgeDeletedMinute}
|
||||
heat::cron::purge_deleted::hour: {get_param: HeatCronPurgeDeletedHour}
|
||||
heat::cron::purge_deleted::monthday: {get_param: HeatCronPurgeDeletedMonthday}
|
||||
heat::cron::purge_deleted::month: {get_param: HeatCronPurgeDeletedMonth}
|
||||
heat::cron::purge_deleted::weekday: {get_param: HeatCronPurgeDeletedWeekday}
|
||||
heat::cron::purge_deleted::maxdelay: {get_param: HeatCronPurgeDeletedMaxDelay}
|
||||
heat::cron::purge_deleted::user: {get_param: HeatCronPurgeDeletedUser}
|
||||
heat::cron::purge_deleted::age: {get_param: HeatCronPurgeDeletedAge}
|
||||
heat::cron::purge_deleted::age_type: {get_param: HeatCronPurgeDeletedAgeType}
|
||||
heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination}
|
||||
heat::max_json_body_size: {get_param: HeatMaxJsonBodySize}
|
||||
map_merge:
|
||||
-
|
||||
if:
|
||||
- cors_allowed_origin_unset
|
||||
- {}
|
||||
- heat::cors::allowed_origin: {get_param: HeatCorsAllowedOrigin}
|
||||
- heat::notification_driver: {get_param: NotificationDriver}
|
||||
heat::rabbit_userid: {get_param: RabbitUserName}
|
||||
heat::rabbit_password: {get_param: RabbitPassword}
|
||||
heat::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
|
||||
heat::rabbit_port: {get_param: RabbitClientPort}
|
||||
heat::debug:
|
||||
if:
|
||||
- service_debug_unset
|
||||
- {get_param: Debug }
|
||||
- {get_param: HeatDebug }
|
||||
heat::enable_proxy_headers_parsing: true
|
||||
heat::rpc_response_timeout: 600
|
||||
heat::rabbit_heartbeat_timeout_threshold: 60
|
||||
heat::keystone::authtoken::project_name: 'service'
|
||||
heat::keystone::authtoken::user_domain_name: 'Default'
|
||||
heat::keystone::authtoken::project_domain_name: 'Default'
|
||||
heat::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
heat::keystone::authtoken::password: {get_param: HeatPassword}
|
||||
heat::heat_keystone_clients_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
|
||||
heat::keystone::domain::domain_name: 'heat_stack'
|
||||
heat::keystone::domain::domain_admin: 'heat_stack_domain_admin'
|
||||
heat::keystone::domain::domain_admin_email: 'heat_stack_domain_admin@localhost'
|
||||
heat::db::database_db_max_retries: -1
|
||||
heat::db::database_max_retries: -1
|
||||
heat::yaql_memory_quota: 100000
|
||||
heat::yaql_limit_iterators: 1000
|
||||
heat::cors::max_age: 3600
|
||||
heat::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
|
||||
heat::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
|
||||
heat::cron::purge_deleted::ensure: {get_param: HeatCronPurgeDeletedEnsure}
|
||||
heat::cron::purge_deleted::minute: {get_param: HeatCronPurgeDeletedMinute}
|
||||
heat::cron::purge_deleted::hour: {get_param: HeatCronPurgeDeletedHour}
|
||||
heat::cron::purge_deleted::monthday: {get_param: HeatCronPurgeDeletedMonthday}
|
||||
heat::cron::purge_deleted::month: {get_param: HeatCronPurgeDeletedMonth}
|
||||
heat::cron::purge_deleted::weekday: {get_param: HeatCronPurgeDeletedWeekday}
|
||||
heat::cron::purge_deleted::maxdelay: {get_param: HeatCronPurgeDeletedMaxDelay}
|
||||
heat::cron::purge_deleted::user: {get_param: HeatCronPurgeDeletedUser}
|
||||
heat::cron::purge_deleted::age: {get_param: HeatCronPurgeDeletedAge}
|
||||
heat::cron::purge_deleted::age_type: {get_param: HeatCronPurgeDeletedAgeType}
|
||||
heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination}
|
||||
heat::max_json_body_size: {get_param: HeatMaxJsonBodySize}
|
||||
service_config_settings:
|
||||
keystone:
|
||||
tripleo::profile::base::keystone::heat_admin_domain: 'heat_stack'
|
||||
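Review bot: The description on `HeatCorsAllowedOrigin` does not say which values are accepted or what the empty default does, and the same text is repeated for `KeystoneCorsAllowedOrigin` and `SwiftCorsAllowedOrigin` in their sections. From the `cors_allowed_origin_unset` condition, an empty string leaves `heat::cors::allowed_origin` out of the settings entirely. Meanwhile `heat::cors::max_age`, `heat::cors::allow_headers` (which includes `X-Auth-Token`) and `heat::cors::expose_headers` are always set. I would reword the description along the lines of `Origin allowed to make cross-origin requests to the Heat API (for example the TripleO UI URL). Empty, the default, leaves the allowed origin unset; '*' allows any origin.` and apply the same wording to the other two parameters.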
|
@ -277,6 +277,11 @@ parameters:
|
||||
description: >-
|
||||
This controls the number of previous user password iterations to keep in
|
||||
history, in order to enforce that newly created passwords are unique.
|
||||
KeystoneCorsAllowedOrigin:
|
||||
type: string
|
||||
default: ''
|
||||
description: Indicate whether this resource may be shared with the domain received in the request
|
||||
"origin" header.
|
||||
|
||||
parameter_groups:
|
||||
- label: deprecated
|
||||
@ -318,6 +323,7 @@ conditions:
|
||||
password_regex_set: {not: {equals: [{get_param: KeystonePasswordRegex}, '']}}
|
||||
password_regex_description_set: {not: {equals: [{get_param: KeystonePasswordRegexDescription}, '']}}
|
||||
unique_last_password_count_set: {not: {equals: [{get_param: KeystoneUniqueLastPasswordCount}, '']}}
|
||||
cors_allowed_origin_unset: {equals : [{get_param: KeystoneCorsAllowedOrigin}, '']}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
@ -328,6 +334,11 @@ outputs:
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
||||
-
|
||||
if:
|
||||
- cors_allowed_origin_unset
|
||||
- {}
|
||||
- keystone::cors::allowed_origin: {get_param: KeystoneCorsAllowedOrigin}
|
||||
- keystone::database_connection:
|
||||
make_url:
|
||||
scheme: {get_param: [EndpointMap, MysqlInternal, protocol]}
|
||||
|
@ -99,6 +99,8 @@ outputs:
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MistralApiNetwork]}
|
||||
mistral::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
||||
mistral::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
|
||||
mistral::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
|
||||
mistral::policy::policies: {get_param: MistralApiPolicies}
|
||||
mistral::cron_trigger::execution_interval: {get_param: MistralExecutionInterval}
|
||||
mistral::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
|
||||
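Review bot: `mistral::cors::allow_headers` appears twice in this hunk with the same value, once after `mistral::wsgi::apache::ssl` and again after `mistral::cron_trigger::execution_interval`. If both sit in the same `config_settings` map (inferred, since indentation is lost on this page) that is a duplicate YAML key and one of them should be dropped. Separately, the commit removes `mistral::cors::allowed_origin: '*'` from the tripleo-ui section, but no Mistral origin setting is added here or in the undercloud environment section, unlike Keystone, Heat and Swift. If that is unintended, a `MistralCorsAllowedOrigin` parameter with `default: ''` and the same `cors_allowed_origin_unset` condition would match the other services. The map continues outside the hunk.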
|
@ -86,12 +86,18 @@ parameters:
|
||||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
SwiftCorsAllowedOrigin:
|
||||
type: string
|
||||
default: ''
|
||||
description: Indicate whether this resource may be shared with the domain received in the request
|
||||
"origin" header.
|
||||
|
||||
conditions:
|
||||
|
||||
ceilometer_pipeline_enabled: {equals : [{get_param: SwiftCeilometerPipelineEnabled}, true]}
|
||||
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
|
||||
swift_encryption_enabled: {equals : [{get_param: SwiftEncryptionEnabled}, true]}
|
||||
cors_allowed_origin_unset: {equals : [{get_param: SwiftCorsAllowedOrigin}, '']}
|
||||
|
||||
resources:
|
||||
SwiftBase:
|
||||
@ -123,6 +129,11 @@ outputs:
|
||||
map_merge:
|
||||
- get_attr: [SwiftBase, role_data, config_settings]
|
||||
- get_attr: [TLSProxyBase, role_data, config_settings]
|
||||
-
|
||||
if:
|
||||
- cors_allowed_origin_unset
|
||||
- {}
|
||||
- swift::proxy::cors_allow_origin: {get_param: SwiftCorsAllowedOrigin}
|
||||
- swift::proxy::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
swift::proxy::authtoken::password: {get_param: SwiftPassword}
|
||||
|
@ -64,16 +64,7 @@ outputs:
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
||||
- keystone::cors::allowed_origin: '*'
|
||||
heat::cors::allowed_origin: '*'
|
||||
heat::cors::max_age: 3600
|
||||
heat::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
|
||||
heat::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
|
||||
mistral::cors::allowed_origin: '*'
|
||||
mistral::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
|
||||
mistral::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
|
||||
swift::proxy::cors_allow_origin: '*'
|
||||
tripleo::ui::endpoint_proxy_zaqar: {get_param: [EndpointMap, ZaqarWebSocketInternal, uri_no_suffix]}
|
||||
- tripleo::ui::endpoint_proxy_zaqar: {get_param: [EndpointMap, ZaqarWebSocketInternal, uri_no_suffix]}
|
||||
tripleo::ui::endpoint_proxy_keystone: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
tripleo::ui::endpoint_proxy_heat: {get_param: [EndpointMap, HeatInternal, uri_no_suffix]}
|
||||
tripleo::ui::endpoint_proxy_ironic: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
|
||||
|