52 Commits

Author SHA1 Message Date
Lars Kellogg-Stedman
3aa91b8462 use versioned keystone endpoint in OPENSTACK_KEYSTONE_URL
Horizon uses OPENSTACK_KEYSTONE_URL to generate browser redirects for
web sso (in openstack_auth/utils.py). In order to generate valid URLs,
this value must use a versioned keystone endpoint.

Change-Id: Ifd8b7dea83a4566b69f76898952f908395c590a4
2018-06-20 10:05:27 -04:00
Lars Kellogg-Stedman
43a39d4b0d use keystone public endpoint in horizon
the horizon::keystone_url is ultimately used to set the
OPENSTACK_KEYSTONE_URL setting in Horizon's local_settings, and this
is used in browser redirects when utilizing web SSO. In many cases,
the keystone internal endpoint would be inaccessible to browser
clients, so we should use the public endpoint here.

Change-Id: I5b3c0935b1a5c38704e748770b7bac52d674a637
2018-06-15 10:46:09 -04:00
Carlos Camacho
44ef2a3ec1 Change template names to rocky
The new master branch should now point to rocky.

So, HOT templates should specify that they might contain features
for rocky release [1]

Also, this submission updates the yaml validation to use only the latest
heat_version alias. There are cases in which we will need to set
the version for specific templates, i.e. mixed versions, so a variable
is added to assign specific templates to specific heat_version
aliases, avoiding the introduction of errors by bulk replacing the
old version in new releases.

[1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#rocky
Change-Id: Ib17526d9cc453516d99d4659ee5fa51a5aa7fb4b
2018-05-09 08:28:42 +02:00
Steven Hardy
3a7baa8fa6 Convert ServiceNetMap evals to hiera interpolation
Since https://review.openstack.org/#/c/514707/ added the net_ip_map
to hieradata, we can look up the per-network bind IPs via hiera
interpolation instead of heat map_replace.

In some cases the ServiceNetMap lookup is used for other things,
but anywhere we make use of the "magic" translation via NetIpMap
is changed the same way.

This will enable more of the configuration data to be exposed per
role vs per node in a future patch (to simplify our ansible
workflow).

Co-authored-by: Bogdan Dobrelya <bdobreli@redhat.com>
Change-Id: Ie3da9fedbfce87e85f74d8780e7ad1ceadda79c8
2018-03-10 08:18:30 +00:00
Emilien Macchi
995cf71057 docker: don't override horizon::vhost_extra_params
horizon::vhost_extra_params is already configured in
puppet/services/horizon.yaml, and users can change the value with
HorizonVhostExtraParams parameter.

Docker deployments didn't have HorizonVhostExtraParams taken into account
since we were overriding with Hiera. This patch fixes it.

Closes-Bug: #1749627
Change-Id: I77f1312112c7f613d795242060709082ef72f150
2018-02-17 18:00:02 +00:00
Lukas Bezdicka
0cb5c847f3 Always evaluate step first in conditional
If we use variables defined in a later step in a conditional before
checking which step we are on, we will fail.

Resolves: rhbz#1535457
Closes-Bug: #1743764
Change-Id: Ic21f6eb5c4101f230fa894cd0829a11e2f0ef39b
2018-02-09 17:12:29 +01:00
Emilien Macchi
52ac3b33f3 horizon: trigger _member_ role creation in Keystone
The role is needed when Horizon is deployed, let's create it.

Depends-On: I5272f1fc199772043db48d29b0ea99a8bfff4ed5
Change-Id: I81b56071b620f5193fe187300be247c271739333
Closes-Bug: #1741066
2018-02-06 07:08:37 -08:00
marios
dec003def8 Convert tags to when statements for Q major upgrade workflow
This converts "tags: stepN" to "when: step|int == N" for the direct
execution as an ansible playbook, with a loop variable 'step'.
The tasks all include the explicit cast |int.

This also adds a set_fact task for handling of the package removal
with the UpgradeRemovePackages parameter (no change to the interface)

The yaml-validate also now checks for duplicate 'when:' statements

Q upgrade spec @ Ibde21e6efae3a7d311bee526d63c5692c4e27b28
Related Blueprint: major-upgrade-workflow
[0]: 394a92f761/tripleo_common/utils/config.py (L141)
Change-Id: I6adc5619a28099f4e241351b63377f1e96933810
2018-01-08 13:57:47 +02:00
Carlos Camacho
927495fe3d Change template names to queens
The new master branch should now point to queens instead of pike.

So, HOT templates should specify that they might contain features
for queens release [1]

[1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#queens

Change-Id: I7654d1c59db0c4508a9d7045f452612d22493004
2017-11-23 10:15:32 +01:00
Zuul
fabbbbbfdf Merge "Add constraints to service Debug flags" 2017-11-13 22:23:50 +00:00
Zuul
324c534031 Merge "Make Horizon parameters: vhost_extra_params and customization_module configurable" 2017-11-12 05:52:35 +00:00
Juan Antonio Osorio Robles
2f7888c2c5 Add constraints to service Debug flags
The service debug flags (e.g. BarbicanDebug) allow the deployer to set
verbose logging for a specific service. They are strings to allow
folks to set it up regardless of the global Debug flag being set.

This commit adds a constraint to set the allowed values for these
parameters. It is based on a subset of the underlying implementation
that sets this flag (which uses any2bool).

Change-Id: I35e7a7ee35aefb7108ec6b0bb8f3124610fb97ee
2017-11-06 08:23:21 +02:00
Lokesh Jain
b27cc34d8b Make Horizon parameters: vhost_extra_params and customization_module configurable
Horizon parameters - horizon::vhost_extra_params and horizon::customization_module
are available but not configurable using horizon. This change exposes these parameters
and makes them configurable.

Depends-On: Id204b60b2676f49713fb6ce7eede6200221f7163
Change-Id: I4875585530c6d1d3b1134577ef2e097216c6c348
2017-10-10 18:03:54 -04:00
Ade Lee
c9b7091536 Ensure Debug is a boolean
Oslo does not like it when Debug is not a proper Python boolean.
Closes-Bug: 1719929

Change-Id: Ib6c3969d4dd75d5fb2cc274266c060acff8d5571
2017-09-27 13:22:07 -04:00
Juan Antonio Osorio Robles
1df5f72688 Enable listening on TLS for the internal network for horizon
This sets the flag that tells the horizon manifest to use TLS for the
configuration.

bp tls-via-certmonger

Depends-On: I7f2e11eb60c7b075e8a59f28682ecc50eeb95c3e
Change-Id: I13d59e7663538884b34b5a910b741de8721abbb9
2017-08-18 05:43:20 +00:00
Giulio Fidente
baf6eee501 Adds network/cidr mapping into a new service property
Makes it possible to resolve network subnets within a service
template; the data is transported into a new property ServiceData
wired into every service which hopefully is generic enough to
be extended in the future and transport more data.

Data can be consumed in service templates to set config values
which need to know the subnet where a daemon operates (for
example the Ceph Public vs Cluster network).

Change-Id: I28e21c46f1ef609517175f7e7ee19e28d1c0cba2
2017-07-14 13:44:04 +02:00
Ben Nemec
93b42baf51 Remove add_listen: false from Horizon hieradata
I'm not sure why this was here, but without a Listen directive in
Apache's ports.conf Horizon is inaccessible.  Removing this allows
Horizon to work again.

Change-Id: Ic221e15f188cf50b485e995035cb96f5d5960a72
Closes-Bug: 1696439
2017-06-20 11:42:45 -05:00
Ben Nemec
d8c0c33012 Change HorizonSecureCookies default to False
HorizonSecureCookies is incompatible with non-ssl deployments, which
is our default deployment method.  When SSL is in use, it can be
turned on in the enable-tls.yaml file.  This does mean that
existing users won't automatically get this feature turned on as
part of their upgrade because enable-tls.yaml is an environment that
is intended to be copied and edited, but it's simple to add the
parameter to the file for users who want that behavior after they
upgrade to a version where it is available.

Change-Id: If83d3d8709fc4e0c09569e8bf524721d332bf560
Closes-Bug: 1696861
2017-06-08 16:28:34 -05:00
Emilien Macchi
1e899703cc Ability to enable/disable debug mode per OpenStack service
Add ServiceDebug parameters for each service that will allow operators
to enable/disable Debug for specific services.

We keep the Debug parameters for backward compatibility.

Operators want to enable Debug everywhere:
  Debug: true
Operators want to disable Debug everywhere:
  Debug: false
Operators want to disable Debug everywhere except Glance:
  GlanceDebug: true
Operators want to enable Debug everywhere except Glance:
  Debug: true
  GlanceDebug: false

New parameters: AodhDebug, BarbicanDebug, CeilometerDebug, CinderDebug,
CongressDebug, GlanceDebug, GnocchiDebug, HeatDebug, HorizonDebug,
IronicDebug, KeystoneDebug, ManilaDebug, MistralDebug, NeutronDebug,
NovaDebug, OctaviaDebug, PankoDebug, SaharaDebug, TackerDebug,
ZaqarDebug.

Note: for backward compatibility in Horizon, HorizonDebug is set to
false, so we maintain previous behavior.

Change-Id: Icbf4a38afcdbd8471d1afc11743df9705451db52
Implement-blueprint: composable-debug
Closes-Bug: #1634567
2017-06-07 11:26:30 +02:00
Jenkins
0900c88428 Merge "Open ports 443 and 80 on haproxy's firewall when horizon is standalone" 2017-05-20 02:57:49 +00:00
Carlos Camacho
0a0e2ee629 Update the template_version alias for all the templates to pike.
Master is now the development branch for pike
changing the release alias name.

Change-Id: I938e4a983e361aefcaa0bd9a4226c296c5823127
2017-05-19 09:58:07 +02:00
Saravanan KR
a096ddab34 Add role specific information to the service template
When a service is enabled on multiple roles, the parameters for the
service will be global. This change enables an option to provide
role specific parameter to services and other templates.

Two new parameters, RoleName and RoleParameters, are added to the
service template. RoleName provides the name of the role on which the
current instance of the service is being applied. RoleParameters
provides the list of parameters which are configured specific to the
role in the environment file, like below:

  parameters_default:
      # Default value for applied to all roles
      NovaReservedHostMemory: 2048
      ComputeDpdkParameters:
          # Applied only to ComputeDpdk role
          NovaReservedHostMemory: 4096

In the above sample, the cluster contains 2 roles - Compute, ComputeDpdk.
The values of ComputeDpdkParameters will be passed on to the templates
as RoleParameters while creating the stack for the ComputeDpdk role. A
parameter which supports role specific configuration should be looked
up first in the RoleParameters list; if not found, the default (for all
roles) should be used.
Implements: blueprint tripleo-derive-parameters

Change-Id: I72376a803ec6b2ed93903cc0c95a6ffce718b6dc
2017-05-15 10:06:46 +05:30
Radomir Dopieralski
430e4d3128 Open ports 443 and 80 on haproxy's firewall when horizon is standalone
Change-Id: Ifec9839ac0fc688678f0221bb731fb64bd86d2d9
2017-04-26 19:11:26 +02:00
Jenkins
88510fce67 Merge "Adds Horizon secure cookie map." 2017-04-06 23:54:13 +00:00
lhinds
2c4aee2a5c Adds Horizon secure cookie map.
Puppet-horizon already contains a `secure_cookies` parameter that
sets `CSRF_COOKIE_SECURE` and `SESSION_COOKIE_SECURE` within
`/templates/local_settings.py.erb`.

This change introduces the services map for TripleO Heat Templates

Change-Id: Ie6f6158929c33da8c5f245e2379aebe1afd524ef
Closes-bug: #1640491
2017-03-23 09:49:55 +00:00
Emilien Macchi
6d35336e1c horizon: switch keystone_url to use uri_no_suffix
Switch Horizon to use keystone_url with keystone versionless endpoint.

Change-Id: I7a22136937d414b2c3713894e04b0f093247ad33
Partial-implement: blueprint keystone-v3
2017-03-10 12:25:40 -05:00
Emilien Macchi
7c84a9b390 upgrades/validation: only run validation when services exist
During upgrades, validation tests whether a service is running before the
upgrade process starts.
In some cases, services don't exist yet, so we don't want to run the
validation.

This patch makes sure we check if the service is actually present on the
system before validating it's running correctly.

Also it makes sure that services are enabled before trying to stop them.
It allows use-cases where we want to add new services during an upgrade.
Also install new packages of services added in Ocata, so we can validate
upgrades on scenarios jobs.

Change-Id: Ib48fb6b1557be43956557cbde4cbe26b53a50bd8
2017-03-01 19:49:00 +00:00
Sofer Athlan-Guyot
fb78213782 Put service stop at step1 and quiesce at step2.
In the previous release[1], the services were stopped before the
pacemaker services, so that they get a chance to send last message to
the database/rabbitmq queue:

Let's do the upgrade in the same order.

[1] https://github.com/openstack/tripleo-heat-templates/blob/stable/newton/extraconfig/tasks/major_upgrade_controller_pacemaker_2.sh#L13-L71

Change-Id: I1c4045e8b9167396c9dfa4da99973102f1af1218
2017-02-28 19:20:13 +01:00
Emilien Macchi
db02313b28 Add upgrade support for Horizon
Change-Id: I91c3c93c1571288daa78b6d24b0aa9824a2bb5c4
2017-02-28 09:18:05 +01:00
Jenkins
ca8fc7ea69 Merge "Manage password_validator regex" 2017-01-25 23:50:48 +00:00
Luke Hinds
0e18ac5fde Manage password_validator regex
Horizon provides a password validation check, which OpenStack cloud
operators can use to enforce password complexity checks for users
within horizon.

A dictionary containing a regular expression can be used for
password validation with help text that is displayed if the password
does not pass validation.

HORIZON_CONFIG["password_validator"] = {
    "regex": '.*',
    "help_text": _("Your password does not meet the requirements."),
}

This change allows injection of the regex into Horizon's local_settings
file from a TripleO heat template.

Change-Id: Ib6517c8f96148bea002b0e3442a26367b236928f
Depends-On: If82a80ed6a8e6e65aecc2a25ee6d60640ae03c9a
Closes-Bug: #1640800
2017-01-25 16:45:22 +00:00
Steven Hardy
3c6ec654b4 Bump template version for all templates to "ocata"
Heat now supports release name aliases, so we can replace
the inconsistent mix of date related versions with one consistent
version that aligns with the supported version of heat for this
t-h-t branch.

This should also help new users who sometimes copy/paste old templates
and discover intrinsic functions in the t-h-t docs don't work because
their template version is too old.

Change-Id: Ib415e7290fea27447460baa280291492df197e54
2016-12-23 11:43:39 +00:00
Jenkins
db45116afd Merge "Manage disallow_iframe_embed" 2016-12-23 11:29:14 +00:00
Juan Antonio Osorio Robles
db31ff5e5a Enable SECURE_PROXY_SSL_HEADER option for horizon
This makes Django take the X-Forwarded-Proto header into account
when forming URLs.

Change-Id: Ice64de9a11d7819ae7f380279ff356342d9b6673
Depends-On: Ifed7d4c3409419c01c5b20c707221c1fc76ea09e
2016-12-14 08:32:48 +00:00
Luke Hinds
0146b6be0d Manage disallow_iframe_embed
disallow_iframe_embed can be used to prevent Horizon from being
embedded within an iframe. Legacy browsers are still vulnerable
to a Cross-Frame Scripting (XFS) vulnerability, so this option
allows extra security hardening where iframes are not used in
deployment.

Change-Id: I2fe6b243250608b340ee555062060dbdad1a49c4
Depends-On: I5c540e552efe738bdec8598f9257fa22ae651a76
Closes-Bug: #1641882
2016-12-13 06:52:43 +00:00
Jenkins
2fc81bef2f Merge "Disable Options Indexes in horizon" 2016-11-22 04:15:23 +00:00
Andreas Karis
0213ae9bd5 Disable Options Indexes in horizon
Security scanners complain that directory listings are enabled in horizon.

Change-Id: I1d7cfcb3521e8235a99bc452f1b7b92c20ce72ac
Closes-Bug: #1637576
2016-11-17 19:31:05 -05:00
Luke Hinds
ca122325dd Enable enforce_password_check
By setting ENFORCE_PASSWORD_CHECK to `True`, it displays an 'Admin
Password' field on the Change Password form to verify that it is indeed
the admin logged-in who wants to change the password.

Change-Id: Ib11bef93b6b0c74063052875fa361290bf1e92fd
Depends-On: If7af97df7a011569a7e14fbab4f880688d7b82c3
Closes-Bug: #1640806
2016-11-17 13:28:14 +00:00
Dan Prince
133edad130 Horizon service cleanups for hiera json hook
This patch resolves a few issues I noticed when porting our
Horizon service to support the new heat hiera agent hook (which
uses Json instead of Yaml).

 - we only need to set django_debug if the string is non-empty. This
   should match previous behavior.

 - remove the duplicated NeutronMechanismDrivers setting. This is already
   managed in the neutron services and shouldn't be set here.

Change-Id: I473e110bb9b14cb8f57d41c4fc398871548726b0
Partial-bug: #1596373
2016-11-15 22:08:14 -05:00
Alex Schultz
465d91380c Disable password reveal in horizon
To improve security, we should disable the password reveal option in
horizon by default. An end user can override this option via their own
custom hiera if they would ultimately like to have this functionality.

Change-Id: Ie88dac5610840eb4b327252b32dc469099ba5f5f
Depends-On: Iacf899d595a2a3c522df1b96ca527731937ec698
Closes-Bug: 1640492
2016-11-09 08:22:44 -07:00
Jenkins
f4ec754a4d Merge "Clarify horizon allowed hosts setting" 2016-10-21 20:59:23 +00:00
Matthias Runge
d6df3c61c2 Clarify horizon allowed hosts setting
Horizon allowed hosts should name the IP addresses/
DNS names (short/long) the Horizon node is listening to.
Allowed hosts is used for header checks and is a security
mechanism.

Change-Id: I81c96357f969a1a436eecd35eb178579159bc719
2016-10-21 16:23:18 +00:00
Jenkins
dada8f55bf Merge "Remove repeated apache-related hieradata" 2016-09-02 12:19:45 +00:00
Juan Antonio Osorio Robles
3d2d6827d8 Remove repeated apache-related hieradata
This is already set in the apache profile, so we shouldn't be setting
it in horizon.

Change-Id: I21bd2c6770f871b2940c03d4a2b1cff7d4616346
2016-08-31 17:05:05 +03:00
Martin Mágr
25ad7b8e1e Availability monitoring agents support
- adds possibility to install sensu-client on all nodes
- each composable service has its own subscription

Co-Authored-By: Emilien Macchi <emilien@redhat.com>
Co-Authored-By: Michele Baldessari <michele@redhat.com>
Implements: blueprint tripleo-opstools-availability-monitoring
Change-Id: I6a215763fd0f0015285b3573305d18d0f56c7770
2016-08-31 09:22:59 -04:00
Dan Prince
e3cb92a5db Mv Nova, Neutron, Horizon out of controller.yaml
This patch moves the settings for Nova, Neutron, and Horizon
out of controller.yaml.

Also fixes the NovaPassword settings in nova-base.yaml
so they don't use get_input.

Also, creates a new apache.yaml base service to contain shared
apache settings for several services which use Apache for WSGI.

Co-Authored-By: Giulio Fidente <gfidente@redhat.com>

Change-Id: I35d909bd5abc23976b5732a2b9af31cf1448838e
Related-bug: #1604414
2016-08-30 08:59:07 -04:00
Dan Prince
3b62761d2f Add DefaultPasswords to composable services
This patch adds a new DefaultPasswords parameter to
composable services. This is needed to help provide
access to top level password resources that overcloud.yaml
currently manages (passwords for Rabbit, Mysql, etc.).

Moving the RandomString resources into composable services
would cause them to regenerate within the stack. With this
approach we can leave them where they are while we deprecate
the top level mechanism and move the code that uses the
passwords into the composable services.

Change-Id: I4f21603c58a169a093962594e860933306879e3f
2016-08-18 12:45:30 -04:00
Giulio Fidente
885b37c80e Pass ServiceNetMap to services
This will be needed to pick the network where the service has
to bind to from within the service template.

Change-Id: I52652e1ad8c7b360efd2c7af199e35932aaaea8c
2016-08-18 12:36:18 -04:00
Emilien Macchi
315fa31963 Migrate Puppet Hieradata to composable services
Migrate puppet/hieradata/*.yaml parameters to puppet/services/*.yaml
except for some services that are not composable yet.

Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: I7e5f8b18ee9aa63a1dffc6facaf88315b07d5fd7
2016-07-27 12:23:38 -04:00
Dan Prince
5195d7f891 Composable firewall rules
Split out the firewall rules in puppet/hieradata/controller.yaml
into the composable services

Depends-On: Id370362ab57347b75b1ab25afda877885b047263
Change-Id: Icaecab100d3f278035fbbb3facb9bf6c62c76c03
2016-07-25 15:24:16 +02:00