Horizon: Expose security config params

This PS exposes security related config params Change-Id: Ia6d2e089301cfc8fd809380ad3f31c6e37dc5607 Signed-off-by: Pete Birley <pete@port.direct>
2019-02-01 15:06:58 -06:00 · 2019-02-01 15:06:58 -06:00 · b02ec05d76
commit b02ec05d76
parent 23f5b18f1c
1 changed files with 13 additions and 4 deletions
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@ -171,6 +171,11 @@ conf:
        debug: "False"
        keystone_multidomain_support: "True"
        keystone_default_domain: Default
+        disable_password_reveal: "False"
+        csrf_cookie_secure: "False"
+        session_cookie_secure: "False"
+        session_cookie_httponly: "False"
+        secure_proxy_ssl_header: false
        openstack_cinder_features:
          enable_backup: "True"
        openstack_neutron_network:
@ -234,12 +239,16 @@ conf:
        # https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header
        #SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
        # https://docs.djangoproject.com/en/1.5/ref/settings/#secure-proxy-ssl-header
-        #SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+        {{- if .Values.conf.horizon.local_settings.config.secure_proxy_ssl_header }}
+        SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+        {{- end }}

        # If Horizon is being served through SSL, then uncomment the following two
        # settings to better secure the cookies from security exploits
-        #CSRF_COOKIE_SECURE = True
-        #SESSION_COOKIE_SECURE = True
+        CSRF_COOKIE_SECURE = '{{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}'
+        SESSION_COOKIE_SECURE = '{{ .Values.conf.horizon.local_settings.config.session_cookie_secure }}'
+
+        SESSION_COOKIE_HTTPONLY = '{{ .Values.conf.horizon.local_settings.config.session_cookie_httponly }}'

        # Overrides for OpenStack API versions. Use this setting to force the
        # OpenStack dashboard to use a specific API version for a given service API.
@ -305,7 +314,7 @@ conf:

        # Setting this to True will disable the reveal button for password fields,
        # including on the login form.
-        #HORIZON_CONFIG["disable_password_reveal"] = False
+        HORIZON_CONFIG["disable_password_reveal"] = '{{ .Values.conf.horizon.local_settings.config.disable_password_reveal }}'

        LOCAL_PATH = '/tmp'