0344c737ed
This change adds Federation support via OpenIDC. This is the first part of the needed support to enable federated identity in Sunbeam. The following items have been addressed in this PR: Keystone: * Implemented the oauth requirer relation which enables the oidc integration. * The implementation supports relations to multiple oauth providers. * Added a new template that generates the proper OIDC configuration parameters. * The receive-ca-cert relation has been implemented. This relation is needed for situations in which we want to relate keystone to canonical identity platform, or some other IDP that has its own certificate authority deployed in another model. * Certificates uploaded to keystone via the add-ca-cert action and certificates that come in via receive-ca-cert are now added to the system certificate store in the keystone container. This was needed due to the fact that apache2 needs to trust the remote IDP in order to fetch the jwks URL and validate bearer tokens. We also need to continue trusting other IDPs that use certificates signed by CAs already present in the system CA store. * Added a new require trusted-dashboard relation that integrates a dashboard with keystone. Horizon: * Added a new provides trusted-dashboard relation. This will integrate horizon as a trusted dashboard for federated identity. * Enable SSL settings in horizon's local_settings.py. This includes enabling the SECURE_PROXY_SSL_HEADER option that looks for HTTP_X_FORWARDED_PROTO to determine whether or not horizon is being accessed over TLS or not. * Make sure the public and internal URLs areset in CSRF_TRUSTED_ORIGINS. Otherwise a csrf token validation error may appear during login, regardless of authentication method used (keystone credentials or federated identity). Change-Id: I3b579e9e936e73cd83c06575b13b95339c6fa257 Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
270 lines
8.2 KiB
YAML
270 lines
8.2 KiB
YAML
type: charm
|
|
name: horizon-k8s
|
|
summary: OpenStack Horizon service
|
|
description: |
|
|
OpenStack Horizon provides an HTTP service for managing, selecting,
|
|
and claiming providers of classes of inventory representing available
|
|
resources in a cloud.
|
|
.
|
|
assumes:
|
|
- k8s-api
|
|
- juju >= 3.1
|
|
links:
|
|
source:
|
|
- https://opendev.org/openstack/charm-horizon-k8s
|
|
issues:
|
|
- https://bugs.launchpad.net/charm-horizon-k8s
|
|
|
|
base: ubuntu@24.04
|
|
platforms:
|
|
amd64:
|
|
|
|
config:
|
|
options:
|
|
debug:
|
|
default: false
|
|
description: Enable debug logging.
|
|
type: boolean
|
|
session-timeout:
|
|
type: int
|
|
default: 3600
|
|
description:
|
|
A method to supersede the token timeout with a shorter dashboard
|
|
session timeout in seconds. For example, if your token expires in 60 minutes,
|
|
a value of 1800 will log users out after 30 minutes.
|
|
default-role:
|
|
type: string
|
|
default: member
|
|
description: |
|
|
Default role for Horizon operations that will be created in
|
|
Keystone upon introduction of an identity-service relation.
|
|
default-domain:
|
|
type: string
|
|
default: null
|
|
description: |
|
|
Default domain when authenticating with Horizon. Disables the domain
|
|
field in the login page.
|
|
secret:
|
|
type: string
|
|
default: null
|
|
description: |
|
|
Secret for Horizon to use when securing internal data; set this when
|
|
using multiple dashboard units.
|
|
dropdown-max-items:
|
|
type: int
|
|
default: 30
|
|
description: |
|
|
Max dropdown items to show in dropdown controls.
|
|
NOTE: This setting is supported >= OpenStack Liberty.
|
|
profile:
|
|
type: string
|
|
default: null
|
|
description: Default profile for the dashboard. Eg. cisco.
|
|
disable-instance-snapshot:
|
|
type: boolean
|
|
default: false
|
|
description: |
|
|
This setting disables Snapshots as a valid boot source for launching
|
|
instances. Snapshots sources won't show up in the Launch Instance modal
|
|
dialogue box. This option works from the Newton release, and has no
|
|
effect on earlier OpenStack releases.
|
|
cinder-backup:
|
|
type: boolean
|
|
default: false
|
|
description: Enable cinder backup panel.
|
|
password-retrieve:
|
|
type: boolean
|
|
default: false
|
|
description: Enable "Retrieve password" instance action.
|
|
customization-module:
|
|
type: string
|
|
default: ""
|
|
description: |
|
|
This option provides a means to enable customisation modules to modify
|
|
existing dashboards and panels.
|
|
allow-password-autocompletion:
|
|
type: boolean
|
|
default: false
|
|
description: |
|
|
Setting this to True will allow password form autocompletion by browser.
|
|
default-create-volume:
|
|
type: boolean
|
|
default: true
|
|
description: |
|
|
The default value for the option of creating a new volume in the
|
|
workflow for image and instance snapshot sources when launching an
|
|
instance. This option has an effect only to Ocata or newer
|
|
releases.
|
|
hide-create-volume:
|
|
type: boolean
|
|
default: false
|
|
description: |
|
|
Hide the "Create New Volume" option and rely on the
|
|
default-create-volume value during instance creation.
|
|
image-formats:
|
|
type: string
|
|
default: ""
|
|
description: |
|
|
The image-formats setting can be used to alter the default list of
|
|
advertised image formats. Many installations cannot use all the formats
|
|
that Glance recognizes, restricting the list here prevents unwanted
|
|
formats from being listed in Horizon which can lead to confusion.
|
|
.
|
|
This setting takes a space separated list, for example: iso qcow2 raw
|
|
.
|
|
Supported formats are: aki, ami, ari, docker, iso, ova, qcow2, raw, vdi,
|
|
vhd, vmdk.
|
|
.
|
|
If not provided, leave the option unconfigured which enables all of the
|
|
above.
|
|
api-result-limit:
|
|
type: int
|
|
default: 1000
|
|
description: |
|
|
The maximum number of objects (e.g. Swift objects or Glance images) to
|
|
display on a single page before providing a paging element (a "more" link)
|
|
to paginate results.
|
|
enable-fip-topology-check:
|
|
type: boolean
|
|
default: true
|
|
description:
|
|
By default Horizon checks that a project has a router attached
|
|
to an external network before allowing FIPs to be attached to a VM. Some use
|
|
cases will not meet this constraint, e.g. if the router is owned by a different
|
|
project. Setting this to False removes this check from Horizon.
|
|
disable-password-reveal:
|
|
type: boolean
|
|
default: false
|
|
description: |
|
|
If enabled, the reveal button for passwords is removed.
|
|
enforce-password-check:
|
|
type: boolean
|
|
default: true
|
|
description: |
|
|
If True, displays an `Admin Password` field on the Change Password form
|
|
to verify that it is indeed the admin logged-in who wants to change the password.
|
|
site-name:
|
|
type: string
|
|
default: ""
|
|
description: |
|
|
An unique site name for OpenStack deployment to be passed via the
|
|
application-dashboard relation
|
|
site-branding:
|
|
type: string
|
|
default: null
|
|
description: |
|
|
A brand name to be shown in the HTML title. The default value is
|
|
"OpenStack Dashboard", e.g. "Instance Overview - OpenStack Dashboard"
|
|
site-branding-link:
|
|
type: string
|
|
default: null
|
|
description: |
|
|
A custom hyperlink when the logo in the dashboard is clicked, e.g.
|
|
https://mycloud.example.com/. The default value is
|
|
"horizon:user_home" to open the top level of the dashboard.
|
|
help-url:
|
|
type: string
|
|
default: null
|
|
description: |
|
|
A custom hyperlink for the "Help" menu, e.g.
|
|
https://mycloud.example.com/help. The default value is
|
|
https://docs.openstack.org/
|
|
create-instance-flavor-sort-key:
|
|
type: string
|
|
default: null
|
|
description: |
|
|
This option can be used to customise the order instances are sorted in.
|
|
Support values include: id, name, ram, disk, and vcpus.
|
|
See https://docs.openstack.org/horizon/latest/configuration/settings.html#create-instance-flavor-sort
|
|
for more details.
|
|
create-instance-flavor-sort-reverse:
|
|
type: boolean
|
|
default: false
|
|
description: |
|
|
This option can be used to set the instance sorting to either ascending or descending.
|
|
Set True to sort in ascending order or False for descending order.
|
|
plugins:
|
|
type: string
|
|
default: "[]"
|
|
description: |
|
|
This option can be used to enable plugins for Horizon. The value should be a
|
|
JSON formatted list of plugin names.
|
|
|
|
actions:
|
|
get-dashboard-url:
|
|
description: URL for access to the Horizon OpenStack Dashboard.
|
|
|
|
containers:
|
|
horizon:
|
|
resource: horizon-image
|
|
|
|
resources:
|
|
horizon-image:
|
|
type: oci-image
|
|
description: OCI image for Horizon
|
|
upstream-source: ghcr.io/canonical/horizon:2025.1
|
|
|
|
requires:
|
|
database:
|
|
interface: mysql_client
|
|
limit: 1
|
|
ingress-internal:
|
|
interface: ingress
|
|
limit: 1
|
|
ingress-public:
|
|
interface: ingress
|
|
optional: true
|
|
limit: 1
|
|
identity-credentials:
|
|
interface: keystone-credentials
|
|
limit: 1
|
|
receive-ca-cert:
|
|
interface: certificate_transfer
|
|
optional: true
|
|
logging:
|
|
interface: loki_push_api
|
|
optional: true
|
|
tracing:
|
|
interface: tracing
|
|
optional: true
|
|
limit: 1
|
|
|
|
provides:
|
|
horizon:
|
|
interface: horizon
|
|
trusted-dashboard:
|
|
interface: trusted-dashboard
|
|
limit: 1
|
|
|
|
peers:
|
|
peers:
|
|
interface: horizon-peer
|
|
|
|
parts:
|
|
update-certificates:
|
|
plugin: nil
|
|
override-build: |
|
|
apt update
|
|
apt install -y ca-certificates
|
|
update-ca-certificates
|
|
charm:
|
|
after:
|
|
- update-certificates
|
|
build-packages:
|
|
- git
|
|
- libffi-dev
|
|
- libssl-dev
|
|
- rustc-1.80
|
|
- cargo-1.80
|
|
- pkg-config
|
|
charm-binary-python-packages:
|
|
- cryptography
|
|
- jsonschema
|
|
- pydantic
|
|
- jinja2
|
|
build-snaps: [astral-uv]
|
|
override-build: |
|
|
uv export --frozen --no-hashes --format=requirements-txt -o requirements.txt
|
|
craftctl default
|
|
charm-requirements: [requirements.txt]
|