33 Commits

Author SHA1 Message Date
Jenkins
0900c88428 Merge "Open ports 443 and 80 on haproxy's firewall when horizon is standalone" 2017-05-20 02:57:49 +00:00
Carlos Camacho
0a0e2ee629 Update the template_version alias for all the templates to pike.
Master is now the development branch for pike
changing the release alias name.

Change-Id: I938e4a983e361aefcaa0bd9a4226c296c5823127
2017-05-19 09:58:07 +02:00
Saravanan KR
a096ddab34 Add role specific information to the service template
When a service is enabled on multiple roles, the parameters for the
service will be global. This change enables an option to provide
role specific parameter to services and other templates.

Two new parameters - RoleName and RoleParameters, are added to the
service template. RoleName provides the name of the role on which the
current instance of the service is being applied. RoleParameters
provides the list of parameters which are configured specific to the
role in the environment file, like below:

  parameters_default:
      # Default value applied to all roles
      NovaReservedHostMemory: 2048
      ComputeDpdkParameters:
          # Applied only to ComputeDpdk role
          NovaReservedHostMemory: 4096

In the above sample, the cluster contains 2 roles - Compute, ComputeDpdk.
The values of ComputeDpdkParameters will be passed on to the templates
as RoleParameters while creating the stack for ComputeDpdk role. The
parameter which supports role specific configuration, should find the
parameter first in the RoleParameters list, if not found, then the
default (for all roles) should be used.
Implements: blueprint tripleo-derive-parameters

Change-Id: I72376a803ec6b2ed93903cc0c95a6ffce718b6dc
2017-05-15 10:06:46 +05:30
Radomir Dopieralski
430e4d3128 Open ports 443 and 80 on haproxy's firewall when horizon is standalone
Change-Id: Ifec9839ac0fc688678f0221bb731fb64bd86d2d9
2017-04-26 19:11:26 +02:00
Jenkins
88510fce67 Merge "Adds Horizon secure cookie map." 2017-04-06 23:54:13 +00:00
lhinds
2c4aee2a5c Adds Horizon secure cookie map.
Puppet-horizon already contains a `secure_cookies` parameter, that
sets `CSRF_COOKIE_SECURE` and `SESSION_COOKIE_SECURE` within
`/templates/local_settings.py.erb`.

This change introduces the services map for TripleO Heat Templates

Change-Id: Ie6f6158929c33da8c5f245e2379aebe1afd524ef
Closes-bug: #1640491
2017-03-23 09:49:55 +00:00
Emilien Macchi
6d35336e1c horizon: switch keystone_url to use uri_no_suffix
Switch Horizon to use keystone_url with keystone versionless endpoint.

Change-Id: I7a22136937d414b2c3713894e04b0f093247ad33
Partial-implement: blueprint keystone-v3
2017-03-10 12:25:40 -05:00
Emilien Macchi
7c84a9b390 upgrades/validation: only run validation when services exist
During upgrades, validation tests if a service is running before the
upgrade process starts.
In some cases, services don't exist yet so we don't want to run the
validation.

This patch makes sure we check if the service is actually present on the
system before validating it's running correctly.

Also it makes sure that services are enabled before trying to stop them.
It allows use-cases where we want to add new services during an upgrade.
Also install new packages of services added in Ocata, so we can validate
upgrades on scenarios jobs.

Change-Id: Ib48fb6b1557be43956557cbde4cbe26b53a50bd8
2017-03-01 19:49:00 +00:00
Sofer Athlan-Guyot
fb78213782 Put service stop at step1 and quiesce at step2.
In the previous release[1], the services were stopped before the
pacemaker services, so that they get a chance to send last message to
the database/rabbitmq queue:

Let's do the upgrade in the same order.

[1] https://github.com/openstack/tripleo-heat-templates/blob/stable/newton/extraconfig/tasks/major_upgrade_controller_pacemaker_2.sh#L13-L71

Change-Id: I1c4045e8b9167396c9dfa4da99973102f1af1218
2017-02-28 19:20:13 +01:00
Emilien Macchi
db02313b28 Add upgrade support for Horizon
Change-Id: I91c3c93c1571288daa78b6d24b0aa9824a2bb5c4
2017-02-28 09:18:05 +01:00
Jenkins
ca8fc7ea69 Merge "Manage password_validator regex" 2017-01-25 23:50:48 +00:00
Luke Hinds
0e18ac5fde Manage password_validator regex
Horizon provides a password validation check, which OpenStack cloud
operators can use to enforce password complexity checks for users
within horizon.

A dictionary containing a regular expression can be used for
password validation with help text that is displayed if the password
does not pass validation.

HORIZON_CONFIG["password_validator"] = {
    "regex": '.*',
    "help_text": _("Your password does not meet the requirements."),
}

This change allows injection of the regex into Horizon's local_settings
file from a tripleo heat template

Change-Id: Ib6517c8f96148bea002b0e3442a26367b236928f
Depends-On: If82a80ed6a8e6e65aecc2a25ee6d60640ae03c9a
Closes-Bug: #1640800
2017-01-25 16:45:22 +00:00
Steven Hardy
3c6ec654b4 Bump template version for all templates to "ocata"
Heat now supports release name aliases, so we can replace
the inconsistent mix of date related versions with one consistent
version that aligns with the supported version of heat for this
t-h-t branch.

This should also help new users who sometimes copy/paste old templates
and discover intrinsic functions in the t-h-t docs don't work because
their template version is too old.

Change-Id: Ib415e7290fea27447460baa280291492df197e54
2016-12-23 11:43:39 +00:00
Jenkins
db45116afd Merge "Manage disallow_iframe_embed" 2016-12-23 11:29:14 +00:00
Juan Antonio Osorio Robles
db31ff5e5a Enable SECURE_PROXY_SSL_HEADER option for horizon
This makes Django take the X-Forwarded-Proto header into account
when forming URLs.

Change-Id: Ice64de9a11d7819ae7f380279ff356342d9b6673
Depends-On: Ifed7d4c3409419c01c5b20c707221c1fc76ea09e
2016-12-14 08:32:48 +00:00
Luke Hinds
0146b6be0d Manage disallow_iframe_embed
disallow_iframe_embed can be used to prevent Horizon from being
embedded within an iframe. Legacy browsers are still vulnerable
to a Cross-Frame Scripting (XFS) vulnerability, so this option
allows extra security hardening where iframes are not used in
deployment

Change-Id: I2fe6b243250608b340ee555062060dbdad1a49c4
Depends-On: I5c540e552efe738bdec8598f9257fa22ae651a76
Closes-Bug: #1641882
2016-12-13 06:52:43 +00:00
Jenkins
2fc81bef2f Merge "Disable Options Indexes in horizon" 2016-11-22 04:15:23 +00:00
Andreas Karis
0213ae9bd5 Disable Options Indexes in horizon
Security scanners complain that directory listings are enabled in horizon.

Change-Id: I1d7cfcb3521e8235a99bc452f1b7b92c20ce72ac
Closes-Bug: #1637576
2016-11-17 19:31:05 -05:00
Luke Hinds
ca122325dd Enable enforce_password_check
By setting ENFORCE_PASSWORD_CHECK to `True`, it displays an 'Admin
Password' field on the Change Password form to verify that it is indeed
the admin logged-in who wants to change the password.

Change-Id: Ib11bef93b6b0c74063052875fa361290bf1e92fd
Depends-On: If7af97df7a011569a7e14fbab4f880688d7b82c3
Closes-Bug: #1640806
2016-11-17 13:28:14 +00:00
Dan Prince
133edad130 Horizon service cleanups for hiera json hook
This patch resolves a few issues I noticed when porting our
Horizon service to support the new heat hiera agent hook (which
uses Json instead of Yaml).

 -we only need to set django_debug if the string is non-empty. This
  should match previous behavior.

 -remove the duplicated NeutronMechanismDrivers setting. This is already
  managed in the neutron services and shouldn't be set here.

Change-Id: I473e110bb9b14cb8f57d41c4fc398871548726b0
Partial-bug: #1596373
2016-11-15 22:08:14 -05:00
Alex Schultz
465d91380c Disable password reveal in horizon
To improve security, we should disable the password reveal option in
horizon by default. An end user can override this option via their own
custom hiera if they would ultimately like to have this functionality.

Change-Id: Ie88dac5610840eb4b327252b32dc469099ba5f5f
Depends-On: Iacf899d595a2a3c522df1b96ca527731937ec698
Closes-Bug: 1640492
2016-11-09 08:22:44 -07:00
Jenkins
f4ec754a4d Merge "Clarify horizon allowed hosts setting" 2016-10-21 20:59:23 +00:00
Matthias Runge
d6df3c61c2 Clarify horizon allowed hosts setting
Horizon allowed hosts should name the IP addresses/
DNS names (short/long) the Horizon node is listening to.
Allowed hosts is used for header checks and is a security
mechanism.

Change-Id: I81c96357f969a1a436eecd35eb178579159bc719
2016-10-21 16:23:18 +00:00
Jenkins
dada8f55bf Merge "Remove repeated apache-related hieradata" 2016-09-02 12:19:45 +00:00
Juan Antonio Osorio Robles
3d2d6827d8 Remove repeated apache-related hieradata
This is already set in the apache profile, so we shouldn't be setting
it in horizon.

Change-Id: I21bd2c6770f871b2940c03d4a2b1cff7d4616346
2016-08-31 17:05:05 +03:00
Martin Mágr
25ad7b8e1e Availability monitoring agents support
- adds possibility to install sensu-client on all nodes
- each composable service has its own subscription

Co-Authored-By: Emilien Macchi <emilien@redhat.com>
Co-Authored-By: Michele Baldessari <michele@redhat.com>
Implements: blueprint tripleo-opstools-availability-monitoring
Change-Id: I6a215763fd0f0015285b3573305d18d0f56c7770
2016-08-31 09:22:59 -04:00
Dan Prince
e3cb92a5db Mv Nova, Neutron, Horizon out of controller.yaml
This patch moves the settings for Nova, Neutron, and Horizon
out of controller.yaml.

Also fixes the NovaPassword settings in nova-base.yaml
so they don't use get_input.

Also, creates a new apache.yaml base service to contain shared
apache settings for several services which use Apache for WSGI.

Co-Authored-By: Giulio Fidente <gfidente@redhat.com>

Change-Id: I35d909bd5abc23976b5732a2b9af31cf1448838e
Related-bug: #1604414
2016-08-30 08:59:07 -04:00
Dan Prince
3b62761d2f Add DefaultPasswords to composable services
This patch adds a new DefaultPasswords parameter to
composable services. This is needed to help provide
access to top level password resources that overcloud.yaml
currently manages (passwords for Rabbit, Mysql, etc.).

Moving the RandomString resources into composable services
would cause them to regenerate within the stack. With this
approach we can leave them where they are while we deprecate
the top level mechanism and move the code that uses the
passwords into the composable services.

Change-Id: I4f21603c58a169a093962594e860933306879e3f
2016-08-18 12:45:30 -04:00
Giulio Fidente
885b37c80e Pass ServiceNetMap to services
This will be needed to pick the network where the service has
to bind to from within the service template.

Change-Id: I52652e1ad8c7b360efd2c7af199e35932aaaea8c
2016-08-18 12:36:18 -04:00
Emilien Macchi
315fa31963 Migrate Puppet Hieradata to composable services
Migrate puppet/hieradata/*.yaml parameters to puppet/services/*.yaml
except for some services that are not composable yet.

Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: I7e5f8b18ee9aa63a1dffc6facaf88315b07d5fd7
2016-07-27 12:23:38 -04:00
Dan Prince
5195d7f891 Composable firewall rules
Split out the firewall rules in puppet/hieradata/controller.yaml
into the composable services

Depends-On: Id370362ab57347b75b1ab25afda877885b047263
Change-Id: Icaecab100d3f278035fbbb3facb9bf6c62c76c03
2016-07-25 15:24:16 +02:00
Dan Prince
6b30ff11d4 Add 'service_name' to composable services
This patch adds a new service_name section to each composable
service. We now have an explicit unit test check to ensure that
service_name exists in tools/yaml-validate.py.

This patch also wires service_names into hieradata on each
of the roles so that tools can access the deployed services locally
during deployment and upgrades.

Change-Id: I60861c5aa760534db3e314bba16a13b90ea72f0c
2016-07-22 07:29:39 -04:00
Carlos Camacho
c4f27255c5 Composable Horizon service - tripleo-heat-templates
Add horizon as a composable service

Depends-on: Iff6508972edfd5f330b239719bc5eb14d3f71944
Change-Id: I734c3e0784c25f30adff2e13faf1155a3e45cefd
Partially-implements: blueprint composable-services-within-roles
2016-07-11 17:18:07 -04:00