Add horizon security improvements

Change-Id: Ib48e2b4e2b03c8c3815c707b220111d6e8506e75
(cherry picked from commit 1b396e307aa59d5a977c874a79db192b27cb35f1)
diff --git a/releasenotes/notes/horizon-security-improvements-22b2535a85daab75.yaml b/releasenotes/notes/horizon-security-improvements-22b2535a85daab75.yaml
new file mode 100644
index 0000000..2b52c90
--- /dev/null
+++ b/releasenotes/notes/horizon-security-improvements-22b2535a85daab75.yaml
@@ -0,0 +1,8 @@
+---
+security:
+  - The Horizon service now runs as the non-privileged user `horizon` in the
+    container.
+  - The Horizon service ``ALLOWED_HOSTS`` setting is now configured to point
+    to the configured endpoints for the service.
+  - The CORS headers are now configured to only allow requests from the
+    configured endpoints for the service.
diff --git a/roles/horizon/vars/main.yml b/roles/horizon/vars/main.yml
index 3e4f541..e0499bb 100644
--- a/roles/horizon/vars/main.yml
+++ b/roles/horizon/vars/main.yml
@@ -17,6 +17,16 @@
   images:
     tags: "{{ atmosphere_images | vexxhost.atmosphere.openstack_helm_image_tags('horizon') }}"
   pod:
+    security_context:
+      horizon:
+        pod:
+          fsGroup: 42424
+      db_sync:
+        pod:
+          fsGroup: 42424
+      tests:
+        pod:
+          fsGroup: 42424
     replicas:
       server: 3
   conf:
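Review bot: The added `security_context` entries set only `fsGroup: 42424` on the three pods, which governs group ownership of mounted volumes but does not by itself change the UID the container process runs as; the release note in this commit states Horizon now runs as the non-privileged `horizon` user, so that presumably comes from the chart or image defaults and is worth confirming. If the chart does not already set it, adding `runAsUser: 42424` and `runAsNonRoot: true` next to `fsGroup` under each `pod:` stanza would make the guarantee explicit and enforced by the kubelet rather than depending on the image's USER directive. The enclosing values mapping (`images:`/`pod:`/`conf:`) starts before this hunk and continues after it.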
@@ -24,6 +34,8 @@
       local_settings:
         config:
           disallow_iframe_embed: "True"
+          allowed_hosts:
+            - "{{ openstack_helm_endpoints_horizon_api_host }}"
           secure_proxy_ssl_header: "True"
           horizon_images_upload_mode: direct
           openstack_enable_password_retrieve: "True"
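Review bot: `allowed_hosts` is set to a single entry, the public API host, so Django will answer HTTP 400 to any request whose Host header differs — including the in-cluster name `horizon-int.openstack.svc.cluster.local` that the tempest hunk in this commit stops using, and, if the chart's liveness/readiness probes or any internal consumers reach the service by pod IP or service name, those as well. Worth verifying the probes still pass after this change; if they do not, the internal service hostname can be added as a second list item, e.g. `- horizon-int.openstack.svc.cluster.local`, which keeps the setting restrictive while covering in-cluster callers. The `local_settings` mapping starts outside the hunk.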
@@ -55,3 +67,5 @@
 _horizon_ingress_annotations:
   nginx.ingress.kubernetes.io/proxy-body-size: "5000m"
   nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
+  nginx.ingress.kubernetes.io/enable-cors: "true"
+  nginx.ingress.kubernetes.io/cors-allow-origin: "{{ openstack_helm_endpoints_horizon_api_host }}"
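Review bot: The `cors-allow-origin` value is the bare host `{{ openstack_helm_endpoints_horizon_api_host }}` with no scheme, while a browser's Origin header always carries one (`https://<host>`); the ingress-nginx annotation documents the expected form as `http(s)://origin`, and as far as I recall a value that fails its validation is replaced by the permissive default `*`, which would silently undo the restriction this change intends. Rendering the value with the scheme, `nginx.ingress.kubernetes.io/cors-allow-origin: "https://{{ openstack_helm_endpoints_horizon_api_host }}"`, matches the form the tempest hunk already uses for `dashboard_url`, and checking the rendered annotation and the `Access-Control-Allow-Origin` response header after deploy would confirm the controller accepted it. `enable-cors: "true"` on its own also activates the controller's default `cors-allow-methods`/`cors-allow-headers`, which are broad; they may be fine for Horizon but deserve an explicit look.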
diff --git a/roles/tempest/vars/main.yml b/roles/tempest/vars/main.yml
index 39eb424..068cd87 100644
--- a/roles/tempest/vars/main.yml
+++ b/roles/tempest/vars/main.yml
@@ -33,7 +33,8 @@
         endpoint_type: internal
         fixed_network_name: public
       dashboard:
-        dashboard_url: "http://horizon-int.openstack.svc.cluster.local"
+        dashboard_url: "https://{{ openstack_helm_endpoints_horizon_api_host }}"
+        disable_ssl_certificate_validation: "{{ cluster_issuer_type == 'self-signed' }}"
       identity:
         v3_endpoint_type: internal
       image:
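Review bot: `disable_ssl_certificate_validation` turns off TLS verification entirely whenever `cluster_issuer_type` is `self-signed`, rather than trusting the CA that issued the certificate; if tempest (or the HTTP client beneath it) honours a CA bundle for dashboard requests, pointing it at that issuer's CA would keep verification on and is worth checking before settling on the disable flag. The scheme is also now hard-coded to `https://`, so this assumes the Horizon ingress always terminates TLS for that host; a one-line comment above `dashboard_url` noting that the dashboard tests now go through the public ingress (and therefore depend on the `allowed_hosts` entry in the horizon role) would help the next reader. The parent of the `dashboard` mapping starts outside the hunk.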