Gitiles
Code Review Sign In
review.vexxhost.dev / atmosphere / ae10375d7ae26bdf56616d465aa035395821dfe1^1..ae10375d7ae26bdf56616d465aa035395821dfe1 / .
commitae10375d7ae26bdf56616d465aa035395821dfe1[log] [tgz]
authorZuul <zuul@review.vexxhost.dev>Sat Mar 01 02:11:52 2025 +0000
committerGerrit Code Review <review@vexxhost.dev>Sat Mar 01 02:11:52 2025 +0000
tree447756bfb3ec3ef54fcd06764b972f7bcdab7065
parent2252d6535eabade6696632bcc828d7bc874e61f3 [diff]
parent35d09c2ac4f02c3c5b022828dedc90f64a8efae3 [diff]
Merge "Add horizon security improvements" into stable/2023.2
diff --git a/releasenotes/notes/horizon-security-improvements-22b2535a85daab75.yaml b/releasenotes/notes/horizon-security-improvements-22b2535a85daab75.yaml
new file mode 100644
index 0000000..2b52c90
--- /dev/null
+++ b/releasenotes/notes/horizon-security-improvements-22b2535a85daab75.yaml

@@ -0,0 +1,8 @@
+---
+security:
+  - The Horizon service now runs as the non-privileged user `horizon` in the
+    container.
+  - The Horizon service ``ALLOWED_HOSTS`` setting is now configured to point
+    to the configured endpoints for the service.
+  - The CORS headers are now configured to only allow requests from the
+    configured endpoints for the service.

diff --git a/roles/horizon/vars/main.yml b/roles/horizon/vars/main.yml
index 3e4f541..e0499bb 100644
--- a/roles/horizon/vars/main.yml
+++ b/roles/horizon/vars/main.yml

@@ -17,6 +17,16 @@
   images:
     tags: "{{ atmosphere_images | vexxhost.atmosphere.openstack_helm_image_tags('horizon') }}"
   pod:
+    security_context:
+      horizon:
+        pod:
+          fsGroup: 42424
+      db_sync:
+        pod:
+          fsGroup: 42424
+      tests:
+        pod:
+          fsGroup: 42424
     replicas:
       server: 3
   conf:
@@ -24,6 +34,8 @@
       local_settings:
         config:
           disallow_iframe_embed: "True"
+          allowed_hosts:
+            - "{{ openstack_helm_endpoints_horizon_api_host }}"
           secure_proxy_ssl_header: "True"
           horizon_images_upload_mode: direct
           openstack_enable_password_retrieve: "True"
@@ -55,3 +67,5 @@
 _horizon_ingress_annotations:
   nginx.ingress.kubernetes.io/proxy-body-size: "5000m"
   nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
+  nginx.ingress.kubernetes.io/enable-cors: "true"
+  nginx.ingress.kubernetes.io/cors-allow-origin: "{{ openstack_helm_endpoints_horizon_api_host }}"

diff --git a/roles/tempest/vars/main.yml b/roles/tempest/vars/main.yml
index 39eb424..068cd87 100644
--- a/roles/tempest/vars/main.yml
+++ b/roles/tempest/vars/main.yml

@@ -33,7 +33,8 @@
         endpoint_type: internal
         fixed_network_name: public
       dashboard:
-        dashboard_url: "http://horizon-int.openstack.svc.cluster.local"
+        dashboard_url: "https://{{ openstack_helm_endpoints_horizon_api_host }}"
+        disable_ssl_certificate_validation: "{{ cluster_issuer_type == 'self-signed' }}"
       identity:
         v3_endpoint_type: internal
       image: