charts/horizon/values.yaml

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default values for horizon.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value

---
images:
  tags:
    db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    horizon_db_sync: docker.io/openstackhelm/horizon:stein-ubuntu_bionic
    db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    horizon: docker.io/openstackhelm/horizon:stein-ubuntu_bionic
    test: docker.io/openstackhelm/osh-selenium:latest-ubuntu_focal
    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
    image_repo_sync: docker.io/docker:17.07.0
  pull_policy: "IfNotPresent"
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync

# Use selenium v4 syntax
selenium_v4: true

release_group: null

labels:
  dashboard:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  job:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  test:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled

network:
  dashboard:
    ingress:
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
  external_policy_local: false
  node_port:
    enabled: false
    port: 31000

conf:
  software:
    apache2:
      binary: apache2
      start_parameters: -DFOREGROUND
      site_dir: /etc/apache2/sites-available
      conf_dir: /etc/apache2/conf-available
      mods_dir: /etc/apache2/mods-available
      a2enmod:
        - headers
        - rewrite
      a2dismod:
        - status
  horizon:
    branding:
      logo:
      logo_splash:
      favicon:
    apache: |
      <IfVersion < 2.4>
      Listen 0.0.0.0:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
      </IfVersion>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
      LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy

      SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
      CustomLog /dev/stdout combined env=!forwarded
      CustomLog /dev/stdout proxy env=forwarded

      <VirtualHost *:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
          WSGIScriptReloading On
          WSGIDaemonProcess horizon-http processes=5 threads=1 user=horizon group=horizon display-name=%{GROUP} python-path=/var/lib/kolla/venv/lib/python2.7/site-packages
          WSGIProcessGroup horizon-http
          WSGIScriptAlias / /var/www/cgi-bin/horizon/django.wsgi
          WSGIPassAuthorization On
          RewriteEngine on
          RewriteCond %{REQUEST_METHOD} !^(POST|PUT|GET|DELETE|PATCH)
          RewriteRule .* - [F]

          <Location "/">
              Require all granted
          </Location>

          Alias /static /var/www/html/horizon
          <Location "/static">
              SetHandler static
          </Location>

          <IfVersion >= 2.4>
            ErrorLogFormat "%{cu}t %M"
          </IfVersion>
          ErrorLog /dev/stdout
          TransferLog /dev/stdout

          SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
          CustomLog /dev/stdout combined env=!forwarded
          CustomLog /dev/stdout proxy env=forwarded
      </Virtualhost>
    security: |
      #
      # Disable access to the entire file system except for the directories that
      # are explicitly allowed later.
      #
      # This currently breaks the configurations that come with some web application
      # Debian packages.
      #
      #<Directory />
      #   AllowOverride None
      #   Require all denied
      #</Directory>

      # Changing the following options will not really affect the security of the
      # server, but might make attacks slightly more difficult in some cases.

      #
      # ServerTokens
      # This directive configures what you return as the Server HTTP response
      # Header. The default is 'Full' which sends information about the OS-Type
      # and compiled in modules.
      # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
      # where Full conveys the most information, and Prod the least.
      ServerTokens Prod

      #
      # Optionally add a line containing the server version and virtual host
      # name to server-generated pages (internal error documents, FTP directory
      # listings, mod_status and mod_info output etc., but not CGI generated
      # documents or custom error documents).
      # Set to "EMail" to also include a mailto: link to the ServerAdmin.
      # Set to one of:  On | Off | EMail
      ServerSignature Off

      #
      # Allow TRACE method
      #
      # Set to "extended" to also reflect the request body (only for testing and
      # diagnostic purposes).
      #
      # Set to one of:  On | Off | extended
      TraceEnable Off

      #
      # Forbid access to version control directories
      #
      # If you use version control systems in your document root, you should
      # probably deny access to their directories. For example, for subversion:
      #
      #<DirectoryMatch "/\.svn">
      #   Require all denied
      #</DirectoryMatch>

      #Security-Settings
      # Setting this header will prevent MSIE from interpreting files as something
      # else than declared by the content type in the HTTP headers.
      # Requires mod_headers to be enabled.
      #
      Header set X-Content-Type-Options: "nosniff"
      Header set X-Permitted-Cross-Domain-Policies: "none"
      # Setting this header will prevent other sites from embedding pages from this
      # site as frames. This defends against clickjacking attacks.
      # Requires mod_headers to be enabled.
      #
    local_settings_d: {}
      ## For example, _50_monasca_ui_settings.py
      # _50_monasca_ui_settings: |
      #   from django.conf import settings
      #   # Grafana button titles/file names (global across all projects):
      #   GRAFANA_LINKS = []
      #   DASHBOARDS = getattr(settings, 'GRAFANA_LINKS', GRAFANA_LINKS)

    local_settings:
      config:
        # Use "True" and "False" as Titlecase strings with quotes, boolean
        # values will not work
        horizon_secret_key: 9aee62c0-5253-4a86-b189-e0fb71fa503c
        debug: "False"
        use_ssl: "False"
        endpoint_type: "internalURL"
        keystone_multidomain_support: "True"
        keystone_default_domain: Default
        disable_password_reveal: "True"
        show_openrc_file: "True"
        csrf_cookie_secure: "False"
        csrf_cookie_httponly: "False"
        enforce_password_check: "True"
        # Set enable_pwd_validator to true to enforce password validator settings.
        enable_pwd_validator: false
        pwd_validator_regex: '(?=.*[a-zA-Z])(?=.*\d).{8,}|(?=.*\d)(?=.*\W).{8,}|(?=.*\W)(?=.*[a-zA-Z]).{8,}'
        pwd_validator_help_text: '_("Your password must be at least eight (8) characters in length and must include characters from at least two (2) of these groupings: alpha, numeric, and special characters.")'
        session_cookie_secure: "False"
        session_cookie_httponly: "False"
        secure_proxy_ssl_header: false
        password_autocomplete: "False"
        disallow_iframe_embed: "False"
        allowed_hosts:
          - '*'
        horizon_images_upload_mode: 'legacy'
        openstack_cinder_features:
          enable_backup: "True"
        openstack_neutron_network:
          enable_router: "True"
          enable_quotas: "True"
          enable_ipv6: "True"
          enable_distributed_router: "False"
          enable_ha_router: "False"
          enable_lb: "True"
          enable_firewall: "True"
          enable_vpn: "True"
          enable_fip_topology_check: "True"
        openstack_enable_password_retrieve: "False"
        auth:
          sso:
            enabled: False
            initial_choice: "credentials"
          idp_mapping:
            - name: "acme_oidc"
              label: "Acme Corporation - OpenID Connect"
              idp: "myidp1"
              protocol: "oidc"
            - name: "acme_saml2"
              label: "Acme Corporation - SAML2"
              idp: "myidp2"
              protocol: "saml2"
        log_level: "DEBUG"
        # Pass any settings to the end of local_settings.py
        raw: {}
        openstack_api_versions:
          container_infra: "1.10"
      template: |
        import os

        from django.utils.translation import gettext_lazy as _

        from openstack_dashboard import exceptions

        DEBUG = {{ .Values.conf.horizon.local_settings.config.debug }}
        TEMPLATE_DEBUG = DEBUG

        COMPRESS_OFFLINE = True
        COMPRESS_CSS_HASHING_METHOD = "hash"

        # WEBROOT is the location relative to Webserver root
        # should end with a slash.
        WEBROOT = '/'
        # LOGIN_URL = WEBROOT + 'auth/login/'
        # LOGOUT_URL = WEBROOT + 'auth/logout/'
        #
        # LOGIN_REDIRECT_URL can be used as an alternative for
        # HORIZON_CONFIG.user_home, if user_home is not set.
        # Do not set it to '/home/', as this will cause circular redirect loop
        # LOGIN_REDIRECT_URL = WEBROOT

        # Required for Django 1.5.
        # If horizon is running in production (DEBUG is False), set this
        # with the list of host/domain names that the application can serve.
        # For more information see:
        # https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
        ALLOWED_HOSTS = [{{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.conf.horizon.local_settings.config.allowed_hosts }},'%s' % (os.environ.get("MY_POD_IP"))]

        # Set SSL proxy settings:
        # For Django 1.4+ pass this header from the proxy after terminating the SSL,
        # and don't forget to strip it from the client's request.
        # For more information see:
        # https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header
        #SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
        # https://docs.djangoproject.com/en/1.5/ref/settings/#secure-proxy-ssl-header
        {{- if .Values.conf.horizon.local_settings.config.secure_proxy_ssl_header }}
        SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
        {{- end }}

        # If Horizon is being served through SSL, then uncomment the following two
        # settings to better secure the cookies from security exploits
        USE_SSL = {{ .Values.conf.horizon.local_settings.config.use_ssl }}
        CSRF_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}
        CSRF_COOKIE_HTTPONLY = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_httponly }}
        SESSION_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.session_cookie_secure }}

        SESSION_COOKIE_HTTPONLY = {{ .Values.conf.horizon.local_settings.config.session_cookie_httponly }}

        # Overrides for OpenStack API versions. Use this setting to force the
        # OpenStack dashboard to use a specific API version for a given service API.
        # Versions specified here should be integers or floats, not strings.
        # NOTE: The version should be formatted as it appears in the URL for the
        # service API. For example, The identity service APIs have inconsistent
        # use of the decimal point, so valid options would be 2.0 or 3.
        #OPENSTACK_API_VERSIONS = {
        #    "data-processing": 1.1,
        #    "identity": 3,
        #    "volume": 2,
        #}

        OPENSTACK_API_VERSIONS = {
            "identity": 3,
            "container-infra": "{{ .Values.conf.horizon.local_settings.config.openstack_api_versions.container_infra }}"
        }

        # Set this to True if running on multi-domain model. When this is enabled, it
        # will require user to enter the Domain name in addition to username for login.
        OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = {{ .Values.conf.horizon.local_settings.config.keystone_multidomain_support }}

        # Overrides the default domain used when running on single-domain model
        # with Keystone V3. All entities will be created in the default domain.
        OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = '{{ .Values.conf.horizon.local_settings.config.keystone_default_domain }}'

        # Set Console type:
        # valid options are "AUTO"(default), "VNC", "SPICE", "RDP", "SERIAL" or None
        # Set to None explicitly if you want to deactivate the console.
        #CONSOLE_TYPE = "AUTO"

        # Default OpenStack Dashboard configuration.
        HORIZON_CONFIG = {
            'user_home': 'openstack_dashboard.views.get_user_home',
            'ajax_queue_limit': 10,
            'auto_fade_alerts': {
                'delay': 3000,
                'fade_duration': 1500,
                'types': ['alert-success', 'alert-info']
            },
            'help_url': "http://docs.openstack.org",
            'exceptions': {'recoverable': exceptions.RECOVERABLE,
                           'not_found': exceptions.NOT_FOUND,
                           'unauthorized': exceptions.UNAUTHORIZED},
            'modal_backdrop': 'static',
            'angular_modules': [],
            'js_files': [],
            'js_spec_files': [],
        }

        {{- if .Values.conf.horizon.local_settings.config.enable_pwd_validator }}
        # Specify a regular expression to validate user passwords.
        HORIZON_CONFIG["password_validator"] = {
            "regex": '{{ .Values.conf.horizon.local_settings.config.pwd_validator_regex }}',
            "help_text": {{ .Values.conf.horizon.local_settings.config.pwd_validator_help_text }},
        }
        {{- end }}

        # Disable simplified floating IP address management for deployments with
        # multiple floating IP pools or complex network requirements.
        #HORIZON_CONFIG["simple_ip_management"] = False

        # Turn off browser autocompletion for forms including the login form and
        # the database creation workflow if so desired.
        HORIZON_CONFIG["password_autocomplete"] = '{{ .Values.conf.horizon.local_settings.config.password_autocomplete }}'

        # Setting this to True will disable the reveal button for password fields,
        # including on the login form.
        HORIZON_CONFIG["disable_password_reveal"] = {{ .Values.conf.horizon.local_settings.config.disable_password_reveal }}

        LOCAL_PATH = '/tmp'

        # Set custom secret key:
        # You can either set it to a specific value or you can let horizon generate a
        # default secret key that is unique on this machine, e.i. regardless of the
        # amount of Python WSGI workers (if used behind Apache+mod_wsgi): However,
        # there may be situations where you would want to set this explicitly, e.g.
        # when multiple dashboard instances are distributed on different machines
        # (usually behind a load-balancer). Either you have to make sure that a session
        # gets all requests routed to the same dashboard instance or you set the same
        # SECRET_KEY for all of them.
        SECRET_KEY='{{ .Values.conf.horizon.local_settings.config.horizon_secret_key }}'

        CACHES = {
            'default': {
                'BACKEND': 'django.core.cache.backends.memcached.PyMemcacheCache',
                'LOCATION': '{{ tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}',
            }
        }
        DATABASES = {
            'default': {
                # Database configuration here
                'ENGINE': 'django.db.backends.mysql',
                'NAME': '{{ .Values.endpoints.oslo_db.path | base }}',
                'USER': '{{ .Values.endpoints.oslo_db.auth.horizon.username }}',
                'PASSWORD': '{{ .Values.endpoints.oslo_db.auth.horizon.password }}',
                'HOST': '{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}',
                'default-character-set': 'utf8',
                {{- if .Values.manifests.certificates }}
                'OPTIONS':{
                    'ssl': {
                        'ca': '/etc/mysql/certs/ca.crt',
                        'cert': '/etc/mysql/certs/tls.crt',
                        'key': '/etc/mysql/certs/tls.key'
                    }
                },
                {{- end }}
                'PORT': '{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}'
            }
        }
        SESSION_ENGINE = 'django.contrib.sessions.backends.cached_db'

        # Send email to the console by default
        EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
        # Or send them to /dev/null
        #EMAIL_BACKEND = 'django.core.mail.backends.dummy.EmailBackend'

        # Configure these for your outgoing email host
        #EMAIL_HOST = 'smtp.my-company.com'
        #EMAIL_PORT = 25\\
        #EMAIL_HOST_USER = 'djangomail'
        #EMAIL_HOST_PASSWORD = 'top-secret!'

        # For multiple regions uncomment this configuration, and add (endpoint, title).
        #AVAILABLE_REGIONS = [
        #    ('http://cluster1.example.com:5000/v2.0', 'cluster1'),
        #    ('http://cluster2.example.com:5000/v2.0', 'cluster2'),
        #]

        OPENSTACK_KEYSTONE_URL = "{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}"
        OPENSTACK_KEYSTONE_DEFAULT_ROLE = "member"

        # This setting specifies the name of the header with remote IP address. If not present,
        # then REMOTE_ADDR header is used. The commom value for this setting is HTTP_X_REAL_IP
        # or HTTP_X_FORWARDED_FORx
        SECURE_PROXY_ADDR_HEADER = 'HTTP_X_FORWARDED_FOR'

        {{- if .Values.conf.horizon.local_settings.config.auth.sso.enabled }}
        # Enables keystone web single-sign-on if set to True.
        WEBSSO_ENABLED = True

        # Determines which authentication choice to show as default.
        WEBSSO_INITIAL_CHOICE = "{{ .Values.conf.horizon.local_settings.config.auth.sso.initial_choice }}"

        # The list of authentication mechanisms
        # which include keystone federation protocols.
        # Current supported protocol IDs are 'saml2' and 'oidc'
        # which represent SAML 2.0, OpenID Connect respectively.
        # Do not remove the mandatory credentials mechanism.
        WEBSSO_CHOICES = (
            ("credentials", _("Keystone Credentials")),
          {{- range $i, $sso := .Values.conf.horizon.local_settings.config.auth.idp_mapping }}
            ({{ $sso.name | quote }}, {{ $sso.label | quote }}),
          {{- end }}
        )

        WEBSSO_IDP_MAPPING = {
          {{- range $i, $sso := .Values.conf.horizon.local_settings.config.auth.idp_mapping }}
            {{ $sso.name | quote}}: ({{ $sso.idp | quote }}, {{ $sso.protocol | quote }}),
          {{- end }}
        }

        {{- end }}

        # Disable SSL certificate checks (useful for self-signed certificates):
        #OPENSTACK_SSL_NO_VERIFY = True

        {{- if .Values.manifests.certificates }}
        # The CA certificate to use to verify SSL connections
        OPENSTACK_SSL_CACERT = '/etc/openstack-dashboard/certs/ca.crt'
        {{- end }}

        # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
        # capabilities of the auth backend for Keystone.
        # If Keystone has been configured to use LDAP as the auth backend then set
        # can_edit_user to False and name to 'ldap'.
        #
        # TODO(tres): Remove these once Keystone has an API to identify auth backend.
        OPENSTACK_KEYSTONE_BACKEND = {
            'name': 'native',
            'can_edit_user': True,
            'can_edit_group': True,
            'can_edit_project': True,
            'can_edit_domain': True,
            'can_edit_role': True,
        }

        # Setting this to True, will add a new "Retrieve Password" action on instance,
        # allowing Admin session password retrieval/decryption.
        OPENSTACK_ENABLE_PASSWORD_RETRIEVE = {{ .Values.conf.horizon.local_settings.config.openstack_enable_password_retrieve }}
        # Controls whether the keystone openrc file is accessible from the user menu and the api access panel.
        SHOW_OPENRC_FILE = {{ .Values.conf.horizon.local_settings.config.show_openrc_file }}
        # The Launch Instance user experience has been significantly enhanced.
        # You can choose whether to enable the new launch instance experience,
        # the legacy experience, or both. The legacy experience will be removed
        # in a future release, but is available as a temporary backup setting to ensure
        # compatibility with existing deployments. Further development will not be
        # done on the legacy experience. Please report any problems with the new
        # experience via the StoryBoard tracking system.
        #
        # Toggle LAUNCH_INSTANCE_LEGACY_ENABLED and LAUNCH_INSTANCE_NG_ENABLED to
        # determine the experience to enable.  Set them both to true to enable
        # both.
        #LAUNCH_INSTANCE_LEGACY_ENABLED = True
        #LAUNCH_INSTANCE_NG_ENABLED = False

        # The Xen Hypervisor has the ability to set the mount point for volumes
        # attached to instances (other Hypervisors currently do not). Setting
        # can_set_mount_point to True will add the option to set the mount point
        # from the UI.
        OPENSTACK_HYPERVISOR_FEATURES = {
            'can_set_mount_point': False,
            'can_set_password': False,
        }

        # The OPENSTACK_CINDER_FEATURES settings can be used to enable optional
        # services provided by cinder that is not exposed by its extension API.
        OPENSTACK_CINDER_FEATURES = {
            'enable_backup': {{ .Values.conf.horizon.local_settings.config.openstack_cinder_features.enable_backup }},
        }

        # The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional
        # services provided by neutron. Options currently available are load
        # balancer service, security groups, quotas, VPN service.
        OPENSTACK_NEUTRON_NETWORK = {
            'enable_router': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_router }},
            'enable_quotas': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_quotas }},
            'enable_ipv6': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_ipv6 }},
            'enable_distributed_router': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_distributed_router }},
            'enable_ha_router': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_ha_router }},
            'enable_lb': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_lb }},
            'enable_firewall': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_firewall }},
            'enable_vpn': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_vpn }},
            'enable_fip_topology_check': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_fip_topology_check }},

            # The profile_support option is used to detect if an external router can be
            # configured via the dashboard. When using specific plugins the
            # profile_support can be turned on if needed.
            'profile_support': None,
            #'profile_support': 'cisco',

            # Set which provider network types are supported. Only the network types
            # in this list will be available to choose from when creating a network.
            # Network types include local, flat, vlan, gre, and vxlan.
            'supported_provider_types': ['*'],

            # Set which VNIC types are supported for port binding. Only the VNIC
            # types in this list will be available to choose from when creating a
            # port.
            # VNIC types include 'normal', 'macvtap' and 'direct'.
            'supported_vnic_types': ['*']
        }

        # The OPENSTACK_IMAGE_BACKEND settings can be used to customize features
        # in the OpenStack Dashboard related to the Image service, such as the list
        # of supported image formats.
        #OPENSTACK_IMAGE_BACKEND = {
        #    'image_formats': [
        #        ('', _('Select format')),
        #        ('aki', _('AKI - Amazon Kernel Image')),
        #        ('ami', _('AMI - Amazon Machine Image')),
        #        ('ari', _('ARI - Amazon Ramdisk Image')),
        #        ('docker', _('Docker')),
        #        ('iso', _('ISO - Optical Disk Image')),
        #        ('ova', _('OVA - Open Virtual Appliance')),
        #        ('qcow2', _('QCOW2 - QEMU Emulator')),
        #        ('raw', _('Raw')),
        #        ('vdi', _('VDI - Virtual Disk Image')),
        #        ('vhd', ('VHD - Virtual Hard Disk')),
        #        ('vmdk', _('VMDK - Virtual Machine Disk')),
        #    ]
        #}

        # The IMAGE_CUSTOM_PROPERTY_TITLES settings is used to customize the titles for
        # image custom property attributes that appear on image detail pages.
        IMAGE_CUSTOM_PROPERTY_TITLES = {
            "architecture": _("Architecture"),
            "kernel_id": _("Kernel ID"),
            "ramdisk_id": _("Ramdisk ID"),
            "image_state": _("Euca2ools state"),
            "project_id": _("Project ID"),
            "image_type": _("Image Type"),
        }

        # The IMAGE_RESERVED_CUSTOM_PROPERTIES setting is used to specify which image
        # custom properties should not be displayed in the Image Custom Properties
        # table.
        IMAGE_RESERVED_CUSTOM_PROPERTIES = []

        # Set to 'legacy' or 'direct' to allow users to upload images to glance via
        # Horizon server. When enabled, a file form field will appear on the create
        # image form. If set to 'off', there will be no file form field on the create
        # image form. See documentation for deployment considerations.
        HORIZON_IMAGES_UPLOAD_MODE = '{{ .Values.conf.horizon.local_settings.config.horizon_images_upload_mode }}'

        # OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints
        # in the Keystone service catalog. Use this setting when Horizon is running
        # external to the OpenStack environment. The default is 'publicURL'.
        OPENSTACK_ENDPOINT_TYPE = "{{ .Values.conf.horizon.local_settings.config.endpoint_type }}"

        # SECONDARY_ENDPOINT_TYPE specifies the fallback endpoint type to use in the
        # case that OPENSTACK_ENDPOINT_TYPE is not present in the endpoints
        # in the Keystone service catalog. Use this setting when Horizon is running
        # external to the OpenStack environment. The default is None.  This
        # value should differ from OPENSTACK_ENDPOINT_TYPE if used.
        SECONDARY_ENDPOINT_TYPE = "publicURL"

        # The number of objects (Swift containers/objects or images) to display
        # on a single page before providing a paging element (a "more" link)
        # to paginate results.
        API_RESULT_LIMIT = 1000
        API_RESULT_PAGE_SIZE = 20

        # The size of chunk in bytes for downloading objects from Swift
        SWIFT_FILE_TRANSFER_CHUNK_SIZE = 512 * 1024

        # Specify a maximum number of items to display in a dropdown.
        DROPDOWN_MAX_ITEMS = 30

        # The timezone of the server. This should correspond with the timezone
        # of your entire OpenStack installation, and hopefully be in UTC.
        TIME_ZONE = "UTC"

        # When launching an instance, the menu of available flavors is
        # sorted by RAM usage, ascending. If you would like a different sort order,
        # you can provide another flavor attribute as sorting key. Alternatively, you
        # can provide a custom callback method to use for sorting. You can also provide
        # a flag for reverse sort. For more info, see
        # http://docs.python.org/2/library/functions.html#sorted
        #CREATE_INSTANCE_FLAVOR_SORT = {
        #    'key': 'name',
        #     # or
        #    'key': my_awesome_callback_method,
        #    'reverse': False,
        #}

        # Set this to True to display an 'Admin Password' field on the Change Password
        # form to verify that it is indeed the admin logged-in who wants to change
        # the password.
        ENFORCE_PASSWORD_CHECK = {{ .Values.conf.horizon.local_settings.config.enforce_password_check }}

        # Modules that provide /auth routes that can be used to handle different types
        # of user authentication. Add auth plugins that require extra route handling to
        # this list.
        #AUTHENTICATION_URLS = [
        #    'openstack_auth.urls',
        #]

        # The Horizon Policy Enforcement engine uses these values to load per service
        # policy rule files. The content of these files should match the files the
        # OpenStack services are using to determine role based access control in the
        # target installation.

        # Path to directory containing policy.yaml files
        POLICY_FILES_PATH = '/etc/openstack-dashboard'
        # Map of local copy of service policy files
        #POLICY_FILES = {
        #    'identity': 'keystone_policy.yaml',
        #    'compute': 'nova_policy.yaml',
        #    'volume': 'cinder_policy.yaml',
        #    'image': 'glance_policy.yaml',
        #    'orchestration': 'heat_policy.yaml',
        #    'network': 'neutron_policy.yaml',
        #    'telemetry': 'ceilometer_policy.yaml',
        #}

        # Trove user and database extension support. By default support for
        # creating users and databases on database instances is turned on.
        # To disable these extensions set the permission here to something
        # unusable such as ["!"].
        # TROVE_ADD_USER_PERMS = []
        # TROVE_ADD_DATABASE_PERMS = []

        # Change this patch to the appropriate static directory containing
        # two files: _variables.scss and _styles.scss
        #CUSTOM_THEME_PATH = 'static/themes/default'

        LOGGING = {
            'version': 1,
            # When set to True this will disable all logging except
            # for loggers specified in this configuration dictionary. Note that
            # if nothing is specified here and disable_existing_loggers is True,
            # django.db.backends will still log unless it is disabled explicitly.
            'disable_existing_loggers': False,
            'handlers': {
                'null': {
                    'level': 'DEBUG',
                    'class': 'logging.NullHandler',
                },
                'console': {
                    # Set the level to "DEBUG" for verbose output logging.
                    'level': 'INFO',
                    'class': 'logging.StreamHandler',
                },
            },
            'loggers': {
                # Logging from django.db.backends is VERY verbose, send to null
                # by default.
                'django.db.backends': {
                    'handlers': ['null'],
                    'propagate': False,
                },
                'requests': {
                    'handlers': ['null'],
                    'propagate': False,
                },
                'horizon': {
                    'handlers': ['console'],
                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
                    'propagate': False,
                },
                'openstack_dashboard': {
                    'handlers': ['console'],
                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
                    'propagate': False,
                },
                'novaclient': {
                    'handlers': ['console'],
                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
                    'propagate': False,
                },
                'cinderclient': {
                    'handlers': ['console'],
                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
                    'propagate': False,
                },
                'glanceclient': {
                    'handlers': ['console'],
                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
                    'propagate': False,
                },
                'glanceclient': {
                    'handlers': ['console'],
                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
                    'propagate': False,
                },
                'neutronclient': {
                    'handlers': ['console'],
                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
                    'propagate': False,
                },
                'heatclient': {
                    'handlers': ['console'],
                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
                    'propagate': False,
                },
                'ceilometerclient': {
                    'handlers': ['console'],
                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
                    'propagate': False,
                },
                'troveclient': {
                    'handlers': ['console'],
                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
                    'propagate': False,
                },
                'swiftclient': {
                    'handlers': ['console'],
                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
                    'propagate': False,
                },
                'openstack_auth': {
                    'handlers': ['console'],
                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
                    'propagate': False,
                },
                'nose.plugins.manager': {
                    'handlers': ['console'],
                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
                    'propagate': False,
                },
                'django': {
                    'handlers': ['console'],
                    'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
                    'propagate': False,
                },
                'iso8601': {
                    'handlers': ['null'],
                    'propagate': False,
                },
                'scss': {
                    'handlers': ['null'],
                    'propagate': False,
                },
            }
        }

        # 'direction' should not be specified for all_tcp/udp/icmp.
        # It is specified in the form.
        SECURITY_GROUP_RULES = {
            'all_tcp': {
                'name': _('All TCP'),
                'ip_protocol': 'tcp',
                'from_port': '1',
                'to_port': '65535',
            },
            'all_udp': {
                'name': _('All UDP'),
                'ip_protocol': 'udp',
                'from_port': '1',
                'to_port': '65535',
            },
            'all_icmp': {
                'name': _('All ICMP'),
                'ip_protocol': 'icmp',
                'from_port': '-1',
                'to_port': '-1',
            },
            'ssh': {
                'name': 'SSH',
                'ip_protocol': 'tcp',
                'from_port': '22',
                'to_port': '22',
            },
            'smtp': {
                'name': 'SMTP',
                'ip_protocol': 'tcp',
                'from_port': '25',
                'to_port': '25',
            },
            'dns': {
                'name': 'DNS',
                'ip_protocol': 'tcp',
                'from_port': '53',
                'to_port': '53',
            },
            'http': {
                'name': 'HTTP',
                'ip_protocol': 'tcp',
                'from_port': '80',
                'to_port': '80',
            },
            'pop3': {
                'name': 'POP3',
                'ip_protocol': 'tcp',
                'from_port': '110',
                'to_port': '110',
            },
            'imap': {
                'name': 'IMAP',
                'ip_protocol': 'tcp',
                'from_port': '143',
                'to_port': '143',
            },
            'ldap': {
                'name': 'LDAP',
                'ip_protocol': 'tcp',
                'from_port': '389',
                'to_port': '389',
            },
            'https': {
                'name': 'HTTPS',
                'ip_protocol': 'tcp',
                'from_port': '443',
                'to_port': '443',
            },
            'smtps': {
                'name': 'SMTPS',
                'ip_protocol': 'tcp',
                'from_port': '465',
                'to_port': '465',
            },
            'imaps': {
                'name': 'IMAPS',
                'ip_protocol': 'tcp',
                'from_port': '993',
                'to_port': '993',
            },
            'pop3s': {
                'name': 'POP3S',
                'ip_protocol': 'tcp',
                'from_port': '995',
                'to_port': '995',
            },
            'ms_sql': {
                'name': 'MS SQL',
                'ip_protocol': 'tcp',
                'from_port': '1433',
                'to_port': '1433',
            },
            'mysql': {
                'name': 'MYSQL',
                'ip_protocol': 'tcp',
                'from_port': '3306',
                'to_port': '3306',
            },
            'rdp': {
                'name': 'RDP',
                'ip_protocol': 'tcp',
                'from_port': '3389',
                'to_port': '3389',
            },
        }

        # Deprecation Notice:
        #
        # The setting FLAVOR_EXTRA_KEYS has been deprecated.
        # Please load extra spec metadata into the Glance Metadata Definition Catalog.
        #
        # The sample quota definitions can be found in:
        # <glance_source>/etc/metadefs/compute-quota.json
        #
        # The metadata definition catalog supports CLI and API:
        #  $glance --os-image-api-version 2 help md-namespace-import
        #  $glance-manage db_load_metadefs <directory_with_definition_files>
        #
        # See Metadata Definitions on: https://docs.openstack.org/glance/latest/

        # Indicate to the Sahara data processing service whether or not
        # automatic floating IP allocation is in effect.  If it is not
        # in effect, the user will be prompted to choose a floating IP
        # pool for use in their cluster.  False by default.  You would want
        # to set this to True if you were running Nova Networking with
        # auto_assign_floating_ip = True.
        #SAHARA_AUTO_IP_ALLOCATION_ENABLED = False

        # The hash algorithm to use for authentication tokens. This must
        # match the hash algorithm that the identity server and the
        # auth_token middleware are using. Allowed values are the
        # algorithms supported by Python's hashlib library.
        #OPENSTACK_TOKEN_HASH_ALGORITHM = 'md5'

        # AngularJS requires some settings to be made available to
        # the client side. Some settings are required by in-tree / built-in horizon
        # features. These settings must be added to REST_API_REQUIRED_SETTINGS in the
        # form of ['SETTING_1','SETTING_2'], etc.
        #
        # You may remove settings from this list for security purposes, but do so at
        # the risk of breaking a built-in horizon feature. These settings are required
        # for horizon to function properly. Only remove them if you know what you
        # are doing. These settings may in the future be moved to be defined within
        # the enabled panel configuration.
        # You should not add settings to this list for out of tree extensions.
        # See: https://wiki.openstack.org/wiki/Horizon/RESTAPI
        REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES',
                                      'LAUNCH_INSTANCE_DEFAULTS',
                                      'OPENSTACK_IMAGE_FORMATS']

        # Additional settings can be made available to the client side for
        # extensibility by specifying them in REST_API_ADDITIONAL_SETTINGS
        # !! Please use extreme caution as the settings are transferred via HTTP/S
        # and are not encrypted on the browser. This is an experimental API and
        # may be deprecated in the future without notice.
        #REST_API_ADDITIONAL_SETTINGS = []

        # DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
        # within an iframe. Legacy browsers are still vulnerable to a Cross-Frame
        # Scripting (XFS) vulnerability, so this option allows extra security hardening
        # where iframes are not used in deployment. Default setting is True.
        # For more information see:
        # http://tinyurl.com/anticlickjack
        DISALLOW_IFRAME_EMBED = {{ .Values.conf.horizon.local_settings.config.disallow_iframe_embed }}

        STATIC_ROOT = '/var/www/html/horizon'

        {{- range $option, $value := .Values.conf.horizon.local_settings.config.raw }}
        {{ $option }} = {{ toJson $value }}
        {{- end }}
    policy:
      ceilometer:
        context_is_admin: 'role:admin'
        context_is_owner: 'user_id:%(target.user_id)s'
        context_is_project: 'project_id:%(target.project_id)s'
        segregation: 'rule:context_is_admin'
      heat:
        'actions:action': 'rule:deny_stack_user'
        'build_info:build_info': 'rule:deny_stack_user'
        'cloudformation:CancelUpdateStack': 'rule:deny_stack_user'
        'cloudformation:CreateStack': 'rule:deny_stack_user'
        'cloudformation:DeleteStack': 'rule:deny_stack_user'
        'cloudformation:DescribeStackEvents': 'rule:deny_stack_user'
        'cloudformation:DescribeStackResource': ''
        'cloudformation:DescribeStackResources': 'rule:deny_stack_user'
        'cloudformation:DescribeStacks': 'rule:deny_stack_user'
        'cloudformation:EstimateTemplateCost': 'rule:deny_stack_user'
        'cloudformation:GetTemplate': 'rule:deny_stack_user'
        'cloudformation:ListStackResources': 'rule:deny_stack_user'
        'cloudformation:ListStacks': 'rule:deny_stack_user'
        'cloudformation:UpdateStack': 'rule:deny_stack_user'
        'cloudformation:ValidateTemplate': 'rule:deny_stack_user'
        'cloudwatch:DeleteAlarms': 'rule:deny_stack_user'
        'cloudwatch:DescribeAlarmHistory': 'rule:deny_stack_user'
        'cloudwatch:DescribeAlarms': 'rule:deny_stack_user'
        'cloudwatch:DescribeAlarmsForMetric': 'rule:deny_stack_user'
        'cloudwatch:DisableAlarmActions': 'rule:deny_stack_user'
        'cloudwatch:EnableAlarmActions': 'rule:deny_stack_user'
        'cloudwatch:GetMetricStatistics': 'rule:deny_stack_user'
        'cloudwatch:ListMetrics': 'rule:deny_stack_user'
        'cloudwatch:PutMetricAlarm': 'rule:deny_stack_user'
        'cloudwatch:PutMetricData': ''
        'cloudwatch:SetAlarmState': 'rule:deny_stack_user'
        context_is_admin: 'role:admin'
        deny_everybody: '!'
        deny_stack_user: 'not role:heat_stack_user'
        'events:index': 'rule:deny_stack_user'
        'events:show': 'rule:deny_stack_user'
        'resource:index': 'rule:deny_stack_user'
        'resource:mark_unhealthy': 'rule:deny_stack_user'
        'resource:metadata': ''
        'resource:show': 'rule:deny_stack_user'
        'resource:signal': ''
        'resource_types:OS::Cinder::EncryptedVolumeType': 'rule:context_is_admin'
        'resource_types:OS::Cinder::VolumeType': 'rule:context_is_admin'
        'resource_types:OS::Manila::ShareType': 'rule:context_is_admin'
        'resource_types:OS::Neutron::QoSBandwidthLimitRule': 'rule:context_is_admin'
        'resource_types:OS::Neutron::QoSPolicy': 'rule:context_is_admin'
        'resource_types:OS::Nova::Flavor': 'rule:context_is_admin'
        'resource_types:OS::Nova::HostAggregate': 'rule:context_is_admin'
        'service:index': 'rule:context_is_admin'
        'software_configs:create': 'rule:deny_stack_user'
        'software_configs:delete': 'rule:deny_stack_user'
        'software_configs:global_index': 'rule:deny_everybody'
        'software_configs:index': 'rule:deny_stack_user'
        'software_configs:show': 'rule:deny_stack_user'
        'software_deployments:create': 'rule:deny_stack_user'
        'software_deployments:delete': 'rule:deny_stack_user'
        'software_deployments:index': 'rule:deny_stack_user'
        'software_deployments:metadata': ''
        'software_deployments:show': 'rule:deny_stack_user'
        'software_deployments:update': 'rule:deny_stack_user'
        'stacks:abandon': 'rule:deny_stack_user'
        'stacks:create': 'rule:deny_stack_user'
        'stacks:delete': 'rule:deny_stack_user'
        'stacks:delete_snapshot': 'rule:deny_stack_user'
        'stacks:detail': 'rule:deny_stack_user'
        'stacks:environment': 'rule:deny_stack_user'
        'stacks:export': 'rule:deny_stack_user'
        'stacks:generate_template': 'rule:deny_stack_user'
        'stacks:global_index': 'rule:deny_everybody'
        'stacks:index': 'rule:deny_stack_user'
        'stacks:list_outputs': 'rule:deny_stack_user'
        'stacks:list_resource_types': 'rule:deny_stack_user'
        'stacks:list_snapshots': 'rule:deny_stack_user'
        'stacks:list_template_functions': 'rule:deny_stack_user'
        'stacks:list_template_versions': 'rule:deny_stack_user'
        'stacks:lookup': ''
        'stacks:preview': 'rule:deny_stack_user'
        'stacks:preview_update': 'rule:deny_stack_user'
        'stacks:preview_update_patch': 'rule:deny_stack_user'
        'stacks:resource_schema': 'rule:deny_stack_user'
        'stacks:restore_snapshot': 'rule:deny_stack_user'
        'stacks:show': 'rule:deny_stack_user'
        'stacks:show_output': 'rule:deny_stack_user'
        'stacks:show_snapshot': 'rule:deny_stack_user'
        'stacks:snapshot': 'rule:deny_stack_user'
        'stacks:template': 'rule:deny_stack_user'
        'stacks:update': 'rule:deny_stack_user'
        'stacks:update_patch': 'rule:deny_stack_user'
        'stacks:validate_template': 'rule:deny_stack_user'
    # list of panels to enable for horizon
    # this requires that the panels are already installed in the horizon image, if they are not
    # nothing will be added
    # the name of the panel should be the name of the dir where the panel is installed
    # for example heat_dashboard, cloudkittydashboard or neutron_taas_dashboard
    extra_panels:
      - heat_dashboard
      - neutron_taas_dashboard

dependencies:
  dynamic:
    common:
      local_image_registry:
        jobs:
          - horizon-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
  static:
    dashboard:
      jobs:
        - horizon-db-sync
      services:
        - endpoint: internal
          service: oslo_cache
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: identity
    db_drop:
      services:
        - endpoint: internal
          service: oslo_db
    db_init:
      services:
        - endpoint: internal
          service: oslo_db
    db_sync:
      jobs:
        - horizon-db-init
      services:
        - endpoint: internal
          service: oslo_db
    image_repo_sync:
      services:
        - endpoint: internal
          service: local_image_registry
    tests:
      services:
        - endpoint: internal
          service: dashboard

pod:
  security_context:
    horizon:
      pod:
        runAsUser: 42424
      container:
        horizon:
          readOnlyRootFilesystem: false
          allowPrivilegeEscalation: false
          runAsUser: 0
    db_sync:
      pod:
        runAsUser: 42424
      container:
        horizon_db_sync:
          readOnlyRootFilesystem: false
          allowPrivilegeEscalation: false
          runAsUser: 0
    test:
      pod:
        runAsUser: 42424
      container:
        horizon_test:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
  affinity:
    anti:
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
      weight:
        default: 10
  tolerations:
    horizon:
      enabled: false
      tolerations:
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: NoSchedule
      - key: node-role.kubernetes.io/control-plane
        operator: Exists
        effect: NoSchedule
  mounts:
    horizon_db_init:
      init_container: null
      horizon_db_init:
        volumeMounts:
        volumes:
    horizon_db_sync:
      init_container: null
      horizon_db_sync:
        volumeMounts:
        volumes:
    horizon:
      init_container: null
      horizon:
        volumeMounts:
        volumes:
    horizon_tests:
      init_container: null
      horizon_tests:
        volumeMounts:
        volumes:
  replicas:
    server: 1
  lifecycle:
    upgrades:
      deployments:
        revision_history: 3
        pod_replacement_strategy: RollingUpdate
        rolling_update:
          max_unavailable: 1
          max_surge: 3
    disruption_budget:
      horizon:
        min_available: 0
    termination_grace_period:
      horizon:
        timeout: 30
  resources:
    enabled: false
    server:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    jobs:
      db_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_drop:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      image_repo_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      tests:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"

# Names of secrets used by bootstrap and environmental checks
secrets:
  identity:
    admin: horizon-keystone-admin
  oslo_db:
    admin: horizon-db-admin
    horizon: horizon-db-user
  tls:
    dashboard:
      dashboard:
        public: horizon-tls-public
        internal: horizon-tls-web
  oci_image_registry:
    horizon: horizon-oci-image-registry

tls:
  identity: false

# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  oci_image_registry:
    name: oci-image-registry
    namespace: oci-image-registry
    auth:
      enabled: false
      horizon:
        username: horizon
        password: password
    hosts:
      default: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        default: null
  identity:
    name: keystone
    auth:
      admin:
        region_name: RegionOne
        username: admin
        password: password
        project_name: admin
        user_domain_name: default
        project_domain_name: default
    hosts:
      default: keystone
      internal: keystone-api
    host_fqdn_override:
      default: null
    path:
      default: /v3
    scheme:
      default: http
    port:
      api:
        default: 80
        internal: 5000
  oslo_cache:
    hosts:
      default: memcached
    host_fqdn_override:
      default: null
    port:
      memcache:
        default: 11211
  dashboard:
    name: horizon
    hosts:
      default: horizon-int
      public: horizon
    host_fqdn_override:
      default: null
      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
      # endpoints using the following format:
      # public:
      #   host: null
      #   tls:
      #     crt: null
      #     key: null
    path:
      default: null
    scheme:
      default: http
    port:
      web:
        default: 80
  oslo_db:
    auth:
      admin:
        username: root
        password: password
        secret:
          tls:
            internal: mariadb-tls-direct
      horizon:
        username: horizon
        password: password
    hosts:
      default: mariadb
    host_fqdn_override:
      default: null
    path: /horizon
    scheme: mysql+pymysql
    port:
      mysql:
        default: 3306
  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
  # They are using to enable the Egress K8s network policy.
  kube_dns:
    namespace: kube-system
    name: kubernetes-dns
    hosts:
      default: kube-dns
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: http
    port:
      dns:
        default: 53
        protocol: UDP
  ingress:
    namespace: null
    name: ingress
    hosts:
      default: ingress
    port:
      ingress:
        default: 80

network_policy:
  horizon:
    ingress:
      - {}
    egress:
      - {}

# NOTE(helm_hook): helm_hook might break for helm2 binary.
# set helm3_hook: false when using the helm2 binary.
helm3_hook: true

manifests:
  certificates: false
  configmap_bin: true
  configmap_etc: true
  configmap_logo: false
  deployment: true
  ingress_api: true
  job_db_init: true
  job_db_sync: true
  job_db_drop: false
  job_image_repo_sync: true
  pdb: true
  pod_helm_test: true
  network_policy: false
  secret_db: true
  secret_ingress_tls: true
  secret_keystone: true
  secret_registry: true
  service_ingress: true
  service: true
...