Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 1 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 2 | # you may not use this file except in compliance with the License. |
| 3 | # You may obtain a copy of the License at |
| 4 | # |
| 5 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 6 | # |
| 7 | # Unless required by applicable law or agreed to in writing, software |
| 8 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 9 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 10 | # See the License for the specific language governing permissions and |
| 11 | # limitations under the License. |
| 12 | |
| 13 | # Default values for horizon. |
| 14 | # This is a YAML-formatted file. |
| 15 | # Declare name/value pairs to be passed into your templates. |
| 16 | # name: value |
| 17 | |
| 18 | --- |
# Container images used by the chart, keyed by the role each image plays.
images:
  tags:
    # NOTE(review): every reference below is a mutable tag with no digest, so
    # the content behind a tag can change between pulls. Consider pinning
    # digests and mirroring the images into a registry you control.
    # NOTE(review): the stein/bionic tags look like old release lines; confirm
    # these images still receive security updates before deploying them.
    db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    horizon_db_sync: docker.io/openstackhelm/horizon:stein-ubuntu_bionic
    db_drop: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    horizon: docker.io/openstackhelm/horizon:stein-ubuntu_bionic
    # NOTE(review): "latest-*" is a floating tag; with the IfNotPresent pull
    # policy below, nodes may end up running different builds of this image.
    test: docker.io/openstackhelm/osh-selenium:latest-ubuntu_focal
    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
    image_repo_sync: docker.io/docker:17.07.0
  # Presumably applied as the image pull policy of the pods -- confirm in the
  # chart templates.
  pull_policy: "IfNotPresent"
  # Optional local registry; the two excluded roles keep their upstream
  # references even when it is active (assumed from the key names -- confirm).
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync
| 34 | |
# Use selenium v4 syntax
selenium_v4: true

release_group: null

# Node selector key/value pairs, one pair per workload type.
labels:
  dashboard:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  job:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  test:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled

# How the dashboard service is exposed.
network:
  dashboard:
    ingress:
      # NOTE(review): public ingress is on by default while use_ssl and the
      # cookie "secure" flags under conf.horizon.local_settings.config default
      # to "False"; confirm TLS is terminated in front of the dashboard before
      # exposing it.
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
  external_policy_local: false
  # NodePort exposure is disabled by default; the port is only a preset.
  node_port:
    enabled: false
    port: 31000
| 64 | |
conf:
  # Apache binary, start parameters and module selection for the dashboard
  # container.
  software:
    apache2:
      binary: apache2
      start_parameters: -DFOREGROUND
      site_dir: /etc/apache2/sites-available
      conf_dir: /etc/apache2/conf-available
      mods_dir: /etc/apache2/mods-available
      # Modules to enable: "headers" is needed by the Header directives in
      # conf.horizon.security, "rewrite" by the RewriteEngine rules in
      # conf.horizon.apache.
      a2enmod:
        - headers
        - rewrite
      # Modules to disable. Keeping "status" off avoids serving mod_status
      # pages from the dashboard.
      a2dismod:
        - status
  horizon:
    # Optional branding assets; all three are empty by default.
    branding:
      # logo, logo_splash and favicon each accept a base64-encoded string.
      logo:
      logo_splash:
      favicon:
    # Apache site configuration for the dashboard, kept as a literal block. The
    # Helm template expressions inside it resolve the internal "web" port.
    # - Requests whose method does not start with POST, PUT, GET, DELETE or
    #   PATCH are rejected by the RewriteCond/RewriteRule pair ([F] = 403).
    # - Access logs go to stdout in one of two formats: "combined" records the
    #   peer address (%h), "proxy" records the X-Forwarded-For header instead.
    # NOTE(review): the SetEnvIf pattern only checks that X-Forwarded-For
    # contains three dots, so any client-supplied value of that shape is logged
    # as the source address. Treat that field as unverified unless the proxy in
    # front of Horizon overwrites the header.
    # NOTE(review): python-path points at a python2.7 site-packages directory;
    # confirm it matches the interpreter shipped in the horizon image.
    apache: |
      <IfVersion < 2.4>
      Listen 0.0.0.0:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
      </IfVersion>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
      LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy

      SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
      CustomLog /dev/stdout combined env=!forwarded
      CustomLog /dev/stdout proxy env=forwarded

      <VirtualHost *:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
        WSGIScriptReloading On
        WSGIDaemonProcess horizon-http processes=5 threads=1 user=horizon group=horizon display-name=%{GROUP} python-path=/var/lib/kolla/venv/lib/python2.7/site-packages
        WSGIProcessGroup horizon-http
        WSGIScriptAlias / /var/www/cgi-bin/horizon/django.wsgi
        WSGIPassAuthorization On
        RewriteEngine on
        RewriteCond %{REQUEST_METHOD} !^(POST|PUT|GET|DELETE|PATCH)
        RewriteRule .* - [F]

        <Location "/">
          Require all granted
        </Location>

        Alias /static /var/www/html/horizon
        <Location "/static">
          SetHandler static
        </Location>

        <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        ErrorLog /dev/stdout
        TransferLog /dev/stdout

        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
        CustomLog /dev/stdout combined env=!forwarded
        CustomLog /dev/stdout proxy env=forwarded
      </Virtualhost>
    # Apache hardening snippet, kept as a literal block. The active directives
    # are ServerTokens Prod, ServerSignature Off, TraceEnable Off and two
    # Header set lines; everything else in the block is Apache commentary.
    # NOTE(review): the last comment paragraph of the snippet describes an
    # anti-framing (clickjacking) header, but no Header directive follows it.
    # Framing protection presumably depends on disallow_iframe_embed under
    # local_settings.config, which defaults to "False" -- confirm that some
    # layer actually emits a framing policy.
    # NOTE(review): the blanket "<Directory /> Require all denied" stanza is
    # commented out, so filesystem access is not denied by default here.
    security: |
      #
      # Disable access to the entire file system except for the directories that
      # are explicitly allowed later.
      #
      # This currently breaks the configurations that come with some web application
      # Debian packages.
      #
      #<Directory />
      # AllowOverride None
      # Require all denied
      #</Directory>

      # Changing the following options will not really affect the security of the
      # server, but might make attacks slightly more difficult in some cases.

      #
      # ServerTokens
      # This directive configures what you return as the Server HTTP response
      # Header. The default is 'Full' which sends information about the OS-Type
      # and compiled in modules.
      # Set to one of: Full | OS | Minimal | Minor | Major | Prod
      # where Full conveys the most information, and Prod the least.
      ServerTokens Prod

      #
      # Optionally add a line containing the server version and virtual host
      # name to server-generated pages (internal error documents, FTP directory
      # listings, mod_status and mod_info output etc., but not CGI generated
      # documents or custom error documents).
      # Set to "EMail" to also include a mailto: link to the ServerAdmin.
      # Set to one of: On | Off | EMail
      ServerSignature Off

      #
      # Allow TRACE method
      #
      # Set to "extended" to also reflect the request body (only for testing and
      # diagnostic purposes).
      #
      # Set to one of: On | Off | extended
      TraceEnable Off

      #
      # Forbid access to version control directories
      #
      # If you use version control systems in your document root, you should
      # probably deny access to their directories. For example, for subversion:
      #
      #<DirectoryMatch "/\.svn">
      # Require all denied
      #</DirectoryMatch>

      #Security-Settings
      # Setting this header will prevent MSIE from interpreting files as something
      # else than declared by the content type in the HTTP headers.
      # Requires mod_headers to be enabled.
      #
      Header set X-Content-Type-Options: "nosniff"
      Header set X-Permitted-Cross-Domain-Policies: "none"
      # Setting this header will prevent other sites from embedding pages from this
      # site as frames. This defends against clickjacking attacks.
      # Requires mod_headers to be enabled.
      #
    # Extra settings snippets, empty by default. Judging by the example below,
    # each key names a settings file and its value is the Python source of that
    # file -- confirm in the chart templates.
    # NOTE(review): anything placed here would then run as Python inside
    # Horizon, so restrict who may supply these values.
    local_settings_d: {}
    ## For example, _50_monasca_ui_settings.py
    # _50_monasca_ui_settings: |
    #   from django.conf import settings
    #   # Grafana button titles/file names (global across all projects):
    #   GRAFANA_LINKS = []
    #   DASHBOARDS = getattr(settings, 'GRAFANA_LINKS', GRAFANA_LINKS)
| 195 | |
    local_settings:
      # Values substituted into the local_settings.py template that follows.
      config:
        # Use "True" and "False" as Titlecase strings with quotes, boolean
        # values will not work. These strings are pasted into the Python
        # settings as written. The exceptions are the keys the template tests
        # with "if" (enable_pwd_validator, secure_proxy_ssl_header,
        # auth.sso.enabled), which are real YAML booleans.
        #
        # NOTE(review): this default key is a fixed value published with the
        # chart and is rendered into Django's SECRET_KEY. Every deployment
        # should override it with a unique random value kept in a secret store;
        # anyone who knows the key can forge data that Django signs with it.
        horizon_secret_key: 9aee62c0-5253-4a86-b189-e0fb71fa503c
        debug: "False"
        # NOTE(review): use_ssl and the two *_cookie_secure flags default to
        # "False", so the session and CSRF cookies are also sent over plain
        # HTTP. Set them to "True" when the dashboard is served over TLS.
        use_ssl: "False"
        endpoint_type: "internalURL"
        keystone_multidomain_support: "True"
        keystone_default_domain: Default
        disable_password_reveal: "True"
        show_openrc_file: "True"
        csrf_cookie_secure: "False"
        # NOTE(review): check whether the dashboard's JavaScript needs to read
        # the CSRF cookie before changing csrf_cookie_httponly.
        csrf_cookie_httponly: "False"
        enforce_password_check: "True"
        # Set enable_pwd_validator to true to enforce password validator settings.
        # With the default (false) the regex and help text below are not
        # rendered into the settings at all.
        enable_pwd_validator: false
        pwd_validator_regex: '(?=.*[a-zA-Z])(?=.*\d).{8,}|(?=.*\d)(?=.*\W).{8,}|(?=.*\W)(?=.*[a-zA-Z]).{8,}'
        # The help text is inserted into the template without surrounding
        # quotes, i.e. as a Python expression, so it must stay valid Python.
        pwd_validator_help_text: '_("Your password must be at least eight (8) characters in length and must include characters from at least two (2) of these groupings: alpha, numeric, and special characters.")'
        session_cookie_secure: "False"
        # NOTE(review): "False" leaves the session cookie readable by page
        # scripts; Django's own default for SESSION_COOKIE_HTTPONLY is True.
        session_cookie_httponly: "False"
        # When true, the template sets SECURE_PROXY_SSL_HEADER so that Django
        # trusts X-Forwarded-Proto. Enable it only if the front proxy strips
        # that header from client requests.
        secure_proxy_ssl_header: false
        password_autocomplete: "False"
        # NOTE(review): presumably controls whether pages may be embedded in
        # frames; "False" would leave clickjacking protection off -- confirm
        # how the template uses it.
        disallow_iframe_embed: "False"
        # NOTE(review): '*' turns off Django's Host header validation. List
        # the real dashboard host names in production.
        allowed_hosts:
          - '*'
        horizon_images_upload_mode: 'legacy'
        openstack_cinder_features:
          enable_backup: "True"
        openstack_neutron_network:
          enable_router: "True"
          enable_quotas: "True"
          enable_ipv6: "True"
          enable_distributed_router: "False"
          enable_ha_router: "False"
          enable_lb: "True"
          enable_firewall: "True"
          enable_vpn: "True"
          enable_fip_topology_check: "True"
        openstack_enable_password_retrieve: "False"
        auth:
          # Keystone web single sign-on; the WEBSSO_* settings are rendered
          # only when enabled is true.
          sso:
            enabled: False
            initial_choice: "credentials"
          # Sample identity-provider entries (placeholders); replace them
          # before enabling SSO.
          idp_mapping:
            - name: "acme_oidc"
              label: "Acme Corporation - OpenID Connect"
              idp: "myidp1"
              protocol: "oidc"
            - name: "acme_saml2"
              label: "Acme Corporation - SAML2"
              idp: "myidp2"
              protocol: "saml2"
        # NOTE(review): DEBUG is the default log level; verbose logs can carry
        # request details, so consider a quieter level in production.
        log_level: "DEBUG"
        # Pass any settings to the end of local_settings.py
        raw: {}
        openstack_api_versions:
          container_infra: "1.10"
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 254 | template: | |
| 255 | import os |
| 256 | |
Mohammed Naser | da99423 | 2024-04-13 12:34:01 -0400 | [diff] [blame] | 257 | from django.utils.translation import gettext_lazy as _ |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 258 | |
| 259 | from openstack_dashboard import exceptions |
| 260 | |
| 261 | DEBUG = {{ .Values.conf.horizon.local_settings.config.debug }} |
| 262 | TEMPLATE_DEBUG = DEBUG |
| 263 | |
| 264 | COMPRESS_OFFLINE = True |
| 265 | COMPRESS_CSS_HASHING_METHOD = "hash" |
| 266 | |
| 267 | # WEBROOT is the location relative to Webserver root |
| 268 | # should end with a slash. |
| 269 | WEBROOT = '/' |
| 270 | # LOGIN_URL = WEBROOT + 'auth/login/' |
| 271 | # LOGOUT_URL = WEBROOT + 'auth/logout/' |
| 272 | # |
| 273 | # LOGIN_REDIRECT_URL can be used as an alternative for |
| 274 | # HORIZON_CONFIG.user_home, if user_home is not set. |
| 275 | # Do not set it to '/home/', as this will cause circular redirect loop |
| 276 | # LOGIN_REDIRECT_URL = WEBROOT |
| 277 | |
| 278 | # Required for Django 1.5. |
| 279 | # If horizon is running in production (DEBUG is False), set this |
| 280 | # with the list of host/domain names that the application can serve. |
| 281 | # For more information see: |
| 282 | # https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts |
| 283 | ALLOWED_HOSTS = [{{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.conf.horizon.local_settings.config.allowed_hosts }},'%s' % (os.environ.get("MY_POD_IP"))] |
| 284 | |
| 285 | # Set SSL proxy settings: |
| 286 | # For Django 1.4+ pass this header from the proxy after terminating the SSL, |
| 287 | # and don't forget to strip it from the client's request. |
| 288 | # For more information see: |
| 289 | # https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header |
| 290 | #SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https') |
| 291 | # https://docs.djangoproject.com/en/1.5/ref/settings/#secure-proxy-ssl-header |
| 292 | {{- if .Values.conf.horizon.local_settings.config.secure_proxy_ssl_header }} |
| 293 | SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') |
| 294 | {{- end }} |
| 295 | |
| 296 | # If Horizon is being served through SSL, set the following cookie |
| 297 | # settings to True to better secure the cookies from security exploits |
| 298 | USE_SSL = {{ .Values.conf.horizon.local_settings.config.use_ssl }} |
| 299 | CSRF_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }} |
| 300 | CSRF_COOKIE_HTTPONLY = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_httponly }} |
| 301 | SESSION_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.session_cookie_secure }} |
| 302 | |
| 303 | SESSION_COOKIE_HTTPONLY = {{ .Values.conf.horizon.local_settings.config.session_cookie_httponly }} |
| 304 | |
| 305 | # Overrides for OpenStack API versions. Use this setting to force the |
| 306 | # OpenStack dashboard to use a specific API version for a given service API. |
| 307 | # Versions specified here should be integers or floats, not strings. |
| 308 | # NOTE: The version should be formatted as it appears in the URL for the |
| 309 | # service API. For example, The identity service APIs have inconsistent |
| 310 | # use of the decimal point, so valid options would be 2.0 or 3. |
| 311 | #OPENSTACK_API_VERSIONS = { |
| 312 | # "data-processing": 1.1, |
| 313 | # "identity": 3, |
| 314 | # "volume": 2, |
| 315 | #} |
| 316 | |
| 317 | OPENSTACK_API_VERSIONS = { |
| 318 | "identity": 3, |
Mohammed Naser | 1402ed0 | 2023-02-19 22:48:59 +0000 | [diff] [blame] | 319 | "container-infra": "{{ .Values.conf.horizon.local_settings.config.openstack_api_versions.container_infra }}" |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 320 | } |
| 321 | |
| 322 | # Set this to True if running on multi-domain model. When this is enabled, it |
| 323 | # will require user to enter the Domain name in addition to username for login. |
| 324 | OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = {{ .Values.conf.horizon.local_settings.config.keystone_multidomain_support }} |
| 325 | |
| 326 | # Overrides the default domain used when running on single-domain model |
| 327 | # with Keystone V3. All entities will be created in the default domain. |
| 328 | OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = '{{ .Values.conf.horizon.local_settings.config.keystone_default_domain }}' |
| 329 | |
| 330 | # Set Console type: |
| 331 | # valid options are "AUTO"(default), "VNC", "SPICE", "RDP", "SERIAL" or None |
| 332 | # Set to None explicitly if you want to deactivate the console. |
| 333 | #CONSOLE_TYPE = "AUTO" |
| 334 | |
| 335 | # Default OpenStack Dashboard configuration. |
| 336 | HORIZON_CONFIG = { |
| 337 | 'user_home': 'openstack_dashboard.views.get_user_home', |
| 338 | 'ajax_queue_limit': 10, |
| 339 | 'auto_fade_alerts': { |
| 340 | 'delay': 3000, |
| 341 | 'fade_duration': 1500, |
| 342 | 'types': ['alert-success', 'alert-info'] |
| 343 | }, |
| 344 | 'help_url': "http://docs.openstack.org", |
| 345 | 'exceptions': {'recoverable': exceptions.RECOVERABLE, |
| 346 | 'not_found': exceptions.NOT_FOUND, |
| 347 | 'unauthorized': exceptions.UNAUTHORIZED}, |
| 348 | 'modal_backdrop': 'static', |
| 349 | 'angular_modules': [], |
| 350 | 'js_files': [], |
| 351 | 'js_spec_files': [], |
| 352 | } |
| 353 | |
| 354 | {{- if .Values.conf.horizon.local_settings.config.enable_pwd_validator }} |
| 355 | # Specify a regular expression to validate user passwords. |
| 356 | HORIZON_CONFIG["password_validator"] = { |
| 357 | "regex": '{{ .Values.conf.horizon.local_settings.config.pwd_validator_regex }}', |
| 358 | "help_text": {{ .Values.conf.horizon.local_settings.config.pwd_validator_help_text }}, |
| 359 | } |
| 360 | {{- end }} |
| 361 | |
| 362 | # Disable simplified floating IP address management for deployments with |
| 363 | # multiple floating IP pools or complex network requirements. |
| 364 | #HORIZON_CONFIG["simple_ip_management"] = False |
| 365 | |
| 366 | # Turn off browser autocompletion for forms including the login form and |
| 367 | # the database creation workflow if so desired. |
| 368 | HORIZON_CONFIG["password_autocomplete"] = '{{ .Values.conf.horizon.local_settings.config.password_autocomplete }}' |
| 369 | |
| 370 | # Setting this to True will disable the reveal button for password fields, |
| 371 | # including on the login form. |
| 372 | HORIZON_CONFIG["disable_password_reveal"] = {{ .Values.conf.horizon.local_settings.config.disable_password_reveal }} |
| 373 | |
| 374 | LOCAL_PATH = '/tmp' |
| 375 | |
| 376 | # Set custom secret key: |
| 377 | # You can either set it to a specific value or you can let horizon generate a |
| 378 | # default secret key that is unique on this machine, i.e. regardless of the |
| 379 | # amount of Python WSGI workers (if used behind Apache+mod_wsgi): However, |
| 380 | # there may be situations where you would want to set this explicitly, e.g. |
| 381 | # when multiple dashboard instances are distributed on different machines |
| 382 | # (usually behind a load-balancer). Either you have to make sure that a session |
| 383 | # gets all requests routed to the same dashboard instance or you set the same |
| 384 | # SECRET_KEY for all of them. |
| 385 | SECRET_KEY='{{ .Values.conf.horizon.local_settings.config.horizon_secret_key }}' |
| 386 | |
| 387 | CACHES = { |
| 388 | 'default': { |
Mohammed Naser | da99423 | 2024-04-13 12:34:01 -0400 | [diff] [blame] | 389 | 'BACKEND': 'django.core.cache.backends.memcached.PyMemcacheCache', |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 390 | 'LOCATION': '{{ tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}', |
| 391 | } |
| 392 | } |
| 393 | DATABASES = { |
| 394 | 'default': { |
| 395 | # Database configuration here |
| 396 | 'ENGINE': 'django.db.backends.mysql', |
| 397 | 'NAME': '{{ .Values.endpoints.oslo_db.path | base }}', |
| 398 | 'USER': '{{ .Values.endpoints.oslo_db.auth.horizon.username }}', |
| 399 | 'PASSWORD': '{{ .Values.endpoints.oslo_db.auth.horizon.password }}', |
| 400 | 'HOST': '{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}', |
| 401 | 'default-character-set': 'utf8', |
| 402 | {{- if .Values.manifests.certificates }} |
| 403 | 'OPTIONS':{ |
| 404 | 'ssl': { |
| 405 | 'ca': '/etc/mysql/certs/ca.crt', |
| 406 | 'cert': '/etc/mysql/certs/tls.crt', |
| 407 | 'key': '/etc/mysql/certs/tls.key' |
| 408 | } |
| 409 | }, |
| 410 | {{- end }} |
| 411 | 'PORT': '{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}' |
| 412 | } |
| 413 | } |
| 414 | SESSION_ENGINE = 'django.contrib.sessions.backends.cached_db' |
| 415 | |
| 416 | # Send email to the console by default |
| 417 | EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend' |
| 418 | # Or send them to /dev/null |
| 419 | #EMAIL_BACKEND = 'django.core.mail.backends.dummy.EmailBackend' |
| 420 | |
| 421 | # Configure these for your outgoing email host |
| 422 | #EMAIL_HOST = 'smtp.my-company.com' |
| 423 | #EMAIL_PORT = 25\\ |
| 424 | #EMAIL_HOST_USER = 'djangomail' |
| 425 | #EMAIL_HOST_PASSWORD = 'top-secret!' |
| 426 | |
| 427 | # For multiple regions uncomment this configuration, and add (endpoint, title). |
| 428 | #AVAILABLE_REGIONS = [ |
| 429 | # ('http://cluster1.example.com:5000/v2.0', 'cluster1'), |
| 430 | # ('http://cluster2.example.com:5000/v2.0', 'cluster2'), |
| 431 | #] |
| 432 | |
| 433 | OPENSTACK_KEYSTONE_URL = "{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}" |
| 434 | OPENSTACK_KEYSTONE_DEFAULT_ROLE = "member" |
| 435 | |
| 436 | # This setting specifies the name of the header that carries the remote IP address. If it is not present, |
| 437 | # then the REMOTE_ADDR header is used. The common value for this setting is HTTP_X_REAL_IP |
| 438 | # or HTTP_X_FORWARDED_FOR. Only trust such a header when the front proxy sets or overwrites it. |
| 439 | SECURE_PROXY_ADDR_HEADER = 'HTTP_X_FORWARDED_FOR' |
| 440 | |
| 441 | {{- if .Values.conf.horizon.local_settings.config.auth.sso.enabled }} |
| 442 | # Enables keystone web single-sign-on if set to True. |
| 443 | WEBSSO_ENABLED = True |
| 444 | |
| 445 | # Determines which authentication choice to show as default. |
| 446 | WEBSSO_INITIAL_CHOICE = "{{ .Values.conf.horizon.local_settings.config.auth.sso.initial_choice }}" |
| 447 | |
| 448 | # The list of authentication mechanisms |
| 449 | # which include keystone federation protocols. |
| 450 | # Current supported protocol IDs are 'saml2' and 'oidc' |
| 451 | # which represent SAML 2.0, OpenID Connect respectively. |
| 452 | # Do not remove the mandatory credentials mechanism. |
| 453 | WEBSSO_CHOICES = ( |
| 454 | ("credentials", _("Keystone Credentials")), |
| 455 | {{- range $i, $sso := .Values.conf.horizon.local_settings.config.auth.idp_mapping }} |
| 456 | ({{ $sso.name | quote }}, {{ $sso.label | quote }}), |
| 457 | {{- end }} |
| 458 | ) |
| 459 | |
| 460 | WEBSSO_IDP_MAPPING = { |
| 461 | {{- range $i, $sso := .Values.conf.horizon.local_settings.config.auth.idp_mapping }} |
| 462 | {{ $sso.name | quote}}: ({{ $sso.idp | quote }}, {{ $sso.protocol | quote }}), |
| 463 | {{- end }} |
| 464 | } |
| 465 | |
| 466 | {{- end }} |
| 467 | |
| 468 | # Disable SSL certificate checks (useful for self-signed certificates): |
| 469 | #OPENSTACK_SSL_NO_VERIFY = True |
| 470 | |
| 471 | {{- if .Values.manifests.certificates }} |
| 472 | # The CA certificate to use to verify SSL connections |
| 473 | OPENSTACK_SSL_CACERT = '/etc/openstack-dashboard/certs/ca.crt' |
| 474 | {{- end }} |
| 475 | |
| 476 | # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the |
| 477 | # capabilities of the auth backend for Keystone. |
| 478 | # If Keystone has been configured to use LDAP as the auth backend then set |
| 479 | # can_edit_user to False and name to 'ldap'. |
| 480 | # |
| 481 | # TODO(tres): Remove these once Keystone has an API to identify auth backend. |
| 482 | OPENSTACK_KEYSTONE_BACKEND = { |
| 483 | 'name': 'native', |
| 484 | 'can_edit_user': True, |
| 485 | 'can_edit_group': True, |
| 486 | 'can_edit_project': True, |
| 487 | 'can_edit_domain': True, |
| 488 | 'can_edit_role': True, |
| 489 | } |
| 490 | |
| 491 | # Setting this to True, will add a new "Retrieve Password" action on instance, |
| 492 | # allowing Admin session password retrieval/decryption. |
| 493 | OPENSTACK_ENABLE_PASSWORD_RETRIEVE = {{ .Values.conf.horizon.local_settings.config.openstack_enable_password_retrieve }} |
| 494 | # Controls whether the keystone openrc file is accessible from the user menu and the api access panel. |
| 495 | SHOW_OPENRC_FILE = {{ .Values.conf.horizon.local_settings.config.show_openrc_file }} |
| 496 | # The Launch Instance user experience has been significantly enhanced. |
| 497 | # You can choose whether to enable the new launch instance experience, |
| 498 | # the legacy experience, or both. The legacy experience will be removed |
| 499 | # in a future release, but is available as a temporary backup setting to ensure |
| 500 | # compatibility with existing deployments. Further development will not be |
| 501 | # done on the legacy experience. Please report any problems with the new |
| 502 | # experience via the StoryBoard tracking system. |
| 503 | # |
| 504 | # Toggle LAUNCH_INSTANCE_LEGACY_ENABLED and LAUNCH_INSTANCE_NG_ENABLED to |
| 505 | # determine the experience to enable. Set them both to true to enable |
| 506 | # both. |
| 507 | #LAUNCH_INSTANCE_LEGACY_ENABLED = True |
| 508 | #LAUNCH_INSTANCE_NG_ENABLED = False |
| 509 | |
| 510 | # The Xen Hypervisor has the ability to set the mount point for volumes |
| 511 | # attached to instances (other Hypervisors currently do not). Setting |
| 512 | # can_set_mount_point to True will add the option to set the mount point |
| 513 | # from the UI. |
| 514 | OPENSTACK_HYPERVISOR_FEATURES = { |
| 515 | 'can_set_mount_point': False, |
| 516 | 'can_set_password': False, |
| 517 | } |
| 518 | |
| 519 | # The OPENSTACK_CINDER_FEATURES settings can be used to enable optional |
| 520 | # services provided by cinder that are not exposed by its extension API. |
| 521 | OPENSTACK_CINDER_FEATURES = { |
| 522 | 'enable_backup': {{ .Values.conf.horizon.local_settings.config.openstack_cinder_features.enable_backup }}, |
| 523 | } |
| 524 | |
| 525 | # The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional |
| 526 | # services provided by neutron. Options currently available are load |
| 527 | # balancer service, security groups, quotas, VPN service. |
| 528 | OPENSTACK_NEUTRON_NETWORK = { |
| 529 | 'enable_router': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_router }}, |
| 530 | 'enable_quotas': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_quotas }}, |
| 531 | 'enable_ipv6': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_ipv6 }}, |
| 532 | 'enable_distributed_router': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_distributed_router }}, |
| 533 | 'enable_ha_router': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_ha_router }}, |
| 534 | 'enable_lb': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_lb }}, |
| 535 | 'enable_firewall': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_firewall }}, |
| 536 | 'enable_vpn': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_vpn }}, |
| 537 | 'enable_fip_topology_check': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_fip_topology_check }}, |
| 538 | |
| 539 | # The profile_support option is used to detect if an external router can be |
| 540 | # configured via the dashboard. When using specific plugins the |
| 541 | # profile_support can be turned on if needed. |
| 542 | 'profile_support': None, |
| 543 | #'profile_support': 'cisco', |
| 544 | |
| 545 | # Set which provider network types are supported. Only the network types |
| 546 | # in this list will be available to choose from when creating a network. |
| 547 | # Network types include local, flat, vlan, gre, and vxlan. |
| 548 | 'supported_provider_types': ['*'], |
| 549 | |
| 550 | # Set which VNIC types are supported for port binding. Only the VNIC |
| 551 | # types in this list will be available to choose from when creating a |
| 552 | # port. |
| 553 | # VNIC types include 'normal', 'macvtap' and 'direct'. |
| 554 | 'supported_vnic_types': ['*'] |
| 555 | } |
| 556 | |
| 557 | # The OPENSTACK_IMAGE_BACKEND settings can be used to customize features |
| 558 | # in the OpenStack Dashboard related to the Image service, such as the list |
| 559 | # of supported image formats. |
| 560 | #OPENSTACK_IMAGE_BACKEND = { |
| 561 | # 'image_formats': [ |
| 562 | # ('', _('Select format')), |
| 563 | # ('aki', _('AKI - Amazon Kernel Image')), |
| 564 | # ('ami', _('AMI - Amazon Machine Image')), |
| 565 | # ('ari', _('ARI - Amazon Ramdisk Image')), |
| 566 | # ('docker', _('Docker')), |
| 567 | # ('iso', _('ISO - Optical Disk Image')), |
| 568 | # ('ova', _('OVA - Open Virtual Appliance')), |
| 569 | # ('qcow2', _('QCOW2 - QEMU Emulator')), |
| 570 | # ('raw', _('Raw')), |
| 571 | # ('vdi', _('VDI - Virtual Disk Image')), |
| 572 | # ('vhd', ('VHD - Virtual Hard Disk')), |
| 573 | # ('vmdk', _('VMDK - Virtual Machine Disk')), |
| 574 | # ] |
| 575 | #} |
| 576 | |
| 577 | # The IMAGE_CUSTOM_PROPERTY_TITLES settings is used to customize the titles for |
| 578 | # image custom property attributes that appear on image detail pages. |
| 579 | IMAGE_CUSTOM_PROPERTY_TITLES = { |
| 580 | "architecture": _("Architecture"), |
| 581 | "kernel_id": _("Kernel ID"), |
| 582 | "ramdisk_id": _("Ramdisk ID"), |
| 583 | "image_state": _("Euca2ools state"), |
| 584 | "project_id": _("Project ID"), |
| 585 | "image_type": _("Image Type"), |
| 586 | } |
| 587 | |
| 588 | # The IMAGE_RESERVED_CUSTOM_PROPERTIES setting is used to specify which image |
| 589 | # custom properties should not be displayed in the Image Custom Properties |
| 590 | # table. |
| 591 | IMAGE_RESERVED_CUSTOM_PROPERTIES = [] |
| 592 | |
| 593 | # Set to 'legacy' or 'direct' to allow users to upload images to glance via |
| 594 | # Horizon server. When enabled, a file form field will appear on the create |
| 595 | # image form. If set to 'off', there will be no file form field on the create |
| 596 | # image form. See documentation for deployment considerations. |
| 597 | HORIZON_IMAGES_UPLOAD_MODE = '{{ .Values.conf.horizon.local_settings.config.horizon_images_upload_mode }}' |
| 598 | |
| 599 | # OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints |
| 600 | # in the Keystone service catalog. Use this setting when Horizon is running |
| 601 | # external to the OpenStack environment. The default is 'publicURL'. |
| 602 | OPENSTACK_ENDPOINT_TYPE = "{{ .Values.conf.horizon.local_settings.config.endpoint_type }}" |
| 603 | |
| 604 | # SECONDARY_ENDPOINT_TYPE specifies the fallback endpoint type to use in the |
| 605 | # case that OPENSTACK_ENDPOINT_TYPE is not present in the endpoints |
| 606 | # in the Keystone service catalog. Use this setting when Horizon is running |
| 607 | # external to the OpenStack environment. The default is None. This |
| 608 | # value should differ from OPENSTACK_ENDPOINT_TYPE if used. |
| 609 | SECONDARY_ENDPOINT_TYPE = "publicURL" |
| 610 | |
| 611 | # The number of objects (Swift containers/objects or images) to display |
| 612 | # on a single page before providing a paging element (a "more" link) |
| 613 | # to paginate results. |
| 614 | API_RESULT_LIMIT = 1000 |
| 615 | API_RESULT_PAGE_SIZE = 20 |
| 616 | |
| 617 | # The size of chunk in bytes for downloading objects from Swift |
| 618 | SWIFT_FILE_TRANSFER_CHUNK_SIZE = 512 * 1024 |
| 619 | |
| 620 | # Specify a maximum number of items to display in a dropdown. |
| 621 | DROPDOWN_MAX_ITEMS = 30 |
| 622 | |
| 623 | # The timezone of the server. This should correspond with the timezone |
| 624 | # of your entire OpenStack installation, and hopefully be in UTC. |
| 625 | TIME_ZONE = "UTC" |
| 626 | |
| 627 | # When launching an instance, the menu of available flavors is |
| 628 | # sorted by RAM usage, ascending. If you would like a different sort order, |
| 629 | # you can provide another flavor attribute as sorting key. Alternatively, you |
| 630 | # can provide a custom callback method to use for sorting. You can also provide |
| 631 | # a flag for reverse sort. For more info, see |
| 632 | # http://docs.python.org/2/library/functions.html#sorted |
| 633 | #CREATE_INSTANCE_FLAVOR_SORT = { |
| 634 | # 'key': 'name', |
| 635 | # # or |
| 636 | # 'key': my_awesome_callback_method, |
| 637 | # 'reverse': False, |
| 638 | #} |
| 639 | |
| 640 | # Set this to True to display an 'Admin Password' field on the Change Password |
| 641 | # form to verify that it is indeed the admin logged-in who wants to change |
| 642 | # the password. |
| 643 | ENFORCE_PASSWORD_CHECK = {{ .Values.conf.horizon.local_settings.config.enforce_password_check }} |
| 644 | |
| 645 | # Modules that provide /auth routes that can be used to handle different types |
| 646 | # of user authentication. Add auth plugins that require extra route handling to |
| 647 | # this list. |
| 648 | #AUTHENTICATION_URLS = [ |
| 649 | # 'openstack_auth.urls', |
| 650 | #] |
| 651 | |
| 652 | # The Horizon Policy Enforcement engine uses these values to load per service |
| 653 | # policy rule files. The content of these files should match the files the |
| 654 | # OpenStack services are using to determine role based access control in the |
| 655 | # target installation. |
| 656 | |
| 657 | # Path to directory containing policy.yaml files |
| 658 | POLICY_FILES_PATH = '/etc/openstack-dashboard' |
| 659 | # Map of local copy of service policy files |
| 660 | #POLICY_FILES = { |
| 661 | # 'identity': 'keystone_policy.yaml', |
| 662 | # 'compute': 'nova_policy.yaml', |
| 663 | # 'volume': 'cinder_policy.yaml', |
| 664 | # 'image': 'glance_policy.yaml', |
| 665 | # 'orchestration': 'heat_policy.yaml', |
| 666 | # 'network': 'neutron_policy.yaml', |
| 667 | # 'telemetry': 'ceilometer_policy.yaml', |
| 668 | #} |
| 669 | |
| 670 | # Trove user and database extension support. By default support for |
| 671 | # creating users and databases on database instances is turned on. |
| 672 | # To disable these extensions set the permission here to something |
| 673 | # unusable such as ["!"]. |
| 674 | # TROVE_ADD_USER_PERMS = [] |
| 675 | # TROVE_ADD_DATABASE_PERMS = [] |
| 676 | |
| 677 | # Change this path to the appropriate static directory containing |
| 678 | # two files: _variables.scss and _styles.scss |
| 679 | #CUSTOM_THEME_PATH = 'static/themes/default' |
| 680 | |
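# Logging configuration for the dashboard, in the dictConfig schema
# (version 1). The '{{ ... log_level }}' strings are Helm template
# expressions that are filled in from the chart values when the settings
# file is rendered.
# NOTE(review): DEBUG on the client-library loggers is very verbose and may
# put request details into the pod log; keep the chart value at INFO or
# higher outside of troubleshooting.
LOGGING = {
    'version': 1,
    # When set to True this will disable all logging except
    # for loggers specified in this configuration dictionary. Note that
    # if nothing is specified here and disable_existing_loggers is True,
    # django.db.backends will still log unless it is disabled explicitly.
    'disable_existing_loggers': False,
    'handlers': {
        # Sink for loggers that should stay silent.
        'null': {
            'level': 'DEBUG',
            'class': 'logging.NullHandler',
        },
        # Stream handler; records below INFO are dropped here regardless of
        # the per-logger level set below.
        'console': {
            # Set the level to "DEBUG" for verbose output logging.
            'level': 'INFO',
            'class': 'logging.StreamHandler',
        },
    },
    # Every logger sets 'propagate': False, so each record is handled once
    # by the handler named here and never reaches the root logger.
    'loggers': {
        # Logging from django.db.backends is VERY verbose, send to null
        # by default.
        'django.db.backends': {
            'handlers': ['null'],
            'propagate': False,
        },
        'requests': {
            'handlers': ['null'],
            'propagate': False,
        },
        'horizon': {
            'handlers': ['console'],
            'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
            'propagate': False,
        },
        'openstack_dashboard': {
            'handlers': ['console'],
            'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
            'propagate': False,
        },
        'novaclient': {
            'handlers': ['console'],
            'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
            'propagate': False,
        },
        'cinderclient': {
            'handlers': ['console'],
            'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
            'propagate': False,
        },
        # Listed once: a repeated key in a dict literal is silently
        # overwritten by the later entry.
        'glanceclient': {
            'handlers': ['console'],
            'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
            'propagate': False,
        },
        'neutronclient': {
            'handlers': ['console'],
            'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
            'propagate': False,
        },
        'heatclient': {
            'handlers': ['console'],
            'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
            'propagate': False,
        },
        'ceilometerclient': {
            'handlers': ['console'],
            'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
            'propagate': False,
        },
        'troveclient': {
            'handlers': ['console'],
            'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
            'propagate': False,
        },
        'swiftclient': {
            'handlers': ['console'],
            'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
            'propagate': False,
        },
        'openstack_auth': {
            'handlers': ['console'],
            'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
            'propagate': False,
        },
        'nose.plugins.manager': {
            'handlers': ['console'],
            'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
            'propagate': False,
        },
        'django': {
            'handlers': ['console'],
            'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
            'propagate': False,
        },
        'iso8601': {
            'handlers': ['null'],
            'propagate': False,
        },
        'scss': {
            'handlers': ['null'],
            'propagate': False,
        },
    }
}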
| 790 | |
| 791 | # 'direction' should not be specified for all_tcp/udp/icmp. |
| 792 | # It is specified in the form. |
| 793 | SECURITY_GROUP_RULES = { |
| 794 | 'all_tcp': { |
| 795 | 'name': _('All TCP'), |
| 796 | 'ip_protocol': 'tcp', |
| 797 | 'from_port': '1', |
| 798 | 'to_port': '65535', |
| 799 | }, |
| 800 | 'all_udp': { |
| 801 | 'name': _('All UDP'), |
| 802 | 'ip_protocol': 'udp', |
| 803 | 'from_port': '1', |
| 804 | 'to_port': '65535', |
| 805 | }, |
| 806 | 'all_icmp': { |
| 807 | 'name': _('All ICMP'), |
| 808 | 'ip_protocol': 'icmp', |
| 809 | 'from_port': '-1', |
| 810 | 'to_port': '-1', |
| 811 | }, |
| 812 | 'ssh': { |
| 813 | 'name': 'SSH', |
| 814 | 'ip_protocol': 'tcp', |
| 815 | 'from_port': '22', |
| 816 | 'to_port': '22', |
| 817 | }, |
| 818 | 'smtp': { |
| 819 | 'name': 'SMTP', |
| 820 | 'ip_protocol': 'tcp', |
| 821 | 'from_port': '25', |
| 822 | 'to_port': '25', |
| 823 | }, |
| 824 | 'dns': { |
| 825 | 'name': 'DNS', |
| 826 | 'ip_protocol': 'tcp', |
| 827 | 'from_port': '53', |
| 828 | 'to_port': '53', |
| 829 | }, |
| 830 | 'http': { |
| 831 | 'name': 'HTTP', |
| 832 | 'ip_protocol': 'tcp', |
| 833 | 'from_port': '80', |
| 834 | 'to_port': '80', |
| 835 | }, |
| 836 | 'pop3': { |
| 837 | 'name': 'POP3', |
| 838 | 'ip_protocol': 'tcp', |
| 839 | 'from_port': '110', |
| 840 | 'to_port': '110', |
| 841 | }, |
| 842 | 'imap': { |
| 843 | 'name': 'IMAP', |
| 844 | 'ip_protocol': 'tcp', |
| 845 | 'from_port': '143', |
| 846 | 'to_port': '143', |
| 847 | }, |
| 848 | 'ldap': { |
| 849 | 'name': 'LDAP', |
| 850 | 'ip_protocol': 'tcp', |
| 851 | 'from_port': '389', |
| 852 | 'to_port': '389', |
| 853 | }, |
| 854 | 'https': { |
| 855 | 'name': 'HTTPS', |
| 856 | 'ip_protocol': 'tcp', |
| 857 | 'from_port': '443', |
| 858 | 'to_port': '443', |
| 859 | }, |
| 860 | 'smtps': { |
| 861 | 'name': 'SMTPS', |
| 862 | 'ip_protocol': 'tcp', |
| 863 | 'from_port': '465', |
| 864 | 'to_port': '465', |
| 865 | }, |
| 866 | 'imaps': { |
| 867 | 'name': 'IMAPS', |
| 868 | 'ip_protocol': 'tcp', |
| 869 | 'from_port': '993', |
| 870 | 'to_port': '993', |
| 871 | }, |
| 872 | 'pop3s': { |
| 873 | 'name': 'POP3S', |
| 874 | 'ip_protocol': 'tcp', |
| 875 | 'from_port': '995', |
| 876 | 'to_port': '995', |
| 877 | }, |
| 878 | 'ms_sql': { |
| 879 | 'name': 'MS SQL', |
| 880 | 'ip_protocol': 'tcp', |
| 881 | 'from_port': '1433', |
| 882 | 'to_port': '1433', |
| 883 | }, |
| 884 | 'mysql': { |
| 885 | 'name': 'MYSQL', |
| 886 | 'ip_protocol': 'tcp', |
| 887 | 'from_port': '3306', |
| 888 | 'to_port': '3306', |
| 889 | }, |
| 890 | 'rdp': { |
| 891 | 'name': 'RDP', |
| 892 | 'ip_protocol': 'tcp', |
| 893 | 'from_port': '3389', |
| 894 | 'to_port': '3389', |
| 895 | }, |
| 896 | } |
| 897 | |
| 898 | # Deprecation Notice: |
| 899 | # |
| 900 | # The setting FLAVOR_EXTRA_KEYS has been deprecated. |
| 901 | # Please load extra spec metadata into the Glance Metadata Definition Catalog. |
| 902 | # |
| 903 | # The sample quota definitions can be found in: |
| 904 | # <glance_source>/etc/metadefs/compute-quota.json |
| 905 | # |
| 906 | # The metadata definition catalog supports CLI and API: |
| 907 | # $glance --os-image-api-version 2 help md-namespace-import |
| 908 | # $glance-manage db_load_metadefs <directory_with_definition_files> |
| 909 | # |
| 910 | # See Metadata Definitions on: https://docs.openstack.org/glance/latest/ |
| 911 | |
| 912 | # Indicate to the Sahara data processing service whether or not |
| 913 | # automatic floating IP allocation is in effect. If it is not |
| 914 | # in effect, the user will be prompted to choose a floating IP |
| 915 | # pool for use in their cluster. False by default. You would want |
| 916 | # to set this to True if you were running Nova Networking with |
| 917 | # auto_assign_floating_ip = True. |
| 918 | #SAHARA_AUTO_IP_ALLOCATION_ENABLED = False |
| 919 | |
| 920 | # The hash algorithm to use for authentication tokens. This must |
| 921 | # match the hash algorithm that the identity server and the |
| 922 | # auth_token middleware are using. Allowed values are the algorithms |
| 923 | # supported by Python's hashlib library. MD5 is not collision-resistant; prefer a stronger algorithm where both sides support it. |
| 924 | #OPENSTACK_TOKEN_HASH_ALGORITHM = 'md5' |
| 925 | |
| 926 | # AngularJS requires some settings to be made available to |
| 927 | # the client side. Some settings are required by in-tree / built-in horizon |
| 928 | # features. These settings must be added to REST_API_REQUIRED_SETTINGS in the |
| 929 | # form of ['SETTING_1','SETTING_2'], etc. |
| 930 | # |
| 931 | # You may remove settings from this list for security purposes, but do so at |
| 932 | # the risk of breaking a built-in horizon feature. These settings are required |
| 933 | # for horizon to function properly. Only remove them if you know what you |
| 934 | # are doing. These settings may in the future be moved to be defined within |
| 935 | # the enabled panel configuration. |
| 936 | # You should not add settings to this list for out of tree extensions. |
| 937 | # See: https://wiki.openstack.org/wiki/Horizon/RESTAPI |
| 938 | REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES', |
| 939 | 'LAUNCH_INSTANCE_DEFAULTS', |
| 940 | 'OPENSTACK_IMAGE_FORMATS'] |
| 941 | |
| 942 | # Additional settings can be made available to the client side for |
| 943 | # extensibility by specifying them in REST_API_ADDITIONAL_SETTINGS |
| 944 | # !! Please use extreme caution as the settings are transferred via HTTP/S |
| 945 | # and are not encrypted on the browser. This is an experimental API and |
| 946 | # may be deprecated in the future without notice. |
| 947 | #REST_API_ADDITIONAL_SETTINGS = [] |
| 948 | |
| 949 | # DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded |
| 950 | # within an iframe. Legacy browsers are still vulnerable to a Cross-Frame |
| 951 | # Scripting (XFS) vulnerability, so this option allows extra security hardening |
| 952 | # where iframes are not used in deployment. Default setting is True. |
| 953 | # For more information see: |
| 954 | # http://tinyurl.com/anticlickjack |
| 955 | DISALLOW_IFRAME_EMBED = {{ .Values.conf.horizon.local_settings.config.disallow_iframe_embed }} |
| 956 | |
| 957 | STATIC_ROOT = '/var/www/html/horizon' |
| 958 | |
| 959 | {{- range $option, $value := .Values.conf.horizon.local_settings.config.raw }} |
| 960 | {{ $option }} = {{ toJson $value }} |
| 961 | {{- end }} |
| 962 | policy: |
| 963 | ceilometer: |
| 964 | context_is_admin: 'role:admin' |
| 965 | context_is_owner: 'user_id:%(target.user_id)s' |
| 966 | context_is_project: 'project_id:%(target.project_id)s' |
| 967 | segregation: 'rule:context_is_admin' |
| 968 | heat: |
| 969 | 'actions:action': 'rule:deny_stack_user' |
| 970 | 'build_info:build_info': 'rule:deny_stack_user' |
| 971 | 'cloudformation:CancelUpdateStack': 'rule:deny_stack_user' |
| 972 | 'cloudformation:CreateStack': 'rule:deny_stack_user' |
| 973 | 'cloudformation:DeleteStack': 'rule:deny_stack_user' |
| 974 | 'cloudformation:DescribeStackEvents': 'rule:deny_stack_user' |
| 975 | 'cloudformation:DescribeStackResource': '' |
| 976 | 'cloudformation:DescribeStackResources': 'rule:deny_stack_user' |
| 977 | 'cloudformation:DescribeStacks': 'rule:deny_stack_user' |
| 978 | 'cloudformation:EstimateTemplateCost': 'rule:deny_stack_user' |
| 979 | 'cloudformation:GetTemplate': 'rule:deny_stack_user' |
| 980 | 'cloudformation:ListStackResources': 'rule:deny_stack_user' |
| 981 | 'cloudformation:ListStacks': 'rule:deny_stack_user' |
| 982 | 'cloudformation:UpdateStack': 'rule:deny_stack_user' |
| 983 | 'cloudformation:ValidateTemplate': 'rule:deny_stack_user' |
| 984 | 'cloudwatch:DeleteAlarms': 'rule:deny_stack_user' |
| 985 | 'cloudwatch:DescribeAlarmHistory': 'rule:deny_stack_user' |
| 986 | 'cloudwatch:DescribeAlarms': 'rule:deny_stack_user' |
| 987 | 'cloudwatch:DescribeAlarmsForMetric': 'rule:deny_stack_user' |
| 988 | 'cloudwatch:DisableAlarmActions': 'rule:deny_stack_user' |
| 989 | 'cloudwatch:EnableAlarmActions': 'rule:deny_stack_user' |
| 990 | 'cloudwatch:GetMetricStatistics': 'rule:deny_stack_user' |
| 991 | 'cloudwatch:ListMetrics': 'rule:deny_stack_user' |
| 992 | 'cloudwatch:PutMetricAlarm': 'rule:deny_stack_user' |
| 993 | 'cloudwatch:PutMetricData': '' |
| 994 | 'cloudwatch:SetAlarmState': 'rule:deny_stack_user' |
| 995 | context_is_admin: 'role:admin' |
| 996 | deny_everybody: '!' |
| 997 | deny_stack_user: 'not role:heat_stack_user' |
| 998 | 'events:index': 'rule:deny_stack_user' |
| 999 | 'events:show': 'rule:deny_stack_user' |
| 1000 | 'resource:index': 'rule:deny_stack_user' |
| 1001 | 'resource:mark_unhealthy': 'rule:deny_stack_user' |
| 1002 | 'resource:metadata': '' |
| 1003 | 'resource:show': 'rule:deny_stack_user' |
| 1004 | 'resource:signal': '' |
| 1005 | 'resource_types:OS::Cinder::EncryptedVolumeType': 'rule:context_is_admin' |
| 1006 | 'resource_types:OS::Cinder::VolumeType': 'rule:context_is_admin' |
| 1007 | 'resource_types:OS::Manila::ShareType': 'rule:context_is_admin' |
| 1008 | 'resource_types:OS::Neutron::QoSBandwidthLimitRule': 'rule:context_is_admin' |
| 1009 | 'resource_types:OS::Neutron::QoSPolicy': 'rule:context_is_admin' |
| 1010 | 'resource_types:OS::Nova::Flavor': 'rule:context_is_admin' |
| 1011 | 'resource_types:OS::Nova::HostAggregate': 'rule:context_is_admin' |
| 1012 | 'service:index': 'rule:context_is_admin' |
| 1013 | 'software_configs:create': 'rule:deny_stack_user' |
| 1014 | 'software_configs:delete': 'rule:deny_stack_user' |
| 1015 | 'software_configs:global_index': 'rule:deny_everybody' |
| 1016 | 'software_configs:index': 'rule:deny_stack_user' |
| 1017 | 'software_configs:show': 'rule:deny_stack_user' |
| 1018 | 'software_deployments:create': 'rule:deny_stack_user' |
| 1019 | 'software_deployments:delete': 'rule:deny_stack_user' |
| 1020 | 'software_deployments:index': 'rule:deny_stack_user' |
| 1021 | 'software_deployments:metadata': '' |
| 1022 | 'software_deployments:show': 'rule:deny_stack_user' |
| 1023 | 'software_deployments:update': 'rule:deny_stack_user' |
| 1024 | 'stacks:abandon': 'rule:deny_stack_user' |
| 1025 | 'stacks:create': 'rule:deny_stack_user' |
| 1026 | 'stacks:delete': 'rule:deny_stack_user' |
| 1027 | 'stacks:delete_snapshot': 'rule:deny_stack_user' |
| 1028 | 'stacks:detail': 'rule:deny_stack_user' |
| 1029 | 'stacks:environment': 'rule:deny_stack_user' |
| 1030 | 'stacks:export': 'rule:deny_stack_user' |
| 1031 | 'stacks:generate_template': 'rule:deny_stack_user' |
| 1032 | 'stacks:global_index': 'rule:deny_everybody' |
| 1033 | 'stacks:index': 'rule:deny_stack_user' |
| 1034 | 'stacks:list_outputs': 'rule:deny_stack_user' |
| 1035 | 'stacks:list_resource_types': 'rule:deny_stack_user' |
| 1036 | 'stacks:list_snapshots': 'rule:deny_stack_user' |
| 1037 | 'stacks:list_template_functions': 'rule:deny_stack_user' |
| 1038 | 'stacks:list_template_versions': 'rule:deny_stack_user' |
| 1039 | 'stacks:lookup': '' |
| 1040 | 'stacks:preview': 'rule:deny_stack_user' |
| 1041 | 'stacks:preview_update': 'rule:deny_stack_user' |
| 1042 | 'stacks:preview_update_patch': 'rule:deny_stack_user' |
| 1043 | 'stacks:resource_schema': 'rule:deny_stack_user' |
| 1044 | 'stacks:restore_snapshot': 'rule:deny_stack_user' |
| 1045 | 'stacks:show': 'rule:deny_stack_user' |
| 1046 | 'stacks:show_output': 'rule:deny_stack_user' |
| 1047 | 'stacks:show_snapshot': 'rule:deny_stack_user' |
| 1048 | 'stacks:snapshot': 'rule:deny_stack_user' |
| 1049 | 'stacks:template': 'rule:deny_stack_user' |
| 1050 | 'stacks:update': 'rule:deny_stack_user' |
| 1051 | 'stacks:update_patch': 'rule:deny_stack_user' |
| 1052 | 'stacks:validate_template': 'rule:deny_stack_user' |
| 1053 | # list of panels to enable for horizon |
| 1054 | # this requires that the panels are already installed in the horizon image, if they are not |
| 1055 | # nothing will be added |
| 1056 | # the name of the panel should be the name of the dir where the panel is installed |
| 1057 | # for example heat_dashboard, cloudkittydashboard or neutron_taas_dashboard |
| 1058 | extra_panels: |
| 1059 | - heat_dashboard |
| 1060 | - neutron_taas_dashboard |
| 1061 | |
| 1062 | dependencies: |
| 1063 | dynamic: |
| 1064 | common: |
| 1065 | local_image_registry: |
| 1066 | jobs: |
| 1067 | - horizon-image-repo-sync |
| 1068 | services: |
| 1069 | - endpoint: node |
| 1070 | service: local_image_registry |
| 1071 | static: |
| 1072 | dashboard: |
| 1073 | jobs: |
| 1074 | - horizon-db-sync |
| 1075 | services: |
| 1076 | - endpoint: internal |
| 1077 | service: oslo_cache |
| 1078 | - endpoint: internal |
| 1079 | service: oslo_db |
| 1080 | - endpoint: internal |
| 1081 | service: identity |
| 1082 | db_drop: |
| 1083 | services: |
| 1084 | - endpoint: internal |
| 1085 | service: oslo_db |
| 1086 | db_init: |
| 1087 | services: |
| 1088 | - endpoint: internal |
| 1089 | service: oslo_db |
| 1090 | db_sync: |
| 1091 | jobs: |
| 1092 | - horizon-db-init |
| 1093 | services: |
| 1094 | - endpoint: internal |
| 1095 | service: oslo_db |
| 1096 | image_repo_sync: |
| 1097 | services: |
| 1098 | - endpoint: internal |
| 1099 | service: local_image_registry |
| 1100 | tests: |
| 1101 | services: |
| 1102 | - endpoint: internal |
| 1103 | service: dashboard |
| 1104 | |
| 1105 | pod: |
Dong Ma | 6be0a48 | 2025-02-10 13:14:30 +0000 | [diff] [blame] | 1106 | priorityClassName: |
| 1107 | horizon: null |
| 1108 | horizon_tests: null |
Dong Ma | 36b8922 | 2025-02-13 16:15:52 +0000 | [diff] [blame] | 1109 | db_init: null |
Dong Ma | 6be0a48 | 2025-02-10 13:14:30 +0000 | [diff] [blame] | 1110 | db_sync: null |
| 1111 | runtimeClassName: |
| 1112 | horizon: null |
| 1113 | horizon_tests: null |
Dong Ma | 36b8922 | 2025-02-13 16:15:52 +0000 | [diff] [blame] | 1114 | db_init: null |
Dong Ma | 6be0a48 | 2025-02-10 13:14:30 +0000 | [diff] [blame] | 1115 | db_sync: null |
# Security contexts per workload (horizon, db_sync, test), split into a
# pod-level and a per-container section.
# NOTE(review): presumably rendered into Kubernetes securityContext fields by
# the chart templates, which are not shown here - confirm.
security_context:
  horizon:
    pod:
      runAsUser: 42424
    container:
      horizon:
        # Root filesystem stays writable for this container.
        readOnlyRootFilesystem: false
        allowPrivilegeEscalation: false
        # UID 0: in Kubernetes a container-level runAsUser takes precedence
        # over the pod-level 42424 above, so this container runs as root.
        # NOTE(review): confirm whether the image needs root before
        # overriding this with an unprivileged UID.
        runAsUser: 0
  db_sync:
    pod:
      runAsUser: 42424
    container:
      horizon_db_sync:
        readOnlyRootFilesystem: false
        allowPrivilegeEscalation: false
        # Same pattern as the horizon container: UID 0 at container level
        # despite the pod-level 42424.
        runAsUser: 0
  test:
    pod:
      runAsUser: 42424
    container:
      # No container-level runAsUser here, so only the pod-level 42424
      # applies; this is also the only container with a read-only root
      # filesystem.
      horizon_test:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
| 1140 | affinity: |
| 1141 | anti: |
| 1142 | type: |
| 1143 | default: preferredDuringSchedulingIgnoredDuringExecution |
| 1144 | topologyKey: |
| 1145 | default: kubernetes.io/hostname |
| 1146 | weight: |
| 1147 | default: 10 |
| 1148 | tolerations: |
| 1149 | horizon: |
| 1150 | enabled: false |
| 1151 | tolerations: |
| 1152 | - key: node-role.kubernetes.io/master |
| 1153 | operator: Exists |
| 1154 | effect: NoSchedule |
okozachenko1203 | 77c6d67 | 2023-03-25 00:17:28 +1100 | [diff] [blame] | 1155 | - key: node-role.kubernetes.io/control-plane |
| 1156 | operator: Exists |
| 1157 | effect: NoSchedule |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 1158 | mounts: |
| 1159 | horizon_db_init: |
| 1160 | init_container: null |
| 1161 | horizon_db_init: |
| 1162 | volumeMounts: |
| 1163 | volumes: |
| 1164 | horizon_db_sync: |
| 1165 | init_container: null |
| 1166 | horizon_db_sync: |
| 1167 | volumeMounts: |
| 1168 | volumes: |
| 1169 | horizon: |
| 1170 | init_container: null |
| 1171 | horizon: |
| 1172 | volumeMounts: |
| 1173 | volumes: |
| 1174 | horizon_tests: |
| 1175 | init_container: null |
| 1176 | horizon_tests: |
| 1177 | volumeMounts: |
| 1178 | volumes: |
| 1179 | replicas: |
| 1180 | server: 1 |
| 1181 | lifecycle: |
| 1182 | upgrades: |
| 1183 | deployments: |
| 1184 | revision_history: 3 |
| 1185 | pod_replacement_strategy: RollingUpdate |
| 1186 | rolling_update: |
| 1187 | max_unavailable: 1 |
| 1188 | max_surge: 3 |
| 1189 | disruption_budget: |
| 1190 | horizon: |
| 1191 | min_available: 0 |
| 1192 | termination_grace_period: |
| 1193 | horizon: |
| 1194 | timeout: 30 |
| 1195 | resources: |
| 1196 | enabled: false |
| 1197 | server: |
| 1198 | requests: |
| 1199 | memory: "128Mi" |
| 1200 | cpu: "100m" |
| 1201 | limits: |
| 1202 | memory: "1024Mi" |
| 1203 | cpu: "2000m" |
| 1204 | jobs: |
| 1205 | db_init: |
| 1206 | requests: |
| 1207 | memory: "128Mi" |
| 1208 | cpu: "100m" |
| 1209 | limits: |
| 1210 | memory: "1024Mi" |
| 1211 | cpu: "2000m" |
| 1212 | db_sync: |
| 1213 | requests: |
| 1214 | memory: "128Mi" |
| 1215 | cpu: "100m" |
| 1216 | limits: |
| 1217 | memory: "1024Mi" |
| 1218 | cpu: "2000m" |
| 1219 | db_drop: |
| 1220 | requests: |
| 1221 | memory: "128Mi" |
| 1222 | cpu: "100m" |
| 1223 | limits: |
| 1224 | memory: "1024Mi" |
| 1225 | cpu: "2000m" |
| 1226 | image_repo_sync: |
| 1227 | requests: |
| 1228 | memory: "128Mi" |
| 1229 | cpu: "100m" |
| 1230 | limits: |
| 1231 | memory: "1024Mi" |
| 1232 | cpu: "2000m" |
| 1233 | tests: |
| 1234 | requests: |
| 1235 | memory: "128Mi" |
| 1236 | cpu: "100m" |
| 1237 | limits: |
| 1238 | memory: "1024Mi" |
| 1239 | cpu: "2000m" |
| 1240 | |
| 1241 | # Names of secrets used by bootstrap and environmental checks |
| 1242 | secrets: |
| 1243 | identity: |
| 1244 | admin: horizon-keystone-admin |
| 1245 | oslo_db: |
| 1246 | admin: horizon-db-admin |
| 1247 | horizon: horizon-db-user |
| 1248 | tls: |
| 1249 | dashboard: |
| 1250 | dashboard: |
| 1251 | public: horizon-tls-public |
| 1252 | internal: horizon-tls-web |
Mohammed Naser | bcdd25c | 2023-01-18 03:38:47 +0000 | [diff] [blame] | 1253 | oci_image_registry: |
| 1254 | horizon: horizon-oci-image-registry |
| 1255 | |
| 1256 | tls: |
| 1257 | identity: false |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 1258 | |
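| 1259 | # typically overridden by environmental values, but should include all |
| 1260 | # endpoints required by this chart. The `password: password` credentials |
| 1261 | # below are placeholders; set real values in the environment overrides. |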
| 1262 | endpoints: |
| 1263 | cluster_domain_suffix: cluster.local |
| 1264 | local_image_registry: |
| 1265 | name: docker-registry |
| 1266 | namespace: docker-registry |
| 1267 | hosts: |
| 1268 | default: localhost |
| 1269 | internal: docker-registry |
| 1270 | node: localhost |
| 1271 | host_fqdn_override: |
| 1272 | default: null |
| 1273 | port: |
| 1274 | registry: |
| 1275 | node: 5000 |
Mohammed Naser | bcdd25c | 2023-01-18 03:38:47 +0000 | [diff] [blame] | 1276 | oci_image_registry: |
| 1277 | name: oci-image-registry |
| 1278 | namespace: oci-image-registry |
| 1279 | auth: |
| 1280 | enabled: false |
| 1281 | horizon: |
| 1282 | username: horizon |
| 1283 | password: password |
| 1284 | hosts: |
| 1285 | default: localhost |
| 1286 | host_fqdn_override: |
| 1287 | default: null |
| 1288 | port: |
| 1289 | registry: |
| 1290 | default: null |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 1291 | identity: |
| 1292 | name: keystone |
| 1293 | auth: |
| 1294 | admin: |
| 1295 | region_name: RegionOne |
| 1296 | username: admin |
| 1297 | password: password |
| 1298 | project_name: admin |
| 1299 | user_domain_name: default |
| 1300 | project_domain_name: default |
| 1301 | hosts: |
| 1302 | default: keystone |
| 1303 | internal: keystone-api |
| 1304 | host_fqdn_override: |
| 1305 | default: null |
| 1306 | path: |
| 1307 | default: /v3 |
| 1308 | scheme: |
| 1309 | default: http |
| 1310 | port: |
| 1311 | api: |
| 1312 | default: 80 |
| 1313 | internal: 5000 |
| 1314 | oslo_cache: |
| 1315 | hosts: |
| 1316 | default: memcached |
| 1317 | host_fqdn_override: |
| 1318 | default: null |
| 1319 | port: |
| 1320 | memcache: |
| 1321 | default: 11211 |
| 1322 | dashboard: |
| 1323 | name: horizon |
| 1324 | hosts: |
| 1325 | default: horizon-int |
| 1326 | public: horizon |
| 1327 | host_fqdn_override: |
| 1328 | default: null |
| 1329 | # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public |
| 1330 | # endpoints using the following format: |
| 1331 | # public: |
| 1332 | # host: null |
| 1333 | # tls: |
| 1334 | # crt: null |
| 1335 | # key: null |
| 1336 | path: |
| 1337 | default: null |
| 1338 | scheme: |
| 1339 | default: http |
| 1340 | port: |
| 1341 | web: |
| 1342 | default: 80 |
| 1343 | oslo_db: |
| 1344 | auth: |
| 1345 | admin: |
| 1346 | username: root |
| 1347 | password: password |
| 1348 | secret: |
| 1349 | tls: |
| 1350 | internal: mariadb-tls-direct |
| 1351 | horizon: |
| 1352 | username: horizon |
| 1353 | password: password |
| 1354 | hosts: |
| 1355 | default: mariadb |
| 1356 | host_fqdn_override: |
| 1357 | default: null |
| 1358 | path: /horizon |
| 1359 | scheme: mysql+pymysql |
| 1360 | port: |
| 1361 | mysql: |
| 1362 | default: 3306 |
| 1363 | # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress |
| 1364 | # They are used to enable the Egress K8s network policy. |
| 1365 | kube_dns: |
| 1366 | namespace: kube-system |
| 1367 | name: kubernetes-dns |
| 1368 | hosts: |
| 1369 | default: kube-dns |
| 1370 | host_fqdn_override: |
| 1371 | default: null |
| 1372 | path: |
| 1373 | default: null |
| 1374 | scheme: http |
| 1375 | port: |
| 1376 | dns: |
| 1377 | default: 53 |
| 1378 | protocol: UDP |
| 1379 | ingress: |
| 1380 | namespace: null |
| 1381 | name: ingress |
| 1382 | hosts: |
| 1383 | default: ingress |
| 1384 | port: |
| 1385 | ingress: |
| 1386 | default: 80 |
| 1387 | |
# Ingress and egress rules for the horizon workload's network policy.
# Each `- {}` is an empty rule; in a Kubernetes NetworkPolicy an empty rule
# matches all traffic in that direction, so these defaults restrict nothing.
# manifests.network_policy is false in this file.
# NOTE(review): presumably no NetworkPolicy object is rendered until that
# flag is enabled - confirm against the chart templates, and replace these
# rules with explicit peers and ports when turning it on.
network_policy:
  horizon:
    ingress:
      - {}
    egress:
      - {}
| 1394 | |
| 1395 | # NOTE(helm_hook): helm_hook might break for helm2 binary. |
| 1396 | # set helm3_hook: false when using the helm2 binary. |
| 1397 | helm3_hook: true |
| 1398 | |
| 1399 | manifests: |
| 1400 | certificates: false |
| 1401 | configmap_bin: true |
| 1402 | configmap_etc: true |
| 1403 | configmap_logo: false |
| 1404 | deployment: true |
| 1405 | ingress_api: true |
| 1406 | job_db_init: true |
| 1407 | job_db_sync: true |
| 1408 | job_db_drop: false |
| 1409 | job_image_repo_sync: true |
| 1410 | pdb: true |
| 1411 | pod_helm_test: true |
| 1412 | network_policy: false |
| 1413 | secret_db: true |
| 1414 | secret_ingress_tls: true |
| 1415 | secret_keystone: true |
Mohammed Naser | bcdd25c | 2023-01-18 03:38:47 +0000 | [diff] [blame] | 1416 | secret_registry: true |
Mohammed Naser | f3f59a7 | 2023-01-15 21:02:04 -0500 | [diff] [blame] | 1417 | service_ingress: true |
| 1418 | service: true |
| 1419 | ... |