# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default values for horizon.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
17
18---
# Container images used by the chart, keyed by the role each one plays.
images:
  tags:
    # Every reference below is a tag, not a digest, so the content pulled is
    # whatever the registry serves for that tag at pull time.
    db_init: 'docker.io/openstackhelm/heat:stein-ubuntu_bionic'
    horizon_db_sync: 'docker.io/openstackhelm/horizon:stein-ubuntu_bionic'
    db_drop: 'docker.io/openstackhelm/heat:stein-ubuntu_bionic'
    horizon: 'docker.io/openstackhelm/horizon:stein-ubuntu_bionic'
    # NOTE(review): "latest-" looks like a floating tag; a fixed tag or a
    # digest would make test runs reproducible and auditable.
    test: 'docker.io/openstackhelm/osh-selenium:latest-ubuntu_focal'
    dep_check: 'quay.io/airshipit/kubernetes-entrypoint:v1.0.0'
    image_repo_sync: 'docker.io/docker:17.07.0'
  # NOTE(review): presumably mapped to imagePullPolicy; with IfNotPresent a
  # node that already holds a tag keeps using its cached copy.
  pull_policy: 'IfNotPresent'
  local_registry:
    active: false
    exclude: [dep_check, image_repo_sync]
34
# Use the Selenium 4 syntax.
selenium_v4: true

# Left unset (null) by default.
release_group: null
39
# Node-selector key/value pairs, one pair per workload type. All three
# workload types default to the same openstack-control-plane=enabled label.
labels:
  dashboard:
    node_selector_key: 'openstack-control-plane'
    node_selector_value: 'enabled'
  job:
    node_selector_key: 'openstack-control-plane'
    node_selector_value: 'enabled'
  test:
    node_selector_key: 'openstack-control-plane'
    node_selector_value: 'enabled'
50
# How the dashboard is exposed outside the pod network.
network:
  dashboard:
    ingress:
      # NOTE(review): presumably true publishes the dashboard through the
      # public ingress; check who can reach that endpoint before keeping it.
      public: true
      classes:
        namespace: 'nginx'
        cluster: 'nginx-cluster'
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: '/'
  external_policy_local: false
  # NodePort exposure is disabled by default; the port value only matters
  # once enabled is set to true.
  node_port:
    enabled: false
    port: 31000
64
65conf:
66 software:
67 apache2:
68 binary: apache2
69 start_parameters: -DFOREGROUND
70 site_dir: /etc/apache2/sites-available
71 conf_dir: /etc/apache2/conf-available
72 mods_dir: /etc/apache2/mods-available
73 a2enmod:
74 - headers
75 - rewrite
76 a2dismod:
77 - status
78 horizon:
79 branding:
vexxhost-botde3a8f32024-05-20 11:57:20 +010080 # logo, logo_splash and favicon accepts base64 encoded string.
Mohammed Naserf3f59a72023-01-15 21:02:04 -050081 logo:
82 logo_splash:
83 favicon:
    # Apache site configuration, kept as a literal block. The {{ ... }}
    # expressions presumably resolve the dashboard's internal "web" port.
    # - Requests whose method is not POST, PUT, GET, DELETE or PATCH are
    #   refused by the RewriteCond/RewriteRule pair ([F] = forbidden).
    # - <Location "/"> grants access to every client, so access control is
    #   left to the application served through mod_wsgi.
    # - When X-Forwarded-For matches the dotted pattern, the "proxy" log
    #   format records that header in place of %h. The header arrives with
    #   the request, so the logged address is only as trustworthy as the
    #   proxy that sets or overwrites it.
    # - NOTE(review): python-path points at a python2.7 site-packages
    #   directory; confirm it matches the interpreter in the horizon image.
    apache: |
      <IfVersion < 2.4>
        Listen 0.0.0.0:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
      </IfVersion>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
      LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy

      SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
      CustomLog /dev/stdout combined env=!forwarded
      CustomLog /dev/stdout proxy env=forwarded

      <VirtualHost *:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
        WSGIScriptReloading On
        WSGIDaemonProcess horizon-http processes=5 threads=1 user=horizon group=horizon display-name=%{GROUP} python-path=/var/lib/kolla/venv/lib/python2.7/site-packages
        WSGIProcessGroup horizon-http
        WSGIScriptAlias / /var/www/cgi-bin/horizon/django.wsgi
        WSGIPassAuthorization On
        RewriteEngine on
        RewriteCond %{REQUEST_METHOD} !^(POST|PUT|GET|DELETE|PATCH)
        RewriteRule .* - [F]

        <Location "/">
          Require all granted
        </Location>

        Alias /static /var/www/html/horizon
        <Location "/static">
          SetHandler static
        </Location>

        <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        ErrorLog /dev/stdout
        TransferLog /dev/stdout

        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
        CustomLog /dev/stdout combined env=!forwarded
        CustomLog /dev/stdout proxy env=forwarded
      </Virtualhost>
124 security: |
125 #
126 # Disable access to the entire file system except for the directories that
127 # are explicitly allowed later.
128 #
129 # This currently breaks the configurations that come with some web application
130 # Debian packages.
131 #
132 #<Directory />
133 # AllowOverride None
134 # Require all denied
135 #</Directory>
136
137 # Changing the following options will not really affect the security of the
138 # server, but might make attacks slightly more difficult in some cases.
139
140 #
141 # ServerTokens
142 # This directive configures what you return as the Server HTTP response
143 # Header. The default is 'Full' which sends information about the OS-Type
144 # and compiled in modules.
145 # Set to one of: Full | OS | Minimal | Minor | Major | Prod
146 # where Full conveys the most information, and Prod the least.
147 ServerTokens Prod
148
149 #
150 # Optionally add a line containing the server version and virtual host
151 # name to server-generated pages (internal error documents, FTP directory
152 # listings, mod_status and mod_info output etc., but not CGI generated
153 # documents or custom error documents).
154 # Set to "EMail" to also include a mailto: link to the ServerAdmin.
155 # Set to one of: On | Off | EMail
156 ServerSignature Off
157
158 #
159 # Allow TRACE method
160 #
161 # Set to "extended" to also reflect the request body (only for testing and
162 # diagnostic purposes).
163 #
164 # Set to one of: On | Off | extended
165 TraceEnable Off
166
167 #
168 # Forbid access to version control directories
169 #
170 # If you use version control systems in your document root, you should
171 # probably deny access to their directories. For example, for subversion:
172 #
173 #<DirectoryMatch "/\.svn">
174 # Require all denied
175 #</DirectoryMatch>
176
177 #Security-Settings
178 # Setting this header will prevent MSIE from interpreting files as something
179 # else than declared by the content type in the HTTP headers.
180 # Requires mod_headers to be enabled.
181 #
182 Header set X-Content-Type-Options: "nosniff"
183 Header set X-Permitted-Cross-Domain-Policies: "none"
184 # Setting this header will prevent other sites from embedding pages from this
185 # site as frames. This defends against clickjacking attacks.
186 # Requires mod_headers to be enabled.
187 #
188 local_settings_d: {}
189 ## For example, _50_monasca_ui_settings.py
190 # _50_monasca_ui_settings: |
191 # from django.conf import settings
192 # # Grafana button titles/file names (global across all projects):
193 # GRAFANA_LINKS = []
194 # DASHBOARDS = getattr(settings, 'GRAFANA_LINKS', GRAFANA_LINKS)
195
196 local_settings:
197 config:
198 # Use "True" and "False" as Titlecase strings with quotes, boolean
199 # values will not work
200 horizon_secret_key: 9aee62c0-5253-4a86-b189-e0fb71fa503c
201 debug: "False"
202 use_ssl: "False"
203 endpoint_type: "internalURL"
204 keystone_multidomain_support: "True"
205 keystone_default_domain: Default
206 disable_password_reveal: "True"
207 show_openrc_file: "True"
208 csrf_cookie_secure: "False"
209 csrf_cookie_httponly: "False"
210 enforce_password_check: "True"
211 # Set enable_pwd_validator to true to enforce password validator settings.
212 enable_pwd_validator: false
213 pwd_validator_regex: '(?=.*[a-zA-Z])(?=.*\d).{8,}|(?=.*\d)(?=.*\W).{8,}|(?=.*\W)(?=.*[a-zA-Z]).{8,}'
214 pwd_validator_help_text: '_("Your password must be at least eight (8) characters in length and must include characters from at least two (2) of these groupings: alpha, numeric, and special characters.")'
215 session_cookie_secure: "False"
216 session_cookie_httponly: "False"
217 secure_proxy_ssl_header: false
218 password_autocomplete: "False"
219 disallow_iframe_embed: "False"
220 allowed_hosts:
221 - '*'
222 horizon_images_upload_mode: 'legacy'
223 openstack_cinder_features:
224 enable_backup: "True"
225 openstack_neutron_network:
226 enable_router: "True"
227 enable_quotas: "True"
228 enable_ipv6: "True"
229 enable_distributed_router: "False"
230 enable_ha_router: "False"
231 enable_lb: "True"
232 enable_firewall: "True"
233 enable_vpn: "True"
234 enable_fip_topology_check: "True"
235 openstack_enable_password_retrieve: "False"
236 auth:
237 sso:
238 enabled: False
239 initial_choice: "credentials"
240 idp_mapping:
241 - name: "acme_oidc"
242 label: "Acme Corporation - OpenID Connect"
243 idp: "myidp1"
244 protocol: "oidc"
245 - name: "acme_saml2"
246 label: "Acme Corporation - SAML2"
247 idp: "myidp2"
248 protocol: "saml2"
249 log_level: "DEBUG"
250 # Pass any settings to the end of local_settings.py
251 raw: {}
252 openstack_api_versions:
Mohammed Naserbcdd25c2023-01-18 03:38:47 +0000253 container_infra: "1.10"
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500254 template: |
255 import os
256
257 from django.utils.translation import ugettext_lazy as _
258
259 from openstack_dashboard import exceptions
260
261 DEBUG = {{ .Values.conf.horizon.local_settings.config.debug }}
262 TEMPLATE_DEBUG = DEBUG
263
264 COMPRESS_OFFLINE = True
265 COMPRESS_CSS_HASHING_METHOD = "hash"
266
267 # WEBROOT is the location relative to Webserver root
268 # should end with a slash.
269 WEBROOT = '/'
270 # LOGIN_URL = WEBROOT + 'auth/login/'
271 # LOGOUT_URL = WEBROOT + 'auth/logout/'
272 #
273 # LOGIN_REDIRECT_URL can be used as an alternative for
274 # HORIZON_CONFIG.user_home, if user_home is not set.
275 # Do not set it to '/home/', as this will cause circular redirect loop
276 # LOGIN_REDIRECT_URL = WEBROOT
277
278 # Required for Django 1.5.
279 # If horizon is running in production (DEBUG is False), set this
280 # with the list of host/domain names that the application can serve.
281 # For more information see:
282 # https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
283 ALLOWED_HOSTS = [{{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.conf.horizon.local_settings.config.allowed_hosts }},'%s' % (os.environ.get("MY_POD_IP"))]
284
285 # Set SSL proxy settings:
286 # For Django 1.4+ pass this header from the proxy after terminating the SSL,
287 # and don't forget to strip it from the client's request.
288 # For more information see:
289 # https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header
290 #SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
291 # https://docs.djangoproject.com/en/1.5/ref/settings/#secure-proxy-ssl-header
292 {{- if .Values.conf.horizon.local_settings.config.secure_proxy_ssl_header }}
293 SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
294 {{- end }}
295
296 # If Horizon is being served through SSL, then uncomment the following two
297 # settings to better secure the cookies from security exploits
298 USE_SSL = {{ .Values.conf.horizon.local_settings.config.use_ssl }}
299 CSRF_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}
300 CSRF_COOKIE_HTTPONLY = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_httponly }}
301 SESSION_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.session_cookie_secure }}
302
303 SESSION_COOKIE_HTTPONLY = {{ .Values.conf.horizon.local_settings.config.session_cookie_httponly }}
304
305 # Overrides for OpenStack API versions. Use this setting to force the
306 # OpenStack dashboard to use a specific API version for a given service API.
307 # Versions specified here should be integers or floats, not strings.
308 # NOTE: The version should be formatted as it appears in the URL for the
309 # service API. For example, The identity service APIs have inconsistent
310 # use of the decimal point, so valid options would be 2.0 or 3.
311 #OPENSTACK_API_VERSIONS = {
312 # "data-processing": 1.1,
313 # "identity": 3,
314 # "volume": 2,
315 #}
316
317 OPENSTACK_API_VERSIONS = {
318 "identity": 3,
Mohammed Naser1402ed02023-02-19 22:48:59 +0000319 "container-infra": "{{ .Values.conf.horizon.local_settings.config.openstack_api_versions.container_infra }}"
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500320 }
321
322 # Set this to True if running on multi-domain model. When this is enabled, it
323 # will require user to enter the Domain name in addition to username for login.
324 OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = {{ .Values.conf.horizon.local_settings.config.keystone_multidomain_support }}
325
326 # Overrides the default domain used when running on single-domain model
327 # with Keystone V3. All entities will be created in the default domain.
328 OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = '{{ .Values.conf.horizon.local_settings.config.keystone_default_domain }}'
329
330 # Set Console type:
331 # valid options are "AUTO"(default), "VNC", "SPICE", "RDP", "SERIAL" or None
332 # Set to None explicitly if you want to deactivate the console.
333 #CONSOLE_TYPE = "AUTO"
334
335 # Default OpenStack Dashboard configuration.
336 HORIZON_CONFIG = {
337 'user_home': 'openstack_dashboard.views.get_user_home',
338 'ajax_queue_limit': 10,
339 'auto_fade_alerts': {
340 'delay': 3000,
341 'fade_duration': 1500,
342 'types': ['alert-success', 'alert-info']
343 },
344 'help_url': "http://docs.openstack.org",
345 'exceptions': {'recoverable': exceptions.RECOVERABLE,
346 'not_found': exceptions.NOT_FOUND,
347 'unauthorized': exceptions.UNAUTHORIZED},
348 'modal_backdrop': 'static',
349 'angular_modules': [],
350 'js_files': [],
351 'js_spec_files': [],
352 }
353
354 {{- if .Values.conf.horizon.local_settings.config.enable_pwd_validator }}
355 # Specify a regular expression to validate user passwords.
356 HORIZON_CONFIG["password_validator"] = {
357 "regex": '{{ .Values.conf.horizon.local_settings.config.pwd_validator_regex }}',
358 "help_text": {{ .Values.conf.horizon.local_settings.config.pwd_validator_help_text }},
359 }
360 {{- end }}
361
362 # Disable simplified floating IP address management for deployments with
363 # multiple floating IP pools or complex network requirements.
364 #HORIZON_CONFIG["simple_ip_management"] = False
365
366 # Turn off browser autocompletion for forms including the login form and
367 # the database creation workflow if so desired.
368 HORIZON_CONFIG["password_autocomplete"] = '{{ .Values.conf.horizon.local_settings.config.password_autocomplete }}'
369
370 # Setting this to True will disable the reveal button for password fields,
371 # including on the login form.
372 HORIZON_CONFIG["disable_password_reveal"] = {{ .Values.conf.horizon.local_settings.config.disable_password_reveal }}
373
374 LOCAL_PATH = '/tmp'
375
376 # Set custom secret key:
377 # You can either set it to a specific value or you can let horizon generate a
378 # default secret key that is unique on this machine, e.i. regardless of the
379 # amount of Python WSGI workers (if used behind Apache+mod_wsgi): However,
380 # there may be situations where you would want to set this explicitly, e.g.
381 # when multiple dashboard instances are distributed on different machines
382 # (usually behind a load-balancer). Either you have to make sure that a session
383 # gets all requests routed to the same dashboard instance or you set the same
384 # SECRET_KEY for all of them.
385 SECRET_KEY='{{ .Values.conf.horizon.local_settings.config.horizon_secret_key }}'
386
387 CACHES = {
388 'default': {
389 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
390 'LOCATION': '{{ tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}',
391 }
392 }
393 DATABASES = {
394 'default': {
395 # Database configuration here
396 'ENGINE': 'django.db.backends.mysql',
397 'NAME': '{{ .Values.endpoints.oslo_db.path | base }}',
398 'USER': '{{ .Values.endpoints.oslo_db.auth.horizon.username }}',
399 'PASSWORD': '{{ .Values.endpoints.oslo_db.auth.horizon.password }}',
400 'HOST': '{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}',
401 'default-character-set': 'utf8',
402 {{- if .Values.manifests.certificates }}
403 'OPTIONS':{
404 'ssl': {
405 'ca': '/etc/mysql/certs/ca.crt',
406 'cert': '/etc/mysql/certs/tls.crt',
407 'key': '/etc/mysql/certs/tls.key'
408 }
409 },
410 {{- end }}
411 'PORT': '{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}'
412 }
413 }
414 SESSION_ENGINE = 'django.contrib.sessions.backends.cached_db'
415
416 # Send email to the console by default
417 EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
418 # Or send them to /dev/null
419 #EMAIL_BACKEND = 'django.core.mail.backends.dummy.EmailBackend'
420
421 # Configure these for your outgoing email host
422 #EMAIL_HOST = 'smtp.my-company.com'
423 #EMAIL_PORT = 25\\
424 #EMAIL_HOST_USER = 'djangomail'
425 #EMAIL_HOST_PASSWORD = 'top-secret!'
426
427 # For multiple regions uncomment this configuration, and add (endpoint, title).
428 #AVAILABLE_REGIONS = [
429 # ('http://cluster1.example.com:5000/v2.0', 'cluster1'),
430 # ('http://cluster2.example.com:5000/v2.0', 'cluster2'),
431 #]
432
433 OPENSTACK_KEYSTONE_URL = "{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}"
434 OPENSTACK_KEYSTONE_DEFAULT_ROLE = "member"
435
436 # This setting specifies the name of the header with remote IP address. If not present,
437 # then REMOTE_ADDR header is used. The commom value for this setting is HTTP_X_REAL_IP
438 # or HTTP_X_FORWARDED_FORx
439 SECURE_PROXY_ADDR_HEADER = 'HTTP_X_FORWARDED_FOR'
440
441 {{- if .Values.conf.horizon.local_settings.config.auth.sso.enabled }}
442 # Enables keystone web single-sign-on if set to True.
443 WEBSSO_ENABLED = True
444
445 # Determines which authentication choice to show as default.
446 WEBSSO_INITIAL_CHOICE = "{{ .Values.conf.horizon.local_settings.config.auth.sso.initial_choice }}"
447
448 # The list of authentication mechanisms
449 # which include keystone federation protocols.
450 # Current supported protocol IDs are 'saml2' and 'oidc'
451 # which represent SAML 2.0, OpenID Connect respectively.
452 # Do not remove the mandatory credentials mechanism.
453 WEBSSO_CHOICES = (
454 ("credentials", _("Keystone Credentials")),
455 {{- range $i, $sso := .Values.conf.horizon.local_settings.config.auth.idp_mapping }}
456 ({{ $sso.name | quote }}, {{ $sso.label | quote }}),
457 {{- end }}
458 )
459
460 WEBSSO_IDP_MAPPING = {
461 {{- range $i, $sso := .Values.conf.horizon.local_settings.config.auth.idp_mapping }}
462 {{ $sso.name | quote}}: ({{ $sso.idp | quote }}, {{ $sso.protocol | quote }}),
463 {{- end }}
464 }
465
466 {{- end }}
467
468 # Disable SSL certificate checks (useful for self-signed certificates):
469 #OPENSTACK_SSL_NO_VERIFY = True
470
471 {{- if .Values.manifests.certificates }}
472 # The CA certificate to use to verify SSL connections
473 OPENSTACK_SSL_CACERT = '/etc/openstack-dashboard/certs/ca.crt'
474 {{- end }}
475
476 # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
477 # capabilities of the auth backend for Keystone.
478 # If Keystone has been configured to use LDAP as the auth backend then set
479 # can_edit_user to False and name to 'ldap'.
480 #
481 # TODO(tres): Remove these once Keystone has an API to identify auth backend.
482 OPENSTACK_KEYSTONE_BACKEND = {
483 'name': 'native',
484 'can_edit_user': True,
485 'can_edit_group': True,
486 'can_edit_project': True,
487 'can_edit_domain': True,
488 'can_edit_role': True,
489 }
490
491 # Setting this to True, will add a new "Retrieve Password" action on instance,
492 # allowing Admin session password retrieval/decryption.
493 OPENSTACK_ENABLE_PASSWORD_RETRIEVE = {{ .Values.conf.horizon.local_settings.config.openstack_enable_password_retrieve }}
494 # Controls whether the keystone openrc file is accessible from the user menu and the api access panel.
495 SHOW_OPENRC_FILE = {{ .Values.conf.horizon.local_settings.config.show_openrc_file }}
496 # The Launch Instance user experience has been significantly enhanced.
497 # You can choose whether to enable the new launch instance experience,
498 # the legacy experience, or both. The legacy experience will be removed
499 # in a future release, but is available as a temporary backup setting to ensure
500 # compatibility with existing deployments. Further development will not be
501 # done on the legacy experience. Please report any problems with the new
502 # experience via the StoryBoard tracking system.
503 #
504 # Toggle LAUNCH_INSTANCE_LEGACY_ENABLED and LAUNCH_INSTANCE_NG_ENABLED to
505 # determine the experience to enable. Set them both to true to enable
506 # both.
507 #LAUNCH_INSTANCE_LEGACY_ENABLED = True
508 #LAUNCH_INSTANCE_NG_ENABLED = False
509
510 # The Xen Hypervisor has the ability to set the mount point for volumes
511 # attached to instances (other Hypervisors currently do not). Setting
512 # can_set_mount_point to True will add the option to set the mount point
513 # from the UI.
514 OPENSTACK_HYPERVISOR_FEATURES = {
515 'can_set_mount_point': False,
516 'can_set_password': False,
517 }
518
519 # The OPENSTACK_CINDER_FEATURES settings can be used to enable optional
520 # services provided by cinder that is not exposed by its extension API.
521 OPENSTACK_CINDER_FEATURES = {
522 'enable_backup': {{ .Values.conf.horizon.local_settings.config.openstack_cinder_features.enable_backup }},
523 }
524
525 # The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional
526 # services provided by neutron. Options currently available are load
527 # balancer service, security groups, quotas, VPN service.
528 OPENSTACK_NEUTRON_NETWORK = {
529 'enable_router': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_router }},
530 'enable_quotas': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_quotas }},
531 'enable_ipv6': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_ipv6 }},
532 'enable_distributed_router': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_distributed_router }},
533 'enable_ha_router': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_ha_router }},
534 'enable_lb': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_lb }},
535 'enable_firewall': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_firewall }},
536 'enable_vpn': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_vpn }},
537 'enable_fip_topology_check': {{ .Values.conf.horizon.local_settings.config.openstack_neutron_network.enable_fip_topology_check }},
538
539 # The profile_support option is used to detect if an external router can be
540 # configured via the dashboard. When using specific plugins the
541 # profile_support can be turned on if needed.
542 'profile_support': None,
543 #'profile_support': 'cisco',
544
545 # Set which provider network types are supported. Only the network types
546 # in this list will be available to choose from when creating a network.
547 # Network types include local, flat, vlan, gre, and vxlan.
548 'supported_provider_types': ['*'],
549
550 # Set which VNIC types are supported for port binding. Only the VNIC
551 # types in this list will be available to choose from when creating a
552 # port.
553 # VNIC types include 'normal', 'macvtap' and 'direct'.
554 'supported_vnic_types': ['*']
555 }
556
557 # The OPENSTACK_IMAGE_BACKEND settings can be used to customize features
558 # in the OpenStack Dashboard related to the Image service, such as the list
559 # of supported image formats.
560 #OPENSTACK_IMAGE_BACKEND = {
561 # 'image_formats': [
562 # ('', _('Select format')),
563 # ('aki', _('AKI - Amazon Kernel Image')),
564 # ('ami', _('AMI - Amazon Machine Image')),
565 # ('ari', _('ARI - Amazon Ramdisk Image')),
566 # ('docker', _('Docker')),
567 # ('iso', _('ISO - Optical Disk Image')),
568 # ('ova', _('OVA - Open Virtual Appliance')),
569 # ('qcow2', _('QCOW2 - QEMU Emulator')),
570 # ('raw', _('Raw')),
571 # ('vdi', _('VDI - Virtual Disk Image')),
572 # ('vhd', ('VHD - Virtual Hard Disk')),
573 # ('vmdk', _('VMDK - Virtual Machine Disk')),
574 # ]
575 #}
576
577 # The IMAGE_CUSTOM_PROPERTY_TITLES settings is used to customize the titles for
578 # image custom property attributes that appear on image detail pages.
579 IMAGE_CUSTOM_PROPERTY_TITLES = {
580 "architecture": _("Architecture"),
581 "kernel_id": _("Kernel ID"),
582 "ramdisk_id": _("Ramdisk ID"),
583 "image_state": _("Euca2ools state"),
584 "project_id": _("Project ID"),
585 "image_type": _("Image Type"),
586 }
587
588 # The IMAGE_RESERVED_CUSTOM_PROPERTIES setting is used to specify which image
589 # custom properties should not be displayed in the Image Custom Properties
590 # table.
591 IMAGE_RESERVED_CUSTOM_PROPERTIES = []
592
593 # Set to 'legacy' or 'direct' to allow users to upload images to glance via
594 # Horizon server. When enabled, a file form field will appear on the create
595 # image form. If set to 'off', there will be no file form field on the create
596 # image form. See documentation for deployment considerations.
597 HORIZON_IMAGES_UPLOAD_MODE = '{{ .Values.conf.horizon.local_settings.config.horizon_images_upload_mode }}'
598
599 # OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints
600 # in the Keystone service catalog. Use this setting when Horizon is running
601 # external to the OpenStack environment. The default is 'publicURL'.
602 OPENSTACK_ENDPOINT_TYPE = "{{ .Values.conf.horizon.local_settings.config.endpoint_type }}"
603
604 # SECONDARY_ENDPOINT_TYPE specifies the fallback endpoint type to use in the
605 # case that OPENSTACK_ENDPOINT_TYPE is not present in the endpoints
606 # in the Keystone service catalog. Use this setting when Horizon is running
607 # external to the OpenStack environment. The default is None. This
608 # value should differ from OPENSTACK_ENDPOINT_TYPE if used.
609 SECONDARY_ENDPOINT_TYPE = "publicURL"
610
611 # The number of objects (Swift containers/objects or images) to display
612 # on a single page before providing a paging element (a "more" link)
613 # to paginate results.
614 API_RESULT_LIMIT = 1000
615 API_RESULT_PAGE_SIZE = 20
616
617 # The size of chunk in bytes for downloading objects from Swift
618 SWIFT_FILE_TRANSFER_CHUNK_SIZE = 512 * 1024
619
620 # Specify a maximum number of items to display in a dropdown.
621 DROPDOWN_MAX_ITEMS = 30
622
623 # The timezone of the server. This should correspond with the timezone
624 # of your entire OpenStack installation, and hopefully be in UTC.
625 TIME_ZONE = "UTC"
626
627 # When launching an instance, the menu of available flavors is
628 # sorted by RAM usage, ascending. If you would like a different sort order,
629 # you can provide another flavor attribute as sorting key. Alternatively, you
630 # can provide a custom callback method to use for sorting. You can also provide
631 # a flag for reverse sort. For more info, see
632 # http://docs.python.org/2/library/functions.html#sorted
633 #CREATE_INSTANCE_FLAVOR_SORT = {
634 # 'key': 'name',
635 # # or
636 # 'key': my_awesome_callback_method,
637 # 'reverse': False,
638 #}
639
640 # Set this to True to display an 'Admin Password' field on the Change Password
641 # form to verify that it is indeed the admin logged-in who wants to change
642 # the password.
643 ENFORCE_PASSWORD_CHECK = {{ .Values.conf.horizon.local_settings.config.enforce_password_check }}
644
645 # Modules that provide /auth routes that can be used to handle different types
646 # of user authentication. Add auth plugins that require extra route handling to
647 # this list.
648 #AUTHENTICATION_URLS = [
649 # 'openstack_auth.urls',
650 #]
651
652 # The Horizon Policy Enforcement engine uses these values to load per service
653 # policy rule files. The content of these files should match the files the
654 # OpenStack services are using to determine role based access control in the
655 # target installation.
656
657 # Path to directory containing policy.yaml files
658 POLICY_FILES_PATH = '/etc/openstack-dashboard'
659 # Map of local copy of service policy files
660 #POLICY_FILES = {
661 # 'identity': 'keystone_policy.yaml',
662 # 'compute': 'nova_policy.yaml',
663 # 'volume': 'cinder_policy.yaml',
664 # 'image': 'glance_policy.yaml',
665 # 'orchestration': 'heat_policy.yaml',
666 # 'network': 'neutron_policy.yaml',
667 # 'telemetry': 'ceilometer_policy.yaml',
668 #}
669
670 # Trove user and database extension support. By default support for
671 # creating users and databases on database instances is turned on.
672 # To disable these extensions set the permission here to something
673 # unusable such as ["!"].
674 # TROVE_ADD_USER_PERMS = []
675 # TROVE_ADD_DATABASE_PERMS = []
676
677 # Change this patch to the appropriate static directory containing
678 # two files: _variables.scss and _styles.scss
679 #CUSTOM_THEME_PATH = 'static/themes/default'
680
681 LOGGING = {
682 'version': 1,
683 # When set to True this will disable all logging except
684 # for loggers specified in this configuration dictionary. Note that
685 # if nothing is specified here and disable_existing_loggers is True,
686 # django.db.backends will still log unless it is disabled explicitly.
687 'disable_existing_loggers': False,
688 'handlers': {
689 'null': {
690 'level': 'DEBUG',
691 'class': 'logging.NullHandler',
692 },
693 'console': {
694 # Set the level to "DEBUG" for verbose output logging.
695 'level': 'INFO',
696 'class': 'logging.StreamHandler',
697 },
698 },
699 'loggers': {
700 # Logging from django.db.backends is VERY verbose, send to null
701 # by default.
702 'django.db.backends': {
703 'handlers': ['null'],
704 'propagate': False,
705 },
706 'requests': {
707 'handlers': ['null'],
708 'propagate': False,
709 },
710 'horizon': {
711 'handlers': ['console'],
712 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
713 'propagate': False,
714 },
715 'openstack_dashboard': {
716 'handlers': ['console'],
717 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
718 'propagate': False,
719 },
720 'novaclient': {
721 'handlers': ['console'],
722 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
723 'propagate': False,
724 },
725 'cinderclient': {
726 'handlers': ['console'],
727 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
728 'propagate': False,
729 },
730 'glanceclient': {
731 'handlers': ['console'],
732 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
733 'propagate': False,
734 },
735 'glanceclient': {
736 'handlers': ['console'],
737 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
738 'propagate': False,
739 },
740 'neutronclient': {
741 'handlers': ['console'],
742 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
743 'propagate': False,
744 },
745 'heatclient': {
746 'handlers': ['console'],
747 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
748 'propagate': False,
749 },
750 'ceilometerclient': {
751 'handlers': ['console'],
752 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
753 'propagate': False,
754 },
755 'troveclient': {
756 'handlers': ['console'],
757 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
758 'propagate': False,
759 },
760 'swiftclient': {
761 'handlers': ['console'],
762 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
763 'propagate': False,
764 },
765 'openstack_auth': {
766 'handlers': ['console'],
767 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
768 'propagate': False,
769 },
770 'nose.plugins.manager': {
771 'handlers': ['console'],
772 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
773 'propagate': False,
774 },
775 'django': {
776 'handlers': ['console'],
777 'level': '{{ .Values.conf.horizon.local_settings.config.log_level }}',
778 'propagate': False,
779 },
780 'iso8601': {
781 'handlers': ['null'],
782 'propagate': False,
783 },
784 'scss': {
785 'handlers': ['null'],
786 'propagate': False,
787 },
788 }
789 }
790
791 # 'direction' should not be specified for all_tcp/udp/icmp.
792 # It is specified in the form.
793 SECURITY_GROUP_RULES = {
794 'all_tcp': {
795 'name': _('All TCP'),
796 'ip_protocol': 'tcp',
797 'from_port': '1',
798 'to_port': '65535',
799 },
800 'all_udp': {
801 'name': _('All UDP'),
802 'ip_protocol': 'udp',
803 'from_port': '1',
804 'to_port': '65535',
805 },
806 'all_icmp': {
807 'name': _('All ICMP'),
808 'ip_protocol': 'icmp',
809 'from_port': '-1',
810 'to_port': '-1',
811 },
812 'ssh': {
813 'name': 'SSH',
814 'ip_protocol': 'tcp',
815 'from_port': '22',
816 'to_port': '22',
817 },
818 'smtp': {
819 'name': 'SMTP',
820 'ip_protocol': 'tcp',
821 'from_port': '25',
822 'to_port': '25',
823 },
824 'dns': {
825 'name': 'DNS',
826 'ip_protocol': 'tcp',
827 'from_port': '53',
828 'to_port': '53',
829 },
830 'http': {
831 'name': 'HTTP',
832 'ip_protocol': 'tcp',
833 'from_port': '80',
834 'to_port': '80',
835 },
836 'pop3': {
837 'name': 'POP3',
838 'ip_protocol': 'tcp',
839 'from_port': '110',
840 'to_port': '110',
841 },
842 'imap': {
843 'name': 'IMAP',
844 'ip_protocol': 'tcp',
845 'from_port': '143',
846 'to_port': '143',
847 },
848 'ldap': {
849 'name': 'LDAP',
850 'ip_protocol': 'tcp',
851 'from_port': '389',
852 'to_port': '389',
853 },
854 'https': {
855 'name': 'HTTPS',
856 'ip_protocol': 'tcp',
857 'from_port': '443',
858 'to_port': '443',
859 },
860 'smtps': {
861 'name': 'SMTPS',
862 'ip_protocol': 'tcp',
863 'from_port': '465',
864 'to_port': '465',
865 },
866 'imaps': {
867 'name': 'IMAPS',
868 'ip_protocol': 'tcp',
869 'from_port': '993',
870 'to_port': '993',
871 },
872 'pop3s': {
873 'name': 'POP3S',
874 'ip_protocol': 'tcp',
875 'from_port': '995',
876 'to_port': '995',
877 },
878 'ms_sql': {
879 'name': 'MS SQL',
880 'ip_protocol': 'tcp',
881 'from_port': '1433',
882 'to_port': '1433',
883 },
884 'mysql': {
885 'name': 'MYSQL',
886 'ip_protocol': 'tcp',
887 'from_port': '3306',
888 'to_port': '3306',
889 },
890 'rdp': {
891 'name': 'RDP',
892 'ip_protocol': 'tcp',
893 'from_port': '3389',
894 'to_port': '3389',
895 },
896 }
897
898 # Deprecation Notice:
899 #
900 # The setting FLAVOR_EXTRA_KEYS has been deprecated.
901 # Please load extra spec metadata into the Glance Metadata Definition Catalog.
902 #
903 # The sample quota definitions can be found in:
904 # <glance_source>/etc/metadefs/compute-quota.json
905 #
906 # The metadata definition catalog supports CLI and API:
907 # $glance --os-image-api-version 2 help md-namespace-import
908 # $glance-manage db_load_metadefs <directory_with_definition_files>
909 #
910 # See Metadata Definitions on: https://docs.openstack.org/glance/latest/
911
912 # Indicate to the Sahara data processing service whether or not
913 # automatic floating IP allocation is in effect. If it is not
914 # in effect, the user will be prompted to choose a floating IP
915 # pool for use in their cluster. False by default. You would want
916 # to set this to True if you were running Nova Networking with
917 # auto_assign_floating_ip = True.
918 #SAHARA_AUTO_IP_ALLOCATION_ENABLED = False
919
920 # The hash algorithm to use for authentication tokens. This must
921 # match the hash algorithm that the identity server and the
922 # auth_token middleware are using. Allowed values are the
923 # algorithms supported by Python's hashlib library.
924 #OPENSTACK_TOKEN_HASH_ALGORITHM = 'md5'
925
926 # AngularJS requires some settings to be made available to
927 # the client side. Some settings are required by in-tree / built-in horizon
928 # features. These settings must be added to REST_API_REQUIRED_SETTINGS in the
929 # form of ['SETTING_1','SETTING_2'], etc.
930 #
931 # You may remove settings from this list for security purposes, but do so at
932 # the risk of breaking a built-in horizon feature. These settings are required
933 # for horizon to function properly. Only remove them if you know what you
934 # are doing. These settings may in the future be moved to be defined within
935 # the enabled panel configuration.
936 # You should not add settings to this list for out of tree extensions.
937 # See: https://wiki.openstack.org/wiki/Horizon/RESTAPI
938 REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES',
939 'LAUNCH_INSTANCE_DEFAULTS',
940 'OPENSTACK_IMAGE_FORMATS']
941
942 # Additional settings can be made available to the client side for
943 # extensibility by specifying them in REST_API_ADDITIONAL_SETTINGS
944 # !! Please use extreme caution as the settings are transferred via HTTP/S
945 # and are not encrypted on the browser. This is an experimental API and
946 # may be deprecated in the future without notice.
947 #REST_API_ADDITIONAL_SETTINGS = []
948
949 # DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded
950 # within an iframe. Legacy browsers are still vulnerable to a Cross-Frame
951 # Scripting (XFS) vulnerability, so this option allows extra security hardening
952 # where iframes are not used in deployment. Default setting is True.
953 # For more information see:
954 # http://tinyurl.com/anticlickjack
955 DISALLOW_IFRAME_EMBED = {{ .Values.conf.horizon.local_settings.config.disallow_iframe_embed }}
956
957 STATIC_ROOT = '/var/www/html/horizon'
958
959 {{- range $option, $value := .Values.conf.horizon.local_settings.config.raw }}
960 {{ $option }} = {{ toJson $value }}
961 {{- end }}
962 policy:
963 ceilometer:
964 context_is_admin: 'role:admin'
965 context_is_owner: 'user_id:%(target.user_id)s'
966 context_is_project: 'project_id:%(target.project_id)s'
967 segregation: 'rule:context_is_admin'
968 heat:
969 'actions:action': 'rule:deny_stack_user'
970 'build_info:build_info': 'rule:deny_stack_user'
971 'cloudformation:CancelUpdateStack': 'rule:deny_stack_user'
972 'cloudformation:CreateStack': 'rule:deny_stack_user'
973 'cloudformation:DeleteStack': 'rule:deny_stack_user'
974 'cloudformation:DescribeStackEvents': 'rule:deny_stack_user'
975 'cloudformation:DescribeStackResource': ''
976 'cloudformation:DescribeStackResources': 'rule:deny_stack_user'
977 'cloudformation:DescribeStacks': 'rule:deny_stack_user'
978 'cloudformation:EstimateTemplateCost': 'rule:deny_stack_user'
979 'cloudformation:GetTemplate': 'rule:deny_stack_user'
980 'cloudformation:ListStackResources': 'rule:deny_stack_user'
981 'cloudformation:ListStacks': 'rule:deny_stack_user'
982 'cloudformation:UpdateStack': 'rule:deny_stack_user'
983 'cloudformation:ValidateTemplate': 'rule:deny_stack_user'
984 'cloudwatch:DeleteAlarms': 'rule:deny_stack_user'
985 'cloudwatch:DescribeAlarmHistory': 'rule:deny_stack_user'
986 'cloudwatch:DescribeAlarms': 'rule:deny_stack_user'
987 'cloudwatch:DescribeAlarmsForMetric': 'rule:deny_stack_user'
988 'cloudwatch:DisableAlarmActions': 'rule:deny_stack_user'
989 'cloudwatch:EnableAlarmActions': 'rule:deny_stack_user'
990 'cloudwatch:GetMetricStatistics': 'rule:deny_stack_user'
991 'cloudwatch:ListMetrics': 'rule:deny_stack_user'
992 'cloudwatch:PutMetricAlarm': 'rule:deny_stack_user'
993 'cloudwatch:PutMetricData': ''
994 'cloudwatch:SetAlarmState': 'rule:deny_stack_user'
995 context_is_admin: 'role:admin'
996 deny_everybody: '!'
997 deny_stack_user: 'not role:heat_stack_user'
998 'events:index': 'rule:deny_stack_user'
999 'events:show': 'rule:deny_stack_user'
1000 'resource:index': 'rule:deny_stack_user'
1001 'resource:mark_unhealthy': 'rule:deny_stack_user'
1002 'resource:metadata': ''
1003 'resource:show': 'rule:deny_stack_user'
1004 'resource:signal': ''
1005 'resource_types:OS::Cinder::EncryptedVolumeType': 'rule:context_is_admin'
1006 'resource_types:OS::Cinder::VolumeType': 'rule:context_is_admin'
1007 'resource_types:OS::Manila::ShareType': 'rule:context_is_admin'
1008 'resource_types:OS::Neutron::QoSBandwidthLimitRule': 'rule:context_is_admin'
1009 'resource_types:OS::Neutron::QoSPolicy': 'rule:context_is_admin'
1010 'resource_types:OS::Nova::Flavor': 'rule:context_is_admin'
1011 'resource_types:OS::Nova::HostAggregate': 'rule:context_is_admin'
1012 'service:index': 'rule:context_is_admin'
1013 'software_configs:create': 'rule:deny_stack_user'
1014 'software_configs:delete': 'rule:deny_stack_user'
1015 'software_configs:global_index': 'rule:deny_everybody'
1016 'software_configs:index': 'rule:deny_stack_user'
1017 'software_configs:show': 'rule:deny_stack_user'
1018 'software_deployments:create': 'rule:deny_stack_user'
1019 'software_deployments:delete': 'rule:deny_stack_user'
1020 'software_deployments:index': 'rule:deny_stack_user'
1021 'software_deployments:metadata': ''
1022 'software_deployments:show': 'rule:deny_stack_user'
1023 'software_deployments:update': 'rule:deny_stack_user'
1024 'stacks:abandon': 'rule:deny_stack_user'
1025 'stacks:create': 'rule:deny_stack_user'
1026 'stacks:delete': 'rule:deny_stack_user'
1027 'stacks:delete_snapshot': 'rule:deny_stack_user'
1028 'stacks:detail': 'rule:deny_stack_user'
1029 'stacks:environment': 'rule:deny_stack_user'
1030 'stacks:export': 'rule:deny_stack_user'
1031 'stacks:generate_template': 'rule:deny_stack_user'
1032 'stacks:global_index': 'rule:deny_everybody'
1033 'stacks:index': 'rule:deny_stack_user'
1034 'stacks:list_outputs': 'rule:deny_stack_user'
1035 'stacks:list_resource_types': 'rule:deny_stack_user'
1036 'stacks:list_snapshots': 'rule:deny_stack_user'
1037 'stacks:list_template_functions': 'rule:deny_stack_user'
1038 'stacks:list_template_versions': 'rule:deny_stack_user'
1039 'stacks:lookup': ''
1040 'stacks:preview': 'rule:deny_stack_user'
1041 'stacks:preview_update': 'rule:deny_stack_user'
1042 'stacks:preview_update_patch': 'rule:deny_stack_user'
1043 'stacks:resource_schema': 'rule:deny_stack_user'
1044 'stacks:restore_snapshot': 'rule:deny_stack_user'
1045 'stacks:show': 'rule:deny_stack_user'
1046 'stacks:show_output': 'rule:deny_stack_user'
1047 'stacks:show_snapshot': 'rule:deny_stack_user'
1048 'stacks:snapshot': 'rule:deny_stack_user'
1049 'stacks:template': 'rule:deny_stack_user'
1050 'stacks:update': 'rule:deny_stack_user'
1051 'stacks:update_patch': 'rule:deny_stack_user'
1052 'stacks:validate_template': 'rule:deny_stack_user'
1053 # list of panels to enable for horizon
1054 # this requires that the panels are already installed in the horizon image, if they are not
1055 # nothing will be added
1056 # the name of the panel should be the name of the dir where the panel is installed
1057 # for example heat_dashboard, cloudkittydashboard or neutron_taas_dashboard
1058 extra_panels:
1059 - heat_dashboard
1060 - neutron_taas_dashboard
1061
# Prerequisites per component: the jobs and service endpoints each one names
# before it starts.
# NOTE(review): how these are enforced is not visible in this file; presumably
# by the dep_check image under images.tags. Confirm against the templates.
dependencies:
  dynamic:
    common:
      # NOTE(review): looks like this only applies when the local image
      # registry is in use (images.local_registry.active); verify.
      local_image_registry:
        jobs:
          - horizon-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
  static:
    # the dashboard names the db-sync job plus cache, database and identity
    dashboard:
      jobs:
        - horizon-db-sync
      services:
        - endpoint: internal
          service: oslo_cache
        - endpoint: internal
          service: oslo_db
        - endpoint: internal
          service: identity
    db_drop:
      services:
        - endpoint: internal
          service: oslo_db
    db_init:
      services:
        - endpoint: internal
          service: oslo_db
    # db_sync names the db-init job as a prerequisite
    db_sync:
      jobs:
        - horizon-db-init
      services:
        - endpoint: internal
          service: oslo_db
    image_repo_sync:
      services:
        - endpoint: internal
          service: local_image_registry
    tests:
      services:
        - endpoint: internal
          service: dashboard
1104
# Pod-level settings for the horizon deployment, its jobs and the test pod.
pod:
  security_context:
    # NOTE(review): assuming the chart renders these maps into the pod and
    # container securityContext (templates not shown here), the container-level
    # runAsUser: 0 takes precedence over the pod-level 42424, so the horizon
    # and horizon_db_sync containers run as root with a writable root
    # filesystem. Override to a non-root UID and a read-only root filesystem
    # only after confirming the image supports it.
    horizon:
      pod:
        runAsUser: 42424
      container:
        horizon:
          readOnlyRootFilesystem: false
          allowPrivilegeEscalation: false
          runAsUser: 0
    db_sync:
      pod:
        runAsUser: 42424
      container:
        horizon_db_sync:
          readOnlyRootFilesystem: false
          allowPrivilegeEscalation: false
          runAsUser: 0
    # the test container sets no runAsUser of its own and uses a read-only
    # root filesystem
    test:
      pod:
        runAsUser: 42424
      container:
        horizon_test:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
  affinity:
    anti:
      # "preferred" anti-affinity is a scheduling hint, not a hard requirement
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
      weight:
        default: 10
  tolerations:
    horizon:
      # disabled by default; the list below tolerates the master and
      # control-plane NoSchedule taints
      enabled: false
      tolerations:
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
  # Extra init containers, volumeMounts and volumes per workload.
  # The bare "volumeMounts:" and "volumes:" keys parse as null.
  # NOTE(review): anything added here is mounted into the workload; keep
  # hostPath or secret volumes out unless they are really needed.
  mounts:
    horizon_db_init:
      init_container: null
      horizon_db_init:
        volumeMounts:
        volumes:
    horizon_db_sync:
      init_container: null
      horizon_db_sync:
        volumeMounts:
        volumes:
    horizon:
      init_container: null
      horizon:
        volumeMounts:
        volumes:
    horizon_tests:
      init_container: null
      horizon_tests:
        volumeMounts:
        volumes:
  replicas:
    server: 1
  lifecycle:
    upgrades:
      deployments:
        revision_history: 3
        pod_replacement_strategy: RollingUpdate
        rolling_update:
          max_unavailable: 1
          max_surge: 3
    disruption_budget:
      horizon:
        min_available: 0
    termination_grace_period:
      horizon:
        timeout: 30
  resources:
    # NOTE(review): with enabled: false the requests and limits below are
    # presumably not applied, leaving the pods without resource limits;
    # confirm against the templates before relying on them.
    enabled: false
    server:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    jobs:
      db_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      db_drop:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      image_repo_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      tests:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
1230
# Names of secrets used by bootstrap and environmental checks.
# These are names only, not credentials; the default credential values in this
# file sit under endpoints.*.auth.
secrets:
  identity:
    admin: horizon-keystone-admin
  oslo_db:
    admin: horizon-db-admin
    horizon: horizon-db-user
  tls:
    dashboard:
      dashboard:
        public: horizon-tls-public
        internal: horizon-tls-web
  oci_image_registry:
    horizon: horizon-oci-image-registry
1245
# NOTE(review): with identity: false here and endpoints.identity.scheme.default
# set to http, the defaults appear to have Horizon reach Keystone without TLS.
# Confirm against the templates, and enable TLS wherever that traffic can be
# observed by other tenants or hosts.
tls:
  identity: false
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
#
# Every "password: password" below is a chart default. Override each one per
# deployment from a values source kept out of version control; a credential
# left at the default is guessable.
endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  oci_image_registry:
    name: oci-image-registry
    namespace: oci-image-registry
    auth:
      # registry authentication is off by default
      enabled: false
      horizon:
        username: horizon
        # default credential; override before enabling auth
        password: password
    hosts:
      default: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        default: null
  identity:
    name: keystone
    auth:
      admin:
        region_name: RegionOne
        username: admin
        # default Keystone admin credential; must be overridden
        password: password
        project_name: admin
        user_domain_name: default
        project_domain_name: default
    hosts:
      default: keystone
      internal: keystone-api
    host_fqdn_override:
      default: null
    path:
      default: /v3
    # plain http by default; see also the top-level tls.identity flag
    scheme:
      default: http
    port:
      api:
        default: 80
        internal: 5000
  oslo_cache:
    hosts:
      default: memcached
    host_fqdn_override:
      default: null
    port:
      memcache:
        default: 11211
  dashboard:
    name: horizon
    hosts:
      default: horizon-int
      public: horizon
    host_fqdn_override:
      default: null
      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
      # endpoints using the following format:
      # public:
      #   host: null
      #   tls:
      #     crt: null
      #     key: null
    path:
      default: null
    # plain http by default
    scheme:
      default: http
    port:
      web:
        default: 80
  oslo_db:
    auth:
      admin:
        username: root
        # default database root credential; must be overridden
        password: password
        secret:
          tls:
            internal: mariadb-tls-direct
      horizon:
        username: horizon
        # default database user credential; must be overridden
        password: password
    hosts:
      default: mariadb
    host_fqdn_override:
      default: null
    path: /horizon
    scheme: mysql+pymysql
    port:
      mysql:
        default: 3306
  # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
  # They are used to enable the Egress K8s network policy.
  kube_dns:
    namespace: kube-system
    name: kubernetes-dns
    hosts:
      default: kube-dns
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: http
    port:
      dns:
        default: 53
        protocol: UDP
  ingress:
    namespace: null
    name: ingress
    hosts:
      default: ingress
    port:
      ingress:
        default: 80
1377
# NOTE(review): in a Kubernetes NetworkPolicy a rule list holding a single
# empty rule ({}) matches all traffic. Assuming these lists are rendered
# verbatim into the policy (template not shown here), turning on
# manifests.network_policy with these defaults still allows all ingress and
# egress. Replace them with explicit peers and ports when enabling the policy.
network_policy:
  horizon:
    ingress:
      - {}
    egress:
      - {}
1384
# NOTE(helm_hook): helm_hook might break for the helm2 binary.
# Set helm3_hook: false when using the helm2 binary.
helm3_hook: true
1388
# Per-manifest on/off switches.
# NOTE(review): presumably each flag gates rendering of the matching template;
# the templates are not shown here.
manifests:
  certificates: false
  configmap_bin: true
  configmap_etc: true
  configmap_logo: false
  deployment: true
  ingress_api: true
  job_db_init: true
  job_db_sync: true
  # off by default
  job_db_drop: false
  job_image_repo_sync: true
  pdb: true
  pod_helm_test: true
  # off by default; see the top-level network_policy block for the rules that
  # would be used
  network_policy: false
  secret_db: true
  secret_ingress_tls: true
  secret_keystone: true
  secret_registry: true
  service_ingress: true
  service: true
1409...