Horizon: Expose additional security config params

Expose additional Horizon security params in accordance with the
OpenStack Security Guide [0]

- ALLOWED_HOSTS
- HORIZON_IMAGES_UPLOAD_MODE

[0] https://docs.openstack.org/security-guide/dashboard/domains-dashboard-upgrades-basic-web-server-configuration.html

Depends-On: https://review.opendev.org/#/c/635545

Change-Id: I071c8fbfc5ea9b41d3c35840e342d83349ae1613
Gupta, Sangeet (sg774j) 2019-02-07 11:06:14 -06:00 committed by sg774j
parent dadf9946e0
commit 4f5a78351d
2 changed files with 15 additions and 1 deletions


@ -66,6 +66,11 @@ spec:
command:
- /tmp/horizon.sh
- start
env:
- name: MY_POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
lifecycle:
preStop:
exec:
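Review bot: The new `MY_POD_IP` entry under `env:` carries no comment saying what consumes it, and nothing in this file reads it. Its only visible consumer is the ALLOWED_HOSTS line in the local_settings template in the other file, so a later cleanup could drop it and silently change host validation. A comment above the entry would tie the two together, for example `# Consumed by local_settings: the pod IP is appended to Django's ALLOWED_HOSTS`. The container spec starts and ends outside this hunk.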


@ -194,6 +194,9 @@ conf:
secure_proxy_ssl_header: false
password_autocomplete: "off"
disallow_iframe_embed: "False"
allowed_hosts:
- '*'
horizon_images_upload_mode: 'legacy'
openstack_cinder_features:
enable_backup: "True"
openstack_neutron_network:
@ -249,7 +252,7 @@ conf:
# with the list of host/domain names that the application can serve.
# For more information see:
# https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
ALLOWED_HOSTS = ['*']
ALLOWED_HOSTS = [{{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.conf.horizon.local_settings.config.allowed_hosts }},'%s' % (os.environ.get("MY_POD_IP"))]
# Set SSL proxy settings:
# For Django 1.4+ pass this header from the proxy after terminating the SSL,
@ -542,6 +545,12 @@ conf:
# table.
IMAGE_RESERVED_CUSTOM_PROPERTIES = []
# Set to 'legacy' or 'direct' to allow users to upload images to glance via
# Horizon server. When enabled, a file form field will appear on the create
# image form. If set to 'off', there will be no file form field on the create
# image form. See documentation for deployment considerations.
HORIZON_IMAGES_UPLOAD_MODE = '{{ .Values.conf.horizon.local_settings.config.horizon_images_upload_mode }}'
# OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints
# in the Keystone service catalog. Use this setting when Horizon is running
# external to the OpenStack environment. The default is 'publicURL'.
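Review bot: The rewritten ALLOWED_HOSTS line in the local_settings template is fragile, and with the shipped default it changes nothing. `allowed_hosts` still defaults to `'*'`, so Django's Host header validation stays off and the appended pod IP is redundant until an operator overrides the value. If an operator sets an empty list, the join helper presumably renders nothing and the line becomes `[,'...']`, which is a Python syntax error; if MY_POD_IP is unset, the literal string 'None' is added as a host. A form such as `ALLOWED_HOSTS = [{{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.conf.horizon.local_settings.config.allowed_hosts }}] + [ip for ip in (os.environ.get("MY_POD_IP"),) if ip]` avoids both cases. I would also add a comment beside `allowed_hosts` in the values, e.g. `# '*' disables Host header validation; replace with the FQDNs the dashboard is served on`.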