From 4f5a78351d094fea60bb5afb77f22035b035fba5 Mon Sep 17 00:00:00 2001 From: "Gupta, Sangeet (sg774j)" Date: Thu, 7 Feb 2019 11:06:14 -0600 Subject: [PATCH] Horizon: Expose additional security config params Expose additional Horizon security params in accordance with the OpenStack Security Guide [0] - ALLOWED_HOSTS - HORIZON_IMAGES_UPLOAD_MODE [0] https://docs.openstack.org/security-guide/dashboard/domains-dashboard-upgrades-basic-web-server-configuration.html Depends-On: https://review.opendev.org/#/c/635545 Change-Id: I071c8fbfc5ea9b41d3c35840e342d83349ae1613 --- horizon/templates/deployment.yaml | 5 +++++ horizon/values.yaml | 11 ++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/horizon/templates/deployment.yaml b/horizon/templates/deployment.yaml index 1da4553a88..fe8dd9e792 100644 --- a/horizon/templates/deployment.yaml +++ b/horizon/templates/deployment.yaml @@ -66,6 +66,11 @@ spec: command: - /tmp/horizon.sh - start + env: + - name: MY_POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP lifecycle: preStop: exec: diff --git a/horizon/values.yaml b/horizon/values.yaml index c47d4592c8..e3eeb9320c 100644 --- a/horizon/values.yaml +++ b/horizon/values.yaml @@ -194,6 +194,9 @@ conf: secure_proxy_ssl_header: false password_autocomplete: "off" disallow_iframe_embed: "False" + allowed_hosts: + - '*' + horizon_images_upload_mode: 'legacy' openstack_cinder_features: enable_backup: "True" openstack_neutron_network: @@ -249,7 +252,7 @@ conf: # with the list of host/domain names that the application can serve. # For more information see: # https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts - ALLOWED_HOSTS = ['*'] + ALLOWED_HOSTS = [{{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.conf.horizon.local_settings.config.allowed_hosts }},'%s' % (os.environ.get("MY_POD_IP"))] # Set SSL proxy settings: # For Django 1.4+ pass this header from the proxy after terminating the SSL, @@ -542,6 +545,12 @@ conf: # table. IMAGE_RESERVED_CUSTOM_PROPERTIES = [] + # Set to 'legacy' or 'direct' to allow users to upload images to glance via + # Horizon server. When enabled, a file form field will appear on the create + # image form. If set to 'off', there will be no file form field on the create + # image form. See documentation for deployment considerations. + HORIZON_IMAGES_UPLOAD_MODE = '{{ .Values.conf.horizon.local_settings.config.horizon_images_upload_mode }}' + # OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints # in the Keystone service catalog. Use this setting when Horizon is running # external to the OpenStack environment. The default is 'publicURL'.