--- network: dashboard: ingress: annotations: nginx.ingress.kubernetes.io/backend-protocol: "https" conf: software: apache2: a2enmod: - headers - rewrite - ssl horizon: apache: | Listen 0.0.0.0:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded CustomLog /dev/stdout combined env=!forwarded CustomLog /dev/stdout proxy env=forwarded ServerName horizon-int.openstack.svc.cluster.local RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L] ServerName horizon-int.openstack.svc.cluster.local WSGIScriptReloading On WSGIDaemonProcess horizon-http processes=5 threads=1 user=horizon group=horizon display-name=%{GROUP} python-path=/var/lib/kolla/venv/lib/python2.7/site-packages WSGIProcessGroup horizon-http WSGIScriptAlias / /var/www/cgi-bin/horizon/django.wsgi WSGIPassAuthorization On RewriteEngine On RewriteCond %{REQUEST_METHOD} !^(POST|PUT|GET|DELETE|PATCH) RewriteRule .* - [F] Require all granted Alias /static /var/www/html/horizon SetHandler static = 2.4> ErrorLogFormat "%{cu}t %M" ErrorLog /dev/stdout TransferLog /dev/stdout SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded CustomLog /dev/stdout combined env=!forwarded CustomLog /dev/stdout proxy env=forwarded ErrorLog /dev/stdout SSLEngine on SSLCertificateFile /etc/openstack-dashboard/certs/tls.crt SSLCertificateKeyFile /etc/openstack-dashboard/certs/tls.key SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 SSLHonorCipherOrder on local_settings: config: use_ssl: "True" csrf_cookie_secure: "True" enforce_password_check: "True" session_cookie_secure: "True" session_cookie_httponly: "True" endpoints: identity: auth: admin: cacert: /etc/ssl/certs/openstack-helm.crt scheme: default: https port: api: default: 443 dashboard: host_fqdn_override: default: tls: secretName: horizon-tls-web issuerRef: name: ca-issuer scheme: default: https public: https port: web: default: 443 public: 443 ingress: port: ingress: default: 443 manifests: certificates: true ...