Commit Graph

167 Commits

Author SHA1 Message Date
Carlos Bravo ab66a192f4 Added OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED to config options
Starting from Openstack Bobcat (2023.2) Multi Factor Authentication
was added for Horizon. This change introduced a new variable called
OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED, which if set to True will display
a new form requesting for the user's TOTP code for MFA enabled users.

This change provides the missing OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED
config option for the charm, allowing the user to enable from the
charm's configuration. If the value is set to True, the new bobcat
template will render the following values:
OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED = True

AUTHENTICATION_PLUGINS = [
    'openstack_auth.plugin.totp.TotpPlugin',
    'openstack_auth.plugin.password.PasswordPlugin',
    'openstack_auth.plugin.token.TokenPlugin'
]

Closes-Bug: #2058689
Change-Id: Ifedf587356693b58612b1fc4d7404f0f446158ce
2024-03-27 21:57:28 -04:00
Samuel Allan 422611f034
Add config for extra regions
This is so we can register extra region endpoints in horizon,
in situations where the keystone for the extra regions cannot be
integrated via juju (for example, completely separate deployment).

Closes-Bug: #1714926

Change-Id: I52cecec88437fd2bc5a012653f24471039e6b819
2024-03-21 10:50:01 +10:30
Rodrigo Barbieri 6b93e9dd87 Allow configure of OPENSTACK_INSTANCE_RETRIEVE_IP_ADDRESSES
If network calls to retrieve ports and floating IPs take too long,
then the project > instances page cannot be loaded. This config
allows disabling the network calls when loading the page with
minor side-effects, as a workaround to avoid downtime while other
performance optimizations can be done on the side to allow
the page the load so the workaround is no longer needed.

Closes-bug: #2051003
Related-bug: #2045168
Change-Id: Iedad6ef48cbe0b776594f4ad8276d3d713cd360c
2024-01-24 11:19:01 -03:00
Zuul e5f3cf8395 Merge "Run relation_set() in dashboard_relation_changed() on leader" 2023-12-12 15:40:07 +00:00
Felipe Reyes 4d5581438a Run relation_set() in dashboard_relation_changed() on leader
The commit 484b7d8260 introduced a new relation that relies on an
application databag to exchange data, although only the leader can write
to it, and the original patch didn't guard the relation_set() call with
a is_leader(), this patch addresses that problem wich produces a hook
failure on follower units when openstack-dashboard is deployed in HA.

Closes-Bug: #2046257
Related-Bug: #2030094
Change-Id: I1930b0b96f65cb627f896db67dddc6370cf6a413
2023-12-12 11:06:29 -03:00
Alex Kavanagh 264a95c348 Improve platform mocking
Patch out charmhelpers.osplatform.get_platform() and
charmhelpers.core.host.lsb_release() globally in the unit tests to
insulate the unit tests from the platform that the unit tests are being
run on.

Change-Id: I9c5beab362cbf747eb757645fa3704043a2f14c7
2023-10-24 16:00:53 +01:00
Felipe Reyes 484b7d8260 Add new interface 'dashboard'
openstack-dashboard exposes the hostnames (and IP addresses) that can be
used by users to load Horizon. There are 3 possible sources, they are
juju units ingress-address, os-public-hostname and vip config options

Closes-Bug: #2030094
Change-Id: I5eb524c6258f72980ef43175f2bed21d7ca078be
2023-09-04 15:30:00 -03:00
Alex Kavanagh e8d0ca39a1 Make LocalSettingsContext more robust to priority
The relation data for for the LocalSettings context could cause the
priority sorting to break if the priority key wasn't cmpable (e.g. using
<, > or ==).  This patch fixes the associated bug, by making the sorting
extra robust and ensuring that un-cmp-able values are 'greater' (e.g.
further down the list) that cmp-able values, and equal to each other.
E.g. a partially ordered set.

Change-Id: I6bbf7e5f81a772ffc6ea859c9ab7c05f2eb9fdc5
Closes-bug: #2023404
2023-07-04 12:03:08 +01:00
Corey Bryant ea6ad355bd Add package-upgrade action
The package-upgrade action performs package upgrades for the current
OpenStack release.

The code path used is similar to the openstack-upgrade action, with the
difference being that package-upgrade will not execute if an openstack
upgrade is available (based on the openstack-origin setting).

This change includes a charm-helpers sync.

Change-Id: I7a36e0f5f47423ae8601d6ca86aa0fe311ecb735
2023-05-26 16:55:30 +01:00
Zuul 333501d88f Merge "Introduce source IP based rate limiting" 2022-08-19 13:52:29 +00:00
Liam Young 123b8447ed Handle JSON data from dashboard plugins
The dashboard-plugin interface sends relation data json encoded but
the charm does not decode the local-settings key. This change decodes
the data. I have not been able to find any classic plugins that
rely on sending raw data but to maintain backwards compatability
just incase the charm will fallback to the old behaviour if the
relation data is not json encoded.

Change-Id: I3f956ae811cb6c46b5e2ab31f1353678a35e623a
Closes-Bug: #1986538
2022-08-15 14:33:49 +00:00
Mert Kırpıcı c0f8708761 Introduce source IP based rate limiting
Since we are running haproxy in L4, we are tracking the incoming
byte rate from client IPs and rejecting TCP connections in a
sliding window.

This approach limits the incoming HTTP requests however image uploading
through the horizon web app is unaffected.

Change-Id: Ie40d28acb2dc2983fc9edbbeacfd671b380a8f6d
Closes-Bug: #1836514
Signed-off-by: Mert Kırpıcı <mert.kirpici@canonical.com>
2022-08-05 15:29:43 +03:00
Muhammad Ahmad af7a57d539 Add enable_router config option
This patch adds an option of enabling/disabling router panel view
in the horizon. To hide the router/floatin-ip panel, set the config
option 'enable-router-panel=False'. Default value is True.

Closes-Bug: #1966815
Change-Id: If6fb3b57f05a1ab6342077d2142bd47cfce57948
2022-07-28 18:57:15 +00:00
Zuul c2c1be3070 Merge "Force resolve configs after openstack-upgrade action" 2022-05-10 14:10:58 +00:00
jneo8 b00c977b52 Add CREATE_INSTNACE_FLAVOR_SORT option
Closes-Bug: #1663191
Change-Id: I56a30b4b80ef2cb3ac96359a3932b53c735b5c01
2022-04-28 12:06:32 +00:00
Alex Kavanagh eb913cfb5d Updates to enable jammy and finalise charmcraft builds
- Add 22.04 to charmcraft.yaml
- Update metadata to include jammy
- Remove impish from metadata
- Update osci.yaml to include py3.10 default job
- Modify tox.ini to remove py35,py36,py37 tox target and add py310
  target.
- ensure that the openstack-origin is yoga
- Fix mocking on unit tests for install.real hook

Change-Id: I7bf692965341c0cc1c84c7d3c77cce63a6cb6cbc
2022-04-06 11:04:01 +01:00
Billy Olsen 52145181c8 Force resolve configs after openstack-upgrade action
Force resolve the global configs option after an openstack upgrade
action is run but before the config_changed hook is run. This ensures
that the global CONFIGS values are updated to the appropriate templates
before rendering the update config.

Change-Id: Id8ed2f6d60cf79e1360ca7587aa771ffbe1af9aa
Closes-Bug: 1928853
2022-03-14 12:12:06 -07:00
Rodrigo Barbieri a322faa469 Fix ssl_key var name
Incorrect config key was responsible for bugs when configuring
websso when using SSL.

Closes-bug: #1960854
Change-Id: I241c7492ffcddf11c6b6464391fe986c61895b19
2022-02-14 15:45:40 -03:00
Nobuto Murata bd0eed2c84 Allow customization of branding
Make the following values configurable:
- SITE_BRANDING
- SITE_BRANDING_LINK
- HORIZON_CONFIG["help_url"]

Closes-Bug: #1959366
Change-Id: I34716bd68cc50b53dd28f6bb7a19409ece355465
2022-02-01 01:00:09 +09:00
Zuul 9984b7db51 Merge "Add application-dashboard relation" 2022-01-28 15:10:45 +00:00
Hervé Beraud 9da66b4cc5 Use unittest.mock instead of mock
The mock third party library was needed for mock support in py2
runtimes. Since we now only support py36 and later, we can use the
standard lib unittest.mock module instead.

Note that https://github.com/openstack/charms.openstack is used during tests
and he need `mock`, unfortunatelly it doesn't declare `mock` in its
requirements so it retrieve mock from other charm project (cross dependency).
So we depend on charms.openstack first and when
Ib1ed5b598a52375e29e247db9ab4786df5b6d142 will be merged then CI
will pass without errors.

Depends-On: Ib1ed5b598a52375e29e247db9ab4786df5b6d142
Change-Id: I718a003c5f07e390457bc39e69871c7ecb533e7b
2021-12-15 14:33:48 +00:00
Hemanth Nakkina 4355ea2d6b Remove neutron-fwaas-dashboard package for >= V
neutron-fwaas project is retired from Victoria release.
This patch removes installing neutron-fwaas-dashboard package
from Victoria release onwards.

Closes-Bug: 1934129
Change-Id: Id2c8695274bb3438612ee44bb922766a6bddf900
2021-11-30 12:47:22 +05:30
Bartlomiej Poniecki-Klotz 5bfac0a352 improve unstable unit tests and fix whitespace
The unstable unit tests affected by list order were fixed by comparing the sorted region lists.
Additionally, a whitespace fix was implemented.

Change-Id: I2c67f7405a3f533d25111d7c3920ca31380de35a
2021-11-22 13:15:11 +00:00
Bartlomiej Poniecki-Klotz 18a9ac1171 hide-create-volume config added
The configuration option hide-create-volume was added and is passed into the horizon configuration as hide_create_volume.

Closes-Bug: #1939079
Change-Id: I639810d5908cc58f41907f9a3bd66dc78b9517d6
2021-11-16 09:55:37 +00:00
Linda Guo 986ebeab59 Add application-dashboard relation
Homer[1] is static web server and provides one stop shop UI,
which a single URL and be able to click on a link to get to
the LMA stack and other sites (like MAAS, other support portal).
The application is registered to Homer dashboard via application-dashboard
relation.

By adding registration relation in openstack-dashboard charm,
we can register Horizon in Homer dashboard after creating relation
between openstack-dashboard charm and Homer charm

[1]. https://github.com/bastienwirtz/homer

Closes-Bug: 1945725
Change-Id: Ieeacd8f1dda7e88a1f3f7b332163b2b42f1fee41
2021-10-08 12:01:41 +11:00
Liam Young e07c27fc35 Do not assume ksv2 in multi-region deploys
Remove hardcoded keystone v2 from identity urls when in a multi-
region deploy. The api version is passed by the keystone charm
so use that.

Change-Id: I8e52e63e17836260b87899a059e0bbc77827dc54
Closes-Bug: #1925669
2021-04-26 12:52:50 +00:00
Felipe Reyes 530426ae69 Add config use-internal-endpoints option.
This patch adds a configuration option that instructs
openstack-dashboard to configure Horizon using the internal host
exposed by the keystone charm, this behavior is already present in
other charms like nova-cloud-controller.

Change-Id: Ic372a2c65c52a77229c5c2867919aa318e9ac0a1
Closes-Bug: #1812361
Depends-On: https://review.opendev.org/c/openstack/charm-keystone/+/696997
2021-03-08 12:45:44 -03:00
Garrett Thompson 8e4dc4844a Add ENFORCE_PASSWORD_CHECK setting
This setting is a behavior change, requring the admin password
to be provided when changing the password of an admin user. Enabling
this setting by default adheres to the security recommendation
provided in the OpenStack security guide [0].

To enable this setting for Queens (the oldest supported OpenStack
release at the time of this commit), a new local_settings.py file was
copied from the Ocata template to ensure that any future versions will
inherit this setting until a new change is made.

Due to the security-checklist action currently failing [1], these have been
extracted to another class, and refactored in the zaza-openstack-tests
repo [2].

[0] https://docs.openstack.org/security-guide/dashboard/checklist.html

[1] 2ef404be75/zaza/openstack/charm_tests/openstack_dashboard/tests.py (L418)

[2] https://github.com/openstack-charmers/zaza-openstack-tests/pull/501

func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/501
Closes-Bug: #1883196
Change-Id: Idfd8654732289481806aea8b47ffa28cf3f97697
2021-02-12 00:27:27 +00:00
Alex Kavanagh 5dd04dac31 Sync libraries & common files prior to freeze
* charm-helpers sync for classic charms
* charms.ceph sync for ceph charms
* rebuild for reactive charms
* sync tox.ini files as needed
* sync requirements.txt files to sync to standard

Change-Id: I179fd55a49bf07515e4fad64dd0a4719b58ac4ca
2020-09-27 19:45:00 +01:00
Liam Young 47c1097ea4 Check the created_roles reply for keystone
Check the created_roles reply for keystone to see if the name of
the role that was created in keystone matches what was requested.
It may differ in terms of case.

Change-Id: I5b5216909268ba3bb1b7ad13767647fa1af77cc5
Closes-Bug: #1890437
2020-08-27 14:08:20 +00:00
Corey Bryant 3f1f985be8 Switch default-role default to lowercase 'member'
This is needed to align with recent changes in the keystone
charm to use keystone bootstrap.

Change-Id: I35a08c483e970712d4db4ebe049f5b135ffb5637
Closes-Bug: #1879783
2020-05-20 19:24:49 -04:00
James Page 476fe0b2ca enforce-ssl: evaluate all sources of cert/key
When the dashboard charm is deployed with Vault using the
certificates relation the enforce-ssl configuration option
is not honoured as the certificates relation is supported
by the get_cert function provided by charmhelpers.

https does much the same set of checks but also looks at
the certificates relation when considering whether https
is actually enabled for the charm.

Minor style tweak to the code to avoid nested conditionals.

Change-Id: Ieb519adef53e8ab68c9119eb38344e5cb8540411
Closes-Bug: 1846189
2020-05-19 13:46:10 +01:00
Alex Kavanagh 700ebb14c7 Enable focal and ussuri as part of the gate tests
Add bionic-ussuri and focal-ussuri (with mysql8 support) bundles.

Also, for focal, switch the install and upgrade-charm hooks to install
python3 modules rather than python2 modules.

Change-Id: I75dbf72eb4c2d7d2986730e0ada9a6c359f825d3
2020-04-03 16:50:58 +01:00
Alex Kavanagh 851821ff39 Fix CONFIGS=None issue with action openstack-upgrade
When the CONFIGS was made lazy in the charm, unfortunately, some of the
work wasn't carried through correctly to the openstack-upgrade action
code.  This patch corrects that.  Tested manually as okay.

Change-Id: I095613ef2eca62da5fae5462e76fa83926d2e80a
Closes-Bug: #1869865
2020-03-31 15:29:14 +01:00
Xav Paice 957a6adc03 Add disable-password-reveal option
Adds config item to add HORIZON_CONFIG['disable_password_reveal'] = True
option to Horizon's local_settings.py, from Mitaka onwards.  This
prevents the reveal password button from being displayed.

Change-Id: I299f6a6388c3a2ab68cabaeb16e5104ec319e144
Closes-bug: #1840251
2020-03-12 15:59:06 +13:00
Alex Kavanagh 1e2515e13f Fix issue with plugins breaking packages
The core issue is that the plugin had no way to signal to the
principal charm what packages needed to be installed, and crucially,
which conflicted with the packages that the plugin needs to operate.
The referenced bug exhibits this issue in that, on install, a package
is removed by the plugin, but the principal charm "doesn't know".  Then
on upgrade, the principal charm re-installs the package, and breaks
the plugin.

This patch allows the plugin to signal which packages it requires to
operate via the dashboard-plugin interface.  This ensures that when
the openstack-dashboard charm upgrades it already "knows" what a
plugin needs and acts accordingly.  Equally, plugins can change their
requirements and this patch allows them to update/remove/install
packages as needed.

The local_settings.py is already controlled by the principal, and this
just shifts absolute control over packaging to the principal as well.
The plugin charm's purpose is to indicate packages and config to the
principal.

Note.  There should be no backwards compatibility issues with this
change. If a plugin doesn't notify the principal of any packages then it
won't take any action.  This does mean that the openstack-charm should
be upgrade prior to any plugins that gain this feature.

Also disable disco test as disco is EOL.

Change-Id: Ib3fc0b0525dabf70f45fd050af2ed05ba31129b9
Related-Bug: #1853851
2020-01-30 16:18:09 +00:00
Liam Young de4e9ec338 When resuming, exclude haproxy
When resuming services exclude those managed by hacluster, in
this case haproxy. If pacemaker lacks quorum it may shut haproxy
down which will cause this charm to error.

Charmhelper sync included to bring in required
get_managed_services_and_ports method.

Change-Id: I6f997df31922b6090e5b4b1daeec342a044be5c3
2020-01-26 07:47:02 +00:00
Alex Kavanagh 03cb557fc8 Add disable-instance-snapshot config item
This patchset adds the disable-instance-snapshot config item that
controls the "disable_instance_snapshot" dictionary item in the
LAUNCH_INSTANCE_DEFAULTS setting in local_settings.py

Change-Id: Ic15f60517ed8a7f67704b15f4b42baabe74f83c6
Closes-Bug: #1818221
2020-01-13 12:01:51 +00:00
cjohnston 8b6d16698a Add config option for exposing HAProxy stats interface.
Change-Id: I41799835a4d59dd7d4e0c0becf0908eaab6281ae
Closes-Bug: #1710208
func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/147
2019-12-17 22:28:17 +00:00
Alex Kavanagh 1b1e7c583c Policyd override implementation
This patchset implements policy overrides for octavia.  It uses the
code in charmhelpers [1] which has been modified to support the richer
and more complex approach to handling policy overrides.

[1]: https://github.com/juju/charm-helpers/pull/393

func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/126

Change-Id: Ib51fd2c7c540c680083c2928eab4ce4df0d43e23
Closed-Bug: #1741723
2019-11-20 14:40:03 +00:00
Liam Young 5d9592ddca Correct resolve_CONFIGS force_update
A typo in resolve_CONFIGS reveresed the desired behaviour so
force_update=True would not force an update and vice versa.

Change-Id: I4e19e7ab35f09f4e828632b4dc6074d2bd367356
Closes-Bug: #1848440
2019-10-17 09:21:46 +00:00
Liam Young 56e4d3c322 Stop running register_configs at load time
Stop running register_configs so it is not run unnecessarily and
simplifies unit tests. As part of this make sure that CONFIGS is
refreshed after an upgrade as config files and contexts may
have changed.

Change-Id: I08a847abe7db22a11860f359442e1e8945585466
Closes-Bug: #1844325
2019-09-25 10:01:50 +00:00
tpsilva ca21ac8116 Add option to hide/show consistency groups tab
Cinder by default does not enable Consistency Groups, but Horizon always
show its tabs and there is not an option to hide them. This patch adds a
config option to change the policy file to hide or show those tabs.

Change-Id: Ia2fb52650201524acbb8d6aafe37e7c0ea26e99e
Closes-bug: #1684113
2019-03-19 09:50:25 -03:00
David Ames 601875867d Enable vault tls-certificates for SAML Mellon
The charm assumed the use of ssl_cert and ssl_key. The current best
practice is to deploy with vault and the tls-certificates relation.
Enable tls-certificates relation aware configuration for the
websso-trusted-dashboard relation.

Simplify hostname, IP, VIP selection using resolve_address.

Change-Id: Ibcd963946a3956f9b2d2963fe9455d6d9ee78ab6
2019-03-11 07:48:22 -07:00
Zuul c59894df27 Merge "Use common ApacheSSLContext" 2019-02-22 11:00:14 +00:00
Frode Nordahl 19915f6806
Use common ApacheSSLContext
Remove the custom ApacheSSLContext class and use the common
one from ``charmhelpers.contrib.openstack`` instead.

Update ``default-ssl`` template so we can make use of multiple
endpoints with SNI.

Sync required changes to charm-helpers.

Change-Id: Icc990448d2c7469c5253d04ad43371d01d5580d9
Related-Bug: #1816621
2019-02-22 10:56:14 +01:00
Zuul cfeaa06404 Merge "Make DROPDOWN_MAX_ITEMS configurable" 2019-02-22 08:27:05 +00:00
Jesper Schmitz Mouridsen fd9fe98536 Make DROPDOWN_MAX_ITEMS configurable
This change implements a new option dropdown-max-items, that
sets the DROPDOWN_MAX_ITEMS of horizon.

Change-Id: I2ac03b406cc8b787424747c0bfeeedffd7712c9f
2019-02-21 19:36:05 +01:00
Frode Nordahl 256f971c78
Use correct certificate when ``os-public-hostname`` configration option is set
Note that this is a short term kludge/fix, on the long term
we should ditch the charm specific ApacheSSLContext and use
the common one from charm-helpers with an adapted Apache
config inspired from the ``openstack_https_fronted`` template

Change-Id: I74c17113f431c4c21f638be6abffaeeb693f1462
Closes-Bug: #1816621
2019-02-21 16:40:37 +01:00
Andre Ruiz 7e2a9b4749 Implement new option: session-timeout
This change implements a new option in config.yaml that enables
a specific session timeout to be defined.

Change-Id: I4a521c672347e33718fd03427393eaa5356e57cb
Closes-Bug: #1599968
2019-02-19 14:21:27 -03:00