Commit Graph

428 Commits

Author SHA1 Message Date
Carlos Bravo ab66a192f4 Added OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED to config options
Starting from Openstack Bobcat (2023.2) Multi Factor Authentication
was added for Horizon. This change introduced a new variable called
OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED, which if set to True will display
a new form requesting for the user's TOTP code for MFA enabled users.

This change provides the missing OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED
config option for the charm, allowing the user to enable from the
charm's configuration. If the value is set to True, the new bobcat
template will render the following values:
OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED = True

AUTHENTICATION_PLUGINS = [
    'openstack_auth.plugin.totp.TotpPlugin',
    'openstack_auth.plugin.password.PasswordPlugin',
    'openstack_auth.plugin.token.TokenPlugin'
]

Closes-Bug: #2058689
Change-Id: Ifedf587356693b58612b1fc4d7404f0f446158ce
2024-03-27 21:57:28 -04:00
Samuel Allan 422611f034 Add config for extra regions
This is so we can register extra region endpoints in horizon,
in situations where the keystone for the extra regions cannot be
integrated via juju (for example, completely separate deployment).

Closes-Bug: #1714926

Change-Id: I52cecec88437fd2bc5a012653f24471039e6b819
2024-03-21 10:50:01 +10:30
Rodrigo Barbieri 6b93e9dd87 Allow configure of OPENSTACK_INSTANCE_RETRIEVE_IP_ADDRESSES
If network calls to retrieve ports and floating IPs take too long,
then the project > instances page cannot be loaded. This config
allows disabling the network calls when loading the page with
minor side-effects, as a workaround to avoid downtime while other
performance optimizations can be done on the side to allow
the page to load so the workaround is no longer needed.

Closes-bug: #2051003
Related-bug: #2045168
Change-Id: Iedad6ef48cbe0b776594f4ad8276d3d713cd360c
2024-01-24 11:19:01 -03:00
Felipe Reyes 4d5581438a Run relation_set() in dashboard_relation_changed() on leader
The commit 484b7d8260 introduced a new relation that relies on an
application databag to exchange data, although only the leader can write
to it, and the original patch didn't guard the relation_set() call with
an is_leader(), this patch addresses that problem which produces a hook
failure on follower units when openstack-dashboard is deployed in HA.

Closes-Bug: #2046257
Related-Bug: #2030094
Change-Id: I1930b0b96f65cb627f896db67dddc6370cf6a413
2023-12-12 11:06:29 -03:00
Felipe Reyes 484b7d8260 Add new interface 'dashboard'
openstack-dashboard exposes the hostnames (and IP addresses) that can be
used by users to load Horizon. There are 3 possible sources, they are
juju units ingress-address, os-public-hostname and vip config options

Closes-Bug: #2030094
Change-Id: I5eb524c6258f72980ef43175f2bed21d7ca078be
2023-09-04 15:30:00 -03:00
Alex Kavanagh e8d0ca39a1 Make LocalSettingsContext more robust to priority
The relation data for the LocalSettings context could cause the
priority sorting to break if the priority key wasn't cmpable (e.g. using
<, > or ==).  This patch fixes the associated bug, by making the sorting
extra robust and ensuring that un-cmp-able values are 'greater' (e.g.
further down the list) than cmp-able values, and equal to each other.
E.g. a partially ordered set.

Change-Id: I6bbf7e5f81a772ffc6ea859c9ab7c05f2eb9fdc5
Closes-bug: #2023404
2023-07-04 12:03:08 +01:00
Zuul 333501d88f Merge "Introduce source IP based rate limiting" 2022-08-19 13:52:29 +00:00
Liam Young 123b8447ed Handle JSON data from dashboard plugins
The dashboard-plugin interface sends relation data json encoded but
the charm does not decode the local-settings key. This change decodes
the data. I have not been able to find any classic plugins that
rely on sending raw data but to maintain backwards compatibility
just in case the charm will fallback to the old behaviour if the
relation data is not json encoded.

Change-Id: I3f956ae811cb6c46b5e2ab31f1353678a35e623a
Closes-Bug: #1986538
2022-08-15 14:33:49 +00:00
Mert Kırpıcı c0f8708761 Introduce source IP based rate limiting
Since we are running haproxy in L4, we are tracking the incoming
byte rate from client IPs and rejecting TCP connections in a
sliding window.

This approach limits the incoming HTTP requests however image uploading
through the horizon web app is unaffected.

Change-Id: Ie40d28acb2dc2983fc9edbbeacfd671b380a8f6d
Closes-Bug: #1836514
Signed-off-by: Mert Kırpıcı <mert.kirpici@canonical.com>
2022-08-05 15:29:43 +03:00
Muhammad Ahmad af7a57d539 Add enable_router config option
This patch adds an option of enabling/disabling router panel view
in the horizon. To hide the router/floating-ip panel, set the config
option 'enable-router-panel=False'. Default value is True.

Closes-Bug: #1966815
Change-Id: If6fb3b57f05a1ab6342077d2142bd47cfce57948
2022-07-28 18:57:15 +00:00
Pedro Castillo 85423b1f73 Fix warning messages related to enforce-ssl
When enforce-ssl is set to false, a warning message comes up saying it is
set to true. This should stop the message from coming up when
enforce-ssl is false.

Related-Bug: #1818636
Change-Id: I6afe116c0cd1e04b5c37413c7daf556a9b05dee4
2022-05-31 17:54:18 -05:00
jneo8 b00c977b52 Add CREATE_INSTANCE_FLAVOR_SORT option
Closes-Bug: #1663191
Change-Id: I56a30b4b80ef2cb3ac96359a3932b53c735b5c01
2022-04-28 12:06:32 +00:00
Rodrigo Barbieri a322faa469 Fix ssl_key var name
Incorrect config key was responsible for bugs when configuring
websso when using SSL.

Closes-bug: #1960854
Change-Id: I241c7492ffcddf11c6b6464391fe986c61895b19
2022-02-14 15:45:40 -03:00
Nobuto Murata bd0eed2c84 Allow customization of branding
Make the following values configurable:
- SITE_BRANDING
- SITE_BRANDING_LINK
- HORIZON_CONFIG["help_url"]

Closes-Bug: #1959366
Change-Id: I34716bd68cc50b53dd28f6bb7a19409ece355465
2022-02-01 01:00:09 +09:00
Zuul 9984b7db51 Merge "Add application-dashboard relation" 2022-01-28 15:10:45 +00:00
Hemanth Nakkina 4355ea2d6b Remove neutron-fwaas-dashboard package for >= V
neutron-fwaas project is retired from Victoria release.
This patch removes installing neutron-fwaas-dashboard package
from Victoria release onwards.

Closes-Bug: 1934129
Change-Id: Id2c8695274bb3438612ee44bb922766a6bddf900
2021-11-30 12:47:22 +05:30
Bartlomiej Poniecki-Klotz 18a9ac1171 hide-create-volume config added
The configuration option hide-create-volume was added and is passed into the horizon configuration as hide_create_volume.

Closes-Bug: #1939079
Change-Id: I639810d5908cc58f41907f9a3bd66dc78b9517d6
2021-11-16 09:55:37 +00:00
Linda Guo 986ebeab59 Add application-dashboard relation
Homer[1] is a static web server and provides a one-stop-shop UI,
with a single URL from which users can click on a link to get to
the LMA stack and other sites (like MAAS, other support portals).
The application is registered to Homer dashboard via application-dashboard
relation.

By adding registration relation in openstack-dashboard charm,
we can register Horizon in Homer dashboard after creating relation
between openstack-dashboard charm and Homer charm

[1]. https://github.com/bastienwirtz/homer

Closes-Bug: 1945725
Change-Id: Ieeacd8f1dda7e88a1f3f7b332163b2b42f1fee41
2021-10-08 12:01:41 +11:00
Liam Young e07c27fc35 Do not assume ksv2 in multi-region deploys
Remove hardcoded keystone v2 from identity urls when in a multi-
region deploy. The api version is passed by the keystone charm
so use that.

Change-Id: I8e52e63e17836260b87899a059e0bbc77827dc54
Closes-Bug: #1925669
2021-04-26 12:52:50 +00:00
Felipe Reyes 530426ae69 Add config use-internal-endpoints option.
This patch adds a configuration option that instructs
openstack-dashboard to configure Horizon using the internal host
exposed by the keystone charm, this behavior is already present in
other charms like nova-cloud-controller.

Change-Id: Ic372a2c65c52a77229c5c2867919aa318e9ac0a1
Closes-Bug: #1812361
Depends-On: https://review.opendev.org/c/openstack/charm-keystone/+/696997
2021-03-08 12:45:44 -03:00
Garrett Thompson 8e4dc4844a Add ENFORCE_PASSWORD_CHECK setting
This setting is a behavior change, requiring the admin password
to be provided when changing the password of an admin user. Enabling
this setting by default adheres to the security recommendation
provided in the OpenStack security guide [0].

To enable this setting for Queens (the oldest supported OpenStack
release at the time of this commit), a new local_settings.py file was
copied from the Ocata template to ensure that any future versions will
inherit this setting until a new change is made.

Due to the security-checklist action currently failing [1], these have been
extracted to another class, and refactored in the zaza-openstack-tests
repo [2].

[0] https://docs.openstack.org/security-guide/dashboard/checklist.html

[1] 2ef404be75/zaza/openstack/charm_tests/openstack_dashboard/tests.py (L418)

[2] https://github.com/openstack-charmers/zaza-openstack-tests/pull/501

func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/501
Closes-Bug: #1883196
Change-Id: Idfd8654732289481806aea8b47ffa28cf3f97697
2021-02-12 00:27:27 +00:00
Alex Kavanagh 5dd04dac31 Sync libraries & common files prior to freeze
* charm-helpers sync for classic charms
* charms.ceph sync for ceph charms
* rebuild for reactive charms
* sync tox.ini files as needed
* sync requirements.txt files to sync to standard

Change-Id: I179fd55a49bf07515e4fad64dd0a4719b58ac4ca
2020-09-27 19:45:00 +01:00
Zuul d74affeaaf Merge "Check the created_roles reply for keystone" 2020-08-28 08:31:55 +00:00
Liam Young 47c1097ea4 Check the created_roles reply for keystone
Check the created_roles reply for keystone to see if the name of
the role that was created in keystone matches what was requested.
It may differ in terms of case.

Change-Id: I5b5216909268ba3bb1b7ad13767647fa1af77cc5
Closes-Bug: #1890437
2020-08-27 14:08:20 +00:00
Liam Young b9905a9d32 Ensure that certificates are correctly managed.
When the certificates relation is ready before the
HA relation is clustered, the VIP symlinks will not
be created pointing at the correct certificates. This
change updates the HA handlers to ensure that the
certificate relation is handled after clustering,
if there are any certificate relations.

There was no functional test coverage for HA and TLS
deployments so this change also adds a test for
those and CMR too. Having said that, the test
initialises vault once the deployments are
complete so is unlikely to trigger #1886077 the tests
to check there is no regression of existing
functionality.

func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/389

Change-Id: I7c9c81318dbbcea618ac3781b8f19e8159e56bcb
Closes-Bug: #1886077
2020-08-20 15:36:40 +00:00
Alex Kavanagh d566af19a2 Release sync for 20.08
- Classic charms: sync charm-helpers.
- Classic ceph based charms:  also sync charms.ceph
- Reactive charms: trigger a rebuild
- sync tox.ini
- sync requirements.txt and test-requirements.txt
- fix PEP8 issues from new W504 param

Change-Id: I3d1ea2cea971b364001a53d35f2b3bbcaed8361d
2020-07-31 15:41:45 +01:00
Vern Hart 9a84700110 strip newlines and whitespace from user-supplied secret
Closes-Bug: 1868645

Change-Id: Ie287553cd73b634961485dfcb067283bd48ad10b
2020-07-20 20:27:43 -06:00
James Page 476fe0b2ca enforce-ssl: evaluate all sources of cert/key
When the dashboard charm is deployed with Vault using the
certificates relation the enforce-ssl configuration option
is not honoured as the certificates relation is supported
by the get_cert function provided by charmhelpers.

https does much the same set of checks but also looks at
the certificates relation when considering whether https
is actually enabled for the charm.

Minor style tweak to the code to avoid nested conditionals.

Change-Id: Ieb519adef53e8ab68c9119eb38344e5cb8540411
Closes-Bug: 1846189
2020-05-19 13:46:10 +01:00
Alex Kavanagh 700ebb14c7 Enable focal and ussuri as part of the gate tests
Add bionic-ussuri and focal-ussuri (with mysql8 support) bundles.

Also, for focal, switch the install and upgrade-charm hooks to install
python3 modules rather than python2 modules.

Change-Id: I75dbf72eb4c2d7d2986730e0ada9a6c359f825d3
2020-04-03 16:50:58 +01:00
Xav Paice 957a6adc03 Add disable-password-reveal option
Adds config item to add HORIZON_CONFIG['disable_password_reveal'] = True
option to Horizon's local_settings.py, from Mitaka onwards.  This
prevents the reveal password button from being displayed.

Change-Id: I299f6a6388c3a2ab68cabaeb16e5104ec319e144
Closes-bug: #1840251
2020-03-12 15:59:06 +13:00
Zuul 3387091508 Merge "Do not access DB when it is in maintenance mode." 2020-01-31 14:53:54 +00:00
Alex Kavanagh 1e2515e13f Fix issue with plugins breaking packages
The core issue is that the plugin had no way to signal to the
principal charm what packages needed to be installed, and crucially,
which conflicted with the packages that the plugin needs to operate.
The referenced bug exhibits this issue in that, on install, a package
is removed by the plugin, but the principal charm "doesn't know".  Then
on upgrade, the principal charm re-installs the package, and breaks
the plugin.

This patch allows the plugin to signal which packages it requires to
operate via the dashboard-plugin interface.  This ensures that when
the openstack-dashboard charm upgrades it already "knows" what a
plugin needs and acts accordingly.  Equally, plugins can change their
requirements and this patch allows them to update/remove/install
packages as needed.

The local_settings.py is already controlled by the principal, and this
just shifts absolute control over packaging to the principal as well.
The plugin charm's purpose is to indicate packages and config to the
principal.

Note.  There should be no backwards compatibility issues with this
change. If a plugin doesn't notify the principal of any packages then it
won't take any action.  This does mean that the openstack-charm should
be upgraded prior to any plugins that gain this feature.

Also disable disco test as disco is EOL.

Change-Id: Ib3fc0b0525dabf70f45fd050af2ed05ba31129b9
Related-Bug: #1853851
2020-01-30 16:18:09 +00:00
Liam Young c9e844a4a3 Do not access DB when it is in maintenance mode.
If the database is in maintenance mode do not attempt to access
it.

Depends-On: I5d8ed7d3935db5568c50f8d585e37a4d0cc6914f
Change-Id: I91d3f858888a169cf85d51533a54ef37d7a72c58
2020-01-30 12:37:56 +00:00
Liam Young de4e9ec338 When resuming, exclude haproxy
When resuming services exclude those managed by hacluster, in
this case haproxy. If pacemaker lacks quorum it may shut haproxy
down which will cause this charm to error.

Charmhelper sync included to bring in required
get_managed_services_and_ports method.

Change-Id: I6f997df31922b6090e5b4b1daeec342a044be5c3
2020-01-26 07:47:02 +00:00
Alex Kavanagh 03cb557fc8 Add disable-instance-snapshot config item
This patchset adds the disable-instance-snapshot config item that
controls the "disable_instance_snapshot" dictionary item in the
LAUNCH_INSTANCE_DEFAULTS setting in local_settings.py

Change-Id: Ic15f60517ed8a7f67704b15f4b42baabe74f83c6
Closes-Bug: #1818221
2020-01-13 12:01:51 +00:00
cjohnston 8b6d16698a Add config option for exposing HAProxy stats interface.
Change-Id: I41799835a4d59dd7d4e0c0becf0908eaab6281ae
Closes-Bug: #1710208
func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/147
2019-12-17 22:28:17 +00:00
Alex Kavanagh 42c10d5465 Improve the debug logging for policyd
Improves the debug logging for a policyd override if the override file
contains a section that doesn't make sense for the charm.

Change-Id: I46aacc4705066aa6c13153c09fa981cd8027332e
2019-11-25 13:02:22 +00:00
Alex Kavanagh 1b1e7c583c Policyd override implementation
This patchset implements policy overrides for octavia.  It uses the
code in charmhelpers [1] which has been modified to support the richer
and more complex approach to handling policy overrides.

[1]: https://github.com/juju/charm-helpers/pull/393

func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/126

Change-Id: Ib51fd2c7c540c680083c2928eab4ce4df0d43e23
Closed-Bug: #1741723
2019-11-20 14:40:03 +00:00
Liam Young 5d9592ddca Correct resolve_CONFIGS force_update
A typo in resolve_CONFIGS reversed the desired behaviour so
force_update=True would not force an update and vice versa.

Change-Id: I4e19e7ab35f09f4e828632b4dc6074d2bd367356
Closes-Bug: #1848440
2019-10-17 09:21:46 +00:00
Stamatis Katsaounis f782e4ad96 Change custom_theme.py file location
This patch changes the location of the soft link of the optional
custom settings file inside a custom theme provided by the user.
The current location is not taken into account by Horizon.

Change-Id: Ief60acb394b7ac340b92120d7ccf18eb680cfb38
Signed-off-by: Stamatis Katsaounis <skatsaounis@admin.grnet.gr>
2019-09-30 14:38:00 +03:00
Liam Young 56e4d3c322 Stop running register_configs at load time
Stop running register_configs so it is not run unnecessarily and
simplifies unit tests. As part of this make sure that CONFIGS is
refreshed after an upgrade as config files and contexts may
have changed.

Change-Id: I08a847abe7db22a11860f359442e1e8945585466
Closes-Bug: #1844325
2019-09-25 10:01:50 +00:00
Corey Bryant fec0eeb2b7 Remove neutron-lbaas-dashboard for train and above
The python3-neutron-lbaas-dashboard no longer exists as of
Train. Remove it in favor of the octavia-dashboard subordinate
charm.

This patch also keeps python-cinderclient at a version
that includes v1.client for testing.

Change-Id: Ic8694cd8604aff8be392a31feeccb7fea55d0e41
2019-09-16 13:28:22 +00:00
Corey Bryant 983d7466d4 Disable train cinder consistency group support
Cinder consistency group support was removed from upstream horizon
as of Train, and has been replaced by the generic group feature.

Change-Id: Iebf4d441b36e7c31b200205cd9bbee0d1fb9a47c
Closes-Bug: #1841188
2019-09-10 13:27:02 +00:00
James Page ae19450b01 stein: Ensure mysqldb driver is installed
The default MySQL dialect for Django in Ubuntu Disco or later
switched back to mysqldb rather than pymysql; ensure that required
driver is installed for stein or later.

Change-Id: Ib03353d12d38b5a5ef1bac820470636c886ec8dc
Closes-Bug: 1834614
2019-07-22 16:37:08 +01:00
Dmitrii Shcherbakov d28f593d66 Fix websso path formatting
If webroot is '/' the resulting path becomes '//' after joining which
leads to 'path: //auth/websso/' passed in relation data.

As a result authentication attempts fail with:

'ERROR https://dashboard.maas/auth/websso/ is not a trusted dashboard
host'

Change-Id: I14e7ff1ec548de4ec98ee41fc27c8948b56fafec
Closes-Bug: #1815205
Closes-Bug: #1828021
2019-05-07 13:47:14 +03:00
tpsilva ca21ac8116 Add option to hide/show consistency groups tab
Cinder by default does not enable Consistency Groups, but Horizon always
shows its tabs and there is not an option to hide them. This patch adds a
config option to change the policy file to hide or show those tabs.

Change-Id: Ia2fb52650201524acbb8d6aafe37e7c0ea26e99e
Closes-bug: #1684113
2019-03-19 09:50:25 -03:00
David Ames 601875867d Enable vault tls-certificates for SAML Mellon
The charm assumed the use of ssl_cert and ssl_key. The current best
practice is to deploy with vault and the tls-certificates relation.
Enable tls-certificates relation aware configuration for the
websso-trusted-dashboard relation.

Simplify hostname, IP, VIP selection using resolve_address.

Change-Id: Ibcd963946a3956f9b2d2963fe9455d6d9ee78ab6
2019-03-11 07:48:22 -07:00
Zuul c59894df27 Merge "Use common ApacheSSLContext" 2019-02-22 11:00:14 +00:00
Frode Nordahl 19915f6806 Use common ApacheSSLContext
Remove the custom ApacheSSLContext class and use the common
one from ``charmhelpers.contrib.openstack`` instead.

Update ``default-ssl`` template so we can make use of multiple
endpoints with SNI.

Sync required changes to charm-helpers.

Change-Id: Icc990448d2c7469c5253d04ad43371d01d5580d9
Related-Bug: #1816621
2019-02-22 10:56:14 +01:00
Zuul cfeaa06404 Merge "Make DROPDOWN_MAX_ITEMS configurable" 2019-02-22 08:27:05 +00:00