For isolated deployments which use mirrors it is necessary
to be able to override the github.com URL currently used
in horizon_pip_packages
Change-Id: I767b921dd9114fb6afa6a93d80e3927da481e5ae
At the moment our role does not account for provisionment of default
policy files for extra dashboards.
While they should not be required, it has been reported that absence
of such policy files results in unexpected behaviour. So let's symlink them
alike to how we do with regular policies.
Closes-Bug: #2055415
Change-Id: I683c12938fd4aa67304f564678514bc48bd86a79
We change a default value of `horizon_webroot` to reflect the usecase
where both Horizon and Skyline are deployed. When it is the case,
horizon webroot URL will be changed to `/horizon`.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/859446
Change-Id: Ia38311a6fde88292c090cf6289bf5b6c6279c479
Since plugin name has changed for OVN, we need to count for it when
deciding if panel should be enabled or not.
Change-Id: Id0923a497e751350c9308726ccbb85b6aa6c36c4
Current behavior leads to all files having executable bit which is not
anticipated or required behaviour.
Thus, we should avoid defining mode recursively to the directory
Closes-Bug: #2052011
Change-Id: I30b9b6a70d2cabfb1f1f434cd883ea2503d867bc
django.utils.translation.ugettext_lazy() is deprecated in favor of the
functions that they’re aliases for: django.utils.translationgettext_lazy()
With that MemcachedCache backend was also deprecated in favor of
PyMemcacheCache. MemcachedCache was removed in django 4.1
https: //docs.djangoproject.com/en/4.0/releases/3.0/#id3
Change-Id: I9b77b33fbc4a9560c72504f935bf7f9082fefdd7
In order to compress static files against pyhton 3.11 a fixed version
with fixed regexp in pyScss is needed. While fix is merged, pyScss is
not tagged/released yet.
While this required only for Debian12, it will work nicely also with older
python versions, since there're almost no changes in the package.
instead of building based on SHA.
Change-Id: I76f945310b70c1b081800c5ba0ec922795b60a73
neutron_ml2_drivers_type is a string, not a list, while default
value for it is a list. Local settings also assume that it is a list.
So we ensure that the falue is a string by default now and
treat it as string in the code.
Change-Id: Ida72c712153dcda4cd06e0959f98ade4fee8dfbd
Right now we are not using any constraints for docs and releasenotes builds.
This has resulted in docs job failures once Sphinx 7.2.0 has been released.
The patch will ensure that constraints are used an we should not face
simmilar issue again.
TOX_CONSTRAINTS_FILE is updated by Release bot once new branch is created,
so it should always track relevant constraints.
Some extra syntax-related changes can apply, since patch is being passed
through ConfigParser, that does not preserve comments and align indenting.
Change-Id: Id609280a58ce263f8860b24762c5670a1a421a3f
Keystone has stopped providing or reffering `_member_` role for a while,
thus role should not be refferenced anymore.
Moreover, with 2023.1 service policies have dropped `_member_`
which resulted in the role to be insufficient for basic operations.
Change-Id: I99bf418c6cb93d5f3cafc818a8cc876a49fb0357
Related-Bug: #2029486
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metdata to reflect current state.
Change-Id: I40ff3ec0393bf90836d943fc09e74d6a5f207b48
To standarize variable name across roles, this change renames
`horizon_enable_ssl` to `horizon_backend_ssl`.
All other roles use `<service>_backend_ssl` format.
It also better describes what it does. With `horizon_enable_ssl` it's
unclear whether it is about frontend or backend.
Backward compatibility will be kept until 2024.1.
Change-Id: I218d45b7be667732e4204316b8d18fa3e136962b
Current logic does not allow horizon backend to listen on https
(`horizon_enable_ssl`) if external loadblanacer serves TLS
(`horizon_external_ssl`).
It basically forces backend to listen on plain http in this case which
does not make any sense. It should be possible to enable TLS on both
loadbalancer and horizon backend.
Additionally, with this patch, role defines a proper
HTTP_X_FORWARDED_PROTO header value(it's included in
`horizon_secure_proxy_ssl_header` and
`horizon_secure_proxy_ssl_header_django` and can be set to 'http' or
'https') based on whether external load balancer listens on https
(`horizon_external_ssl`)[1].
For example if loadbalancer listens on https and backend on http,
HTTP_X_FORWARDED_PROTO should be set to 'https'. Otherwise horizon will
respond with redirection to http.
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
Change-Id: I7706e52c01b3f0d72ea383a0476045e606078cff
`horizon_enable_ssl` is responsible for enabling TLS on horizon backend.
It defaults to `haproxy_ssl` which is generally used to enable TLS on
haproxy frontends.
It is more reasonable to disable it by default as it's done for other
services.
This patch does not change current behavior in gating as backend TLS
works only with horizon_external_ssl=False(while it's set to True by
default).
It also does not affect behavior of horizon's haproxy frontend
encryption.
Change-Id: I8f207426c9dc5bcefdec42c0bfc0f5f0376509a3
Supported ML2 provided types depends on the ML2 driver
and we should make it configurable in order to reflect dropdown list
that appears for admin panel while creating a network.
Closes-Bug: #2002897
Change-Id: Iceedf6af9559d48c28e0ee782a44f9ceb480119d
Add file to the reno documentation build to show release notes for
stable/zed.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.
Sem-Ver: feature
Change-Id: I52bd5d4b4e35317397242168c2f910d3ae4230ff
This patch changes the horizon ironic dashboard to be installed from
git sources like all of the other dashboards in an openstack-ansible
deployment.
Without this change the package installed from pypi is always the
latest released version and not aligned with the release
being deployed with openstack-ansible. This will potentially
cause the horizon service to fail to start if there is a severe
mismatch between horizon and ironic-ui.
Change-Id: I4dd03f3cd13878dafb621c70dd44a4fd0ff99ae3
This change provides the horizon role the ability to deploy its services
using uWSGI instead of apache. This feature produces a minimal horizon
deployment which is perfectly functional in cases where capabilities
like federation and SSL terminated all the way through are not needed.
Change-Id: I457a111511543731746d868ae7f7184743e5703b
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
This line snuck in with I6b68d4d15ae516d23c88b3c4c21a076e8d54604e
probably to bring it in line with other OSA roles, but should already
be covered by the distribution_major_version line above.
Change-Id: I72281dbc768e8f5f6b702d91abe63bc96376ac30
This change adds some python config to remove all of the deprecation
warnings horizon is spawning. The warnings are all coming from oslo
components which horizon is just inhereting inheriting and has no
control over. This change makes horizon logs legible.
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Change-Id: Idae4e42c971f53597ac3cf044ba82d7dd468e4a5
This change adds the ability within horizon to define a list of domains
which are trusted through the CSRF functions of django.
Change-Id: Ib92480e6caa74e050a99b36a54b2032714efb509
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
This variable was added in the Yoga release to permit changes
to how Horizon contacts Keystone in an IDP setup.
Change-Id: I959f0f84b264ffc25481e9becb3059f28a233010
With [1] pyscss version was bumped to 1.4.0. With that horizon also
requires pyscss>=1.4.0 which means there's no need to additionally
constraint it.
We also temporary disable all functional jobs to resolve circular
dependency.
Needed-By: https://review.opendev.org/c/openstack/openstack-ansible/+/847272
[1] 4fa5acc415
Change-Id: I5676d358d1ec38904fc067ab5f14711358f6031c
With sphinx release of 5.0.0, they changed default for language variable
to 'en' from None. With that current None valuable is not valid and should
not be used.
Change-Id: I7148e18813fd9dddd77392b20705e885fb41dd65
Openstack upper-constraints for the Yoga release does not specify
a version of pyScss which is compatible with python3.10, this only
starts to happen with the Zed release.
To obtain experimental support for Ubuntu Jammy with the Yoga
release we adjust the upper-constraints to describe a python3.10
compatible version of pyScss.
Change-Id: I04b7b8bc2c8e666f155cccf58bd920ee7d699d72
- SECURE_PROXY_ADDR_HEADER is being used to return the clients
remote address to the logs. On a failed login it is REMOTE_ADDR,
which will be the loadbalancer address,
SECURE_PROXY_ADDR_HEADER='HTTP_X_FORWARDED_FOR' makes sure the
real client IP makes it into the logfiles.
- https://docs.openstack.org/horizon/latest/configuration/settings.html#secure-proxy-addr-header
Change-Id: I0d68cd4ba7882eb4296a2e4df59afa6582c0303a
In order to avoid conflicts with other applications running Apache,
like keystone, we avoid using ports.conf for Listen and using VHost files
for this purpose.
We place same dummy template as keystone does for upgrade purposes.
Change-Id: I8a5ef5234b8aee1e7b3517e9543d2af0a84e90ce
barbican-ui has not yet reached a 1.0.0 release and does not provide
a functioning UI for the key manager service at this time.
Once barbican-ui has basic functionality we can consider enabling this again.
Change-Id: I9fc9147263881cc96f8e51b739d2ccf6f1f9fbf9
Instead of hardcoding lib directory for distro installs, we can
retrieve it dynamically based on the horizon.__file__ output
Change-Id: I8e87f9a9945b7526c90ca8c4dc09e43a86ab62e0
Closes-Bug: #1950798