* Update openstack-ansible-os_horizon from branch 'master'
to ae8f6f9f1967c8d7921e9fe37a5d36a279e5fb82
- Merge "Detect OVN VPNaaS installation"
- Detect OVN VPNaaS installation
Since plugin name has changed for OVN, we need to account for it when
deciding if panel should be enabled or not.
Change-Id: Id0923a497e751350c9308726ccbb85b6aa6c36c4
* Update openstack-ansible-os_horizon from branch 'master'
to ec4b2b48f64d417182e95d44ba21bd0ae62beea0
- Use overridable URL for github rather than hard-coding
For isolated deployments which use mirrors it is necessary
to be able to override the github.com URL currently used
in horizon_pip_packages
Change-Id: I767b921dd9114fb6afa6a93d80e3927da481e5ae
* Update openstack-ansible-os_horizon from branch 'master'
to 5d0255cf26f75e035ad2eaddf848ea0f70007206
- Merge "Reflect horizon_webroot setting in Apache vhost configuration"
- Reflect horizon_webroot setting in Apache vhost configuration
Changing only horizon_webroot is not sufficient without adjustments
to horizon Apache vhost.
Change-Id: I25707600c2b05a7f816a7c4ea38c8985717df2d3
* Update openstack-ansible-os_horizon from branch 'master'
to 99499ec28983a724f5a766ad13d5b3de92a55fdd
- Merge "Do not change mode of files recursively"
- Do not change mode of files recursively
Current behavior leads to all files having executable bit which is not
anticipated or required behaviour.
Thus, we should avoid defining mode recursively to the directory
Closes-Bug: #2052011
Change-Id: I30b9b6a70d2cabfb1f1f434cd883ea2503d867bc
* Update openstack-ansible-os_horizon from branch 'master'
to e62a2cd3ad766ec9610852ccd94f66005299c8b5
- Deploy default policy files
At the moment our role does not account for provisionment of default
policy files for extra dashboards.
While they should not be required, it has been reported that absence
of such policy files results in unexpected behaviour. So let's symlink them
alike to how we do with regular policies.
Closes-Bug: #2055415
Change-Id: I683c12938fd4aa67304f564678514bc48bd86a79
* Update openstack-ansible-os_horizon from branch 'master'
to a57aeff9385da173dbea6a16ee8e880c432f4455
- Address Django Deprecations for 4.1
django.utils.translation.ugettext_lazy() is deprecated in favor of the
functions that they’re aliases for: django.utils.translation.gettext_lazy()
With that MemcachedCache backend was also deprecated in favor of
PyMemcacheCache. MemcachedCache was removed in django 4.1
https://docs.djangoproject.com/en/4.0/releases/3.0/#id3
Change-Id: I9b77b33fbc4a9560c72504f935bf7f9082fefdd7
* Update openstack-ansible-os_horizon from branch 'master'
to d4ef66fc028477709d6e4bd36a2bb39c957c3eae
- Override pyScss version with a bugfixed one
In order to compress static files against python 3.11 a fixed version
with fixed regexp in pyScss is needed. While fix is merged, pyScss is
not tagged/released yet.
While this required only for Debian12, it will work nicely also with older
python versions, since there're almost no changes in the package.
instead of building based on SHA.
Change-Id: I76f945310b70c1b081800c5ba0ec922795b60a73
* Update openstack-ansible-os_horizon from branch 'master'
to 85801c9d105e78df45a4dbb3adc5e98c957b91c2
- Fix linters for example playbook
Change-Id: I36675c9bc208e7e26c3ee6a50f21b92003b9833e
* Update openstack-ansible-os_horizon from branch 'master'
to 5d635c469af4e9c9bb85615257e3bb3738ce3a29
- Fix wrong neutron_ml2_drivers_type
neutron_ml2_drivers_type is a string, not a list, while default
value for it is a list. Local settings also assume that it is a list.
So we ensure that the value is a string by default now and
treat it as string in the code.
Change-Id: Ida72c712153dcda4cd06e0959f98ade4fee8dfbd
* Update openstack-ansible-os_horizon from branch 'master'
to 1ebeab7d26a32a9f29b680b59e526d57d8371ea4
- Merge "Stop referring _member_ role"
- Stop referring _member_ role
Keystone has stopped providing or referring `_member_` role for a while,
thus role should not be referenced anymore.
Moreover, with 2023.1 service policies have dropped `_member_`
which resulted in the role to be insufficient for basic operations.
Change-Id: I99bf418c6cb93d5f3cafc818a8cc876a49fb0357
Related-Bug: #2029486
* Update openstack-ansible-os_horizon from branch 'master'
to fe4bf78553a49e1ace54ef0cbd94be4887089810
- Define constraints file for docs and renos
Right now we are not using any constraints for docs and releasenotes builds.
This has resulted in docs job failures once Sphinx 7.2.0 has been released.
The patch will ensure that constraints are used and we should not face
similar issue again.
TOX_CONSTRAINTS_FILE is updated by Release bot once new branch is created,
so it should always track relevant constraints.
Some extra syntax-related changes can apply, since patch is being passed
through ConfigParser, that does not preserve comments and align indenting.
Change-Id: Id609280a58ce263f8860b24762c5670a1a421a3f
* Update openstack-ansible-os_horizon from branch 'master'
to a4ecbfc6dcc85ed01c09b34efe7ee8672b67b579
- Fix linters and metadata
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that are enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metadata to reflect current state.
Change-Id: I40ff3ec0393bf90836d943fc09e74d6a5f207b48
* Update openstack-ansible-os_horizon from branch 'master'
to db7110d29788701a23ee8713a58c70e4e8e01ad2
- Add PKI support to horizon backends
Replace legacy SSL support with ansible-role-pki.
It is used to generate required TLS certificates if needed.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Id2f9d6f911cee6e58c261c1a68c34a37ab9ced4f
* Update openstack-ansible-os_horizon from branch 'master'
to 4686326650d265fbd287e4bccb3e38f4b2292c20
- Rename horizon_enable_ssl to horizon_backend_ssl
To standardize variable name across roles, this change renames
`horizon_enable_ssl` to `horizon_backend_ssl`.
All other roles use `<service>_backend_ssl` format.
It also better describes what it does. With `horizon_enable_ssl` it's
unclear whether it is about frontend or backend.
Backward compatibility will be kept until 2024.1.
Change-Id: I218d45b7be667732e4204316b8d18fa3e136962b
* Update openstack-ansible-os_horizon from branch 'master'
to c92f45e3afa0820ae9064c83e5ab7a1491071508
- Fix horizon_enable_ssl logic
Current logic does not allow horizon backend to listen on https
(`horizon_enable_ssl`) if external loadbalancer serves TLS
(`horizon_external_ssl`).
It basically forces backend to listen on plain http in this case which
does not make any sense. It should be possible to enable TLS on both
loadbalancer and horizon backend.
Additionally, with this patch, role defines a proper
HTTP_X_FORWARDED_PROTO header value (it's included in
`horizon_secure_proxy_ssl_header` and
`horizon_secure_proxy_ssl_header_django` and can be set to 'http' or
'https') based on whether external load balancer listens on https
(`horizon_external_ssl`)[1].
For example if loadbalancer listens on https and backend on http,
HTTP_X_FORWARDED_PROTO should be set to 'https'. Otherwise horizon will
respond with redirection to http.
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
Change-Id: I7706e52c01b3f0d72ea383a0476045e606078cff
* Update openstack-ansible-os_horizon from branch 'master'
to 9c07e79890692cb477005cf34139fd20d4417be7
- Change default value for horizon_enable_ssl
`horizon_enable_ssl` is responsible for enabling TLS on horizon backend.
It defaults to `haproxy_ssl` which is generally used to enable TLS on
haproxy frontends.
It is more reasonable to disable it by default as it's done for other
services.
This patch does not change current behavior in gating as backend TLS
works only with horizon_external_ssl=False (while it's set to True by
default).
It also does not affect behavior of horizon's haproxy frontend
encryption.
Change-Id: I8f207426c9dc5bcefdec42c0bfc0f5f0376509a3
* Update openstack-ansible-os_horizon from branch 'master'
to e61dab9a05be476c442ec667be81d7bbd774777f
- Allow to override supported_provider_types
Supported ML2 provider types depend on the ML2 driver
and we should make it configurable in order to reflect dropdown list
that appears for admin panel while creating a network.
Closes-Bug: #2002897
Change-Id: Iceedf6af9559d48c28e0ee782a44f9ceb480119d
* Update openstack-ansible-os_horizon from branch 'master'
to 56f670c41ac76c1fa2f7881af36a41fb6147a15e
- Update master for stable/zed
Add file to the reno documentation build to show release notes for
stable/zed.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.
Sem-Ver: feature
Change-Id: I52bd5d4b4e35317397242168c2f910d3ae4230ff
* Update openstack-ansible-os_horizon from branch 'master'
to a20dfea4cf556542284ea89e0c9885d77ad5becb
- Install ironic-ui from git source rather than a pip package
This patch changes the horizon ironic dashboard to be installed from
git sources like all of the other dashboards in an openstack-ansible
deployment.
Without this change the package installed from pypi is always the
latest released version and not aligned with the release
being deployed with openstack-ansible. This will potentially
cause the horizon service to fail to start if there is a severe
mismatch between horizon and ironic-ui.
Change-Id: I4dd03f3cd13878dafb621c70dd44a4fd0ff99ae3
* Update openstack-ansible-os_horizon from branch 'master'
to 43cb7e1243860eb4cc903e4dd18d18862e6085e7
- Merge "Add uwsgi option to horizon"
- Add uwsgi option to horizon
This change provides the horizon role the ability to deploy its services
using uWSGI instead of apache. This feature produces a minimal horizon
deployment which is perfectly functional in cases where capabilities
like federation and SSL terminated all the way through are not needed.
Change-Id: I457a111511543731746d868ae7f7184743e5703b
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
* Update openstack-ansible-os_horizon from branch 'master'
to e2e135c2cbba8c6a2529840dadc789028b591939
- Merge "Add python filter to eliminate deprecation warnings"
- Add python filter to eliminate deprecation warnings
This change adds some python config to remove all of the deprecation
warnings horizon is spawning. The warnings are all coming from oslo
components which horizon is just inheriting and has no
control over. This change makes horizon logs legible.
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Change-Id: Idae4e42c971f53597ac3cf044ba82d7dd468e4a5
* Update openstack-ansible-os_horizon from branch 'master'
to 1cc07a1b0b6ceb1673dda35b693ad37f552d9fc2
- Remove redundant vars line
This line snuck in with I6b68d4d15ae516d23c88b3c4c21a076e8d54604e
probably to bring it in line with other OSA roles, but should already
be covered by the distribution_major_version line above.
Change-Id: I72281dbc768e8f5f6b702d91abe63bc96376ac30
* Update openstack-ansible-os_horizon from branch 'master'
to 10126daa9ceaa98ef8cf84331880d1fcc4d4b7b9
- Add the ability to define CSRF_TRUSTED_ORIGINS
This change adds the ability within horizon to define a list of domains
which are trusted through the CSRF functions of django.
Change-Id: Ib92480e6caa74e050a99b36a54b2032714efb509
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
* Update openstack-ansible-os_horizon from branch 'master'
to 24ce4641bcbba87547f698ca1db31ed93cf8e407
- Merge "Add support for websso http referer variable added in yoga"
- Add support for websso http referer variable added in yoga
This variable was added in the Yoga release to permit changes
to how Horizon contacts Keystone in an IDP setup.
Change-Id: I959f0f84b264ffc25481e9becb3059f28a233010
* Update openstack-ansible-os_horizon from branch 'master'
to 2814ae269d86fa9c6bb2fd2abe37adc9e442c9bb
- tls1.2: update ciphers to latest recommendations
Based upon usual recommendations from:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
Change-Id: Ic7bd2c04e850f31952493163c2a4050909b38388
* Update openstack-ansible-os_horizon from branch 'master'
to 2c9f231d6aea5d11f3033a5812656d96e757f206
- Release pyscss constraints
With [1] pyscss version was bumped to 1.4.0. With that horizon also
requires pyscss>=1.4.0 which means there's no need to additionally
constrain it.
We also temporarily disable all functional jobs to resolve circular
dependency.
Needed-By: https://review.opendev.org/c/openstack/openstack-ansible/+/847272
[1] 4fa5acc415
Change-Id: I5676d358d1ec38904fc067ab5f14711358f6031c
* Update openstack-ansible-os_horizon from branch 'master'
to 99f8b02ba0052fd111b0ad4f12831203a9b594a3
- Switch sphinx language to en
With sphinx release of 5.0.0, they changed default for language variable
to 'en' from None. With that current None value is not valid and should
not be used.
Change-Id: I7148e18813fd9dddd77392b20705e885fb41dd65
* Update openstack-ansible-os_horizon from branch 'master'
to aa9468459fc0fdc71566fc5eaab5ddf958947e5b
- Merge "Override pyScss version for python3.10"
- Override pyScss version for python3.10
Openstack upper-constraints for the Yoga release does not specify
a version of pyScss which is compatible with python3.10, this only
starts to happen with the Zed release.
To obtain experimental support for Ubuntu Jammy with the Yoga
release we adjust the upper-constraints to describe a python3.10
compatible version of pyScss.
Change-Id: I04b7b8bc2c8e666f155cccf58bd920ee7d699d72
* Update openstack-ansible-os_horizon from branch 'master'
to 1ed0cea42aa5ead4897eb191e616b3530e5a97d0
- Merge "Improve defining horizon_lib_dir"
- Improve defining horizon_lib_dir
Instead of hardcoding lib directory for distro installs, we can
retrieve it dynamically based on the horizon.__file__ output
Change-Id: I8e87f9a9945b7526c90ca8c4dc09e43a86ab62e0
Closes-Bug: #1950798
* Update openstack-ansible-os_horizon from branch 'master'
to 36074ecf4c18e24d9fcc340eb9815029c2851a74
- Merge "Only support python3 for apache wsgi module"
- Only support python3 for apache wsgi module
Remove logic supporting python2.
Change-Id: I6897713f1a46311944a384e31fb9caefb27acf4f
* Update openstack-ansible-os_horizon from branch 'master'
to d19c9c2cbb897eb911bd01369ea3855f33aab3b4
- horizon_local_settings.py.j2: adding SECURE_PROXY_ADDR_HEADER
- SECURE_PROXY_ADDR_HEADER is being used to return the client's
remote address to the logs. On a failed login it is REMOTE_ADDR,
which will be the loadbalancer address,
SECURE_PROXY_ADDR_HEADER='HTTP_X_FORWARDED_FOR' makes sure the
real client IP makes it into the logfiles.
- https://docs.openstack.org/horizon/latest/configuration/settings.html#secure-proxy-addr-header
Change-Id: I0d68cd4ba7882eb4296a2e4df59afa6582c0303a
* Update openstack-ansible-os_horizon from branch 'master'
to fec5dcbece8c188b4a4d856658f8bf7753695948
- Merge "Move Listen definition to VHosts"
- Move Listen definition to VHosts
In order to avoid conflicts with other applications running Apache,
like keystone, we avoid using ports.conf for Listen and using VHost files
for this purpose.
We place same dummy template as keystone does for upgrade purposes.
Change-Id: I8a5ef5234b8aee1e7b3517e9543d2af0a84e90ce
* Update openstack-ansible-os_horizon from branch 'master'
to 51bea1095110777e30a357616e16d0f7c60b25a3
- Disable barbican-ui dashboard
barbican-ui has not yet reached a 1.0.0 release and does not provide
a functioning UI for the key manager service at this time.
Once barbican-ui has basic functionality we can consider enabling this again.
Change-Id: I9fc9147263881cc96f8e51b739d2ccf6f1f9fbf9
* Update openstack-ansible-os_horizon from branch 'master'
to aa976a0544fb99f218950499102c3883b2808671
- Merge "Fix default multidomain choices"
- Fix default multidomain choices
We're missing comma at the end of set, which leads to error.
We additionally define condition when choices will be added to config.
Change-Id: I6b1c24fae22e9adb9e16fade4229d5761ac0b520
Closes-Bug: #1958645
* Update openstack-ansible-os_horizon from branch 'master'
to 72642499e8be6bf4141281947e9c36342bba6cf2
- Merge "Adjust default configuration to support TLS v1.3"
- Adjust default configuration to support TLS v1.3
This adds a new variable to manage TLS v1.3 cipher suites.
The old variable for TLS v1.2 and below ciphers is renamed for
consistency, but is still supported as a default where overridden
by deployments.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/823943
Change-Id: Ib43d465c8fa24ec7d14174ecc17bce0b3e8bd7a4
* Update openstack-ansible-os_horizon from branch 'master'
to c22a552c6f27e7e4bb06a4b2c9d55fbe35edba19
- Refactor use of include_vars
Use a first_found lookup instead of a with_first_found loop so that
the 'paths' parameter can be used.
This ensures that only vars from the role are included, and not vars
from a parent calling role. This can happen when a parent role has
a higher priority vars file available for inclusion than the role
it calls.
Change-Id: I6b68d4d15ae516d23c88b3c4c21a076e8d54604e
* Update openstack-ansible-os_horizon from branch 'master'
to 060bf6c513ba5561f722e109eb4b1adefce7f5d4
- Use config_template as a collection
Since we still use ceph-ansible that has their own implementation of
config_template module it's worth to use mentioned module as a collection
explicitly.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819814
Change-Id: I649c5d02b9c909a3339799711a4a7816381a6626
* Update openstack-ansible-os_horizon from branch 'master'
to 2fba97948e1d340d3ac626d2223c1b41bf52e464
- Merge "setup.cfg: Replace dashes with underscores"
- setup.cfg: Replace dashes with underscores
Setuptools v54.1.0 introduces a warning that the use of dash-separated
options in 'setup.cfg' will not be supported in a future version [1].
Get ahead of the issue by replacing the dashes with underscores. Without
this, we see 'UserWarning' messages like the following on new enough
versions of setuptools:
UserWarning: Usage of dash-separated 'description-file' will not be
supported in future versions. Please use the underscore name
'description_file' instead
[1] https://github.com/pypa/setuptools/commit/a2e9ae4cb
Change-Id: Ibbb59bdd6b7ae0794ebe0f5c351e542e2affcf40
* Update openstack-ansible-os_horizon from branch 'master'
to 2447deec622a716abfa4495108e71f9c75c3c2fe
- Add option to override horizon policies
In case policies are overridden for services,
horizon maintains and ships its own set of policies that should be
separately overridden.
Depends-On: https://review.opendev.org/754382
Change-Id: I7099a5b11390d3296c7b4bb74d69670c7fe64f58
* Update openstack-ansible-os_horizon from branch 'master'
to f5503147c334e138383323b878e4bb31dd562495
- Changed minversion in tox to 3.18.0
The patch bumps min version of tox to 3.18.0 in order to
replace tox's whitelist_externals by allowlist_externals option:
https://github.com/tox-dev/tox/blob/master/docs/changelog.rst#v3180-2020-07-23
Change-Id: Ifacd740e31ebbeaadc8e620cebd429f54c0dd3d4
* Update openstack-ansible-os_horizon from branch 'master'
to 4bcf6aef0e0c575e1d1dd61f5c9ed71921fe62c6
- Replace linters test with integrated one
We've created integrated linters check job a while back and it's successfully
working for several releases. At the moment we experience difficulties
with future maintenance of the linters check from the openstack-ansible-tests
repo. So instead of fixing current one, we replace it with modern version of
the test.
Change-Id: Ib0ca232bfdb6528fa7638c34c628406a9c6d8d37