Expose additional Horizon security params in accordance with the
OpenStack Security Guide [0]
- Check-Dashboard-03: Is DISALLOW_IFRAME_EMBED parameter set to True
- Check-Dashboard-07: Is PASSWORD_AUTOCOMPLETE set to False
[0] https://docs.openstack.org/security-guide/dashboard/checklist.html
Change-Id: I355ddbc9fb1dcd0a6100ee650afd54680ef9ffbd
this role is not actually required since ~Kilo
I3f1b70b78b91bfac9af5fadb71140679b208c999
plus the heat chart already sets the trusts_delegated_roles option
for Heat to pass all roles to the trust
Change-Id: Icf900f318d3173d63c5967857d96f7d2a7f9aa5b
This adds both a periodic and experimental job for deploying Ceph
and the OSH components via Armada. This job will then generate a
new release uuid, render an updated manifest for all previously
deployed releases, then apply that manifest to validate the
ability for all deployed charts to update successfully with the
new release uuid annotation
Change-Id: I6f2125f3505904c4714688e7a9900b8d6bea49b4
This adds wait timeouts to nova and neutron to circumvent timeout
issues with deploying those two releases
Change-Id: I3fcc9ef5f16ecbc6dc33fc52df22c2d5ff504fb7
This updates the openstack-helm Armada job to instead deploy
only Ceph, the OpenStack service charts, and their dependencies.
This is dependent on the addition of the Armada job for Ceph and
the LMA components to openstack-helm-infra. This also updates the
jobs definition to use the osh-gate-runner playbook instead, as
well as sets the job both to a periodic and experimental job
Depends-On: https://review.openstack.org/#/c/634676/
Depends-On: https://review.openstack.org/#/c/633067/
Change-Id: I7e191a153f123e04e123acc33fb691d8117062a9
In accordance with the OpenStack Security Guide this PS updates
the cinder.conf to explicity set the auth_strategy param.
Change-Id: Ie0a2b9ffebb597166851226eabac4924c34e1404
Signed-off-by: Pete Birley <pete@port.direct>
This simply adds the release uuid value to the chart overrids in
the Armada manifests, which allows for validation that the release
uuid is appropriately added as an annotation to the resulting pods
Change-Id: I53dc31ed9849ea321064184817549c0e90c34378
1. Chart name : change from "ceph" to "ceph-rgw"
2. Postfix of environment variable's name
: change from "OPENSTACK" to "CEPH"
Change-Id: I03a4e12457cec1811b6fa03367811f74e4bb8b83
Signed-off-by: Deokjin Kim <deokjin81.kim@samsung.com>
To get openstack related metrics, prometheus-openstack-exporter need to
access to keystone. So add prometheus-openstack-exporter to network
policy of keystone.
Change-Id: I31106a10e512578a35122949c3cff698b1bc482b
Signed-off-by: Deokjin Kim <deokjin81.kim@samsung.com>
This PS moves the default to use public endpoints for heat clients
eg: waitcondition url generation consumed by cloudinit in vms.
Change-Id: I24113c969f2b310a48cf128a1ada78930c69a4e1
Signed-off-by: Pete Birley <pete@port.direct>
This change adds a zuul check job to export any templated python
contained in the helm charts and scan it with bandit for any
potential security flaws.
This also adds two nosec comments on the instances of subprocess
used as they currently do not appear to be malicious, as well
as changing the endpoint_update python code to prevent sql
injection, which satisfies bandit code B608.
Change-Id: I2212d26514c3510353d16a4592893dd2e85cb369
This PS allows to customize (and disable) information about OS and
Apache version displayed on pages with error messages.
Change-Id: Ic4d19bcc90dadf5cf26faa5c8fb39de00a6f3212
This PS updates the cinder volume template to restore rootwrap
operation.
Change-Id: Ifc6d2442e536e22dca0563bb16634fd9accf44e1
Signed-off-by: Pete Birley <pete@port.direct>
This parameter has been deprecated in Newton and removed [1]
in Ocata.
[1] https://review.openstack.org/#/c/385604/
Change-Id: Ib80cc6634d0fba8ddd2a8e5c9d26a6a0524164b8
This PS disables the server status page of Apache.
On the page provided information which can aid the
malicious user in finding vulnerabilities in the system.
Change-Id: I11104b10359808dc78a214ebb531d710ec353f60
cinder-backup container should reference cinder-backup-rbd-keyring
not cinder-volume-rbd-keyring if the backend driver of cinder backup
is ceph.
Change-Id: Icb7f80a01fc332ee13a42533f8e41e447008c2f4
This disables static page on Apache which would disable Directory
Listings. This is done as a part of Security defect.
Change-Id: Ia1aa07c83c0db9dc33be6d1dfa7e2e60b3a33de9
This removes the NovaImages.list_images test from the rally
tests defined in the nova chart, as the updated rally version
seemingly doesn't include this test. This caused the multinode
periodic job to fail.
See: http://zuul.openstack.org/build/9628003399d640e683945260d9738ade
Change-Id: I9515fc3fee192ee6636e85a745071f93ff86c051
This patch set host_interface for update host_ip information in compute
node.
Currently helm chart defines the value of my_ip set "0.0.0.0",
therefore host_ip of compute node is null.
$ nova hypervisor-show {uuid}
+---------------------------+------------------------------------------+
| Property | Value |
+---------------------------+------------------------------------------+
| cpu_info_arch | x86_64 |
.
.
| host_ip | None |
Through this patch, OpenStack can provide appropriate values for
the required field.
Change-Id: I05f929cb2c777582c177e8c7a64b9fd431d554ec
This updates the Armada LMA manifest to include overrides for
recent changes to the LMA services in osh-infra
Change-Id: Ib1ec2c23570a86d63df35a9f0d690d9e625f1dd0
The repo used both openstackdocstheme and oslosphinx in requirements but
then configured openstackdocstheme, remove oslosphinx everywhere.
Instead of using sphinx-build, use docstheme-build-translated.sh to
build English and translated documents.
Update doc/source/conf.py for newer openstackdocstheme and require
a new enough version.
Remove module index - it does not exist, this is not a python repo where
autodoc works.
Remove sphinx-quickstart generated output from index.rst, it's not
needed anymore.
Change-Id: Ib3f09128226f0bcc78384b1ee2da811d62a5b59d
- Change all tests to support Mimic and Luminous releases
- Update ceph-config-helper dockerfile to use Mimic Ceph binaries
Change-Id: I06a545c1964eaa5b983c58db48b6ad4ccaaa3b8b
A change was merged that had commented out the check jobs. This
simply uncomments them so checks run against changes to
openstack-helm
The change can be found here: https://review.openstack.org/#/c/591808/48
Change-Id: Ia100f1248ebe783d154420c543a9b19fb1ba4ccc
