Merge pull request #68 from simonpasquier/apache-support-for-keystone
Add class for running Keystone in Apache
diff --git a/cinder/control/notification/cadf.yml b/cinder/control/notification/cadf.yml
new file mode 100644
index 0000000..813dade
--- /dev/null
+++ b/cinder/control/notification/cadf.yml
@@ -0,0 +1,5 @@
+parameters:
+ cinder:
+ controller:
+ audit:
+ enabled: true
diff --git a/glance/control/notification/cadf.yml b/glance/control/notification/cadf.yml
new file mode 100644
index 0000000..0f2fbae
--- /dev/null
+++ b/glance/control/notification/cadf.yml
@@ -0,0 +1,5 @@
+parameters:
+ glance:
+ server:
+ audit:
+ enabled: true
diff --git a/haproxy/proxy/listen/kubernetes/apiserver.yml b/haproxy/proxy/listen/kubernetes/apiserver.yml
index a365c51..a45a71a 100644
--- a/haproxy/proxy/listen/kubernetes/apiserver.yml
+++ b/haproxy/proxy/listen/kubernetes/apiserver.yml
@@ -2,39 +2,23 @@
haproxy:
proxy:
listen:
- k8s_cluster:
+ k8s_secure:
type: kubernetes
+ options:
+ - ssl-hello-chk
binds:
- address: ${_param:cluster_vip_address}
- port: 8080
+ port: 443
servers:
- name: ${_param:cluster_node01_hostname}
host: ${_param:cluster_node01_address}
- port: 8080
+ port: 443
params: check
- name: ${_param:cluster_node02_hostname}
host: ${_param:cluster_node02_address}
- port: 8080
+ port: 443
params: check
- name: ${_param:cluster_node03_hostname}
host: ${_param:cluster_node03_address}
- port: 8080
- params: check
- k8s_cluster_localhost:
- type: kubernetes
- binds:
- - address: localhost
- port: 8080
- servers:
- - name: ${_param:cluster_node01_hostname}
- host: ${_param:cluster_node01_address}
- port: 8080
- params: check
- - name: ${_param:cluster_node02_hostname}
- host: ${_param:cluster_node02_address}
- port: 8080
- params: check
- - name: ${_param:cluster_node03_hostname}
- host: ${_param:cluster_node03_address}
- port: 8080
+ port: 443
params: check
\ No newline at end of file
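Review bot: `ssl-hello-chk` in the new `options` list only sends an SSLv3 client hello and waits for a server hello, so it does not validate the backend certificate and is likely to fail against API servers that refuse SSLv3. If the formula passes `params` through to the server line verbatim (not visible in this diff), `params: check check-ssl verify required ca-file <CA_FILE_PATH>` would give a real TLS handshake check. The hunk also renames `k8s_cluster` to `k8s_secure` and drops `k8s_cluster_localhost`, so any model that relied on this class for port 8080 must now include `apiserver_insecure.yml` explicitly. A comment at the top of the file such as `# TLS listener only; the 8080 listeners moved to apiserver_insecure.yml` would make that visible.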
diff --git a/haproxy/proxy/listen/kubernetes/apiserver_insecure.yml b/haproxy/proxy/listen/kubernetes/apiserver_insecure.yml
new file mode 100644
index 0000000..a365c51
--- /dev/null
+++ b/haproxy/proxy/listen/kubernetes/apiserver_insecure.yml
@@ -0,0 +1,40 @@
+parameters:
+ haproxy:
+ proxy:
+ listen:
+ k8s_cluster:
+ type: kubernetes
+ binds:
+ - address: ${_param:cluster_vip_address}
+ port: 8080
+ servers:
+ - name: ${_param:cluster_node01_hostname}
+ host: ${_param:cluster_node01_address}
+ port: 8080
+ params: check
+ - name: ${_param:cluster_node02_hostname}
+ host: ${_param:cluster_node02_address}
+ port: 8080
+ params: check
+ - name: ${_param:cluster_node03_hostname}
+ host: ${_param:cluster_node03_address}
+ port: 8080
+ params: check
+ k8s_cluster_localhost:
+ type: kubernetes
+ binds:
+ - address: localhost
+ port: 8080
+ servers:
+ - name: ${_param:cluster_node01_hostname}
+ host: ${_param:cluster_node01_address}
+ port: 8080
+ params: check
+ - name: ${_param:cluster_node02_hostname}
+ host: ${_param:cluster_node02_address}
+ port: 8080
+ params: check
+ - name: ${_param:cluster_node03_hostname}
+ host: ${_param:cluster_node03_address}
+ port: 8080
+ params: check
\ No newline at end of file
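Review bot: The `k8s_cluster` listener binds port 8080 on `${_param:cluster_vip_address}`. If 8080 is the API server's insecure port, as the file name suggests, requests through it skip authentication and authorization, so anything that can reach the VIP gets full API access. Consider keeping only the `k8s_cluster_localhost` bind in this class, or state the constraint at the top of the file, e.g. `# WARNING: exposes the unauthenticated API port on the cluster VIP; include only where the VIP is firewalled to trusted hosts`. The content is carried over from the old `apiserver.yml`, so this is an existing exposure made opt-in rather than a new one.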
diff --git a/heat/server/notification/cadf.yml b/heat/server/notification/cadf.yml
new file mode 100644
index 0000000..352e936
--- /dev/null
+++ b/heat/server/notification/cadf.yml
@@ -0,0 +1,5 @@
+parameters:
+ heat:
+ server:
+ audit:
+ enabled: true
diff --git a/keystone/server/notification/cadf.yml b/keystone/server/notification/cadf.yml
new file mode 100644
index 0000000..dffb278
--- /dev/null
+++ b/keystone/server/notification/cadf.yml
@@ -0,0 +1,4 @@
+parameters:
+ keystone:
+ server:
+ notification_format: cadf
diff --git a/linux/system/repo/mos92.yml b/linux/system/repo/mos92.yml
new file mode 100644
index 0000000..999bfde
--- /dev/null
+++ b/linux/system/repo/mos92.yml
@@ -0,0 +1,28 @@
+parameters:
+ linux:
+ system:
+ repo:
+ mirantis_openstack:
+ source: "deb http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/ mos9.0 main restricted"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/archive-mos9.0.key"
+ mirantis_openstack_holdback:
+ source: "deb http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/ mos9.0-holdback main restricted"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/archive-mos9.0.key"
+ mirantis_openstack_hotfix:
+ source: "deb http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/ mos9.0-hotfix main restricted"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/archive-mos9.0.key"
+ mirantis_openstack_proposed:
+ source: "deb http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/ mos9.0-proposed main restricted"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/archive-mos9.0.key"
+ mirantis_openstack_security:
+ source: "deb http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/ mos9.0-security main restricted"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/archive-mos9.0.key"
+ mirantis_openstack_updates:
+ source: "deb http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/ mos9.0-updates main restricted"
+ architectures: amd64
+ key_url: "http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/archive-mos9.0.key"
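Review bot: Every `key_url` here fetches the repository signing key over plain `http://`, so the key meant to authenticate the packages can itself be replaced in transit, and the `source` lines point at the same unauthenticated mirror. Prefer an `https://` URL if the mirror serves one, or ship the key inside the model and check its fingerprint out of band. The identical URL is repeated six times; defining it once as a `_param` and referencing it from each repo entry would keep a later key rotation to a single edit. Enabling `mos9.0-proposed` in the same class as the stable pockets also deserves a second look, since proposed pockets usually carry packages that have not finished testing.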
diff --git a/neutron/control/notification/cadf.yml b/neutron/control/notification/cadf.yml
new file mode 100644
index 0000000..f00f96f
--- /dev/null
+++ b/neutron/control/notification/cadf.yml
@@ -0,0 +1,5 @@
+parameters:
+ neutron:
+ server:
+ audit:
+ enabled: true
diff --git a/nova/control/notification/cadf.yml b/nova/control/notification/cadf.yml
new file mode 100644
index 0000000..2f2b1b1
--- /dev/null
+++ b/nova/control/notification/cadf.yml
@@ -0,0 +1,5 @@
+parameters:
+ nova:
+ controller:
+ audit:
+ enabled: true
diff --git a/openssh/server/team/ccp_team.yml b/openssh/server/team/ccp_team.yml
index c809ec9..3355dc1 100644
--- a/openssh/server/team/ccp_team.yml
+++ b/openssh/server/team/ccp_team.yml
@@ -16,6 +16,34 @@
full_name: Sergey Reshetnyak
home: /home/sreshetnyak
email: sreshetnyak@mirantis.com
+ apavlov:
+ enabled: true
+ name: apavlov
+ sudo: true
+ full_name: Andrey Pavlov
+ home: /home/apavlov
+ email: apavlov@mirantis.com
+ sryabin:
+ enabled: true
+ name: sryabin
+ sudo: true
+ full_name: Sergey Ryabin
+ home: /home/sryabin
+ email: sryabin@mirantis.com
+ slukjanov:
+ enabled: true
+ name: slukjanov
+ sudo: true
+ full_name: Sergey Lukjanov
+ home: /home/slukjanov
+ email: slukjanov@mirantis.com
+ ytaraday:
+ enabled: true
+ name: ytaraday
+ sudo: true
+ full_name: Yuriy Taraday
+ home: /home/ytaraday
+ email: ytaraday@mirantis.com
openssh:
server:
enabled: true
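Review bot: All four accounts added in this hunk get `sudo: true`, which grants root on every node that includes this team class; the `obourdon` entry added to `stacklight.yml` does the same. If some of these users only need unprivileged access, `sudo: false` plus a narrower sudoers rule would limit what a single stolen SSH key can do. What `sudo: true` expands to (password required or not) is defined in the formula and not visible in this diff, so that should be confirmed before merge. The enclosing user mapping starts above the hunk.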
@@ -30,8 +58,36 @@
public_keys:
- ${public_keys:sreshetnyak}
user: ${linux:system:user:sreshetnyak}
+ apavlov:
+ enabled: true
+ public_keys:
+ - ${public_keys:apavlov}
+ user: ${linux:system:user:apavlov}
+ sryabin:
+ enabled: true
+ public_keys:
+ - ${public_keys:sryabin}
+ user: ${linux:system:user:sryabin}
+ slukjanov:
+ enabled: true
+ public_keys:
+ - ${public_keys:slukjanov}
+ user: ${linux:system:user:slukjanov}
+ ytaraday:
+ enabled: true
+ public_keys:
+ - ${public_keys:ytaraday}
+ user: ${linux:system:user:ytaraday}
public_keys:
kproskurin:
key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBvuPnwVjS5AuxOp4Bd3zRFhE1IB7g5R8LMwfCpqokolV0pHw1QGbCFprBcahvR0daGla/lB0buUu1sCLmFm0QH/m3VD9PkY8VE/4XW58yCtA5/ANYqLchWaNxaaaQG8Sg3gxtcMwLUQ92HFejZT9c0jgQDRc8pTHHuPj/HuV1I2Cw2a/DHZtrMbMT27aAglrPFiMty+P1Gd5mdHAXK8sfK+LSZ9/PZ2IbW0fCGL3tE8rTwL7FG5rN7eeaX56lWwO3oQMu184Wi1vL/ukIt2sdRi6qvKAYfeELPzffo8GOhesQAq+BXzjpIo2HUT2gSkZid0YzX7lRLPWhAi1sdq3V oloremo@iHAL9000-2.local
sreshetnyak:
key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbc8cUMy2Stjq4qS8TaVGvTIUGetpgTcLCiW3NnG5Yqe+s+nlQnIL3ezvgSKHin4/PYHl8vV9FnmLdPLk+4eefoek1px8soW/B+Ri0KN6aQUy1ztcecMxcxRH9g4VLZWTbazqGsADwRCQVPXmyIQVQN5wMKd0IzXUp5c03dWv/I1PE7QPdKySrdhjjyo+1Npx/tQjtJaSnGCaUJrXfHXBxiiENzmHuY+se14nWV9RyYN3zRWsa8Yt1n2hWNNiKNfT89h6yFwZAxdsS+jGhzbGTLcWyAqq3sfvvgm0yeL5FEm0AKaOMv7AuM5LqjPkQE4zzCGA0j19EQlAjsVcvKHGH sreshetniak@workstation
+ apavlov:
+ key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC13FvtJl6OdwdiaLFYfJO5WaA7YUMi2/DJJECWtrjJPObGPeAQ1Z8zxQWanwZVhDO7E5oR7n/LmuKHaJkRIFyQEZY3mHS3k4yybg0Vqu2FcGWQO4P3R16v6qDLvuvu9S4sUkYF3k8oYDzwN/Vc+o7a4AkL5U5rjB3vbLWVdGg8G61jFjdekXbJdFCb0liPpcQrUe1yZmjE2E4ERPOZLCVADPiVzXJhtbKigbn/nwdk4D0g+eq3NW0AwJfkyCu6mt1xXfk6gmhUrBPh1ostWv6mSpD9bXvxIKv/QnIM4SUJ/RhJH0uhWtpH4GeXvnPXHs0bxfyq1GtQt5bD3gqCHruz apavlov@Andreys-MacBook-Pro.local
+ sryabin:
+ key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5KZguajyeerULef0PxEZGOvY2yzaFd+Ob9sdM1v57RZBOyu8EdfNwso1OuLRwrZP6o6V8OBJ95O1AKE0ay5PQzu3VlbZgQfVTazc7ngKOqvIZP7JYlxM58cHcU+Hu1fvtdDYbc0cOzIP1Cu+AA4ZRiqa9YxMbI8i8bKR+MdgX+yKErXiEeM6wMmg8MEyGFFLxNmeOY78pS4xxlFsyd78JkS+TCAStULIahffPDcJI02Kt1Af9lGRyM3fKoFlNx0/lsPncvTGz/trgjAae1Q6f1CrH2saXNtFSwi58Qs6sP4A9lxMTtkGhbUMhkInYg5w+9QnZcGYfBNqXvhA6qbrH
+ slukjanov:
+ key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOV5dNsXJ6aJMml7JSd4cJ54qYhOya18QNEdb7NJ88yo
+ ytaraday:
+ key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtcRlAQg3baU14eBh8THRv+1T5sHCGAIeFaReEB/KRT
diff --git a/openssh/server/team/stacklight.yml b/openssh/server/team/stacklight.yml
index 7dd7b62..4fc748f 100644
--- a/openssh/server/team/stacklight.yml
+++ b/openssh/server/team/stacklight.yml
@@ -44,6 +44,13 @@
full_name: Patrick Petit
home: /home/ppetit
email: ppetit@mirantis.com
+ obourdon:
+ enabled: true
+ name: obourdon
+ sudo: true
+ full_name: Olivier Bourdon
+ home: /home/obourdon
+ email: obourdon@mirantis.com
openssh:
client:
enabled: true
@@ -80,6 +87,11 @@
public_keys:
- ${public_keys:ppetit}
user: ${linux:system:user:ppetit}
+ obourdon:
+ enable: true
+ public_keys:
+ - ${public_keys:obourdon}
+ user: ${linux:system:user:obourdon}
public_keys:
newt:
key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3odU+3V2uDA2ptAFL9hrJRPNEEdAyztWOZFQ5Oyd9oerTGOU3p4xmrgWWjfKFKbYGhiiIUcYAol5PkTfKukGEkkjCHYA1t023soCaaAj85wCZCnw2zQNAziwxTYmAzTqgxiSvtZNMMrtJvFHRIRDzJ3M1lV0prWNWkMM1/3FAd4W49y6VT3fkMCo8uqG7CfGdgR2DgBCxf9KaNPfW5eDEPOgmE5lK8tVSEI6T+Cg7hbcTf4lFYnlFBnlQgp/0JstsM4Vbwb4B34LOpOsf2S8rrWk2xQMjwaMHXkc2s/E8iW3F5nVFuyEXYISFQIiAHw8dzC6CHgLcyHUVWwznKawZ newt@newt-dev1
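Review bot: The new `obourdon` entry under the openssh users uses `enable: true`, while the equivalent entries added to `ccp_team.yml` in this same commit use `enabled: true`; this looks like a typo. Depending on how the formula treats a missing `enabled` key, the public key may never be installed, or it may be installed with no working switch to turn it off later. Change the line to `enabled: true`. The surrounding mapping starts outside the hunk, so the other stacklight entries cannot be compared here.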
@@ -93,3 +105,5 @@
key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUfVxx6qi4fay4znw8M6yLJJcRr3pdvPPihTAszioFJP9V/GBbqfkofTfeKdpdvJ4j25p40boiDt43Ek7LfcRmKMP9+2SEfk9W7ec/umM8Mer+h4ocnShVQm69weELVUfr9q4G+qWf14ANc9D097bclqQ6FP/cjy8HodVPgQ+i1lpMjwP6xvAAERJJH353lCFsxkh2N8aOi9YcP9M2lQeKWM+eYFsdcmTFAPHbgPq0K4ma6/YXw5UibEBClYu1u4OJTFZSI3z8kERb2cU0aFGYAduiynDMBKM7y7YAoksgBOVprq0huEMFUqJ3vsrZbPn55GIpzmBga+EGnNbSCadt swann@scroiset
ppetit:
key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUGCb+mGidT4FRa4rJxoYx39NX2vCjRw+CmCQJW/Uf6xc0NNp5WRWJ0hnyIMRVVfehvfjdXPo4bO4cXIwmo06C1Wx+DMyvjI9NvuHtt52p3QTsh+PYZe5t4hFuGh7veWQw3LuLtDLVlVS633FQMgT/BXDaBc65yfN9CuV6lHqZ6KPKoGAi3ADlcQFqhFttO+GsVkxd6uGtelnbYXsDMwylCIKop0C/obu6wG85d/8Q2/Zts5CvUcCiCNfZtl8otgNMrpfnuhC0xAsmgwDxqK2kshxUujclyFfO7ixl+E9Plc7kUJvodNbzOcAmY3YpuHVoJQkHx/Ou81/q+JOVtFxz ppetit@baobab
+ obourdon:
+ key: ssh-rsa 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 obourdon@mirantis.com
diff --git a/salt/master/formula/git/ccp.yml b/salt/master/formula/git/ccp.yml
index b124870..c8f1c65 100644
--- a/salt/master/formula/git/ccp.yml
+++ b/salt/master/formula/git/ccp.yml
@@ -6,5 +6,5 @@
formula:
ccp:
source: git
- address: '{_param:salt_master_environment_repository}/salt-formula-ccp.git'
+ address: '${_param:salt_master_environment_repository}/salt-formula-ccp.git'
revision: ${_param:salt_master_environment_revision}
diff --git a/salt/minion/cert/k8s_client_certificate.yml b/salt/minion/cert/k8s_client.yml
similarity index 90%
rename from salt/minion/cert/k8s_client_certificate.yml
rename to salt/minion/cert/k8s_client.yml
index 37bf618..06d83c4 100644
--- a/salt/minion/cert/k8s_client_certificate.yml
+++ b/salt/minion/cert/k8s_client.yml
@@ -7,6 +7,7 @@
authority: ${_param:salt_minion_ca_authority}
key_file: /etc/kubernetes/ssl/kubelet-client.key
cert_file: /etc/kubernetes/ssl/kubelet-client.crt
+ ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
common_name: kubelet-client
signing_policy: cert_client
alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
\ No newline at end of file
diff --git a/salt/minion/cert/k8s_server.yml b/salt/minion/cert/k8s_server.yml
new file mode 100644
index 0000000..d9b1da6
--- /dev/null
+++ b/salt/minion/cert/k8s_server.yml
@@ -0,0 +1,13 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ k8s_server:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: kubernetes-server
+ key_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.key
+ cert_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.crt
+ all_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.pem
+ signing_policy: cert_server
+ alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
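Review bot: `key_file` and `all_file` now write the API server's private key under `/srv/salt/env/${_param:salt_master_base_environment}/_certs/`, which looks like a Salt file-server root; if it is, any minion able to request `salt://` files could fetch the key. Confirm that this directory is not served to arbitrary minions, or distribute the key through pillar targeted only at the API server nodes, and record the decision in a comment above `key_file`. The `ca_file` entry from the deleted `k8s_server_certificate.yml` is also gone, so whatever read `/etc/kubernetes/ssl/ca-kubernetes.crt` on the server side now depends on the client class setting it.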
diff --git a/salt/minion/cert/k8s_server_certificate.yml b/salt/minion/cert/k8s_server_certificate.yml
deleted file mode 100644
index 835f043..0000000
--- a/salt/minion/cert/k8s_server_certificate.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-parameters:
- salt:
- minion:
- cert:
- k8s_server:
- host: ${_param:salt_minion_ca_host}
- authority: ${_param:salt_minion_ca_authority}
- common_name: kubernetes-server
- key_file: /etc/kubernetes/ssl/kubernetes-server.key
- cert_file: /etc/kubernetes/ssl/kubernetes-server.crt
- ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
- signing_policy: cert_server
- alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
\ No newline at end of file