Merge pull request #68 from simonpasquier/apache-support-for-keystone

Add class for running Keystone in Apache
diff --git a/cinder/control/notification/cadf.yml b/cinder/control/notification/cadf.yml
new file mode 100644
index 0000000..813dade
--- /dev/null
+++ b/cinder/control/notification/cadf.yml
@@ -0,0 +1,5 @@
+parameters:
+  cinder:
+    controller:
+      audit:
+        enabled: true
diff --git a/glance/control/notification/cadf.yml b/glance/control/notification/cadf.yml
new file mode 100644
index 0000000..0f2fbae
--- /dev/null
+++ b/glance/control/notification/cadf.yml
@@ -0,0 +1,5 @@
+parameters:
+  glance:
+    server:
+      audit:
+        enabled: true
diff --git a/haproxy/proxy/listen/kubernetes/apiserver.yml b/haproxy/proxy/listen/kubernetes/apiserver.yml
index a365c51..a45a71a 100644
--- a/haproxy/proxy/listen/kubernetes/apiserver.yml
+++ b/haproxy/proxy/listen/kubernetes/apiserver.yml
@@ -2,39 +2,23 @@
   haproxy:
     proxy:
       listen:
-        k8s_cluster:
+        k8s_secure:
           type: kubernetes
+          options:
+            - ssl-hello-chk
           binds:
           - address: ${_param:cluster_vip_address}
-            port: 8080
+            port: 443
           servers:
           - name: ${_param:cluster_node01_hostname}
             host: ${_param:cluster_node01_address}
-            port: 8080
+            port: 443
             params: check
           - name: ${_param:cluster_node02_hostname}
             host: ${_param:cluster_node02_address}
-            port: 8080
+            port: 443
             params: check
           - name: ${_param:cluster_node03_hostname}
             host: ${_param:cluster_node03_address}
-            port: 8080
-            params: check
-        k8s_cluster_localhost:
-          type: kubernetes
-          binds:
-          - address: localhost
-            port: 8080
-          servers:
-          - name: ${_param:cluster_node01_hostname}
-            host: ${_param:cluster_node01_address}
-            port: 8080
-            params: check
-          - name: ${_param:cluster_node02_hostname}
-            host: ${_param:cluster_node02_address}
-            port: 8080
-            params: check
-          - name: ${_param:cluster_node03_hostname}
-            host: ${_param:cluster_node03_address}
-            port: 8080
+            port: 443
             params: check
\ No newline at end of file
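Review bot: The `ssl-hello-chk` option added under `k8s_secure` only checks that each backend answers an SSL hello; it does not validate the server certificate or show that the API server is healthy. HAProxy documents this check as sending an SSLv3-style hello, which backends with legacy protocol versions disabled may reject. A check that performs a real handshake is more reliable, for example `params: check check-ssl ca-file <CA_FILE_PATH>` on each server line (placeholder path), provided the formula passes `params` through verbatim. The rename from `k8s_cluster` to `k8s_secure` also means any model overriding `haproxy:proxy:listen:k8s_cluster` no longer applies to this listener, so a header comment saying so would help.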
diff --git a/haproxy/proxy/listen/kubernetes/apiserver_insecure.yml b/haproxy/proxy/listen/kubernetes/apiserver_insecure.yml
new file mode 100644
index 0000000..a365c51
--- /dev/null
+++ b/haproxy/proxy/listen/kubernetes/apiserver_insecure.yml
@@ -0,0 +1,40 @@
+parameters:
+  haproxy:
+    proxy:
+      listen:
+        k8s_cluster:
+          type: kubernetes
+          binds:
+          - address: ${_param:cluster_vip_address}
+            port: 8080
+          servers:
+          - name: ${_param:cluster_node01_hostname}
+            host: ${_param:cluster_node01_address}
+            port: 8080
+            params: check
+          - name: ${_param:cluster_node02_hostname}
+            host: ${_param:cluster_node02_address}
+            port: 8080
+            params: check
+          - name: ${_param:cluster_node03_hostname}
+            host: ${_param:cluster_node03_address}
+            port: 8080
+            params: check
+        k8s_cluster_localhost:
+          type: kubernetes
+          binds:
+          - address: localhost
+            port: 8080
+          servers:
+          - name: ${_param:cluster_node01_hostname}
+            host: ${_param:cluster_node01_address}
+            port: 8080
+            params: check
+          - name: ${_param:cluster_node02_hostname}
+            host: ${_param:cluster_node02_address}
+            port: 8080
+            params: check
+          - name: ${_param:cluster_node03_hostname}
+            host: ${_param:cluster_node03_address}
+            port: 8080
+            params: check
\ No newline at end of file
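Review bot: The `k8s_cluster` listener publishes port 8080 on `${_param:cluster_vip_address}`, and if the backends serve the Kubernetes insecure port there, as the file name suggests, requests on it skip authentication and authorization. Every host that can reach the VIP would then have unrestricted API access once this class is included. If the class is only needed for node-local tooling, keep just `k8s_cluster_localhost`; otherwise add a header comment such as `# WARNING: exposes the unauthenticated API port on the cluster VIP; include only on isolated management networks`. The file also ends without a trailing newline.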
diff --git a/heat/server/notification/cadf.yml b/heat/server/notification/cadf.yml
new file mode 100644
index 0000000..352e936
--- /dev/null
+++ b/heat/server/notification/cadf.yml
@@ -0,0 +1,5 @@
+parameters:
+  heat:
+    server:
+      audit:
+        enabled: true
diff --git a/keystone/server/notification/cadf.yml b/keystone/server/notification/cadf.yml
new file mode 100644
index 0000000..dffb278
--- /dev/null
+++ b/keystone/server/notification/cadf.yml
@@ -0,0 +1,4 @@
+parameters:
+  keystone:
+    server:
+      notification_format: cadf
diff --git a/linux/system/repo/mos92.yml b/linux/system/repo/mos92.yml
new file mode 100644
index 0000000..999bfde
--- /dev/null
+++ b/linux/system/repo/mos92.yml
@@ -0,0 +1,28 @@
+parameters:
+  linux:
+    system:
+      repo:
+        mirantis_openstack:
+          source: "deb http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/ mos9.0 main restricted"
+          architectures: amd64
+          key_url: "http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/archive-mos9.0.key"
+        mirantis_openstack_holdback:
+          source: "deb http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/ mos9.0-holdback main restricted"
+          architectures: amd64
+          key_url: "http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/archive-mos9.0.key"
+        mirantis_openstack_hotfix:
+          source: "deb http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/ mos9.0-hotfix main restricted"
+          architectures: amd64
+          key_url: "http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/archive-mos9.0.key"
+        mirantis_openstack_proposed:
+          source: "deb http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/ mos9.0-proposed main restricted"
+          architectures: amd64
+          key_url: "http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/archive-mos9.0.key"
+        mirantis_openstack_security:
+          source: "deb http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/ mos9.0-security main restricted"
+          architectures: amd64
+          key_url: "http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/archive-mos9.0.key"
+        mirantis_openstack_updates:
+          source: "deb http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/ mos9.0-updates main restricted"
+          architectures: amd64
+          key_url: "http://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/archive-mos9.0.key"
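Review bot: Every `key_url` (and every `source`) in this class uses plain `http://`, so the archive signing key is fetched over an unauthenticated channel. Anyone able to tamper with that traffic can substitute their own key and then serve packages that APT accepts as validly signed. Fetch the key over TLS if the mirror offers it, e.g. `key_url: "https://mirror.fuel-infra.org/mos-repos/ubuntu/9.2/archive-mos9.0.key"`, or ship the key inside the model so it is pinned at review time. The class also enables `mos9.0-proposed` alongside the stable suites; if that is intentional, a one-line comment saying so would help, otherwise it fits better in a separate opt-in class.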
diff --git a/neutron/control/notification/cadf.yml b/neutron/control/notification/cadf.yml
new file mode 100644
index 0000000..f00f96f
--- /dev/null
+++ b/neutron/control/notification/cadf.yml
@@ -0,0 +1,5 @@
+parameters:
+  neutron:
+    server:
+      audit:
+        enabled: true
diff --git a/nova/control/notification/cadf.yml b/nova/control/notification/cadf.yml
new file mode 100644
index 0000000..2f2b1b1
--- /dev/null
+++ b/nova/control/notification/cadf.yml
@@ -0,0 +1,5 @@
+parameters:
+  nova:
+    controller:
+      audit:
+        enabled: true
diff --git a/openssh/server/team/ccp_team.yml b/openssh/server/team/ccp_team.yml
index c809ec9..3355dc1 100644
--- a/openssh/server/team/ccp_team.yml
+++ b/openssh/server/team/ccp_team.yml
@@ -16,6 +16,34 @@
           full_name: Sergey Reshetnyak
           home: /home/sreshetnyak
           email: sreshetnyak@mirantis.com
+        apavlov:
+          enabled: true
+          name: apavlov
+          sudo: true
+          full_name: Andrey Pavlov
+          home: /home/apavlov
+          email: apavlov@mirantis.com
+        sryabin:
+          enabled: true
+          name: sryabin
+          sudo: true
+          full_name: Sergey Ryabin
+          home: /home/sryabin
+          email: sryabin@mirantis.com
+        slukjanov:
+          enabled: true
+          name: slukjanov
+          sudo: true
+          full_name: Sergey Lukjanov
+          home: /home/slukjanov
+          email: slukjanov@mirantis.com
+        ytaraday:
+          enabled: true
+          name: ytaraday
+          sudo: true
+          full_name: Yuriy Taraday
+          home: /home/ytaraday
+          email: ytaraday@mirantis.com
   openssh:
     server:
       enabled: true
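Review bot: All four accounts added here (`apavlov`, `sryabin`, `slukjanov`, `ytaraday`) are created with `sudo: true`, and the same is done for `obourdon` in `openssh/server/team/stacklight.yml`. Every node that includes these team classes therefore gains five more root-capable logins. Where a user does not need administrative rights, set `sudo: false`; otherwise add a comment above the block recording why the access is needed and how it is revoked. The enclosing `user:` mapping starts outside the hunk, so whether sudo is password-less cannot be seen from here.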
@@ -30,8 +58,36 @@
           public_keys:
           - ${public_keys:sreshetnyak}
           user: ${linux:system:user:sreshetnyak}
+        apavlov:
+          enabled: true
+          public_keys:
+          - ${public_keys:apavlov}
+          user: ${linux:system:user:apavlov}
+        sryabin:
+          enabled: true
+          public_keys:
+          - ${public_keys:sryabin}
+          user: ${linux:system:user:sryabin}
+        slukjanov:
+          enabled: true
+          public_keys:
+          - ${public_keys:slukjanov}
+          user: ${linux:system:user:slukjanov}
+        ytaraday:
+          enabled: true
+          public_keys:
+          - ${public_keys:ytaraday}
+          user: ${linux:system:user:ytaraday}
   public_keys:
     kproskurin:
       key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBvuPnwVjS5AuxOp4Bd3zRFhE1IB7g5R8LMwfCpqokolV0pHw1QGbCFprBcahvR0daGla/lB0buUu1sCLmFm0QH/m3VD9PkY8VE/4XW58yCtA5/ANYqLchWaNxaaaQG8Sg3gxtcMwLUQ92HFejZT9c0jgQDRc8pTHHuPj/HuV1I2Cw2a/DHZtrMbMT27aAglrPFiMty+P1Gd5mdHAXK8sfK+LSZ9/PZ2IbW0fCGL3tE8rTwL7FG5rN7eeaX56lWwO3oQMu184Wi1vL/ukIt2sdRi6qvKAYfeELPzffo8GOhesQAq+BXzjpIo2HUT2gSkZid0YzX7lRLPWhAi1sdq3V oloremo@iHAL9000-2.local
     sreshetnyak:
       key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbc8cUMy2Stjq4qS8TaVGvTIUGetpgTcLCiW3NnG5Yqe+s+nlQnIL3ezvgSKHin4/PYHl8vV9FnmLdPLk+4eefoek1px8soW/B+Ri0KN6aQUy1ztcecMxcxRH9g4VLZWTbazqGsADwRCQVPXmyIQVQN5wMKd0IzXUp5c03dWv/I1PE7QPdKySrdhjjyo+1Npx/tQjtJaSnGCaUJrXfHXBxiiENzmHuY+se14nWV9RyYN3zRWsa8Yt1n2hWNNiKNfT89h6yFwZAxdsS+jGhzbGTLcWyAqq3sfvvgm0yeL5FEm0AKaOMv7AuM5LqjPkQE4zzCGA0j19EQlAjsVcvKHGH sreshetniak@workstation
+    apavlov:
+      key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC13FvtJl6OdwdiaLFYfJO5WaA7YUMi2/DJJECWtrjJPObGPeAQ1Z8zxQWanwZVhDO7E5oR7n/LmuKHaJkRIFyQEZY3mHS3k4yybg0Vqu2FcGWQO4P3R16v6qDLvuvu9S4sUkYF3k8oYDzwN/Vc+o7a4AkL5U5rjB3vbLWVdGg8G61jFjdekXbJdFCb0liPpcQrUe1yZmjE2E4ERPOZLCVADPiVzXJhtbKigbn/nwdk4D0g+eq3NW0AwJfkyCu6mt1xXfk6gmhUrBPh1ostWv6mSpD9bXvxIKv/QnIM4SUJ/RhJH0uhWtpH4GeXvnPXHs0bxfyq1GtQt5bD3gqCHruz apavlov@Andreys-MacBook-Pro.local
+    sryabin:
+      key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5KZguajyeerULef0PxEZGOvY2yzaFd+Ob9sdM1v57RZBOyu8EdfNwso1OuLRwrZP6o6V8OBJ95O1AKE0ay5PQzu3VlbZgQfVTazc7ngKOqvIZP7JYlxM58cHcU+Hu1fvtdDYbc0cOzIP1Cu+AA4ZRiqa9YxMbI8i8bKR+MdgX+yKErXiEeM6wMmg8MEyGFFLxNmeOY78pS4xxlFsyd78JkS+TCAStULIahffPDcJI02Kt1Af9lGRyM3fKoFlNx0/lsPncvTGz/trgjAae1Q6f1CrH2saXNtFSwi58Qs6sP4A9lxMTtkGhbUMhkInYg5w+9QnZcGYfBNqXvhA6qbrH
+    slukjanov:
+      key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOV5dNsXJ6aJMml7JSd4cJ54qYhOya18QNEdb7NJ88yo
+    ytaraday:
+      key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDtcRlAQg3baU14eBh8THRv+1T5sHCGAIeFaReEB/KRT
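Review bot: The keys added for `sryabin`, `slukjanov` and `ytaraday` carry no trailing comment, and the comment on `apavlov`'s key is a laptop hostname, so entries in an `authorized_keys` file generated from this class are hard to attribute to an owner during an audit or key rotation. Appending an owner identifier after the key material, e.g. ` sryabin@mirantis.com`, keeps each entry traceable and avoids publishing workstation names.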
diff --git a/openssh/server/team/stacklight.yml b/openssh/server/team/stacklight.yml
index 7dd7b62..4fc748f 100644
--- a/openssh/server/team/stacklight.yml
+++ b/openssh/server/team/stacklight.yml
@@ -44,6 +44,13 @@
           full_name: Patrick Petit 
           home: /home/ppetit
           email: ppetit@mirantis.com
+        obourdon:
+          enabled: true
+          name: obourdon
+          sudo: true
+          full_name: Olivier Bourdon
+          home: /home/obourdon
+          email: obourdon@mirantis.com
   openssh:
     client:
       enabled: true
@@ -80,6 +87,11 @@
           public_keys:
           - ${public_keys:ppetit}
           user: ${linux:system:user:ppetit}
+        obourdon:
+          enable: true
+          public_keys:
+          - ${public_keys:obourdon}
+          user: ${linux:system:user:obourdon}
   public_keys:
     newt:
       key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3odU+3V2uDA2ptAFL9hrJRPNEEdAyztWOZFQ5Oyd9oerTGOU3p4xmrgWWjfKFKbYGhiiIUcYAol5PkTfKukGEkkjCHYA1t023soCaaAj85wCZCnw2zQNAziwxTYmAzTqgxiSvtZNMMrtJvFHRIRDzJ3M1lV0prWNWkMM1/3FAd4W49y6VT3fkMCo8uqG7CfGdgR2DgBCxf9KaNPfW5eDEPOgmE5lK8tVSEI6T+Cg7hbcTf4lFYnlFBnlQgp/0JstsM4Vbwb4B34LOpOsf2S8rrWk2xQMjwaMHXkc2s/E8iW3F5nVFuyEXYISFQIiAHw8dzC6CHgLcyHUVWwznKawZ newt@newt-dev1
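Review bot: The new `obourdon` entry under the openssh users is written `enable: true`, whereas the equivalent entries in `openssh/server/team/ccp_team.yml` use `enabled: true`; this looks like a typo. Depending on how the formula treats a missing `enabled` key, the public key is either never installed or installed regardless of the flag, and in the second case a later `enable: false` would not revoke access. Change the line to `enabled: true`. The sibling entries in this file begin outside the hunk, so confirm the spelling against them.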
@@ -93,3 +105,5 @@
       key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUfVxx6qi4fay4znw8M6yLJJcRr3pdvPPihTAszioFJP9V/GBbqfkofTfeKdpdvJ4j25p40boiDt43Ek7LfcRmKMP9+2SEfk9W7ec/umM8Mer+h4ocnShVQm69weELVUfr9q4G+qWf14ANc9D097bclqQ6FP/cjy8HodVPgQ+i1lpMjwP6xvAAERJJH353lCFsxkh2N8aOi9YcP9M2lQeKWM+eYFsdcmTFAPHbgPq0K4ma6/YXw5UibEBClYu1u4OJTFZSI3z8kERb2cU0aFGYAduiynDMBKM7y7YAoksgBOVprq0huEMFUqJ3vsrZbPn55GIpzmBga+EGnNbSCadt swann@scroiset
     ppetit:
       key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUGCb+mGidT4FRa4rJxoYx39NX2vCjRw+CmCQJW/Uf6xc0NNp5WRWJ0hnyIMRVVfehvfjdXPo4bO4cXIwmo06C1Wx+DMyvjI9NvuHtt52p3QTsh+PYZe5t4hFuGh7veWQw3LuLtDLVlVS633FQMgT/BXDaBc65yfN9CuV6lHqZ6KPKoGAi3ADlcQFqhFttO+GsVkxd6uGtelnbYXsDMwylCIKop0C/obu6wG85d/8Q2/Zts5CvUcCiCNfZtl8otgNMrpfnuhC0xAsmgwDxqK2kshxUujclyFfO7ixl+E9Plc7kUJvodNbzOcAmY3YpuHVoJQkHx/Ou81/q+JOVtFxz ppetit@baobab 
+    obourdon:
+      key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDOd0PnoQhjjo/UrmCotaGZxXfpxLoMmuZ+XjKqAkEb9kE+aE0+k8t2EUs8PIctEgIcIC9vmovqOzIt5uNLV5MyN4R+pdIBKyWEQ5fQPaFhn/uZKf7AxLYhTVVW1wM+cDzrpWTyNQ0w59JBfNPZ/BDMtdpch9gTP24pwJ8yUDHHMSt1FnVqa7+Czw8jig4/oM05Mob5DQKlWOdtdUP3XYHSGJuHY4tHmc5sPvzIqs5r47uj5VD4gaCUqYeRS2C1YJcisN880qIqUHuCK0k9gQP+0DKJPVPmPPCuwebBzUUfjhKcbqiikKxPS0p4DWiprmeF8xjvmVWX+V8lP/v0hXiVgMc3wMoXJklH+XM7U5y5uzN8MF4YqAi4M/uSK5UF+TPn5dtu9s+joQmqt5XXaV4iFQe5kcdIYEMNJUGxiwMzByhvqWgC1reYSD8FquqLTH/5ITvFFmaTyQbBJMnXAE+QxdTXMfhTnfI/pbbhAUmfr5w8Z34lZG5UDnUy/rR+LlvJS76MqCr3nemZTHqhUYIrIJA8f9Xa8o9UJTy2QICdj2NidW1UzHCPybc/nH7qc6TjZJALLdhzK2QDbO6seJLOXuVHwSxjOx2Jdv5HImpFSeEfiGRQqc8bT+NGZI5V+cW+FuztU8i46VaSPXFM8t+57Ut/MdndAVYSPqgc7E3u3w== obourdon@mirantis.com
diff --git a/salt/master/formula/git/ccp.yml b/salt/master/formula/git/ccp.yml
index b124870..c8f1c65 100644
--- a/salt/master/formula/git/ccp.yml
+++ b/salt/master/formula/git/ccp.yml
@@ -6,5 +6,5 @@
           formula:
             ccp:
               source: git
-              address: '{_param:salt_master_environment_repository}/salt-formula-ccp.git'
+              address: '${_param:salt_master_environment_repository}/salt-formula-ccp.git'
               revision: ${_param:salt_master_environment_revision}
diff --git a/salt/minion/cert/k8s_client_certificate.yml b/salt/minion/cert/k8s_client.yml
similarity index 90%
rename from salt/minion/cert/k8s_client_certificate.yml
rename to salt/minion/cert/k8s_client.yml
index 37bf618..06d83c4 100644
--- a/salt/minion/cert/k8s_client_certificate.yml
+++ b/salt/minion/cert/k8s_client.yml
@@ -7,6 +7,7 @@
           authority: ${_param:salt_minion_ca_authority}
           key_file: /etc/kubernetes/ssl/kubelet-client.key
           cert_file: /etc/kubernetes/ssl/kubelet-client.crt
+          ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
           common_name: kubelet-client
           signing_policy: cert_client
           alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
\ No newline at end of file
diff --git a/salt/minion/cert/k8s_server.yml b/salt/minion/cert/k8s_server.yml
new file mode 100644
index 0000000..d9b1da6
--- /dev/null
+++ b/salt/minion/cert/k8s_server.yml
@@ -0,0 +1,13 @@
+parameters:
+  salt:
+    minion:
+      cert:
+        k8s_server:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          common_name: kubernetes-server
+          key_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.key
+          cert_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.crt
+          all_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.pem
+          signing_policy: cert_server
+          alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
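Review bot: `key_file` and `all_file` place the API server's private key under `/srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/`. If that directory is part of the master's `file_roots`, which the path suggests, the key can be fetched through the Salt file server by any accepted minion, not only the Kubernetes masters. Keeping the key outside the file roots, or delivering it through pillar targeted at the API server nodes, limits it to the hosts that need it; a comment here naming those hosts would document the intent. The deleted `k8s_server_certificate.yml` also set `ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt`, which this class drops, so confirm another class still installs the CA certificate on the servers.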
diff --git a/salt/minion/cert/k8s_server_certificate.yml b/salt/minion/cert/k8s_server_certificate.yml
deleted file mode 100644
index 835f043..0000000
--- a/salt/minion/cert/k8s_server_certificate.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-parameters:
-  salt:
-    minion:
-      cert:
-        k8s_server:
-          host: ${_param:salt_minion_ca_host}
-          authority: ${_param:salt_minion_ca_authority}
-          common_name: kubernetes-server
-          key_file: /etc/kubernetes/ssl/kubernetes-server.key
-          cert_file: /etc/kubernetes/ssl/kubernetes-server.crt
-          ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
-          signing_policy: cert_server
-          alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
\ No newline at end of file