Merge "Parametrize manila options"
diff --git a/barbican/server/cluster.yml b/barbican/server/cluster.yml
index 972c05d..aac0400 100644
--- a/barbican/server/cluster.yml
+++ b/barbican/server/cluster.yml
@@ -1,9 +1,12 @@
classes:
- service.barbican.server.cluster
- system.haproxy.proxy.listen.openstack.barbican
+- system.salt.minion.cert.mysql.clients.openstack.barbican
parameters:
_param:
cluster_internal_protocol: 'http'
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
barbican:
server:
role: ${_param:openstack_node_role}
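Review bot: The `_param` defaults added here, `openstack_mysql_x509_enabled: False` and `galera_ssl_enabled: False`, carry no comment saying that Barbican's database connection presumably stays without TLS and without client-certificate authentication unless the cluster model overrides them. That holds even though the class now always includes `system.salt.minion.cert.mysql.clients.openstack.barbican`. I would add a comment above them, for example `# TLS to Galera is opt-in: set galera_ssl_enabled (and openstack_mysql_x509_enabled for client-cert auth) to True in the cluster model`. The same applies to the matching defaults in barbican/server/single.yml and gnocchi/common/*.yml, and to the `openstack_rabbitmq_x509_enabled` / `rabbitmq_ssl_enabled` defaults in the cinder, glance, heat and keystone hunks. As a style point, these use `False` while other values in this change use `false`/`true`; lowercase is the canonical YAML boolean.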
@@ -11,6 +14,13 @@
protocol: ${_param:cluster_internal_protocol}
database:
host: ${_param:openstack_database_address}
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_barbican_ssl_ca_file}
+ key_file: ${_param:mysql_barbican_client_ssl_key_file}
+ cert_file: ${_param:mysql_barbican_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
linux:
system:
package:
diff --git a/barbican/server/single.yml b/barbican/server/single.yml
index 207957f..6bed260 100644
--- a/barbican/server/single.yml
+++ b/barbican/server/single.yml
@@ -1,10 +1,21 @@
classes:
- service.barbican.server.single
+- system.salt.minion.cert.mysql.clients.openstack.barbican
parameters:
_param:
internal_protocol: 'http'
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
barbican:
server:
+ database:
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_barbican_ssl_ca_file}
+ key_file: ${_param:mysql_barbican_client_ssl_key_file}
+ cert_file: ${_param:mysql_barbican_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
role: ${_param:openstack_node_role}
identity:
protocol: ${_param:internal_protocol}
diff --git a/cinder/control/cluster.yml b/cinder/control/cluster.yml
index 5bc5c75..503537e 100644
--- a/cinder/control/cluster.yml
+++ b/cinder/control/cluster.yml
@@ -4,11 +4,14 @@
- service.keepalived.cluster.single
- system.haproxy.proxy.listen.openstack.cinder
- system.salt.minion.cert.mysql.clients.openstack.cinder
+- system.salt.minion.cert.rabbitmq.clients.openstack.cinder
parameters:
_param:
cluster_internal_protocol: 'http'
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
linux:
system:
package:
@@ -67,6 +70,13 @@
user: openstack
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_cinder_ssl_ca_file}
+ key_file: ${_param:rabbitmq_cinder_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_cinder_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
cache:
engine: memcached
members:
diff --git a/cinder/control/single.yml b/cinder/control/single.yml
index f38cfb4..ce01579 100644
--- a/cinder/control/single.yml
+++ b/cinder/control/single.yml
@@ -1,11 +1,14 @@
classes:
- service.cinder.control.single
- system.salt.minion.cert.mysql.clients.openstack.cinder
+- system.salt.minion.cert.rabbitmq.clients.openstack.cinder
parameters:
_param:
internal_protocol: 'http'
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
linux:
system:
package:
@@ -31,4 +34,12 @@
identity:
protocol: ${_param:internal_protocol}
region: ${_param:openstack_region}
+ message_queue:
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_cinder_ssl_ca_file}
+ key_file: ${_param:rabbitmq_cinder_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_cinder_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
diff --git a/cinder/volume/local.yml b/cinder/volume/local.yml
index 51c3ba8..d1634d0 100644
--- a/cinder/volume/local.yml
+++ b/cinder/volume/local.yml
@@ -1,10 +1,13 @@
classes:
- service.cinder.volume.local
- system.salt.minion.cert.mysql.clients.openstack.cinder
+- system.salt.minion.cert.rabbitmq.clients.openstack.cinder
parameters:
_param:
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
cinder:
volume:
enabled: True
@@ -21,6 +24,13 @@
host: ${_param:single_address}
message_queue:
host: ${_param:single_address}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_cinder_ssl_ca_file}
+ key_file: ${_param:rabbitmq_cinder_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_cinder_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
identity:
host: ${_param:single_address}
region: ${_param:openstack_region}
diff --git a/cinder/volume/single.yml b/cinder/volume/single.yml
index f6d4503..637e45a 100644
--- a/cinder/volume/single.yml
+++ b/cinder/volume/single.yml
@@ -1,11 +1,14 @@
classes:
- service.cinder.volume.single
- system.salt.minion.cert.mysql.clients.openstack.cinder
+- system.salt.minion.cert.rabbitmq.clients.openstack.cinder
parameters:
_param:
cluster_internal_protocol: 'http'
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
linux:
system:
package:
@@ -32,6 +35,13 @@
- host: ${_param:openstack_message_queue_node01_address}
- host: ${_param:openstack_message_queue_node02_address}
- host: ${_param:openstack_message_queue_node03_address}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_cinder_ssl_ca_file}
+ key_file: ${_param:rabbitmq_cinder_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_cinder_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
identity:
host: ${_param:openstack_control_address}
protocol: ${_param:cluster_internal_protocol}
diff --git a/galera/server/database/ssl/barbican.yml b/galera/server/database/ssl/barbican.yml
new file mode 100644
index 0000000..1b1c7c1
--- /dev/null
+++ b/galera/server/database/ssl/barbican.yml
@@ -0,0 +1,4 @@
+parameters:
+ _param:
+ mysql_barbican_ssl_option:
+ - SSL: True
\ No newline at end of file
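Review bot: This new file ends without a trailing newline (`\ No newline at end of file`), as do galera/server/database/ssl/gnocchi.yml and both new files under galera/server/database/x509/. The heat/server/single.yml hunk in this same change repairs exactly that problem in an existing file, so the new files should end with a newline too.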
diff --git a/galera/server/database/ssl/gnocchi.yml b/galera/server/database/ssl/gnocchi.yml
new file mode 100644
index 0000000..c1bb459
--- /dev/null
+++ b/galera/server/database/ssl/gnocchi.yml
@@ -0,0 +1,4 @@
+parameters:
+ _param:
+ mysql_gnocchi_ssl_option:
+ - SSL: True
\ No newline at end of file
diff --git a/galera/server/database/x509/barbican.yml b/galera/server/database/x509/barbican.yml
new file mode 100644
index 0000000..ae1865f
--- /dev/null
+++ b/galera/server/database/x509/barbican.yml
@@ -0,0 +1,7 @@
+parameters:
+ _param:
+ mysql_barbican_client_ssl_x509_subject: '/C=cz/CN=mysql-barbican-client/L=Prague/O=Mirantis'
+ mysql_barbican_client_ssl_x509_issuer: '/C=cz/CN=Salt Master CA/L=Prague/O=Mirantis'
+ mysql_barbican_ssl_option:
+ - SUBJECT: ${_param:mysql_barbican_client_ssl_x509_subject}
+ - ISSUER: ${_param:mysql_barbican_client_ssl_x509_issuer}
\ No newline at end of file
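Review bot: `mysql_barbican_client_ssl_x509_subject` and `mysql_barbican_client_ssl_x509_issuer` hard-code a full DN (`/C=cz/.../L=Prague/O=Mirantis`), while the certificate definition added in salt/minion/cert/mysql/clients/openstack/barbican.yml sets only `common_name: mysql-barbican-client`. The C, L and O parts therefore presumably come from CA-side defaults that are not visible in this change. If these options end up in a MySQL `REQUIRE SUBJECT ... AND ISSUER ...` clause, the server compares the strings exactly, so a deployment whose Salt CA uses other attributes would have Barbican's logins rejected once x509 is enabled. I would add a comment above the two parameters, for example `# must equal the DN of the issued client certificate exactly; override when the Salt CA uses other C/L/O values`. galera/server/database/x509/gnocchi.yml adds the same pair and needs the same comment.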
diff --git a/galera/server/database/x509/gnocchi.yml b/galera/server/database/x509/gnocchi.yml
new file mode 100644
index 0000000..5cb3c58
--- /dev/null
+++ b/galera/server/database/x509/gnocchi.yml
@@ -0,0 +1,7 @@
+parameters:
+ _param:
+ mysql_gnocchi_client_ssl_x509_subject: '/C=cz/CN=mysql-gnocchi-client/L=Prague/O=Mirantis'
+ mysql_gnocchi_client_ssl_x509_issuer: '/C=cz/CN=Salt Master CA/L=Prague/O=Mirantis'
+ mysql_gnocchi_ssl_option:
+ - SUBJECT: ${_param:mysql_gnocchi_client_ssl_x509_subject}
+ - ISSUER: ${_param:mysql_gnocchi_client_ssl_x509_issuer}
\ No newline at end of file
diff --git a/glance/control/cluster.yml b/glance/control/cluster.yml
index a9181de..4f0992d 100644
--- a/glance/control/cluster.yml
+++ b/glance/control/cluster.yml
@@ -4,10 +4,13 @@
- service.haproxy.proxy.single
- system.haproxy.proxy.listen.openstack.glance
- system.salt.minion.cert.mysql.clients.openstack.glance
+- system.salt.minion.cert.rabbitmq.clients.openstack.glance
parameters:
_param:
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
linux:
system:
cron:
@@ -62,6 +65,13 @@
- host: ${_param:openstack_message_queue_node01_address}
- host: ${_param:openstack_message_queue_node02_address}
- host: ${_param:openstack_message_queue_node03_address}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_glance_ssl_ca_file}
+ key_file: ${_param:rabbitmq_glance_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_glance_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
storage:
engine: file
images: []
diff --git a/glance/control/single.yml b/glance/control/single.yml
index a036077..c233120 100644
--- a/glance/control/single.yml
+++ b/glance/control/single.yml
@@ -1,10 +1,13 @@
classes:
- service.glance.control.single
- system.salt.minion.cert.mysql.clients.openstack.glance
+- system.salt.minion.cert.rabbitmq.clients.openstack.glance
parameters:
_param:
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
linux:
system:
cron:
@@ -30,3 +33,11 @@
identity:
region: ${_param:openstack_region}
show_multiple_locations: True
+ message_queue:
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_glance_ssl_ca_file}
+ key_file: ${_param:rabbitmq_glance_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_glance_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
diff --git a/gnocchi/common/cluster.yml b/gnocchi/common/cluster.yml
new file mode 100644
index 0000000..8d7ae5e
--- /dev/null
+++ b/gnocchi/common/cluster.yml
@@ -0,0 +1,17 @@
+classes:
+- service.gnocchi.common.cluster
+- system.salt.minion.cert.mysql.clients.openstack.gnocchi
+parameters:
+ _param:
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
+ gnocchi:
+ common:
+ database:
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_gnocchi_ssl_ca_file}
+ key_file: ${_param:mysql_gnocchi_client_ssl_key_file}
+ cert_file: ${_param:mysql_gnocchi_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
diff --git a/gnocchi/common/single.yml b/gnocchi/common/single.yml
new file mode 100644
index 0000000..1f68f5c
--- /dev/null
+++ b/gnocchi/common/single.yml
@@ -0,0 +1,17 @@
+classes:
+- service.gnocchi.common.single
+- system.salt.minion.cert.mysql.clients.openstack.gnocchi
+parameters:
+ _param:
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
+ gnocchi:
+ common:
+ database:
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_gnocchi_ssl_ca_file}
+ key_file: ${_param:mysql_gnocchi_client_ssl_key_file}
+ cert_file: ${_param:mysql_gnocchi_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
diff --git a/grafana/client/datasource/gnocchi.yml b/grafana/client/datasource/gnocchi.yml
new file mode 100644
index 0000000..4266fe7
--- /dev/null
+++ b/grafana/client/datasource/gnocchi.yml
@@ -0,0 +1,23 @@
+parameters:
+ _param:
+ grafana_gnocchi_is_default: false
+ grafana_gnocchi_ds_name: gnocchi
+ grafana_gnocchi_address: ${_param:gnocchi_public_host}
+ keystone_public_url_path: /identity
+ keystone_gnocchi_user: gnocchi
+ grafana_gnocchi_domain: default
+ grafana_gnocchi_project: service
+ grafana:
+ client:
+ datasource:
+ gnocchi:
+ type: gnocchixyz-gnocchi-datasource
+ name: ${_param:grafana_gnocchi_ds_name}
+ host: ${_param:grafana_gnocchi_address}
+ url_path: ${_param:keystone_public_url_path}
+ mode: keystone
+ domain: ${_param:grafana_gnocchi_domain}
+ project: ${_param:grafana_gnocchi_project}
+ user: ${_param:keystone_gnocchi_user}
+ password: ${_param:keystone_gnocchi_password}
+ is_default: ${_param:grafana_gnocchi_is_default}
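Review bot: `keystone_public_url_path` and `keystone_gnocchi_user` are given values inside a Grafana datasource class although their names are not Grafana-scoped. Including this class may therefore override, or be overridden by, definitions of the same parameters elsewhere in the model, depending on class order. Naming them like the other defaults in this file, e.g. `grafana_gnocchi_url_path` and `grafana_gnocchi_user`, would keep them local to the datasource. `keystone_gnocchi_password` rightly has no default here; a comment such as `# keystone_gnocchi_password must be supplied by the cluster model` would make that requirement visible.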
diff --git a/grafana/client/datasource/influxdb.yml b/grafana/client/datasource/influxdb.yml
index 7abe22f..7e2a459 100644
--- a/grafana/client/datasource/influxdb.yml
+++ b/grafana/client/datasource/influxdb.yml
@@ -14,4 +14,3 @@
password: ${_param:grafana_influxdb_password}
database: ${_param:grafana_influxdb_database}
is_default: ${_param:grafana_influxdb_is_default}
-
diff --git a/heat/server/cluster.yml b/heat/server/cluster.yml
index 7bbc2ac..4504e89 100644
--- a/heat/server/cluster.yml
+++ b/heat/server/cluster.yml
@@ -4,12 +4,15 @@
- service.keepalived.cluster.single
- system.haproxy.proxy.listen.openstack.heat
- system.salt.minion.cert.mysql.clients.openstack.heat
+- system.salt.minion.cert.rabbitmq.clients.openstack.heat
parameters:
_param:
cluster_public_protocol: 'https'
cluster_internal_protocol: 'http'
openstack_mysql_x509_enabled: False
+ openstack_rabbitmq_x509_enabled: False
galera_ssl_enabled: False
+ rabbitmq_ssl_enabled: False
linux:
system:
package:
@@ -77,3 +80,10 @@
- host: ${_param:openstack_message_queue_node01_address}
- host: ${_param:openstack_message_queue_node02_address}
- host: ${_param:openstack_message_queue_node03_address}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_heat_ssl_ca_file}
+ key_file: ${_param:rabbitmq_heat_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_heat_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
diff --git a/heat/server/single.yml b/heat/server/single.yml
index 208bdf0..9ef10c9 100644
--- a/heat/server/single.yml
+++ b/heat/server/single.yml
@@ -1,10 +1,13 @@
classes:
- service.heat.server.single
- system.salt.minion.cert.mysql.clients.openstack.heat
+- system.salt.minion.cert.rabbitmq.clients.openstack.heat
parameters:
_param:
openstack_mysql_x509_enabled: False
+ openstack_rabbitmq_x509_enabled: False
galera_ssl_enabled: False
+ rabbitmq_ssl_enabled: False
linux:
system:
package:
@@ -32,4 +35,13 @@
key_file: ${_param:mysql_heat_client_ssl_key_file}
cert_file: ${_param:mysql_heat_client_ssl_cert_file}
ssl:
- enabled: ${_param:galera_ssl_enabled}
\ No newline at end of file
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_heat_ssl_ca_file}
+ key_file: ${_param:rabbitmq_heat_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_heat_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
+
diff --git a/jenkins/client/job/deploy/lab/deploy.yml b/jenkins/client/job/deploy/lab/deploy.yml
index b1deafa..f5d34f6 100644
--- a/jenkins/client/job/deploy/lab/deploy.yml
+++ b/jenkins/client/job/deploy/lab/deploy.yml
@@ -117,9 +117,6 @@
type: string
default: ""
description: "Formulas revision to install on Salt Master bootstrap stage"
- EXTRA_FORMULAS:
- type: string
- default: ""
STATIC_MGMT_NETWORK:
type: boolean
default: 'false'
diff --git a/jenkins/client/job/git-mirrors/2way.yml b/jenkins/client/job/git-mirrors/2way.yml
index bb6b44b..742408d 100644
--- a/jenkins/client/job/git-mirrors/2way.yml
+++ b/jenkins/client/job/git-mirrors/2way.yml
@@ -24,6 +24,10 @@
source: mcp/mcp-drivetrain-model
target: Mirantis/mcp-drivetrain-model
branches: "master"
+ - name: model-manager
+ source: python-apps/model-manager
+ target: salt-formulas/django-model-manager
+ branches: "master"
template:
description: ${_param:job_description_2way}
discard:
diff --git a/jenkins/client/job/git-mirrors/upstream/pipelines.yml b/jenkins/client/job/git-mirrors/upstream/pipelines.yml
index 20f7eb6..9e82f80 100644
--- a/jenkins/client/job/git-mirrors/upstream/pipelines.yml
+++ b/jenkins/client/job/git-mirrors/upstream/pipelines.yml
@@ -6,8 +6,8 @@
- name: pipeline-library
downstream: mcp-ci/pipeline-library
upstream: "git@github.com:Mirantis/pipeline-library.git"
- branches: master
+ branches: master,release/2018.8.1
- name: mk-pipelines
downstream: mk/mk-pipelines
upstream: "git@github.com:Mirantis/mk-pipelines.git"
- branches: master
+ branches: master,release/2018.8.1
diff --git a/jenkins/client/job/oscore/cookiecutter.yml b/jenkins/client/job/oscore/cookiecutter.yml
index 5ffe289..359e84f 100644
--- a/jenkins/client/job/oscore/cookiecutter.yml
+++ b/jenkins/client/job/oscore/cookiecutter.yml
@@ -42,6 +42,16 @@
type: boolean
description: "Delete Heat stack when finished (bool)"
default: 'false'
+ OPENSTACK_ENVIRONMENT:
+ type: choice
+ description: "Target openstack environment."
+ choices:
+ - devcloud
+ - presales
+ - oscore_devcloud
+ OPENSTACK_API_CREDENTIALS:
+ type: string
+ description: "Credentials to the OpenStack API"
OPENSTACK_API_PROJECT:
type: string
default: "mcp-oscore"
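Review bot: The description of `OPENSTACK_API_CREDENTIALS`, `"Credentials to the OpenStack API"`, does not say whether the string is the ID of a Jenkins credentials entry or the secret itself. A plain `type: string` parameter is displayed with the build, so the latter reading would expose the secret. The gerrit credentials parameter visible in the later hunks is worded as an ID, and if that is the intent here the same wording fits: `description: "ID of jenkins credentials to be used when connecting to the OpenStack API"`. The parameter is added identically in the second hunk of this file and in jenkins/client/job/oscore/test_upgrades.yml; the surrounding parameter block starts and ends outside the hunk.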
@@ -113,6 +123,16 @@
type: string
default: "gerrit"
description: "ID of jenkins credentials to be used when connecting to gerrit."
+ OPENSTACK_ENVIRONMENT:
+ type: choice
+ description: "Target openstack environment."
+ choices:
+ - devcloud
+ - presales
+ - oscore_devcloud
+ OPENSTACK_API_CREDENTIALS:
+ type: string
+ description: "Credentials to the OpenStack API"
OPENSTACK_API_PROJECT:
type: string
default: "mcp-oscore-ci"
diff --git a/jenkins/client/job/oscore/test_upgrades.yml b/jenkins/client/job/oscore/test_upgrades.yml
index 26a9960..a3cf5ae 100644
--- a/jenkins/client/job/oscore/test_upgrades.yml
+++ b/jenkins/client/job/oscore/test_upgrades.yml
@@ -24,6 +24,16 @@
type: string
description: "ID of jenkins credentials to be used when connecting to gerrit."
default: "gerrit"
+ OPENSTACK_ENVIRONMENT:
+ type: choice
+ description: "Target openstack environment."
+ choices:
+ - devcloud
+ - presales
+ - oscore_devcloud
+ OPENSTACK_API_CREDENTIALS:
+ type: string
+ description: "Credentials to the OpenStack API"
OPENSTACK_API_PROJECT:
type: string
default: "mcp-oscore"
diff --git a/jenkins/client/job/salt-formulas/git-mirrors/2way.yml b/jenkins/client/job/salt-formulas/git-mirrors/2way.yml
index cae768a..85c9ac8 100644
--- a/jenkins/client/job/salt-formulas/git-mirrors/2way.yml
+++ b/jenkins/client/job/salt-formulas/git-mirrors/2way.yml
@@ -338,6 +338,9 @@
- name: sentry
branches: ${_param:salt_formulas_branches}
notification_recipients: ${_param:salt_formulas_notification_recipients}
+ - name: shibboleth
+ branches: ${_param:salt_formulas_branches}
+ notification_recipients: ${_param:salt_formulas_notification_recipients}
- name: sphinx
branches: ${_param:salt_formulas_branches}
notification_recipients: ${_param:salt_formulas_notification_recipients}
diff --git a/jenkins/client/job/salt-models/tests.yml b/jenkins/client/job/salt-models/tests.yml
index 145cfa9..c6bd2e1 100644
--- a/jenkins/client/job/salt-models/tests.yml
+++ b/jenkins/client/job/salt-models/tests.yml
@@ -48,10 +48,6 @@
PARALLEL_NODE_GROUP_SIZE:
type: string
default: "9"
- # Salt master setup extra formulas
- EXTRA_FORMULAS:
- type: string
- default: "{{extra_formulas}}"
FORMULAS_SOURCE:
type: string
default: "{{formulas_src}}"
@@ -158,10 +154,6 @@
PARALLEL_NODE_GROUP_SIZE:
type: string
default: "9"
- # Salt master setup extra formulas
- EXTRA_FORMULAS:
- type: string
- default: "{{extra_formulas}}"
FORMULAS_SOURCE:
type: string
default: "{{formulas_src}}"
@@ -295,9 +287,6 @@
type: string
default: 'nightly'
description: "Those variable will be ignored, in case gerritTrigger=>GERRIT_BRANCH. Version of bin-artifacts,passed to test-env"
- EXTRA_FORMULAS:
- type: string
- default: "aptly artifactory auditd backupninja collectd devops-portal docker elasticsearch fluentd freeipa gerrit glusterfs grafana haproxy heka horizon influxdb jenkins keepalived kibana libvirt maas memcached mysql nginx ntp openldap openscap openssh postfix prometheus rsync rsyslog rundeck sensu sphinx telegraf xtrabackup watchdog logrotate"
RECLASS_VERSION:
type: string
default: 'v1.5.4'
@@ -343,9 +332,6 @@
CREDENTIALS_ID:
type: string
default: "gerrit"
- EXTRA_FORMULAS:
- type: string
- default: ""
FORMULAS_SOURCE:
type: string
default: "pkg"
diff --git a/keystone/server/cluster.yml b/keystone/server/cluster.yml
index 24840fe..1a5f4a3 100644
--- a/keystone/server/cluster.yml
+++ b/keystone/server/cluster.yml
@@ -6,12 +6,15 @@
- system.linux.system.users.keystone
- system.keystone.server.fernet_rotation.cluster
- system.salt.minion.cert.mysql.clients.openstack.keystone
+- system.salt.minion.cert.rabbitmq.clients.openstack.keystone
parameters:
_param:
keystone_tokens_expiration: 3600
openstack_node_role: primary
openstack_mysql_x509_enabled: False
+ openstack_rabbitmq_x509_enabled: False
galera_ssl_enabled: False
+ rabbitmq_ssl_enabled: False
linux:
system:
package:
@@ -69,6 +72,13 @@
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
ha_queues: true
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_keystone_ssl_ca_file}
+ key_file: ${_param:rabbitmq_keystone_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_keystone_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
auth_methods:
- password
- token
diff --git a/keystone/server/single.yml b/keystone/server/single.yml
index d926c0d..03cd75d 100644
--- a/keystone/server/single.yml
+++ b/keystone/server/single.yml
@@ -3,6 +3,7 @@
- system.linux.system.users.keystone
- system.keystone.server.fernet_rotation.single
- system.salt.minion.cert.mysql.clients.openstack.keystone
+- system.salt.minion.cert.rabbitmq.clients.openstack.keystone
parameters:
_param:
keystone_service_token: token
@@ -13,7 +14,9 @@
keystone_tokens_expiration: 3600
openstack_node_role: primary
openstack_mysql_x509_enabled: False
+ openstack_rabbitmq_x509_enabled: False
galera_ssl_enabled: False
+ rabbitmq_ssl_enabled: False
linux:
system:
package:
@@ -65,6 +68,13 @@
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
ha_queues: true
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_keystone_ssl_ca_file}
+ key_file: ${_param:rabbitmq_keystone_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_keystone_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
roles:
- admin
- Member
diff --git a/kubernetes/common.yml b/kubernetes/common.yml
index bf5886b..82b3ad3 100644
--- a/kubernetes/common.yml
+++ b/kubernetes/common.yml
@@ -15,7 +15,7 @@
kubernetes_externaldns_repo: mirantis
kubernetes_genie_repo: https://docker-prod-local.artifactory.mirantis.com/artifactory/binary-prod-local/mirantis/kubernetes/cni-genie
kubernetes_flannel_repo: quay.io/coreos
- kubernetes_metallb_repo: metallb
+ kubernetes_metallb_repo: ${_param:mcp_docker_registry}/mirantis/metallb
kubernetes_sriov_repo: https://docker-prod-local.artifactory.mirantis.com/artifactory/binary-prod-local/mirantis/kubernetes/sriov-cni
kubernetes_cniplugins_repo: https://docker-prod-local.artifactory.mirantis.com/artifactory/binary-prod-local/mirantis/kubernetes/containernetworking-plugins
kubernetes_dashboard_repo: ${_param:mcp_docker_registry}/mirantis/kubernetes
@@ -44,8 +44,8 @@
kubernetes_genie_source: ${_param:kubernetes_genie_repo}/genie_v1.0-138-gbf5dbaa
kubernetes_genie_source_hash: md5=b024052ed4ecb1d5354e0cc8f51afaca
kubernetes_flannel_image: ${_param:kubernetes_flannel_repo}/flannel:v0.10.0-amd64
- kubernetes_metallb_controller_image: ${_param:kubernetes_metallb_repo}/controller:v0.7.3
- kubernetes_metallb_speaker_image: ${_param:kubernetes_metallb_repo}/speaker:v0.7.3
+ kubernetes_metallb_controller_image: ${_param:kubernetes_metallb_repo}/controller:v0.7.3-2
+ kubernetes_metallb_speaker_image: ${_param:kubernetes_metallb_repo}/speaker:v0.7.3-2
kubernetes_sriov_source: ${_param:kubernetes_sriov_repo}/sriov_v0.3-8-g8b7ed98
kubernetes_sriov_source_hash: md5=c0cc33202afd02e4cc44b977a8faf6e7
kubernetes_cniplugins_source: ${_param:kubernetes_cniplugins_repo}/cni-plugins_v0.7.1-48-g696b1f9.tar.gz
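Review bot: `kubernetes_metallb_controller_image` and `kubernetes_metallb_speaker_image` identify the images only by the tag `v0.7.3-2`, which a registry can repoint, whereas the downloaded binaries around them each carry a `*_source_hash`. If the formula passes the value through unchanged, appending a digest would pin the content, e.g. `${_param:kubernetes_metallb_repo}/controller:v0.7.3-2@sha256:<digest-of-published-image>`. A short comment stating what the `-2` suffix denotes would also help whoever later has to bump the version. The parameter list continues outside the hunk.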
@@ -258,6 +258,8 @@
criproxy_source: ${_param:kubernetes_criproxy_checksum}
metallb:
enabled: ${_param:kubernetes_metallb_enabled}
+ controller_image: ${_param:kubernetes_metallb_controller_image}
+ speaker_image: ${_param:kubernetes_metallb_speaker_image}
pool:
enabled: false
kubelet:
diff --git a/manila/control/single.yml b/manila/control/single.yml
index b2036d3..9d5f9f6 100644
--- a/manila/control/single.yml
+++ b/manila/control/single.yml
@@ -1,5 +1,5 @@
classes:
- - system.manila.common.cluster
+ - system.manila.common.single
- system.apache.server.site.manila
parameters:
_param:
@@ -7,12 +7,12 @@
manila:
common:
dhss: false
+ default_share_type: default
version: ${_param:openstack_version}
api:
role: ${_param:openstack_node_role}
enabled: true
version: ${_param:openstack_version}
- role: ${_param:openstack_node_role}
scheduler:
enabled: true
version: ${_param:openstack_version}
diff --git a/salt/minion/cert/mysql/clients/openstack/barbican.yml b/salt/minion/cert/mysql/clients/openstack/barbican.yml
new file mode 100644
index 0000000..8d158ee
--- /dev/null
+++ b/salt/minion/cert/mysql/clients/openstack/barbican.yml
@@ -0,0 +1,27 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ mysql_barbican_client_ssl_key_file: /etc/barbican/ssl/mysql/client-key.pem
+ mysql_barbican_client_ssl_cert_file: /etc/barbican/ssl/mysql/client-cert.pem
+ mysql_barbican_ssl_ca_file: /etc/barbican/ssl/mysql/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ mysql-barbican-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: mysql-barbican-client
+ signing_policy: cert_client
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:mysql_barbican_client_ssl_key_file}
+ cert_file: ${_param:mysql_barbican_client_ssl_cert_file}
+ ca_file: ${_param:mysql_barbican_ssl_ca_file}
+ user: barbican
+ group: barbican
+ mode: 640
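Review bot: `alternative_names` lists `${_param:cluster_local_address}` under both `IP:` and `DNS:`, so one of the two SAN entries has the wrong type for whatever that parameter holds; keep only the one that matches. The `>` folded scalar also leaves a trailing newline in the value, which `>-` would avoid. `mode: 640` is an unquoted integer and apparently applies to the private key file as well; if the formula accepts a string, `mode: '0640'` would make the intended octal permission explicit. The same points apply to the gnocchi, cinder, glance, heat and keystone certificate classes added in the following files.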
diff --git a/salt/minion/cert/mysql/clients/openstack/gnocchi.yml b/salt/minion/cert/mysql/clients/openstack/gnocchi.yml
new file mode 100644
index 0000000..1aa31c9
--- /dev/null
+++ b/salt/minion/cert/mysql/clients/openstack/gnocchi.yml
@@ -0,0 +1,27 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ mysql_gnocchi_client_ssl_key_file: /etc/gnocchi/ssl/mysql/client-key.pem
+ mysql_gnocchi_client_ssl_cert_file: /etc/gnocchi/ssl/mysql/client-cert.pem
+ mysql_gnocchi_ssl_ca_file: /etc/gnocchi/ssl/mysql/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ mysql-gnocchi-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: mysql-gnocchi-client
+ signing_policy: cert_client
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:mysql_gnocchi_client_ssl_key_file}
+ cert_file: ${_param:mysql_gnocchi_client_ssl_cert_file}
+ ca_file: ${_param:mysql_gnocchi_ssl_ca_file}
+ user: gnocchi
+ group: gnocchi
+ mode: 640
diff --git a/salt/minion/cert/rabbitmq/clients/openstack/cinder.yml b/salt/minion/cert/rabbitmq/clients/openstack/cinder.yml
new file mode 100644
index 0000000..576c135
--- /dev/null
+++ b/salt/minion/cert/rabbitmq/clients/openstack/cinder.yml
@@ -0,0 +1,27 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ rabbitmq_cinder_client_ssl_key_file: /etc/cinder/ssl/rabbitmq/client-key.pem
+ rabbitmq_cinder_client_ssl_cert_file: /etc/cinder/ssl/rabbitmq/client-cert.pem
+ rabbitmq_cinder_ssl_ca_file: /etc/cinder/ssl/rabbitmq/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ rabbitmq-cinder-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: rabbitmq-cinder-client
+ signing_policy: cert_client
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:rabbitmq_cinder_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_cinder_client_ssl_cert_file}
+ ca_file: ${_param:rabbitmq_cinder_ssl_ca_file}
+ user: cinder
+ group: cinder
+ mode: 640
diff --git a/salt/minion/cert/rabbitmq/clients/openstack/glance.yml b/salt/minion/cert/rabbitmq/clients/openstack/glance.yml
new file mode 100644
index 0000000..94749ae
--- /dev/null
+++ b/salt/minion/cert/rabbitmq/clients/openstack/glance.yml
@@ -0,0 +1,27 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ rabbitmq_glance_client_ssl_key_file: /etc/glance/ssl/rabbitmq/client-key.pem
+ rabbitmq_glance_client_ssl_cert_file: /etc/glance/ssl/rabbitmq/client-cert.pem
+ rabbitmq_glance_ssl_ca_file: /etc/glance/ssl/rabbitmq/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ rabbitmq-glance-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: rabbitmq-glance-client
+ signing_policy: cert_client
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:rabbitmq_glance_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_glance_client_ssl_cert_file}
+ ca_file: ${_param:rabbitmq_glance_ssl_ca_file}
+ user: glance
+ group: glance
+ mode: 640
diff --git a/salt/minion/cert/rabbitmq/clients/openstack/heat.yml b/salt/minion/cert/rabbitmq/clients/openstack/heat.yml
new file mode 100644
index 0000000..e69ab14
--- /dev/null
+++ b/salt/minion/cert/rabbitmq/clients/openstack/heat.yml
@@ -0,0 +1,27 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ rabbitmq_heat_client_ssl_key_file: /etc/heat/ssl/rabbitmq/client-key.pem
+ rabbitmq_heat_client_ssl_cert_file: /etc/heat/ssl/rabbitmq/client-cert.pem
+ rabbitmq_heat_ssl_ca_file: /etc/heat/ssl/rabbitmq/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ rabbitmq-heat-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: rabbitmq-heat-client
+ signing_policy: cert_client
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:rabbitmq_heat_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_heat_client_ssl_cert_file}
+ ca_file: ${_param:rabbitmq_heat_ssl_ca_file}
+ user: heat
+ group: heat
+ mode: 640
diff --git a/salt/minion/cert/rabbitmq/clients/openstack/keystone.yml b/salt/minion/cert/rabbitmq/clients/openstack/keystone.yml
new file mode 100644
index 0000000..8261f73
--- /dev/null
+++ b/salt/minion/cert/rabbitmq/clients/openstack/keystone.yml
@@ -0,0 +1,27 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ rabbitmq_keystone_client_ssl_key_file: /etc/keystone/ssl/rabbitmq/client-key.pem
+ rabbitmq_keystone_client_ssl_cert_file: /etc/keystone/ssl/rabbitmq/client-cert.pem
+ rabbitmq_keystone_ssl_ca_file: /etc/keystone/ssl/rabbitmq/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ rabbitmq-keystone-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: rabbitmq-keystone-client
+ signing_policy: cert_client
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:rabbitmq_keystone_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_keystone_client_ssl_cert_file}
+ ca_file: ${_param:rabbitmq_keystone_ssl_ca_file}
+ user: keystone
+ group: keystone
+ mode: 640