Merge the tip of origin/release/proposed/2019.2.0 into origin/release/2019.2.0

cc12a442 Pass in Alerta authentication details for Alertmanager to send alerts with
839491ed Pass in Alerta authentication details for Alertmanager to send alerts with
95355be3 Fix key-checking in events extracted from RabbitMQ
d68289f2 Fix typo in CIDR
c71fadcf Add pillars for keystone restore
e964e56e Add restore-backup functionality for keystone credential keys
195a671d Pin 2019.2.12 tag for cvp-sanity-tests image
be81777c Add backup functionality for keystone credentials
b4f495b8 Add srudyka user to 'services' team
e5e17b48 Add octavia_amphora_image to mine
00641c22 Bump Contrail packages to 2019.2.12
046b5a27 Bump telegraf image
dabb4fc5 Enable galeracheck
f4dde6a6 Add jenkins job for purging Openstack DB
1fb2367f Enable Alerta authentication by default.
62c107d7 Align queries with the requirements
981d465a Add second ssh key for vdrok

Change-Id: Ic708bb4fe6a46837d2c01bcd9f85e668b52878d2
diff --git a/defaults/docker_images.yml b/defaults/docker_images.yml
index ad876e2..bd82083 100644
--- a/defaults/docker_images.yml
+++ b/defaults/docker_images.yml
@@ -25,7 +25,7 @@
     docker_image_operations_api: "${_param:mcp_docker_registry}/mirantis/model-generator/operations-api:2019.2.6"
     docker_image_operations_ui: "${_param:mcp_docker_registry}/mirantis/model-generator/operations-ui:2019.2.6"
     # OpenContrail
-    opencontrail_docker_image_tag: "2019.2.11"
+    opencontrail_docker_image_tag: "2019.2.12"
     # stacklight
     # locally forked v7.4.4, updated 2020-08-06
     docker_image_alerta: "${_param:mcp_docker_registry}/openstack-docker/alerta:2019.2.11"
@@ -37,7 +37,7 @@
     docker_image_prometheus_gainsight_elasticsearch: "${_param:mcp_docker_registry}/openstack-docker/gainsight_elasticsearch:2019.2.6"
     docker_image_prometheus_relay: "${_param:mcp_docker_registry}/openstack-docker/prometheus-relay:2019.2.11"
     docker_image_pushgateway: "${_param:mcp_docker_registry}/openstack-docker/pushgateway:2019.2.6"
-    docker_image_remote_agent: "${_param:mcp_docker_registry}/openstack-docker/telegraf:2019.2.11"
+    docker_image_remote_agent: "${_param:mcp_docker_registry}/openstack-docker/telegraf:2019.2.12"
     docker_image_remote_collector: "${_param:mcp_docker_registry}/openstack-docker/heka:2019.2.6"
     docker_image_remote_storage_adapter: "${_param:mcp_docker_registry}/openstack-docker/remote_storage_adapter:2019.2.6"
     docker_image_sf_notifier: "${_param:mcp_docker_registry}/openstack-docker/sf_notifier:2019.2.4"
@@ -47,7 +47,7 @@
     docker_image_keycloak_server: "${_param:mcp_docker_registry}/mirantis/external/jboss/keycloak:4.5.0.Final"
     docker_image_keycloak_proxy: "${_param:mcp_docker_registry}/mirantis/external/jboss/keycloak:3.4.2.Final"
     # CVP
-    docker_image_cvp_sanity_checks: "${_param:mcp_docker_registry}/mirantis/cvp/cvp-sanity-checks:2019.2.11"
+    docker_image_cvp_sanity_checks: "${_param:mcp_docker_registry}/mirantis/cvp/cvp-sanity-checks:2019.2.12"
     docker_image_cvp_tempest: "${_param:mcp_docker_registry}/mirantis/cicd/ci-tempest:${_param:openstack_version}"
     docker_image_cvp_shaker_checks: "${_param:mcp_docker_registry}/mirantis/cvp/cvp-shaker:2019.2.3"
     docker_image_cvp_rally: "${_param:mcp_docker_registry}/mirantis/cvp/cvp-rally:2019.2.5"
@@ -133,7 +133,7 @@
           name: sf-reporter:2019.2.9
         - registry: ${_param:mcp_docker_registry}/openstack-docker
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/openstack-docker
-          name: telegraf:2019.2.11
+          name: telegraf:2019.2.12
         - registry: ${_param:mcp_docker_registry}/openstack-docker
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/openstack-docker
           name: remote_storage_adapter:2019.2.6
@@ -182,7 +182,7 @@
           name: cvp-shaker:2019.2.3
         - registry: ${_param:mcp_docker_registry}/mirantis/cvp
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/cvp
-          name: cvp-sanity-checks:2019.2.11
+          name: cvp-sanity-checks:2019.2.12
         - registry: ${_param:mcp_docker_registry}/mirantis/external/xrally
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/external/xrally
           name: xrally-openstack:0.11.2
diff --git a/docker/swarm/stack/monitoring/alerta.yml b/docker/swarm/stack/monitoring/alerta.yml
index ac16a2b..bec608c 100644
--- a/docker/swarm/stack/monitoring/alerta.yml
+++ b/docker/swarm/stack/monitoring/alerta.yml
@@ -27,8 +27,10 @@
                 - ${prometheus:alerta:config_dir}/alerta.conf:/web/config.js
                 - ${prometheus:alerta:config_dir}/alertad.conf:/app/alertad.conf
               environment:
+                ADMIN_KEY: ${_param:alerta_admin_key}
                 ADMIN_USERS: ${_param:alerta_admin_username}
                 ADMIN_PASSWORD_FILE: "/run/secrets/alerta"
+                AUTH_REQUIRED: "True"
                 MONGO_URI: ${_param:alerta_mongodb_uri}
                 PLUGINS: ""
               secrets:
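Review bot: `ADMIN_KEY` is injected as a plain environment value on the added line, while the admin password two lines below is read from `/run/secrets/alerta`. Environment values are readable through service and container inspection, so the admin API key ends up less protected than the password. If the image offers no file-based way to supply the key, record that next to the line, e.g. `# admin API key; visible in service inspect, rotate via alerta_admin_key`. The hunk also introduces `${_param:alerta_admin_key}` without a visible default, so models that include this class presumably need that parameter defined for interpolation to succeed. The service definition starts and ends outside the hunk.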
diff --git a/fluentd/label/notifications/input_rabbitmq.yml b/fluentd/label/notifications/input_rabbitmq.yml
index 7f97648..6f846ac 100644
--- a/fluentd/label/notifications/input_rabbitmq.yml
+++ b/fluentd/label/notifications/input_rabbitmq.yml
@@ -83,7 +83,7 @@
                 enable_ruby: true
                 record:
                   - name: notification_type
-                    value: '${fluentd:dollar}{ record["payload"]["eventType"] && record["payload"]["eventTime"] ? "audit" : "notification" }'
+                    value: '${fluentd:dollar}{ record["payload"].key?("eventType") && record["payload"].key?("eventTime") ? "audit" : "notification" }'
             match:
               rewrite_message_tag:
                 tag: raw_notifications
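Review bot: The new expression calls `.key?` on `record["payload"]` without checking its type, so a payload that is nil or a string raises NoMethodError inside the filter instead of falling through to "notification" (the old `[]` lookup at least tolerated a string payload). A type guard keeps the classification total: `record["payload"].is_a?(Hash) && record["payload"].key?("eventType") && record["payload"].key?("eventTime") ? "audit" : "notification"`. `key?` is also true for a key whose value is nil, so events with an empty `eventType` are now tagged as audit; say so in a comment if that is intended. The filter block starts outside the hunk.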
diff --git a/galera/server/cluster.yml b/galera/server/cluster.yml
index a4b3f0a..2dd5962 100644
--- a/galera/server/cluster.yml
+++ b/galera/server/cluster.yml
@@ -3,3 +3,4 @@
 - system.haproxy.proxy.listen.openstack.galera
 - system.keepalived.cluster.instance.galera_vip
 - system.galera.upgrade
+- system.galera.server.clustercheck
diff --git a/glance/client/image/octavia.yml b/glance/client/image/octavia.yml
index 2a00375..c09af34 100644
--- a/glance/client/image/octavia.yml
+++ b/glance/client/image/octavia.yml
@@ -25,3 +25,7 @@
           glanceng.get_image_owner_id:
             - ${_param:amphora_image_name}
             - 'admin_identity'
+          octavia_amphora_image:
+            mine_function: glancev2.image_get_details
+            name: ${_param:amphora_image_name}
+            cloud_name: 'admin_identity'
diff --git a/haproxy/proxy/listen/openstack/galera/init.yml b/haproxy/proxy/listen/openstack/galera/init.yml
index 1dd1a1c..9f210d4 100644
--- a/haproxy/proxy/listen/openstack/galera/init.yml
+++ b/haproxy/proxy/listen/openstack/galera/init.yml
@@ -1,6 +1,6 @@
 parameters:
   _param:
-    haproxy_params_check: 'check'
+    haproxy_params_check: 'check port 9200'
   haproxy:
     proxy:
       listen:
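Review bot: `haproxy_params_check` now hard-codes `check port 9200`, so every model that includes this class sends health checks to a listener that presumably exists only where `system.galera.server.clustercheck` is applied. In this commit that class is added only in `galera/server/cluster.yml`. A deployment that pulls in this proxy class without it would see all three backends marked down. A comment above the parameter would make the dependency explicit: `# requires the clustercheck listener on port 9200 (system.galera.server.clustercheck)`. The `haproxy` mapping continues outside the hunk.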
@@ -15,12 +15,16 @@
           - name: ${_param:cluster_node01_hostname}
             host: ${_param:cluster_node01_address}
             port: 3306
-            params: ${_param:haproxy_params_check} inter 20s fastinter 2s downinter 2s rise 3 fall 3
+            params: ${_param:haproxy_params_check} inter 20s fastinter 2s downinter 2s rise 3 fall 3 on-marked-down shutdown-sessions
           - name: ${_param:cluster_node02_hostname}
             host: ${_param:cluster_node02_address}
             port: 3306
-            params: backup ${_param:haproxy_params_check} inter 20s fastinter 2s downinter 2s rise 3 fall 3
+            params: backup ${_param:haproxy_params_check} inter 20s fastinter 2s downinter 2s rise 3 fall 3 on-marked-down shutdown-sessions
           - name: ${_param:cluster_node03_hostname}
             host: ${_param:cluster_node03_address}
             port: 3306
-            params: backup ${_param:haproxy_params_check} inter 20s fastinter 2s downinter 2s rise 3 fall 3
+            params: backup ${_param:haproxy_params_check} inter 20s fastinter 2s downinter 2s rise 3 fall 3 on-marked-down shutdown-sessions
+          health-check:
+            mysql:
+              enabled: False
+
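Review bot: The mysql health check is switched off at the end of the hunk, but nothing visible here turns the port-9200 probe into an HTTP check. With a bare `check port 9200` HAProxy only tests that the TCP port accepts a connection, so a clustercheck responder that answers 503 for a desynced node would still count as up. Confirm that the listen section renders `option httpchk` (it may be set outside the hunk); otherwise `on-marked-down shutdown-sessions` will not trigger for a node that is reachable but out of sync. Two style points on the added lines: write `enabled: false` in lowercase as other files in this change do, and drop the trailing blank line.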
diff --git a/horizon/server/iptables.yml b/horizon/server/iptables.yml
index 4836feb..e25fad8 100644
--- a/horizon/server/iptables.yml
+++ b/horizon/server/iptables.yml
@@ -36,7 +36,7 @@
                   action: REJECT
                 501:
                   # 501-503 disable private networks
-                  rule: --dst 10.0.0.0/16
+                  rule: --dst 10.0.0.0/8
                   action: REJECT
                 502:
                   rule: --dst 172.16.0.0/12
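Review bot: Widening rule 501 to `10.0.0.0/8` makes it reject every 10.x destination, so any API endpoint, database or cache this node reaches in that range now depends on an ACCEPT rule that is evaluated earlier (presumably one with a lower number). Those rules are outside the hunk and should be checked before rollout. The existing comment could state the ordering requirement, e.g. `# 501-503 reject RFC 1918 destinations; required internal endpoints must be accepted by earlier rules`. Rule 503 is not visible here, so whether 192.168.0.0/16 is covered cannot be confirmed from the hunk.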
diff --git a/jenkins/client/job/deploy/backupninja_backup.yml b/jenkins/client/job/deploy/backupninja_backup.yml
index 1089cfa..5473c1f 100644
--- a/jenkins/client/job/deploy/backupninja_backup.yml
+++ b/jenkins/client/job/deploy/backupninja_backup.yml
@@ -32,6 +32,9 @@
             BACKUP_DOGTAG:
               type: boolean
               default: 'true'
+            BACKUP_KEYSTONE_CREDENTIAL_KEYS:
+              type: boolean
+              default: 'true'
           trigger:
             timer:
               enabled: false
diff --git a/jenkins/client/job/deploy/backupninja_restore.yml b/jenkins/client/job/deploy/backupninja_restore.yml
index 76a594e..14c28ac 100644
--- a/jenkins/client/job/deploy/backupninja_restore.yml
+++ b/jenkins/client/job/deploy/backupninja_restore.yml
@@ -30,3 +30,6 @@
             RESTORE_DOGTAG:
               type: boolean
               default: 'true'
+            RESTORE_KEYSTONE_CREDENTIAL_KEYS:
+              type: boolean
+              default: 'true'
diff --git a/jenkins/client/job/deploy/cleanup.yml b/jenkins/client/job/deploy/cleanup.yml
new file mode 100644
index 0000000..1d0a2b6
--- /dev/null
+++ b/jenkins/client/job/deploy/cleanup.yml
@@ -0,0 +1,25 @@
+parameters:
+  jenkins:
+    client:
+      job:
+        openstack_database_cleanup:
+          type: workflow-scm
+          name: openstack-database-cleanup
+          display_name: "Deploy - Openstack Database Cleanup"
+          discard:
+            build:
+              keep_num: 50
+          concurrent: true
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: ${_param:jenkins_gerrit_credentials}
+            script: openstack-database-cleanup.groovy
+          param:
+            SALT_MASTER_CREDENTIALS:
+              type: string
+              default: "salt"
+            SALT_MASTER_URL:
+              type: string
+              default: "${_param:jenkins_salt_api_url}"
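Review bot: The new job sets `concurrent: true` although, going by the commit title, it purges OpenStack databases. Two overlapping runs against the same environment could delete in parallel and leave an unclear record of which run removed what, so `concurrent: false` is the safer default for a destructive job. The job exposes only the Salt connection parameters, so the scope of what `openstack-database-cleanup.groovy` deletes is neither visible nor limitable from this definition. A comment at the top of the file stating what the pipeline removes would help operators before they trigger it.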
diff --git a/jenkins/client/job/deploy/update/init.yml b/jenkins/client/job/deploy/update/init.yml
index 7abffec..c0dc152 100644
--- a/jenkins/client/job/deploy/update/init.yml
+++ b/jenkins/client/job/deploy/update/init.yml
@@ -26,3 +26,4 @@
   - system.jenkins.client.job.deploy.update.update_glusterfs_servers
   - system.jenkins.client.job.deploy.update.update_glusterfs_clients
   - system.jenkins.client.job.deploy.update.update_glusterfs_cluster_op_version
+  - system.jenkins.client.job.deploy.cleanup
diff --git a/keystone/server/fernet_rotation/cluster.yml b/keystone/server/fernet_rotation/cluster.yml
index cf7b328..4db82cc 100644
--- a/keystone/server/fernet_rotation/cluster.yml
+++ b/keystone/server/fernet_rotation/cluster.yml
@@ -1,9 +1,17 @@
+classes:
+- system.backupninja.client.single
+- system.openssh.client.root
 parameters:
   _param:
     fernet_rotation_driver: 'rsync'
     credential_rotation_driver: 'rsync'
+    openstack_control_node01_hostname: ctl01
   keystone:
     server:
+      initial_data:
+        home_dir: /srv/volumes/backup/backupninja
+        host: ${_param:openstack_control_node01_hostname}.${_param:cluster_domain}
+        source: ${_param:infra_kvm_node03_address}
       tokens:
         fernet_sync_nodes_list:
           sync_node01:
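Review bot: The added `initial_data` block together with `system.openssh.client.root` appears to have keystone nodes pull credential keys from `infra_kvm_node03_address` as root. That makes one KVM host a store of key material and a root SSH peer of the control plane, and nothing in the hunk documents who may read `/srv/volumes/backup/backupninja` there. A comment above `initial_data` should state the expectation, e.g. `# restore source for credential keys; the backup directory on kvm03 must be readable by root only`. `openstack_control_node01_hostname: ctl01` is a hard-coded default that cluster models with other host names must override. The same lines are added in `keystone/server/fernet_rotation/single.yml`.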
@@ -44,3 +52,10 @@
           user: keystone
           hour: 0
           minute: 0
+  backupninja:
+    client:
+      target:
+        home_dir: /srv/volumes/backup/backupninja
+        engine: rsync
+        engine_opts: "-av --delete --recursive --safe-links"
+        host: ${_param:infra_kvm_node03_address}
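Review bot: `engine_opts` includes `--delete`, so an empty or damaged key directory on the source is mirrored to the backup target on the next run and the backed-up credential keys are removed with it. For key material, a backup that keeps previous generations is safer; dropping the flag (`engine_opts: "-av --recursive --safe-links"`) or relying on rotation on the target avoids that. Defining `backupninja.client.target` inside a keystone class also sets the backup target for everything else backupninja handles on the node, which may surprise models that already configure one. The identical block is added in `keystone/server/fernet_rotation/single.yml`.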
diff --git a/keystone/server/fernet_rotation/single.yml b/keystone/server/fernet_rotation/single.yml
index 7514086..4bd09e9 100644
--- a/keystone/server/fernet_rotation/single.yml
+++ b/keystone/server/fernet_rotation/single.yml
@@ -1,9 +1,17 @@
+classes:
+- system.backupninja.client.single
+- system.openssh.client.root
 parameters:
   _param:
+    openstack_control_node01_hostname: ctl01
     fernet_rotation_driver: 'rsync'
     credential_rotation_driver: 'rsync'
   keystone:
     server:
+      initial_data:
+        home_dir: /srv/volumes/backup/backupninja
+        host: ${_param:openstack_control_node01_hostname}.${_param:cluster_domain}
+        source: ${_param:infra_kvm_node03_address}
       tokens:
         fernet_rotation_driver: ${_param:fernet_rotation_driver}
       credential:
@@ -30,3 +38,10 @@
           user: keystone
           hour: 0
           minute: 0
+  backupninja:
+    client:
+      target:
+        home_dir: /srv/volumes/backup/backupninja
+        engine: rsync
+        engine_opts: "-av --delete --recursive --safe-links"
+        host: ${_param:infra_kvm_node03_address}
diff --git a/openssh/server/team/members/srudyka.yml b/openssh/server/team/members/srudyka.yml
new file mode 100644
index 0000000..0321ea4
--- /dev/null
+++ b/openssh/server/team/members/srudyka.yml
@@ -0,0 +1,20 @@
+parameters:
+  linux:
+    system:
+      user:
+        srudyka:
+          email: srudyka@mirantis.com
+          enabled: true
+          full_name: Sergii Rudyka
+          home: /home/srudyka
+          name: srudyka
+          email: srudyka@mirantis.com
+          sudo: ${_param:linux_system_user_sudo}
+  openssh:
+    server:
+      user:
+        srudyka:
+          enabled: true
+          public_keys:
+          - key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGps6KXDEuWoTRAMkCPQI/sDaLcPwnq0fDgKSTjqBd1N 
+          user: ${linux:system:user:srudyka}
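Review bot: The `srudyka` user mapping defines `email` twice (once before `enabled` and again after `name`); duplicate keys are invalid YAML and most loaders silently keep the last one, so the second line should be removed. The `key:` line ends with a trailing space that linters will flag. The key also carries no comment field, which makes it harder to match an `authorized_keys` entry to its owner during an access review; the form `ssh-ed25519 <key> srudyka@<host>` would fix that. Since the context lines of `openssh/server/team/services.yml` show `linux_system_user_sudo: true`, this file grants sudo wherever that team class is included.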
diff --git a/openssh/server/team/members/vdrok.yml b/openssh/server/team/members/vdrok.yml
index 6f6cbba..3c2485b 100644
--- a/openssh/server/team/members/vdrok.yml
+++ b/openssh/server/team/members/vdrok.yml
@@ -16,4 +16,5 @@
           enabled: true
           public_keys:
           - key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpnn6IyistbIGnzeV3DOWR+u/QLl1cuQspwuvcl1FxeZljkdIgLXcNVzFaFHSX+rOgrOLpcFf3X+dwnB55EoUDj85IOwKz1tVoD5Df42xZMnmjnvOaAScVTStrdcWxzpB6bWt/+GWpt1br3pLpTjqZxa1YipT7tz6bs7cNKplvQuBaoYeG/x9ycRhLIhYXFYOtHD/lxwTRqHnvpwdNKRYPtfakR/kaeZEaYQoJlVcAq0AKzws8l87InoWnjGo/NrBJTvgiLQPYw6uJ9mf17p2GVv1JGCbEpPKnRLyIitdwCFjYEwAKoSsisf2TdH9iY1DWwJEuPzsvjM2ZCPcc7baV vlad@carbon
+          - key: ssh-rsa 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 vdrok@Vladyslavs-MacBook-Pro.local
           user: ${linux:system:user:vdrok}
diff --git a/openssh/server/team/services.yml b/openssh/server/team/services.yml
index 1cd16bc..3a2a2d3 100644
--- a/openssh/server/team/services.yml
+++ b/openssh/server/team/services.yml
@@ -19,6 +19,7 @@
 - system.openssh.server.team.members.vkuspits
 - system.openssh.server.team.members.yisakov
 - system.openssh.server.team.members.wnawrot
+- system.openssh.server.team.members.srudyka
 parameters:
   _param:
     linux_system_user_sudo: true
diff --git a/prometheus/alerta/init.yml b/prometheus/alerta/init.yml
index 6e16b63..2e82f44 100644
--- a/prometheus/alerta/init.yml
+++ b/prometheus/alerta/init.yml
@@ -1,5 +1,5 @@
 classes:
-  - service.prometheus.alerta
+- service.prometheus.alerta
 parameters:
   prometheus:
     alerta:
diff --git a/prometheus/alertmanager/notification/alerta.yml b/prometheus/alertmanager/notification/alerta.yml
index 816aaf6..729aa26 100644
--- a/prometheus/alertmanager/notification/alerta.yml
+++ b/prometheus/alertmanager/notification/alerta.yml
@@ -16,5 +16,5 @@
             enabled: true
             webhook_configs:
               alerta:
-                url: "http://${_param:alertmanager_notification_alerta_host}:${_param:alertmanager_notification_alerta_port}/api/webhooks/prometheus"
+                url: "http://${_param:alertmanager_notification_alerta_host}:${_param:alertmanager_notification_alerta_port}/api/webhooks/prometheus?api-key=${_param:alerta_admin_key}"
                 send_resolved: true
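Review bot: The webhook URL now carries `alerta_admin_key` in the query string of an `http://` URL, so the admin API key crosses the network in clear text and is likely to be recorded wherever the URL is written out (the rendered Alertmanager configuration, proxy and access logs). Alertmanager only needs to post alerts, so a dedicated key limited to that purpose, passed through its own parameter such as `${_param:alertmanager_notification_alerta_api_key}` (name constructed for illustration), would limit what a leaked URL gives away. If the formula allows it, sending the key in a request header instead of the URL is preferable. The receiver definition starts outside the hunk.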
diff --git a/prometheus/gainsight/query/openstack.yml b/prometheus/gainsight/query/openstack.yml
index daed58e..838b814 100644
--- a/prometheus/gainsight/query/openstack.yml
+++ b/prometheus/gainsight/query/openstack.yml
@@ -2,15 +2,15 @@
   prometheus:
     gainsight:
       queries:
-        vcpu_used: "'vCPU Used','avg(sum(avg_over_time(openstack_nova_used_vcpus[24h])) by (instance))'"
-        vcpu_free: "'vCPU Free','avg(sum(avg_over_time(openstack_nova_free_vcpus[24h])) by (instance))'"
-        vstorage_used: "'vStorage Used','avg(sum(avg_over_time(openstack_nova_used_disk[24h])) by (instance))'"
-        vstorage_free: "'vStorage Free','avg(sum(avg_over_time(openstack_nova_free_disk[24h])) by (instance))'"
-        vram_used: "'vRAM Used','avg(sum(avg_over_time(openstack_nova_used_ram[24h])) by (instance))'"
-        vram_free: "'vRAM Free','avg(sum(avg_over_time(openstack_nova_free_ram[24h])) by (instance))'"
-        instances: "'Instances','avg(sum(avg_over_time(openstack_nova_instances{state=\"active\"}[24h])) by (instance))'"
-        compute_nodes: "'Compute Nodes','avg(sum(openstack_nova_services{binary=~\"nova.compute\"}) by (instance))'"
-        tenants: "'Tenants','avg(sum(avg_over_time(openstack_keystone_tenants_total[24h])) by (instance))'"
+        vcpu_used: "'vCPU Used','max(sum by (instance) (avg_over_time(openstack_nova_used_vcpus[24h]) and on (hostname) (openstack_nova_service_status == 1 and openstack_nova_service_state == 1)))'"
+        vcpu_free: "'vCPU Free','max(sum by (instance) (avg_over_time(openstack_nova_free_vcpus[24h]) and on (hostname) (openstack_nova_service_status == 1 and openstack_nova_service_state == 1)))'"
+        vstorage_used: "'vStorage Used','max(sum by (instance) (avg_over_time(openstack_nova_used_disk[24h]) and on (hostname) (openstack_nova_service_status == 1 and openstack_nova_service_state == 1)))'"
+        vstorage_free: "'vStorage Free','max(sum by (instance) (avg_over_time(openstack_nova_free_disk[24h]) and on (hostname) (openstack_nova_service_status == 1 and openstack_nova_service_state == 1)))'"
+        vram_used: "'vRAM Used','max(sum by (instance) (avg_over_time(openstack_nova_used_ram[24h]) and on (hostname) (openstack_nova_service_status == 1 and openstack_nova_service_state == 1)))'"
+        vram_free: "'vRAM Free','max(sum by (instance) (avg_over_time(openstack_nova_free_ram[24h]) and on (hostname) (openstack_nova_service_status == 1 and openstack_nova_service_state == 1)))'"
+        instances: "'Instances','ceil(max(avg_over_time(openstack_nova_instances{state=\"active\"}[24h])))'"
+        compute_nodes: "'Compute Nodes','max(sum by (instance) (openstack_nova_services{binary=~\"nova.compute\"}))'"
+        tenants: "'Tenants','ceil(max(avg_over_time(openstack_keystone_tenants_total[24h])))'"
         cinder_api: "'Cinder API','avg_over_time(service_name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{service_name=\"cinderv2\"}[24h]) * 100'"
         nova_api: "'Nova API','avg_over_time(service_name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{service_name=\"nova\"}[24h]) * 100'"
         keystone_api: "'Keystone API','avg_over_time(service_name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{service_name=\"keystone\"}[24h]) * 100'"