Merge "Add Gnocchi datasource for Grafana"
diff --git a/barbican/server/cluster.yml b/barbican/server/cluster.yml
index 81ee5af..aac0400 100644
--- a/barbican/server/cluster.yml
+++ b/barbican/server/cluster.yml
@@ -1,9 +1,12 @@
classes:
- service.barbican.server.cluster
- system.haproxy.proxy.listen.openstack.barbican
+- system.salt.minion.cert.mysql.clients.openstack.barbican
parameters:
_param:
cluster_internal_protocol: 'http'
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
barbican:
server:
role: ${_param:openstack_node_role}
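Review bot: Both `openstack_mysql_x509_enabled` and `galera_ssl_enabled` default to `False` here, so a node that includes this class still talks to MySQL without TLS unless the deployment overrides them. Barbican is the key-management service, so that opt-in should be stated next to the defaults. I would add a comment above the two parameters such as `# MySQL TLS is off by default; set both to true and include system.galera.server.database.x509.barbican to enforce it`. The `mysql_barbican_ssl_ca_file` and client key/cert parameters referenced by the next hunk are not defined anywhere in this diff and presumably come from the newly added `system.salt.minion.cert.mysql.clients.openstack.barbican` class, which is worth confirming. The same defaults appear in barbican/server/single.yml and in gnocchi/common/cluster.yml and single.yml; lowercase `false` would also match the booleans used elsewhere in this change.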
@@ -11,3 +14,16 @@
protocol: ${_param:cluster_internal_protocol}
database:
host: ${_param:openstack_database_address}
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_barbican_ssl_ca_file}
+ key_file: ${_param:mysql_barbican_client_ssl_key_file}
+ cert_file: ${_param:mysql_barbican_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ linux:
+ system:
+ package:
+ python-pymysql:
+ fromrepo: ${_param:openstack_version}
+ version: latest
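Review bot: `version: latest` on `python-pymysql` leaves the database driver unpinned, so the installed version depends on whatever `${_param:openstack_version}` repo serves at the time of each state run. That makes two nodes built on different days differ, and an unreviewed package update reaches the Barbican hosts without a model change. Consider taking the version from a `_param` (name to be chosen) with a pinned default, or add a comment explaining why tracking latest is intended. The same stanza is added in barbican/server/single.yml and designate/server/cluster/default.yml; the enclosing `parameters` mapping starts outside this hunk.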
diff --git a/barbican/server/single.yml b/barbican/server/single.yml
index b115e79..6bed260 100644
--- a/barbican/server/single.yml
+++ b/barbican/server/single.yml
@@ -1,10 +1,27 @@
classes:
- service.barbican.server.single
+- system.salt.minion.cert.mysql.clients.openstack.barbican
parameters:
_param:
internal_protocol: 'http'
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
barbican:
server:
+ database:
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_barbican_ssl_ca_file}
+ key_file: ${_param:mysql_barbican_client_ssl_key_file}
+ cert_file: ${_param:mysql_barbican_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
role: ${_param:openstack_node_role}
identity:
protocol: ${_param:internal_protocol}
+ linux:
+ system:
+ package:
+ python-pymysql:
+ fromrepo: ${_param:openstack_version}
+ version: latest
diff --git a/bind/server/cluster.yml b/bind/server/cluster.yml
new file mode 100644
index 0000000..1f9e943
--- /dev/null
+++ b/bind/server/cluster.yml
@@ -0,0 +1,37 @@
+classes:
+- service.bind.server.single
+parameters:
+ _param:
+ mgmt_allow_node01_address: ${_param:openstack_control_node01_address}
+ mgmt_allow_node02_address: ${_param:openstack_control_node02_address}
+ mgmt_allow_node03_address: ${_param:openstack_control_node03_address}
+ bind:
+ server:
+ key:
+ mgmt:
+ secret: "${_param:bind9_mgmt_rndc_key}"
+ algorithm: "${_param:bind9_mgmt_rndc_algorithm}"
+ allow_new_zones: true
+ query: true
+ # for local server management /etc/bind/rndc.key
+ # generated by bind9 package postinstall script
+ # will be used
+ control:
+ local:
+ enabled: true
+ bind:
+ address: 127.0.0.1
+ port: 953
+ allow:
+ - 127.0.0.1
+ mgmt:
+ enabled: true
+ bind:
+ address: ${_param:single_address}
+ port: 953
+ allow:
+ - ${_param:mgmt_allow_node01_address}
+ - ${_param:mgmt_allow_node02_address}
+ - ${_param:mgmt_allow_node03_address}
+ keys:
+ - mgmt
\ No newline at end of file
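Review bot: `bind9_mgmt_rndc_algorithm` is referenced for the `mgmt` key but gets no default in this file, unlike designate/server/cluster/bind.yml in the same change, which sets `designate_bind9_rndc_algorithm: hmac-sha512`. This key authenticates the rndc control channel bound to `${_param:single_address}` port 953, and with `allow_new_zones: true` its holders can presumably add zones, so a strong HMAC should be the default rather than left to each deployment. I would add `bind9_mgmt_rndc_algorithm: hmac-sha512` under `_param`. A short comment on the `mgmt` control stanza saying that only the three control nodes are allowed and that the key is mandatory would also help, and the file is missing its final newline.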
diff --git a/designate/server/backend/bind.yml b/designate/server/backend/bind.yml
index 823d52d..bbce637 100644
--- a/designate/server/backend/bind.yml
+++ b/designate/server/backend/bind.yml
@@ -38,4 +38,4 @@
key:
designate:
secret: "${_param:designate_bind9_rndc_key}"
- algorithm: "${_param:designate_bind9_rndc_algorithm}"
+ algorithm: "${_param:designate_bind9_rndc_algorithm}"
\ No newline at end of file
diff --git a/designate/server/backend/pdns.yml b/designate/server/backend/pdns.yml
index 45ad0b7..151ef10 100644
--- a/designate/server/backend/pdns.yml
+++ b/designate/server/backend/pdns.yml
@@ -23,4 +23,4 @@
enabled: true
address: ${_param:single_address}
port: ${_param:powerdns_webserver_port}
- password: ${_param:powerdns_webserver_password}
+ password: ${_param:powerdns_webserver_password}
\ No newline at end of file
diff --git a/designate/server/cluster/bind.yml b/designate/server/cluster/bind.yml
new file mode 100644
index 0000000..39c802b
--- /dev/null
+++ b/designate/server/cluster/bind.yml
@@ -0,0 +1,39 @@
+classes:
+ - system.designate.server.cluster.default
+parameters:
+ _param:
+ designate_bind9_rndc_algorithm: hmac-sha512
+ designate:
+ worker:
+ enabled: true
+ server:
+ backend:
+ bind9:
+ rndc_key: "${_param:designate_bind9_rndc_key}"
+ rndc_algorithm: "${_param:designate_bind9_rndc_algorithm}"
+ pools:
+ default:
+ description: 'default pool'
+ ns_records: ${_param:designate_pool_ns_records}
+ nameservers: ${_param:designate_pool_nameservers}
+ targets:
+ default01:
+ type: bind9
+ description: 'default target01'
+ masters: ${_param:designate_pool_target_masters}
+ options:
+ host: ${_param:openstack_dns_node01_address}
+ port: 53
+ rndc_host: ${_param:openstack_dns_node01_address}
+ rndc_port: 953
+ rndc_key_file: /etc/designate/rndc.key
+ default02:
+ type: bind9
+ description: 'default target02'
+ masters: ${_param:designate_pool_target_masters}
+ options:
+ host: ${_param:openstack_dns_node02_address}
+ port: 53
+ rndc_host: ${_param:openstack_dns_node02_address}
+ rndc_port: 953
+ rndc_key_file: /etc/designate/rndc.key
\ No newline at end of file
diff --git a/designate/server/cluster/default.yml b/designate/server/cluster/default.yml
new file mode 100644
index 0000000..de2eb43
--- /dev/null
+++ b/designate/server/cluster/default.yml
@@ -0,0 +1,59 @@
+classes:
+- service.keepalived.cluster.single
+- service.haproxy.proxy.single
+- system.haproxy.proxy.listen.openstack.designate
+- service.designate.server.cluster
+parameters:
+ _param:
+ designate_admin_api_enabled: false
+ cluster_internal_protocol: 'http'
+ linux:
+ system:
+ package:
+ python-pymysql:
+ fromrepo: ${_param:openstack_version}
+ version: latest
+ designate:
+ _support:
+ sensu:
+ enabled: false
+ server:
+ enabled: true
+ local_bind: true
+ region: ${_param:openstack_region}
+ domain_id: ${_param:designate_domain_id}
+ version: ${_param:designate_version}
+ role: ${_param:openstack_node_role}
+ admin_api:
+ enabled: ${_param:designate_admin_api_enabled}
+ enabled_extensions_admin: quotas
+ database:
+ engine: mysql
+ host: ${_param:openstack_database_address}
+ port: 3306
+ name:
+ main_database: designate
+ pool_manager: designate_pool_manager
+ user: designate
+ password: ${_param:mysql_designate_password}
+ identity:
+ engine: keystone
+ host: ${_param:openstack_control_address}
+ port: 35357
+ tenant: service
+ user: designate
+ password: ${_param:keystone_designate_password}
+ protocol: ${_param:cluster_internal_protocol}
+ bind:
+ api:
+ address: ${_param:single_address}
+ message_queue:
+ engine: rabbitmq
+ port: 5672
+ members:
+ - host: ${_param:openstack_message_queue_node01_address}
+ - host: ${_param:openstack_message_queue_node02_address}
+ - host: ${_param:openstack_message_queue_node03_address}
+ user: openstack
+ password: ${_param:rabbitmq_openstack_password}
+ virtual_host: '/openstack'
\ No newline at end of file
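Review bot: The `database` block in this new class carries a password but no `ssl` or `x509` keys, although the Barbican and Gnocchi classes added in this change both wire `galera_ssl_enabled` and `openstack_mysql_x509_enabled` into their database settings. Unless `service.designate.server.cluster` supplies them (not visible here), Designate stays on unencrypted MySQL even where the cluster enables Galera TLS. As a minimum I would add `ssl:` with `enabled: ${_param:galera_ssl_enabled}` under `database`, mirroring barbican/server/cluster.yml. `cluster_internal_protocol: 'http'` also means the Keystone service password on port 35357 travels in clear text by default, which deserves a comment telling operators to override it where internal TLS is available.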
diff --git a/designate/server/cluster/pdns.yml b/designate/server/cluster/pdns.yml
new file mode 100644
index 0000000..7d81f90
--- /dev/null
+++ b/designate/server/cluster/pdns.yml
@@ -0,0 +1,42 @@
+classes:
+ - system.designate.server.cluster.default
+parameters:
+ _param:
+ designate_pool_manager_enabled: true
+ designate_pool_manager_periodic_sync_interval: '120'
+ designate_mdns_address: 0.0.0.0
+ # required for supermasters functionality
+ designate_mdns_port: 53
+ designate:
+ pool_manager:
+ # required for supermasters functionality
+ enabled: ${_param:designate_pool_manager_enabled}
+ periodic_sync_interval: ${_param:designate_pool_manager_periodic_sync_interval}
+ server:
+ mdns:
+ address: ${_param:designate_mdns_address}
+ port: ${_param:designate_mdns_port}
+ pools:
+ default:
+ description: 'default pool'
+ ns_records: ${_param:designate_pool_ns_records}
+ nameservers: ${_param:designate_pool_nameservers}
+ targets:
+ default:
+ type: pdns4
+ description: 'default target1'
+ masters: ${_param:designate_pool_target_masters}
+ options:
+ host: ${_param:openstack_dns_node01_address}
+ port: 53
+ api_endpoint: "http://${_param:openstack_dns_node01_address}:${_param:powerdns_webserver_port}"
+ api_token: ${_param:designate_pdns_api_key}
+ default1:
+ type: pdns4
+ description: 'default target2'
+ masters: ${_param:designate_pool_target_masters}
+ options:
+ host: ${_param:openstack_dns_node02_address}
+ port: 53
+ api_endpoint: "http://${_param:openstack_dns_node02_address}:${_param:powerdns_webserver_port}"
+ api_token: ${_param:designate_pdns_api_key}
\ No newline at end of file
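Review bot: Both `api_endpoint` values hard-code the `http://` scheme while the very next key passes `api_token: ${_param:designate_pdns_api_key}`, so the PowerDNS API key is sent in clear text between the Designate and DNS nodes. The scheme should come from a parameter (a new one, name to be chosen) so deployments that front the PowerDNS webserver with TLS can switch without copying the whole pool definition. Separately, `designate_mdns_address: 0.0.0.0` makes mdns listen on every interface, and the `# required for supermasters functionality` comment sits above `designate_mdns_port`, so it is unclear which setting it justifies. I would move the comment above the line it describes and state whether binding to all interfaces is actually required.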
diff --git a/galera/server/database/manila.yml b/galera/server/database/manila.yml
index 3339b83..d233ce9 100644
--- a/galera/server/database/manila.yml
+++ b/galera/server/database/manila.yml
@@ -1,4 +1,6 @@
parameters:
+ _param:
+ mysql_manila_ssl_option: []
mysql:
server:
database:
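Review bot: `mysql_manila_ssl_option: []` makes the new `ssl_option` key on both manila grants (here and in the next hunk) empty by default, which presumably means the accounts are created with no TLS requirement at all. One of those grants is the `host: '%'` entry with `rights: all`, so the default still permits unencrypted logins from any address. I would document that next to the default, for example `# empty = no REQUIRE clause; include system.galera.server.database.ssl.manila or x509.manila to enforce TLS`. The `database` mapping continues outside this hunk.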
@@ -9,7 +11,9 @@
password: ${_param:mysql_manila_password}
host: '%'
rights: all
+ ssl_option: ${_param:mysql_manila_ssl_option}
- name: manila
password: ${_param:mysql_manila_password}
host: ${_param:cluster_local_address}
rights: all
+ ssl_option: ${_param:mysql_manila_ssl_option}
diff --git a/galera/server/database/ssl/barbican.yml b/galera/server/database/ssl/barbican.yml
new file mode 100644
index 0000000..1b1c7c1
--- /dev/null
+++ b/galera/server/database/ssl/barbican.yml
@@ -0,0 +1,4 @@
+parameters:
+ _param:
+ mysql_barbican_ssl_option:
+ - SSL: True
\ No newline at end of file
diff --git a/galera/server/database/ssl/gnocchi.yml b/galera/server/database/ssl/gnocchi.yml
new file mode 100644
index 0000000..c1bb459
--- /dev/null
+++ b/galera/server/database/ssl/gnocchi.yml
@@ -0,0 +1,4 @@
+parameters:
+ _param:
+ mysql_gnocchi_ssl_option:
+ - SSL: True
\ No newline at end of file
diff --git a/galera/server/database/ssl/manila.yml b/galera/server/database/ssl/manila.yml
new file mode 100644
index 0000000..c3b30dd
--- /dev/null
+++ b/galera/server/database/ssl/manila.yml
@@ -0,0 +1,4 @@
+parameters:
+ _param:
+ mysql_manila_ssl_option:
+ - SSL: True
\ No newline at end of file
diff --git a/galera/server/database/ssl/panko.yml b/galera/server/database/ssl/panko.yml
new file mode 100644
index 0000000..ce1c504
--- /dev/null
+++ b/galera/server/database/ssl/panko.yml
@@ -0,0 +1,4 @@
+parameters:
+ _param:
+ mysql_panko_ssl_option:
+ - SSL: True
\ No newline at end of file
diff --git a/galera/server/database/x509/barbican.yml b/galera/server/database/x509/barbican.yml
new file mode 100644
index 0000000..ae1865f
--- /dev/null
+++ b/galera/server/database/x509/barbican.yml
@@ -0,0 +1,7 @@
+parameters:
+ _param:
+ mysql_barbican_client_ssl_x509_subject: '/C=cz/CN=mysql-barbican-client/L=Prague/O=Mirantis'
+ mysql_barbican_client_ssl_x509_issuer: '/C=cz/CN=Salt Master CA/L=Prague/O=Mirantis'
+ mysql_barbican_ssl_option:
+ - SUBJECT: ${_param:mysql_barbican_client_ssl_x509_subject}
+ - ISSUER: ${_param:mysql_barbican_client_ssl_x509_issuer}
\ No newline at end of file
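Review bot: The subject and issuer DNs are hard-coded to `/C=cz/CN=Salt Master CA/L=Prague/O=Mirantis` and `/C=cz/CN=mysql-barbican-client/L=Prague/O=Mirantis`, and MySQL compares these strings exactly against the client certificate. A deployment whose Salt CA was created with a different country, locality or organisation will therefore reject every Barbican connection once this class is included. A deployment that happens to reuse the stock DN gets no extra assurance from the issuer check beyond the CA signature itself. Add a comment above the two parameters such as `# must match the DN of the deployment's CA and client certificate exactly; override per cluster`. The same literals are added in x509/gnocchi.yml, x509/manila.yml and x509/panko.yml.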
diff --git a/galera/server/database/x509/gnocchi.yml b/galera/server/database/x509/gnocchi.yml
new file mode 100644
index 0000000..5cb3c58
--- /dev/null
+++ b/galera/server/database/x509/gnocchi.yml
@@ -0,0 +1,7 @@
+parameters:
+ _param:
+ mysql_gnocchi_client_ssl_x509_subject: '/C=cz/CN=mysql-gnocchi-client/L=Prague/O=Mirantis'
+ mysql_gnocchi_client_ssl_x509_issuer: '/C=cz/CN=Salt Master CA/L=Prague/O=Mirantis'
+ mysql_gnocchi_ssl_option:
+ - SUBJECT: ${_param:mysql_gnocchi_client_ssl_x509_subject}
+ - ISSUER: ${_param:mysql_gnocchi_client_ssl_x509_issuer}
\ No newline at end of file
diff --git a/galera/server/database/x509/manila.yml b/galera/server/database/x509/manila.yml
new file mode 100644
index 0000000..15e6c88
--- /dev/null
+++ b/galera/server/database/x509/manila.yml
@@ -0,0 +1,7 @@
+parameters:
+ _param:
+ mysql_manila_client_ssl_x509_subject: '/C=cz/CN=mysql-manila-client/L=Prague/O=Mirantis'
+ mysql_manila_client_ssl_x509_issuer: '/C=cz/CN=Salt Master CA/L=Prague/O=Mirantis'
+ mysql_manila_ssl_option:
+ - SUBJECT: ${_param:mysql_manila_client_ssl_x509_subject}
+ - ISSUER: ${_param:mysql_manila_client_ssl_x509_issuer}
\ No newline at end of file
diff --git a/galera/server/database/x509/panko.yml b/galera/server/database/x509/panko.yml
new file mode 100644
index 0000000..15c37bf
--- /dev/null
+++ b/galera/server/database/x509/panko.yml
@@ -0,0 +1,7 @@
+parameters:
+ _param:
+ mysql_panko_client_ssl_x509_subject: '/C=cz/CN=mysql-panko-client/L=Prague/O=Mirantis'
+ mysql_panko_client_ssl_x509_issuer: '/C=cz/CN=Salt Master CA/L=Prague/O=Mirantis'
+ mysql_panko_ssl_option:
+ - SUBJECT: ${_param:mysql_panko_client_ssl_x509_subject}
+ - ISSUER: ${_param:mysql_panko_client_ssl_x509_issuer}
\ No newline at end of file
diff --git a/gnocchi/common/cluster.yml b/gnocchi/common/cluster.yml
new file mode 100644
index 0000000..8d7ae5e
--- /dev/null
+++ b/gnocchi/common/cluster.yml
@@ -0,0 +1,17 @@
+classes:
+- service.gnocchi.common.cluster
+- system.salt.minion.cert.mysql.clients.openstack.gnocchi
+parameters:
+ _param:
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
+ gnocchi:
+ common:
+ database:
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_gnocchi_ssl_ca_file}
+ key_file: ${_param:mysql_gnocchi_client_ssl_key_file}
+ cert_file: ${_param:mysql_gnocchi_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
diff --git a/gnocchi/common/single.yml b/gnocchi/common/single.yml
new file mode 100644
index 0000000..1f68f5c
--- /dev/null
+++ b/gnocchi/common/single.yml
@@ -0,0 +1,17 @@
+classes:
+- service.gnocchi.common.single
+- system.salt.minion.cert.mysql.clients.openstack.gnocchi
+parameters:
+ _param:
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
+ gnocchi:
+ common:
+ database:
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_gnocchi_ssl_ca_file}
+ key_file: ${_param:mysql_gnocchi_client_ssl_key_file}
+ cert_file: ${_param:mysql_gnocchi_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
diff --git a/gnocchi/common/storage/ceph.yml b/gnocchi/common/storage/ceph.yml
new file mode 100644
index 0000000..5af2456
--- /dev/null
+++ b/gnocchi/common/storage/ceph.yml
@@ -0,0 +1,11 @@
+parameters:
+ _param:
+ gnocchi_storage_ceph_pool: gnocchi
+ gnocchi_storage_ceph_user: gnocchi
+ gnocchi_storage_driver: ceph
+ gnocchi:
+ common:
+ storage:
+ driver: ${_param:gnocchi_storage_driver}
+ ceph_pool: ${_param:gnocchi_storage_ceph_pool}
+ ceph_username: ${_param:gnocchi_storage_ceph_user}
\ No newline at end of file
diff --git a/gnocchi/common/storage/incoming/ceph.yml b/gnocchi/common/storage/incoming/ceph.yml
new file mode 100644
index 0000000..9937d29
--- /dev/null
+++ b/gnocchi/common/storage/incoming/ceph.yml
@@ -0,0 +1,12 @@
+parameters:
+ _param:
+ gnocchi_storage_incoming_ceph_pool: gnocchi_incoming
+ gnocchi_storage_incoming_ceph_user: gnocchi
+ gnocchi_storage_incoming_driver: ceph
+ gnocchi:
+ common:
+ storage:
+ incoming:
+ driver: ${_param:gnocchi_storage_incoming_driver}
+ ceph_pool: ${_param:gnocchi_storage_incoming_ceph_pool}
+ ceph_username: ${_param:gnocchi_storage_incoming_ceph_user}
\ No newline at end of file
diff --git a/jenkins/client/job/deploy/lab/component/stacklight.yml b/jenkins/client/job/deploy/lab/component/stacklight.yml
index 2937b9a..d6a4a5f 100644
--- a/jenkins/client/job/deploy/lab/component/stacklight.yml
+++ b/jenkins/client/job/deploy/lab/component/stacklight.yml
@@ -2,26 +2,26 @@
- system.jenkins.client.job.deploy.lab.deploy
parameters:
_param:
+ heat_stack_zone_job_param:
+ type: string
+ default: "mcp-stacklight"
+ openstack_api_projects_job_param:
+ type: string
+ default: "mcp-stacklight"
jenkins_deploy_jobs:
- stack_name: stacklight_k8s_calico
- heat_stack_zone_job_param: "mcp-stacklight"
- openstack_api_projects_job_param: "mcp-stacklight"
stack_env: devcloud
stack_type: heat
stack_install: core,k8s,calico,stacklight
stack_test: ""
job_timer: "H H(0-6) * * *"
- stack_name: stacklight_os_contrail
- heat_stack_zone_job_param: "mcp-stacklight"
- openstack_api_projects_job_param: "mcp-stacklight"
stack_env: devcloud
stack_type: heat
stack_install: core,openstack,contrail,stacklight
stack_test: ""
job_timer: "H H(0-6) * * *"
- stack_name: stacklight_os_ovs
- heat_stack_zone_job_param: "mcp-stacklight"
- openstack_api_projects_job_param: "mcp-stacklight"
stack_env: devcloud
stack_type: heat
stack_install: core,openstack,ovs,stacklight
diff --git a/jenkins/client/job/deploy/lab/deploy.yml b/jenkins/client/job/deploy/lab/deploy.yml
index b1deafa..f5d34f6 100644
--- a/jenkins/client/job/deploy/lab/deploy.yml
+++ b/jenkins/client/job/deploy/lab/deploy.yml
@@ -117,9 +117,6 @@
type: string
default: ""
description: "Formulas revision to install on Salt Master bootstrap stage"
- EXTRA_FORMULAS:
- type: string
- default: ""
STATIC_MGMT_NETWORK:
type: boolean
default: 'false'
diff --git a/jenkins/client/job/deploy/update/upgrade.yml b/jenkins/client/job/deploy/update/upgrade.yml
index 01fdf2a..f4f5630 100644
--- a/jenkins/client/job/deploy/update/upgrade.yml
+++ b/jenkins/client/job/deploy/update/upgrade.yml
@@ -29,27 +29,19 @@
SALT_MASTER_CREDENTIALS:
type: string
default: "salt"
- STAGE_TEST_UPGRADE:
- type: boolean
- default: 'true'
- description: "Test if syncdb and APIs succeed"
- STAGE_REAL_UPGRADE:
- type: boolean
- default: 'true'
- description: "Run real control upgrade"
- STAGE_ROLLBACK_UPGRADE:
- type: boolean
- default: 'true'
- description: "Rollback if control upgrade fails"
- OPERATING_SYSTEM_RELEASE_UPGRADE:
+ OS_DIST_UPGRADE:
type: boolean
default: 'false'
- description: "Set to true if operating system release upgrade is desired. For ex. from Ubuntu 14.04 currently running on ctl and prx nodes to Ubuntu 16.04"
- SKIP_VM_RELAUNCH:
+ description: "Upgrade system packages including kernel (apt-get dist-upgrade)"
+ OS_UPGRADE:
type: boolean
default: 'false'
- description: "Set to true if vms should not be recreated"
+ description: "Upgrade all installed applications (apt-get upgrade)"
INTERACTIVE:
type: boolean
default: 'true'
description: "Ask interactive questions during pipeline run (bool)"
+ TARGET_SERVERS:
+ type: string
+ default: 'ctl*'
+ description: "Salt compound expression to get control servers to upgrade."
diff --git a/jenkins/client/job/deploy/update/upgrade_compute.yml b/jenkins/client/job/deploy/update/upgrade_compute.yml
index 706863d..b4628fa 100644
--- a/jenkins/client/job/deploy/update/upgrade_compute.yml
+++ b/jenkins/client/job/deploy/update/upgrade_compute.yml
@@ -21,7 +21,7 @@
url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
branch: "${_param:jenkins_pipelines_branch}"
credentials: "gerrit"
- script: openstack-compute-upgrade.groovy
+ script: openstack-data-upgrade.groovy
param:
SALT_MASTER_URL:
type: string
@@ -29,18 +29,19 @@
SALT_MASTER_CREDENTIALS:
type: string
default: "salt"
- TARGET_SERVERS:
- type: string
- default: "cmp*"
- description: Salt compound target to match nodes to be updated [*, G@osfamily:debian].
- TARGET_SUBSET_TEST:
- type: string
- description: Number of nodes to list package updates, empty string means all targetted nodes.
- TARGET_SUBSET_LIVE:
- type: string
- default: '1'
- description: Number of selected nodes to live apply upgrade.
+ OS_DIST_UPGRADE:
+ type: boolean
+ default: 'false'
+ description: "Upgrade system packages including kernel (apt-get dist-upgrade)"
+ OS_UPGRADE:
+ type: boolean
+ default: 'false'
+ description: "Upgrade all installed applications (apt-get upgrade)"
INTERACTIVE:
type: boolean
default: 'true'
description: "Ask interactive questions during pipeline run (bool)"
+ TARGET_SERVERS:
+ type: string
+ default: 'cmp*'
+ description: "Salt compound expression to get control servers to upgrade."
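Review bot: The new `TARGET_SERVERS` description says "control servers" although this is the compute upgrade job and the default is `'cmp*'`. It looks copied from upgrade.yml and should read `description: "Salt compound expression to get compute servers to upgrade."`. The hunk also drops `TARGET_SUBSET_TEST` and `TARGET_SUBSET_LIVE`, whose default of `'1'` limited the live run to a single node. Unless `openstack-data-upgrade.groovy` stages the rollout itself (not visible here), one run now targets every node matching the expression, which is worth stating in the description.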
diff --git a/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml b/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
index b0c92b7..4753cea 100644
--- a/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
+++ b/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
@@ -21,7 +21,7 @@
url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
branch: "${_param:jenkins_pipelines_branch}"
credentials: "gerrit"
- script: ovs-gateway-upgrade.groovy
+ script: openstack-data-upgrade.groovy
param:
SALT_MASTER_URL:
type: string
@@ -29,18 +29,19 @@
SALT_MASTER_CREDENTIALS:
type: string
default: "salt"
- TARGET_SERVERS:
- type: string
- default: "gtw*"
- description: Salt compound target to match nodes to be updated [*, G@osfamily:debian].
- TARGET_SUBSET_TEST:
- type: string
- description: Number of nodes to list package updates, empty string means all targetted nodes.
- TARGET_SUBSET_LIVE:
- type: string
- default: '1'
- description: Number of selected nodes to live apply upgrade.
+ OS_DIST_UPGRADE:
+ type: boolean
+ default: 'false'
+ description: "Upgrade system packages including kernel (apt-get dist-upgrade)"
+ OS_UPGRADE:
+ type: boolean
+ default: 'false'
+ description: "Upgrade all installed applications (apt-get upgrade)"
INTERACTIVE:
type: boolean
default: 'true'
description: "Ask interactive questions during pipeline run (bool)"
+ TARGET_SERVERS:
+ type: string
+ default: 'ctl*'
+ description: "Salt compound expression to get control servers to upgrade."
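Review bot: `TARGET_SERVERS` now defaults to `'ctl*'` in the OVS gateway upgrade job, where the removed parameter defaulted to `"gtw*"`. Since the job now runs the shared `openstack-data-upgrade.groovy`, starting it with defaults would point the data-plane upgrade at the control nodes instead of the gateways. This looks like a copy from upgrade.yml; I would restore `default: 'gtw*'` and change the description to `"Salt compound expression to get gateway servers to upgrade."`.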
diff --git a/jenkins/client/job/image/centos.yml b/jenkins/client/job/image/centos.yml
deleted file mode 100644
index 5358d92..0000000
--- a/jenkins/client/job/image/centos.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-classes:
- - system.jenkins.client.job.image
-parameters:
- _param:
- jenkins_packer_pipeline: "${_param:jenkins_gerrit_url}/mk/packer-templates"
- jenkins:
- client:
- job:
- build-image-centos-7:
- type: workflow-scm
- concurrent: false
- discard:
- build:
- keep_num: 5
- artifact:
- keep_num: 5
- scm:
- type: git
- url: "${_param:jenkins_packer_pipeline}"
- credentials: "gerrit"
- display_name: "[Images] Build Centos 7"
- param:
- BUILD_OS:
- type: string
- default: "centos-7"
- BUILD_ONLY:
- type: string
- default: "qemu"
- PACKER_DEBUG:
- type: boolean
- default: "false"
- PACKER_URL:
- type: string
- default: "https://releases.hashicorp.com/packer/0.8.6/packer_0.8.6_linux_amd64.zip"
- PACKER_ZIP:
- type: string
- default: "packer_0.8.6_linux_amd64.zip"
- PACKER_ZIP_MD5:
- type: string
- default: "4cda1c44cf666fada495dd8e01522e1c"
- PACKER_ARGS:
- type: string
- default: ""
- UPLOAD_URL:
- type: string
- default: "${_param:jenkins_packer_upload_url}"
- SKIP_UPLOAD:
- type: boolean
- default: "false"
- CLEANUP_OLD:
- type: boolean
- default: "true"
- CLEANUP_KEEP:
- type: string
- default: "3"
- GLANCE_UPLOAD:
- type: boolean
- default: "true"
- GLANCE_IMG_TYPES:
- type: string
- default: "qcow2"
- GLANCE_URL:
- type: string
- default: "https://cloud-cz.bud.mirantis.net:5000"
- GLANCE_CREDENTIALS_ID:
- type: string
- default: "openstack-devcloud-credentials"
- GLANCE_PROJECT:
- type: string
- default: "mcp-mk"
- GLANCE_ARGS:
- type: string
- default: ""
- GLANCE_PUBLIC:
- type: boolean
- default: "true"
- OPENSTACK_API_CLIENT:
- type: string
- default: ""
- IMAGE_NAME:
- type: string
- default: centos-7-x64
- EXTRA_VARIABLES:
- type: text
- default: ""
\ No newline at end of file
diff --git a/jenkins/client/job/image/debian.yml b/jenkins/client/job/image/debian.yml
deleted file mode 100644
index eef4740..0000000
--- a/jenkins/client/job/image/debian.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-classes:
- - system.jenkins.client.job.image
-parameters:
- _param:
- jenkins_packer_pipeline: "${_param:jenkins_gerrit_url}/mk/packer-templates"
- jenkins:
- client:
- job:
- build-image-debian-8:
- type: workflow-scm
- concurrent: false
- discard:
- build:
- keep_num: 5
- artifact:
- keep_num: 5
- scm:
- type: git
- url: "${_param:jenkins_packer_pipeline}"
- credentials: "gerrit"
- display_name: "[Images] Build Debian 8 image"
- param:
- BUILD_OS:
- type: string
- default: "debian-8"
- BUILD_ONLY:
- type: string
- default: "qemu"
- PACKER_DEBUG:
- type: boolean
- default: "false"
- PACKER_URL:
- type: string
- default: "https://releases.hashicorp.com/packer/0.8.6/packer_0.8.6_linux_amd64.zip"
- PACKER_ZIP:
- type: string
- default: "packer_0.8.6_linux_amd64.zip"
- PACKER_ZIP_MD5:
- type: string
- default: "4cda1c44cf666fada495dd8e01522e1c"
- PACKER_ARGS:
- type: string
- default: ""
- UPLOAD_URL:
- type: string
- default: "${_param:jenkins_packer_upload_url}"
- SKIP_UPLOAD:
- type: boolean
- default: "false"
- CLEANUP_OLD:
- type: boolean
- default: "true"
- CLEANUP_KEEP:
- type: string
- default: "3"
- GLANCE_UPLOAD:
- type: boolean
- default: "true"
- GLANCE_IMG_TYPES:
- type: string
- default: "qcow2"
- GLANCE_URL:
- type: string
- default: "https://cloud-cz.bud.mirantis.net:5000"
- GLANCE_CREDENTIALS_ID:
- type: string
- default: "openstack-devcloud-credentials"
- GLANCE_PROJECT:
- type: string
- default: "mcp-mk"
- GLANCE_ARGS:
- type: string
- default: ""
- GLANCE_PUBLIC:
- type: boolean
- default: "true"
- OPENSTACK_API_CLIENT:
- type: string
- default: ""
- IMAGE_NAME:
- type: string
- default: debian-8-x64
- EXTRA_VARIABLES:
- type: text
- default: ""
diff --git a/jenkins/client/job/image/ubuntu.yml b/jenkins/client/job/image/ubuntu.yml
deleted file mode 100644
index e4a8251..0000000
--- a/jenkins/client/job/image/ubuntu.yml
+++ /dev/null
@@ -1,166 +0,0 @@
-classes:
- - system.jenkins.client.job.image
-parameters:
- _param:
- jenkins_packer_pipeline: "${_param:jenkins_gerrit_url}/mk/packer-templates"
- jenkins:
- client:
- job:
- build-image-ubuntu-14-04:
- type: workflow-scm
- concurrent: false
- discard:
- build:
- keep_num: 5
- keep_days: 5
- artifact:
- keep_num: 6
- keep_days: 6
- scm:
- type: git
- url: "${_param:jenkins_packer_pipeline}"
- credentials: "gerrit"
- display_name: "[Images] Build Ubuntu 14.04 image"
- param:
- BUILD_OS:
- type: string
- default: "ubuntu-14.04"
- BUILD_ONLY:
- type: string
- default: "qemu"
- PACKER_DEBUG:
- type: boolean
- default: "false"
- PACKER_URL:
- type: string
- default: "https://releases.hashicorp.com/packer/0.8.6/packer_0.8.6_linux_amd64.zip"
- PACKER_ZIP:
- type: string
- default: "packer_0.8.6_linux_amd64.zip"
- PACKER_ZIP_MD5:
- type: string
- default: "4cda1c44cf666fada495dd8e01522e1c"
- PACKER_ARGS:
- type: string
- default: ""
- UPLOAD_URL:
- type: string
- default: "${_param:jenkins_packer_upload_url}"
- SKIP_UPLOAD:
- type: boolean
- default: "false"
- CLEANUP_OLD:
- type: boolean
- default: "true"
- CLEANUP_KEEP:
- type: string
- default: "3"
- GLANCE_UPLOAD:
- type: boolean
- default: "true"
- GLANCE_IMG_TYPES:
- type: string
- default: "qcow2"
- GLANCE_URL:
- type: string
- default: "https://cloud-cz.bud.mirantis.net:5000"
- GLANCE_CREDENTIALS_ID:
- type: string
- default: "openstack-devcloud-credentials"
- GLANCE_PROJECT:
- type: string
- default: "mcp-mk"
- GLANCE_ARGS:
- type: string
- default: ""
- GLANCE_PUBLIC:
- type: boolean
- default: "true"
- OPENSTACK_API_CLIENT:
- type: string
- default: ""
- IMAGE_NAME:
- type: string
- default: ubuntu-14-04-x64
- EXTRA_VARIABLES:
- type: text
- default: ""
- build-image-ubuntu-16-04:
- type: workflow-scm
- concurrent: false
- discard:
- build:
- keep_num: 5
- keep_days: 5
- artifact:
- keep_num: 6
- keep_days: 6
- scm:
- type: git
- url: "${_param:jenkins_packer_pipeline}"
- credentials: "gerrit"
- display_name: "[Images] Build Ubuntu 16.04 image"
- param:
- BUILD_OS:
- type: string
- default: "ubuntu-16.04"
- BUILD_ONLY:
- type: string
- default: "qemu"
- PACKER_DEBUG:
- type: boolean
- default: "false"
- PACKER_URL:
- type: string
- default: "https://releases.hashicorp.com/packer/0.8.6/packer_0.8.6_linux_amd64.zip"
- PACKER_ZIP:
- type: string
- default: "packer_0.8.6_linux_amd64.zip"
- PACKER_ZIP_MD5:
- type: string
- default: "4cda1c44cf666fada495dd8e01522e1c"
- PACKER_ARGS:
- type: string
- default: ""
- UPLOAD_URL:
- type: string
- default: "${_param:jenkins_packer_upload_url}"
- SKIP_UPLOAD:
- type: boolean
- default: "false"
- CLEANUP_OLD:
- type: boolean
- default: "true"
- CLEANUP_KEEP:
- type: string
- default: "3"
- GLANCE_UPLOAD:
- type: boolean
- default: "true"
- GLANCE_IMG_TYPES:
- type: string
- default: "qcow2"
- GLANCE_URL:
- type: string
- default: "https://cloud-cz.bud.mirantis.net:5000"
- GLANCE_CREDENTIALS_ID:
- type: string
- default: "openstack-devcloud-credentials"
- GLANCE_PROJECT:
- type: string
- default: "mcp-mk"
- GLANCE_ARGS:
- type: string
- default: ""
- GLANCE_PUBLIC:
- type: boolean
- default: "true"
- OPENSTACK_API_CLIENT:
- type: string
- default: ""
- IMAGE_NAME:
- type: string
- default: ubuntu-16-04-x64
- EXTRA_VARIABLES:
- type: text
- default: ""
\ No newline at end of file
diff --git a/jenkins/client/job/k8s-test/mcp-k8s-dashboard-merge-pipeline.yml b/jenkins/client/job/k8s-test/mcp-k8s-dashboard-merge-pipeline.yml
index f6b2350..8424f6a 100644
--- a/jenkins/client/job/k8s-test/mcp-k8s-dashboard-merge-pipeline.yml
+++ b/jenkins/client/job/k8s-test/mcp-k8s-dashboard-merge-pipeline.yml
@@ -21,7 +21,7 @@
trigger:
gerrit:
project:
- kubernetes/kubernetes:
+ kubernetes/dashboard:
branches:
- compare_type: "ANT"
name: "**mcp**"
diff --git a/jenkins/client/job/k8s-test/mcp-k8s-metallb-merge-pipeline.yml b/jenkins/client/job/k8s-test/mcp-k8s-metallb-merge-pipeline.yml
index f6a3162..c4f2af0 100644
--- a/jenkins/client/job/k8s-test/mcp-k8s-metallb-merge-pipeline.yml
+++ b/jenkins/client/job/k8s-test/mcp-k8s-metallb-merge-pipeline.yml
@@ -21,7 +21,7 @@
trigger:
gerrit:
project:
- kubernetes/kubernetes:
+ kubernetes/metallb:
branches:
- compare_type: "ANT"
name: "**mcp**"
diff --git a/jenkins/client/job/salt-formulas/git-mirrors/2way.yml b/jenkins/client/job/salt-formulas/git-mirrors/2way.yml
index cae768a..85c9ac8 100644
--- a/jenkins/client/job/salt-formulas/git-mirrors/2way.yml
+++ b/jenkins/client/job/salt-formulas/git-mirrors/2way.yml
@@ -338,6 +338,9 @@
- name: sentry
branches: ${_param:salt_formulas_branches}
notification_recipients: ${_param:salt_formulas_notification_recipients}
+ - name: shibboleth
+ branches: ${_param:salt_formulas_branches}
+ notification_recipients: ${_param:salt_formulas_notification_recipients}
- name: sphinx
branches: ${_param:salt_formulas_branches}
notification_recipients: ${_param:salt_formulas_notification_recipients}
diff --git a/jenkins/client/job/salt-models/tests.yml b/jenkins/client/job/salt-models/tests.yml
index 983a88b..c6bd2e1 100644
--- a/jenkins/client/job/salt-models/tests.yml
+++ b/jenkins/client/job/salt-models/tests.yml
@@ -48,10 +48,6 @@
PARALLEL_NODE_GROUP_SIZE:
type: string
default: "9"
- # Salt master setup extra formulas
- EXTRA_FORMULAS:
- type: string
- default: "{{extra_formulas}}"
FORMULAS_SOURCE:
type: string
default: "{{formulas_src}}"
@@ -158,10 +154,6 @@
PARALLEL_NODE_GROUP_SIZE:
type: string
default: "9"
- # Salt master setup extra formulas
- EXTRA_FORMULAS:
- type: string
- default: "{{extra_formulas}}"
FORMULAS_SOURCE:
type: string
default: "{{formulas_src}}"
@@ -272,37 +264,36 @@
COOKIECUTTER_TEMPLATE_URL:
type: string
default: "${_param:jenkins_gerrit_url}/mk/{{cookiecutter_template}}"
- CREDENTIALS_ID:
- type: string
- default: gerrit
COOKIECUTTER_TEMPLATE_BRANCH:
type: string
default: master
- RECLASS_MODEL_URL:
+ description: "Those variable will be ignored, in case gerritTrigger=>GERRIT_BRANCH"
+ COOKIECUTTER_TEMPLATE_REF:
+ type: string
+ default: ""
+ description: "Example: refs/changes/49/25549/1"
+ RECLASS_SYSTEM_URL:
type: string
default: "${_param:jenkins_gerrit_url}/salt-models/reclass-system"
- RECLASS_MODEL_BRANCH:
+ RECLASS_SYSTEM_BRANCH:
type: string
default: master
+ description: "Those variable will be ignored, in case gerritTrigger=>GERRIT_BRANCH"
+ RECLASS_SYSTEM_GIT_REF:
+ type: string
+ default: ""
+ description: "Example: refs/changes/49/25549/1"
DISTRIB_REVISION:
type: string
default: 'nightly'
- SYSTEM_GIT_URL:
- type: string
- default: ""
- SYSTEM_GIT_REF:
- type: string
- default: ""
- PARALLEL_NODE_GROUP_SIZE:
- type: string
- default: "1"
- EXTRA_FORMULAS:
- type: string
- default: "aptly artifactory auditd backupninja collectd devops-portal docker elasticsearch fluentd freeipa gerrit glusterfs grafana haproxy heka horizon influxdb jenkins keepalived kibana libvirt maas memcached mysql nginx ntp openldap openssh postfix prometheus rsync rsyslog rundeck sensu sphinx telegraf xtrabackup watchdog logrotate"
+ description: "Those variable will be ignored, in case gerritTrigger=>GERRIT_BRANCH. Version of bin-artifacts,passed to test-env"
RECLASS_VERSION:
type: string
default: 'v1.5.4'
- description: "Version (branch) of Reclass we will use"
+ description: "Version (branch) of reclass PACKAGE we will use"
+ CREDENTIALS_ID:
+ type: string
+ default: gerrit
job:
test-salt-model-node:
name: test-salt-model-node
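Review bot: The two new ref parameters are named inconsistently, `COOKIECUTTER_TEMPLATE_REF` versus `RECLASS_SYSTEM_GIT_REF`, so one suffix should be used for both. Because the pipeline script has to read these exact names together with the renamed `RECLASS_SYSTEM_URL` and `RECLASS_SYSTEM_BRANCH`, confirm it was updated in step with this change. The repeated description "Those variable will be ignored, in case gerritTrigger=>GERRIT_BRANCH" would read better as `"Ignored when the job is started by a Gerrit trigger (GERRIT_BRANCH is used instead)"`. Both ref parameters accept any Gerrit ref, such as `refs/changes/...`, so their descriptions should say that an unmerged change can be tested this way.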
@@ -341,9 +332,6 @@
CREDENTIALS_ID:
type: string
default: "gerrit"
- EXTRA_FORMULAS:
- type: string
- default: ""
FORMULAS_SOURCE:
type: string
default: "pkg"
@@ -385,7 +373,7 @@
build:
keep_num: 300
artifact:
- keep_num: 30
+ keep_num: 300
type: workflow-scm
concurrent: true
plugin_properties:
@@ -402,5 +390,5 @@
script: test-cookiecutter-reclass-chunk.groovy
param:
EXTRA_VARIABLES_YAML:
- type: string
+ type: text
default: ""
diff --git a/jenkins/client/job/stacklight/cookiecutter.yml b/jenkins/client/job/stacklight/cookiecutter.yml
index fa97f29..0a2c6ed 100644
--- a/jenkins/client/job/stacklight/cookiecutter.yml
+++ b/jenkins/client/job/stacklight/cookiecutter.yml
@@ -19,6 +19,9 @@
credentials: "gerrit"
branch: 'master'
script: test-cookiecutter-model-pipeline.groovy
+ trigger:
+ timer:
+ spec: "H H(0-3) * * *"
param:
CREDENTIALS_ID:
type: string
@@ -57,5 +60,5 @@
default: 'core,openstack,ovs,stacklight'
STACK_DELETE:
type: boolean
- description: "Delete Heat stack when finished (bool)"
- default: 'false'
+ description: "Delete Heat stack when finished (bool). Don't enable it if you need to use the lab after"
+ default: 'true'
diff --git a/jenkins/client/job/validate.yml b/jenkins/client/job/validate.yml
index 6187e93..c0ebf40 100644
--- a/jenkins/client/job/validate.yml
+++ b/jenkins/client/job/validate.yml
@@ -133,6 +133,10 @@
type: string
default: ""
description: Rally scenarios directory or file with scenarios
+ RALLY_SL_SCENARIOS:
+ type: string
+ default: ""
+ description: Stacklight Rally scenarios directory or file with scenarios
RALLY_TASK_ARGS_FILE:
type: string
default: ""
@@ -161,6 +165,10 @@
type: boolean
default: 'false'
description: If chosen then K8S Rally test will be executed
+ STACKLIGHT_RALLY:
+ type: boolean
+ default: 'false'
+ description: If chosen then Stacklight Rally test will be executed
JOB_TIMEOUT:
type: string
default: "3"
diff --git a/keepalived/cluster/instance/openstack_barbican_vip.yml b/keepalived/cluster/instance/openstack_barbican_vip.yml
new file mode 100644
index 0000000..3c733c4
--- /dev/null
+++ b/keepalived/cluster/instance/openstack_barbican_vip.yml
@@ -0,0 +1,11 @@
+classes:
+- service.keepalived.cluster.single
+parameters:
+ _param:
+ keepalived_openstack_barbican_vip_address: ${_param:cluster_vip_address}
+ keepalived_openstack_barbican_vip_password: password
+ keepalived_openstack_barbican_vip_interface: eth1
+ keepalived_vip_virtual_router_id: 250
+ keepalived_vip_address: ${_param:keepalived_openstack_barbican_vip_address}
+ keepalived_vip_password: ${_param:keepalived_openstack_barbican_vip_password}
+ keepalived_vip_interface: ${_param:keepalived_openstack_barbican_vip_interface}
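Review bot: `keepalived_openstack_barbican_vip_password: password` ships a guessable VRRP authentication secret as the class default, so any model that includes this class without overriding the parameter gets it silently. Dropping the default would make reclass fail on the unresolved `${_param:keepalived_openstack_barbican_vip_password}` reference instead; if a default must stay, mark it with a comment such as `# placeholder, must be overridden in the cluster model`. The same default is added in `keepalived/cluster/instance/openstack_manila_vip.yml` as `keepalived_openstack_manila_vip_password: password`. Both files also fix `keepalived_vip_virtual_router_id` (250 and 235) and `eth1`, which deserves a one-line comment because router ids have to stay unique on a shared segment.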
diff --git a/keepalived/cluster/instance/openstack_manila_vip.yml b/keepalived/cluster/instance/openstack_manila_vip.yml
new file mode 100644
index 0000000..d8330c4
--- /dev/null
+++ b/keepalived/cluster/instance/openstack_manila_vip.yml
@@ -0,0 +1,11 @@
+classes:
+- service.keepalived.cluster.single
+parameters:
+ _param:
+ keepalived_openstack_manila_vip_address: ${_param:cluster_vip_address}
+ keepalived_openstack_manila_vip_password: password
+ keepalived_openstack_manila_vip_interface: eth1
+ keepalived_vip_virtual_router_id: 235
+ keepalived_vip_address: ${_param:keepalived_openstack_manila_vip_address}
+ keepalived_vip_password: ${_param:keepalived_openstack_manila_vip_password}
+ keepalived_vip_interface: ${_param:keepalived_openstack_manila_vip_interface}
diff --git a/kubernetes/common.yml b/kubernetes/common.yml
index 9151987..82b3ad3 100644
--- a/kubernetes/common.yml
+++ b/kubernetes/common.yml
@@ -15,10 +15,10 @@
kubernetes_externaldns_repo: mirantis
kubernetes_genie_repo: https://docker-prod-local.artifactory.mirantis.com/artifactory/binary-prod-local/mirantis/kubernetes/cni-genie
kubernetes_flannel_repo: quay.io/coreos
- kubernetes_metallb_repo: metallb
+ kubernetes_metallb_repo: ${_param:mcp_docker_registry}/mirantis/metallb
kubernetes_sriov_repo: https://docker-prod-local.artifactory.mirantis.com/artifactory/binary-prod-local/mirantis/kubernetes/sriov-cni
kubernetes_cniplugins_repo: https://docker-prod-local.artifactory.mirantis.com/artifactory/binary-prod-local/mirantis/kubernetes/containernetworking-plugins
- kubernetes_dashboard_repo: k8s.gcr.io
+ kubernetes_dashboard_repo: ${_param:mcp_docker_registry}/mirantis/kubernetes
kubernetes_coredns_repo: coredns
# component docker images
@@ -44,16 +44,16 @@
kubernetes_genie_source: ${_param:kubernetes_genie_repo}/genie_v1.0-138-gbf5dbaa
kubernetes_genie_source_hash: md5=b024052ed4ecb1d5354e0cc8f51afaca
kubernetes_flannel_image: ${_param:kubernetes_flannel_repo}/flannel:v0.10.0-amd64
- kubernetes_metallb_controller_image: ${_param:kubernetes_metallb_repo}/controller:v0.7.3
- kubernetes_metallb_speaker_image: ${_param:kubernetes_metallb_repo}/speaker:v0.7.3
+ kubernetes_metallb_controller_image: ${_param:kubernetes_metallb_repo}/controller:v0.7.3-2
+ kubernetes_metallb_speaker_image: ${_param:kubernetes_metallb_repo}/speaker:v0.7.3-2
kubernetes_sriov_source: ${_param:kubernetes_sriov_repo}/sriov_v0.3-8-g8b7ed98
kubernetes_sriov_source_hash: md5=c0cc33202afd02e4cc44b977a8faf6e7
kubernetes_cniplugins_source: ${_param:kubernetes_cniplugins_repo}/cni-plugins_v0.7.1-48-g696b1f9.tar.gz
kubernetes_cniplugins_source_hash: md5=5ec1cf5e989097c6127ea5365e277b02
- kubernetes_dashboard_image: ${_param:kubernetes_dashboard_repo}/kubernetes-dashboard-amd64:v1.8.3
+ kubernetes_dashboard_image: ${_param:kubernetes_dashboard_repo}/kubernetes-dashboard-amd64:v1.10.0-4
kubernetes_fluentd_aggregator_image: fluent/fluentd-kubernetes-daemonset:v1.2-debian-elasticsearch
kubernetes_fluentd_logger_image: fluent/fluentd-kubernetes-daemonset:v1.2-debian-stackdriver
- kubernetes_telegraf_image: docker.io/telegraf:1.5.3
+ kubernetes_telegraf_image: ${_param:mcp_docker_registry}/openstack-docker/telegraf:2018.8.0
kubernetes_coredns_image: ${_param:kubernetes_coredns_repo}/coredns:1.2.0
kubelet_fail_on_swap: true
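Review bot: The re-pointed images (`controller:v0.7.3-2`, `speaker:v0.7.3-2`, `kubernetes-dashboard-amd64:v1.10.0-4`, `telegraf:2018.8.0`) are identified by tag only, while the binary artefacts in the same block carry a `*_source_hash`. A tag can be re-pushed in the registry, so the deployed image is whatever `${_param:mcp_docker_registry}` serves at pull time; appending a digest, e.g. `.../controller:v0.7.3-2@sha256:<digest-placeholder>`, would make the reference immutable. `mcp_docker_registry` is not defined in the visible hunks, so it would help to note in a comment where models are expected to set it.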
@@ -258,6 +258,8 @@
criproxy_source: ${_param:kubernetes_criproxy_checksum}
metallb:
enabled: ${_param:kubernetes_metallb_enabled}
+ controller_image: ${_param:kubernetes_metallb_controller_image}
+ speaker_image: ${_param:kubernetes_metallb_speaker_image}
pool:
enabled: false
kubelet:
diff --git a/manila/common/cluster.yml b/manila/common/cluster.yml
index d71364e..5c34bd6 100644
--- a/manila/common/cluster.yml
+++ b/manila/common/cluster.yml
@@ -1,8 +1,13 @@
classes:
- - service.manila.common.cluster
- - service.haproxy.proxy.single
- - system.haproxy.proxy.listen.openstack.manila
+- service.manila.common.cluster
+- service.haproxy.proxy.single
+- system.haproxy.proxy.listen.openstack.manila
+- system.salt.minion.cert.mysql.clients.openstack.manila
parameters:
+ _param:
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
+ manila_cluster_vip_address: ${_param:cluster_vip_address}
manila:
common:
version: ${_param:openstack_version}
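Review bot: `openstack_mysql_x509_enabled: False` and `galera_ssl_enabled: False` make TLS to the database opt-in. The next hunk of this file places the `x509`/`ssl` block right under `password: ${_param:mysql_manila_password}`, so with these defaults that connection is presumably still made without TLS. That may be the right backward-compatible default, but it should be stated next to the params, e.g. `# DB TLS is off by default; set both to true in the cluster model to enable it`. The new `system.salt.minion.cert.mysql.clients.openstack.manila` class is included unconditionally, so it looks as if the client certificate is requested even when both switches are off; confirm that is intended. Use lowercase `false` to match the `true`/`false` used elsewhere in these models; the same applies to `manila/common/single.yml`, `panko/server/cluster.yml` and `panko/server/single.yml`.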
@@ -20,10 +25,17 @@
name: manila
user: manila
password: ${_param:mysql_manila_password}
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_manila_ssl_ca_file}
+ key_file: ${_param:mysql_manila_client_ssl_key_file}
+ cert_file: ${_param:mysql_manila_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
identity:
engine: keystone
region: ${_param:openstack_region}
- host: ${_param:cluster_vip_address}
+ host: ${_param:manila_cluster_vip_address}
port: 35357
user: manila
password: ${_param:keystone_manila_password}
diff --git a/manila/common/single.yml b/manila/common/single.yml
index 1b139c2..f9d8c6e 100644
--- a/manila/common/single.yml
+++ b/manila/common/single.yml
@@ -1,6 +1,10 @@
classes:
- - service.manila.common.single
+- service.manila.common.single
+- system.salt.minion.cert.mysql.clients.openstack.manila
parameters:
+ _param:
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
manila:
common:
version: ${_param:openstack_version}
@@ -18,6 +22,13 @@
name: manila
user: manila
password: ${_param:mysql_manila_password}
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_manila_ssl_ca_file}
+ key_file: ${_param:mysql_manila_client_ssl_key_file}
+ cert_file: ${_param:mysql_manila_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
identity:
engine: keystone
region: ${_param:openstack_region}
diff --git a/manila/control/single.yml b/manila/control/single.yml
index 262a158..9d5f9f6 100644
--- a/manila/control/single.yml
+++ b/manila/control/single.yml
@@ -1,15 +1,18 @@
classes:
- - system.manila.common.cluster
+ - system.manila.common.single
- system.apache.server.site.manila
parameters:
+ _param:
+ openstack_node_role: primary
manila:
common:
dhss: false
+ default_share_type: default
version: ${_param:openstack_version}
api:
+ role: ${_param:openstack_node_role}
enabled: true
version: ${_param:openstack_version}
- role: ${_param:openstack_node_role}
scheduler:
enabled: true
version: ${_param:openstack_version}
diff --git a/neutron/control/openvswitch/single.yml b/neutron/control/openvswitch/single.yml
index baa710e..da8dee0 100644
--- a/neutron/control/openvswitch/single.yml
+++ b/neutron/control/openvswitch/single.yml
@@ -13,8 +13,10 @@
neutron_enable_bgp_vpn: False
neutron_bgp_vpn_driver: bagpipe
internal_protocol: 'http'
+ openstack_node_role: primary
neutron:
server:
+ role: ${_param:openstack_node_role}
global_physnet_mtu: ${_param:neutron_global_physnet_mtu}
l3_ha: ${_param:neutron_l3_ha}
dvr: ${_param:neutron_control_dvr}
diff --git a/openscap/server/init.yml b/openscap/server/init.yml
new file mode 100644
index 0000000..0f2a76f
--- /dev/null
+++ b/openscap/server/init.yml
@@ -0,0 +1,2 @@
+classes:
+- service.openscap.cis
diff --git a/panko/server/cluster.yml b/panko/server/cluster.yml
index 3a4cb65..9715456 100644
--- a/panko/server/cluster.yml
+++ b/panko/server/cluster.yml
@@ -4,6 +4,7 @@
- system.apache.server.site.panko
- system.haproxy.proxy.listen.openstack.panko
- system.keepalived.cluster.instance.openstack_telemetry_vip
+- system.salt.minion.cert.mysql.clients.openstack.panko
parameters:
_param:
panko_memcached_node01_address: ${_param:cluster_node01_address}
@@ -11,6 +12,8 @@
panko_memcached_node03_address: ${_param:cluster_node03_address}
# Keep events in database for 30 days
panko_event_time_to_live: 2592000
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
linux:
system:
cron:
@@ -25,6 +28,13 @@
host: ${_param:openstack_control_address}
database:
host: ${_param:openstack_database_address}
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_panko_ssl_ca_file}
+ key_file: ${_param:mysql_panko_client_ssl_key_file}
+ cert_file: ${_param:mysql_panko_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
cache:
engine: memcached
members:
diff --git a/panko/server/single.yml b/panko/server/single.yml
index 4ba2787..cb1a449 100644
--- a/panko/server/single.yml
+++ b/panko/server/single.yml
@@ -1,10 +1,13 @@
classes:
- service.panko.server.single
- system.apache.server.site.panko
+- system.salt.minion.cert.mysql.clients.openstack.panko
parameters:
_param:
# Keep events in database for 30 days
panko_event_time_to_live: 2592000
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
linux:
system:
cron:
@@ -13,6 +16,14 @@
enabled: true
panko:
server:
+ database:
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_panko_ssl_ca_file}
+ key_file: ${_param:mysql_panko_client_ssl_key_file}
+ cert_file: ${_param:mysql_panko_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
role: ${_param:openstack_node_role}
event_time_to_live: ${_param:panko_event_time_to_live}
# Check for expired events every day at 2 AM
diff --git a/powerdns/server/cluster.yml b/powerdns/server/cluster.yml
new file mode 100644
index 0000000..b4a5625
--- /dev/null
+++ b/powerdns/server/cluster.yml
@@ -0,0 +1,43 @@
+classes:
+ - service.powerdns.server.single
+parameters:
+ _param:
+ powerdns_axfr_ips_address01: ${_param:openstack_control_node01_address}
+ powerdns_axfr_ips_address02: ${_param:openstack_control_node02_address}
+ powerdns_axfr_ips_address03: ${_param:openstack_control_node03_address}
+ powerdns_supermaster_node01_address: ${_param:openstack_control_node01_address}
+ powerdns_supermaster_node02_address: ${_param:openstack_control_node02_address}
+ powerdns_supermaster_node03_address: ${_param:openstack_control_node03_address}
+ powerdns_supermaster_node01_name: ${_param:openstack_control_node01_hostname}.${_param:cluster_domain}
+ powerdns_supermaster_node02_name: ${_param:openstack_control_node02_hostname}.${_param:cluster_domain}
+ powerdns_supermaster_node03_name: ${_param:openstack_control_node03_hostname}.${_param:cluster_domain}
+ powerdns_webserver_port: 8081
+ powerdns:
+ server:
+ enabled: true
+ api:
+ enabled: true
+ key: ${_param:designate_pdns_api_key}
+ axfr_ips:
+ - ${_param:powerdns_axfr_ips_address01}
+ - ${_param:powerdns_axfr_ips_address02}
+ - ${_param:powerdns_axfr_ips_address03}
+ - 127.0.0.1
+ bind:
+ address: ${_param:single_address}
+ overwrite_supermasters: true
+ supermasters:
+ - ip: ${_param:powerdns_supermaster_node01_address}
+ nameserver: ${_param:powerdns_supermaster_node01_name}
+ account: master
+ - ip: ${_param:powerdns_supermaster_node02_address}
+ nameserver: ${_param:powerdns_supermaster_node02_name}
+ account: master
+ - ip: ${_param:powerdns_supermaster_node03_address}
+ nameserver: ${_param:powerdns_supermaster_node03_name}
+ account: master
+ webserver:
+ enabled: true
+ address: ${_param:single_address}
+ password: ${_param:powerdns_webserver_password}
+ port: ${_param:powerdns_webserver_port}
\ No newline at end of file
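Review bot: The class turns on both `api` and `webserver` and binds the webserver to `${_param:single_address}`, but nothing in the hunk limits which sources may reach it, so protection rests on `designate_pdns_api_key` and `powerdns_webserver_password` alone. If the formula exposes an allow-list (PowerDNS itself has `webserver-allow-from`), restricting it to the three control-node addresses already listed under `axfr_ips` would match the intended callers; otherwise add a comment that a firewall rule is expected for `powerdns_webserver_port`. The file is named `cluster.yml` but includes `service.powerdns.server.single`, which is worth a comment if deliberate. It also ends without a trailing newline.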
diff --git a/reclass/storage/system/openstack_share_multi.yml b/reclass/storage/system/openstack_share_multi.yml
index a70af28..abc52ce 100644
--- a/reclass/storage/system/openstack_share_multi.yml
+++ b/reclass/storage/system/openstack_share_multi.yml
@@ -20,6 +20,8 @@
linux_system_codename: ${_param:linux_system_codename}
single_address: ${_param:openstack_share_node01_address}
manila_share_address: ${_param:openstack_share_node01_share_address}
+ keepalived_vip_priority: 103
+ openstack_node_role: primary
openstack_share_node02:
name: ${_param:openstack_share_node02_hostname}
domain: ${_param:cluster_domain}
@@ -30,6 +32,8 @@
linux_system_codename: ${_param:linux_system_codename}
single_address: ${_param:openstack_share_node02_address}
manila_share_address: ${_param:openstack_share_node02_share_address}
+ keepalived_vip_priority: 102
+ openstack_node_role: secondary
openstack_share_node03:
name: ${_param:openstack_share_node03_hostname}
domain: ${_param:cluster_domain}
@@ -40,3 +44,5 @@
linux_system_codename: ${_param:linux_system_codename}
single_address: ${_param:openstack_share_node03_address}
manila_share_address: ${_param:openstack_share_node03_share_address}
+ keepalived_vip_priority: 101
+ openstack_node_role: secondary
diff --git a/salt/control/placement/stacklight/medium.yml b/salt/control/placement/stacklight/medium.yml
index 7f54f4d..7f35fe9 100644
--- a/salt/control/placement/stacklight/medium.yml
+++ b/salt/control/placement/stacklight/medium.yml
@@ -37,7 +37,7 @@
image: ${_param:salt_control_xenial_image}
provider: ${_param:infra_kvm_node10_hostname}.${_param:cluster_domain}
size: stacklight.log
- lop02:
+ log02:
name: ${_param:stacklight_log_node02_hostname}
image: ${_param:salt_control_xenial_image}
provider: ${_param:infra_kvm_node11_hostname}.${_param:cluster_domain}
@@ -61,4 +61,4 @@
name: ${_param:stacklight_monitor_node03_hostname}
image: ${_param:salt_control_xenial_image}
provider: ${_param:infra_kvm_node12_hostname}.${_param:cluster_domain}
- size: stacklight.server
\ No newline at end of file
+ size: stacklight.server
diff --git a/salt/master/formula/git/openscap.yml b/salt/master/formula/git/openscap.yml
new file mode 100644
index 0000000..a091ffe
--- /dev/null
+++ b/salt/master/formula/git/openscap.yml
@@ -0,0 +1,10 @@
+parameters:
+ salt:
+ master:
+ environment:
+ dev:
+ formula:
+ openscap:
+ source: git
+ address: '${_param:salt_master_environment_repository}/salt-formula-openscap.git'
+ revision: ${_param:salt_master_environment_revision}
diff --git a/salt/master/formula/pkg/openscap.yml b/salt/master/formula/pkg/openscap.yml
new file mode 100644
index 0000000..ebb6e86
--- /dev/null
+++ b/salt/master/formula/pkg/openscap.yml
@@ -0,0 +1,9 @@
+parameters:
+ salt:
+ master:
+ environment:
+ prd:
+ formula:
+ openscap:
+ source: pkg
+ name: salt-formula-openscap
diff --git a/salt/minion/cert/barbican.yml b/salt/minion/cert/barbican.yml
new file mode 100644
index 0000000..f499732
--- /dev/null
+++ b/salt/minion/cert/barbican.yml
@@ -0,0 +1,20 @@
+parameters:
+ _param:
+ salt_minion_ca_host: kmn01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ barbican_cert_alternative_names: IP:127.0.0.1,IP:${_param:cluster_local_address},IP:${_param:cluster_vip_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+ salt:
+ minion:
+ cert:
+ barbican_server:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: barbican_server
+ signing_policy: cert_server
+ alternative_names: ${_param:barbican_cert_alternative_names}
+ key_file: ${barbican:server:ssl:key_file}
+ cert_file: ${barbican:server:ssl:cert_file}
+ all_file: ${barbican:server:ssl:all_file}
+ ca_file: ${barbican:server:ssl:ca_file}
+ enabled: true
+ engine: salt
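Review bot: `salt_minion_ca_host: kmn01.${_param:cluster_domain}` conflicts with the value `cfg01.${_param:cluster_domain}` that `salt/minion/cert/mysql/clients/openstack/barbican.yml`, added in this same commit, assigns to the same `_param` key. A node that includes both classes ends up with whichever value reclass merges last, so one of the two certificates may be requested from a host that does not hold `salt_master_ca`. If `kmn01` is intentional, use a certificate-specific parameter name for it; otherwise align it with `salt_minion_ca_host: cfg01.${_param:cluster_domain}`. Unlike the client-cert classes, this entry also sets no `user`, `group` or `mode` for the server key file, so its permissions depend on formula defaults not visible here.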
diff --git a/salt/minion/cert/mysql/clients/openstack/barbican.yml b/salt/minion/cert/mysql/clients/openstack/barbican.yml
new file mode 100644
index 0000000..8d158ee
--- /dev/null
+++ b/salt/minion/cert/mysql/clients/openstack/barbican.yml
@@ -0,0 +1,27 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ mysql_barbican_client_ssl_key_file: /etc/barbican/ssl/mysql/client-key.pem
+ mysql_barbican_client_ssl_cert_file: /etc/barbican/ssl/mysql/client-cert.pem
+ mysql_barbican_ssl_ca_file: /etc/barbican/ssl/mysql/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ mysql-barbican-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: mysql-barbican-client
+ signing_policy: cert_client
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:mysql_barbican_client_ssl_key_file}
+ cert_file: ${_param:mysql_barbican_client_ssl_cert_file}
+ ca_file: ${_param:mysql_barbican_ssl_ca_file}
+ user: barbican
+ group: barbican
+ mode: 640
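Review bot: The SAN list contains `DNS:${_param:cluster_local_address}` next to `IP:${_param:cluster_local_address}`; assuming the parameter is an address, as the `IP:` entry implies, the `DNS:` entry puts an IP literal into a dNSName and can be dropped unless a legacy client needs it. The folded scalar `alternative_names: >` also yields spaces after each comma and a trailing newline, unlike the single-line form in `salt/minion/cert/barbican.yml`; `>-` would at least strip the newline. `mode: 640` is parsed as an integer, and a later edit to `0640` would be read as octal by YAML 1.1 loaders, so write `mode: "0640"`. The same three points apply to the `gnocchi.yml`, `manila.yml` and `panko.yml` files added in the same directory.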
diff --git a/salt/minion/cert/mysql/clients/openstack/gnocchi.yml b/salt/minion/cert/mysql/clients/openstack/gnocchi.yml
new file mode 100644
index 0000000..1aa31c9
--- /dev/null
+++ b/salt/minion/cert/mysql/clients/openstack/gnocchi.yml
@@ -0,0 +1,27 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ mysql_gnocchi_client_ssl_key_file: /etc/gnocchi/ssl/mysql/client-key.pem
+ mysql_gnocchi_client_ssl_cert_file: /etc/gnocchi/ssl/mysql/client-cert.pem
+ mysql_gnocchi_ssl_ca_file: /etc/gnocchi/ssl/mysql/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ mysql-gnocchi-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: mysql-gnocchi-client
+ signing_policy: cert_client
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:mysql_gnocchi_client_ssl_key_file}
+ cert_file: ${_param:mysql_gnocchi_client_ssl_cert_file}
+ ca_file: ${_param:mysql_gnocchi_ssl_ca_file}
+ user: gnocchi
+ group: gnocchi
+ mode: 640
diff --git a/salt/minion/cert/mysql/clients/openstack/manila.yml b/salt/minion/cert/mysql/clients/openstack/manila.yml
new file mode 100644
index 0000000..a1ca797
--- /dev/null
+++ b/salt/minion/cert/mysql/clients/openstack/manila.yml
@@ -0,0 +1,27 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ mysql_manila_client_ssl_key_file: /etc/manila/ssl/mysql/client-key.pem
+ mysql_manila_client_ssl_cert_file: /etc/manila/ssl/mysql/client-cert.pem
+ mysql_manila_ssl_ca_file: /etc/manila/ssl/mysql/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ mysql-manila-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: mysql-manila-client
+ signing_policy: cert_client
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:mysql_manila_client_ssl_key_file}
+ cert_file: ${_param:mysql_manila_client_ssl_cert_file}
+ ca_file: ${_param:mysql_manila_ssl_ca_file}
+ user: manila
+ group: manila
+ mode: 640
diff --git a/salt/minion/cert/mysql/clients/openstack/panko.yml b/salt/minion/cert/mysql/clients/openstack/panko.yml
new file mode 100644
index 0000000..0593ae2
--- /dev/null
+++ b/salt/minion/cert/mysql/clients/openstack/panko.yml
@@ -0,0 +1,27 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ mysql_panko_client_ssl_key_file: /etc/panko/ssl/mysql/client-key.pem
+ mysql_panko_client_ssl_cert_file: /etc/panko/ssl/mysql/client-cert.pem
+ mysql_panko_ssl_ca_file: /etc/panko/ssl/mysql/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ mysql-panko-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: mysql-panko-client
+ signing_policy: cert_client
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:mysql_panko_client_ssl_key_file}
+ cert_file: ${_param:mysql_panko_client_ssl_cert_file}
+ ca_file: ${_param:mysql_panko_ssl_ca_file}
+ user: panko
+ group: panko
+ mode: 640