Merge "Switch MetalLB to downstream images"
diff --git a/barbican/server/cluster.yml b/barbican/server/cluster.yml
index 972c05d..aac0400 100644
--- a/barbican/server/cluster.yml
+++ b/barbican/server/cluster.yml
@@ -1,9 +1,12 @@
classes:
- service.barbican.server.cluster
- system.haproxy.proxy.listen.openstack.barbican
+- system.salt.minion.cert.mysql.clients.openstack.barbican
parameters:
_param:
cluster_internal_protocol: 'http'
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
barbican:
server:
role: ${_param:openstack_node_role}
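Review bot: `openstack_mysql_x509_enabled: False` and `galera_ssl_enabled: False` make an unencrypted database connection the default for Barbican, while the client-certificate class is added to `classes` unconditionally, so a certificate is presumably requested even where it is never used. If off-by-default is intended for compatibility, say so next to the defaults, e.g. `# DB TLS is opt-in: set one of these to true in the cluster model`, and write the booleans as lowercase `false`. The same defaults appear in barbican/server/single.yml, gnocchi/common/cluster.yml and gnocchi/common/single.yml. The `barbican.server` mapping continues outside this hunk.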
@@ -11,6 +14,13 @@
protocol: ${_param:cluster_internal_protocol}
database:
host: ${_param:openstack_database_address}
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_barbican_ssl_ca_file}
+ key_file: ${_param:mysql_barbican_client_ssl_key_file}
+ cert_file: ${_param:mysql_barbican_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
linux:
system:
package:
diff --git a/barbican/server/single.yml b/barbican/server/single.yml
index 207957f..6bed260 100644
--- a/barbican/server/single.yml
+++ b/barbican/server/single.yml
@@ -1,10 +1,21 @@
classes:
- service.barbican.server.single
+- system.salt.minion.cert.mysql.clients.openstack.barbican
parameters:
_param:
internal_protocol: 'http'
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
barbican:
server:
+ database:
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_barbican_ssl_ca_file}
+ key_file: ${_param:mysql_barbican_client_ssl_key_file}
+ cert_file: ${_param:mysql_barbican_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
role: ${_param:openstack_node_role}
identity:
protocol: ${_param:internal_protocol}
diff --git a/galera/server/database/ssl/barbican.yml b/galera/server/database/ssl/barbican.yml
new file mode 100644
index 0000000..1b1c7c1
--- /dev/null
+++ b/galera/server/database/ssl/barbican.yml
@@ -0,0 +1,4 @@
+parameters:
+ _param:
+ mysql_barbican_ssl_option:
+ - SSL: True
\ No newline at end of file
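Review bot: `mysql_barbican_ssl_option` is defined here and again in galera/server/database/x509/barbican.yml, and neither file says the two classes are alternatives. If a node includes both, the resulting value depends on how reclass merges the two lists, so the account could end up with a mix of `SSL`, `SUBJECT` and `ISSUER` requirements or with only one set. A header comment such as `# Use either ssl/barbican or x509/barbican, not both` would make the intent explicit. The file also lacks a final newline and writes `True` where `true` is the canonical boolean; galera/server/database/ssl/gnocchi.yml has the same shape.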
diff --git a/galera/server/database/ssl/gnocchi.yml b/galera/server/database/ssl/gnocchi.yml
new file mode 100644
index 0000000..c1bb459
--- /dev/null
+++ b/galera/server/database/ssl/gnocchi.yml
@@ -0,0 +1,4 @@
+parameters:
+ _param:
+ mysql_gnocchi_ssl_option:
+ - SSL: True
\ No newline at end of file
diff --git a/galera/server/database/x509/barbican.yml b/galera/server/database/x509/barbican.yml
new file mode 100644
index 0000000..ae1865f
--- /dev/null
+++ b/galera/server/database/x509/barbican.yml
@@ -0,0 +1,7 @@
+parameters:
+ _param:
+ mysql_barbican_client_ssl_x509_subject: '/C=cz/CN=mysql-barbican-client/L=Prague/O=Mirantis'
+ mysql_barbican_client_ssl_x509_issuer: '/C=cz/CN=Salt Master CA/L=Prague/O=Mirantis'
+ mysql_barbican_ssl_option:
+ - SUBJECT: ${_param:mysql_barbican_client_ssl_x509_subject}
+ - ISSUER: ${_param:mysql_barbican_client_ssl_x509_issuer}
\ No newline at end of file
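Review bot: The subject and issuer are fixed to `/C=cz/.../L=Prague/O=Mirantis` and `CN=Salt Master CA`, but the certificate entry in salt/minion/cert/mysql/clients/openstack/barbican.yml sets only `common_name`, so the C, L and O parts have to come from the CA's own defaults. If a deployment's CA issues different values, and the database presumably compares these strings exactly, the barbican account would be refused once x509 is switched on. A comment above the two parameters would help: `# Must match the subject/issuer the Salt CA actually issues; override per deployment`. galera/server/database/x509/gnocchi.yml carries the same fixed strings.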
diff --git a/galera/server/database/x509/gnocchi.yml b/galera/server/database/x509/gnocchi.yml
new file mode 100644
index 0000000..5cb3c58
--- /dev/null
+++ b/galera/server/database/x509/gnocchi.yml
@@ -0,0 +1,7 @@
+parameters:
+ _param:
+ mysql_gnocchi_client_ssl_x509_subject: '/C=cz/CN=mysql-gnocchi-client/L=Prague/O=Mirantis'
+ mysql_gnocchi_client_ssl_x509_issuer: '/C=cz/CN=Salt Master CA/L=Prague/O=Mirantis'
+ mysql_gnocchi_ssl_option:
+ - SUBJECT: ${_param:mysql_gnocchi_client_ssl_x509_subject}
+ - ISSUER: ${_param:mysql_gnocchi_client_ssl_x509_issuer}
\ No newline at end of file
diff --git a/gnocchi/common/cluster.yml b/gnocchi/common/cluster.yml
new file mode 100644
index 0000000..8d7ae5e
--- /dev/null
+++ b/gnocchi/common/cluster.yml
@@ -0,0 +1,17 @@
+classes:
+- service.gnocchi.common.cluster
+- system.salt.minion.cert.mysql.clients.openstack.gnocchi
+parameters:
+ _param:
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
+ gnocchi:
+ common:
+ database:
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_gnocchi_ssl_ca_file}
+ key_file: ${_param:mysql_gnocchi_client_ssl_key_file}
+ cert_file: ${_param:mysql_gnocchi_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
diff --git a/gnocchi/common/single.yml b/gnocchi/common/single.yml
new file mode 100644
index 0000000..1f68f5c
--- /dev/null
+++ b/gnocchi/common/single.yml
@@ -0,0 +1,17 @@
+classes:
+- service.gnocchi.common.single
+- system.salt.minion.cert.mysql.clients.openstack.gnocchi
+parameters:
+ _param:
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
+ gnocchi:
+ common:
+ database:
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_gnocchi_ssl_ca_file}
+ key_file: ${_param:mysql_gnocchi_client_ssl_key_file}
+ cert_file: ${_param:mysql_gnocchi_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
diff --git a/jenkins/client/job/deploy/lab/deploy.yml b/jenkins/client/job/deploy/lab/deploy.yml
index b1deafa..f5d34f6 100644
--- a/jenkins/client/job/deploy/lab/deploy.yml
+++ b/jenkins/client/job/deploy/lab/deploy.yml
@@ -117,9 +117,6 @@
type: string
default: ""
description: "Formulas revision to install on Salt Master bootstrap stage"
- EXTRA_FORMULAS:
- type: string
- default: ""
STATIC_MGMT_NETWORK:
type: boolean
default: 'false'
diff --git a/jenkins/client/job/salt-formulas/git-mirrors/2way.yml b/jenkins/client/job/salt-formulas/git-mirrors/2way.yml
index cae768a..85c9ac8 100644
--- a/jenkins/client/job/salt-formulas/git-mirrors/2way.yml
+++ b/jenkins/client/job/salt-formulas/git-mirrors/2way.yml
@@ -338,6 +338,9 @@
- name: sentry
branches: ${_param:salt_formulas_branches}
notification_recipients: ${_param:salt_formulas_notification_recipients}
+ - name: shibboleth
+ branches: ${_param:salt_formulas_branches}
+ notification_recipients: ${_param:salt_formulas_notification_recipients}
- name: sphinx
branches: ${_param:salt_formulas_branches}
notification_recipients: ${_param:salt_formulas_notification_recipients}
diff --git a/jenkins/client/job/salt-models/tests.yml b/jenkins/client/job/salt-models/tests.yml
index 145cfa9..c6bd2e1 100644
--- a/jenkins/client/job/salt-models/tests.yml
+++ b/jenkins/client/job/salt-models/tests.yml
@@ -48,10 +48,6 @@
PARALLEL_NODE_GROUP_SIZE:
type: string
default: "9"
- # Salt master setup extra formulas
- EXTRA_FORMULAS:
- type: string
- default: "{{extra_formulas}}"
FORMULAS_SOURCE:
type: string
default: "{{formulas_src}}"
@@ -158,10 +154,6 @@
PARALLEL_NODE_GROUP_SIZE:
type: string
default: "9"
- # Salt master setup extra formulas
- EXTRA_FORMULAS:
- type: string
- default: "{{extra_formulas}}"
FORMULAS_SOURCE:
type: string
default: "{{formulas_src}}"
@@ -295,9 +287,6 @@
type: string
default: 'nightly'
description: "Those variable will be ignored, in case gerritTrigger=>GERRIT_BRANCH. Version of bin-artifacts,passed to test-env"
- EXTRA_FORMULAS:
- type: string
- default: "aptly artifactory auditd backupninja collectd devops-portal docker elasticsearch fluentd freeipa gerrit glusterfs grafana haproxy heka horizon influxdb jenkins keepalived kibana libvirt maas memcached mysql nginx ntp openldap openscap openssh postfix prometheus rsync rsyslog rundeck sensu sphinx telegraf xtrabackup watchdog logrotate"
RECLASS_VERSION:
type: string
default: 'v1.5.4'
@@ -343,9 +332,6 @@
CREDENTIALS_ID:
type: string
default: "gerrit"
- EXTRA_FORMULAS:
- type: string
- default: ""
FORMULAS_SOURCE:
type: string
default: "pkg"
diff --git a/keepalived/cluster/instance/openstack_manila_vip.yml b/keepalived/cluster/instance/openstack_manila_vip.yml
new file mode 100644
index 0000000..d8330c4
--- /dev/null
+++ b/keepalived/cluster/instance/openstack_manila_vip.yml
@@ -0,0 +1,11 @@
+classes:
+- service.keepalived.cluster.single
+parameters:
+ _param:
+ keepalived_openstack_manila_vip_address: ${_param:cluster_vip_address}
+ keepalived_openstack_manila_vip_password: password
+ keepalived_openstack_manila_vip_interface: eth1
+ keepalived_vip_virtual_router_id: 235
+ keepalived_vip_address: ${_param:keepalived_openstack_manila_vip_address}
+ keepalived_vip_password: ${_param:keepalived_openstack_manila_vip_password}
+ keepalived_vip_interface: ${_param:keepalived_openstack_manila_vip_interface}
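Review bot: `keepalived_openstack_manila_vip_password: password` ships a known default for the VRRP authentication secret, and any cluster that includes this class without overriding it will run with that value. Dropping the default, so that the `${_param:keepalived_openstack_manila_vip_password}` reference fails at interpolation when unset, would force each deployment to supply its own; otherwise add `# placeholder, must be overridden in the cluster model` above it. `keepalived_vip_virtual_router_id: 235` and `eth1` are also fixed here and should be checked against other keepalived instances on the same segment.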
diff --git a/manila/common/cluster.yml b/manila/common/cluster.yml
index 31024f2..5c34bd6 100644
--- a/manila/common/cluster.yml
+++ b/manila/common/cluster.yml
@@ -7,6 +7,7 @@
_param:
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ manila_cluster_vip_address: ${_param:cluster_vip_address}
manila:
common:
version: ${_param:openstack_version}
@@ -34,7 +35,7 @@
identity:
engine: keystone
region: ${_param:openstack_region}
- host: ${_param:cluster_vip_address}
+ host: ${_param:manila_cluster_vip_address}
port: 35357
user: manila
password: ${_param:keystone_manila_password}
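Review bot: The Keystone `identity` block's `host` now reads `manila_cluster_vip_address`, a name that suggests the Manila VIP rather than the address Keystone listens on. The default still resolves to `cluster_vip_address`, but a deployment that overrides the new parameter to a dedicated Manila VIP (this commit also adds keepalived/cluster/instance/openstack_manila_vip.yml) would redirect the identity endpoint as well, so confirm Keystone is reachable there. A comment where the parameter is defined would make the coupling visible: `# Also used as the Keystone identity host; override only if Keystone answers on this address`. The rest of the identity block lies outside the hunk.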
diff --git a/manila/control/single.yml b/manila/control/single.yml
index b2036d3..9d5f9f6 100644
--- a/manila/control/single.yml
+++ b/manila/control/single.yml
@@ -1,5 +1,5 @@
classes:
- - system.manila.common.cluster
+ - system.manila.common.single
- system.apache.server.site.manila
parameters:
_param:
@@ -7,12 +7,12 @@
manila:
common:
dhss: false
+ default_share_type: default
version: ${_param:openstack_version}
api:
role: ${_param:openstack_node_role}
enabled: true
version: ${_param:openstack_version}
- role: ${_param:openstack_node_role}
scheduler:
enabled: true
version: ${_param:openstack_version}
diff --git a/reclass/storage/system/openstack_share_multi.yml b/reclass/storage/system/openstack_share_multi.yml
index a70af28..abc52ce 100644
--- a/reclass/storage/system/openstack_share_multi.yml
+++ b/reclass/storage/system/openstack_share_multi.yml
@@ -20,6 +20,8 @@
linux_system_codename: ${_param:linux_system_codename}
single_address: ${_param:openstack_share_node01_address}
manila_share_address: ${_param:openstack_share_node01_share_address}
+ keepalived_vip_priority: 103
+ openstack_node_role: primary
openstack_share_node02:
name: ${_param:openstack_share_node02_hostname}
domain: ${_param:cluster_domain}
@@ -30,6 +32,8 @@
linux_system_codename: ${_param:linux_system_codename}
single_address: ${_param:openstack_share_node02_address}
manila_share_address: ${_param:openstack_share_node02_share_address}
+ keepalived_vip_priority: 102
+ openstack_node_role: secondary
openstack_share_node03:
name: ${_param:openstack_share_node03_hostname}
domain: ${_param:cluster_domain}
@@ -40,3 +44,5 @@
linux_system_codename: ${_param:linux_system_codename}
single_address: ${_param:openstack_share_node03_address}
manila_share_address: ${_param:openstack_share_node03_share_address}
+ keepalived_vip_priority: 101
+ openstack_node_role: secondary
diff --git a/salt/minion/cert/mysql/clients/openstack/barbican.yml b/salt/minion/cert/mysql/clients/openstack/barbican.yml
new file mode 100644
index 0000000..8d158ee
--- /dev/null
+++ b/salt/minion/cert/mysql/clients/openstack/barbican.yml
@@ -0,0 +1,27 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ mysql_barbican_client_ssl_key_file: /etc/barbican/ssl/mysql/client-key.pem
+ mysql_barbican_client_ssl_cert_file: /etc/barbican/ssl/mysql/client-cert.pem
+ mysql_barbican_ssl_ca_file: /etc/barbican/ssl/mysql/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ mysql-barbican-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: mysql-barbican-client
+ signing_policy: cert_client
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:mysql_barbican_client_ssl_key_file}
+ cert_file: ${_param:mysql_barbican_client_ssl_cert_file}
+ ca_file: ${_param:mysql_barbican_ssl_ca_file}
+ user: barbican
+ group: barbican
+ mode: 640
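Review bot: `mode: 640` on the certificate entry is an unquoted number and, if the formula applies it to `key_file` as well as to the certificate and CA file (not visible here), leaves the client private key group-readable. Quoting it as `mode: '0640'` avoids any numeric reinterpretation, and `'0600'` would be the tighter choice if only the `barbican` user reads the key. Separately, `DNS:${_param:cluster_local_address}` puts what appears to be an IP address into a DNS SAN next to the `IP:` entry for the same value. salt/minion/cert/mysql/clients/openstack/gnocchi.yml repeats both.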
diff --git a/salt/minion/cert/mysql/clients/openstack/gnocchi.yml b/salt/minion/cert/mysql/clients/openstack/gnocchi.yml
new file mode 100644
index 0000000..1aa31c9
--- /dev/null
+++ b/salt/minion/cert/mysql/clients/openstack/gnocchi.yml
@@ -0,0 +1,27 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ mysql_gnocchi_client_ssl_key_file: /etc/gnocchi/ssl/mysql/client-key.pem
+ mysql_gnocchi_client_ssl_cert_file: /etc/gnocchi/ssl/mysql/client-cert.pem
+ mysql_gnocchi_ssl_ca_file: /etc/gnocchi/ssl/mysql/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ mysql-gnocchi-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: mysql-gnocchi-client
+ signing_policy: cert_client
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:mysql_gnocchi_client_ssl_key_file}
+ cert_file: ${_param:mysql_gnocchi_client_ssl_cert_file}
+ ca_file: ${_param:mysql_gnocchi_ssl_ca_file}
+ user: gnocchi
+ group: gnocchi
+ mode: 640