Merge "configure Pushkin service credentials for Janitor"
diff --git a/.releasenotes/notes/add-prometheus-relay-df282e14ed88da8c.yaml b/.releasenotes/notes/add-prometheus-relay-df282e14ed88da8c.yaml
new file mode 100644
index 0000000..dbf8a39
--- /dev/null
+++ b/.releasenotes/notes/add-prometheus-relay-df282e14ed88da8c.yaml
@@ -0,0 +1,12 @@
+---
+
+summary: >
+  Add prometheus relay service
+
+features:
+  - The Prometheus Relay service is responsible for
+    getting PromQL queries from external components,
+    such as Grafana, passing them to all discovered
+    Prometheus servers, merging the results and returning
+    the data. Prometheus Relay can be used to handle
+    Prometheus high availability or sharding.
diff --git a/.releasenotes/notes/spawn-multiple-replicas-prometheus-b80eaede9c19b8cd.yaml b/.releasenotes/notes/spawn-multiple-replicas-prometheus-b80eaede9c19b8cd.yaml
new file mode 100644
index 0000000..cc11b73
--- /dev/null
+++ b/.releasenotes/notes/spawn-multiple-replicas-prometheus-b80eaede9c19b8cd.yaml
@@ -0,0 +1,14 @@
+summary: >
+  Spawned two replicas of Prometheus to provide HA
+
+features:
+  - Spawned two replicas of Prometheus inside Docker Swarm.
+    These two instances have the same configuration file
+    and scrape the same endpoints. Therefore, they can be
+    treated as one-to-one copies.
+    Due to a limitation, when connecting to the Prometheus
+    web UI it is not possible to choose to which of the
+    existing Prometheus servers to connect and those
+    servers may contain slightly different results for the
+    same queries. Therefore, we suggest that you use Grafana
+    to visualize the data.
diff --git a/docker/swarm/stack/monitoring/init.yml b/docker/swarm/stack/monitoring/init.yml
index 95f5f8d..e274426 100644
--- a/docker/swarm/stack/monitoring/init.yml
+++ b/docker/swarm/stack/monitoring/init.yml
@@ -15,6 +15,22 @@
               driver_opts:
                 encrypted: 1
           service:
+            relay:
+              networks:
+                - monitoring
+              deploy:
+                replicas: 2
+                labels:
+                  com.mirantis.monitoring: "relay"
+                restart_policy:
+                  condition: any
+              labels:
+                com.mirantis.monitoring: "relay"
+              image: ${_param:docker_image_prometheus_relay}
+              ports:
+                - 15016:8080
+              environment:
+                PROMETHEUS_RELAY_DNS: 'tasks.monitoring_server'
             remote_storage_adapter:
               networks:
                 - monitoring
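Review bot: The `ports` entry `- 15016:8080` on the new `relay` service publishes the relay through the swarm ingress, and nothing in this hunk puts authentication or a proxy in front of it, so the PromQL query endpoint is presumably reachable on port 15016 of every swarm node. If access is meant to go through HAProxy, as with the Rundeck listener touched in this same commit, say so in a comment above `ports:`, for example `# reached via the haproxy listener only; keep 15016 closed to networks outside the cluster`. Writing the mapping as `- "15016:8080"` would also keep it a string under every YAML loader. The `service:` mapping continues outside the hunk.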
@@ -81,7 +97,7 @@
               networks:
                 - monitoring
               deploy:
-                replicas: 1
+                replicas: 2
                 labels:
                   com.mirantis.monitoring: "prometheus"
                 restart_policy:
diff --git a/docker/swarm/stack/rundeck.yml b/docker/swarm/stack/rundeck.yml
index 0710819..8ab0554 100644
--- a/docker/swarm/stack/rundeck.yml
+++ b/docker/swarm/stack/rundeck.yml
@@ -18,7 +18,7 @@
                 restart_policy:
                   condition: any
               ports:
-                - 14440:4440
+                - ${_param:haproxy_rundeck_exposed_port}:${_param:haproxy_rundeck_bind_port}
               volumes:
                 - /srv/volumes/rundeck/etc/framework.properties:/etc/rundeck/framework.properties
                 - /srv/volumes/rundeck/etc/tokens.properties:/etc/rundeck/tokens.properties
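Review bot: The container side of the new mapping uses `${_param:haproxy_rundeck_bind_port}`, which is the HAProxy frontend port (4440 in haproxy/proxy/listen/oss/rundeck.yml) and not a property of the Rundeck container. An operator who moves the HAProxy listener would silently change the container port here while Rundeck inside the container presumably still listens on 4440, leaving the published port pointing at nothing. Keeping the container port literal, `- ${_param:haproxy_rundeck_exposed_port}:4440`, or giving it its own parameter avoids that coupling. This class also no longer interpolates unless the HAProxy class defining both parameters is loaded, which deserves a comment at the top of the file.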
@@ -32,4 +32,4 @@
           network:
             default:
               external:
-                name: oss_backend
\ No newline at end of file
+                name: oss_backend
diff --git a/gerrit/client/project/ci.yml b/gerrit/client/project/ci.yml
index 86ff699..3e36556 100644
--- a/gerrit/client/project/ci.yml
+++ b/gerrit/client/project/ci.yml
@@ -1,11 +1,15 @@
 parameters:
+  _param:
+    gerrit_pipeline_library_repo: https://github.com/Mirantis/pipeline-library
+    gerrit_mk_pipelines_repo: https://github.com/Mirantis/mk-pipelines
+    gerrit_decapod_pipelines_repo: https://github.com/mateuszlos/decapod-pipelines
   gerrit:
     client:
       project:
         mcp-ci/pipeline-library:
           enabled: true
           description: Jenkins pipeline libraries
-          upstream: https://github.com/Mirantis/pipeline-library
+          upstream: ${_param:gerrit_pipeline_library_repo}
           access: ${gerrit:client:default_access}
           require_change_id: true
           require_agreement: false
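Review bot: `gerrit_decapod_pipelines_repo` keeps `https://github.com/mateuszlos/decapod-pipelines` as its default, which looks like a personal GitHub account rather than the organisation hosting the other two repositories. These upstreams feed Jenkins pipeline code into Gerrit, so a default the project does not control is a supply-chain dependency on a single account. Now that the URL is a parameter, point the default at an organisation-owned mirror or add a comment such as `# personal fork; override with a trusted mirror in the cluster model`. The two following hunks of this file apply the same parameterisation to mk/mk-pipelines and mk/decapod-pipelines.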
@@ -13,7 +17,7 @@
         mk/mk-pipelines:
           enabled: true
           description: Jenkins pipelines
-          upstream: https://github.com/Mirantis/mk-pipelines
+          upstream: ${_param:gerrit_mk_pipelines_repo}
           access: ${gerrit:client:default_access}
           require_change_id: true
           require_agreement: false
@@ -21,7 +25,7 @@
         mk/decapod-pipelines:
           enabled: true
           description: Decapod jenkins pipelines
-          upstream: https://github.com/mateuszlos/decapod-pipelines
+          upstream: ${_param:gerrit_decapod_pipelines_repo}
           access: ${gerrit:client:default_access}
           require_change_id: true
           require_agreement: false
diff --git a/haproxy/proxy/listen/oss/rundeck.yml b/haproxy/proxy/listen/oss/rundeck.yml
index fbabb38..120a9ea 100644
--- a/haproxy/proxy/listen/oss/rundeck.yml
+++ b/haproxy/proxy/listen/oss/rundeck.yml
@@ -2,6 +2,7 @@
   _param:
     haproxy_rundeck_bind_host: ${_param:haproxy_bind_address}
     haproxy_rundeck_bind_port: 4440
+    haproxy_rundeck_exposed_port: 14440
     haproxy_rundeck_ssl:
       enabled: false
   haproxy:
@@ -25,13 +26,13 @@
           servers:
             - name: ${_param:cluster_node01_name}
               host: ${_param:cluster_node01_address}
-              port: 14440
+              port: ${_param:haproxy_rundeck_exposed_port}
               params: check
             - name: ${_param:cluster_node02_name}
               host: ${_param:cluster_node02_address}
-              port: 14440
+              port: ${_param:haproxy_rundeck_exposed_port}
               params: backup check
             - name: ${_param:cluster_node03_name}
               host: ${_param:cluster_node03_address}
-              port: 14440
+              port: ${_param:haproxy_rundeck_exposed_port}
               params: backup check
diff --git a/jenkins/client/job/aptly.yml b/jenkins/client/job/aptly.yml
index c6a5755..256c04a 100644
--- a/jenkins/client/job/aptly.yml
+++ b/jenkins/client/job/aptly.yml
@@ -75,6 +75,9 @@
               RECREATE:
                 type: boolean
                 default: 'false'
+              DUMP_PUBLISH:
+                type: boolean
+                default: 'true'
               DIFF_ONLY:
                 type: boolean
                 default: '{{diff_only}}'
diff --git a/jenkins/client/job/deploy/update/config.yml b/jenkins/client/job/deploy/update/config.yml
index 9beabfb..e956736 100644
--- a/jenkins/client/job/deploy/update/config.yml
+++ b/jenkins/client/job/deploy/update/config.yml
@@ -42,4 +42,7 @@
             TARGET_BATCH_LIVE:
               type: string
               description: Batch size for the complete live config changes on all nodes, empty string means apply to all targetted nodes.
-
+            PULL_MODEL:
+              type: boolean
+              default: 'true'
+              description: Pull the latest reclass cluster model before applying the states.
diff --git a/jenkins/client/job/oss/init.yml b/jenkins/client/job/oss/init.yml
index f8b5bdc..9478ffd 100644
--- a/jenkins/client/job/oss/init.yml
+++ b/jenkins/client/job/oss/init.yml
@@ -1,4 +1,5 @@
 classes:
   - system.jenkins.client.job.oss.test_devops_portal
   - system.jenkins.client.job.oss.test_devops_portal_nightly
+  - system.jenkins.client.job.oss.test_pushkin_codebase
   - system.jenkins.client.job.oss.test_security_monkey_openstack
diff --git a/jenkins/client/job/oss/test_pushkin_codebase.yml b/jenkins/client/job/oss/test_pushkin_codebase.yml
new file mode 100644
index 0000000..245f1d8
--- /dev/null
+++ b/jenkins/client/job/oss/test_pushkin_codebase.yml
@@ -0,0 +1,50 @@
+parameters:
+  jenkins:
+    client:
+      job:
+        test-oss-pushkin-codebase:
+          name: test-oss-pushkin-codebase
+          discard:
+            build:
+              keep_num: 15
+            artifact:
+              keep_num: 15
+          type: workflow-scm
+          concurrent: true
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/oss/jenkins/pipelines"
+            credentials: "gerrit"
+            script: test-pushkin-pipeline.groovy
+          trigger:
+            gerrit:
+              project:
+                "oss/pushkin":
+                  branches:
+                    - devel
+                    - master
+              skip_vote:
+                - successful
+                - failed
+                - unstable
+                - not_built
+              event:
+                patchset:
+                  - created:
+                      excludeDrafts: false
+                      excludeTrivialRebase: false
+                      excludeNoCodeChange: false
+                comment:
+                  - addedContains:
+                      commentAddedCommentContains: '^(?s:Patch Set \d+:.*(test|recheck|reverify)\s*)$'
+          param:
+            CREDENTIALS_ID:
+              type: string
+              default: "gerrit"
+            DEFAULT_GIT_URL:
+                type: string
+                default: "${_param:jenkins_gerrit_url}/oss/pushkin"
+            DEFAULT_GIT_REF:
+                type: string
+                default: master
+                description: "Refspec in format refs/changes/, i.e. refs/changes/32/10332/4"
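Review bot: `skip_vote` lists all four outcomes (`successful`, `failed`, `unstable`, `not_built`), so this job's result is never counted towards a vote on the Gerrit change and a failing run cannot block a merge to `devel` or `master`. If that is deliberate while the job is being introduced, a comment above `skip_vote:` saying so would stop it being copied as-is; otherwise drop at least `failed` from the list. The job also builds every created patchset including drafts (`excludeDrafts: false`) and re-runs on a `test`/`recheck`/`reverify` comment with `concurrent: true`, so it executes unmerged code and should only land on an executor that holds nothing beyond the `gerrit` credential. Separately, the children of `DEFAULT_GIT_URL` and `DEFAULT_GIT_REF` are indented four spaces where `CREDENTIALS_ID` uses two, and the last description reads better as `Refspec in the form refs/changes/NN/CHANGE/PATCHSET, e.g. refs/changes/32/10332/4`.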
diff --git a/jenkins/client/node.yml b/jenkins/client/node.yml
index 321951a..e5e4d3b 100644
--- a/jenkins/client/node.yml
+++ b/jenkins/client/node.yml
@@ -7,6 +7,8 @@
         master:
           node_mode: Exclusive
           remote_home: /var/lib/jenkins
+          labels:
+            - python
           launcher:
             type: master
         slave01:
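Review bot: Adding the `python` label to `master` lets any job that requests a `python` node be scheduled on the Jenkins master itself, where builds run next to `/var/lib/jenkins` and whatever credentials and job configuration are stored there. With `node_mode: Exclusive` the label is exactly what opts a job in, and this presumably targets the new Pushkin test job, which runs unmerged patchsets. Prefer putting the label on a slave (`slave01` starts right after this hunk) or add a comment above `labels:` explaining why these builds must run on the master. The `node:` mapping continues outside the hunk.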
diff --git a/linux/system/repo/elasticsearch.yml b/linux/system/repo/elasticsearch.yml
index 60f6fd0..2030114 100644
--- a/linux/system/repo/elasticsearch.yml
+++ b/linux/system/repo/elasticsearch.yml
@@ -5,4 +5,8 @@
         elasticsearch:
           source: "deb http://packages.elastic.co/elasticsearch/2.x/debian stable main"
           architectures: amd64
-          key_url: "https://packages.elastic.co/GPG-KEY-elasticsearch"
\ No newline at end of file
+          key_url: "https://packages.elastic.co/GPG-KEY-elasticsearch"
+        elasticsearch_curator:
+          source: "deb http://packages.elastic.co/curator/4/debian stable main"
+          architectures: amd64
+          key_url: "https://packages.elastic.co/GPG-KEY-elasticsearch"
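Review bot: The new `elasticsearch_curator` source is fetched over plain `http://`, while its `key_url` two lines below uses `https://` on the same host. APT signature checks still protect package contents, but an on-path party can observe which packages are installed and serve stale, validly signed metadata. Using `source: "deb https://packages.elastic.co/curator/4/debian stable main"` closes that, provided the target release has HTTPS transport for APT available. `key_url` also trusts whatever key the URL returns at install time, so pinning a key id or fingerprint would be stronger if the formula supports it (not verifiable from this hunk). The existing `elasticsearch` entry above has the same `http://` source.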
diff --git a/openssh/server/team/stacklight.yml b/openssh/server/team/stacklight.yml
index 1133135..fcdbce5 100644
--- a/openssh/server/team/stacklight.yml
+++ b/openssh/server/team/stacklight.yml
@@ -18,13 +18,6 @@
           full_name: Simon Pasquier
           home: /home/spasquier
           email: spasquier@mirantis.com
-        ppetit:
-          enabled: true
-          name: ppetit
-          sudo: true
-          full_name: Patrick Petit 
-          home: /home/ppetit
-          email: ppetit@mirantis.com
         obourdon:
           enabled: true
           name: obourdon
@@ -111,58 +104,53 @@
           public_keys:
           - ${public_keys:spasquier}
           user: ${linux:system:user:spasquier}
-        ppetit:
-          enabled: true
-          public_keys:
-          - ${public_keys:ppetit}
-          user: ${linux:system:user:ppetit}
         obourdon:
-          enable: true
+          enabled: true
           public_keys:
           - ${public_keys:obourdon}
           user: ${linux:system:user:obourdon}
         dkalashnik:
-          enable: true
+          enabled: true
           public_keys:
           - ${public_keys:dkalashnik}
           user: ${linux:system:user:dkalashnik}
         rpromyshlennikov:
-          enable: true
+          enabled: true
           public_keys:
           - ${public_keys:rpromyshlennikov}
           user: ${linux:system:user:rpromyshlennikov}
         vgusev:
-          enable: true
+          enabled: true
           public_keys:
           - ${public_keys:vgusev}
           user: ${linux:system:user:vgusev}
         mpolreich:
-          enable: true
+          enabled: true
           public_keys:
           - ${public_keys:mpolreich}
           user: ${linux:system:user:mpolreich}
         isvetlov:
-          enable: true
+          enabled: true
           public_keys:
           - ${public_keys:isvetlov}
           user: ${linux:system:user:isvetlov}
         akholkin:
-          enable: true
+          enabled: true
           public_keys:
           - ${public_keys:akholkin}
           user: ${linux:system:user:akholkin}
         kszukielojc:
-          enable: true
+          enabled: true
           public_keys:
           - ${public_keys:kszukielojc}
           user: ${linux:system:user:kszukielojc}
         isviridov:
-          enable: true
+          enabled: true
           public_keys:
           - ${public_keys:isviridov}
           user: ${linux:system:user:isviridov}
         nzaporozhets:
-          enable: true
+          enabled: true
           public_keys:
           - ${public_keys:nzaporozhets}
           user: ${linux:system:user:nzaporozhets}
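Review bot: Dropping the `ppetit` entries from the model (here, in the `linux:system:user` hunk above and in the `public_keys` hunk below) stops the account being managed, but it does not show that the existing account and its authorized key are removed from hosts that already have them. If the formulas only delete users they are told about, offboarding needs one release with `enabled: false` for `ppetit` before the entries disappear; confirm this against the linux and openssh formulas. The `enable: true` to `enabled: true` correction on the ten remaining users also changes behaviour if the formula reads `enabled`, so check the rendered authorized_keys on a test node. The enclosing `user:` mapping starts outside the hunk.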
@@ -171,8 +159,6 @@
       key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3odU+3V2uDA2ptAFL9hrJRPNEEdAyztWOZFQ5Oyd9oerTGOU3p4xmrgWWjfKFKbYGhiiIUcYAol5PkTfKukGEkkjCHYA1t023soCaaAj85wCZCnw2zQNAziwxTYmAzTqgxiSvtZNMMrtJvFHRIRDzJ3M1lV0prWNWkMM1/3FAd4W49y6VT3fkMCo8uqG7CfGdgR2DgBCxf9KaNPfW5eDEPOgmE5lK8tVSEI6T+Cg7hbcTf4lFYnlFBnlQgp/0JstsM4Vbwb4B34LOpOsf2S8rrWk2xQMjwaMHXkc2s/E8iW3F5nVFuyEXYISFQIiAHw8dzC6CHgLcyHUVWwznKawZ newt@newt-dev1
     spasquier:
       key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCXBHKQaGUNB92DsnyvflmCbmuXnkiuNahZiue3hnyXqLA2q8jmQmzBbxReAJzexnVfJhrUCTw8IPJUpMUP27u3igvGdkhfctdUuxVf9yGJErtGNgHK/aGbeLCvUOmhw6X/xbf3IbyFL1gwxOJ2cmmjlSptYU9E1W2xFY+IMFWBhzO3vso5EABgPVli/UUMfeXUUd++lIZpoyYe2Hkri1QGNhzfbZcFjEO78+vNiLZrvjJEtkXWu7iZTYK6eE365CiFJzqFL7N6Ichb28qakcmVqR/foreuz3cOMqMGssKoOQk1213x8w4fE0yLwf9Ft8L7GMf+vXQvuNt0ZKBPWqn7 spasquier@mirantis.com
-    ppetit:
-      key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUGCb+mGidT4FRa4rJxoYx39NX2vCjRw+CmCQJW/Uf6xc0NNp5WRWJ0hnyIMRVVfehvfjdXPo4bO4cXIwmo06C1Wx+DMyvjI9NvuHtt52p3QTsh+PYZe5t4hFuGh7veWQw3LuLtDLVlVS633FQMgT/BXDaBc65yfN9CuV6lHqZ6KPKoGAi3ADlcQFqhFttO+GsVkxd6uGtelnbYXsDMwylCIKop0C/obu6wG85d/8Q2/Zts5CvUcCiCNfZtl8otgNMrpfnuhC0xAsmgwDxqK2kshxUujclyFfO7ixl+E9Plc7kUJvodNbzOcAmY3YpuHVoJQkHx/Ou81/q+JOVtFxz ppetit@baobab 
     obourdon:
       key: ssh-rsa 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 obourdon@mirantis.com
     dkalashnik:
diff --git a/postgresql/client/security_monkey.yml b/postgresql/client/security_monkey.yml
index 43e48d2..a7a341f 100644
--- a/postgresql/client/security_monkey.yml
+++ b/postgresql/client/security_monkey.yml
@@ -5,6 +5,8 @@
     secmonkey_db_host: ${_param:haproxy_postgresql_bind_host}
     secmonkey_db_user: secmonkey
     secmonkey_db_user_password: secmonkey
+    secmonkey_login_id: 11
+    secmonkey_application_id: 1
   postgresql:
     client:
       server:
@@ -24,5 +26,5 @@
                 maintenance_db: pushkin
                 force: true
                 queries:
-                - INSERT INTO login VALUES (11, 1) ON CONFLICT (id) DO UPDATE SET id = excluded.id;
-                - INSERT INTO device VALUES (1, 11, 42, 'security_audit_service', NULL, 1, NULL) ON CONFLICT (id) DO UPDATE SET id = excluded.id;
+                - INSERT INTO login VALUES (${_param:secmonkey_login_id}, ${_param:secmonkey_application_id}) ON CONFLICT (id) DO UPDATE SET id = excluded.id;
+                - INSERT INTO device VALUES (${_param:secmonkey_application_id}, ${_param:secmonkey_login_id}, 42, 'security_audit_service', NULL, 1, NULL) ON CONFLICT (id) DO UPDATE SET id = excluded.id;
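Review bot: Both `INSERT` statements use positional `VALUES` with no column list, and `${_param:secmonkey_application_id}` is now the first value of `device`, which `ON CONFLICT (id)` suggests is the device row's own id, while the literal `1` later in the row stays hard-coded. Overriding `secmonkey_application_id` would therefore change the device primary key and possibly leave the real application reference at 1; naming the columns in both statements would make the mapping checkable. The parameters are spliced into the SQL text by interpolation, so they must stay plain integers. A comment next to their definitions in the first hunk, e.g. `# integer ids, interpolated verbatim into the SQL queries below`, would document that. The schema is not visible here, so the column roles are inferred.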
diff --git a/reclass/storage/system/openstack_compute_multi.yml b/reclass/storage/system/openstack_compute_multi.yml
index 86092db..b319fa6 100644
--- a/reclass/storage/system/openstack_compute_multi.yml
+++ b/reclass/storage/system/openstack_compute_multi.yml
@@ -2,6 +2,8 @@
   _param:
     openstack_compute_node01_hostname: cmp01
     openstack_compute_node02_hostname: cmp02
+    openstack_compute_node01_address: 172.16.10.105
+    openstack_compute_node02_address: 172.16.10.106
   reclass:
     storage:
       node:
@@ -13,7 +15,7 @@
           params:
             salt_master_host: ${_param:reclass_config_master}
             linux_system_codename: ${_param:linux_system_codename}
-            single_address: 172.16.10.105
+            single_address: ${_param:openstack_compute_node01_address}
         openstack_compute_node02:
           name: ${_param:openstack_compute_node02_hostname}
           domain: ${_param:cluster_domain}
@@ -22,4 +24,4 @@
           params:
             salt_master_host: ${_param:reclass_config_master}
             linux_system_codename: ${_param:linux_system_codename}
-            single_address: 172.16.10.106
+            single_address: ${_param:openstack_compute_node02_address}
diff --git a/reclass/storage/system/openstack_compute_single.yml b/reclass/storage/system/openstack_compute_single.yml
index 215c0e6..1b16352 100644
--- a/reclass/storage/system/openstack_compute_single.yml
+++ b/reclass/storage/system/openstack_compute_single.yml
@@ -1,6 +1,7 @@
 parameters:
   _param:
     openstack_compute_node01_hostname: cmp01
+    openstack_compute_node01_address: 172.16.10.105
   reclass:
     storage:
       node:
@@ -12,4 +13,4 @@
           params:
             salt_master_host: ${_param:reclass_config_master}
             linux_system_codename: ${_param:linux_system_codename}
-            single_address: 172.16.10.105
+            single_address: ${_param:openstack_compute_node01_address}