Merge changes from topic 'rundeck-cis-fixes'
* changes:
Docker overlay network for Rundeck executions
Import OpenStack CIS Collectors Jobs
Accept RD_OPTION_* env variables from Rundeck
diff --git a/apache/server/site/ironic.yml b/apache/server/site/ironic.yml
new file mode 100644
index 0000000..74173a0
--- /dev/null
+++ b/apache/server/site/ironic.yml
@@ -0,0 +1,11 @@
+parameters:
+ apache:
+ server:
+ site:
+ ironic:
+ name: 'ironic'
+ enabled: true
+ type: 'static'
+ root: '/var/www/httproot'
+ host:
+ name: ${linux:system:name}.${linux:system:domain}
diff --git a/docker/swarm/stack/security_monkey.yml b/docker/swarm/stack/security_monkey.yml
index b3b4074..143b321 100644
--- a/docker/swarm/stack/security_monkey.yml
+++ b/docker/swarm/stack/security_monkey.yml
@@ -5,10 +5,11 @@
docker_image_security_monkey_api: docker-sandbox.sandbox.mirantis.net/vstoiko/oss/security-monkey-api:4435
docker_image_security_monkey_scheduler: docker-sandbox.sandbox.mirantis.net/vstoiko/oss/security-monkey-scheduler:4435
security_monkey_db: secmonkey
- notification_service_url: ${_param:haproxy_pushkin_bind_host}:${_param:haproxy_pushkin_bind_port}/post_notification_json
+ notification_service_url: http://${_param:haproxy_pushkin_bind_host}:${_param:haproxy_pushkin_bind_port}/post_notification_json
security_monkey_user: devopsportal@devopsportal.local
security_monkey_password: devopsportal
security_monkey_role: Justify
+ devops_portal_sm_wtf_csrf_enabled: False
security_monkey_openstack:
os_account_id: mcp_cloud
os_account_name: mcp_cloud
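Review bot: `devops_portal_sm_wtf_csrf_enabled: False` switches CSRF protection off by default for every model that includes this class, and the second hunk passes the value unchanged into `SM_WTF_CSRF_ENABLED`. A shared system class would be safer with `devops_portal_sm_wtf_csrf_enabled: true`, overridden only in the cluster model that needs it, plus a comment naming the integration that requires it. Writing the value in lowercase also avoids depending on how the interpolated boolean is stringified into the container environment. In the same hunk the notification URL is now pinned to `http://`, so notification payloads travel unencrypted; a scheme parameter would let TLS-enabled deployments opt in.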
@@ -39,6 +40,7 @@
OS_PROJECT_DOMAIN_NAME: ${_param:security_monkey_openstack:project_domain_name}
OS_PROJECT_NAME: ${_param:security_monkey_openstack:project_name}
USER_DOMAIN_NAME: ${_param:security_monkey_openstack:user_domain_name}
+ SM_WTF_CSRF_ENABLED: ${_param:devops_portal_sm_wtf_csrf_enabled}
service:
api:
image: ${_param:docker_image_security_monkey_api}
diff --git a/galera/server/database/ironic.yml b/galera/server/database/ironic.yml
new file mode 100644
index 0000000..8cb14a3
--- /dev/null
+++ b/galera/server/database/ironic.yml
@@ -0,0 +1,15 @@
+parameters:
+ mysql:
+ server:
+ database:
+ ironic:
+ encoding: utf8
+ users:
+ - name: ironic
+ password: ${_param:mysql_ironic_password}
+ host: '%'
+ rights: all
+ - name: ironic
+ password: ${_param:mysql_ironic_password}
+ host: ${_param:cluster_local_address}
+ rights: all
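Review bot: The first user entry grants `rights: all` to `ironic` from `host: '%'`, so the account is accepted from any address that can reach the database port; the second entry already covers `${_param:cluster_local_address}`. If remote control-plane nodes must connect, scope the grant to that network through a parameter instead of the wildcard, for example `host: ${_param:mysql_ironic_allowed_host}` (a proposed new parameter, not one that exists on this page). The same pair of entries is repeated in `mysql/client/database/ironic.yml` later in this commit. Sibling database classes may follow the same wildcard pattern; they are not visible here.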
diff --git a/haproxy/proxy/listen/openstack/ironic.yml b/haproxy/proxy/listen/openstack/ironic.yml
new file mode 100644
index 0000000..221a9cc
--- /dev/null
+++ b/haproxy/proxy/listen/openstack/ironic.yml
@@ -0,0 +1,25 @@
+parameters:
+ haproxy:
+ proxy:
+ listen:
+ ironic:
+ type: general-service
+ service_name: ironic
+ check: false
+ binds:
+ - address: ${_param:cluster_vip_address}
+ port: 6385
+ servers:
+ - name: ctl01
+ host: ${_param:cluster_node01_address}
+ port: 6385
+ params: check
+ - name: ctl02
+ host: ${_param:cluster_node02_address}
+ port: 6385
+ params: check
+ - name: ctl03
+ host: ${_param:cluster_node03_address}
+ port: 6385
+ params: check
+
diff --git a/horizon/server/plugin/lbaasv2.yml b/horizon/server/plugin/lbaasv2.yml
new file mode 100644
index 0000000..69e2682
--- /dev/null
+++ b/horizon/server/plugin/lbaasv2.yml
@@ -0,0 +1,9 @@
+parameters:
+ horizon:
+ server:
+ plugin:
+ lbaasv2:
+ source:
+ engine: pkg
+ name: python-horizon-neutron-lbaasv2-panel
+
diff --git a/ironic/api/cluster.yml b/ironic/api/cluster.yml
new file mode 100644
index 0000000..c476c40
--- /dev/null
+++ b/ironic/api/cluster.yml
@@ -0,0 +1,9 @@
+classes:
+- service.ironic.api.cluster
+parameters:
+ ironic:
+ api:
+ enabled: true
+ version: ${_param:ironic_version}
+ bind:
+ address: ${_param:cluster_local_address}
diff --git a/ironic/api/single.yml b/ironic/api/single.yml
new file mode 100644
index 0000000..0800579
--- /dev/null
+++ b/ironic/api/single.yml
@@ -0,0 +1,7 @@
+classes:
+- service.ironic.api.single
+parameters:
+ ironic:
+ api:
+ bind:
+ address: ${_param:single_address}
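Review bot: This class sets only `bind.address`, while `ironic/api/cluster.yml` in the same commit also sets `enabled: true` and `version: ${_param:ironic_version}`. `ironic/conductor/cluster.yml` has the mirror-image gap: it omits both keys, which `ironic/conductor/single.yml` sets. Unless the `service.ironic.*` classes supply them (not visible here), a single-node API or a clustered conductor would render without an explicit enable flag or version pin. Adding `enabled: true` and `version: ${_param:ironic_version}` to both would make the four classes consistent.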
diff --git a/ironic/conductor/cluster.yml b/ironic/conductor/cluster.yml
new file mode 100644
index 0000000..ad4666f
--- /dev/null
+++ b/ironic/conductor/cluster.yml
@@ -0,0 +1,6 @@
+classes:
+- service.ironic.conductor.cluster
+parameters:
+ ironic:
+ conductor:
+ api_url: 'http://${_param:cluster_vip_address}'
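Review bot: `api_url` carries no port, but the HAProxy listener added in this commit exposes the Ironic API on 6385 at the same VIP. Unless the formula appends the port itself, deploy agents would call back to port 80; `api_url: 'http://${_param:cluster_vip_address}:6385'` states it explicitly. The URL is also fixed to plain HTTP, so agent callbacks to the conductor are unencrypted on the provisioning network. Making the scheme a parameter would let TLS-fronted clusters switch without editing the system class.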
diff --git a/ironic/conductor/single.yml b/ironic/conductor/single.yml
new file mode 100644
index 0000000..69e6c20
--- /dev/null
+++ b/ironic/conductor/single.yml
@@ -0,0 +1,7 @@
+classes:
+- service.ironic.conductor.single
+parameters:
+ ironic:
+ conductor:
+ enabled: true
+ version: ${_param:ironic_version}
diff --git a/ironic/tftpd_hpa.yml b/ironic/tftpd_hpa.yml
new file mode 100644
index 0000000..fc1dd74
--- /dev/null
+++ b/ironic/tftpd_hpa.yml
@@ -0,0 +1,14 @@
+classes:
+ - service.tftpd_hpa.server.single
+parameters:
+ tftpd_hpa:
+ server:
+ enabled: true
+ bind:
+ address: '0.0.0.0'
+ port: 69
+ username: 'ironic'
+ path: /var/lib/tftpboot
+ options:
+ - secure
+ - map-file: '/var/lib/tftpboot/map-file'
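Review bot: `address: '0.0.0.0'` makes tftpd listen on every interface of the node, and TFTP has neither authentication nor encryption. Binding to the provisioning-network address, e.g. `address: ${_param:single_address}` or a dedicated parameter, keeps boot files off management and public networks. The `secure` option confines requests to `/var/lib/tftpboot`, but the map file lives inside that directory, so it is presumably fetchable by clients. Placing it outside the served root would avoid exposing the rewrite rules.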
diff --git a/jenkins/client/job/debian/packages/salt-multi.yml b/jenkins/client/job/debian/packages/salt-multi.yml
index 85b95c7..a57a8ab 100644
--- a/jenkins/client/job/debian/packages/salt-multi.yml
+++ b/jenkins/client/job/debian/packages/salt-multi.yml
@@ -25,8 +25,6 @@
dist: trusty
- name: swift
dist: trusty
- - name: ironic
- dist: trusty
- name: ceilometer
dist: xenial
- name: cinder
@@ -47,8 +45,6 @@
dist: xenial
- name: swift
dist: xenial
- - name: ironic
- dist: xenial
template:
discard:
build:
diff --git a/jenkins/client/job/debian/packages/salt.yml b/jenkins/client/job/debian/packages/salt.yml
index 1fbee1e..0e5ab64 100644
--- a/jenkins/client/job/debian/packages/salt.yml
+++ b/jenkins/client/job/debian/packages/salt.yml
@@ -79,6 +79,8 @@
dist: trusty
- name: iptables
dist: trusty
+ - name: ironic
+ dist: trusty
- name: isc-dhcp
dist: trusty
- name: java
@@ -269,6 +271,8 @@
dist: xenial
- name: iptables
dist: xenial
+ - name: ironic
+ dist: xenial
- name: isc-dhcp
dist: xenial
- name: java
diff --git a/jenkins/client/job/deploy/update/init.yml b/jenkins/client/job/deploy/update/init.yml
index a65d440..ba3383a 100644
--- a/jenkins/client/job/deploy/update/init.yml
+++ b/jenkins/client/job/deploy/update/init.yml
@@ -3,3 +3,5 @@
- system.jenkins.client.job.deploy.update.config
- system.jenkins.client.job.deploy.update.saltenv
- system.jenkins.client.job.deploy.update.upgrade
+ - system.jenkins.client.job.deploy.update.upgrade_compute
+ - system.jenkins.client.job.deploy.update.restore_mysql
\ No newline at end of file
diff --git a/jenkins/client/job/opencontrail/build/generic.yml b/jenkins/client/job/opencontrail/build/generic.yml
index cd8a132..27e3117 100644
--- a/jenkins/client/job/opencontrail/build/generic.yml
+++ b/jenkins/client/job/opencontrail/build/generic.yml
@@ -49,6 +49,18 @@
branch: R3.2
ppa: mirantis-opencontrail/opencontrail-3.2
upload_source_package: true
+ - buildname: oc323
+ os: ubuntu
+ dist: trusty
+ branch: R3.2.3.x
+ ppa: mirantis-opencontrail/opencontrail-3.2.3
+ upload_source_package: true
+ - buildname: oc323
+ os: ubuntu
+ dist: xenial
+ branch: R3.2.3.x
+ ppa: mirantis-opencontrail/opencontrail-3.2.3
+ upload_source_package: true
- buildname: oc40
os: ubuntu
dist: trusty
diff --git a/jenkins/client/job/opencontrail/init.yml b/jenkins/client/job/opencontrail/init.yml
index e76b322..85ca57b 100644
--- a/jenkins/client/job/opencontrail/init.yml
+++ b/jenkins/client/job/opencontrail/init.yml
@@ -3,12 +3,12 @@
- system.jenkins.client.job.opencontrail.git-mirrors
parameters:
_param:
- contrail_branches: "R3.0.2.x,R3.0.3.x,R3.1,R3.1.1.x,R3.2,R4.0,master"
+ contrail_branches: "R3.0.2.x,R3.0.3.x,R3.1,R3.1.1.x,R3.2,R3.2.3.x,R4.0,master"
contrail_kubernetes_branches: "master,release-1.2"
contrail_dpdk_extra_branches: "mitaka,kilo,liberty-multiqueue,newton"
contrail_ceilometer_plugin_branches: "master,R4.0"
contrail_kubernetes_branches: "master,origin-1.1,origin-1.1.3,release-1.1,release-1.2"
- contrail_dpdk_branches: "master,R3.0.2.x,R3.0.3.x,R3.1,R3.1.1.x,R3.2,R4.0,contrail_dpdk_17_02,contrail_dpdk_1_7,contrail_dpdk_2_0,contrail_dpdk_2_1"
+ contrail_dpdk_branches: "master,R3.0.2.x,R3.0.3.x,R3.1,R3.1.1.x,R3.2,R3.2.3.x,R4.0,contrail_dpdk_17_02,contrail_dpdk_1_7,contrail_dpdk_2_0,contrail_dpdk_2_1"
jenkins:
client:
view:
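Review bot: `contrail_kubernetes_branches` appears twice in the context lines of this hunk, once as `"master,release-1.2"` and again with the longer `origin-1.1,...` list, and the commit leaves both in place. Assuming both sit directly under `_param` (indentation is not preserved on this page), most YAML loaders silently keep the last one, so the first value is dead. Since this line block is being edited anyway, drop whichever entry is stale so the effective branch list is unambiguous.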
diff --git a/jenkins/client/job/salt-models/generate.yml b/jenkins/client/job/salt-models/generate.yml
index 8202479..587b3c4 100644
--- a/jenkins/client/job/salt-models/generate.yml
+++ b/jenkins/client/job/salt-models/generate.yml
@@ -46,4 +46,4 @@
type: string
TEST_MODEL:
type: boolean
- default: true
+ default: false
diff --git a/jenkins/client/job/salt-models/git-mirrors.yml b/jenkins/client/job/salt-models/git-mirrors.yml
index 514663b..b8c8f13 100644
--- a/jenkins/client/job/salt-models/git-mirrors.yml
+++ b/jenkins/client/job/salt-models/git-mirrors.yml
@@ -33,7 +33,7 @@
branches: "master"
- name: ril-jamnagar
upstream_name: ril-jamnagar-lab
- branches: "master,jlab,next"
+ branches: "master,jlab,next,year4_pilot"
- name: vf-cloudstore
upstream_name: vf-cloudstore
branches: "master"
diff --git a/keystone/client/core.yml b/keystone/client/core.yml
new file mode 100644
index 0000000..0614f40
--- /dev/null
+++ b/keystone/client/core.yml
@@ -0,0 +1,32 @@
+parameters:
+ linux:
+ system:
+ job:
+ keystone_job_rotate:
+ command: '/usr/bin/keystone-manage fernet_rotate --keystone-user keystone --keystone-group keystone >> /var/log/key_rotation_log 2>> /var/log/key_rotation_log'
+ enabled: true
+ user: root
+ minute: 0
+ keystone:
+ client:
+ enabled: true
+ server:
+ identity:
+ admin:
+ host: ${_param:keystone_service_host}
+ port: 35357
+ token: ${_param:keystone_service_token}
+ roles:
+ - admin
+ - Member
+ project:
+ service:
+ description: "OpenStack Service tenant"
+ admin:
+ description: "OpenStack Admin tenant"
+ user:
+ admin:
+ is_admin: true
+ password: ${_param:keystone_admin_password}
+ email: ${_param:admin_email}
+
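Review bot: `keystone_job_rotate` sets only `minute: 0`, so if the linux formula defaults the other cron fields to `*`, Fernet keys rotate every hour. With a small `max_active_keys`, hourly rotation can retire a key before the tokens it signed have expired, which shows up as valid tokens failing validation. An explicit schedule such as `hour: 0` would help, along with a comment tying the interval to token lifetime and key count. If this class lands on more than one Keystone node, each would rotate its own key repository independently, which presumably needs a distribution step not shown here. The redirect can also be written as `>> /var/log/key_rotation_log 2>&1`.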
diff --git a/keystone/client/service/ironic.yml b/keystone/client/service/ironic.yml
new file mode 100644
index 0000000..7635e2c
--- /dev/null
+++ b/keystone/client/service/ironic.yml
@@ -0,0 +1,30 @@
+parameters:
+ _param:
+ cluster_public_protocol: https
+ keystone:
+ client:
+ server:
+ identity:
+ project:
+ service:
+ user:
+ ironic:
+ is_admin: true
+ password: ${_param:keystone_ironic_password}
+ email: ${_param:admin_email}
+ service:
+ ironic:
+ type: baremetal
+ description: OpenStack Baremetal Service
+ endpoints:
+ - region: ${_param:openstack_region}
+ public_address: ${_param:cluster_public_host}
+ public_protocol: ${_param:cluster_public_protocol}
+ public_port: 6385
+ public_path: ''
+ internal_address: ${_param:ironic_service_host}
+ internal_port: 6385
+ internal_path: ''
+ admin_address: ${_param:ironic_service_host}
+ admin_port: 6385
+ admin_path: ''
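Review bot: Setting `_param: cluster_public_protocol: https` inside a service-registration class changes a cluster-wide parameter for every other class that interpolates it, merely because this file was included. The value belongs in the cluster model; here it would be clearer to drop the `_param` block and leave `public_protocol: ${_param:cluster_public_protocol}` to resolve from the cluster's setting. The public endpoint is advertised on 6385 over HTTPS, while the HAProxy listener added in this commit for 6385 shows no TLS settings, so it is worth confirming which proxy terminates TLS for the public host. The internal and admin endpoints declare no protocol and presumably fall back to the formula default.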
diff --git a/keystone/client/service/keystone3.yml b/keystone/client/service/keystone3.yml
index 9dd9eef..cc385f2 100644
--- a/keystone/client/service/keystone3.yml
+++ b/keystone/client/service/keystone3.yml
@@ -6,7 +6,7 @@
server:
identity:
service:
- keystone3:
+ keystone:
type: identity
description: OpenStack Identity Service v3
endpoints:
diff --git a/maas/region/single.yml b/maas/region/single.yml
index 569d475..d3227ca 100644
--- a/maas/region/single.yml
+++ b/maas/region/single.yml
@@ -2,15 +2,42 @@
- service.maas.region.single
- service.maas.region.vendor_repo
parameters:
+ _param:
+ maas_admin_username: mirantis
maas:
+ cluster:
+ enabled: true
+ role: master
+ region:
+ host: ${_param:single_address}
+ port: 5242
region:
+ salt_master_ip: ${_param:infra_config_deploy_address}
theme: mirantis
enable_iframe: True
bind:
- host: ${_param:cluster_vip_address}
+ host: ${_param:single_address}
+ admin:
+ username: ${_param:maas_admin_username}
+ password: ${_param:maas_admin_password}
+ email: email@example.com
database:
engine: postgresql
- host: 10.0.175.10
+ host: localhost
name: maasdb
- password: password
- username: maas
\ No newline at end of file
+ password: ${_param:maas_db_password}
+ username: maas
+ maas_config:
+ commissioning_distro_series: xenial
+ default_distro_series: xenial
+ default_osystem: 'ubuntu'
+ default_storage_layout: lvm
+ disk_erase_with_secure_erase: true
+ dnssec_validation: 'no'
+ enable_third_party_drivers: true
+ maas_name: mas01
+ active_discovery_interval: '600'
+ ntp_external_only: true
+ upstream_dns: ${_param:dns_server01}
+ enable_http_proxy: false
+ default_min_hwe_kernel: ''
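Review bot: `dnssec_validation: 'no'` disables DNSSEC validation in the MAAS resolver for every deployment using this class. `dnssec_validation: 'auto'` would be a safer default, with `'no'` left as a per-cluster override where the upstream resolver cannot validate. The admin block also hard-codes `email: email@example.com` and `maas_admin_username: mirantis`. Reusing `${_param:admin_email}`, which other classes in this commit already reference, avoids shipping a placeholder address. Moving the database and admin passwords to parameters is a clear improvement over the removed literal.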
diff --git a/mysql/client/database/ironic.yml b/mysql/client/database/ironic.yml
new file mode 100644
index 0000000..e142e64
--- /dev/null
+++ b/mysql/client/database/ironic.yml
@@ -0,0 +1,18 @@
+parameters:
+ mysql:
+ client:
+ server:
+ database:
+ database:
+ ironic:
+ encoding: utf8
+ users:
+ - name: ironic
+ password: ${_param:mysql_ironic_password}
+ host: '%'
+ rights: all
+ - name: ironic
+ password: ${_param:mysql_ironic_password}
+ host: ${_param:cluster_local_address}
+ rights: all
+
diff --git a/neutron/client/service/ironic.yml b/neutron/client/service/ironic.yml
new file mode 100644
index 0000000..c400f96
--- /dev/null
+++ b/neutron/client/service/ironic.yml
@@ -0,0 +1,19 @@
+parameters:
+ neutron:
+ client:
+ enabled: true
+ server:
+ admin_identity:
+ endpoint_type: internalURL
+ network:
+ baremetal-flat-network:
+ tenant: admin
+ shared: True
+ admin_state_up: True
+ provider_network_type: flat
+ provider_physical_network: physnet1
+ port_security_enabled: false
+ subnet:
+ baremetal-subnet:
+ cidr: 192.168.90.0/24
+ enable_dhcp: true
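Review bot: `baremetal-flat-network` is created with `shared: True` and `port_security_enabled: false`, so any project can attach ports to the provisioning network and those ports get no security-group or anti-spoofing filtering. If Ironic only needs the network from the admin or service project, `shared: false` would be the safer default, with sharing and the port-security exemption enabled per cluster and explained in a comment. `cidr: 192.168.90.0/24` and `physnet1` are fixed values in a system-level class and would be easier to reuse as `_param` references. The file also mixes `True` and `true`; lowercase throughout avoids YAML 1.1 truthy ambiguity.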
diff --git a/openssh/server/team/stacklight.yml b/openssh/server/team/stacklight.yml
index 6d55bee..8e28534 100644
--- a/openssh/server/team/stacklight.yml
+++ b/openssh/server/team/stacklight.yml
@@ -186,7 +186,7 @@
ityaptin:
key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDLTkl8X9HIJxruAHkmGNQTovy7DCr256pH68xh2DHWinPKUW4ccsCBbqJeF56aEA41OKJlEVOYzD3gQJkDAAbDdy9BlI14oEtzmk3yAtgBwwUzUNMq7oCPrbt4xNg5U26JSb26j69r5vQ4vXA2hf0bCQ68vb3VDqMMaMbneI3rP3qSaq7dauR8sEjx1XAtNen5SygLE46k0pCObJmahGkg39HisoJ/gkjoi/xvQn1JzrYSxWObrBfUbtQN3JbCRozSp/0Env0hMbXj7cS3J/uY68zAWc7GAEFKSmPAol4d/93sRknFUSQKqZjsDaLfiGLte/7oFwLquaz6AJw+mwP ityaptin@ityaptin.local
isvetlov:
- key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDflz5rJEC6+yKOteNG2uzObQCtV/c/Rnu9Aku1AJWLMMlouID7RaCUrP642xH2z11kZE+sZk/4c3515M5SPQFVKhjGceftbnI9I7DI1KF4OJwMCSfmACDHM3bJcld8eiKTRBxtk32i6YPdNi6m9unHvPultTIBJCxRP/KVyxOOnQparsSSBhBj2t3Kis+3dnDZNBUJJDWyo69FD0RvAOaWZdogwes0nCl+3JJSNWsATqyS+bi4ojqJimHFKiW2sz8qMX3cMzu9uTx1OWvJWJRgOV5/tPsuuNVt75zPAOsfJnIqQJtpkdZAb4SYK+0jLFcLvB6GBgXY3aHk9nHu9MHr isvetlov@ubuntu
+ key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9lvegjKq6OP7cgF9YU9mPOk1/mfJbov3YnYnhiW1Ks0hrWZyAo+0TV3O7LgWZ8jqD9abbYaOiWCt4d9ABkLUJfCLNAqOJRapJ+tybPAxJKx4eV8pptJ7UF0EdItasTdd+gqJJ4Krk869rwmqVQ4hethdykjhKyWu3bG+uVtFUF5xUj9zaT9NThA6/Xhz0idAiTO8ArmLng4W8ne45gANaHIWXpIsklo6GLUSZwl4z6j2z4joxNJsB1hrw0msT56F26ctkDo6thNMAzPMyZsLjYJBJIRYhdC1d4Up9114nVcY4pzYw76+zXU9zED2XNRLdyAaxFlwXvumAs3iMLI8Z isvetlov@isvetlov-mac.local
akholkin:
key: ssh-rsa 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 akholkin@mirantis.com
kszukielojc:
diff --git a/reclass/storage/system/infra_maas_single.yml b/reclass/storage/system/infra_maas_single.yml
new file mode 100644
index 0000000..eb5a96b
--- /dev/null
+++ b/reclass/storage/system/infra_maas_single.yml
@@ -0,0 +1,16 @@
+parameters:
+ _param:
+ infra_maas_node01_hostname: mas01
+ reclass:
+ storage:
+ node:
+ infra_maas_node01:
+ name: ${_param:infra_maas_node01_hostname}
+ domain: ${_param:cluster_domain}
+ classes:
+ - cluster.${_param:cluster_name}.infra.maas
+ params:
+ salt_master_host: ${_param:infra_config_deploy_address}
+ linux_system_codename: xenial
+ single_address: ${_param:infra_maas_node01_deploy_address}
+
diff --git a/salt/control/cluster/infra_maas_single.yml b/salt/control/cluster/infra_maas_single.yml
new file mode 100644
index 0000000..d8675e8
--- /dev/null
+++ b/salt/control/cluster/infra_maas_single.yml
@@ -0,0 +1,20 @@
+parameters:
+ salt:
+ control:
+ size:
+ infra.maas:
+ cpu: 4
+ ram: 8192
+ disk_profile: small
+ net_profile: default
+ cluster:
+ internal:
+ domain: ${_param:cluster_domain}
+ engine: virt
+ node:
+ mas01:
+ name: ${_param:infra_maas_node01_hostname}
+ provider: ${_param:infra_kvm_node01_hostname}.${_param:cluster_domain}
+ image: ${_param:salt_control_xenial_image}
+ size: infra.maas
+
diff --git a/salt/master/formula/git/openstack.yml b/salt/master/formula/git/openstack.yml
index 36ddfc2..9173a4a 100644
--- a/salt/master/formula/git/openstack.yml
+++ b/salt/master/formula/git/openstack.yml
@@ -92,6 +92,10 @@
source: git
address: '${_param:salt_master_environment_repository}/salt-formula-nova.git'
revision: ${_param:salt_master_environment_revision}
+ octavia:
+ source: git
+ address: '${_param:salt_master_environment_repository}/salt-formula-octavia.git'
+ revision: ${_param:salt_master_environment_revision}
opencontrail:
source: git
address: '${_param:salt_master_environment_repository}/salt-formula-opencontrail.git'
diff --git a/salt/master/formula/pkg/openstack.yml b/salt/master/formula/pkg/openstack.yml
index b1222d1..827f096 100644
--- a/salt/master/formula/pkg/openstack.yml
+++ b/salt/master/formula/pkg/openstack.yml
@@ -70,6 +70,9 @@
nova:
source: pkg
name: salt-formula-nova
+ octavia:
+ source: pkg
+ name: salt-formula-octavia
opencontrail:
source: pkg
name: salt-formula-opencontrail