Merge "Lists of jenkins script approvals extended"
diff --git a/.releasenotes/notes/rename-options-5db6ad4bb2ff80f5.yaml b/.releasenotes/notes/rename-options-5db6ad4bb2ff80f5.yaml
new file mode 100644
index 0000000..c318d41
--- /dev/null
+++ b/.releasenotes/notes/rename-options-5db6ad4bb2ff80f5.yaml
@@ -0,0 +1,37 @@
+---
+summary: >
+  change OS-cloud credentials defining process
+
+upgrades:
+   * 'cacert_path' and 'cafile' variables for Security Audit and Cleanup services were changed to:
+
+     .. code-block:: yaml
+        security_monkey_openstack:
+          source_credentials: source/path/for/os/credentials/on/env
+          service_credentials: path/to/os/credentials/in/service/container
+
+        janitor_monkey_openstack:
+          source_credentials: source/path/for/os/credentials/on/env
+          service_credentials: path/to/os/credentials/in/service/container
+
+     Now you do not need to specify cert-file properly, need to define directory only.
+     Cert-file named 'cert.pem' by default for all services.
+     'source_credentials' equal to 'oss_openstack_credentials_path'.
+
+   * 'oss_openstack_cert_path' was changed to:
+
+     .. code-block:: yaml
+
+        oss_openstack_credentials_path: source/path/for/os/credentials/on/env
+
+   .. code-block:: text
+
+      Changes affect cluster and system levels.
+
+fixes:
+  - https://mirantis.jira.com/browse/PROD-14863
+  - https://mirantis.jira.com/browse/PROD-14870
+
+other:
+  * full change-list:
+    https://gerrit.mcp.mirantis.net/#/q/topic:os-creds+(status:open+OR+status:merged)
diff --git a/docker/swarm/service/artifactory.yml b/docker/swarm/service/artifactory.yml
index d7f8626..36d9577 100644
--- a/docker/swarm/service/artifactory.yml
+++ b/docker/swarm/service/artifactory.yml
@@ -30,3 +30,7 @@
               type: bind
               source: /srv/volumes/artifactory/logs
               destination: /var/opt/jfrog/artifactory/logs
+            keys:
+              type: bind
+              source: /srv/volumes/artifactory/keys
+              destination: /var/opt/jfrog/artifactory/access/etc/keys
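Review bot: The new `keys` bind mount exposes the Artifactory Access key directory on the host at `/srv/volumes/artifactory/keys`, and nothing visible in this hunk restricts who can read that host path. The directory presumably holds private key material, so it needs tighter handling than the `logs` mount above it. I would add a comment such as `# Access service key material: host dir must be owned by the artifactory service user, mode 0700`, and confirm that whatever state creates `/srv/volumes/artifactory` applies it. The same applies to the volume line added in docker/swarm/stack/artifactory.yml. The enclosing mapping starts outside the hunk.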
diff --git a/docker/swarm/stack/artifactory.yml b/docker/swarm/stack/artifactory.yml
index 411b22e..caab0ee 100644
--- a/docker/swarm/stack/artifactory.yml
+++ b/docker/swarm/stack/artifactory.yml
@@ -21,3 +21,4 @@
                 - /srv/volumes/artifactory/backup:/var/opt/jfrog/artifactory/backup
                 - /srv/volumes/artifactory/etc:/var/opt/jfrog/artifactory/etc
                 - /srv/volumes/artifactory/logs:/var/opt/jfrog/artifactory/logs
+                - /srv/volumes/artifactory/keys:/var/opt/jfrog/artifactory/access/etc/keys
diff --git a/docker/swarm/stack/janitor_monkey.yml b/docker/swarm/stack/janitor_monkey.yml
index ffea607..2e5698a 100644
--- a/docker/swarm/stack/janitor_monkey.yml
+++ b/docker/swarm/stack/janitor_monkey.yml
@@ -33,8 +33,8 @@
       username: admin
       password: password
       ssl_verify: False
-      cacert_path: /srv/volumes/rundeck/storage/content/cis/openstack/cert.pem
-      cafile: /opt/certs/cert.pem
+      source_credentials: /srv/volumes/rundeck/storage/content/cis/openstack
+      service_credentials: /opt/os_creds
   docker:
     client:
       stack:
@@ -61,7 +61,7 @@
             simianarmy.client.cloudfire.domain: ${_param:janitor_monkey_openstack:project_domain_name}
             simianarmy.client.cloudfire.project: ${_param:janitor_monkey_openstack:project_name}
             simianarmy.client.cloudfire.SSLVerify: ${_param:janitor_monkey_openstack:ssl_verify}
-            simianarmy.client.cloudfire.cafile: ${_param:janitor_monkey_openstack:cafile}
+            simianarmy.client.cloudfire.cafile: ${_param:janitor_monkey_openstack:service_credentials}/cert.pem
             simianarmy.janitor.rule.stoppedInstanceRule.instanceAgeThreshold: ${_param:janitor_monkey_instance_age_threshold}
             simianarmy.janitor.notification.oss.url: ${_param:janitor_monkey_notification_oss_url}
             simianarmy.janitor.notification.oss.login_id: ${_param:janitor_monkey_notification_oss_login_id}
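Review bot: `simianarmy.client.cloudfire.cafile` now resolves to `${_param:janitor_monkey_openstack:service_credentials}/cert.pem`, but the `SSLVerify` property two lines above it is fed from `ssl_verify`, whose default in this file is `False`. In a default deployment the mounted CA file is therefore presumably never used for verification. I would document that next to the parameter, e.g. `# cert.pem only takes effect when ssl_verify is True; enable it wherever a CA file is supplied`. The file name `cert.pem` is also fixed here and can no longer be overridden, which should be stated beside `service_credentials`. docker/swarm/stack/security_monkey.yml has the same pairing in `OS_SSL_VERIFY` and `CACERT_PATH`.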
@@ -86,7 +86,7 @@
               ports:
                 - ${_param:haproxy_janitor_monkey_exposed_port}:${_param:janitor_monkey_bind_port}
               volumes:
-                - ${_param:janitor_monkey_openstack:cacert_path}:${_param:janitor_monkey_openstack:cafile}:ro
+                - ${_param:janitor_monkey_openstack:source_credentials}:${_param:janitor_monkey_openstack:service_credentials}:ro
           network:
             default:
               external:
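Review bot: The volume entry now bind-mounts the whole `source_credentials` directory instead of the single `cert.pem` file, so every file under `/srv/volumes/rundeck/storage/content/cis/openstack` becomes readable inside the container. The mount stays `:ro`, but if that Rundeck storage directory holds anything besides the CA certificate (its name suggests OpenStack credentials), the service gains read access it did not have before. If only the certificate is needed, keep the mount file-scoped: `- ${_param:janitor_monkey_openstack:source_credentials}/cert.pem:${_param:janitor_monkey_openstack:service_credentials}/cert.pem:ro`. Otherwise, document what the directory is expected to contain. The two volume hunks in docker/swarm/stack/security_monkey.yml carry the same change.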
diff --git a/docker/swarm/stack/security_monkey.yml b/docker/swarm/stack/security_monkey.yml
index 67233c2..b5a1100 100644
--- a/docker/swarm/stack/security_monkey.yml
+++ b/docker/swarm/stack/security_monkey.yml
@@ -28,8 +28,8 @@
       project_domain_name: Default
       project_name: admin
       user_domain_name: Default
-      cacert_path: /srv/volumes/rundeck/storage/content/cis/openstack/cert.pem
-      cafile: /opt/certs/cert.pem
+      source_credentials: /srv/volumes/rundeck/storage/content/cis/openstack
+      service_credentials: /opt/os_creds
       endpoint_type: public
       ssl_verify: False
   docker:
@@ -58,7 +58,7 @@
             OS_PROJECT_NAME: ${_param:security_monkey_openstack:project_name}
             OS_SSL_VERIFY: ${_param:security_monkey_openstack:ssl_verify}
             OS_ENDPOINT_TYPE: ${_param:security_monkey_openstack:endpoint_type}
-            CACERT_PATH: ${_param:security_monkey_openstack:cafile}
+            CACERT_PATH: ${_param:security_monkey_openstack:service_credentials}/cert.pem
             USER_DOMAIN_NAME: ${_param:security_monkey_openstack:user_domain_name}
             SM_WTF_CSRF_ENABLED: ${_param:devops_portal_sm_wtf_csrf_enabled}
             SECURITY_MONKEY_SYNC_INTERVAL: ${_param:security_monkey_sync_interval}
@@ -75,7 +75,7 @@
                 - ${_param:haproxy_security_monkey_exposed_port}:${_param:haproxy_security_monkey_bind_port}
               volumes:
                 - /srv/volumes/security_monkey/logs:/var/log/security_monkey/logs
-                - ${_param:security_monkey_openstack:cacert_path}:${_param:security_monkey_openstack:cafile}:ro
+                - ${_param:security_monkey_openstack:source_credentials}:${_param:security_monkey_openstack:service_credentials}:ro
             security-audit-scheduler:
               image: ${_param:docker_image_security_monkey_scheduler}
               deploy:
@@ -84,7 +84,7 @@
                   condition: any
               volumes:
                 - /srv/volumes/security_monkey/logs:/var/log/security_monkey/logs
-                - ${_param:security_monkey_openstack:cacert_path}:${_param:security_monkey_openstack:cafile}:ro
+                - ${_param:security_monkey_openstack:source_credentials}:${_param:security_monkey_openstack:service_credentials}:ro
           network:
             default:
               external:
diff --git a/openssh/server/team/l1_support.yml b/openssh/server/team/l1_support.yml
index 9d2a4c9..1db07d6 100644
--- a/openssh/server/team/l1_support.yml
+++ b/openssh/server/team/l1_support.yml
@@ -13,6 +13,7 @@
 - system.openssh.server.team.members.deniskostriukov
 - system.openssh.server.team.members.dmitrygoloshubov
 - system.openssh.server.team.members.javierdiaz
+- system.openssh.server.team.members.jorgesorondo
 - system.openssh.server.team.members.josuepalmerin
 - system.openssh.server.team.members.krzysztoffranckowski
 - system.openssh.server.team.members.matthewroark
diff --git a/openssh/server/team/members/jorgesorondo.yml b/openssh/server/team/members/jorgesorondo.yml
new file mode 100644
index 0000000..9f6a1c5
--- /dev/null
+++ b/openssh/server/team/members/jorgesorondo.yml
@@ -0,0 +1,22 @@
+parameters:
+  linux:
+    system:
+      user:
+        jsorondo:
+          enabled: true
+          name: jsorondo
+          sudo: ${_param:linux_system_user_sudo}
+          full_name: Jorge Sorondo
+          home: /home/jsorondo
+          email: jsorondo@mirantis.com
+  openssh:
+    server:
+      enabled: true
+      user:
+        jsorondo:
+          enabled: true
+          public_keys: ${public_keys:jsorondo}
+          user: ${linux:system:user:jsorondo}
+  public_keys:
+    jsorondo:
+      - key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQifWsY+b8n8imC0NaP1zVpgihzIT+8A5w35W8dF7YyGcgGOYAcmTRV2Wqm8el9iLsW1ANOdjjulZ/jAzicVwh5IEq9MYjNl4+YjThDN9J1yvw9BjkXPs0Ymrqt4Xq9wZdE5c3P6DaoicxOCEpaL3t1ZxigAcMpQxa5qSyxeY0mvr5eb9O6I0eznEsSjikHOJPaWTdAG5Wx6acwhqB6G7gAF0fpE3Hn+enmtAiqJQVnaBKeX06isMPxyabaNgDCdw1jIJ+uHa3RFRXlucResGiJiDggP+GabKenrSkig8xUWk6UBoO3h28fzEF/J3LSJbL2dHTcWLIrdPZJFVj/0l/
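Review bot: The key added under `public_keys.jsorondo` has no comment field and looks like a 2048-bit RSA key, which makes it harder to attribute and rotate once it is deployed to hosts. I would ask for a trailing identifier on the key line (for example the owner's e-mail address) and, if the fleet's OpenSSH versions allow it, an Ed25519 key instead. Separately, `sudo: ${_param:linux_system_user_sudo}` means the privilege level of this account is decided outside this file, and the member is included in both l1_support.yml and support.yml. It is worth confirming that this is the intended scope of access.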
diff --git a/openssh/server/team/support.yml b/openssh/server/team/support.yml
index 1005a83..f78ceac 100644
--- a/openssh/server/team/support.yml
+++ b/openssh/server/team/support.yml
@@ -10,6 +10,7 @@
 - system.openssh.server.team.members.deniskostriukov
 - system.openssh.server.team.members.dmitrygoloshubov
 - system.openssh.server.team.members.javierdiaz
+- system.openssh.server.team.members.jorgesorondo
 - system.openssh.server.team.members.josuepalmerin
 - system.openssh.server.team.members.krzysztoffranckowski
 - system.openssh.server.team.members.matthewroark