Merge "Define default opencontrail parameters"
diff --git a/defaults/haproxy/elasticsearch.yml b/defaults/haproxy/elasticsearch.yml
new file mode 100644
index 0000000..07db053
--- /dev/null
+++ b/defaults/haproxy/elasticsearch.yml
@@ -0,0 +1,6 @@
+parameters:
+ _param:
+ haproxy_elasticsearch_http_bind_port: 9200
+ haproxy_elasticsearch_http_exposed_port: 9200
+ haproxy_elasticsearch_binary_bind_port: 9300
+ haproxy_elasticsearch_binary_exposed_port: 9300
diff --git a/defaults/haproxy/init.yml b/defaults/haproxy/init.yml
new file mode 100644
index 0000000..499e085
--- /dev/null
+++ b/defaults/haproxy/init.yml
@@ -0,0 +1,2 @@
+classes:
+- system.defaults.haproxy.elasticsearch
diff --git a/defaults/init.yml b/defaults/init.yml
index c05e518..b37fbfb 100644
--- a/defaults/init.yml
+++ b/defaults/init.yml
@@ -27,6 +27,7 @@
- system.defaults.stacklight
- system.defaults.xtrabackup
- system.defaults.backup
+- system.defaults.haproxy
# k8s
- system.defaults.etcd
parameters:
diff --git a/defaults/openstack/init.yml b/defaults/openstack/init.yml
index 536fe60..153bca8 100644
--- a/defaults/openstack/init.yml
+++ b/defaults/openstack/init.yml
@@ -38,7 +38,7 @@
openstack_service_user_options:
ignore_change_password_upon_first_use: True
ignore_password_expiry: True
- ignore_lockout_failure_attempts: False
+ ignore_lockout_failure_attempts: True
lock_password: False
# Cinder
cinder_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
diff --git a/defaults/stacklight.yml b/defaults/stacklight.yml
index 1abbb5e..8838246 100644
--- a/defaults/stacklight.yml
+++ b/defaults/stacklight.yml
@@ -1,5 +1,8 @@
parameters:
_param:
+ fluentd_elasticsearch_host: 127.0.0.1
+ fluentd_elasticsearch_port: 9200
+ fluentd_elasticsearch_scheme: http
# ELK stack versions
elasticsearch_version: 5
kibana_version: 5
diff --git a/docker/host.yml b/docker/host.yml
index a88ff2f..894f6ee 100644
--- a/docker/host.yml
+++ b/docker/host.yml
@@ -14,6 +14,7 @@
- ${_param:cluster_vip_address}:5000
- ${_param:cluster_public_host}:5000
options:
+ bridge: none
ipv6: true
fixed-cidr-v6: fc00::/7
storage-driver: overlay2
diff --git a/elasticsearch/client/ssl.yml b/elasticsearch/client/ssl.yml
new file mode 100644
index 0000000..9f0f9c2
--- /dev/null
+++ b/elasticsearch/client/ssl.yml
@@ -0,0 +1,5 @@
+parameters:
+ elasticsearch:
+ client:
+ server:
+ scheme: https
diff --git a/fluentd/label/default_metric/prometheus_ssl.yml b/fluentd/label/default_metric/prometheus_ssl.yml
new file mode 100644
index 0000000..292c481
--- /dev/null
+++ b/fluentd/label/default_metric/prometheus_ssl.yml
@@ -0,0 +1,9 @@
+parameters:
+ fluentd:
+ agent:
+ config:
+ input:
+ prometheus:
+ metric:
+ ssl:
+ enabled: True
diff --git a/fluentd/label/default_output/elasticsearch.yml b/fluentd/label/default_output/elasticsearch.yml
index 398ea8c..daf95dd 100644
--- a/fluentd/label/default_output/elasticsearch.yml
+++ b/fluentd/label/default_output/elasticsearch.yml
@@ -2,9 +2,6 @@
- service.fluentd.agent.output.elasticsearch
- system.fluentd.label.default_output.filter.common
parameters:
- _param:
- fluentd_elasticsearch_host: 127.0.0.1
- elasticsearch_port: 9200
fluentd:
agent:
config:
@@ -13,4 +10,5 @@
match:
elasticsearch_output:
host: ${_param:fluentd_elasticsearch_host}
- port: ${_param:elasticsearch_port}
+ port: ${_param:fluentd_elasticsearch_port}
+ scheme: ${_param:fluentd_elasticsearch_scheme}
diff --git a/fluentd/label/notifications/audit.yml b/fluentd/label/notifications/audit.yml
index 6449e1e..da0c31a 100644
--- a/fluentd/label/notifications/audit.yml
+++ b/fluentd/label/notifications/audit.yml
@@ -45,7 +45,8 @@
audit_output:
tag: audit
type: elasticsearch
- host: ${_param:stacklight_log_address}
- port: ${_param:elasticsearch_port}
+ host: ${_param:fluentd_elasticsearch_host}
+ port: ${_param:fluentd_elasticsearch_port}
+ scheme: ${_param:fluentd_elasticsearch_scheme}
es_index_name: audit
tag_key: Type
diff --git a/fluentd/label/notifications/notifications.yml b/fluentd/label/notifications/notifications.yml
index 5556d6e..7d1e5c6 100644
--- a/fluentd/label/notifications/notifications.yml
+++ b/fluentd/label/notifications/notifications.yml
@@ -1,6 +1,4 @@
parameters:
- _param:
- elasticsearch_port: 9200
fluentd:
agent:
config:
@@ -118,7 +116,8 @@
notifications_output:
tag: notification
type: elasticsearch
- host: ${_param:stacklight_log_address}
- port: ${_param:elasticsearch_port}
+ host: ${_param:fluentd_elasticsearch_host}
+ port: ${_param:fluentd_elasticsearch_port}
+ scheme: ${_param:fluentd_elasticsearch_scheme}
es_index_name: notification
tag_key: Type
diff --git a/haproxy/proxy/listen/stacklight/elasticsearch.yml b/haproxy/proxy/listen/stacklight/elasticsearch.yml
index 582de6a..d684861 100644
--- a/haproxy/proxy/listen/stacklight/elasticsearch.yml
+++ b/haproxy/proxy/listen/stacklight/elasticsearch.yml
@@ -1,10 +1,6 @@
parameters:
_param:
haproxy_elasticsearch_bind_host: ${_param:cluster_vip_address}
- haproxy_elasticsearch_http_bind_port: 9200
- haproxy_elasticsearch_http_exposed_port: 9200
- haproxy_elasticsearch_binary_bind_port: 9300
- haproxy_elasticsearch_binary_exposed_port: 9300
haproxy:
proxy:
listen:
@@ -17,7 +13,7 @@
- dontlog-normal
balance: roundrobin
binds:
- - address: ${_param:haproxy_elasticsearch_bind_host}
+ - address: ${_param:cluster_vip_address}
port: ${_param:haproxy_elasticsearch_http_bind_port}
servers:
- name: ${_param:cluster_node01_hostname}
diff --git a/haproxy/proxy/listen/stacklight/elasticsearch_ssl.yml b/haproxy/proxy/listen/stacklight/elasticsearch_ssl.yml
new file mode 100644
index 0000000..a50280e
--- /dev/null
+++ b/haproxy/proxy/listen/stacklight/elasticsearch_ssl.yml
@@ -0,0 +1,55 @@
+parameters:
+ _param:
+ haproxy_elasticsearch_bind_host: ${_param:cluster_vip_address}
+ haproxy:
+ proxy:
+ listen:
+ elasticsearch:
+ mode: http
+ options:
+ - httplog
+ - http-keep-alive
+ - prefer-last-server
+ - dontlog-normal
+ balance: roundrobin
+ binds:
+ - address: ${_param:cluster_vip_address}
+ port: ${_param:haproxy_elasticsearch_http_bind_port}
+ ssl:
+ enabled: true
+ pem_file: /etc/elasticsearch/elasticsearch.pem
+ servers:
+ - name: ${_param:cluster_node01_hostname}
+ host: ${_param:cluster_node01_address}
+ port: ${_param:haproxy_elasticsearch_http_exposed_port}
+ params: 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3'
+ - name: ${_param:cluster_node02_hostname}
+ host: ${_param:cluster_node02_address}
+ port: ${_param:haproxy_elasticsearch_http_exposed_port}
+ params: 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3'
+ - name: ${_param:cluster_node03_hostname}
+ host: ${_param:cluster_node03_address}
+ port: ${_param:haproxy_elasticsearch_http_exposed_port}
+ params: 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3'
+ elasticsearch_binary:
+ mode: tcp
+ options:
+ - tcpka
+ - tcplog
+ balance: source
+ binds:
+ - address: ${_param:cluster_vip_address}
+ port: ${_param:haproxy_elasticsearch_binary_bind_port}
+ servers:
+ - name: ${_param:cluster_node01_hostname}
+ host: ${_param:cluster_node01_address}
+ port: ${_param:haproxy_elasticsearch_binary_exposed_port}
+ params: 'check'
+ - name: ${_param:cluster_node02_hostname}
+ host: ${_param:cluster_node02_address}
+ port: ${_param:haproxy_elasticsearch_binary_exposed_port}
+ params: 'check'
+ - name: ${_param:cluster_node03_hostname}
+ host: ${_param:cluster_node03_address}
+ port: ${_param:haproxy_elasticsearch_binary_exposed_port}
+ params: 'check'
diff --git a/jenkins/client/job/deploy/update/init.yml b/jenkins/client/job/deploy/update/init.yml
index 8e58753..c3ea450 100644
--- a/jenkins/client/job/deploy/update/init.yml
+++ b/jenkins/client/job/deploy/update/init.yml
@@ -5,7 +5,6 @@
- system.jenkins.client.job.deploy.update.update_mirror_image
- system.jenkins.client.job.deploy.update.update_ceph
- system.jenkins.client.job.deploy.update.upgrade
- - system.jenkins.client.job.deploy.update.upgrade_rabbitmq
- system.jenkins.client.job.deploy.update.upgrade_compute
- system.jenkins.client.job.deploy.update.upgrade_mcp_release
- system.jenkins.client.job.deploy.update.upgrade_ovs_gateway
@@ -22,3 +21,7 @@
- system.jenkins.client.job.deploy.galera_database_backup
- system.jenkins.client.job.deploy.backupninja_backup
- system.jenkins.client.job.deploy.backupninja_restore
+ - system.jenkins.client.job.deploy.update.update_glusterfs
+ - system.jenkins.client.job.deploy.update.update_glusterfs_servers
+ - system.jenkins.client.job.deploy.update.update_glusterfs_clients
+ - system.jenkins.client.job.deploy.update.update_glusterfs_cluster_op_version
diff --git a/jenkins/client/job/deploy/update/update_glusterfs.yml b/jenkins/client/job/deploy/update/update_glusterfs.yml
new file mode 100644
index 0000000..dfdfc9e
--- /dev/null
+++ b/jenkins/client/job/deploy/update/update_glusterfs.yml
@@ -0,0 +1,31 @@
+#
+# Jobs to run given states on given Salt master environment's
+#
+parameters:
+ jenkins:
+ client:
+ job:
+ update-glusterfs:
+ type: workflow-scm
+ description: This is a general job which runs "Update glusterfs servers", "Update glusterfs clients" and "Update glusterfs cluster.op-version" jobs with default parameters. If you need/want better control of update process use those jobs.
+ concurrent: true
+ discard:
+ build:
+ keep_num: 10
+ artifact:
+ keep_num: 10
+ display_name: "Update GlusterFS"
+ scm:
+ type: git
+ url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+ branch: "${_param:jenkins_pipelines_branch}"
+ credentials: "gerrit"
+ script: update-glusterfs.groovy
+ param:
+ DRIVE_TRAIN_PARAMS:
+ type: text
+ description: "Yaml based DriveTrain releated params"
+ default: |
+ ---
+ SALT_MASTER_URL: "${_param:jenkins_salt_api_url}"
+ SALT_MASTER_CREDENTIALS: "salt"
diff --git a/jenkins/client/job/deploy/update/update_glusterfs_clients.yml b/jenkins/client/job/deploy/update/update_glusterfs_clients.yml
new file mode 100644
index 0000000..48a393c
--- /dev/null
+++ b/jenkins/client/job/deploy/update/update_glusterfs_clients.yml
@@ -0,0 +1,37 @@
+#
+# Jobs to run given states on given Salt master environment's
+#
+parameters:
+ jenkins:
+ client:
+ job:
+ update-glusterfs-clients:
+ type: workflow-scm
+ description: Update glusterfs-client package on corresponding hosts
+ concurrent: true
+ discard:
+ build:
+ keep_num: 10
+ artifact:
+ keep_num: 10
+ display_name: "Update glusterfs clients"
+ scm:
+ type: git
+ url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+ branch: "${_param:jenkins_pipelines_branch}"
+ credentials: "gerrit"
+ script: update-glusterfs-clients.groovy
+ param:
+ DRIVE_TRAIN_PARAMS:
+ type: text
+ description: "Yaml based DriveTrain releated params"
+ default: |
+ ---
+ SALT_MASTER_URL: "${_param:jenkins_salt_api_url}"
+ SALT_MASTER_CREDENTIALS: "salt"
+ # Salt compound target to match nodes to be updated [*, G@osfamily:debian].
+ TARGET_SERVERS: "I@glusterfs:client"
+ # Does not validate server availability/status before update
+ IGNORE_SERVER_STATUS: false
+ # Does not validate that all servers have been updated
+ IGNORE_SERVER_VERSION: false
diff --git a/jenkins/client/job/deploy/update/update_glusterfs_cluster_op_version.yml b/jenkins/client/job/deploy/update/update_glusterfs_cluster_op_version.yml
new file mode 100644
index 0000000..e35e4fa
--- /dev/null
+++ b/jenkins/client/job/deploy/update/update_glusterfs_cluster_op_version.yml
@@ -0,0 +1,39 @@
+#
+# Jobs to run given states on given Salt master environment's
+#
+parameters:
+ jenkins:
+ client:
+ job:
+ update-glusterfs-cluster-op-version:
+ type: workflow-scm
+ description: Update cluster.op-version global option
+ concurrent: true
+ discard:
+ build:
+ keep_num: 10
+ artifact:
+ keep_num: 10
+ display_name: "Update glusterfs cluster.op-version"
+ scm:
+ type: git
+ url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+ branch: "${_param:jenkins_pipelines_branch}"
+ credentials: "gerrit"
+ script: update-glusterfs-cluster-op-version.groovy
+ param:
+ DRIVE_TRAIN_PARAMS:
+ type: text
+ description: "Yaml based DriveTrain releated params"
+ default: |
+ ---
+ SALT_MASTER_URL: "${_param:jenkins_salt_api_url}"
+ SALT_MASTER_CREDENTIALS: "salt"
+ # Salt compound target to match nodes to be updated [*, G@osfamily:debian].
+ TARGET_SERVERS: "I@glusterfs:server:role:primary"
+ # GlusterFS cluster.op-verion option to set. Leave it empty to get proper version from cluster.max-op-version if available.
+ CLUSTER_OP_VERSION: ''
+ # Does not validate that all clients have been updated
+ IGNORE_CLIENT_VERSION: false
+ # Does not validate that all servers have been updated
+ IGNORE_SERVER_VERSION: false
diff --git a/jenkins/client/job/deploy/update/update_glusterfs_servers.yml b/jenkins/client/job/deploy/update/update_glusterfs_servers.yml
new file mode 100644
index 0000000..97f4e77
--- /dev/null
+++ b/jenkins/client/job/deploy/update/update_glusterfs_servers.yml
@@ -0,0 +1,37 @@
+#
+# Jobs to run given states on given Salt master environment's
+#
+parameters:
+ jenkins:
+ client:
+ job:
+ update-glusterfs-servers:
+ type: workflow-scm
+ description: Update glusterfs-server package on corresponding hosts
+ concurrent: true
+ discard:
+ build:
+ keep_num: 10
+ artifact:
+ keep_num: 10
+ display_name: "Update glusterfs servers"
+ scm:
+ type: git
+ url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+ branch: "${_param:jenkins_pipelines_branch}"
+ credentials: "gerrit"
+ script: update-glusterfs-servers.groovy
+ param:
+ DRIVE_TRAIN_PARAMS:
+ type: text
+ description: "Yaml based DriveTrain releated params"
+ default: |
+ ---
+ SALT_MASTER_URL: "${_param:jenkins_salt_api_url}"
+ SALT_MASTER_CREDENTIALS: "salt"
+ # Salt compound target to match nodes to be updated [*, G@osfamily:debian].
+ TARGET_SERVERS: "I@glusterfs:server"
+ # Does not validate server availability/status before update
+ IGNORE_SERVER_STATUS: false
+ # Update GlusterFS even there is a non-replicated volume
+ IGNORE_NON_REPLICATED_VOLUMES: false
diff --git a/keepalived/cluster/instance/kdt_kube_api_server_vip.yml b/keepalived/cluster/instance/kdt_kube_api_server_vip.yml
index a26748a..e76b767 100644
--- a/keepalived/cluster/instance/kdt_kube_api_server_vip.yml
+++ b/keepalived/cluster/instance/kdt_kube_api_server_vip.yml
@@ -23,6 +23,6 @@
address: ${_param:keepalived_kdt_k8s_apiserver_vip_address}
password: ${_param:keepalived_kdt_k8s_apiserver_vip_password}
interface: ${_param:keepalived_kdt_k8s_apiserver_vip_interface}
- virtual_router_id: 70
+ virtual_router_id: 71
priority: ${_param:keepalived_vip_priority}
track_script: kdt_vip
diff --git a/kibana/client/ssl.yml b/kibana/client/ssl.yml
new file mode 100644
index 0000000..76160c6
--- /dev/null
+++ b/kibana/client/ssl.yml
@@ -0,0 +1,5 @@
+parameters:
+ kibana:
+ client:
+ server:
+ scheme: https
diff --git a/kibana/server/single.yml b/kibana/server/single.yml
index 965f274..5c59588 100644
--- a/kibana/server/single.yml
+++ b/kibana/server/single.yml
@@ -13,4 +13,5 @@
engine: elasticsearch
host: ${_param:kibana_elasticsearch_host}
port: 9200
+ scheme: http
diff --git a/kibana/server/ssl.yml b/kibana/server/ssl.yml
new file mode 100644
index 0000000..5b049f8
--- /dev/null
+++ b/kibana/server/ssl.yml
@@ -0,0 +1,5 @@
+parameters:
+ kibana:
+ server:
+ database:
+ scheme: https
diff --git a/nginx/server/proxy/ssl.yml b/nginx/server/proxy/ssl.yml
index 66a1938..dd4f2cd 100644
--- a/nginx/server/proxy/ssl.yml
+++ b/nginx/server/proxy/ssl.yml
@@ -16,10 +16,10 @@
protocols:
TLSv1:
name: 'TLSv1'
- enabled: True
+ enabled: False
TLSv1.1:
name: 'TLSv1.1'
- enabled: True
+ enabled: False
TLSv1.2:
name: 'TLSv1.2'
enabled: True
@@ -28,16 +28,16 @@
ciphers:
ECDHE-ECDSA-CHACHA20-POLY1305:
name: 'ECDHE-ECDSA-CHACHA20-POLY1305'
- enabled: True
+ enabled: False
ECDHE-RSA-CHACHA20-POLY1305:
name: 'ECDHE-RSA-CHACHA20-POLY1305'
- enabled: True
+ enabled: False
ECDHE-ECDSA-AES128-GCM-SHA256:
name: 'ECDHE-ECDSA-AES128-GCM-SHA256'
- enabled: True
+ enabled: False
ECDHE-RSA-AES128-GCM-SHA256:
name: 'ECDHE-RSA-AES128-GCM-SHA256'
- enabled: True
+ enabled: False
ECDHE-ECDSA-AES256-GCM-SHA384:
name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
enabled: True
@@ -46,76 +46,76 @@
enabled: True
DHE-RSA-AES128-GCM-SHA256:
name: 'DHE-RSA-AES128-GCM-SHA256'
- enabled: True
+ enabled: False
DHE-RSA-AES256-GCM-SHA384:
name: 'DHE-RSA-AES256-GCM-SHA384'
- enabled: True
+ enabled: False
ECDHE-ECDSA-AES128-SHA256:
name: 'ECDHE-ECDSA-AES128-SHA256'
- enabled: True
+ enabled: False
ECDHE-RSA-AES128-SHA256:
name: 'ECDHE-RSA-AES128-SHA256'
- enabled: True
+ enabled: False
ECDHE-ECDSA-AES128-SHA:
name: 'ECDHE-ECDSA-AES128-SHA'
- enabled: True
+ enabled: False
ECDHE-RSA-AES256-SHA384:
name: 'ECDHE-RSA-AES256-SHA384'
enabled: True
ECDHE-RSA-AES128-SHA:
name: 'ECDHE-RSA-AES128-SHA'
- enabled: True
+ enabled: False
ECDHE-ECDSA-AES256-SHA384:
name: 'ECDHE-ECDSA-AES256-SHA384'
enabled: True
ECDHE-ECDSA-AES256-SHA:
name: 'ECDHE-ECDSA-AES256-SHA'
- enabled: True
+ enabled: False
ECDHE-RSA-AES256-SHA:
name: 'ECDHE-RSA-AES256-SHA'
- enabled: True
+ enabled: False
DHE-RSA-AES128-SHA256:
name: 'DHE-RSA-AES128-SHA256'
- enabled: True
+ enabled: False
DHE-RSA-AES128-SHA:
name: 'DHE-RSA-AES128-SHA'
- enabled: True
+ enabled: False
DHE-RSA-AES256-SHA256:
name: 'DHE-RSA-AES256-SHA256'
- enabled: True
+ enabled: False
DHE-RSA-AES256-SHA:
name: 'DHE-RSA-AES256-SHA'
- enabled: True
+ enabled: False
ECDHE-ECDSA-DES-CBC3-SHA:
name: 'ECDHE-ECDSA-DES-CBC3-SHA'
- enabled: True
+ enabled: False
ECDHE-RSA-DES-CBC3-SHA:
name: 'ECDHE-RSA-DES-CBC3-SHA'
- enabled: True
+ enabled: False
EDH-RSA-DES-CBC3-SHA:
name: 'EDH-RSA-DES-CBC3-SHA'
- enabled: True
+ enabled: False
AES128-GCM-SHA256:
name: 'AES128-GCM-SHA256'
- enabled: True
+ enabled: False
AES256-GCM-SHA384:
name: 'AES256-GCM-SHA384'
- enabled: True
+ enabled: False
AES128-SHA256:
name: 'AES128-SHA256'
- enabled: True
+ enabled: False
AES256-SHA256:
name: 'AES256-SHA256'
- enabled: True
+ enabled: False
AES256-SHA:
name: 'AES256-SHA'
- enabled: True
+ enabled: False
AES128-SHA:
name: 'AES128-SHA'
- enabled: True
+ enabled: False
DES-CBC3-SHA:
name: 'DES-CBC3-SHA'
- enabled: True
+ enabled: False
removeDSS:
name: '!DSS'
- enabled: True
\ No newline at end of file
+ enabled: True
diff --git a/salt/control/placement/openstack/golden.yml b/salt/control/placement/openstack/golden.yml
index 03abda5..1212a42 100644
--- a/salt/control/placement/openstack/golden.yml
+++ b/salt/control/placement/openstack/golden.yml
@@ -31,7 +31,7 @@
openstack_proxy_backend_image: ${_param:salt_control_xenial_image_backend}
openstack_barbican_backend_image: ${_param:salt_control_xenial_image_backend}
openstack_dns_backend_image: ${_param:salt_control_xenial_image_backend}
- openstack_telemetry_backend_image: ${_param:salt_control_trusty_image_backend}
+ openstack_telemetry_backend_image: ${_param:salt_control_xenial_image_backend}
salt_control_cluster_node_cloud_init_openstack_control:
user_data:
write_files:
@@ -74,6 +74,13 @@
${salt:control:size:openstack.dns:image_layout}
owner: root:root
path: /usr/share/growlvm/image-layout.yml
+ salt_control_cluster_node_cloud_init_openstack_telemetry:
+ user_data:
+ write_files:
+ - content: |
+ ${salt:control:size:openstack.telemetry:image_layout}
+ owner: root:root
+ path: /usr/share/growlvm/image-layout.yml
salt:
control:
cluster:
@@ -194,21 +201,21 @@
mdb01:
name: ${_param:openstack_telemetry_node01_hostname}
provider: ${_param:infra_kvm_node04_hostname}.${_param:cluster_domain}
- image: ${_param:salt_control_trusty_image}
+ image: ${_param:salt_control_xenial_image}
backend: ${_param:openstack_telemetry_backend_image}
size: openstack.telemetry
cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_telemetry}
mdb02:
name: ${_param:openstack_telemetry_node02_hostname}
provider: ${_param:infra_kvm_node05_hostname}.${_param:cluster_domain}
- image: ${_param:salt_control_trusty_image}
+ image: ${_param:salt_control_xenial_image}
backend: ${_param:openstack_telemetry_backend_image}
size: openstack.telemetry
cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_telemetry}
mdb03:
name: ${_param:openstack_telemetry_node03_hostname}
provider: ${_param:infra_kvm_node06_hostname}.${_param:cluster_domain}
- image: ${_param:salt_control_trusty_image}
+ image: ${_param:salt_control_xenial_image}
backend: ${_param:openstack_telemetry_backend_image}
size: openstack.telemetry
cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_telemetry}
diff --git a/salt/minion/cert/elasticsearch.yml b/salt/minion/cert/elasticsearch.yml
new file mode 100644
index 0000000..0ac232d
--- /dev/null
+++ b/salt/minion/cert/elasticsearch.yml
@@ -0,0 +1,16 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ elasticsearch:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: elasticsearch
+ signing_policy: cert_server
+ alternative_names: IP:127.0.0.1,IP:${_param:single_address},IP:${_param:stacklight_log_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+ key_file: /etc/elasticsearch/elasticsearch.key
+ cert_file: /etc/elasticsearch/elasticsearch.crt
+ ca_file: /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem
+ all_file: /etc/elasticsearch/elasticsearch.pem
+ mode: '0444'
+ enabled: true
diff --git a/salt/minion/cert/fluentd_prometheus.yml b/salt/minion/cert/fluentd_prometheus.yml
new file mode 100644
index 0000000..d7f4469
--- /dev/null
+++ b/salt/minion/cert/fluentd_prometheus.yml
@@ -0,0 +1,14 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ fluentd_prometheus:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: fluentd_prometheus
+ signing_policy: cert_server
+ alternative_names: IP:127.0.0.1,IP:${_param:single_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+ key_file: ${fluentd:agent:dir:config}/fluentd-prometheus.key
+ cert_file: ${fluentd:agent:dir:config}/fluentd-prometheus.crt
+ mode: '0444'
+ enabled: true