Merge "Enable sshd strong ciphers" into release/proposed/2019.2.0
diff --git a/aodh/server/coordination/redis.yml b/aodh/server/coordination/redis.yml
index e013e0f..16e2838 100644
--- a/aodh/server/coordination/redis.yml
+++ b/aodh/server/coordination/redis.yml
@@ -1,7 +1,20 @@
classes:
- service.redis.server.single
parameters:
+ _param:
+ aodh_coordination_url: redis://openstack:${_param:openstack_telemetry_redis_password}@${_param:redis_sentinel_node01_address}:26379?db=0&sentinel=master_1&sentinel_fallback=${_param:redis_sentinel_node02_address}:26379&sentinel_fallback=${_param:redis_sentinel_node03_address}:26379
aodh:
server:
coordination_backend:
- url: redis://${_param:single_address}:6379/${_param:cluster_node01_address}
+ url: ${_param:aodh_coordination_url}
+ engine: redis
+ redis:
+ password: ${_param:openstack_telemetry_redis_password}
+ user: openstack
+ db: ${_param:aodh_redis_db}
+ sentinel:
+ host: ${_param:redis_sentinel_node01_address}
+ master_name: ${_param:aodh_redis_sentinel_mastername}
+ fallback:
+ - host: ${_param:redis_sentinel_node02_address}
+ - host: ${_param:redis_sentinel_node03_address}
diff --git a/ceilometer/server/coordination/redis.yml b/ceilometer/server/coordination/redis.yml
index e8610f3..7b0edac 100644
--- a/ceilometer/server/coordination/redis.yml
+++ b/ceilometer/server/coordination/redis.yml
@@ -1,7 +1,20 @@
classes:
- service.redis.server.single
parameters:
+ _param:
+ ceilometer_coordination_url: redis://openstack:${_param:openstack_telemetry_redis_password}@${_param:redis_sentinel_node01_address}:26379?db=0&sentinel=master_1&sentinel_fallback=${_param:redis_sentinel_node02_address}:26379&sentinel_fallback=${_param:redis_sentinel_node03_address}:26379
ceilometer:
server:
coordination_backend:
- url: redis://${_param:single_address}:6379/${_param:cluster_node01_address}
+ url: ${_param:ceilometer_coordination_url}
+ engine: redis
+ redis:
+ password: ${_param:openstack_telemetry_redis_password}
+ user: openstack
+ db: ${_param:ceilometer_redis_db}
+ sentinel:
+ host: ${_param:redis_sentinel_node01_address}
+ master_name: ${_param:ceilometer_redis_sentinel_mastername}
+ fallback:
+ - host: ${_param:redis_sentinel_node02_address}
+ - host: ${_param:redis_sentinel_node03_address}
diff --git a/defaults/docker_images.yml b/defaults/docker_images.yml
index ae09bd0..25f61c1 100644
--- a/defaults/docker_images.yml
+++ b/defaults/docker_images.yml
@@ -23,22 +23,22 @@
docker_image_operations_api: "${_param:mcp_docker_registry}/mirantis/model-generator/operations-api:${_param:mcp_version}"
docker_image_operations_ui: "${_param:mcp_docker_registry}/mirantis/model-generator/operations-ui:${_param:mcp_version}"
# OpenContrail
- opencontrail_docker_image_tag: "2019.2.3"
+ opencontrail_docker_image_tag: "2019.2.4"
# stacklight
# 6.5.0 version, from 11/29/2018, differ from latest upstream 6.5.0 - update next cycle
docker_image_alerta: "${_param:mcp_docker_registry}/mirantis/external/alerta-web:${_param:mcp_version}"
docker_image_alertmanager: "${_param:mcp_docker_registry}/openstack-docker/alertmanager:2019.2.4"
docker_image_grafana: "${_param:mcp_docker_registry}/openstack-docker/grafana:${_param:mcp_version}"
- docker_image_prometheus_es_exporter: "${_param:mcp_docker_registry}/mirantis/external/braedon/prometheus-es-exporter:0.5.1"
+ docker_image_prometheus_es_exporter: "${_param:mcp_docker_registry}/openstack-docker/prometheus-es-exporter:0.5.1-mcp0"
docker_image_prometheus: "${_param:mcp_docker_registry}/openstack-docker/prometheus:${_param:mcp_version}"
docker_image_prometheus_gainsight: "${_param:mcp_docker_registry}/openstack-docker/gainsight:2019.2.3"
docker_image_prometheus_gainsight_elasticsearch: "${_param:mcp_docker_registry}/openstack-docker/gainsight_elasticsearch:${_param:mcp_version}"
docker_image_prometheus_relay: "${_param:mcp_docker_registry}/openstack-docker/prometheus_relay:${_param:mcp_version}"
docker_image_pushgateway: "${_param:mcp_docker_registry}/openstack-docker/pushgateway:${_param:mcp_version}"
- docker_image_remote_agent: "${_param:mcp_docker_registry}/openstack-docker/telegraf:${_param:mcp_version}"
+ docker_image_remote_agent: "${_param:mcp_docker_registry}/openstack-docker/telegraf:2019.2.4"
docker_image_remote_collector: "${_param:mcp_docker_registry}/openstack-docker/heka:${_param:mcp_version}"
docker_image_remote_storage_adapter: "${_param:mcp_docker_registry}/openstack-docker/remote_storage_adapter:${_param:mcp_version}"
- docker_image_sf_notifier: "${_param:mcp_docker_registry}/openstack-docker/sf_notifier:2019.2.3"
+ docker_image_sf_notifier: "${_param:mcp_docker_registry}/openstack-docker/sf_notifier:0.2-mcp0"
##
docker_image_cockroachdb: "${_param:mcp_docker_registry}/mirantis/external/cockroach/cockroach:v2.1.1"
# keycloak
diff --git a/defaults/glusterfs.yml b/defaults/glusterfs.yml
new file mode 100644
index 0000000..72a68da
--- /dev/null
+++ b/defaults/glusterfs.yml
@@ -0,0 +1,4 @@
+parameters:
+ _param:
+ glusterfs_allow_ips: '*'
+ glusterfs_reject_ips: none
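Review bot: `glusterfs_allow_ips: '*'` with `glusterfs_reject_ips: none` means the `auth.allow`/`auth.reject` options this commit adds to every volume restrict nothing until a cluster model overrides them, and that includes the `keystone-keys` and `keystone-credential-keys` volumes. The file should say so; I would add a comment above the two parameters along the lines of `# Permissive defaults: override glusterfs_allow_ips with the addresses of the GlusterFS clients in the cluster model`. Whether a narrower default is feasible depends on the deployments that consume this class, which the diff does not show.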
diff --git a/defaults/haproxy/elasticsearch.yml b/defaults/haproxy/elasticsearch.yml
new file mode 100644
index 0000000..07db053
--- /dev/null
+++ b/defaults/haproxy/elasticsearch.yml
@@ -0,0 +1,6 @@
+parameters:
+ _param:
+ haproxy_elasticsearch_http_bind_port: 9200
+ haproxy_elasticsearch_http_exposed_port: 9200
+ haproxy_elasticsearch_binary_bind_port: 9300
+ haproxy_elasticsearch_binary_exposed_port: 9300
diff --git a/defaults/haproxy/init.yml b/defaults/haproxy/init.yml
new file mode 100644
index 0000000..499e085
--- /dev/null
+++ b/defaults/haproxy/init.yml
@@ -0,0 +1,2 @@
+classes:
+- system.defaults.haproxy.elasticsearch
diff --git a/defaults/init.yml b/defaults/init.yml
index 733bfe2..2763914 100644
--- a/defaults/init.yml
+++ b/defaults/init.yml
@@ -10,6 +10,7 @@
- system.defaults.linux_system_file
- system.defaults.backupninja
- system.defaults.git
+- system.defaults.glusterfs
- system.defaults.jenkins
- system.defaults.maas
- system.defaults.openstack
@@ -22,6 +23,7 @@
- system.defaults.salt
- system.defaults.stacklight
- system.defaults.xtrabackup
+- system.defaults.haproxy
parameters:
_param:
mcp_version: stable
diff --git a/defaults/openstack/init.yml b/defaults/openstack/init.yml
index 4b1960d..44b334b 100644
--- a/defaults/openstack/init.yml
+++ b/defaults/openstack/init.yml
@@ -15,6 +15,8 @@
openstack_telemetry_service_host: ${_param:openstack_telemetry_service_hostname}.${linux:system:domain}
openstack_service_user_enabled: True
openstack_upgrade_enabled: False
+ openstack_telemetry_redis_db: '0'
+ openstack_telemetry_redis_sentinel_mastername: 'master_1'
# SSL
ceilometer_agent_ssl_enabled: False
openstack_mysql_x509_enabled: False
@@ -35,7 +37,7 @@
openstack_service_user_options:
ignore_change_password_upon_first_use: True
ignore_password_expiry: True
- ignore_lockout_failure_attempts: False
+ ignore_lockout_failure_attempts: True
lock_password: False
# Cinder
cinder_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
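Review bot: Switching `ignore_lockout_failure_attempts` to `True` exempts the service users from the failed-login lockout, and nothing in the hunk records why. Presumably the intent is to stop failed logins from locking out the accounts the services depend on, but it also removes the lockout limit on password guessing against those accounts. The trade-off deserves a comment, e.g. `# service users are exempt from lockout so failed logins cannot disable the control plane; use long random passwords`. The enclosing `_param` mapping starts and ends outside the hunk.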
@@ -72,16 +74,22 @@
aodh_old_version: ${_param:openstack_old_version}
aodh_version: ${_param:openstack_version}
aodh_upgrade_enabled: ${_param:openstack_upgrade_enabled}
+ aodh_redis_db: ${_param:openstack_telemetry_redis_db}
+ aodh_redis_sentinel_mastername: ${_param:openstack_telemetry_redis_sentinel_mastername}
# Ceilometer
ceilometer_old_version: ${_param:openstack_old_version}
ceilometer_version: ${_param:openstack_version}
ceilometer_upgrade_enabled: ${_param:openstack_upgrade_enabled}
+ ceilometer_redis_db: ${_param:openstack_telemetry_redis_db}
+ ceilometer_redis_sentinel_mastername: ${_param:openstack_telemetry_redis_sentinel_mastername}
# Gnocchi
gnocchi_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
gnocchi_memcache_secret_key: ''
gnocchi_version: 4.0
gnocchi_old_version: ${_param:gnocchi_version}
gnocchi_upgrade_enabled: ${_param:openstack_upgrade_enabled}
+ gnocchi_redis_db: ${_param:openstack_telemetry_redis_db}
+ gnocchi_redis_sentinel_mastername: ${_param:openstack_telemetry_redis_sentinel_mastername}
# Panko
panko_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
panko_memcache_secret_key: ''
diff --git a/defaults/salt/init.yml b/defaults/salt/init.yml
index 2e19089..feb27d7 100644
--- a/defaults/salt/init.yml
+++ b/defaults/salt/init.yml
@@ -48,3 +48,11 @@
salt_control_trusty_image: ${_param:mcp_static_images_url}/ubuntu-14-04-x64-mcp${_param:mcp_version}.qcow2
salt_control_xenial_image: ${_param:mcp_static_images_url}/ubuntu-16-04-x64-mcp${_param:mcp_version}.qcow2
+ salt_master_api_permissions:
+ - '.*'
+ - '@local'
+ - '@wheel' # to allow access to all wheel modules
+ - '@runner' # to allow access to all runner modules
+ - '@jobs' # to allow access to the jobs runner and/or wheel mo
+
+ salt_minion_ca_authority: salt_master_ca
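Review bot: The default `salt_master_api_permissions` list combines `'.*'` with `@wheel`, `@runner` and `@jobs`, which by the hunk's own comments is access to all wheel and runner modules on top of a match-everything function pattern, for whichever account the list is applied to (the consumer is outside this diff). A default this broad should be labelled so models narrow it for non-admin API users, e.g. `# full-access default; restrict per user in the cluster model`. The inline comment on the `@jobs` entry is also cut off at `wheel mo` and should read `wheel modules`.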
diff --git a/defaults/stacklight.yml b/defaults/stacklight.yml
index 1abbb5e..e969319 100644
--- a/defaults/stacklight.yml
+++ b/defaults/stacklight.yml
@@ -1,5 +1,9 @@
parameters:
_param:
+ # ELK settings
+ stacklight_elasticsearch_port: 9200
+ stacklight_notification_topic: stacklight_notifications
+
# ELK stack versions
elasticsearch_version: 5
kibana_version: 5
diff --git a/docker/client/compose/service/jenkins.yml b/docker/client/compose/service/jenkins.yml
index 55aacdc..7045b66 100644
--- a/docker/client/compose/service/jenkins.yml
+++ b/docker/client/compose/service/jenkins.yml
@@ -3,7 +3,7 @@
parameters:
_param:
jenkins_master_extra_opts: ""
- jenkins_master_executors_num: 4
+ jenkins_master_executors_num: 0
jenkins_master_max_concurent_requests: 40
jenkins_home_dir_path: /var/jenkins_home
docker:
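Review bot: `jenkins_master_executors_num: 0` has no comment saying the value is deliberate, so a later editor could read the zero as a mistake and restore `4`. If the intent is to keep builds off the master so job code does not run next to the controller's credentials and configuration, say so: `# 0 executors: builds run on agents only, never on the master`. The same change in docker/swarm/stack/jenkins/master.yml needs the same comment. With zero master executors, jobs will queue until at least one agent is connected, which is worth stating for operators as well.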
diff --git a/docker/host.yml b/docker/host.yml
index a88ff2f..894f6ee 100644
--- a/docker/host.yml
+++ b/docker/host.yml
@@ -14,6 +14,7 @@
- ${_param:cluster_vip_address}:5000
- ${_param:cluster_public_host}:5000
options:
+ bridge: none
ipv6: true
fixed-cidr-v6: fc00::/7
storage-driver: overlay2
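Review bot: `bridge: none` is added directly above `ipv6: true` and `fixed-cidr-v6: fc00::/7`, which as far as I know configure the default bridge network that this option turns off, so those two lines may no longer have any effect. If that is right they should be dropped, or the reason for keeping them noted. A comment such as `# no default docker0 bridge; containers must attach to an explicit network` would also warn operators that containers started without a named network get no connectivity. The `options` mapping continues outside the hunk.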
diff --git a/docker/swarm/stack/jenkins/master.yml b/docker/swarm/stack/jenkins/master.yml
index 6af8d3e..4647521 100644
--- a/docker/swarm/stack/jenkins/master.yml
+++ b/docker/swarm/stack/jenkins/master.yml
@@ -4,7 +4,7 @@
parameters:
_param:
jenkins_master_extra_opts: ""
- jenkins_master_executors_num: 4
+ jenkins_master_executors_num: 0
jenkins_master_max_concurent_requests: 40
jenkins_home_dir_path: /var/jenkins_home
docker:
diff --git a/docker/swarm/stack/jenkins/slave_base.yml b/docker/swarm/stack/jenkins/slave_base.yml
index 1c2d6f8..91601ab 100644
--- a/docker/swarm/stack/jenkins/slave_base.yml
+++ b/docker/swarm/stack/jenkins/slave_base.yml
@@ -3,7 +3,6 @@
parameters:
_param:
jenkins_master_host: ${_param:control_vip_address}
- jenkins_secret: "7c40abc1a7df2d26dd6b2e4421af17218df75a16fcbd5e3aa6017d9f47eaeabe"
jenkins_master_url: http://${_param:jenkins_master_host}:${_param:jenkins_master_port}
jenkins_slave_user: ${_param:jenkins_client_user}
jenkins_slave_password: ${_param:jenkins_client_password}
diff --git a/docker/swarm/stack/monitoring/prometheus/init.yml b/docker/swarm/stack/monitoring/prometheus/init.yml
index 65dd5b9..d7db52c 100644
--- a/docker/swarm/stack/monitoring/prometheus/init.yml
+++ b/docker/swarm/stack/monitoring/prometheus/init.yml
@@ -32,6 +32,7 @@
volumes:
- ${prometheus:server:dir:config}:${_param:prometheus_server_config_directory}
- ${prometheus:server:dir:data}:${_param:prometheus_server_data_directory}
+ - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
environment:
PROMETHEUS_CONFIG_DIR: ${_param:prometheus_server_config_directory}
PROMETHEUS_DATA_DIR: ${_param:prometheus_server_data_directory}
diff --git a/docker/swarm/stack/monitoring/sf_notifier.yml b/docker/swarm/stack/monitoring/sf_notifier.yml
index a171ce8..b8b2dd6 100644
--- a/docker/swarm/stack/monitoring/sf_notifier.yml
+++ b/docker/swarm/stack/monitoring/sf_notifier.yml
@@ -29,8 +29,6 @@
image: ${_param:docker_image_sf_notifier}
ports:
- 15018:5000
- volumes:
- - ${prometheus:sf_notifier:dir:logs}:/var/log/sf-notifier
environment:
SF_NOTIFIER_WORKERS: ${_param:sf_notifier_workers}
SF_NOTIFIER_BUFFER_SIZE: ${_param:sf_notifier_buffer_size}
diff --git a/elasticsearch/client/ssl.yml b/elasticsearch/client/ssl.yml
new file mode 100644
index 0000000..9f0f9c2
--- /dev/null
+++ b/elasticsearch/client/ssl.yml
@@ -0,0 +1,5 @@
+parameters:
+ elasticsearch:
+ client:
+ server:
+ scheme: https
diff --git a/elasticsearch/server/cluster.yml b/elasticsearch/server/cluster.yml
index 76774aa..155cfdf 100644
--- a/elasticsearch/server/cluster.yml
+++ b/elasticsearch/server/cluster.yml
@@ -5,7 +5,7 @@
_param:
java_environment_version: "8"
java_environment_platform: openjdk
- elasticsearch_cluster_name: elasticsearch
+ elasticsearch_cluster_name: ${_param:cluster_name}
linux:
system:
sysctl:
@@ -17,7 +17,6 @@
elasticsearch:
server:
version: ${_param:elasticsearch_version}
- name: ${_param:elasticsearch_cluster_name}
enabled: true
master: true
data: true
@@ -35,6 +34,7 @@
recover_after_nodes: 2
recover_after_time: 5m
cluster:
+ name: ${_param:elasticsearch_cluster_name}
multicast: false
minimum_master_nodes: 2
members:
diff --git a/fluentd/label/default_metric/prometheus_ssl.yml b/fluentd/label/default_metric/prometheus_ssl.yml
new file mode 100644
index 0000000..292c481
--- /dev/null
+++ b/fluentd/label/default_metric/prometheus_ssl.yml
@@ -0,0 +1,9 @@
+parameters:
+ fluentd:
+ agent:
+ config:
+ input:
+ prometheus:
+ metric:
+ ssl:
+ enabled: True
diff --git a/fluentd/label/default_output/elasticsearch_ssl.yml b/fluentd/label/default_output/elasticsearch_ssl.yml
new file mode 100644
index 0000000..da3a5a7
--- /dev/null
+++ b/fluentd/label/default_output/elasticsearch_ssl.yml
@@ -0,0 +1,9 @@
+parameters:
+ fluentd:
+ agent:
+ config:
+ label:
+ default_output:
+ match:
+ elasticsearch_output:
+ scheme: https
diff --git a/fluentd/label/notifications/audit.yml b/fluentd/label/notifications/audit.yml
new file mode 100644
index 0000000..49ea953
--- /dev/null
+++ b/fluentd/label/notifications/audit.yml
@@ -0,0 +1,49 @@
+parameters:
+ fluentd:
+ agent:
+ config:
+ label:
+ audit_messages:
+ filter:
+ get_payload_values:
+ tag: audit
+ type: record_transformer
+ enable_ruby: true
+ record:
+ - name: Logger
+ value: ${fluentd:dollar}{ record.dig("publisher_id") }
+ - name: Severity
+ value: ${fluentd:dollar}{ {'TRACE'=>7,'DEBUG'=>7,'INFO'=>6,'AUDIT'=>6,'WARNING'=>4,'ERROR'=>3,'CRITICAL'=>2}[record['priority']].to_i }
+ - name: Timestamp
+ value: ${fluentd:dollar}{ DateTime.strptime(record.dig("payload", "eventTime"), "%Y-%m-%dT%H:%M:%S.%N%z").strftime("%Y-%m-%dT%H:%M:%S.%3NZ") }
+ - name: notification_type
+ value: ${fluentd:dollar}{ record.dig("event_type") }
+ - name: severity_label
+ value: ${fluentd:dollar}{ record.dig("priority") }
+ - name: environment_label
+ value: ${_param:cluster_domain}
+
+ - name: action
+ value: ${fluentd:dollar}{ record.dig("payload", "action") }
+ - name: event_type
+ value: ${fluentd:dollar}{ record.dig("payload", "eventType") }
+ - name: outcome
+ value: ${fluentd:dollar}{ record.dig("payload", "outcome") }
+ pack_payload_to_json:
+ tag: audit
+ require:
+ - get_payload_values
+ type: record_transformer
+ enable_ruby: true
+ remove_keys: '["payload", "timestamp", "publisher_id", "priority"]'
+ record:
+ - name: Payload
+ value: ${fluentd:dollar}{ record["payload"].to_json }
+ match:
+ audit_output:
+ tag: audit
+ type: elasticsearch
+ host: ${_param:stacklight_log_address}
+ port: ${_param:stacklight_elasticsearch_port}
+ es_index_name: audit
+ tag_key: Type
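Review bot: `audit_output` sets only `host` and `port`, while the `fluentd/label/default_output/elasticsearch_ssl.yml` class added in this commit sets `scheme: https` on `default_output.match.elasticsearch_output` alone, so a deployment that enables that class would still send audit records over whatever scheme the formula defaults to. Audit events are the data most worth protecting in transit, so either add a matching SSL class for this label or document that one is needed; `notifications_output` in fluentd/label/notifications/notifications.yml has the same gap. Separately, the `Timestamp` expression calls `DateTime.strptime` on `record.dig("payload", "eventTime")` with no fallback, so a record tagged `audit` with a malformed time string will raise inside the filter.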
diff --git a/fluentd/label/notifications/init.yml b/fluentd/label/notifications/init.yml
new file mode 100644
index 0000000..e4e57f8
--- /dev/null
+++ b/fluentd/label/notifications/init.yml
@@ -0,0 +1,4 @@
+classes:
+- system.fluentd.label.notifications.input_rabbitmq
+- system.fluentd.label.notifications.notifications
+- system.fluentd.label.notifications.audit
diff --git a/fluentd/label/notifications/input_rabbitmq.yml b/fluentd/label/notifications/input_rabbitmq.yml
new file mode 100644
index 0000000..7f97648
--- /dev/null
+++ b/fluentd/label/notifications/input_rabbitmq.yml
@@ -0,0 +1,105 @@
+parameters:
+ fluentd:
+ agent:
+ config:
+ label:
+ rabbitmq_notifications:
+ input:
+ tail_rabbitmq_info:
+ tag: raw_notifications
+ type: rabbitmq
+ host: ${_param:openstack_message_queue_address}
+ user: openstack
+ pass: ${_param:rabbitmq_openstack_password}
+ vhost: /openstack
+ queue: ${_param:stacklight_notification_topic}.info
+ routing_key: ${_param:stacklight_notification_topic}.info
+ parser:
+ type: json
+ tail_rabbitmq_warn:
+ tag: raw_notifications
+ type: rabbitmq
+ host: ${_param:openstack_message_queue_address}
+ user: openstack
+ pass: ${_param:rabbitmq_openstack_password}
+ vhost: /openstack
+ queue: ${_param:stacklight_notification_topic}.warn
+ routing_key: ${_param:stacklight_notification_topic}.warn
+ parser:
+ type: json
+ tail_rabbitmq_error:
+ tag: raw_notifications
+ type: rabbitmq
+ host: ${_param:openstack_message_queue_address}
+ user: openstack
+ pass: ${_param:rabbitmq_openstack_password}
+ vhost: /openstack
+ queue: ${_param:stacklight_notification_topic}.error
+ routing_key: ${_param:stacklight_notification_topic}.error
+ parser:
+ type: json
+ filter:
+ parse_json:
+ tag: raw_notifications
+ type: parser
+ key_name: oslo.message
+ reserve_data: false
+ hash_value_field: parsed
+ parser:
+ type: json
+ remove_context:
+ tag: raw_notifications
+ require:
+ - parse_json
+ type: record_transformer
+ enable_ruby: true
+ remove_keys: _dummy_1
+ record:
+ - name: _dummy_1
+ value: ${fluentd:dollar}{record['parsed'].delete_if { |k,_| k.include?('_context_') }; nil}
+ pack_parsed_to_json:
+ tag: raw_notifications
+ require:
+ - remove_context
+ type: record_transformer
+ enable_ruby: true
+ record:
+ - name: parsed
+ value: ${fluentd:dollar}{record["parsed"].to_json}
+ unpack_on_top_level:
+ tag: raw_notifications
+ require:
+ - pack_parsed_to_json
+ type: parser
+ key_name: parsed
+ reserve_data: false
+ parser:
+ type: json
+ detect_audit_notification:
+ tag: raw_notifications
+ require:
+ - unpack_on_top_level
+ type: record_transformer
+ enable_ruby: true
+ record:
+ - name: notification_type
+ value: '${fluentd:dollar}{ record["payload"]["eventType"] && record["payload"]["eventTime"] ? "audit" : "notification" }'
+ match:
+ rewrite_message_tag:
+ tag: raw_notifications
+ type: rewrite_tag_filter
+ rule:
+ - name: notification_type
+ regexp: 'audit'
+ result: audit
+ - name: notification_type
+ regexp: '/.+/'
+ result: notification
+ forward_notification:
+ tag: notification
+ type: relabel
+ label: notification_messages
+ forward_audit:
+ tag: audit
+ type: relabel
+ label: audit_messages
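Review bot: In `detect_audit_notification`, `record["payload"]["eventType"]` raises on any notification that has no `payload` key, whereas the audit filters in this commit use the nil-safe `record.dig`. Using `record.dig("payload", "eventType") && record.dig("payload", "eventTime") ? "audit" : "notification"` keeps such records classified; otherwise they would probably reach `rewrite_message_tag` without a `notification_type` and match neither rule. The three inputs also log in as the shared `openstack` user with `${_param:rabbitmq_openstack_password}`. A dedicated account limited to the `${_param:stacklight_notification_topic}` queues would keep the log collector from holding the services' broker credentials.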
diff --git a/fluentd/label/notifications/notifications.yml b/fluentd/label/notifications/notifications.yml
new file mode 100644
index 0000000..22be3c6
--- /dev/null
+++ b/fluentd/label/notifications/notifications.yml
@@ -0,0 +1,122 @@
+parameters:
+ fluentd:
+ agent:
+ config:
+ label:
+ notification_messages:
+ filter:
+ parse_publuisher_host:
+ tag: notification
+ type: parser
+ key_name: publisher_id
+ reserve_data: true
+ parser:
+ type: regexp
+ format: (?<publisher>\w+).(?<hostname>\w+)
+ save_hostname:
+ tag: notification
+ require:
+ - parse_publuisher_host
+ type: record_transformer
+ enable_ruby: true
+ record:
+ - name: Hostname
+ value: ${fluentd:dollar}{ record["hostname"] }
+ parse_source:
+ tag: notification
+ require:
+ - save_hostname
+ type: parser
+ key_name: event_type
+ reserve_data: true
+ parser:
+ type: regexp
+ format: (?<event_type_logger>\w+).+
+ map_logger:
+ tag: notification
+ require:
+ - parse_source
+ type: record_transformer
+ enable_ruby: true
+ remove_keys: event_type_logger
+ record:
+ - name: Logger
+ value: ${fluentd:dollar}{ {'volume'=>'cinder', 'snapshot'=>'cinder', 'image'=>'glance', 'orchestration'=>'heat', 'identity'=>'keystone', 'compute'=>'nova', 'compute_task'=>'nova', 'scheduler'=>'nova', 'keypair'=>'nova', 'floatingip' =>'neutron', 'security_group' =>'neutron', 'security_group_rule' =>'neutron', 'network' =>'neutron', 'port' =>'neutron', 'router' =>'neutron', 'subnet' =>'neutron', 'sahara' =>'sahara'}[record["event_type_logger"]] }
+ get_payload_values:
+ tag: notification
+ require:
+ - map_logger
+ type: record_transformer
+ enable_ruby: true
+ record:
+ - name: Timestamp
+ value: ${fluentd:dollar}{ DateTime.strptime(record['timestamp'], '%Y-%m-%d %H:%M:%S.%N').strftime('%Y-%m-%dT%H:%M:%S.%3NZ') }
+ - name: severity_label
+ value: ${fluentd:dollar}{ record["priority"] }
+ - name: Severity
+ value: ${fluentd:dollar}{ {'TRACE'=>7,'DEBUG'=>7,'INFO'=>6,'AUDIT'=>6,'WARNING'=>4,'ERROR'=>3,'CRITICAL'=>2}[record['priority']].to_i }
+ - name: Hostname
+ value: '${fluentd:dollar}{ record["payload"].has_key?("host") ? record["payload"]["host"] : record["Hostname"] }'
+ - name: environment_label
+ value: ${_param:cluster_domain}
+
+ - name: tenant_id
+ value: ${fluentd:dollar}{ record.dig("payload", "tenant_id") }
+ - name: user_id
+ value: ${fluentd:dollar}{ record.dig("payload", "user_id") }
+ - name: display_name
+ value: ${fluentd:dollar}{ record.dig("payload", "display_name") }
+ - name: vcpus
+ value: ${fluentd:dollar}{ record.dig("payload", "vcpus") }
+ - name: availability_zone
+ value: ${fluentd:dollar}{ record.dig("payload", "availability_zone") }
+ - name: instance_id
+ value: ${fluentd:dollar}{ record.dig("payload", "instance_id") }
+ - name: instance_type
+ value: ${fluentd:dollar}{ record.dig("payload", "instance_type") }
+ - name: image_name
+ value: ${fluentd:dollar}{ record.dig("payload", "image_name") }
+ - name: memory_mb
+ value: ${fluentd:dollar}{ record.dig("payload", "memory_mb") }
+ - name: disk_gb
+ value: ${fluentd:dollar}{ record.dig("payload", "disk_gb") }
+ - name: state
+ value: ${fluentd:dollar}{ record.dig("payload", "state") }
+ - name: old_state
+ value: ${fluentd:dollar}{ record.dig("payload", "old_state") }
+ - name: old_task_state
+ value: ${fluentd:dollar}{ record.dig("payload", "old_task_state") }
+ - name: new_task_state
+ value: ${fluentd:dollar}{ record.dig("payload", "new_task_state") }
+ - name: network_id
+ value: ${fluentd:dollar}{ record.dig("payload", "network_id") }
+ - name: subnet_id
+ value: ${fluentd:dollar}{ record.dig("payload", "subnet_id") }
+ - name: port_id
+ value: ${fluentd:dollar}{ record.dig("payload", "port_id") }
+ - name: volume_id
+ value: ${fluentd:dollar}{ record.dig("payload", "volume_id") }
+ - name: size
+ value: ${fluentd:dollar}{ record.dig("payload", "size") }
+ - name: status
+ value: ${fluentd:dollar}{ record.dig("payload", "status") }
+ - name: replication_status
+ value: ${fluentd:dollar}{ record.dig("payload", "replication_status") }
+ pack_payload_to_json:
+ tag: notification
+ require:
+ - get_payload_values
+ type: record_transformer
+ enable_ruby: true
+ remove_keys: '["timestamp", "publisher_id", "priority", "notification_type", "payload"]'
+ record:
+ - name: Payload
+ value: ${fluentd:dollar}{ record["payload"].to_json }
+ match:
+ notifications_output:
+ tag: notification
+ type: elasticsearch
+ host: ${_param:stacklight_log_address}
+ port: ${_param:stacklight_elasticsearch_port}
+ es_index_name: notification
+ tag_key: Type
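Review bot: The `parse_publuisher_host` format `(?<publisher>\w+).(?<hostname>\w+)` uses an unescaped `.` and `\w+`, and `\w` matches neither `-` nor `.`, so a publisher_id such as `compute.cmp-01.example.local` (constructed example) would yield the hostname `cmp`. Something like `format: (?<publisher>[^.]+)\.(?<hostname>.+)` keeps the full host part, assuming publisher ids have the `service.host` shape. In `get_payload_values`, `record["payload"].has_key?("host")` also raises when a record has no `payload`, and could be `record.dig("payload", "host") || record["Hostname"]`. The filter name is misspelled (`publuisher`) consistently in both places, so it is harmless, but worth fixing before other classes reference it.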
diff --git a/glance/client/image/octavia.yml b/glance/client/image/octavia.yml
index 3160cdd..2a00375 100644
--- a/glance/client/image/octavia.yml
+++ b/glance/client/image/octavia.yml
@@ -3,6 +3,7 @@
parameters:
glance:
client:
+ cloud_name: admin_identity
identity:
admin_identity:
endpoint_type: internalURL
diff --git a/glance/control/cluster.yml b/glance/control/cluster.yml
index a75f8c5..3eb7866 100644
--- a/glance/control/cluster.yml
+++ b/glance/control/cluster.yml
@@ -82,4 +82,3 @@
storage:
engine: file
images: []
- show_multiple_locations: True
diff --git a/glance/control/single.yml b/glance/control/single.yml
index ee2ae1a..24e9c3f 100644
--- a/glance/control/single.yml
+++ b/glance/control/single.yml
@@ -31,7 +31,6 @@
protocol: ${_param:internal_protocol}
registry:
protocol: ${_param:internal_protocol}
- show_multiple_locations: True
barbican:
enabled: ${_param:barbican_integration_enabled}
message_queue:
diff --git a/glusterfs/server/volume/aptly.yml b/glusterfs/server/volume/aptly.yml
index 9c9e518..095ed8e 100644
--- a/glusterfs/server/volume/aptly.yml
+++ b/glusterfs/server/volume/aptly.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/aptly
- ${_param:cluster_node03_address}:/srv/glusterfs/aptly
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/artifactory.yml b/glusterfs/server/volume/artifactory.yml
index f70d2f0..c903d5f 100644
--- a/glusterfs/server/volume/artifactory.yml
+++ b/glusterfs/server/volume/artifactory.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/artifactory
- ${_param:cluster_node03_address}:/srv/glusterfs/artifactory
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/backup.yml b/glusterfs/server/volume/backup.yml
index 22e59e2..3c86bb0 100644
--- a/glusterfs/server/volume/backup.yml
+++ b/glusterfs/server/volume/backup.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/backup
- ${_param:cluster_node03_address}:/srv/glusterfs/backup
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/decapod.yml b/glusterfs/server/volume/decapod.yml
index e8f4c99..9a39eaa 100644
--- a/glusterfs/server/volume/decapod.yml
+++ b/glusterfs/server/volume/decapod.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/decapod
- ${_param:cluster_node03_address}:/srv/glusterfs/decapod
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/devops_portal.yml b/glusterfs/server/volume/devops_portal.yml
index a2f00ba..e2116cb 100644
--- a/glusterfs/server/volume/devops_portal.yml
+++ b/glusterfs/server/volume/devops_portal.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/devops_portal
- ${_param:cluster_node03_address}:/srv/glusterfs/devops_portal
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/elasticsearch.yml b/glusterfs/server/volume/elasticsearch.yml
index 65cf76e..e66a388 100644
--- a/glusterfs/server/volume/elasticsearch.yml
+++ b/glusterfs/server/volume/elasticsearch.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/elasticsearch
- ${_param:cluster_node03_address}:/srv/glusterfs/elasticsearch
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/etcd.yml b/glusterfs/server/volume/etcd.yml
index 874119e..6300593 100644
--- a/glusterfs/server/volume/etcd.yml
+++ b/glusterfs/server/volume/etcd.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/etcd
- ${_param:cluster_node03_address}:/srv/glusterfs/etcd
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/gerrit.yml b/glusterfs/server/volume/gerrit.yml
index b959f82..b3b036a 100644
--- a/glusterfs/server/volume/gerrit.yml
+++ b/glusterfs/server/volume/gerrit.yml
@@ -10,6 +10,10 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/gerrit
- ${_param:cluster_node03_address}:/srv/glusterfs/gerrit
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
+ storage.owner-gid: 1000
+ storage.owner-uid: 1000
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/glance.yml b/glusterfs/server/volume/glance.yml
index d0dfdf1..38a571e 100644
--- a/glusterfs/server/volume/glance.yml
+++ b/glusterfs/server/volume/glance.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/glance
- ${_param:cluster_node03_address}:/srv/glusterfs/glance
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/gnocchi.yml b/glusterfs/server/volume/gnocchi.yml
index f8f5b6a..1d4ce62 100644
--- a/glusterfs/server/volume/gnocchi.yml
+++ b/glusterfs/server/volume/gnocchi.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/gnocchi
- ${_param:cluster_node03_address}:/srv/glusterfs/gnocchi
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/influxdb.yml b/glusterfs/server/volume/influxdb.yml
index 9a75a2f..5f56d0b 100644
--- a/glusterfs/server/volume/influxdb.yml
+++ b/glusterfs/server/volume/influxdb.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/influxdb
- ${_param:cluster_node03_address}:/srv/glusterfs/influxdb
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/jenkins.yml b/glusterfs/server/volume/jenkins.yml
index 9a2582a..e17cdb5 100644
--- a/glusterfs/server/volume/jenkins.yml
+++ b/glusterfs/server/volume/jenkins.yml
@@ -10,6 +10,10 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/jenkins
- ${_param:cluster_node03_address}:/srv/glusterfs/jenkins
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
+ storage.owner-gid: 1000
+ storage.owner-uid: 1000
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/jenkins_slave_multi.yml b/glusterfs/server/volume/jenkins_slave_multi.yml
new file mode 100644
index 0000000..5d2e70a
--- /dev/null
+++ b/glusterfs/server/volume/jenkins_slave_multi.yml
@@ -0,0 +1,42 @@
+classes:
+- system.glusterfs.server.volume.jenkins_slave_single
+parameters:
+ glusterfs:
+ server:
+ volumes:
+ jenkins_slave02:
+ storage: /srv/glusterfs/jenkins_slaves/slave02
+ replica: 3
+ bricks:
+ - ${_param:cluster_node01_address}:/srv/glusterfs/jenkins_slaves/slave02
+ - ${_param:cluster_node02_address}:/srv/glusterfs/jenkins_slaves/slave02
+ - ${_param:cluster_node03_address}:/srv/glusterfs/jenkins_slaves/slave02
+ options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
+ storage.owner-gid: 10000
+ storage.owner-uid: 10000
+ cluster.readdir-optimize: On
+ nfs.disable: On
+ network.remote-dio: On
+ diagnostics.client-log-level: WARNING
+ diagnostics.brick-log-level: WARNING
+ cluster.favorite-child-policy: mtime
+ jenkins_slave03:
+ storage: /srv/glusterfs/jenkins_slaves/slave03
+ replica: 3
+ bricks:
+ - ${_param:cluster_node01_address}:/srv/glusterfs/jenkins_slaves/slave03
+ - ${_param:cluster_node02_address}:/srv/glusterfs/jenkins_slaves/slave03
+ - ${_param:cluster_node03_address}:/srv/glusterfs/jenkins_slaves/slave03
+ options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
+ storage.owner-gid: 10000
+ storage.owner-uid: 10000
+ cluster.readdir-optimize: On
+ nfs.disable: On
+ network.remote-dio: On
+ diagnostics.client-log-level: WARNING
+ diagnostics.brick-log-level: WARNING
+ cluster.favorite-child-policy: mtime
diff --git a/glusterfs/server/volume/jenkins_slave_single.yml b/glusterfs/server/volume/jenkins_slave_single.yml
new file mode 100644
index 0000000..e9420b3
--- /dev/null
+++ b/glusterfs/server/volume/jenkins_slave_single.yml
@@ -0,0 +1,22 @@
+parameters:
+ glusterfs:
+ server:
+ volumes:
+ jenkins_slave01:
+ storage: /srv/glusterfs/jenkins_slaves/slave01
+ replica: 3
+ bricks:
+ - ${_param:cluster_node01_address}:/srv/glusterfs/jenkins_slaves/slave01
+ - ${_param:cluster_node02_address}:/srv/glusterfs/jenkins_slaves/slave01
+ - ${_param:cluster_node03_address}:/srv/glusterfs/jenkins_slaves/slave01
+ options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
+ storage.owner-gid: 10000
+ storage.owner-uid: 10000
+ cluster.readdir-optimize: On
+ nfs.disable: On
+ network.remote-dio: On
+ diagnostics.client-log-level: WARNING
+ diagnostics.brick-log-level: WARNING
+ cluster.favorite-child-policy: mtime
diff --git a/glusterfs/server/volume/keycloak.yml b/glusterfs/server/volume/keycloak.yml
index c8c71f0..b22d2c3 100644
--- a/glusterfs/server/volume/keycloak.yml
+++ b/glusterfs/server/volume/keycloak.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/keycloak
- ${_param:cluster_node03_address}:/srv/glusterfs/keycloak
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/keystone.yml b/glusterfs/server/volume/keystone.yml
index 81e14be..e549180 100644
--- a/glusterfs/server/volume/keystone.yml
+++ b/glusterfs/server/volume/keystone.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/keystone-keys
- ${_param:cluster_node03_address}:/srv/glusterfs/keystone-keys
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
@@ -24,6 +26,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/keystone-credential-keys
- ${_param:cluster_node03_address}:/srv/glusterfs/keystone-credential-keys
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/kqueen.yml b/glusterfs/server/volume/kqueen.yml
index 0d09c51..091a93c 100644
--- a/glusterfs/server/volume/kqueen.yml
+++ b/glusterfs/server/volume/kqueen.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/kqueen
- ${_param:cluster_node03_address}:/srv/glusterfs/kqueen
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/mongodb.yml b/glusterfs/server/volume/mongodb.yml
index f694ad7..0cb3a8e 100644
--- a/glusterfs/server/volume/mongodb.yml
+++ b/glusterfs/server/volume/mongodb.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/mongodb
- ${_param:cluster_node03_address}:/srv/glusterfs/mongodb
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/mysql.yml b/glusterfs/server/volume/mysql.yml
index c473de6..b67975e 100644
--- a/glusterfs/server/volume/mysql.yml
+++ b/glusterfs/server/volume/mysql.yml
@@ -10,6 +10,10 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/mysql
- ${_param:cluster_node03_address}:/srv/glusterfs/mysql
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
+ storage.owner-gid: 999
+ storage.owner-uid: 999
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
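Review bot: `storage.owner-gid: 999` and `storage.owner-uid: 999` hard-code a numeric owner, and nothing in the hunk says which account that id is expected to be on the consuming side. If the service that mounts the volume runs under a different uid, the files end up owned by whatever local account has id 999. I would take the ids from a parameter (a new one, for example `storage.owner-uid: ${_param:glusterfs_mysql_owner_uid}`) or at least add `# must match the uid/gid of the mysql account in the consuming image`. The same literal ids appear in openldap_k8s.yml and postgresql_k8s.yml (999) and in the jenkins_slave volumes (10000). The volume mapping starts outside the hunk.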
diff --git a/glusterfs/server/volume/openldap.yml b/glusterfs/server/volume/openldap.yml
index 84619c0..cc1ba5f 100644
--- a/glusterfs/server/volume/openldap.yml
+++ b/glusterfs/server/volume/openldap.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/openldap
- ${_param:cluster_node03_address}:/srv/glusterfs/openldap
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/openldap_k8s.yml b/glusterfs/server/volume/openldap_k8s.yml
new file mode 100644
index 0000000..24b2a26
--- /dev/null
+++ b/glusterfs/server/volume/openldap_k8s.yml
@@ -0,0 +1,40 @@
+parameters:
+ glusterfs:
+ server:
+ volumes:
+ openldap-config:
+ storage: /srv/glusterfs/openldap/config
+ replica: 3
+ bricks:
+ - ${_param:cluster_node01_address}:/srv/glusterfs/openldap/config
+ - ${_param:cluster_node02_address}:/srv/glusterfs/openldap/config
+ - ${_param:cluster_node03_address}:/srv/glusterfs/openldap/config
+ options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
+ storage.owner-gid: 999
+ storage.owner-uid: 999
+ cluster.readdir-optimize: On
+ nfs.disable: On
+ network.remote-dio: On
+ diagnostics.client-log-level: WARNING
+ diagnostics.brick-log-level: WARNING
+ cluster.favorite-child-policy: mtime
+ openldap-data:
+ storage: /srv/glusterfs/openldap/data
+ replica: 3
+ bricks:
+ - ${_param:cluster_node01_address}:/srv/glusterfs/openldap/data
+ - ${_param:cluster_node02_address}:/srv/glusterfs/openldap/data
+ - ${_param:cluster_node03_address}:/srv/glusterfs/openldap/data
+ options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
+ storage.owner-gid: 999
+ storage.owner-uid: 999
+ cluster.readdir-optimize: On
+ nfs.disable: On
+ network.remote-dio: On
+ diagnostics.client-log-level: WARNING
+ diagnostics.brick-log-level: WARNING
+ cluster.favorite-child-policy: mtime
diff --git a/glusterfs/server/volume/postgresql.yml b/glusterfs/server/volume/postgresql.yml
index c48d833..5376934 100644
--- a/glusterfs/server/volume/postgresql.yml
+++ b/glusterfs/server/volume/postgresql.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/postgresql
- ${_param:cluster_node03_address}:/srv/glusterfs/postgresql
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/postgresql_k8s.yml b/glusterfs/server/volume/postgresql_k8s.yml
new file mode 100644
index 0000000..523ef59
--- /dev/null
+++ b/glusterfs/server/volume/postgresql_k8s.yml
@@ -0,0 +1,22 @@
+parameters:
+ glusterfs:
+ server:
+ volumes:
+ postgresql-data:
+ storage: /srv/glusterfs/postgresql
+ replica: 3
+ bricks:
+ - ${_param:cluster_node01_address}:/srv/glusterfs/postgresql
+ - ${_param:cluster_node02_address}:/srv/glusterfs/postgresql
+ - ${_param:cluster_node03_address}:/srv/glusterfs/postgresql
+ options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
+ storage.owner-gid: 999
+ storage.owner-uid: 999
+ cluster.readdir-optimize: On
+ nfs.disable: On
+ network.remote-dio: On
+ diagnostics.client-log-level: WARNING
+ diagnostics.brick-log-level: WARNING
+ cluster.favorite-child-policy: mtime
diff --git a/glusterfs/server/volume/privatebin.yml b/glusterfs/server/volume/privatebin.yml
index e2eba2d..e78df75 100644
--- a/glusterfs/server/volume/privatebin.yml
+++ b/glusterfs/server/volume/privatebin.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/privatebin
- ${_param:cluster_node03_address}:/srv/glusterfs/privatebin
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/pushkin.yml b/glusterfs/server/volume/pushkin.yml
index 2d6a249..14d8b16 100644
--- a/glusterfs/server/volume/pushkin.yml
+++ b/glusterfs/server/volume/pushkin.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/pushkin
- ${_param:cluster_node03_address}:/srv/glusterfs/pushkin
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/registry.yml b/glusterfs/server/volume/registry.yml
index 474ce7b..19d0106 100644
--- a/glusterfs/server/volume/registry.yml
+++ b/glusterfs/server/volume/registry.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/registry
- ${_param:cluster_node03_address}:/srv/glusterfs/registry
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/rundeck.yml b/glusterfs/server/volume/rundeck.yml
index c0ced5b..727496a 100644
--- a/glusterfs/server/volume/rundeck.yml
+++ b/glusterfs/server/volume/rundeck.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/rundeck
- ${_param:cluster_node03_address}:/srv/glusterfs/rundeck
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/salt.yml b/glusterfs/server/volume/salt.yml
index e14701d..f832bce 100644
--- a/glusterfs/server/volume/salt.yml
+++ b/glusterfs/server/volume/salt.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/saltmaster
- ${_param:cluster_node03_address}:/srv/glusterfs/saltmaster
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/salt_pki.yml b/glusterfs/server/volume/salt_pki.yml
index 9a26bdb..8135e47 100644
--- a/glusterfs/server/volume/salt_pki.yml
+++ b/glusterfs/server/volume/salt_pki.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/salt_pki
- ${_param:cluster_node03_address}:/srv/glusterfs/salt_pki
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/glusterfs/server/volume/security_monkey.yml b/glusterfs/server/volume/security_monkey.yml
index e730c90..3fa9f57 100644
--- a/glusterfs/server/volume/security_monkey.yml
+++ b/glusterfs/server/volume/security_monkey.yml
@@ -10,6 +10,8 @@
- ${_param:cluster_node02_address}:/srv/glusterfs/security_monkey
- ${_param:cluster_node03_address}:/srv/glusterfs/security_monkey
options:
+ auth.allow: ${_param:glusterfs_allow_ips}
+ auth.reject: ${_param:glusterfs_reject_ips}
cluster.readdir-optimize: On
nfs.disable: On
network.remote-dio: On
diff --git a/gnocchi/common/coordination/redis.yml b/gnocchi/common/coordination/redis.yml
index 673d9bd..f1e94b6 100644
--- a/gnocchi/common/coordination/redis.yml
+++ b/gnocchi/common/coordination/redis.yml
@@ -1,7 +1,18 @@
parameters:
_param:
- gnocchi_coordination_url: redis://${_param:single_address}:6379
+ gnocchi_coordination_url: redis://openstack:${_param:openstack_telemetry_redis_password}@${_param:redis_sentinel_node01_address}:26379?db=0&sentinel=master_1&sentinel_fallback=${_param:redis_sentinel_node02_address}:26379&sentinel_fallback=${_param:redis_sentinel_node03_address}:26379
gnocchi:
common:
coordination_backend:
url: ${_param:gnocchi_coordination_url}
+ engine: redis
+ redis:
+ password: ${_param:openstack_telemetry_redis_password}
+ user: openstack
+ db: ${_param:gnocchi_redis_db}
+ sentinel:
+ host: ${_param:redis_sentinel_node01_address}
+ master_name: ${_param:gnocchi_redis_sentinel_mastername}
+ fallback:
+ - host: ${_param:redis_sentinel_node02_address}
+ - host: ${_param:redis_sentinel_node03_address}
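Review bot: The new `gnocchi_coordination_url` splices `${_param:openstack_telemetry_redis_password}` straight into the URL userinfo and hard-codes `db=0` and `sentinel=master_1`, while the structured `redis:` block below takes the same settings from `${_param:gnocchi_redis_db}` and `${_param:gnocchi_redis_sentinel_mastername}`. A password containing `@`, `/`, `?` or `#` would break URL parsing unless it is percent-encoded, and the two representations can drift apart when a deployment overrides the db or the master name. I would build the query string from the same parameters, `?db=${_param:gnocchi_redis_db}&sentinel=${_param:gnocchi_redis_sentinel_mastername}`, and add a comment that the password must be URL-safe and that the rendered URL should be kept out of logs. The same construction appears in gnocchi/common/storage/incoming/redis.yml and gnocchi/common/storage/redis.yml.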
diff --git a/gnocchi/common/storage/incoming/redis.yml b/gnocchi/common/storage/incoming/redis.yml
index d0f04d7..77cd6c6 100644
--- a/gnocchi/common/storage/incoming/redis.yml
+++ b/gnocchi/common/storage/incoming/redis.yml
@@ -1,10 +1,20 @@
parameters:
_param:
- gnocchi_storage_incoming_redis_url: redis://${_param:single_address}:6379
+ gnocchi_storage_incoming_redis_url: redis://openstack:${_param:openstack_telemetry_redis_password}@${_param:redis_sentinel_node01_address}:26379?db=0&sentinel=master_1&sentinel_fallback=${_param:redis_sentinel_node02_address}:26379&sentinel_fallback=${_param:redis_sentinel_node03_address}:26379
gnocchi_storage_incoming_driver: redis
gnocchi:
common:
storage:
incoming:
driver: ${_param:gnocchi_storage_incoming_driver}
- redis_url: ${_param:gnocchi_storage_incoming_redis_url}
\ No newline at end of file
+ redis_url: ${_param:gnocchi_storage_incoming_redis_url}
+ redis:
+ password: ${_param:openstack_telemetry_redis_password}
+ user: openstack
+ db: ${_param:gnocchi_redis_db}
+ sentinel:
+ host: ${_param:redis_sentinel_node01_address}
+ master_name: ${_param:gnocchi_redis_sentinel_mastername}
+ fallback:
+ - host: ${_param:redis_sentinel_node02_address}
+ - host: ${_param:redis_sentinel_node03_address}
diff --git a/gnocchi/common/storage/redis.yml b/gnocchi/common/storage/redis.yml
index d71fcf0..079c887 100644
--- a/gnocchi/common/storage/redis.yml
+++ b/gnocchi/common/storage/redis.yml
@@ -1,9 +1,19 @@
parameters:
_param:
- gnocchi_storage_redis_url: redis://${_param:single_address}:6379
+ gnocchi_storage_redis_url: redis://openstack:${_param:openstack_telemetry_redis_password}@${_param:redis_sentinel_node01_address}:26379?db=0&sentinel=master_1&sentinel_fallback=${_param:redis_sentinel_node02_address}:26379&sentinel_fallback=${_param:redis_sentinel_node03_address}:26379
gnocchi_storage_driver: redis
gnocchi:
common:
storage:
driver: ${_param:gnocchi_storage_driver}
- redis_url: ${_param:gnocchi_storage_redis_url}
\ No newline at end of file
+ redis_url: ${_param:gnocchi_storage_redis_url}
+ redis:
+ password: ${_param:openstack_telemetry_redis_password}
+ user: openstack
+ db: ${_param:gnocchi_redis_db}
+ sentinel:
+ host: ${_param:redis_sentinel_node01_address}
+ master_name: ${_param:gnocchi_redis_sentinel_mastername}
+ fallback:
+ - host: ${_param:redis_sentinel_node02_address}
+ - host: ${_param:redis_sentinel_node03_address}
diff --git a/haproxy/proxy/listen/keycloak.yml b/haproxy/proxy/listen/keycloak.yml
index 89a9670..73697a3 100644
--- a/haproxy/proxy/listen/keycloak.yml
+++ b/haproxy/proxy/listen/keycloak.yml
@@ -1,7 +1,7 @@
parameters:
_param:
haproxy_keycloak_bind_host: ${_param:haproxy_bind_address}
- haproxy_keycloak_bind_port: 8080
+ haproxy_keycloak_bind_port: 8086
haproxy_keycloak_exposed_port: 18086
haproxy_keycloak_ssl:
enabled: false
diff --git a/haproxy/proxy/listen/openstack/large_setup.yml b/haproxy/proxy/listen/openstack/large_setup.yml
index 947cfce..c517779 100644
--- a/haproxy/proxy/listen/openstack/large_setup.yml
+++ b/haproxy/proxy/listen/openstack/large_setup.yml
@@ -8,4 +8,4 @@
- system.haproxy.proxy.listen.openstack.keystone.large
- system.haproxy.proxy.listen.openstack.neutron_large
- system.haproxy.proxy.listen.openstack.nova_large
-- system.haproxy.proxy.listen.openstack.novanc_large
+- system.haproxy.proxy.listen.openstack.novnc_large
diff --git a/haproxy/proxy/listen/stacklight/elasticsearch.yml b/haproxy/proxy/listen/stacklight/elasticsearch.yml
index 582de6a..d684861 100644
--- a/haproxy/proxy/listen/stacklight/elasticsearch.yml
+++ b/haproxy/proxy/listen/stacklight/elasticsearch.yml
@@ -1,10 +1,6 @@
parameters:
_param:
haproxy_elasticsearch_bind_host: ${_param:cluster_vip_address}
- haproxy_elasticsearch_http_bind_port: 9200
- haproxy_elasticsearch_http_exposed_port: 9200
- haproxy_elasticsearch_binary_bind_port: 9300
- haproxy_elasticsearch_binary_exposed_port: 9300
haproxy:
proxy:
listen:
@@ -17,7 +13,7 @@
- dontlog-normal
balance: roundrobin
binds:
- - address: ${_param:haproxy_elasticsearch_bind_host}
+ - address: ${_param:cluster_vip_address}
port: ${_param:haproxy_elasticsearch_http_bind_port}
servers:
- name: ${_param:cluster_node01_hostname}
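Review bot: The bind now uses `${_param:cluster_vip_address}` directly, but `haproxy_elasticsearch_bind_host` is still defined in the first hunk of this file, so a deployment that overrides that parameter silently loses the override. The `port` on the following line still references `${_param:haproxy_elasticsearch_http_bind_port}`, which the first hunk removes from this file, so it has to be defined in another class or interpolation will fail. Either keep `- address: ${_param:haproxy_elasticsearch_bind_host}` or drop the unused parameter, and add a comment saying where the port parameters now live. The listener definition continues outside the hunk.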
diff --git a/haproxy/proxy/listen/stacklight/elasticsearch_ssl.yml b/haproxy/proxy/listen/stacklight/elasticsearch_ssl.yml
new file mode 100644
index 0000000..a50280e
--- /dev/null
+++ b/haproxy/proxy/listen/stacklight/elasticsearch_ssl.yml
@@ -0,0 +1,55 @@
+parameters:
+ _param:
+ haproxy_elasticsearch_bind_host: ${_param:cluster_vip_address}
+ haproxy:
+ proxy:
+ listen:
+ elasticsearch:
+ mode: http
+ options:
+ - httplog
+ - http-keep-alive
+ - prefer-last-server
+ - dontlog-normal
+ balance: roundrobin
+ binds:
+ - address: ${_param:cluster_vip_address}
+ port: ${_param:haproxy_elasticsearch_http_bind_port}
+ ssl:
+ enabled: true
+ pem_file: /etc/elasticsearch/elasticsearch.pem
+ servers:
+ - name: ${_param:cluster_node01_hostname}
+ host: ${_param:cluster_node01_address}
+ port: ${_param:haproxy_elasticsearch_http_exposed_port}
+ params: 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3'
+ - name: ${_param:cluster_node02_hostname}
+ host: ${_param:cluster_node02_address}
+ port: ${_param:haproxy_elasticsearch_http_exposed_port}
+ params: 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3'
+ - name: ${_param:cluster_node03_hostname}
+ host: ${_param:cluster_node03_address}
+ port: ${_param:haproxy_elasticsearch_http_exposed_port}
+ params: 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3'
+ elasticsearch_binary:
+ mode: tcp
+ options:
+ - tcpka
+ - tcplog
+ balance: source
+ binds:
+ - address: ${_param:cluster_vip_address}
+ port: ${_param:haproxy_elasticsearch_binary_bind_port}
+ servers:
+ - name: ${_param:cluster_node01_hostname}
+ host: ${_param:cluster_node01_address}
+ port: ${_param:haproxy_elasticsearch_binary_exposed_port}
+ params: 'check'
+ - name: ${_param:cluster_node02_hostname}
+ host: ${_param:cluster_node02_address}
+ port: ${_param:haproxy_elasticsearch_binary_exposed_port}
+ params: 'check'
+ - name: ${_param:cluster_node03_hostname}
+ host: ${_param:cluster_node03_address}
+ port: ${_param:haproxy_elasticsearch_binary_exposed_port}
+ params: 'check'
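Review bot: In the `elasticsearch` listener TLS is enabled only on the bind (`ssl: enabled: true` with `pem_file`), while the three `servers` entries keep `params: 'check inter 10s …'` with no `ssl` keyword, so as written HAProxy would forward to the `cluster_node0x_address` backends in clear text. The `elasticsearch_binary` listener is plain `mode: tcp` with no TLS at all. If the backends are meant to serve TLS, the server params need something like `ssl verify required ca-file <CA bundle path>`. If plaintext behind the VIP is intended, a comment saying so would help the next reader. Also, `haproxy_elasticsearch_bind_host` is defined at the top but both binds use `${_param:cluster_vip_address}` directly, so overriding it has no effect.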
diff --git a/jenkins/client/job/deploy/update/init.yml b/jenkins/client/job/deploy/update/init.yml
index 5a26020..964f897 100644
--- a/jenkins/client/job/deploy/update/init.yml
+++ b/jenkins/client/job/deploy/update/init.yml
@@ -5,6 +5,7 @@
- system.jenkins.client.job.deploy.update.update_mirror_image
- system.jenkins.client.job.deploy.update.update_ceph
- system.jenkins.client.job.deploy.update.upgrade
+ - system.jenkins.client.job.deploy.update.upgrade_rabbitmq
- system.jenkins.client.job.deploy.update.upgrade_compute
- system.jenkins.client.job.deploy.update.upgrade_mcp_release
- system.jenkins.client.job.deploy.update.upgrade_ovs_gateway
diff --git a/jenkins/client/job/deploy/update/upgrade_rabbitmq.yml b/jenkins/client/job/deploy/update/upgrade_rabbitmq.yml
new file mode 100644
index 0000000..73c2f1f
--- /dev/null
+++ b/jenkins/client/job/deploy/update/upgrade_rabbitmq.yml
@@ -0,0 +1,46 @@
+#
+# Jobs to upgrade RabbitMQ packages on given Salt master environment
+#
+parameters:
+ jenkins:
+ client:
+ job:
+ deploy-upgrade-rabbitmq:
+ type: workflow-scm
+ concurrent: true
+ discard:
+ build:
+ keep_num: 10
+ artifact:
+ keep_num: 10
+ display_name: "Deploy - upgrade RabbitMQ server"
+ scm:
+ type: git
+ url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+ branch: "${_param:jenkins_pipelines_branch}"
+ credentials: "gerrit"
+ script: openstack-rabbitmq-upgrade.groovy
+ param:
+ SALT_MASTER_URL:
+ type: string
+ default: "${_param:jenkins_salt_api_url}"
+ SALT_MASTER_CREDENTIALS:
+ type: string
+ default: "salt"
+ OS_DIST_UPGRADE:
+ type: boolean
+ default: 'false'
+ description: "Upgrade system packages including kernel (apt-get dist-upgrade)"
+ OS_UPGRADE:
+ type: boolean
+ default: 'false'
+ description: "Upgrade all installed applications (apt-get upgrade)"
+ INTERACTIVE:
+ type: boolean
+ default: 'true'
+ description: "Ask interactive questions during pipeline run (bool)"
+ TARGET_SERVERS:
+ type: string
+ default: 'msg*'
+ description: "Salt compound expression to get messaging servers to upgrade."
+
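Review bot: `concurrent: true` lets two builds of `deploy-upgrade-rabbitmq` run at once against the same `TARGET_SERVERS` default `msg*`, which looks unintended for a package upgrade of a message broker; the pipeline script is not visible here, so it may serialise internally. I would set `concurrent: false`, as the `cvp-tempest` job in jenkins/client/job/validate.yml does. `SALT_MASTER_URL` and `SALT_MASTER_CREDENTIALS` also lack the `description` that the other parameters carry.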
diff --git a/jenkins/client/job/validate.yml b/jenkins/client/job/validate.yml
index cca73c5..90e135f 100644
--- a/jenkins/client/job/validate.yml
+++ b/jenkins/client/job/validate.yml
@@ -248,7 +248,7 @@
description: Credentials to the Salt API
TEST_IMAGE:
type: string
- default: "xrally/xrally-openstack:0.10.1"
+ default: "xrally/xrally-openstack:0.11.2"
description: Docker image to use for running Rally/Tempest
TARGET_NODE:
type: string
@@ -308,7 +308,7 @@
description: Node where container with tempest will be run
TEST_IMAGE:
type: string
- default: "xrally/xrally-openstack:0.10.1"
+ default: "xrally/xrally-openstack:0.11.2"
description: Docker image to use for running Rally/Tempest
TARGET_NODES:
type: string
@@ -346,6 +346,53 @@
type: string
default: "https://github.com/Mirantis/cvp-configuration"
description: URL of repo where testing tools, scenarios, configs are located.
+ cvp-tempest:
+ type: workflow-scm
+ name: cvp-tempest
+ display_name: "CVP-Tempest (technical preview)"
+ discard:
+ build:
+ keep_num: 20
+ artifact:
+ keep_num: 20
+ concurrent: false
+ scm:
+ type: git
+ url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+ branch: "${_param:jenkins_pipelines_branch}"
+ credentials: "gerrit"
+ script: cvp-tempest.groovy
+ param:
+ PREPARE_RESOURCES:
+ type: boolean
+ default: true
+ description: Prepare resources for Tempest
+ SALT_MASTER_URL:
+ type: string
+ default: "${_param:jenkins_salt_api_url}"
+ description: SALT_MASTER_URL
+ TEMPEST_TEST_PATTERN:
+ type: string
+ default: "set=smoke"
+ description: Use set=smoke, set=full or just test name (regex)
+ TEMPEST_ENDPOINT_TYPE:
+ type: choice
+ choices:
+ - internalURL
+ - adminURL
+ - publicURL
+ description: Openstack endpoint type to use during test run.
+ EXTRA_PARAMS:
+ type: text
+ default: |
+ ---
+ DEBUG_MODE: false
+ GENERATE_CONFIG: true
+ TARGET_NODE: "I@gerrit:client"
+ SKIP_LIST_PATH: ""
+ TEST_IMAGE: "docker-prod-virtual.docker.mirantis.net/mirantis/cicd/ci-tempest:${_param:openstack_version}"
+ report_prefix: "cvp_"
+ description: YAML context with additional parameters
cvp-perf:
type: workflow-scm
name: cvp-perf
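Review bot: The `TEST_IMAGE` default inside `EXTRA_PARAMS` references the container by a tag derived from `${_param:openstack_version}`, and the three `xrally/xrally-openstack:0.11.2` bumps in this file likewise rely on a tag; a tag can be re-pointed at the registry, and these jobs are handed the Salt API URL. Pinning by digest, e.g. `…/ci-tempest:${_param:openstack_version}@sha256:<digest>`, would make the image content reproducible. Separately, `description: SALT_MASTER_URL` only repeats the parameter name, and `TEMPEST_ENDPOINT_TYPE` has no stated default. The `job:` mapping this entry belongs to starts outside the hunk.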
@@ -373,7 +420,7 @@
description: Path to scenario file in container
TEST_IMAGE:
type: string
- default: "xrally/xrally-openstack:0.10.1"
+ default: "xrally/xrally-openstack:0.11.2"
description: Docker image to use for running Rally/Tempest
SALT_MASTER_URL:
type: string
diff --git a/jenkins/client/node.yml b/jenkins/client/node.yml
index e5e4d3b..2de0022 100644
--- a/jenkins/client/node.yml
+++ b/jenkins/client/node.yml
@@ -7,8 +7,7 @@
master:
node_mode: Exclusive
remote_home: /var/lib/jenkins
- labels:
- - python
+ num_executors: 0
launcher:
type: master
slave01:
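Review bot: With `num_executors: 0` and the `python` label removed from the master, any job still restricted to the `python` label will wait in the queue unless an agent carries that label; no agent labels are visible in this hunk. A short comment on the new line would record the intent, e.g. `# controller runs no builds; jobs must target agents`. The node mapping continues outside the hunk.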
diff --git a/keystone/client/service/radosgw-swift.yml b/keystone/client/service/radosgw-swift.yml
index e93f9b4..c8b6569 100644
--- a/keystone/client/service/radosgw-swift.yml
+++ b/keystone/client/service/radosgw-swift.yml
@@ -8,6 +8,8 @@
client:
server:
identity:
+ roles:
+ - ResellerAdmin
project:
service:
user:
@@ -16,6 +18,11 @@
password: ${_param:keystone_swift_password}
email: ${_param:admin_email}
options: ${_param:openstack_service_user_options}
+ admin:
+ user:
+ admin:
+ roles:
+ - ResellerAdmin
service:
radosgw-swift:
type: object-store
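Review bot: `ResellerAdmin` is granted to the `admin` user in the second hunk with nothing recording why. If the object store treats that role as cross-account operator access (how it is mapped on the RadosGW side is not visible here), attaching it to a general-purpose admin account widens what a leaked admin token can reach. A comment above the `roles:` entry naming the consumer that needs it, e.g. `# ResellerAdmin: required by <component> to read usage across accounts`, would help, and a dedicated service user would be the narrower option. keystone/client/v3/service/radosgw-swift.yml makes the same grant, and the enclosing mappings start outside the hunk.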
diff --git a/keystone/client/v3/service/radosgw-swift.yml b/keystone/client/v3/service/radosgw-swift.yml
index ca06fed..2e78bb9 100644
--- a/keystone/client/v3/service/radosgw-swift.yml
+++ b/keystone/client/v3/service/radosgw-swift.yml
@@ -6,6 +6,10 @@
client:
resources:
v3:
+ roles:
+ reseller_admin:
+ name: ResellerAdmin
+ enabled: true
users:
swift:
password: ${_param:keystone_swift_password}
@@ -15,6 +19,11 @@
service_admin:
name: admin
project_id: service
+ admin:
+ roles:
+ reseller_admin:
+ name: ResellerAdmin
+ project_id: admin
services:
radosgw-swift:
type: object-store
diff --git a/keystone/server/cluster.yml b/keystone/server/cluster.yml
index 7e9ea1b..824c6b5 100644
--- a/keystone/server/cluster.yml
+++ b/keystone/server/cluster.yml
@@ -37,7 +37,7 @@
region: ${_param:openstack_region}
bind:
address: ${_param:cluster_local_address}
- private_address: ${_param:cluster_vip_address}
+ private_address: ${_param:openstack_service_host}
private_port: 35357
public_address: ${_param:cluster_vip_address}
public_port: 5000
diff --git a/kibana/client/ssl.yml b/kibana/client/ssl.yml
new file mode 100644
index 0000000..76160c6
--- /dev/null
+++ b/kibana/client/ssl.yml
@@ -0,0 +1,5 @@
+parameters:
+ kibana:
+ client:
+ server:
+ scheme: https
diff --git a/kibana/server/single.yml b/kibana/server/single.yml
index 965f274..5c59588 100644
--- a/kibana/server/single.yml
+++ b/kibana/server/single.yml
@@ -13,4 +13,5 @@
engine: elasticsearch
host: ${_param:kibana_elasticsearch_host}
port: 9200
+ scheme: http
diff --git a/kibana/server/ssl.yml b/kibana/server/ssl.yml
new file mode 100644
index 0000000..5b049f8
--- /dev/null
+++ b/kibana/server/ssl.yml
@@ -0,0 +1,5 @@
+parameters:
+ kibana:
+ server:
+ database:
+ scheme: https
diff --git a/prometheus/elasticsearch_exporter/queries/compute.yml b/prometheus/elasticsearch_exporter/queries/compute.yml
index 66904da..a17cb7f 100644
--- a/prometheus/elasticsearch_exporter/queries/compute.yml
+++ b/prometheus/elasticsearch_exporter/queries/compute.yml
@@ -27,7 +27,8 @@
"aggs": {
"host": {
"terms": {
- "field": "Hostname.keyword"
+ "field": "Hostname.keyword",
+ "min_doc_count": 0
}
}
}
@@ -56,7 +57,8 @@
"aggs": {
"host": {
"terms": {
- "field": "Hostname.keyword"
+ "field": "Hostname.keyword",
+ "min_doc_count": 0
}
}
}
@@ -83,7 +85,8 @@
"aggs": {
"host": {
"terms": {
- "field": "Hostname.keyword"
+ "field": "Hostname.keyword",
+ "min_doc_count": 0
}
}
}
@@ -110,7 +113,8 @@
"aggs": {
"host": {
"terms": {
- "field": "Hostname.keyword"
+ "field": "Hostname.keyword",
+ "min_doc_count": 0
}
}
}
diff --git a/prometheus/gainsight/query/openstack.yml b/prometheus/gainsight/query/openstack.yml
index 40a804b..b443712 100644
--- a/prometheus/gainsight/query/openstack.yml
+++ b/prometheus/gainsight/query/openstack.yml
@@ -16,3 +16,10 @@
keystone_api: "'Keystone API','avg(avg_over_time(openstack_api_check_status{name=\"keystone\"}[24h]))'"
glance_api: "'Glance API','avg(avg_over_time(openstack_api_check_status{name=\"glance\"}[24h]))'"
neutron_api: "'Neutron API','avg(avg_over_time(openstack_api_check_status{name=\"neutron\"}[24h]))'"
+ nova_vm_all: "'Total VM number','avg_over_time(total:openstack_nova_instance_all[1d])'"
+ nova_vm_failed: "'Failed VM number','avg_over_time(total:openstack_nova_instance_failed[1d])'"
+ kpi_downtime: "'KPI Downtime','1 - avg_over_time(total:openstack_nova_instance_failed[1d]) / avg_over_time(total:openstack_nova_instance_all[1d])'"
+ compute_instance_create_start: "'VM creation start','sum(compute_instance_create_start_host_doc_count)'"
+ compute_instance_create_end: "'VM creation end','sum(compute_instance_create_end_host_doc_count)'"
+ compute_instance_create_error: "'VM creation error','sum(compute_instance_create_error_host_doc_count)'"
+
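Review bot: `kpi_downtime` is labelled 'KPI Downtime', but the expression `1 - failed / all` evaluates to the share of instances that are not failed, which reads as availability rather than downtime; either the label or the expression should be adjusted. When `total:openstack_nova_instance_all` averages to 0 the division yields NaN; filtering the denominator, `/ (avg_over_time(total:openstack_nova_instance_all[1d]) > 0)`, returns no sample instead. The mapping these keys belong to starts outside the hunk.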
diff --git a/salt/minion/cert/elasticsearch.yml b/salt/minion/cert/elasticsearch.yml
new file mode 100644
index 0000000..0ac232d
--- /dev/null
+++ b/salt/minion/cert/elasticsearch.yml
@@ -0,0 +1,16 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ elasticsearch:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: elasticsearch
+ signing_policy: cert_server
+ alternative_names: IP:127.0.0.1,IP:${_param:single_address},IP:${_param:stacklight_log_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+ key_file: /etc/elasticsearch/elasticsearch.key
+ cert_file: /etc/elasticsearch/elasticsearch.crt
+ ca_file: /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem
+ all_file: /etc/elasticsearch/elasticsearch.pem
+ mode: '0444'
+ enabled: true
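Review bot: `mode: '0444'` sits in the same block as `key_file` and `all_file`, and if the cert state applies that mode to those files, the private key becomes readable by every local user. That would also cover the combined PEM at `/etc/elasticsearch/elasticsearch.pem`, which haproxy/proxy/listen/stacklight/elasticsearch_ssl.yml reads. Unless the formula applies `mode` only to the public certificate, I would tighten it to `mode: '0440'` or `mode: '0400'`, with ownership given to the account that reads the key. The same `mode: '0444'` is set in salt/minion/cert/fluentd_prometheus.yml and salt/minion/cert/telegraf_agent.yml.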
diff --git a/salt/minion/cert/fluentd_prometheus.yml b/salt/minion/cert/fluentd_prometheus.yml
new file mode 100644
index 0000000..d7f4469
--- /dev/null
+++ b/salt/minion/cert/fluentd_prometheus.yml
@@ -0,0 +1,14 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ fluentd_prometheus:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: fluentd_prometheus
+ signing_policy: cert_server
+ alternative_names: IP:127.0.0.1,IP:${_param:single_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+ key_file: ${fluentd:agent:dir:config}/fluentd-prometheus.key
+ cert_file: ${fluentd:agent:dir:config}/fluentd-prometheus.crt
+ mode: '0444'
+ enabled: true
diff --git a/salt/minion/cert/telegraf_agent.yml b/salt/minion/cert/telegraf_agent.yml
new file mode 100644
index 0000000..d54520c
--- /dev/null
+++ b/salt/minion/cert/telegraf_agent.yml
@@ -0,0 +1,14 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ telegraf_agent:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: telegraf_agent
+ signing_policy: cert_server
+ alternative_names: IP:127.0.0.1,IP:${_param:single_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+ key_file: ${telegraf:agent:dir:config}/telegraf-agent.key
+ cert_file: ${telegraf:agent:dir:config}/telegraf-agent.crt
+ mode: '0444'
+ enabled: true
diff --git a/telegraf/agent/output/prometheus_client_ssl.yml b/telegraf/agent/output/prometheus_client_ssl.yml
new file mode 100644
index 0000000..f59335f
--- /dev/null
+++ b/telegraf/agent/output/prometheus_client_ssl.yml
@@ -0,0 +1,10 @@
+parameters:
+ telegraf:
+ agent:
+ output:
+ prometheus_client:
+ scheme: https
+ tls_cert: ${telegraf:agent:dir:config}/telegraf-agent.crt
+ tls_key: ${telegraf:agent:dir:config}/telegraf-agent.key
+ tls_config:
+ ca_file: /etc/ssl/certs/ca-certificates.crt