Merge "Fixed test cookiecutter templates to improve gating process"
diff --git a/.releasenotes/notes/remove-glusterfs-prometheus-4206900d4ccfb601.yaml b/.releasenotes/notes/remove-glusterfs-prometheus-4206900d4ccfb601.yaml
new file mode 100644
index 0000000..6d6a426
--- /dev/null
+++ b/.releasenotes/notes/remove-glusterfs-prometheus-4206900d4ccfb601.yaml
@@ -0,0 +1,9 @@
+---
+summary: >
+ Removed GlusterFS requirements for Prometheus
+
+deprecations:
+ - Removed GlusterFS from Prometheus requirements.
+ Prometheus/alertmanager do not require shared storage.
+ Now, the configurations for Prometheus and Alertmanager
+ will be generated on every Docker Swarm node.
diff --git a/devops_portal/service/elasticsearch.yml b/devops_portal/service/elasticsearch.yml
index 647c4ef..6fd9afa 100644
--- a/devops_portal/service/elasticsearch.yml
+++ b/devops_portal/service/elasticsearch.yml
@@ -4,7 +4,8 @@
service:
elasticsearch:
configure_proxy: true
+ resolve_hostname: true
endpoint:
- address: ${_param:haproxy_elasticsearch_bind_host}
- port: ${_param:haproxy_elasticsearch_http_bind_port}
- https: ${_param:haproxy_elasticsearch_ssl:enabled}
+ address: ${_param:elasticsearch_bind_host}
+ port: ${_param:elasticsearch_http_bind_port}
+ https: ${_param:elasticsearch_ssl:enabled}
diff --git a/devops_portal/service/janitor_monkey.yml b/devops_portal/service/janitor_monkey.yml
index 73f2e7c..f16ae7c 100644
--- a/devops_portal/service/janitor_monkey.yml
+++ b/devops_portal/service/janitor_monkey.yml
@@ -4,7 +4,8 @@
service:
janitormonkey:
configure_proxy: true
+ resolve_hostname: true
endpoint:
- address: ${_param:haproxy_janitor_monkey_bind_host}
- port: ${_param:haproxy_janitor_monkey_bind_port}
- https: ${_param:haproxy_janitor_monkey_ssl:enabled}
+ address: ${_param:janitor_monkey_bind_host}
+ port: ${_param:janitor_monkey_bind_port}
+ https: ${_param:janitor_monkey_ssl:enabled}
diff --git a/devops_portal/service/pushkin.yml b/devops_portal/service/pushkin.yml
index 82a073c..5cd172a 100644
--- a/devops_portal/service/pushkin.yml
+++ b/devops_portal/service/pushkin.yml
@@ -4,7 +4,8 @@
service:
pushkin:
configure_proxy: true
+ resolve_hostname: true
endpoint:
- address: ${_param:haproxy_pushkin_bind_host}
- port: ${_param:haproxy_pushkin_bind_port}
- https: ${_param:haproxy_pushkin_ssl:enabled}
+ address: ${_param:pushkin_bind_host}
+ port: ${_param:pushkin_bind_port}
+ https: ${_param:pushkin_ssl:enabled}
diff --git a/devops_portal/service/rundeck.yml b/devops_portal/service/rundeck.yml
index 82fd764..ad743cf 100644
--- a/devops_portal/service/rundeck.yml
+++ b/devops_portal/service/rundeck.yml
@@ -4,6 +4,7 @@
service:
rundeck:
configure_proxy: true
+ resolve_hostname: false
credentials:
username: ${_param:rundeck_admin_username}
password: ${_param:rundeck_admin_password}
diff --git a/devops_portal/service/security_monkey.yml b/devops_portal/service/security_monkey.yml
index ba5fe81..da896a8 100644
--- a/devops_portal/service/security_monkey.yml
+++ b/devops_portal/service/security_monkey.yml
@@ -4,10 +4,11 @@
service:
securitymonkey:
configure_proxy: true
+ resolve_hostname: true
endpoint:
- address: ${_param:haproxy_security_monkey_bind_host}
- port: ${_param:haproxy_security_monkey_bind_port}
- https: ${_param:haproxy_security_monkey_ssl:enabled}
+ address: ${_param:security_monkey_bind_host}
+ port: ${_param:security_monkey_bind_port}
+ https: ${_param:security_monkey_ssl:enabled}
credentials:
username: ${_param:security_monkey_user}
password: ${_param:security_monkey_password}
diff --git a/docker/swarm/network/oss_backend.yml b/docker/swarm/network/oss_backend.yml
new file mode 100644
index 0000000..daa628e
--- /dev/null
+++ b/docker/swarm/network/oss_backend.yml
@@ -0,0 +1,10 @@
+parameters:
+ _param:
+ docker_oss_network_subnet: 10.50.0.0/24
+ docker:
+ client:
+ network:
+ oss_backend:
+ subnet: ${_param:docker_oss_network_subnet}
+ driver: overlay
+ attachable: true
\ No newline at end of file
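Review bot: `attachable: true` on `oss_backend` lets any standalone container started on a swarm node join the network that now carries the direct service-to-service traffic for Elasticsearch, PostgreSQL, MongoDB and the OSS APIs; if no consumer outside the stacks needs it, leave it off. The stack files changed in this commit default every `*_ssl: enabled` to `false`, and Docker overlay networks do not encrypt data-plane traffic unless the `encrypted` driver option is set, so that traffic crosses hosts in clear text. If the formula can pass driver options, enabling encryption here would be the cheapest mitigation; otherwise a comment stating that the subnet is assumed to be a trusted segment would help. The file also ends without a trailing newline.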
diff --git a/docker/swarm/stack/devops_portal.yml b/docker/swarm/stack/devops_portal.yml
index f553114..f8f89f9 100644
--- a/docker/swarm/stack/devops_portal.yml
+++ b/docker/swarm/stack/devops_portal.yml
@@ -18,3 +18,9 @@
volumes:
- /srv/volumes/devops_portal/nginx:/etc/nginx/config
- /srv/volumes/devops_portal/config:/opt/devops-portal/config
+ network:
+ default:
+ external:
+ name: oss_backend
+ frontend:
+ driver: overlay
\ No newline at end of file
diff --git a/docker/swarm/stack/elasticsearch.yml b/docker/swarm/stack/elasticsearch.yml
index 1c22e8f..fe7c35e 100644
--- a/docker/swarm/stack/elasticsearch.yml
+++ b/docker/swarm/stack/elasticsearch.yml
@@ -2,6 +2,11 @@
_param:
elasticsearch_replicas: 1
docker_image_elasticsearch: docker.elastic.co/elasticsearch/elasticsearch:5.4.1
+ elasticsearch_bind_host: elasticsearch-cluster
+ elasticsearch_http_bind_port: ${_param:haproxy_elasticsearch_http_bind_port}
+ elasticsearch_binary_bind_port: ${_param:haproxy_elasticsearch_binary_bind_port}
+ elasticsearch_ssl:
+ enabled: false
elasticsearch_cluster_name: oss-cluster
elasticsearch_xpack_security_enabled: 'false'
elasticsearch_xpack_monitoring_enabled: 'false'
@@ -18,14 +23,18 @@
discovery.zen.minimum_master_nodes: ${_param:elasticsearch_discovery_zen_minimum_master_nodes}
discovery.type: ${_param:elasticsearch_discovery_type}
service:
- cluster:
+ elasticsearch-cluster:
image: ${_param:docker_image_elasticsearch}
deploy:
replicas: ${_param:elasticsearch_replicas}
restart_policy:
condition: any
+ volumes:
+ - /srv/volumes/elasticsearch:/usr/share/elasticsearch/data
ports:
- ${_param:haproxy_elasticsearch_http_exposed_port}:${_param:haproxy_elasticsearch_http_bind_port}
- ${_param:haproxy_elasticsearch_binary_exposed_port}:${_param:haproxy_elasticsearch_binary_bind_port}
- volumes:
- - /srv/volumes/elasticsearch:/usr/share/elasticsearch/data
+ network:
+ default:
+ external:
+ name: oss_backend
diff --git a/docker/swarm/stack/gerrit.yml b/docker/swarm/stack/gerrit.yml
index b59172a..95bc233 100644
--- a/docker/swarm/stack/gerrit.yml
+++ b/docker/swarm/stack/gerrit.yml
@@ -7,7 +7,7 @@
gerrit_ldap_bind_password: ""
gerrit_ldap_account_base: ""
gerrit_ldap_group_base: ""
-
+ gerrit_http_listen_url: http://*:8080/
docker:
client:
stack:
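Review bot: `gerrit_http_listen_url: http://*:8080/` declares a plain HTTP listener, while `nginx/server/proxy/cicd/gerrit.yml` in this same commit fronts Gerrit with `protocol: https`. Assuming the image maps `HTTPD_LISTENURL` to Gerrit's `httpd.listenUrl`, the `proxy-https://` scheme is the one meant for a TLS-terminating reverse proxy, so that Gerrit trusts the forwarded scheme and builds its own URLs as https. I would default to `gerrit_http_listen_url: 'proxy-https://*:8080/'`, quoted because the value contains `*` and `:`, and add a comment saying which proxy it assumes. The `_param` block starts above the hunk.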
@@ -40,6 +40,7 @@
LDAP_USERNAME: ${_param:gerrit_ldap_bind_user}
LDAP_PASSWORD: ${_param:gerrit_ldap_bind_password}
WEBURL: ${_param:gerrit_public_host}
+ HTTPD_LISTENURL: ${_param:gerrit_http_listen_url}
GERRIT_ADMIN_SSH_PUBLIC: ${_param:gerrit_admin_public_key}
GERRIT_ADMIN_PWD: ${_param:gerrit_admin_password}
GERRIT_ADMIN_EMAIL: ${_param:gerrit_admin_email}
diff --git a/docker/swarm/stack/janitor_monkey.yml b/docker/swarm/stack/janitor_monkey.yml
index de7a218..08fdb5c 100644
--- a/docker/swarm/stack/janitor_monkey.yml
+++ b/docker/swarm/stack/janitor_monkey.yml
@@ -5,23 +5,32 @@
docker_mongodb_admin_username: admin
docker_mongodb_admin_password: password
docker_image_janitor_monkey: docker-prod-local.artifactory.mirantis.com/mirantis/oss/janitor-monkey
+ janitor_monkey_bind_host: cleanup-service-api
+ janitor_monkey_bind_port: 8080
+ janitor_monkey_ssl:
+ enabled: false
janitor_monkey_enabled: true
janitor_monkey_dryrun_mode: false
- janitor_monkey_base_url: http://${_param:haproxy_janitor_monkey_bind_host}:${_param:haproxy_janitor_monkey_bind_port}
- janitor_monkey_mongodb_host: ${_param:haproxy_mongodb_bind_host}
+ janitor_monkey_mongodb_host: cleanup-service-mongodb
janitor_monkey_mongodb_port: ${_param:haproxy_mongodb_bind_port}
+ mongodb_ssl:
+ enabled: false
+ janitor_monkey_base_url: http://${_param:janitor_monkey_mongodb_host}:${_param:janitor_monkey_mongodb_port}
janitor_monkey_mongodb_db: mcp_cloud
janitor_monkey_mongodb_username: janitor
janitor_monkey_mongodb_password: password
- janitor_monkey_elasticsearch: ${_param:haproxy_elasticsearch_bind_host}:${_param:haproxy_elasticsearch_binary_bind_port}
+ janitor_monkey_elasticsearch: ${_param:elasticsearch_bind_host}:${_param:elasticsearch_binary_bind_port}
janitor_monkey_cloudfire_region: RegionOne
janitor_monkey_cis_clustername: ${_param:elasticsearch_cluster_name}
janitor_monkey_openstack:
project_domain_name: default
project_name: admin
- username: ""
- password: ""
- auth_url: ""
+ auth_url: http://yourcloud.com:5000/v3/auth/tokens
+ username: admin
+ password: password
+ ssl_verify: False
+ cacert_path: /srv/volumes/rundeck/storage/content/cis/openstack/cert.pem
+ cafile: /opt/certs/cert.pem
docker:
client:
stack:
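Review bot: `ssl_verify: False` under `janitor_monkey_openstack` makes the OpenStack client skip certificate verification by default, even though the same block adds `cacert_path` and `cafile` to supply a CA; defaulting to `ssl_verify: true` would make disabling it an explicit per-deployment decision. The block also replaces the empty `username`/`password`/`auth_url` with `admin`/`password`/`http://yourcloud.com:5000/v3/auth/tokens`, so a model that never overrides them renders a plausible config with guessable credentials over plain HTTP instead of an obviously incomplete one. The first hunk of `docker/swarm/stack/security_monkey.yml` adds the same three defaults and the same `ssl_verify: False`. Separately, `janitor_monkey_base_url` is now built from `janitor_monkey_mongodb_host` and `janitor_monkey_mongodb_port`, which looks like a slip for `janitor_monkey_bind_host`/`janitor_monkey_bind_port` added a few lines above.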
@@ -47,8 +56,10 @@
simianarmy.client.cloudfire.secretKey: ${_param:janitor_monkey_openstack:password}
simianarmy.client.cloudfire.domain: ${_param:janitor_monkey_openstack:project_domain_name}
simianarmy.client.cloudfire.project: ${_param:janitor_monkey_openstack:project_name}
+ simianarmy.client.cloudfire.SSLVerify: ${_param:janitor_monkey_openstack:ssl_verify}
+ simianarmy.client.cloudfire.cafile: ${_param:janitor_monkey_openstack:cafile}
service:
- mongodb:
+ cleanup-service-mongodb:
image: ${_param:docker_image_mongodb}
deploy:
replicas: ${_param:docker_janitor_monkey_replicas}
@@ -58,11 +69,17 @@
- ${_param:haproxy_mongodb_exposed_port}:${_param:haproxy_mongodb_bind_port}
volumes:
- /srv/volumes/mongodb:/data/db
- api:
+ cleanup-service-api:
image: ${_param:docker_image_janitor_monkey}
deploy:
replicas: ${_param:docker_janitor_monkey_replicas}
restart_policy:
condition: any
ports:
- - ${_param:haproxy_janitor_monkey_exposed_port}:8080
+ - ${_param:haproxy_janitor_monkey_exposed_port}:${_param:janitor_monkey_bind_port}
+ volumes:
+ - ${_param:janitor_monkey_openstack:cacert_path}:${_param:janitor_monkey_openstack:cafile}:ro
+ network:
+ default:
+ external:
+ name: oss_backend
diff --git a/docker/swarm/stack/monitoring/init.yml b/docker/swarm/stack/monitoring/init.yml
index 17a3a49..95f5f8d 100644
--- a/docker/swarm/stack/monitoring/init.yml
+++ b/docker/swarm/stack/monitoring/init.yml
@@ -30,13 +30,13 @@
ports:
- 15015:${prometheus:remote_storage_adapter:bind:port}
environment:
- bind_port: ${prometheus:remote_storage_adapter:bind:port}
- bind_address: ${prometheus:remote_storage_adapter:bind:address}
- influxdb_retention_policy: 'lma'
- influxdb_url: ${_param:prometheus_influxdb_url}
- influxdb_db: ${_param:prometheus_influxdb_db}
- influxdb_username: ${_param:prometheus_influxdb_username}
- influxdb_password: ${_param:prometheus_influxdb_password}
+ RSA_BIND_PORT: ${prometheus:remote_storage_adapter:bind:port}
+ RSA_BIND_ADDRESS: ${prometheus:remote_storage_adapter:bind:address}
+ RSA_INFLUXDB_RETENTION_POLICY: 'lma'
+ RSA_INFLUXDB_URL: ${_param:prometheus_influxdb_url}
+ RSA_INFLUXDB_DB: ${_param:prometheus_influxdb_db}
+ RSA_INFLUXDB_USERNAME: ${_param:prometheus_influxdb_username}
+ RSA_INFLUXDB_PASSWORD: ${_param:prometheus_influxdb_password}
alertmanager:
networks:
- monitoring
@@ -55,11 +55,11 @@
- ${prometheus:alertmanager:dir:config}:${_param:prometheus_alertmanager_config_directory}
- ${prometheus:alertmanager:dir:data}:${_param:prometheus_alertmanager_data_directory}
environment:
- config_dir: ${_param:prometheus_alertmanager_config_directory}
- data_dir: ${_param:prometheus_alertmanager_data_directory}
- bind_port: ${prometheus:alertmanager:bind:port}
- bind_address: ${prometheus:alertmanager:bind:address}
- discovery_domain: 'monitoring_alertmanager'
+ ALERTMANAGER_CONFIG_DIR: ${_param:prometheus_alertmanager_config_directory}
+ ALERTMANAGER_DATA_DIR: ${_param:prometheus_alertmanager_data_directory}
+ ALERTMANAGER_BIND_PORT: ${prometheus:alertmanager:bind:port}
+ ALERTMANAGER_BIND_ADDRESS: ${prometheus:alertmanager:bind:address}
+ ALERTMANAGER_DISCOVERY_DOMAIN: 'monitoring_alertmanager'
pushgateway:
networks:
- monitoring
@@ -70,8 +70,8 @@
restart_policy:
condition: any
environment:
- bind_port: ${prometheus:pushgateway:bind:port}
- bind_address: ${prometheus:pushgateway:bind:address}
+ PUSHGATEWAY_BIND_PORT: ${prometheus:pushgateway:bind:port}
+ PUSHGATEWAY_BIND_ADDRESS: ${prometheus:pushgateway:bind:address}
labels:
com.mirantis.monitoring: "pushgateway"
image: ${_param:docker_image_pushgateway}
diff --git a/docker/swarm/stack/postgresql.yml b/docker/swarm/stack/postgresql.yml
index 7ae4052..42ebf8f 100644
--- a/docker/swarm/stack/postgresql.yml
+++ b/docker/swarm/stack/postgresql.yml
@@ -2,6 +2,10 @@
_param:
docker_postgresql_replicas: 1
docker_image_postgresql: library/postgres:9.6
+ postgresql_bind_host: postgresql-db
+ postgresql_bind_port: ${_param:haproxy_postgresql_bind_port}
+ postgresql_ssl:
+ enabled: false
postgresql_admin_user: postgres
postgresql_admin_user_password: postgrespassword
docker:
@@ -12,13 +16,17 @@
POSTGRES_USER: ${_param:postgresql_admin_user}
POSTGRES_PASSWORD: ${_param:postgresql_admin_user_password}
service:
- db:
+ postgresql-db:
image: ${_param:docker_image_postgresql}
deploy:
replicas: ${_param:docker_postgresql_replicas}
restart_policy:
condition: any
- ports:
- - ${_param:haproxy_postgresql_exposed_port}:${_param:haproxy_postgresql_bind_port}
volumes:
- /srv/volumes/postgresql/data:/var/lib/postgresql/data
+ ports:
+ - ${_param:haproxy_postgresql_exposed_port}:${_param:haproxy_postgresql_bind_port}
+ network:
+ default:
+ external:
+ name: oss_backend
\ No newline at end of file
diff --git a/docker/swarm/stack/pushkin.yml b/docker/swarm/stack/pushkin.yml
index 106d544..71b5f5f 100644
--- a/docker/swarm/stack/pushkin.yml
+++ b/docker/swarm/stack/pushkin.yml
@@ -2,7 +2,13 @@
_param:
docker_pushkin_replicas: 1
docker_image_pushkin: docker-prod-local.artifactory.mirantis.com/mirantis/oss/pushkin
+ pushkin_bind_host: pushkin-api
+ pushkin_bind_port: ${_param:haproxy_pushkin_bind_port}
+ pushkin_ssl:
+ enabled: false
pushkin_db: pushkin
+ pushkin_smtp_host: smtp.gmail.com
+ pushkin_smtp_port: 587
docker:
client:
stack:
@@ -11,15 +17,18 @@
POSTGRES_USER: ${_param:pushkin_db_user}
POSTGRES_PASSWORD: ${_param:pushkin_db_user_password}
POSTGRES_DB: ${_param:pushkin_db}
- PUSHKINDBHOST: ${_param:pushkin_db_host}
- PUSHKINELASTICHOST: ${_param:haproxy_elasticsearch_bind_host}
+ PUSHKINDBHOST: ${_param:postgresql_bind_host}
+ PUSHKINELASTICHOST: ${_param:elasticsearch_bind_host}
WEBHOOK_FROM: ${_param:webhook_from}
+ EMAIL_SENDER_PASSWORD: ${_param:pushkin_email_sender_password}
+ SMTP_HOST: ${_param:pushkin_smtp_host}
+ SMTP_PORT: ${_param:pushkin_smtp_port}
WEBHOOK_RECIPIENTS: ${_param:webhook_recipients}
WEBHOOK_LOGIN_ID: ${_param:webhook_login_id}
WEBHOOK_APPLICATION_ID: ${_param:webhook_application_id}
WEBHOOK_SFDC_USERNAME: ${_param:webhook_sfdc_username}
service:
- api:
+ pushkin-api:
image: ${_param:docker_image_pushkin}
deploy:
replicas: ${_param:docker_pushkin_replicas}
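Review bot: `EMAIL_SENDER_PASSWORD` references `${_param:pushkin_email_sender_password}`, but the first hunk of this file adds defaults only for `pushkin_smtp_host` and `pushkin_smtp_port`, so unless the parameter is defined in a class not shown here the interpolation has nothing to resolve. A comment next to the `_param` block, e.g. `# pushkin_email_sender_password must be set in the cluster model (no default)`, would document that requirement. The value also ends up in the service environment alongside `POSTGRES_PASSWORD`, where anyone who can inspect the service can read it; if the formula supports it, a Docker secret would be a better carrier. The `environment` mapping starts above this hunk.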
@@ -28,4 +37,8 @@
ports:
- ${_param:haproxy_pushkin_exposed_port}:${_param:haproxy_pushkin_bind_port}
volumes:
- - /srv/volumes/pushkin/api:/var/log/pushkin
\ No newline at end of file
+ - /srv/volumes/pushkin/api:/var/log/pushkin
+ network:
+ default:
+ external:
+ name: oss_backend
diff --git a/docker/swarm/stack/rundeck.yml b/docker/swarm/stack/rundeck.yml
index 216415c..0710819 100644
--- a/docker/swarm/stack/rundeck.yml
+++ b/docker/swarm/stack/rundeck.yml
@@ -2,12 +2,16 @@
_param:
docker_rundeck_replicas: 1
docker_image_rundeck: docker-prod-local.artifactory.mirantis.com/mirantis/oss/rundeck:latest
+ rundeck_bind_host: rundeck-api
+ rundeck_bind_port: ${_param:haproxy_rundeck_bind_port}
+ rundeck_ssl:
+ enabled: false
docker:
client:
stack:
rundeck:
service:
- rundeck:
+ rundeck-api:
image: ${_param:docker_image_rundeck}
deploy:
replicas: ${_param:docker_rundeck_replicas}
@@ -25,3 +29,7 @@
- /srv/volumes/rundeck/logs:/var/lib/rundeck/logs
- /srv/volumes/rundeck/plugins:/opt/rundeck-plugins
- /srv/volumes/rundeck/storage:/var/lib/rundeck/var/storage
+ network:
+ default:
+ external:
+ name: oss_backend
\ No newline at end of file
diff --git a/docker/swarm/stack/security_monkey.yml b/docker/swarm/stack/security_monkey.yml
index 2e1c813..67233c2 100644
--- a/docker/swarm/stack/security_monkey.yml
+++ b/docker/swarm/stack/security_monkey.yml
@@ -4,26 +4,34 @@
docker_security_monkey_scheduler_replicas: 1
docker_image_security_monkey_api: docker-prod-local.artifactory.mirantis.com/mirantis/oss/security-monkey-api
docker_image_security_monkey_scheduler: docker-prod-local.artifactory.mirantis.com/mirantis/oss/security-monkey-scheduler
+ security_monkey_bind_host: security-audit-api
+ security_monkey_bind_port: ${_param:haproxy_security_monkey_bind_port}
+ security_monkey_ssl:
+ enabled: false
security_monkey_db: secmonkey
- notification_service_url: http://${_param:haproxy_pushkin_bind_host}:${_param:haproxy_pushkin_bind_port}/post_notification_json
+ notification_service_url: http://${_param:pushkin_bind_host}:${_param:haproxy_pushkin_bind_port}/post_notification_json
security_monkey_user: devopsportal@devopsportal.local
security_monkey_password: devopsportal
security_monkey_role: Justify
- security_monkey_fqdn: ${_param:haproxy_security_monkey_bind_host}
- security_monkey_web_port: ${_param:haproxy_security_monkey_bind_port}
- security_monkey_api_port: ${_param:haproxy_security_monkey_bind_port}
- security_monkey_nginx_port: ${_param:haproxy_security_monkey_bind_port}
+ security_monkey_fqdn: ${_param:security_monkey_bind_host}
+ security_monkey_web_port: ${_param:security_monkey_bind_port}
+ security_monkey_api_port: ${_param:security_monkey_bind_port}
+ security_monkey_nginx_port: ${_param:security_monkey_bind_port}
devops_portal_sm_wtf_csrf_enabled: False
security_monkey_sync_interval: 15
security_monkey_openstack:
os_account_id: mcp_cloud
os_account_name: mcp_cloud
- username: ""
- password: ""
- auth_url: ""
+ auth_url: http://yourcloud.com:5000/v3/auth/tokens
+ username: admin
+ password: password
project_domain_name: Default
project_name: admin
user_domain_name: Default
+ cacert_path: /srv/volumes/rundeck/storage/content/cis/openstack/cert.pem
+ cafile: /opt/certs/cert.pem
+ endpoint_type: public
+ ssl_verify: False
docker:
client:
stack:
@@ -32,7 +40,7 @@
SECURITY_MONKEY_POSTGRES_USER: ${_param:secmonkey_db_user}
SECURITY_MONKEY_POSTGRES_PASSWORD: ${_param:secmonkey_db_user_password}
SECURITY_MONKEY_POSTGRES_HOST: ${_param:secmonkey_db_host}
- SECURITY_MONKEY_POSTGRES_PORT: ${_param:haproxy_postgresql_bind_port}
+ SECURITY_MONKEY_POSTGRES_PORT: ${_param:postgresql_bind_port}
SECURITY_MONKEY_FQDN: ${_param:security_monkey_fqdn}
WEB_PORT: ${_param:security_monkey_web_port}
API_PORT: ${_param:security_monkey_api_port}
@@ -48,13 +56,16 @@
OS_AUTH_URL: ${_param:security_monkey_openstack:auth_url}
OS_PROJECT_DOMAIN_NAME: ${_param:security_monkey_openstack:project_domain_name}
OS_PROJECT_NAME: ${_param:security_monkey_openstack:project_name}
+ OS_SSL_VERIFY: ${_param:security_monkey_openstack:ssl_verify}
+ OS_ENDPOINT_TYPE: ${_param:security_monkey_openstack:endpoint_type}
+ CACERT_PATH: ${_param:security_monkey_openstack:cafile}
USER_DOMAIN_NAME: ${_param:security_monkey_openstack:user_domain_name}
SM_WTF_CSRF_ENABLED: ${_param:devops_portal_sm_wtf_csrf_enabled}
SECURITY_MONKEY_SYNC_INTERVAL: ${_param:security_monkey_sync_interval}
SQLALCHEMY_DATABASE_URI: postgresql://${_param:secmonkey_db_user}:${_param:secmonkey_db_user_password}@${_param:secmonkey_db_host}:${_param:haproxy_postgresql_bind_port}/${_param:security_monkey_db}
SQLALCHEMY_POOL_RECYCLE: 14400
service:
- api:
+ security-audit-api:
image: ${_param:docker_image_security_monkey_api}
deploy:
replicas: ${_param:docker_security_monkey_api_replicas}
@@ -64,7 +75,8 @@
- ${_param:haproxy_security_monkey_exposed_port}:${_param:haproxy_security_monkey_bind_port}
volumes:
- /srv/volumes/security_monkey/logs:/var/log/security_monkey/logs
- scheduler:
+ - ${_param:security_monkey_openstack:cacert_path}:${_param:security_monkey_openstack:cafile}:ro
+ security-audit-scheduler:
image: ${_param:docker_image_security_monkey_scheduler}
deploy:
replicas: ${_param:docker_security_monkey_scheduler_replicas}
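Review bot: The CA bundle mount added to `security-audit-api` (and to `security-audit-scheduler` in the next hunk, and `cleanup-service-api` in `janitor_monkey.yml`) is unconditional, while `ssl_verify` defaults to `False` and the source path `/srv/volumes/rundeck/storage/content/cis/openstack/cert.pem` lives in Rundeck's storage volume. If that file is absent on the node where a task is scheduled, the bind mount will presumably fail or be created as a directory, depending on how the formula renders volumes, so the services depend on Rundeck content that nothing in this file guarantees. A comment on `cacert_path` such as `# host path of the OpenStack CA bundle; must exist on every swarm node running this stack` would make that dependency visible. The service definitions start above the hunk.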
@@ -72,3 +84,8 @@
condition: any
volumes:
- /srv/volumes/security_monkey/logs:/var/log/security_monkey/logs
+ - ${_param:security_monkey_openstack:cacert_path}:${_param:security_monkey_openstack:cafile}:ro
+ network:
+ default:
+ external:
+ name: oss_backend
diff --git a/glusterfs/client/volume/glance.yml b/glusterfs/client/volume/glance.yml
index ec593b9..e84ff06 100644
--- a/glusterfs/client/volume/glance.yml
+++ b/glusterfs/client/volume/glance.yml
@@ -13,3 +13,20 @@
user: glance
group: glance
opts: "defaults,backup-volfile-servers=${_param:glusterfs_node01_address}:${_param:glusterfs_node02_address}:${_param:glusterfs_node03_address}"
+ linux:
+ system:
+ user:
+ glance:
+ enabled: true
+ name: glance
+ uid: 302
+ gid: 302
+ home: /var/lib/glance
+ shell: /bin/false
+ system: True
+ group:
+ glance:
+ enabled: true
+ name: glance
+ gid: 302
+ system: True
diff --git a/glusterfs/client/volume/keystone.yml b/glusterfs/client/volume/keystone.yml
index 822b61f..39c5619 100644
--- a/glusterfs/client/volume/keystone.yml
+++ b/glusterfs/client/volume/keystone.yml
@@ -19,3 +19,20 @@
user: keystone
group: keystone
opts: "defaults,backup-volfile-servers=${_param:glusterfs_node01_address}:${_param:glusterfs_node02_address}:${_param:glusterfs_node03_address}"
+ linux:
+ system:
+ user:
+ keystone:
+ enabled: true
+ name: keystone
+ home: /var/lib/keystone
+ uid: 301
+ gid: 301
+ shell: /bin/false
+ system: True
+ group:
+ keystone:
+ enabled: true
+ name: keystone
+ gid: 301
+ system: True
diff --git a/glusterfs/client/volume/prometheus.yml b/glusterfs/client/volume/prometheus.yml
deleted file mode 100644
index 3fae59b..0000000
--- a/glusterfs/client/volume/prometheus.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-parameters:
- _param:
- prometheus_glusterfs_service_host: ${_param:glusterfs_service_host}
- glusterfs_node01_address: ${_param:cluster_node01_address}
- glusterfs_node02_address: ${_param:cluster_node02_address}
- glusterfs_node03_address: ${_param:cluster_node03_address}
- glusterfs:
- client:
- volumes:
- prometheus:
- path: /srv/volumes/prometheus
- server: ${_param:prometheus_glusterfs_service_host}
- opts: "defaults,backup-volfile-servers=${_param:glusterfs_node01_address}:${_param:glusterfs_node02_address}:${_param:glusterfs_node03_address}"
diff --git a/glusterfs/server/volume/glance.yml b/glusterfs/server/volume/glance.yml
index 8276a44..0f54219 100644
--- a/glusterfs/server/volume/glance.yml
+++ b/glusterfs/server/volume/glance.yml
@@ -14,4 +14,4 @@
nfs.disable: On
network.remote-dio: On
diagnostics.client-log-level: WARNING
- diagnostics.brick-log-level: WARNING
\ No newline at end of file
+ diagnostics.brick-log-level: WARNING
diff --git a/glusterfs/server/volume/prometheus.yml b/glusterfs/server/volume/prometheus.yml
deleted file mode 100644
index 144847a..0000000
--- a/glusterfs/server/volume/prometheus.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-parameters:
- glusterfs:
- server:
- volumes:
- prometheus:
- storage: /srv/glusterfs/prometheus
- replica: 3
- bricks:
- - ${_param:cluster_node01_address}:/srv/glusterfs/prometheus
- - ${_param:cluster_node02_address}:/srv/glusterfs/prometheus
- - ${_param:cluster_node03_address}:/srv/glusterfs/prometheus
- options:
- cluster.readdir-optimize: On
- nfs.disable: On
- network.remote-dio: On
- diagnostics.client-log-level: WARNING
- diagnostics.brick-log-level: WARNING
diff --git a/haproxy/proxy/listen/cicd/artifactory.yml b/haproxy/proxy/listen/cicd/artifactory.yml
index 5bf9bda..349d998 100644
--- a/haproxy/proxy/listen/cicd/artifactory.yml
+++ b/haproxy/proxy/listen/cicd/artifactory.yml
@@ -12,7 +12,7 @@
mode: http
options:
- forwardfor
- - httpchk
+# - httpchk
- httpclose
- httplog
balance: source
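Review bot: `- httpchk` is commented out rather than removed, with no explanation, here and in the matching hunks of `haproxy/proxy/listen/cicd/gerrit.yml` and `haproxy/proxy/listen/docker/visualizer.yml`. Without the HTTP check, HAProxy can at most verify that the backend accepts a TCP connection, so a server that is up but returning errors stays in rotation. If the check was dropped because the default request fails against these services, say so in a comment, e.g. `# httpchk disabled: <reason>; re-enable with a service-specific check URL`, or delete the line. The listen block begins and ends outside the hunk.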
diff --git a/haproxy/proxy/listen/cicd/gerrit.yml b/haproxy/proxy/listen/cicd/gerrit.yml
index 51d494b..3ee21b1 100644
--- a/haproxy/proxy/listen/cicd/gerrit.yml
+++ b/haproxy/proxy/listen/cicd/gerrit.yml
@@ -13,7 +13,7 @@
mode: http
options:
- forwardfor
- - httpchk
+# - httpchk
- httpclose
- httplog
balance: source
diff --git a/haproxy/proxy/listen/docker/visualizer.yml b/haproxy/proxy/listen/docker/visualizer.yml
index 409815c..6fec3ba 100644
--- a/haproxy/proxy/listen/docker/visualizer.yml
+++ b/haproxy/proxy/listen/docker/visualizer.yml
@@ -8,7 +8,7 @@
mode: http
options:
- forwardfor
- - httpchk
+# - httpchk
- httpclose
- httplog
balance: source
diff --git a/jenkins/client/job/debian/packages/extra.yml b/jenkins/client/job/debian/packages/extra.yml
index b344c63..13ee191 100644
--- a/jenkins/client/job/debian/packages/extra.yml
+++ b/jenkins/client/job/debian/packages/extra.yml
@@ -173,6 +173,22 @@
dist: xenial
build: influxdb-relay
branch: master
+ - package: prometheus-relay
+ dist: trusty
+ build: prometheus-relay
+ branch: master
+ - package: prometheus-relay
+ dist: xenial
+ build: prometheus-relay
+ branch: master
+ - package: python-datrie
+ dist: xenial
+ build: pipeline
+ branch: debian/xenial
+ - package: contrail-api-cli
+ dist: xenial
+ build: pipeline
+ branch: debian/xenial
template:
type: workflow-scm
concurrent: false
diff --git a/jenkins/client/job/k8s-test/init.yml b/jenkins/client/job/k8s-test/init.yml
new file mode 100644
index 0000000..0157bb8
--- /dev/null
+++ b/jenkins/client/job/k8s-test/init.yml
@@ -0,0 +1,2 @@
+classes:
+- system.jenkins.client.job.k8s-test.mcp-k8s-test-pipeline
\ No newline at end of file
diff --git a/jenkins/client/job/k8s-test/mcp-k8s-test-pipeline.yml b/jenkins/client/job/k8s-test/mcp-k8s-test-pipeline.yml
new file mode 100644
index 0000000..7bc2f79
--- /dev/null
+++ b/jenkins/client/job/k8s-test/mcp-k8s-test-pipeline.yml
@@ -0,0 +1,74 @@
+parameters:
+ jenkins:
+ client:
+ job:
+ mcp_k8s_test_pipeline:
+ type: workflow-scm
+ name: mcp-k8s-test-pipeline
+ display_name: "Kubernetes tests pipeline"
+ discard:
+ build:
+ keep_num: 20
+ concurrent: false
+ scm:
+ type: git
+ url: "${_param:jenkins_gerrit_url}/kubernetes-ci/kubernetes-pipelines"
+ credentials: "gerrit"
+ script: pipelines/mcp-k8s-test-pipeline.groovy
+ trigger:
+ gerrit:
+ project:
+ kubernetes/kubernetes:
+ branches:
+ - compare_type: "ANT"
+ name: "**"
+ message:
+ build_successful: "Build successful"
+ build_unstable: "Build unstable"
+ build_failure: "Build failed"
+ event:
+ patchset:
+ - created:
+ excludeDrafts: false
+ excludeTrivialRebase: false
+ excludeNoCodeChange: false
+ comment:
+ - addedContains:
+ commentAddedCommentContains: '(recheck|reverify)'
+ param:
+ KUBE_DOCKER_REGISTRY:
+ type: string
+ default: 'docker-dev-virtual.docker.mirantis.net'
+ description: 'Docker registry for binaries and images'
+ CALICO_DOCKER_REGISTRY:
+ type: string
+ default: 'docker-prod-virtual.docker.mirantis.net'
+ description: 'Docker registry for published Calico images'
+ K8S_BASE_IMAGE:
+ type: string
+ default: '{docker-prod-virtual}/mirantis/base-images/debian-base:20161223134732'
+ description: 'Base Docker image to build k8s'
+ DOCKER_IMAGE_UNIT:
+ type: string
+ default: '{docker-prod-virtual}/mirantis/k8s-tests-images/k8s-tests-unit:latest'
+ desription: 'Docker image for k8s unit tests'
+ DOCKER_IMAGE_INTEGRATION:
+ type: string
+ default: '{docker-prod-virtual}/mirantis/k8s-tests-images/k8s-tests-integration:latest'
+ desription: 'Docker image for k8s integration tests'
+ CALICO_CNI_IMAGE_REPO:
+ type: string
+ default: 'calico/cni'
+ description: 'Custom calico/cni image repository'
+ CALICO_CNI_IMAGE_TAG:
+ type: string
+ default: 'v1.5.1'
+ description: 'Custom calico/cni image tag'
+ CALICO_DOWNSTREAM:
+ type: boolean
+ default: 'true'
+ description: 'Use Calico downstream'
+ CALICO_VER:
+ type: string
+ default: 'mcp'
+ description: 'Custom Calico version'
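Review bot: The key is misspelled `desription` under `DOCKER_IMAGE_UNIT` and `DOCKER_IMAGE_INTEGRATION`, so those two parameters will most likely be created without a description; it should read `description: 'Docker image for k8s unit tests'` and `description: 'Docker image for k8s integration tests'`. Both of those defaults also pin the test images to `:latest`, unlike `K8S_BASE_IMAGE`, which uses a dated tag, so a gating run is not reproducible and picks up whatever was last pushed to the registry. Consider a fixed tag or digest for the two test images.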
diff --git a/jenkins/client/job/oss/init.yml b/jenkins/client/job/oss/init.yml
index 0e23f01..f8b5bdc 100644
--- a/jenkins/client/job/oss/init.yml
+++ b/jenkins/client/job/oss/init.yml
@@ -1,3 +1,4 @@
classes:
- system.jenkins.client.job.oss.test_devops_portal
+ - system.jenkins.client.job.oss.test_devops_portal_nightly
- system.jenkins.client.job.oss.test_security_monkey_openstack
diff --git a/jenkins/client/job/oss/test_devops_portal.yml b/jenkins/client/job/oss/test_devops_portal.yml
index 4007010..7001200 100644
--- a/jenkins/client/job/oss/test_devops_portal.yml
+++ b/jenkins/client/job/oss/test_devops_portal.yml
@@ -41,3 +41,6 @@
DEFAULT_GIT_REF:
type: string
default: master
+ NIGHTLY_BUILD:
+ type: boolean
+ default: false
diff --git a/jenkins/client/job/oss/test_devops_portal_nightly.yml b/jenkins/client/job/oss/test_devops_portal_nightly.yml
new file mode 100644
index 0000000..34a8bec
--- /dev/null
+++ b/jenkins/client/job/oss/test_devops_portal_nightly.yml
@@ -0,0 +1,34 @@
+parameters:
+ jenkins:
+ client:
+ job:
+ test-oss-devops-portal-nightly:
+ name: test-oss-devops-portal-nightly
+ discard:
+ build:
+ keep_num: 15
+ artifact:
+ keep_num: 15
+ type: workflow-scm
+ concurrent: true
+ scm:
+ type: git
+ url: "${_param:jenkins_gerrit_url}/oss/jenkins/pipelines"
+ credentials: "gerrit"
+ script: test-devops-portal-pipeline.groovy
+ trigger:
+ timer:
+ spec: "0 23 * * *"
+ param:
+ CREDENTIALS_ID:
+ type: string
+ default: "gerrit"
+ DEFAULT_GIT_URL:
+ type: string
+ default: "${_param:jenkins_gerrit_url}/oss/devops-portal"
+ DEFAULT_GIT_REF:
+ type: string
+ default: master
+ NIGHTLY_BUILD:
+ type: boolean
+ default: true
diff --git a/nginx/server/proxy/cicd/gerrit.yml b/nginx/server/proxy/cicd/gerrit.yml
index 2593dd7..0baf26c 100644
--- a/nginx/server/proxy/cicd/gerrit.yml
+++ b/nginx/server/proxy/cicd/gerrit.yml
@@ -1,34 +1,23 @@
parameters:
_param:
- nginx_proxy_gerrit_server_ssl_authority: virt
- nginx_proxy_gerrit_server_proxy_host: ${_param:single_address}
- nginx_proxy_gerrit_server_proxy_port: 8082
- nginx_proxy_gerrit_server_site_host: ${linux:network:fqdn}
- nginx_proxy_gerrit_server_site_port: 8083
+ nginx_proxy_gerrit_server_proxy_host: ${_param:cicd_control_address}
+ nginx_proxy_gerrit_server_proxy_port: 8080
+ nginx_proxy_gerrit_server_site_host: ${_param:cluster_public_host}
+ nginx_proxy_gerrit_server_site_port: 8080
nginx:
server:
enabled: true
- user:
- admin:
- enabled: true
- password: password
site:
- nginx_proxy_gerrit_server:
+ nginx_proxy_gerrit:
enabled: true
type: nginx_proxy
- name: gerrit_server
- auth:
- engine: basic
+ name: gerrit
proxy:
host: ${_param:nginx_proxy_gerrit_server_proxy_host}
port: ${_param:nginx_proxy_gerrit_server_proxy_port}
protocol: http
- ssl:
- enabled: true
- engine: salt
- authority: ${_param:nginx_proxy_gerrit_server_ssl_authority}
- certificate: ${_param:nginx_proxy_gerrit_server_site_host}
- mode: secure
host:
name: ${_param:nginx_proxy_gerrit_server_site_host}
port: ${_param:nginx_proxy_gerrit_server_site_port}
+ protocol: https
+ ssl: ${_param:nginx_proxy_ssl}
diff --git a/nginx/server/proxy/cicd/jenkins.yml b/nginx/server/proxy/cicd/jenkins.yml
index 975cc4d..bd270f2 100644
--- a/nginx/server/proxy/cicd/jenkins.yml
+++ b/nginx/server/proxy/cicd/jenkins.yml
@@ -1,4 +1,9 @@
parameters:
+ _param:
+ nginx_proxy_jenkins_server_proxy_host: ${_param:cicd_control_address}
+ nginx_proxy_jenkins_server_proxy_port: 8081
+ nginx_proxy_jenkins_server_site_host: ${_param:cluster_public_host}
+ nginx_proxy_jenkins_server_site_port: 8081
nginx:
server:
enabled: true
@@ -8,11 +13,11 @@
type: nginx_proxy
name: jenkins
proxy:
- host: ${_param:foundation_intergration_address}
- port: 8080
+ host: ${_param:nginx_proxy_jenkins_server_proxy_host}
+ port: ${_param:nginx_proxy_jenkins_server_proxy_port}
protocol: http
host:
- name: ${_param:cluster_public_host}
- port: 8095
+ name: ${_param:nginx_proxy_jenkins_server_site_host}
+ port: ${_param:nginx_proxy_jenkins_server_site_port}
protocol: https
ssl: ${_param:nginx_proxy_ssl}
diff --git a/postgresql/client/alertmanager.yml b/postgresql/client/alertmanager.yml
new file mode 100644
index 0000000..8bd272a
--- /dev/null
+++ b/postgresql/client/alertmanager.yml
@@ -0,0 +1,30 @@
+classes:
+ - system.postgresql.client
+parameters:
+ _param:
+ alertmanager_db_host: ${_param:haproxy_postgresql_bind_host}
+ alertmanager_db_user: alertmanager
+ alertmanager_db_user_password: alertmanager
+ webhook_login_id: 13
+ webhook_application_id: 24
+ postgresql:
+ client:
+ server:
+ server01:
+ database:
+ alertmanager:
+ enabled: true
+ encoding: 'UTF8'
+ locale: 'en_US'
+ users:
+ - name: ${_param:alertmanager_db_user}
+ password: ${_param:alertmanager_db_user_password}
+ host: ${_param:alertmanager_db_host}
+ createdb: true
+ rights: all privileges
+ init:
+ maintenance_db: pushkin
+ force: true
+ queries:
+ - INSERT INTO login VALUES (${_param:webhook_login_id}, ${_param:webhook_application_id}) ON CONFLICT (id) DO UPDATE SET id = excluded.id;
+ - INSERT INTO device VALUES (${_param:webhook_application_id}, ${_param:webhook_login_id}, 42, 'stacklight_alertmanager', NULL, 1, NULL) ON CONFLICT (id) DO UPDATE SET id = excluded.id;
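Review bot: `alertmanager_db_user_password: alertmanager` makes the database password equal to the user name as the class default, so any cluster model that includes this class without overriding it gets a guessable credential on a role created with `createdb: true` and `rights: all privileges`. I would leave the password undefined here, so that rendering presumably fails until the deployment supplies one, or at least mark it with `# placeholder, must be overridden in the cluster model`. The two `init` queries also insert positionally (`INSERT INTO login VALUES (...)`). Naming the columns would keep them valid if the pushkin schema gains or reorders a column.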
diff --git a/prometheus/alertmanager/init.yml b/prometheus/alertmanager/init.yml
index b00a4b9..bdcdafd 100644
--- a/prometheus/alertmanager/init.yml
+++ b/prometheus/alertmanager/init.yml
@@ -2,3 +2,8 @@
_param:
prometheus_alertmanager_config_directory: /srv/alertmanager
prometheus_alertmanager_data_directory: /data
+ prometheus:
+ alertmanager:
+ dir:
+ data: /srv/volumes/local/alertmanager/data
+ config: /srv/volumes/local/alertmanager/config
diff --git a/prometheus/server/init.yml b/prometheus/server/init.yml
index 2c241bd..99fdceb 100644
--- a/prometheus/server/init.yml
+++ b/prometheus/server/init.yml
@@ -5,4 +5,6 @@
prometheus:
server:
dir:
+ data: /srv/volumes/local/prometheus/data
+ config: /srv/volumes/local/prometheus/config
config_in_container: ${_param:prometheus_server_config_directory}
diff --git a/rundeck/client/project/cicd.yml b/rundeck/client/project/cicd.yml
index cb427d8..ed8b256 100644
--- a/rundeck/client/project/cicd.yml
+++ b/rundeck/client/project/cicd.yml
@@ -1,14 +1,17 @@
parameters:
_param:
- rundeck_cis_os_auth_url: none
- rundeck_cis_os_username: admin
- rundeck_cis_os_password: password
- rundeck_cis_os_project_name: admin
- rundeck_cis_os_domain_id: default
rundeck_cis_jobs_repository: https://gerrit.mcp.mirantis.net/oss/rundeck-cis-jobs
rundeck_cis_jobs_revision: master
- rundeck_cis_elasticsearch_url: none
+ rundeck_cis_elasticsearch_url: yourelastic:9200
rundeck_cis_os_docker_image: docker-prod-local.artifactory.mirantis.com/mirantis/oss/cis-openstack:latest
+ rundeck_cis_openstack:
+ auth_url: http://yourcloud.com:5000/v3/auth/tokens
+ username: admin
+ password: password
+ cert: plain-certificate
+ ssl_cert_file: cert.pem
+ project_name: admin
+ domain_id: default
rundeck:
client:
project:
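Review bot: The new defaults `auth_url: http://yourcloud.com:5000/v3/auth/tokens` and `rundeck_cis_elasticsearch_url: yourelastic:9200` replace the inert `none` with values that look usable. `yourcloud.com` is a registrable public domain and the scheme is plain HTTP, so a deployment that forgets the override could end up sending the `admin`/`password` pair in clear text to a host outside the operator's control. A reserved name with TLS makes the placeholder fail closed, e.g. `auth_url: https://keystone.example.invalid:5000/v3/auth/tokens`. The `password: password` default is carried over from the old `rundeck_cis_os_password`, and a comment such as `# placeholder, override per deployment` above the block would make that explicit.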
@@ -38,21 +41,27 @@
cis/elasticsearch/url:
type: password
content: ${_param:rundeck_cis_elasticsearch_url}
- cis/openstack/auth_url:
- type: password
- content: ${_param:rundeck_cis_os_auth_url}
- cis/openstack/username:
- type: password
- content: ${_param:rundeck_cis_os_username}
- cis/openstack/password:
- type: password
- content: ${_param:rundeck_cis_os_password}
- cis/openstack/project_name:
- type: password
- content: ${_param:rundeck_cis_os_project_name}
- cis/openstack/domain_id:
- type: password
- content: ${_param:rundeck_cis_os_domain_id}
cis/openstack/image:
type: password
content: ${_param:rundeck_cis_os_docker_image}
+ cis/openstack/auth_url:
+ type: password
+ content: ${_param:rundeck_cis_openstack:auth_url}
+ cis/openstack/username:
+ type: password
+ content: ${_param:rundeck_cis_openstack:username}
+ cis/openstack/password:
+ type: password
+ content: ${_param:rundeck_cis_openstack:password}
+ cis/openstack/project_name:
+ type: password
+ content: ${_param:rundeck_cis_openstack:project_name}
+ cis/openstack/domain_id:
+ type: password
+ content: ${_param:rundeck_cis_openstack:domain_id}
+ cis/openstack/cert.pem:
+ type: password
+ content: ${_param:rundeck_cis_openstack:cert}
+ cis/openstack/cert_file:
+ type: password
+ content: ${_param:rundeck_cis_openstack:ssl_cert_file}
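Review bot: The secret entries now read only from `rundeck_cis_openstack:*`, so a cluster model that still sets the removed `rundeck_cis_os_*` parameters will most likely render without error and store the placeholder defaults instead of its own values. A release note or a short comment naming the renamed parameters would make that migration visible. The pairing of `cis/openstack/cert.pem` with `rundeck_cis_openstack:cert` and `cis/openstack/cert_file` with `ssl_cert_file` is also easy to misread. If it is the intent, a comment like `# cert: PEM body, ssl_cert_file: file name the job uses for it` would help. The enclosing secrets mapping starts outside this hunk.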
diff --git a/rundeck/server/docker.yml b/rundeck/server/docker.yml
index 1c89f4f..492d135 100644
--- a/rundeck/server/docker.yml
+++ b/rundeck/server/docker.yml
@@ -8,6 +8,7 @@
rundeck_postgresql_database: rundeck
rundeck_postgresql_host: ${_param:control_vip_address}
rundeck_postgresql_port: 5432
+ rundeck_server_ssh_timeout: 300000
rundeck:
server:
user:
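Review bot: `rundeck_server_ssh_timeout: 300000` carries no unit, and neither this hunk nor the next one (where it is wired into `timeout:`) says what the value means. It is presumably milliseconds, i.e. five minutes. If so, a trailing comment such as `# SSH command timeout in milliseconds` would keep someone from setting `300` and getting a sub-second timeout.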
@@ -30,3 +31,4 @@
user: ${_param:rundeck_runbook_user}
private_key: ${_param:rundeck_runbook_private_key}
public_key: ${_param:rundeck_runbook_public_key}
+ timeout: ${_param:rundeck_server_ssh_timeout}