Merge "Add azvyagintsev to 'drivetrain' team member"
diff --git a/aodh/server/cluster.yml b/aodh/server/cluster.yml
index db6b39b..444050a 100644
--- a/aodh/server/cluster.yml
+++ b/aodh/server/cluster.yml
@@ -4,6 +4,7 @@
- service.haproxy.proxy.single
- system.haproxy.proxy.listen.openstack.aodh
- system.keepalived.cluster.instance.openstack_telemetry_vip
+- system.salt.minion.cert.rabbitmq.clients.openstack.aodh
parameters:
_param:
openstack_event_alarm_topic: alarm.all
@@ -11,6 +12,9 @@
aodh_alarm_history_ttl: 2592000
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
cron:
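Review bot: The three defaults added here (`openstack_rabbitmq_x509_enabled`, `rabbitmq_ssl_enabled`, `openstack_rabbitmq_port`) are independent, so an override that turns TLS on but leaves the port at 5672 points a TLS client at what is conventionally the plaintext AMQP listener. A comment above them would make the coupling explicit, for example `# RabbitMQ TLS is off by default; when enabling it, also set openstack_rabbitmq_port to the broker's TLS listener (5671 by convention)`. The same trio is repeated in the other `_param` hunks of this commit (ceilometer, designate, ironic and others), so the comment applies there too. The `rabbitmq_aodh_*` file parameters used by the `x509` block further down are not defaulted in this file and presumably come from the newly included `system.salt.minion.cert.rabbitmq.clients.openstack.aodh` class.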
@@ -53,9 +57,10 @@
user: aodh
password: ${_param:keystone_aodh_password}
region: ${_param:openstack_region}
+ protocol: ${_param:cluster_internal_protocol}
message_queue:
engine: rabbitmq
- port: 5672
+ port: ${_param:openstack_rabbitmq_port}
user: openstack
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
@@ -63,6 +68,13 @@
- host: ${_param:openstack_message_queue_node01_address}
- host: ${_param:openstack_message_queue_node02_address}
- host: ${_param:openstack_message_queue_node03_address}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_aodh_ssl_ca_file}
+ key_file: ${_param:rabbitmq_aodh_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_aodh_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
# Check for expired alarm history every day at 2 AM
expirer:
cron:
diff --git a/aodh/server/single.yml b/aodh/server/single.yml
index f20195f..2dfdea9 100644
--- a/aodh/server/single.yml
+++ b/aodh/server/single.yml
@@ -1,6 +1,7 @@
classes:
- service.aodh.server.single
- system.salt.minion.cert.mysql.clients.openstack.aodh
+- system.salt.minion.cert.rabbitmq.clients.openstack.aodh
parameters:
_param:
openstack_event_alarm_topic: alarm.all
@@ -8,6 +9,9 @@
aodh_alarm_history_ttl: 2592000
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
cron:
@@ -24,12 +28,22 @@
cert_file: ${_param:mysql_aodh_client_ssl_cert_file}
ssl:
enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:openstack_rabbitmq_port}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_aodh_ssl_ca_file}
+ key_file: ${_param:rabbitmq_aodh_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_aodh_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
ttl: ${_param:aodh_alarm_history_ttl}
role: ${_param:openstack_node_role}
region: ${_param:openstack_region}
event_alarm_topic: ${_param:openstack_event_alarm_topic}
identity:
region: ${_param:openstack_region}
+ protocol: ${_param:internal_protocol}
# Check for expired alarm history every day at 2 AM
expirer:
cron:
diff --git a/barbican/server/cluster.yml b/barbican/server/cluster.yml
index aac0400..dd4804f 100644
--- a/barbican/server/cluster.yml
+++ b/barbican/server/cluster.yml
@@ -7,6 +7,7 @@
cluster_internal_protocol: 'http'
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
barbican:
server:
role: ${_param:openstack_node_role}
@@ -21,6 +22,8 @@
cert_file: ${_param:mysql_barbican_client_ssl_cert_file}
ssl:
enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:openstack_rabbitmq_port}
linux:
system:
package:
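Review bot: The `message_queue` block added for barbican sets only `port`, while every other service in this commit also gets `x509` and `ssl` sub-keys and a `system.salt.minion.cert.rabbitmq.clients.openstack.*` class. If RabbitMQ TLS is later enabled cluster-wide, the key-manager service would, as far as this file shows, have no client certificate or `ssl.enabled` setting and would either fail to connect or stay on the plaintext port. If this is deliberate, a comment such as `# RabbitMQ TLS options for barbican are not wired up yet` would record it; otherwise add the same `x509`/`ssl` block here and in barbican/server/single.yml.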
diff --git a/barbican/server/single.yml b/barbican/server/single.yml
index 6bed260..21054e3 100644
--- a/barbican/server/single.yml
+++ b/barbican/server/single.yml
@@ -6,6 +6,7 @@
internal_protocol: 'http'
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
barbican:
server:
database:
@@ -19,6 +20,8 @@
role: ${_param:openstack_node_role}
identity:
protocol: ${_param:internal_protocol}
+ message_queue:
+ port: ${_param:openstack_rabbitmq_port}
linux:
system:
package:
diff --git a/ceilometer/agent/cluster.yml b/ceilometer/agent/cluster.yml
index a598ee5..cadbaa9 100644
--- a/ceilometer/agent/cluster.yml
+++ b/ceilometer/agent/cluster.yml
@@ -1,6 +1,11 @@
classes:
- service.ceilometer.agent.cluster
+- system.salt.minion.cert.rabbitmq.clients.openstack.ceilometer
parameters:
+ _param:
+ openstack_rabbitmq_port: 5672
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
ceilometer:
agent:
region: ${_param:openstack_region}
@@ -15,7 +20,9 @@
user: ceilometer
password: ${_param:keystone_ceilometer_password}
region: ${_param:openstack_region}
+ protocol: ${_param:cluster_internal_protocol}
message_queue:
+ port: ${_param:openstack_rabbitmq_port}
engine: rabbitmq
members:
- host: ${_param:openstack_message_queue_node01_address}
@@ -25,6 +32,13 @@
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
ha_queues: true
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_ceilometer_ssl_ca_file}
+ key_file: ${_param:rabbitmq_ceilometer_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_ceilometer_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
nova:
compute:
notification:
diff --git a/ceilometer/agent/single.yml b/ceilometer/agent/single.yml
index ebb1d60..3803d12 100644
--- a/ceilometer/agent/single.yml
+++ b/ceilometer/agent/single.yml
@@ -1,2 +1,21 @@
classes:
- service.ceilometer.agent.single
+- system.salt.minion.cert.rabbitmq.clients.openstack.ceilometer
+parameters:
+ _param:
+ openstack_rabbitmq_port: 5672
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
+ ceilometer:
+ agent:
+ identity:
+ protocol: ${_param:internal_protocol}
+ message_queue:
+ port: ${_param:openstack_rabbitmq_port}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_ceilometer_ssl_ca_file}
+ key_file: ${_param:rabbitmq_ceilometer_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_ceilometer_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
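Review bot: `protocol: ${_param:internal_protocol}` under `identity` refers to a parameter that this file never defines; the hunk shows the whole file, and its `_param` block holds only the three RabbitMQ defaults. barbican/server/single.yml and designate/server/single.yml carry `internal_protocol: 'http'` in their own `_param`, so unless another included class supplies it here, reclass interpolation would presumably fail on the unresolved reference. Adding `internal_protocol: 'http'` to `_param` keeps the file self-contained. The same applies to ceilometer/agent/telemetry/single.yml and ceilometer/server/telemetry/single.yml.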
diff --git a/ceilometer/agent/telemetry/cluster.yml b/ceilometer/agent/telemetry/cluster.yml
index bc67493..56ca6cc 100644
--- a/ceilometer/agent/telemetry/cluster.yml
+++ b/ceilometer/agent/telemetry/cluster.yml
@@ -1,6 +1,11 @@
classes:
- service.ceilometer.agent.cluster.common
+- system.salt.minion.cert.rabbitmq.clients.openstack.ceilometer
parameters:
+ _param:
+ openstack_rabbitmq_port: 5672
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
ceilometer:
agent:
region: ${_param:openstack_region}
@@ -15,7 +20,9 @@
user: ceilometer
password: ${_param:keystone_ceilometer_password}
region: ${_param:openstack_region}
+ protocol: ${_param:cluster_internal_protocol}
message_queue:
+ port: ${_param:openstack_rabbitmq_port}
engine: rabbitmq
members:
- host: ${_param:openstack_message_queue_node01_address}
@@ -25,6 +32,13 @@
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
ha_queues: true
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_ceilometer_ssl_ca_file}
+ key_file: ${_param:rabbitmq_ceilometer_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_ceilometer_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
nova:
compute:
notification:
diff --git a/ceilometer/agent/telemetry/single.yml b/ceilometer/agent/telemetry/single.yml
index 6b42537..a5fcd51 100644
--- a/ceilometer/agent/telemetry/single.yml
+++ b/ceilometer/agent/telemetry/single.yml
@@ -1,2 +1,21 @@
classes:
- service.ceilometer.agent.single.common
+- system.salt.minion.cert.rabbitmq.clients.openstack.ceilometer
+parameters:
+ _param:
+ openstack_rabbitmq_port: 5672
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
+ ceilometer:
+ agent:
+ message_queue:
+ port: ${_param:openstack_rabbitmq_port}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_ceilometer_ssl_ca_file}
+ key_file: ${_param:rabbitmq_ceilometer_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_ceilometer_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
+ identity:
+ protocol: ${_param:internal_protocol}
diff --git a/ceilometer/server/cluster.yml b/ceilometer/server/cluster.yml
index ad804f8..31a0abe 100644
--- a/ceilometer/server/cluster.yml
+++ b/ceilometer/server/cluster.yml
@@ -4,7 +4,12 @@
- service.haproxy.proxy.single
- system.haproxy.proxy.listen.openstack.ceilometer
- system.keepalived.cluster.instance.openstack_telemetry_vip
+- system.salt.minion.cert.rabbitmq.clients.openstack.ceilometer
parameters:
+ _param:
+ openstack_rabbitmq_port: 5672
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
ceilometer:
server:
enabled: true
@@ -30,12 +35,21 @@
user: ceilometer
password: ${_param:keystone_ceilometer_password}
region: ${_param:openstack_region}
+ protocol: ${_param:cluster_internal_protocol}
message_queue:
+ port: ${_param:openstack_rabbitmq_port}
engine: rabbitmq
members:
- host: ${_param:openstack_message_queue_node01_address}
- host: ${_param:openstack_message_queue_node02_address}
- host: ${_param:openstack_message_queue_node03_address}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_ceilometer_ssl_ca_file}
+ key_file: ${_param:rabbitmq_ceilometer_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_ceilometer_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
user: openstack
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
diff --git a/ceilometer/server/single.yml b/ceilometer/server/single.yml
index ae642f1..37feddc 100644
--- a/ceilometer/server/single.yml
+++ b/ceilometer/server/single.yml
@@ -1,6 +1,11 @@
classes:
- service.ceilometer.server.single
+- system.salt.minion.cert.rabbitmq.clients.openstack.ceilometer
parameters:
+ _param:
+ openstack_rabbitmq_port: 5672
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
ceilometer:
server:
role: ${_param:openstack_node_role}
@@ -15,3 +20,14 @@
enabled: true
host: ${_param:stacklight_monitor_address}
port: 9200
+ message_queue:
+ port: ${_param:openstack_rabbitmq_port}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_ceilometer_ssl_ca_file}
+ key_file: ${_param:rabbitmq_ceilometer_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_ceilometer_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
+ identity:
+ protocol: ${_param:cluster_internal_protocol}
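Review bot: The `identity.protocol` line closing this hunk reads `${_param:cluster_internal_protocol}`, whereas the other ceilometer single.yml files in this commit (agent/single.yml, agent/telemetry/single.yml, server/telemetry/single.yml) use `${_param:internal_protocol}`. On a single-node model that sets only `internal_protocol`, this reference is either unresolved or picks up a different value than the operator intended for the Keystone connection. Unless the difference is deliberate, the line should be `protocol: ${_param:internal_protocol}`.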
diff --git a/ceilometer/server/telemetry/cluster.yml b/ceilometer/server/telemetry/cluster.yml
index fdf3e03..a887536 100644
--- a/ceilometer/server/telemetry/cluster.yml
+++ b/ceilometer/server/telemetry/cluster.yml
@@ -2,7 +2,12 @@
classes:
- service.ceilometer.server.cluster.common
- system.keepalived.cluster.instance.openstack_telemetry_vip
+- system.salt.minion.cert.rabbitmq.clients.openstack.ceilometer
parameters:
+ _param:
+ openstack_rabbitmq_port: 5672
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
ceilometer:
server:
enabled: true
@@ -26,7 +31,9 @@
user: ceilometer
password: ${_param:keystone_ceilometer_password}
region: ${_param:openstack_region}
+ protocol: ${_param:cluster_internal_protocol}
message_queue:
+ port: ${_param:openstack_rabbitmq_port}
engine: rabbitmq
members:
- host: ${_param:openstack_message_queue_node01_address}
@@ -35,3 +42,10 @@
user: openstack
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_ceilometer_ssl_ca_file}
+ key_file: ${_param:rabbitmq_ceilometer_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_ceilometer_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
diff --git a/ceilometer/server/telemetry/single.yml b/ceilometer/server/telemetry/single.yml
index 2d8828c..9ff35d1 100644
--- a/ceilometer/server/telemetry/single.yml
+++ b/ceilometer/server/telemetry/single.yml
@@ -1,6 +1,22 @@
classes:
- service.ceilometer.server.single.common
+- system.salt.minion.cert.rabbitmq.clients.openstack.ceilometer
parameters:
+ _param:
+ openstack_rabbitmq_port: 5672
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
ceilometer:
server:
role: ${_param:openstack_node_role}
+ message_queue:
+ port: ${_param:openstack_rabbitmq_port}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_ceilometer_ssl_ca_file}
+ key_file: ${_param:rabbitmq_ceilometer_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_ceilometer_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
+ identity:
+ protocol: ${_param:internal_protocol}
diff --git a/cinder/control/cluster.yml b/cinder/control/cluster.yml
index 503537e..e4a0718 100644
--- a/cinder/control/cluster.yml
+++ b/cinder/control/cluster.yml
@@ -12,6 +12,7 @@
galera_ssl_enabled: False
openstack_rabbitmq_x509_enabled: False
rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
package:
@@ -62,6 +63,7 @@
port: 9292
protocol: ${_param:cluster_internal_protocol}
message_queue:
+ port: ${_param:openstack_rabbitmq_port}
engine: rabbitmq
members:
- host: ${_param:openstack_message_queue_node01_address}
diff --git a/cinder/control/single.yml b/cinder/control/single.yml
index ce01579..0d29e31 100644
--- a/cinder/control/single.yml
+++ b/cinder/control/single.yml
@@ -9,6 +9,7 @@
galera_ssl_enabled: False
openstack_rabbitmq_x509_enabled: False
rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
package:
@@ -35,6 +36,7 @@
protocol: ${_param:internal_protocol}
region: ${_param:openstack_region}
message_queue:
+ port: ${_param:openstack_rabbitmq_port}
x509:
enabled: ${_param:openstack_rabbitmq_x509_enabled}
ca_file: ${_param:rabbitmq_cinder_ssl_ca_file}
diff --git a/cinder/volume/local.yml b/cinder/volume/local.yml
index d1634d0..b0e179a 100644
--- a/cinder/volume/local.yml
+++ b/cinder/volume/local.yml
@@ -8,6 +8,7 @@
galera_ssl_enabled: False
openstack_rabbitmq_x509_enabled: False
rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
cinder:
volume:
enabled: True
@@ -23,6 +24,7 @@
glance:
host: ${_param:single_address}
message_queue:
+ port: ${_param:openstack_rabbitmq_port}
host: ${_param:single_address}
x509:
enabled: ${_param:openstack_rabbitmq_x509_enabled}
diff --git a/cinder/volume/single.yml b/cinder/volume/single.yml
index 637e45a..03c4b3c 100644
--- a/cinder/volume/single.yml
+++ b/cinder/volume/single.yml
@@ -9,6 +9,7 @@
galera_ssl_enabled: False
openstack_rabbitmq_x509_enabled: False
rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
package:
@@ -31,6 +32,7 @@
host: ${_param:openstack_control_address}
protocol: ${_param:cluster_internal_protocol}
message_queue:
+ port: ${_param:openstack_rabbitmq_port}
members:
- host: ${_param:openstack_message_queue_node01_address}
- host: ${_param:openstack_message_queue_node02_address}
diff --git a/designate/server/cluster/default.yml b/designate/server/cluster/default.yml
index 112d953..8b9e1d0 100644
--- a/designate/server/cluster/default.yml
+++ b/designate/server/cluster/default.yml
@@ -4,12 +4,16 @@
- system.haproxy.proxy.listen.openstack.designate
- service.designate.server.cluster
- system.salt.minion.cert.mysql.clients.openstack.designate
+- system.salt.minion.cert.rabbitmq.clients.openstack.designatev
parameters:
_param:
designate_admin_api_enabled: false
cluster_internal_protocol: 'http'
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
package:
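Review bot: The class added in this hunk is spelled `system.salt.minion.cert.rabbitmq.clients.openstack.designatev`, with a trailing `v`, while designate/server/cluster/simple.yml and designate/server/single.yml in the same commit include `...openstack.designate`. If no class of that name exists, nodes using this file would likely fail to render, and the `rabbitmq_designate_*` references in the `x509` block added further down would have no definition. The line should read `- system.salt.minion.cert.rabbitmq.clients.openstack.designate`.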
@@ -59,7 +63,7 @@
address: ${_param:single_address}
message_queue:
engine: rabbitmq
- port: 5672
+ port: ${_param:openstack_rabbitmq_port}
members:
- host: ${_param:openstack_message_queue_node01_address}
- host: ${_param:openstack_message_queue_node02_address}
@@ -67,3 +71,10 @@
user: openstack
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_designate_ssl_ca_file}
+ key_file: ${_param:rabbitmq_designate_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_designate_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
diff --git a/designate/server/cluster/simple.yml b/designate/server/cluster/simple.yml
index 06c6a33..459ab96 100644
--- a/designate/server/cluster/simple.yml
+++ b/designate/server/cluster/simple.yml
@@ -1,12 +1,16 @@
classes:
- service.designate.server.cluster
- system.salt.minion.cert.mysql.clients.openstack.designate
+- system.salt.minion.cert.rabbitmq.clients.openstack.designate
parameters:
_param:
designate_admin_api_enabled: false
cluster_internal_protocol: 'http'
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
package:
@@ -56,7 +60,7 @@
address: ${_param:single_address}
message_queue:
engine: rabbitmq
- port: 5672
+ port: ${_param:openstack_rabbitmq_port}
members:
- host: ${_param:openstack_message_queue_node01_address}
- host: ${_param:openstack_message_queue_node02_address}
@@ -64,6 +68,13 @@
user: openstack
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_designate_ssl_ca_file}
+ key_file: ${_param:rabbitmq_designate_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_designate_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
pools:
default:
description: 'default pool'
diff --git a/designate/server/single.yml b/designate/server/single.yml
index 1bb51cb..e89afe1 100644
--- a/designate/server/single.yml
+++ b/designate/server/single.yml
@@ -1,12 +1,16 @@
classes:
- service.designate.server.single
- system.salt.minion.cert.mysql.clients.openstack.designate
+- system.salt.minion.cert.rabbitmq.clients.openstack.designate
parameters:
_param:
designate_admin_api_enabled: false
internal_protocol: 'http'
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
package:
@@ -54,10 +58,17 @@
message_queue:
engine: rabbitmq
host: ${_param:cluster_vip_address}
- port: 5672
+ port: ${_param:openstack_rabbitmq_port}
user: openstack
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_designate_ssl_ca_file}
+ key_file: ${_param:rabbitmq_designate_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_designate_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
pools:
default:
description: 'default pool'
diff --git a/docker/host.yml b/docker/host.yml
index aef7a32..bb3dffa 100644
--- a/docker/host.yml
+++ b/docker/host.yml
@@ -1,6 +1,8 @@
classes:
- service.docker.host
parameters:
+ _param:
+ docker_garbage_collection_enabled: false
docker:
host:
pkgs:
@@ -14,3 +16,16 @@
ipv6: true
fixed-cidr-v6: fc00::/7
storage-driver: overlay2
+ linux:
+ system:
+ cron:
+ user:
+ root:
+ enabled: true
+ job:
+ docker_garbage_collection:
+ command: docker system prune -f --filter until=$(date +%s -d "1 week ago")
+ enabled: ${_param:docker_garbage_collection_enabled}
+ user: root
+ hour: 6
+ minute: 0
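Review bot: The `command` of the `docker_garbage_collection` job contains an unescaped `%` in `date +%s`. cron treats `%` in the command field as a newline and feeds the remainder to stdin, so unless the cron state escapes it, the command would be cut at `$(date +` and fail. The `until` filter also accepts a Go duration, so `command: docker system prune -f --filter until=168h` avoids both the `%` and the subshell. Because the job runs as root and deletes stopped containers, unused networks, dangling images and build cache, a comment above it stating what is removed would help operators before they set `docker_garbage_collection_enabled` to true.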
diff --git a/glance/control/cluster.yml b/glance/control/cluster.yml
index 4f0992d..c69cf55 100644
--- a/glance/control/cluster.yml
+++ b/glance/control/cluster.yml
@@ -11,6 +11,7 @@
galera_ssl_enabled: False
openstack_rabbitmq_x509_enabled: False
rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
cron:
@@ -44,6 +45,7 @@
registry:
host: ${_param:cluster_vip_address}
port: 9191
+ protocol: ${_param:cluster_internal_protocol}
bind:
address: ${_param:cluster_local_address}
port: 9292
@@ -55,9 +57,10 @@
password: ${_param:keystone_glance_password}
region: ${_param:openstack_region}
tenant: service
+ protocol: ${_param:cluster_internal_protocol}
message_queue:
engine: rabbitmq
- port: 5672
+ port: ${_param:openstack_rabbitmq_port}
user: openstack
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
diff --git a/glance/control/single.yml b/glance/control/single.yml
index c233120..a789a56 100644
--- a/glance/control/single.yml
+++ b/glance/control/single.yml
@@ -8,6 +8,7 @@
galera_ssl_enabled: False
openstack_rabbitmq_x509_enabled: False
rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
cron:
@@ -32,8 +33,12 @@
enabled: ${_param:galera_ssl_enabled}
identity:
region: ${_param:openstack_region}
+ protocol: ${_param:internal_protocol}
+ registry:
+ protocol: ${_param:internal_protocol}
show_multiple_locations: True
message_queue:
+ port: ${_param:openstack_rabbitmq_port}
x509:
enabled: ${_param:openstack_rabbitmq_x509_enabled}
ca_file: ${_param:rabbitmq_glance_ssl_ca_file}
diff --git a/gnocchi/server/cluster.yml b/gnocchi/server/cluster.yml
index ede63c5..7de3ede 100644
--- a/gnocchi/server/cluster.yml
+++ b/gnocchi/server/cluster.yml
@@ -19,6 +19,7 @@
identity:
host: ${_param:openstack_control_address}
region: ${_param:openstack_region}
+ protocol: ${_param:cluster_internal_protocol}
cache:
engine: memcached
members:
diff --git a/gnocchi/server/single.yml b/gnocchi/server/single.yml
index 11ddf39..c4e1547 100644
--- a/gnocchi/server/single.yml
+++ b/gnocchi/server/single.yml
@@ -6,6 +6,7 @@
role: ${_param:openstack_node_role}
identity:
region: ${_param:openstack_region}
+ protocol: ${_param:internal_protocol}
metricd:
metric_processing_delay: 15
metric_reporting_delay: 30
diff --git a/haproxy/proxy/listen/opencontrail/control.yml b/haproxy/proxy/listen/opencontrail/control.yml
index 490d100..db407be 100644
--- a/haproxy/proxy/listen/opencontrail/control.yml
+++ b/haproxy/proxy/listen/opencontrail/control.yml
@@ -1,6 +1,8 @@
parameters:
_param:
opencontrail_stats_password: password
+ opencontrail_api_start_offset: 0
+ opencontrail_api_workers_count: 1
haproxy:
proxy:
listen:
@@ -15,14 +17,20 @@
host: ${_param:cluster_node01_address}
port: 9100
params: check inter 2000 rise 2 fall 3
+ port_range_length: ${_param:opencontrail_api_workers_count}
+ port_range_start_offset: ${_param:opencontrail_api_start_offset}
- name: ntw02
host: ${_param:cluster_node02_address}
port: 9100
params: check inter 2000 rise 2 fall 3
+ port_range_length: ${_param:opencontrail_api_workers_count}
+ port_range_start_offset: ${_param:opencontrail_api_start_offset}
- name: ntw03
host: ${_param:cluster_node03_address}
port: 9100
params: check inter 2000 rise 2 fall 3
+ port_range_length: ${_param:opencontrail_api_workers_count}
+ port_range_start_offset: ${_param:opencontrail_api_start_offset}
contrail_discovery:
type: contrail-api
service_name: contrail
diff --git a/haproxy/proxy/listen/openstack/aodh_large.yml b/haproxy/proxy/listen/openstack/aodh_large.yml
new file mode 100644
index 0000000..b70e1fb
--- /dev/null
+++ b/haproxy/proxy/listen/openstack/aodh_large.yml
@@ -0,0 +1,31 @@
+parameters:
+ haproxy:
+ proxy:
+ listen:
+ aodh-api:
+ type: openstack-service
+ service_name: aodh
+ binds:
+ - address: ${_param:cluster_vip_address}
+ port: 8042
+ servers:
+ - name: ${_param:cluster_node01_hostname}
+ host: ${_param:cluster_node01_address}
+ port: 8042
+ params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3
+ - name: ${_param:cluster_node02_hostname}
+ host: ${_param:cluster_node02_address}
+ port: 8042
+ params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3
+ - name: ${_param:cluster_node03_hostname}
+ host: ${_param:cluster_node03_address}
+ port: 8042
+ params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3
+ - name: ${_param:cluster_node04_hostname}
+ host: ${_param:cluster_node04_address}
+ port: 8042
+ params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3
+ - name: ${_param:cluster_node05_hostname}
+ host: ${_param:cluster_node05_address}
+ port: 8042
+ params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3
diff --git a/heat/server/cluster.yml b/heat/server/cluster.yml
index 4504e89..e11feae 100644
--- a/heat/server/cluster.yml
+++ b/heat/server/cluster.yml
@@ -13,6 +13,7 @@
openstack_rabbitmq_x509_enabled: False
galera_ssl_enabled: False
rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
package:
@@ -72,7 +73,7 @@
protocol: ${_param:cluster_internal_protocol}
message_queue:
engine: rabbitmq
- port: 5672
+ port: ${_param:openstack_rabbitmq_port}
user: openstack
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
diff --git a/heat/server/single.yml b/heat/server/single.yml
index 9ef10c9..1ecb122 100644
--- a/heat/server/single.yml
+++ b/heat/server/single.yml
@@ -8,6 +8,7 @@
openstack_rabbitmq_x509_enabled: False
galera_ssl_enabled: False
rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
package:
@@ -37,6 +38,7 @@
ssl:
enabled: ${_param:galera_ssl_enabled}
message_queue:
+ port: ${_param:openstack_rabbitmq_port}
x509:
enabled: ${_param:openstack_rabbitmq_x509_enabled}
ca_file: ${_param:rabbitmq_heat_ssl_ca_file}
diff --git a/horizon/server/plugin/lbaasv2.yml b/horizon/server/plugin/lbaasv2.yml
index 69e2682..37bf013 100644
--- a/horizon/server/plugin/lbaasv2.yml
+++ b/horizon/server/plugin/lbaasv2.yml
@@ -5,5 +5,5 @@
lbaasv2:
source:
engine: pkg
- name: python-horizon-neutron-lbaasv2-panel
+ name: python-neutron-lbaas-dashboard
diff --git a/ironic/api/cluster.yml b/ironic/api/cluster.yml
index acf635e..849b923 100644
--- a/ironic/api/cluster.yml
+++ b/ironic/api/cluster.yml
@@ -1,10 +1,14 @@
classes:
- system.salt.minion.cert.mysql.clients.openstack.ironic
+- system.salt.minion.cert.rabbitmq.clients.openstack.ironic
- service.ironic.api.cluster
parameters:
_param:
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
package:
@@ -26,3 +30,12 @@
cert_file: ${_param:mysql_ironic_client_ssl_cert_file}
ssl:
enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:openstack_rabbitmq_port}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_ironic_ssl_ca_file}
+ key_file: ${_param:rabbitmq_ironic_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_ironic_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
\ No newline at end of file
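Review bot: ironic/api/cluster.yml now ends without a trailing newline, unlike the other three ironic files changed in this commit. Ending the file with a single newline after `enabled: ${_param:rabbitmq_ssl_enabled}` keeps later diffs clean and satisfies yamllint's `new-line-at-end-of-file` rule.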
diff --git a/ironic/api/single.yml b/ironic/api/single.yml
index 0d4ae09..3313eb2 100644
--- a/ironic/api/single.yml
+++ b/ironic/api/single.yml
@@ -1,10 +1,14 @@
classes:
- system.salt.minion.cert.mysql.clients.openstack.ironic
+- system.salt.minion.cert.rabbitmq.clients.openstack.ironic
- service.ironic.api.single
parameters:
_param:
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
package:
@@ -24,3 +28,12 @@
cert_file: ${_param:mysql_ironic_client_ssl_cert_file}
ssl:
enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:openstack_rabbitmq_port}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_ironic_ssl_ca_file}
+ key_file: ${_param:rabbitmq_ironic_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_ironic_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
diff --git a/ironic/conductor/cluster.yml b/ironic/conductor/cluster.yml
index c97624b..81fa2b5 100644
--- a/ironic/conductor/cluster.yml
+++ b/ironic/conductor/cluster.yml
@@ -1,10 +1,14 @@
classes:
- system.salt.minion.cert.mysql.clients.openstack.ironic
+- system.salt.minion.cert.rabbitmq.clients.openstack.ironic
- service.ironic.conductor.cluster
parameters:
_param:
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
package:
@@ -22,3 +26,12 @@
cert_file: ${_param:mysql_ironic_client_ssl_cert_file}
ssl:
enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:openstack_rabbitmq_port}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_ironic_ssl_ca_file}
+ key_file: ${_param:rabbitmq_ironic_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_ironic_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
diff --git a/ironic/conductor/single.yml b/ironic/conductor/single.yml
index 80215a5..7a24028 100644
--- a/ironic/conductor/single.yml
+++ b/ironic/conductor/single.yml
@@ -1,10 +1,14 @@
classes:
- system.salt.minion.cert.mysql.clients.openstack.ironic
+- system.salt.minion.cert.rabbitmq.clients.openstack.ironic
- service.ironic.conductor.single
parameters:
_param:
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
package:
@@ -23,3 +27,12 @@
cert_file: ${_param:mysql_ironic_client_ssl_cert_file}
ssl:
enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:openstack_rabbitmq_port}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_ironic_ssl_ca_file}
+ key_file: ${_param:rabbitmq_ironic_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_ironic_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
diff --git a/jenkins/client/job/oscore/cookiecutter.yml b/jenkins/client/job/oscore/cookiecutter.yml
index 3dd9e73..84c96d8 100644
--- a/jenkins/client/job/oscore/cookiecutter.yml
+++ b/jenkins/client/job/oscore/cookiecutter.yml
@@ -72,7 +72,7 @@
default: |-
#Extra context that will be merged with content of COOKIECUTTER_TEMPLATE_CONTEXT_FILE
default_context:
- openssh_groups: "qa_scale,oscore_devops,networking,tcpcloud,stacklight,k8s_team"
+ openssh_groups: "qa_scale,oscore_devops,networking,tcpcloud,stacklight,k8s_team,mcp_qa"
cookiecutter_template_url: https://gerrit.mcp.mirantis.net/mk/cookiecutter-templates.git
cookiecutter_template_branch: 'master'
shared_reclass_url: https://gerrit.mcp.mirantis.net/salt-models/reclass-system.git
diff --git a/jenkins/client/job/oscore/test_upgrades.yml b/jenkins/client/job/oscore/test_upgrades.yml
index b97855a..e193d58 100644
--- a/jenkins/client/job/oscore/test_upgrades.yml
+++ b/jenkins/client/job/oscore/test_upgrades.yml
@@ -55,6 +55,55 @@
description: "Yaml based scheme to be applied in testing"
default: '{"old": {"run_smoke": True, "context_file_name": "openstack-ovs-core-{{openstack_version_old}}","extra_context": {"default_context": {"openstack_version": "{{openstack_version_old}}"}}}, "new": {"run_smoke": True, "extra_context": {"default_context": {"openstack_version": "{{openstack_version_new}}"}}}}'
job:
+ oscore-test-openstack-upgrade-mitaka-newton:
+ display_name: oscore-test-openstack-upgrade-mitaka-newton
+ name: oscore-test-openstack-upgrade-mitaka-newton
+ concurrent: true
+ description: Test upgrade flow for opentack cluster
+ discard:
+ build:
+ keep_num: 60
+ artifact:
+ keep_num: 60
+ type: workflow-scm
+ scm:
+ type: git
+ url: "${_param:jenkins_gerrit_url}/openstack-ci/openstack-pipelines"
+ credentials: "gerrit"
+ branch: 'master'
+ script: test-openstack-upgrade-pipeline.groovy
+ param:
+ CREDENTIALS_ID:
+ type: string
+ description: "ID of jenkins credentials to be used when connecting to gerrit."
+ default: "gerrit"
+ OPENSTACK_ENVIRONMENT:
+ type: choice
+ description: "Target openstack environment."
+ choices:
+ - devcloud
+ - presales
+ - oscore_devcloud
+ OPENSTACK_API_CREDENTIALS:
+ type: string
+ description: "Credentials to the OpenStack API"
+ OPENSTACK_API_PROJECT:
+ type: string
+ default: "mcp-oscore"
+ HEAT_STACK_ZONE:
+ type: string
+ default: "mcp-oscore"
+ FLAVOR_PREFIX:
+ type: string
+ default: 'dev'
+ STACK_DELETE:
+ type: boolean
+ default: 'true'
+ description: Don't enable it if you need to use the lab after
+ TEST_SCHEME:
+ type: string
+ description: "Yaml based scheme to be applied in testing"
+ default: '{"old": {"run_smoke": True, "context_file_name": "openstack-ovs-core-mitaka","extra_context": {"default_context": {"openstack_version": "mitaka"}}}, "new": {"run_smoke": True, "extra_context": {"default_context": {"openstack_version": "newton"}}}}'
oscore-test-adjust-cluster-model:
display_name: oscore-test-adjust-cluster-model
name: oscore-test-adjust-cluster-model
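Review bot: `OPENSTACK_API_CREDENTIALS` is declared as `type: string` with the description "Credentials to the OpenStack API", which does not say whether a Jenkins credentials ID or the secret itself is expected. String parameters are stored and shown with each build, so the description should state that an ID is wanted, as `CREDENTIALS_ID` above it does: `description: "ID of jenkins credentials to be used when connecting to the OpenStack API"` (assuming the pipeline resolves it as an ID). The job description also has a typo; `opentack` should be `openstack`.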
diff --git a/jenkins/client/job/salt-models/tests.yml b/jenkins/client/job/salt-models/tests.yml
index c6bd2e1..a7bdbab 100644
--- a/jenkins/client/job/salt-models/tests.yml
+++ b/jenkins/client/job/salt-models/tests.yml
@@ -236,10 +236,10 @@
- cookiecutter_template: cookiecutter-templates
template:
discard:
- build:
- keep_num: 50
- artifact:
- keep_num: 50
+ build:
+ keep_days: 4
+ artifact:
+ keep_days: 4
type: workflow-scm
concurrent: true
scm:
@@ -371,9 +371,9 @@
name: test-mk-cookiecutter-templates-chunk
discard:
build:
- keep_num: 300
+ keep_days: 3
artifact:
- keep_num: 300
+ keep_days: 3
type: workflow-scm
concurrent: true
plugin_properties:
diff --git a/keystone/client/service/octavia.yml b/keystone/client/service/octavia.yml
index 304d70f..bf16b79 100644
--- a/keystone/client/service/octavia.yml
+++ b/keystone/client/service/octavia.yml
@@ -9,6 +9,9 @@
client:
server:
identity:
+ roles:
+ - load-balancer_member
+ - load-balancer_admin
project:
service:
user:
@@ -18,7 +21,7 @@
email: ${_param:admin_email}
service:
octavia:
- type: octavia
+ type: load-balancer
description: OpenStack Loadbalancing Service
endpoints:
- region: ${_param:openstack_region}
diff --git a/keystone/client/v3/service/octavia.yml b/keystone/client/v3/service/octavia.yml
index a43b0a9..d571105 100644
--- a/keystone/client/v3/service/octavia.yml
+++ b/keystone/client/v3/service/octavia.yml
@@ -7,6 +7,13 @@
client:
resources:
v3:
+ roles:
+ global_load_balancer_member:
+ name: load-balancer_member
+ enabled: true
+ global_load_balancer_admin:
+ name: load-balancer_admin
+ enabled: true
users:
octavia:
password: ${_param:keystone_octavia_password}
@@ -17,7 +24,7 @@
project_id: service
services:
octavia:
- type: octavia
+ type: load-balancer
description: OpenStack Loadbalancing Service
endpoints:
octavia_public:
diff --git a/keystone/server/cluster.yml b/keystone/server/cluster.yml
index 1a5f4a3..a42d3b6 100644
--- a/keystone/server/cluster.yml
+++ b/keystone/server/cluster.yml
@@ -15,6 +15,7 @@
openstack_rabbitmq_x509_enabled: False
galera_ssl_enabled: False
rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
package:
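Review bot: The default `openstack_rabbitmq_port: 5672` is the conventional plaintext AMQP port, and nothing in this hunk ties it to `rabbitmq_ssl_enabled` two lines above it. A model that turns TLS on without also overriding the port would presumably keep pointing clients at the non-TLS listener. A comment on the new line would make the coupling explicit, e.g. `# plaintext AMQP default; override together with rabbitmq_ssl_enabled (TLS listener is usually 5671)`. The same default is added in keystone/server/single.yml, manila/common/cluster.yml and single.yml, and the neutron and nova classes further down this diff.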
@@ -63,6 +64,7 @@
credential:
location: /var/lib/keystone/credential-keys
message_queue:
+ port: ${_param:openstack_rabbitmq_port}
engine: rabbitmq
members:
- host: ${_param:openstack_message_queue_node01_address}
diff --git a/keystone/server/single.yml b/keystone/server/single.yml
index 03cd75d..10a5331 100644
--- a/keystone/server/single.yml
+++ b/keystone/server/single.yml
@@ -17,6 +17,7 @@
openstack_rabbitmq_x509_enabled: False
galera_ssl_enabled: False
rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
package:
@@ -62,6 +63,7 @@
credential:
location: /var/lib/keystone/credential-keys
message_queue:
+ port: ${_param:openstack_rabbitmq_port}
engine: rabbitmq
host: ${_param:single_address}
user: openstack
diff --git a/kubernetes/common/addons/alertmanager.yml b/kubernetes/common/addons/alertmanager.yml
new file mode 100644
index 0000000..c7483cf
--- /dev/null
+++ b/kubernetes/common/addons/alertmanager.yml
@@ -0,0 +1,24 @@
+classes:
+- system.prometheus.alertmanager.container
+parameters:
+ _param:
+ kubernetes_alertmanager_enabled: false
+ kubernetes_alertmanager_image: ${_param:mcp_docker_registry}/openstack-docker/alertmanager:2018.8.0
+ kubernetes_alertmanager_namespace: stacklight
+ kubernetes_alertmanager_node_port: 31993
+ kubernetes:
+ common:
+ addons:
+ alertmanager:
+ enabled: ${_param:kubernetes_alertmanager_enabled}
+ image: ${_param:kubernetes_alertmanager_image}
+ namespace: ${_param:kubernetes_alertmanager_namespace}
+ dir:
+ config: ${_param:prometheus_alertmanager_config_directory}
+ data: ${_param:prometheus_alertmanager_data_directory}
+ host_config: ${prometheus:alertmanager:dir:config}
+ host_data: ${prometheus:alertmanager:dir:data}
+ bind:
+ address: ${prometheus:alertmanager:bind:address}
+ port: ${prometheus:alertmanager:bind:port}
+ node_port: ${_param:kubernetes_alertmanager_node_port}
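Review bot: `kubernetes_alertmanager_node_port: 31993` publishes Alertmanager through a NodePort, and nothing in this class shows authentication or a network restriction in front of it. That may be handled by the formula or by cluster policy, which is not visible from this file. Since the addon ships with `kubernetes_alertmanager_enabled: false`, a comment above the port would tell whoever enables it what to check first, e.g. `# NodePort is reachable on the node addresses; restrict access (firewall/NetworkPolicy) before enabling`.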
diff --git a/kubernetes/common/init.yml b/kubernetes/common/init.yml
index 82b3ad3..8e0793b 100644
--- a/kubernetes/common/init.yml
+++ b/kubernetes/common/init.yml
@@ -19,7 +19,7 @@
kubernetes_sriov_repo: https://docker-prod-local.artifactory.mirantis.com/artifactory/binary-prod-local/mirantis/kubernetes/sriov-cni
kubernetes_cniplugins_repo: https://docker-prod-local.artifactory.mirantis.com/artifactory/binary-prod-local/mirantis/kubernetes/containernetworking-plugins
kubernetes_dashboard_repo: ${_param:mcp_docker_registry}/mirantis/kubernetes
- kubernetes_coredns_repo: coredns
+ kubernetes_coredns_repo: ${_param:mcp_docker_registry}/mirantis/coredns
# component docker images
kubernetes_docker_package: docker-engine=1.13.1-0~ubuntu-xenial
@@ -31,7 +31,7 @@
kubernetes_pause_image: ${_param:kubernetes_hyperkube_repo}/pause-amd64:v1.11.2-1
kubernetes_contrail_cni_image: ${_param:kubernetes_contrail_cni_repo}/contrail-cni:v1.2.0
kubernetes_contrail_network_controller_image: ${_param:kubernetes_contrail_network_controller_repo}/contrail-network-controller:v1.2.0
- kubernetes_virtlet_image: ${_param:kubernetes_virtlet_repo}/virtlet:v1.1.2
+ kubernetes_virtlet_image: ${_param:kubernetes_virtlet_repo}/virtlet:v1.3.0
kubernetes_criproxy_version: v0.11.1
kubernetes_criproxy_checksum: md5=a3f1f08bdc7a8d6eb73b7c8fa5bae200
kubernetes_netchecker_agent_image: ${_param:kubernetes_netchecker_agent_repo}/k8s-netchecker-agent:v1.2.2
@@ -54,7 +54,7 @@
kubernetes_fluentd_aggregator_image: fluent/fluentd-kubernetes-daemonset:v1.2-debian-elasticsearch
kubernetes_fluentd_logger_image: fluent/fluentd-kubernetes-daemonset:v1.2-debian-stackdriver
kubernetes_telegraf_image: ${_param:mcp_docker_registry}/openstack-docker/telegraf:2018.8.0
- kubernetes_coredns_image: ${_param:kubernetes_coredns_repo}/coredns:1.2.0
+ kubernetes_coredns_image: ${_param:kubernetes_coredns_repo}/coredns:v1.2.2-12
kubelet_fail_on_swap: true
kubernetes_dashboard_enabled: true
@@ -63,6 +63,7 @@
kubernetes_coredns_enabled: true
kubernetes_externaldns_provider: coredns
kubernetes_virtlet_enabled: false
+ kubernetes_virtlet_use_apparmor: false
kubernetes_flannel_enabled: false
kubernetes_genie_enabled: false
kubernetes_calico_enabled: false
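Review bot: `kubernetes_virtlet_use_apparmor: false` is added without a comment, so a reader cannot tell what confinement is lost by leaving it off or on which hosts it should be turned on. The value is passed straight through as `use_apparmor` in the virtlet addon block in the last hunk of this file, and what the formula does with it is not visible here. A short comment above the new parameter would cover this, e.g. `# set to true on hosts where AppArmor is enforced; see the kubernetes formula for what virtlet does with it`.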
@@ -256,6 +257,7 @@
image: ${_param:kubernetes_virtlet_image}
criproxy_version: ${_param:kubernetes_criproxy_version}
criproxy_source: ${_param:kubernetes_criproxy_checksum}
+ use_apparmor: ${_param:kubernetes_virtlet_use_apparmor}
metallb:
enabled: ${_param:kubernetes_metallb_enabled}
controller_image: ${_param:kubernetes_metallb_controller_image}
diff --git a/kubernetes/control/opencontrail.yml b/kubernetes/control/opencontrail.yml
index e5556fa..2a46d00 100644
--- a/kubernetes/control/opencontrail.yml
+++ b/kubernetes/control/opencontrail.yml
@@ -20,6 +20,10 @@
public_ip_range: ${_param:opencontrail_public_ip_range}
public_network: ${_param:opencontrail_public_ip_network}
private_ip_range: ${_param:opencontrail_private_ip_range}
+ cluster_network:
+ project: 'default'
+ domain: 'default-domain'
+ name: 'cluster-network'
config:
api:
host: ${_param:opencontrail_control_address}
diff --git a/linux/system/repo/keystorage/mirantis_com/init.yml b/linux/system/repo/keystorage/mirantis_com/init.yml
new file mode 100644
index 0000000..b6c9a86
--- /dev/null
+++ b/linux/system/repo/keystorage/mirantis_com/init.yml
@@ -0,0 +1,2 @@
+classes:
+- system.linux.system.repo.keystorage.mirantis_com.openstack
diff --git a/linux/system/repo/keystorage/mirantis_com/openstack.yml b/linux/system/repo/keystorage/mirantis_com/openstack.yml
new file mode 100644
index 0000000..12d5e73
--- /dev/null
+++ b/linux/system/repo/keystorage/mirantis_com/openstack.yml
@@ -0,0 +1,26 @@
+parameters:
+ linux:
+ system:
+ repo:
+ mirantis_openstack:
+ # pub 2048R/4C5289EF 2018-07-25
+ key: |
+ -----BEGIN PGP PUBLIC KEY BLOCK-----
+ Version: GnuPG v1
+
+ mQENBFtYVY8BCAC3oli93husG0ZVtv/L8I4/bcW60LFCyB0DuwEznGlSaj1fjOQu
+ C7QX9wvGRq8mRZ8mfZ6sbxGmgs0LnV5QIBle1l5I3B+AMGksf6UGEWgoN/vq86g+
+ 0Jg6kJP/D0sjGXvdlfy+bgAqjsx2bWOLjQGtHSIxhe4cE9HPBfMiYsFwGQua3XN3
+ tiGKcifszvDA6uqdjS6DuTEPCzyKiSyUevnWtBh0oUtUt//X4lG2Mx0lU91uUQGj
+ KeZ+fYXOLqgZm/FxLVT5w3g/UGK9Cbz5h4kGCJOfk0EwIZp0IRRs1phOC6gVMwoV
+ yWKCtdHmg7Ob8I4AZ8OW5HJn1UPHTprxcHBnABEBAAG0LEF1dG9idWlsZGVyIDxp
+ bmZyYSthdXRpYnVpbGRlckBtaXJhbnRpcy5jb20+iQE4BBMBAgAiBQJbWFWPAhsD
+ BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCRZVp5TFKJ70cJB/9ArWrSFyEx
+ qs7Tyo9M5WCPjqw7y2F7jd4Et3hqwc5jx6KlxGpg17SHt4oWcmtML3VBx+ziBAi0
+ 5Ry4Z4w0QqFW6gAqQepeW76Yq/OP5SoqEI9sUwzLfUY7raK/P1buvXB1eZh4mMw4
+ TFf4Hgo8yUQ3geYNnUBBfaSfkmiyBJGsMXBfW2zhlpVIyB6Cye5R823FxGNJe+li
+ hggNCQnKYqrGtr55RO6xYI1v89cgGrO2EVwPkFLA/MUnQEb433Ck+sjp1NZDUfuJ
+ U3gg8S0hT+Cf5XiknT/xqIhhTY/KzlNmynZt/51DzZzsbM+RO6JZFYJL2LuC69gB
+ +R5jrmaGu9fG
+ =sqIn
+ -----END PGP PUBLIC KEY BLOCK-----
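Review bot: The comment above the key block, `# pub 2048R/4C5289EF 2018-07-25`, identifies the repository signing key only by its 32-bit short ID, which is not collision-resistant and cannot be used to check the embedded block against an out-of-band source. Recording the full fingerprint next to it would let a reviewer verify the key when it is rotated, e.g. `# fingerprint: <FULL_40_HEX_FINGERPRINT>` (placeholder; take the value from the key itself). Since this embedded key replaces the `key_url` removed in linux/system/repo/mcp/mirror/v1/openstack.yml later in this diff, a second comment stating that the key must be updated here on rotation would also help.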
diff --git a/linux/system/repo/mcp/apt_mirantis/hotfix/init.yml b/linux/system/repo/mcp/apt_mirantis/hotfix/init.yml
new file mode 100644
index 0000000..e9e45e6
--- /dev/null
+++ b/linux/system/repo/mcp/apt_mirantis/hotfix/init.yml
@@ -0,0 +1,2 @@
+classes:
+- system.linux.system.repo.mcp.apt_mirantis.hotfix.ubuntu
diff --git a/linux/system/repo/mcp/apt_mirantis/hotfix/ubuntu.yml b/linux/system/repo/mcp/apt_mirantis/hotfix/ubuntu.yml
new file mode 100644
index 0000000..a6dabf6
--- /dev/null
+++ b/linux/system/repo/mcp/apt_mirantis/hotfix/ubuntu.yml
@@ -0,0 +1,22 @@
+parameters:
+ _param:
+ linux_system_repo_hotfix_url: http://mirror.mirantis.com/hotfix/${_param:apt_mk_version}/
+ linux_system_repo_hotfix_ubuntu_url: ${_param:linux_system_repo_hotfix_url}/ubuntu/
+ linux:
+ system:
+ repo:
+ ubuntu_hotfix:
+ refresh_db: ${_param:linux_repo_refresh_db}
+ source: "deb [arch=amd64] ${_param:linux_system_repo_hotfix_ubuntu_url} ${_param:linux_system_codename} main restricted universe"
+ architectures: amd64
+ default: true
+ ubuntu_updates_hotfix:
+ refresh_db: ${_param:linux_repo_refresh_db}
+ source: "deb [arch=amd64] ${_param:linux_system_repo_hotfix_ubuntu_url} ${_param:linux_system_codename}-updates main restricted universe"
+ architectures: amd64
+ default: true
+ ubuntu_security_hotfix:
+ refresh_db: ${_param:linux_repo_refresh_db}
+ source: "deb [arch=amd64] ${_param:linux_system_repo_hotfix_ubuntu_url} ${_param:linux_system_codename}-security main restricted universe"
+ architectures: amd64
+ default: true
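Review bot: `linux_system_repo_hotfix_url` ends in `/` and `linux_system_repo_hotfix_ubuntu_url` then appends `/ubuntu/`, so the rendered source line contains `//ubuntu/`. Dropping the trailing slash on the first parameter avoids that: `linux_system_repo_hotfix_url: http://mirror.mirantis.com/hotfix/${_param:apt_mk_version}`. The three sources also use plain `http://` and this class declares no key, so package integrity rests entirely on APT signature checks against a key provisioned elsewhere. The `key_url` removed later in this diff used `https://` on the same host, which suggests HTTPS is available. The same URL construction appears in linux/system/repo/mcp/apt_mirantis/update/ubuntu.yml and in the new parameters of linux/system/repo/mcp/mirror/v1/openstack.yml.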
diff --git a/linux/system/repo/mcp/apt_mirantis/saltstack.yml b/linux/system/repo/mcp/apt_mirantis/saltstack.yml
index 22b3bb8..5ba85c0 100644
--- a/linux/system/repo/mcp/apt_mirantis/saltstack.yml
+++ b/linux/system/repo/mcp/apt_mirantis/saltstack.yml
@@ -13,7 +13,16 @@
source: "deb [arch=amd64] ${_param:linux_system_repo_mcp_saltstack_url}/${_param:linux_system_codename}/ ${_param:linux_system_codename} main"
architectures: amd64
clean_file: true
- pin:
- - pin: 'release o=SaltStack'
- priority: 1100
- package: '*'
+ pinning:
+ 10:
+ enabled: true
+ pin: 'release o=SaltStack'
+ # WA for https://github.com/saltstack/salt/issues/49653
+ # Should be removed with new version\fix in upstream.
+ priority: 50
+ package: 'libsodium18'
+ 20:
+ enabled: true
+ pin: 'release o=SaltStack'
+ priority: 1100
+ package: '*'
diff --git a/linux/system/repo/mcp/apt_mirantis/update/init.yml b/linux/system/repo/mcp/apt_mirantis/update/init.yml
new file mode 100644
index 0000000..167f896
--- /dev/null
+++ b/linux/system/repo/mcp/apt_mirantis/update/init.yml
@@ -0,0 +1,2 @@
+classes:
+- system.linux.system.repo.mcp.apt_mirantis.update.ubuntu
diff --git a/linux/system/repo/mcp/apt_mirantis/update/ubuntu.yml b/linux/system/repo/mcp/apt_mirantis/update/ubuntu.yml
new file mode 100644
index 0000000..24a98d1
--- /dev/null
+++ b/linux/system/repo/mcp/apt_mirantis/update/ubuntu.yml
@@ -0,0 +1,22 @@
+parameters:
+ _param:
+ linux_system_repo_update_url: http://mirror.mirantis.com/update/${_param:apt_mk_version}/
+ linux_system_repo_update_ubuntu_url: ${_param:linux_system_repo_update_url}/ubuntu/
+ linux:
+ system:
+ repo:
+ ubuntu_update:
+ refresh_db: ${_param:linux_repo_refresh_db}
+ source: "deb [arch=amd64] ${_param:linux_system_repo_update_ubuntu_url} ${_param:linux_system_codename} main restricted universe"
+ architectures: amd64
+ default: true
+ ubuntu_updates_update:
+ refresh_db: ${_param:linux_repo_refresh_db}
+ source: "deb [arch=amd64] ${_param:linux_system_repo_update_ubuntu_url} ${_param:linux_system_codename}-updates main restricted universe"
+ architectures: amd64
+ default: true
+ ubuntu_security_update:
+ refresh_db: ${_param:linux_repo_refresh_db}
+ source: "deb [arch=amd64] ${_param:linux_system_repo_update_ubuntu_url} ${_param:linux_system_codename}-security main restricted universe"
+ architectures: amd64
+ default: true
diff --git a/linux/system/repo/mcp/mirror/v1/openstack.yml b/linux/system/repo/mcp/mirror/v1/openstack.yml
index a4a369b..37482da 100644
--- a/linux/system/repo/mcp/mirror/v1/openstack.yml
+++ b/linux/system/repo/mcp/mirror/v1/openstack.yml
@@ -1,15 +1,17 @@
+classes:
+- system.linux.system.repo.keystorage.mirantis_com
parameters:
_param:
- apt_mk_version: stable
linux_system_architecture: 'amd64'
+ linux_system_repo_url: http://mirror.mirantis.com/${_param:apt_mk_version}/
+ linux_system_repo_mirantis_openstack_url: ${_param:linux_system_repo_url}/openstack-${_param:openstack_version}/
linux:
system:
repo:
mirantis_openstack:
- source: "deb http://mirror.mirantis.com/${_param:apt_mk_version}/openstack-${_param:openstack_version}/${_param:linux_system_codename} ${_param:linux_system_codename} main"
+ source: "deb ${_param:linux_system_repo_mirantis_openstack_url}/${_param:linux_system_codename} ${_param:linux_system_codename} main"
architectures: ${_param:linux_system_architecture}
clean_file: true
- key_url: https://mirror.mirantis.com/${_param:apt_mk_version}/openstack-${_param:openstack_version}/${_param:linux_system_codename}/archive-${_param:openstack_version}.key
pin:
- pin: 'release o=Mirantis'
priority: 1100
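Review bot: Dropping `apt_mk_version: stable` while the new `linux_system_repo_url` interpolates `${_param:apt_mk_version}` leaves this class without a default for it. Any model that includes the class without defining the value elsewhere will presumably fail interpolation. If that is intended, a comment in `_param` saying where the value must come from would help. Removing `key_url` also moves the signing key from an HTTPS fetch to the key embedded by `system.linux.system.repo.keystorage.mirantis_com`, which is worth stating beside the new class line, e.g. `# repo signing key is pinned in keystorage/mirantis_com/openstack.yml`.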
diff --git a/manila/common/cluster.yml b/manila/common/cluster.yml
index 5c34bd6..46f600b 100644
--- a/manila/common/cluster.yml
+++ b/manila/common/cluster.yml
@@ -8,12 +8,13 @@
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
manila_cluster_vip_address: ${_param:cluster_vip_address}
+ openstack_rabbitmq_port: 5672
manila:
common:
version: ${_param:openstack_version}
message_queue:
engine: rabbitmq
- port: 5672
+ port: ${_param:openstack_rabbitmq_port}
user: openstack
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
diff --git a/manila/common/single.yml b/manila/common/single.yml
index f9d8c6e..e806cde 100644
--- a/manila/common/single.yml
+++ b/manila/common/single.yml
@@ -5,12 +5,13 @@
_param:
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
manila:
common:
version: ${_param:openstack_version}
message_queue:
engine: rabbitmq
- port: 5672
+ port: ${_param:openstack_rabbitmq_port}
user: openstack
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
diff --git a/neutron/client/service/public_v2.yml b/neutron/client/service/public_v2.yml
new file mode 100644
index 0000000..7c14248
--- /dev/null
+++ b/neutron/client/service/public_v2.yml
@@ -0,0 +1,24 @@
+classes:
+- service.neutron.client
+parameters:
+ neutron:
+ client:
+ resources:
+ v2:
+ admin_identity:
+ network:
+ public:
+ shared: True
+ router_external: True
+ default: True
+ provider_network_type: flat
+ provider_physical_network: physnet1
+ subnet:
+ public-subnet:
+ cidr: ${_param:openstack_public_neutron_subnet_cidr}
+ gateway_ip: ${_param:openstack_public_neutron_subnet_gateway}
+ allocation_pools:
+ - start: ${_param:openstack_public_neutron_subnet_allocation_start}
+ end: ${_param:openstack_public_neutron_subnet_allocation_end}
+ enable_dhcp: False
+ ip_version: 4
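Review bot: The `public` network is created with both `shared: True` and `router_external: True`, which in Neutron generally lets every project attach ports directly to the flat provider network rather than reaching it only through a router and floating IPs. If direct attachment is not the intent, `shared: False` is the narrower default. If it is intended, a comment above the key would record that, e.g. `# shared on purpose: tenants may plug instances straight into the public network`. The `physnet1` and `flat` values are hard-coded while the subnet values are parameters, so the same comment could say which parts are meant to be overridden.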
diff --git a/neutron/compute/cluster.yml b/neutron/compute/cluster.yml
index e348a93..92e3a2e 100644
--- a/neutron/compute/cluster.yml
+++ b/neutron/compute/cluster.yml
@@ -1,11 +1,15 @@
classes:
- service.neutron.compute.single
+- system.salt.minion.cert.rabbitmq.clients.openstack.neutron
parameters:
_param:
neutron_enable_qos: False
neutron_enable_vlan_aware_vms: False
neutron_enable_bgp_vpn: False
neutron_bgp_vpn_driver: bagpipe
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
package:
@@ -25,7 +29,15 @@
backend:
tenant_network_types: ${_param:neutron_tenant_network_types}"
message_queue:
+ port: ${_param:openstack_rabbitmq_port}
members:
- host: ${_param:openstack_message_queue_node01_address}
- host: ${_param:openstack_message_queue_node02_address}
- host: ${_param:openstack_message_queue_node03_address}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_neutron_ssl_ca_file}
+ key_file: ${_param:rabbitmq_neutron_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_neutron_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
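Review bot: The new `message_queue` block exposes two independent switches, `x509.enabled` and `ssl.enabled`, and nothing here says how they combine, for example whether client certificates are used at all when `ssl.enabled` is false. Both default to `False` in `_param` in the first hunk of this file, so by default this class presumably sends the RabbitMQ credentials in cleartext. A comment above `x509:` would help operators, e.g. `# x509 (client cert auth) requires ssl.enabled; enable both and move the port to the TLS listener`, with the exact dependency confirmed against the neutron formula. The same block is added in neutron/control/cluster.yml, neutron/control/single.yml, neutron/gateway/cluster.yml and the nova compute and control classes.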
diff --git a/neutron/control/cluster.yml b/neutron/control/cluster.yml
index 12baf43..ceaed1d 100644
--- a/neutron/control/cluster.yml
+++ b/neutron/control/cluster.yml
@@ -5,41 +5,36 @@
- system.haproxy.proxy.listen.openstack.neutron
- system.galera.server.database.neutron
- system.salt.minion.cert.mysql.clients.openstack.neutron
+- system.salt.minion.cert.rabbitmq.clients.openstack.neutron
parameters:
_param:
cluster_internal_protocol: 'http'
openstack_mysql_x509_enabled: False
+ openstack_rabbitmq_x509_enabled: False
galera_ssl_enabled: False
+ rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
package:
python-pymysql:
fromrepo: ${_param:openstack_version}
version: latest
- haproxy:
- proxy:
- listen:
- neutron_api:
- type: openstack-service
- service_name: neutron
- binds:
- - address: ${_param:cluster_vip_address}
- port: 9696
- servers:
- - name: ${_param:cluster_node01_hostname}
- host: ${_param:cluster_node01_address}
- port: 9696
- params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3
- - name: ${_param:cluster_node02_hostname}
- host: ${_param:cluster_node02_address}
- port: 9696
- params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3
- - name: ${_param:cluster_node03_hostname}
- host: ${_param:cluster_node03_address}
- port: 9696
- params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3
neutron:
server:
+ message_queue:
+ port: ${_param:openstack_rabbitmq_port}
+ members:
+ - host: ${_param:openstack_message_queue_node01_address}
+ - host: ${_param:openstack_message_queue_node02_address}
+ - host: ${_param:openstack_message_queue_node03_address}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_neutron_ssl_ca_file}
+ key_file: ${_param:rabbitmq_neutron_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_neutron_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
database:
x509:
enabled: ${_param:openstack_mysql_x509_enabled}
@@ -49,6 +44,5 @@
ssl:
enabled: ${_param:galera_ssl_enabled}
role: ${_param:openstack_node_role}
- plugin: contrail
identity:
protocol: ${_param:cluster_internal_protocol}
diff --git a/neutron/control/opencontrail/cluster.yml b/neutron/control/opencontrail/cluster.yml
index d85e554..4bc0e71 100644
--- a/neutron/control/opencontrail/cluster.yml
+++ b/neutron/control/opencontrail/cluster.yml
@@ -1,9 +1,5 @@
classes:
-- service.keepalived.cluster.single
-- service.haproxy.proxy.single
-- service.neutron.control.cluster
-- system.haproxy.proxy.listen.openstack.neutron
-- system.galera.server.database.neutron
+- system.neutron.control.cluster
parameters:
neutron:
server:
@@ -13,11 +9,6 @@
identity:
region: ${_param:openstack_region}
host: ${_param:openstack_control_address}
- message_queue:
- members:
- - host: ${_param:openstack_message_queue_node01_address}
- - host: ${_param:openstack_message_queue_node02_address}
- - host: ${_param:openstack_message_queue_node03_address}
compute:
host: ${_param:openstack_control_address}
region: ${_param:openstack_region}
@@ -28,4 +19,4 @@
user: admin
password: ${_param:keystone_admin_password}
tenant: admin
- token: ${_param:keystone_service_token}
\ No newline at end of file
+ token: ${_param:keystone_service_token}
diff --git a/neutron/control/opencontrail/single.yml b/neutron/control/opencontrail/single.yml
index 4bbd8f8..5cf06bf 100644
--- a/neutron/control/opencontrail/single.yml
+++ b/neutron/control/opencontrail/single.yml
@@ -1,5 +1,5 @@
classes:
-- service.neutron.control.single
+- system.neutron.control.single
- system.galera.server.database.neutron
parameters:
neutron:
@@ -12,7 +12,7 @@
host: ${_param:openstack_control_address}
message_queue:
members:
- - host: ${_param:openstack_message_queue_node01_address}
+ - host: ${_param:single_address}
compute:
host: ${_param:openstack_control_address}
region: ${_param:openstack_region}
@@ -23,4 +23,4 @@
user: admin
password: ${_param:keystone_admin_password}
tenant: admin
- token: ${_param:keystone_service_token}
\ No newline at end of file
+ token: ${_param:keystone_service_token}
diff --git a/neutron/control/opendaylight/cluster.yml b/neutron/control/opendaylight/cluster.yml
index 1f8142e..2f22403 100644
--- a/neutron/control/opendaylight/cluster.yml
+++ b/neutron/control/opendaylight/cluster.yml
@@ -1,7 +1,4 @@
classes:
-- service.keepalived.cluster.single
-- service.haproxy.proxy.single
-- service.neutron.control.cluster
- system.neutron.control.openvswitch.cluster
parameters:
_param:
diff --git a/neutron/control/opendaylight/single.yml b/neutron/control/opendaylight/single.yml
index 297cfa0..c12d04a 100644
--- a/neutron/control/opendaylight/single.yml
+++ b/neutron/control/opendaylight/single.yml
@@ -1,5 +1,4 @@
classes:
-- service.neutron.control.single
- system.neutron.control.openvswitch.single
parameters:
_param:
diff --git a/neutron/control/openvswitch/cluster.yml b/neutron/control/openvswitch/cluster.yml
index 5800060..094449e 100644
--- a/neutron/control/openvswitch/cluster.yml
+++ b/neutron/control/openvswitch/cluster.yml
@@ -1,8 +1,5 @@
classes:
-- service.keepalived.cluster.single
-- service.haproxy.proxy.single
-- service.neutron.control.cluster
-- system.galera.server.database.neutron
+- system.neutron.control.cluster
parameters:
_param:
neutron_control_dvr: True
@@ -40,30 +37,3 @@
identity:
region: ${_param:openstack_region}
protocol: ${_param:cluster_internal_protocol}
- message_queue:
- members:
- - host: ${_param:openstack_message_queue_node01_address}
- - host: ${_param:openstack_message_queue_node02_address}
- - host: ${_param:openstack_message_queue_node03_address}
- haproxy:
- proxy:
- listen:
- neutron_api:
- type: openstack-service
- service_name: neutron
- binds:
- - address: ${_param:cluster_vip_address}
- port: 9696
- servers:
- - name: ${_param:cluster_node01_hostname}
- host: ${_param:cluster_node01_address}
- port: 9696
- params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3
- - name: ${_param:cluster_node02_hostname}
- host: ${_param:cluster_node02_address}
- port: 9696
- params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3
- - name: ${_param:cluster_node03_hostname}
- host: ${_param:cluster_node03_address}
- port: 9696
- params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3
diff --git a/neutron/control/openvswitch/single.yml b/neutron/control/openvswitch/single.yml
index da8dee0..5beb0ca 100644
--- a/neutron/control/openvswitch/single.yml
+++ b/neutron/control/openvswitch/single.yml
@@ -1,6 +1,5 @@
classes:
-- service.neutron.control.single
-- system.galera.server.database.neutron
+- system.neutron.control.single
parameters:
_param:
neutron_control_dvr: True
@@ -41,4 +40,4 @@
protocol: ${_param:internal_protocol}
message_queue:
members:
- - host: ${_param:openstack_message_queue_node01_address}
+ - host: ${_param:single_address}
diff --git a/neutron/control/single.yml b/neutron/control/single.yml
index 6ced2f1..27d16e1 100644
--- a/neutron/control/single.yml
+++ b/neutron/control/single.yml
@@ -2,11 +2,15 @@
- service.neutron.control.single
- system.galera.server.database.neutron
- system.salt.minion.cert.mysql.clients.openstack.neutron
+- system.salt.minion.cert.rabbitmq.clients.openstack.neutron
parameters:
_param:
internal_protocol: 'http'
openstack_mysql_x509_enabled: False
+ openstack_rabbitmq_x509_enabled: False
galera_ssl_enabled: False
+ rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
package:
@@ -17,7 +21,6 @@
server:
role: ${_param:openstack_node_role}
database:
- host: ${_param:single_address}
x509:
enabled: ${_param:openstack_mysql_x509_enabled}
ca_file: ${_param:mysql_neutron_ssl_ca_file}
@@ -25,5 +28,14 @@
cert_file: ${_param:mysql_neutron_client_ssl_cert_file}
ssl:
enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:openstack_rabbitmq_port}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_neutron_ssl_ca_file}
+ key_file: ${_param:rabbitmq_neutron_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_neutron_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
identity:
protocol: ${_param:internal_protocol}
diff --git a/neutron/gateway/cluster.yml b/neutron/gateway/cluster.yml
index 558a814..03ab583 100644
--- a/neutron/gateway/cluster.yml
+++ b/neutron/gateway/cluster.yml
@@ -1,9 +1,13 @@
classes:
- service.neutron.gateway.single
+- system.salt.minion.cert.rabbitmq.clients.openstack.neutron
parameters:
_param:
neutron_enable_qos: False
neutron_enable_vlan_aware_vms: False
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
kernel:
@@ -18,7 +22,15 @@
backend:
tenant_network_types: ${_param:neutron_tenant_network_types}"
message_queue:
+ port: ${_param:openstack_rabbitmq_port}
members:
- host: ${_param:openstack_message_queue_node01_address}
- host: ${_param:openstack_message_queue_node02_address}
- host: ${_param:openstack_message_queue_node03_address}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_neutron_ssl_ca_file}
+ key_file: ${_param:rabbitmq_neutron_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_neutron_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
diff --git a/nova/compute/cluster.yml b/nova/compute/cluster.yml
index c88dcc7..b281f4d 100644
--- a/nova/compute/cluster.yml
+++ b/nova/compute/cluster.yml
@@ -1,5 +1,6 @@
classes:
- service.nova.compute.kvm
+- system.salt.minion.cert.rabbitmq.clients.openstack.nova
parameters:
_param:
nova_vncproxy_url: https://${_param:cluster_public_host}:6080
@@ -36,6 +37,9 @@
SG9MrLHCd5l60aCUQg0UA5ed7Hd6SA314k+HwxJno9/wJ+voBeacMg==
-----END RSA PRIVATE KEY-----
cluster_internal_protocol: 'http'
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
openssh:
client:
enabled: True
@@ -72,7 +76,7 @@
protocol: ${_param:cluster_internal_protocol}
message_queue:
engine: rabbitmq
- port: 5672
+ port: ${_param:openstack_rabbitmq_port}
user: openstack
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
@@ -80,6 +84,13 @@
- host: ${_param:openstack_message_queue_node01_address}
- host: ${_param:openstack_message_queue_node02_address}
- host: ${_param:openstack_message_queue_node03_address}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_nova_ssl_ca_file}
+ key_file: ${_param:rabbitmq_nova_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_nova_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
image:
engine: glance
host: ${_param:cluster_vip_address}
diff --git a/nova/compute/single.yml b/nova/compute/single.yml
index 67c329d..32d5087 100644
--- a/nova/compute/single.yml
+++ b/nova/compute/single.yml
@@ -2,6 +2,7 @@
- nova
classes:
- service.nova.compute.kvm
+- system.salt.minion.cert.rabbitmq.clients.openstack.nova
parameters:
_param:
nova_vncproxy_url: https://${_param:cluster_public_host}:6080
@@ -36,6 +37,9 @@
SG9MrLHCd5l60aCUQg0UA5ed7Hd6SA314k+HwxJno9/wJ+voBeacMg==
-----END RSA PRIVATE KEY-----
cluster_internal_protocol: 'http'
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
openssh:
client:
enabled: True
@@ -72,10 +76,17 @@
message_queue:
engine: rabbitmq
host: ${_param:control_address}
- port: 5672
+ port: ${_param:openstack_rabbitmq_port}
user: openstack
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_nova_ssl_ca_file}
+ key_file: ${_param:rabbitmq_nova_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_nova_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
image:
engine: glance
host: ${_param:control_address}
diff --git a/nova/control/cluster.yml b/nova/control/cluster.yml
index 2f411b5..3f0a644 100644
--- a/nova/control/cluster.yml
+++ b/nova/control/cluster.yml
@@ -5,6 +5,7 @@
- system.haproxy.proxy.listen.openstack.nova
- system.haproxy.proxy.listen.openstack.novnc
- system.salt.minion.cert.mysql.clients.openstack.nova
+- system.salt.minion.cert.rabbitmq.clients.openstack.nova
parameters:
_param:
nova_vncproxy_url: http://${_param:cluster_vip_address}:6080
@@ -15,6 +16,9 @@
cluster_internal_protocol: 'http'
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
package:
@@ -65,7 +69,7 @@
protocol: ${_param:cluster_internal_protocol}
message_queue:
engine: rabbitmq
- port: 5672
+ port: ${_param:openstack_rabbitmq_port}
user: openstack
password: ${_param:rabbitmq_openstack_password}
virtual_host: '/openstack'
@@ -73,6 +77,13 @@
- host: ${_param:openstack_message_queue_node01_address}
- host: ${_param:openstack_message_queue_node02_address}
- host: ${_param:openstack_message_queue_node03_address}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_nova_ssl_ca_file}
+ key_file: ${_param:rabbitmq_nova_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_nova_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
glance:
host: ${_param:cluster_vip_address}
port: 9292
diff --git a/nova/control/single.yml b/nova/control/single.yml
index e7d7671..2a28cc7 100644
--- a/nova/control/single.yml
+++ b/nova/control/single.yml
@@ -1,11 +1,15 @@
classes:
- system.salt.minion.cert.mysql.clients.openstack.nova
+- system.salt.minion.cert.rabbitmq.clients.openstack.nova
- service.nova.control.single
parameters:
_param:
cluster_internal_protocol: 'http'
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
+ openstack_rabbitmq_port: 5672
linux:
system:
package:
@@ -32,3 +36,13 @@
region: ${_param:openstack_region}
glance:
protocol: ${_param:cluster_internal_protocol}
+ message_queue:
+ port: ${_param:openstack_rabbitmq_port}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_nova_ssl_ca_file}
+ key_file: ${_param:rabbitmq_nova_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_nova_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
+
diff --git a/opencontrail/control/cluster4_0.yml b/opencontrail/control/cluster4_0.yml
index 4f1127f..c97196f 100644
--- a/opencontrail/control/cluster4_0.yml
+++ b/opencontrail/control/cluster4_0.yml
@@ -22,6 +22,7 @@
opencontrail_controller_container_name: opencontrail_controller_1
opencontrail_analytics_container_name: opencontrail_analytics_1
opencontrail_analyticsdb_container_name: opencontrail_analyticsdb_1
+ opencontrail_api_workers_count: 6
analytics_vip_address: ${_param:opencontrail_analytics_address}
# Temprorary fix for MOS9 packages to pin old version of kafka
linux:
@@ -81,6 +82,7 @@
host: None
api:
host: ${_param:opencontrail_control_address}
+ workers_count: ${_param:opencontrail_api_workers_count}
analytics:
members:
- host: ${_param:cluster_node01_address}
diff --git a/opencontrail/control/control4_0.yml b/opencontrail/control/control4_0.yml
index 207e9da..123392c 100644
--- a/opencontrail/control/control4_0.yml
+++ b/opencontrail/control/control4_0.yml
@@ -14,6 +14,7 @@
opencontrail_message_queue_node03_address: ${_param:openstack_message_queue_node03_address}
opencontrail_controller_image: ${_param:mcp_docker_registry}/opencontrail-${_param:linux_repo_contrail_component}/opencontrail-controller:${_param:opencontrail_image_tag}
opencontrail_controller_container_name: opencontrail_controller_1
+ opencontrail_api_workers_count: 6
analytics_vip_address: ${_param:opencontrail_analytics_address}
opencontrail:
common:
@@ -32,6 +33,7 @@
host: None
api:
host: ${_param:opencontrail_control_address}
+ workers_count: ${_param:opencontrail_api_workers_count}
analytics:
members:
- host: ${_param:opencontrail_analytics_node01_address}
diff --git a/openssh/server/team/members/obryndzii.yml b/openssh/server/team/members/obryndzii.yml
index 9f7498c..911bdd8 100644
--- a/openssh/server/team/members/obryndzii.yml
+++ b/openssh/server/team/members/obryndzii.yml
@@ -16,6 +16,5 @@
obryndzii:
enabled: true
public_keys:
- - key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdHeeCZb+4YOBC925Byc0JkdFiNHnxl1DikrJlvza66n+URnfpTvtYhy70oT4jWruWf5dGAh81LK6SJfcLKqDvSNwAU4utQp1t71VllPB482oUhFSBAPOhWHElFakWcgnayOFVtMKhUZ4d5i+C7vXr+JpporBk6le7LuHD0/vNEG6SywexV3/lDZV1kahPSHblBxaED6nNeAODXXRMAOzgV25+UcDINaVTSzzQtCfUHydkVmw+TmxYc5wbdac1AtUkFmFbC6XTsv4VyZsH563jHNRf4UYPN6MP4SWv8axPiGUU5jr4laaIpDQ0TF/b+0Z+QidDxxTIsQxR0r/auUJp obryndzii@obryndzii-pc
- - key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDD+5Ykrt46voaBAZ4BnYCB7EjRWNd6R+IqLaoQJzHh0joXVyZj/MsV0LcegxVV21Qnecp3qSw9XQiyJ9cghJbN3/AhEFpx7yZzf7sHez7FxRFefBSCO2IYSDBabO4eyv1X8UXtJrZ88lJBmWQr8nVy3E78za1cq0jRKNlGyvTrRtwY69WDhhc6k8CxIGAUrT6uAFeNCfroRKuw3zDm0FIxoq0eExNwBNw0rIXXUowDoCafTYSVpqSQ+Sby/wfRMc12ISmUnOQ2d9A1+YWoZgdHs+G/OK1ADQu/6edaSOWhX0BGLNRig5lWfgbOmAlzIqNqcLDMaBrcwcpi2LN5pIQf obryndzii@obryndzii-pc
+ - key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCHoSxtdURZfgjJbbcKDA4TUUTixKVcRkGfgISYu55IF3scjoFRynaFP4zjBIitcTzxuvo7ZlE5ymxMHC0UNm5HU8tjmVscKcQs73lrjTr7jT24dZ8mr27nEbuTOa73FotPoIH5ao0wSSDc7PDXRUvJNI3xoZAd2KW1NZVRFFJ5jo/byuIfqIJLIAvOBTyUDoIrbL+3/WFIjdZ8MPlfyC8Bi09KfrM4hmzGDja4Mcfm4M7kMcw+B2DCpTtYUFCqjuYgTNC6EbTch21Afe9MCtdVqBBddFKFDU0WZtKfcHTuOVfiSrK47jA0ljU6HdHxFGmh3cz1ajux58T6/RHfXID obryndzii@obryndzii-pc
user: ${linux:system:user:obryndzii}
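Review bot: This hunk swaps both previous public keys for one new `ssh-rsa` key, and the same commit adds this member to `oscore_devops`, whose parameters set `linux_system_user_sudo: true`, so the new key presumably carries sudo wherever that team class is included. Removing the old entries from the model revokes them only if the consuming state manages the user's authorized keys exclusively. That is not visible here, so it is worth confirming the old keys disappear from already-provisioned hosts. A short comment such as `# key rotated; the two previous keys are retired` would make the change auditable.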
diff --git a/openssh/server/team/oscore_devops.yml b/openssh/server/team/oscore_devops.yml
index 31830fc..5ba280a 100644
--- a/openssh/server/team/oscore_devops.yml
+++ b/openssh/server/team/oscore_devops.yml
@@ -12,6 +12,7 @@
- system.openssh.server.team.members.sgarbuz
- system.openssh.server.team.members.oshyshko
- system.openssh.server.team.members.pshchelo
+- system.openssh.server.team.members.obryndzii
parameters:
_param:
linux_system_user_sudo: true
diff --git a/panko/server/cluster.yml b/panko/server/cluster.yml
index 9715456..7954944 100644
--- a/panko/server/cluster.yml
+++ b/panko/server/cluster.yml
@@ -26,6 +26,7 @@
event_time_to_live: ${_param:panko_event_time_to_live}
identity:
host: ${_param:openstack_control_address}
+ protocol: ${_param:cluster_internal_protocol}
database:
host: ${_param:openstack_database_address}
x509:
diff --git a/panko/server/single.yml b/panko/server/single.yml
index cb1a449..968267c 100644
--- a/panko/server/single.yml
+++ b/panko/server/single.yml
@@ -16,6 +16,8 @@
enabled: true
panko:
server:
+ identity:
+ protocol: ${_param:internal_protocol}
database:
x509:
enabled: ${_param:openstack_mysql_x509_enabled}
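Review bot: `protocol: ${_param:internal_protocol}` references a different parameter from the matching line in panko/server/cluster.yml, which uses `${_param:cluster_internal_protocol}`, and no definition of `internal_protocol` is visible in this hunk (the file's `_param` section starts outside it). If nothing in the class tree defines it, interpolation would fail on nodes using this class, or the identity protocol would come from an unrelated value. Unless the difference is deliberate, use `protocol: ${_param:cluster_internal_protocol}` here and define a default under `_param`, as nova/control/single.yml does.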
diff --git a/rabbitmq/server/ssl/init.yml b/rabbitmq/server/ssl/init.yml
index 71cc1a7..961d28d 100644
--- a/rabbitmq/server/ssl/init.yml
+++ b/rabbitmq/server/ssl/init.yml
@@ -5,7 +5,7 @@
_param:
rabbitmq_ssl_enabled: true
openstack_rabbitmq_x509_enabled: false
- rabbitmq_port: 5671 # for non-ssl use 5672 / for ssl 5671
+ openstack_rabbitmq_port: 5671 # for non-ssl use 5672 / for ssl 5671
rabbitmq:
server:
ssl:
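Review bot: After the rename to `openstack_rabbitmq_port`, this class no longer sets `rabbitmq_port` at all, so anything still interpolating `${_param:rabbitmq_port}` stops receiving 5671 when the SSL class is included. Whether such consumers remain is not visible in this hunk. If they do, keep a compatibility alias such as `rabbitmq_port: ${_param:openstack_rabbitmq_port}` until they are migrated. The context line `openstack_rabbitmq_x509_enabled: false` also stays off while this commit adds client certificate classes, so a comment saying whether server-only TLS is the intended default would help.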
diff --git a/reclass/storage/system/kubernetes_contrail_cluster.yml b/reclass/storage/system/kubernetes_contrail_cluster.yml
index 49a70e2..c85f6f0 100644
--- a/reclass/storage/system/kubernetes_contrail_cluster.yml
+++ b/reclass/storage/system/kubernetes_contrail_cluster.yml
@@ -15,7 +15,6 @@
domain: ${_param:cluster_domain}
classes:
- cluster.${_param:cluster_name}.kubernetes.control
- - cluster.${_param:cluster_name}.opencontrail.control
params:
salt_master_host: ${_param:reclass_config_master}
linux_system_codename: ${_param:kubernetes_control_system_codename}
@@ -29,7 +28,6 @@
domain: ${_param:cluster_domain}
classes:
- cluster.${_param:cluster_name}.kubernetes.control
- - cluster.${_param:cluster_name}.opencontrail.control
params:
salt_master_host: ${_param:reclass_config_master}
linux_system_codename: ${_param:kubernetes_control_system_codename}
@@ -43,7 +41,6 @@
domain: ${_param:cluster_domain}
classes:
- cluster.${_param:cluster_name}.kubernetes.control
- - cluster.${_param:cluster_name}.opencontrail.control
params:
salt_master_host: ${_param:reclass_config_master}
linux_system_codename: ${_param:kubernetes_control_system_codename}
diff --git a/salt/minion/cert/openstack_api.yml b/salt/minion/cert/openstack_api.yml
new file mode 100644
index 0000000..1095f7e
--- /dev/null
+++ b/salt/minion/cert/openstack_api.yml
@@ -0,0 +1,22 @@
+parameters:
+ _param:
+ salt_minion_ca_host: ${linux:network:fqdn}
+ salt_minion_ca_authority: salt_master_ca
+ openstack_api_cert_alternative_names: IP:127.0.0.1,IP:${_param:cluster_local_address},IP:${_param:cluster_vip_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+ openstack_api_cert_key_file: "/etc/ssl/private/openstack_api.key"
+ openstack_api_cert_cert_file: "/etc/ssl/certs/openstack_api.crt"
+ openstack_api_cert_all_file: "/etc/ssl/certs/openstack_api_with_chain.crt"
+ salt:
+ minion:
+ cert:
+ openstack_api:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: openstack_api
+ signing_policy: cert_server
+ alternative_names: ${_param:openstack_api_cert_alternative_names}
+ key_file: ${_param:openstack_api_cert_key_file}
+ cert_file: ${_param:openstack_api_cert_cert_file}
+ all_file: ${_param:openstack_api_cert_all_file}
+ enabled: true
+ engine: salt
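Review bot: `salt_minion_ca_host` is set here to `${linux:network:fqdn}`, while the rabbitmq client certificate classes added in this same commit set the same `_param` key to `cfg01.${_param:cluster_domain}`. On a node that includes both, one value would override the other by class order, and one of the certificates would be requested from the wrong CA host. A class-specific parameter would avoid the collision, for example a new `openstack_api_cert_ca_host` referenced as `host: ${_param:openstack_api_cert_ca_host}`. The entry also sets no `user`, `group` or `mode` for `/etc/ssl/private/openstack_api.key`, unlike the client classes, so the key's permissions depend on the formula default, which a comment should state.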
diff --git a/salt/minion/cert/rabbitmq/clients/openstack/aodh.yml b/salt/minion/cert/rabbitmq/clients/openstack/aodh.yml
new file mode 100644
index 0000000..537a3a4
--- /dev/null
+++ b/salt/minion/cert/rabbitmq/clients/openstack/aodh.yml
@@ -0,0 +1,27 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ rabbitmq_aodh_client_ssl_key_file: /etc/aodh/ssl/rabbitmq/client-key.pem
+ rabbitmq_aodh_client_ssl_cert_file: /etc/aodh/ssl/rabbitmq/client-cert.pem
+ rabbitmq_aodh_ssl_ca_file: /etc/aodh/ssl/rabbitmq/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ rabbitmq-aodh-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: rabbitmq-aodh-client
+ signing_policy: cert_client
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:rabbitmq_aodh_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_aodh_client_ssl_cert_file}
+ ca_file: ${_param:rabbitmq_aodh_ssl_ca_file}
+ user: aodh
+ group: aodh
+ mode: 640
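Review bot: `alternative_names` uses the folded style `>`, which yields a value with a space after each comma and a trailing newline, and it lists `DNS:${_param:cluster_local_address}` for the same parameter that the line above treats as an IP address. Whether the signing state trims the value is not visible here; `alternative_names: >-` at least drops the trailing newline. An IP literal in a DNS entry is usually not matched by certificate verifiers, so either drop that entry or add a comment naming the consumer that needs it. The same block appears in nova.yml. The six client classes also disagree on SANs (neutron lists DNS names only; ceilometer, designate and ironic set none), which deserves one explanatory comment.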
diff --git a/salt/minion/cert/rabbitmq/clients/openstack/ceilometer.yml b/salt/minion/cert/rabbitmq/clients/openstack/ceilometer.yml
new file mode 100644
index 0000000..a2b91fd
--- /dev/null
+++ b/salt/minion/cert/rabbitmq/clients/openstack/ceilometer.yml
@@ -0,0 +1,22 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ rabbitmq_ceilometer_client_ssl_key_file: /etc/ceilometer/ssl/rabbitmq/client-key.pem
+ rabbitmq_ceilometer_client_ssl_cert_file: /etc/ceilometer/ssl/rabbitmq/client-cert.pem
+ rabbitmq_ceilometer_ssl_ca_file: /etc/ceilometer/ssl/rabbitmq/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ rabbitmq-ceilometer-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: rabbitmq-ceilometer-client
+ signing_policy: cert_client
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:rabbitmq_ceilometer_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_ceilometer_client_ssl_cert_file}
+ ca_file: ${_param:rabbitmq_ceilometer_ssl_ca_file}
+ user: ceilometer
+ group: ceilometer
+ mode: 640
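Review bot: `mode: 640` is an unquoted integer; file modes in Salt data are safer as quoted strings, `mode: '0640'`, because adding a leading zero later would turn the unquoted value into an octal literal under YAML 1.1. This applies equally to the aodh, designate, ironic, neutron and nova client classes in this commit. The mode presumably covers the client private key, so a brief comment such as `# key readable by the service user and group only` would document the intent.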
diff --git a/salt/minion/cert/rabbitmq/clients/openstack/designate.yml b/salt/minion/cert/rabbitmq/clients/openstack/designate.yml
new file mode 100644
index 0000000..f5eb631
--- /dev/null
+++ b/salt/minion/cert/rabbitmq/clients/openstack/designate.yml
@@ -0,0 +1,22 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ rabbitmq_designate_client_ssl_key_file: /etc/designate/ssl/rabbitmq/client-key.pem
+ rabbitmq_designate_client_ssl_cert_file: /etc/designate/ssl/rabbitmq/client-cert.pem
+ rabbitmq_designate_ssl_ca_file: /etc/designate/ssl/rabbitmq/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ rabbitmq-designate-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: rabbitmq-designate-client
+ signing_policy: cert_client
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:rabbitmq_designate_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_designate_client_ssl_cert_file}
+ ca_file: ${_param:rabbitmq_designate_ssl_ca_file}
+ user: designate
+ group: designate
+ mode: 640
diff --git a/salt/minion/cert/rabbitmq/clients/openstack/ironic.yml b/salt/minion/cert/rabbitmq/clients/openstack/ironic.yml
new file mode 100644
index 0000000..f9b0d74
--- /dev/null
+++ b/salt/minion/cert/rabbitmq/clients/openstack/ironic.yml
@@ -0,0 +1,22 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ rabbitmq_ironic_client_ssl_key_file: /etc/ironic/ssl/rabbitmq/client-key.pem
+ rabbitmq_ironic_client_ssl_cert_file: /etc/ironic/ssl/rabbitmq/client-cert.pem
+ rabbitmq_ironic_ssl_ca_file: /etc/ironic/ssl/rabbitmq/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ rabbitmq-ironic-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: rabbitmq-ironic-client
+ signing_policy: cert_client
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:rabbitmq_ironic_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_ironic_client_ssl_cert_file}
+ ca_file: ${_param:rabbitmq_ironic_ssl_ca_file}
+ user: ironic
+ group: ironic
+ mode: 640
diff --git a/salt/minion/cert/rabbitmq/clients/openstack/neutron.yml b/salt/minion/cert/rabbitmq/clients/openstack/neutron.yml
new file mode 100644
index 0000000..2f8f5c3
--- /dev/null
+++ b/salt/minion/cert/rabbitmq/clients/openstack/neutron.yml
@@ -0,0 +1,25 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ rabbitmq_neutron_client_ssl_key_file: /etc/neutron/ssl/rabbitmq/client-key.pem
+ rabbitmq_neutron_client_ssl_cert_file: /etc/neutron/ssl/rabbitmq/client-cert.pem
+ rabbitmq_neutron_ssl_ca_file: /etc/neutron/ssl/rabbitmq/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ rabbitmq-neutron-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: rabbitmq-neutron-client
+ signing_policy: cert_client
+ alternative_names: >
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:rabbitmq_neutron_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_neutron_client_ssl_cert_file}
+ ca_file: ${_param:rabbitmq_neutron_ssl_ca_file}
+ user: neutron
+ group: neutron
+ mode: 640
diff --git a/salt/minion/cert/rabbitmq/clients/openstack/nova.yml b/salt/minion/cert/rabbitmq/clients/openstack/nova.yml
new file mode 100644
index 0000000..04a6078
--- /dev/null
+++ b/salt/minion/cert/rabbitmq/clients/openstack/nova.yml
@@ -0,0 +1,27 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ rabbitmq_nova_client_ssl_key_file: /etc/nova/ssl/rabbitmq/client-key.pem
+ rabbitmq_nova_client_ssl_cert_file: /etc/nova/ssl/rabbitmq/client-cert.pem
+ rabbitmq_nova_ssl_ca_file: /etc/nova/ssl/rabbitmq/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ rabbitmq-nova-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: rabbitmq-nova-client
+ signing_policy: cert_client
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:rabbitmq_nova_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_nova_client_ssl_cert_file}
+ ca_file: ${_param:rabbitmq_nova_ssl_ca_file}
+ user: nova
+ group: nova
+ mode: 640