Merge "Drop odd keys from structure" into release/2019.2.0
diff --git a/defaults/docker_images.yml b/defaults/docker_images.yml
index 6adab6b..edd2197 100644
--- a/defaults/docker_images.yml
+++ b/defaults/docker_images.yml
@@ -43,7 +43,7 @@
docker_image_keycloak_server: "${_param:mcp_docker_registry}/mirantis/external/jboss/keycloak:4.5.0.Final"
docker_image_keycloak_proxy: "${_param:mcp_docker_registry}/mirantis/external/jboss/keycloak:3.4.2.Final"
# CVP
- docker_image_cvp_sanity_checks: ${_param:mcp_docker_registry}/mirantis/cvp/cvp-sanity-checks:2019.2.2
+ docker_image_cvp_sanity_checks: ${_param:mcp_docker_registry}/mirantis/cvp/cvp-sanity-checks:2019.2.3
# aptly
docker_image_aptly:
base: "${_param:mcp_docker_registry}/mirantis/cicd/aptly:${_param:mcp_version}"
diff --git a/defaults/openstack/init.yml b/defaults/openstack/init.yml
index 3c46a0d..e4f686b 100644
--- a/defaults/openstack/init.yml
+++ b/defaults/openstack/init.yml
@@ -99,6 +99,24 @@
keystone_old_version: ${_param:openstack_old_version}
keystone_version: ${_param:openstack_version}
keystone_upgrade_enabled: ${_param:openstack_upgrade_enabled}
+ # (obryndzii) Rotating keys too frequently, or with ``[fernet_tokens] max_active_keys``
+ # set too low, will cause tokens to become invalid prior to their expiration.
+ # As tokens may be fetched beyond their initial expiration period (nova live migration,
+ # cider volume backup), keys should not be fully rotated within the period of
+ # ``[token] expiration``+``[token] allow_expired_window`` seconds to prevent the tokens
+ # becoming unavailable.
+ # The max_active_keys default value was adjusted according to the following defaults:
+ # [token]/allow_expired_window = 172800 (48 hours)
+ # [token]/expiration = 3600 (1 hour)
+ # rotation_frequency = 1 hour (keystone_fernet_rotate_rsync_minute/hour 0 *)
+ # max_active_keys = (allow_expired_window + expiration)/rotation_frequency + 2
+ # In case of changing those defaults the keystone_tokens_max_active_keys value should be
+ # calculated according to the definition above.
+ keystone_tokens_expiration: 3600
+ keystone_tokens_max_active_keys: 51
+ keystone_tokens_allow_expired_window: 172800
+ keystone_fernet_rotate_rsync_minute: 0
+ keystone_fernet_rotate_rsync_hour: '*'
# Manila
manila_old_version: ${_param:openstack_old_version}
manila_version: ${_param:openstack_version}
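Review bot: The formula comment above `keystone_tokens_max_active_keys: 51` assumes the hourly schedule fixed by `keystone_fernet_rotate_rsync_minute: 0` / `keystone_fernet_rotate_rsync_hour: '*'` just below it, but nothing ties the two values together, and the comment only warns about the under-rotation failure (tokens invalidated early). The converse is the security-relevant one: slowing the cron (e.g. a fixed `_hour` for daily rotation) while leaving 51 active keys keeps each Fernet key accepted for roughly 51 days instead of 51 hours, widening the window in which a leaked key still signs valid tokens. I would add below the formula: `# Conversely, rotating less often than assumed keeps old keys valid well past the 48h window; recompute (not just raise) this value whenever the cron changes.` The sentence mentioning `cider volume backup` also has a typo for `cinder`.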
diff --git a/jenkins/client/job/ceph/add-osd-upmap.yml b/jenkins/client/job/ceph/add-osd-upmap.yml
new file mode 100644
index 0000000..f6390a6
--- /dev/null
+++ b/jenkins/client/job/ceph/add-osd-upmap.yml
@@ -0,0 +1,32 @@
+parameters:
+ jenkins:
+ client:
+ job:
+ ceph-add-osd-upmap:
+ type: workflow-scm
+ concurrent: true
+ display_name: "Ceph - add osd"
+ description: "This pipeline requires ceph luminous version, all clients must be upgraded to luminous version to proceed."
+ discard:
+ build:
+ keep_num: 50
+ scm:
+ type: git
+ url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+ branch: "${_param:jenkins_pipelines_branch}"
+ credentials: "gerrit"
+ script: ceph-add-osd-upmap.groovy
+ param:
+ # general parameters
+ SALT_MASTER_URL:
+ type: string
+ description: URL of Salt master
+ default: "${_param:jenkins_salt_api_url}"
+ SALT_MASTER_CREDENTIALS:
+ type: string
+ description: Credentials for login to Salt API
+ default: salt
+ HOST:
+ type: string
+ description: OSD HOST that will be added to Ceph cluster (rgw04*)
+ default: 'osd*'
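Review bot: The `HOST` parameter's description uses `rgw04*` as its example, which is a RADOS gateway node name, while the parameter is described as the OSD host to add and defaults to `osd*`; the example should match, e.g. `description: OSD host (Salt minion glob) that will be added to the Ceph cluster, e.g. osd04*`. The default `'osd*'` also matches every OSD minion, so a run with parameters left untouched targets the whole OSD tier; unless that is intended, `default: ''` would force the operator to name the host (how the pipeline treats an empty glob is outside this diff). `concurrent: true` on a job that changes cluster membership is worth a second look, since two overlapping runs would both be adding OSDs while upmap state is in flux — I cannot tell from the job definition whether the Groovy pipeline serializes that itself.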
diff --git a/keystone/server/cluster.yml b/keystone/server/cluster.yml
index d64a6cb..7e9ea1b 100644
--- a/keystone/server/cluster.yml
+++ b/keystone/server/cluster.yml
@@ -11,7 +11,6 @@
- system.keystone.client.os_client_config.admin_identity
parameters:
_param:
- keystone_tokens_expiration: 3600
openstack_node_role: primary
keystone_service_protocol: ${_param:cluster_internal_protocol}
linux:
@@ -58,7 +57,8 @@
tokens:
engine: fernet
expiration: ${_param:keystone_tokens_expiration}
- max_active_keys: 3
+ max_active_keys: ${_param:keystone_tokens_max_active_keys}
+ allow_expired_window: ${_param:keystone_tokens_allow_expired_window}
location: /var/lib/keystone/fernet-keys
credential:
location: /var/lib/keystone/credential-keys
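Review bot: `max_active_keys` and `allow_expired_window` now come from `_param` values this file no longer sets itself (the local `keystone_tokens_expiration` override is dropped in the preceding hunk), so rendering depends on `defaults/openstack/init.yml` being in the class hierarchy; if it is not, the parameter should be undefined at render time rather than silently falling back to the old `max_active_keys: 3`, which is worth confirming on an existing model. Whether the keystone formula actually emits `allow_expired_window` under `[token]` is outside this diff and should be checked against the formula version in use. A short comment next to the three keys, `# Keep expiration/allow_expired_window/max_active_keys consistent with the fernet rotation cron; see defaults/openstack/init.yml`, would help the next person who edits one value in isolation. The `tokens` mapping continues outside the hunk.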
diff --git a/keystone/server/fernet_rotation/cluster.yml b/keystone/server/fernet_rotation/cluster.yml
index c34c4f8..cf7b328 100644
--- a/keystone/server/fernet_rotation/cluster.yml
+++ b/keystone/server/fernet_rotation/cluster.yml
@@ -36,7 +36,8 @@
command: '/var/lib/keystone/keystone_keys_rotate.sh -r -s -t fernet >> /var/log/keystone/keystone-rotate.log 2>> /var/log/keystone/keystone-rotate.log'
enabled: true
user: keystone
- minute: 0
+ minute: ${_param:keystone_fernet_rotate_rsync_minute}
+ hour: ${_param:keystone_fernet_rotate_rsync_hour}
keystone_credential_rotate_rsync:
command: '/var/lib/keystone/keystone_keys_rotate.sh -r -s -t credential >> /var/log/keystone/keystone-rotate.log 2>> /var/log/keystone/keystone-rotate.log'
enabled: true
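Review bot: The fernet rotation schedule is now tunable, but `hour` effectively selects between hourly (`'*'`) and once-a-day (any fixed hour) rotation, and the `keystone_tokens_max_active_keys` default is derived from the hourly case; nothing in this cron stanza points the operator at that dependency. I would add above `minute:`: `# Period of this cron feeds the max_active_keys formula in defaults/openstack/init.yml; change both together.` The `keystone_credential_rotate_rsync` entry begins in the hunk but its schedule lines fall outside it, so I cannot see whether it was deliberately left on the hard-coded `minute: 0`.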
diff --git a/keystone/server/fernet_rotation/single.yml b/keystone/server/fernet_rotation/single.yml
index 8a3d6fb..7514086 100644
--- a/keystone/server/fernet_rotation/single.yml
+++ b/keystone/server/fernet_rotation/single.yml
@@ -22,7 +22,8 @@
command: '/var/lib/keystone/keystone_keys_rotate.sh -r -t fernet >> /var/log/keystone/keystone-rotate.log 2>> /var/log/keystone/keystone-rotate.log'
enabled: true
user: keystone
- minute: 0
+ minute: ${_param:keystone_fernet_rotate_rsync_minute}
+ hour: ${_param:keystone_fernet_rotate_rsync_hour}
keystone_credential_rotate_rsync:
command: '/var/lib/keystone/keystone_keys_rotate.sh -r -t credential >> /var/log/keystone/keystone-rotate.log 2>> /var/log/keystone/keystone-rotate.log'
enabled: true
diff --git a/keystone/server/single.yml b/keystone/server/single.yml
index 6996968..9663488 100644
--- a/keystone/server/single.yml
+++ b/keystone/server/single.yml
@@ -13,7 +13,6 @@
mysql_admin_user: root
mysql_admin_password: password
mysql_keystone_password: password
- keystone_tokens_expiration: 3600
openstack_node_role: primary
keystone_service_protocol: ${_param:cluster_internal_protocol}
linux:
@@ -57,7 +56,8 @@
tokens:
engine: fernet
expiration: ${_param:keystone_tokens_expiration}
- max_active_keys: 3
+ max_active_keys: ${_param:keystone_tokens_max_active_keys}
+ allow_expired_window: ${_param:keystone_tokens_allow_expired_window}
location: /var/lib/keystone/fernet-keys
credential:
location: /var/lib/keystone/credential-keys