Merge "Add k8s alertmanager addon parameters"
diff --git a/aodh/server/cluster.yml b/aodh/server/cluster.yml
index db6b39b..6d756d1 100644
--- a/aodh/server/cluster.yml
+++ b/aodh/server/cluster.yml
@@ -4,6 +4,7 @@
- service.haproxy.proxy.single
- system.haproxy.proxy.listen.openstack.aodh
- system.keepalived.cluster.instance.openstack_telemetry_vip
+- system.salt.minion.cert.rabbitmq.clients.openstack.aodh
parameters:
_param:
openstack_event_alarm_topic: alarm.all
@@ -11,6 +12,8 @@
aodh_alarm_history_ttl: 2592000
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
linux:
system:
cron:
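Review bot: The two new defaults `openstack_rabbitmq_x509_enabled: False` and `rabbitmq_ssl_enabled: False` leave the RabbitMQ connection without TLS unless a cluster model overrides them, and nothing in the file says how the two flags relate. An operator who flips only the x509 flag gets client certificate paths rendered under `message_queue.x509` while `message_queue.ssl.enabled` stays false; whether the formula then negotiates TLS is not visible in this diff. I would add a comment above the pair, for example `# RabbitMQ TLS is off by default; enable both flags together (confirm against the formula how x509 and ssl interact)`. The same undocumented pair is added in aodh/server/single.yml and in the neutron compute, control, control/openvswitch and gateway classes. The `_param` block starts before this hunk.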
@@ -53,6 +56,7 @@
user: aodh
password: ${_param:keystone_aodh_password}
region: ${_param:openstack_region}
+ protocol: ${_param:cluster_internal_protocol}
message_queue:
engine: rabbitmq
port: 5672
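Review bot: The new `protocol: ${_param:cluster_internal_protocol}` has no default in the part of this file's `_param` block that the diff shows, whereas neutron/control/cluster.yml carries `cluster_internal_protocol: 'http'`. If no included class defines the parameter, the reference will presumably fail to resolve when the model is rendered. Either add a default beside the other `_param` entries or add a comment such as `# cluster_internal_protocol must be set by the cluster model`. The same applies to the `internal_protocol` references added in the aodh, ceilometer, gnocchi and panko single.yml classes and to the `cluster_internal_protocol` ones in their cluster.yml counterparts. If a default of `http` is chosen, the comment should say that the identity endpoint is then contacted without TLS; the `identity` mapping starts outside the hunk.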
@@ -63,6 +67,13 @@
- host: ${_param:openstack_message_queue_node01_address}
- host: ${_param:openstack_message_queue_node02_address}
- host: ${_param:openstack_message_queue_node03_address}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_aodh_ssl_ca_file}
+ key_file: ${_param:rabbitmq_aodh_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_aodh_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
# Check for expired alarm history every day at 2 AM
expirer:
cron:
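Review bot: `ssl.enabled` becomes switchable here while `port: 5672` in the same `message_queue` mapping (visible in the preceding hunk) stays hard-coded. 5672 is RabbitMQ's conventional plain AMQP listener and 5671 the conventional TLS one, so setting `rabbitmq_ssl_enabled` to true without also changing the port is likely to reach the wrong listener, unless the formula overrides the port itself. At minimum I would add a comment next to the `ssl` block, `# when rabbitmq_ssl_enabled is true, message_queue.port must point at the broker's TLS listener`, and preferably drive the port from a `_param` entry so both can be changed in one place.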
diff --git a/aodh/server/single.yml b/aodh/server/single.yml
index f20195f..b71198b 100644
--- a/aodh/server/single.yml
+++ b/aodh/server/single.yml
@@ -1,6 +1,7 @@
classes:
- service.aodh.server.single
- system.salt.minion.cert.mysql.clients.openstack.aodh
+- system.salt.minion.cert.rabbitmq.clients.openstack.aodh
parameters:
_param:
openstack_event_alarm_topic: alarm.all
@@ -8,6 +9,8 @@
aodh_alarm_history_ttl: 2592000
openstack_mysql_x509_enabled: False
galera_ssl_enabled: False
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
linux:
system:
cron:
@@ -24,12 +27,21 @@
cert_file: ${_param:mysql_aodh_client_ssl_cert_file}
ssl:
enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_aodh_ssl_ca_file}
+ key_file: ${_param:rabbitmq_aodh_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_aodh_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
ttl: ${_param:aodh_alarm_history_ttl}
role: ${_param:openstack_node_role}
region: ${_param:openstack_region}
event_alarm_topic: ${_param:openstack_event_alarm_topic}
identity:
region: ${_param:openstack_region}
+ protocol: ${_param:internal_protocol}
# Check for expired alarm history every day at 2 AM
expirer:
cron:
diff --git a/ceilometer/agent/cluster.yml b/ceilometer/agent/cluster.yml
index a598ee5..769ff68 100644
--- a/ceilometer/agent/cluster.yml
+++ b/ceilometer/agent/cluster.yml
@@ -15,6 +15,7 @@
user: ceilometer
password: ${_param:keystone_ceilometer_password}
region: ${_param:openstack_region}
+ protocol: ${_param:cluster_internal_protocol}
message_queue:
engine: rabbitmq
members:
diff --git a/ceilometer/agent/single.yml b/ceilometer/agent/single.yml
index ebb1d60..0b0bbc3 100644
--- a/ceilometer/agent/single.yml
+++ b/ceilometer/agent/single.yml
@@ -1,2 +1,7 @@
classes:
- service.ceilometer.agent.single
+parameters:
+ ceilometer:
+ agent:
+ identity:
+ protocol: ${_param:internal_protocol}
diff --git a/ceilometer/agent/telemetry/cluster.yml b/ceilometer/agent/telemetry/cluster.yml
index bc67493..b761fd0 100644
--- a/ceilometer/agent/telemetry/cluster.yml
+++ b/ceilometer/agent/telemetry/cluster.yml
@@ -15,6 +15,7 @@
user: ceilometer
password: ${_param:keystone_ceilometer_password}
region: ${_param:openstack_region}
+ protocol: ${_param:cluster_internal_protocol}
message_queue:
engine: rabbitmq
members:
diff --git a/ceilometer/agent/telemetry/single.yml b/ceilometer/agent/telemetry/single.yml
index 6b42537..93a4c27 100644
--- a/ceilometer/agent/telemetry/single.yml
+++ b/ceilometer/agent/telemetry/single.yml
@@ -1,2 +1,7 @@
classes:
- service.ceilometer.agent.single.common
+parameters:
+ ceilometer:
+ agent:
+ identity:
+ protocol: ${_param:internal_protocol}
diff --git a/ceilometer/server/cluster.yml b/ceilometer/server/cluster.yml
index ad804f8..4a24dda 100644
--- a/ceilometer/server/cluster.yml
+++ b/ceilometer/server/cluster.yml
@@ -30,6 +30,7 @@
user: ceilometer
password: ${_param:keystone_ceilometer_password}
region: ${_param:openstack_region}
+ protocol: ${_param:cluster_internal_protocol}
message_queue:
engine: rabbitmq
members:
diff --git a/ceilometer/server/single.yml b/ceilometer/server/single.yml
index ae642f1..5f56244 100644
--- a/ceilometer/server/single.yml
+++ b/ceilometer/server/single.yml
@@ -15,3 +15,5 @@
enabled: true
host: ${_param:stacklight_monitor_address}
port: 9200
+ identity:
+ protocol: ${_param:cluster_internal_protocol}
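Review bot: This single-node class reads `${_param:cluster_internal_protocol}`, while every other single.yml touched by this change (aodh, ceilometer agent, ceilometer server/telemetry, gnocchi, panko) reads `${_param:internal_protocol}`. Unless that is deliberate, a single-node model that defines only `internal_protocol` will not resolve this reference, or will pick up a value meant for the clustered layout. The line should probably read `protocol: ${_param:internal_protocol}`. The enclosing `ceilometer` mapping starts outside the hunk.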
diff --git a/ceilometer/server/telemetry/cluster.yml b/ceilometer/server/telemetry/cluster.yml
index fdf3e03..9a361eb 100644
--- a/ceilometer/server/telemetry/cluster.yml
+++ b/ceilometer/server/telemetry/cluster.yml
@@ -26,6 +26,7 @@
user: ceilometer
password: ${_param:keystone_ceilometer_password}
region: ${_param:openstack_region}
+ protocol: ${_param:cluster_internal_protocol}
message_queue:
engine: rabbitmq
members:
diff --git a/ceilometer/server/telemetry/single.yml b/ceilometer/server/telemetry/single.yml
index 2d8828c..8dfb277 100644
--- a/ceilometer/server/telemetry/single.yml
+++ b/ceilometer/server/telemetry/single.yml
@@ -4,3 +4,5 @@
ceilometer:
server:
role: ${_param:openstack_node_role}
+ identity:
+ protocol: ${_param:internal_protocol}
diff --git a/gnocchi/server/cluster.yml b/gnocchi/server/cluster.yml
index ede63c5..7de3ede 100644
--- a/gnocchi/server/cluster.yml
+++ b/gnocchi/server/cluster.yml
@@ -19,6 +19,7 @@
identity:
host: ${_param:openstack_control_address}
region: ${_param:openstack_region}
+ protocol: ${_param:cluster_internal_protocol}
cache:
engine: memcached
members:
diff --git a/gnocchi/server/single.yml b/gnocchi/server/single.yml
index 11ddf39..c4e1547 100644
--- a/gnocchi/server/single.yml
+++ b/gnocchi/server/single.yml
@@ -6,6 +6,7 @@
role: ${_param:openstack_node_role}
identity:
region: ${_param:openstack_region}
+ protocol: ${_param:internal_protocol}
metricd:
metric_processing_delay: 15
metric_reporting_delay: 30
diff --git a/haproxy/proxy/listen/opencontrail/control.yml b/haproxy/proxy/listen/opencontrail/control.yml
index 490d100..db407be 100644
--- a/haproxy/proxy/listen/opencontrail/control.yml
+++ b/haproxy/proxy/listen/opencontrail/control.yml
@@ -1,6 +1,8 @@
parameters:
_param:
opencontrail_stats_password: password
+ opencontrail_api_start_offset: 0
+ opencontrail_api_workers_count: 1
haproxy:
proxy:
listen:
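Review bot: `opencontrail_api_workers_count: 1` is defaulted here while opencontrail/control/cluster4_0.yml and control4_0.yml in the same change default the same parameter to `6`, so the effective value depends on which classes a node includes and in what order. If the haproxy node does not also include the control class, the proxy would publish a port range of length 1 while the API runs six workers, assuming `port_range_length` is meant to match the worker count. I would define the value once in a shared class, or add a comment on this default such as `# must equal the opencontrail_api_workers_count used by the opencontrail control class`.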
@@ -15,14 +17,20 @@
host: ${_param:cluster_node01_address}
port: 9100
params: check inter 2000 rise 2 fall 3
+ port_range_length: ${_param:opencontrail_api_workers_count}
+ port_range_start_offset: ${_param:opencontrail_api_start_offset}
- name: ntw02
host: ${_param:cluster_node02_address}
port: 9100
params: check inter 2000 rise 2 fall 3
+ port_range_length: ${_param:opencontrail_api_workers_count}
+ port_range_start_offset: ${_param:opencontrail_api_start_offset}
- name: ntw03
host: ${_param:cluster_node03_address}
port: 9100
params: check inter 2000 rise 2 fall 3
+ port_range_length: ${_param:opencontrail_api_workers_count}
+ port_range_start_offset: ${_param:opencontrail_api_start_offset}
contrail_discovery:
type: contrail-api
service_name: contrail
diff --git a/kubernetes/common/init.yml b/kubernetes/common/init.yml
index 52d9479..8e0793b 100644
--- a/kubernetes/common/init.yml
+++ b/kubernetes/common/init.yml
@@ -31,7 +31,7 @@
kubernetes_pause_image: ${_param:kubernetes_hyperkube_repo}/pause-amd64:v1.11.2-1
kubernetes_contrail_cni_image: ${_param:kubernetes_contrail_cni_repo}/contrail-cni:v1.2.0
kubernetes_contrail_network_controller_image: ${_param:kubernetes_contrail_network_controller_repo}/contrail-network-controller:v1.2.0
- kubernetes_virtlet_image: ${_param:kubernetes_virtlet_repo}/virtlet:v1.1.2
+ kubernetes_virtlet_image: ${_param:kubernetes_virtlet_repo}/virtlet:v1.3.0
kubernetes_criproxy_version: v0.11.1
kubernetes_criproxy_checksum: md5=a3f1f08bdc7a8d6eb73b7c8fa5bae200
kubernetes_netchecker_agent_image: ${_param:kubernetes_netchecker_agent_repo}/k8s-netchecker-agent:v1.2.2
@@ -63,6 +63,7 @@
kubernetes_coredns_enabled: true
kubernetes_externaldns_provider: coredns
kubernetes_virtlet_enabled: false
+ kubernetes_virtlet_use_apparmor: false
kubernetes_flannel_enabled: false
kubernetes_genie_enabled: false
kubernetes_calico_enabled: false
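Review bot: `kubernetes_virtlet_use_apparmor: false` is added without a comment, and going by its name it gates AppArmor confinement for virtlet, so the default ships the less restrictive setting. A one-line comment would let operators decide, for example `# set to true on hosts with AppArmor enabled so virtlet runs under its profile (confirm against the formula)`. If the formula supports it on all target hosts, defaulting to `true` would be the safer choice. The `_param` block starts and ends outside the hunk.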
@@ -256,6 +257,7 @@
image: ${_param:kubernetes_virtlet_image}
criproxy_version: ${_param:kubernetes_criproxy_version}
criproxy_source: ${_param:kubernetes_criproxy_checksum}
+ use_apparmor: ${_param:kubernetes_virtlet_use_apparmor}
metallb:
enabled: ${_param:kubernetes_metallb_enabled}
controller_image: ${_param:kubernetes_metallb_controller_image}
diff --git a/kubernetes/control/opencontrail.yml b/kubernetes/control/opencontrail.yml
index e5556fa..2a46d00 100644
--- a/kubernetes/control/opencontrail.yml
+++ b/kubernetes/control/opencontrail.yml
@@ -20,6 +20,10 @@
public_ip_range: ${_param:opencontrail_public_ip_range}
public_network: ${_param:opencontrail_public_ip_network}
private_ip_range: ${_param:opencontrail_private_ip_range}
+ cluster_network:
+ project: 'default'
+ domain: 'default-domain'
+ name: 'cluster-network'
config:
api:
host: ${_param:opencontrail_control_address}
diff --git a/linux/system/repo/keystorage/mirantis_com/init.yml b/linux/system/repo/keystorage/mirantis_com/init.yml
new file mode 100644
index 0000000..b6c9a86
--- /dev/null
+++ b/linux/system/repo/keystorage/mirantis_com/init.yml
@@ -0,0 +1,2 @@
+classes:
+- system.linux.system.repo.keystorage.mirantis_com.openstack
diff --git a/linux/system/repo/keystorage/mirantis_com/openstack.yml b/linux/system/repo/keystorage/mirantis_com/openstack.yml
new file mode 100644
index 0000000..12d5e73
--- /dev/null
+++ b/linux/system/repo/keystorage/mirantis_com/openstack.yml
@@ -0,0 +1,26 @@
+parameters:
+ linux:
+ system:
+ repo:
+ mirantis_openstack:
+ # pub 2048R/4C5289EF 2018-07-25
+ key: |
+ -----BEGIN PGP PUBLIC KEY BLOCK-----
+ Version: GnuPG v1
+
+ mQENBFtYVY8BCAC3oli93husG0ZVtv/L8I4/bcW60LFCyB0DuwEznGlSaj1fjOQu
+ C7QX9wvGRq8mRZ8mfZ6sbxGmgs0LnV5QIBle1l5I3B+AMGksf6UGEWgoN/vq86g+
+ 0Jg6kJP/D0sjGXvdlfy+bgAqjsx2bWOLjQGtHSIxhe4cE9HPBfMiYsFwGQua3XN3
+ tiGKcifszvDA6uqdjS6DuTEPCzyKiSyUevnWtBh0oUtUt//X4lG2Mx0lU91uUQGj
+ KeZ+fYXOLqgZm/FxLVT5w3g/UGK9Cbz5h4kGCJOfk0EwIZp0IRRs1phOC6gVMwoV
+ yWKCtdHmg7Ob8I4AZ8OW5HJn1UPHTprxcHBnABEBAAG0LEF1dG9idWlsZGVyIDxp
+ bmZyYSthdXRpYnVpbGRlckBtaXJhbnRpcy5jb20+iQE4BBMBAgAiBQJbWFWPAhsD
+ BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCRZVp5TFKJ70cJB/9ArWrSFyEx
+ qs7Tyo9M5WCPjqw7y2F7jd4Et3hqwc5jx6KlxGpg17SHt4oWcmtML3VBx+ziBAi0
+ 5Ry4Z4w0QqFW6gAqQepeW76Yq/OP5SoqEI9sUwzLfUY7raK/P1buvXB1eZh4mMw4
+ TFf4Hgo8yUQ3geYNnUBBfaSfkmiyBJGsMXBfW2zhlpVIyB6Cye5R823FxGNJe+li
+ hggNCQnKYqrGtr55RO6xYI1v89cgGrO2EVwPkFLA/MUnQEb433Ck+sjp1NZDUfuJ
+ U3gg8S0hT+Cf5XiknT/xqIhhTY/KzlNmynZt/51DzZzsbM+RO6JZFYJL2LuC69gB
+ +R5jrmaGu9fG
+ =sqIn
+ -----END PGP PUBLIC KEY BLOCK-----
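Review bot: The comment `# pub 2048R/4C5289EF 2018-07-25` identifies the embedded signing key only by its 32-bit short ID, which can be collided and so does not let a reviewer confirm that the block below is the intended key. This block becomes the APT trust anchor for the `mirantis_openstack` repo, since the `key_url` fetch is dropped in linux/system/repo/mcp/mirror/v1/openstack.yml in the same change. I would record the full fingerprint instead, e.g. `# fingerprint: <FULL_40_HEX_FINGERPRINT> (created 2018-07-25)`, with the value verified out of band against the publisher. A short note on how the key is rotated would also help, because an embedded key no longer follows changes on the mirror.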
diff --git a/linux/system/repo/mcp/apt_mirantis/hotfix/init.yml b/linux/system/repo/mcp/apt_mirantis/hotfix/init.yml
new file mode 100644
index 0000000..e9e45e6
--- /dev/null
+++ b/linux/system/repo/mcp/apt_mirantis/hotfix/init.yml
@@ -0,0 +1,2 @@
+classes:
+- system.linux.system.repo.mcp.apt_mirantis.hotfix.ubuntu
diff --git a/linux/system/repo/mcp/apt_mirantis/hotfix/ubuntu.yml b/linux/system/repo/mcp/apt_mirantis/hotfix/ubuntu.yml
new file mode 100644
index 0000000..a6dabf6
--- /dev/null
+++ b/linux/system/repo/mcp/apt_mirantis/hotfix/ubuntu.yml
@@ -0,0 +1,22 @@
+parameters:
+ _param:
+ linux_system_repo_hotfix_url: http://mirror.mirantis.com/hotfix/${_param:apt_mk_version}/
+ linux_system_repo_hotfix_ubuntu_url: ${_param:linux_system_repo_hotfix_url}/ubuntu/
+ linux:
+ system:
+ repo:
+ ubuntu_hotfix:
+ refresh_db: ${_param:linux_repo_refresh_db}
+ source: "deb [arch=amd64] ${_param:linux_system_repo_hotfix_ubuntu_url} ${_param:linux_system_codename} main restricted universe"
+ architectures: amd64
+ default: true
+ ubuntu_updates_hotfix:
+ refresh_db: ${_param:linux_repo_refresh_db}
+ source: "deb [arch=amd64] ${_param:linux_system_repo_hotfix_ubuntu_url} ${_param:linux_system_codename}-updates main restricted universe"
+ architectures: amd64
+ default: true
+ ubuntu_security_hotfix:
+ refresh_db: ${_param:linux_repo_refresh_db}
+ source: "deb [arch=amd64] ${_param:linux_system_repo_hotfix_ubuntu_url} ${_param:linux_system_codename}-security main restricted universe"
+ architectures: amd64
+ default: true
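Review bot: `linux_system_repo_hotfix_url` ends in `/` and `linux_system_repo_hotfix_ubuntu_url` appends `/ubuntu/` to it, so the rendered source contains a doubled slash (`.../hotfix/<version>//ubuntu/`); dropping the trailing slash from the base, `http://mirror.mirantis.com/hotfix/${_param:apt_mk_version}`, avoids it. The same concatenation appears in linux/system/repo/mcp/mirror/v1/openstack.yml, where `linux_system_repo_url` ends in `/` and is followed by `/openstack-...`. Separately, the base URL is `http://` and none of the three repo stanzas names a `key` or `key_url`, so package integrity rests on APT signature checking with a key installed by some other class. A comment naming that class, or an `https://` base if the mirror serves it, would make the trust path explicit.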
diff --git a/linux/system/repo/mcp/mirror/v1/openstack.yml b/linux/system/repo/mcp/mirror/v1/openstack.yml
index a4a369b..37482da 100644
--- a/linux/system/repo/mcp/mirror/v1/openstack.yml
+++ b/linux/system/repo/mcp/mirror/v1/openstack.yml
@@ -1,15 +1,17 @@
+classes:
+- system.linux.system.repo.keystorage.mirantis_com
parameters:
_param:
- apt_mk_version: stable
linux_system_architecture: 'amd64'
+ linux_system_repo_url: http://mirror.mirantis.com/${_param:apt_mk_version}/
+ linux_system_repo_mirantis_openstack_url: ${_param:linux_system_repo_url}/openstack-${_param:openstack_version}/
linux:
system:
repo:
mirantis_openstack:
- source: "deb http://mirror.mirantis.com/${_param:apt_mk_version}/openstack-${_param:openstack_version}/${_param:linux_system_codename} ${_param:linux_system_codename} main"
+ source: "deb ${_param:linux_system_repo_mirantis_openstack_url}/${_param:linux_system_codename} ${_param:linux_system_codename} main"
architectures: ${_param:linux_system_architecture}
clean_file: true
- key_url: https://mirror.mirantis.com/${_param:apt_mk_version}/openstack-${_param:openstack_version}/${_param:linux_system_codename}/archive-${_param:openstack_version}.key
pin:
- pin: 'release o=Mirantis'
priority: 1100
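Review bot: The `apt_mk_version: stable` default is removed from `_param` while the new `linux_system_repo_url` still interpolates `${_param:apt_mk_version}`, so every model that includes this class must now define it elsewhere or the reference will not resolve. If that is intended, say so in a comment such as `# apt_mk_version must be set by the cluster model`; otherwise keep the default. The repo key now comes from the `mirantis_openstack` entry in the keystorage class instead of a `key_url`, which couples the two files through the repo name. A comment on the new `classes:` entry, e.g. `# supplies the signing key for the mirantis_openstack repo below`, would stop a rename from silently dropping the key.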
diff --git a/neutron/compute/cluster.yml b/neutron/compute/cluster.yml
index e348a93..4263295 100644
--- a/neutron/compute/cluster.yml
+++ b/neutron/compute/cluster.yml
@@ -1,11 +1,14 @@
classes:
- service.neutron.compute.single
+- system.salt.minion.cert.rabbitmq.clients.openstack.neutron
parameters:
_param:
neutron_enable_qos: False
neutron_enable_vlan_aware_vms: False
neutron_enable_bgp_vpn: False
neutron_bgp_vpn_driver: bagpipe
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
linux:
system:
package:
@@ -29,3 +32,10 @@
- host: ${_param:openstack_message_queue_node01_address}
- host: ${_param:openstack_message_queue_node02_address}
- host: ${_param:openstack_message_queue_node03_address}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_neutron_ssl_ca_file}
+ key_file: ${_param:rabbitmq_neutron_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_neutron_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
diff --git a/neutron/control/cluster.yml b/neutron/control/cluster.yml
index 797c378..3814a03 100644
--- a/neutron/control/cluster.yml
+++ b/neutron/control/cluster.yml
@@ -5,11 +5,14 @@
- system.haproxy.proxy.listen.openstack.neutron
- system.galera.server.database.neutron
- system.salt.minion.cert.mysql.clients.openstack.neutron
+- system.salt.minion.cert.rabbitmq.clients.openstack.neutron
parameters:
_param:
cluster_internal_protocol: 'http'
openstack_mysql_x509_enabled: False
+ openstack_rabbitmq_x509_enabled: False
galera_ssl_enabled: False
+ rabbitmq_ssl_enabled: False
linux:
system:
package:
@@ -31,6 +34,14 @@
cert_file: ${_param:mysql_neutron_client_ssl_cert_file}
ssl:
enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_neutron_ssl_ca_file}
+ key_file: ${_param:rabbitmq_neutron_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_neutron_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
role: ${_param:openstack_node_role}
identity:
protocol: ${_param:cluster_internal_protocol}
diff --git a/neutron/control/openvswitch/cluster.yml b/neutron/control/openvswitch/cluster.yml
index 094449e..2f1982f 100644
--- a/neutron/control/openvswitch/cluster.yml
+++ b/neutron/control/openvswitch/cluster.yml
@@ -1,5 +1,6 @@
classes:
- system.neutron.control.cluster
+- system.salt.minion.cert.rabbitmq.clients.openstack.neutron
parameters:
_param:
neutron_control_dvr: True
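Review bot: The added include of `system.salt.minion.cert.rabbitmq.clients.openstack.neutron` duplicates what `system.neutron.control.cluster`, already listed two lines above, gains in this same change, and the later hunks of this file repeat that class's `False` defaults and `x509`/`ssl` block as well. The duplicated defaults are the risky part: if one copy is later changed and the other is not, the effective RabbitMQ TLS setting depends on merge order. I would drop the duplicates here, or mark them with `# also set in system.neutron.control.cluster; keep in sync`.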
@@ -12,6 +13,8 @@
neutron_enable_bgp_vpn: False
neutron_bgp_vpn_driver: bagpipe
cluster_internal_protocol: 'http'
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
neutron:
server:
role: ${_param:openstack_node_role}
@@ -37,3 +40,15 @@
identity:
region: ${_param:openstack_region}
protocol: ${_param:cluster_internal_protocol}
+ message_queue:
+ members:
+ - host: ${_param:openstack_message_queue_node01_address}
+ - host: ${_param:openstack_message_queue_node02_address}
+ - host: ${_param:openstack_message_queue_node03_address}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_neutron_ssl_ca_file}
+ key_file: ${_param:rabbitmq_neutron_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_neutron_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
diff --git a/neutron/control/openvswitch/single.yml b/neutron/control/openvswitch/single.yml
index 450ab07..6c266c3 100644
--- a/neutron/control/openvswitch/single.yml
+++ b/neutron/control/openvswitch/single.yml
@@ -1,6 +1,7 @@
classes:
- system.neutron.control.single
- system.galera.server.database.neutron
+- system.salt.minion.cert.rabbitmq.clients.openstack.neutron
parameters:
_param:
neutron_control_dvr: True
@@ -14,6 +15,8 @@
neutron_bgp_vpn_driver: bagpipe
internal_protocol: 'http'
openstack_node_role: primary
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
neutron:
server:
role: ${_param:openstack_node_role}
@@ -42,3 +45,10 @@
message_queue:
members:
- host: ${_param:single_address}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_neutron_ssl_ca_file}
+ key_file: ${_param:rabbitmq_neutron_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_neutron_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
diff --git a/neutron/control/single.yml b/neutron/control/single.yml
index 4988576..b261fe8 100644
--- a/neutron/control/single.yml
+++ b/neutron/control/single.yml
@@ -2,11 +2,14 @@
- service.neutron.control.single
- system.galera.server.database.neutron
- system.salt.minion.cert.mysql.clients.openstack.neutron
+- system.salt.minion.cert.rabbitmq.clients.openstack.neutron
parameters:
_param:
internal_protocol: 'http'
openstack_mysql_x509_enabled: False
+ openstack_rabbitmq_x509_enabled: False
galera_ssl_enabled: False
+ rabbitmq_ssl_enabled: False
linux:
system:
package:
@@ -24,5 +27,13 @@
cert_file: ${_param:mysql_neutron_client_ssl_cert_file}
ssl:
enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_neutron_ssl_ca_file}
+ key_file: ${_param:rabbitmq_neutron_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_neutron_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
identity:
protocol: ${_param:internal_protocol}
diff --git a/neutron/gateway/cluster.yml b/neutron/gateway/cluster.yml
index 558a814..60fc4e5 100644
--- a/neutron/gateway/cluster.yml
+++ b/neutron/gateway/cluster.yml
@@ -1,9 +1,12 @@
classes:
- service.neutron.gateway.single
+- system.salt.minion.cert.rabbitmq.clients.openstack.neutron
parameters:
_param:
neutron_enable_qos: False
neutron_enable_vlan_aware_vms: False
+ openstack_rabbitmq_x509_enabled: False
+ rabbitmq_ssl_enabled: False
linux:
system:
kernel:
@@ -22,3 +25,10 @@
- host: ${_param:openstack_message_queue_node01_address}
- host: ${_param:openstack_message_queue_node02_address}
- host: ${_param:openstack_message_queue_node03_address}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
+ ca_file: ${_param:rabbitmq_neutron_ssl_ca_file}
+ key_file: ${_param:rabbitmq_neutron_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_neutron_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
diff --git a/opencontrail/control/cluster4_0.yml b/opencontrail/control/cluster4_0.yml
index 4f1127f..c97196f 100644
--- a/opencontrail/control/cluster4_0.yml
+++ b/opencontrail/control/cluster4_0.yml
@@ -22,6 +22,7 @@
opencontrail_controller_container_name: opencontrail_controller_1
opencontrail_analytics_container_name: opencontrail_analytics_1
opencontrail_analyticsdb_container_name: opencontrail_analyticsdb_1
+ opencontrail_api_workers_count: 6
analytics_vip_address: ${_param:opencontrail_analytics_address}
# Temprorary fix for MOS9 packages to pin old version of kafka
linux:
@@ -81,6 +82,7 @@
host: None
api:
host: ${_param:opencontrail_control_address}
+ workers_count: ${_param:opencontrail_api_workers_count}
analytics:
members:
- host: ${_param:cluster_node01_address}
diff --git a/opencontrail/control/control4_0.yml b/opencontrail/control/control4_0.yml
index 207e9da..123392c 100644
--- a/opencontrail/control/control4_0.yml
+++ b/opencontrail/control/control4_0.yml
@@ -14,6 +14,7 @@
opencontrail_message_queue_node03_address: ${_param:openstack_message_queue_node03_address}
opencontrail_controller_image: ${_param:mcp_docker_registry}/opencontrail-${_param:linux_repo_contrail_component}/opencontrail-controller:${_param:opencontrail_image_tag}
opencontrail_controller_container_name: opencontrail_controller_1
+ opencontrail_api_workers_count: 6
analytics_vip_address: ${_param:opencontrail_analytics_address}
opencontrail:
common:
@@ -32,6 +33,7 @@
host: None
api:
host: ${_param:opencontrail_control_address}
+ workers_count: ${_param:opencontrail_api_workers_count}
analytics:
members:
- host: ${_param:opencontrail_analytics_node01_address}
diff --git a/panko/server/cluster.yml b/panko/server/cluster.yml
index 9715456..7954944 100644
--- a/panko/server/cluster.yml
+++ b/panko/server/cluster.yml
@@ -26,6 +26,7 @@
event_time_to_live: ${_param:panko_event_time_to_live}
identity:
host: ${_param:openstack_control_address}
+ protocol: ${_param:cluster_internal_protocol}
database:
host: ${_param:openstack_database_address}
x509:
diff --git a/panko/server/single.yml b/panko/server/single.yml
index cb1a449..968267c 100644
--- a/panko/server/single.yml
+++ b/panko/server/single.yml
@@ -16,6 +16,8 @@
enabled: true
panko:
server:
+ identity:
+ protocol: ${_param:internal_protocol}
database:
x509:
enabled: ${_param:openstack_mysql_x509_enabled}
diff --git a/salt/minion/cert/rabbitmq/clients/openstack/aodh.yml b/salt/minion/cert/rabbitmq/clients/openstack/aodh.yml
new file mode 100644
index 0000000..537a3a4
--- /dev/null
+++ b/salt/minion/cert/rabbitmq/clients/openstack/aodh.yml
@@ -0,0 +1,27 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ rabbitmq_aodh_client_ssl_key_file: /etc/aodh/ssl/rabbitmq/client-key.pem
+ rabbitmq_aodh_client_ssl_cert_file: /etc/aodh/ssl/rabbitmq/client-cert.pem
+ rabbitmq_aodh_ssl_ca_file: /etc/aodh/ssl/rabbitmq/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ rabbitmq-aodh-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: rabbitmq-aodh-client
+ signing_policy: cert_client
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:rabbitmq_aodh_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_aodh_client_ssl_cert_file}
+ ca_file: ${_param:rabbitmq_aodh_ssl_ca_file}
+ user: aodh
+ group: aodh
+ mode: 640
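Review bot: `alternative_names` lists `${_param:cluster_local_address}` twice, once as `IP:` and once as `DNS:`; if the parameter holds an IP address, as its name and the `IP:` entry suggest, the `DNS:` entry puts an address into a dNSName SAN, which is malformed. The neutron client certificate added alongside lists only the two host-name `DNS:` entries, so the two client certificates also differ for no stated reason. I would drop the line `DNS:${_param:cluster_local_address},` or add a comment explaining why the aodh certificate needs it.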
diff --git a/salt/minion/cert/rabbitmq/clients/openstack/neutron.yml b/salt/minion/cert/rabbitmq/clients/openstack/neutron.yml
new file mode 100644
index 0000000..2f8f5c3
--- /dev/null
+++ b/salt/minion/cert/rabbitmq/clients/openstack/neutron.yml
@@ -0,0 +1,25 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ rabbitmq_neutron_client_ssl_key_file: /etc/neutron/ssl/rabbitmq/client-key.pem
+ rabbitmq_neutron_client_ssl_cert_file: /etc/neutron/ssl/rabbitmq/client-cert.pem
+ rabbitmq_neutron_ssl_ca_file: /etc/neutron/ssl/rabbitmq/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ rabbitmq-neutron-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: rabbitmq-neutron-client
+ signing_policy: cert_client
+ alternative_names: >
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:rabbitmq_neutron_client_ssl_key_file}
+ cert_file: ${_param:rabbitmq_neutron_client_ssl_cert_file}
+ ca_file: ${_param:rabbitmq_neutron_ssl_ca_file}
+ user: neutron
+ group: neutron
+ mode: 640
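Review bot: `mode: 640` is an unquoted scalar, so YAML hands the formula the integer 640 rather than a mode string, and the stanza carries a single mode for the private key, the certificate and the CA file. Quoting it as `mode: '0640'`, if the formula accepts a string, removes any dependence on how the number is formatted downstream; the same line appears in salt/minion/cert/rabbitmq/clients/openstack/aodh.yml. Because the private key is group-readable with this mode, a comment such as `# group read is needed by the neutron service user only` would record why it is not tighter.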