Merge "Update Calico to v3.1.3"
diff --git a/cinder/control/cluster.yml b/cinder/control/cluster.yml
index b5d6862..5bc5c75 100644
--- a/cinder/control/cluster.yml
+++ b/cinder/control/cluster.yml
@@ -3,9 +3,12 @@
- service.haproxy.proxy.single
- service.keepalived.cluster.single
- system.haproxy.proxy.listen.openstack.cinder
+- system.salt.minion.cert.mysql.clients.openstack.cinder
parameters:
_param:
cluster_internal_protocol: 'http'
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
linux:
system:
package:
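Review bot: Both new toggles, `openstack_mysql_x509_enabled: False` and `galera_ssl_enabled: False`, default to plaintext, so including `system.salt.minion.cert.mysql.clients.openstack.cinder` on line 10 mints a client key/cert on every cinder control node that is never used until an operator flips the flags. Consider a comment above the two params such as `# Defaults keep the Galera connection unencrypted; set both to True and include galera.server.database.x509.cinder (or .ssl.cinder) on the DB side for the matching REQUIRE policy`, so the link between the client flags and the server-side grant options added elsewhere in this commit is visible here. yamllint's truthy rule would also prefer `false` over `False`, though reclass accepts either.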
@@ -35,6 +38,13 @@
name: cinder
user: cinder
password: ${_param:mysql_cinder_password}
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_cinder_ssl_ca_file}
+ key_file: ${_param:mysql_cinder_client_ssl_key_file}
+ cert_file: ${_param:mysql_cinder_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
identity:
engine: keystone
region: ${_param:openstack_region}
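Review bot: The new `ssl:` mapping carries only `enabled: ${_param:galera_ssl_enabled}`, whereas the `x509:` mapping next to it also carries `ca_file`; if the cinder formula renders `ssl.enabled` as a bare SSL-on option without a CA, the client encrypts but does not verify the Galera server's identity, leaving the DB VIP open to an active man-in-the-middle. I cannot see the formula template from this diff, so please confirm whether the `ssl` section should also reference `${_param:mysql_cinder_ssl_ca_file}` (and a verify mode), or whether `x509` is the only verifying path and that should be stated in a comment. The `database:` mapping this hunk edits begins before line 19.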
diff --git a/cinder/control/single.yml b/cinder/control/single.yml
index 89c5307..f38cfb4 100644
--- a/cinder/control/single.yml
+++ b/cinder/control/single.yml
@@ -1,8 +1,11 @@
classes:
- service.cinder.control.single
+- system.salt.minion.cert.mysql.clients.openstack.cinder
parameters:
_param:
internal_protocol: 'http'
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
linux:
system:
package:
@@ -18,6 +21,13 @@
role: ${_param:openstack_node_role}
database:
host: ${_param:single_address}
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_cinder_ssl_ca_file}
+ key_file: ${_param:mysql_cinder_client_ssl_key_file}
+ cert_file: ${_param:mysql_cinder_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
identity:
protocol: ${_param:internal_protocol}
region: ${_param:openstack_region}
diff --git a/cinder/volume/local.yml b/cinder/volume/local.yml
index d03d6f7..51c3ba8 100644
--- a/cinder/volume/local.yml
+++ b/cinder/volume/local.yml
@@ -1,11 +1,22 @@
classes:
- service.cinder.volume.local
+- system.salt.minion.cert.mysql.clients.openstack.cinder
parameters:
+ _param:
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
cinder:
volume:
enabled: True
database:
host: ${_param:single_address}
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_cinder_ssl_ca_file}
+ key_file: ${_param:mysql_cinder_client_ssl_key_file}
+ cert_file: ${_param:mysql_cinder_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
glance:
host: ${_param:single_address}
message_queue:
diff --git a/cinder/volume/single.yml b/cinder/volume/single.yml
index f66a190..f6d4503 100644
--- a/cinder/volume/single.yml
+++ b/cinder/volume/single.yml
@@ -1,8 +1,11 @@
classes:
- service.cinder.volume.single
+- system.salt.minion.cert.mysql.clients.openstack.cinder
parameters:
_param:
cluster_internal_protocol: 'http'
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
linux:
system:
package:
@@ -14,6 +17,13 @@
enabled: True
database:
host: ${_param:openstack_database_address}
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_cinder_ssl_ca_file}
+ key_file: ${_param:mysql_cinder_client_ssl_key_file}
+ cert_file: ${_param:mysql_cinder_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
glance:
host: ${_param:openstack_control_address}
protocol: ${_param:cluster_internal_protocol}
diff --git a/docker/swarm/stack/monitoring/elasticsearch_client_node.yml b/docker/swarm/stack/monitoring/elasticsearch_client_node.yml
new file mode 100644
index 0000000..2e509f1
--- /dev/null
+++ b/docker/swarm/stack/monitoring/elasticsearch_client_node.yml
@@ -0,0 +1,46 @@
+parameters:
+ _param:
+ mcp_docker_registry: 'docker-prod-local.artifactory.mirantis.com'
+ docker_image_elasticsearch: ${_param:mcp_docker_registry}/mirantis/external/elasticsearch:nightly
+ elasticsearch_client_node_publish_host: ${_param:cluster_public_host}
+ elasticsearch_cluster_name: elasticsearch
+ docker:
+ client:
+ stack:
+ monitoring:
+ network:
+ monitoring:
+ driver: overlay
+ driver_opts:
+ encrypted: 1
+ service:
+ elasticsearch_client_node:
+ networks:
+ - monitoring
+ deploy:
+ replicas: 1
+ labels:
+ com.mirantis.monitoring: "elasticsearch"
+ restart_policy:
+ condition: any
+ environment:
+ ES_JAVA_OPTS: "-Xms512m -Xmx512m"
+ cluster.name: ${_param:elasticsearch_cluster_name}
+ node.master: "false"
+ node.data: "false"
+ node.ingest: "false"
+ node.attr.client_node: "true"
+ search.remote.connect: "false"
+ network.host: 0.0.0.0
+ network.publish_host: ${_param:elasticsearch_client_node_publish_host}
+ xpack.security.enabled: "false"
+ xpack.monitoring.enabled: "false"
+ bootstrap.memory_lock: "false"
+ discovery.zen.minimum_master_nodes: 2
+ discovery.zen.ping.unicast.hosts: ${_param:stacklight_monitor_address}
+ labels:
+ com.mirantis.monitoring: "elasticsearch"
+ image: ${_param:docker_image_elasticsearch}
+ ports:
+ - 9305:9300
+ - 9205:9200
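Review bot: `xpack.security.enabled: "false"` together with `network.host: 0.0.0.0` and the host-published ports `9305:9300` / `9205:9200` means both the REST API and the unauthenticated transport protocol are reachable from anything that can reach the Swarm node, and this same commit fronts those two ports with a public nginx site in `nginx/server/proxy/stacklight/elasticsearch.yml`. Unless a network policy or the proxy enforces authentication, anyone reaching that host can read or delete the log indices. Either bind the published ports to an internal address (e.g. `- ${_param:stacklight_monitor_address}:9205:9200`, if the formula accepts the long form) or document why the exposure is acceptable. Separately, `docker_image_elasticsearch` points at the floating `:nightly` tag, which makes the deployed version non-reproducible and is a supply-chain risk; pin a release tag or digest.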
diff --git a/galera/server/database/ssl/cinder.yml b/galera/server/database/ssl/cinder.yml
new file mode 100644
index 0000000..24554a7
--- /dev/null
+++ b/galera/server/database/ssl/cinder.yml
@@ -0,0 +1,4 @@
+parameters:
+ _param:
+ mysql_cinder_ssl_option:
+ - SSL: True
\ No newline at end of file
diff --git a/galera/server/database/x509/cinder.yml b/galera/server/database/x509/cinder.yml
new file mode 100644
index 0000000..38fd75a
--- /dev/null
+++ b/galera/server/database/x509/cinder.yml
@@ -0,0 +1,7 @@
+parameters:
+ _param:
+ mysql_cinder_clietn_ssl_x509_subject: '/C=cz/CN=mysql-cinder-client/L=Prague/O=Mirantis'
+ mysql_cinder_clietn_ssl_x509_issuer: '/C=cz/CN=Salt Master CA/L=Prague/O=Mirantis'
+ mysql_cinder_ssl_option:
+ - SUBJECT: ${_param:mysql_cinder_clietn_ssl_x509_subject}
+ - ISSUER: ${_param:mysql_cinder_clietn_ssl_x509_issuer}
\ No newline at end of file
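Review bot: The two new parameter names are misspelled as `mysql_cinder_clietn_ssl_x509_subject` / `mysql_cinder_clietn_ssl_x509_issuer`; the file is internally consistent so it renders, but an operator who overrides the naturally spelled `mysql_cinder_client_ssl_x509_subject` will silently leave the REQUIRE SUBJECT/ISSUER policy at this default, which matters because those DN strings are the only thing the Galera side checks about the client certificate. Rename them to `mysql_cinder_client_ssl_x509_subject` and `mysql_cinder_client_ssl_x509_issuer` (three lines). The subject CN must also stay in sync with `common_name: mysql-cinder-client` in the client cert class, and the issuer DN with the `salt_master_ca` authority's subject, which is not visible in this diff. The file also lacks a trailing newline.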
diff --git a/jenkins/client/approved_scripts.yml b/jenkins/client/approved_scripts.yml
index 0dc20b0..498cc62 100644
--- a/jenkins/client/approved_scripts.yml
+++ b/jenkins/client/approved_scripts.yml
@@ -133,6 +133,7 @@
- staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods plus java.util.List java.util.Collection
- staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods println java.lang.Object java.lang.Object
- staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods putAt java.lang.Object java.lang.String java.lang.Object
+ - staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods readLines java.lang.String
- staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods sort java.util.Collection
- staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods split java.lang.String
- staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods takeRight java.util.List int
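Review bot: The newly approved `DefaultGroovyMethods readLines java.lang.String` is the in-memory overload (splits a String into lines), so it does not widen filesystem access from the pipeline sandbox; please keep it that way and do not approve the `java.io.File`/`Reader` overloads of `readLines`, which would let sandboxed pipelines read arbitrary files on the Jenkins master. A short comment above the entry naming the pipeline that needs it, e.g. `# used by the cloud_update pipeline to parse salt output`, would help the next person auditing this allow-list, if that is indeed the consumer.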
diff --git a/jenkins/client/job/deploy/update/cloud_update.yml b/jenkins/client/job/deploy/update/cloud_update.yml
index d4a05ec..4482324 100644
--- a/jenkins/client/job/deploy/update/cloud_update.yml
+++ b/jenkins/client/job/deploy/update/cloud_update.yml
@@ -165,3 +165,7 @@
type: boolean
default: 'false'
description: "Run cloud validation pipelines before and after update"
+ MINIONS_TEST_TIMEOUT:
+ type: string
+ default: 10
+ description: "Time in seconds for a Salt result to receive a response when calling a minionsReachable method."
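Review bot: `default: 10` is an unquoted integer although the parameter is declared `type: string`, unlike the `default: 'false'` used for the boolean parameter just above it; quote it as `default: '10'` so the YAML type matches the declared type and JJB never emits it as a number. The description also reads awkwardly; something like `description: "Seconds to wait for Salt minions to respond in minionsReachable checks"` says the same thing more plainly.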
diff --git a/jenkins/client/job/gating.yml b/jenkins/client/job/gating.yml
index 1ed093e..513df82 100644
--- a/jenkins/client/job/gating.yml
+++ b/jenkins/client/job/gating.yml
@@ -44,6 +44,8 @@
compare_type: REG_EXP
branches:
- master
+ - compare_type: ANT
+ name: release/*
skip_vote:
- successful
- failed
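Review bot: The added `release/*` branch entry uses `compare_type: ANT`, and in ANT-style matching a single `*` does not cross `/`, so `release/2018.8.0` matches but a nested branch such as `release/foo/bar` would not; use `name: release/**` if nested release branches are intended. Mixing the plain `- master` item, which appears to inherit the `REG_EXP` compare type from line 226, with a mapping item is accepted by the Gerrit trigger but reads as if `master` were also ANT-matched; a one-line comment such as `# master keeps the REG_EXP compare type set above` would avoid that confusion. The same pattern is repeated in the other job files in this commit.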
diff --git a/jenkins/client/job/oscore/cookiecutter.yml b/jenkins/client/job/oscore/cookiecutter.yml
index bc180b4..5ffe289 100644
--- a/jenkins/client/job/oscore/cookiecutter.yml
+++ b/jenkins/client/job/oscore/cookiecutter.yml
@@ -97,6 +97,8 @@
compare_type: 'REG_EXP'
branches:
- master
+ - compare_type: ANT
+ name: release/*
skip_vote:
- successful
- failed
diff --git a/jenkins/client/job/salt-models/tests.yml b/jenkins/client/job/salt-models/tests.yml
index 81dfd36..983a88b 100644
--- a/jenkins/client/job/salt-models/tests.yml
+++ b/jenkins/client/job/salt-models/tests.yml
@@ -217,6 +217,8 @@
salt-models/{{name}}:
branches:
- master
+ - compare_type: ANT
+ name: release/*
event:
comment:
- addedContains:
@@ -260,6 +262,8 @@
mk/{{cookiecutter_template}}:
branches:
- master
+ - compare_type: ANT
+ name: release/*
event:
comment:
- addedContains:
diff --git a/jenkins/client/job/test_pipelines.yml b/jenkins/client/job/test_pipelines.yml
index c8eaab0..4d661da 100644
--- a/jenkins/client/job/test_pipelines.yml
+++ b/jenkins/client/job/test_pipelines.yml
@@ -35,6 +35,8 @@
"{{repo}}":
branches:
- master
+ - compare_type: ANT
+ name: release/*
event:
patchset:
- created:
diff --git a/keystone/client/core.yml b/keystone/client/core.yml
index 899f4aa..8c73b16 100644
--- a/keystone/client/core.yml
+++ b/keystone/client/core.yml
@@ -3,12 +3,13 @@
parameters:
_param:
keystone_service_protocol: http
+###TODO: the section below should be removed in the future together with same related changes in cookiecutter-templates (control_init.yml)
linux:
system:
job:
keystone_job_rotate:
command: '/usr/bin/keystone-manage fernet_rotate --keystone-user keystone --keystone-group keystone >> /var/log/key_rotation_log 2>> /var/log/key_rotation_log'
- enabled: true
+ enabled: false
user: root
minute: 0
keystone:
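Review bot: Flipping `keystone_job_rotate` to `enabled: false` stops the only fernet key rotation visible in this file, and the TODO on line 290 says the replacement lives in cookiecutter's `control_init.yml`; if that change is not already deployed, fernet signing keys stop rotating, so a leaked key remains valid indefinitely and the rotation-based revocation window disappears. Make the cross-dependency explicit in the comment, e.g. `# Disabled: fernet rotation is now driven by the keystone server class (see cookiecutter control_init.yml); re-enable only if that class is absent`. The comment is also placed at column 0 inside the `_param` mapping, which YAML accepts but reads oddly; indent it with the key it describes.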
diff --git a/keystone/client/single.yml b/keystone/client/single.yml
index ad2d55a..b8ab7f1 100644
--- a/keystone/client/single.yml
+++ b/keystone/client/single.yml
@@ -10,12 +10,13 @@
parameters:
_param:
keystone_service_protocol: http
+###TODO: the section below should be removed in the future together with same related changes in cookiecutter-templates (control_init.yml)
linux:
system:
job:
keystone_job_rotate:
command: '/usr/bin/keystone-manage fernet_rotate --keystone-user keystone --keystone-group keystone >> /var/log/key_rotation_log 2>> /var/log/key_rotation_log'
- enabled: true
+ enabled: false
user: root
minute: 0
keystone:
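Review bot: Same concern as in `keystone/client/core.yml`: disabling `keystone_job_rotate` here removes fernet key rotation on single-node deployments too, and nothing in this diff shows the replacement mechanism the TODO refers to. Confirm the server-side rotation is in place before merging, and consider driving `enabled` from a shared parameter, e.g. `enabled: ${_param:keystone_job_rotate_enabled}`, so the two client classes cannot drift apart.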
diff --git a/kubernetes/common.yml b/kubernetes/common.yml
index e4c6ffc..c178ced 100644
--- a/kubernetes/common.yml
+++ b/kubernetes/common.yml
@@ -50,6 +50,9 @@
kubernetes_cniplugins_source: ${_param:kubernetes_cniplugins_repo}/cni-plugins_v0.7.1-48-g696b1f9.tar.gz
kubernetes_cniplugins_source_hash: md5=5ec1cf5e989097c6127ea5365e277b02
kubernetes_dashboard_image: ${_param:kubernetes_dashboard_repo}/kubernetes-dashboard-amd64:v1.8.3
+ kubernetes_fluentd_aggregator_image: fluent/fluentd-kubernetes-daemonset:v1.2-debian-elasticsearch
+ kubernetes_fluentd_logger_image: fluent/fluentd-kubernetes-daemonset:v1.2-debian-stackdriver
+ kubernetes_telegraf_image: docker.io/telegraf:1.5.3
kubelet_fail_on_swap: true
kubernetes_dashboard_enabled: true
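Review bot: The three new image references are hard-coded to Docker Hub (`fluent/fluentd-kubernetes-daemonset:...`, `docker.io/telegraf:1.5.3`) while the neighbouring images are composed from a `${_param:kubernetes_*_repo}` parameter, so fluentd and telegraf will bypass any mirrored or private registry and fail in air-gapped deployments; add `kubernetes_fluentd_repo` / `kubernetes_telegraf_repo` params and build the image strings from them. `v1.2-debian-elasticsearch` and `v1.2-debian-stackdriver` are floating minor-version tags that move under you; pin a full version or digest for reproducible, auditable rollouts.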
@@ -65,6 +68,64 @@
kubernetes_contrail_network_controller_enabled: false
kubernetes_metallb_enabled: false
kubernetes_sriov_enabled: false
+ kubernetes_fluentd_enabled: false
+ kubernetes_telegraf_enabled: false
+
+ # the rest of fluentd related params, the non bools
+ kubernetes_fluentd_namespace: stacklight
+ kubernetes_fluentd_aggregator_resources_limits_memory: 500Mi
+ kubernetes_fluentd_aggregator_resources_requests_memory: 500Mi
+ kubernetes_fluentd_aggregator_config_forward_input_bind_port: 24224
+ kubernetes_fluentd_aggregator_config_general_time_format: '%Y-%m-%dT%H:%M:%S.%N%z'
+ kubernetes_fluentd_aggregator_config_systemd_filter_docker_parse_format: /^time="(?<time>[^)]*)" level=(?<severity>[^ ]*) msg="(?<message>[^"]*)"( err="(?<error>[^"]*)")?( statusCode=($<status_code>\d+))?/
+ kubernetes_fluentd_aggregator_config_output_log_level: 'info'
+ kubernetes_fluentd_aggregator_config_output_logstash_format: true
+ kubernetes_fluentd_aggregator_config_output_logstash_prefix: 'log'
+ kubernetes_fluentd_aggregator_config_output_logstash_dateformat: '%Y.%m.%d'
+ kubernetes_fluentd_aggregator_config_output_num_threads: 8
+ kubernetes_fluentd_aggregator_config_output_max_retry_wait: 30
+ kubernetes_fluentd_aggregator_config_output_flush_interval: '10s'
+ kubernetes_fluentd_aggregator_config_output_buffer_chunk_limit: '2m'
+ kubernetes_fluentd_aggregator_config_output_buffer_queue_limit: 32
+ kubernetes_fluentd_aggregator_config_output_request_timeout: '10s'
+ kubernetes_fluentd_aggregator_config_output_es_host: 127.0.0.1
+ kubernetes_fluentd_aggregator_config_output_es_port: 9200
+ kubernetes_fluentd_aggregator_config_output_es_scheme: http
+
+ kubernetes_fluentd_logger_resources_limits_memory: 500Mi
+ kubernetes_fluentd_logger_resources_requests_memory: 500Mi
+ kubernetes_fluentd_logger_config_kubernetes_input_time_format: '%Y-%m-%dT%H:%M:%S.%NZ'
+ kubernetes_fluentd_logger_config_forward_output_require_ack_response: true
+ kubernetes_fluentd_logger_config_forward_output_ack_response_timeout: 30
+ kubernetes_fluentd_logger_config_forward_output_recover_wait: '10s'
+ kubernetes_fluentd_logger_config_forward_output_heartbeat_interval: '1s'
+ kubernetes_fluentd_logger_config_forward_output_phi_threshold: 16
+ kubernetes_fluentd_logger_config_forward_output_send_timeout: '10s'
+ kubernetes_fluentd_logger_config_forward_output_hard_timeout: '10s'
+ kubernetes_fluentd_logger_config_forward_output_expire_dns_cache: 15
+ kubernetes_fluentd_logger_config_forward_output_heartbeat_type: 'tcp'
+ kubernetes_fluentd_logger_config_forward_output_buffer_chunk_limit: '2M'
+ kubernetes_fluentd_logger_config_forward_output_buffer_queue_limit: 32
+ kubernetes_fluentd_logger_config_forward_output_flush_interval: '5s'
+ kubernetes_fluentd_logger_config_forward_output_max_retry_wait: 15
+ kubernetes_fluentd_logger_config_forward_output_num_threads: 8
+
+ # telegraf stuff
+ kubernetes_telegraf_namespace: stacklight
+ kubernetes_telegraf_resources_limits_memory: 500Mi
+ kubernetes_telegraf_resources_requests_memory: 500Mi
+ kubernetes_telegraf_agent_interval: 15
+ kubernetes_telegraf_agent_round_interval: false
+ kubernetes_telegraf_agent_metric_batch_size: 1000
+ kubernetes_telegraf_agent_metric_buffer_limit: 10000
+ kubernetes_telegraf_agent_collection_jitter: 2
+ kubernetes_telegraf_agent_flush_interval: 10
+ kubernetes_telegraf_agent_flush_jitter: 2
+ kubernetes_telegraf_agent_precision: ms
+ kubernetes_telegraf_agent_logfile: etc/telegraf/log
+ kubernetes_telegraf_agent_debug: false
+ kubernetes_telegraf_agent_quiet: false
+ kubernetes_telegraf_agent_omit_hostname: false
docker:
host:
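Review bot: The regex in `kubernetes_fluentd_aggregator_config_systemd_filter_docker_parse_format` has a malformed named group: `($<status_code>\d+)` should be `(?<status_code>\d+)` — as written the `$` is an end-of-line anchor followed by a literal `<status_code>`, so the group can never match and status codes are silently dropped (or the pattern is rejected, depending on the regexp engine fluentd uses). The `time` group `(?<time>[^)]*)` also relies on backtracking to stop at the closing quote; `[^"]*` is the intended class. Two smaller items: `kubernetes_telegraf_agent_logfile: etc/telegraf/log` lacks the leading `/` and is therefore relative to telegraf's working directory, and `kubernetes_fluentd_aggregator_config_output_es_scheme: http` ships logs to Elasticsearch in plaintext, which is only acceptable while `es_host` stays on `127.0.0.1`.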
@@ -107,6 +168,85 @@
image: ${_param:kubernetes_contrail_network_controller_image}
flannel:
image: ${_param:kubernetes_flannel_image}
+ fluentd:
+ enabled: ${_param:kubernetes_fluentd_enabled}
+ namespace: ${_param:kubernetes_fluentd_namespace}
+ aggregator:
+ image: ${_param:kubernetes_fluentd_aggregator_image}
+ resources:
+ limits:
+ memory: ${_param:kubernetes_fluentd_aggregator_resources_limits_memory}
+ requests:
+ memory: ${_param:kubernetes_fluentd_aggregator_resources_requests_memory}
+ config:
+ forward_input:
+ bind:
+ port: ${_param:kubernetes_fluentd_aggregator_config_forward_input_bind_port}
+ general:
+ time_format: ${_param:kubernetes_fluentd_aggregator_config_general_time_format}
+ systemd_filter:
+ docker_parse_format: ${_param:kubernetes_fluentd_aggregator_config_systemd_filter_docker_parse_format}
+ output:
+ log_level: ${_param:kubernetes_fluentd_aggregator_config_output_log_level}
+ logstash_format: ${_param:kubernetes_fluentd_aggregator_config_output_logstash_format}
+ logstash_prefix: ${_param:kubernetes_fluentd_aggregator_config_output_logstash_prefix}
+ logstash_dateformat: ${_param:kubernetes_fluentd_aggregator_config_output_logstash_dateformat}
+ request_timeout: ${_param:kubernetes_fluentd_aggregator_config_output_request_timeout}
+ buffer_chunk_limit: ${_param:kubernetes_fluentd_aggregator_config_output_buffer_chunk_limit}
+ buffer_queue_limit: ${_param:kubernetes_fluentd_aggregator_config_output_buffer_queue_limit}
+ flush_interval: ${_param:kubernetes_fluentd_aggregator_config_output_flush_interval}
+ num_threads: ${_param:kubernetes_fluentd_aggregator_config_output_num_threads}
+ max_retry_wait: ${_param:kubernetes_fluentd_aggregator_config_output_max_retry_wait}
+ es:
+ host: ${_param:kubernetes_fluentd_aggregator_config_output_es_host}
+ port: ${_param:kubernetes_fluentd_aggregator_config_output_es_port}
+ scheme: ${_param:kubernetes_fluentd_aggregator_config_output_es_scheme}
+ logger:
+ image: ${_param:kubernetes_fluentd_logger_image}
+ resources:
+ limits:
+ memory: ${_param:kubernetes_fluentd_logger_resources_limits_memory}
+ requests:
+ memory: ${_param:kubernetes_fluentd_logger_resources_requests_memory}
+ config:
+ kubernetes_input:
+ time_format: ${_param:kubernetes_fluentd_logger_config_kubernetes_input_time_format}
+ forward_output:
+ require_ack_response: ${_param:kubernetes_fluentd_logger_config_forward_output_require_ack_response}
+ ack_response_timeout: ${_param:kubernetes_fluentd_logger_config_forward_output_ack_response_timeout}
+ recover_wait: ${_param:kubernetes_fluentd_logger_config_forward_output_recover_wait}
+ heartbeat_interval: ${_param:kubernetes_fluentd_logger_config_forward_output_heartbeat_interval}
+ phi_threshold: ${_param:kubernetes_fluentd_logger_config_forward_output_phi_threshold}
+ send_timeout: ${_param:kubernetes_fluentd_logger_config_forward_output_send_timeout}
+ hard_timeout: ${_param:kubernetes_fluentd_logger_config_forward_output_hard_timeout}
+ expire_dns_cache: ${_param:kubernetes_fluentd_logger_config_forward_output_expire_dns_cache}
+ heartbeat_type: ${_param:kubernetes_fluentd_logger_config_forward_output_heartbeat_type}
+ buffer_chunk_limit: ${_param:kubernetes_fluentd_logger_config_forward_output_buffer_chunk_limit}
+ buffer_queue_limit: ${_param:kubernetes_fluentd_logger_config_forward_output_buffer_queue_limit}
+ flush_interval: ${_param:kubernetes_fluentd_logger_config_forward_output_flush_interval}
+ max_retry_wait: ${_param:kubernetes_fluentd_logger_config_forward_output_max_retry_wait}
+ num_threads: ${_param:kubernetes_fluentd_logger_config_forward_output_num_threads}
+ telegraf:
+ enabled: ${_param:kubernetes_telegraf_enabled}
+ image: ${_param:kubernetes_telegraf_image}
+ resources:
+ limits:
+ memory: ${_param:kubernetes_telegraf_resources_limits_memory}
+ requests:
+ memory: ${_param:kubernetes_telegraf_resources_requests_memory}
+ agent:
+ interval: ${_param:kubernetes_telegraf_agent_interval}
+ round_interval: ${_param:kubernetes_telegraf_agent_round_interval}
+ metric_batch_size: ${_param:kubernetes_telegraf_agent_metric_batch_size}
+ metric_buffer_limit: ${_param:kubernetes_telegraf_agent_metric_buffer_limit}
+ collection_jitter: ${_param:kubernetes_telegraf_agent_collection_jitter}
+ flush_interval: ${_param:kubernetes_telegraf_agent_flush_interval}
+ flush_jitter: ${_param:kubernetes_telegraf_agent_flush_jitter}
+ precision: ${_param:kubernetes_telegraf_agent_precision}
+ logfile: ${_param:kubernetes_telegraf_agent_logfile}
+ debug: ${_param:kubernetes_telegraf_agent_debug}
+ quiet: ${_param:kubernetes_telegraf_agent_quiet}
+ omit_hostname: ${_param:kubernetes_telegraf_agent_omit_hostname}
virtlet:
enabled: ${_param:kubernetes_virtlet_enabled}
namespace: kube-system
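Review bot: `forward_input` under `fluentd.aggregator.config` exposes only `bind.port`, and `forward_output` under `logger` carries no transport or shared-key settings, so unless the formula template adds them, node-to-aggregator log forwarding is unauthenticated and unencrypted inside the cluster; any pod that can reach port 24224 can inject records into the `log-*` indices. If the formula supports fluentd's `<security>` / `<transport tls>` blocks, surface them as parameters here; otherwise a comment stating that assumption, e.g. `# forward transport is plaintext and unauthenticated; rely on network policy`, would help. The `kubernetes:` mapping this hunk extends starts before line 397.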
diff --git a/maas/region/single.yml b/maas/region/single.yml
index 7c57d9e..3569fff 100644
--- a/maas/region/single.yml
+++ b/maas/region/single.yml
@@ -42,4 +42,5 @@
ntp_external_only: true
upstream_dns: ${_param:dns_server01}
enable_http_proxy: false
- default_min_hwe_kernel: ''
+ # linux-signed-image-generic-hwe-16.04
+ default_min_hwe_kernel: 'hwe-16.04'
diff --git a/nginx/server/proxy/stacklight/elasticsearch.yml b/nginx/server/proxy/stacklight/elasticsearch.yml
new file mode 100644
index 0000000..82d8bad
--- /dev/null
+++ b/nginx/server/proxy/stacklight/elasticsearch.yml
@@ -0,0 +1,25 @@
+parameters:
+ nginx:
+ server:
+ stream:
+ elasticsearch_binary:
+ backend:
+ elasticsearch:
+ address: ${_param:stacklight_monitor_address}
+ port: 9305
+ host:
+ port: 9300
+ site:
+ nginx_proxy_elasticsearch:
+ enabled: true
+ type: nginx_proxy
+ name: elasticsearch
+ proxy:
+ host: ${_param:stacklight_monitor_address}
+ port: 9205
+ protocol: http
+ host:
+ name: ${_param:cluster_public_host}
+ port: 9200
+ protocol: https
+ ssl: ${_param:nginx_proxy_ssl}
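Review bot: This site publishes the Elasticsearch REST API on `${_param:cluster_public_host}:9200` over TLS and, via the `elasticsearch_binary` stream, the node transport protocol on port 9300, but the backend client node added in this same commit runs with `xpack.security.enabled: "false"` and no authentication is configured on the proxy, so anyone who can reach the public host gets unauthenticated read/write/delete on the log indices and the transport port additionally lets an arbitrary client join the cluster. If this is meant for a trusted operator network only, add an allow/deny list or basic auth to the `nginx_proxy_elasticsearch` site (if the nginx formula supports it) and reconsider exposing 9300 at all. Note too that the upstream leg is `protocol: http`, so traffic between the proxy and the monitor node is plaintext.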
diff --git a/nginx/server/stream/gerrit_ssh.yml b/nginx/server/stream/gerrit_ssh.yml
new file mode 100644
index 0000000..13b7ba2
--- /dev/null
+++ b/nginx/server/stream/gerrit_ssh.yml
@@ -0,0 +1,16 @@
+parameters:
+ _param:
+ nginx_proxy_gerrit_server_stream_host: ${_param:cicd_control_address}
+ nginx_proxy_gerrit_server_stream_port: 29418
+ nginx_proxy_gerrit_server_site_stream_port: 29418
+ nginx:
+ server:
+ stream:
+ gerrit_ssh:
+ backend:
+ cicd:
+ address: ${_param:nginx_proxy_gerrit_server_stream_host}
+ port: ${_param:nginx_proxy_gerrit_server_stream_port}
+ host:
+ port: ${_param:nginx_proxy_gerrit_server_site_stream_port}
+
diff --git a/nova/control/cluster.yml b/nova/control/cluster.yml
index d202987..2f411b5 100644
--- a/nova/control/cluster.yml
+++ b/nova/control/cluster.yml
@@ -14,6 +14,7 @@
metadata_password: metadataPass
cluster_internal_protocol: 'http'
openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
linux:
system:
package:
@@ -48,6 +49,11 @@
password: ${_param:mysql_nova_password}
x509:
enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_nova_ssl_ca_file}
+ key_file: ${_param:mysql_nova_client_ssl_key_file}
+ cert_file: ${_param:mysql_nova_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
identity:
engine: keystone
region: ${_param:openstack_region}
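Review bot: The new `ca_file`/`key_file`/`cert_file` entries reference `mysql_nova_ssl_ca_file`, `mysql_nova_client_ssl_key_file` and `mysql_nova_client_ssl_cert_file`, but unlike the cinder files in this commit no hunk here adds a `system.salt.minion.cert.mysql.clients.openstack.nova` class to this file; if that class is not already included, reclass will fail to interpolate these parameters. Please confirm the nova client-cert class is present — the `classes:` list is outside this hunk. As with cinder, the `ssl:` mapping carries no CA reference, so whether server identity is verified in the non-x509 path depends on the formula. The `database:` mapping being edited starts before line 560.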
diff --git a/nova/control/single.yml b/nova/control/single.yml
index 4cc165d..e7d7671 100644
--- a/nova/control/single.yml
+++ b/nova/control/single.yml
@@ -5,6 +5,7 @@
_param:
cluster_internal_protocol: 'http'
openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
linux:
system:
package:
@@ -18,6 +19,11 @@
host: ${_param:single_address}
x509:
enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_nova_ssl_ca_file}
+ key_file: ${_param:mysql_nova_client_ssl_key_file}
+ cert_file: ${_param:mysql_nova_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
identity:
protocol: ${_param:cluster_internal_protocol}
region: ${_param:openstack_region}
diff --git a/octavia/client/init.yml b/octavia/client/init.yml
new file mode 100644
index 0000000..f114e3d
--- /dev/null
+++ b/octavia/client/init.yml
@@ -0,0 +1,2 @@
+classes:
+- service.octavia.client
diff --git a/openssh/server/team/members/pshchelo.yml b/openssh/server/team/members/pshchelo.yml
new file mode 100644
index 0000000..52e7cc6
--- /dev/null
+++ b/openssh/server/team/members/pshchelo.yml
@@ -0,0 +1,20 @@
+parameters:
+ linux:
+ system:
+ user:
+ pshchelo:
+ enabled: true
+ name: pshchelo
+ sudo: ${_param:linux_system_user_sudo}
+ full_name: Pavlo Shchelokovskyy
+ home: /home/pshchelo
+ email: pshchelokovskyy@mirantis.com
+ openssh:
+ server:
+ enabled: true
+ user:
+ pshchelo:
+ enabled: true
+ public_keys:
+ - key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOns6c3H+TP0HBYWI+N6nX/ilPrGth5ElLCyN4EHJqcq pshchelo@git
+ user: ${linux:system:user:pshchelo}
diff --git a/openssh/server/team/oscore_devops.yml b/openssh/server/team/oscore_devops.yml
index f629d9e..31830fc 100644
--- a/openssh/server/team/oscore_devops.yml
+++ b/openssh/server/team/oscore_devops.yml
@@ -11,6 +11,7 @@
- system.openssh.server.team.members.kkushaev
- system.openssh.server.team.members.sgarbuz
- system.openssh.server.team.members.oshyshko
+- system.openssh.server.team.members.pshchelo
parameters:
_param:
linux_system_user_sudo: true
diff --git a/rabbitmq/server/ssl/init.yml b/rabbitmq/server/ssl/init.yml
new file mode 100644
index 0000000..7fefae7
--- /dev/null
+++ b/rabbitmq/server/ssl/init.yml
@@ -0,0 +1,11 @@
+classes:
+- system.salt.minion.cert.rabbitmq_server
+- service.rabbitmq.server.ssl
+parameters:
+ _param:
+ rabbitmq_ssl_enabled: true
+ rabbitmq_port: 5671 # for non-ssl use 5672 / for ssl 5671
+ rabbitmq:
+ server:
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
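Review bot: `rabbitmq_port: 5671` is set unconditionally while `ssl.enabled` is driven by `rabbitmq_ssl_enabled`, so an operator who sets `rabbitmq_ssl_enabled: false` without also overriding the port leaves clients pointed at a TLS port that is no longer listening; either drop the toggle (the class is named `ssl`, so enabling it is its purpose) or document the coupling more directly than the trailing comment does, e.g. `# rabbitmq_ssl_enabled and rabbitmq_port must be changed together`. Also confirm that `service.rabbitmq.server.ssl` disables the plaintext 5672 listener; otherwise clients can still connect over AMQP without TLS.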
diff --git a/salt/minion/ca/octavia_ca.yml b/salt/minion/ca/octavia_ca.yml
index 453c450..e6e0ae0 100644
--- a/salt/minion/ca/octavia_ca.yml
+++ b/salt/minion/ca/octavia_ca.yml
@@ -27,7 +27,5 @@
days_valid:
authority: ${_param:octavia_ca_days_valid_authority}
certificate: ${_param:octavia_ca_days_valid_certificate}
- ca_file: ${octavia:manager:certificates:ca_certificate}
- ca_key_file: ${octavia:manager:certificates:ca_private_key}
user: octavia
group: octavia
diff --git a/salt/minion/cert/mysql/clients/openstack/cinder.yml b/salt/minion/cert/mysql/clients/openstack/cinder.yml
new file mode 100644
index 0000000..ec6a77a
--- /dev/null
+++ b/salt/minion/cert/mysql/clients/openstack/cinder.yml
@@ -0,0 +1,27 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ mysql_cinder_client_ssl_key_file: /etc/pki/mysql-cinder-client/client-key.pem
+ mysql_cinder_client_ssl_cert_file: /etc/pki/mysql-cinder-client/client-cert.pem
+ mysql_cinder_ssl_ca_file: /etc/pki/mysql-cinder-client/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ mysql-cinder-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: mysql-cinder-client
+ signing_policy: cert_client
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:mysql_cinder_client_ssl_key_file}
+ cert_file: ${_param:mysql_cinder_client_ssl_cert_file}
+ ca_file: ${_param:mysql_cinder_ssl_ca_file}
+ user: cinder
+ group: cinder
+ mode: 640
\ No newline at end of file
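Review bot: `mode: 640` is an unquoted scalar that YAML parses as decimal 640; quote it as `mode: '0640'` so the octal intent is explicit rather than relying on the formula to reinterpret the number. `DNS:${_param:cluster_local_address}` places an IP address into a DNS-type SAN, which is not a valid dNSName under RFC 5280 and duplicates the `IP:` entry on the previous line; drop it. `salt_minion_ca_host` is hard-coded to `cfg01.${_param:cluster_domain}` here, which may take precedence over a cluster-wide value depending on class ordering; prefer inheriting the model-wide parameter. The file also has no trailing newline.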