Merge "Adding tls support ceilometer agent for libvirt"
diff --git a/jenkins/client/job/deploy/update/reclass_update_check.yml b/jenkins/client/job/deploy/update/reclass_update_check.yml
new file mode 100644
index 0000000..cec8d79
--- /dev/null
+++ b/jenkins/client/job/deploy/update/reclass_update_check.yml
@@ -0,0 +1,51 @@
+#
+# Jobs to to check new Reclass package version compatibility with model
+#
+parameters:
+  _param:
+    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
+  jenkins:
+    client:
+      job:
+        check-reclass-version:
+          type: workflow-scm
+          concurrent: true
+          discard:
+            build:
+              keep_num: 10
+            artifact:
+              keep_num: 10
+          display_name: "Upgrade - check new Reclass package"
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: "gerrit"
+            script: test-reclass-package.groovy
+          param:
+            SALT_MASTER_URL:
+              type: string
+              default: "${_param:jenkins_salt_api_url}"
+            SALT_MASTER_CREDENTIALS:
+              type: string
+              default: "salt"
+            DISTRIB_REVISION:
+              type: string
+              default: 'proposed'
+              description: "Mirror version to use"
+            EXTRA_REPO_PREDEFINED:
+              type: boolean
+              default: false
+              description: "Use mcp extra repo defined on host"
+            EXTRA_REPO:
+              type: string
+              default: ''
+              description: "Extra repo to use in format (for example, deb [arch=amd64] http://apt.mirantis.com/xenial/ nightly extra)"
+            EXTRA_REPO_GPG_KEY_URL:
+              type: string
+              default: ''
+              description: "GPG key URL for extra repo"
+            TARGET_NODES:
+              type: string
+              default: '*'
+              description: "Target specification, e.g. 'I@openssh:server'"
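Review bot: The `jenkins_salt_api_url` default at the top of this file uses `http://`, and the job hands it to the pipeline as `SALT_MASTER_URL` next to `SALT_MASTER_CREDENTIALS`, so the pipeline would presumably authenticate to the Salt API in cleartext. Prefer `jenkins_salt_api_url: "https://${_param:salt_master_host}:6969"` if the endpoint serves TLS, or add a comment saying why it does not. `EXTRA_REPO` and `EXTRA_REPO_GPG_KEY_URL` are free-form strings, so whoever may start this job chooses both a package source and the key that vouches for it on the nodes selected by `TARGET_NODES`, whose default `'*'` selects every minion. Restricting who can build the job and defaulting `TARGET_NODES` to a narrower target would limit that. The `EXTRA_REPO` description also uses an `http://` mirror as its example, and the header comment has a doubled word (`to to`).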
diff --git a/linux/system/repo/keystorage/mirantis_com/extra.yml b/linux/system/repo/keystorage/mirantis_com/extra.yml
new file mode 100644
index 0000000..88e7a27
--- /dev/null
+++ b/linux/system/repo/keystorage/mirantis_com/extra.yml
@@ -0,0 +1,26 @@
+parameters:
+  linux:
+    system:
+      repo:
+        mcp_extra:
+          # pub   2048R/4C5289EF 2018-07-25
+          key: |
+            -----BEGIN PGP PUBLIC KEY BLOCK-----
+            Version: GnuPG v1
+
+            mQENBFtYVY8BCAC3oli93husG0ZVtv/L8I4/bcW60LFCyB0DuwEznGlSaj1fjOQu
+            C7QX9wvGRq8mRZ8mfZ6sbxGmgs0LnV5QIBle1l5I3B+AMGksf6UGEWgoN/vq86g+
+            0Jg6kJP/D0sjGXvdlfy+bgAqjsx2bWOLjQGtHSIxhe4cE9HPBfMiYsFwGQua3XN3
+            tiGKcifszvDA6uqdjS6DuTEPCzyKiSyUevnWtBh0oUtUt//X4lG2Mx0lU91uUQGj
+            KeZ+fYXOLqgZm/FxLVT5w3g/UGK9Cbz5h4kGCJOfk0EwIZp0IRRs1phOC6gVMwoV
+            yWKCtdHmg7Ob8I4AZ8OW5HJn1UPHTprxcHBnABEBAAG0LEF1dG9idWlsZGVyIDxp
+            bmZyYSthdXRpYnVpbGRlckBtaXJhbnRpcy5jb20+iQE4BBMBAgAiBQJbWFWPAhsD
+            BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCRZVp5TFKJ70cJB/9ArWrSFyEx
+            qs7Tyo9M5WCPjqw7y2F7jd4Et3hqwc5jx6KlxGpg17SHt4oWcmtML3VBx+ziBAi0
+            5Ry4Z4w0QqFW6gAqQepeW76Yq/OP5SoqEI9sUwzLfUY7raK/P1buvXB1eZh4mMw4
+            TFf4Hgo8yUQ3geYNnUBBfaSfkmiyBJGsMXBfW2zhlpVIyB6Cye5R823FxGNJe+li
+            hggNCQnKYqrGtr55RO6xYI1v89cgGrO2EVwPkFLA/MUnQEb433Ck+sjp1NZDUfuJ
+            U3gg8S0hT+Cf5XiknT/xqIhhTY/KzlNmynZt/51DzZzsbM+RO6JZFYJL2LuC69gB
+            +R5jrmaGu9fG
+            =sqIn
+            -----END PGP PUBLIC KEY BLOCK-----
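Review bot: The comment above `key:` identifies this key only by its 32-bit short ID (`4C5289EF`), which is too short to tell keys apart reliably. Record the full fingerprint so a reviewer can compare the armored block against an out-of-band source, for example `# pub 2048R/<FULL_40_HEX_FINGERPRINT> 2018-07-25`. The comment could also say that this key is the trust anchor for the `mcp_extra` repository and where its canonical copy is published. The comment shows no expiry date; if the key has none, a line on how it is rotated would help.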
diff --git a/linux/system/repo/keystorage/mirantis_com/init.yml b/linux/system/repo/keystorage/mirantis_com/init.yml
index b6c9a86..8a3c1de 100644
--- a/linux/system/repo/keystorage/mirantis_com/init.yml
+++ b/linux/system/repo/keystorage/mirantis_com/init.yml
@@ -1,2 +1,3 @@
 classes:
 - system.linux.system.repo.keystorage.mirantis_com.openstack
+- system.linux.system.repo.keystorage.mirantis_com.extra
diff --git a/linux/system/repo/mcp/apt_mirantis/extra.yml b/linux/system/repo/mcp/apt_mirantis/extra.yml
new file mode 100644
index 0000000..12e8adc
--- /dev/null
+++ b/linux/system/repo/mcp/apt_mirantis/extra.yml
@@ -0,0 +1,18 @@
+classes:
+- system.linux.system.repo.keystorage.mirantis_com
+parameters:
+  _param:
+    linux_system_architecture: 'amd64'
+    linux_system_repo_url: http://mirror.mirantis.com/${_param:apt_mk_version}/
+    linux_system_repo_mcp_extra_url: ${_param:linux_system_repo_url}/extra/
+  linux:
+    system:
+      repo:
+        mcp_extra:
+          source: "deb ${_param:linux_system_repo_mcp_extra_url}/${_param:linux_system_codename} ${_param:linux_system_codename} main"
+          architectures: ${_param:linux_system_architecture}
+          clean_file: true
+          pin:
+          - pin: 'release o=Mirantis'
+            priority: 1100
+            package: '*'
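Review bot: The pin `priority: 1100` with `package: '*'` and `release o=Mirantis` gives every package from any source whose Release file declares origin Mirantis a priority above 1000, which apt treats as install-even-if-it-is-a-downgrade. That lets this repository replace or roll back any package on the node, so scope the pin to the packages that need it or use a priority below 1000 unless downgrades are intended, and state the intent in a comment. `linux_system_repo_url` is plain `http://`, so package integrity rests entirely on apt's signature check against the `mcp_extra` key. The URL parameters also stack slashes (a trailing `/` on `linux_system_repo_url`, then `/extra/`, then `/${_param:linux_system_codename}`), which renders `//` inside the `source` line.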
diff --git a/nova/compute/libvirt/ssl/init.yml b/nova/compute/libvirt/ssl/init.yml
index 87742e0..d9be1a5 100644
--- a/nova/compute/libvirt/ssl/init.yml
+++ b/nova/compute/libvirt/ssl/init.yml
@@ -1,6 +1,11 @@
 classes:
 - system.salt.minion.cert.libvirtd
 parameters:
+  _param:
+    nova_compute_libvirt_allowed_dn_list:
+      all:
+        enabled: true
+        value: '*CN=cmp*.${_param:cluster_domain}*'
   nova:
     compute:
       libvirt:
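Review bot: The pattern `'*CN=cmp*.${_param:cluster_domain}*'` is looser than it reads. Neither the `*` after `cmp` nor the trailing `*` is bounded by a label or attribute separator, so a certificate from the same CA whose subject merely contains `CN=cmp`, later followed by the cluster domain and any suffix, would presumably be accepted (assuming the consumer glob-matches the whole DN string, as libvirt's `tls_allowed_dn_list` does). If the CN is the last attribute in the rendered DN, drop the trailing wildcard, `value: '*CN=cmp*.${_param:cluster_domain}'`; otherwise anchor the pattern on the attribute separator. A comment naming which client the list is meant to admit (the ceilometer agent, going by the commit title) would help. The second hunk in this file wires the parameter into `allowed_dn_list`, and the enclosing `libvirt` mapping continues outside both hunks.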
@@ -10,6 +15,7 @@
           key_file: ${_param:libvirtd_server_ssl_key_file}
           cert_file: ${_param:libvirtd_server_ssl_cert_file}
           ca_file: ${_param:libvirtd_ssl_ca_file}
+          allowed_dn_list: ${_param:nova_compute_libvirt_allowed_dn_list}
           client:
             key_file: ${_param:libvirtd_client_ssl_key_file}
             cert_file: ${_param:libvirtd_client_ssl_cert_file}
diff --git a/salt/minion/cert/libvirtd/vnc_server.yml b/salt/minion/cert/libvirtd/vnc_server.yml
index c49852e..cf60c12 100644
--- a/salt/minion/cert/libvirtd/vnc_server.yml
+++ b/salt/minion/cert/libvirtd/vnc_server.yml
@@ -22,6 +22,6 @@
           key_file: ${_param:qemu_vnc_server_ssl_key_file}
           cert_file: ${_param:qemu_vnc_server_ssl_cert_file}
           ca_file: ${_param:qemu_vnc_ssl_ca_file}
-          user: libvirt-qemu
-          group: libvirt-qemu
+          user: root
+          group: nova
           mode: 640
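Review bot: With `user: root`, `group: nova` and `mode: 640`, the QEMU VNC server key is no longer readable by `libvirt-qemu` unless that account is a member of group `nova`. If QEMU processes still run as `libvirt-qemu` (not visible here), VNC TLS would fail to load the key. The change also makes this private key readable by every process in group `nova`, which is wider than the previous dedicated `libvirt-qemu` group. Add a comment stating which service needs the read access, for example `# root-owned; read via group nova by <SERVICE>`, or keep a dedicated group. The mapping these keys belong to starts above the hunk.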
diff --git a/salt/minion/cert/mysql/clients/openstack/nova.yml b/salt/minion/cert/mysql/clients/openstack/nova.yml
index 955d6eb..4f03628 100644
--- a/salt/minion/cert/mysql/clients/openstack/nova.yml
+++ b/salt/minion/cert/mysql/clients/openstack/nova.yml
@@ -22,6 +22,6 @@
           key_file: ${_param:mysql_nova_client_ssl_key_file}
           cert_file: ${_param:mysql_nova_client_ssl_cert_file}
           ca_file: ${_param:mysql_nova_ssl_ca_file}
-          user: nova
+          user: root
           group: nova
           mode: 640
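Review bot: Nothing in the file explains the change of owner from `nova` to `root`, here or in the same edit to `salt/minion/cert/rabbitmq/clients/openstack/nova.yml`, `salt/minion/cert/vnc/novncproxy_client.yml` and `salt/minion/cert/vnc/novncproxy_server.yml`. Root ownership with `mode: 640` means the service can read but not replace its own key, which is reasonable hardening, but read access now depends on membership of group `nova`. A comment such as `# root-owned so the service cannot rewrite its key; readers must be in group nova` would make that explicit. `mode: 640` on the context line is an unquoted integer, and whether the consumer reads it as octal is not visible here, so `mode: '0640'` may be safer if the formula accepts a string. The enclosing mapping starts above each of these hunks.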
diff --git a/salt/minion/cert/rabbitmq/clients/openstack/nova.yml b/salt/minion/cert/rabbitmq/clients/openstack/nova.yml
index 04a6078..160acd9 100644
--- a/salt/minion/cert/rabbitmq/clients/openstack/nova.yml
+++ b/salt/minion/cert/rabbitmq/clients/openstack/nova.yml
@@ -22,6 +22,6 @@
           key_file: ${_param:rabbitmq_nova_client_ssl_key_file}
           cert_file: ${_param:rabbitmq_nova_client_ssl_cert_file}
           ca_file: ${_param:rabbitmq_nova_ssl_ca_file}
-          user: nova
+          user: root
           group: nova
           mode: 640
diff --git a/salt/minion/cert/vnc/novncproxy_client.yml b/salt/minion/cert/vnc/novncproxy_client.yml
index 9641611..0193455 100644
--- a/salt/minion/cert/vnc/novncproxy_client.yml
+++ b/salt/minion/cert/vnc/novncproxy_client.yml
@@ -22,6 +22,6 @@
           key_file: ${_param:novncproxy_client_ssl_key_file}
           cert_file: ${_param:novncproxy_client_ssl_cert_file}
           ca_file: ${_param:novncproxy_ssl_ca_file}
-          user: nova
+          user: root
           group: nova
           mode: 640
diff --git a/salt/minion/cert/vnc/novncproxy_server.yml b/salt/minion/cert/vnc/novncproxy_server.yml
index 20c24e2..9c3dd96 100644
--- a/salt/minion/cert/vnc/novncproxy_server.yml
+++ b/salt/minion/cert/vnc/novncproxy_server.yml
@@ -24,6 +24,6 @@
           key_file: ${_param:novncproxy_server_ssl_key_file}
           cert_file: ${_param:novncproxy_server_ssl_cert_file}
           ca_file: ${_param:novncproxy_ssl_ca_file}
-          user: nova
+          user: root
           group: nova
           mode: 640