Merge "Adding Qihuan Wu (Frank Wu) service member" into release/proposed/2019.2.0
diff --git a/apache/server/site/aodh.yml b/apache/server/site/aodh.yml
index 3b7fc23..abeb151 100644
--- a/apache/server/site/aodh.yml
+++ b/apache/server/site/aodh.yml
@@ -9,6 +9,10 @@
     apache_aodh_api_port: 8042
   apache:
     server:
+      enabled: true
+      default_mpm: event
+      modules:
+        - wsgi
       site:
         aodh:
           enabled: false
diff --git a/apache/server/site/barbican.yml b/apache/server/site/barbican.yml
index 7a4297b..efa1ffd 100644
--- a/apache/server/site/barbican.yml
+++ b/apache/server/site/barbican.yml
@@ -8,6 +8,9 @@
   apache:
     server:
       enabled: true
+      default_mpm: event
+      modules:
+        - wsgi
       site:
         barbican:
           enabled: false
diff --git a/apache/server/site/cinder.yml b/apache/server/site/cinder.yml
index 785817a..a07b9a8 100644
--- a/apache/server/site/cinder.yml
+++ b/apache/server/site/cinder.yml
@@ -12,6 +12,8 @@
     server:
       enabled: true
       default_mpm: event
+      modules:
+        - wsgi
       site:
         cinder:
           enabled: false
diff --git a/apache/server/site/gnocchi.yml b/apache/server/site/gnocchi.yml
index 7aaba6f..785f6f2 100644
--- a/apache/server/site/gnocchi.yml
+++ b/apache/server/site/gnocchi.yml
@@ -9,6 +9,10 @@
     apache_gnocchi_api_port: 8041
   apache:
     server:
+      enabled: true
+      default_mpm: event
+      modules:
+        - wsgi
       site:
         gnocchi:
           enabled: false
diff --git a/apache/server/site/nova-placement.yml b/apache/server/site/nova-placement.yml
index a869fea..a911fa2 100644
--- a/apache/server/site/nova-placement.yml
+++ b/apache/server/site/nova-placement.yml
@@ -12,6 +12,8 @@
     server:
       enabled: true
       default_mpm: event
+      modules:
+        - wsgi
       site:
         nova_placement:
           enabled: false
diff --git a/apache/server/site/panko.yml b/apache/server/site/panko.yml
index a34190d..fe15a68 100644
--- a/apache/server/site/panko.yml
+++ b/apache/server/site/panko.yml
@@ -9,6 +9,10 @@
     apache_panko_api_port: 8977
   apache:
     server:
+      enabled: true
+      default_mpm: event
+      modules:
+        - wsgi
       site:
         panko:
           enabled: false
diff --git a/barbican/server/cluster.yml b/barbican/server/cluster.yml
index 110ff29..558f08b 100644
--- a/barbican/server/cluster.yml
+++ b/barbican/server/cluster.yml
@@ -36,6 +36,8 @@
           enabled: ${_param:barbican_memcache_security_enabled}
           strategy: ${_param:openstack_memcache_security_strategy}
           secret_key: ${_param:barbican_memcache_secret_key}
+      # Keystone notification topic. Should be overridden from cluster level (see PROD-32645)
+      ks_notifications_topic: notifications
   linux:
     system:
       package:
diff --git a/cinder/control/cluster.yml b/cinder/control/cluster.yml
index cf5b84b..c8c25bd 100644
--- a/cinder/control/cluster.yml
+++ b/cinder/control/cluster.yml
@@ -54,6 +54,8 @@
         user: ${_param:keystone_cinder_username}
         password: ${_param:keystone_cinder_password}
         protocol: ${_param:cluster_internal_protocol}
+        service_token_roles: admin
+        service_token_roles_required: true
       glance:
         host: ${_param:cluster_vip_address}
         port: 9292
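Review bot: `service_token_roles: admin` is hard-coded in this identity block, and the same two lines are repeated in cinder/control/single.yml, cinder/volume/local.yml, cinder/volume/single.yml, both glance/control classes and all four nova classes. Because `service_token_roles_required: true` makes keystonemiddleware enforce the role, every service user that sends a service token must hold `admin`, and any admin-role token would also pass the service-token check. Keystonemiddleware's own default is the narrower `service` role. Consider one shared parameter so a deployment can tighten this in a single place, e.g. `service_token_roles: ${_param:openstack_service_token_roles}` (the parameter name is a suggestion, defaulted in defaults/openstack/init.yml). The identity mapping starts above this hunk, so the existing role assignments are not visible here.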
diff --git a/cinder/control/single.yml b/cinder/control/single.yml
index 3ab34e2..963e308 100644
--- a/cinder/control/single.yml
+++ b/cinder/control/single.yml
@@ -37,6 +37,8 @@
         password: ${_param:keystone_cinder_password}
         protocol: ${_param:internal_protocol}
         region: ${_param:openstack_region}
+        service_token_roles: admin
+        service_token_roles_required: true
       barbican:
         enabled: ${_param:barbican_integration_enabled}
       message_queue:
diff --git a/cinder/volume/local.yml b/cinder/volume/local.yml
index 000de98..c35129d 100644
--- a/cinder/volume/local.yml
+++ b/cinder/volume/local.yml
@@ -38,6 +38,8 @@
         password: ${_param:keystone_cinder_password}
         host: ${_param:single_address}
         region: ${_param:openstack_region}
+        service_token_roles: admin
+        service_token_roles_required: true
       cache:
         security:
           enabled: ${_param:cinder_memcache_security_enabled}
diff --git a/cinder/volume/single.yml b/cinder/volume/single.yml
index 8c62889..c40c7e9 100644
--- a/cinder/volume/single.yml
+++ b/cinder/volume/single.yml
@@ -49,6 +49,8 @@
         host: ${_param:openstack_control_address}
         protocol: ${_param:cluster_internal_protocol}
         region: ${_param:openstack_region}
+        service_token_roles: admin
+        service_token_roles_required: true
       cache:
         security:
           enabled: ${_param:cinder_memcache_security_enabled}
diff --git a/defaults/openstack/init.yml b/defaults/openstack/init.yml
index 19b3fe8..70e1004 100644
--- a/defaults/openstack/init.yml
+++ b/defaults/openstack/init.yml
@@ -142,6 +142,7 @@
     keystone_ironic_username: ironic
     ironic_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
     ironic_memcache_secret_key: ''
+    ironic_console_enabled: true
     # Keystone
     mysql_keystone_username: keystone
     keystone_old_version: ${_param:openstack_old_version}
diff --git a/glance/control/cluster.yml b/glance/control/cluster.yml
index 763ad09..0eae619 100644
--- a/glance/control/cluster.yml
+++ b/glance/control/cluster.yml
@@ -55,6 +55,8 @@
         region: ${_param:openstack_region}
         tenant: service
         protocol: ${_param:cluster_internal_protocol}
+        service_token_roles: admin
+        service_token_roles_required: true
       barbican:
         enabled: ${_param:barbican_integration_enabled}
       message_queue:
diff --git a/glance/control/single.yml b/glance/control/single.yml
index 24e9c3f..160d26d 100644
--- a/glance/control/single.yml
+++ b/glance/control/single.yml
@@ -29,6 +29,8 @@
       identity:
         region: ${_param:openstack_region}
         protocol: ${_param:internal_protocol}
+        service_token_roles: admin
+        service_token_roles_required: true
       registry:
         protocol: ${_param:internal_protocol}
       barbican:
diff --git a/ironic/api/cluster.yml b/ironic/api/cluster.yml
index 0d6587d..cd6c667 100644
--- a/ironic/api/cluster.yml
+++ b/ironic/api/cluster.yml
@@ -17,6 +17,7 @@
       bind:
         address: ${_param:cluster_baremetal_local_address}
       database:
+        user: ${_param:mysql_ironic_username}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
           ca_file: ${_param:mysql_ironic_ssl_ca_file}
@@ -44,3 +45,7 @@
           secret_key: ${_param:ironic_memcache_secret_key}
       identity:
         region: ${_param:openstack_region}
+        protocol: ${_param:cluster_internal_protocol}
+        user: ${_param:keystone_ironic_username}
+      middleware:
+        enable_proxy_headers_parsing: true
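Review bot: `enable_proxy_headers_parsing: true` makes the API trust client-supplied `X-Forwarded-*` headers when building URLs, which is only safe if every request arrives through a proxy that overwrites them. Nothing in this hunk ties the setting to such a proxy, and the same line is added in ironic/api/single.yml, where the API binds to `single_address`. I would add a comment above the key, such as `# Safe only when the API is reachable solely via the VIP proxy, which must overwrite X-Forwarded-* headers`. The `bind` settings sit in the earlier hunk of this file, so whether direct access is blocked cannot be confirmed from here.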
diff --git a/ironic/api/single.yml b/ironic/api/single.yml
index 5eb290b..db39076 100644
--- a/ironic/api/single.yml
+++ b/ironic/api/single.yml
@@ -15,6 +15,7 @@
       bind:
         address: ${_param:single_address}
       database:
+        user: ${_param:mysql_ironic_username}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
           ca_file: ${_param:mysql_ironic_ssl_ca_file}
@@ -38,3 +39,7 @@
           secret_key: ${_param:ironic_memcache_secret_key}
       identity:
         region: ${_param:openstack_region}
+        protocol: ${_param:cluster_internal_protocol}
+        user: ${_param:keystone_ironic_username}
+      middleware:
+        enable_proxy_headers_parsing: true
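Review bot: `protocol: ${_param:cluster_internal_protocol}` is used in a single-node class, while cinder/control/single.yml and glance/control/single.yml on this page read `${_param:internal_protocol}`. The nova single classes do use the cluster name, so the repository is already mixed. If this class is ever included without the cluster parameters, the interpolation would presumably fail. Please confirm which parameter is guaranteed to be defined here and, if it is the single one, use `protocol: ${_param:internal_protocol}`. ironic/conductor/single.yml adds the same line.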
diff --git a/ironic/conductor/cluster.yml b/ironic/conductor/cluster.yml
index eb0b38f..4429410 100644
--- a/ironic/conductor/cluster.yml
+++ b/ironic/conductor/cluster.yml
@@ -3,6 +3,8 @@
 - system.salt.minion.cert.rabbitmq.clients.openstack.ironic
 - service.ironic.conductor.cluster
 parameters:
+  _param:
+    ironic_conductor_api_url_protocol: 'http'
   linux:
     system:
       package:
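Review bot: `ironic_conductor_api_url_protocol: 'http'` has no comment explaining when it must change, and its default keeps the conductor's `api_url` on plaintext HTTP. That is the URL handed to the deploy ramdisk for its callbacks to the Ironic API, so it matters on a shared provisioning network. I would document it in place, e.g. `# Protocol the deploy ramdisk uses to reach the Ironic API; set to 'https' when the baremetal VIP terminates TLS`. No matching `api_url` change appears in the ironic/conductor/single.yml hunks of this diff, so the single class may still need the same parameter.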
@@ -11,8 +13,9 @@
           version: latest
   ironic:
     conductor:
-      api_url: 'http://${_param:cluster_baremetal_vip_address}:6385'
+      api_url: '${_param:ironic_conductor_api_url_protocol}://${_param:cluster_baremetal_vip_address}:6385'
       database:
+        user: ${_param:mysql_ironic_username}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
           ca_file: ${_param:mysql_ironic_ssl_ca_file}
@@ -40,3 +43,15 @@
           secret_key: ${_param:ironic_memcache_secret_key}
       identity:
         region: ${_param:openstack_region}
+        protocol: ${_param:cluster_internal_protocol}
+        user: ${_param:keystone_ironic_username}
+      automated_clean: true
+      erase_devices_priority: 0
+      erase_devices_metadata_priority: 1
+      console:
+        enabled: ${_param:ironic_console_enabled}
+      enabled_console_interfaces:
+        - ipmitool-shellinabox
+        - ipmitool-socat
+        - no-console
+      pxe_append_params: 'nofb nomodeset vga=normal ipa-insecure=1'
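Review bot: `pxe_append_params` now carries `ipa-insecure=1`, which turns off TLS certificate verification in the deploy agent, so the ramdisk cannot authenticate the API it reports to even after `api_url` is switched to https. The same block sets `erase_devices_priority: 0`, which disables the full-disk erase step and leaves only the metadata wipe (`erase_devices_metadata_priority: 1`), so previous disk contents survive automated cleaning. Both are defensible defaults for a lab but should be explicit. I would move the kernel arguments into a `_param` and add comments such as `# ipa-insecure=1 disables certificate verification in the agent; remove once the ramdisk trusts the API CA` and `# priority 0 skips full device erase; only partition metadata is wiped between deployments`. The identical lines are added in ironic/conductor/single.yml.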
diff --git a/ironic/conductor/single.yml b/ironic/conductor/single.yml
index 36d92be..46a06b9 100644
--- a/ironic/conductor/single.yml
+++ b/ironic/conductor/single.yml
@@ -14,6 +14,7 @@
       enabled: true
       version: ${_param:ironic_version}
       database:
+        user: ${_param:mysql_ironic_username}
         x509:
           enabled: ${_param:openstack_mysql_x509_enabled}
           ca_file: ${_param:mysql_ironic_ssl_ca_file}
@@ -37,3 +38,15 @@
           secret_key: ${_param:ironic_memcache_secret_key}
       identity:
         region: ${_param:openstack_region}
+        protocol: ${_param:cluster_internal_protocol}
+        user: ${_param:keystone_ironic_username}
+      automated_clean: true
+      erase_devices_priority: 0
+      erase_devices_metadata_priority: 1
+      console:
+        enabled: ${_param:ironic_console_enabled}
+      enabled_console_interfaces:
+        - ipmitool-shellinabox
+        - ipmitool-socat
+        - no-console
+      pxe_append_params: 'nofb nomodeset vga=normal ipa-insecure=1'
diff --git a/jenkins/client/job/deploy/openstack.yml b/jenkins/client/job/deploy/openstack.yml
index 3734741..8b82037 100644
--- a/jenkins/client/job/deploy/openstack.yml
+++ b/jenkins/client/job/deploy/openstack.yml
@@ -25,6 +25,10 @@
               type: string
               default: "core,kvm,openstack,stacklight"
               description: "Components to be installed. Valid values are 'core,kvm,k8s,openstack,contrail,ovs,ceph,oss,cicd,stacklight,sl-legacy,finalize'. For all deployments it's recommended to run 'finalize' as a final step as Salt highstate on all nodes will be run."
+            BATCH_SIZE:
+              type: string
+              default: ''
+              description: 'Use batching for states, which targeted for large amount of nodes. Can be Integer or Percentage, e.g 20 or 20%'
             # salt master
             SALT_MASTER_CREDENTIALS:
               type: string
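Review bot: `BATCH_SIZE` is a free-form string with an empty default, and its description does not say what the empty value means. No format check is visible in these job definitions. Since the value is presumably passed on to Salt by the pipeline, the pipeline should reject anything that is not an integer or a percentage. I would also tighten the text to `description: 'Batch size for Salt states that target a large number of nodes. Integer or percentage, e.g. 20 or 20%. Leave empty to run without batching.'`, if empty does indeed disable batching. The same parameter text is repeated in the second hunk of this file, in deploy/update/package.yml and as a comment in upgrade_mcp_release.yml.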
@@ -64,3 +68,7 @@
               type: string
               default: ""
               description: "Salt compound target to match nodes to be updated [*, G@osfamily:debian]."
+            BATCH_SIZE:
+              type: string
+              default: ''
+              description: 'Use batching for states, which targeted for large amount of nodes. Can be Integer or Percentage, e.g 20 or 20%'
diff --git a/jenkins/client/job/deploy/update/package.yml b/jenkins/client/job/deploy/update/package.yml
index 7444bcc..befd7ab 100644
--- a/jenkins/client/job/deploy/update/package.yml
+++ b/jenkins/client/job/deploy/update/package.yml
@@ -31,6 +31,10 @@
               type: string
               default: "*"
               description: Salt compound target to match nodes to be updated [*, G@osfamily:debian].
+            BATCH_SIZE:
+              type: string
+              default: ''
+              description: 'Use batching for states, which targeted for large amount of nodes. Can be Integer or Percentage, e.g 20 or 20%'
             TARGET_PACKAGES:
               type: string
               description: Space delimited list of packages to be updated, empty string means updating all packages to the latest version e.g. [package1=version package2=version] or [package1 package2].
diff --git a/jenkins/client/job/deploy/update/upgrade_mcp_release.yml b/jenkins/client/job/deploy/update/upgrade_mcp_release.yml
index 091d169..2019945 100644
--- a/jenkins/client/job/deploy/update/upgrade_mcp_release.yml
+++ b/jenkins/client/job/deploy/update/upgrade_mcp_release.yml
@@ -43,13 +43,15 @@
                 ---
                 SALT_MASTER_URL: "${_param:jenkins_salt_api_url}"
                 SALT_MASTER_CREDENTIALS: "salt"
+                # Use batching for states, which targeted for large amount of nodes. Can be Integer or Percentage, e.g 20 or 20%
+                BATCH_SIZE: ''
                 # Replace `mcp_version` parameter to TARGET_MCP_VERSION in cluster level Reclass model?
                 UPDATE_CLUSTER_MODEL: true
                 # Upgrade SaltStack packages
                 UPGRADE_SALTSTACK: true
                 # Mirror pipelines from upstream/local mirror to Gerrit
                 UPDATE_PIPELINES: true
-                # se only when local repositories are present
+                # Use only when local repositories are present
                 UPDATE_LOCAL_REPOS: false
                 # Next parameters added only for test purposes and not enabled by default
                 # RECLASS_SYSTEM_BRANCH: ''
diff --git a/jenkins/client/job/validate.yml b/jenkins/client/job/validate.yml
index ec79239..0fff778 100644
--- a/jenkins/client/job/validate.yml
+++ b/jenkins/client/job/validate.yml
@@ -6,8 +6,7 @@
           enabled: true
           type: ListView
           include_regex: "validate.*"
-      CVP:
-        cvp:
+        CVP:
           enabled: true
           type: ListView
           include_regex: "cvp.*"
diff --git a/keystone/server/notification/messagingv2.yml b/keystone/server/notification/messagingv2.yml
index 2cc7e64..0bddb91 100644
--- a/keystone/server/notification/messagingv2.yml
+++ b/keystone/server/notification/messagingv2.yml
@@ -1,6 +1,8 @@
 parameters:
+  _param:
+    keystone_notification_topics: "${_param:openstack_notification_topics}"
   keystone:
     server:
       notification:
         driver: messagingv2
-        topics: "${_param:openstack_notification_topics}"
+        topics: "${_param:keystone_notification_topics}"
diff --git a/neutron/gateway/cluster.yml b/neutron/gateway/cluster.yml
index 2a4f4f4..58aaab8 100644
--- a/neutron/gateway/cluster.yml
+++ b/neutron/gateway/cluster.yml
@@ -11,6 +11,7 @@
       kernel:
         sysctl:
           fs.inotify.max_user_instances: 4096
+          fs.file-max: 400000
   neutron:
     gateway:
       dvr: ${_param:neutron_gateway_dvr}
diff --git a/nginx/server/proxy/ceph_radosgw.yml b/nginx/server/proxy/ceph_radosgw.yml
index c69ec3a..8207bda 100644
--- a/nginx/server/proxy/ceph_radosgw.yml
+++ b/nginx/server/proxy/ceph_radosgw.yml
@@ -12,7 +12,16 @@
           enabled: true
           type: nginx_proxy
           name: ceph_radosgw
+          proxy_set_header:
+            Host:
+              enabled: true
+              value: "$host"
+            X-Forwarded-For:
+              enabled: true
+              value: "$remote_addr"
           proxy:
+            size: 10240m
+            buffer_size: 10240m
             host: ${_param:nginx_proxy_radosgw_service_host}
             port: ${_param:nginx_proxy_radosgw_service_port}
             protocol: http
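Review bot: `buffer_size: 10240m` looks risky if the nginx formula renders it as `client_body_buffer_size` (the template is not visible here). In that case nginx may hold up to 10 GB of a request body in memory per connection, so a handful of large uploads could exhaust memory on the proxy node. Raising `size: 10240m` alone is enough to allow large objects, as bodies above the buffer are spooled to disk. I would drop the `buffer_size` line so the formula default applies, or set it to a small value. The `proxy` mapping continues past the end of this hunk.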
diff --git a/nova/compute/cluster.yml b/nova/compute/cluster.yml
index 1fdb3bd..3154a37 100644
--- a/nova/compute/cluster.yml
+++ b/nova/compute/cluster.yml
@@ -42,6 +42,8 @@
         password: ${_param:keystone_nova_password}
         tenant: service
         protocol: ${_param:cluster_internal_protocol}
+        service_token_roles: admin
+        service_token_roles_required: true
       service_user:
         enabled: ${_param:nova_service_user_enabled}
       barbican:
diff --git a/nova/compute/single.yml b/nova/compute/single.yml
index 2c47148..a6126ef 100644
--- a/nova/compute/single.yml
+++ b/nova/compute/single.yml
@@ -41,6 +41,8 @@
         tenant: service
         protocol: ${_param:cluster_internal_protocol}
         region: ${_param:openstack_region}
+        service_token_roles: admin
+        service_token_roles_required: true
       barbican:
         enabled: ${_param:barbican_integration_enabled}
       service_user:
diff --git a/nova/control/cluster.yml b/nova/control/cluster.yml
index 325c6a5..7541d28 100644
--- a/nova/control/cluster.yml
+++ b/nova/control/cluster.yml
@@ -61,6 +61,8 @@
         password: ${_param:keystone_nova_password}
         tenant: service
         protocol: ${_param:cluster_internal_protocol}
+        service_token_roles: admin
+        service_token_roles_required: true
       service_user:
         enabled: ${_param:nova_service_user_enabled}
       barbican:
diff --git a/nova/control/single.yml b/nova/control/single.yml
index 11a0f53..e964f76 100644
--- a/nova/control/single.yml
+++ b/nova/control/single.yml
@@ -25,6 +25,8 @@
       identity:
         protocol: ${_param:cluster_internal_protocol}
         region: ${_param:openstack_region}
+        service_token_roles: admin
+        service_token_roles_required: true
       service_user:
         enabled: ${_param:nova_service_user_enabled}
       network:
diff --git a/opencontrail/common/init.yml b/opencontrail/common/init.yml
new file mode 100644
index 0000000..e24a9c3
--- /dev/null
+++ b/opencontrail/common/init.yml
@@ -0,0 +1,10 @@
+parameters:
+  linux:
+    system:
+      kernel:
+        sysctl:
+          net.ipv4.tcp_keepalive_intvl: 1
+          net.ipv4.tcp_keepalive_time: 5
+          net.ipv4.tcp_keepalive_probes: 5
+          net.nf_conntrack_max: 256000
+          fs.file-max: 124165
\ No newline at end of file
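Review bot: `fs.file-max: 124165` is a fixed system-wide cap with no comment on how it was derived. On hosts with more memory it may be lower than the value the kernel computes by default, and it disagrees with `fs.file-max: 400000` added in neutron/gateway/cluster.yml, so a node that includes both classes gets whichever merges last. The keepalive values (`tcp_keepalive_time: 5`, `tcp_keepalive_intvl: 1`) also apply to every TCP socket on the node, not only Contrail's. I would add a line such as `# Sized for Contrail control nodes; must not be lower than the kernel default on the target hardware`, or expose the limit as a `_param`. The new file also ends without a trailing newline, as does reclass/storage/system/cicd_control_cluster.yml.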
diff --git a/reclass/storage/system/cicd_control_cluster.yml b/reclass/storage/system/cicd_control_cluster.yml
index 34f0de1..94687ef 100644
--- a/reclass/storage/system/cicd_control_cluster.yml
+++ b/reclass/storage/system/cicd_control_cluster.yml
@@ -19,6 +19,7 @@
             keepalived_vip_priority: 103
             cicd_database_id: 1
             glusterfs_node_role: primary
+            drivetrain_role: cicd
         cicd_control_node02:
           name: ${_param:cicd_control_node02_hostname}
           domain: ${_param:cluster_domain}
@@ -31,6 +32,7 @@
             keepalived_vip_priority: 102
             cicd_database_id: 2
             glusterfs_node_role: secondary
+            drivetrain_role: cicd
         cicd_control_node03:
           name: ${_param:cicd_control_node03_hostname}
           domain: ${_param:cluster_domain}
@@ -43,3 +45,4 @@
             keepalived_vip_priority: 101
             cicd_database_id: 3
             glusterfs_node_role: secondary
+            drivetrain_role: cicd
\ No newline at end of file