Enable and use salt_api proxy by default
* Use nginx as proxy
* Misc: define defaults for
salt_master_host
infra_config_address
reclass_config_master
jenkins_salt_api_url
* Pass certs dir for jenkins docker slaves
Related: PROD-27641(PROD:27641)
Related: PROD-30528(PROD:30528)
Change-Id: I5fac90101131a8d8d4fa7857982f18c855e0771c
diff --git a/defaults/init.yml b/defaults/init.yml
index bcee4bf..c90c404 100644
--- a/defaults/init.yml
+++ b/defaults/init.yml
@@ -11,6 +11,7 @@
- system.defaults.backupninja
- system.defaults.git
- system.defaults.glusterfs
+- system.defaults.nginx
- system.defaults.jenkins
- system.defaults.maas
- system.defaults.opencontrail
@@ -55,3 +56,6 @@
# Cloudwatch api removed from Queens
openstack_heat_cloudwatch_api_enabled: True
+ salt_master_host: '127.0.0.1'
+ infra_config_address: '127.0.0.1'
+ reclass_config_master: '127.0.0.1'
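Review bot: The three loopback defaults added here make the derived `jenkins_salt_api_url` in defaults/jenkins.yml resolve to `https://127.0.0.1:8969`, which only works when the Jenkins process shares the master's network namespace; from the dockerised slaves in docker/swarm/stack/jenkins it would presumably hit the container's own loopback unless they run with host networking. Nothing on the page marks these as placeholders, so a model that forgets to override them fails at connect time rather than at render time. Suggest a comment above `salt_master_host`, e.g. `# Placeholders: every cluster model must override these with the real master address`. The enclosing `_param` mapping starts before this hunk.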
diff --git a/defaults/jenkins.yml b/defaults/jenkins.yml
index 36bcbfb..d01bf4e 100644
--- a/defaults/jenkins.yml
+++ b/defaults/jenkins.yml
@@ -3,3 +3,4 @@
jenkins_master_port: 8081
jenkins_master_protocol: http
jenkins_pipelines_branch: "master"
+ jenkins_salt_api_url: "https://${_param:salt_master_host}:${_param:nginx_proxy_salt_api_site_port}"
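Review bot: The scheme is hard-coded as `https` while the proxy site's scheme is a parameter (`nginx_proxy_salt_api_site_protocol` in defaults/nginx.yml), so overriding that parameter would leave this URL pointing at the wrong scheme. Derive both parts from the nginx defaults: `jenkins_salt_api_url: "${_param:nginx_proxy_salt_api_site_protocol}://${_param:salt_master_host}:${_param:nginx_proxy_salt_api_site_port}"`. This also makes the defaults/jenkins.yml file depend on `system.defaults.nginx` being included, which this commit does in defaults/init.yml but is worth a one-line comment here.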
diff --git a/defaults/nginx.yml b/defaults/nginx.yml
new file mode 100644
index 0000000..dd47452
--- /dev/null
+++ b/defaults/nginx.yml
@@ -0,0 +1,5 @@
+parameters:
+ _param:
+ nginx_proxy_salt_api_proxy_protocol: 'http'
+ nginx_proxy_salt_api_site_port: 8969
+ nginx_proxy_salt_api_site_protocol: 'https'
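Review bot: The upstream leg defaults to plaintext `'http'` here, and together with `salt_master_api_bind_address: 0.0.0.0` in defaults/salt/init.yml (consumed by the bind hunk in salt/master/api.yml) the unencrypted salt-api on port 6969 stays reachable on every interface next to the new TLS site on 8969, so the proxy adds a listener rather than replacing one. If the nginx site is intended to be the only entry point, consider defaulting the bind address to the loopback and pointing the proxy `host` in nginx/server/proxy/salt_api.yml at that same address, or document that 6969 must be firewalled. At minimum a comment on this line, e.g. `# plain-HTTP leg between nginx and salt-api; keep salt-api unreachable except through the proxy`, would record the assumption.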
diff --git a/defaults/salt/init.yml b/defaults/salt/init.yml
index feb27d7..d915fbe 100644
--- a/defaults/salt/init.yml
+++ b/defaults/salt/init.yml
@@ -56,3 +56,4 @@
- '@jobs' # to allow access to the jobs runner and/or wheel mo
salt_minion_ca_authority: salt_master_ca
+ salt_master_api_bind_address: 0.0.0.0
diff --git a/docker/swarm/stack/jenkins/slave01.yml b/docker/swarm/stack/jenkins/slave01.yml
index 4791fe3..73e8140 100644
--- a/docker/swarm/stack/jenkins/slave01.yml
+++ b/docker/swarm/stack/jenkins/slave01.yml
@@ -27,7 +27,7 @@
- "node.hostname == ${_param:jenkins_slave01_node_name}"
image: ${_param:docker_image_jenkins_slave}
volumes:
- - /etc/ssl/certs/java/cacerts:/etc/ssl/certs/java/cacerts:ro
+ - /etc/ssl/certs/:/etc/ssl/certs/:ro
- /dev/urandom:/dev/random:ro
- /var/run/docker.sock:/var/run/docker.sock
- /usr/bin/docker:/usr/bin/docker:ro
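Review bot: Mounting the whole host `/etc/ssl/certs/` (same change in the slave02 and slave03 hunks) shadows the image's own trust store with the host's, so the container trusts every CA the host does, not just the Salt CA. On Debian-style hosts the per-CA entries in that directory are symlinks into `/usr/share/ca-certificates` and `/usr/local/share/ca-certificates`, neither of which is mounted, so anything that resolves the hashed directory rather than `ca-certificates.crt` or `java/cacerts` may see dangling links inside the container; I cannot tell from the page which host layout is assumed. A comment on the volume line, e.g. `# host trust store (incl. java/cacerts) so the slave trusts the Salt CA behind the nginx proxy`, would make the intent explicit. The service definition starts and ends outside this hunk.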
diff --git a/docker/swarm/stack/jenkins/slave02.yml b/docker/swarm/stack/jenkins/slave02.yml
index 58b5a23..ee198cb 100644
--- a/docker/swarm/stack/jenkins/slave02.yml
+++ b/docker/swarm/stack/jenkins/slave02.yml
@@ -27,7 +27,7 @@
- "node.hostname == ${_param:jenkins_slave02_node_name}"
image: ${_param:docker_image_jenkins_slave}
volumes:
- - /etc/ssl/certs/java/cacerts:/etc/ssl/certs/java/cacerts:ro
+ - /etc/ssl/certs/:/etc/ssl/certs/:ro
- /dev/urandom:/dev/random:ro
- /var/run/docker.sock:/var/run/docker.sock
- /usr/bin/docker:/usr/bin/docker:ro
diff --git a/docker/swarm/stack/jenkins/slave03.yml b/docker/swarm/stack/jenkins/slave03.yml
index cc2acbd..b04ea2a 100644
--- a/docker/swarm/stack/jenkins/slave03.yml
+++ b/docker/swarm/stack/jenkins/slave03.yml
@@ -27,7 +27,7 @@
- "node.hostname == ${_param:jenkins_slave03_node_name}"
image: ${_param:docker_image_jenkins_slave}
volumes:
- - /etc/ssl/certs/java/cacerts:/etc/ssl/certs/java/cacerts:ro
+ - /etc/ssl/certs/:/etc/ssl/certs/:ro
- /dev/urandom:/dev/random:ro
- /var/run/docker.sock:/var/run/docker.sock
- /usr/bin/docker:/usr/bin/docker:ro
diff --git a/jenkins/client/job/deploy/galera_verify_restore.yml b/jenkins/client/job/deploy/galera_verify_restore.yml
index 492d76f..73e312a 100644
--- a/jenkins/client/job/deploy/galera_verify_restore.yml
+++ b/jenkins/client/job/deploy/galera_verify_restore.yml
@@ -1,6 +1,4 @@
parameters:
- _param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins:
client:
job:
diff --git a/jenkins/client/job/deploy/openstack.yml b/jenkins/client/job/deploy/openstack.yml
index d18ccae..107b932 100644
--- a/jenkins/client/job/deploy/openstack.yml
+++ b/jenkins/client/job/deploy/openstack.yml
@@ -1,6 +1,4 @@
parameters:
- _param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins:
client:
job:
diff --git a/jenkins/client/job/deploy/try_mcp.yml b/jenkins/client/job/deploy/try_mcp.yml
index 9c161ff..3ad2878 100644
--- a/jenkins/client/job/deploy/try_mcp.yml
+++ b/jenkins/client/job/deploy/try_mcp.yml
@@ -1,6 +1,4 @@
parameters:
- _param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins:
client:
job:
diff --git a/jenkins/client/job/deploy/update/cloud_update.yml b/jenkins/client/job/deploy/update/cloud_update.yml
index aef20ce..f3fe8ef 100644
--- a/jenkins/client/job/deploy/update/cloud_update.yml
+++ b/jenkins/client/job/deploy/update/cloud_update.yml
@@ -2,8 +2,6 @@
# Jobs to update cloud packages on given Salt master environment
#
parameters:
- _param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins:
client:
job:
diff --git a/jenkins/client/job/deploy/update/config.yml b/jenkins/client/job/deploy/update/config.yml
index 47ec321..5eafd70 100644
--- a/jenkins/client/job/deploy/update/config.yml
+++ b/jenkins/client/job/deploy/update/config.yml
@@ -2,8 +2,6 @@
# Jobs to run given states on given Salt master environment's
#
parameters:
- _param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins:
client:
job:
diff --git a/jenkins/client/job/deploy/update/kubernetes_update.yml b/jenkins/client/job/deploy/update/kubernetes_update.yml
index 454d92b..ee77583 100644
--- a/jenkins/client/job/deploy/update/kubernetes_update.yml
+++ b/jenkins/client/job/deploy/update/kubernetes_update.yml
@@ -2,8 +2,6 @@
# Jobs to update cloud packages on given Salt master environment
#
parameters:
- _param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins:
client:
job:
diff --git a/jenkins/client/job/deploy/update/package.yml b/jenkins/client/job/deploy/update/package.yml
index acf1f62..65a4ac3 100644
--- a/jenkins/client/job/deploy/update/package.yml
+++ b/jenkins/client/job/deploy/update/package.yml
@@ -2,8 +2,6 @@
# Jobs to update packages on given Salt master environment
#
parameters:
- _param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins:
client:
job:
diff --git a/jenkins/client/job/deploy/update/reclass_update_check.yml b/jenkins/client/job/deploy/update/reclass_update_check.yml
index cec8d79..dd279b3 100644
--- a/jenkins/client/job/deploy/update/reclass_update_check.yml
+++ b/jenkins/client/job/deploy/update/reclass_update_check.yml
@@ -2,8 +2,6 @@
# Jobs to to check new Reclass package version compatibility with model
#
parameters:
- _param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins:
client:
job:
diff --git a/jenkins/client/job/deploy/update/restore_cassandra.yml b/jenkins/client/job/deploy/update/restore_cassandra.yml
index 34179af..8b18eb1 100644
--- a/jenkins/client/job/deploy/update/restore_cassandra.yml
+++ b/jenkins/client/job/deploy/update/restore_cassandra.yml
@@ -2,8 +2,6 @@
# Jobs to update packages on given Salt master environment
#
parameters:
- _param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins:
client:
job:
diff --git a/jenkins/client/job/deploy/update/restore_zookeeper.yml b/jenkins/client/job/deploy/update/restore_zookeeper.yml
index ebb57f7..3d0dc05 100644
--- a/jenkins/client/job/deploy/update/restore_zookeeper.yml
+++ b/jenkins/client/job/deploy/update/restore_zookeeper.yml
@@ -2,8 +2,6 @@
# Jobs to update packages on given Salt master environment
#
parameters:
- _param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins:
client:
job:
diff --git a/jenkins/client/job/deploy/update/saltenv.yml b/jenkins/client/job/deploy/update/saltenv.yml
index 734a4e5..f2b38d2 100644
--- a/jenkins/client/job/deploy/update/saltenv.yml
+++ b/jenkins/client/job/deploy/update/saltenv.yml
@@ -3,7 +3,6 @@
#
parameters:
_param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins_salt_model_name: "salt"
jenkins_salt_model_branch: "master"
jenkins:
diff --git a/jenkins/client/job/deploy/update/update_ceph.yml b/jenkins/client/job/deploy/update/update_ceph.yml
index dd8bf58..4b7603b 100644
--- a/jenkins/client/job/deploy/update/update_ceph.yml
+++ b/jenkins/client/job/deploy/update/update_ceph.yml
@@ -2,8 +2,6 @@
# Jobs to run given states on given Salt master environment's
#
parameters:
- _param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins:
client:
job:
diff --git a/jenkins/client/job/deploy/update/update_mirror_image.yml b/jenkins/client/job/deploy/update/update_mirror_image.yml
index 73fd434..96e905c 100644
--- a/jenkins/client/job/deploy/update/update_mirror_image.yml
+++ b/jenkins/client/job/deploy/update/update_mirror_image.yml
@@ -2,8 +2,6 @@
# Jobs to update Salt master environment (formulas and models)
#
parameters:
- _param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins:
client:
job:
@@ -67,4 +65,4 @@
default: 'true'
UPDATE_FILES:
type: boolean
- default: 'true'
\ No newline at end of file
+ default: 'true'
diff --git a/jenkins/client/job/deploy/update/update_opencontrail4.yml b/jenkins/client/job/deploy/update/update_opencontrail4.yml
index 72ea870..e89d622 100644
--- a/jenkins/client/job/deploy/update/update_opencontrail4.yml
+++ b/jenkins/client/job/deploy/update/update_opencontrail4.yml
@@ -2,8 +2,6 @@
# Jobs to update packages on given Salt master environment
#
parameters:
- _param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins:
client:
job:
diff --git a/jenkins/client/job/deploy/update/upgrade.yml b/jenkins/client/job/deploy/update/upgrade.yml
index f4f5630..e3b60e1 100644
--- a/jenkins/client/job/deploy/update/upgrade.yml
+++ b/jenkins/client/job/deploy/update/upgrade.yml
@@ -2,8 +2,6 @@
# Jobs to update packages on given Salt master environment
#
parameters:
- _param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins:
client:
job:
diff --git a/jenkins/client/job/deploy/update/upgrade_compute.yml b/jenkins/client/job/deploy/update/upgrade_compute.yml
index b4628fa..ed5a222 100644
--- a/jenkins/client/job/deploy/update/upgrade_compute.yml
+++ b/jenkins/client/job/deploy/update/upgrade_compute.yml
@@ -2,8 +2,6 @@
# Jobs to update packages on given Salt master environment
#
parameters:
- _param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins:
client:
job:
diff --git a/jenkins/client/job/deploy/update/upgrade_mcp_release.yml b/jenkins/client/job/deploy/update/upgrade_mcp_release.yml
index a4821f9..9d46def 100644
--- a/jenkins/client/job/deploy/update/upgrade_mcp_release.yml
+++ b/jenkins/client/job/deploy/update/upgrade_mcp_release.yml
@@ -2,8 +2,6 @@
# Jobs to upgrade MCP release
#
parameters:
- _param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins:
client:
job:
diff --git a/jenkins/client/job/deploy/update/upgrade_opencontrail.yml b/jenkins/client/job/deploy/update/upgrade_opencontrail.yml
index 0b0d945..64c3aff 100644
--- a/jenkins/client/job/deploy/update/upgrade_opencontrail.yml
+++ b/jenkins/client/job/deploy/update/upgrade_opencontrail.yml
@@ -2,8 +2,6 @@
# Jobs to update packages on given Salt master environment
#
parameters:
- _param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins:
client:
job:
diff --git a/jenkins/client/job/deploy/update/upgrade_opencontrail4_0.yml b/jenkins/client/job/deploy/update/upgrade_opencontrail4_0.yml
index c1f448c..2d7ed69 100644
--- a/jenkins/client/job/deploy/update/upgrade_opencontrail4_0.yml
+++ b/jenkins/client/job/deploy/update/upgrade_opencontrail4_0.yml
@@ -2,8 +2,6 @@
# Jobs to update packages on given Salt master environment
#
parameters:
- _param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins:
client:
job:
diff --git a/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml b/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
index 76bf436..9d31352 100644
--- a/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
+++ b/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
@@ -2,8 +2,6 @@
# Jobs to update packages on given Salt master environment
#
parameters:
- _param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins:
client:
job:
diff --git a/jenkins/client/job/deploy/update/upgrade_stacklight.yml b/jenkins/client/job/deploy/update/upgrade_stacklight.yml
index d7279a6..578fd28 100644
--- a/jenkins/client/job/deploy/update/upgrade_stacklight.yml
+++ b/jenkins/client/job/deploy/update/upgrade_stacklight.yml
@@ -2,8 +2,6 @@
# Jobs to process Stacklight update
#
parameters:
- _param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins:
client:
job:
diff --git a/jenkins/client/job/deploy/update/virt_snapshot.yml b/jenkins/client/job/deploy/update/virt_snapshot.yml
index 418f0d3..feada8a 100644
--- a/jenkins/client/job/deploy/update/virt_snapshot.yml
+++ b/jenkins/client/job/deploy/update/virt_snapshot.yml
@@ -2,8 +2,6 @@
# Job to manage libvirt live snapshots
#
parameters:
- _param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins:
client:
job:
diff --git a/jenkins/client/job/validate.yml b/jenkins/client/job/validate.yml
index 90e135f..7dcdc63 100644
--- a/jenkins/client/job/validate.yml
+++ b/jenkins/client/job/validate.yml
@@ -1,6 +1,4 @@
parameters:
- _param:
- jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
jenkins:
client:
view:
diff --git a/nginx/server/proxy/salt_api.yml b/nginx/server/proxy/salt_api.yml
new file mode 100644
index 0000000..f559ef4
--- /dev/null
+++ b/nginx/server/proxy/salt_api.yml
@@ -0,0 +1,28 @@
+parameters:
+ _param:
+ nginx_proxy_salt_api_proxy_port: ${_param:salt_master_api_port}
+ nginx_proxy_ssl:
+ enabled: true
+ authority: ${_param:salt_minion_ca_authority}
+ engine: salt
+ key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}.key
+ cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}.crt
+ all_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}-chain-with-key.pem
+ ca_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}-ca.pem
+ nginx:
+ server:
+ enabled: true
+ site:
+ nginx_proxy_salt_api:
+ enabled: true
+ type: nginx_proxy
+ name: salt_api
+ proxy:
+ host: ${_param:infra_config_hostname}.${_param:cluster_domain}
+ port: ${_param:nginx_proxy_salt_api_proxy_port}
+ protocol: ${_param:nginx_proxy_salt_api_proxy_protocol}
+ host:
+ name: ${_param:infra_config_hostname}.${_param:cluster_domain}
+ port: ${_param:nginx_proxy_salt_api_site_port}
+ protocol: ${_param:nginx_proxy_salt_api_site_protocol}
+ ssl: ${_param:nginx_proxy_ssl}
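Review bot: The four certificate paths under `nginx_proxy_ssl` repeat verbatim the `key_file`/`cert_file`/`all_file`/`ca_file` values this commit adds to salt/minion/cert/salt_api.yml, so the two files can drift when the PKI layout changes. Since the site already depends on that cert definition (it reads `${salt:minion:cert:salt_api:common_name}`), reference the paths instead of restating them, e.g. `key_file: ${salt:minion:cert:salt_api:key_file}` and likewise for the other three. A header comment naming the required classes (`system.salt.minion.cert.salt_api`, `system.nginx.server.proxy.ssl`) would also help, since this file is not self-contained.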
diff --git a/salt/master/api.yml b/salt/master/api.yml
index b5ede2f..4ed3112 100644
--- a/salt/master/api.yml
+++ b/salt/master/api.yml
@@ -1,3 +1,9 @@
+classes:
+# Enabled ssl api by default
+- system.salt.minion.cert.salt_api
+- system.nginx.server.single
+- system.nginx.server.proxy.ssl
+- system.nginx.server.proxy.salt_api
parameters:
_param:
salt_master_api_port: 6969
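Review bot: The comment `# Enabled ssl api by default` understates the change: including `system.salt.master.api` now also pulls in a full nginx server (`system.nginx.server.single`) plus a site, which reclass will deep-merge with any `nginx:server` tree a model already defines for the master. Suggest `# Enable the TLS proxy (nginx) in front of salt-api by default; override nginx_proxy_salt_api_* or salt_master_api_bind_address in the cluster model to change the listeners`. The `classes` list here is new, so models that relied on this class being nginx-free are affected.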
@@ -11,7 +17,7 @@
api:
enabled: true
bind:
- address: 0.0.0.0
+ address: ${_param:salt_master_api_bind_address}
port: ${_param:salt_master_api_port}
master:
command_timeout: 600
diff --git a/salt/minion/cert/salt_api.yml b/salt/minion/cert/salt_api.yml
index acd9bba..71441b1 100644
--- a/salt/minion/cert/salt_api.yml
+++ b/salt/minion/cert/salt_api.yml
@@ -3,9 +3,20 @@
minion:
cert:
salt_api:
+ common_name: salt_api
host: ${_param:salt_minion_ca_host}
authority: ${_param:salt_minion_ca_authority}
- common_name: salt_api
+ key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}.key
+ cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}.crt
+ all_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}-chain-with-key.pem
+ ca_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}-ca.pem
signing_policy: cert_server
- alternative_names: IP:${_param:salt_master_host},IP:127.0.0.1,DNS:${_param:infra_config_hostname}.${_param:cluster_domain}
+ alternative_names: >
+ IP:${_param:salt_master_host},
+ IP:127.0.0.1,
+ IP:${_param:infra_config_address},
+ DNS:${_param:salt_master_host},
+ DNS:127.0.0.1,
+ DNS:${_param:infra_config_address},
+ DNS:${_param:infra_config_hostname}.${_param:cluster_domain}
mode: '0644'
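Review bot: The folded scalar `>` for `alternative_names` keeps a trailing newline and inserts a space after every comma, so the value handed to the x509 module is `IP:…, IP:127.0.0.1, … DNS:…\n` where the old single-line value had neither; use `alternative_names: >-` to drop the newline, and confirm the module tolerates the spaces. The new `DNS:` entries carrying IP literals (`DNS:${_param:salt_master_host}`, `DNS:127.0.0.1`, `DNS:${_param:infra_config_address}`) are not valid dNSName values per RFC 5280 and are presumably there for clients that match IPs against dNSName; a comment such as `# DNS entries with IP literals are for clients that do not check iPAddress SANs` would record that. The cert definition starts before this hunk.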