Merge "Implement X.509 auth for MySQL and Manila"
diff --git a/galera/server/database/ssl/panko.yml b/galera/server/database/ssl/panko.yml
new file mode 100644
index 0000000..ce1c504
--- /dev/null
+++ b/galera/server/database/ssl/panko.yml
@@ -0,0 +1,4 @@
+parameters:
+ _param:
+ mysql_panko_ssl_option:
+ - SSL: True
\ No newline at end of file
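Review bot: This file and galera/server/database/x509/panko.yml both define `mysql_panko_ssl_option`, and nothing here says they are alternatives. The `SSL` entry presumably produces only an encryption requirement for the panko database user, with no client-certificate check, so which of the two classes a model includes decides whether X.509 authentication is actually enforced. A header comment would make that explicit, for example `# Encryption only, no client-certificate check; include the x509/panko.yml class to require X.509.` As a style point, `True` is better written as `true`, and the file is missing its trailing newline.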
diff --git a/galera/server/database/x509/panko.yml b/galera/server/database/x509/panko.yml
new file mode 100644
index 0000000..15c37bf
--- /dev/null
+++ b/galera/server/database/x509/panko.yml
@@ -0,0 +1,7 @@
+parameters:
+ _param:
+ mysql_panko_client_ssl_x509_subject: '/C=cz/CN=mysql-panko-client/L=Prague/O=Mirantis'
+ mysql_panko_client_ssl_x509_issuer: '/C=cz/CN=Salt Master CA/L=Prague/O=Mirantis'
+ mysql_panko_ssl_option:
+ - SUBJECT: ${_param:mysql_panko_client_ssl_x509_subject}
+ - ISSUER: ${_param:mysql_panko_client_ssl_x509_issuer}
\ No newline at end of file
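Review bot: The `SUBJECT` and `ISSUER` values are fixed to one organisation's DN (`/C=cz/.../L=Prague/O=Mirantis`, CA name `Salt Master CA`), while the client certificate defined in salt/minion/cert/mysql/clients/openstack/panko.yml only sets `common_name: mysql-panko-client`. The remaining DN fields come from the CA and signing policy, which are not visible in this diff. If this list ends up in a MySQL `REQUIRE SUBJECT ... AND ISSUER ...` clause, the match is against the full DN string, so a deployment whose CA uses another name, country or organisation would fail to authenticate. I would add a comment above the two parameters, e.g. `# Must equal the issued certificate's subject/issuer DN exactly; override in the cluster model.`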
diff --git a/gnocchi/common/storage/ceph.yml b/gnocchi/common/storage/ceph.yml
new file mode 100644
index 0000000..5af2456
--- /dev/null
+++ b/gnocchi/common/storage/ceph.yml
@@ -0,0 +1,11 @@
+parameters:
+ _param:
+ gnocchi_storage_ceph_pool: gnocchi
+ gnocchi_storage_ceph_user: gnocchi
+ gnocchi_storage_driver: ceph
+ gnocchi:
+ common:
+ storage:
+ driver: ${_param:gnocchi_storage_driver}
+ ceph_pool: ${_param:gnocchi_storage_ceph_pool}
+ ceph_username: ${_param:gnocchi_storage_ceph_user}
\ No newline at end of file
diff --git a/gnocchi/common/storage/incoming/ceph.yml b/gnocchi/common/storage/incoming/ceph.yml
new file mode 100644
index 0000000..9937d29
--- /dev/null
+++ b/gnocchi/common/storage/incoming/ceph.yml
@@ -0,0 +1,12 @@
+parameters:
+ _param:
+ gnocchi_storage_incoming_ceph_pool: gnocchi_incoming
+ gnocchi_storage_incoming_ceph_user: gnocchi
+ gnocchi_storage_incoming_driver: ceph
+ gnocchi:
+ common:
+ storage:
+ incoming:
+ driver: ${_param:gnocchi_storage_incoming_driver}
+ ceph_pool: ${_param:gnocchi_storage_incoming_ceph_pool}
+ ceph_username: ${_param:gnocchi_storage_incoming_ceph_user}
\ No newline at end of file
diff --git a/jenkins/client/job/deploy/update/upgrade.yml b/jenkins/client/job/deploy/update/upgrade.yml
index 01fdf2a..f4f5630 100644
--- a/jenkins/client/job/deploy/update/upgrade.yml
+++ b/jenkins/client/job/deploy/update/upgrade.yml
@@ -29,27 +29,19 @@
SALT_MASTER_CREDENTIALS:
type: string
default: "salt"
- STAGE_TEST_UPGRADE:
- type: boolean
- default: 'true'
- description: "Test if syncdb and APIs succeed"
- STAGE_REAL_UPGRADE:
- type: boolean
- default: 'true'
- description: "Run real control upgrade"
- STAGE_ROLLBACK_UPGRADE:
- type: boolean
- default: 'true'
- description: "Rollback if control upgrade fails"
- OPERATING_SYSTEM_RELEASE_UPGRADE:
+ OS_DIST_UPGRADE:
type: boolean
default: 'false'
- description: "Set to true if operating system release upgrade is desired. For ex. from Ubuntu 14.04 currently running on ctl and prx nodes to Ubuntu 16.04"
- SKIP_VM_RELAUNCH:
+ description: "Upgrade system packages including kernel (apt-get dist-upgrade)"
+ OS_UPGRADE:
type: boolean
default: 'false'
- description: "Set to true if vms should not be recreated"
+ description: "Upgrade all installed applications (apt-get upgrade)"
INTERACTIVE:
type: boolean
default: 'true'
description: "Ask interactive questions during pipeline run (bool)"
+ TARGET_SERVERS:
+ type: string
+ default: 'ctl*'
+ description: "Salt compound expression to get control servers to upgrade."
diff --git a/jenkins/client/job/deploy/update/upgrade_compute.yml b/jenkins/client/job/deploy/update/upgrade_compute.yml
index 706863d..b4628fa 100644
--- a/jenkins/client/job/deploy/update/upgrade_compute.yml
+++ b/jenkins/client/job/deploy/update/upgrade_compute.yml
@@ -21,7 +21,7 @@
url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
branch: "${_param:jenkins_pipelines_branch}"
credentials: "gerrit"
- script: openstack-compute-upgrade.groovy
+ script: openstack-data-upgrade.groovy
param:
SALT_MASTER_URL:
type: string
@@ -29,18 +29,19 @@
SALT_MASTER_CREDENTIALS:
type: string
default: "salt"
- TARGET_SERVERS:
- type: string
- default: "cmp*"
- description: Salt compound target to match nodes to be updated [*, G@osfamily:debian].
- TARGET_SUBSET_TEST:
- type: string
- description: Number of nodes to list package updates, empty string means all targetted nodes.
- TARGET_SUBSET_LIVE:
- type: string
- default: '1'
- description: Number of selected nodes to live apply upgrade.
+ OS_DIST_UPGRADE:
+ type: boolean
+ default: 'false'
+ description: "Upgrade system packages including kernel (apt-get dist-upgrade)"
+ OS_UPGRADE:
+ type: boolean
+ default: 'false'
+ description: "Upgrade all installed applications (apt-get upgrade)"
INTERACTIVE:
type: boolean
default: 'true'
description: "Ask interactive questions during pipeline run (bool)"
+ TARGET_SERVERS:
+ type: string
+ default: 'cmp*'
+ description: "Salt compound expression to get control servers to upgrade."
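Review bot: The description on the added `TARGET_SERVERS` parameter says "control servers" although this job's default is `'cmp*'`; the text looks copied from upgrade.yml, and the same wording appears in the second hunk of upgrade_ovs_gateway.yml. Because the value selects which nodes a package upgrade runs on, a misleading description makes it easier to start the job against the wrong node set. Suggested wording: `description: "Salt compound expression matching the compute nodes to upgrade."` The `param` mapping begins outside this hunk.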
diff --git a/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml b/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
index b0c92b7..4753cea 100644
--- a/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
+++ b/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
@@ -21,7 +21,7 @@
url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
branch: "${_param:jenkins_pipelines_branch}"
credentials: "gerrit"
- script: ovs-gateway-upgrade.groovy
+ script: openstack-data-upgrade.groovy
param:
SALT_MASTER_URL:
type: string
@@ -29,18 +29,19 @@
SALT_MASTER_CREDENTIALS:
type: string
default: "salt"
- TARGET_SERVERS:
- type: string
- default: "gtw*"
- description: Salt compound target to match nodes to be updated [*, G@osfamily:debian].
- TARGET_SUBSET_TEST:
- type: string
- description: Number of nodes to list package updates, empty string means all targetted nodes.
- TARGET_SUBSET_LIVE:
- type: string
- default: '1'
- description: Number of selected nodes to live apply upgrade.
+ OS_DIST_UPGRADE:
+ type: boolean
+ default: 'false'
+ description: "Upgrade system packages including kernel (apt-get dist-upgrade)"
+ OS_UPGRADE:
+ type: boolean
+ default: 'false'
+ description: "Upgrade all installed applications (apt-get upgrade)"
INTERACTIVE:
type: boolean
default: 'true'
description: "Ask interactive questions during pipeline run (bool)"
+ TARGET_SERVERS:
+ type: string
+ default: 'ctl*'
+ description: "Salt compound expression to get control servers to upgrade."
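Review bot: The new `TARGET_SERVERS` default in this OVS gateway job is `'ctl*'`, whereas the line it replaces used `"gtw*"`. With the default left untouched the job would select control nodes rather than gateway nodes, which looks like a copy-paste from upgrade.yml. I would change it to `default: 'gtw*'`. The `param` mapping begins outside this hunk.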
diff --git a/jenkins/client/job/image/centos.yml b/jenkins/client/job/image/centos.yml
deleted file mode 100644
index 5358d92..0000000
--- a/jenkins/client/job/image/centos.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-classes:
- - system.jenkins.client.job.image
-parameters:
- _param:
- jenkins_packer_pipeline: "${_param:jenkins_gerrit_url}/mk/packer-templates"
- jenkins:
- client:
- job:
- build-image-centos-7:
- type: workflow-scm
- concurrent: false
- discard:
- build:
- keep_num: 5
- artifact:
- keep_num: 5
- scm:
- type: git
- url: "${_param:jenkins_packer_pipeline}"
- credentials: "gerrit"
- display_name: "[Images] Build Centos 7"
- param:
- BUILD_OS:
- type: string
- default: "centos-7"
- BUILD_ONLY:
- type: string
- default: "qemu"
- PACKER_DEBUG:
- type: boolean
- default: "false"
- PACKER_URL:
- type: string
- default: "https://releases.hashicorp.com/packer/0.8.6/packer_0.8.6_linux_amd64.zip"
- PACKER_ZIP:
- type: string
- default: "packer_0.8.6_linux_amd64.zip"
- PACKER_ZIP_MD5:
- type: string
- default: "4cda1c44cf666fada495dd8e01522e1c"
- PACKER_ARGS:
- type: string
- default: ""
- UPLOAD_URL:
- type: string
- default: "${_param:jenkins_packer_upload_url}"
- SKIP_UPLOAD:
- type: boolean
- default: "false"
- CLEANUP_OLD:
- type: boolean
- default: "true"
- CLEANUP_KEEP:
- type: string
- default: "3"
- GLANCE_UPLOAD:
- type: boolean
- default: "true"
- GLANCE_IMG_TYPES:
- type: string
- default: "qcow2"
- GLANCE_URL:
- type: string
- default: "https://cloud-cz.bud.mirantis.net:5000"
- GLANCE_CREDENTIALS_ID:
- type: string
- default: "openstack-devcloud-credentials"
- GLANCE_PROJECT:
- type: string
- default: "mcp-mk"
- GLANCE_ARGS:
- type: string
- default: ""
- GLANCE_PUBLIC:
- type: boolean
- default: "true"
- OPENSTACK_API_CLIENT:
- type: string
- default: ""
- IMAGE_NAME:
- type: string
- default: centos-7-x64
- EXTRA_VARIABLES:
- type: text
- default: ""
\ No newline at end of file
diff --git a/jenkins/client/job/image/debian.yml b/jenkins/client/job/image/debian.yml
deleted file mode 100644
index eef4740..0000000
--- a/jenkins/client/job/image/debian.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-classes:
- - system.jenkins.client.job.image
-parameters:
- _param:
- jenkins_packer_pipeline: "${_param:jenkins_gerrit_url}/mk/packer-templates"
- jenkins:
- client:
- job:
- build-image-debian-8:
- type: workflow-scm
- concurrent: false
- discard:
- build:
- keep_num: 5
- artifact:
- keep_num: 5
- scm:
- type: git
- url: "${_param:jenkins_packer_pipeline}"
- credentials: "gerrit"
- display_name: "[Images] Build Debian 8 image"
- param:
- BUILD_OS:
- type: string
- default: "debian-8"
- BUILD_ONLY:
- type: string
- default: "qemu"
- PACKER_DEBUG:
- type: boolean
- default: "false"
- PACKER_URL:
- type: string
- default: "https://releases.hashicorp.com/packer/0.8.6/packer_0.8.6_linux_amd64.zip"
- PACKER_ZIP:
- type: string
- default: "packer_0.8.6_linux_amd64.zip"
- PACKER_ZIP_MD5:
- type: string
- default: "4cda1c44cf666fada495dd8e01522e1c"
- PACKER_ARGS:
- type: string
- default: ""
- UPLOAD_URL:
- type: string
- default: "${_param:jenkins_packer_upload_url}"
- SKIP_UPLOAD:
- type: boolean
- default: "false"
- CLEANUP_OLD:
- type: boolean
- default: "true"
- CLEANUP_KEEP:
- type: string
- default: "3"
- GLANCE_UPLOAD:
- type: boolean
- default: "true"
- GLANCE_IMG_TYPES:
- type: string
- default: "qcow2"
- GLANCE_URL:
- type: string
- default: "https://cloud-cz.bud.mirantis.net:5000"
- GLANCE_CREDENTIALS_ID:
- type: string
- default: "openstack-devcloud-credentials"
- GLANCE_PROJECT:
- type: string
- default: "mcp-mk"
- GLANCE_ARGS:
- type: string
- default: ""
- GLANCE_PUBLIC:
- type: boolean
- default: "true"
- OPENSTACK_API_CLIENT:
- type: string
- default: ""
- IMAGE_NAME:
- type: string
- default: debian-8-x64
- EXTRA_VARIABLES:
- type: text
- default: ""
diff --git a/jenkins/client/job/image/ubuntu.yml b/jenkins/client/job/image/ubuntu.yml
deleted file mode 100644
index e4a8251..0000000
--- a/jenkins/client/job/image/ubuntu.yml
+++ /dev/null
@@ -1,166 +0,0 @@
-classes:
- - system.jenkins.client.job.image
-parameters:
- _param:
- jenkins_packer_pipeline: "${_param:jenkins_gerrit_url}/mk/packer-templates"
- jenkins:
- client:
- job:
- build-image-ubuntu-14-04:
- type: workflow-scm
- concurrent: false
- discard:
- build:
- keep_num: 5
- keep_days: 5
- artifact:
- keep_num: 6
- keep_days: 6
- scm:
- type: git
- url: "${_param:jenkins_packer_pipeline}"
- credentials: "gerrit"
- display_name: "[Images] Build Ubuntu 14.04 image"
- param:
- BUILD_OS:
- type: string
- default: "ubuntu-14.04"
- BUILD_ONLY:
- type: string
- default: "qemu"
- PACKER_DEBUG:
- type: boolean
- default: "false"
- PACKER_URL:
- type: string
- default: "https://releases.hashicorp.com/packer/0.8.6/packer_0.8.6_linux_amd64.zip"
- PACKER_ZIP:
- type: string
- default: "packer_0.8.6_linux_amd64.zip"
- PACKER_ZIP_MD5:
- type: string
- default: "4cda1c44cf666fada495dd8e01522e1c"
- PACKER_ARGS:
- type: string
- default: ""
- UPLOAD_URL:
- type: string
- default: "${_param:jenkins_packer_upload_url}"
- SKIP_UPLOAD:
- type: boolean
- default: "false"
- CLEANUP_OLD:
- type: boolean
- default: "true"
- CLEANUP_KEEP:
- type: string
- default: "3"
- GLANCE_UPLOAD:
- type: boolean
- default: "true"
- GLANCE_IMG_TYPES:
- type: string
- default: "qcow2"
- GLANCE_URL:
- type: string
- default: "https://cloud-cz.bud.mirantis.net:5000"
- GLANCE_CREDENTIALS_ID:
- type: string
- default: "openstack-devcloud-credentials"
- GLANCE_PROJECT:
- type: string
- default: "mcp-mk"
- GLANCE_ARGS:
- type: string
- default: ""
- GLANCE_PUBLIC:
- type: boolean
- default: "true"
- OPENSTACK_API_CLIENT:
- type: string
- default: ""
- IMAGE_NAME:
- type: string
- default: ubuntu-14-04-x64
- EXTRA_VARIABLES:
- type: text
- default: ""
- build-image-ubuntu-16-04:
- type: workflow-scm
- concurrent: false
- discard:
- build:
- keep_num: 5
- keep_days: 5
- artifact:
- keep_num: 6
- keep_days: 6
- scm:
- type: git
- url: "${_param:jenkins_packer_pipeline}"
- credentials: "gerrit"
- display_name: "[Images] Build Ubuntu 16.04 image"
- param:
- BUILD_OS:
- type: string
- default: "ubuntu-16.04"
- BUILD_ONLY:
- type: string
- default: "qemu"
- PACKER_DEBUG:
- type: boolean
- default: "false"
- PACKER_URL:
- type: string
- default: "https://releases.hashicorp.com/packer/0.8.6/packer_0.8.6_linux_amd64.zip"
- PACKER_ZIP:
- type: string
- default: "packer_0.8.6_linux_amd64.zip"
- PACKER_ZIP_MD5:
- type: string
- default: "4cda1c44cf666fada495dd8e01522e1c"
- PACKER_ARGS:
- type: string
- default: ""
- UPLOAD_URL:
- type: string
- default: "${_param:jenkins_packer_upload_url}"
- SKIP_UPLOAD:
- type: boolean
- default: "false"
- CLEANUP_OLD:
- type: boolean
- default: "true"
- CLEANUP_KEEP:
- type: string
- default: "3"
- GLANCE_UPLOAD:
- type: boolean
- default: "true"
- GLANCE_IMG_TYPES:
- type: string
- default: "qcow2"
- GLANCE_URL:
- type: string
- default: "https://cloud-cz.bud.mirantis.net:5000"
- GLANCE_CREDENTIALS_ID:
- type: string
- default: "openstack-devcloud-credentials"
- GLANCE_PROJECT:
- type: string
- default: "mcp-mk"
- GLANCE_ARGS:
- type: string
- default: ""
- GLANCE_PUBLIC:
- type: boolean
- default: "true"
- OPENSTACK_API_CLIENT:
- type: string
- default: ""
- IMAGE_NAME:
- type: string
- default: ubuntu-16-04-x64
- EXTRA_VARIABLES:
- type: text
- default: ""
\ No newline at end of file
diff --git a/jenkins/client/job/k8s-test/mcp-k8s-dashboard-merge-pipeline.yml b/jenkins/client/job/k8s-test/mcp-k8s-dashboard-merge-pipeline.yml
index f6b2350..8424f6a 100644
--- a/jenkins/client/job/k8s-test/mcp-k8s-dashboard-merge-pipeline.yml
+++ b/jenkins/client/job/k8s-test/mcp-k8s-dashboard-merge-pipeline.yml
@@ -21,7 +21,7 @@
trigger:
gerrit:
project:
- kubernetes/kubernetes:
+ kubernetes/dashboard:
branches:
- compare_type: "ANT"
name: "**mcp**"
diff --git a/jenkins/client/job/k8s-test/mcp-k8s-metallb-merge-pipeline.yml b/jenkins/client/job/k8s-test/mcp-k8s-metallb-merge-pipeline.yml
index f6a3162..c4f2af0 100644
--- a/jenkins/client/job/k8s-test/mcp-k8s-metallb-merge-pipeline.yml
+++ b/jenkins/client/job/k8s-test/mcp-k8s-metallb-merge-pipeline.yml
@@ -21,7 +21,7 @@
trigger:
gerrit:
project:
- kubernetes/kubernetes:
+ kubernetes/metallb:
branches:
- compare_type: "ANT"
name: "**mcp**"
diff --git a/jenkins/client/job/salt-models/tests.yml b/jenkins/client/job/salt-models/tests.yml
index 983a88b..145cfa9 100644
--- a/jenkins/client/job/salt-models/tests.yml
+++ b/jenkins/client/job/salt-models/tests.yml
@@ -272,37 +272,39 @@
COOKIECUTTER_TEMPLATE_URL:
type: string
default: "${_param:jenkins_gerrit_url}/mk/{{cookiecutter_template}}"
- CREDENTIALS_ID:
- type: string
- default: gerrit
COOKIECUTTER_TEMPLATE_BRANCH:
type: string
default: master
- RECLASS_MODEL_URL:
+ description: "Those variable will be ignored, in case gerritTrigger=>GERRIT_BRANCH"
+ COOKIECUTTER_TEMPLATE_REF:
+ type: string
+ default: ""
+ description: "Example: refs/changes/49/25549/1"
+ RECLASS_SYSTEM_URL:
type: string
default: "${_param:jenkins_gerrit_url}/salt-models/reclass-system"
- RECLASS_MODEL_BRANCH:
+ RECLASS_SYSTEM_BRANCH:
type: string
default: master
+ description: "Those variable will be ignored, in case gerritTrigger=>GERRIT_BRANCH"
+ RECLASS_SYSTEM_GIT_REF:
+ type: string
+ default: ""
+ description: "Example: refs/changes/49/25549/1"
DISTRIB_REVISION:
type: string
default: 'nightly'
- SYSTEM_GIT_URL:
- type: string
- default: ""
- SYSTEM_GIT_REF:
- type: string
- default: ""
- PARALLEL_NODE_GROUP_SIZE:
- type: string
- default: "1"
+ description: "Those variable will be ignored, in case gerritTrigger=>GERRIT_BRANCH. Version of bin-artifacts,passed to test-env"
EXTRA_FORMULAS:
type: string
- default: "aptly artifactory auditd backupninja collectd devops-portal docker elasticsearch fluentd freeipa gerrit glusterfs grafana haproxy heka horizon influxdb jenkins keepalived kibana libvirt maas memcached mysql nginx ntp openldap openssh postfix prometheus rsync rsyslog rundeck sensu sphinx telegraf xtrabackup watchdog logrotate"
+ default: "aptly artifactory auditd backupninja collectd devops-portal docker elasticsearch fluentd freeipa gerrit glusterfs grafana haproxy heka horizon influxdb jenkins keepalived kibana libvirt maas memcached mysql nginx ntp openldap openscap openssh postfix prometheus rsync rsyslog rundeck sensu sphinx telegraf xtrabackup watchdog logrotate"
RECLASS_VERSION:
type: string
default: 'v1.5.4'
- description: "Version (branch) of Reclass we will use"
+ description: "Version (branch) of reclass PACKAGE we will use"
+ CREDENTIALS_ID:
+ type: string
+ default: gerrit
job:
test-salt-model-node:
name: test-salt-model-node
@@ -385,7 +387,7 @@
build:
keep_num: 300
artifact:
- keep_num: 30
+ keep_num: 300
type: workflow-scm
concurrent: true
plugin_properties:
@@ -402,5 +404,5 @@
script: test-cookiecutter-reclass-chunk.groovy
param:
EXTRA_VARIABLES_YAML:
- type: string
+ type: text
default: ""
diff --git a/kubernetes/common.yml b/kubernetes/common.yml
index 9151987..bf5886b 100644
--- a/kubernetes/common.yml
+++ b/kubernetes/common.yml
@@ -18,7 +18,7 @@
kubernetes_metallb_repo: metallb
kubernetes_sriov_repo: https://docker-prod-local.artifactory.mirantis.com/artifactory/binary-prod-local/mirantis/kubernetes/sriov-cni
kubernetes_cniplugins_repo: https://docker-prod-local.artifactory.mirantis.com/artifactory/binary-prod-local/mirantis/kubernetes/containernetworking-plugins
- kubernetes_dashboard_repo: k8s.gcr.io
+ kubernetes_dashboard_repo: ${_param:mcp_docker_registry}/mirantis/kubernetes
kubernetes_coredns_repo: coredns
# component docker images
@@ -50,10 +50,10 @@
kubernetes_sriov_source_hash: md5=c0cc33202afd02e4cc44b977a8faf6e7
kubernetes_cniplugins_source: ${_param:kubernetes_cniplugins_repo}/cni-plugins_v0.7.1-48-g696b1f9.tar.gz
kubernetes_cniplugins_source_hash: md5=5ec1cf5e989097c6127ea5365e277b02
- kubernetes_dashboard_image: ${_param:kubernetes_dashboard_repo}/kubernetes-dashboard-amd64:v1.8.3
+ kubernetes_dashboard_image: ${_param:kubernetes_dashboard_repo}/kubernetes-dashboard-amd64:v1.10.0-4
kubernetes_fluentd_aggregator_image: fluent/fluentd-kubernetes-daemonset:v1.2-debian-elasticsearch
kubernetes_fluentd_logger_image: fluent/fluentd-kubernetes-daemonset:v1.2-debian-stackdriver
- kubernetes_telegraf_image: docker.io/telegraf:1.5.3
+ kubernetes_telegraf_image: ${_param:mcp_docker_registry}/openstack-docker/telegraf:2018.8.0
kubernetes_coredns_image: ${_param:kubernetes_coredns_repo}/coredns:1.2.0
kubelet_fail_on_swap: true
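Review bot: The two images changed here, `kubernetes_dashboard_image` and `kubernetes_telegraf_image`, are referenced by tag only, so what gets pulled depends on whatever the registry behind `${_param:mcp_docker_registry}` serves for that tag at deploy time. Pinning by digest would make the deployed content verifiable, e.g. `.../kubernetes-dashboard-amd64@sha256:<digest-placeholder>`, provided the consuming formula accepts that form. `mcp_docker_registry` is not defined in the visible lines, so every model that includes this class has to provide it; a short comment next to `kubernetes_dashboard_repo` in the first hunk saying so would help. The `_param` mapping starts and ends outside both hunks.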
diff --git a/manila/control/single.yml b/manila/control/single.yml
index 262a158..b2036d3 100644
--- a/manila/control/single.yml
+++ b/manila/control/single.yml
@@ -2,11 +2,14 @@
- system.manila.common.cluster
- system.apache.server.site.manila
parameters:
+ _param:
+ openstack_node_role: primary
manila:
common:
dhss: false
version: ${_param:openstack_version}
api:
+ role: ${_param:openstack_node_role}
enabled: true
version: ${_param:openstack_version}
role: ${_param:openstack_node_role}
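Review bot: The added `role: ${_param:openstack_node_role}` under `api:` is followed three lines later by an identical `role:` line that was already in the file. Indentation is not recoverable in this view, but if both lines sit in the same mapping this is a duplicate key, which YAML 1.2 forbids and most parsers resolve silently by keeping the last value. Since the pre-existing line already sets the role, the added line can probably be dropped and only the `_param` default kept. The mapping continues past the end of this hunk.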
diff --git a/neutron/control/openvswitch/single.yml b/neutron/control/openvswitch/single.yml
index baa710e..da8dee0 100644
--- a/neutron/control/openvswitch/single.yml
+++ b/neutron/control/openvswitch/single.yml
@@ -13,8 +13,10 @@
neutron_enable_bgp_vpn: False
neutron_bgp_vpn_driver: bagpipe
internal_protocol: 'http'
+ openstack_node_role: primary
neutron:
server:
+ role: ${_param:openstack_node_role}
global_physnet_mtu: ${_param:neutron_global_physnet_mtu}
l3_ha: ${_param:neutron_l3_ha}
dvr: ${_param:neutron_control_dvr}
diff --git a/openscap/server/init.yml b/openscap/server/init.yml
new file mode 100644
index 0000000..0f2a76f
--- /dev/null
+++ b/openscap/server/init.yml
@@ -0,0 +1,2 @@
+classes:
+- service.openscap.cis
diff --git a/panko/server/cluster.yml b/panko/server/cluster.yml
index 3a4cb65..9715456 100644
--- a/panko/server/cluster.yml
+++ b/panko/server/cluster.yml
@@ -4,6 +4,7 @@
- system.apache.server.site.panko
- system.haproxy.proxy.listen.openstack.panko
- system.keepalived.cluster.instance.openstack_telemetry_vip
+- system.salt.minion.cert.mysql.clients.openstack.panko
parameters:
_param:
panko_memcached_node01_address: ${_param:cluster_node01_address}
@@ -11,6 +12,8 @@
panko_memcached_node03_address: ${_param:cluster_node03_address}
# Keep events in database for 30 days
panko_event_time_to_live: 2592000
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
linux:
system:
cron:
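Review bot: Both new switches default to `False`, so a model that includes this class without overriding them presumably leaves the panko-to-MySQL connection without TLS and without client-certificate authentication. That holds even though the first hunk now pulls in the client-certificate class unconditionally. The opt-in is worth documenting where the defaults are set, for example `# TLS and X.509 auth to MySQL are opt-in; set both to true in the cluster model to enforce them.` The canonical YAML spelling is `false` rather than `False`. The same applies to the first hunk of panko/server/single.yml.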
@@ -25,6 +28,13 @@
host: ${_param:openstack_control_address}
database:
host: ${_param:openstack_database_address}
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_panko_ssl_ca_file}
+ key_file: ${_param:mysql_panko_client_ssl_key_file}
+ cert_file: ${_param:mysql_panko_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
cache:
engine: memcached
members:
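Review bot: `ca_file` is supplied only inside the `x509` block, while the `ssl` block carries nothing but `enabled`. From these lines it cannot be told which CA bundle, if any, the client uses to verify the database server when only `galera_ssl_enabled` is turned on. It is worth confirming in the formula that the ssl-only mode still validates the server certificate, and passing the CA path there as well if it needs one. The same shape appears in the second hunk of panko/server/single.yml. The `database` mapping starts outside this hunk.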
diff --git a/panko/server/single.yml b/panko/server/single.yml
index 4ba2787..cb1a449 100644
--- a/panko/server/single.yml
+++ b/panko/server/single.yml
@@ -1,10 +1,13 @@
classes:
- service.panko.server.single
- system.apache.server.site.panko
+- system.salt.minion.cert.mysql.clients.openstack.panko
parameters:
_param:
# Keep events in database for 30 days
panko_event_time_to_live: 2592000
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
linux:
system:
cron:
@@ -13,6 +16,14 @@
enabled: true
panko:
server:
+ database:
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_panko_ssl_ca_file}
+ key_file: ${_param:mysql_panko_client_ssl_key_file}
+ cert_file: ${_param:mysql_panko_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
role: ${_param:openstack_node_role}
event_time_to_live: ${_param:panko_event_time_to_live}
# Check for expired events every day at 2 AM
diff --git a/salt/control/placement/stacklight/medium.yml b/salt/control/placement/stacklight/medium.yml
index 7f54f4d..7f35fe9 100644
--- a/salt/control/placement/stacklight/medium.yml
+++ b/salt/control/placement/stacklight/medium.yml
@@ -37,7 +37,7 @@
image: ${_param:salt_control_xenial_image}
provider: ${_param:infra_kvm_node10_hostname}.${_param:cluster_domain}
size: stacklight.log
- lop02:
+ log02:
name: ${_param:stacklight_log_node02_hostname}
image: ${_param:salt_control_xenial_image}
provider: ${_param:infra_kvm_node11_hostname}.${_param:cluster_domain}
@@ -61,4 +61,4 @@
name: ${_param:stacklight_monitor_node03_hostname}
image: ${_param:salt_control_xenial_image}
provider: ${_param:infra_kvm_node12_hostname}.${_param:cluster_domain}
- size: stacklight.server
\ No newline at end of file
+ size: stacklight.server
diff --git a/salt/master/formula/git/openscap.yml b/salt/master/formula/git/openscap.yml
new file mode 100644
index 0000000..a091ffe
--- /dev/null
+++ b/salt/master/formula/git/openscap.yml
@@ -0,0 +1,10 @@
+parameters:
+ salt:
+ master:
+ environment:
+ dev:
+ formula:
+ openscap:
+ source: git
+ address: '${_param:salt_master_environment_repository}/salt-formula-openscap.git'
+ revision: ${_param:salt_master_environment_revision}
diff --git a/salt/master/formula/pkg/openscap.yml b/salt/master/formula/pkg/openscap.yml
new file mode 100644
index 0000000..ebb6e86
--- /dev/null
+++ b/salt/master/formula/pkg/openscap.yml
@@ -0,0 +1,9 @@
+parameters:
+ salt:
+ master:
+ environment:
+ prd:
+ formula:
+ openscap:
+ source: pkg
+ name: salt-formula-openscap
diff --git a/salt/minion/cert/mysql/clients/openstack/panko.yml b/salt/minion/cert/mysql/clients/openstack/panko.yml
new file mode 100644
index 0000000..0593ae2
--- /dev/null
+++ b/salt/minion/cert/mysql/clients/openstack/panko.yml
@@ -0,0 +1,27 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ mysql_panko_client_ssl_key_file: /etc/panko/ssl/mysql/client-key.pem
+ mysql_panko_client_ssl_cert_file: /etc/panko/ssl/mysql/client-cert.pem
+ mysql_panko_ssl_ca_file: /etc/panko/ssl/mysql/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ mysql-panko-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: mysql-panko-client
+ signing_policy: cert_client
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:mysql_panko_client_ssl_key_file}
+ cert_file: ${_param:mysql_panko_client_ssl_cert_file}
+ ca_file: ${_param:mysql_panko_ssl_ca_file}
+ user: panko
+ group: panko
+ mode: 640
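Review bot: `mode: 640` is an unquoted integer, so the consumer receives the number 640 rather than an octal mode string. Together with `group: panko` it presumably also applies to `key_file`, which would leave the client private key group-readable. I would quote it as `mode: '0640'` and, if the formula supports a separate mode for the key, keep the key at `'0600'`. Separately, `DNS:${_param:cluster_local_address}` puts what looks like an IP address into a DNS subject alternative name, duplicating the `IP:` entry on the line above.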