Pass secrets to containers as files instead of env variables

Related-Prod: PROD-34268
Change-Id: I8269e2c3f0402980df13430de213764a7e2f8949
diff --git a/defaults/docker_images.yml b/defaults/docker_images.yml
index 564f551..883eaa5 100644
--- a/defaults/docker_images.yml
+++ b/defaults/docker_images.yml
@@ -5,21 +5,22 @@
     # 2.6.2 version, from 12/18/2108, differ from latest 2.6.2 upstream - update next cycle
     docker_image_registry:   "${_param:mcp_docker_registry}/mirantis/external/registry:${_param:mcp_version}"
     docker_image_visualizer: "${_param:mcp_docker_registry}/mirantis/external/visualizer:${_param:mcp_version}"
-    docker_image_openldap: "${_param:mcp_docker_registry}/mirantis/external/osixia/openldap:1.2.2"
+    docker_image_openldap: "${_param:mcp_docker_registry}/mirantis/cicd/openldap:2019.2.11"
     docker_image_postgresql: "${_param:mcp_docker_registry}/mirantis/external/library/postgres:9.6.10"
     # 3.4.13, from Feb 15, differ from 3.4.13 upstream verison, from March 14 - update next cycle
     docker_image_mongodb: "${_param:mcp_docker_registry}/mirantis/external/mongo:${_param:mcp_version}"
     ###
     # phpldapadmin:0.6.12
     docker_image_phpldapadmin: "${_param:mcp_docker_registry}/mirantis/cicd/phpldapadmin:${_param:mcp_version}"
-    # gerrit:2.15.18
-    docker_image_gerrit: "${_param:mcp_docker_registry}/mirantis/cicd/gerrit:${_param:mcp_version}"
-    # mysql:5.6.48
-    docker_image_mysql: "${_param:mcp_docker_registry}/mirantis/cicd/mysql:${_param:mcp_version}"
     # jenkins:2.150.3
     docker_image_jenkins: "${_param:mcp_docker_registry}/mirantis/cicd/jenkins:${_param:mcp_version}"
-    docker_image_jenkins_jnlp_slave: "${_param:mcp_docker_registry}/mirantis/cicd/jnlp-slave:${_param:mcp_version}"
     docker_image_jenkins_ssh_slave: "${_param:mcp_docker_registry}/mirantis/cicd/ssh-slave:${_param:mcp_version}"
+    docker_image_gerrit: "${_param:mcp_docker_registry}/mirantis/cicd/gerrit:2019.2.11"
+    # mysql:5.6.48
+    docker_image_mysql: "${_param:mcp_docker_registry}/mirantis/cicd/mysql:2019.2.10"
+    # jenkins:2.204.3
+    docker_image_jenkins_jnlp_slave: "${_param:mcp_docker_registry}/mirantis/cicd/jnlp-slave:2019.2.11"
+    # TODO: fix tag
     # model-generator
     docker_image_operations_api: "${_param:mcp_docker_registry}/mirantis/model-generator/operations-api:${_param:mcp_version}"
     docker_image_operations_ui: "${_param:mcp_docker_registry}/mirantis/model-generator/operations-ui:${_param:mcp_version}"
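Review bot: The comment bookkeeping in this hunk no longer matches the lines it sits on: the `# gerrit:2.15.18` upstream-version comment is dropped when `docker_image_gerrit` is moved, `# jenkins:2.204.3` now sits above `docker_image_jenkins_jnlp_slave` while `docker_image_jenkins` two lines up still says `# jenkins:2.150.3`, and `# TODO: fix tag` is attached to nothing. Suggest restoring the gerrit comment above its new line, labelling the jnlp comment so it is clear it describes the slave image rather than the master (`# jnlp-slave, built on jenkins:2.204.3` if that is the case), and giving the TODO a subject, e.g. `# TODO: fix tag - mysql still pinned to 2019.2.10 while the other cicd images use 2019.2.11` if that is what it refers to. The switch from `${_param:mcp_version}` to literal tags also means these four images stop following `mcp_version` bumps; a short comment saying why (the change description only talks about secrets) would prevent someone "fixing" it back.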
@@ -75,8 +76,8 @@
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/external/docker
           name: compose:1.17.1
         - registry: ${_param:mcp_docker_registry}/mirantis/external/osixia
-          target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/external/osixia
-          name: openldap:1.2.2
+          target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/cicd
+          name: openldap:2019.2.11
         - registry: ${_param:mcp_docker_registry}/mirantis/external/library
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/external/library
           name: postgres:9.6.10
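Review bot: The mirror entry keeps `registry: ${_param:mcp_docker_registry}/mirantis/external/osixia` on the unchanged line above while `name` becomes `openldap:2019.2.11` and only the target moves to `mirantis/cicd`, so the mirror will try to pull `.../mirantis/external/osixia/openldap:2019.2.11`, whereas `docker_image_openldap` in the first hunk now points at `.../mirantis/cicd/openldap:2019.2.11`. Unless that tag is also published under the old osixia path, the mirror job either fails or mirrors a different image than the one the stack deploys. The source should follow the image: `registry: ${_param:mcp_docker_registry}/mirantis/cicd`.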
@@ -96,7 +97,7 @@
 
         - registry: ${_param:mcp_docker_registry}/mirantis/cicd
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/cicd
-          name: jnlp-slave:${_param:mcp_version}
+          name: jnlp-slave:2019.2.11
         - registry: ${_param:mcp_docker_registry}/mirantis/cicd
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/cicd
           name: ssh-slave:2019.2.5
@@ -105,7 +106,7 @@
           name: jenkins:2019.2.5
         - registry: ${_param:mcp_docker_registry}/mirantis/cicd
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/cicd
-          name: gerrit:2019.2.10
+          name: gerrit:2019.2.11
           # stacklight
         - registry: ${_param:mcp_docker_registry}/openstack-docker
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/openstack-docker
diff --git a/docker/swarm/stack/dashboard.yml b/docker/swarm/stack/dashboard.yml
index 7b0eac5..9dfc85f 100644
--- a/docker/swarm/stack/dashboard.yml
+++ b/docker/swarm/stack/dashboard.yml
@@ -10,6 +10,7 @@
     client:
       stack:
         dashboard:
+          version: '3.7'
           service:
             grafana:
               deploy:
@@ -23,6 +24,18 @@
                 GF_DATABASE_TYPE: ${_param:grafana_database_type}
                 GF_DATABASE_NAME: grafana
                 GF_DATABASE_USER: grafana
-                GF_DATABASE_PASSWORD: ${_param:grafana_database_password}
+                GF_DATABASE_PASSWORD__FILE: /run/secrets/grafana-database
                 GF_DATABASE_HOST: "${_param:grafana_database_host}:${_param:grafana_database_port}"
-                GF_SECURITY_ADMIN_PASSWORD: ${_param:grafana_admin_password}
+                GF_SECURITY_ADMIN_PASSWORD__FILE: /run/secrets/grafana-admin
+              secrets:
+                - grafana-database
+                - grafana-admin
+          secrets:
+            grafana-database:
+              external: true
+              value: ${_param:grafana_database_password}
+            grafana-admin:
+              external: true
+              value: ${_param:grafana_admin_password}
+
+
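Review bot: The secrets in the stack-level `secrets:` block are declared `external: true`, and Compose resolves external secrets by their bare name cluster-wide (it only prefixes the stack name onto secrets it creates itself), so `grafana-database` and `grafana-admin` here, and especially the generic `mysql-root`, `jenkins-admin` and `alerta` names in gerrit.yml, the jnlp_slave files and alerta.yml, will silently bind to whatever swarm secret of that name already exists, including one created by another stack with a different value. Prefixing the names with the stack (`dashboard-grafana-admin`, `gerrit-mysql-root`, and so on) in both the definition and the `/run/secrets/...` paths removes that ambiguity. The two blank lines added at the end of this file should also go; ldap.yml and alerta.yml each add one as well.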
diff --git a/docker/swarm/stack/gerrit.yml b/docker/swarm/stack/gerrit.yml
index d1a5aa7..2ce9444 100644
--- a/docker/swarm/stack/gerrit.yml
+++ b/docker/swarm/stack/gerrit.yml
@@ -16,6 +16,7 @@
     client:
       stack:
         gerrit:
+          version: '3.7'
           service:
             server:
               deploy:
@@ -30,12 +31,15 @@
                 - /etc/ssl/certs/java/cacerts:/etc/ssl/certs/java/cacerts:ro
               depends_on:
                 - db
+              secrets:
+                - mysql-gerrit
+                - ldap-gerrit
               environment:
                 #GERRIT_INIT_ARGS: ""
                 DATABASE_TYPE: "mysql"
                 DB_PORT_3306_TCP_ADDR: ${_param:cluster_vip_address}
                 DB_ENV_MYSQL_USER: gerrit
-                DB_ENV_MYSQL_PASSWORD: ${_param:mysql_gerrit_password}
+                DB_ENV_MYSQL_PASSWORD_FILE: "/run/secrets/mysql-gerrit"
                 DB_ENV_MYSQL_DB: gerrit
                 AUTH_TYPE: ${_param:gerrit_auth_type}
                 LDAP_SERVER: ${_param:gerrit_ldap_server}
@@ -43,13 +47,10 @@
                 LDAP_ACCOUNTBASE: ${_param:gerrit_ldap_account_base}
                 LDAP_GROUPBASE: ${_param:gerrit_ldap_group_base}
                 LDAP_USERNAME: ${_param:gerrit_ldap_bind_user}
-                LDAP_PASSWORD: ${_param:gerrit_ldap_bind_password}
+                LDAP_PASSWORD_FILE: "/run/secrets/ldap-gerrit"
                 WEBURL: ${_param:gerrit_public_host}
                 HTTPD_LISTENURL: ${_param:gerrit_http_listen_url}
                 HTTPD_REQUESTLOG: ${_param:gerrit_http_request_log}
-                GERRIT_ADMIN_SSH_PUBLIC: ${_param:gerrit_admin_public_key}
-                GERRIT_ADMIN_PWD: ${_param:gerrit_admin_password}
-                GERRIT_ADMIN_EMAIL: ${_param:gerrit_admin_email}
                 CANLOADINIFRAME: "true"
                 IGNORE_VERSIONCHECK: "false"
                 JAVA_OPTIONS: "-Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts ${_param:gerrit_extra_opts}"
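Review bot: `GERRIT_ADMIN_SSH_PUBLIC`, `GERRIT_ADMIN_PWD` and `GERRIT_ADMIN_EMAIL` are removed from the server environment without a `_FILE` counterpart or a secret, unlike every other credential in this commit; if the gerrit image still bootstraps the admin account from them, the first deploy comes up without the configured admin key and password. If dropping the in-container admin bootstrap is intentional (for example because the 2019.2.11 image handles it differently), the commit message should say so, since the title only describes moving secrets to files. Only `GERRIT_ADMIN_PWD` is a secret; the public key and e-mail could have stayed as plain environment variables.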
@@ -57,11 +58,14 @@
                 http_proxy: ${_param:docker_http_proxy}
                 no_proxy: ${_param:docker_no_proxy}
             db:
+              secrets:
+                - mysql-gerrit
+                - mysql-root
               environment:
                 MYSQL_USER: gerrit
-                MYSQL_PASSWORD: ${_param:mysql_gerrit_password}
                 MYSQL_DATABASE: gerrit
-                MYSQL_ROOT_PASSWORD: ${_param:mysql_admin_password}
+                MYSQL_ROOT_PASSWORD_FILE: "/run/secrets/mysql-root"
+                MYSQL_PASSWORD_FILE: "/run/secrets/mysql-gerrit"
                 MYSQL_START_TIMEOUT: 300
               deploy:
                 restart_policy:
@@ -71,3 +75,13 @@
                 - ${_param:gerrit_db_publish_port}:3306
               volumes:
                 - /srv/volumes/mysql:/var/lib/mysql
+          secrets:
+            mysql-root:
+              external: true
+              value: ${_param:mysql_admin_password}
+            mysql-gerrit:
+              external: true
+              value: ${_param:mysql_gerrit_password}
+            ldap-gerrit:
+              external: true
+              value: ${_param:gerrit_ldap_bind_password}
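Review bot: Each entry here pairs `external: true` with `value: ${_param:...}`; `value` is not a Compose key, so this presumably relies on the docker formula to create the swarm secret from `value` before the stack is deployed, and that deserves a comment on the block, e.g. `# value is read by the docker formula to create the external swarm secret; it is not Compose schema`. Note the plaintext password is still rendered into the stack file on the manager node: the change removes it from the container environment and from `docker inspect` output, but the rendered file's permissions now matter as much as the pillar's. The same pattern is used in dashboard.yml, both jnlp_slave files, ldap.yml and alerta.yml.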
diff --git a/docker/swarm/stack/jenkins/jnlp_slave_multi.yml b/docker/swarm/stack/jenkins/jnlp_slave_multi.yml
index 3606bad..e7bf056 100644
--- a/docker/swarm/stack/jenkins/jnlp_slave_multi.yml
+++ b/docker/swarm/stack/jenkins/jnlp_slave_multi.yml
@@ -15,7 +15,7 @@
                 JENKINS_AGENT_NAME: slave02
                 JENKINS_UPDATE_SLAVE: 'true'
                 JENKINS_LOGIN: ${_param:jenkins_client_user}
-                JENKINS_PASSWORD: ${_param:jenkins_client_password}
+                JENKINS_PASSWORD_FILE: /run/secrets/jenkins-admin
                 JAVA_OPTS: "-Dhttp.proxyHost=${_param:docker_http_proxy} -Dhttp.nonProxyHosts=|jenkins_master ${_param:jenkins_slave_extra_opts}"
                 https_proxy: ${_param:docker_https_proxy}
                 http_proxy: ${_param:docker_http_proxy}
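Review bot: The secret referenced as `/run/secrets/jenkins-admin` holds `${_param:jenkins_client_password}`, the credential of `jenkins_client_user`, which is not necessarily the admin account; naming it after the parameter (`jenkins-client`) in this file, jnlp_slave_single.yml and the `/run/secrets/` paths keeps the secret name and the pillar key aligned. This file, unlike every other stack file in the commit, does not get `version: '3.7'`; that is fine only if it is always merged on top of jnlp_slave_single.yml, which appears to be the case since it defines slave02 and slave03 only, but a comment at the top saying so would help. Whether the jnlp-slave image reads `JENKINS_PASSWORD_FILE` cannot be checked from here; the tag bump to 2019.2.11 in defaults/docker_images.yml suggests that is where the support lands, so it is worth confirming on a deployed agent.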
@@ -35,13 +35,15 @@
                 - /var/run/docker.sock:/var/run/docker.sock
                 - /usr/bin/docker:/usr/bin/docker:ro
                 - /var/lib/jenkins:/var/lib/jenkins
+              secrets:
+                - jenkins-admin
             slave03:
               environment:
                 JENKINS_URL: ${_param:jenkins_master_url}
                 JENKINS_AGENT_NAME: slave03
                 JENKINS_UPDATE_SLAVE: 'true'
                 JENKINS_LOGIN: ${_param:jenkins_client_user}
-                JENKINS_PASSWORD: ${_param:jenkins_client_password}
+                JENKINS_PASSWORD_FILE: /run/secrets/jenkins-admin
                 JAVA_OPTS: "-Dhttp.proxyHost=${_param:docker_http_proxy} -Dhttp.nonProxyHosts=|jenkins_master ${_param:jenkins_slave_extra_opts}"
                 https_proxy: ${_param:docker_https_proxy}
                 http_proxy: ${_param:docker_http_proxy}
@@ -61,3 +63,9 @@
               - /var/run/docker.sock:/var/run/docker.sock
               - /usr/bin/docker:/usr/bin/docker:ro
               - /var/lib/jenkins:/var/lib/jenkins
+              secrets:
+                - jenkins-admin
+          secrets:
+            jenkins-admin:
+              external: true
+              value: ${_param:jenkins_client_password}
diff --git a/docker/swarm/stack/jenkins/jnlp_slave_single.yml b/docker/swarm/stack/jenkins/jnlp_slave_single.yml
index 956f918..6f9bff0 100644
--- a/docker/swarm/stack/jenkins/jnlp_slave_single.yml
+++ b/docker/swarm/stack/jenkins/jnlp_slave_single.yml
@@ -12,6 +12,7 @@
         - ${_param:docker_image_jenkins_jnlp_slave}
       stack:
         jenkins:
+          version: '3.7'
           service:
             slave01:
               environment:
@@ -19,7 +20,7 @@
                 JENKINS_AGENT_NAME: slave01
                 JENKINS_UPDATE_SLAVE: 'true'
                 JENKINS_LOGIN: ${_param:jenkins_client_user}
-                JENKINS_PASSWORD: ${_param:jenkins_client_password}
+                JENKINS_PASSWORD_FILE: /run/secrets/jenkins-admin
                 JAVA_OPTS: "-Dhttp.proxyHost=${_param:docker_http_proxy} -Dhttp.nonProxyHosts=|jenkins_master ${_param:jenkins_slave_extra_opts}"
                 https_proxy: ${_param:docker_https_proxy}
                 http_proxy: ${_param:docker_http_proxy}
@@ -39,3 +40,9 @@
                 - /var/run/docker.sock:/var/run/docker.sock
                 - /usr/bin/docker:/usr/bin/docker:ro
                 - /var/lib/jenkins:/var/lib/jenkins
+              secrets:
+                - jenkins-admin
+          secrets:
+            jenkins-admin:
+              external: true
+              value: ${_param:jenkins_client_password}
diff --git a/docker/swarm/stack/ldap.yml b/docker/swarm/stack/ldap.yml
index 3091983..71a646e 100644
--- a/docker/swarm/stack/ldap.yml
+++ b/docker/swarm/stack/ldap.yml
@@ -5,6 +5,7 @@
     client:
       stack:
         ldap:
+          version: '3.7'
           service:
             server:
               networks:
@@ -18,6 +19,9 @@
               ports:
                 - 1389:389
                 - 1636:636
+              secrets:
+                - openldap-admin
+                - openldap-config
               volumes:
                 - /srv/volumes/openldap/database:/var/lib/ldap
                 - /srv/volumes/openldap/config:/etc/ldap/slapd.d
@@ -31,8 +35,8 @@
                 HOSTNAME: ldap01.${_param:openldap_domain}
                 LDAP_ORGANISATION: "${_param:openldap_organisation}"
                 LDAP_DOMAIN: "${_param:openldap_domain}"
-                LDAP_ADMIN_PASSWORD: ${_param:openldap_admin_password}
-                LDAP_CONFIG_PASSWORD: ${_param:openldap_config_password}
+                LDAP_ADMIN_PASSWORD_FILE: /run/secrets/openldap-admin
+                LDAP_CONFIG_PASSWORD_FILE: /run/secrets/openldap-config
                 LDAP_TLS: "true"
                 LDAP_TLS_VERIFY_CLIENT: try
                 LDAP_TLS_CIPHER_SUITE: NORMAL:-VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0
@@ -55,7 +59,6 @@
                 - ${_param:openldap_tls:certfile}:/container/service/ldap-client/assets/certs/drivetrain_ldap.crt:ro
                 - /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:/container/service/ldap-client/assets/certs/ca.crt:ro
               environment:
-                PHPLDAPADMIN_LDAP_ADMIN_PASSWORD: ${_param:openldap_admin_password}
                 PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'server': [{'server': [{'host': 'ldaps://${_param:cicd_control_address}', 'tls': False}]},{'login': [{'bind_id': 'cn=admin,${_param:openldap_dn}'},{'bind_pass': '$PHPLDAPADMIN_LDAP_ADMIN_PASSWORD'}]}]}]"
                 PHPLDAPADMIN_LDAP_CLIENT_TLS: "true"
                 PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME: ca.crt
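Review bot: `PHPLDAPADMIN_LDAP_HOSTS` on the line after the removal still embeds `'$PHPLDAPADMIN_LDAP_ADMIN_PASSWORD'` as `bind_pass`, but nothing sets that variable any more: the plain value is removed and the phpldapadmin service gets neither a `_FILE` variant nor a `secrets:` entry in this commit (only `server` does, earlier in the file). Unless the image populates the unsuffixed variable from a `_FILE` one before expanding HOSTS, the admin bind is attempted with an empty password. Add `PHPLDAPADMIN_LDAP_ADMIN_PASSWORD_FILE: /run/secrets/openldap-admin` to this environment and `secrets:` with `- openldap-admin` to the phpldapadmin service, then verify the rendered `bind_pass` on a deployed stack. The phpldapadmin service definition starts outside the hunk.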
@@ -73,3 +76,11 @@
               driver: overlay
               driver_opts:
                 encrypted: 1
+          secrets:
+            openldap-admin:
+              external: true
+              value: ${_param:openldap_admin_password}
+            openldap-config:
+              external: true
+              value: ${_param:openldap_config_password}
+
diff --git a/docker/swarm/stack/monitoring/alerta.yml b/docker/swarm/stack/monitoring/alerta.yml
index acd4d70..ac16a2b 100644
--- a/docker/swarm/stack/monitoring/alerta.yml
+++ b/docker/swarm/stack/monitoring/alerta.yml
@@ -8,6 +8,7 @@
     client:
       stack:
         monitoring:
+          version: '3.7'
           service:
             alerta:
               networks:
@@ -27,6 +28,13 @@
                 - ${prometheus:alerta:config_dir}/alertad.conf:/app/alertad.conf
               environment:
                 ADMIN_USERS: ${_param:alerta_admin_username}
-                ADMIN_PASSWORD: ${_param:alerta_admin_password}
+                ADMIN_PASSWORD_FILE: "/run/secrets/alerta"
                 MONGO_URI: ${_param:alerta_mongodb_uri}
                 PLUGINS: ""
+              secrets:
+                - alerta
+          secrets:
+            alerta:
+              external: true
+              value: ${_param:alerta_admin_password}
+
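Review bot: `ADMIN_PASSWORD_FILE` is new for the alerta container, but alerta is not among the images re-tagged in defaults/docker_images.yml in this commit, so whether the deployed alerta image reads a `_FILE` variant cannot be confirmed from here; if it does not, `ADMIN_PASSWORD` is simply unset and what alerta does then depends on the image, which is easy to miss because nothing fails loudly. Check the admin login on a deployed stack before merging. The secret name `alerta` is also the most generic in the commit; with `external: true` it is resolved cluster-wide, so `alerta-admin` or similar is safer. Drop the trailing blank line added at end of file.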