Merge "Fix for wrong class sequence k8s with oc4"
diff --git a/apache/server/proxy/init.yml b/apache/server/proxy/init.yml
new file mode 100644
index 0000000..06921f8
--- /dev/null
+++ b/apache/server/proxy/init.yml
@@ -0,0 +1,7 @@
+parameters:
+ apache:
+ server:
+ modules:
+ - proxy
+ - proxy_http
+ - headers
diff --git a/docker/host.yml b/docker/host.yml
index aef7a32..bb3dffa 100644
--- a/docker/host.yml
+++ b/docker/host.yml
@@ -1,6 +1,8 @@
classes:
- service.docker.host
parameters:
+ _param:
+ docker_garbage_collection_enabled: false
docker:
host:
pkgs:
@@ -14,3 +16,16 @@
ipv6: true
fixed-cidr-v6: fc00::/7
storage-driver: overlay2
+ linux:
+ system:
+ cron:
+ user:
+ root:
+ enabled: true
+ job:
+ docker_garbage_collection:
+ command: docker system prune -f --filter until=$(date +%s -d "1 week ago")
+ enabled: ${_param:docker_garbage_collection_enabled}
+ user: root
+ hour: 6
+ minute: 0
diff --git a/galera/server/database/ssl/ironic.yaml b/galera/server/database/ssl/ironic.yaml
new file mode 100644
index 0000000..eeb9dbb
--- /dev/null
+++ b/galera/server/database/ssl/ironic.yaml
@@ -0,0 +1,4 @@
+parameters:
+ _param:
+ mysql_ironic_ssl_option:
+ - SSL: True
\ No newline at end of file
diff --git a/galera/server/database/x509/ironic.yml b/galera/server/database/x509/ironic.yml
new file mode 100644
index 0000000..85082f5
--- /dev/null
+++ b/galera/server/database/x509/ironic.yml
@@ -0,0 +1,7 @@
+parameters:
+ _param:
+ mysql_ironic_client_ssl_x509_subject: '/C=cz/CN=mysql-ironic-client/L=Prague/O=Mirantis'
+ mysql_ironic_client_ssl_x509_issuer: '/C=cz/CN=Salt Master CA/L=Prague/O=Mirantis'
+ mysql_ironic_ssl_option:
+ - SUBJECT: ${_param:mysql_ironic_client_ssl_x509_subject}
+ - ISSUER: ${_param:mysql_ironic_client_ssl_x509_issuer}
\ No newline at end of file
diff --git a/glance/control/cluster.yml b/glance/control/cluster.yml
index 4f0992d..542e80e 100644
--- a/glance/control/cluster.yml
+++ b/glance/control/cluster.yml
@@ -44,6 +44,7 @@
registry:
host: ${_param:cluster_vip_address}
port: 9191
+ protocol: ${_param:cluster_internal_protocol}
bind:
address: ${_param:cluster_local_address}
port: 9292
@@ -55,6 +56,7 @@
password: ${_param:keystone_glance_password}
region: ${_param:openstack_region}
tenant: service
+ protocol: ${_param:cluster_internal_protocol}
message_queue:
engine: rabbitmq
port: 5672
diff --git a/glance/control/single.yml b/glance/control/single.yml
index c233120..d636346 100644
--- a/glance/control/single.yml
+++ b/glance/control/single.yml
@@ -32,6 +32,9 @@
enabled: ${_param:galera_ssl_enabled}
identity:
region: ${_param:openstack_region}
+ protocol: ${_param:internal_protocol}
+ registry:
+ protocol: ${_param:internal_protocol}
show_multiple_locations: True
message_queue:
x509:
diff --git a/ironic/api/cluster.yml b/ironic/api/cluster.yml
index b0bb69f..acf635e 100644
--- a/ironic/api/cluster.yml
+++ b/ironic/api/cluster.yml
@@ -1,6 +1,10 @@
classes:
+- system.salt.minion.cert.mysql.clients.openstack.ironic
- service.ironic.api.cluster
parameters:
+ _param:
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
linux:
system:
package:
@@ -14,3 +18,11 @@
role: ${_param:openstack_node_role}
bind:
address: ${_param:cluster_baremetal_local_address}
+ database:
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_ironic_ssl_ca_file}
+ key_file: ${_param:mysql_ironic_client_ssl_key_file}
+ cert_file: ${_param:mysql_ironic_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
diff --git a/ironic/api/single.yml b/ironic/api/single.yml
index 51c3f9c..0d4ae09 100644
--- a/ironic/api/single.yml
+++ b/ironic/api/single.yml
@@ -1,6 +1,10 @@
classes:
+- system.salt.minion.cert.mysql.clients.openstack.ironic
- service.ironic.api.single
parameters:
+ _param:
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
linux:
system:
package:
@@ -12,3 +16,11 @@
role: ${_param:openstack_node_role}
bind:
address: ${_param:single_address}
+ database:
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_ironic_ssl_ca_file}
+ key_file: ${_param:mysql_ironic_client_ssl_key_file}
+ cert_file: ${_param:mysql_ironic_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
diff --git a/ironic/conductor/cluster.yml b/ironic/conductor/cluster.yml
index 063719c..c97624b 100644
--- a/ironic/conductor/cluster.yml
+++ b/ironic/conductor/cluster.yml
@@ -1,6 +1,10 @@
classes:
+- system.salt.minion.cert.mysql.clients.openstack.ironic
- service.ironic.conductor.cluster
parameters:
+ _param:
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
linux:
system:
package:
@@ -10,3 +14,11 @@
ironic:
conductor:
api_url: 'http://${_param:cluster_baremetal_vip_address}:6385'
+ database:
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_ironic_ssl_ca_file}
+ key_file: ${_param:mysql_ironic_client_ssl_key_file}
+ cert_file: ${_param:mysql_ironic_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
diff --git a/ironic/conductor/single.yml b/ironic/conductor/single.yml
index d827129..80215a5 100644
--- a/ironic/conductor/single.yml
+++ b/ironic/conductor/single.yml
@@ -1,6 +1,10 @@
classes:
+- system.salt.minion.cert.mysql.clients.openstack.ironic
- service.ironic.conductor.single
parameters:
+ _param:
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
linux:
system:
package:
@@ -11,3 +15,11 @@
conductor:
enabled: true
version: ${_param:ironic_version}
+ database:
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_ironic_ssl_ca_file}
+ key_file: ${_param:mysql_ironic_client_ssl_key_file}
+ cert_file: ${_param:mysql_ironic_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
diff --git a/jenkins/client/job/git-mirrors/2way.yml b/jenkins/client/job/git-mirrors/2way.yml
index 742408d..71d8f9a 100644
--- a/jenkins/client/job/git-mirrors/2way.yml
+++ b/jenkins/client/job/git-mirrors/2way.yml
@@ -11,7 +11,7 @@
- name: mcp-common-scripts
source: mcp/mcp-common-scripts
target: Mirantis/mcp-common-scripts
- branches: "master"
+ branches: "master,release/2018.8.1"
- name: mcp-local-repo-model
source: mcp/mcp-local-repo-model
target: Mirantis/mcp-local-repo-model
diff --git a/jenkins/client/job/git-mirrors/downstream/pipelines.yml b/jenkins/client/job/git-mirrors/downstream/pipelines.yml
index 271a725..17611cb 100644
--- a/jenkins/client/job/git-mirrors/downstream/pipelines.yml
+++ b/jenkins/client/job/git-mirrors/downstream/pipelines.yml
@@ -8,8 +8,8 @@
- name: pipeline-library
downstream: mcp-ci/pipeline-library
upstream: "${_param:gerrit_pipeline_library_repo}"
- branches: master
+ branches: "master,release/2018.8.1"
- name: mk-pipelines
downstream: mk/mk-pipelines
upstream: "${_param:gerrit_mk_pipelines_repo}"
- branches: master
+ branches: "master,release/2018.8.1"
diff --git a/jenkins/client/job/k8s-test/init.yml b/jenkins/client/job/k8s-test/init.yml
index 537cd3c..59904c2 100644
--- a/jenkins/client/job/k8s-test/init.yml
+++ b/jenkins/client/job/k8s-test/init.yml
@@ -3,6 +3,8 @@
- system.jenkins.client.job.k8s-test.mcp-k8s-merge-pipeline
- system.jenkins.client.job.k8s-test.mcp-k8s-dashboard-test-pipeline
- system.jenkins.client.job.k8s-test.mcp-k8s-dashboard-merge-pipeline
+- system.jenkins.client.job.k8s-test.mcp-k8s-nginx-ingress-test-pipeline
+- system.jenkins.client.job.k8s-test.mcp-k8s-nginx-ingress-merge-pipeline
- system.jenkins.client.job.k8s-test.mcp-k8s-metallb-test-pipeline
- system.jenkins.client.job.k8s-test.mcp-k8s-metallb-merge-pipeline
- system.jenkins.client.job.k8s-test.mcp-k8s-coredns-test-pipeline
diff --git a/jenkins/client/job/k8s-test/mcp-k8s-nginx-ingress-merge-pipeline.yml b/jenkins/client/job/k8s-test/mcp-k8s-nginx-ingress-merge-pipeline.yml
new file mode 100644
index 0000000..8236536
--- /dev/null
+++ b/jenkins/client/job/k8s-test/mcp-k8s-nginx-ingress-merge-pipeline.yml
@@ -0,0 +1,43 @@
+parameters:
+ _param:
+ mcp_docker_registry: 'docker-dev-local.docker.mirantis.net'
+ mcp_prod_docker_registry: 'docker-prod-local.docker.mirantis.net'
+ jenkins:
+ client:
+ job:
+ mcp_k8s_nginx_ingress_merge_pipeline:
+ type: workflow-scm
+ name: mcp-k8s-nginx-ingress-merge-pipeline
+ display_name: "k8s nginx ingress merge pipeline"
+ discard:
+ build:
+ keep_num: 20
+ concurrent: false
+ scm:
+ type: git
+ url: "${_param:jenkins_gerrit_url}/kubernetes-ci/kubernetes-pipelines"
+ credentials: "gerrit"
+ script: pipelines/mcp-k8s-ingress-nginx-pipeline.groovy
+ trigger:
+ gerrit:
+ project:
+ kubernetes/ingress-nginx:
+ branches:
+ - compare_type: "ANT"
+ name: "**mcp**"
+ message:
+ build_successful: "Build successful"
+ build_unstable: "Build unstable"
+ build_failure: "Build failed"
+ event:
+ change:
+ - merged
+ param:
+ KUBE_DOCKER_REGISTRY:
+ type: string
+ default: ${_param:mcp_docker_registry}
+ description: 'Docker registry for binaries and images'
+ KUBE_PROD_DOCKER_REGISTRY:
+ type: string
+ default: ${_param:mcp_prod_docker_registry}
+ description: 'Prod docker registry for binaries and images'
diff --git a/jenkins/client/job/k8s-test/mcp-k8s-nginx-ingress-test-pipeline.yml b/jenkins/client/job/k8s-test/mcp-k8s-nginx-ingress-test-pipeline.yml
new file mode 100644
index 0000000..8730f0d
--- /dev/null
+++ b/jenkins/client/job/k8s-test/mcp-k8s-nginx-ingress-test-pipeline.yml
@@ -0,0 +1,48 @@
+parameters:
+ _param:
+ mcp_docker_registry: 'docker-dev-local.docker.mirantis.net'
+ jenkins:
+ client:
+ job:
+ mcp_k8s_nginx_ingress_test_pipeline:
+ type: workflow-scm
+ name: mcp-k8s-nginx-ingress-test-pipeline
+ display_name: "k8s nginx ingress tests pipeline"
+ discard:
+ build:
+ keep_num: 50
+ concurrent: true
+ scm:
+ type: git
+ url: "${_param:jenkins_gerrit_url}/kubernetes-ci/kubernetes-pipelines"
+ credentials: "gerrit"
+ script: pipelines/mcp-k8s-ingress-nginx-pipeline.groovy
+ trigger:
+ gerrit:
+ project:
+ kubernetes/ingress-nginx:
+ branches:
+ - compare_type: "ANT"
+ name: "**"
+ message:
+ build_successful: "Build successful"
+ build_unstable: "Build unstable"
+ build_failure: "Build failed"
+ event:
+ patchset:
+ - created:
+ excludeDrafts: false
+ excludeTrivialRebase: false
+ excludeNoCodeChange: false
+ comment:
+ - addedContains:
+ commentAddedCommentContains: '(recheck|reverify)'
+ override-votes:
+ gerritBuildUnstableVerifiedValue: 1
+ gerritBuildUnstableCodeReviewValue: 1
+ param:
+ KUBE_DOCKER_REGISTRY:
+ type: string
+ default: ${_param:mcp_docker_registry}
+ description: 'Docker registry for binaries and images'
+
diff --git a/jenkins/client/job/oscore/cookiecutter.yml b/jenkins/client/job/oscore/cookiecutter.yml
index 3dd9e73..84c96d8 100644
--- a/jenkins/client/job/oscore/cookiecutter.yml
+++ b/jenkins/client/job/oscore/cookiecutter.yml
@@ -72,7 +72,7 @@
default: |-
#Extra context that will be merged with content of COOKIECUTTER_TEMPLATE_CONTEXT_FILE
default_context:
- openssh_groups: "qa_scale,oscore_devops,networking,tcpcloud,stacklight,k8s_team"
+ openssh_groups: "qa_scale,oscore_devops,networking,tcpcloud,stacklight,k8s_team,mcp_qa"
cookiecutter_template_url: https://gerrit.mcp.mirantis.net/mk/cookiecutter-templates.git
cookiecutter_template_branch: 'master'
shared_reclass_url: https://gerrit.mcp.mirantis.net/salt-models/reclass-system.git
diff --git a/jenkins/client/job/salt-formulas/git-mirrors/2way.yml b/jenkins/client/job/salt-formulas/git-mirrors/2way.yml
index 85c9ac8..f2efc67 100644
--- a/jenkins/client/job/salt-formulas/git-mirrors/2way.yml
+++ b/jenkins/client/job/salt-formulas/git-mirrors/2way.yml
@@ -456,7 +456,7 @@
default: "gerrit"
BRANCHES:
type: string
- default: "master"
+ default: "master,release/2018.8.1"
git-mirror-2way-salt-formulas-cookiecutter:
description: ${_param:job_description_2way}
discard:
diff --git a/jenkins/client/job/salt-models/tests.yml b/jenkins/client/job/salt-models/tests.yml
index c6bd2e1..a7bdbab 100644
--- a/jenkins/client/job/salt-models/tests.yml
+++ b/jenkins/client/job/salt-models/tests.yml
@@ -236,10 +236,10 @@
- cookiecutter_template: cookiecutter-templates
template:
discard:
- build:
- keep_num: 50
- artifact:
- keep_num: 50
+ build:
+ keep_days: 4
+ artifact:
+ keep_days: 4
type: workflow-scm
concurrent: true
scm:
@@ -371,9 +371,9 @@
name: test-mk-cookiecutter-templates-chunk
discard:
build:
- keep_num: 300
+ keep_days: 3
artifact:
- keep_num: 300
+ keep_days: 3
type: workflow-scm
concurrent: true
plugin_properties:
diff --git a/jenkins/client/job/stacklight/cookiecutter.yml b/jenkins/client/job/stacklight/cookiecutter.yml
index 0a2c6ed..0f40403 100644
--- a/jenkins/client/job/stacklight/cookiecutter.yml
+++ b/jenkins/client/job/stacklight/cookiecutter.yml
@@ -31,6 +31,16 @@
type: string
description: "Context for cookiecutter template specified as filename"
default: 'stacklight-openstack-ovs-core-pike'
+ OPENSTACK_ENVIRONMENT:
+ type: choice
+ description: "Target openstack environment"
+ choices:
+ - devcloud
+ - presales
+ - oscore_devcloud
+ OPENSTACK_API_CREDENTIALS:
+ type: string
+ description: "Credentials to the OpenStack API"
OPENSTACK_API_PROJECT:
type: string
default: "mcp-stacklight"
diff --git a/keystone/client/service/octavia.yml b/keystone/client/service/octavia.yml
index 304d70f..fe0125a 100644
--- a/keystone/client/service/octavia.yml
+++ b/keystone/client/service/octavia.yml
@@ -18,7 +18,7 @@
email: ${_param:admin_email}
service:
octavia:
- type: octavia
+ type: load-balancer
description: OpenStack Loadbalancing Service
endpoints:
- region: ${_param:openstack_region}
diff --git a/kubernetes/common/addons/prometheus.yml b/kubernetes/common/addons/prometheus.yml
new file mode 100644
index 0000000..5f5fcea
--- /dev/null
+++ b/kubernetes/common/addons/prometheus.yml
@@ -0,0 +1,37 @@
+classes:
+- system.prometheus.server.container
+parameters:
+ _param:
+ kubernetes_prometheus_image: ${_param:mcp_docker_registry}/openstack-docker/prometheus:2018.8.0
+ kubernetes_prometheus_enabled: false
+ kubernetes_prometheus_namespace: stacklight
+ kubernetes_prometheus_server_resources_limits_memory: 500M
+ kubernetes_prometheus_server_resources_requests_memory: 500M
+ kubernetes_prometheus_server_bind_host_port: 31990
+ kubernetes_prometheus_server_storage_local_engine: persisted
+ kubernetes_prometheus_server_use_static_datadir: true
+ kubernetes:
+ common:
+ addons:
+ prometheus:
+ enabled: ${_param:kubernetes_prometheus_enabled}
+ image: ${_param:kubernetes_prometheus_image}
+ namespace: ${_param:kubernetes_prometheus_namespace}
+ server:
+ bind:
+ port: ${prometheus:server:bind:port}
+ host: ${prometheus:server:bind:address}
+ host_port: ${_param:kubernetes_prometheus_server_bind_host_port}
+ config:
+ config_dir: ${prometheus:server:dir:config_in_container}
+ host_config_dir: ${prometheus:server:dir:config}
+ data_dir: ${_param:prometheus_server_data_directory}
+ host_data_dir: ${prometheus:server:dir:data}
+ storage_local_engine: ${_param:kubernetes_prometheus_server_storage_local_engine}
+ storage_local_retention: ${prometheus:server:storage:local:retention}
+ use_static_datadir: ${_param:kubernetes_prometheus_server_use_static_datadir}
+ resources:
+ limits:
+ memory: ${_param:kubernetes_prometheus_server_resources_limits_memory}
+ requests:
+ memory: ${_param:kubernetes_prometheus_server_resources_requests_memory}
diff --git a/kubernetes/common.yml b/kubernetes/common/init.yml
similarity index 98%
rename from kubernetes/common.yml
rename to kubernetes/common/init.yml
index 82b3ad3..52d9479 100644
--- a/kubernetes/common.yml
+++ b/kubernetes/common/init.yml
@@ -19,7 +19,7 @@
kubernetes_sriov_repo: https://docker-prod-local.artifactory.mirantis.com/artifactory/binary-prod-local/mirantis/kubernetes/sriov-cni
kubernetes_cniplugins_repo: https://docker-prod-local.artifactory.mirantis.com/artifactory/binary-prod-local/mirantis/kubernetes/containernetworking-plugins
kubernetes_dashboard_repo: ${_param:mcp_docker_registry}/mirantis/kubernetes
- kubernetes_coredns_repo: coredns
+ kubernetes_coredns_repo: ${_param:mcp_docker_registry}/mirantis/coredns
# component docker images
kubernetes_docker_package: docker-engine=1.13.1-0~ubuntu-xenial
@@ -54,7 +54,7 @@
kubernetes_fluentd_aggregator_image: fluent/fluentd-kubernetes-daemonset:v1.2-debian-elasticsearch
kubernetes_fluentd_logger_image: fluent/fluentd-kubernetes-daemonset:v1.2-debian-stackdriver
kubernetes_telegraf_image: ${_param:mcp_docker_registry}/openstack-docker/telegraf:2018.8.0
- kubernetes_coredns_image: ${_param:kubernetes_coredns_repo}/coredns:1.2.0
+ kubernetes_coredns_image: ${_param:kubernetes_coredns_repo}/coredns:v1.2.2-12
kubelet_fail_on_swap: true
kubernetes_dashboard_enabled: true
diff --git a/linux/system/repo/mcp/apt_mirantis/saltstack.yml b/linux/system/repo/mcp/apt_mirantis/saltstack.yml
index 22b3bb8..5ba85c0 100644
--- a/linux/system/repo/mcp/apt_mirantis/saltstack.yml
+++ b/linux/system/repo/mcp/apt_mirantis/saltstack.yml
@@ -13,7 +13,16 @@
source: "deb [arch=amd64] ${_param:linux_system_repo_mcp_saltstack_url}/${_param:linux_system_codename}/ ${_param:linux_system_codename} main"
architectures: amd64
clean_file: true
- pin:
- - pin: 'release o=SaltStack'
- priority: 1100
- package: '*'
+ pinning:
+ 10:
+ enabled: true
+ pin: 'release o=SaltStack'
+ # WA for https://github.com/saltstack/salt/issues/49653
+ # Should be removed with new version\fix in upstream.
+ priority: 50
+ package: 'libsodium18'
+ 20:
+ enabled: true
+ pin: 'release o=SaltStack'
+ priority: 1100
+ package: '*'
diff --git a/neutron/client/service/public_v2.yml b/neutron/client/service/public_v2.yml
new file mode 100644
index 0000000..7c14248
--- /dev/null
+++ b/neutron/client/service/public_v2.yml
@@ -0,0 +1,24 @@
+classes:
+- service.neutron.client
+parameters:
+ neutron:
+ client:
+ resources:
+ v2:
+ admin_identity:
+ network:
+ public:
+ shared: True
+ router_external: True
+ default: True
+ provider_network_type: flat
+ provider_physical_network: physnet1
+ subnet:
+ public-subnet:
+ cidr: ${_param:openstack_public_neutron_subnet_cidr}
+ gateway_ip: ${_param:openstack_public_neutron_subnet_gateway}
+ allocation_pools:
+ - start: ${_param:openstack_public_neutron_subnet_allocation_start}
+ end: ${_param:openstack_public_neutron_subnet_allocation_end}
+ enable_dhcp: False
+ ip_version: 4
diff --git a/neutron/control/cluster.yml b/neutron/control/cluster.yml
index 12baf43..797c378 100644
--- a/neutron/control/cluster.yml
+++ b/neutron/control/cluster.yml
@@ -16,30 +16,13 @@
python-pymysql:
fromrepo: ${_param:openstack_version}
version: latest
- haproxy:
- proxy:
- listen:
- neutron_api:
- type: openstack-service
- service_name: neutron
- binds:
- - address: ${_param:cluster_vip_address}
- port: 9696
- servers:
- - name: ${_param:cluster_node01_hostname}
- host: ${_param:cluster_node01_address}
- port: 9696
- params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3
- - name: ${_param:cluster_node02_hostname}
- host: ${_param:cluster_node02_address}
- port: 9696
- params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3
- - name: ${_param:cluster_node03_hostname}
- host: ${_param:cluster_node03_address}
- port: 9696
- params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3
neutron:
server:
+ message_queue:
+ members:
+ - host: ${_param:openstack_message_queue_node01_address}
+ - host: ${_param:openstack_message_queue_node02_address}
+ - host: ${_param:openstack_message_queue_node03_address}
database:
x509:
enabled: ${_param:openstack_mysql_x509_enabled}
@@ -49,6 +32,5 @@
ssl:
enabled: ${_param:galera_ssl_enabled}
role: ${_param:openstack_node_role}
- plugin: contrail
identity:
protocol: ${_param:cluster_internal_protocol}
diff --git a/neutron/control/opencontrail/cluster.yml b/neutron/control/opencontrail/cluster.yml
index d85e554..4bc0e71 100644
--- a/neutron/control/opencontrail/cluster.yml
+++ b/neutron/control/opencontrail/cluster.yml
@@ -1,9 +1,5 @@
classes:
-- service.keepalived.cluster.single
-- service.haproxy.proxy.single
-- service.neutron.control.cluster
-- system.haproxy.proxy.listen.openstack.neutron
-- system.galera.server.database.neutron
+- system.neutron.control.cluster
parameters:
neutron:
server:
@@ -13,11 +9,6 @@
identity:
region: ${_param:openstack_region}
host: ${_param:openstack_control_address}
- message_queue:
- members:
- - host: ${_param:openstack_message_queue_node01_address}
- - host: ${_param:openstack_message_queue_node02_address}
- - host: ${_param:openstack_message_queue_node03_address}
compute:
host: ${_param:openstack_control_address}
region: ${_param:openstack_region}
@@ -28,4 +19,4 @@
user: admin
password: ${_param:keystone_admin_password}
tenant: admin
- token: ${_param:keystone_service_token}
\ No newline at end of file
+ token: ${_param:keystone_service_token}
diff --git a/neutron/control/opencontrail/single.yml b/neutron/control/opencontrail/single.yml
index 4bbd8f8..5cf06bf 100644
--- a/neutron/control/opencontrail/single.yml
+++ b/neutron/control/opencontrail/single.yml
@@ -1,5 +1,5 @@
classes:
-- service.neutron.control.single
+- system.neutron.control.single
- system.galera.server.database.neutron
parameters:
neutron:
@@ -12,7 +12,7 @@
host: ${_param:openstack_control_address}
message_queue:
members:
- - host: ${_param:openstack_message_queue_node01_address}
+ - host: ${_param:single_address}
compute:
host: ${_param:openstack_control_address}
region: ${_param:openstack_region}
@@ -23,4 +23,4 @@
user: admin
password: ${_param:keystone_admin_password}
tenant: admin
- token: ${_param:keystone_service_token}
\ No newline at end of file
+ token: ${_param:keystone_service_token}
diff --git a/neutron/control/opendaylight/cluster.yml b/neutron/control/opendaylight/cluster.yml
index 1f8142e..2f22403 100644
--- a/neutron/control/opendaylight/cluster.yml
+++ b/neutron/control/opendaylight/cluster.yml
@@ -1,7 +1,4 @@
classes:
-- service.keepalived.cluster.single
-- service.haproxy.proxy.single
-- service.neutron.control.cluster
- system.neutron.control.openvswitch.cluster
parameters:
_param:
diff --git a/neutron/control/opendaylight/single.yml b/neutron/control/opendaylight/single.yml
index 297cfa0..c12d04a 100644
--- a/neutron/control/opendaylight/single.yml
+++ b/neutron/control/opendaylight/single.yml
@@ -1,5 +1,4 @@
classes:
-- service.neutron.control.single
- system.neutron.control.openvswitch.single
parameters:
_param:
diff --git a/neutron/control/openvswitch/cluster.yml b/neutron/control/openvswitch/cluster.yml
index 5800060..094449e 100644
--- a/neutron/control/openvswitch/cluster.yml
+++ b/neutron/control/openvswitch/cluster.yml
@@ -1,8 +1,5 @@
classes:
-- service.keepalived.cluster.single
-- service.haproxy.proxy.single
-- service.neutron.control.cluster
-- system.galera.server.database.neutron
+- system.neutron.control.cluster
parameters:
_param:
neutron_control_dvr: True
@@ -40,30 +37,3 @@
identity:
region: ${_param:openstack_region}
protocol: ${_param:cluster_internal_protocol}
- message_queue:
- members:
- - host: ${_param:openstack_message_queue_node01_address}
- - host: ${_param:openstack_message_queue_node02_address}
- - host: ${_param:openstack_message_queue_node03_address}
- haproxy:
- proxy:
- listen:
- neutron_api:
- type: openstack-service
- service_name: neutron
- binds:
- - address: ${_param:cluster_vip_address}
- port: 9696
- servers:
- - name: ${_param:cluster_node01_hostname}
- host: ${_param:cluster_node01_address}
- port: 9696
- params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3
- - name: ${_param:cluster_node02_hostname}
- host: ${_param:cluster_node02_address}
- port: 9696
- params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3
- - name: ${_param:cluster_node03_hostname}
- host: ${_param:cluster_node03_address}
- port: 9696
- params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3
diff --git a/neutron/control/openvswitch/single.yml b/neutron/control/openvswitch/single.yml
index da8dee0..450ab07 100644
--- a/neutron/control/openvswitch/single.yml
+++ b/neutron/control/openvswitch/single.yml
@@ -1,5 +1,5 @@
classes:
-- service.neutron.control.single
+- system.neutron.control.single
- system.galera.server.database.neutron
parameters:
_param:
@@ -41,4 +41,4 @@
protocol: ${_param:internal_protocol}
message_queue:
members:
- - host: ${_param:openstack_message_queue_node01_address}
+ - host: ${_param:single_address}
diff --git a/neutron/control/single.yml b/neutron/control/single.yml
index 6ced2f1..4988576 100644
--- a/neutron/control/single.yml
+++ b/neutron/control/single.yml
@@ -17,7 +17,6 @@
server:
role: ${_param:openstack_node_role}
database:
- host: ${_param:single_address}
x509:
enabled: ${_param:openstack_mysql_x509_enabled}
ca_file: ${_param:mysql_neutron_ssl_ca_file}
diff --git a/prometheus/server/init.yml b/prometheus/server/init.yml
index 5d115ac..cd511d4 100644
--- a/prometheus/server/init.yml
+++ b/prometheus/server/init.yml
@@ -2,10 +2,12 @@
_param:
prometheus_server_config_directory: /srv/prometheus
prometheus_server_data_directory: /data
+ prometheus_server_host_config_directory: /srv/volumes/local/prometheus/config
+ prometheus_server_host_data_directory: /srv/volumes/local/prometheus/data
prometheus:
server:
version: 2.0
dir:
- data: /srv/volumes/local/prometheus/data
- config: /srv/volumes/local/prometheus/config
+ data: ${_param:prometheus_server_host_data_directory}
+ config: ${_param:prometheus_server_host_config_directory}
config_in_container: ${_param:prometheus_server_config_directory}
diff --git a/rabbitmq/server/ssl/init.yml b/rabbitmq/server/ssl/init.yml
index 7fefae7..71cc1a7 100644
--- a/rabbitmq/server/ssl/init.yml
+++ b/rabbitmq/server/ssl/init.yml
@@ -4,8 +4,11 @@
parameters:
_param:
rabbitmq_ssl_enabled: true
+ openstack_rabbitmq_x509_enabled: false
rabbitmq_port: 5671 # for non-ssl use 5672 / for ssl 5671
rabbitmq:
server:
ssl:
enabled: ${_param:rabbitmq_ssl_enabled}
+ x509:
+ enabled: ${_param:openstack_rabbitmq_x509_enabled}
diff --git a/salt/minion/cert/mysql/clients/openstack/ironic.yml b/salt/minion/cert/mysql/clients/openstack/ironic.yml
new file mode 100644
index 0000000..fe4aa19
--- /dev/null
+++ b/salt/minion/cert/mysql/clients/openstack/ironic.yml
@@ -0,0 +1,27 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ mysql_ironic_client_ssl_key_file: /etc/ironic/ssl/mysql/client-key.pem
+ mysql_ironic_client_ssl_cert_file: /etc/ironic/ssl/mysql/client-cert.pem
+ mysql_ironic_ssl_ca_file: /etc/ironic/ssl/mysql/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ mysql-ironic-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: mysql-ironic-client
+ signing_policy: cert_client
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:mysql_ironic_client_ssl_key_file}
+ cert_file: ${_param:mysql_ironic_client_ssl_cert_file}
+ ca_file: ${_param:mysql_ironic_ssl_ca_file}
+ user: ironic
+ group: ironic
+ mode: 640
diff --git a/salt/minion/cert/openstack_api.yml b/salt/minion/cert/openstack_api.yml
new file mode 100644
index 0000000..1095f7e
--- /dev/null
+++ b/salt/minion/cert/openstack_api.yml
@@ -0,0 +1,22 @@
+parameters:
+ _param:
+ salt_minion_ca_host: ${linux:network:fqdn}
+ salt_minion_ca_authority: salt_master_ca
+ openstack_api_cert_alternative_names: IP:127.0.0.1,IP:${_param:cluster_local_address},IP:${_param:cluster_vip_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+ openstack_api_cert_key_file: "/etc/ssl/private/openstack_api.key"
+ openstack_api_cert_cert_file: "/etc/ssl/certs/openstack_api.crt"
+ openstack_api_cert_all_file: "/etc/ssl/certs/openstack_api_with_chain.crt"
+ salt:
+ minion:
+ cert:
+ openstack_api:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: openstack_api
+ signing_policy: cert_server
+ alternative_names: ${_param:openstack_api_cert_alternative_names}
+ key_file: ${_param:openstack_api_cert_key_file}
+ cert_file: ${_param:openstack_api_cert_cert_file}
+ all_file: ${_param:openstack_api_cert_all_file}
+ enabled: true
+ engine: salt