Merge "Add 2way sync job for shibboleth formula"
diff --git a/galera/server/database/manila.yml b/galera/server/database/manila.yml
index 3339b83..d233ce9 100644
--- a/galera/server/database/manila.yml
+++ b/galera/server/database/manila.yml
@@ -1,4 +1,6 @@
parameters:
+ _param:
+ mysql_manila_ssl_option: []
mysql:
server:
database:
@@ -9,7 +11,9 @@
password: ${_param:mysql_manila_password}
host: '%'
rights: all
+ ssl_option: ${_param:mysql_manila_ssl_option}
- name: manila
password: ${_param:mysql_manila_password}
host: ${_param:cluster_local_address}
rights: all
+ ssl_option: ${_param:mysql_manila_ssl_option}
diff --git a/galera/server/database/ssl/manila.yml b/galera/server/database/ssl/manila.yml
new file mode 100644
index 0000000..c3b30dd
--- /dev/null
+++ b/galera/server/database/ssl/manila.yml
@@ -0,0 +1,4 @@
+parameters:
+ _param:
+ mysql_manila_ssl_option:
+ - SSL: True
\ No newline at end of file
diff --git a/galera/server/database/ssl/panko.yml b/galera/server/database/ssl/panko.yml
new file mode 100644
index 0000000..ce1c504
--- /dev/null
+++ b/galera/server/database/ssl/panko.yml
@@ -0,0 +1,4 @@
+parameters:
+ _param:
+ mysql_panko_ssl_option:
+ - SSL: True
\ No newline at end of file
diff --git a/galera/server/database/x509/manila.yml b/galera/server/database/x509/manila.yml
new file mode 100644
index 0000000..15e6c88
--- /dev/null
+++ b/galera/server/database/x509/manila.yml
@@ -0,0 +1,7 @@
+parameters:
+ _param:
+ mysql_manila_client_ssl_x509_subject: '/C=cz/CN=mysql-manila-client/L=Prague/O=Mirantis'
+ mysql_manila_client_ssl_x509_issuer: '/C=cz/CN=Salt Master CA/L=Prague/O=Mirantis'
+ mysql_manila_ssl_option:
+ - SUBJECT: ${_param:mysql_manila_client_ssl_x509_subject}
+ - ISSUER: ${_param:mysql_manila_client_ssl_x509_issuer}
\ No newline at end of file
diff --git a/galera/server/database/x509/panko.yml b/galera/server/database/x509/panko.yml
new file mode 100644
index 0000000..15c37bf
--- /dev/null
+++ b/galera/server/database/x509/panko.yml
@@ -0,0 +1,7 @@
+parameters:
+ _param:
+ mysql_panko_client_ssl_x509_subject: '/C=cz/CN=mysql-panko-client/L=Prague/O=Mirantis'
+ mysql_panko_client_ssl_x509_issuer: '/C=cz/CN=Salt Master CA/L=Prague/O=Mirantis'
+ mysql_panko_ssl_option:
+ - SUBJECT: ${_param:mysql_panko_client_ssl_x509_subject}
+ - ISSUER: ${_param:mysql_panko_client_ssl_x509_issuer}
\ No newline at end of file
diff --git a/jenkins/client/job/deploy/update/upgrade.yml b/jenkins/client/job/deploy/update/upgrade.yml
index 01fdf2a..f4f5630 100644
--- a/jenkins/client/job/deploy/update/upgrade.yml
+++ b/jenkins/client/job/deploy/update/upgrade.yml
@@ -29,27 +29,19 @@
SALT_MASTER_CREDENTIALS:
type: string
default: "salt"
- STAGE_TEST_UPGRADE:
- type: boolean
- default: 'true'
- description: "Test if syncdb and APIs succeed"
- STAGE_REAL_UPGRADE:
- type: boolean
- default: 'true'
- description: "Run real control upgrade"
- STAGE_ROLLBACK_UPGRADE:
- type: boolean
- default: 'true'
- description: "Rollback if control upgrade fails"
- OPERATING_SYSTEM_RELEASE_UPGRADE:
+ OS_DIST_UPGRADE:
type: boolean
default: 'false'
- description: "Set to true if operating system release upgrade is desired. For ex. from Ubuntu 14.04 currently running on ctl and prx nodes to Ubuntu 16.04"
- SKIP_VM_RELAUNCH:
+ description: "Upgrade system packages including kernel (apt-get dist-upgrade)"
+ OS_UPGRADE:
type: boolean
default: 'false'
- description: "Set to true if vms should not be recreated"
+ description: "Upgrade all installed applications (apt-get upgrade)"
INTERACTIVE:
type: boolean
default: 'true'
description: "Ask interactive questions during pipeline run (bool)"
+ TARGET_SERVERS:
+ type: string
+ default: 'ctl*'
+ description: "Salt compound expression to get control servers to upgrade."
diff --git a/jenkins/client/job/deploy/update/upgrade_compute.yml b/jenkins/client/job/deploy/update/upgrade_compute.yml
index 706863d..b4628fa 100644
--- a/jenkins/client/job/deploy/update/upgrade_compute.yml
+++ b/jenkins/client/job/deploy/update/upgrade_compute.yml
@@ -21,7 +21,7 @@
url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
branch: "${_param:jenkins_pipelines_branch}"
credentials: "gerrit"
- script: openstack-compute-upgrade.groovy
+ script: openstack-data-upgrade.groovy
param:
SALT_MASTER_URL:
type: string
@@ -29,18 +29,19 @@
SALT_MASTER_CREDENTIALS:
type: string
default: "salt"
- TARGET_SERVERS:
- type: string
- default: "cmp*"
- description: Salt compound target to match nodes to be updated [*, G@osfamily:debian].
- TARGET_SUBSET_TEST:
- type: string
- description: Number of nodes to list package updates, empty string means all targetted nodes.
- TARGET_SUBSET_LIVE:
- type: string
- default: '1'
- description: Number of selected nodes to live apply upgrade.
+ OS_DIST_UPGRADE:
+ type: boolean
+ default: 'false'
+ description: "Upgrade system packages including kernel (apt-get dist-upgrade)"
+ OS_UPGRADE:
+ type: boolean
+ default: 'false'
+ description: "Upgrade all installed applications (apt-get upgrade)"
INTERACTIVE:
type: boolean
default: 'true'
description: "Ask interactive questions during pipeline run (bool)"
+ TARGET_SERVERS:
+ type: string
+ default: 'cmp*'
+ description: "Salt compound expression to get control servers to upgrade."
diff --git a/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml b/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
index b0c92b7..4753cea 100644
--- a/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
+++ b/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
@@ -21,7 +21,7 @@
url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
branch: "${_param:jenkins_pipelines_branch}"
credentials: "gerrit"
- script: ovs-gateway-upgrade.groovy
+ script: openstack-data-upgrade.groovy
param:
SALT_MASTER_URL:
type: string
@@ -29,18 +29,19 @@
SALT_MASTER_CREDENTIALS:
type: string
default: "salt"
- TARGET_SERVERS:
- type: string
- default: "gtw*"
- description: Salt compound target to match nodes to be updated [*, G@osfamily:debian].
- TARGET_SUBSET_TEST:
- type: string
- description: Number of nodes to list package updates, empty string means all targetted nodes.
- TARGET_SUBSET_LIVE:
- type: string
- default: '1'
- description: Number of selected nodes to live apply upgrade.
+ OS_DIST_UPGRADE:
+ type: boolean
+ default: 'false'
+ description: "Upgrade system packages including kernel (apt-get dist-upgrade)"
+ OS_UPGRADE:
+ type: boolean
+ default: 'false'
+ description: "Upgrade all installed applications (apt-get upgrade)"
INTERACTIVE:
type: boolean
default: 'true'
description: "Ask interactive questions during pipeline run (bool)"
+ TARGET_SERVERS:
+ type: string
+ default: 'ctl*'
+ description: "Salt compound expression to get control servers to upgrade."
diff --git a/jenkins/client/job/salt-models/tests.yml b/jenkins/client/job/salt-models/tests.yml
index 983a88b..145cfa9 100644
--- a/jenkins/client/job/salt-models/tests.yml
+++ b/jenkins/client/job/salt-models/tests.yml
@@ -272,37 +272,39 @@
COOKIECUTTER_TEMPLATE_URL:
type: string
default: "${_param:jenkins_gerrit_url}/mk/{{cookiecutter_template}}"
- CREDENTIALS_ID:
- type: string
- default: gerrit
COOKIECUTTER_TEMPLATE_BRANCH:
type: string
default: master
- RECLASS_MODEL_URL:
+ description: "Those variable will be ignored, in case gerritTrigger=>GERRIT_BRANCH"
+ COOKIECUTTER_TEMPLATE_REF:
+ type: string
+ default: ""
+ description: "Example: refs/changes/49/25549/1"
+ RECLASS_SYSTEM_URL:
type: string
default: "${_param:jenkins_gerrit_url}/salt-models/reclass-system"
- RECLASS_MODEL_BRANCH:
+ RECLASS_SYSTEM_BRANCH:
type: string
default: master
+ description: "Those variable will be ignored, in case gerritTrigger=>GERRIT_BRANCH"
+ RECLASS_SYSTEM_GIT_REF:
+ type: string
+ default: ""
+ description: "Example: refs/changes/49/25549/1"
DISTRIB_REVISION:
type: string
default: 'nightly'
- SYSTEM_GIT_URL:
- type: string
- default: ""
- SYSTEM_GIT_REF:
- type: string
- default: ""
- PARALLEL_NODE_GROUP_SIZE:
- type: string
- default: "1"
+ description: "Those variable will be ignored, in case gerritTrigger=>GERRIT_BRANCH. Version of bin-artifacts,passed to test-env"
EXTRA_FORMULAS:
type: string
- default: "aptly artifactory auditd backupninja collectd devops-portal docker elasticsearch fluentd freeipa gerrit glusterfs grafana haproxy heka horizon influxdb jenkins keepalived kibana libvirt maas memcached mysql nginx ntp openldap openssh postfix prometheus rsync rsyslog rundeck sensu sphinx telegraf xtrabackup watchdog logrotate"
+ default: "aptly artifactory auditd backupninja collectd devops-portal docker elasticsearch fluentd freeipa gerrit glusterfs grafana haproxy heka horizon influxdb jenkins keepalived kibana libvirt maas memcached mysql nginx ntp openldap openscap openssh postfix prometheus rsync rsyslog rundeck sensu sphinx telegraf xtrabackup watchdog logrotate"
RECLASS_VERSION:
type: string
default: 'v1.5.4'
- description: "Version (branch) of Reclass we will use"
+ description: "Version (branch) of reclass PACKAGE we will use"
+ CREDENTIALS_ID:
+ type: string
+ default: gerrit
job:
test-salt-model-node:
name: test-salt-model-node
@@ -385,7 +387,7 @@
build:
keep_num: 300
artifact:
- keep_num: 30
+ keep_num: 300
type: workflow-scm
concurrent: true
plugin_properties:
@@ -402,5 +404,5 @@
script: test-cookiecutter-reclass-chunk.groovy
param:
EXTRA_VARIABLES_YAML:
- type: string
+ type: text
default: ""
diff --git a/manila/common/cluster.yml b/manila/common/cluster.yml
index d71364e..31024f2 100644
--- a/manila/common/cluster.yml
+++ b/manila/common/cluster.yml
@@ -1,8 +1,12 @@
classes:
- - service.manila.common.cluster
- - service.haproxy.proxy.single
- - system.haproxy.proxy.listen.openstack.manila
+- service.manila.common.cluster
+- service.haproxy.proxy.single
+- system.haproxy.proxy.listen.openstack.manila
+- system.salt.minion.cert.mysql.clients.openstack.manila
parameters:
+ _param:
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
manila:
common:
version: ${_param:openstack_version}
@@ -20,6 +24,13 @@
name: manila
user: manila
password: ${_param:mysql_manila_password}
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_manila_ssl_ca_file}
+ key_file: ${_param:mysql_manila_client_ssl_key_file}
+ cert_file: ${_param:mysql_manila_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
identity:
engine: keystone
region: ${_param:openstack_region}
diff --git a/manila/common/single.yml b/manila/common/single.yml
index 1b139c2..f9d8c6e 100644
--- a/manila/common/single.yml
+++ b/manila/common/single.yml
@@ -1,6 +1,10 @@
classes:
- - service.manila.common.single
+- service.manila.common.single
+- system.salt.minion.cert.mysql.clients.openstack.manila
parameters:
+ _param:
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
manila:
common:
version: ${_param:openstack_version}
@@ -18,6 +22,13 @@
name: manila
user: manila
password: ${_param:mysql_manila_password}
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_manila_ssl_ca_file}
+ key_file: ${_param:mysql_manila_client_ssl_key_file}
+ cert_file: ${_param:mysql_manila_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
identity:
engine: keystone
region: ${_param:openstack_region}
diff --git a/manila/control/single.yml b/manila/control/single.yml
index 262a158..b2036d3 100644
--- a/manila/control/single.yml
+++ b/manila/control/single.yml
@@ -2,11 +2,14 @@
- system.manila.common.cluster
- system.apache.server.site.manila
parameters:
+ _param:
+ openstack_node_role: primary
manila:
common:
dhss: false
version: ${_param:openstack_version}
api:
+ role: ${_param:openstack_node_role}
enabled: true
version: ${_param:openstack_version}
role: ${_param:openstack_node_role}
diff --git a/neutron/control/openvswitch/single.yml b/neutron/control/openvswitch/single.yml
index baa710e..da8dee0 100644
--- a/neutron/control/openvswitch/single.yml
+++ b/neutron/control/openvswitch/single.yml
@@ -13,8 +13,10 @@
neutron_enable_bgp_vpn: False
neutron_bgp_vpn_driver: bagpipe
internal_protocol: 'http'
+ openstack_node_role: primary
neutron:
server:
+ role: ${_param:openstack_node_role}
global_physnet_mtu: ${_param:neutron_global_physnet_mtu}
l3_ha: ${_param:neutron_l3_ha}
dvr: ${_param:neutron_control_dvr}
diff --git a/openscap/server/init.yml b/openscap/server/init.yml
new file mode 100644
index 0000000..0f2a76f
--- /dev/null
+++ b/openscap/server/init.yml
@@ -0,0 +1,2 @@
+classes:
+- service.openscap.cis
diff --git a/panko/server/cluster.yml b/panko/server/cluster.yml
index 3a4cb65..9715456 100644
--- a/panko/server/cluster.yml
+++ b/panko/server/cluster.yml
@@ -4,6 +4,7 @@
- system.apache.server.site.panko
- system.haproxy.proxy.listen.openstack.panko
- system.keepalived.cluster.instance.openstack_telemetry_vip
+- system.salt.minion.cert.mysql.clients.openstack.panko
parameters:
_param:
panko_memcached_node01_address: ${_param:cluster_node01_address}
@@ -11,6 +12,8 @@
panko_memcached_node03_address: ${_param:cluster_node03_address}
# Keep events in database for 30 days
panko_event_time_to_live: 2592000
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
linux:
system:
cron:
@@ -25,6 +28,13 @@
host: ${_param:openstack_control_address}
database:
host: ${_param:openstack_database_address}
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_panko_ssl_ca_file}
+ key_file: ${_param:mysql_panko_client_ssl_key_file}
+ cert_file: ${_param:mysql_panko_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
cache:
engine: memcached
members:
diff --git a/panko/server/single.yml b/panko/server/single.yml
index 4ba2787..cb1a449 100644
--- a/panko/server/single.yml
+++ b/panko/server/single.yml
@@ -1,10 +1,13 @@
classes:
- service.panko.server.single
- system.apache.server.site.panko
+- system.salt.minion.cert.mysql.clients.openstack.panko
parameters:
_param:
# Keep events in database for 30 days
panko_event_time_to_live: 2592000
+ openstack_mysql_x509_enabled: False
+ galera_ssl_enabled: False
linux:
system:
cron:
@@ -13,6 +16,14 @@
enabled: true
panko:
server:
+ database:
+ x509:
+ enabled: ${_param:openstack_mysql_x509_enabled}
+ ca_file: ${_param:mysql_panko_ssl_ca_file}
+ key_file: ${_param:mysql_panko_client_ssl_key_file}
+ cert_file: ${_param:mysql_panko_client_ssl_cert_file}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
role: ${_param:openstack_node_role}
event_time_to_live: ${_param:panko_event_time_to_live}
# Check for expired events every day at 2 AM
diff --git a/salt/control/placement/stacklight/medium.yml b/salt/control/placement/stacklight/medium.yml
index 7f54f4d..7f35fe9 100644
--- a/salt/control/placement/stacklight/medium.yml
+++ b/salt/control/placement/stacklight/medium.yml
@@ -37,7 +37,7 @@
image: ${_param:salt_control_xenial_image}
provider: ${_param:infra_kvm_node10_hostname}.${_param:cluster_domain}
size: stacklight.log
- lop02:
+ log02:
name: ${_param:stacklight_log_node02_hostname}
image: ${_param:salt_control_xenial_image}
provider: ${_param:infra_kvm_node11_hostname}.${_param:cluster_domain}
@@ -61,4 +61,4 @@
name: ${_param:stacklight_monitor_node03_hostname}
image: ${_param:salt_control_xenial_image}
provider: ${_param:infra_kvm_node12_hostname}.${_param:cluster_domain}
- size: stacklight.server
\ No newline at end of file
+ size: stacklight.server
diff --git a/salt/master/formula/git/openscap.yml b/salt/master/formula/git/openscap.yml
new file mode 100644
index 0000000..a091ffe
--- /dev/null
+++ b/salt/master/formula/git/openscap.yml
@@ -0,0 +1,10 @@
+parameters:
+ salt:
+ master:
+ environment:
+ dev:
+ formula:
+ openscap:
+ source: git
+ address: '${_param:salt_master_environment_repository}/salt-formula-openscap.git'
+ revision: ${_param:salt_master_environment_revision}
diff --git a/salt/master/formula/pkg/openscap.yml b/salt/master/formula/pkg/openscap.yml
new file mode 100644
index 0000000..ebb6e86
--- /dev/null
+++ b/salt/master/formula/pkg/openscap.yml
@@ -0,0 +1,9 @@
+parameters:
+ salt:
+ master:
+ environment:
+ prd:
+ formula:
+ openscap:
+ source: pkg
+ name: salt-formula-openscap
diff --git a/salt/minion/cert/mysql/clients/openstack/manila.yml b/salt/minion/cert/mysql/clients/openstack/manila.yml
new file mode 100644
index 0000000..a1ca797
--- /dev/null
+++ b/salt/minion/cert/mysql/clients/openstack/manila.yml
@@ -0,0 +1,27 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ mysql_manila_client_ssl_key_file: /etc/manila/ssl/mysql/client-key.pem
+ mysql_manila_client_ssl_cert_file: /etc/manila/ssl/mysql/client-cert.pem
+ mysql_manila_ssl_ca_file: /etc/manila/ssl/mysql/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ mysql-manila-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: mysql-manila-client
+ signing_policy: cert_client
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:mysql_manila_client_ssl_key_file}
+ cert_file: ${_param:mysql_manila_client_ssl_cert_file}
+ ca_file: ${_param:mysql_manila_ssl_ca_file}
+ user: manila
+ group: manila
+ mode: 640
diff --git a/salt/minion/cert/mysql/clients/openstack/panko.yml b/salt/minion/cert/mysql/clients/openstack/panko.yml
new file mode 100644
index 0000000..0593ae2
--- /dev/null
+++ b/salt/minion/cert/mysql/clients/openstack/panko.yml
@@ -0,0 +1,27 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ salt_minion_ca_authority: salt_master_ca
+ mysql_panko_client_ssl_key_file: /etc/panko/ssl/mysql/client-key.pem
+ mysql_panko_client_ssl_cert_file: /etc/panko/ssl/mysql/client-cert.pem
+ mysql_panko_ssl_ca_file: /etc/panko/ssl/mysql/ca-cert.pem
+ salt:
+ minion:
+ cert:
+ mysql-panko-client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: mysql-panko-client
+ signing_policy: cert_client
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:mysql_panko_client_ssl_key_file}
+ cert_file: ${_param:mysql_panko_client_ssl_cert_file}
+ ca_file: ${_param:mysql_panko_ssl_ca_file}
+ user: panko
+ group: panko
+ mode: 640