Merge "[CVP] Remove 2 default parameters from cvp-tempest, rename job"
diff --git a/defaults/openstack/init.yml b/defaults/openstack/init.yml
index 2e6362d..0e940a0 100644
--- a/defaults/openstack/init.yml
+++ b/defaults/openstack/init.yml
@@ -26,6 +26,8 @@
openstack_rabbitmq_x509_enabled: False
# RabbitMQ
rabbitmq_upgrade_enabled: ${_param:openstack_upgrade_enabled}
+ # Galera
+ galera_upgrade_enabled: ${_param:openstack_upgrade_enabled}
# Openstack memcache
openstack_memcached_server_bind_address: 0.0.0.0
openstack_memcache_security_enabled: False
diff --git a/docker/swarm/stack/gerrit.yml b/docker/swarm/stack/gerrit.yml
index c164d75..ed90acf 100644
--- a/docker/swarm/stack/gerrit.yml
+++ b/docker/swarm/stack/gerrit.yml
@@ -27,6 +27,7 @@
- ${_param:gerrit_ssh_publish_port}:29418
volumes:
- /srv/volumes/gerrit:/var/gerrit/review_site
+ - /etc/ssl/certs/java/cacerts:/etc/ssl/certs/java/cacerts:ro
depends_on:
- db
environment:
@@ -50,7 +51,7 @@
GERRIT_ADMIN_PWD: ${_param:gerrit_admin_password}
GERRIT_ADMIN_EMAIL: ${_param:gerrit_admin_email}
CANLOADINIFRAME: "true"
- JAVA_OPTIONS: ${_param:gerrit_extra_opts}
+ JAVA_OPTIONS: "-Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts ${_param:gerrit_extra_opts}"
https_proxy: ${_param:docker_https_proxy}
http_proxy: ${_param:docker_http_proxy}
no_proxy: ${_param:docker_no_proxy}
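Review bot: The new `JAVA_OPTIONS` value hard-codes `-Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts` with no comment that this replaces the JVM's bundled trust store with the host file bind-mounted read-only in the previous hunk. Every TLS endpoint Gerrit connects to is then trusted only if its CA is in the host's cacerts, so that file's contents and update path become part of the trust boundary. I would add a comment above the line, for example `# trust store is the host's Java cacerts (mounted :ro); it must contain the internal CA`, and the same next to the identical flag added to `JAVA_OPTS` in docker/swarm/stack/jenkins/master.yml. Because `${_param:gerrit_extra_opts}` is appended after it, a second trustStore flag in that parameter would presumably take precedence; worth stating whether that override is intended.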
diff --git a/docker/swarm/stack/jenkins/master.yml b/docker/swarm/stack/jenkins/master.yml
index 921f111..6ec6afb 100644
--- a/docker/swarm/stack/jenkins/master.yml
+++ b/docker/swarm/stack/jenkins/master.yml
@@ -17,7 +17,7 @@
master:
environment:
JENKINS_HOME: ${_param:jenkins_home_dir_path}
- JAVA_OPTS: " -server -XX:+AlwaysPreTouch -Xloggc:${_param:jenkins_home_dir_path}/gc-%t.log -XX:NumberOfGCLogFiles=5 -XX:+UseGCLogFileRotation -XX:GCLogFileSize=20m -XX:+PrintGC -XX:+PrintGCDateStamps -XX:+PrintGCDetails -XX:+PrintHeapAtGC -XX:+PrintGCCause -XX:+PrintTenuringDistribution -XX:+PrintReferenceGC -XX:+PrintAdaptiveSizePolicy -XX:+UseG1GC -XX:+ExplicitGCInvokesConcurrent -XX:+ParallelRefProcEnabled -XX:+UseStringDeduplication -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=20 -XX:+UseCGroupMemoryLimitForHeap -XX:+UnlockDiagnosticVMOptions -XX:G1SummarizeRSetStatsPeriod=1 -Djenkins.install.runSetupWizard=false -Dhudson.DNSMultiCast.disabled=true -Dhudson.udp=-1 -Dhudson.footerURL=https://www.mirantis.com ${_param:jenkins_master_extra_opts}"
+ JAVA_OPTS: " -server -XX:+AlwaysPreTouch -Xloggc:${_param:jenkins_home_dir_path}/gc-%t.log -XX:NumberOfGCLogFiles=5 -XX:+UseGCLogFileRotation -XX:GCLogFileSize=20m -XX:+PrintGC -XX:+PrintGCDateStamps -XX:+PrintGCDetails -XX:+PrintHeapAtGC -XX:+PrintGCCause -XX:+PrintTenuringDistribution -XX:+PrintReferenceGC -XX:+PrintAdaptiveSizePolicy -XX:+UseG1GC -XX:+ExplicitGCInvokesConcurrent -XX:+ParallelRefProcEnabled -XX:+UseStringDeduplication -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=20 -XX:+UseCGroupMemoryLimitForHeap -XX:+UnlockDiagnosticVMOptions -XX:G1SummarizeRSetStatsPeriod=1 -Djenkins.install.runSetupWizard=false -Dhudson.DNSMultiCast.disabled=true -Dhudson.udp=-1 -Dhudson.footerURL=https://www.mirantis.com -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts ${_param:jenkins_master_extra_opts}"
JENKINS_NUM_EXECUTORS: ${_param:jenkins_master_executors_num}
JENKINS_OPTS: " --handlerCountMax=${_param:jenkins_master_max_concurent_requests}"
https_proxy: ${_param:docker_https_proxy}
diff --git a/docker/swarm/stack/ldap.yml b/docker/swarm/stack/ldap.yml
index b785711..1e12a4a 100644
--- a/docker/swarm/stack/ldap.yml
+++ b/docker/swarm/stack/ldap.yml
@@ -21,13 +21,24 @@
volumes:
- /srv/volumes/openldap/database:/var/lib/ldap
- /srv/volumes/openldap/config:/etc/ldap/slapd.d
+ - ${_param:openldap_tls:keyfile}:/container/service/slapd/assets/certs/drivetrain_ldap.key:ro
+ - ${_param:openldap_tls:certfile}:/container/service/slapd/assets/certs/drivetrain_ldap.crt:ro
+ - /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:/container/service/slapd/assets/certs/ca.crt:ro
+ # copy to /container/run/service to avoid issues with owning certs as openldap user
+ # https://github.com/osixia/docker-openldap/issues/59
+ command: --copy-service
environment:
HOSTNAME: ldap01.${_param:openldap_domain}
LDAP_ORGANISATION: "${_param:openldap_organisation}"
LDAP_DOMAIN: "${_param:openldap_domain}"
LDAP_ADMIN_PASSWORD: ${_param:openldap_admin_password}
LDAP_CONFIG_PASSWORD: ${_param:openldap_config_password}
- LDAP_TLS: "false"
+ LDAP_TLS: "true"
+ LDAP_TLS_VERIFY_CLIENT: try
+ LDAP_TLS_CIPHER_SUITE: NORMAL:-VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0
+ LDAP_TLS_CRT_FILENAME: drivetrain_ldap.crt
+ LDAP_TLS_KEY_FILENAME: drivetrain_ldap.key
+ LDAP_TLS_CA_CRT_FILENAME: ca.crt
admin:
networks:
- ldap
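Review bot: `LDAP_TLS_CIPHER_SUITE` on the new side explicitly keeps TLS 1.0 and 1.1 enabled (`+VERS-TLS1.1:+VERS-TLS1.0`) on a listener that carries LDAP bind passwords; only SSL 3.0 is removed. Unless a client that cannot negotiate TLS 1.2 is known to exist, I would restrict it to `LDAP_TLS_CIPHER_SUITE: NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2`. `LDAP_TLS_VERIFY_CLIENT: try` is reasonable for password binds but deserves a one-line comment that client certificates are optional by design. The mounted key is `${_param:openldap_tls:keyfile}`, which openldap/client/init.yml in this commit points at a file under /etc/haproxy/ssl, so the same private key appears to be shared by HAProxy and slapd; a dedicated LDAP key pair would limit the impact if either service is compromised. The service definition starts above the hunk.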
@@ -38,9 +49,19 @@
depends_on:
- server
hostname: ldap
+ command: --copy-service
+ volumes:
+ - ${_param:openldap_tls:keyfile}:/container/service/ldap-client/assets/certs/drivetrain_ldap.key:ro
+ - ${_param:openldap_tls:certfile}:/container/service/ldap-client/assets/certs/drivetrain_ldap.crt:ro
+ - /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:/container/service/ldap-client/assets/certs/ca.crt:ro
environment:
PHPLDAPADMIN_LDAP_ADMIN_PASSWORD: ${_param:openldap_admin_password}
- PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'server': [{'server': [{'tls': False}]},{'login': [{'bind_id': 'cn=admin,${_param:openldap_dn}'},{'bind_pass': '$PHPLDAPADMIN_LDAP_ADMIN_PASSWORD'}]}]}]"
+ PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'server': [{'server': [{'host': 'ldaps://${_param:cicd_control_address}', 'tls': False}]},{'login': [{'bind_id': 'cn=admin,${_param:openldap_dn}'},{'bind_pass': '$PHPLDAPADMIN_LDAP_ADMIN_PASSWORD'}]}]}]"
+ PHPLDAPADMIN_LDAP_CLIENT_TLS: "true"
+ PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME: drivetrain_ldap.crt
+ PHPLDAPADMIN_LDAP_CLIENT_TLS_CRT_FILENAME: drivetrain_ldap.key
+ PHPLDAPADMIN_LDAP_CLIENT_TLS_KEY_FILENAME: ca.crt
+ PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT: 'try'
PHPLDAPADMIN_HTTPS: "false"
PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
PHPLDAPADMIN_SERVER_ADMIN: ${_param:admin_email}
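Review bot: The three `PHPLDAPADMIN_LDAP_CLIENT_TLS_*_FILENAME` values look rotated relative to the files mounted just above: the CA slot names `drivetrain_ldap.crt`, the certificate slot names `drivetrain_ldap.key`, and the key slot names `ca.crt`. With that mapping the client would treat the server certificate as its CA and offer the CA file as its private key, so certificate verification would presumably not work as intended. I would change them to `PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME: ca.crt`, `PHPLDAPADMIN_LDAP_CLIENT_TLS_CRT_FILENAME: drivetrain_ldap.crt` and `PHPLDAPADMIN_LDAP_CLIENT_TLS_KEY_FILENAME: drivetrain_ldap.key`, matching the `LDAP_TLS_*` names used for the server in the previous hunk. Once the CA file is correct, `PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT: 'demand'` would make a missing or invalid server certificate a hard failure rather than tolerating an absent one.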
diff --git a/docker/swarm/stack/monitoring/pushgateway.yml b/docker/swarm/stack/monitoring/pushgateway.yml
index 461eb0b..582dc93 100644
--- a/docker/swarm/stack/monitoring/pushgateway.yml
+++ b/docker/swarm/stack/monitoring/pushgateway.yml
@@ -15,7 +15,7 @@
networks:
- monitoring
deploy:
- replicas: 2
+ replicas: 1
labels:
com.mirantis.monitoring: "pushgateway"
restart_policy:
diff --git a/galera/server/cluster.yml b/galera/server/cluster.yml
index e215910..a4b3f0a 100644
--- a/galera/server/cluster.yml
+++ b/galera/server/cluster.yml
@@ -2,3 +2,4 @@
- service.haproxy.proxy.single
- system.haproxy.proxy.listen.openstack.galera
- system.keepalived.cluster.instance.galera_vip
+- system.galera.upgrade
diff --git a/galera/upgrade/init.yml b/galera/upgrade/init.yml
new file mode 100644
index 0000000..dd49ff2
--- /dev/null
+++ b/galera/upgrade/init.yml
@@ -0,0 +1,4 @@
+parameters:
+ galera:
+ upgrade:
+ enabled: ${_param:galera_upgrade_enabled}
diff --git a/haproxy/proxy/listen/openstack/heat.yml b/haproxy/proxy/listen/openstack/heat.yml
index 649ce99..708c97a 100644
--- a/haproxy/proxy/listen/openstack/heat.yml
+++ b/haproxy/proxy/listen/openstack/heat.yml
@@ -29,6 +29,9 @@
heat_api:
type: openstack-service
service_name: heat
+ timeout:
+ client: '2m'
+ server: '2m'
binds:
- address: ${_param:cluster_vip_address}
port: 8004
diff --git a/haproxy/proxy/listen/openstack/heat_large.yml b/haproxy/proxy/listen/openstack/heat_large.yml
index 899a691..d23947a 100644
--- a/haproxy/proxy/listen/openstack/heat_large.yml
+++ b/haproxy/proxy/listen/openstack/heat_large.yml
@@ -37,6 +37,9 @@
heat_api:
type: openstack-service
service_name: heat
+ timeout:
+ client: '2m'
+ server: '2m'
binds:
- address: ${_param:cluster_vip_address}
port: 8004
diff --git a/haproxy/proxy/listen/phpldapadmin.yml b/haproxy/proxy/listen/phpldapadmin.yml
index b2b7f93..6bbb885 100644
--- a/haproxy/proxy/listen/phpldapadmin.yml
+++ b/haproxy/proxy/listen/phpldapadmin.yml
@@ -2,6 +2,9 @@
_param:
haproxy_phpldapadmin_bind_host: ${_param:haproxy_bind_address}
haproxy_phpldapadmin_bind_port: 8089
+ haproxy_phpldapadmin_ssl:
+ enabled: true
+ pem_file: /etc/haproxy/ssl/drivetrain.pem
haproxy:
proxy:
listen:
@@ -12,9 +15,13 @@
- httpclose
- httplog
balance: source
+ http_request:
+ - action: "add-header X-Forwarded-Proto https"
+ condition: "if { ssl_fc }"
binds:
- address: ${_param:haproxy_phpldapadmin_bind_host}
port: ${_param:haproxy_phpldapadmin_bind_port}
+ ssl: ${_param:haproxy_phpldapadmin_ssl}
servers:
- name: ${_param:cluster_node01_name}
host: ${_param:cluster_node01_address}
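Review bot: `add-header X-Forwarded-Proto https` appends to whatever the client already sent, so a request that arrives with its own `X-Forwarded-Proto` reaches phpLDAPadmin carrying two values. The backend is started with `PHPLDAPADMIN_TRUST_PROXY_SSL: "true"` in docker/swarm/stack/ldap.yml, so it relies on this header; `- action: "set-header X-Forwarded-Proto https"` overwrites any client-supplied value instead. The `listen` block starts above the hunk and continues past it.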
diff --git a/jenkins/client/credential/source_git.yml b/jenkins/client/credential/source_git.yml
new file mode 100644
index 0000000..ec350f0
--- /dev/null
+++ b/jenkins/client/credential/source_git.yml
@@ -0,0 +1,10 @@
+parameters:
+ _param:
+ pipeline_library_source_credentials: source_git
+ jenkins:
+ client:
+ credential:
+ source_git:
+ desc: Credentials to source git repositories for pipelines
+ username: ${_param:source_git_username}
+ password: ${_param:source_git_password}
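Review bot: This new class has no comment saying where `source_git_username` and `source_git_password` are expected to come from, and it defines no defaults for them. A short header stating that both must be supplied by the deployment's secret storage rather than written into the model as literals, e.g. `# source_git_password must come from an encrypted source, never a literal in this repo`, would help whoever enables it. Including the class also sets `pipeline_library_source_credentials: source_git`, which git-mirrors/downstream/pipelines.yml in this commit propagates to the mk-pipelines and vnf mirror credentials; that side effect is worth one line as well.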
diff --git a/jenkins/client/job/deploy/backupninja_backup.yml b/jenkins/client/job/deploy/backupninja_backup.yml
index 881934a..ab5caf0 100644
--- a/jenkins/client/job/deploy/backupninja_backup.yml
+++ b/jenkins/client/job/deploy/backupninja_backup.yml
@@ -14,7 +14,7 @@
type: git
url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
branch: "${_param:jenkins_pipelines_branch}"
- credentials: ${_param:jenkins_gerrit_credentials}
+ credentials: "${_param:jenkins_gerrit_credentials}"
script: backupninja-backup-pipeline.groovy
param:
SALT_MASTER_CREDENTIALS:
diff --git a/jenkins/client/job/deploy/backupninja_restore.yml b/jenkins/client/job/deploy/backupninja_restore.yml
index 7769425..192f5dc 100644
--- a/jenkins/client/job/deploy/backupninja_restore.yml
+++ b/jenkins/client/job/deploy/backupninja_restore.yml
@@ -15,7 +15,7 @@
type: git
url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
branch: "${_param:jenkins_pipelines_branch}"
- credentials: ${_param:jenkins_gerrit_credentials}
+ credentials: "${_param:jenkins_gerrit_credentials}"
script: backupninja-restore-pipeline.groovy
param:
SALT_MASTER_CREDENTIALS:
diff --git a/jenkins/client/job/deploy/kqueen.yml b/jenkins/client/job/deploy/kqueen.yml
index 1935a43..ff4a35f 100644
--- a/jenkins/client/job/deploy/kqueen.yml
+++ b/jenkins/client/job/deploy/kqueen.yml
@@ -33,7 +33,7 @@
default: "${_param:jenkins_gerrit_url}/mk/heat-templates"
STACK_TEMPLATE_CREDENTIALS:
type: string
- default: "gerrit"
+ default: ${_param:jenkins_gerrit_credentials}
STACK_TEMPLATE_BRANCH:
type: string
default: "master"
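Review bot: The new `default: ${_param:jenkins_gerrit_credentials}` is left unquoted, while the same reference is quoted in the backupninja jobs and in lab/mom_deploy.yml changed by this commit. This is purely a consistency point, but I would write `default: "${_param:jenkins_gerrit_credentials}"` here, in the second hunk of this file, and for `CREDENTIALS_ID` in git-mirrors/downstream/init.yml. The job definition starts above the hunk.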
@@ -93,7 +93,7 @@
default: "${_param:jenkins_gerrit_url}/mk/heat-templates"
STACK_TEMPLATE_CREDENTIALS:
type: string
- default: "gerrit"
+ default: ${_param:jenkins_gerrit_credentials}
STACK_TEMPLATE_BRANCH:
type: string
default: "master"
diff --git a/jenkins/client/job/deploy/lab/mom_deploy.yml b/jenkins/client/job/deploy/lab/mom_deploy.yml
index c6bbbc5..f03b485 100644
--- a/jenkins/client/job/deploy/lab/mom_deploy.yml
+++ b/jenkins/client/job/deploy/lab/mom_deploy.yml
@@ -100,7 +100,7 @@
default: "master"
STACK_TEMPLATE_CREDENTIALS:
type: string
- default: "gerrit"
+ default: "${_param:jenkins_gerrit_credentials}"
STACK_TEMPLATE_URL:
type: string
default: "${_param:jenkins_gerrit_url}/mk/heat-templates"
diff --git a/jenkins/client/job/deploy/update/init.yml b/jenkins/client/job/deploy/update/init.yml
index 753894e..c7a843f 100644
--- a/jenkins/client/job/deploy/update/init.yml
+++ b/jenkins/client/job/deploy/update/init.yml
@@ -4,6 +4,8 @@
- system.jenkins.client.job.deploy.update.update_mirror_image
- system.jenkins.client.job.deploy.update.update_ceph
- system.jenkins.client.job.deploy.update.upgrade
+ - system.jenkins.client.job.deploy.update.upgrade_rabbitmq
+ - system.jenkins.client.job.deploy.update.upgrade_galera
- system.jenkins.client.job.deploy.update.upgrade_compute
- system.jenkins.client.job.deploy.update.upgrade_mcp_release
- system.jenkins.client.job.deploy.update.upgrade_ovs_gateway
diff --git a/jenkins/client/job/deploy/update/upgrade_galera.yml b/jenkins/client/job/deploy/update/upgrade_galera.yml
new file mode 100644
index 0000000..8864529
--- /dev/null
+++ b/jenkins/client/job/deploy/update/upgrade_galera.yml
@@ -0,0 +1,49 @@
+#
+# Jobs to upgrade Galera packages on given Salt master environment
+#
+parameters:
+ jenkins:
+ client:
+ job:
+ deploy-upgrade-galera:
+ type: workflow-scm
+ concurrent: true
+ discard:
+ build:
+ keep_num: 10
+ artifact:
+ keep_num: 10
+ display_name: "Deploy - upgrade Galera cluster"
+ scm:
+ type: git
+ url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+ branch: "${_param:jenkins_pipelines_branch}"
+ credentials: ${_param:jenkins_gerrit_credentials}
+ script: openstack-galera-upgrade.groovy
+ param:
+ SALT_MASTER_URL:
+ type: string
+ default: "${_param:jenkins_salt_api_url}"
+ SALT_MASTER_CREDENTIALS:
+ type: string
+ default: "salt"
+ SHUTDOWN_CLUSTER:
+ type: boolean
+ default: 'false'
+ description: "Shutdown all mysql instances on target nodes during upgrade"
+ OS_DIST_UPGRADE:
+ type: boolean
+ default: 'false'
+ description: "Upgrade system packages including kernel (apt-get dist-upgrade)"
+ OS_UPGRADE:
+ type: boolean
+ default: 'false'
+ description: "Upgrade all installed applications (apt-get upgrade)"
+ INTERACTIVE:
+ type: boolean
+ default: 'true'
+ description: "Ask interactive questions during pipeline run (bool)"
+ TARGET_SERVERS:
+ type: string
+ default: 'dbs*'
+ description: "Salt compound expression to get mysql servers to upgrade."
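Review bot: `concurrent: true` lets two builds of deploy-upgrade-galera run at the same time against the same `TARGET_SERVERS`, and the job can stop every MySQL instance when `SHUTDOWN_CLUSTER` is set. Unless the pipeline script serialises runs itself (not visible here), `concurrent: false` would be the safer default for a cluster upgrade. Separately, `credentials: ${_param:jenkins_gerrit_credentials}` is unquoted while other job files in this commit quote it, and `SALT_MASTER_CREDENTIALS` hard-codes `"salt"` without a `description` saying which Jenkins credential id it names.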
diff --git a/jenkins/client/job/git-mirrors/downstream/init.yml b/jenkins/client/job/git-mirrors/downstream/init.yml
index 5a6257c..92a3d6d 100644
--- a/jenkins/client/job/git-mirrors/downstream/init.yml
+++ b/jenkins/client/job/git-mirrors/downstream/init.yml
@@ -19,18 +19,21 @@
type: git
url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
branch: "${_param:jenkins_pipelines_branch}"
- credentials: ${_param:jenkins_gerrit_credentials}
+ credentials: "${_param:jenkins_gerrit_credentials}"
script: git-mirror-pipeline.groovy
param:
SOURCE_URL:
type: string
default: "{{upstream}}"
+ SOURCE_CREDENTIALS:
+ type: string
+ default: "{{source_credentials}}"
TARGET_URL:
type: string
default: "${_param:jenkins_gerrit_url}/{{downstream}}"
CREDENTIALS_ID:
type: string
- default: "gerrit"
+ default: ${_param:jenkins_gerrit_credentials}
BRANCHES:
type: string
default: "{{branches}}"
diff --git a/jenkins/client/job/git-mirrors/downstream/pipelines.yml b/jenkins/client/job/git-mirrors/downstream/pipelines.yml
index fbec27c..ea9cbe1 100644
--- a/jenkins/client/job/git-mirrors/downstream/pipelines.yml
+++ b/jenkins/client/job/git-mirrors/downstream/pipelines.yml
@@ -4,12 +4,17 @@
_param:
gerrit_pipeline_library_repo: https://github.com/Mirantis/pipeline-library
gerrit_mk_pipelines_repo: https://github.com/Mirantis/mk-pipelines
+ pipeline_library_source_credentials: ""
+ mk_pipelines_source_credentials: ${_param:pipeline_library_source_credentials}
+ vnf_onboaring_source_credentials: ${_param:pipeline_library_source_credentials}
jenkins_git_mirror_downstream_jobs:
- name: pipeline-library
downstream: mcp-ci/pipeline-library
upstream: "${_param:gerrit_pipeline_library_repo}"
branches: "*"
+ source_credentials: "${_param:pipeline_library_source_credentials}"
- name: mk-pipelines
downstream: mk/mk-pipelines
upstream: "${_param:gerrit_mk_pipelines_repo}"
- branches: "*"
\ No newline at end of file
+ branches: "*"
+ source_credentials: "${_param:mk_pipelines_source_credentials}"
\ No newline at end of file
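Review bot: `vnf_onboaring_source_credentials` is defined in this class but consumed by the mirror lists under vnf_onboarding/, so a node that includes those classes without this one would presumably fail to resolve `${_param:vnf_onboaring_source_credentials}`. Either define a default next to the consumers or note the dependency in a comment here. The empty default `pipeline_library_source_credentials: ""` also deserves a comment on what an empty credentials id means for the mirror job (anonymous fetch is my assumption; the pipeline script is not visible). The file still ends without a trailing newline.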
diff --git a/jenkins/client/job/validate.yml b/jenkins/client/job/validate.yml
index 8cc8728..27b8eea 100644
--- a/jenkins/client/job/validate.yml
+++ b/jenkins/client/job/validate.yml
@@ -417,7 +417,7 @@
default: |
envs:
- tests_set=''
- - image_name='Ubuntu'
+ - image_name=Ubuntu
- networks=10.101.0.0/24
description: 'YAML context with additional parameters. Additional params: HW_NODES, CMP_HOSTS, salt_timeout, skipped_nodes, nova_timeout, iperf_prep_string, IMAGE_SIZE_MB'
cvp-shaker:
diff --git a/nginx/server/proxy/cicd/gerrit.yml b/nginx/server/proxy/cicd/gerrit.yml
index 0baf26c..72d0e12 100644
--- a/nginx/server/proxy/cicd/gerrit.yml
+++ b/nginx/server/proxy/cicd/gerrit.yml
@@ -15,7 +15,7 @@
proxy:
host: ${_param:nginx_proxy_gerrit_server_proxy_host}
port: ${_param:nginx_proxy_gerrit_server_proxy_port}
- protocol: http
+ protocol: https
host:
name: ${_param:nginx_proxy_gerrit_server_site_host}
port: ${_param:nginx_proxy_gerrit_server_site_port}
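Review bot: Switching `protocol` to `https` encrypts the hop from nginx to Gerrit, but nothing in this hunk shows the upstream certificate being verified; nginx does not verify proxied HTTPS upstreams unless `proxy_ssl_verify` and `proxy_ssl_trusted_certificate` are configured. If the nginx formula exposes those settings they should be enabled here with the internal CA; otherwise a comment should state that the backend connection is encrypted but unauthenticated. The same applies to the identical change in nginx/server/proxy/cicd/jenkins.yml. The site definition starts above the hunk, so verification may already be configured outside the visible lines.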
diff --git a/nginx/server/proxy/cicd/jenkins.yml b/nginx/server/proxy/cicd/jenkins.yml
index bd270f2..b348f26 100644
--- a/nginx/server/proxy/cicd/jenkins.yml
+++ b/nginx/server/proxy/cicd/jenkins.yml
@@ -15,7 +15,7 @@
proxy:
host: ${_param:nginx_proxy_jenkins_server_proxy_host}
port: ${_param:nginx_proxy_jenkins_server_proxy_port}
- protocol: http
+ protocol: https
host:
name: ${_param:nginx_proxy_jenkins_server_site_host}
port: ${_param:nginx_proxy_jenkins_server_site_port}
diff --git a/octavia/api/cluster.yml b/octavia/api/cluster.yml
index 31989b0..e698481 100644
--- a/octavia/api/cluster.yml
+++ b/octavia/api/cluster.yml
@@ -11,6 +11,7 @@
bind:
address: ${_param:cluster_local_address}
database:
+ user: ${_param:mysql_octavia_username}
host: ${_param:openstack_database_address}
x509:
enabled: ${_param:openstack_mysql_x509_enabled}
@@ -20,6 +21,7 @@
ssl:
enabled: ${_param:galera_ssl_enabled}
identity:
+ user: ${_param:keystone_octavia_username}
region: ${_param:openstack_region}
protocol: ${_param:cluster_internal_protocol}
message_queue:
diff --git a/octavia/api/single.yml b/octavia/api/single.yml
index c42009d..b359885 100644
--- a/octavia/api/single.yml
+++ b/octavia/api/single.yml
@@ -10,6 +10,7 @@
bind:
address: ${_param:single_address}
database:
+ user: ${_param:mysql_octavia_username}
host: ${_param:openstack_database_address}
x509:
enabled: ${_param:openstack_mysql_x509_enabled}
@@ -19,6 +20,7 @@
ssl:
enabled: ${_param:galera_ssl_enabled}
identity:
+ user: ${_param:keystone_octavia_username}
region: ${_param:openstack_region}
protocol: ${_param:cluster_internal_protocol}
message_queue:
diff --git a/octavia/manager/cluster.yml b/octavia/manager/cluster.yml
index f86dd80..c10e800 100644
--- a/octavia/manager/cluster.yml
+++ b/octavia/manager/cluster.yml
@@ -12,6 +12,7 @@
user: octavia
group: octavia
database:
+ user: ${_param:mysql_octavia_username}
host: ${_param:openstack_database_address}
x509:
enabled: ${_param:openstack_mysql_x509_enabled}
@@ -21,6 +22,7 @@
ssl:
enabled: ${_param:galera_ssl_enabled}
identity:
+ user: ${_param:keystone_octavia_username}
region: ${_param:openstack_region}
protocol: ${_param:cluster_internal_protocol}
message_queue:
diff --git a/octavia/manager/single.yml b/octavia/manager/single.yml
index e1e356b..51671eb 100644
--- a/octavia/manager/single.yml
+++ b/octavia/manager/single.yml
@@ -17,6 +17,7 @@
user: octavia
group: octavia
database:
+ user: ${_param:mysql_octavia_username}
host: ${_param:openstack_database_address}
x509:
enabled: ${_param:openstack_mysql_x509_enabled}
@@ -26,6 +27,7 @@
ssl:
enabled: ${_param:galera_ssl_enabled}
identity:
+ user: ${_param:keystone_octavia_username}
region: ${_param:openstack_region}
protocol: ${_param:cluster_internal_protocol}
message_queue:
diff --git a/opencontrail/control/analytics4_0.yml b/opencontrail/control/analytics4_0.yml
index 19fefcc..91868d3 100644
--- a/opencontrail/control/analytics4_0.yml
+++ b/opencontrail/control/analytics4_0.yml
@@ -94,6 +94,7 @@
- /var/crashes:/var/crashes
- /var/log/contrail:/var/log/contrail
- /var/log/journal/contrail-analytics:/var/log/journal
+ - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
env_file:
- contrail.env
analyticsdb:
@@ -117,6 +118,7 @@
- /var/log/journal/contrail-analyticsdb:/var/log/journal
- ${_param:opencontrail_host_analyticsdb_log_dir}/cassandra:${_param:opencontrail_cassandra_log_dir}
- ${_param:opencontrail_host_analyticsdb_log_dir}/zookeeper:${_param:opencontrail_zookeeper_log_dir}
+ - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
network_mode: "host"
privileged: true
restart: always
diff --git a/opencontrail/control/cluster4_0.yml b/opencontrail/control/cluster4_0.yml
index 6859b9c..bbba05c 100644
--- a/opencontrail/control/cluster4_0.yml
+++ b/opencontrail/control/cluster4_0.yml
@@ -162,6 +162,7 @@
- /var/log/journal/contrail-controller:/var/log/journal
- ${_param:opencontrail_host_configdb_log_dir}/cassandra:${_param:opencontrail_cassandra_log_dir}
- ${_param:opencontrail_host_configdb_log_dir}/zookeeper:${_param:opencontrail_zookeeper_log_dir}
+ - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
network_mode: "host"
privileged: true
restart: always
@@ -178,6 +179,7 @@
- /etc/redis/redis.conf:/etc/redis/redis.conf
- /var/log/contrail:/var/log/contrail
- /var/log/journal/contrail-analytics:/var/log/journal
+ - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
env_file:
- contrail.env
analyticsdb:
@@ -201,6 +203,7 @@
- /var/log/journal/contrail-analyticsdb:/var/log/journal
- ${_param:opencontrail_host_analyticsdb_log_dir}/cassandra:${_param:opencontrail_cassandra_log_dir}
- ${_param:opencontrail_host_analyticsdb_log_dir}/zookeeper:${_param:opencontrail_zookeeper_log_dir}
+ - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
network_mode: "host"
privileged: true
restart: always
diff --git a/opencontrail/control/control4_0.yml b/opencontrail/control/control4_0.yml
index bc37f8e..67c91e2 100644
--- a/opencontrail/control/control4_0.yml
+++ b/opencontrail/control/control4_0.yml
@@ -120,6 +120,7 @@
- /var/log/journal/contrail-controller:/var/log/journal
- ${_param:opencontrail_host_configdb_log_dir}/cassandra:${_param:opencontrail_cassandra_log_dir}
- ${_param:opencontrail_host_configdb_log_dir}/zookeeper:${_param:opencontrail_zookeeper_log_dir}
+ - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
network_mode: "host"
privileged: true
restart: always
diff --git a/opencontrail/control/single4_0.yml b/opencontrail/control/single4_0.yml
index 89768d3..7612638 100644
--- a/opencontrail/control/single4_0.yml
+++ b/opencontrail/control/single4_0.yml
@@ -173,6 +173,7 @@
- /etc/zookeeper/conf/log4j.properties:/etc/zookeeper/conf/log4j.properties
- /var/log/contrail:/var/log/contrail
- /var/log/journal/contrail-controller:/var/log/journal
+ - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
network_mode: "host"
privileged: true
restart: always
@@ -189,6 +190,7 @@
- /etc/redis/redis.conf:/etc/redis/redis.conf
- /var/log/contrail:/var/log/contrail
- /var/log/journal/contrail-analytics:/var/log/journal
+ - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
env_file:
- contrail.env
analyticsdb:
@@ -210,6 +212,7 @@
- /etc/zookeeper/conf/log4j.properties:/etc/zookeeper/conf/log4j.properties
- /var/log/contrail:/var/log/contrail
- /var/log/journal/contrail-analyticsdb:/var/log/journal
+ - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
network_mode: "host"
privileged: true
restart: always
diff --git a/openldap/client/init.yml b/openldap/client/init.yml
index 25812f6..c0c20a8 100644
--- a/openldap/client/init.yml
+++ b/openldap/client/init.yml
@@ -3,7 +3,10 @@
parameters:
_param:
openldap_server: ${_param:cluster_vip_address}
- openldap_tls: false
+ openldap_tls:
+ starttls: true
+ keyfile: /etc/haproxy/ssl/drivetrain.key
+ certfile: /etc/haproxy/ssl/drivetrain.crt
openldap:
client:
server:
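Review bot: `openldap_tls` changes from a scalar (`false`) to a mapping, and nothing documents the new shape. Any class that still interpolates `${_param:openldap_tls}` expecting a boolean would now receive a dictionary, which cannot be ruled out from this hunk. I would add a comment above the key such as `# mapping: starttls (bool), keyfile, certfile - paths are bind-mounted by docker/swarm/stack/ldap.yml`, and check the remaining consumers of the old boolean.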
diff --git a/openssh/server/team/members/gmani.yml b/openssh/server/team/members/gmani.yml
new file mode 100644
index 0000000..7a25132
--- /dev/null
+++ b/openssh/server/team/members/gmani.yml
@@ -0,0 +1,20 @@
+parameters:
+ linux:
+ system:
+ user:
+ gmani:
+ enabled: true
+ name: gmani
+ sudo: ${_param:linux_system_user_sudo}
+ full_name: Gautam Mani
+ home: /home/gmani
+ email: gmani@mirantis.com
+ openssh:
+ server:
+ user:
+ gmani:
+ enabled: true
+ public_keys:
+ - key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+k2aPVLU8M9AfAGoJU7m48yjBIB/AxNzqiyMi2yPy9BaH3q4zPCTY0e8CLX6W0vU/uATBOoLjtWgLUmBqW6eOTD09zb60CKJy+vQUYVLZEEV1Aa2hxJ6zl0ruwCinmKDnLFkLe5HQmcLPWHccO3IvxaKAYCKeI9LFpiV/NwzYpjqrSP35jw36cMvxK8pvkw0YEZNz/+ApSB5JQWpFPM3563b6W0oH1/sX97MdxUuggRGNmS5Xd5TrxOPiQAipIXGGBNlafT7/IfWnJGhlIWYe2yQrbefOQ9RjaUA3VlU+YGAlcTLu5VWg3rKfMgdvNsA56doxYquRc6w+Sv/C8Eip gmani@1153-MBP15.local
+ user: ${linux:system:user:gmani}
+
diff --git a/openssh/server/team/members/someara.yml b/openssh/server/team/members/someara.yml
new file mode 100644
index 0000000..eab2c90
--- /dev/null
+++ b/openssh/server/team/members/someara.yml
@@ -0,0 +1,20 @@
+parameters:
+ linux:
+ system:
+ user:
+ someara:
+ enabled: true
+ name: someara
+ sudo: ${_param:linux_system_user_sudo}
+ full_name: Shaun OMeara
+ home: /home/someara
+ email: someara@mirantis.com
+ openssh:
+ server:
+ user:
+ someara:
+ enabled: true
+ public_keys:
+ - key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwH33yz82vYBUYFlJ5LJT+4NFJNUTzeBobJVlEtv6Hwd1t+xGrze5F3RZ/M1U24YOjnXoN4SutC7nciPfvUUYhLEBKA6/0n4v+yRf+pnovmH2RA6FJ4D9lKAbmdr7O0BRrzE++iUwzCnZIsDdfc+pQPfis2IYpN878x/F8jfvkMCvQRSN8Oyn3IeB2Yc/RMBWObNYD9Cm0KjtmZxwpyP+J6tzxj34e5kJRDCIAAYnS3Gmr9SJpJBx/Z80meeT44HdGz5RnKT2ouxAZUf7hxGKH6h0fYjwdwcs89QsyCBTvrXXuWPADFuBjvJcqTf5PmcqOZTIgM9lyI7rlzw6ynkxn shauno@Shauns-MacBook-Pro.local
+ user: ${linux:system:user:someara}
+
diff --git a/openssh/server/team/pm_team.yml b/openssh/server/team/pm_team.yml
new file mode 100644
index 0000000..af18aca
--- /dev/null
+++ b/openssh/server/team/pm_team.yml
@@ -0,0 +1,7 @@
+classes:
+- system.openssh.server.team.members.someara
+- system.openssh.server.team.members.gmani
+
+parameters:
+ _param:
+ linux_system_user_sudo: true
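Review bot: `linux_system_user_sudo: true` is set in `_param` for the whole class rather than on the two members, so on any node that includes pm_team it presumably becomes the value for every user definition that reads `${_param:linux_system_user_sudo}`, not only someara and gmani. If only these two accounts need sudo, overriding `sudo` under each user's `linux:system:user` entry keeps the grant scoped to them. If the node-wide grant is intended, a comment such as `# enables sudo for every user class that reads this parameter on the node` above the line would make that explicit.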
diff --git a/prometheus/gainsight/query/openstack.yml b/prometheus/gainsight/query/openstack.yml
index a826155..3ab9ed5 100644
--- a/prometheus/gainsight/query/openstack.yml
+++ b/prometheus/gainsight/query/openstack.yml
@@ -11,11 +11,11 @@
instances: "'Instances','avg(sum(avg_over_time(openstack_nova_instances{state=\"active\"}[24h])) by (instance))'"
compute_nodes: "'Compute Nodes','avg(sum(openstack_nova_services{binary=~\"nova.compute\"}) by (instance))'"
tenants: "'Tenants','avg(sum(avg_over_time(openstack_keystone_tenants_total[24h])) by (instance))'"
- cinder_api: "'Cinder API','avg(avg_over_time(openstack_api_check_status{name=\"cinderv2\"}[24h]))'"
- nova_api: "'Nova API','avg(avg_over_time(openstack_api_check_status{name=\"nova\"}[24h]))'"
- keystone_api: "'Keystone API','avg(avg_over_time(openstack_api_check_status{name=\"keystone\"}[24h]))'"
- glance_api: "'Glance API','avg(avg_over_time(openstack_api_check_status{name=\"glance\"}[24h]))'"
- neutron_api: "'Neutron API','avg(avg_over_time(openstack_api_check_status{name=\"neutron\"}[24h]))'"
+ cinder_api: "'Cinder API','avg_over_time(name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{name=\"cinderv2\"}[24h])'"
+ nova_api: "'Nova API','avg_over_time(name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{name=\"nova\"}[24h])'"
+ keystone_api: "'Keystone API','avg_over_time(name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{name=\"keystone\"}[24h])'"
+ glance_api: "'Glance API','avg_over_time(name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{name=\"glance\"}[24h])'"
+ neutron_api: "'Neutron API','avg_over_time(name:openstack_api_check_status:avg5m:for5m:ceil:avg5m:floor{name=\"neutron\"}[24h])'"
compute_instance_create_start: "'VM creation start','sum(compute_instance_create_start_event_doc_count)'"
compute_instance_create_end: "'VM creation end','sum(compute_instance_create_end_event_doc_count)'"
compute_instance_create_error: "'VM creation error','sum(compute_instance_create_error_event_doc_count)'"
diff --git a/salt/master/single.yml b/salt/master/single.yml
index c007031..64ddf88 100644
--- a/salt/master/single.yml
+++ b/salt/master/single.yml
@@ -4,11 +4,12 @@
parameters:
linux:
system:
- sysctl:
- net.core.rmem_max: 16777216
- net.core.wmem_max: 16777216
- net.ipv4.tcp_rmem: 4096 87380 16777216
- net.ipv4.tcp_wmem: 4096 87380 16777216
+ kernel:
+ sysctl:
+ net.core.rmem_max: 16777216
+ net.core.wmem_max: 16777216
+ net.ipv4.tcp_rmem: 4096 87380 16777216
+ net.ipv4.tcp_wmem: 4096 87380 16777216
salt:
master:
accept_policy: auto_accept
diff --git a/salt/minion/cert/proxy/drivetrain_ssl.yml b/salt/minion/cert/proxy/drivetrain_ssl.yml
index aecb5fb..5e7cf5f 100644
--- a/salt/minion/cert/proxy/drivetrain_ssl.yml
+++ b/salt/minion/cert/proxy/drivetrain_ssl.yml
@@ -2,7 +2,7 @@
salt:
minion:
cert:
- gerrit:
+ drivetrain:
host: ${_param:salt_minion_ca_host}
authority: ${_param:salt_minion_ca_authority}
common_name: drivetrain
diff --git a/telegraf/agent/init.yml b/telegraf/agent/init.yml
index 64ef566..213d3ba 100644
--- a/telegraf/agent/init.yml
+++ b/telegraf/agent/init.yml
@@ -1,5 +1,6 @@
classes:
- service.telegraf.agent
+- system.telegraf.agent.input.internal
- system.telegraf.agent.input.http_listener
- system.telegraf.agent.output.prometheus_client
- system.telegraf.sudo
diff --git a/telegraf/agent/input/internal.yml b/telegraf/agent/input/internal.yml
new file mode 100644
index 0000000..aba90c8
--- /dev/null
+++ b/telegraf/agent/input/internal.yml
@@ -0,0 +1,5 @@
+parameters:
+ telegraf:
+ agent:
+ input:
+ internal:
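Review bot: `internal:` is left as a bare key, which YAML loads as null rather than as an empty mapping. Whether the telegraf formula tolerates a null input definition is not visible here; writing `internal: {}` states the intent explicitly and avoids depending on how the consumer handles None.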
diff --git a/vnf_onboarding/common/init.yml b/vnf_onboarding/common/init.yml
index f988897..88ade04 100644
--- a/vnf_onboarding/common/init.yml
+++ b/vnf_onboarding/common/init.yml
@@ -1,7 +1,6 @@
parameters:
_param:
mcp_docker_registry: 'docker-dev-local.docker.mirantis.net'
- vnf_gerrit_credentials: "gerrit"
vnf_openstack_api_url: "${_param:cluster_public_protocol}://${_param:cluster_public_host}:5000/v2.0"
vnf_openstack_api_credentials: "test-openstack"
vnf_openstack_api_admin_credentials: "admin-openstack"
diff --git a/vnf_onboarding/common/jenkins_job.yml b/vnf_onboarding/common/jenkins_job.yml
index b63aa34..a928d2f 100644
--- a/vnf_onboarding/common/jenkins_job.yml
+++ b/vnf_onboarding/common/jenkins_job.yml
@@ -12,7 +12,7 @@
scm:
type: git
url: "${_param:jenkins_gerrit_url}/vnf-onboarding/pipelines"
- credentials: "${_param:vnf_gerrit_credentials}"
+ credentials: "${_param:jenkins_gerrit_credentials}"
script: deploy_cloudify.groovy
param:
OPENSTACK_API_URL:
@@ -33,7 +33,7 @@
default: "master"
NFV_PLATFORM_REPO_CREDENTIALS:
type: string
- default: "${_param:vnf_gerrit_credentials}"
+ default: "${_param:jenkins_gerrit_credentials}"
CFM_IMAGE:
type: string
default: "cloudify-manager-4.3.1ga"
diff --git a/vnf_onboarding/common/mirrors.yml b/vnf_onboarding/common/mirrors.yml
index 83d11c0..c830d85 100644
--- a/vnf_onboarding/common/mirrors.yml
+++ b/vnf_onboarding/common/mirrors.yml
@@ -9,7 +9,9 @@
downstream: vnf-onboarding/pipelines
upstream: ${_param:gerrit_vnf_onboaring_pipelines_repo}
branches: master
+ source_credentials: "${_param:vnf_onboaring_source_credentials}"
- name: nfv-platform
downstream: vnf-onboarding/nfv-platform
upstream: ${_param:gerrit_vnf_onboaring_nfv_platform_repo}
- branches: master
\ No newline at end of file
+ branches: master
+ source_credentials: "${_param:vnf_onboaring_source_credentials}"
\ No newline at end of file
diff --git a/vnf_onboarding/vnf/avi_loadbalancer/jenkins_template.yml b/vnf_onboarding/vnf/avi_loadbalancer/jenkins_template.yml
index 54d82fc..c4ad531 100644
--- a/vnf_onboarding/vnf/avi_loadbalancer/jenkins_template.yml
+++ b/vnf_onboarding/vnf/avi_loadbalancer/jenkins_template.yml
@@ -17,7 +17,7 @@
scm:
type: git
url: "${_param:jenkins_gerrit_url}/vnf-onboarding/pipelines"
- credentials: "${_param:vnf_gerrit_credentials}"
+ credentials: "${_param:jenkins_gerrit_credentials}"
script: test_vnf_onboarding.groovy
trigger:
gerrit:
@@ -59,7 +59,7 @@
default: "test-avi"
GERRIT_CREDENTIALS:
type: string
- default: "${_param:vnf_gerrit_credentials}"
+ default: "${_param:jenkins_gerrit_credentials}"
ELASTIC_URL:
type: string
default: "${_param:vnf_elastic_url}"
@@ -75,7 +75,7 @@
default: "master"
NFV_PLATFORM_REPO_CREDENTIALS:
type: string
- default: "${_param:vnf_gerrit_credentials}"
+ default: "${_param:jenkins_gerrit_credentials}"
CONTRAIL_ENABLED:
type: boolean
default: false
diff --git a/vnf_onboarding/vnf/avi_loadbalancer/mirrors.yml b/vnf_onboarding/vnf/avi_loadbalancer/mirrors.yml
index c74bda3..0b47570 100644
--- a/vnf_onboarding/vnf/avi_loadbalancer/mirrors.yml
+++ b/vnf_onboarding/vnf/avi_loadbalancer/mirrors.yml
@@ -7,4 +7,5 @@
- name: avi-loadbalancer
downstream: vnf-onboarding/avi-loadbalancer
upstream: ${_param:gerrit_vnf_onboaring_avi_repo}
- branches: master
\ No newline at end of file
+ branches: master
+ source_credentials: "${_param:vnf_onboaring_source_credentials}"
\ No newline at end of file
diff --git a/vnf_onboarding/vnf/metaswitch_vsbc/jenkins_job.yml b/vnf_onboarding/vnf/metaswitch_vsbc/jenkins_job.yml
index e480d46..709ab38 100644
--- a/vnf_onboarding/vnf/metaswitch_vsbc/jenkins_job.yml
+++ b/vnf_onboarding/vnf/metaswitch_vsbc/jenkins_job.yml
@@ -14,7 +14,7 @@
scm:
type: git
url: "${_param:jenkins_gerrit_url}/vnf-onboarding/pipelines"
- credentials: "${_param:vnf_gerrit_credentials}"
+ credentials: "${_param:jenkins_gerrit_credentials}"
script: test_vnf_onboarding.groovy
trigger:
gerrit:
@@ -53,7 +53,7 @@
default: "test-metaswitch"
GERRIT_CREDENTIALS:
type: string
- default: "${_param:vnf_gerrit_credentials}"
+ default: "${_param:jenkins_gerrit_credentials}"
ELASTIC_URL:
type: string
default: "${_param:vnf_elastic_url}"
@@ -70,7 +70,7 @@
default: "master"
NFV_PLATFORM_REPO_CREDENTIALS:
type: string
- default: "${_param:vnf_gerrit_credentials}"
+ default: "${_param:jenkins_gerrit_credentials}"
CONTRAIL_ENABLED:
type: boolean
default: false
@@ -146,7 +146,7 @@
scm:
type: git
url: "${_param:jenkins_gerrit_url}/vnf-onboarding/pipelines"
- credentials: "${_param:vnf_gerrit_credentials}"
+ credentials: "${_param:jenkins_gerrit_credentials}"
script: test_platform.groovy
param:
OPENSTACK_API_CREDENTIALS:
@@ -202,7 +202,7 @@
default: "master"
VNF_PLATFORM_TESTS_REPO_CREDENTIALS:
type: string
- default: "${_param:vnf_gerrit_credentials}"
+ default: "${_param:jenkins_gerrit_credentials}"
TEMPEST_IMAGE_DOCKER_REGISTRY_PATH:
type: string
description: "Path for docker image with testing tool. If empty, image will be build using VNF_PLATFORM_TESTS_* parameters."
@@ -221,7 +221,7 @@
default: "${_param:jenkins_gerrit_url}/vnf-onboarding/nfv-platform"
ELASTIC_TRANSFER_REPO_CREDENTIALS:
type: string
- default: "${_param:vnf_gerrit_credentials}"
+ default: "${_param:jenkins_gerrit_credentials}"
ELASTIC_TRANSFER_REPO_BRANCH:
type: string
default: "master"
diff --git a/vnf_onboarding/vnf/metaswitch_vsbc/mirrors.yml b/vnf_onboarding/vnf/metaswitch_vsbc/mirrors.yml
index 0a0c300..f032fb4 100644
--- a/vnf_onboarding/vnf/metaswitch_vsbc/mirrors.yml
+++ b/vnf_onboarding/vnf/metaswitch_vsbc/mirrors.yml
@@ -9,7 +9,9 @@
downstream: vnf-onboarding/metaswitch-vsbc
upstream: ${_param:gerrit_vnf_onboaring_metaswitch_repo}
branches: master
+ source_credentials: "${_param:vnf_onboaring_source_credentials}"
- name: platform-tests
downstream: vnf-onboarding/platform-tests
upstream: ${_param:gerrit_vnf_onboaring_platform_tests_repo}
- branches: master
\ No newline at end of file
+ branches: master
+ source_credentials: "${_param:vnf_onboaring_source_credentials}"
\ No newline at end of file
diff --git a/vnf_onboarding/vnf/mock_nginx/jenkins_template.yml b/vnf_onboarding/vnf/mock_nginx/jenkins_template.yml
index e2f4cbd..b72994e 100644
--- a/vnf_onboarding/vnf/mock_nginx/jenkins_template.yml
+++ b/vnf_onboarding/vnf/mock_nginx/jenkins_template.yml
@@ -18,7 +18,7 @@
scm:
type: git
url: "${_param:jenkins_gerrit_url}/vnf-onboarding/pipelines"
- credentials: "${_param:vnf_gerrit_credentials}"
+ credentials: "${_param:jenkins_gerrit_credentials}"
script: test_vnf_onboarding.groovy
trigger:
gerrit:
@@ -60,7 +60,7 @@
default: "test-nginx"
GERRIT_CREDENTIALS:
type: string
- default: "${_param:vnf_gerrit_credentials}"
+ default: "${_param:jenkins_gerrit_credentials}"
ELASTIC_URL:
type: string
default: "${_param:vnf_elastic_url}"
@@ -77,7 +77,7 @@
default: "master"
NFV_PLATFORM_REPO_CREDENTIALS:
type: string
- default: "${_param:vnf_gerrit_credentials}"
+ default: "${_param:jenkins_gerrit_credentials}"
CONTRAIL_ENABLED:
type: boolean
default: false
diff --git a/vnf_onboarding/vnf/mock_nginx/mirrors.yml b/vnf_onboarding/vnf/mock_nginx/mirrors.yml
index 6aff50c..76ca94c 100644
--- a/vnf_onboarding/vnf/mock_nginx/mirrors.yml
+++ b/vnf_onboarding/vnf/mock_nginx/mirrors.yml
@@ -7,4 +7,5 @@
- name: nginx-vnf
downstream: vnf-onboarding/nginx-vnf
upstream: ${_param:gerrit_vnf_onboaring_nginx_repo}
- branches: master
\ No newline at end of file
+ branches: master
+ source_credentials: "${_param:vnf_onboaring_source_credentials}"
\ No newline at end of file