Merge the tip of origin/release/proposed/2019.2.0 into origin/release/2019.2.0

9f5446b [CVP] Specify branch for default TOOLS_REPO
35b3587 [CVP,Q4] Remove 2 default parameters from cvp-tempest
18b19a2 Remove internal jenkins location set from default set
6d5655e add cert for radosgw
96d49da Enable querying Elasticsearch with enabled SSL
07933c0 Mount certificates to remote_agent container
cf03eb8 Enable and use salt_api proxy by default
a02e99f Removed default Elliptic Curve Cryptography Public Key Algorithm for nginx
4c3c57d Rename PATH variable to avoid colission with system vars
cbfbc6a Fix typo in jenkins enable CSRF
615d42a Bump kubernetes components (k8s 1.13.6)
bf23758 Add update glusterfs related jenkins jobs
91dda68 Mount /var/crashes dir into analytics container
97bccec Bump fs.inotify.max_user_instances on compute nodes for scale
7e50533 Host-agnostic compute queries
f0386ca Define default opencontrail parameters
e8b1c89 Host-agnostic compute queries
b0912b5 Pin sf-notifier and prometheus-es-exporter to 2019.2.4
4e3d154 Drop static passwords
78c5f6d Add missing param for golden configuration
4ae03de Move elasticsearch scheme to defaults
459193c Updated ciphers and SSL/TLS protocols suites.
2f73410 Connect jenkins slave via docker network on swarm
e5129f6 Updated Gainsight docker image to 2019.2.4 tag
ff8115a Add BACKUP_DIR param to ceph-upgrade job
2a455c1 Golden configuration - fix image for mdb nodes
e7b10f0 Add SSL for Elasticsearch
541ffb4 Add fluentd-based notification transport
215c929 Add prometheus-es-exporter compute metrics
8c04c85 Add options auth.allow and auth.reject to all glusterfs volumes
9fa80d9 Drop unused jenkins_secret key in reclass
c1a1d2e Add KPI2 queries to Gainsight
2bbfe11 Disable docker bridge to prevent network conflicts
ffe4b3e Set sf-notifier image tag to 0.2-mcp0
0df401e Set properly the cluster name for Elasticsearch cluster instance
d5e7386 [PROD-30068] Fix invalid Haproxy configuration
564c2a9 [Octavia] Switch to glancev2
05238eb Do not lockout service users on auth failures
2f37fe7 `show_multiple_locations` default was removed.
7c1d3b3 Add redis metadata for ceilometer
820e9f9 Add redis metadata for aodh
94e1c9b Add redis metadata for gnocchi
685c76a Update redis url for ceilometer
01ce608 Update redis url for aodh
2e4139d Update redis urls for gnocchi
e742eb7 Enable sshd strong ciphers
8e8df06 Add configuration option 'image_conversion_dir' for cinder.
831fc9f Bump telegraf image
5c83c14 Bump cvp-sanity-checks docker image for 2019.2.4 release
3a962b4 Add class that enables CSRF security
0cdb274 Set min_doc_count to 0 for compute queries
0345490 Do not mount volume to sf-notfier container
cf88616 Freeze prometheus-es-exporter image tag to 0.5.1-mcp0
f107e34 Disable job execution on jenkins master
da2df91 [PROD-30162] Change Keycloak Haproxy backend port
fd2d8c1 Adding ResellerAdmin role
8924409 Set OS_AUTH_URL to fqdn in keystonercv3 for CC
9de60e1 Bump AM image
e6b1f37 Add RabbitMQ system level upgrade metadata
149c56e Add upgrade_rabbitmq job
53bdd72 Add Telegraf SSL support
ee2c031 Mount /dev/urandom on Jenkins slaves to avoid issues with entropy
7efdc17 Bump OpenContrail docker image version
5c37a23 [CVP,Q4] Backport cvp-tempest pipeline
9420419 [CVP] Bump default rally version
066242d [CVP,Q4] Backport cvp jobs descriptions from master

Change-Id: Ia71aa97f64aef43e051c81b4cf9d0f15cedc22b0
diff --git a/aodh/server/coordination/redis.yml b/aodh/server/coordination/redis.yml
index e013e0f..16e2838 100644
--- a/aodh/server/coordination/redis.yml
+++ b/aodh/server/coordination/redis.yml
@@ -1,7 +1,20 @@
 classes:
 - service.redis.server.single
 parameters:
+  _param:
+    aodh_coordination_url: redis://openstack:${_param:openstack_telemetry_redis_password}@${_param:redis_sentinel_node01_address}:26379?db=0&sentinel=master_1&sentinel_fallback=${_param:redis_sentinel_node02_address}:26379&sentinel_fallback=${_param:redis_sentinel_node03_address}:26379
   aodh:
     server:
       coordination_backend:
-        url:  redis://${_param:single_address}:6379/${_param:cluster_node01_address}
+        url: ${_param:aodh_coordination_url}
+        engine: redis
+        redis:
+          password: ${_param:openstack_telemetry_redis_password}
+          user: openstack
+          db: ${_param:aodh_redis_db}
+          sentinel:
+            host: ${_param:redis_sentinel_node01_address}
+            master_name: ${_param:aodh_redis_sentinel_mastername}
+            fallback:
+              - host: ${_param:redis_sentinel_node02_address}
+              - host: ${_param:redis_sentinel_node03_address}
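Review bot: `aodh_coordination_url` hard-codes `db=0` and `sentinel=master_1`, while the `redis:` block below it reads `${_param:aodh_redis_db}` and `${_param:aodh_redis_sentinel_mastername}`, so overriding either parameter leaves the URL and the structured settings pointing at different targets. Build the query string from the same parameters, e.g. `?db=${_param:aodh_redis_db}&sentinel=${_param:aodh_redis_sentinel_mastername}&sentinel_fallback=...`. The password is also interpolated raw into the URL userinfo, so a generated secret containing `@`, `/`, `?` or `#` would change how the URL parses; a comment such as `# openstack_telemetry_redis_password must be URL-safe, it is embedded in the coordination URL` would record that constraint. The ceilometer/server/coordination/redis.yml hunk has the same two issues with `ceilometer_coordination_url`.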
diff --git a/billometer/server/single.yml b/billometer/server/single.yml
index 8152202..c606303 100644
--- a/billometer/server/single.yml
+++ b/billometer/server/single.yml
@@ -7,16 +7,8 @@
 - service.supervisor.server.single
 parameters:
   _param:
-    billometer_secret_key: billometer
     keystone_billometer_address: localhost
-    keystone_billometer_password: password
-    postgresql_billometer_password: password
-    postgresql_graphite_password: password
     rabbitmq_admin_name: admin
-    rabbitmq_admin_password: password
-    rabbitmq_secret_key: rabbitmq
-    rabbitmq_billometer_password: password
-    rabbitmq_graphite_password: password
   postgresql:
     server:
       database:
diff --git a/ceilometer/server/coordination/redis.yml b/ceilometer/server/coordination/redis.yml
index e8610f3..7b0edac 100644
--- a/ceilometer/server/coordination/redis.yml
+++ b/ceilometer/server/coordination/redis.yml
@@ -1,7 +1,20 @@
 classes:
 - service.redis.server.single
 parameters:
+  _param:
+    ceilometer_coordination_url: redis://openstack:${_param:openstack_telemetry_redis_password}@${_param:redis_sentinel_node01_address}:26379?db=0&sentinel=master_1&sentinel_fallback=${_param:redis_sentinel_node02_address}:26379&sentinel_fallback=${_param:redis_sentinel_node03_address}:26379
   ceilometer:
     server:
       coordination_backend:
-        url:  redis://${_param:single_address}:6379/${_param:cluster_node01_address}
+        url: ${_param:ceilometer_coordination_url}
+        engine: redis
+        redis:
+          password: ${_param:openstack_telemetry_redis_password}
+          user: openstack
+          db: ${_param:ceilometer_redis_db}
+          sentinel:
+            host: ${_param:redis_sentinel_node01_address}
+            master_name: ${_param:ceilometer_redis_sentinel_mastername}
+            fallback:
+              - host: ${_param:redis_sentinel_node02_address}
+              - host: ${_param:redis_sentinel_node03_address}
diff --git a/cinder/control/cluster.yml b/cinder/control/cluster.yml
index 7f8e2d7..8aa97c4 100644
--- a/cinder/control/cluster.yml
+++ b/cinder/control/cluster.yml
@@ -27,6 +27,8 @@
       backend: {}
       version: ${_param:cinder_version}
       role: ${_param:openstack_node_role}
+      # set 'image_conversion_dir' option in case of ceph deployment volume and controller running on the same node
+      image_conversion_dir: ${_param:cinder_image_conversion_dir_path}
       osapi:
         host: ${_param:cluster_local_address}
       database:
diff --git a/cinder/control/single.yml b/cinder/control/single.yml
index b8f670d..bae7bfc 100644
--- a/cinder/control/single.yml
+++ b/cinder/control/single.yml
@@ -19,6 +19,8 @@
       backend: {}
       default_volume_type: ''
       role: ${_param:openstack_node_role}
+      # set 'image_conversion_dir' option in case of ceph deployment volume and controller running on the same node
+      image_conversion_dir: ${_param:cinder_image_conversion_dir_path}
       database:
         host: ${_param:single_address}
         x509:
diff --git a/cinder/volume/local.yml b/cinder/volume/local.yml
index 301946b..cd07d4d 100644
--- a/cinder/volume/local.yml
+++ b/cinder/volume/local.yml
@@ -7,6 +7,7 @@
   cinder:
     volume:
       enabled: True
+      image_conversion_dir: ${_param:cinder_image_conversion_dir_path}
       database:
         host: ${_param:single_address}
         x509:
diff --git a/cinder/volume/single.yml b/cinder/volume/single.yml
index 9531aa4..34f5744 100644
--- a/cinder/volume/single.yml
+++ b/cinder/volume/single.yml
@@ -13,6 +13,7 @@
   cinder:
     volume:
       enabled: True
+      image_conversion_dir: ${_param:cinder_image_conversion_dir_path}
       database:
         host: ${_param:openstack_database_address}
         x509:
diff --git a/defaults/docker_images.yml b/defaults/docker_images.yml
index 1c43a70..a4f7fc2 100644
--- a/defaults/docker_images.yml
+++ b/defaults/docker_images.yml
@@ -23,29 +23,29 @@
     docker_image_operations_api: "${_param:mcp_docker_registry}/mirantis/model-generator/operations-api:${_param:mcp_version}"
     docker_image_operations_ui: "${_param:mcp_docker_registry}/mirantis/model-generator/operations-ui:${_param:mcp_version}"
     # OpenContrail
-    opencontrail_docker_image_tag: "2019.2.3"
+    opencontrail_docker_image_tag: "2019.2.4"
     # stacklight
     # 6.5.0 version, from 11/29/2018, differ from latest upstream 6.5.0 - update next cycle
     docker_image_alerta: "${_param:mcp_docker_registry}/mirantis/external/alerta-web:${_param:mcp_version}"
-    docker_image_alertmanager: "${_param:mcp_docker_registry}/openstack-docker/alertmanager:${_param:mcp_version}"
+    docker_image_alertmanager: "${_param:mcp_docker_registry}/openstack-docker/alertmanager:2019.2.4"
     docker_image_grafana: "${_param:mcp_docker_registry}/openstack-docker/grafana:${_param:mcp_version}"
-    docker_image_prometheus_es_exporter: "${_param:mcp_docker_registry}/mirantis/external/braedon/prometheus-es-exporter:0.5.1"
+    docker_image_prometheus_es_exporter: "${_param:mcp_docker_registry}/openstack-docker/prometheus-es-exporter:2019.2.4"
     docker_image_prometheus: "${_param:mcp_docker_registry}/openstack-docker/prometheus:${_param:mcp_version}"
-    docker_image_prometheus_gainsight: "${_param:mcp_docker_registry}/openstack-docker/gainsight:2019.2.3"
+    docker_image_prometheus_gainsight: "${_param:mcp_docker_registry}/openstack-docker/gainsight:2019.2.4"
     docker_image_prometheus_gainsight_elasticsearch: "${_param:mcp_docker_registry}/openstack-docker/gainsight_elasticsearch:${_param:mcp_version}"
     docker_image_prometheus_relay: "${_param:mcp_docker_registry}/openstack-docker/prometheus_relay:${_param:mcp_version}"
     docker_image_pushgateway: "${_param:mcp_docker_registry}/openstack-docker/pushgateway:${_param:mcp_version}"
-    docker_image_remote_agent: "${_param:mcp_docker_registry}/openstack-docker/telegraf:${_param:mcp_version}"
+    docker_image_remote_agent: "${_param:mcp_docker_registry}/openstack-docker/telegraf:2019.2.4"
     docker_image_remote_collector: "${_param:mcp_docker_registry}/openstack-docker/heka:${_param:mcp_version}"
     docker_image_remote_storage_adapter: "${_param:mcp_docker_registry}/openstack-docker/remote_storage_adapter:${_param:mcp_version}"
-    docker_image_sf_notifier: "${_param:mcp_docker_registry}/openstack-docker/sf_notifier:2019.2.3"
+    docker_image_sf_notifier: "${_param:mcp_docker_registry}/openstack-docker/sf_notifier:2019.2.4"
     ##
     docker_image_cockroachdb: "${_param:mcp_docker_registry}/mirantis/external/cockroach/cockroach:v2.1.1"
     # keycloak
     docker_image_keycloak_server: "${_param:mcp_docker_registry}/mirantis/external/jboss/keycloak:4.5.0.Final"
     docker_image_keycloak_proxy: "${_param:mcp_docker_registry}/mirantis/external/jboss/keycloak:3.4.2.Final"
     # CVP
-    docker_image_cvp_sanity_checks: ${_param:mcp_docker_registry}/mirantis/cvp/cvp-sanity-checks:2019.2.3
+    docker_image_cvp_sanity_checks: ${_param:mcp_docker_registry}/mirantis/cvp/cvp-sanity-checks:2019.2.4
     docker_image_cvp_shaker_checks: ${_param:mcp_docker_registry}/mirantis/cvp/cvp-shaker:2019.2.3
     # aptly
     docker_image_aptly:
@@ -134,13 +134,13 @@
           name: elasticsearch:${_param:mcp_version}
         - registry: ${_param:mcp_docker_registry}/openstack-docker
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/openstack-docker
-          name: sf_notifier:${_param:mcp_version}
+          name: sf_notifier:2019.2.4
         - registry: ${_param:mcp_docker_registry}/openstack-docker
           target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/openstack-docker
           name: gainsight_elasticsearch:${_param:mcp_version}
         - registry: ${_param:mcp_docker_registry}/mirantis/external/braedon
-          target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/mirantis/external/braedon
-          name: prometheus-es-exporter:0.5.1
+          target_registry: ${_param:default_local_mirrror_content:docker_client_registry_target_registry}/openstack-docker
+          name: prometheus-es-exporter:2019.2.4
 
         # QA\CVP tool-set's
         - registry: ${_param:mcp_docker_registry}/mirantis/oss
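Review bot: The mirror entry for prometheus-es-exporter still has `registry: ${_param:mcp_docker_registry}/mirantis/external/braedon` as an unchanged context line, while its `target_registry` and `name` now point at `openstack-docker` and tag `2019.2.4`. `docker_image_prometheus_es_exporter` in the first hunk of this file was moved to `openstack-docker/prometheus-es-exporter:2019.2.4`, so the mirror would presumably fetch a different image (or a tag that does not exist upstream) than the one the stack runs. If the source is meant to follow, the line should read `- registry: ${_param:mcp_docker_registry}/openstack-docker`. The mirror list starts and continues outside this hunk, so confirm against the full file.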
diff --git a/defaults/glusterfs.yml b/defaults/glusterfs.yml
new file mode 100644
index 0000000..72a68da
--- /dev/null
+++ b/defaults/glusterfs.yml
@@ -0,0 +1,4 @@
+parameters:
+  _param:
+    glusterfs_allow_ips: '*'
+    glusterfs_reject_ips: none
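Review bot: `glusterfs_allow_ips: '*'` makes the open setting the default for every volume that picks up these parameters, so any host that can reach the bricks is admitted unless a cluster model overrides it. The file has no comment saying so; add one above the two keys, for example `# '*' admits every client address; override with the storage/management network addresses per deployment`. Where the consuming volume classes are not visible here, it is worth confirming that an override at cluster level actually reaches all of them.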
diff --git a/defaults/haproxy/elasticsearch.yml b/defaults/haproxy/elasticsearch.yml
new file mode 100644
index 0000000..07db053
--- /dev/null
+++ b/defaults/haproxy/elasticsearch.yml
@@ -0,0 +1,6 @@
+parameters:
+  _param:
+    haproxy_elasticsearch_http_bind_port: 9200
+    haproxy_elasticsearch_http_exposed_port: 9200
+    haproxy_elasticsearch_binary_bind_port: 9300
+    haproxy_elasticsearch_binary_exposed_port: 9300
diff --git a/defaults/haproxy/init.yml b/defaults/haproxy/init.yml
new file mode 100644
index 0000000..499e085
--- /dev/null
+++ b/defaults/haproxy/init.yml
@@ -0,0 +1,2 @@
+classes:
+- system.defaults.haproxy.elasticsearch
diff --git a/defaults/init.yml b/defaults/init.yml
index 733bfe2..c90c404 100644
--- a/defaults/init.yml
+++ b/defaults/init.yml
@@ -10,8 +10,11 @@
 - system.defaults.linux_system_file
 - system.defaults.backupninja
 - system.defaults.git
+- system.defaults.glusterfs
+- system.defaults.nginx
 - system.defaults.jenkins
 - system.defaults.maas
+- system.defaults.opencontrail
 - system.defaults.openstack
 - system.defaults.galera
 - system.defaults.rabbitmq
@@ -20,8 +23,10 @@
 - system.defaults.gerrit
 - system.defaults.keepalived
 - system.defaults.salt
+- system.defaults.secrets
 - system.defaults.stacklight
 - system.defaults.xtrabackup
+- system.defaults.haproxy
 parameters:
   _param:
     mcp_version: stable
@@ -51,3 +56,6 @@
     # Cloudwatch api removed from Queens
     openstack_heat_cloudwatch_api_enabled: True
 
+    salt_master_host: '127.0.0.1'
+    infra_config_address: '127.0.0.1'
+    reclass_config_master: '127.0.0.1'
diff --git a/defaults/jenkins.yml b/defaults/jenkins.yml
index 36bcbfb..d01bf4e 100644
--- a/defaults/jenkins.yml
+++ b/defaults/jenkins.yml
@@ -3,3 +3,4 @@
     jenkins_master_port: 8081
     jenkins_master_protocol: http
     jenkins_pipelines_branch: "master"
+    jenkins_salt_api_url: "https://${_param:salt_master_host}:${_param:nginx_proxy_salt_api_site_port}"
diff --git a/defaults/nginx.yml b/defaults/nginx.yml
new file mode 100644
index 0000000..dd47452
--- /dev/null
+++ b/defaults/nginx.yml
@@ -0,0 +1,5 @@
+parameters:
+  _param:
+    nginx_proxy_salt_api_proxy_protocol: 'http'
+    nginx_proxy_salt_api_site_port: 8969
+    nginx_proxy_salt_api_site_protocol: 'https'
diff --git a/defaults/opencontrail/init.yml b/defaults/opencontrail/init.yml
new file mode 100644
index 0000000..24cd68e
--- /dev/null
+++ b/defaults/opencontrail/init.yml
@@ -0,0 +1,6 @@
+parameters:
+  _param:
+    opencontrail_identity_protocol: http
+    opencontrail_identity_port: 35357
+    opencontrail_identity_version: '2.0'
+    opencontrail_admin_user: 'contrail'
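Review bot: `opencontrail_identity_protocol: http` with `opencontrail_identity_port: 35357` makes cleartext the default for what looks like authentication against the identity admin endpoint, so the `contrail` user's credentials and tokens would cross the network unencrypted unless a deployment overrides it. The new file carries no comment on this; add one such as `# http is a lab default; set to https when the identity endpoint is TLS-enabled`. How the consuming classes use these values is not visible in this diff.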
diff --git a/defaults/openstack/init.yml b/defaults/openstack/init.yml
index 711ab06..cc62919 100644
--- a/defaults/openstack/init.yml
+++ b/defaults/openstack/init.yml
@@ -14,12 +14,18 @@
     openstack_kmn_service_host: ${_param:openstack_kmn_service_hostname}.${linux:system:domain}
     openstack_telemetry_service_host: ${_param:openstack_telemetry_service_hostname}.${linux:system:domain}
     openstack_service_user_enabled: True
+    openstack_upgrade_enabled: False
+    openstack_telemetry_redis_db: '0'
+    openstack_telemetry_redis_sentinel_mastername: 'master_1'
+    openstack_region: RegionOne
     # SSL
     ceilometer_agent_ssl_enabled: False
     openstack_mysql_x509_enabled: False
     # for non-ssl use 5672 / for ssl 5671
     openstack_rabbitmq_port: 5672
     openstack_rabbitmq_x509_enabled: False
+    # RabbitMQ
+    rabbitmq_upgrade_enabled: ${_param:openstack_upgrade_enabled}
     # Openstack memcache
     openstack_memcached_server_bind_address: 0.0.0.0
     openstack_memcache_security_enabled: False
@@ -28,12 +34,11 @@
     openstack_memcached_proto_udp_enabled: False
     openstack_version: queens
     openstack_old_version: ${_param:openstack_version}
-    openstack_upgrade_enabled: False
     # Security compliance user options
     openstack_service_user_options:
       ignore_change_password_upon_first_use: True
       ignore_password_expiry: True
-      ignore_lockout_failure_attempts: False
+      ignore_lockout_failure_attempts: True
       lock_password: False
     # Cinder
     cinder_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
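Review bot: `ignore_lockout_failure_attempts: True` under `openstack_service_user_options` removes failed-login lockout for every service account, which also removes the only throttle on password guessing against those accounts that is visible here. The trade-off (availability of service users versus guessing resistance) is undocumented; add a comment above the key, for example `# service users are exempt from lockout so failed logins cannot disable a service; their passwords must be long and randomly generated`. It would also help to say whether failed authentications for these users are still logged and alerted on.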
@@ -42,6 +47,7 @@
     cinder_version: ${_param:openstack_version}
     cinder_upgrade_enabled: ${_param:openstack_upgrade_enabled}
     cinder_service_user_enabled: ${_param:openstack_service_user_enabled}
+    cinder_image_conversion_dir_path: /var/tmp/cinder/conversion
     # Nova
     nova_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
     nova_memcache_secret_key: ''
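Review bot: `cinder_image_conversion_dir_path: /var/tmp/cinder/conversion` places the conversion directory under `/var/tmp`, which is normally world-writable, so the contents and ownership of `/var/tmp/cinder` depend on whoever creates it first. Image data is written there during conversion, so the directory should be owned by the cinder user with a restrictive mode; nothing in this diff shows where it is created. Unless `/var/tmp` was chosen for space reasons, a path under the service's own state directory avoids the question, e.g. `cinder_image_conversion_dir_path: /var/lib/cinder/conversion`.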
@@ -69,16 +75,22 @@
     aodh_old_version: ${_param:openstack_old_version}
     aodh_version: ${_param:openstack_version}
     aodh_upgrade_enabled: ${_param:openstack_upgrade_enabled}
+    aodh_redis_db: ${_param:openstack_telemetry_redis_db}
+    aodh_redis_sentinel_mastername: ${_param:openstack_telemetry_redis_sentinel_mastername}
     # Ceilometer
     ceilometer_old_version: ${_param:openstack_old_version}
     ceilometer_version: ${_param:openstack_version}
     ceilometer_upgrade_enabled: ${_param:openstack_upgrade_enabled}
+    ceilometer_redis_db: ${_param:openstack_telemetry_redis_db}
+    ceilometer_redis_sentinel_mastername: ${_param:openstack_telemetry_redis_sentinel_mastername}
     # Gnocchi
     gnocchi_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
     gnocchi_memcache_secret_key: ''
     gnocchi_version: 4.0
     gnocchi_old_version: ${_param:gnocchi_version}
     gnocchi_upgrade_enabled: ${_param:openstack_upgrade_enabled}
+    gnocchi_redis_db: ${_param:openstack_telemetry_redis_db}
+    gnocchi_redis_sentinel_mastername: ${_param:openstack_telemetry_redis_sentinel_mastername}
     # Panko
     panko_memcache_security_enabled: ${_param:openstack_memcache_security_enabled}
     panko_memcache_secret_key: ''
diff --git a/defaults/salt/init.yml b/defaults/salt/init.yml
index 2e19089..d915fbe 100644
--- a/defaults/salt/init.yml
+++ b/defaults/salt/init.yml
@@ -48,3 +48,12 @@
     salt_control_trusty_image: ${_param:mcp_static_images_url}/ubuntu-14-04-x64-mcp${_param:mcp_version}.qcow2
     salt_control_xenial_image: ${_param:mcp_static_images_url}/ubuntu-16-04-x64-mcp${_param:mcp_version}.qcow2
 
+    salt_master_api_permissions:
+    - '.*'
+    - '@local'
+    - '@wheel'   # to allow access to all wheel modules
+    - '@runner'  # to allow access to all runner modules
+    - '@jobs'    # to allow access to the jobs runner and/or wheel mo
+
+    salt_minion_ca_authority: salt_master_ca
+    salt_master_api_bind_address: 0.0.0.0
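Review bot: `salt_master_api_bind_address: 0.0.0.0` exposes the API listener on every interface, while defaults/nginx.yml in this same commit sets `nginx_proxy_salt_api_proxy_protocol: 'http'`, which suggests the backend behind the TLS proxy speaks plain HTTP. If the proxy runs on the same host as the API, the default should be `salt_master_api_bind_address: 127.0.0.1` so that only the TLS endpoint is reachable from the network. The permission list combines `'.*'` with `@wheel`, `@runner` and `@jobs`, which gives an API credential full control of the master and all minions; a comment stating that this is intentional and which account it applies to would help reviewers of cluster models. The comment on the `'@jobs'` line is cut off at "wheel mo" and should end "wheel modules".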
diff --git a/defaults/secrets.yml b/defaults/secrets.yml
index 65b7bce..fe8a6a2 100644
--- a/defaults/secrets.yml
+++ b/defaults/secrets.yml
@@ -40,11 +40,19 @@
 #    jenkins_client_password: <<CHANGEME>>
 #    jenkins_security_ldap_manager_password: <<CHANGEME>>
 #    oss_jenkins_password: <<CHANGEME>>
+#    jenkins_slave_password: <<CHANGEME>>
 
 #   Gerrit/LDAP
     gerrit_ldap_bind_password: password
 
 #   Docker
+#    docker_mongodb_admin_password: <<CHANGEME>>
+#    janitor_monkey_mongodb_password: <<CHANGEME>>
+#    janitor_monkey_openstack:
+#      password: <<CHANGEME>>
+#    security_monkey_password: <<CHANGEME>>
+#    security_monkey_openstack:
+#      password: <<CHANGEME>>
 #    keycloak_admin_password: <<CHANGEME>>
 #    kqueen_api_ldap_password: <<CHANGEME>>
 #    kqueen_credentials:
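Review bot: `gerrit_ldap_bind_password: password` is left as a live value in this file while every other entry is a commented `<<CHANGEME>>` placeholder, and defaults/init.yml in this commit adds `system.defaults.secrets` to the default class list. That makes a well-known password the inherited default for the Gerrit LDAP bind account in any model that does not override it. To match the rest of the file it should read `#    gerrit_ldap_bind_password: <<CHANGEME>>`, so that a model missing the secret fails at interpolation instead of deploying with the static value. The parameter list continues outside this hunk.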
@@ -60,7 +68,6 @@
 #    nova_compute_ssh_public: <<CHANGEME>>
 #    nova_compute_ssh_private: <<CHANGEME>>
 
-
 #   Grafana
 #    grafana_password: <<CHANGEME>>
 #    grafana_database_password: <<CHANGEME>>
@@ -76,7 +83,6 @@
 #   Galera
 #    galera_clustercheck_password: <<CHANGEME>>
 
-#    Generic
+#   Generic
 #    root_private_key:
 #    root_public_key:
-
diff --git a/defaults/stacklight.yml b/defaults/stacklight.yml
index 1abbb5e..625d20c 100644
--- a/defaults/stacklight.yml
+++ b/defaults/stacklight.yml
@@ -1,5 +1,10 @@
 parameters:
   _param:
+    # ELK settings
+    stacklight_notification_topic: stacklight_notifications
+    fluentd_elasticsearch_host: 127.0.0.1
+    fluentd_elasticsearch_port: 9200
+    fluentd_elasticsearch_scheme: http
     # ELK stack versions
     elasticsearch_version: 5
     kibana_version: 5
diff --git a/devops_portal/service/jenkins.yml b/devops_portal/service/jenkins.yml
index ee00912..b800188 100644
--- a/devops_portal/service/jenkins.yml
+++ b/devops_portal/service/jenkins.yml
@@ -1,7 +1,6 @@
 parameters:
   _param:
     oss_jenkins_user: admin
-    oss_jenkins_password: password
   devops_portal:
     config:
       service:
diff --git a/docker/client/compose/service/gerrit.yml b/docker/client/compose/service/gerrit.yml
index 69b2a2c..67af5eb 100644
--- a/docker/client/compose/service/gerrit.yml
+++ b/docker/client/compose/service/gerrit.yml
@@ -4,7 +4,6 @@
   _param:
     gerrit_ldap_server: ""
     gerrit_ldap_bind_user: ""
-    gerrit_ldap_bind_password: ""
     gerrit_ldap_account_base: ""
     gerrit_ldap_group_base: ""
     gerrit_http_listen_url: http://*:8080/
diff --git a/docker/client/compose/service/jenkins.yml b/docker/client/compose/service/jenkins.yml
index 55aacdc..7045b66 100644
--- a/docker/client/compose/service/jenkins.yml
+++ b/docker/client/compose/service/jenkins.yml
@@ -3,7 +3,7 @@
 parameters:
   _param:
     jenkins_master_extra_opts: ""
-    jenkins_master_executors_num: 4
+    jenkins_master_executors_num: 0
     jenkins_master_max_concurent_requests: 40
     jenkins_home_dir_path: /var/jenkins_home
   docker:
diff --git a/docker/host.yml b/docker/host.yml
index a88ff2f..894f6ee 100644
--- a/docker/host.yml
+++ b/docker/host.yml
@@ -14,6 +14,7 @@
         - ${_param:cluster_vip_address}:5000
         - ${_param:cluster_public_host}:5000
       options:
+        bridge: none
         ipv6: true
         fixed-cidr-v6: fc00::/7
         storage-driver: overlay2
diff --git a/docker/swarm/stack/dashboard.yml b/docker/swarm/stack/dashboard.yml
index 62a3e14..7b0eac5 100644
--- a/docker/swarm/stack/dashboard.yml
+++ b/docker/swarm/stack/dashboard.yml
@@ -6,7 +6,6 @@
     grafana_database_type: sqlite3
     grafana_database_host: localhost
     grafana_database_port: 3306
-    grafana_database_password: password
   docker:
     client:
       stack:
diff --git a/docker/swarm/stack/gerrit.yml b/docker/swarm/stack/gerrit.yml
index 964899d..42af606 100644
--- a/docker/swarm/stack/gerrit.yml
+++ b/docker/swarm/stack/gerrit.yml
@@ -4,7 +4,6 @@
   _param:
     gerrit_ldap_server: ""
     gerrit_ldap_bind_user: ""
-    gerrit_ldap_bind_password: ""
     gerrit_ldap_account_base: ""
     gerrit_ldap_group_base: ""
     gerrit_http_listen_url: http://*:8080/
diff --git a/docker/swarm/stack/janitor_monkey.yml b/docker/swarm/stack/janitor_monkey.yml
index 0cb8c43..79e9561 100644
--- a/docker/swarm/stack/janitor_monkey.yml
+++ b/docker/swarm/stack/janitor_monkey.yml
@@ -2,7 +2,6 @@
   _param:
     docker_janitor_monkey_replicas: 1
     docker_mongodb_admin_username: admin
-    docker_mongodb_admin_password: password
     docker_image_janitor_monkey: ${_param:mcp_docker_registry}/mirantis/oss/janitor-monkey
     janitor_monkey_bind_host: cleanup-service-api
     janitor_monkey_bind_port: 8080
@@ -17,7 +16,6 @@
     janitor_monkey_base_url: http://${_param:janitor_monkey_mongodb_host}:${_param:janitor_monkey_mongodb_port}
     janitor_monkey_mongodb_db: mcp_cloud
     janitor_monkey_mongodb_username: janitor
-    janitor_monkey_mongodb_password: password
     janitor_monkey_elasticsearch: ${_param:elasticsearch_bind_host}:${_param:elasticsearch_binary_bind_port}
     janitor_monkey_cloudfire_region: RegionOne
     janitor_monkey_cis_clustername: ${_param:elasticsearch_cluster_name}
@@ -30,7 +28,6 @@
       project_name: admin
       auth_url: http://yourcloud.com:5000/v3/auth/tokens
       username: admin
-      password: password
       endpoint_type: public
       ssl_verify: False
       source_credentials_dir: /srv/volumes/rundeck/storage
diff --git a/docker/swarm/stack/jenkins/master.yml b/docker/swarm/stack/jenkins/master.yml
index 6af8d3e..4647521 100644
--- a/docker/swarm/stack/jenkins/master.yml
+++ b/docker/swarm/stack/jenkins/master.yml
@@ -4,7 +4,7 @@
 parameters:
   _param:
     jenkins_master_extra_opts: ""
-    jenkins_master_executors_num: 4
+    jenkins_master_executors_num: 0
     jenkins_master_max_concurent_requests: 40
     jenkins_home_dir_path: /var/jenkins_home
   docker:
diff --git a/docker/swarm/stack/jenkins/slave01.yml b/docker/swarm/stack/jenkins/slave01.yml
index f616d89..73e8140 100644
--- a/docker/swarm/stack/jenkins/slave01.yml
+++ b/docker/swarm/stack/jenkins/slave01.yml
@@ -1,5 +1,4 @@
 classes:
-- system.docker
 - system.docker.swarm.stack.jenkins.slave_base
 parameters:
   _param:
@@ -14,12 +13,12 @@
                 JENKINS_URL: ${_param:jenkins_master_url}
                 JENKINS_AGENT_NAME: slave01
                 JENKINS_UPDATE_SLAVE: 'true'
-                JENKINS_LOGIN: ${_param:jenkins_slave_user}
-                JENKINS_PASSWORD: ${_param:jenkins_slave_password}
-                JAVA_OPTS: ${_param:jenkins_slave_extra_opts}
+                JENKINS_LOGIN: ${_param:jenkins_client_user}
+                JENKINS_PASSWORD: ${_param:jenkins_client_password}
+                JAVA_OPTS: "-Dhttp.proxyHost=${_param:docker_http_proxy} -Dhttp.nonProxyHosts=|jenkins_master ${_param:jenkins_slave_extra_opts}"
                 https_proxy: ${_param:docker_https_proxy}
                 http_proxy: ${_param:docker_http_proxy}
-                no_proxy: ${_param:docker_no_proxy}
+                no_proxy: "jenkins_master,${_param:docker_no_proxy}"
               deploy:
                 restart_policy:
                   condition: any
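Review bot: `-Dhttp.proxyHost=${_param:docker_http_proxy}` reuses the parameter that is exported as `http_proxy` two lines below, and that variable conventionally holds a full URL, whereas the Java property expects a bare host name with the port given separately in `http.proxyPort`. If the parameter is a URL, the agent JVM will not resolve the proxy, so this needs either a host-only parameter or a note that `docker_http_proxy` must be a host name. `-Dhttp.nonProxyHosts=|jenkins_master` also starts with an empty pattern; `-Dhttp.nonProxyHosts=jenkins_master` is the intended form. The same `JAVA_OPTS` line appears in the slave02.yml and slave03.yml hunks.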
@@ -28,7 +27,8 @@
                     - "node.hostname == ${_param:jenkins_slave01_node_name}"
               image: ${_param:docker_image_jenkins_slave}
               volumes:
-                - /etc/ssl/certs/java/cacerts:/etc/ssl/certs/java/cacerts:ro
+                - /etc/ssl/certs/:/etc/ssl/certs/:ro
+                - /dev/urandom:/dev/random:ro
                 - /var/run/docker.sock:/var/run/docker.sock
                 - /usr/bin/docker:/usr/bin/docker:ro
                 - /var/lib/jenkins:/var/lib/jenkins
diff --git a/docker/swarm/stack/jenkins/slave02.yml b/docker/swarm/stack/jenkins/slave02.yml
index cbece06..ee198cb 100644
--- a/docker/swarm/stack/jenkins/slave02.yml
+++ b/docker/swarm/stack/jenkins/slave02.yml
@@ -1,5 +1,4 @@
 classes:
-- system.docker
 - system.docker.swarm.stack.jenkins.slave_base
 parameters:
   _param:
@@ -14,12 +13,12 @@
                 JENKINS_URL: ${_param:jenkins_master_url}
                 JENKINS_AGENT_NAME: slave02
                 JENKINS_UPDATE_SLAVE: 'true'
-                JENKINS_LOGIN: ${_param:jenkins_slave_user}
-                JENKINS_PASSWORD: ${_param:jenkins_slave_password}
-                JAVA_OPTS: ${_param:jenkins_slave_extra_opts}
+                JENKINS_LOGIN: ${_param:jenkins_client_user}
+                JENKINS_PASSWORD: ${_param:jenkins_client_password}
+                JAVA_OPTS: "-Dhttp.proxyHost=${_param:docker_http_proxy} -Dhttp.nonProxyHosts=|jenkins_master ${_param:jenkins_slave_extra_opts}"
                 https_proxy: ${_param:docker_https_proxy}
                 http_proxy: ${_param:docker_http_proxy}
-                no_proxy: ${_param:docker_no_proxy}
+                no_proxy: "jenkins_master,${_param:docker_no_proxy}"
               deploy:
                 restart_policy:
                   condition: any
@@ -28,7 +27,8 @@
                     - "node.hostname == ${_param:jenkins_slave02_node_name}"
               image: ${_param:docker_image_jenkins_slave}
               volumes:
-                - /etc/ssl/certs/java/cacerts:/etc/ssl/certs/java/cacerts:ro
+                - /etc/ssl/certs/:/etc/ssl/certs/:ro
+                - /dev/urandom:/dev/random:ro
                 - /var/run/docker.sock:/var/run/docker.sock
                 - /usr/bin/docker:/usr/bin/docker:ro
                 - /var/lib/jenkins:/var/lib/jenkins
diff --git a/docker/swarm/stack/jenkins/slave03.yml b/docker/swarm/stack/jenkins/slave03.yml
index 6ff900c..b04ea2a 100644
--- a/docker/swarm/stack/jenkins/slave03.yml
+++ b/docker/swarm/stack/jenkins/slave03.yml
@@ -1,5 +1,4 @@
 classes:
-- system.docker
 - system.docker.swarm.stack.jenkins.slave_base
 parameters:
   _param:
@@ -14,12 +13,12 @@
                 JENKINS_URL: ${_param:jenkins_master_url}
                 JENKINS_AGENT_NAME: slave03
                 JENKINS_UPDATE_SLAVE: 'true'
-                JENKINS_LOGIN: ${_param:jenkins_slave_user}
-                JENKINS_PASSWORD: ${_param:jenkins_slave_password}
-                JAVA_OPTS: ${_param:jenkins_slave_extra_opts}
+                JENKINS_LOGIN: ${_param:jenkins_client_user}
+                JENKINS_PASSWORD: ${_param:jenkins_client_password}
+                JAVA_OPTS: "-Dhttp.proxyHost=${_param:docker_http_proxy} -Dhttp.nonProxyHosts=|jenkins_master ${_param:jenkins_slave_extra_opts}"
                 https_proxy: ${_param:docker_https_proxy}
                 http_proxy: ${_param:docker_http_proxy}
-                no_proxy: ${_param:docker_no_proxy}
+                no_proxy: "jenkins_master,${_param:docker_no_proxy}"
               deploy:
                 restart_policy:
                   condition: any
@@ -28,7 +27,8 @@
                     - "node.hostname == ${_param:jenkins_slave03_node_name}"
               image: ${_param:docker_image_jenkins_slave}
               volumes:
-                - /etc/ssl/certs/java/cacerts:/etc/ssl/certs/java/cacerts:ro
+                - /etc/ssl/certs/:/etc/ssl/certs/:ro
+                - /dev/urandom:/dev/random:ro
                 - /var/run/docker.sock:/var/run/docker.sock
                 - /usr/bin/docker:/usr/bin/docker:ro
                 - /var/lib/jenkins:/var/lib/jenkins
diff --git a/docker/swarm/stack/jenkins/slave_base.yml b/docker/swarm/stack/jenkins/slave_base.yml
index 1c2d6f8..3de4765 100644
--- a/docker/swarm/stack/jenkins/slave_base.yml
+++ b/docker/swarm/stack/jenkins/slave_base.yml
@@ -1,10 +1,7 @@
 classes:
+- system.docker
 - system.docker.client.images.jenkins_slave
 parameters:
   _param:
-    jenkins_master_host: ${_param:control_vip_address}
-    jenkins_secret: "7c40abc1a7df2d26dd6b2e4421af17218df75a16fcbd5e3aa6017d9f47eaeabe"
-    jenkins_master_url: http://${_param:jenkins_master_host}:${_param:jenkins_master_port}
-    jenkins_slave_user: ${_param:jenkins_client_user}
-    jenkins_slave_password: ${_param:jenkins_client_password}
+    jenkins_master_url: http://jenkins_master:8080
     jenkins_slave_extra_opts: ""
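Review bot: With the `jenkins_slave_user` / `jenkins_slave_password` parameters removed here, the slaveNN.yml hunks pass `${_param:jenkins_client_user}` and `${_param:jenkins_client_password}` straight into the agent containers, so each agent holds the client account's credentials in its environment. Those containers also mount `/var/run/docker.sock`, and `jenkins_master_url` is now `http://jenkins_master:8080`, so the login is sent without TLS on the swarm network. A dedicated agent account limited to connecting agents would reduce what a compromised build can reach. defaults/secrets.yml in this commit adds a `jenkins_slave_password` placeholder that none of the visible hunks read; keeping `jenkins_slave_user` and `jenkins_slave_password` as separate parameters fed from that secret would connect the two.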
diff --git a/docker/swarm/stack/keycloak.yml b/docker/swarm/stack/keycloak.yml
index 7dcb88a..3598282 100644
--- a/docker/swarm/stack/keycloak.yml
+++ b/docker/swarm/stack/keycloak.yml
@@ -6,7 +6,6 @@
     keycloak_proxy_bind_port: ${_param:haproxy_keycloak_proxy_bind_port}
     # Initial admin support
     keycloak_admin_username: admin
-    keycloak_admin_password: password
   docker:
     client:
       stack:
diff --git a/docker/swarm/stack/kqueen.yml b/docker/swarm/stack/kqueen.yml
index 0c61ed9..24166ed 100644
--- a/docker/swarm/stack/kqueen.yml
+++ b/docker/swarm/stack/kqueen.yml
@@ -10,7 +10,6 @@
     kqueen_api_prometheus_whitelist: '172.16.10.0/24' ##REcheck with network
     kqueen_api_ldap_uri: 'ldap://ldap'
     kqueen_api_ldap_dn: 'cn=admin,dc=example,dc=org'
-    kqueen_api_ldap_password: 'password'
     kqueen_api_auth_modules: 'local'
     docker_kqueen_ui_replicas: 1
     kqueen_ui_bind_port: ${_param:haproxy_kqueen_ui_bind_port}
@@ -26,7 +25,6 @@
       kqueen_ui_secret_key: 'pasteyoursecret'
       kqueen_api_bootstrap_admin: True
       kqueen_api_admin_username: admin
-      kqueen_api_admin_password: default
       kqueen_api_admin_organization: MirantisCloudPlatform
       kqueen_api_admin_namespace: mcp
   docker:
diff --git a/docker/swarm/stack/monitoring/elasticsearch_exporter.yml b/docker/swarm/stack/monitoring/elasticsearch_exporter.yml
index 5cbc05e..ce02782 100644
--- a/docker/swarm/stack/monitoring/elasticsearch_exporter.yml
+++ b/docker/swarm/stack/monitoring/elasticsearch_exporter.yml
@@ -12,7 +12,7 @@
                 encrypted: 1
           service:
             elasticsearch_exporter:
-              command: --es-cluster ${_param:stacklight_log_address}:9200 --nodes-stats-disable --cluster-health-disable --indices-stats-disable
+              command: --es-cluster ${_param:fluentd_elasticsearch_scheme}://${_param:stacklight_log_address}:9200 --nodes-stats-disable --cluster-health-disable --indices-stats-disable
               networks:
                 - monitoring
               deploy:
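Review bot: The exporter's `--es-cluster` URL now takes its scheme from `${_param:fluentd_elasticsearch_scheme}`, a fluentd-named parameter that is not defined in this file, and the command is left as an unquoted plain scalar. A comment such as `# scheme follows the fluentd Elasticsearch output setting (http or https)` would tell the reader where the value comes from, and quoting the whole command protects it if an interpolated value ever contains ` #` or `: `. With `https` the exporter also needs a trust store covering the Elasticsearch certificate, which the CA bundle mount in the next hunk appears intended to provide.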
@@ -26,3 +26,4 @@
               image: ${_param:docker_image_prometheus_es_exporter}
               volumes:
                 - "${prometheus:elasticsearch_exporter:dir:config}/elasticsearch_exporter.cfg:/usr/src/app/exporter.cfg"
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
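Review bot: Bind-mounting the single file `/etc/ssl/certs/ca-certificates.crt` ties the container to the file that existed when it started; if the host regenerates the bundle by replacing the file rather than rewriting it in place, the container keeps reading the old bundle until it is restarted. That matters when a CA is added or withdrawn on the host. Either mount the directory read-only, as the Jenkins slave stack in this commit does with `/etc/ssl/certs/:/etc/ssl/certs/:ro`, or add a comment that the service must be restarted after the host CA bundle changes. The same mount is added in `monitoring/prometheus/init.yml` and `monitoring/remote_agent/init.yml`.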
diff --git a/docker/swarm/stack/monitoring/prometheus/init.yml b/docker/swarm/stack/monitoring/prometheus/init.yml
index 65dd5b9..d7db52c 100644
--- a/docker/swarm/stack/monitoring/prometheus/init.yml
+++ b/docker/swarm/stack/monitoring/prometheus/init.yml
@@ -32,6 +32,7 @@
               volumes:
                 - ${prometheus:server:dir:config}:${_param:prometheus_server_config_directory}
                 - ${prometheus:server:dir:data}:${_param:prometheus_server_data_directory}
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               environment:
                 PROMETHEUS_CONFIG_DIR: ${_param:prometheus_server_config_directory}
                 PROMETHEUS_DATA_DIR: ${_param:prometheus_server_data_directory}
diff --git a/docker/swarm/stack/monitoring/remote_agent/init.yml b/docker/swarm/stack/monitoring/remote_agent/init.yml
index 9e9455e..3d9fd62 100644
--- a/docker/swarm/stack/monitoring/remote_agent/init.yml
+++ b/docker/swarm/stack/monitoring/remote_agent/init.yml
@@ -23,3 +23,4 @@
               volumes:
                 - ${telegraf:remote_agent:dir:config}:/etc/telegraf
                 - ${telegraf:remote_agent:dir:config_d}:/etc/telegraf/telegraf.d
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
diff --git a/docker/swarm/stack/monitoring/sf_notifier.yml b/docker/swarm/stack/monitoring/sf_notifier.yml
index a171ce8..b8b2dd6 100644
--- a/docker/swarm/stack/monitoring/sf_notifier.yml
+++ b/docker/swarm/stack/monitoring/sf_notifier.yml
@@ -29,8 +29,6 @@
               image: ${_param:docker_image_sf_notifier}
               ports:
                 - 15018:5000
-              volumes:
-                - ${prometheus:sf_notifier:dir:logs}:/var/log/sf-notifier
               environment:
                 SF_NOTIFIER_WORKERS: ${_param:sf_notifier_workers}
                 SF_NOTIFIER_BUFFER_SIZE: ${_param:sf_notifier_buffer_size}
diff --git a/docker/swarm/stack/postgresql.yml b/docker/swarm/stack/postgresql.yml
index b3936c6..619e0c2 100644
--- a/docker/swarm/stack/postgresql.yml
+++ b/docker/swarm/stack/postgresql.yml
@@ -7,7 +7,6 @@
     postgresql_ssl:
       enabled: false
     postgresql_admin_user: postgres
-    postgresql_admin_user_password: postgrespassword
   docker:
     client:
       stack:
diff --git a/docker/swarm/stack/pushkin.yml b/docker/swarm/stack/pushkin.yml
index 2ee26e4..3bb1e17 100644
--- a/docker/swarm/stack/pushkin.yml
+++ b/docker/swarm/stack/pushkin.yml
@@ -13,13 +13,11 @@
     pushkin_smtp_port: 587
     pushkin_smtp_use_tls: true
     webhook_from: your_sender@mail.com
-    pushkin_email_sender_password: your_sender_password
     webhook_recipients: "recepient1@mail.com,recepient2@mail.com"
     webhook_login_id: 13
     webhook_application_id: 24
     sfdc_auth_url: https://login.salesforce.com/services/oauth2/token
     sfdc_username: user@example.net
-    sfdc_password: secret
     sfdc_consumer_key: example_consumer_key
     sfdc_consumer_secret: example_consumer_secret
     sfdc_organization_id: example_organization_id
diff --git a/docker/swarm/stack/security_monkey.yml b/docker/swarm/stack/security_monkey.yml
index 5db205e..5b7046c 100644
--- a/docker/swarm/stack/security_monkey.yml
+++ b/docker/swarm/stack/security_monkey.yml
@@ -13,7 +13,6 @@
     security_monkey_db: secmonkey
     notification_service_url: http://${_param:pushkin_bind_host}:${_param:haproxy_pushkin_bind_port}/post_notification_json
     security_monkey_user: devopsportal@devopsportal.local
-    security_monkey_password: devopsportal
     security_monkey_role: Justify
     security_monkey_fqdn: ${_param:security_monkey_bind_host}
     security_monkey_web_port: ${_param:security_monkey_bind_port}
@@ -26,7 +25,6 @@
       os_account_name: mcp_cloud
       auth_url: http://yourcloud.com:5000/v3/auth/tokens
       username: admin
-      password: password
       project_domain_name: Default
       project_name: admin
       user_domain_name: Default
diff --git a/elasticsearch/client/ssl.yml b/elasticsearch/client/ssl.yml
new file mode 100644
index 0000000..9f0f9c2
--- /dev/null
+++ b/elasticsearch/client/ssl.yml
@@ -0,0 +1,5 @@
+parameters:
+  elasticsearch:
+    client:
+      server:
+        scheme: https
diff --git a/elasticsearch/server/cluster.yml b/elasticsearch/server/cluster.yml
index 76774aa..155cfdf 100644
--- a/elasticsearch/server/cluster.yml
+++ b/elasticsearch/server/cluster.yml
@@ -5,7 +5,7 @@
   _param:
     java_environment_version: "8"
     java_environment_platform: openjdk
-    elasticsearch_cluster_name: elasticsearch
+    elasticsearch_cluster_name: ${_param:cluster_name}
   linux:
     system:
       sysctl:
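Review bot: Changing the default of `elasticsearch_cluster_name` from `elasticsearch` to `${_param:cluster_name}` renames the cluster on every existing deployment that did not override the parameter, and the third hunk of this file now writes the value to `cluster: name`. Elasticsearch nodes only join peers that carry the same cluster name, so members configured before and after this change would presumably not form one cluster during a rolling update. A comment here or an upgrade note should say that existing environments either pin `elasticsearch_cluster_name: elasticsearch` or restart all members together.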
@@ -17,7 +17,6 @@
   elasticsearch:
     server:
       version: ${_param:elasticsearch_version}
-      name: ${_param:elasticsearch_cluster_name}
       enabled: true
       master: true
       data: true
@@ -35,6 +34,7 @@
         recover_after_nodes: 2
         recover_after_time: 5m
       cluster:
+        name: ${_param:elasticsearch_cluster_name}
         multicast: false
         minimum_master_nodes: 2
         members:
diff --git a/fluentd/label/default_metric/prometheus_ssl.yml b/fluentd/label/default_metric/prometheus_ssl.yml
new file mode 100644
index 0000000..292c481
--- /dev/null
+++ b/fluentd/label/default_metric/prometheus_ssl.yml
@@ -0,0 +1,9 @@
+parameters:
+  fluentd:
+    agent:
+      config:
+        input:
+          prometheus:
+            metric:
+              ssl:
+                enabled: True
diff --git a/fluentd/label/default_output/elasticsearch.yml b/fluentd/label/default_output/elasticsearch.yml
index 398ea8c..daf95dd 100644
--- a/fluentd/label/default_output/elasticsearch.yml
+++ b/fluentd/label/default_output/elasticsearch.yml
@@ -2,9 +2,6 @@
 - service.fluentd.agent.output.elasticsearch
 - system.fluentd.label.default_output.filter.common
 parameters:
-  _param:
-    fluentd_elasticsearch_host: 127.0.0.1
-    elasticsearch_port: 9200
   fluentd:
     agent:
       config:
@@ -13,4 +10,5 @@
             match:
               elasticsearch_output:
                 host: ${_param:fluentd_elasticsearch_host}
-                port: ${_param:elasticsearch_port}
+                port: ${_param:fluentd_elasticsearch_port}
+                scheme: ${_param:fluentd_elasticsearch_scheme}
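Review bot: The output port now reads `${_param:fluentd_elasticsearch_port}` while the first hunk drops the `_param` defaults for `fluentd_elasticsearch_host` and `elasticsearch_port` from this class, so a cluster model that still overrides `elasticsearch_port` no longer affects fluentd. Nothing in the file says where the three parameters are now defined; a comment above `elasticsearch_output:` such as `# fluentd_elasticsearch_host/port/scheme are expected from the system defaults` would help. The new `scheme` key also deserves a note that `https` requires the CA that signed the Elasticsearch certificate to be trusted by the agent.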
diff --git a/fluentd/label/notifications/audit.yml b/fluentd/label/notifications/audit.yml
new file mode 100644
index 0000000..f0cabaa
--- /dev/null
+++ b/fluentd/label/notifications/audit.yml
@@ -0,0 +1,50 @@
+parameters:
+  fluentd:
+    agent:
+      config:
+        label:
+          audit_messages:
+            filter:
+              get_payload_values:
+                tag: audit
+                type: record_transformer
+                enable_ruby: true
+                record:
+                  - name: Logger
+                    value: ${fluentd:dollar}{ record.dig("publisher_id") }
+                  - name: Severity
+                    value: ${fluentd:dollar}{ {'TRACE'=>7,'DEBUG'=>7,'INFO'=>6,'AUDIT'=>6,'WARNING'=>4,'ERROR'=>3,'CRITICAL'=>2}[record['priority']].to_i }
+                  - name: Timestamp
+                    value: ${fluentd:dollar}{ DateTime.strptime(record.dig("payload", "eventTime"), "%Y-%m-%dT%H:%M:%S.%N%z").strftime("%Y-%m-%dT%H:%M:%S.%3NZ") }
+                  - name: notification_type
+                    value: ${fluentd:dollar}{ record.dig("event_type") }
+                  - name: severity_label
+                    value: ${fluentd:dollar}{ record.dig("priority") }
+                  - name: environment_label
+                    value: ${_param:cluster_domain}
+
+                  - name: action
+                    value: ${fluentd:dollar}{ record.dig("payload", "action") }
+                  - name: event_type
+                    value: ${fluentd:dollar}{ record.dig("payload", "eventType") }
+                  - name: outcome
+                    value: ${fluentd:dollar}{ record.dig("payload", "outcome") }
+              pack_payload_to_json:
+                tag: audit
+                require:
+                  - get_payload_values
+                type: record_transformer
+                enable_ruby: true
+                remove_keys: '["payload", "timestamp", "publisher_id", "priority"]'
+                record:
+                  - name: Payload
+                    value: ${fluentd:dollar}{ record["payload"].to_json }
+            match:
+              audit_output:
+                tag: audit
+                type: elasticsearch
+                host: ${_param:fluentd_elasticsearch_host}
+                port: ${_param:fluentd_elasticsearch_port}
+                scheme: ${_param:fluentd_elasticsearch_scheme}
+                es_index_name: audit
+                tag_key: Type
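Review bot: The `Severity` expression ends in `[record['priority']].to_i`, and in Ruby a missing key returns `nil`, which `to_i` turns into `0`; on the syslog-style scale the table appears to follow, 0 is the most severe level, so an audit event with an unlisted or absent priority is indexed as the highest severity. Use an explicit fallback chosen by the team, for example `{...}.fetch(record['priority'], 6)` with the same table. The identical expression appears in `get_payload_values` in `notifications.yml`. `Timestamp` parses `eventTime` with a single fixed `strptime` format, so a comment stating the expected format (fractional seconds and offset present) would help whoever debugs events that fail to parse.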
diff --git a/fluentd/label/notifications/init.yml b/fluentd/label/notifications/init.yml
new file mode 100644
index 0000000..e4e57f8
--- /dev/null
+++ b/fluentd/label/notifications/init.yml
@@ -0,0 +1,4 @@
+classes:
+- system.fluentd.label.notifications.input_rabbitmq
+- system.fluentd.label.notifications.notifications
+- system.fluentd.label.notifications.audit
diff --git a/fluentd/label/notifications/input_rabbitmq.yml b/fluentd/label/notifications/input_rabbitmq.yml
new file mode 100644
index 0000000..7f97648
--- /dev/null
+++ b/fluentd/label/notifications/input_rabbitmq.yml
@@ -0,0 +1,105 @@
+parameters:
+  fluentd:
+    agent:
+      config:
+        label:
+          rabbitmq_notifications:
+            input:
+              tail_rabbitmq_info:
+                tag: raw_notifications
+                type: rabbitmq
+                host: ${_param:openstack_message_queue_address}
+                user: openstack
+                pass: ${_param:rabbitmq_openstack_password}
+                vhost: /openstack
+                queue: ${_param:stacklight_notification_topic}.info
+                routing_key: ${_param:stacklight_notification_topic}.info
+                parser:
+                  type: json
+              tail_rabbitmq_warn:
+                tag: raw_notifications
+                type: rabbitmq
+                host: ${_param:openstack_message_queue_address}
+                user: openstack
+                pass: ${_param:rabbitmq_openstack_password}
+                vhost: /openstack
+                queue: ${_param:stacklight_notification_topic}.warn
+                routing_key: ${_param:stacklight_notification_topic}.warn
+                parser:
+                  type: json
+              tail_rabbitmq_error:
+                tag: raw_notifications
+                type: rabbitmq
+                host: ${_param:openstack_message_queue_address}
+                user: openstack
+                pass: ${_param:rabbitmq_openstack_password}
+                vhost: /openstack
+                queue: ${_param:stacklight_notification_topic}.error
+                routing_key: ${_param:stacklight_notification_topic}.error
+                parser:
+                  type: json
+            filter:
+              parse_json:
+                tag: raw_notifications
+                type: parser
+                key_name: oslo.message
+                reserve_data: false
+                hash_value_field: parsed
+                parser:
+                  type: json
+              remove_context:
+                tag: raw_notifications
+                require:
+                  - parse_json
+                type: record_transformer
+                enable_ruby: true
+                remove_keys: _dummy_1
+                record:
+                  - name: _dummy_1
+                    value: ${fluentd:dollar}{record['parsed'].delete_if { |k,_| k.include?('_context_') }; nil}
+              pack_parsed_to_json:
+                tag: raw_notifications
+                require:
+                  - remove_context
+                type: record_transformer
+                enable_ruby: true
+                record:
+                  - name: parsed
+                    value: ${fluentd:dollar}{record["parsed"].to_json}
+              unpack_on_top_level:
+                tag: raw_notifications
+                require:
+                  - pack_parsed_to_json
+                type: parser
+                key_name: parsed
+                reserve_data: false
+                parser:
+                  type: json
+              detect_audit_notification:
+                tag: raw_notifications
+                require:
+                  - unpack_on_top_level
+                type: record_transformer
+                enable_ruby: true
+                record:
+                  - name: notification_type
+                    value: '${fluentd:dollar}{ record["payload"]["eventType"] && record["payload"]["eventTime"] ? "audit" : "notification" }'
+            match:
+              rewrite_message_tag:
+                tag: raw_notifications
+                type: rewrite_tag_filter
+                rule:
+                  - name: notification_type
+                    regexp: 'audit'
+                    result: audit
+                  - name: notification_type
+                    regexp: '/.+/'
+                    result: notification
+              forward_notification:
+                tag: notification
+                type: relabel
+                label: notification_messages
+              forward_audit:
+                tag: audit
+                type: relabel
+                label: audit_messages
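Review bot: `detect_audit_notification` indexes `record["payload"]["eventType"]` directly, so a notification without a `payload` hash raises inside the Ruby expression, whereas the filters in `audit.yml` use the nil-safe `record.dig`; `record.dig("payload", "eventType") && record.dig("payload", "eventTime") ? "audit" : "notification"` gives the same result on well-formed messages. The first `rewrite_message_tag` rule uses the unanchored `regexp: 'audit'`, and `'^audit$'` states the intent exactly. All three inputs authenticate as the shared `openstack` RabbitMQ user on `/openstack`; if that account can do more than consume the notification queues, a dedicated read-only user for the collector would limit what a leaked fluentd configuration exposes. A short comment on `remove_context` saying that it drops the `_context_` keys before indexing would also make its purpose clear.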
diff --git a/fluentd/label/notifications/notifications.yml b/fluentd/label/notifications/notifications.yml
new file mode 100644
index 0000000..7d1e5c6
--- /dev/null
+++ b/fluentd/label/notifications/notifications.yml
@@ -0,0 +1,123 @@
+parameters:
+  fluentd:
+    agent:
+      config:
+        label:
+          notification_messages:
+            filter:
+              parse_publuisher_host:
+                tag: notification
+                type: parser
+                key_name: publisher_id
+                reserve_data: true
+                parser:
+                  type: regexp
+                  format: (?<publisher>\w+).(?<hostname>\w+)
+              save_hostname:
+                tag: notification
+                require:
+                  - parse_publuisher_host
+                type: record_transformer
+                enable_ruby: true
+                record:
+                  - name: Hostname
+                    value: ${fluentd:dollar}{ record["hostname"] }
+              parse_source:
+                tag: notification
+                require:
+                  - save_hostname
+                type: parser
+                key_name: event_type
+                reserve_data: true
+                parser:
+                  type: regexp
+                  format: (?<event_type_logger>\w+).+
+              map_logger:
+                tag: notification
+                require:
+                  - parse_source
+                type: record_transformer
+                enable_ruby: true
+                remove_keys: event_type_logger
+                record:
+                  - name: Logger
+                    value: ${fluentd:dollar}{ {'volume'=>'cinder', 'snapshot'=>'cinder', 'image'=>'glance', 'orchestration'=>'heat', 'identity'=>'keystone', 'compute'=>'nova', 'compute_task'=>'nova', 'scheduler'=>'nova', 'keypair'=>'nova', 'floatingip' =>'neutron', 'security_group' =>'neutron', 'security_group_rule' =>'neutron', 'network' =>'neutron', 'port' =>'neutron', 'router' =>'neutron', 'subnet' =>'neutron', 'sahara' =>'sahara'}[record["event_type_logger"]] }
+              get_payload_values:
+                tag: notification
+                require:
+                  - map_logger
+                type: record_transformer
+                enable_ruby: true
+                record:
+                  - name: Timestamp
+                    value: ${fluentd:dollar}{ DateTime.strptime(record['timestamp'], '%Y-%m-%d %H:%M:%S.%N').strftime('%Y-%m-%dT%H:%M:%S.%3NZ') }
+                  - name: severity_label
+                    value: ${fluentd:dollar}{ record["priority"] }
+                  - name: Severity
+                    value: ${fluentd:dollar}{ {'TRACE'=>7,'DEBUG'=>7,'INFO'=>6,'AUDIT'=>6,'WARNING'=>4,'ERROR'=>3,'CRITICAL'=>2}[record['priority']].to_i }
+                  - name: Hostname
+                    value: '${fluentd:dollar}{ record["payload"].has_key?("host") ? record["payload"]["host"] : record["Hostname"] }'
+                  - name: environment_label
+                    value: ${_param:cluster_domain}
+
+                  - name: tenant_id
+                    value: ${fluentd:dollar}{ record.dig("payload", "tenant_id") }
+                  - name: user_id
+                    value: ${fluentd:dollar}{ record.dig("payload", "user_id") }
+                  - name: display_name
+                    value: ${fluentd:dollar}{ record.dig("payload", "display_name") }
+                  - name: vcpus
+                    value: ${fluentd:dollar}{ record.dig("payload", "vcpus") }
+                  - name: availability_zone
+                    value: ${fluentd:dollar}{ record.dig("payload", "availability_zone") }
+                  - name: instance_id
+                    value: ${fluentd:dollar}{ record.dig("payload", "instance_id") }
+                  - name: instance_type
+                    value: ${fluentd:dollar}{ record.dig("payload", "instance_type") }
+                  - name: image_name
+                    value: ${fluentd:dollar}{ record.dig("payload", "image_name") }
+                  - name: memory_mb
+                    value: ${fluentd:dollar}{ record.dig("payload", "memory_mb") }
+                  - name: disk_gb
+                    value: ${fluentd:dollar}{ record.dig("payload", "disk_gb") }
+                  - name: state
+                    value: ${fluentd:dollar}{ record.dig("payload", "state") }
+                  - name: old_state
+                    value: ${fluentd:dollar}{ record.dig("payload", "old_state") }
+                  - name: old_task_state
+                    value: ${fluentd:dollar}{ record.dig("payload", "old_task_state") }
+                  - name: new_task_state
+                    value: ${fluentd:dollar}{ record.dig("payload", "new_task_state") }
+                  - name: network_id
+                    value: ${fluentd:dollar}{ record.dig("payload", "network_id") }
+                  - name: subnet_id
+                    value: ${fluentd:dollar}{ record.dig("payload", "subnet_id") }
+                  - name: port_id
+                    value: ${fluentd:dollar}{ record.dig("payload", "port_id") }
+                  - name: volume_id
+                    value: ${fluentd:dollar}{ record.dig("payload", "volume_id") }
+                  - name: size
+                    value: ${fluentd:dollar}{ record.dig("payload", "size") }
+                  - name: status
+                    value: ${fluentd:dollar}{ record.dig("payload", "status") }
+                  - name: replication_status
+                    value: ${fluentd:dollar}{ record.dig("payload", "replication_status") }
+              pack_payload_to_json:
+                tag: notification
+                require:
+                  - get_payload_values
+                type: record_transformer
+                enable_ruby: true
+                remove_keys: '["timestamp", "publisher_id", "priority", "notification_type", "payload"]'
+                record:
+                  - name: Payload
+                    value: ${fluentd:dollar}{ record["payload"].to_json }
+            match:
+              notifications_output:
+                tag: notification
+                type: elasticsearch
+                host: ${_param:fluentd_elasticsearch_host}
+                port: ${_param:fluentd_elasticsearch_port}
+                scheme: ${_param:fluentd_elasticsearch_scheme}
+                es_index_name: notification
+                tag_key: Type
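Review bot: The `parse_publuisher_host` pattern `(?<publisher>\w+).(?<hostname>\w+)` leaves the separator dot unescaped and captures the host with `\w+`, which stops at the first `-` or `.`; a publisher id such as `compute.cmp-01` (constructed example) would give `Hostname: cmp`. A pattern like `format: '(?<publisher>[^.]+)\.(?<hostname>[^.]+)'` keeps hyphenated short names, or `(?<hostname>.+)` if the full name is wanted. The filter name is misspelled (`publuisher`); it is referenced consistently in `save_hostname`, so it works, but correcting both occurrences avoids a later mismatch.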
diff --git a/galera/server/clustercheck.yml b/galera/server/clustercheck.yml
index a5d7137..6213c58 100644
--- a/galera/server/clustercheck.yml
+++ b/galera/server/clustercheck.yml
@@ -1,6 +1,4 @@
 parameters:
-  _param:
-    galera_clustercheck_password: clustercheck
   galera:
     clustercheck:
       enabled: True
diff --git a/glance/client/image/octavia.yml b/glance/client/image/octavia.yml
index 3160cdd..2a00375 100644
--- a/glance/client/image/octavia.yml
+++ b/glance/client/image/octavia.yml
@@ -3,6 +3,7 @@
 parameters:
   glance:
     client:
+      cloud_name: admin_identity
       identity:
         admin_identity:
           endpoint_type: internalURL
diff --git a/glance/control/cluster.yml b/glance/control/cluster.yml
index a75f8c5..3eb7866 100644
--- a/glance/control/cluster.yml
+++ b/glance/control/cluster.yml
@@ -82,4 +82,3 @@
       storage:
         engine: file
       images: []
-      show_multiple_locations: True
diff --git a/glance/control/single.yml b/glance/control/single.yml
index ee2ae1a..24e9c3f 100644
--- a/glance/control/single.yml
+++ b/glance/control/single.yml
@@ -31,7 +31,6 @@
         protocol: ${_param:internal_protocol}
       registry:
         protocol: ${_param:internal_protocol}
-      show_multiple_locations: True
       barbican:
         enabled: ${_param:barbican_integration_enabled}
       message_queue:
diff --git a/glusterfs/server/volume/aptly.yml b/glusterfs/server/volume/aptly.yml
index 9c9e518..095ed8e 100644
--- a/glusterfs/server/volume/aptly.yml
+++ b/glusterfs/server/volume/aptly.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/aptly
             - ${_param:cluster_node03_address}:/srv/glusterfs/aptly
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
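Review bot: `auth.allow` and `auth.reject` are filled from `${_param:glusterfs_allow_ips}` and `${_param:glusterfs_reject_ips}`, which are not defined in this file, so whether the volume is actually restricted depends on defaults that are not visible here. If the default allow list is a wildcard, this change on its own restricts nothing; a comment such as `# set glusterfs_allow_ips to the storage client addresses in the cluster model` would make the expected override explicit. The same two lines are added to the other volume classes in this commit (artifactory, backup, decapod, devops_portal, elasticsearch, etcd, gerrit, glance, gnocchi, influxdb, jenkins and jenkins_slave_multi).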
diff --git a/glusterfs/server/volume/artifactory.yml b/glusterfs/server/volume/artifactory.yml
index f70d2f0..c903d5f 100644
--- a/glusterfs/server/volume/artifactory.yml
+++ b/glusterfs/server/volume/artifactory.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/artifactory
             - ${_param:cluster_node03_address}:/srv/glusterfs/artifactory
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/backup.yml b/glusterfs/server/volume/backup.yml
index 22e59e2..3c86bb0 100644
--- a/glusterfs/server/volume/backup.yml
+++ b/glusterfs/server/volume/backup.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/backup
             - ${_param:cluster_node03_address}:/srv/glusterfs/backup
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/decapod.yml b/glusterfs/server/volume/decapod.yml
index e8f4c99..9a39eaa 100644
--- a/glusterfs/server/volume/decapod.yml
+++ b/glusterfs/server/volume/decapod.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/decapod
             - ${_param:cluster_node03_address}:/srv/glusterfs/decapod
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/devops_portal.yml b/glusterfs/server/volume/devops_portal.yml
index a2f00ba..e2116cb 100644
--- a/glusterfs/server/volume/devops_portal.yml
+++ b/glusterfs/server/volume/devops_portal.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/devops_portal
             - ${_param:cluster_node03_address}:/srv/glusterfs/devops_portal
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/elasticsearch.yml b/glusterfs/server/volume/elasticsearch.yml
index 65cf76e..e66a388 100644
--- a/glusterfs/server/volume/elasticsearch.yml
+++ b/glusterfs/server/volume/elasticsearch.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/elasticsearch
             - ${_param:cluster_node03_address}:/srv/glusterfs/elasticsearch
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/etcd.yml b/glusterfs/server/volume/etcd.yml
index 874119e..6300593 100644
--- a/glusterfs/server/volume/etcd.yml
+++ b/glusterfs/server/volume/etcd.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/etcd
             - ${_param:cluster_node03_address}:/srv/glusterfs/etcd
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/gerrit.yml b/glusterfs/server/volume/gerrit.yml
index b959f82..b3b036a 100644
--- a/glusterfs/server/volume/gerrit.yml
+++ b/glusterfs/server/volume/gerrit.yml
@@ -10,6 +10,10 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/gerrit
             - ${_param:cluster_node03_address}:/srv/glusterfs/gerrit
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
+            storage.owner-gid: 1000
+            storage.owner-uid: 1000
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/glance.yml b/glusterfs/server/volume/glance.yml
index d0dfdf1..38a571e 100644
--- a/glusterfs/server/volume/glance.yml
+++ b/glusterfs/server/volume/glance.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/glance
             - ${_param:cluster_node03_address}:/srv/glusterfs/glance
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/gnocchi.yml b/glusterfs/server/volume/gnocchi.yml
index f8f5b6a..1d4ce62 100644
--- a/glusterfs/server/volume/gnocchi.yml
+++ b/glusterfs/server/volume/gnocchi.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/gnocchi
             - ${_param:cluster_node03_address}:/srv/glusterfs/gnocchi
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/influxdb.yml b/glusterfs/server/volume/influxdb.yml
index 9a75a2f..5f56d0b 100644
--- a/glusterfs/server/volume/influxdb.yml
+++ b/glusterfs/server/volume/influxdb.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/influxdb
             - ${_param:cluster_node03_address}:/srv/glusterfs/influxdb
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/jenkins.yml b/glusterfs/server/volume/jenkins.yml
index 9a2582a..e17cdb5 100644
--- a/glusterfs/server/volume/jenkins.yml
+++ b/glusterfs/server/volume/jenkins.yml
@@ -10,6 +10,10 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/jenkins
             - ${_param:cluster_node03_address}:/srv/glusterfs/jenkins
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
+            storage.owner-gid: 1000
+            storage.owner-uid: 1000
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/jenkins_slave_multi.yml b/glusterfs/server/volume/jenkins_slave_multi.yml
new file mode 100644
index 0000000..5d2e70a
--- /dev/null
+++ b/glusterfs/server/volume/jenkins_slave_multi.yml
@@ -0,0 +1,42 @@
+classes:
+- system.glusterfs.server.volume.jenkins_slave_single
+parameters:
+  glusterfs:
+    server:
+      volumes:
+        jenkins_slave02:
+          storage: /srv/glusterfs/jenkins_slaves/slave02
+          replica: 3
+          bricks:
+            - ${_param:cluster_node01_address}:/srv/glusterfs/jenkins_slaves/slave02
+            - ${_param:cluster_node02_address}:/srv/glusterfs/jenkins_slaves/slave02
+            - ${_param:cluster_node03_address}:/srv/glusterfs/jenkins_slaves/slave02
+          options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
+            storage.owner-gid: 10000
+            storage.owner-uid: 10000
+            cluster.readdir-optimize: On
+            nfs.disable: On
+            network.remote-dio: On
+            diagnostics.client-log-level: WARNING
+            diagnostics.brick-log-level: WARNING
+            cluster.favorite-child-policy: mtime
+        jenkins_slave03:
+          storage: /srv/glusterfs/jenkins_slaves/slave03
+          replica: 3
+          bricks:
+            - ${_param:cluster_node01_address}:/srv/glusterfs/jenkins_slaves/slave03
+            - ${_param:cluster_node02_address}:/srv/glusterfs/jenkins_slaves/slave03
+            - ${_param:cluster_node03_address}:/srv/glusterfs/jenkins_slaves/slave03
+          options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
+            storage.owner-gid: 10000
+            storage.owner-uid: 10000
+            cluster.readdir-optimize: On
+            nfs.disable: On
+            network.remote-dio: On
+            diagnostics.client-log-level: WARNING
+            diagnostics.brick-log-level: WARNING
+            cluster.favorite-child-policy: mtime
diff --git a/glusterfs/server/volume/jenkins_slave_single.yml b/glusterfs/server/volume/jenkins_slave_single.yml
new file mode 100644
index 0000000..e9420b3
--- /dev/null
+++ b/glusterfs/server/volume/jenkins_slave_single.yml
@@ -0,0 +1,22 @@
+parameters:
+  glusterfs:
+    server:
+      volumes:
+        jenkins_slave01:
+          storage: /srv/glusterfs/jenkins_slaves/slave01
+          replica: 3
+          bricks:
+            - ${_param:cluster_node01_address}:/srv/glusterfs/jenkins_slaves/slave01
+            - ${_param:cluster_node02_address}:/srv/glusterfs/jenkins_slaves/slave01
+            - ${_param:cluster_node03_address}:/srv/glusterfs/jenkins_slaves/slave01
+          options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
+            storage.owner-gid: 10000
+            storage.owner-uid: 10000
+            cluster.readdir-optimize: On
+            nfs.disable: On
+            network.remote-dio: On
+            diagnostics.client-log-level: WARNING
+            diagnostics.brick-log-level: WARNING
+            cluster.favorite-child-policy: mtime
diff --git a/glusterfs/server/volume/keycloak.yml b/glusterfs/server/volume/keycloak.yml
index c8c71f0..b22d2c3 100644
--- a/glusterfs/server/volume/keycloak.yml
+++ b/glusterfs/server/volume/keycloak.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/keycloak
             - ${_param:cluster_node03_address}:/srv/glusterfs/keycloak
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/keystone.yml b/glusterfs/server/volume/keystone.yml
index 81e14be..e549180 100644
--- a/glusterfs/server/volume/keystone.yml
+++ b/glusterfs/server/volume/keystone.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/keystone-keys
             - ${_param:cluster_node03_address}:/srv/glusterfs/keystone-keys
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
@@ -24,6 +26,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/keystone-credential-keys
             - ${_param:cluster_node03_address}:/srv/glusterfs/keystone-credential-keys
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/kqueen.yml b/glusterfs/server/volume/kqueen.yml
index 0d09c51..091a93c 100644
--- a/glusterfs/server/volume/kqueen.yml
+++ b/glusterfs/server/volume/kqueen.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/kqueen
             - ${_param:cluster_node03_address}:/srv/glusterfs/kqueen
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/mongodb.yml b/glusterfs/server/volume/mongodb.yml
index f694ad7..0cb3a8e 100644
--- a/glusterfs/server/volume/mongodb.yml
+++ b/glusterfs/server/volume/mongodb.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/mongodb
             - ${_param:cluster_node03_address}:/srv/glusterfs/mongodb
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/mysql.yml b/glusterfs/server/volume/mysql.yml
index c473de6..b67975e 100644
--- a/glusterfs/server/volume/mysql.yml
+++ b/glusterfs/server/volume/mysql.yml
@@ -10,6 +10,10 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/mysql
             - ${_param:cluster_node03_address}:/srv/glusterfs/mysql
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
+            storage.owner-gid: 999
+            storage.owner-uid: 999
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/openldap.yml b/glusterfs/server/volume/openldap.yml
index 84619c0..cc1ba5f 100644
--- a/glusterfs/server/volume/openldap.yml
+++ b/glusterfs/server/volume/openldap.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/openldap
             - ${_param:cluster_node03_address}:/srv/glusterfs/openldap
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/openldap_k8s.yml b/glusterfs/server/volume/openldap_k8s.yml
new file mode 100644
index 0000000..24b2a26
--- /dev/null
+++ b/glusterfs/server/volume/openldap_k8s.yml
@@ -0,0 +1,40 @@
+parameters:
+  glusterfs:
+    server:
+      volumes:
+        openldap-config:
+          storage: /srv/glusterfs/openldap/config
+          replica: 3
+          bricks:
+            - ${_param:cluster_node01_address}:/srv/glusterfs/openldap/config
+            - ${_param:cluster_node02_address}:/srv/glusterfs/openldap/config
+            - ${_param:cluster_node03_address}:/srv/glusterfs/openldap/config
+          options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
+            storage.owner-gid: 999
+            storage.owner-uid: 999
+            cluster.readdir-optimize: On
+            nfs.disable: On
+            network.remote-dio: On
+            diagnostics.client-log-level: WARNING
+            diagnostics.brick-log-level: WARNING
+            cluster.favorite-child-policy: mtime
+        openldap-data:
+          storage: /srv/glusterfs/openldap/data
+          replica: 3
+          bricks:
+          - ${_param:cluster_node01_address}:/srv/glusterfs/openldap/data
+          - ${_param:cluster_node02_address}:/srv/glusterfs/openldap/data
+          - ${_param:cluster_node03_address}:/srv/glusterfs/openldap/data
+          options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
+            storage.owner-gid: 999
+            storage.owner-uid: 999
+            cluster.readdir-optimize: On
+            nfs.disable: On
+            network.remote-dio: On
+            diagnostics.client-log-level: WARNING
+            diagnostics.brick-log-level: WARNING
+            cluster.favorite-child-policy: mtime
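Review bot: The `bricks:` list under `openldap-data` is written flush with its key, while the one under `openldap-config` in the same file is indented by two spaces. Both parse the same, but the file should use one style; indent the three entries like the first volume, e.g. `            - ${_param:cluster_node01_address}:/srv/glusterfs/openldap/data`. Separately, both brick paths sit under `/srv/glusterfs/openldap`, which openldap.yml in this diff uses as a brick itself. If a model ever includes both classes, one volume's bricks would be nested inside another's, so a comment stating the two classes are mutually exclusive would help.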
diff --git a/glusterfs/server/volume/postgresql.yml b/glusterfs/server/volume/postgresql.yml
index c48d833..5376934 100644
--- a/glusterfs/server/volume/postgresql.yml
+++ b/glusterfs/server/volume/postgresql.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/postgresql
             - ${_param:cluster_node03_address}:/srv/glusterfs/postgresql
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/postgresql_k8s.yml b/glusterfs/server/volume/postgresql_k8s.yml
new file mode 100644
index 0000000..523ef59
--- /dev/null
+++ b/glusterfs/server/volume/postgresql_k8s.yml
@@ -0,0 +1,22 @@
+parameters:
+  glusterfs:
+    server:
+      volumes:
+        postgresql-data:
+          storage: /srv/glusterfs/postgresql
+          replica: 3
+          bricks:
+            - ${_param:cluster_node01_address}:/srv/glusterfs/postgresql
+            - ${_param:cluster_node02_address}:/srv/glusterfs/postgresql
+            - ${_param:cluster_node03_address}:/srv/glusterfs/postgresql
+          options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
+            storage.owner-gid: 999
+            storage.owner-uid: 999
+            cluster.readdir-optimize: On
+            nfs.disable: On
+            network.remote-dio: On
+            diagnostics.client-log-level: WARNING
+            diagnostics.brick-log-level: WARNING
+            cluster.favorite-child-policy: mtime
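Review bot: The `postgresql-data` volume uses `/srv/glusterfs/postgresql` for `storage` and for all three bricks, the same brick path that postgresql.yml in this diff lists for its own volume. If both classes end up in one model, two volume definitions would claim the same directory on each node. Either give the k8s variant its own path or add a header comment such as `# alternative to system.glusterfs.server.volume.postgresql; do not include both`. The volume name used by postgresql.yml is outside the visible hunk, so the overlap is inferred from the brick paths only.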
diff --git a/glusterfs/server/volume/privatebin.yml b/glusterfs/server/volume/privatebin.yml
index e2eba2d..e78df75 100644
--- a/glusterfs/server/volume/privatebin.yml
+++ b/glusterfs/server/volume/privatebin.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/privatebin
             - ${_param:cluster_node03_address}:/srv/glusterfs/privatebin
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/pushkin.yml b/glusterfs/server/volume/pushkin.yml
index 2d6a249..14d8b16 100644
--- a/glusterfs/server/volume/pushkin.yml
+++ b/glusterfs/server/volume/pushkin.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/pushkin
             - ${_param:cluster_node03_address}:/srv/glusterfs/pushkin
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/registry.yml b/glusterfs/server/volume/registry.yml
index 474ce7b..19d0106 100644
--- a/glusterfs/server/volume/registry.yml
+++ b/glusterfs/server/volume/registry.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/registry
             - ${_param:cluster_node03_address}:/srv/glusterfs/registry
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/rundeck.yml b/glusterfs/server/volume/rundeck.yml
index c0ced5b..727496a 100644
--- a/glusterfs/server/volume/rundeck.yml
+++ b/glusterfs/server/volume/rundeck.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/rundeck
             - ${_param:cluster_node03_address}:/srv/glusterfs/rundeck
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/salt.yml b/glusterfs/server/volume/salt.yml
index e14701d..f832bce 100644
--- a/glusterfs/server/volume/salt.yml
+++ b/glusterfs/server/volume/salt.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/saltmaster
             - ${_param:cluster_node03_address}:/srv/glusterfs/saltmaster
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/salt_pki.yml b/glusterfs/server/volume/salt_pki.yml
index 9a26bdb..8135e47 100644
--- a/glusterfs/server/volume/salt_pki.yml
+++ b/glusterfs/server/volume/salt_pki.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/salt_pki
             - ${_param:cluster_node03_address}:/srv/glusterfs/salt_pki
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/glusterfs/server/volume/security_monkey.yml b/glusterfs/server/volume/security_monkey.yml
index e730c90..3fa9f57 100644
--- a/glusterfs/server/volume/security_monkey.yml
+++ b/glusterfs/server/volume/security_monkey.yml
@@ -10,6 +10,8 @@
             - ${_param:cluster_node02_address}:/srv/glusterfs/security_monkey
             - ${_param:cluster_node03_address}:/srv/glusterfs/security_monkey
           options:
+            auth.allow: ${_param:glusterfs_allow_ips}
+            auth.reject: ${_param:glusterfs_reject_ips}
             cluster.readdir-optimize: On
             nfs.disable: On
             network.remote-dio: On
diff --git a/gnocchi/common/coordination/redis.yml b/gnocchi/common/coordination/redis.yml
index 673d9bd..f1e94b6 100644
--- a/gnocchi/common/coordination/redis.yml
+++ b/gnocchi/common/coordination/redis.yml
@@ -1,7 +1,18 @@
 parameters:
   _param:
-    gnocchi_coordination_url: redis://${_param:single_address}:6379
+    gnocchi_coordination_url: redis://openstack:${_param:openstack_telemetry_redis_password}@${_param:redis_sentinel_node01_address}:26379?db=0&sentinel=master_1&sentinel_fallback=${_param:redis_sentinel_node02_address}:26379&sentinel_fallback=${_param:redis_sentinel_node03_address}:26379
   gnocchi:
     common:
       coordination_backend:
         url: ${_param:gnocchi_coordination_url}
+        engine: redis
+        redis:
+          password: ${_param:openstack_telemetry_redis_password}
+          user: openstack
+          db: ${_param:gnocchi_redis_db}
+          sentinel:
+            host: ${_param:redis_sentinel_node01_address}
+            master_name: ${_param:gnocchi_redis_sentinel_mastername}
+            fallback:
+              - host: ${_param:redis_sentinel_node02_address}
+              - host: ${_param:redis_sentinel_node03_address}
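Review bot: The new `gnocchi_coordination_url` hard-codes `db=0` and `sentinel=master_1`, while the structured `redis:` block added below reads the same settings from `${_param:gnocchi_redis_db}` and `${_param:gnocchi_redis_sentinel_mastername}`. That leaves two sources of truth that disagree as soon as either parameter is overridden. The query part should use the parameters, `?db=${_param:gnocchi_redis_db}&sentinel=${_param:gnocchi_redis_sentinel_mastername}&sentinel_fallback=...`. The URL also carries `${_param:openstack_telemetry_redis_password}` inline, so a password containing `@`, `:`, `/`, `?`, `#` or `&` would need percent-encoding to parse correctly, and the secret will appear wherever the URL is rendered or logged. A comment stating the allowed character set, or building the connection from the structured keys alone, would avoid that. The same pattern is repeated in gnocchi/common/storage/incoming/redis.yml and gnocchi/common/storage/redis.yml.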
diff --git a/gnocchi/common/storage/incoming/redis.yml b/gnocchi/common/storage/incoming/redis.yml
index d0f04d7..77cd6c6 100644
--- a/gnocchi/common/storage/incoming/redis.yml
+++ b/gnocchi/common/storage/incoming/redis.yml
@@ -1,10 +1,20 @@
 parameters:
   _param:
-    gnocchi_storage_incoming_redis_url: redis://${_param:single_address}:6379
+    gnocchi_storage_incoming_redis_url: redis://openstack:${_param:openstack_telemetry_redis_password}@${_param:redis_sentinel_node01_address}:26379?db=0&sentinel=master_1&sentinel_fallback=${_param:redis_sentinel_node02_address}:26379&sentinel_fallback=${_param:redis_sentinel_node03_address}:26379
     gnocchi_storage_incoming_driver: redis
   gnocchi:
     common:
       storage:
         incoming:
           driver: ${_param:gnocchi_storage_incoming_driver}
-          redis_url: ${_param:gnocchi_storage_incoming_redis_url}
\ No newline at end of file
+          redis_url: ${_param:gnocchi_storage_incoming_redis_url}
+          redis:
+            password: ${_param:openstack_telemetry_redis_password}
+            user: openstack
+            db: ${_param:gnocchi_redis_db}
+            sentinel:
+              host: ${_param:redis_sentinel_node01_address}
+              master_name: ${_param:gnocchi_redis_sentinel_mastername}
+              fallback:
+                - host: ${_param:redis_sentinel_node02_address}
+                - host: ${_param:redis_sentinel_node03_address}
diff --git a/gnocchi/common/storage/redis.yml b/gnocchi/common/storage/redis.yml
index d71fcf0..079c887 100644
--- a/gnocchi/common/storage/redis.yml
+++ b/gnocchi/common/storage/redis.yml
@@ -1,9 +1,19 @@
 parameters:
   _param:
-    gnocchi_storage_redis_url: redis://${_param:single_address}:6379
+    gnocchi_storage_redis_url: redis://openstack:${_param:openstack_telemetry_redis_password}@${_param:redis_sentinel_node01_address}:26379?db=0&sentinel=master_1&sentinel_fallback=${_param:redis_sentinel_node02_address}:26379&sentinel_fallback=${_param:redis_sentinel_node03_address}:26379
     gnocchi_storage_driver: redis
   gnocchi:
     common:
       storage:
         driver: ${_param:gnocchi_storage_driver}
-        redis_url: ${_param:gnocchi_storage_redis_url}
\ No newline at end of file
+        redis_url: ${_param:gnocchi_storage_redis_url}
+        redis:
+          password: ${_param:openstack_telemetry_redis_password}
+          user: openstack
+          db: ${_param:gnocchi_redis_db}
+          sentinel:
+            host: ${_param:redis_sentinel_node01_address}
+            master_name: ${_param:gnocchi_redis_sentinel_mastername}
+            fallback:
+              - host: ${_param:redis_sentinel_node02_address}
+              - host: ${_param:redis_sentinel_node03_address}
diff --git a/grafana/server/single.yml b/grafana/server/single.yml
index 775ce38..6303430 100644
--- a/grafana/server/single.yml
+++ b/grafana/server/single.yml
@@ -4,7 +4,6 @@
   _param:
     grafana_port: 3000
     grafana_user: admin
-    grafana_password: admin
   grafana:
     server:
       enabled: true
diff --git a/graphite/collector/single.yml b/graphite/collector/single.yml
index 5ca5715..5442a3f 100644
--- a/graphite/collector/single.yml
+++ b/graphite/collector/single.yml
@@ -2,8 +2,6 @@
 - service.memcached.server.local
 - service.graphite.collector.single
 parameters:
-  _param:
-    rabbitmq_monitor_password: password
   carbon:
     relay:
       enabled: false
diff --git a/graphite/server/single.yml b/graphite/server/single.yml
index 237c65d..9c891d3 100644
--- a/graphite/server/single.yml
+++ b/graphite/server/single.yml
@@ -7,12 +7,7 @@
 parameters:
   _param:
     graphite_secret_key: secret
-    postgresql_graphite_password: password
     apache2_site_graphite_host: ${_param:single_address}
-    rabbitmq_graphite_password: password
-    rabbitmq_monitor_password: password
-    rabbitmq_admin_password: password
-    rabbitmq_secret_key: password
   apache:
     server:
       modules:
diff --git a/haproxy/proxy/listen/keycloak.yml b/haproxy/proxy/listen/keycloak.yml
index 89a9670..73697a3 100644
--- a/haproxy/proxy/listen/keycloak.yml
+++ b/haproxy/proxy/listen/keycloak.yml
@@ -1,7 +1,7 @@
 parameters:
   _param:
     haproxy_keycloak_bind_host: ${_param:haproxy_bind_address}
-    haproxy_keycloak_bind_port: 8080
+    haproxy_keycloak_bind_port: 8086
     haproxy_keycloak_exposed_port: 18086
     haproxy_keycloak_ssl:
       enabled: false
diff --git a/haproxy/proxy/listen/opencontrail/analytics.yml b/haproxy/proxy/listen/opencontrail/analytics.yml
index 14890ca..fd20277 100644
--- a/haproxy/proxy/listen/opencontrail/analytics.yml
+++ b/haproxy/proxy/listen/opencontrail/analytics.yml
@@ -1,6 +1,4 @@
 parameters:
-  _param:
-    opencontrail_stats_password: password
   haproxy:
     proxy:
       listen:
diff --git a/haproxy/proxy/listen/opencontrail/control.yml b/haproxy/proxy/listen/opencontrail/control.yml
index db407be..b704f04 100644
--- a/haproxy/proxy/listen/opencontrail/control.yml
+++ b/haproxy/proxy/listen/opencontrail/control.yml
@@ -1,6 +1,5 @@
 parameters:
   _param:
-    opencontrail_stats_password: password
     opencontrail_api_start_offset: 0
     opencontrail_api_workers_count: 1
   haproxy:
diff --git a/haproxy/proxy/listen/opencontrail/control4_0.yml b/haproxy/proxy/listen/opencontrail/control4_0.yml
index baeb86e..22623fd 100644
--- a/haproxy/proxy/listen/opencontrail/control4_0.yml
+++ b/haproxy/proxy/listen/opencontrail/control4_0.yml
@@ -1,6 +1,5 @@
 parameters:
   _param:
-    opencontrail_stats_password: password
     opencontrail_api_start_offset: 0
     opencontrail_api_workers_count: 1
   haproxy:
diff --git a/haproxy/proxy/listen/openstack/large_setup.yml b/haproxy/proxy/listen/openstack/large_setup.yml
index 947cfce..c517779 100644
--- a/haproxy/proxy/listen/openstack/large_setup.yml
+++ b/haproxy/proxy/listen/openstack/large_setup.yml
@@ -8,4 +8,4 @@
 - system.haproxy.proxy.listen.openstack.keystone.large
 - system.haproxy.proxy.listen.openstack.neutron_large
 - system.haproxy.proxy.listen.openstack.nova_large
-- system.haproxy.proxy.listen.openstack.novanc_large
+- system.haproxy.proxy.listen.openstack.novnc_large
diff --git a/haproxy/proxy/listen/stacklight/elasticsearch.yml b/haproxy/proxy/listen/stacklight/elasticsearch.yml
index 582de6a..d684861 100644
--- a/haproxy/proxy/listen/stacklight/elasticsearch.yml
+++ b/haproxy/proxy/listen/stacklight/elasticsearch.yml
@@ -1,10 +1,6 @@
 parameters:
   _param:
     haproxy_elasticsearch_bind_host: ${_param:cluster_vip_address}
-    haproxy_elasticsearch_http_bind_port: 9200
-    haproxy_elasticsearch_http_exposed_port: 9200
-    haproxy_elasticsearch_binary_bind_port: 9300
-    haproxy_elasticsearch_binary_exposed_port: 9300
   haproxy:
     proxy:
       listen:
@@ -17,7 +13,7 @@
             - dontlog-normal
           balance: roundrobin
           binds:
-            - address: ${_param:haproxy_elasticsearch_bind_host}
+            - address: ${_param:cluster_vip_address}
               port: ${_param:haproxy_elasticsearch_http_bind_port}
           servers:
             - name: ${_param:cluster_node01_hostname}
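Review bot: The bind address now reads `${_param:cluster_vip_address}` directly, but `haproxy_elasticsearch_bind_host` is still defined at the top of this file and is no longer referenced by this bind. A model that overrides `haproxy_elasticsearch_bind_host` to keep the listener on a narrower address would silently stop having any effect and the service would bind on the cluster VIP instead. Either keep `- address: ${_param:haproxy_elasticsearch_bind_host}` or remove the parameter so the override fails visibly. The new elasticsearch_ssl.yml has the same unused definition. The listen block starts and ends outside this hunk, so other uses of the parameter cannot be ruled out from here.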
diff --git a/haproxy/proxy/listen/stacklight/elasticsearch_ssl.yml b/haproxy/proxy/listen/stacklight/elasticsearch_ssl.yml
new file mode 100644
index 0000000..a50280e
--- /dev/null
+++ b/haproxy/proxy/listen/stacklight/elasticsearch_ssl.yml
@@ -0,0 +1,55 @@
+parameters:
+  _param:
+    haproxy_elasticsearch_bind_host: ${_param:cluster_vip_address}
+  haproxy:
+    proxy:
+      listen:
+        elasticsearch:
+          mode: http
+          options:
+            - httplog
+            - http-keep-alive
+            - prefer-last-server
+            - dontlog-normal
+          balance: roundrobin
+          binds:
+            - address: ${_param:cluster_vip_address}
+              port: ${_param:haproxy_elasticsearch_http_bind_port}
+              ssl:
+                enabled: true
+                pem_file: /etc/elasticsearch/elasticsearch.pem
+          servers:
+            - name: ${_param:cluster_node01_hostname}
+              host: ${_param:cluster_node01_address}
+              port: ${_param:haproxy_elasticsearch_http_exposed_port}
+              params: 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3'
+            - name: ${_param:cluster_node02_hostname}
+              host: ${_param:cluster_node02_address}
+              port: ${_param:haproxy_elasticsearch_http_exposed_port}
+              params: 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3'
+            - name: ${_param:cluster_node03_hostname}
+              host: ${_param:cluster_node03_address}
+              port: ${_param:haproxy_elasticsearch_http_exposed_port}
+              params: 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3'
+        elasticsearch_binary:
+          mode: tcp
+          options:
+            - tcpka
+            - tcplog
+          balance: source
+          binds:
+            - address: ${_param:cluster_vip_address}
+              port: ${_param:haproxy_elasticsearch_binary_bind_port}
+          servers:
+            - name: ${_param:cluster_node01_hostname}
+              host: ${_param:cluster_node01_address}
+              port: ${_param:haproxy_elasticsearch_binary_exposed_port}
+              params: 'check'
+            - name: ${_param:cluster_node02_hostname}
+              host: ${_param:cluster_node02_address}
+              port: ${_param:haproxy_elasticsearch_binary_exposed_port}
+              params: 'check'
+            - name: ${_param:cluster_node03_hostname}
+              host: ${_param:cluster_node03_address}
+              port: ${_param:haproxy_elasticsearch_binary_exposed_port}
+              params: 'check'
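Review bot: TLS is enabled only on the `elasticsearch` bind. The `elasticsearch_binary` listener has no `ssl:` block, and none of the `servers` entries carry `ssl` or `verify` in `params`, so as written the transport port and the hop from haproxy to the nodes stay in cleartext. If that is intentional, a comment saying so belongs at the top of the file. If the nodes serve TLS themselves, the server lines need something like `params: 'check ssl verify required ca-file <CA_BUNDLE_PATH> inter 10s ...'` (path is a placeholder). `pem_file: /etc/elasticsearch/elasticsearch.pem` presumably holds the private key as well, so its ownership and mode should let the haproxy user read it without making it world-readable.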
diff --git a/heka/router/single.yml b/heka/router/single.yml
index 8801e42..bba6458 100644
--- a/heka/router/single.yml
+++ b/heka/router/single.yml
@@ -12,7 +12,6 @@
     heka_router_prefetch_count: 20
     rabbitmq_secret_key: secret_key
     rabbitmq_admin_name: admin
-    rabbitmq_admin_password: workshoplearning42
     kibana_elasticsearch_host: localhost
   heka:
     shipper:
diff --git a/jenkins/client/init.yml b/jenkins/client/init.yml
index 59faa0b..11b5430 100644
--- a/jenkins/client/init.yml
+++ b/jenkins/client/init.yml
@@ -1,12 +1,12 @@
 classes:
-  - service.jenkins.support
-  - service.jenkins.client
-  - system.jenkins.client.approved_scripts
-  - system.jenkins.client.plugins
+- service.jenkins.support
+- service.jenkins.client
+- system.jenkins.client.approved_scripts
+- system.jenkins.client.plugins
+- system.jenkins.client.security.csrf
 parameters:
   _param:
     jenkins_client_user: none
-    jenkins_client_password: none
     jenkins_master_host: ${_param:control_vip_address}
     jenkins_aptly_storages: "local"
     jenkins_offline_deployment: "false"
diff --git a/jenkins/client/job/ceph/upgrade.yml b/jenkins/client/job/ceph/upgrade.yml
index 7717761..d308845 100644
--- a/jenkins/client/job/ceph/upgrade.yml
+++ b/jenkins/client/job/ceph/upgrade.yml
@@ -73,3 +73,7 @@
               type: boolean
               default: 'true'
               description: Select to copy the disks of Ceph VMs before upgrade and backup Ceph directories on OSD nodes.
+            BACKUP_DIR:
+              type: string
+              default: '/root'
+              description: Select the target dir to backup to when BACKUP_ENABLED
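Review bot: The description of `BACKUP_DIR` stops mid-sentence ("when BACKUP_ENABLED") and does not say what kind of path is expected. I would write `description: Directory on the target nodes to store backups in; used only when BACKUP_ENABLED is selected.` Because this is a free-form string with default `'/root'`, the consuming pipeline (not shown here) should treat it as untrusted input, quoting it wherever it reaches a shell command and rejecting empty or relative values. The parameter block starts outside the hunk.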
diff --git a/jenkins/client/job/deploy/galera_verify_restore.yml b/jenkins/client/job/deploy/galera_verify_restore.yml
index 492d76f..73e312a 100644
--- a/jenkins/client/job/deploy/galera_verify_restore.yml
+++ b/jenkins/client/job/deploy/galera_verify_restore.yml
@@ -1,6 +1,4 @@
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/openstack.yml b/jenkins/client/job/deploy/openstack.yml
index d18ccae..107b932 100644
--- a/jenkins/client/job/deploy/openstack.yml
+++ b/jenkins/client/job/deploy/openstack.yml
@@ -1,6 +1,4 @@
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/try_mcp.yml b/jenkins/client/job/deploy/try_mcp.yml
index 9c161ff..3ad2878 100644
--- a/jenkins/client/job/deploy/try_mcp.yml
+++ b/jenkins/client/job/deploy/try_mcp.yml
@@ -1,6 +1,4 @@
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/cloud_update.yml b/jenkins/client/job/deploy/update/cloud_update.yml
index aef20ce..f3fe8ef 100644
--- a/jenkins/client/job/deploy/update/cloud_update.yml
+++ b/jenkins/client/job/deploy/update/cloud_update.yml
@@ -2,8 +2,6 @@
 # Jobs to update cloud packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/config.yml b/jenkins/client/job/deploy/update/config.yml
index 47ec321..5eafd70 100644
--- a/jenkins/client/job/deploy/update/config.yml
+++ b/jenkins/client/job/deploy/update/config.yml
@@ -2,8 +2,6 @@
 # Jobs to run given states on given Salt master environment's
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/init.yml b/jenkins/client/job/deploy/update/init.yml
index 5a26020..be7e82e 100644
--- a/jenkins/client/job/deploy/update/init.yml
+++ b/jenkins/client/job/deploy/update/init.yml
@@ -5,6 +5,7 @@
   - system.jenkins.client.job.deploy.update.update_mirror_image
   - system.jenkins.client.job.deploy.update.update_ceph
   - system.jenkins.client.job.deploy.update.upgrade
+  - system.jenkins.client.job.deploy.update.upgrade_rabbitmq
   - system.jenkins.client.job.deploy.update.upgrade_compute
   - system.jenkins.client.job.deploy.update.upgrade_mcp_release
   - system.jenkins.client.job.deploy.update.upgrade_ovs_gateway
@@ -18,3 +19,7 @@
   - system.jenkins.client.job.deploy.update.cloud_update
   - system.jenkins.client.job.deploy.update.kubernetes_update
   - system.jenkins.client.job.deploy.galera_verify_restore
+  - system.jenkins.client.job.deploy.update.update_glusterfs
+  - system.jenkins.client.job.deploy.update.update_glusterfs_servers
+  - system.jenkins.client.job.deploy.update.update_glusterfs_clients
+  - system.jenkins.client.job.deploy.update.update_glusterfs_cluster_op_version
diff --git a/jenkins/client/job/deploy/update/kubernetes_update.yml b/jenkins/client/job/deploy/update/kubernetes_update.yml
index 454d92b..ee77583 100644
--- a/jenkins/client/job/deploy/update/kubernetes_update.yml
+++ b/jenkins/client/job/deploy/update/kubernetes_update.yml
@@ -2,8 +2,6 @@
 # Jobs to update cloud packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/package.yml b/jenkins/client/job/deploy/update/package.yml
index acf1f62..65a4ac3 100644
--- a/jenkins/client/job/deploy/update/package.yml
+++ b/jenkins/client/job/deploy/update/package.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/reclass_update_check.yml b/jenkins/client/job/deploy/update/reclass_update_check.yml
index cec8d79..dd279b3 100644
--- a/jenkins/client/job/deploy/update/reclass_update_check.yml
+++ b/jenkins/client/job/deploy/update/reclass_update_check.yml
@@ -2,8 +2,6 @@
 # Jobs to to check new Reclass package version compatibility with model
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/restore_cassandra.yml b/jenkins/client/job/deploy/update/restore_cassandra.yml
index 34179af..8b18eb1 100644
--- a/jenkins/client/job/deploy/update/restore_cassandra.yml
+++ b/jenkins/client/job/deploy/update/restore_cassandra.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/restore_zookeeper.yml b/jenkins/client/job/deploy/update/restore_zookeeper.yml
index ebb57f7..3d0dc05 100644
--- a/jenkins/client/job/deploy/update/restore_zookeeper.yml
+++ b/jenkins/client/job/deploy/update/restore_zookeeper.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/saltenv.yml b/jenkins/client/job/deploy/update/saltenv.yml
index 734a4e5..f2b38d2 100644
--- a/jenkins/client/job/deploy/update/saltenv.yml
+++ b/jenkins/client/job/deploy/update/saltenv.yml
@@ -3,7 +3,6 @@
 #
 parameters:
   _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
     jenkins_salt_model_name: "salt"
     jenkins_salt_model_branch: "master"
   jenkins:
diff --git a/jenkins/client/job/deploy/update/update_ceph.yml b/jenkins/client/job/deploy/update/update_ceph.yml
index dd8bf58..4b7603b 100644
--- a/jenkins/client/job/deploy/update/update_ceph.yml
+++ b/jenkins/client/job/deploy/update/update_ceph.yml
@@ -2,8 +2,6 @@
 # Jobs to run given states on given Salt master environment's
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/update_glusterfs.yml b/jenkins/client/job/deploy/update/update_glusterfs.yml
new file mode 100644
index 0000000..dfdfc9e
--- /dev/null
+++ b/jenkins/client/job/deploy/update/update_glusterfs.yml
@@ -0,0 +1,31 @@
+#
+# Jobs to run given states on given Salt master environment's
+#
+parameters:
+  jenkins:
+    client:
+      job:
+        update-glusterfs:
+          type: workflow-scm
+          description: This is a general job which runs "Update glusterfs servers", "Update glusterfs clients" and "Update glusterfs cluster.op-version" jobs with default parameters. If you need/want better control of update process use those jobs.
+          concurrent: true
+          discard:
+            build:
+              keep_num: 10
+            artifact:
+              keep_num: 10
+          display_name: "Update GlusterFS"
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: "gerrit"
+            script: update-glusterfs.groovy
+          param:
+            DRIVE_TRAIN_PARAMS:
+              type: text
+              description: "Yaml based DriveTrain releated params"
+              default: |
+                ---
+                SALT_MASTER_URL: "${_param:jenkins_salt_api_url}"
+                SALT_MASTER_CREDENTIALS: "salt"
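Review bot: `concurrent: true` on `update-glusterfs` allows two builds of this update job to run against the same cluster at once, and nothing in the job definition serialises them; whether the pipeline script takes a lock is not visible here. For a job that updates storage packages I would set `concurrent: false`, as the `cvp-tempest` job added in jenkins/client/job/validate.yml does. The same setting appears in the update_glusterfs_clients, update_glusterfs_servers, update_glusterfs_cluster_op_version and upgrade_rabbitmq job files added by this commit. The header comment is copied from another class file; `# Jobs to update GlusterFS on the given Salt master environment` would describe this one, and `releated` in the parameter description should read `related`.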
diff --git a/jenkins/client/job/deploy/update/update_glusterfs_clients.yml b/jenkins/client/job/deploy/update/update_glusterfs_clients.yml
new file mode 100644
index 0000000..48a393c
--- /dev/null
+++ b/jenkins/client/job/deploy/update/update_glusterfs_clients.yml
@@ -0,0 +1,37 @@
+#
+# Jobs to run given states on given Salt master environment's
+#
+parameters:
+  jenkins:
+    client:
+      job:
+        update-glusterfs-clients:
+          type: workflow-scm
+          description: Update glusterfs-client package on corresponding hosts
+          concurrent: true
+          discard:
+            build:
+              keep_num: 10
+            artifact:
+              keep_num: 10
+          display_name: "Update glusterfs clients"
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: "gerrit"
+            script: update-glusterfs-clients.groovy
+          param:
+            DRIVE_TRAIN_PARAMS:
+              type: text
+              description: "Yaml based DriveTrain releated params"
+              default: |
+                ---
+                SALT_MASTER_URL: "${_param:jenkins_salt_api_url}"
+                SALT_MASTER_CREDENTIALS: "salt"
+                # Salt compound target to match nodes to be updated [*, G@osfamily:debian].
+                TARGET_SERVERS: "I@glusterfs:client"
+                # Does not validate server availability/status before update
+                IGNORE_SERVER_STATUS: false
+                # Does not validate that all servers have been updated
+                IGNORE_SERVER_VERSION: false
diff --git a/jenkins/client/job/deploy/update/update_glusterfs_cluster_op_version.yml b/jenkins/client/job/deploy/update/update_glusterfs_cluster_op_version.yml
new file mode 100644
index 0000000..24b1217
--- /dev/null
+++ b/jenkins/client/job/deploy/update/update_glusterfs_cluster_op_version.yml
@@ -0,0 +1,37 @@
+#
+# Jobs to run given states on given Salt master environment's
+#
+parameters:
+  jenkins:
+    client:
+      job:
+        update-glusterfs-cluster-op-version:
+          type: workflow-scm
+          description: Update cluster.op-version global option
+          concurrent: true
+          discard:
+            build:
+              keep_num: 10
+            artifact:
+              keep_num: 10
+          display_name: "Update glusterfs cluster.op-version"
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: "gerrit"
+            script: update-glusterfs-cluster-op-version.groovy
+          param:
+            DRIVE_TRAIN_PARAMS:
+              type: text
+              description: "Yaml based DriveTrain releated params"
+              default: |
+                ---
+                SALT_MASTER_URL: "${_param:jenkins_salt_api_url}"
+                SALT_MASTER_CREDENTIALS: "salt"
+                # GlusterFS cluster.op-verion option to set. Leave it empty to get proper version from cluster.max-op-version if available.
+                CLUSTER_OP_VERSION: ''
+                # Does not validate that all servers have been updated
+                IGNORE_SERVER_VERSION: false
+                # Does not validate that all clients have been updated
+                IGNORE_CLIENT_VERSION: false
diff --git a/jenkins/client/job/deploy/update/update_glusterfs_servers.yml b/jenkins/client/job/deploy/update/update_glusterfs_servers.yml
new file mode 100644
index 0000000..97f4e77
--- /dev/null
+++ b/jenkins/client/job/deploy/update/update_glusterfs_servers.yml
@@ -0,0 +1,37 @@
+#
+# Jobs to run given states on given Salt master environment's
+#
+parameters:
+  jenkins:
+    client:
+      job:
+        update-glusterfs-servers:
+          type: workflow-scm
+          description: Update glusterfs-server package on corresponding hosts
+          concurrent: true
+          discard:
+            build:
+              keep_num: 10
+            artifact:
+              keep_num: 10
+          display_name: "Update glusterfs servers"
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: "gerrit"
+            script: update-glusterfs-servers.groovy
+          param:
+            DRIVE_TRAIN_PARAMS:
+              type: text
+              description: "Yaml based DriveTrain releated params"
+              default: |
+                ---
+                SALT_MASTER_URL: "${_param:jenkins_salt_api_url}"
+                SALT_MASTER_CREDENTIALS: "salt"
+                # Salt compound target to match nodes to be updated [*, G@osfamily:debian].
+                TARGET_SERVERS: "I@glusterfs:server"
+                # Does not validate server availability/status before update
+                IGNORE_SERVER_STATUS: false
+                # Update GlusterFS even there is a non-replicated volume
+                IGNORE_NON_REPLICATED_VOLUMES: false
diff --git a/jenkins/client/job/deploy/update/update_mirror_image.yml b/jenkins/client/job/deploy/update/update_mirror_image.yml
index 73fd434..96e905c 100644
--- a/jenkins/client/job/deploy/update/update_mirror_image.yml
+++ b/jenkins/client/job/deploy/update/update_mirror_image.yml
@@ -2,8 +2,6 @@
 # Jobs to update Salt master environment (formulas and models)
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
@@ -67,4 +65,4 @@
               default: 'true'
             UPDATE_FILES:
               type: boolean
-              default: 'true'
\ No newline at end of file
+              default: 'true'
diff --git a/jenkins/client/job/deploy/update/update_opencontrail4.yml b/jenkins/client/job/deploy/update/update_opencontrail4.yml
index 72ea870..e89d622 100644
--- a/jenkins/client/job/deploy/update/update_opencontrail4.yml
+++ b/jenkins/client/job/deploy/update/update_opencontrail4.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/upgrade.yml b/jenkins/client/job/deploy/update/upgrade.yml
index f4f5630..e3b60e1 100644
--- a/jenkins/client/job/deploy/update/upgrade.yml
+++ b/jenkins/client/job/deploy/update/upgrade.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/upgrade_compute.yml b/jenkins/client/job/deploy/update/upgrade_compute.yml
index b4628fa..ed5a222 100644
--- a/jenkins/client/job/deploy/update/upgrade_compute.yml
+++ b/jenkins/client/job/deploy/update/upgrade_compute.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/upgrade_mcp_release.yml b/jenkins/client/job/deploy/update/upgrade_mcp_release.yml
index a4821f9..9d46def 100644
--- a/jenkins/client/job/deploy/update/upgrade_mcp_release.yml
+++ b/jenkins/client/job/deploy/update/upgrade_mcp_release.yml
@@ -2,8 +2,6 @@
 # Jobs to upgrade MCP release
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/upgrade_opencontrail.yml b/jenkins/client/job/deploy/update/upgrade_opencontrail.yml
index 0b0d945..64c3aff 100644
--- a/jenkins/client/job/deploy/update/upgrade_opencontrail.yml
+++ b/jenkins/client/job/deploy/update/upgrade_opencontrail.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/upgrade_opencontrail4_0.yml b/jenkins/client/job/deploy/update/upgrade_opencontrail4_0.yml
index c1f448c..2d7ed69 100644
--- a/jenkins/client/job/deploy/update/upgrade_opencontrail4_0.yml
+++ b/jenkins/client/job/deploy/update/upgrade_opencontrail4_0.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml b/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
index 76bf436..9d31352 100644
--- a/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
+++ b/jenkins/client/job/deploy/update/upgrade_ovs_gateway.yml
@@ -2,8 +2,6 @@
 # Jobs to update packages on given Salt master environment
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/upgrade_rabbitmq.yml b/jenkins/client/job/deploy/update/upgrade_rabbitmq.yml
new file mode 100644
index 0000000..73c2f1f
--- /dev/null
+++ b/jenkins/client/job/deploy/update/upgrade_rabbitmq.yml
@@ -0,0 +1,46 @@
+#
+# Jobs to upgrade RabbitMQ packages on given Salt master environment
+#
+parameters:
+  jenkins:
+    client:
+      job:
+        deploy-upgrade-rabbitmq:
+          type: workflow-scm
+          concurrent: true
+          discard:
+            build:
+              keep_num: 10
+            artifact:
+              keep_num: 10
+          display_name: "Deploy - upgrade RabbitMQ server"
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: "gerrit"
+            script: openstack-rabbitmq-upgrade.groovy
+          param:
+            SALT_MASTER_URL:
+              type: string
+              default: "${_param:jenkins_salt_api_url}"
+            SALT_MASTER_CREDENTIALS:
+              type: string
+              default: "salt"
+            OS_DIST_UPGRADE:
+              type: boolean
+              default: 'false'
+              description: "Upgrade system packages including kernel (apt-get dist-upgrade)"
+            OS_UPGRADE:
+              type: boolean
+              default: 'false'
+              description: "Upgrade all installed applications (apt-get upgrade)"
+            INTERACTIVE:
+              type: boolean
+              default: 'true'
+              description: "Ask interactive questions during pipeline run (bool)"
+            TARGET_SERVERS:
+              type: string
+              default: 'msg*'
+              description: "Salt compound expression to get messaging servers to upgrade."
+
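Review bot: `TARGET_SERVERS` defaults to the hostname glob `'msg*'`, so the upgrade (which can run `apt-get dist-upgrade` when `OS_DIST_UPGRADE` is set) targets any minion whose ID starts with `msg`, whether or not it runs RabbitMQ. The GlusterFS jobs in this commit select by pillar (`"I@glusterfs:server"`); a pillar match such as `default: 'I@rabbitmq:server'` would be the equivalent here, assuming the pipeline accepts a compound expression as the description says. The job also has no `description:` and the file ends with an extra blank line.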
diff --git a/jenkins/client/job/deploy/update/upgrade_stacklight.yml b/jenkins/client/job/deploy/update/upgrade_stacklight.yml
index d7279a6..578fd28 100644
--- a/jenkins/client/job/deploy/update/upgrade_stacklight.yml
+++ b/jenkins/client/job/deploy/update/upgrade_stacklight.yml
@@ -2,8 +2,6 @@
 # Jobs to process Stacklight update
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
diff --git a/jenkins/client/job/deploy/update/virt_snapshot.yml b/jenkins/client/job/deploy/update/virt_snapshot.yml
index be92c8d..feada8a 100644
--- a/jenkins/client/job/deploy/update/virt_snapshot.yml
+++ b/jenkins/client/job/deploy/update/virt_snapshot.yml
@@ -2,8 +2,6 @@
 # Job to manage libvirt live snapshots
 #
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       job:
@@ -57,7 +55,7 @@
               type: string
               default: "snapshot1"
               description: "Snapshot name"
-            PATH:
+            LIBVIRT_IMAGES_PATH:
               type: string
               default: "/var/lib/libvirt/images"
               description: "Path where snapshot image and dumpxml are being put"
diff --git a/jenkins/client/job/validate.yml b/jenkins/client/job/validate.yml
index 176018c..e4e628a 100644
--- a/jenkins/client/job/validate.yml
+++ b/jenkins/client/job/validate.yml
@@ -1,6 +1,4 @@
 parameters:
-  _param:
-    jenkins_salt_api_url: "http://${_param:salt_master_host}:6969"
   jenkins:
     client:
       view:
@@ -196,10 +194,6 @@
             credentials: "gerrit"
             script: cvp-runner.groovy
           param:
-            DEBUG_MODE:
-              type: boolean
-              default: 'false'
-              description: Enable if you need to keep container after the test and debug
             IMAGE:
               type: string
               default: ${_param:docker_image_cvp_sanity_checks}
@@ -211,22 +205,12 @@
             SALT_MASTER_CREDENTIALS:
               type: string
               default: "salt"
-            TESTS_REPO:
-              type: string
-              default: ""
-              description: Url for cvp-sanity-checks
-            TESTS_SETTINGS:
-              type: string
-              default: ""
-              description: e.g. skipped_nodes=nal01.local.com,ntw01.local.com
-            TESTS_SET:
-              type: string
-              default: "cvp-sanity/cvp_checks/tests"
-              description: "Leave as is for full run or add a filename, e.g. _default_path_/test_mtu.py"
-            PROXY:
-              type: string
-              default: ""
-              description: "Proxy address to use to access the Internet. For offline mode, use \"offline\" value."
+            EXTRA_PARAMS:
+              type: text
+              default: |
+                envs:
+                  - tests_set=''
+              description: "YAML context with additional parameters, e.g. skipped_nodes=nal01.local.com,ntw01.local.com or tests_set='tests/test_mtu.py'"
         cvp-func:
           type: workflow-scm
           name: cvp-func
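Review bot: The `EXTRA_PARAMS` description gives `skipped_nodes=...` and `tests_set='tests/test_mtu.py'` as examples but does not say they must be items of the `envs:` list shown in the default, and it calls the value a "YAML context" while the examples are `key=value` strings. Since this one free-text field replaces four typed parameters, I would spell the shape out, e.g. `description: "YAML with an 'envs' list of key=value items, e.g. '- skipped_nodes=nal01.local.com,ntw01.local.com' or '- tests_set=tests/test_mtu.py'"`. How the pipeline parses and exports these items is outside this diff; it should treat them as data and not pass them to a shell unquoted. The enclosing job definition starts above this hunk.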
@@ -262,7 +246,7 @@
               description: Credentials to the Salt API
             TEST_IMAGE:
               type: string
-              default: "xrally/xrally-openstack:0.10.1"
+              default: "xrally/xrally-openstack:0.11.2"
               description: Docker image to use for running Rally/Tempest
             TARGET_NODE:
               type: string
@@ -289,7 +273,7 @@
               description: URL to Tempest repo (local or remote) or path to tempest folder in container
             TOOLS_REPO:
               type: string
-              default: "https://github.com/Mirantis/cvp-configuration"
+              default: "https://github.com/Mirantis/cvp-configuration -b 2019.2.0"
               description: URL of repo where testing tools, scenarios, configs are located.
         cvp-ha:
           type: workflow-scm
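Review bot: The new `TOOLS_REPO` default, `"https://github.com/Mirantis/cvp-configuration -b 2019.2.0"`, puts a git option into a field described as a URL, which only works if the pipeline splices the parameter into a `git clone` command line without quoting. That is presumably what happens (the script is not part of this diff), and it means the field is interpreted as command-line text, so anyone allowed to start the job with parameters controls more than a URL. A separate new parameter keeps the URL a URL, e.g. `TOOLS_REPO_BRANCH:` with `default: "2019.2.0"`, passed to git as its own quoted argument. The same default is introduced in the `@@ -358,8 +342,53 @@` and `@@ -403,7 +432,7 @@` hunks of this file.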
@@ -322,7 +306,7 @@
               description: Node where container with tempest will be run
             TEST_IMAGE:
               type: string
-              default: "xrally/xrally-openstack:0.10.1"
+              default: "xrally/xrally-openstack:0.11.2"
               description: Docker image to use for running Rally/Tempest
             TARGET_NODES:
               type: string
@@ -358,8 +342,53 @@
               description: Can be repo url (local or remote) or path to folder (inside container) with Tempest
             TOOLS_REPO:
               type: string
-              default: "https://github.com/Mirantis/cvp-configuration"
+              default: "https://github.com/Mirantis/cvp-configuration -b 2019.2.0"
               description: URL of repo where testing tools, scenarios, configs are located.
+        cvp-tempest:
+          type: workflow-scm
+          name: cvp-tempest
+          display_name: "CVP-Tempest (technical preview)"
+          discard:
+            build:
+              keep_num: 20
+            artifact:
+              keep_num: 20
+          concurrent: false
+          scm:
+            type: git
+            url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
+            branch: "${_param:jenkins_pipelines_branch}"
+            credentials: "gerrit"
+            script: cvp-tempest.groovy
+          param:
+            PREPARE_RESOURCES:
+              type: boolean
+              default: true
+              description: Prepare resources for Tempest
+            SALT_MASTER_URL:
+              type: string
+              default: "${_param:jenkins_salt_api_url}"
+              description: SALT_MASTER_URL
+            TEMPEST_TEST_PATTERN:
+              type: string
+              default: "set=smoke"
+              description: Use set=smoke, set=full or just test name (regex)
+            TEMPEST_ENDPOINT_TYPE:
+              type: choice
+              choices:
+                - internalURL
+                - adminURL
+                - publicURL
+              description: Openstack endpoint type to use during test run.
+            EXTRA_PARAMS:
+              type: text
+              default:  |
+                ---
+                  DEBUG_MODE: false
+                  GENERATE_CONFIG: true
+                  TEST_IMAGE: "docker-prod-virtual.docker.mirantis.net/mirantis/cicd/ci-tempest:${_param:openstack_version}"
+                  report_prefix: "cvp_"
+              description: YAML context with additional parameters
         cvp-perf:
           type: workflow-scm
           name: cvp-perf
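Review bot: In the new `cvp-tempest` job, `PREPARE_RESOURCES` uses a bare `default: true`, whereas the other boolean job parameters in this commit give the default as a quoted string (`default: 'false'` in upgrade_rabbitmq.yml); use the quoted form here too unless the Jenkins formula is known to accept both. The `EXTRA_PARAMS` default has a doubled space in `default:  |` and indents its keys two spaces under `---`, unlike the GlusterFS job files, which start the mapping at the same column as `---`. `TEST_IMAGE` in that block is pinned only by the `${_param:openstack_version}` tag, so what runs depends on whatever the registry serves for that tag at pull time; pinning by digest would remove that dependency.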
@@ -387,7 +416,7 @@
               description: Path to scenario file in container
             TEST_IMAGE:
               type: string
-              default: "xrally/xrally-openstack:0.10.1"
+              default: "xrally/xrally-openstack:0.11.2"
               description: Docker image to use for running Rally/Tempest
             SALT_MASTER_URL:
               type: string
@@ -403,7 +432,7 @@
               description: Node where docker container with Rally will be run
             TOOLS_REPO:
               type: string
-              default: "https://github.com/Mirantis/cvp-configuration"
+              default: "https://github.com/Mirantis/cvp-configuration -b 2019.2.0"
               description: URL of repo where testing tools, scenarios, configs are located.
             PROXY:
               type: string
@@ -424,8 +453,12 @@
             url: "${_param:jenkins_gerrit_url}/mk/mk-pipelines"
             branch: "${_param:jenkins_pipelines_branch}"
             credentials: "gerrit"
-            script: cvp-stacklight.groovy
+            script: cvp-runner.groovy
           param:
+            IMAGE:
+              type: string
+              default: ${_param:docker_image_cvp_sanity_checks}
+              description: Docker image with tests and all pip dependecies to use for testing
             SALT_MASTER_URL:
               type: string
               default: "${_param:jenkins_salt_api_url}"
@@ -433,22 +466,12 @@
             SALT_MASTER_CREDENTIALS:
               type: string
               default: "salt"
-            TESTS_REPO:
-              type: string
-              default: "http://gerrit.mcp.mirantis.com/mcp/stacklight-pytest -b release/2019.2.0"
-              description: Url for cvp-stacklight-tests
-            TESTS_SETTINGS:
-              type: string
-              default: "SL_AUTOCONF=True;PYTHONPATH=./stacklight-pytest"
-              description: "Additional environment variables to export"
-            TESTS_SET:
-              type: string
-              default: "stacklight-pytest/stacklight_tests/tests/"
-              description: "Leave as is for full run or add a filename, e.g. _default_path_/test_dashboards.py"
-            PROXY:
-              type: string
-              default: ""
-              description: "Proxy address to use to access the Internet."
+            EXTRA_PARAMS:
+              type: text
+              default: |
+                envs:
+                  - SL_AUTOCONF=True
+              description: YAML context with additional parameters
         cvp-spt:
           type: workflow-scm
           name: cvp-spt
@@ -466,10 +489,6 @@
             credentials: "gerrit"
             script: cvp-runner.groovy
           param:
-            DEBUG_MODE:
-              type: boolean
-              default: 'false'
-              description: Enable if you need to keep container after the test and debug
             IMAGE:
               type: string
               default: ${_param:docker_image_cvp_sanity_checks}
@@ -481,22 +500,14 @@
             SALT_MASTER_CREDENTIALS:
               type: string
               default: "salt"
-            TESTS_REPO:
-              type: string
-              default: ""
-              description: Url for cvp-spt repository
-            TESTS_SETTINGS:
-              type: string
-              default: ""
-              description: "Additional environment variables to export, e.g. image_name, networks, HW_NODES"
-            TESTS_SET:
-              type: string
-              default: "cvp-spt/cvp_spt/tests"
-              description: "Leave as is for full run or add a filename, e.g. _default_path_/test_glance.py"
-            PROXY:
-              type: string
-              default: ""
-              description: "Proxy address to use to access the Internet. For offline mode, use \"offline\" value."
+            EXTRA_PARAMS:
+              type: text
+              default: |
+                envs:
+                  - tests_set=''
+                  - image_name='Ubuntu'
+                  - networks=10.101.0.0/24
+              description: 'YAML context with additional parameters. Additional params: HW_NODES, CMP_HOSTS, salt_timeout, skipped_nodes, nova_timeout, iperf_prep_string, IMAGE_SIZE_MB'
         cvp-shaker:
           type: workflow-scm
           name: cvp-shaker
diff --git a/jenkins/client/node.yml b/jenkins/client/node.yml
index e5e4d3b..2de0022 100644
--- a/jenkins/client/node.yml
+++ b/jenkins/client/node.yml
@@ -7,8 +7,7 @@
         master:
           node_mode: Exclusive
           remote_home: /var/lib/jenkins
-          labels:
-            - python
+          num_executors: 0
           launcher:
             type: master
         slave01:
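Review bot: Dropping the `python` label from `master` together with `num_executors: 0` means any job or pipeline stage restricted to the `python` label will wait in the queue unless an agent carries that label; the agents' labels (`slave01` onward) are outside this hunk, so this needs checking. A one-line comment would also record the intent for the next maintainer, e.g. `# no builds on the master; all jobs run on agents`.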
diff --git a/jenkins/client/security/csrf.yml b/jenkins/client/security/csrf.yml
new file mode 100644
index 0000000..e9c8606
--- /dev/null
+++ b/jenkins/client/security/csrf.yml
@@ -0,0 +1,6 @@
+parameters:
+  jenkins:
+    client:
+      security:
+        csrf:
+          enabled: True
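Review bot: `enabled: True` should be written `enabled: true`; the capitalised form is accepted by the loader but the rest of this commit uses lowercase booleans (`enabled: true` in keystone/client/v3/service/radosgw-swift.yml) and linters flag the mixed style. The file also lacks the short header comment that the job class files carry, e.g. `# Enable CSRF protection (crumb issuer) on the Jenkins master`. The setting only applies to models that include this class, and no include is visible in this part of the diff, so it is worth confirming that a default class pulls it in.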
diff --git a/jenkins/client/security/ldap.yml b/jenkins/client/security/ldap.yml
index ba53570..d47e74f 100644
--- a/jenkins/client/security/ldap.yml
+++ b/jenkins/client/security/ldap.yml
@@ -1,7 +1,6 @@
 parameters:
   _param:
     jenkins_security_ldap_manager_dn: ''
-    jenkins_security_ldap_manager_password: ''
     jenkins_security_ldap_user_search_filter: 'uid={0}'
     jenkins_security_ldap_user_search_base: ''
     jenkins_security_ldap_group_search_base: ''
diff --git a/jenkins/slave/init.yml b/jenkins/slave/init.yml
index 20dc641..a0d3e0e 100644
--- a/jenkins/slave/init.yml
+++ b/jenkins/slave/init.yml
@@ -7,7 +7,6 @@
     java_environment_version: "8"
     java_environment_platform: openjdk
     jenkins_slave_user: none
-    jenkins_slave_password: none
     jenkins_master_host: ${_param:control_vip_address}
   java:
     environment:
@@ -23,8 +22,8 @@
         port: ${_param:jenkins_master_port}
         protocol: ${_param:jenkins_master_protocol}
       user:
-        name: ${_param:jenkins_slave_user}
-        password: ${_param:jenkins_slave_password}
+        name: ${_param:jenkins_client_user}
+        password: ${_param:jenkins_client_password}
   linux:
     system:
       user:
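Review bot: The agent now connects with `${_param:jenkins_client_user}` / `${_param:jenkins_client_password}`, which by its name is the account the Jenkins client state uses to configure the master; if that account has administrative rights (not visible here), every agent host ends up holding an admin credential. A dedicated agent account limited to connecting agents would keep the impact of a compromised agent host smaller, e.g. keep `name: ${_param:jenkins_slave_user}` and require `jenkins_slave_password` from the cluster model instead of giving it a default. `jenkins_slave_user: none` is still defined in the previous hunk but is no longer used for the connection, so it should either be removed or documented.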
diff --git a/keepalived/cluster/instance/kube_api_server_vip.yml b/keepalived/cluster/instance/kube_api_server_vip.yml
index f7fbce8..42d95f1 100644
--- a/keepalived/cluster/instance/kube_api_server_vip.yml
+++ b/keepalived/cluster/instance/kube_api_server_vip.yml
@@ -8,7 +8,6 @@
     keepalived_kube_apiserver_vrrp_script_content: "pidof haproxy && systemctl status kube-apiserver.service --quiet --no-pager"
     keepalived_k8s_apiserver_vip_interface: ens3
     keepalived_k8s_apiserver_vip_address: ${_param:kubernetes_control_address}
-    keepalived_k8s_apiserver_vip_password: password
   keepalived:
     cluster:
       vrrp_scripts:
@@ -25,4 +24,4 @@
           interface: ${_param:keepalived_k8s_apiserver_vip_interface}
           virtual_router_id: 60
           priority: ${_param:keepalived_vip_priority}
-          track_script: k8s_vip
\ No newline at end of file
+          track_script: k8s_vip
diff --git a/keepalived/cluster/instance/openstack_barbican_vip.yml b/keepalived/cluster/instance/openstack_barbican_vip.yml
index 3c733c4..f6e430f 100644
--- a/keepalived/cluster/instance/openstack_barbican_vip.yml
+++ b/keepalived/cluster/instance/openstack_barbican_vip.yml
@@ -3,7 +3,6 @@
 parameters:
   _param:
     keepalived_openstack_barbican_vip_address: ${_param:cluster_vip_address}
-    keepalived_openstack_barbican_vip_password: password
     keepalived_openstack_barbican_vip_interface: eth1
     keepalived_vip_virtual_router_id: 250
     keepalived_vip_address: ${_param:keepalived_openstack_barbican_vip_address}
diff --git a/keepalived/cluster/instance/openstack_baremetal_vip.yml b/keepalived/cluster/instance/openstack_baremetal_vip.yml
index 355cf53..fe2b527 100644
--- a/keepalived/cluster/instance/openstack_baremetal_vip.yml
+++ b/keepalived/cluster/instance/openstack_baremetal_vip.yml
@@ -5,7 +5,6 @@
 parameters:
   _param:
     keepalived_openstack_baremetal_vip_address: ${_param:cluster_baremetal_vip_address}
-    keepalived_openstack_baremetal_password: password
     keepalived_openstack_baremetal_vip_interface: eth1
     keepalived_openstack_baremetal_vip_virtual_router_id: 132
     keepalived_openstack_baremetal_vip_priority: ${_param:keepalived_vip_priority}
diff --git a/keepalived/cluster/instance/openstack_manila_vip.yml b/keepalived/cluster/instance/openstack_manila_vip.yml
index d8330c4..b87d998 100644
--- a/keepalived/cluster/instance/openstack_manila_vip.yml
+++ b/keepalived/cluster/instance/openstack_manila_vip.yml
@@ -3,7 +3,6 @@
 parameters:
   _param:
     keepalived_openstack_manila_vip_address: ${_param:cluster_vip_address}
-    keepalived_openstack_manila_vip_password: password
     keepalived_openstack_manila_vip_interface: eth1
     keepalived_vip_virtual_router_id: 235
     keepalived_vip_address: ${_param:keepalived_openstack_manila_vip_address}
diff --git a/keepalived/cluster/instance/openstack_telemetry_vip.yml b/keepalived/cluster/instance/openstack_telemetry_vip.yml
index 5dc91a1..92aa048 100644
--- a/keepalived/cluster/instance/openstack_telemetry_vip.yml
+++ b/keepalived/cluster/instance/openstack_telemetry_vip.yml
@@ -3,7 +3,6 @@
 parameters:
   _param:
     keepalived_openstack_telemetry_vip_address: ${_param:cluster_vip_address}
-    keepalived_openstack_telemetry_vip_password: password
     keepalived_openstack_telemetry_vip_interface: eth1
     keepalived_vip_virtual_router_id: 230
     keepalived_vip_address: ${_param:keepalived_openstack_telemetry_vip_address}
diff --git a/keepalived/cluster/instance/openstack_web_public_vip.yml b/keepalived/cluster/instance/openstack_web_public_vip.yml
index 363f23b..3efebd2 100644
--- a/keepalived/cluster/instance/openstack_web_public_vip.yml
+++ b/keepalived/cluster/instance/openstack_web_public_vip.yml
@@ -5,7 +5,6 @@
 parameters:
   _param:
     keepalived_openstack_web_public_vip_address: ${_param:cluster_vip_address}
-    keepalived_openstack_web_public_vip_password: password
     keepalived_openstack_web_public_vip_interface: eth1
   keepalived:
     cluster:
diff --git a/keystone/client/service/radosgw-swift.yml b/keystone/client/service/radosgw-swift.yml
index e93f9b4..c8b6569 100644
--- a/keystone/client/service/radosgw-swift.yml
+++ b/keystone/client/service/radosgw-swift.yml
@@ -8,6 +8,8 @@
     client:
       server:
         identity:
+          roles:
+          - ResellerAdmin
           project:
             service:
               user:
@@ -16,6 +18,11 @@
                   password: ${_param:keystone_swift_password}
                   email: ${_param:admin_email}
                   options: ${_param:openstack_service_user_options}
+            admin:
+              user:
+                admin:
+                  roles:
+                  - ResellerAdmin
           service:
             radosgw-swift:
               type: object-store
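Review bot: The `admin` user is given `ResellerAdmin` in the second hunk (and again in the `keystone/client/v3/service/radosgw-swift.yml` hunk, with `project_id: admin`) without any comment recording why the grant is needed. `ResellerAdmin` is conventionally the object-store role that can act on other accounts' containers, so a reader auditing role assignments will want the justification next to it. I would add a line above the new `admin:` key such as `# ResellerAdmin on admin: required by <consumer of this role>; remove if that consumer is not deployed`. The surrounding `identity:` mapping starts outside the hunk, so whether other users already hold this role cannot be checked from here.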
diff --git a/keystone/client/v3/service/radosgw-swift.yml b/keystone/client/v3/service/radosgw-swift.yml
index ca06fed..2e78bb9 100644
--- a/keystone/client/v3/service/radosgw-swift.yml
+++ b/keystone/client/v3/service/radosgw-swift.yml
@@ -6,6 +6,10 @@
     client:
       resources:
         v3:
+          roles:
+            reseller_admin:
+              name: ResellerAdmin
+              enabled: true
           users:
             swift:
               password: ${_param:keystone_swift_password}
@@ -15,6 +19,11 @@
                 service_admin:
                   name: admin
                   project_id: service
+            admin:
+              roles:
+                reseller_admin:
+                  name: ResellerAdmin
+                  project_id: admin
           services:
             radosgw-swift:
               type: object-store
diff --git a/keystone/server/cluster.yml b/keystone/server/cluster.yml
index 7e9ea1b..824c6b5 100644
--- a/keystone/server/cluster.yml
+++ b/keystone/server/cluster.yml
@@ -37,7 +37,7 @@
       region: ${_param:openstack_region}
       bind:
         address: ${_param:cluster_local_address}
-        private_address: ${_param:cluster_vip_address}
+        private_address: ${_param:openstack_service_host}
         private_port: 35357
         public_address: ${_param:cluster_vip_address}
         public_port: 5000
diff --git a/keystone/server/single.yml b/keystone/server/single.yml
index 9663488..014a6dc 100644
--- a/keystone/server/single.yml
+++ b/keystone/server/single.yml
@@ -9,10 +9,8 @@
 parameters:
   _param:
     keystone_service_token: token
-    keystone_admin_password: password
     mysql_admin_user: root
-    mysql_admin_password: password
-    mysql_keystone_password: password
+    keystone_tokens_expiration: 3600
     openstack_node_role: primary
     keystone_service_protocol: ${_param:cluster_internal_protocol}
   linux:
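Review bot: The context line `keystone_service_token: token` still ships a guessable static default after this hunk removes the three `password` defaults beside it. If the token is consumed the same way as the removed passwords (the opencontrail classes later in this diff read `${_param:keystone_service_token}`), it deserves the same treatment: drop the default so an unset value fails at model compilation instead of deploying with `token`. Only part of the `_param` block is visible here, so other remaining defaults may need the same check.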
diff --git a/kibana/client/ssl.yml b/kibana/client/ssl.yml
new file mode 100644
index 0000000..76160c6
--- /dev/null
+++ b/kibana/client/ssl.yml
@@ -0,0 +1,5 @@
+parameters:
+  kibana:
+    client:
+      server:
+        scheme: https
diff --git a/kibana/server/single.yml b/kibana/server/single.yml
index 965f274..5c59588 100644
--- a/kibana/server/single.yml
+++ b/kibana/server/single.yml
@@ -13,4 +13,5 @@
         engine: elasticsearch
         host: ${_param:kibana_elasticsearch_host}
         port: 9200
+        scheme: http
 
diff --git a/kibana/server/ssl.yml b/kibana/server/ssl.yml
new file mode 100644
index 0000000..5b049f8
--- /dev/null
+++ b/kibana/server/ssl.yml
@@ -0,0 +1,5 @@
+parameters:
+  kibana:
+    server:
+      database:
+        scheme: https
diff --git a/kubernetes/common/init.yml b/kubernetes/common/init.yml
index 3ab1085..4153f57 100644
--- a/kubernetes/common/init.yml
+++ b/kubernetes/common/init.yml
@@ -38,9 +38,9 @@
     kubernetes_calico_cni_source_hash: md5=2544bc1865c1451cac7a61264c25a2cb
     kubernetes_calico_cni_ipam_source: ${_param:kubernetes_calico_cni_repo}/calico-ipam-v3.3.2
     kubernetes_calico_cni_ipam_source_hash: md5=b22623eeea3b29ba8ec071d859ac7055
-    kubernetes_hyperkube_source: ${_param:kubernetes_hyperkube_repo}/hyperkube_v1.13.5-3_1553734030770
-    kubernetes_hyperkube_source_hash: md5=50e76be5db36adcffe24ede633e428d2
-    kubernetes_pause_image: ${_param:mcp_docker_registry}/mirantis/kubernetes/pause-amd64:v1.13.5-3
+    kubernetes_hyperkube_source: ${_param:kubernetes_hyperkube_repo}/hyperkube_v1.13.6-4_1559029385616
+    kubernetes_hyperkube_source_hash: md5=0746e3e541794b1a85f7c55e8280bdd7
+    kubernetes_pause_image: ${_param:mcp_docker_registry}/mirantis/kubernetes/pause-amd64:v1.13.6-4
     kubernetes_virtlet_image: ${_param:kubernetes_virtlet_repo}/virtlet:v1.5.0
     kubernetes_criproxy_version: v0.14.0
     kubernetes_criproxy_checksum: md5=f0fa669295a156a588f3480c9909e6fd
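Review bot: The bumped `kubernetes_hyperkube_source_hash` is still an `md5=` digest, and the `kubernetes_cniplugins_source_hash` bump in the `@@ -58,17 +58,17 @@` hunk has the same problem. MD5 is not collision resistant, so it guards against a truncated download but gives little assurance about the origin of a binary that runs as root on every node. If the formula passes this value straight to Salt's `source_hash`, a stronger digest can be used without other changes, e.g. `kubernetes_hyperkube_source_hash: sha256=<sha256 of the hyperkube binary>`. The rest of the file follows the md5 convention, so this is best done for all `*_source_hash` entries in one pass.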
@@ -50,7 +50,7 @@
     kubernetes_dnsmasq_image: ${_param:kubernetes_kubedns_repo}/k8s-dns-dnsmasq-amd64:1.14.5
     kubernetes_sidecar_image: ${_param:kubernetes_kubedns_repo}/k8s-dns-sidecar-amd64:1.14.5
     kubernetes_dns_autoscaler_image: ${_param:kubernetes_kubedns_repo}/cluster-proportional-autoscaler-amd64:1.0.0
-    kubernetes_externaldns_image: ${_param:kubernetes_externaldns_repo}/external-dns:v0.5.11-4
+    kubernetes_externaldns_image: ${_param:kubernetes_externaldns_repo}/external-dns:v0.5.14-5
     kubernetes_genie_source: ${_param:kubernetes_genie_repo}/genie_v2.0-1-g209d3c4
     kubernetes_genie_source_hash: md5=fa7a27ecbb9f800c1b705f87c64f6226
     kubernetes_flannel_image: ${_param:kubernetes_flannel_repo}/flannel:v0.10.0-amd64
@@ -58,17 +58,17 @@
     kubernetes_metallb_speaker_image: ${_param:kubernetes_metallb_repo}/speaker:v0.7.3-2
     kubernetes_sriov_source: ${_param:kubernetes_sriov_repo}/sriov_v0.3-9-g3b31f1a
     kubernetes_sriov_source_hash: md5=cd9ea01e80d260218260314447c23b30
-    kubernetes_cniplugins_source: ${_param:kubernetes_cniplugins_repo}/containernetworking-plugins_v0.7.2-173-g8db2808.tar.gz
-    kubernetes_cniplugins_source_hash: md5=1861ab0c880fff58e7e8299e3dad8a0b
+    kubernetes_cniplugins_source: ${_param:kubernetes_cniplugins_repo}/containernetworking-plugins_v0.8.0-7-g70fb96e.tar.gz
+    kubernetes_cniplugins_source_hash: md5=6311ce5044ab76ad7de665f359988854
     kubernetes_dashboard_image: ${_param:kubernetes_dashboard_repo}/kubernetes-dashboard-amd64:v1.10.1-2
     kubernetes_telegraf_image: ${_param:mcp_docker_registry}/openstack-docker/telegraf:2018.8.0
     kubernetes_coredns_image: ${_param:kubernetes_coredns_repo}/coredns:v1.4.0-96
-    kubernetes_ingressnginx_controller_image: ${_param:kubernetes_ingressnginx_repo}/nginx-ingress-controller-amd64:nginx-0.23.0-4
+    kubernetes_ingressnginx_controller_image: ${_param:kubernetes_ingressnginx_repo}/nginx-ingress-controller-amd64:nginx-0.24.1-5
     kubernetes_corends_etcd_operator_image: ${_param:kubernetes_corends_etcd_operator_repo}/etcd-operator:v0.9.3
     kubernetes_containerd_source: ${_param:kubernetes_containerd_repo}/v1.12.0/crictl-v1.12.0-linux-amd64.tar.gz
     kubernetes_containerd_source_hash: md5=ff60b9ddfa5617f7ed14b3f3b6a60056
     # images for formula compatibility
-    kubernetes_hyperkube_image: ${_param:mcp_docker_registry}/mirantis/kubernetes/hyperkube-amd64:v1.13.5-3
+    kubernetes_hyperkube_image: ${_param:mcp_docker_registry}/mirantis/kubernetes/hyperkube-amd64:v1.13.6-4
     kubernetes_calico_cni_image: ${_param:mcp_docker_registry}/mirantis/projectcalico/calico/cni:v3.3.2
     kubernetes_calico_calicoctl_image: ${_param:mcp_docker_registry}/mirantis/projectcalico/calico/ctl:v3.3.2
     kubernetes_containerd_package: containerd=1.2.5-2~u16.04+mcp
@@ -131,7 +131,6 @@
     kubernetes_openstack_provider_binary: ${_param:kubernetes_openstack_provider_repo}/openstack-cloud-controller-manager_v0.3.0-2_1549884015986
     kubernetes_openstack_provider_binary_hash: md5=fd19a97527009aac72de7997744885fb
     kubernetes_openstack_provider_cloud_user: admin
-    kubernetes_openstack_provider_cloud_password: secret
     kubernetes_openstack_provider_cloud_auth_url: http://127.0.0.1:5000/v3
     kubernetes_openstack_provider_cloud_tenant_id: tenant_id
     kubernetes_openstack_provider_cloud_domain_id: default
diff --git a/kubernetes/control/opencontrail.yml b/kubernetes/control/opencontrail.yml
index 75e3b0d..8cdd97c 100644
--- a/kubernetes/control/opencontrail.yml
+++ b/kubernetes/control/opencontrail.yml
@@ -1,12 +1,10 @@
 parameters:
   _param:
     opencontrail_identity_user: admin
-    opencontrail_identity_password: contrail123
     opencontrail_identity_tenant: admin
     opencontrail_public_ip_range: 172.17.47.128/25
     opencontrail_public_ip_network: default-domain:default-project:Public
     opencontrail_private_ip_range: 10.150.0.0/16
-    opencontrail_message_queue_password: guest
   kubernetes:
     pool:
       network:
diff --git a/neutron/compute/cluster.yml b/neutron/compute/cluster.yml
index c8a0922..0766df7 100644
--- a/neutron/compute/cluster.yml
+++ b/neutron/compute/cluster.yml
@@ -14,6 +14,9 @@
         python-pymysql:
           fromrepo: ${_param:openstack_version}
           version: latest
+      kernel:
+        sysctl:
+          fs.inotify.max_user_instances: 4096
   neutron:
     compute:
       dvr: ${_param:neutron_compute_dvr}
diff --git a/nginx/server/proxy/salt_api.yml b/nginx/server/proxy/salt_api.yml
new file mode 100644
index 0000000..f559ef4
--- /dev/null
+++ b/nginx/server/proxy/salt_api.yml
@@ -0,0 +1,28 @@
+parameters:
+  _param:
+    nginx_proxy_salt_api_proxy_port: ${_param:salt_master_api_port}
+    nginx_proxy_ssl:
+      enabled: true
+      authority: ${_param:salt_minion_ca_authority}
+      engine: salt
+      key_file:   /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}.key
+      cert_file:  /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}.crt
+      all_file:   /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}-chain-with-key.pem
+      ca_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}-ca.pem
+  nginx:
+    server:
+      enabled: true
+      site:
+        nginx_proxy_salt_api:
+          enabled: true
+          type: nginx_proxy
+          name: salt_api
+          proxy:
+            host: ${_param:infra_config_hostname}.${_param:cluster_domain}
+            port: ${_param:nginx_proxy_salt_api_proxy_port}
+            protocol: ${_param:nginx_proxy_salt_api_proxy_protocol}
+          host:
+            name: ${_param:infra_config_hostname}.${_param:cluster_domain}
+            port: ${_param:nginx_proxy_salt_api_site_port}
+            protocol: ${_param:nginx_proxy_salt_api_site_protocol}
+          ssl: ${_param:nginx_proxy_ssl}
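Review bot: `nginx_proxy_salt_api_proxy_protocol`, `nginx_proxy_salt_api_site_port` and `nginx_proxy_salt_api_site_protocol` are interpolated in this new class but never defined in it, whereas `nginx_proxy_salt_api_proxy_port` is. Unless they are defined in a class that is always loaded together with this one, the interpolation will not resolve; a header comment such as `# requires nginx_proxy_salt_api_{proxy_protocol,site_port,site_protocol} from <defaults class>` would make the dependency explicit. The same comment should say which values are expected, because `site_protocol` decides whether the `ssl:` block is actually used for the Salt API listener. As a point of style, `key_file:   /srv/...`, `cert_file:  /srv/...` and `all_file:   /srv/...` use alignment padding after the colon while `ca_file: /srv/...` does not; a single space throughout matches the rest of the file.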
diff --git a/nginx/server/proxy/ssl.yml b/nginx/server/proxy/ssl.yml
index 66a1938..fdd95a5 100644
--- a/nginx/server/proxy/ssl.yml
+++ b/nginx/server/proxy/ssl.yml
@@ -8,18 +8,14 @@
       dhparam:
         enabled: True
         numbits: 2048
-      ecdh_curve:
-        secp521r1:
-          name: 'secp521r1'
-          enabled: True
       prefer_server_ciphers: "on"
       protocols:
         TLSv1:
           name: 'TLSv1'
-          enabled: True
+          enabled: False
         TLSv1.1:
           name: 'TLSv1.1'
-          enabled: True
+          enabled: False
         TLSv1.2:
           name: 'TLSv1.2'
           enabled: True
@@ -28,16 +24,16 @@
       ciphers:
         ECDHE-ECDSA-CHACHA20-POLY1305:
           name: 'ECDHE-ECDSA-CHACHA20-POLY1305'
-          enabled: True
+          enabled: False
         ECDHE-RSA-CHACHA20-POLY1305:
           name: 'ECDHE-RSA-CHACHA20-POLY1305'
-          enabled: True
+          enabled: False
         ECDHE-ECDSA-AES128-GCM-SHA256:
           name: 'ECDHE-ECDSA-AES128-GCM-SHA256'
-          enabled: True
+          enabled: False
         ECDHE-RSA-AES128-GCM-SHA256:
           name: 'ECDHE-RSA-AES128-GCM-SHA256'
-          enabled: True
+          enabled: False
         ECDHE-ECDSA-AES256-GCM-SHA384:
           name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
           enabled: True
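Review bot: This hunk turns off the AEAD suites `ECDHE-ECDSA-CHACHA20-POLY1305`, `ECDHE-RSA-CHACHA20-POLY1305` and the AES128-GCM pair, while the next hunk (`@@ -46,76 +42,76 @@`) leaves the CBC-mode suites `ECDHE-RSA-AES256-SHA384` and `ECDHE-ECDSA-AES256-SHA384` at `enabled: True`. With TLSv1.2 as the oldest remaining protocol, the usual hardening order is the reverse: keep the GCM and CHACHA20-POLY1305 suites and drop CBC. If the intent is a 256-bit-only policy, I would state that in a comment above `ciphers:` and still set the two `-SHA384` CBC entries to `enabled: False`, which leaves the AES256-GCM suites as the only ones negotiated. Otherwise re-enable the CHACHA20-POLY1305 entries. The `ciphers:` mapping begins outside this hunk.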
@@ -46,76 +42,76 @@
           enabled: True
         DHE-RSA-AES128-GCM-SHA256:
           name: 'DHE-RSA-AES128-GCM-SHA256'
-          enabled: True
+          enabled: False
         DHE-RSA-AES256-GCM-SHA384:
           name: 'DHE-RSA-AES256-GCM-SHA384'
-          enabled: True
+          enabled: False
         ECDHE-ECDSA-AES128-SHA256:
           name: 'ECDHE-ECDSA-AES128-SHA256'
-          enabled: True
+          enabled: False
         ECDHE-RSA-AES128-SHA256:
           name: 'ECDHE-RSA-AES128-SHA256'
-          enabled: True
+          enabled: False
         ECDHE-ECDSA-AES128-SHA:
           name: 'ECDHE-ECDSA-AES128-SHA'
-          enabled: True
+          enabled: False
         ECDHE-RSA-AES256-SHA384:
           name: 'ECDHE-RSA-AES256-SHA384'
           enabled: True
         ECDHE-RSA-AES128-SHA:
           name: 'ECDHE-RSA-AES128-SHA'
-          enabled: True
+          enabled: False
         ECDHE-ECDSA-AES256-SHA384:
           name: 'ECDHE-ECDSA-AES256-SHA384'
           enabled: True
         ECDHE-ECDSA-AES256-SHA:
           name: 'ECDHE-ECDSA-AES256-SHA'
-          enabled: True
+          enabled: False
         ECDHE-RSA-AES256-SHA:
           name: 'ECDHE-RSA-AES256-SHA'
-          enabled: True
+          enabled: False
         DHE-RSA-AES128-SHA256:
           name: 'DHE-RSA-AES128-SHA256'
-          enabled: True
+          enabled: False
         DHE-RSA-AES128-SHA:
           name: 'DHE-RSA-AES128-SHA'
-          enabled: True
+          enabled: False
         DHE-RSA-AES256-SHA256:
           name: 'DHE-RSA-AES256-SHA256'
-          enabled: True
+          enabled: False
         DHE-RSA-AES256-SHA:
           name: 'DHE-RSA-AES256-SHA'
-          enabled: True
+          enabled: False
         ECDHE-ECDSA-DES-CBC3-SHA:
           name: 'ECDHE-ECDSA-DES-CBC3-SHA'
-          enabled: True
+          enabled: False
         ECDHE-RSA-DES-CBC3-SHA:
           name: 'ECDHE-RSA-DES-CBC3-SHA'
-          enabled: True
+          enabled: False
         EDH-RSA-DES-CBC3-SHA:
           name: 'EDH-RSA-DES-CBC3-SHA'
-          enabled: True
+          enabled: False
         AES128-GCM-SHA256:
           name: 'AES128-GCM-SHA256'
-          enabled: True
+          enabled: False
         AES256-GCM-SHA384:
           name: 'AES256-GCM-SHA384'
-          enabled: True
+          enabled: False
         AES128-SHA256:
           name: 'AES128-SHA256'
-          enabled: True
+          enabled: False
         AES256-SHA256:
           name: 'AES256-SHA256'
-          enabled: True
+          enabled: False
         AES256-SHA:
           name: 'AES256-SHA'
-          enabled: True
+          enabled: False
         AES128-SHA:
           name: 'AES128-SHA'
-          enabled: True
+          enabled: False
         DES-CBC3-SHA:
           name: 'DES-CBC3-SHA'
-          enabled: True
+          enabled: False
         removeDSS:
           name: '!DSS'
-          enabled: True
\ No newline at end of file
+          enabled: True
diff --git a/nova/control/cluster.yml b/nova/control/cluster.yml
index 5533cf9..437f3c1 100644
--- a/nova/control/cluster.yml
+++ b/nova/control/cluster.yml
@@ -13,7 +13,6 @@
     nova_cpu_allocation_ratio: 16.0
     nova_ram_allocation_ratio: 1.5
     nova_disk_allocation_ratio: 1.0
-    metadata_password: metadataPass
   linux:
     system:
       package:
diff --git a/opencontrail/compute/cluster.yml b/opencontrail/compute/cluster.yml
index 7cdcdf6..32153df 100644
--- a/opencontrail/compute/cluster.yml
+++ b/opencontrail/compute/cluster.yml
@@ -4,6 +4,7 @@
 - opencontrail
 parameters:
   _param:
+    opencontrail_version: 3.0
     opencontrail_compute_iface_mask: 24
   opencontrail:
     common:
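Review bot: The added `opencontrail_version: 3.0` is a plain scalar, so a YAML loader reads it as a float rather than the version string it represents. It currently round-trips as `3.0`, but the value is compared and interpolated as text elsewhere (`version: ${_param:opencontrail_version}`), and a later value such as `4.10` would silently become `4.1`. I would quote it, `opencontrail_version: '3.0'`, and do the same for the `4.1` and `3.0` values added in `cluster4_0.yml`, `single.yml` and `single4_0.yml` in this diff.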
@@ -11,25 +12,15 @@
       identity:
         engine: keystone
         host: ${_param:openstack_control_address}
-        port: 35357
+        port: ${_param:opencontrail_identity_port}
         token: ${_param:keystone_service_token}
         password: ${_param:keystone_admin_password}
       network:
-        engine: neutron
         host: ${_param:opencontrail_control_address}
-        port: 9696
     compute:
       version: ${_param:opencontrail_version}
-      disable_flow_collection: true
-      enabled: True
+      disable_flow_collection: True
       bind:
         address: ${_param:single_address}
       discovery:
         host: ${_param:opencontrail_control_address}
-      interface:
-        address: ${_param:opencontrail_compute_address}
-        dev: ${_param:opencontrail_compute_iface}
-        gateway: ${_param:opencontrail_compute_gateway}
-        mask: ${_param:opencontrail_compute_iface_mask}
-        dns: ${_param:opencontrail_compute_dns}
-        mtu: 9000
diff --git a/opencontrail/compute/cluster4_0.yml b/opencontrail/compute/cluster4_0.yml
index 3cb1514..058463d 100644
--- a/opencontrail/compute/cluster4_0.yml
+++ b/opencontrail/compute/cluster4_0.yml
@@ -1,31 +1,24 @@
-classes:
-  - service.opencontrail.compute.cluster
 applications:
 - opencontrail
+classes:
+  - service.opencontrail.compute.cluster
 parameters:
   _param:
+    opencontrail_version: 4.1
     opencontrail_compute_iface_mask: 24
-    opencontrail_version: 4.0
-    linux_repo_contrail_component: oc40
   opencontrail:
     common:
       version: ${_param:opencontrail_version}
       identity:
         engine: keystone
         host: ${_param:openstack_control_address}
-        port: 35357
+        port: ${_param:opencontrail_identity_port}
         token: ${_param:keystone_service_token}
         password: ${_param:opencontrail_admin_password}
       network:
-        engine: neutron
         host: ${_param:openstack_control_address}
-        port: 9696
     compute:
-      version: ${_param:opencontrail_version}
-      disable_flow_collection: true
-      enabled: True
-      bind:
-        address: ${_param:single_address}
+      disable_flow_collection: True
       config:
         members:
         - host: ${_param:opencontrail_control_node01_address}
@@ -41,10 +34,3 @@
         - host: ${_param:opencontrail_control_node01_address}
         - host: ${_param:opencontrail_control_node02_address}
         - host: ${_param:opencontrail_control_node03_address}
-      interface:
-        address: ${_param:opencontrail_compute_address}
-        dev: ${_param:opencontrail_compute_iface}
-        gateway: ${_param:opencontrail_compute_gateway}
-        mask: ${_param:opencontrail_compute_iface_mask}
-        dns: ${_param:opencontrail_compute_dns}
-        mtu: 9000
diff --git a/opencontrail/compute/single.yml b/opencontrail/compute/single.yml
index 65426c8..2211a69 100644
--- a/opencontrail/compute/single.yml
+++ b/opencontrail/compute/single.yml
@@ -1,7 +1,10 @@
 applications:
 - opencontrail
+classes:
+  - service.opencontrail.compute.single
 parameters:
   _param:
+    opencontrail_version: 3.0
     opencontrail_compute_iface_mask: 24
   opencontrail:
     common:
@@ -9,7 +12,7 @@
       identity:
         engine: keystone
         host: ${_param:control_address}
-        port: 35357
+        port: ${_param:opencontrail_identity_port}
         token: ${_param:keystone_service_token}
         password: ${_param:keystone_admin_password}
       network:
@@ -17,17 +20,8 @@
         host: ${_param:control_address}
         port: 9696
     compute:
-      version: ${_param:opencontrail_version}
-      enabled: True
       discovery:
         host: ${_param:control_address}
-      interface:
-        address: ${_param:opencontrail_compute_address}
-        dev: ${_param:opencontrail_compute_iface}
-        gateway: ${_param:opencontrail_compute_gateway}
-        mask: ${_param:opencontrail_compute_iface_mask}
-        dns: ${_param:opencontrail_compute_dns}
-        mtu: 9000
   nova:
     compute:
       network:
diff --git a/opencontrail/compute/single4_0.yml b/opencontrail/compute/single4_0.yml
index b98522d..952827f 100644
--- a/opencontrail/compute/single4_0.yml
+++ b/opencontrail/compute/single4_0.yml
@@ -1,9 +1,11 @@
 applications:
 - opencontrail
+classes:
+  - service.opencontrail.compute.single
 parameters:
   _param:
+    opencontrail_version: 4.1
     opencontrail_compute_iface_mask: 24
-    opencontrail_version: 4.0
     linux_repo_contrail_component: oc40
   opencontrail:
     common:
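Review bot: After this hunk the context line `linux_repo_contrail_component: oc40` sits next to the new `opencontrail_version: 4.1`, while the matching hunk for `cluster4_0.yml` removes that same `oc40` line. The two 4.x compute classes therefore disagree on whether the repo component is pinned here or inherited. If the component is now meant to come from the defaults introduced elsewhere in this merge, this line should be deleted here too. If the pin is intentional, add a comment saying why, e.g. `# single-node 4.1 deployments still pull from the oc40 component`. The consumers of `linux_repo_contrail_component` are not visible in this hunk, so the effect of the mismatch is inferred.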
@@ -11,7 +13,7 @@
       identity:
         engine: keystone
         host: ${_param:control_address}
-        port: 35357
+        port: ${_param:opencontrail_identity_port}
         token: ${_param:keystone_service_token}
         password: ${_param:opencontrail_admin_password}
       network:
@@ -19,8 +21,6 @@
         host: ${_param:control_address}
         port: 9696
     compute:
-      version: ${_param:opencontrail_version}
-      enabled: True
       config:
         members:
         - host: ${_param:opencontrail_control_node01_address}
@@ -31,11 +31,3 @@
         - host: ${_param:opencontrail_analytics_node01_address}
         - host: ${_param:opencontrail_analytics_node02_address}
         - host: ${_param:opencontrail_analytics_node03_address}
-      interface:
-        address: ${_param:opencontrail_compute_address}
-        dev: ${_param:opencontrail_compute_iface}
-        gateway: ${_param:opencontrail_compute_gateway}
-        mask: ${_param:opencontrail_compute_iface_mask}
-        dns: ${_param:opencontrail_compute_dns}
-        mtu: 9000
-
diff --git a/opencontrail/control/analytics4_0.yml b/opencontrail/control/analytics4_0.yml
index eb29ead..19fefcc 100644
--- a/opencontrail/control/analytics4_0.yml
+++ b/opencontrail/control/analytics4_0.yml
@@ -18,7 +18,6 @@
     opencontrail_message_queue_node02_address: ${_param:openstack_message_queue_node02_address}
     opencontrail_message_queue_node03_address: ${_param:openstack_message_queue_node03_address}
     opencontrail_message_queue_address: ${_param:openstack_message_queue_address}
-    opencontrail_message_queue_password: guest
     opencontrail_analytics_image: ${_param:mcp_docker_registry}/opencontrail-${_param:linux_repo_contrail_component}/opencontrail-analytics:${_param:opencontrail_docker_image_tag}
     opencontrail_analyticsdb_image: ${_param:mcp_docker_registry}/opencontrail-${_param:linux_repo_contrail_component}/opencontrail-analyticsdb:${_param:opencontrail_docker_image_tag}
     opencontrail_analytics_container_name: opencontrail_analytics_1
@@ -92,6 +91,7 @@
               volumes:
                 - /etc/contrail:/etc/contrail
                 - /etc/redis/redis.conf:/etc/redis/redis.conf
+                - /var/crashes:/var/crashes
                 - /var/log/contrail:/var/log/contrail
                 - /var/log/journal/contrail-analytics:/var/log/journal
               env_file:
diff --git a/opencontrail/control/cluster4_0.yml b/opencontrail/control/cluster4_0.yml
index 64cbf14..6859b9c 100644
--- a/opencontrail/control/cluster4_0.yml
+++ b/opencontrail/control/cluster4_0.yml
@@ -19,7 +19,6 @@
     opencontrail_message_queue_node02_address: ${_param:openstack_control_node02_address}
     opencontrail_message_queue_node03_address: ${_param:openstack_control_node03_address}
     opencontrail_message_queue_address: ${_param:openstack_control_address}
-    opencontrail_message_queue_password: guest
     opencontrail_analytics_image: ${_param:mcp_docker_registry}/opencontrail-${_param:linux_repo_contrail_component}/opencontrail-analytics:${_param:opencontrail_docker_image_tag}
     opencontrail_analyticsdb_image: ${_param:mcp_docker_registry}/opencontrail-${_param:linux_repo_contrail_component}/opencontrail-analyticsdb:${_param:opencontrail_docker_image_tag}
     opencontrail_controller_image: ${_param:mcp_docker_registry}/opencontrail-${_param:linux_repo_contrail_component}/opencontrail-controller:${_param:opencontrail_docker_image_tag}
diff --git a/opencontrail/control/cluster4_0_k8s.yml b/opencontrail/control/cluster4_0_k8s.yml
index f5f34c1..77c036d 100644
--- a/opencontrail/control/cluster4_0_k8s.yml
+++ b/opencontrail/control/cluster4_0_k8s.yml
@@ -13,7 +13,6 @@
     opencontrail_message_queue_node02_address: ${_param:openstack_control_node02_address}
     opencontrail_message_queue_node03_address: ${_param:openstack_control_node03_address}
     opencontrail_message_queue_address: ${_param:openstack_control_address}
-    opencontrail_message_queue_password: guest
     opencontrail_analytics_image: ${_param:mcp_docker_registry}/opencontrail-${_param:linux_repo_contrail_component}/opencontrail-analytics:${_param:opencontrail_docker_image_tag}
     opencontrail_analyticsdb_image: ${_param:mcp_docker_registry}/opencontrail-${_param:linux_repo_contrail_component}/opencontrail-analyticsdb:${_param:opencontrail_docker_image_tag}
     opencontrail_controller_image: ${_param:mcp_docker_registry}/opencontrail-${_param:linux_repo_contrail_component}/opencontrail-controller:${_param:opencontrail_docker_image_tag}
diff --git a/opencontrail/control/control4_0.yml b/opencontrail/control/control4_0.yml
index fe63ec1..bc37f8e 100644
--- a/opencontrail/control/control4_0.yml
+++ b/opencontrail/control/control4_0.yml
@@ -13,7 +13,6 @@
     opencontrail_message_queue_node01_address: ${_param:openstack_message_queue_node01_address}
     opencontrail_message_queue_node02_address: ${_param:openstack_message_queue_node02_address}
     opencontrail_message_queue_node03_address: ${_param:openstack_message_queue_node03_address}
-    opencontrail_message_queue_password: guest
     opencontrail_controller_image: ${_param:mcp_docker_registry}/opencontrail-${_param:linux_repo_contrail_component}/opencontrail-controller:${_param:opencontrail_docker_image_tag}
     opencontrail_controller_container_name: opencontrail_controller_1
     opencontrail_api_workers_count: 6
diff --git a/opencontrail/control/single4_0.yml b/opencontrail/control/single4_0.yml
index d0573e9..89768d3 100644
--- a/opencontrail/control/single4_0.yml
+++ b/opencontrail/control/single4_0.yml
@@ -15,7 +15,6 @@
     opencontrail_controller_container_name: opencontrail_controller_1
     opencontrail_analytics_container_name: opencontrail_analytics_1
     opencontrail_analyticsdb_container_name: opencontrail_analyticsdb_1
-    opencontrail_message_queue_password: guest
 # Temprorary fix for MOS9 packages to pin old version of kafka
   linux:
     system:
diff --git a/openssh/server/single.yml b/openssh/server/single.yml
index b6055aa..0288a21 100644
--- a/openssh/server/single.yml
+++ b/openssh/server/single.yml
@@ -1,3 +1,37 @@
 classes:
 - service.openssh.server
 - service.openssh.server.cis
+# TODO: Uncomment service.openssh.server.sshd-strong-ciphers
+# when package with https://gerrit.mcp.mirantis.com/#/c/36220/
+# will be published.
+#- service.openssh.server.sshd-strong-ciphers
+# TODO: Remove parameters:openssh:server:ciphers completely
+# when package with https://gerrit.mcp.mirantis.com/#/c/36220/
+# will be published.
+parameters:
+  openssh:
+    server:
+      ciphers:
+        "3des-cbc":
+          enabled: True
+        "aes128-cbc":
+          enabled: True
+        "aes192-cbc":
+          enabled: True
+        "aes256-cbc":
+          enabled: True
+        "aes128-ctr":
+          enabled: True
+        "aes192-ctr":
+          enabled: True
+        "aes256-ctr":
+          enabled: True
+        "aes128-gcm@openssh.com":
+          enabled: True
+        "aes256-gcm@openssh.com":
+          enabled: True
+        "chacha20-poly1305@openssh.com":
+          enabled: True
+        "rijndael-cbc@lysator.liu.se":
+          enabled: True
+
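Review bot: The temporary cipher map sets `3des-cbc`, `aes128-cbc`, `aes192-cbc`, `aes256-cbc` and `rijndael-cbc@lysator.liu.se` to `enabled: True`, so every node including this class will advertise CBC and 3DES ciphers until the TODO is resolved. If the formula honours `enabled: False` in this map, the interim state can already be restricted to the `-ctr`, `-gcm@openssh.com` and `chacha20-poly1305@openssh.com` entries by flipping those five values. If the full list is needed only to stay compatible with the currently published package, say so in the TODO, for example `# all ciphers listed to match current package defaults; weak CBC/3DES entries go away with sshd-strong-ciphers`. The trailing blank `+` line at the end of the hunk can be dropped.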
diff --git a/postgresql/client/init.yml b/postgresql/client/init.yml
index 95fdcdb..1775654 100644
--- a/postgresql/client/init.yml
+++ b/postgresql/client/init.yml
@@ -1,7 +1,6 @@
 parameters:
   _param:
     postgresql_client_user: none
-    postgresql_client_password: none
     postgresql_client_host: ${_param:control_vip_address}
     postgresql_client_port: 5432
   postgresql:
diff --git a/postgresql/client/pushkin/alertmanager.yml b/postgresql/client/pushkin/alertmanager.yml
index 8e413da..bf01013 100644
--- a/postgresql/client/pushkin/alertmanager.yml
+++ b/postgresql/client/pushkin/alertmanager.yml
@@ -4,7 +4,6 @@
   _param:
     alertmanager_db_host: ${_param:haproxy_postgresql_bind_host}
     alertmanager_db_user: alertmanager
-    alertmanager_db_user_password: alertmanager
     webhook_login_id: 13
     webhook_application_id: 24
   postgresql:
diff --git a/postgresql/client/pushkin/init.yml b/postgresql/client/pushkin/init.yml
index 5677646..26f8abe 100644
--- a/postgresql/client/pushkin/init.yml
+++ b/postgresql/client/pushkin/init.yml
@@ -4,7 +4,6 @@
   _param:
     pushkin_db_host: ${_param:haproxy_postgresql_bind_host}
     pushkin_db_user: pushkin
-    pushkin_db_user_password: pushkin
   postgresql:
     client:
       server:
diff --git a/postgresql/client/pushkin/janitor_monkey.yml b/postgresql/client/pushkin/janitor_monkey.yml
index b56d098..78a3b27 100644
--- a/postgresql/client/pushkin/janitor_monkey.yml
+++ b/postgresql/client/pushkin/janitor_monkey.yml
@@ -4,7 +4,6 @@
   _param:
     janmonkey_db_host: ${_param:haproxy_postgresql_bind_host}
     janmonkey_db_user: janmonkey
-    janmonkey_db_user_password: janmonkey
     janmonkey_login_id: 12
     janmonkey_application_id: 2
   postgresql:
diff --git a/postgresql/client/pushkin/security_monkey.yml b/postgresql/client/pushkin/security_monkey.yml
index 18154cd..1ebf4f4 100644
--- a/postgresql/client/pushkin/security_monkey.yml
+++ b/postgresql/client/pushkin/security_monkey.yml
@@ -4,7 +4,6 @@
   _param:
     secmonkey_db_host: ${_param:haproxy_postgresql_bind_host}
     secmonkey_db_user: secmonkey
-    secmonkey_db_user_password: secmonkey
   postgresql:
     client:
       server:
diff --git a/postgresql/client/pushkin/sfdc.yml b/postgresql/client/pushkin/sfdc.yml
index 57af7fe..cfb1236 100644
--- a/postgresql/client/pushkin/sfdc.yml
+++ b/postgresql/client/pushkin/sfdc.yml
@@ -4,7 +4,6 @@
   _param:
     sfdc_db_host: ${_param:haproxy_postgresql_bind_host}
     sfdc_db_user: sfdc
-    sfdc_db_user_password: sfdc
     sfdc_login_id: 14
     sfdc_application_id: 4
   postgresql:
diff --git a/postgresql/client/rundeck.yml b/postgresql/client/rundeck.yml
index 0c1102d..d4cd256 100644
--- a/postgresql/client/rundeck.yml
+++ b/postgresql/client/rundeck.yml
@@ -4,7 +4,6 @@
   _param:
     rundeck_db_host: ${_param:haproxy_postgresql_bind_host}
     rundeck_db_user: rundeck
-    rundeck_db_user_password: password
   postgresql:
     client:
       server:
diff --git a/postgresql/client/security_monkey.yml b/postgresql/client/security_monkey.yml
index ab7a4c8..5693d6c 100644
--- a/postgresql/client/security_monkey.yml
+++ b/postgresql/client/security_monkey.yml
@@ -4,7 +4,6 @@
   _param:
     secmonkey_db_host: ${_param:haproxy_postgresql_bind_host}
     secmonkey_db_user: secmonkey
-    secmonkey_db_user_password: secmonkey
   postgresql:
     client:
       server:
diff --git a/prometheus/elasticsearch_exporter/queries/compute.yml b/prometheus/elasticsearch_exporter/queries/compute.yml
index 66904da..d4bd84f 100644
--- a/prometheus/elasticsearch_exporter/queries/compute.yml
+++ b/prometheus/elasticsearch_exporter/queries/compute.yml
@@ -7,29 +7,16 @@
           #   - compute_instance_event_doc_count{event="example"}
           #   - compute_instance_event_sum_other_doc_count
           #   - compute_instance_event_doc_count_error_upper_bound
-          #   - compute_instance_event_host_doc_count{host="example01",event="example"}
-          #   - compute_instance_event_host_sum_other_doc_count{event="example"}
-          #   - compute_instance_event_host_doc_count_error_upper_bound{event="example"}
           #
           indices: '<notification-{now/d}>'
           interval: 600
           json: |
             {
               "size": 0,
-              "query": {
-                "match_all": {}
-              },
               "aggs": {
                 "event": {
                   "terms": {
                     "field": "event_type.keyword"
-                  },
-                  "aggs": {
-                    "host": {
-                      "terms": {
-                        "field": "Hostname.keyword"
-                      }
-                    }
                   }
                 }
               }
@@ -37,9 +24,9 @@
 
         compute_instance_create_start:
           # Produces metrics:
-          #   - compute_instance_create_start_host_doc_count{host="example01"}
-          #   - compute_instance_create_start_host_event_sum_other_doc_count
-          #   - compute_instance_create_start_host_doc_count_error_upper_bound
+          #   - compute_instance_create_start_event_doc_count
+          #   - compute_instance_create_start_event_sum_other_doc_count
+          #   - compute_instance_create_start_event_doc_count_error_upper_bound
           #   - compute_instance_create_start_hits
           #   - compute_instance_create_start_took_milliseconds
           #
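Review bot: The updated `Produces metrics` comment still lists `compute_instance_create_start_event_sum_other_doc_count` and `compute_instance_create_start_event_doc_count_error_upper_bound`, but those fields come from a `terms` aggregation. The next hunk switches this query to a `filter` aggregation, which as far as I know returns only `doc_count`. I would reduce the list to `#   - compute_instance_create_start_event_doc_count` plus the existing `_hits` and `_took_milliseconds` lines, so nobody builds alerts on series that never appear. The same applies to the comment blocks for `compute_instance_create_end` and `compute_instance_create_error` in the later hunks.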
@@ -48,15 +35,12 @@
           json: |
             {
               "size": 0,
-              "query": {
-                "term": {
-                  "event_type": "compute.instance.create.start"
-                }
-              },
               "aggs": {
-                "host": {
-                  "terms": {
-                    "field": "Hostname.keyword"
+                "event": {
+                  "filter": {
+                    "term": {
+                      "event_type.keyword": "compute.instance.create.start"
+                    }
                   }
                 }
               }
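Review bot: Dropping the top-level `query` means the search matches every document in the index, so `compute_instance_create_start_hits` would now report the total notification count rather than the number of `create.start` events. Only `compute_instance_create_start_event_doc_count` stays scoped, through the `filter` aggregation. If any rule or dashboard reads `_hits`, it should move to `_event_doc_count`, and the metrics comment could say `#   - compute_instance_create_start_hits (all documents in the index)`. The `create_end` and `create_error` hunks below change the meaning of their `_hits` series in the same way. Whether anything consumes `_hits` is not visible in this diff.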
@@ -64,9 +48,9 @@
 
         compute_instance_create_end:
           # Produces metrics:
-          #   - compute_instance_create_end_host_doc_count{host="example01"}
-          #   - compute_instance_create_end_host_event_sum_other_doc_count
-          #   - compute_instance_create_end_host_doc_count_error_upper_bound
+          #   - compute_instance_create_end_event_doc_count
+          #   - compute_instance_create_end_event_sum_other_doc_count
+          #   - compute_instance_create_end_event_doc_count_error_upper_bound
           #   - compute_instance_create_end_hits
           #   - compute_instance_create_end_took_milliseconds
           #
@@ -75,15 +59,12 @@
           json: |
             {
               "size": 0,
-              "query": {
-                "term": {
-                  "event_type": "compute.instance.create.end"
-                }
-              },
               "aggs": {
-                "host": {
-                  "terms": {
-                    "field": "Hostname.keyword"
+                "event": {
+                  "filter": {
+                    "term": {
+                      "event_type.keyword": "compute.instance.create.end"
+                    }
                   }
                 }
               }
@@ -91,9 +72,9 @@
 
         compute_instance_create_error:
           # Produces metrics:
-          #   - compute_instance_create_error_host_doc_count{host="example01"}
-          #   - compute_instance_create_error_host_event_sum_other_doc_count
-          #   - compute_instance_create_error_host_doc_count_error_upper_bound
+          #   - compute_instance_create_error_event_doc_count
+          #   - compute_instance_create_error_event_sum_other_doc_count
+          #   - compute_instance_create_error_event_doc_count_error_upper_bound
           #   - compute_instance_create_error_hits
           #   - compute_instance_create_error_took_milliseconds
           #
@@ -102,17 +83,13 @@
           json: |
             {
               "size": 0,
-              "query": {
-                "term": {
-                  "event_type": "compute.instance.create.error"
-                }
-              },
               "aggs": {
-                "host": {
-                  "terms": {
-                    "field": "Hostname.keyword"
+                "event": {
+                  "filter": {
+                    "term": {
+                      "event_type.keyword": "compute.instance.create.error"
+                    }
                   }
                 }
               }
             }
-
diff --git a/prometheus/gainsight/query/openstack.yml b/prometheus/gainsight/query/openstack.yml
index 40a804b..0e7aab6 100644
--- a/prometheus/gainsight/query/openstack.yml
+++ b/prometheus/gainsight/query/openstack.yml
@@ -16,3 +16,10 @@
         keystone_api: "'Keystone API','avg(avg_over_time(openstack_api_check_status{name=\"keystone\"}[24h]))'"
         glance_api: "'Glance API','avg(avg_over_time(openstack_api_check_status{name=\"glance\"}[24h]))'"
         neutron_api: "'Neutron API','avg(avg_over_time(openstack_api_check_status{name=\"neutron\"}[24h]))'"
+        nova_vm_all: "'Total VM number','avg_over_time(total:openstack_nova_instance_all[1d])'"
+        nova_vm_failed: "'Failed VM number','avg_over_time(total:openstack_nova_instance_failed[1d])'"
+        kpi_downtime: "'KPI Downtime','1 - avg_over_time(total:openstack_nova_instance_failed[1d]) / avg_over_time(total:openstack_nova_instance_all[1d])'"
+        compute_instance_create_start: "'VM creation start','sum(compute_instance_create_start_event_doc_count)'"
+        compute_instance_create_end: "'VM creation end','sum(compute_instance_create_end_event_doc_count)'"
+        compute_instance_create_error: "'VM creation error','sum(compute_instance_create_error_event_doc_count)'"
+
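Review bot: `kpi_downtime` evaluates `1 - failed / all`, which is the share of instances that did not fail, so the label `'KPI Downtime'` reads as inverted unless the KPI is defined that way. A comment above the entry stating the intended meaning would settle it, e.g. `# fraction of instances not in failed state over the last day`. The division also yields NaN when `total:openstack_nova_instance_all` averages to 0 over the window, and how the Gainsight exporter handles a NaN sample is not visible here.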
diff --git a/rabbitmq/server/cluster.yml b/rabbitmq/server/cluster.yml
index c9de9a8..2971795 100644
--- a/rabbitmq/server/cluster.yml
+++ b/rabbitmq/server/cluster.yml
@@ -1,4 +1,5 @@
 classes:
 - service.rabbitmq.server.cluster
 - service.keepalived.cluster.single
-- service.haproxy.proxy.single
\ No newline at end of file
+- service.haproxy.proxy.single
+- system.rabbitmq.upgrade
diff --git a/rabbitmq/server/single.yml b/rabbitmq/server/single.yml
index 6183f81..9982957 100644
--- a/rabbitmq/server/single.yml
+++ b/rabbitmq/server/single.yml
@@ -1,2 +1,3 @@
 classes:
 - service.rabbitmq.server.single
+- system.rabbitmq.upgrade
diff --git a/rabbitmq/server/vhost/catalog.yml b/rabbitmq/server/vhost/catalog.yml
index 23cb0f2..cd4b0cb 100644
--- a/rabbitmq/server/vhost/catalog.yml
+++ b/rabbitmq/server/vhost/catalog.yml
@@ -12,7 +12,7 @@
             definition: '{"ha-mode": "all", "message-ttl": 120000}'
       admin:
         name: admin
-        password: zeQuooQu47eed8esahpie2Lai8En9ohp
+        password: ${_param:rabbitmq_guest_password}
       bind:
         address: ${_param:single_address}
       management:
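Review bot: The `admin` user now takes `${_param:rabbitmq_guest_password}`, the same parameter the `guest` user receives in `rabbitmq/server/vhost/opencontrail.yml` and `rabbitmq/server/vhost/openstack/init.yml`. Wherever these classes are combined, the administrative and guest accounts would share one secret. A dedicated parameter would keep them apart, for example `password: ${_param:rabbitmq_admin_password}`, provided the cluster model defines it. The removed literal stays in repository history, so deployments built with it need the password rotated on the broker, not only changed in the model.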
diff --git a/rabbitmq/server/vhost/opencontrail.yml b/rabbitmq/server/vhost/opencontrail.yml
index 8f88cee..c29f7c8 100644
--- a/rabbitmq/server/vhost/opencontrail.yml
+++ b/rabbitmq/server/vhost/opencontrail.yml
@@ -5,7 +5,7 @@
         '/':
           enabled: true
           user: guest
-          password: guest
+          password: ${_param:rabbitmq_guest_password}
           policies:
           - name: HA
             pattern: '^(?!amq\.).*'
diff --git a/rabbitmq/server/vhost/openstack/init.yml b/rabbitmq/server/vhost/openstack/init.yml
index 50b0814..5b440e7 100644
--- a/rabbitmq/server/vhost/openstack/init.yml
+++ b/rabbitmq/server/vhost/openstack/init.yml
@@ -8,7 +8,7 @@
         '/':
           enabled: true
           user: guest
-          password: guest
+          password: ${_param:rabbitmq_guest_password}
           policies:
           - name: HA
             pattern: '^(?!amq\.).*'
diff --git a/rabbitmq/upgrade/init.yml b/rabbitmq/upgrade/init.yml
new file mode 100644
index 0000000..3a75137
--- /dev/null
+++ b/rabbitmq/upgrade/init.yml
@@ -0,0 +1,4 @@
+parameters:
+  rabbitmq:
+    upgrade:
+      enabled: ${_param:rabbitmq_upgrade_enabled}
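Review bot: `enabled` references `${_param:rabbitmq_upgrade_enabled}`, but this new class sets no default for it, while `rabbitmq/server/cluster.yml` and `rabbitmq/server/single.yml` now include `system.rabbitmq.upgrade` unconditionally. Unless the parameter is defined elsewhere (not visible in this part of the diff), models that inherit those classes would presumably fail to interpolate. Adding a `_param:` block with `rabbitmq_upgrade_enabled: false` to this file would keep existing models rendering and make the upgrade an explicit opt-in.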
diff --git a/salt/control/placement/openstack/golden.yml b/salt/control/placement/openstack/golden.yml
index 03abda5..1212a42 100644
--- a/salt/control/placement/openstack/golden.yml
+++ b/salt/control/placement/openstack/golden.yml
@@ -31,7 +31,7 @@
     openstack_proxy_backend_image: ${_param:salt_control_xenial_image_backend}
     openstack_barbican_backend_image: ${_param:salt_control_xenial_image_backend}
     openstack_dns_backend_image: ${_param:salt_control_xenial_image_backend}
-    openstack_telemetry_backend_image: ${_param:salt_control_trusty_image_backend}
+    openstack_telemetry_backend_image: ${_param:salt_control_xenial_image_backend}
     salt_control_cluster_node_cloud_init_openstack_control:
       user_data:
         write_files:
@@ -74,6 +74,13 @@
             ${salt:control:size:openstack.dns:image_layout}
           owner: root:root
           path: /usr/share/growlvm/image-layout.yml
+    salt_control_cluster_node_cloud_init_openstack_telemetry:
+      user_data:
+        write_files:
+        - content: |
+            ${salt:control:size:openstack.telemetry:image_layout}
+          owner: root:root
+          path: /usr/share/growlvm/image-layout.yml
   salt:
     control:
       cluster:
@@ -194,21 +201,21 @@
             mdb01:
               name: ${_param:openstack_telemetry_node01_hostname}
               provider: ${_param:infra_kvm_node04_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_telemetry_backend_image}
               size: openstack.telemetry
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_telemetry}
             mdb02:
               name: ${_param:openstack_telemetry_node02_hostname}
               provider: ${_param:infra_kvm_node05_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_telemetry_backend_image}
               size: openstack.telemetry
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_telemetry}
             mdb03:
               name: ${_param:openstack_telemetry_node03_hostname}
               provider: ${_param:infra_kvm_node06_hostname}.${_param:cluster_domain}
-              image: ${_param:salt_control_trusty_image}
+              image: ${_param:salt_control_xenial_image}
               backend: ${_param:openstack_telemetry_backend_image}
               size: openstack.telemetry
               cloud_init: ${_param:salt_control_cluster_node_cloud_init_openstack_telemetry}
diff --git a/salt/master/api.yml b/salt/master/api.yml
index b5ede2f..4ed3112 100644
--- a/salt/master/api.yml
+++ b/salt/master/api.yml
@@ -1,3 +1,9 @@
+classes:
+# Enabled ssl api by default
+- system.salt.minion.cert.salt_api
+- system.nginx.server.single
+- system.nginx.server.proxy.ssl
+- system.nginx.server.proxy.salt_api
 parameters:
   _param:
     salt_master_api_port: 6969
@@ -11,7 +17,7 @@
     api:
       enabled: true
       bind:
-        address: 0.0.0.0
+        address: ${_param:salt_master_api_bind_address}
         port: ${_param:salt_master_api_port}
     master:
       command_timeout: 600
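Review bot: Replacing `0.0.0.0` with `${_param:salt_master_api_bind_address}` narrows exposure only if that parameter resolves to a loopback or management address, and the part of the `_param` block visible in this file's first hunk sets no default for it. With the nginx TLS proxy classes now included by default, I would expect the API listener to be reachable only through the proxy, e.g. `salt_master_api_bind_address: 127.0.0.1` next to `salt_master_api_port`, with a comment such as `# salt-api listens locally; nginx terminates TLS for remote clients`. If the default lives elsewhere and is still a wildcard address, clients can reach port 6969 directly and bypass the proxy. The `salt:` block continues outside this hunk.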
diff --git a/salt/minion/cert/ceph/rgw.yml b/salt/minion/cert/ceph/rgw.yml
new file mode 100644
index 0000000..23b0414
--- /dev/null
+++ b/salt/minion/cert/ceph/rgw.yml
@@ -0,0 +1,17 @@
+parameters:
+  _param:
+    ceph_rgw_cert_key_file: "/etc/ssl/private/ceph_rgw_key.key"
+    ceph_rgw_cert_cert_file: "/etc/ssl/certs/ceph_rgw.crt"
+    ceph_rgw_cert_all_file: "/etc/ssl/certs/ceph_rgw_all.crt"
+  salt:
+    minion:
+      cert:
+        ceph:
+          host: ${_param:salt_minion_ca_host}
+          signing_policy: cert_server
+          authority: ${_param:salt_minion_ca_authority}
+          common_name: ceph_rgw
+          alternative_names: DNS:${_param:ceph_rgw_hostname}.${_param:cluster_domain},IP:${_param:cluster_vip_address}
+          key_file: ${_param:ceph_rgw_cert_key_file}
+          cert_file: ${_param:ceph_rgw_cert_cert_file}
+          all_file: ${_param:ceph_rgw_cert_all_file}
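Review bot: The private key goes to `/etc/ssl/private`, but `all_file` is written to `/etc/ssl/certs/ceph_rgw_all.crt`, and this entry sets no `mode`, unlike the other certificate classes added in this diff. If `all_file` bundles the key with the certificate (the `salt_api` class names its `all_file` `...-chain-with-key.pem`, which suggests it does), key material would land in a directory that is normally world-readable. I would place the bundle next to the key, e.g. `ceph_rgw_cert_all_file: "/etc/ssl/private/ceph_rgw_all.pem"`, and add an explicit restrictive `mode` once the formula's handling is confirmed. The entry is also keyed `ceph` although the file and `common_name` say `ceph_rgw`, so a more specific key would avoid colliding with another `ceph` certificate definition.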
diff --git a/salt/minion/cert/elasticsearch.yml b/salt/minion/cert/elasticsearch.yml
new file mode 100644
index 0000000..0ac232d
--- /dev/null
+++ b/salt/minion/cert/elasticsearch.yml
@@ -0,0 +1,16 @@
+parameters:
+  salt:
+    minion:
+      cert:
+        elasticsearch:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          common_name: elasticsearch
+          signing_policy: cert_server
+          alternative_names: IP:127.0.0.1,IP:${_param:single_address},IP:${_param:stacklight_log_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+          key_file: /etc/elasticsearch/elasticsearch.key
+          cert_file: /etc/elasticsearch/elasticsearch.crt
+          ca_file: /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem
+          all_file: /etc/elasticsearch/elasticsearch.pem
+          mode: '0444'
+          enabled: true
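Review bot: `mode: '0444'` sits beside `key_file` and `all_file`, so if the formula applies `mode` to every generated file, the Elasticsearch private key and the combined PEM become readable by every local user. The same pattern appears in `salt/minion/cert/fluentd_prometheus.yml` and `salt/minion/cert/telegraf_agent.yml` (`'0444'`) and in `salt/minion/cert/salt_api.yml` (`'0644'`). I would use a mode without world-read, such as `mode: '0440'`, with ownership arranged so the service can still read the key. Alternatively, confirm in the salt formula that `mode` covers only the certificate, since how it is applied is not visible in this diff.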
diff --git a/salt/minion/cert/fluentd_prometheus.yml b/salt/minion/cert/fluentd_prometheus.yml
new file mode 100644
index 0000000..d7f4469
--- /dev/null
+++ b/salt/minion/cert/fluentd_prometheus.yml
@@ -0,0 +1,14 @@
+parameters:
+  salt:
+    minion:
+      cert:
+        fluentd_prometheus:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          common_name: fluentd_prometheus
+          signing_policy: cert_server
+          alternative_names: IP:127.0.0.1,IP:${_param:single_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+          key_file: ${fluentd:agent:dir:config}/fluentd-prometheus.key
+          cert_file: ${fluentd:agent:dir:config}/fluentd-prometheus.crt
+          mode: '0444'
+          enabled: true
diff --git a/salt/minion/cert/salt_api.yml b/salt/minion/cert/salt_api.yml
index acd9bba..71441b1 100644
--- a/salt/minion/cert/salt_api.yml
+++ b/salt/minion/cert/salt_api.yml
@@ -3,9 +3,20 @@
     minion:
       cert:
         salt_api:
+          common_name: salt_api
           host: ${_param:salt_minion_ca_host}
           authority: ${_param:salt_minion_ca_authority}
-          common_name: salt_api
+          key_file:   /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}.key
+          cert_file:  /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}.crt
+          all_file:   /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}-chain-with-key.pem
+          ca_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}-ca.pem
           signing_policy: cert_server
-          alternative_names: IP:${_param:salt_master_host},IP:127.0.0.1,DNS:${_param:infra_config_hostname}.${_param:cluster_domain}
+          alternative_names: >
+            IP:${_param:salt_master_host},
+            IP:127.0.0.1,
+            IP:${_param:infra_config_address},
+            DNS:${_param:salt_master_host},
+            DNS:127.0.0.1,
+            DNS:${_param:infra_config_address},
+            DNS:${_param:infra_config_hostname}.${_param:cluster_domain}
           mode: '0644'
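Review bot: Switching `alternative_names` to a folded `>` scalar changes the rendered value: the lines are joined with spaces (`IP:..., IP:127.0.0.1, ...`) and a trailing newline is kept, whereas the old value was one comma-separated string without whitespace. `alternative_names: >-` would drop the newline, and it is worth checking that the signing path accepts spaces after the commas. The list also adds `DNS:127.0.0.1`, `DNS:${_param:salt_master_host}` and `DNS:${_param:infra_config_address}`, which look like IP addresses placed in DNS-type entries. A comment naming the client that needs them would help, since each extra name widens what the certificate is valid for.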
diff --git a/salt/minion/cert/telegraf_agent.yml b/salt/minion/cert/telegraf_agent.yml
new file mode 100644
index 0000000..d54520c
--- /dev/null
+++ b/salt/minion/cert/telegraf_agent.yml
@@ -0,0 +1,14 @@
+parameters:
+  salt:
+    minion:
+      cert:
+        telegraf_agent:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          common_name: telegraf_agent
+          signing_policy: cert_server
+          alternative_names: IP:127.0.0.1,IP:${_param:single_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+          key_file: ${telegraf:agent:dir:config}/telegraf-agent.key
+          cert_file: ${telegraf:agent:dir:config}/telegraf-agent.crt
+          mode: '0444'
+          enabled: true
diff --git a/sensu/server/cluster.yml b/sensu/server/cluster.yml
index 5c8fe85..7f17a2c 100644
--- a/sensu/server/cluster.yml
+++ b/sensu/server/cluster.yml
@@ -6,10 +6,6 @@
 - service.sensu.server.single
 parameters:
   _param:
-    rabbitmq_secret_key: secret
-    rabbitmq_admin_password: password
-    rabbitmq_cold_password: password
-    rabbitmq_monitor_password: password
     sensu_message_queue_host: ${_param:cluster_vip_address}
     cluster_redis_port: 6379
   sensu:
diff --git a/sensu/server/dashboard.yml b/sensu/server/dashboard.yml
index 7cabe2b..98f480f 100644
--- a/sensu/server/dashboard.yml
+++ b/sensu/server/dashboard.yml
@@ -5,7 +5,6 @@
 - service.sensu.server.single
 parameters:
   _param:
-    rabbitmq_monitor_password: password
     sensu_message_queue_host: 127.0.0.1
   sensu:
     dashboard:
diff --git a/sensu/server/single.yml b/sensu/server/single.yml
index 806b9ef..e3c4df9 100644
--- a/sensu/server/single.yml
+++ b/sensu/server/single.yml
@@ -4,5 +4,4 @@
 - service.sensu.server.single
 parameters:
   _param:
-    rabbitmq_monitor_password: password
     sensu_message_queue_host: 127.0.0.1
diff --git a/telegraf/agent/output/prometheus_client_ssl.yml b/telegraf/agent/output/prometheus_client_ssl.yml
new file mode 100644
index 0000000..f59335f
--- /dev/null
+++ b/telegraf/agent/output/prometheus_client_ssl.yml
@@ -0,0 +1,10 @@
+parameters:
+  telegraf:
+    agent:
+      output:
+        prometheus_client:
+          scheme: https
+          tls_cert: ${telegraf:agent:dir:config}/telegraf-agent.crt
+          tls_key: ${telegraf:agent:dir:config}/telegraf-agent.key
+          tls_config:
+            ca_file: /etc/ssl/certs/ca-certificates.crt