The Castellan (Barbican client) has different parameters to control
the used CA file.
This patch uses them.
Moreover, this aligns Barbican with other services by defaulting
its client config to the internal endpoint.

See also [1].

[1] https://bugs.launchpad.net/castellan/+bug/1876102

Closes-Bug: #1886615

Change-Id: I6a174468bd91d214c08477b93c88032a45c137be

The etcd service protocol is currently configured with internal_protocol.
The etcd service is not load balanced by a HAProxy container, so
there is no proxy layer to do TLS termination when internal_protocol
is configured to be "https".

Until the etcd service is configured to deploy with native TLS
termination, the etcd uses should be independent of
internal_protocol, and "http" by default.

Change-Id: I730c02331514244e44004aa06e9399c01264c65d
Closes-Bug: 1884137

When installing kolla with external ceph, ceph_cinder_user
var has to be set per documentation instead of ceph_cinder_volume_user.
This value is also rendered in example etc/kolla/globals.yml file.

This patch is fixing this bug or, let's say typo.

Change-Id: Id82b07867f4bc0e5d5e56363f0122014df6892bc

The use of default(omit) is for module parameters, not templates. We
define a default value for openstack_cacert, so it should never be
undefined anyway.

Change-Id: Idfa73097ca168c76559dc4f3aa8bb30b7113ab28

Change-Id: I9395ae32378f4ff1fd57be78d7daec7745579e04
Closes-Bug: #1869133

To make the configuration easier for the user, and to allow non-standard
ceph authentication ids - introduce ceph_*_user variables.

Change-Id: I24e01c43c826b62b6748d93a498f4b7d8ce9e309

Include a reference to the globally configured Certificate Authority to
all services. Services use the CA to verify HTTPs connections.

Change-Id: I38da931cdd7ff46cce1994763b5c713652b096cc
Partially-Implements: blueprint support-trusted-ca-certificate-file

Currently External Ceph Cinder config requires the user to create cinder
service custom configuration.

This change alters the if/else statements to template out cinder backends
configuration when cinder_backend_ceph is True.

Change-Id: I143c3b44d2839e56d1dbf28484c0eaae0a753dc9

To fix instability and availability issues:

etcd3 is not available in repos for binary kolla images.

etcd3 does not support eventlet-based services [1].

[1] https://review.opendev.org/466098

Change-Id: I430bab735da204fc81696130b17931a89214c876
Closes-bug: #1852086
Closes-bug: #1854932

Introduce kolla_address filter.
Introduce put_address_in_context filter.

Add AF config to vars.

Address contexts:
- raw (default): <ADDR>
- memcache: inet6:[<ADDR>]
- url: [<ADDR>]

Other changes:

globals.yml - mention just IP in comment

prechecks/port_checks (api_intf) - kolla_address handles validation

3x interface conditional (swift configs: replication/storage)

2x interface variable definition with hostname
(haproxy listens; api intf)

1x interface variable definition with hostname with bifrost exclusion
(baremetal pre-install /etc/hosts; api intf)

neutron's ml2 'overlay_ip_version' set to 6 for IPv6 on tunnel network

basic multinode source CI job for IPv6

prechecks for rabbitmq and qdrouterd use proper NSS database now

MariaDB Galera Cluster WSREP SST mariabackup workaround
(socat and IPv6)

Ceph naming workaround in CI
TODO: probably needs documenting

RabbitMQ IPv6-only proto_dist

Ceph ms switch to IPv6 mode

Remove neutron-server ml2_type_vxlan/vxlan_group setting
as it is not used (let's avoid any confusion)
and could break setups without proper multicast routing
if it started working (also IPv4-only)

haproxy upgrade checks for slaves based on ipv6 addresses

TODO:

ovs-dpdk grabs ipv4 network address (w/ prefix len / submask)
not supported, invalid by default because neutron_external has no address
No idea whether ovs-dpdk works at all atm.

ml2 for xenapi
Xen is not supported too well.
This would require working with XenAPI facts.

rp_filter setting
This would require meddling with ip6tables (there is no sysctl param).
By default nothing is dropped.
Unlikely we really need it.

ironic dnsmasq is configured IPv4-only
dnsmasq needs DHCPv6 options and testing in vivo.

KNOWN ISSUES (beyond us):

One cannot use IPv6 address to reference the image for docker like we
currently do, see: https://github.com/moby/moby/issues/39033
(docker_registry; docker API 400 - invalid reference format)
workaround: use hostname/FQDN

RabbitMQ may fail to bind to IPv6 if hostname resolves also to IPv4.
This is due to old RabbitMQ versions available in images.
IPv4 is preferred by default and may fail in the IPv6-only scenario.
This should be no problem in real life as IPv6-only is indeed IPv6-only.
Also, when new RabbitMQ (3.7.16/3.8+) makes it into images, this will
no longer be relevant as we supply all the necessary config.
See: https://github.com/rabbitmq/rabbitmq-server/pull/1982

For reliable runs, at least Ansible 2.8 is required (2.8.5 confirmed
to work well). Older Ansible versions are known to miss IPv6 addresses
in interface facts. This may affect redeploys, reconfigures and
upgrades which run after VIP address is assigned.
See: https://github.com/ansible/ansible/issues/63227

Bifrost Train does not support IPv6 deployments.
See: https://storyboard.openstack.org/#!/story/2006689



Change-Id: Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c
Implements: blueprint ipv6-control-plane
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>

This is to allow operator to prevent enabling redis and/or
etcd from magically configuring cinder coordinator.

Note this change is backwards-compatible.

Change-Id: Ie10be55968e43e3b9cc347b1b58771c1f7b1b910
Related-Bug: #1840070
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>

The Hitachi NAS Platform iSCSI driver was marked as not supported by
Cinder in the Ocata realease[1].

[1] https://review.opendev.org/#/c/444287/

Change-Id: I1a25789374fddaefc57bc59badec06f91ee6a52a
Closes-Bug: #1832821

* When using redis as the backend of osprofiler, it cannot connect to
redis because the redis_connection_string is incorrect.

* Let other places that use redis also use this variable.

Change-Id: I14de6597932d05cd7f804a35c6764ba4ae9087cd
Closes-Bug: #1833200
Signed-off-by: ZijianGuo <guozijn@gmail.com>

This allows swift service endpoints to use custom hostnames, and adds the
following variables:

* swift_internal_fqdn
* swift_external_fqdn

These default to the old values of kolla_internal_fqdn or
kolla_external_fqdn.

This also adds a swift_proxy_server_listen_port option, which defaults to
swift_proxy_server_port for backward compatibility.

This option allow the user to differentiate between the port the
service listens on, and the port the service is reachable on. This is
useful for external load balancers which live on the same host as the
service itself.

While we're in here, use the ``internal_protocol`` variable for the swift
endpoint in cinder's swift backup driver configuration, instead of hardcoding
to ``http``.

Change-Id: Ibc01618383c26e16c0067f7f6b9cf5160d968d1e
Implements: blueprint service-hostnames

This allows cinder service endpoints to use custom hostnames, and adds the
following variables:

* cinder_internal_fqdn
* cinder_external_fqdn

These default to the old values of kolla_internal_fqdn or
kolla_external_fqdn.

This also adds a cinder_api_listen_port option, which defaults to
cinder_api_port for backward compatibility.

This option allow the user to differentiate between the port the
service listens on, and the port the service is reachable on. This is
useful for external load balancers which live on the same host as the
service itself.

Change-Id: I2a5036456afac6135dca3723ae754ea9f8bc8475
Implements: blueprint service-hostnames

We're duplicating code to build the keystone URLs in nearly every
config, where we've already done it in group_vars. Replace the
redundancy with a variable that does the same thing.

Change-Id: I207d77870e2535c1cdcbc5eaf704f0448ac85a7a

The iscsi_helper option was deprecated in favour of target_helper in
Queens, and will be removed in the Stein release.

This also renames the cinder_iscsi_helper variable to
cinder_target_helper, deprecating but still supporting the former name
until the Train release.

Change-Id: Ie38c09b2dd8598f62b0733c8444eec5f6ce3daac

This allows glance service endpoints to use custom hostnames, and adds the
following variables:

* glance_internal_fqdn
* glance_external_fqdn

These default to the old values of kolla_internal_fqdn or
kolla_external_fqdn.

This also adds a glance_api_listen_port option, which defaults to
glance_api_port for backward compatibility.

This option allow the user to differentiate between the port the
service listens on, and the port the service is reachable on. This is
useful for external load balancers which live on the same host as the
service itself.

Change-Id: Icb91f728533e2db1908b23dabb0501cf9f8a2b75
Implements: blueprint service-hostnames

Add an enable_cinder_backend_quobyte option to etc/kolla/globals.yml to
enable use the Quobyte Cinder backend.
Change the bind mounts for /var/lib/nova/mnt to include the shared
propogation if Quobyte is enabled.
Update the documentation to include a section on configuring the Cinder.

Implements: blueprint cinder-quobyte-backend

Change-Id: I364939407ad244fe81cea40f880effdbcaa8a20d

According [1], vitrage notification has to be configured in Nova,
Neutron, Cinder & Aodh config file.

[1] https://review.openstack.org/#/c/302802/

Change-Id: Iaf8cd7d40e6eb988adf4d208e6ad784f1004caa5

Coordination is required for active-active cinder volume.

Change-Id: I9b26831fd951a24c483840a55824fae06ccbbf81
Closes-Bug: #1796615

Cinder has dropped [1] support for legacy backup services. It is now
necessary to specify the full class of the backup driver, rather than
just the module name. This was causing the kolla-ansible ceph jobs to
fail.

[1] https://review.openstack.org/#/c/595372

Change-Id: Icf0ee475ba73f013d4266332d999362651d9475b

Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.

[1]https://review.openstack.org/#/c/508522/



Co-Authored-By: confi-surya <singh.surya64mnnit@gmail.com>
Change-Id: Ifd8527d404f1df807ae8196eac2b3849911ddc26
Closes-Bug: #1761907

Currently osprofiler only choose elasticsearch,
which is only supported on x86.
On other platform like aarch64 osprofiler can
not be used since no elasticsearch package.

Enable osprofiler by enable_osprofiler: "yes",
which choose elasticsearch by default.
Choose redis by enable_redis: "yes" & osprofiler_backend: "redis"
On platform without elasticsearch support like aarch64
set enable_elasticsearch: "no"

Change-Id: I68fe7a33e11d28684962fc5d0b3d326e90784d78

Cinder requires access to Nova during Nova assisted backups and
snapshots. Both fail without proper Nova authentication section
in cinder.conf file.

Change-Id: I5d1fc3b466bf2df919e426d2052c1ee31c27030d
Closes-Bug: #1772959

Cinder cannot run with both snapshots or backups of volumes and
secure NAS feature. Choosing the former as the latter does not function
well everywhere.

Change-Id: Iba3783b2acb79dd0e765862ef972a568c96ec108
Closes-Bug: #1726836

If SSL is enabled, api of multiple services returns
wrong external URL without https prefix.

Removal of condition for deletion of http  header.

Change-Id: I4264e04d0d6b9a3e11ef7dd7add6c5e166cf9fb4
Closes-Bug: #1749155
Closes-Bug: #1717491

- Keystone
- Glance
- Nova
- Cinder

This will copy only yaml or json policy file if they exist.

Change-Id: I4a9415d82322aed68c9b7650bdf346f58fa49e2a
Implements: blueprint support-custom-policy-yaml
Co-authored-By: Duong Ha-Quang <duonghq@vn.fujitsu.com>

Change-Id: I36d7d62514416104c1f2f36cbd29c26c34c0d20d
Closes-Bug: #1733304

This commit separates the messaging rpc and notify transports in order
to support separate and different oslo.messaging backends

This patch:
* add rpc and notify variables
* update service role conf templates
* add example to globals.yaml
* add release note

Implements: blueprint hybrid-messaging
Change-Id: I34691c2895c8563f1f322f0850ecff98d11b5185

Change-Id: Ifaf6bca0a02e382d36a3a6168572ebb63878a496

Change-Id: I5bbd20a390f385a60ff2f330cc8fa7fb1117a42a
Closes-Bug: #1721292

We need set glance_api_version = 2 in cinder
configure to support upload volume to image.

Change-Id: I6162b94833043edb06b434bc578f4caa47213b94
Closes-bug: #1720048

my_ip is used by iscsi_ip_address in cinder.conf. Configure it to
api_interface_address.

Change-Id: Ib9f9140668f807b26bdaec849fc0cef0a63a8ca0
Closes-Bug: #1719274

Added configuration to enable Oracle ZFS Storage Appliance:
https://docs.openstack.org/cinder/pike/configuration/block-storage/drivers/zfssa-iscsi-driver.html

Change-Id: Id5807f0d4567e16a68283cace7e126eddc4dea20
Implements: blueprint zfssa-cinder-support

Introduced new option enable_cinder_backup, that controls
whether to deploy cinder-backup service.

Change-Id: Ibb0ca0a478748d4caba4df434456ead0df95ffca
Signed-off-by: Pavel Glushchak <pglushchak@virtuozzo.com>

volume_backend_name is required when using volume type.

Change-Id: Idab2ab98dea4940ba9404b219dbed935db0d51ed
Closes-Bug: #1705657

kolla-kubernetes is using its own configuration generation[0], so it is
time for kolla-ansible to remove the related code to simplify the
logical.

[0] https://github.com/openstack/kolla-kubernetes/tree/master/ansible

Change-Id: I7bb0b7fe3b8eea906613e936d5e9d19f4f2e80bb
Implements: blueprint clean-k8s-config

Add VMware VMDK driver supports to cinder service.
The VMware driver for OpenStack Block Storage is recommended and
should be used for managing volumes based on vSphere data stores.
see
https://docs.openstack.org/ocata/config-reference/compute/hypervisor-vmware.html
https://docs.openstack.org/ocata/config-reference/block-storage/drivers/vmware-vmdk-driver.html#block-storage-vmdk-driver

Partially-implements: blueprint kolla-ansible-support-vsphere

Change-Id: Ic3eb7ae34c1e8584945b3d97f8b427ee67ea8fba

Change-Id: I32de4c37f531a3d22bf80e1eca6635631e489842
Closes-Bug: #1702842