- Nov 21, 2024
-
-
Antony Messerli authored
Existing container was out of date and did not work for the db restore example. Updates to a rocky-9 example. Change-Id: I5f57467a18d3e42e0c71826cc3a7740110162af7 (cherry picked from commit 3564f9de)
-
- Aug 30, 2024
-
-
Sven Kieske authored
harden the TLS default config according to the mozilla "modern" recommendation: https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7
if you want to revert to the old settings, set: kolla_haproxy_ssl_settings: "legacy" in globals.yaml
alternatively you can also set it to "intermediate" for a middle ground between security and accessibility.
this also adjusts the glance and neutron tls proxy ssl settings in their dedicated haproxy config templates to use the same mechanism.
also add some haproxy related docs to the TLS guide and cross reference it from the haproxy-guide.
Closes-Bug: #2060787
Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: I311c374b34f22c78cc5bcf91e5ce3924c62568b6
-
- Jul 09, 2024
-
-
Michal Nasiadka authored
Closes-Bug: #2070051 Depends-On: https://review.opendev.org/c/openstack/ansible-collection-kolla/+/923544 Change-Id: I221eb136e77c61aef39e8646b48b927352d1419d
-
- Feb 21, 2024
-
-
Alex-Welsh authored
Closes-Bug: #1793323 Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/903178 Depends-On: https://review.opendev.org/c/openstack/kolla/+/902057 Change-Id: Ibebd6e04de215e1a1aaff52c55d28c4741af98f2
-
- Nov 29, 2023
-
-
Dr. Jens Harbott authored
Just some minor formatting and wording updates Change-Id: Ia42944512f8d14a1993bd4ae3d09f0f2ab431322
-
- Nov 28, 2023
-
-
Jan Gutter authored
This commit addresses a few shortcomings in the etcd service:
* Adding or removing etcd nodes required manual intervention.
* The etcd service would have brief outages during upgrades or reconfigures because restarts weren't always serialised.
This makes the etcd service follow a similar pattern to mariadb:
* There is now a distinction between bootstrapping the cluster and adding / removing another member.
* This more closely follows etcd's upstream bootstrapping guidelines.
* The etcd role now serialises restarts internally so the kolla_serial pattern is no longer appropriate (or necessary).
This does not remove the need for manual intervention in all failure modes: the documentation has been updated to address the most common issues.
Note that there's repetition in the container specifications: this is somewhat deliberate. In a future cleanup, it's intended to reduce the duplication.
Change-Id: I39829ba0c5894f8e549f9b83b416e6db4fafd96f
-
- Nov 07, 2023
-
-
James Kirsch authored
Add support for automatic provisioning and renewal of HTTPS certificates via LetsEncrypt. Spec is available at: https://etherpad.opendev.org/p/kolla-ansible-letsencrypt-https
Depends-On: https://review.opendev.org/c/openstack/kolla/+/887347
Co-Authored-By: Michal Arbet <michal.arbet@ultimum.io>
Implements: blueprint letsencrypt-https
Change-Id: I35317ea0343f0db74ddc0e587862e95408e9e106
-
- Oct 18, 2022
-
-
Marcin Juszkiewicz authored
Some time ago we dropped RHEL as one of the possible options. During 'Zed' cycle we added Rocky Linux 9 as an alternative to CentOS Stream 9. This change updates some mentions of both. Change-Id: I9ed93efcb7d1ff97b1c7d8342db8252aba2a9887
-
- Jul 27, 2022
-
-
Radosław Piliszek authored
Change-Id: I63673761959a560e97c848f092f086ceba25839a
-
- Jan 11, 2022
-
-
Piotr Parczewski authored
Change-Id: Id05122cb564f3e7475b2b76da8c111e2c72601b8
-
- Jan 03, 2022
-
-
Piotr Parczewski authored
Change-Id: I2e6b6ecd3717ff0811b47892aad406376c89a18c
-
- Dec 23, 2021
-
-
Radosław Piliszek authored
Per [1] and exchange on IRC. [1] http://lists.openstack.org/pipermail/openstack-discuss/2021-December/026437.html Change-Id: I322500e7204eb129d7bf085006627e8c4aaaa934
-
- Apr 19, 2021
-
-
Mark Goddard authored
Change-Id: Iede747ceaafa54a00186761943fe2f4ac13f9559
-
- Mar 25, 2021
-
-
Mark Goddard authored
Change-Id: I08030ac88911d3594c75cb2184767067ad177139
-
- Mar 02, 2021
-
-
Arthur Outhenin-Chalandre authored
This option disables copy of certificates from the operator host to kolla-ansible managed hosts. This is especially useful if you already have some mechanisms to handle your certificates directly on your hosts.
Co-Authored-By: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Change-Id: Ie18b2464cb5a65a88c4ac191a921b8074a14f504
-
- Jan 27, 2021
-
-
Piotr Parczewski authored
There are inconsistencies across the documentation and the source code files when it comes to the project's name (Kolla Ansible vs. Kolla-Ansible). This commit aims at unifying it so that the naming becomes consistent everywhere. Change-Id: I903b2e08f5458b1a1abc4af3abefe20b66c23a54
-
- Dec 23, 2020
-
-
Victor Morales authored
Change-Id: Id93e7a91253b46e42d4817785d42ccc52564c330
-
- Oct 12, 2020
-
-
James Kirsch authored
Add TLS support for backend Neutron API Server communication using HAProxy to perform TLS termination. When used in conjunction with enabling TLS for service API endpoints, network communication will be encrypted end to end, from client through HAProxy to the Neutron service. Change-Id: Ib333a1f1bd12491df72a9e52d961161210e2d330 Partially-Implements: blueprint add-ssl-internal-network
-
- Sep 26, 2020
-
-
Radosław Piliszek authored
All docs are included. Change-Id: Ie29ff7ca340812c8dc0dac493518c87cf7bf137b Partially-Implements: blueprint letsencrypt-https
-
- Sep 17, 2020
-
-
Mark Goddard authored
This change adds support for encryption of communication between OpenStack services and RabbitMQ. Server certificates are supported, but currently client certificates are not. The kolla-ansible certificates command has been updated to support generating certificates for RabbitMQ for development and testing. RabbitMQ TLS is enabled in the all-in-one source CI jobs, or when the Zuul 'tls_enabled' variable is true. Change-Id: I4f1d04150fb2b5af085b762890092f87ae6076b5 Implements: blueprint message-queue-ssl-support
-
- Aug 19, 2020
-
-
wu.chunyang authored
remove cluster_interface from project. update storage_interface docs and remove storage_interface_address variable Change-Id: I3f811db988234f94b5ed0cc9d24233f70784f58d
-
- Aug 04, 2020
-
-
James Kirsch authored
Updated TLS documentation to reflect new features and configuration options added in Ussuri. Change-Id: I74550eaf394287b14fc521293cc4b5ea8074192c Partially-Implements: blueprint add-ssl-internal-network
-
- Jul 27, 2020
-
-
Mark Goddard authored
Moved the TLS documentation from "advanced-configuration" doc to its own TLS document. This is in preparation for improving it.
Change-Id: I4c83f1810ef1222aaa3560174c1ba39328853c4e
Co-Authored-By: James Kirsch <generalfuzz@gmail.com>
-
- May 13, 2020
-
-
Pierre Riteau authored
Change-Id: I0495c1e33696cea36765f027bc453b9d3e8563e0
-
- Apr 30, 2020
-
-
James Kirsch authored
Add TLS support for Glance api using HAProxy to perform TLS termination. Change-Id: I77051baaeb5d3f7dd9002262534e7d35f3926809 Partially-Implements: blueprint add-ssl-internal-network
-
- Apr 20, 2020
-
-
Raimund Hook authored
This update clears up an additional path that was mentioned in the Advanced Configuration documentation, but not actually picked up in the playbooks. This specifically affects Service Configuration overrides. The docs have been cleaned up to reflect the way the playbooks pick up the override files.
Change-Id: Id15fe139af6462217c2ac26d7d21c5eac5368e12
Closes-Bug: 1873782
Signed-off-by: Raimund Hook <openstack@sting-ray.za.net>
-
- Apr 09, 2020
-
-
James Kirsch authored
This patch introduces an optional backend encryption for Keystone service. When used in conjunction with enabling TLS for service API endpoints, network communication will be encrypted end to end, from client through HAProxy to the Keystone service. Change-Id: I6351147ddaff8b2ae629179a9bc3bae2ebac9519 Partially-Implements: blueprint add-ssl-internal-network
-
- Feb 11, 2020
-
-
Michal Nasiadka authored
Kolla-Ansible Ceph deployment mechanism has been deprecated in Train [1]. This change removes the Ansible code and associated CI jobs. [1]: https://review.opendev.org/669214 Change-Id: Ie2167f02ad2f525d3b0f553e2c047516acf55bc2
-
- Jan 28, 2020
-
-
James Kirsch authored
Generate both internal and external self signed TLS certificates. Duplicate the certificate if internal and external VIPs are the same. Change-Id: I16b345c0b29ff13e042eed8798efe644e0ad2c74 Partially-Implements: blueprint custom-cacerts
-
James Kirsch authored
When kolla_copy_ca_into_containers is set to "yes", the Certificate Authority in /etc/kolla/certificates will be copied into service containers to enable trust for that CA. This is especially useful when the CA is self signed, and would not be trusted by default. Partially-Implements: blueprint custom-cacerts Change-Id: I4368f8994147580460ebe7533850cf63a419d0b4
-
- Jan 06, 2020
-
-
Radosław Piliszek authored
It advertises C7 as an IPv6-compatible platform. This is possible thanks to fixes in [1] and [2]. [1] https://review.opendev.org/699458 aka 7054b27d [2] https://review.opendev.org/699172 aka 908bffcf Change-Id: Ia353a1663a16f48ac83e5ee9a2cf1d6e183ac3a3 Closes-bug: #1848444 Closes-bug: #1848452 Related-bug: #1856532 Related-bug: #1856725
-
- Dec 20, 2019
-
-
Radosław Piliszek authored
Change-Id: I401a073eb6225e90b6f9d6b2a32f33d22d1d7a79
-
- Nov 01, 2019
-
-
Mark Goddard authored
Currently, Xtrabackup is used for database backups. However, Xtrabackup is not compatible with MariaDB 10.3. This change switches to use mariabackup [1], which is available in the mariadb image. The documented full and incremental restore procedures have been modified to use mariabackup, following [2] and [3]. [1] https://mariadb.com/kb/en/library/mariabackup-overview/ [2] https://mariadb.com/kb/en/library/full-backup-and-restore-with-mariabackup/ [3] https://mariadb.com/kb/en/library/incremental-backup-and-restore-with-mariabackup/ Change-Id: Id52b9b1f7b013277e401b1f6b8aed34473d2b2c4 Closes-Bug: #1843043 Depends-On: https://review.opendev.org/691290
-
- Oct 23, 2019
-
-
Radosław Piliszek authored
IPv6 control plane implementation [1] follow-up. [1] Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c Change-Id: Icc25463320c23fd510073bff0a8144437a3607a6
-
- Oct 22, 2019
-
-
Doug Szumski authored
Change-Id: I80b4fb4addf4c633172f1c1a99cdf6a6feac3145
-
- Oct 14, 2019
-
-
Gaëtan Trellu authored
This is to avoid split-brain. This change also adds relevant docs that sort out the HA/quorum questions.
Change-Id: I9a8c2ec4dbbd0318beb488548b2cde8f4e487dc1
Closes-Bug: #1837761
Co-authored-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
-
- Sep 17, 2019
-
-
Doug Szumski authored
The main motivation here is to document a mechanism which can be used to configure Nova cells on a per-cell basis without introducing a myriad of additional locations to put config files. The following changes are made:
  - Remove the note about only ini files being supported because merge_yaml is now used
  - Expand on supported config file locations
  - Add a section on using conditionals in the config file
Partially Implements: blueprint support-nova-cells
Change-Id: I92599e501506fdacaf3adb94cc6fffcf6fea2af3
-
- Aug 22, 2019
-
-
Krzysztof Klimonda authored
This review is the first one in a series of patches and it introduces an optional encryption for internal openstack endpoints, implementing part of the add-ssl-internal-network spec. Change-Id: I6589751626486279bf24725f22e71da8cd7f0a43
-
- May 17, 2019
-
-
binhong.hua authored
When integrating a 3rd party component into openstack with kolla-ansible, it may be necessary to mount some extra volumes to the container. Change-Id: I69108209320edad4c4ffa37dabadff62d7340939 Implements: blueprint support-extra-volumes
-
- Mar 14, 2019
-
-
Scott Solkhon authored
Adds support to separate Swift access and replication traffic from other storage traffic. In a deployment where both Ceph and Swift have been deployed, this change adds functionality to support optional separation of storage network traffic. This adds two new network interfaces 'swift_storage_interface' and 'swift_replication_interface' which maintain backwards compatibility. The Swift access network interface is configured via 'swift_storage_interface', which defaults to 'storage_interface'. The Swift replication network interface is configured via 'swift_replication_interface', which defaults to 'swift_storage_interface'. If a separate replication network is used, Kolla Ansible now deploys separate replication servers for the accounts, containers and objects, that listen on this network. In this case, these services handle only replication traffic, and the original account-, container- and object- servers only handle storage user requests. Change-Id: Ib39e081574e030126f2d08f51de89641ddb0d42e
-