This avoids the need to use a proxy, or some other means, to connect to
Prometheus. This is disabled by default and can be enabled by setting
enable_prometheus_server_external to true.

Change-Id: Ia0af044ff436c2a204b357750a16ff49fcdfec45

Add support for automatic provisioning and renewal of HTTPS
certificates via LetsEncrypt.

Spec is available at:
https://etherpad.opendev.org/p/kolla-ansible-letsencrypt-https

Depends-On: https://review.opendev.org/c/openstack/kolla/+/887347


Co-Authored-By: Michal Arbet <michal.arbet@ultimum.io>
Implements: blueprint letsencrypt-https
Change-Id: I35317ea0343f0db74ddc0e587862e95408e9e106

Following Monasca initial removal in [1]

[1]: I6fc7842bcda18e417a3fd21c11e28979a470f1cf

Change-Id: I94d6f102e8da3882f37f3007639b917c49f907a9

* Zun currently has a dependency on a combination of Docker and
  etcd that is no longer installable (or supported) in newer
  distros.
* These components are core dependencies of other systems and
  vendoring them will be very painful.
* Work to update Zun past this is scheduled for the 'C' cycle.
* If Zun regains compatibility, backports to this series will be
  considered.

Change-Id: I6a2a4ffdcaf1c4fab1097e94d5f255ffb9a2947d

This change introduces haproxy_enable_http2 to let operators enable
http/2 on HAProxy frontends when kolla_enable_tls_external is enabled.

Change-Id: I2e00d3e9193a3052d43a228915ea249794490afe
Closes-Bug: #1850924

Closes-Bug: #2036741

Change-Id: Ib448d04e43dff78e344064161beadae917c41206

* When the Debian job got upgraded from Bullseye
  to Bookworm, the non-voting Zun job started failing.
* This is because Debian Bookworm doesn't support the
  required Docker 20 pinning.
* Until Zun gains support for newer dependencies this
  job will keep failing.

Change-Id: I1e1d9ea7c76d1b2f77b09b7948f138b88ef483d2

Up till now the ARA plugin has been pinned to a very old version,
and is no longer functional.

This installs a much newer version of ARA and adds a README file
to guide developers on how to view the sqlite file.

The ARA plugin is installed by default, but not activated. This
is intended to catch a small amount of regressions and
integration failures.

Developers can enable the plugin by adding the string `#ara`
to their commit message. This avoids extra load on the CI.

Change-Id: Id8328e374c9590b1363026fa2b2b24e191183987

Change-Id: I0aff87f0392b43671c6e9fc3fae3cdb0f7ce118a

This command can be invoked with ``kolla-ansible rabbitmq-reset-state``.
This is primarily designed to be used when enabling HA queues[1].

As such, this also updates the RabbitMQ documentation to use this
command.

[1] https://docs.openstack.org/kolla-ansible/latest/reference/message-queues/rabbitmq.html#high-availability

Change-Id: I6ad95a3618fc1a34af56657ef99ef14dc979f17a

Depends-On: https://review.opendev.org/c/openstack/ansible-collection-kolla/+/892323

Change-Id: I11db700511233aa60229ee65d0cc96e46aafdf90

While this section of the guide does not need to explain every command
available, ``kolla-ansible genconfig`` is a useful command for people
newer to using KA, so it seems worth mentioning in the guide.

Change-Id: I6f58bb395012b701ad349e967fb3d2f16e9373c7

Change-Id: I149bc646d2e5fb1e32be9c94c6a8d75fd92893e1

Under the Glance section of the external Ceph guide, to enable
copy-on-write the config heading should be ``[DEFAULT]``, rather than
``[GLOBAL]``. For reference, see the Glance docs:
https://docs.openstack.org/glance/latest/configuration/glance_api.html#DEFAULT.show_image_direct_url

Closes-Bug: #2017643
Change-Id: I2d77e01637ecae0bd10319eac4bc75340dd6f61f

Use case: exposing single external https frontend and
load balancing services using FQDNs.

Support different ports for internal and external endpoints.

Introduced kolla_url filter to normalize urls like:
- https://magnum.external:443/v1
- http://magnum.external:80/v1



Change-Id: I9fb03fe1cebce5c7198d523e015280c69f139cd0
Co-Authored-By: Jakub Darmach <jakub@stackhpc.com>

Replaces the instance label on prometheus metrics with the inventory
hostname as opposed to the ip address. The ip address is still used as
the target address which means that there is no issue of the hostname
being unresolvable. Can be optionally enabled or set to FQDNs by
changing the prometheus_instance_label variable as mentioned in the
release notes.

Co-Authored-By: Will Szumski <will@stackhpc.com>
Change-Id: I387c9d8f5c01baf6054381834ecf4e554d0fff35

Ansible 2.14.3 introduced a change that broke the method used for
restarting MariaDB and RabbitMQ serially [1][2]. In
I57425680a4cdbf0daeb9b2cc35920f1b933aa4a8 we limited to 2.14.2 to work
around this. Ansible upstream claim this behaviour was unintentional,
and will not fix it.

This change moves to a different approach where we use separate plays
with a 'serial' keyword to execute the restart.

This change also removes the restriction on the maximum supported
version of 2.14.2 on ansible-core - any 2.14 release is now supported.

[1] https://github.com/ansible/ansible/commit/65366f663de7d044f42ae6dd53368fd4c1f88b35
[2] https://github.com/ansible/ansible/issues/80848

Depends-On: https://review.opendev.org/c/openstack/kolla/+/884208

Change-Id: I5a12670d07077d24047aaff57ce8d33ccf7156ff

This patch is adding a feature for an option to copy different
ceph configuration files and corresponding keyrings for cinder,
glance, manila, gnocchi and nova services.

This is especially useful when the deployment uses availability
zones as below example.

  - Individual compute can read/write to individual ceph
    cluster in same AZ.
  - Cinder can write to several ceph clusters in several AZs.
  - Glance can use multistore and upload images to
    several ceph clusters in several AZs at once.

Change-Id: Ie4d8ab5a3df748137835cae1c943b9180cd10eb1

Followup on I34fd1dcb52cffd9d545d10526109772aeebc2393

Change-Id: I3a14f85fbe5be6ae635774c49872e17f5daea805
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

Where a list item has multiple paragraphs, the additional paragraphs
must be indented by three spaces (i.e. the level of the first paragraph)
to be considered part of the list item.

Change-Id: I34fd1dcb52cffd9d545d10526109772aeebc2393
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>

The ``[pci]`` options in the Nova SRIOV documentation are incorrect.
``alias`` is a JSON object but mentioned as a list of object here.
``through_whitelist`` is deprecated [1] in favour of ``device_spec``.

[1] https://docs.openstack.org/nova/2023.1/configuration/config.html#id116

Closes-Bug: #2019985
Change-Id: I4f9bce297bc3385f9749e4221f4721c1841700a1

Depends-On: https://review.opendev.org/c/openstack/neutron/+/878535
Change-Id: I05d8b29b59a7de76da488f68775547a8f0f11d0f

We limit to 2.14.2 due to a regression in ansible-core [1] that breaks
conditional include_task loops in handlers. This is used for controlled
restarts of MariaDB and RabbitMQ.

[1]: https://github.com/ansible/ansible/commit/65366f663de7d044f42ae6dd53368fd4c1f88b35



Change-Id: I57425680a4cdbf0daeb9b2cc35920f1b933aa4a8
Co-Authored-By: Michal Nasiadka <michal@stackhpc.com>

The section just after this one says the exact same thing with more details, so
we can remove it.

Change-Id: Iaa6c5a092b471728eec6f89d05546091aa4b17d9

Adds a flag ``kolla-ansible octavia-certificates --check-expiry <days>``
to the ``octavia-certificates`` command to check if the certificates
will expire within a given number of days.

Change-Id: I869b8afd85fe282d823ecf3593aa22f94a61b2a0

This reverts commit 9867060b.

Reason for revert: seems this broke some jobs

Change-Id: I1ca81214ece403351c0a522ea05bf07802e4c4c0

Currently, the process of enabling RabbitMQ HA with the variable
``om_enable_rabbitmq_high_availbility`` requires some manual steps to
migrate from transient to mirrored queues. In preparation for setting
this variable to ``True`` by default, this adds a precheck that will
fail if a system is currently running non-mirrored queues and
``om_enable_rabbitmq_high_availbility`` is set to ``True``.

Includes a helpful message informing the operator of their choice.
Either follow the manual procedure to migrate the queues described in
the docs, or set ``om_enable_rabbitmq_high_availbility`` to ``False``.

The RabbitMQ HA section of the reference docs is updated to include
these instructions.

Change-Id: Ic5e64998bd01923162204f7bb289cc110187feec

Change-Id: Ibc9cc91f64b0450de3cae6e2830b4ff2c52c0395

Remove notes referring to old releases (Train, Victoria). Add a note to
cover migration to RL9.

Change-Id: I57bcc9c3967fb6cdea56cb9a252255322ec2f1c9

As reported in bug #1914814, common ways to generate ceph config files
result in files that have leading tabs. These tabs make Kolla Ansible's
ini parser unhappy, so add a note to remind users to remove them.

Closes-Bug: #1914814
Change-Id: I4b06eae75bf238f2f093bfb76ba37c7f75dfd616

Related-Bug: #2007142

Change-Id: I9ce2a9ce5413e77625201f3986967e31a679ad9c

Change-Id: I0ff303a2fad2edbcedbe88486b272d2efa765d8d

Users running on a Focal host will now fail in prechecks.

Change-Id: Icaef4b25458490e46f623b055658abc678d2f1c6

As per the RBAC new direction in Zed cycle, we have dropped the
system scope from API policies and all the policies are hardcoded
to project scoped so that any user accessing APIs using system scope
will get 403 error. It is dropped from all the OpenStack services
except for the Ironic service which will have system scope and to
support ironic only deployment, we are keeping system as well as project
scope in Keystone.

Complete discussion and direction can be found in the below gerrit
change and TC goal direction:

- https://review.opendev.org/c/openstack/governance/+/847418
- https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#the-issues-we-are-facing-with-scope-concept

As phase-2 of RBAC goal, services will start enabling the new
defaults and project scope by default. For example: Nova did in
- https://review.opendev.org/c/openstack/nova/+/866218

Kolla who start accessing the services using system scope token
- https://review.opendev.org/c/openstack/kolla-ansible/+/692179

This commit partially revert the above change except keeping
system scope usage for Keystone and Ironic. Rest all services are changed
to use the project scope token.

And enable the scope and new defaults for Nova which was disabled
by https://review.opendev.org/c/openstack/kolla-ansible/+/870804

Change-Id: I0adbe0a6c39e11d7c9542569085fc5d580f26c9d

This change serialises the neutron l3 agent restart process and adds a
user configurable delay between restarts. This can prevent connectivity
loss due to all agents being restarted at the same time.

Routers increase the recovery time, making this issue more prevalent.

Change-Id: I3be0ebfa12965e6ae32d1b5f13f8fd23c3f52b8c

Makes sure the facts required to generate octavia.conf are available
when using genconfig.

This change also ensures that the necessary tasks run when using Ansible
check mode.

Closes-Bug: #1987299
Change-Id: Ib8fbee2d3abdcfd2eae0f9b3e9b69eeb0e3086e0

A combination of durable queues and classic queue mirroring can be used
to provide high availability of RabbitMQ. However, these options should
only be used together, otherwise the system will become unstable. Using
the flag ``om_enable_rabbitmq_high_availability`` will either enable
both options at once, or neither of them.

There are some queues that should not be mirrored:
* ``reply`` queues (these have a single consumer and TTL policy)
* ``fanout`` queues (these have a TTL policy)
* ``amq`` queues (these are auto-delete queues, with a single consumer)
An exclusionary pattern is used in the classic mirroring policy. This
pattern is ``^(?!(amq\\.)|(.*_fanout_)|(reply_)).*``

Change-Id: I51c8023b260eb40b2eaa91bd276b46890c215c25

Change-Id: I8855bd60c2fd77f33fb55d4123131a94327bd166

Users of aarch64 architecture need to set tag suffix if they use
official images.

Change-Id: Iefc2e736d23e0e86ed55d8225e71857fb997a4c3

In the quickstart there is need the git package to install
kolla-ansible from the source for deployment or evaluation and
to clone repository for development.

Closes-Bug: #1999370
Change-Id: Ia623694c801c03b151944947141551ecbc1d24f5
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>