In case Kolla's users want to deploy with both of
binary and source image, we should have a variable
install type that define install type for each project.

We also add specific image tag for each Openstack project.

This commit is implemented for Ironic, Kabor,
Keystone project and iscsi as well.

Change-Id: I134d840b1c0e24171a32dec0c7daa6dc2e9ecd87
Implements: blueprint mixing-binary-and-source-image

OSprofile allows user/devs trace OpenStack requests.

Implements: blueprint enable-osprofiler
Co-Authored-By: Bertrand Lallau <bertrand.lallau@gmail.com>
Change-Id: I82ea85d726011ef6cbf99380f395452d6d7f8053

Many of the templates use 600, remove unnecessary permission
on these templates to bring them in line with the others.

Change-Id: I30fe1b3822b9c7bb6ab98729fc519dc1d603db27

Useful api_interface_address variable has been define here:
https://github.com/openstack/kolla-ansible/blob/master/ansible/group_vars/all.yml#L57
In order to simplify codebase we must use it as much as possible.

Change-Id: I18fec19bf69e05a22a4142a9cd1165eccd022455

wait_for module waits 300 seconds for the port started or stopped.  This
is meaningless and useless in precheck. This patch change timeout to 1
seconds.

Change-Id: I9b251ec4ba17ce446655917e8ef5e152ef947298
Closes-Bug: #1688152

The current module 'kolla_sanity' was written as a shim before full
shade support was added to Ansible. This should now no longer be needed,
we can implement the checks using Ansible provided modules.

Begin by updating the Keystone check to use 'os_auth' to fetch a token,
I think this is a good basic smoke test to verify Keystone is working.

Change-Id: I16049d9201fd8138c781ef2e1e0c1827ea817259
Partially-implements: blueprint sanity-check-container

Option "secure_proxy_ssl_header" from group "DEFAULT" is deprecated
in Keystone.

see
https://docs.openstack.org/ocata/config-reference/identity/samples/keystone.conf.html

Change-Id: I390969fce5b592c0267399969abc54e5caffbfc8
Closes-Bug: #1675982

nova quota fail to create due a recent change.
Keystone endpoint cannot have version v3 in the url.

During upgrade to Pike nova endpoint must be changed
to be versionless.

Change-Id: Idb433d526f7d44dfe4fd02ee918bd67e05c523f6
Depends-On: I568db4559428525ac6c5083cfc20cffc20be6342
Closes-Bug: #1668663

Change-Id: Ic2890d0ea2dd0927b327b880bf25532fbb2efe07

Add support for basic multiple regions, that is to say, many OpenStack
with a shared Keystone (same users) and Horizon. The shared Keystone
and Horizon are deployed into one region, for instance RegionOne.
Services of other regions have an access to this Keystone. This
support assumes that the operator knows the name of all OpenStack
regions in advance, and considers as many Kolla runs as there are
regions.

The new variable, multiple_regions_names, contains the name of
regions. It is needed by the region that includes Keystone and
Horizon. In register.yml, it specifies to create as many Keystone
endpoints as there are regiones, so that services of other regions can
connect to Keystone. In local_settings.j2, it changes the render to
support multiple regions in Horizon. The multi-regions.rst explains
how to perform a multiple regions deployment.

Implements: blueprint multi-kolla-config
Change-Id: Icab2aebfc4de0e3bc609950956e0af397705f403

* Move the tasks to the role
* Skip the task when container is already running

Change-Id: I1990d4dd2a02efa2b3766329000aa23419e0ff17
Closes-Bug: #1670286

The wrapper keystone_bootstrap.sh expects to parse output from the
keystone-manage command. Somewhere along the line this command stopped
logging to stderr resulting in it not being able to report it's changed
status correctly.

Closes-Bug: #1668220

Change-Id: I895ebe11b88fd239fa8cb6e1a2fed779743e4139

There is inconsistent use of either `/usr/bin/python` or
`/usr/bin/env python`. This makes for unexpected results when a
user might be using a virtualenv.

Change-Id: Ibb030f920a8869f9113ade70b66a921cc815060d

- add "item.value.enabled | bool"
- add "| bool" to keystone
- add group check for searchlight

Change-Id: Id4555a0a96ea1670e99c88a1da9d3e07bf253497

revoke api is only used when using kvs revoke driver. In most of case it
is useless and unnecessary.

Change-Id: I6afaf32574330e3ee57435f688c41ae74dbdf7ed
Closes-Bug: #1664026

Change-Id: I2bf2e8a6ba17c813bb2b9cdf05d3062f29d9fdf6
Closes-Bug: #1653168

Change-Id: I1577cc3afef4dadd3a188c8ba749c9cdfad313ae

Co-Authored-By: Mauricio Lima <mauriciolimab@gmail.com>
Change-Id: I9a4a6b6523dee4b388513386b7d85d421f2b7b89

A config generation check was added to a few services but the action
name checked was "genconfig" where the kolla-ansible genconfig command
actually uses the action name "config".

Stop run the handlers when action is "config".

Co-Authored-By: Jeffrey Zhang <jeffrey.zhang@99cloud.net>
Partially-implements: blueprint better-reconfigure
Change-Id: I9d3be2f674087f340108b176c8e8e2209ffa8806

Change-Id: I15c23a3445ab1cbc92c4c1258f37844bf244ebf0
Partically-implements: blueprint better-reconfigure

When pull keystone image, it will failed, msg is "image' is undefined",
this patch fix it.

Change-Id: I510030cc20a44410a847ab0a6ef36effae716975

Change-Id: I5290c923530338682808205cc9c3957178de469c
Partially-implements: blueprint condition-pre-check

Change-Id: I00d2dcb0895548ba169ab85764cf546c2214cbf5

Partically-implements: blueprint better-reconfigure
Change-Id: Ieab308ea1ec90300e319db4e1bcf8bd0cfef7619

Default user group should be set much earlier in deployment
and should be used consistently accross all projects.

Change-Id: Id399f9ddebc903bb9c3eeb5a0ff6f33ca6d6828c
Closes-Bug: #1650501

The task for keystone is missing a 'per service' entry for it's config
augments. This means for example that users could not add:

/etc/kolla/config/keystone/keystone-fernet.conf

or

/etc/kolla/config/keystone/keystone.conf

and have keystone.conf augmented for those services only.

Change-Id: I8d2570b4a52dc6c3552397b0a6fa7866133dc2f1
Closes-Bug: #1646898

Include custom policy.json files in service-api.json.j2 files

Change-Id: Ic55bfc6f61131aa72c3497ce8b2282056bcc7f92
Partially-Implements: blueprint custom-policies

Currently, policy.json is put in
"{{ node_config_directory }}/{{ service_name }}"
in target nodes.

Relocation policy.json to "{{ node_config_directory }}/{{ item }}"
with item is corresponding service compoment config directory.

Currently, the policy.json is copied to all services, but it
should be reviewed and left only in neccesary service
(at many cases, only API service needs that).

Redundant files will be removed in follow up patchset.

Change-Id: I0e997dccf4ec438c9c0436db71ec2fd06650f50d
Closes-Bug: #1639686

Keystone uses fernet as default provider in its code now. This patch
adds provider=token in keystone.conf file explicitly.

TrivialFix

Change-Id: Id7142ff4f00ee99579ad420573eafefea0f4dcb7

* Merge prechecks.yml and site.yml playbook
* Create empty precheck.yml into all roles.

Change-Id: I8a138558a26c0a2a66c5fd48ed37be657c99c1dd
Implements: blueprint condition-pre-check

Allow operators to use their custom policy files.
Avoid maintain policy files in kolla repos, only copying
the files when an operator add their custom config.

Implements: blueprint custom-policies
Change-Id: Icf3c961b87cbc7a1f1dd2ffbfffcf271d151d862

Previous version of keystone reconfigure fails at adding fernet
components to fact variable "keystone_item".
Ansible can not create fact variable using newly created variable
in a same task.

This patch set split this task into two tasks, first create variable
containing fernet components, then merge it to "keystone_item".

Change-Id: I15571ab20d6104d30350e8b922401b462336fca0
Closes-Bug: #1636047

TrivialFix

Change-Id: I817aa52caf56b7d54b266e553db6db1ceb38b773
Signed-off-by: Jeffrey Zhang <zhang.lei.fly@gmail.com>

Change-Id: I211d9f2dbdd9647ec99e8b43be6332c8ad64114e
Partial-Bug: #1631503

* install openssh client in keystone-fernet container
* install rsync in keystone-ssh container
* fix syntax issue in ssh configuration
* copy ssh configuration into keystone-fernet container
* copy id_rsa.pub into keystone-ssh container
* copy id_rsa into keystone-fernet container
* use full path to ssh binary in used scripts
* add missing newlines at EOF
* when using type source set /var/lib/keystone as home
  directory for the user keystone

Co-Authored-By: Jeffrey Zhang <jeffrey.zhang@99cloud.net>
Change-Id: Id6b41030056a69f6516a054beb2fc0e08226e876
Closes-bug: #1623013

TrivialFix

Change-Id: I2f0945c444016227a09486d62cec53db51ac1ec9

By default CADF events added even if they are disbaled in all.yml.
Boolean check is missing is added so that CADF configurations will
be added only if it is enabled.

Change-Id: I757ae176228cc4e74d06ce85b27200bdcdd5dd5c
Closes-Bug: #1607904

TrivialFix

Change-Id: I23d74821c7f65cdf20c214f7622f4df0d3c0e172

do_reconfigure.yml is introduced to use serial directive. But we use
it in wrong. Now serial has moved to playbook file. So it is time to
remove the do_reconfigure.yml file

Closes-Bug: #1628152
Change-Id: I8d42d27e6bc302a0e575b0353956eaef9b2ca9fd

The use of the admin_token_auth middleware presents a security risk
and was removed from [pipeline:api_v3], [pipeline:admin_api],
and [pipeline:public_api].

Change-Id: I3a3ca2e74c0ae341105d3481f97956c6da473046
Closes-bug: #1587747