Build upon changes in kolla which change strategy of installing projects
in containers when in dev mode. This fixes problems where when package
file manifest changes, the changes were not reflected in to
devmode-enabled container.

It changes the strategy of installing projects in dev mode in containers.
Instead of bind mounting the project's git repository to the venv
of the container, the repository is bind mounted to
/dev-mode/<project_name> from which the it is installed using pip
on every startup of the container using kolla_install_projects script.

Also updates docs to reflect the changes.

Depends-On: https://review.opendev.org/c/openstack/kolla/+/925712


Closes-Bug: #1814515
Singed-off-by: Roman Krček <roman.krcek@tietoevry.com>
Change-Id: If191cd0e3fcf362ee058549a1b6c244d109b6d9a

harden the TLS default config according to the mozilla
"modern" recommendation:

https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7



if you want to revert to the old settings, set:

kolla_haproxy_ssl_settings: "legacy" in globals.yaml
alternatively you can also set it to "intermediate"
for a middle ground between security and accessibility.

this also adjusts the glance and neutron tls proxy ssl settings
in their dedicated haproxy config templates to use the same mechanism.

also add some haproxy related docs to the TLS guide and cross reference
it from the haproxy-guide.

Closes-Bug: #2060787

Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: I311c374b34f22c78cc5bcf91e5ce3924c62568b6

When cert generation during upgrade was fixed
it was omitted to also redirect stderr to the log file.

This commit fixes that.

Introduced-By: Ib257f8342c392b78e02ae31588ce5c6f8943f5b8
Closes-Bug: #2078364

Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: I43ca7d782bdcc53dcbc59dcf82ac1daa48e85ad5

There is a bug in current `tests/upgrade.sh`. If a
developer adds a new type of certificate i.e. for
RabbitMQ, it is not generated on upgrade because the
script does not run the `certificates` role.
This fix adds the `certificates` role to the script.

Change-Id: Ib257f8342c392b78e02ae31588ce5c6f8943f5b8

The prometheus-msteams project is no longer maintained [1]. As a result
support for deploying prometheus-msteams via kolla-ansible has been
dropped. Users are encouraged to migrate to the native Prometheus
Alertmanager integration with Microsoft Teams [2].

[1] https://github.com/prometheus-msteams/prometheus-msteams/issues/343
[2] https://prometheus.io/docs/alerting/latest/configuration/#msteams_config

Change-Id: I93d28ef138b4e784465f3a7eaa11101ea5877050

Moving on py3 as the default runtime for tox to avoid to update this at
each new cycle.

Change-Id: I9e3eb3aca01fb94a92153e26659c2c412de98093

check if generated prometheus config is valid
via promtool.

This should help prevent bugs like:
https://bugs.launchpad.net/kolla-ansible/+bug/2076660

prior art: haproxy config validation:
https://review.opendev.org/c/openstack/kolla-ansible/+/922840



also add some basic documentation for the
`kolla-ansible validate-config` command.

Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: Ief90861b2c422e0e6c2dd9cb605c94e86c0f2ba1

license taken from https://github.com/hvac/hvac/blob/main/LICENSE.txt



Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: I1e619cbf17d49a5ff1496637f8084a03ace9b599

Library "distutils" is deprecated in Python 3.10:
https://peps.python.org/pep-0632/

The versions previously referenced using StrictVersion should be old
enough that they will not be used in a Dalmatian deployment:

- Ansible 2.11
- Docker API 1.42, included since Docker engine 23.0.0

Change-Id: Ie315004715a1cb5a91dd54bc64b0a8fd0af650ec

From OpenStack 2023.2 (Bobcat) the Pure Storage Cinder driver
supports NVMe-TCP as a dataplane protocol. This patch adds support
for this new driver type.

Change-Id: I3c0ad7652a03388ab2eafa173c644a55b0405cc6

Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: I66e471d3f199a9044a4b8aa8c51c2ad687926af3

This patch adds REQUESTS_CA_BUNDLE as it's described
in requests documentation [1].

This is needed because some ansible modules inside uses
python request library and some users of course using
their own CAs.

[1] https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification

Closes-Bug: #1967132

Change-Id: I901c2bc8ac477f15d2833e68566b19e437f4b6d1