When deploying with tls enabled in public
endpoints, ansible modules fails due SSL certificates
are self-signed.

This change adds a new variable to allow customization
on which endpoints ansible should connect.
Defaults to admin because admin auth parameters defaults
to admin endpoint.

Change-Id: Ic3ed58cf9c9579cae08a11bbfe6fce983b5a9cbc
Closes-Bug: #1720995

Actually Openstack services configuration can be overriden using many
files:
- /etc/kolla/config/<< service name >>/<< config file >>
- /etc/kolla/config/<< service name >>/<<host>>/<< config file >>
- /etc/kolla/config/global.conf
- /etc/kolla/config/database.conf
- /etc/kolla/config/messaging.conf

Only per-service configuration is actually documented here:
https://github.com/openstack/kolla-ansible/blob/master/doc/advanced-configuration.rst#L164

Allowing to globally modify service configuration can be perform too,
but it can be done in 3 different manners, all not documented:
- /etc/kolla/config/global.conf
- /etc/kolla/config/database.conf
- /etc/kolla/config/messaging.conf

database.conf and messaging.conf seems redundant with global.conf.
In order to simplify codebase it seems logical to remove them.

Documentation has been added for overriding configuration globally and
release note has been added too.

Closes-Bug: #1682479
Change-Id: I5d922dfc0d938173bad34ac64e490b78db1b7e31

TrivialFix

Change-Id: Ia54ee5cae2ffcdcca24cb162699e09b0808a1037
Depends-on: Ida2ed62eaba8908fb0bd50bb0be00fb5f9b1adc3

Init fernet task fails if keystone_fernet container
is not running and ssh port bind.
This change add a check to ensure all keystone_fernet containers
are running before init fernet tokens.

Change-Id: Ib95bb5a47a9174f1a00b82cc8b697c0dc19c848e
Closes-Bug: #1704758

adding cors section to keystone and gnocchi templates when
grafana is enabled

Change-Id: I54f4c06ed64254df0f9481e461c9393a399212a3
Closes-bug: #1651796

Trace method is enabled in default for httpd. There is security risk
with trace enabled. So disable it in default. more info please check[0].

[0] https://security.stackexchange.com/a/7711

Change-Id: I4496a6d058d88e1abfb210085f189e7a610e0362
Closes-Bug: #1705160

kolla-kubernetes is using its own configuration generation[0], so it is
time for kolla-ansible to remove the related code to simplify the
logical.

[0] https://github.com/openstack/kolla-kubernetes/tree/master/ansible

Change-Id: I7bb0b7fe3b8eea906613e936d5e9d19f4f2e80bb
Implements: blueprint clean-k8s-config

* "bool" filter is removed when not required
* 'not' is used instead of '== False' check

Change-Id: I85a5bb9a5ea874ac1c397cbf8de416147d2424c3

In ansible 2.3.1, conditional statement should not include jinja2
templating delimiters (e.g. {{ ).  So, this change removes the
delimiters from when statemant, and also removes unnesessary
parentheses from until statement.

Closes-Bug: 1702607

Change-Id: I071ffd5ba6175ee1bc61719a84b805c022753459

Custom file was check on remote target instead of local.

Change-Id: I9426056e7bb284eb8b3ad539d61ecb1e1f6370e4
Closes-Bug: #1702490

In order to speed up deployment time some "local" actions should be run
only once using 'run_once: True'.
This will decrease deployment time in case of multihost configuration.

Change-Id: I6015d772d35c15e96c52f577013b6e41197cb41a

Some roles have a symlink to deploy.yml file
for reconfigure. This is causing some issues.
"included task files must contain a list of tasks"

Change-Id: Ie7ade52900a61bc1c5b867fa7a8f75fc541a6426
Closes-Bug: #1694251

No handler named "Restart keystone containers", and we should restart
the keystone and the keystone-fernet container according to the context

Closes-Bug: #1699924

Change-Id: I62512dc022426cc762ff603d8554e48651fa621f

Sometimes Ansible is faster running tasks that haproxy tagging Keystone
services as UP. Keystone bootstrap uses SQL directly but the default
user role creation requires the API, and because of that it may fail.

Retry in case the backend is not yet available.

Change-Id: I9dfc030bbf92ca0a3dcb008d55e9fa2055f900ec
Closes-Bug: 1699096

when create database user, it should use
database_user, not database_name.

Change-Id: I4dfa01d1a5a46c5c58f1fc47b0be71b186462764
Closes-Bug: #1698762

Condition check are already performed here:
https://github.com/openstack/kolla-ansible/blob/master/ansible/site.yml
In order to simplify codebase, these checks can be removed for
standalone services.

Change-Id: Ib9842cd5363a1c7e56234a5e91dc264f89e2838f

Ansible task support vars directive, no need implement another one in
merge_config. This patch remove the vars directive in merge_config
action plugin.

Change-Id: I33648a2b6e39b4d49ce76eb66fbf2522721f8c68

keystone-paste.ini file is introduced by
I3a3ca2e74c0ae341105d3481f97956c6da473046 for a security risk of
admin_token_auth middleware. Now this middleware is removed by
I57586ccfa0ad1309cc806d95377dc1ecad015914. So it is safe to use upstream
keystone-paste.ini file.

This patch also keep custom paste file feature. Just put the file to
/etc/kolla/config/keystone/keyston-paste.ini path.

Closes-Bug: #1695023
Partially-Implements: blueprint custom-paste
Change-Id: Ieb983b6a9edb6a156928f6b56a4bd2dbed4281e2

Change-Id: Idb40cbed763382bef9965c6b090e71156b671590

[WARNING]: when statements should not include jinja2 templating
delimiters such as {{ }} or {% %}. Found: {{
(keystone_bootstrap.stdout | from_json).changed }}

Closes-Bug: #1689550

Change-Id: Ib6fdbcde02319011b072990f06fbd5e74b8d2d93

In case Kolla's users want to deploy with both of
binary and source image, we should have a variable
install type that define install type for each project.

We also add specific image tag for each Openstack project.

This commit is implemented for Ironic, Kabor,
Keystone project and iscsi as well.

Change-Id: I134d840b1c0e24171a32dec0c7daa6dc2e9ecd87
Implements: blueprint mixing-binary-and-source-image

OSprofile allows user/devs trace OpenStack requests.

Implements: blueprint enable-osprofiler
Co-Authored-By: Bertrand Lallau <bertrand.lallau@gmail.com>
Change-Id: I82ea85d726011ef6cbf99380f395452d6d7f8053

Many of the templates use 600, remove unnecessary permission
on these templates to bring them in line with the others.

Change-Id: I30fe1b3822b9c7bb6ab98729fc519dc1d603db27

Useful api_interface_address variable has been define here:
https://github.com/openstack/kolla-ansible/blob/master/ansible/group_vars/all.yml#L57
In order to simplify codebase we must use it as much as possible.

Change-Id: I18fec19bf69e05a22a4142a9cd1165eccd022455

wait_for module waits 300 seconds for the port started or stopped.  This
is meaningless and useless in precheck. This patch change timeout to 1
seconds.

Change-Id: I9b251ec4ba17ce446655917e8ef5e152ef947298
Closes-Bug: #1688152

The current module 'kolla_sanity' was written as a shim before full
shade support was added to Ansible. This should now no longer be needed,
we can implement the checks using Ansible provided modules.

Begin by updating the Keystone check to use 'os_auth' to fetch a token,
I think this is a good basic smoke test to verify Keystone is working.

Change-Id: I16049d9201fd8138c781ef2e1e0c1827ea817259
Partially-implements: blueprint sanity-check-container

Option "secure_proxy_ssl_header" from group "DEFAULT" is deprecated
in Keystone.

see
https://docs.openstack.org/ocata/config-reference/identity/samples/keystone.conf.html

Change-Id: I390969fce5b592c0267399969abc54e5caffbfc8
Closes-Bug: #1675982

nova quota fail to create due a recent change.
Keystone endpoint cannot have version v3 in the url.

During upgrade to Pike nova endpoint must be changed
to be versionless.

Change-Id: Idb433d526f7d44dfe4fd02ee918bd67e05c523f6
Depends-On: I568db4559428525ac6c5083cfc20cffc20be6342
Closes-Bug: #1668663

Change-Id: Ic2890d0ea2dd0927b327b880bf25532fbb2efe07

Add support for basic multiple regions, that is to say, many OpenStack
with a shared Keystone (same users) and Horizon. The shared Keystone
and Horizon are deployed into one region, for instance RegionOne.
Services of other regions have an access to this Keystone. This
support assumes that the operator knows the name of all OpenStack
regions in advance, and considers as many Kolla runs as there are
regions.

The new variable, multiple_regions_names, contains the name of
regions. It is needed by the region that includes Keystone and
Horizon. In register.yml, it specifies to create as many Keystone
endpoints as there are regiones, so that services of other regions can
connect to Keystone. In local_settings.j2, it changes the render to
support multiple regions in Horizon. The multi-regions.rst explains
how to perform a multiple regions deployment.

Implements: blueprint multi-kolla-config
Change-Id: Icab2aebfc4de0e3bc609950956e0af397705f403

* Move the tasks to the role
* Skip the task when container is already running

Change-Id: I1990d4dd2a02efa2b3766329000aa23419e0ff17
Closes-Bug: #1670286

The wrapper keystone_bootstrap.sh expects to parse output from the
keystone-manage command. Somewhere along the line this command stopped
logging to stderr resulting in it not being able to report it's changed
status correctly.

Closes-Bug: #1668220

Change-Id: I895ebe11b88fd239fa8cb6e1a2fed779743e4139

There is inconsistent use of either `/usr/bin/python` or
`/usr/bin/env python`. This makes for unexpected results when a
user might be using a virtualenv.

Change-Id: Ibb030f920a8869f9113ade70b66a921cc815060d

- add "item.value.enabled | bool"
- add "| bool" to keystone
- add group check for searchlight

Change-Id: Id4555a0a96ea1670e99c88a1da9d3e07bf253497

revoke api is only used when using kvs revoke driver. In most of case it
is useless and unnecessary.

Change-Id: I6afaf32574330e3ee57435f688c41ae74dbdf7ed
Closes-Bug: #1664026

Change-Id: I2bf2e8a6ba17c813bb2b9cdf05d3062f29d9fdf6
Closes-Bug: #1653168

Change-Id: I1577cc3afef4dadd3a188c8ba749c9cdfad313ae

Co-Authored-By: Mauricio Lima <mauriciolimab@gmail.com>
Change-Id: I9a4a6b6523dee4b388513386b7d85d421f2b7b89

A config generation check was added to a few services but the action
name checked was "genconfig" where the kolla-ansible genconfig command
actually uses the action name "config".

Stop run the handlers when action is "config".

Co-Authored-By: Jeffrey Zhang <jeffrey.zhang@99cloud.net>
Partially-implements: blueprint better-reconfigure
Change-Id: I9d3be2f674087f340108b176c8e8e2209ffa8806

Change-Id: I15c23a3445ab1cbc92c4c1258f37844bf244ebf0
Partically-implements: blueprint better-reconfigure