The ``ironic-inspector`` service user is now assigned the system scope
``all``. This allows it to create baremetal ports during node inspection
again.

Default project and domain vars are removed as you cannot combine these
with system scope.

Closes-Bug: #2064655
Change-Id: I5e3c29faae4c2531b269c37874ade368c1aab39f

Adds support for setting the system scope to user role assignments.
Also updates the domain assignment so it can be customised.

Note that the scope assignments follow the precedence of
project->domain->system [1]. As such, the previous default value of
domain was being ignored as we always set a project, so the removal of
the default domain in this patch has no effect on existing behaviour.

1. https://docs.ansible.com/ansible/latest/collections/openstack/cloud/role_assignment_module.html#parameter-system

Change-Id: Ie7fe78ab67b1bf8a19def25fef321de5c2d80aa9

fix bug: cyborg-api in controller does not work at kolla_external_fqdn with
port 6666, there is no haproxy setting for cyborg module

Closes-Bug: #2020088

Change-Id: I9d0b332420d97f4c5b02d50ce153fabd4bfd6b10

I have no clue how it worked previously in CI, but now
it's using default path to the inventory - which does
not exist.

In addition to that, type=int in cliff will default to
None, so the check had to be rewritten - because we
always did cert expiry check instead of generating them.

Change-Id: I84d71558c2666ba2cfa47054f782d25ff0c1f691

Rework the base jobs structure to include a mid-level
kolla-ansible-scenario-base that includes common
files: stanza.

Change-Id: I548b22b27dff111d625361835029354557d8c9ca

Also rewrite/reformat while here.

Change-Id: Ife2acdb0d4360c58c7de68cf259a0ed4a86234c2

One task in destroy role was missing arguments that were
supplied by the old bash CLI but not supplied by
the new python CLI.

Closes-Bug: #2086187
Change-Id: I6ced070ca10b63c4d27ac76c1e82dc4312c1b165
Signed-off-by: Roman Krček <roman.krcek@tietoevry.com>

Closes-Bug: #2086171
Change-Id: I4001ddad198dcf40f71e9196e126cc78a19d1437

Multiple parameters in the URL should be prefixed with an ampersand.

Closes-Bug: #2085908
Change-Id: Ia9e43f7043c0757e11e1924c3df9fe16c037d484

When installing kolla-ansible with `pip install ./kolla-ansible`, pip
always creates a direct_url.json file, even when not using an editable
installation.

We see this behaviour with Python 3.12, while direct_url.json is only
created for editable installations on Python 3.9, which was used when
this code was initially developed for Kayobe.

When using a regular (non-editable) installation, this would make
kolla-ansible invoke site.yml from the source directory instead of the
virtualenv installation, causing a failure to load Ansible collections:

    Invalid plugin FQCN (ansible.utils.ipaddr): unable to locate collection ansible.utils

Fix by returning the source URL only if dir_info.editable is True.

Change-Id: Icdc2cedaa6a6e3a6b4351b1f4369e2e8b3a2dc97

Change-Id: Ic15b8cb334c207a6923aa8d1908f98ecf8710c1e

Add file to the reno documentation build to show release notes for
stable/2024.2.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2024.2.

Sem-Ver: feature
Change-Id: I6065eeffd397f5e14b570f5e4731e40d92d06b99

Moving the CLI to python allows for easier
maintenance and larger feature-set.

This patch introduces a few breaking changes!
The changes stem the nature of the cliff package.
- the order of parameters must be
  kolla-ansible <action> <arguments>
- mariadb_backup and mariadb_recovery now are
  mariadb-backup and mariadb-recovery

Closes-bug: #1589020
Signed-off-by: Roman Krček <roman.krcek@tietoevry.com>
Change-Id: I9749b320d4f5eeec601a055b597dfa7d8fb97ce2

This patch enables internal TLS database
connection for Keystone.

Change-Id: I816d051e933a560629d9b9c95362f668abe4ade7

This patch ads an ability to receive TLS connections
to ProxySQL. Certificates and variable lookups are
added in order for TLS to be enabled by
<project_name>_database_internal_tls_enable.
Note that in order for this to work, mysql
connection strings need to have TLS enabled,
which can be added in separate per-service patches

Change-Id: I2c06ce5e138f52259c1725dae37f25c1b00d1e6b

Change-Id: I33a3ec11b0cdef94b08cd7551008284755824cb7

It has been removed in I23867aa98f68298beb5db4558c66c1ffd4e7d6f1

Change-Id: I12d287b9f7f1e5ddf754b7f2ca1dee39778e710e

This commit adds TLS connection between ProxySQL and MariaDB.
Frontend TLS ( between services and ProxySQL) will be
added in another commit.

Parialy Implements: mariadb-ssl-support

Change-Id: I154cbb096469c5515c9d8156c2c1c5dd07b95849
Signed-off-by: Matus Jenca <matus.jenca@dnation.cloud>

Ubuntu package does not have that in dependencies and cephadm
fails without that. See [1].

[1]: https://bugs.launchpad.net/ubuntu/+source/ceph/+bug/2085603

Change-Id: I5124f7078e15645979b68986dceb51948c89a520

The MySQL monitor user privileges were updated to include
the REPLICATION CLIENT privilege in addition to USAGE in
order to align with ProxySQL documentation [1].
This change ensures that the monitor user can check replication
lag, as previously only the USAGE privilege was granted,
which was sufficient for basic connection and read-only
checks but not for replication monitoring.

[1] https://proxysql.com/documentation/backend-monitoring/

Change-Id: I4172cf1d49e9f988cbf2bbe3c3f6835f0de4944d

We are not testing mariadb backup, let's test
it in mariadb scenario.

Change-Id: I81d6ee944b3ed0e75129772bb993ce7a6147c3e8

After switching to ProxySQL as default we see following logs:
CRITICAL neutron [None req-c214fdae-5da7-402d-92b0-0572c278a5b5 - - - - - -] Unhandled error: sqlalchemy.exc.OperationalError: (pymysql.err.OperationalError) (9001, 'Max connect timeout reached while reaching hostgroup 0 after 10150ms')

Mainly in upgrade jobs, which otherwise pass successfuly - just fail on this
check.

Change-Id: I4336ec62a0a2dfbe815842f1bacb02135bcf4c0e