- Nov 28, 2024
-
-
Piotr Milewski authored
Change-Id: I701aca07eb8b3fd82f14a7f70a2fd96633389231
-
- Nov 26, 2024
-
-
Bartosz Bezak authored
Change-Id: I0e07271312bbed49be7a986a2beda04f316dfc8f (cherry picked from commit b5d594d3)
-
- Oct 25, 2024
-
-
Matus Jenca authored
This patch adds an ability to receive TLS connections to ProxySQL. Certificates and variable lookups are added in order for TLS to be enabled by <project_name>_database_internal_tls_enable. Note that in order for this to work, mysql connection strings need to have TLS enabled, which can be added in separate per-service patches. Change-Id: I2c06ce5e138f52259c1725dae37f25c1b00d1e6b
-
Michal Nasiadka authored
It has been removed in I23867aa98f68298beb5db4558c66c1ffd4e7d6f1 Change-Id: I12d287b9f7f1e5ddf754b7f2ca1dee39778e710e
-
Matus Jenca authored
This commit adds TLS connection between ProxySQL and MariaDB. Frontend TLS (between services and ProxySQL) will be added in another commit. Partially Implements: mariadb-ssl-support Change-Id: I154cbb096469c5515c9d8156c2c1c5dd07b95849 Signed-off-by: Matus Jenca <matus.jenca@dnation.cloud>
-
- Oct 17, 2024
-
-
Michal Arbet authored
It's been some time since ProxySQL has been with us in Kolla. Let's switch the load balancer for MariaDB connections from HAProxy to ProxySQL. Depends-On: https://review.opendev.org/c/openstack/kolla/+/928956 Change-Id: I42ba4fb83b5bb31058e888f0d39d47c27b844de5
-
Michal Arbet authored
In single-node clusters, ProxySQL shuns the server on MySQL errors, causing failures during upgrades or container restarts. This change increases the timeout to 10 seconds, allowing the backend time to recover and preventing immediate errors in CI environments. Change-Id: I70becdc3fcb4ca8f7ae31d26097d95bdc6dd67eb
-
- Oct 16, 2024
-
-
Michal Nasiadka authored
Change-Id: Ie2b0b2d5fca7b9d7c613a67a134c4650de2a5af6
-
- Sep 23, 2024
-
-
Michal Arbet authored
This update enhances the monitoring of the database cluster in ProxySQL. The default monitoring intervals were insufficient for reliably detecting failures in the Galera cluster environment. A detailed configuration for monitoring intervals has been introduced, providing better control over how quickly and accurately ProxySQL can identify issues. - Variables such as `mariadb_monitor_connect_interval`, `mariadb_monitor_galera_healthcheck_interval`, and `mariadb_monitor_ping_interval` significantly reduce the time between connection checks. - Timeouts like `mariadb_monitor_galera_healthcheck_timeout` and `mariadb_monitor_ping_timeout` allow faster failure detection, while `mariadb_monitor_galera_healthcheck_max_timeout_count` sets the maximum number of allowed timeouts before marking a node as down. Calculation: - Galera healthcheck: 4 seconds (interval) + 1 second (timeout) + 4 seconds (interval) + 1 second (timeout) = 10 seconds. - Ping healthcheck: 3 seconds (interval) + 2 seconds (timeout) + 3 seconds (interval) + 2 seconds (timeout) = 10 seconds. Both the health check and ping check mechanisms will detect a node failure within a maximum of 10 seconds. Both processes (health check and ping) operate independently, and failure in either mechanism will mark the node as failed. Health Check Failure Detection: Up to 10 seconds. Ping Failure Detection: Up to 10 seconds. Connect Attempts: ProxySQL also tries to connect every 2 seconds, which helps monitor connectivity. These changes ensure that ProxySQL can detect issues in 10 seconds as haproxy, significantly reducing downtime compared to default settings. This adjustment enables faster and more reliable monitoring, improving system stability and reducing potential downtime in production environments. Change-Id: Ic28801519cdb35ed2387a1468b9df661847a5476
-
- Sep 21, 2024
-
-
Maksim Malchuk authored
This change adds the ability to configure Huawei backends in Cinder as described in [1] by adding the additional configuration XML files to the cinder-volume containers. However, this change does not provide the default configuration options for the cinder.conf due to the wide range of Huawei hardware that is supported. Operators may also wish to configure multiple backends, so they should use the standard method of overriding backend sections to use these XML files, as described in [2]. 1. https://docs.openstack.org/cinder/latest/configuration/block-storage/drivers/huawei-storage-driver.html 2. https://docs.openstack.org/kolla-ansible/latest/admin/advanced-configuration.html#openstack-service-configuration-in-kolla Implements: blueprint cinder-huawei-backend Co-Authored-By: Juan Pablo Suazo <jsuazo@whitestack.com> Co-Authored-By: Maksim Malchuk <maksim.malchuk@gmail.com> Change-Id: Ic8624b2e956b1f48f5fb96d6d8a0150b67236d20 Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
-
- Sep 19, 2024
-
-
Michal Arbet authored
This patch removes the hardcoded `distro_python_version` mapping and usage from the configuration and templates, aligning with the dynamic Python version detection introduced in the dependent patch below. The changes simplify the kolla-ansible roles by using general `python3` paths, ensuring compatibility across distributions without requiring version-specific handling. Template files for Horizon, Ironic, Skyline, and others have been updated to reflect this, improving maintainability and reducing complexity. Depends-On: https://review.opendev.org/c/openstack/kolla/+/926744 Change-Id: I85431b058b4184d96600cf17aaf8de871a018d61
-
- Sep 17, 2024
-
-
Michal Arbet authored
From version 2.1, ProxySQL has a built-in ProxySQL Prometheus exporter. This patch adds an option to easily enable this exporter [1]. [1] https://proxysql.com/documentation/prometheus-exporter Change-Id: I8776cdc0a6ec9e4e35a2424dd0984488514a711f
-
- Aug 30, 2024
-
-
Sven Kieske authored
harden the TLS default config according to the mozilla "modern" recommendation: https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7 if you want to revert to the old settings, set: kolla_haproxy_ssl_settings: "legacy" in globals.yaml alternatively you can also set it to "intermediate" for a middle ground between security and accessibility. this also adjusts the glance and neutron tls proxy ssl settings in their dedicated haproxy config templates to use the same mechanism. also add some haproxy related docs to the TLS guide and cross reference it from the haproxy-guide. Closes-Bug: #2060787 Signed-off-by: Sven Kieske <kieske@osism.tech> Change-Id: I311c374b34f22c78cc5bcf91e5ce3924c62568b6
-
- Aug 27, 2024
-
-
Bartosz Bezak authored
The prometheus-msteams project is no longer maintained [1]. As a result support for deploying prometheus-msteams via kolla-ansible has been dropped. Users are encouraged to migrate to the native Prometheus Alertmanager integration with Microsoft Teams [2]. [1] https://github.com/prometheus-msteams/prometheus-msteams/issues/343 [2] https://prometheus.io/docs/alerting/latest/configuration/#msteams_config Change-Id: I93d28ef138b4e784465f3a7eaa11101ea5877050
-
- Aug 20, 2024
-
-
Simon Dodsley authored
From OpenStack 2023.2 (Bobcat) the Pure Storage Cinder driver supports NVMe-TCP as a dataplane protocol. This patch adds support for this new driver type. Change-Id: I3c0ad7652a03388ab2eafa173c644a55b0405cc6
-
- Aug 13, 2024
-
-
Sven Kieske authored
The variable kolla_same_external_internal_vip in group_vars/all.yml was set to true or false depending on the jinja2 equality operator - == - which only checks if two objects are the same. This is problematic because IPs can be the same but have different string representations, e.g. leading zeroes in some octets, but still represent the same instance of an IP. Example: 192.168.1.1 and 192.168.001.001 are the same. Fix this, by using the ansible.utils.ipaddr() jinja2 filter instead to increase robustness. Closes-Bug: #2076889 Introduced-By: https://review.opendev.org/c/openstack/kolla/+/285005 Signed-off-by: Sven Kieske <kieske@osism.tech> Change-Id: Ied43b9d0c4b33bb514d367f3f99c2e30e104d139
-
- Aug 12, 2024
-
-
Roman Krček authored
For possible config options see docs https://docs.openstack.org/keystonemiddleware/latest/middlewarearchitecture.html#memcache-protection Closes-bug: #1850733 Signed-off-by: Roman Krček <roman.krcek@tietoevry.com> Change-Id: I169e27899f7350f5eb8adb1f81a062c51e6cbdfc
-
- Aug 08, 2024
-
-
Michal Nasiadka authored
Adapt files to match new requirements, add assertIn to whitelist Change-Id: I516bbbb3a0f194e8fa08d04c0290b586963b8b55
-
- Jul 19, 2024
-
-
Michal Arbet authored
The Kolla project supports building images with user-defined prefixes. However, Kolla-ansible is unable to use those images for installation. This patch fixes that issue. Closes-Bug: #2073541 Change-Id: Ia8140b289aa76fcd584e0e72686e3786215c5a99
-
- Jun 19, 2024
-
-
Mark Goddard authored
Previously Kolla Ansible hard-coded Neutron physical networks starting at physnet1 up to physnetN, matching the number of interfaces in neutron_external_interface and bridges in neutron_bridge_name. Sometimes we may want to customise the physical network names used. This may be to allow for not all hosts having access to all physical networks, or to use more descriptive names. For example, in an environment with a separate physical network for Ironic provisioning, controllers might have access to two physical networks, while compute nodes have access to one. This change adds a neutron_physical_networks variable, making it possible to customise the Neutron physical network names used for the OVS, OVN, Linux bridge and OVS DPDK plugins. The default behaviour is unchanged. Change-Id: Ib5b8ea727014964919c6b3bd2352bac4a4ac1787
-
- May 16, 2024
-
-
Mark Goddard authored
This reverts commit 5b431f0f. Reason for revert: the any_errors_fatal play parameter is not templated by Ansible (tested up to ansible-core 2.15.9). This behaviour is demonstrated in [1]. This means that "{{ kolla_ansible_setup_any_errors_fatal }}" is always interpreted as 'true', regardless of the value of kolla_ansible_setup_any_errors_fatal. This is particularly bad because the default value of kolla_ansible_setup_any_errors_fatal is false. We now have gather_facts_max_fail_percentage which can be set to 0 to provide the same functionality. [1] https://github.com/markgoddard/ansible-experiments/tree/master/15-fatal-errors Change-Id: I2e0ea49701b5900eae26434bcdb6b1bb44507ee7
-
Alex-Welsh authored
This change automates the prometheus blackbox monitoring configuration for common endpoints. Custom endpoints can be added to prometheus_blackbox_exporter_endpoints_custom. Change-Id: Id6f51a2bebee3ab63b84ca7032aad17c2933838c
-
Pierre Riteau authored
Depends-On: https://review.opendev.org/c/openstack/cloudkitty/+/880739 Change-Id: Ib8d7182cc4b8a0c7d320ba2c51b2157782030317
-
- Apr 29, 2024
-
-
howardlee authored
neutron-fwaas has become active again Depends-On: https://review.opendev.org/c/openstack/kolla/+/914855 Change-Id: Ie5a7b2da9a351e8f47a1ae830bb2fee0a8e35e38
-
- Apr 25, 2024
-
-
Michal Nasiadka authored
It was deprecated in Antelope cycle. Change-Id: I499e69ec6db63e4067e49376e2a1f3e01e48fe62
-
Michal Nasiadka authored
It's inactive and hasn't produced a 2024.1 release [1]. In addition to that, there's a CVE that hasn't really been patched [2]. Also drop outward_rabbitmq that was used only with Murano. [1]: https://governance.openstack.org/tc/reference/emerging-technology-and-inactive-projects.html#current-inactive-projects [2]: https://lists.openstack.org/archives/list/openstack-announce@lists.openstack.org/thread/4FYM6GSIM5WZSJQIG4TT5Q3UBKQIHLWX/ Change-Id: I691205730b0e10a42ce61f3340cc39ee51bd1010
-
- Apr 24, 2024
-
-
Michal Nasiadka authored
It's inactive and hasn't produced a 2024.1 release [1]. [1]: https://governance.openstack.org/tc/reference/emerging-technology-and-inactive-projects.html#current-inactive-projects Change-Id: I217b3633f07e5b2c657e20b19aaa4fbb46535a97
-
Michal Nasiadka authored
It's inactive and hasn't produced a 2024.1 release [1]. [1]: https://governance.openstack.org/tc/reference/emerging-technology-and-inactive-projects.html#current-inactive-projects Change-Id: I888963751b6e1ed080588297c2889e700431516c
-
Michal Nasiadka authored
It's inactive and hasn't produced a 2024.1 release [1]. [1]: https://governance.openstack.org/tc/reference/emerging-technology-and-inactive-projects.html#current-inactive-projects Change-Id: Ic988295bc5b8acb19df008fe0d52a3bcc6de2135
-
Michal Nasiadka authored
It's inactive and hasn't produced a 2024.1 release [1]. There are some efforts to restore Freezer, but let's remove it for now. [1]: https://governance.openstack.org/tc/reference/emerging-technology-and-inactive-projects.html#current-inactive-projects Change-Id: Ie42012af9e5c64bca23a6e6826bfc4651fd194bd
-
- Apr 22, 2024
-
-
Michal Nasiadka authored
Fix existing spelling errors Change-Id: Ie689cf5a344aaa630a4860448b09242333a8e119
-
- Mar 15, 2024
-
-
Uwe Jäger authored
Change-Id: I5b4a30e605bb143cf342f83f0c811c25046269ef
-
- Mar 11, 2024
-
-
Uwe Jäger authored
Change-Id: I0a086c59076120aa53e6a05526dbab88e393c1c7
-
Michal Arbet authored
Tooz 6.0.1 includes commit [1], which introduced parsing the username from the Redis connection URL. As a result, services started authenticating as admin which, by the way, was incorrect even before, as either a created user or the default one should have been used. The reason it worked before is simply because the username 'admin' wasn't parsed anywhere. This patch fixes the user being used and sets the correct 'default' one. [1] https://review.opendev.org/c/openstack/tooz/+/907656 Closes-Bug: #2056667 Depends-On: https://review.opendev.org/c/openstack/kolla/+/911703 Change-Id: I5568dba15fa98e009ad4a9e41756aba0fa659371
-
- Jan 30, 2024
-
-
Michal Arbet authored
This patch basically does a simple thing, on the basis of a variable neutron_dns_integration it enables/disables DNS integration. There is also a precheck added which checks whether dns_domain in neutron.conf has a non-default value if DNS integration is enabled as this is a requirement. [1] https://docs.openstack.org/neutron/latest/admin/config-dns-int.html [2] https://docs.openstack.org/neutron/latest/admin/config-dns-int-ext-serv.html#config-dns-int-ext-serv Closes-Bug: #2049503 Change-Id: I90f0f8dcec6fa0112179f050d96e9d9db5956cf8
-
- Jan 29, 2024
-
-
Alex-Welsh authored
Service user passwords will now be updated in keystone if services are reconfigured with new passwords set in config. This behaviour can be overridden. Closes-Bug: #2045990 Change-Id: I91671dda2242255e789b521d19348b0cccec266f
-
- Jan 24, 2024
-
-
Bartosz Bezak authored
Change-Id: Ib0325c12cf965e7df7c1ac6b17ca87187a4cb91d
-
- Jan 22, 2024
-
-
Hongbin Lu authored
* Remove docker's cluster-store option. This option was removed from the latest version of docker so we removed it. * Switch kuryr's capability_scope from "global" to "local". The "global" scope relies on a cluster store but docker no longer supports it. Change-Id: Ie62396184552938d099223f9d325a41c9a5067c3
-
- Jan 17, 2024
-
-
Piotr Parczewski authored
Enables modifying the interval and sets the recommended default value. [1] https://docs.ceph.com/en/latest/mgr/prometheus/#configuration Change-Id: I4b91d184485aa52b3c06011f9dbb6b34bcad3ca8
-
- Dec 28, 2023
-
-
Michal Nasiadka authored
Change-Id: I081aa1345603fa27c390e4e09231a5ff226bcb39
-