- Oct 24, 2019
-
-
Mark Goddard authored
Both swift.conf and proxy-server.conf are affected by /etc/kolla/config/swift/proxy-server.conf. However, some options in proxy-server.conf are not valid in swift.conf. This change keeps this path for proxy-server.conf, but modifies the path for swift.conf to /etc/kolla/config/swift/proxy-server/swift.conf. The same applies for other services, object-*, account-*, container-*. Change-Id: I600891a15244ce705861f6ec93eec1d5ba83c1b8 Closes-Bug: #1849265
-
- Oct 21, 2019
-
-
Zuul authored
-
Zuul authored
-
Zuul authored
-
Zuul authored
-
Eduardo Gonzalez authored
Tacker requires config for storing CSAR vnf packages. This patch adds it as well as relevant docs. Only one Tacker Conductor is deployed by default due to lack of a shared filesystem. Change-Id: Iad391f35105e79fa9319502256528990915df9b7 Co-authored-by: Radosław Piliszek <radoslaw.piliszek@gmail.com> Closes-Bug: #1845142
-
Zuul authored
-
- Oct 20, 2019
-
-
Radosław Piliszek authored
IPv6 control plane implementation [1] follow-up. [1] Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c Change-Id: Ia18fdaf3fbfb2bfcb565eaa0f06447d00a3d46f5
-
Radosław Piliszek authored
This also enables Placement when Zun is enabled like Kolla Ansible already does with Nova. Change-Id: Id2a09f702e8503b49d2b9e73e06b2ce9f4d168a9 Closes-bug: #1840573
-
Radosław Piliszek authored
Adds "| bool". Backportable to Stein. Change-Id: Ifa2aa387be46beb6da1d3c5a5e0da1b561af8cee Closes-bug: #1848937
-
- Oct 18, 2019
-
-
Michal Nasiadka authored
Depends-On: https://review.opendev.org/688636/ Change-Id: I9918ff6a91acde2a7d184e44b8a1014462596e39
-
Zuul authored
-
Zuul authored
-
Zuul authored
-
- Oct 17, 2019
-
-
Zuul authored
-
Zuul authored
-
Mark Goddard authored
Add documentation about deploying nova with multiple cells. Change-Id: I89ee276917e5b9170746e07b7f644c7593b03da1 Depends-On: https://review.opendev.org/#/c/675659/ Related: blueprint bp/support-nova-cells
-
Radosław Piliszek authored
IPv6 need not have been disabled in Tempest before either. Change-Id: I77f691b6b028d1a7f57537442a79557ede5f861e
-
Zuul authored
-
Zuul authored
-
Jan Vondra authored
neutron_legacy_iptables option sets the KOLLA_LEGACY_IPTABLES environment variable in the neutron-l3-agent, neutron-linuxbridge-agent and neutron_openvswitch_agent container where it should be consumed by kolla_extended_start script resulting in setting iptables-legacy. Depends-On: https://review.opendev.org/#/c/683679/ Change-Id: Iaa8b46a2227b61a729b8d54bbe4b20f389f251d1
-
Michal Nasiadka authored
Change-Id: I324c250e57125910b64fad6c06a4d68acf0600b4
-
Zuul authored
-
Radosław Piliszek authored
OpenSSL certificate should default to FQDN if possible. Using IP addresses is not recommended, complicates dual stack and limits addressing flexibility. IPv6 control plane implementation [1] follow-up. [1] Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c Change-Id: Ibfc02f933ddcc170e9d616d401e294ba0ff5e981
-
Radosław Piliszek authored
IPv6 control plane implementation [1] follow-up. [1] Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c Change-Id: I4c2bd81e77fc09a04838a62f008e5d6c5dc1483d
-
- Oct 16, 2019
-
-
Zuul authored
-
Doug Szumski authored
This patch adds initial support for deploying multiple Nova cells.

Splitting a nova-cell role out from the Nova role allows a more granular approach to deploying and configuring Nova services.

A new enable_cells flag has been added that enables the support of multiple cells via the introduction of a super conductor in addition to cell-specific conductors. When this flag is not set (the default), nova is configured in the same manner as before - with a single conductor.

The nova role now deploys the global services:

* nova-api
* nova-scheduler
* nova-super-conductor (if enable_cells is true)

The nova-cell role handles services specific to a cell:

* nova-compute
* nova-compute-ironic
* nova-conductor
* nova-libvirt
* nova-novncproxy
* nova-serialproxy
* nova-spicehtml5proxy
* nova-ssh

This patch does not support using a single cell controller for managing more than one cell. Support for sharing a cell controller will be added in a future patch.

This patch should be backwards compatible and is tested by existing CI jobs. A new CI job has been added that tests a multi-cell environment.

ceph-mon has been removed from the play hosts list as it is not necessary - delegate_to does not require the host to be in the play.

Documentation will be added in a separate patch.

Partially Implements: blueprint support-nova-cells
Co-Authored-By: Mark Goddard <mark@stackhpc.com>
Change-Id: I810aad7d49db3f5a7fd9a2f0f746fd912fe03917
-
Viktor Michalek authored
Change-Id: I4050c243f05571bbebab07b08c101e61879cda67 Closes-Bug: 1848363
-
Zuul authored
-
Zuul authored
-
Dincer Celik authored
The missing boolean breaks Neutron FWaaS deployment. Change-Id: I169246a6ce8b15af76fd84b32029437016bd3c42 Closes-Bug: #1847562
-
Zuul authored
-
Radosław Piliszek authored
Upgrade jobs like to timeout in the 2-hour window when they must build their images. This increase is already applied in ceph jobs. Change-Id: Ic1118760d9192cc15e1ebf37fb8adf3440f18a78
-
Radosław Piliszek authored
Introduce kolla_address filter.
Introduce put_address_in_context filter.

Add AF config to vars.

Address contexts:
- raw (default): <ADDR>
- memcache: inet6:[<ADDR>]
- url: [<ADDR>]

Other changes:

globals.yml - mention just IP in comment

prechecks/port_checks (api_intf) - kolla_address handles validation

3x interface conditional (swift configs: replication/storage)

2x interface variable definition with hostname (haproxy listens; api intf)

1x interface variable definition with hostname with bifrost exclusion (baremetal pre-install /etc/hosts; api intf)

neutron's ml2 'overlay_ip_version' set to 6 for IPv6 on tunnel network

basic multinode source CI job for IPv6

prechecks for rabbitmq and qdrouterd use proper NSS database now

MariaDB Galera Cluster WSREP SST mariabackup workaround (socat and IPv6)

Ceph naming workaround in CI
TODO: probably needs documenting

RabbitMQ IPv6-only proto_dist

Ceph ms switch to IPv6 mode

Remove neutron-server ml2_type_vxlan/vxlan_group setting as it is not used (let's avoid any confusion) and could break setups without proper multicast routing if it started working (also IPv4-only)

haproxy upgrade checks for slaves based on ipv6 addresses

TODO:

ovs-dpdk grabs ipv4 network address (w/ prefix len / submask)
not supported, invalid by default because neutron_external has no address
No idea whether ovs-dpdk works at all atm.

ml2 for xenapi
Xen is not supported too well.
This would require working with XenAPI facts.

rp_filter setting
This would require meddling with ip6tables (there is no sysctl param).
By default nothing is dropped.
Unlikely we really need it.

ironic dnsmasq is configured IPv4-only
dnsmasq needs DHCPv6 options and testing in vivo.

KNOWN ISSUES (beyond us):

One cannot use IPv6 address to reference the image for docker like we currently do, see: https://github.com/moby/moby/issues/39033 (docker_registry; docker API 400 - invalid reference format)
workaround: use hostname/FQDN

RabbitMQ may fail to bind to IPv6 if hostname resolves also to IPv4. This is due to old RabbitMQ versions available in images. IPv4 is preferred by default and may fail in the IPv6-only scenario. This should be no problem in real life as IPv6-only is indeed IPv6-only. Also, when new RabbitMQ (3.7.16/3.8+) makes it into images, this will no longer be relevant as we supply all the necessary config. See: https://github.com/rabbitmq/rabbitmq-server/pull/1982

For reliable runs, at least Ansible 2.8 is required (2.8.5 confirmed to work well). Older Ansible versions are known to miss IPv6 addresses in interface facts. This may affect redeploys, reconfigures and upgrades which run after VIP address is assigned. See: https://github.com/ansible/ansible/issues/63227

Bifrost Train does not support IPv6 deployments. See: https://storyboard.openstack.org/#!/story/2006689

Change-Id: Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c
Implements: blueprint ipv6-control-plane
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
-
Radosław Piliszek authored
Attempts affect pre failures. This means we can increase stability of jobs by rejecting nodes that fail pre without failing runs at the same time (unless we are really unlucky and hit b0rken nodes 5 times in a row). Change-Id: I17b7f878c742fa8db66f738526855a02ab9f1905
-
- Oct 15, 2019
-
-
Zuul authored
-
Mark Goddard authored
1. Fix yamllint errors in .yamllint file(!)
YAML lint is currently failing on its own configuration file, .yamllint. This change fixes the issues.

2. Run bindep role in Zuul jobs
This fixes an issue where libffi is not available.

Change-Id: Ic08a8e53a6905a68f0fe26d4b28184e62a64324f
-
Ionut Balutoiu authored
The method `Fernet.generate_key()` generates a binary string in Python 3:

```
>>> Fernet.generate_key()
b'qSMZlOK23pZUw_Uyy-ZRPUfPskMXKGCGmhG6AHCFiV8='
```

Unless properly written as a string to the Kolla `passwords.yml` file, the Fernet key will end up in the final Barbican config like this:

```
[simple_crypto_plugin]
kek = b'qSMZlOK23pZUw_Uyy-ZRPUfPskMXKGCGmhG6AHCFiV8='
```

Due to the fact that the key is incorrectly written to the barbican config file (it should be written as a string), every barbican secret store fails with:

```
barbican.api.controllers File "/var/lib/kolla/venv/lib/python3.6/site-packages/barbican/plugin/store_crypto.py", line 83, in store_secret
barbican.api.controllers encrypting_plugin, context.project_model)
barbican.api.controllers File "/var/lib/kolla/venv/lib/python3.6/site-packages/barbican/plugin/store_crypto.py", line 290, in _find_or_create_kek_objects
barbican.api.controllers kek_meta_dto = plugin_inst.bind_kek_metadata(kek_meta_dto)
barbican.api.controllers File "/var/lib/kolla/venv/lib/python3.6/site-packages/barbican/plugin/crypto/simple_crypto.py", line 104, in bind_kek_metadata
barbican.api.controllers encryptor = fernet.Fernet(self.master_kek)
barbican.api.controllers File "/var/lib/kolla/venv/lib/python3.6/site-packages/cryptography/fernet.py", line 38, in __init__
barbican.api.controllers "Fernet key must be 32 url-safe base64-encoded bytes."
barbican.api.controllers ValueError: Fernet key must be 32 url-safe base64-encoded bytes.
```

This commit fixes the issue described above by properly writing the Fernet key as a string to the Kolla `passwords.yml` file.

Closes-Bug: #1848191
Change-Id: I27fc0159c889bc2e1576fdd69b7d02a320b620f8
-
Dincer Celik authored
Deployment fails because the variable "glance_registry_port" in "ansible/roles/glance/templates/glance-cache.conf.j2" hasn't been configured anywhere. Also, "registry_host" and "registry_port" were deprecated since Queens[1], so they should be removed. [1] https://specs.openstack.org/openstack/glance-specs/specs/queens/approved/glance/deprecate-registry.html Closes-Bug: #1848146 Change-Id: I3dd5f5d2ba73d491366791986fdbdf16b75538ef
-
- Oct 14, 2019
-
-
Zuul authored
-