Also fixes similar issues introduced by the same recent change.
Added FIXME note about possible TLS malfunction regarding horizon.

Change-Id: I5f46a9306139eb550d3849757c8bdf0767537c78
Closes-Bug: #1844016
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>

Change-Id: I593b06c447d156c7a981d1c617f4f9baa82884de
Closes-Bug: #1841175

This commit adds the necessary configuration to the Swift account,
container and object configuration files to enable the Swift recon
cli.

In order to give the object server on each Swift host access to the
recon files, a Docker volume is mounted into each container which
generates them. The volume is then mounted read only into the object
server container. Note that multiple containers append to the same
file. This should not be a problem since Swift uses a lock when
appending.

Change-Id: I343d8f45a78ebc3c11ed0c68fe8bec24f9ea7929
Co-authored-by: Doug Szumski <doug@stackhpc.com>

This is required for the dict2items filter.

Change-Id: I60a04e839bf06506ff36c2631a286130d5fde972

According to [1]:
IP address used in the IP options can be in either IPv4 or IPv6 format.
DNS can be used for IPv4 only, IPv6 only and dual stack.

Also should have FQDNs in subjectAltName per current[2].

[1] https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html
[2] https://support.google.com/chrome/a/answer/7391219

Partially-Implements: blueprint ipv6-control-plane

Change-Id: Ibad8f8c734984aeda8ddac1a5db39875bc242bbf

From version 1.3, the web admin interface is no longer available
in InfluxDB.
https://docs.influxdata.com/influxdb/v1.3/administration/differences/#web-admin-ui-removal

Change-Id: I1dce61a9c40a407882cfcd520ca491b4dee734ae

Change-Id: Idee76f6da357c600d52b4280d29b685ed443191a

After the integration with placement [1], we need to configure how
zun-compute is going to work with nova-compute.

* If zun-compute and nova-compute run on the same compute node,
  we need to set 'host_shared_with_nova' as true so that Zun
  will use the resource provider (compute node) created by nova.
  In this mode, containers and VMs could claim allocations against
  the same resource provider.
* If zun-compute runs on a node without nova-compute, no extra
  configuration is needed. By default, each zun-compute will create
  a resource provider in placement to represent the compute node
  it manages.

[1] https://blueprints.launchpad.net/zun/+spec/use-placement-resource-management

Change-Id: I2d85911c4504e541d2994ce3d48e2fbb1090b813

Change-Id: I124cba4bfe85e76f732ae618619594004a5c911f

Instead of changing Docker daemon command line let's change config
for Docker instead. In /etc/docker/daemon.json file as it should be.

Custom Docker options can be set with 'docker_custom_config' variable.

Old 'docker_custom_option' is still present but should be avoided.

Co-Authored-By: Radosław Piliszek <radoslaw.piliszek@gmail.com>
Change-Id: I1215e04ec15b01c0b43bac8c0e81293f6724f278

add clear old environment
set openstack client to use internalURL
set manila client to use internalURL

Change-Id: I263fa11ff5439b28d63a6a9ce7ba460cb56fb8e2

The output from `nova-manage cell_v2 list_cells --verbose` contains
an extra column, stating whether the cell is enabled or not. This means
that the regex never matches, so existing_cells is always empty.

This fix updates the regex by adding a match group for this field which
may be used in a later change.

Unfortuately the CLI doesn't output in JSON format, which would make
this a lot less messy.

Closes-Bug: #1842460
Change-Id: Ib6400b33785f3ef674bffc9329feb3e33bd3f9a3

Allows enabling neutron port forwarding plugin
and l3 extension to forward ports from floating
IP to a fixed neutron port.

Change-Id: Ic25c96a0ddcf4f69acbfb7a58acafec82c3b0aed
Implements: blueprint enable-l3-port-forwarding

Commit d6864438 disabled these
deprecated plugins more than three years ago.

Change-Id: I2dd2a89a7aa2c4a54882a8b0aa8d23d874c0e4cc
Closes-Bug: #1839172

nova.conf currently uses the [neutron] "url" parameter which has been
deprecated since 17.0.0. In multi-region environments this can
cause Nova to look up the Neutron endpoint for a different region.
Remove this parameter and set region_name and
valid_interfaces to allow the correct lookup to be performed.

Change-Id: I1bbc73728439a460447bc8edd264f9f2d3c814e0
Closes-Bug: #1836952

Upstream ironic went from $net_default_ip to $net_default_mac in
ironic/drivers/modules/master_grub_cfg.txt with
https://review.opendev.org/#/c/578959/

This commit makes the same change for
ansible/roles/ironic/templates/ironic_pxe_uefi.default.j2

Using $net_default_ip breaks ironic standalone deployments with
[dhcp]dhcp_provider = none

Change-Id: I2ca9a66d2bdb0aab5cd9936c8be8206e6ade3bd5
Closes-Bug: 1842078

This resolves an issue where the web browser would complain that it
was trying to connect to insecure websocket when using HTTPS with
horizon.

Change-Id: Ib75cc2bc1b3811bc31badd5fda3db3ed0c59b119
Closes-Bug: #1841914

Change-Id: Ic80dbe1f4f7289fe2c2143125a381cec4586f7ef
Closes-Bug: #1841908

octavia.conf is missing configuration values required to do service
catalog lookups in multiple region environments. Without them Octavia
can try to contact a service in a different region than its own. Specify
region_name and endpoint_type for the glance, neutron, and nova services
to prevent this from happening.

Change-Id: I753cf443c1506bbd7b69fc47e2e0a9b39857509c
Closes-Bug: #1841479

This makes WS (so e.g. console) always work with the way we
deploy Zun. Otherwise it used the first IP address.

Change-Id: Ib31c5944be2f6fa00cdf5da3e638a590e6bace40
Closes-bug: #1841243
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>

The internal FQDN assumes that HAProxy is set up to route traffic to the
DB; other services default to the value of database_address.

Change-Id: I9a333a89adfa4f620f211c831d659b8d52e307d5

The Placement API has moved out of the Nova role and is no
longer defined in `nova_services`.

Change-Id: I7b9601334c7e4c6b075a233557669ad414556e09

This review is the first one in a series of patches and it introduces an
optional encryption for internal openstack endpoints, implementing part
of the add-ssl-internal-network spec.

Change-Id: I6589751626486279bf24725f22e71da8cd7f0a43

The baremetal role does not currently assume too much about the
inventory, and in kayobe the seed is deployed using a very minimal
inventory.

Icf3f01516185afb7b9f642407b06a0204c36ecbe added a reference to the etcd
group in the baremetal role, which causes kayobe seed deployment to fail
with the following error:

    AnsibleUndefinedVariable: 'dict object' has no attribute 'etcd'

This change defaults the group lookup to an empty list.

Change-Id: Ib3252143a97652c5cf70b56cbfd7c7ce69f93a55
Closes-Bug: #1841073

In order to orchestrate smooth transition to fluentd 0.14.x
aka 1.0 stable branch aka td-agent 3
from td-agent repository - use image labels (fluentd_version
and fluentd_binary).

Depends-On: https://review.opendev.org/676411
Change-Id: Iab8518c34ef876056c6abcdb5f2e9fc9f1f7dbdd

Nova-consoleauth support was removed in
I099080979f5497537e390f531005a517ab12aa7a, but these variables were
left.

Change-Id: I1ce1631119bba991225835e8e409f11d53276550

Sometimes mgr dashboard enablement fails with following message:
"Error ENOENT: all mgr daemons do not support module 'dashboard',
pass --force to force enablement"

Change-Id: Ie7052dbdccb855e02da849dbc207b5d1778e2c82

The meta is missing, this PS to add it

Change-Id: Ib7e39820a48659202ddd1c1f91b2e8c3f0529443

Change-Id: I71f3e8ab50426246b595755a8f3298ba7ca0a50d
Closes-Bug: #1803029

The MariaDB role HAProxy config section exposes MariaDB on the
mariadb_port which may not always be the same as database_port. The
HAProxy role checks that the database_port is free, and not the
mariadb_port. This could mean that the check passes, but the actual
port which HAProxy will attempt to use is taken.

This change configures HAProxy to talk to the MariaDB instances on
the mariadb_port, and maps them to the database_port which is used by
most services as part of the DB connection string.

There is a small risk that it may break someones override config.

Change-Id: I9507ee709cb21eb743112107770ed3170c61ef74

The monasca_grafana docker volume currently persists across container
builds, causing changes to installed plugins during build to be ignored.
This change deletes the volume entirely and forces plugin changes to be
applied via rebuild.

Change-Id: I36e62235a085e5c1955fdb5ae31f603be8ba69bf

The previous default timeout was 10 seconds, which does not always
allow services enough time to shut down safely.

Change-Id: I54eff91567108a7e5d99f067829ae4a6900cd859

Zun was misconfigured and defaulted to using public endpoints
which are likely inaccessible from the internal network.
This patch fixes that and removes unused and deprecated
options. Validity of options confirmed from Queens to Train
against respective docs.

Change-Id: I25cc8792351c43eb9ff45465e49fa72ceccd6cb5
Closes-bug: #1840572
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>

Change-Id: Icf3f01516185afb7b9f642407b06a0204c36ecbe
Closes-Bug: #1840315
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>

This commit adds the functionality for an operator to specify
their own trusted CA certificate file for interacting with the
Keystone API.

Implements: blueprint support-trusted-ca-certificate-file
Change-Id: I84f9897cc8e107658701fb309ec318c0f805883b

Change-Id: I7d0ed4ad94e3d07220de131b2a0fcd399d942782
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>

After all of the discussions we had on
"https://review.opendev.org/#/c/670626/2", I studied all projects that
have an "oslo_messaging" section. Afterwards, I applied the same method
that is already used in "oslo_messaging" section in Nova, Cinder, and
others. This guarantees that we have a consistent method to
enable/disable notifications across projects based on components (e.g.
Ceilometer) being enabled or disabled. Here follows the list of
components, and the respective changes I did.

* Aodh:
The section is declared, but it is not used. Therefore, it will
be removed in an upcomming PR.

* Congress:
The section is declared, but it is not used. Therefore, it will
be removed in an upcomming PR.

* Cinder:
It was already properly configured.

* Octavia:
The section is declared, but it is not used. Therefore, it will
be removed in an upcomming PR.

* Heat:
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Ceilometer:
Ceilometer publishes some messages in the rabbitMQ. However, the
default driver is "messagingv2", and not ''(empty) as defined in Oslo;
these configurations are defined in ceilometer/publisher/messaging.py.
Therefore, we do not need to do anything for the
"oslo_messaging_notifications" section in Ceilometer

* Tacker:
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Neutron:
It was already properly configured.

* Nova
It was already properly configured. However, we found another issue
with its configuration. Kolla-ansible does not configure nova
notifications as it should. If 'searchlight' is not installed (enabled)
the 'notification_format' should be 'unversioned'. The default is
'both'; so nova will send a notification to the queue
versioned_notifications; but that queue has no consumer when
'searchlight' is disabled. In our case, the queue got 511k messages.
The huge amount of "stuck" messages made the Rabbitmq cluster
unstable.

https://bugzilla.redhat.com/show_bug.cgi?id=1478274
https://bugs.launchpad.net/ceilometer/+bug/1665449

* Nova_hyperv:
I added the same configurations as in Nova project.

* Vitrage
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Searchlight
I created a mechanism similar to what we have in AODH, Cinder, Nova,
and others.

* Ironic
I created a mechanism similar to what we have in AODH, Cinder, Nova,
and others.

* Glance
It was already properly configured.

* Trove
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Blazar
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Sahara
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Watcher
I created a mechanism similar to what we have in AODH, Cinder, Nova,
and others.

* Barbican
I created a mechanism similar to what we have in Cinder, Nova,
and others. I also added a configuration to 'keystone_notifications'
section. Barbican needs its own queue to capture events from Keystone.
Otherwise, it has an impact on Ceilometer and other systems that are
connected to the "notifications" default queue.

* Keystone
Keystone is the system that triggered this work with the discussions
that followed on https://review.opendev.org/#/c/670626/2

. After a long
discussion, we agreed to apply the same approach that we have in Nova,
Cinder and other systems in Keystone. That is what we did. Moreover, we
introduce a new topic "barbican_notifications" when barbican is
enabled. We also removed the "variable" enable_cadf_notifications, as
it is obsolete, and the default in Keystone is CADF.

* Mistral:
It was hardcoded "noop" as the driver. However, that does not seem a
good practice. Instead, I applied the same standard of using the driver
and pushing to "notifications" queue if Ceilometer is enabled.

* Cyborg:
I created a mechanism similar to what we have in AODH, Cinder, Nova,
and others.

* Murano
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Senlin
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Manila
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Zun
The section is declared, but it is not used. Therefore, it will
be removed in an upcomming PR.

* Designate
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

* Magnum
It was already using a similar scheme; I just modified it a little bit
to be the same as we have in all other components

Closes-Bug: #1838985

Change-Id: I88bdb004814f37c81c9a9c4e5e491fac69f6f202
Signed-off-by: Rafael Weingärtner <rafael@apache.org>

Masakari provides Instances High Availability Service for
OpenStack clouds by automatically recovering failed Instances.

Depends-On: https://review.openstack.org/#/c/615469/


Change-Id: I0b3457232ee86576022cff64eb2e227ff9bbf0aa
Implements: blueprint ansible-masakari
Co-Authored-By: Gaëtan Trellu <gaetan.trellu@incloudus.com>

Explicitly wait for the database to be accessible via the load balancer.
Sometimes it can reject connections even when all database services are up,
possibly due to the health check polling in HAProxy.

Closes-Bug: #1840145
Change-Id: I7601bb710097a78f6b29bc4018c71f2c6283eef2

This is to allow operator to prevent enabling redis and/or
etcd from magically configuring cinder coordinator.

Note this change is backwards-compatible.

Change-Id: Ie10be55968e43e3b9cc347b1b58771c1f7b1b910
Related-Bug: #1840070
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>