The variable {{ node_config_directory }} is used for the configuration
directory on the remote hosts, and should not be used for paths on the
deploy host (localhost).

This changes the default value of the TLS certificate and CA file to
reference {{ CONFIG_DIR }}, in line with the directory used for
admin-openrc.sh (as of I0709482ead4b7a67e82796e17f85bde151e71bc0).

This change also introduces a variable, {{ node_config }}, that
references {{ CONFIG_DIR | default('/etc/kolla') }}, to remove
duplication.

Change-Id: Ibd82ac78630ebfff5824c329d7399e1e900c0ee0
Closes-Bug: #1804025

Having all services in one giant haproxy file makes altering
configuration for a service both painful and dangerous. Each service
should be configured with a simple set of variables and rendered with a
single unified template.

Available are two new templates:

* haproxy_single_service_listen.cfg.j2: close to the original style, but
only one service per file
* haproxy_single_service_split.cfg.j2: using the newer haproxy syntax
for separated frontend and backend

For now the default will be the single listen block, for ease of
transition.

Change-Id: I6e237438fbc0aa3c89a3c8bd706a53b74e71904b

Now kolla dev mode only support clone master branch from git,
add version tag to support clone dedicated branch.

Change-Id: I88de238e5dc7461ba0662a3ecea9a2d80fd0db60

With the more recent versions of ansible, we should now use
"is" instead of the "|"

This should update it.

Change-Id: I6fba56fca182349972e8b0ee5452b37aa4090e0c

This commit is to apply resource-constraints to a few more OpenStack services.
Commit to  apply constraints to the last set of services will be made in
the upcoming commit.

Depends-on: Icafa54baca24d2de64238222a5677b9d8b90e2aa
Change-Id: I39004f54281f97d53dfa4b1dbcf248650ad6f186

include is marked as deprecated since ansible 2.4[0]

[0] https://docs.ansible.com/ansible/2.4/include_module.html#deprecated



Co-Authored-By: confi-surya <singh.surya64mnnit@gmail.com>
Change-Id: Ic9d71e1865d1c728890625aeddf424a5734c0a8a

1. Add the role enabled check for some projects
2. adjust the file created positon for keystone to keep
consistence with others

Change-Id: Id2b893ba546b3adf41d97927f8d20dca403a0457

Change-Id: Ib2ca736e08f48da88bb74feb5cd1efce3b860ab7
Partially-Implements: blueprint ansible-check-mode

Add become to all tasks that use the module "kolla_docker"

Change-Id: I4309c4011687b88ec31d739fd8f834fe2326ff10
Partial-Implements: blueprint ansible-specific-task-become

- rename action and serial to kolla_ansible and kolla_serial
- use become instead of "sudo <command>" in shell
- Remove quota for failed_when and changed_when in rabbitmq tasks

Change-Id: I78cb60168aaa40bb6439198283546b7faf33917c
Implements: blueprint migrate-to-ansible-2-2-0

- remove uesless module_extra_vars, this is a historical issue. In the
  past, we use 'docker exec kolla_toolbox ansible xxx' to run module on
  target node, so complex data have to pass through extra_vars. Now we
  are using kolla_toolbox module, no need to use extra_vars anymore.
- Remove some useless until.

Change-Id: I72ed28001202917f9a82a1c3ea33cd6319911ec8

keystone_* containers are created via the kolla_docker ansible module
with common_options set to docker_common_options. However, when the
containers are checked, common_options are not passed to the
kolla_docker ansible module. This can cause the keystone_* containers
to be restarted during a reconfigure when there are no changes to
keystone configuration.

Add the common_options argument to the kolla_docker ansible module when
checking the keystone containers and set it to docker_common_options.

Change-Id: I44aefcf3d71faecaf1ffe384fd5a2f611e584a37
Closes-Bug: #1759922

This change makes it so that if preconfigured database users are used,
the attempt to change the log_bin_trust_function_creators mysql
variable isn't made anymore.

Also updated the upgrade docs

Change-Id: I356313952d435de6d3b5444c0dd8a71f45aee452
Closes-Bug: 1748269

- Keystone
- Glance
- Nova
- Cinder

This will copy only yaml or json policy file if they exist.

Change-Id: I4a9415d82322aed68c9b7650bdf346f58fa49e2a
Implements: blueprint support-custom-policy-yaml
Co-authored-By: Duong Ha-Quang <duonghq@vn.fujitsu.com>

This change allows the following use cases:

1. Using an already-configured MariaDB / MySQL server / Cluster
2. Using already-created DB users, without requiring root DB access.

Update: added external mariadb precheck

Change-Id: I78b0d178306d7c5293b0bf53e445f19f18b4b824
Implements: blueprint external-mariadb-support.
Closes-Bug: #1603121

Provide support fot kolla dev mode in Keystone. When
'kolla_dev_mode' or 'keystone_dev_mode' variables are
enabled, source code of Keystone project is cloned
and bindmounted.

Partially implements: blueprint mount-sources

Change-Id: Ie4cf401ecd9a507e739a53dfdf16f65292ab57e5

  1- Expand and migrate database in first keystone node
  2- Upgrade all nodes sequentially along with updation of each node's
     configuration file with latest release version
  3- Last keystone node, contract database

With this patch, there is small downtime when all containers are
restarted. It will be fixed in other patch.

[1] http://docs.openstack.org/developer/keystone/upgrading.html#upgrading-without-downtime



Co-Authored-By: Surya Prakash Singh <surya.singh@nectechnologies.in>
Co-Authored-By: Eduardo Gonzalez <dabarren@gmail.com>
Co-Authored-By: Duong Ha-Quang <duonghq@vn.fujitsu.com>

Partially-Implements: blueprint ks-rolling-upgrade-role

Change-Id: I2159af567c40848840ff5e483e7d1f6de760b435

Endpoints are updated in pike upgrade,  queens and later
dont need such action.

Change-Id: I13723bafc4bf09c24d9bcd2ec7b4e002ae83aec0

Add become to only neccesary tasks in roles:
- glance
- heat
- horizon
- keystone
- neutron
- nova
- openvswitch

Gate is also updated to use 'become' feature

Change-Id: I2f3f27306e9f384148e1ad4d54d8da2ebef34d00
Partial-Implements: blueprint ansible-specific-task-become

When deploying with tls enabled in public
endpoints, ansible modules fails due SSL certificates
are self-signed.

This change adds a new variable to allow customization
on which endpoints ansible should connect.
Defaults to admin because admin auth parameters defaults
to admin endpoint.

Change-Id: Ic3ed58cf9c9579cae08a11bbfe6fce983b5a9cbc
Closes-Bug: #1720995

Actually Openstack services configuration can be overriden using many
files:
- /etc/kolla/config/<< service name >>/<< config file >>
- /etc/kolla/config/<< service name >>/<<host>>/<< config file >>
- /etc/kolla/config/global.conf
- /etc/kolla/config/database.conf
- /etc/kolla/config/messaging.conf

Only per-service configuration is actually documented here:
https://github.com/openstack/kolla-ansible/blob/master/doc/advanced-configuration.rst#L164

Allowing to globally modify service configuration can be perform too,
but it can be done in 3 different manners, all not documented:
- /etc/kolla/config/global.conf
- /etc/kolla/config/database.conf
- /etc/kolla/config/messaging.conf

database.conf and messaging.conf seems redundant with global.conf.
In order to simplify codebase it seems logical to remove them.

Documentation has been added for overriding configuration globally and
release note has been added too.

Closes-Bug: #1682479
Change-Id: I5d922dfc0d938173bad34ac64e490b78db1b7e31

Init fernet task fails if keystone_fernet container
is not running and ssh port bind.
This change add a check to ensure all keystone_fernet containers
are running before init fernet tokens.

Change-Id: Ib95bb5a47a9174f1a00b82cc8b697c0dc19c848e
Closes-Bug: #1704758

* "bool" filter is removed when not required
* 'not' is used instead of '== False' check

Change-Id: I85a5bb9a5ea874ac1c397cbf8de416147d2424c3

In ansible 2.3.1, conditional statement should not include jinja2
templating delimiters (e.g. {{ ).  So, this change removes the
delimiters from when statemant, and also removes unnesessary
parentheses from until statement.

Closes-Bug: 1702607

Change-Id: I071ffd5ba6175ee1bc61719a84b805c022753459

Custom file was check on remote target instead of local.

Change-Id: I9426056e7bb284eb8b3ad539d61ecb1e1f6370e4
Closes-Bug: #1702490

In order to speed up deployment time some "local" actions should be run
only once using 'run_once: True'.
This will decrease deployment time in case of multihost configuration.

Change-Id: I6015d772d35c15e96c52f577013b6e41197cb41a

Some roles have a symlink to deploy.yml file
for reconfigure. This is causing some issues.
"included task files must contain a list of tasks"

Change-Id: Ie7ade52900a61bc1c5b867fa7a8f75fc541a6426
Closes-Bug: #1694251

No handler named "Restart keystone containers", and we should restart
the keystone and the keystone-fernet container according to the context

Closes-Bug: #1699924

Change-Id: I62512dc022426cc762ff603d8554e48651fa621f

Sometimes Ansible is faster running tasks that haproxy tagging Keystone
services as UP. Keystone bootstrap uses SQL directly but the default
user role creation requires the API, and because of that it may fail.

Retry in case the backend is not yet available.

Change-Id: I9dfc030bbf92ca0a3dcb008d55e9fa2055f900ec
Closes-Bug: 1699096

when create database user, it should use
database_user, not database_name.

Change-Id: I4dfa01d1a5a46c5c58f1fc47b0be71b186462764
Closes-Bug: #1698762

Condition check are already performed here:
https://github.com/openstack/kolla-ansible/blob/master/ansible/site.yml
In order to simplify codebase, these checks can be removed for
standalone services.

Change-Id: Ib9842cd5363a1c7e56234a5e91dc264f89e2838f

Ansible task support vars directive, no need implement another one in
merge_config. This patch remove the vars directive in merge_config
action plugin.

Change-Id: I33648a2b6e39b4d49ce76eb66fbf2522721f8c68

keystone-paste.ini file is introduced by
I3a3ca2e74c0ae341105d3481f97956c6da473046 for a security risk of
admin_token_auth middleware. Now this middleware is removed by
I57586ccfa0ad1309cc806d95377dc1ecad015914. So it is safe to use upstream
keystone-paste.ini file.

This patch also keep custom paste file feature. Just put the file to
/etc/kolla/config/keystone/keyston-paste.ini path.

Closes-Bug: #1695023
Partially-Implements: blueprint custom-paste
Change-Id: Ieb983b6a9edb6a156928f6b56a4bd2dbed4281e2

Change-Id: Idb40cbed763382bef9965c6b090e71156b671590

[WARNING]: when statements should not include jinja2 templating
delimiters such as {{ }} or {% %}. Found: {{
(keystone_bootstrap.stdout | from_json).changed }}

Closes-Bug: #1689550

Change-Id: Ib6fdbcde02319011b072990f06fbd5e74b8d2d93

Useful api_interface_address variable has been define here:
https://github.com/openstack/kolla-ansible/blob/master/ansible/group_vars/all.yml#L57
In order to simplify codebase we must use it as much as possible.

Change-Id: I18fec19bf69e05a22a4142a9cd1165eccd022455

wait_for module waits 300 seconds for the port started or stopped.  This
is meaningless and useless in precheck. This patch change timeout to 1
seconds.

Change-Id: I9b251ec4ba17ce446655917e8ef5e152ef947298
Closes-Bug: #1688152

The current module 'kolla_sanity' was written as a shim before full
shade support was added to Ansible. This should now no longer be needed,
we can implement the checks using Ansible provided modules.

Begin by updating the Keystone check to use 'os_auth' to fetch a token,
I think this is a good basic smoke test to verify Keystone is working.

Change-Id: I16049d9201fd8138c781ef2e1e0c1827ea817259
Partially-implements: blueprint sanity-check-container

nova quota fail to create due a recent change.
Keystone endpoint cannot have version v3 in the url.

During upgrade to Pike nova endpoint must be changed
to be versionless.

Change-Id: Idb433d526f7d44dfe4fd02ee918bd67e05c523f6
Depends-On: I568db4559428525ac6c5083cfc20cffc20be6342
Closes-Bug: #1668663

Change-Id: Ic2890d0ea2dd0927b327b880bf25532fbb2efe07