This allows for more config flexibility - e.g. running multiple
backends with a common frontend.
It is not possible with the 'listen' approach (which enforces
frontend).
Additionally, it does not really make sense to support two ways
to do the exact same thing as the process is automated and
'listen' is really meant for humans not willing to write separate
sections.
Hence this deprecates 'listen' variant.

At the moment both templates work exactly the same.
The real flexibility comes in following patches.

Note this is a building block for future work on letsencrypt
validator (which should offer backend and share frontend with
any service running off 80/443 - which would be only horizon
in the current default config), as well as any work towards
single port (that is single frontend) and multiple services
anchored at paths of it (which is the new recommended default).

Change-Id: I2362aaa3e8069fe146d42947b8dddf49376174b5
Partially-Implements: blueprint letsencrypt-https

haproxy_single_service_listen (the default template) was already fine.

Closes-Bug: #1896591
TrivialFix

Change-Id: Id68fe19ea87565aa36fb74f2a2ca66cb951169f6

replace harcode 'internal' with {{ openstack_interface }}

Change-Id: I885622967ffde2a7a1a08fedbde2eb0e4e330e22

Change-Id: Iabc0115d3476a626df134cc70cb473bf6e72487e
Closes-Bug: #1890439

tox command install dependencies from the ``requirements.txt``,
``test-requirements.txt`` and ``doc/requirements.txt`` files

Change-Id: I21ee208d2484615ee3f9d9eca7602275382c920b

It should been done in https://review.opendev.org/#/c/752436/ but missing

Change-Id: Iae22e8d8133afecd7e897f82ca58afd6ea33e1c0

Change-Id: Ifcedcc72307732393a92a702a7567addc043b5b2

in 'victoria' cycle, we should test py38 by default.

Change-Id: Ic0bfb7f6a8b2123f609e0be0be9945bbf4d73520

Since change [1] merged we have two mariadb images (mariadb and mariadb-server)
Let's use mariadb-server in kolla-ansible, so we can deprecate mariadb image.

[1]: https://review.opendev.org/#/c/710217/

Change-Id: I4ae2ccaaba8fb516f469f4ce8628e8c61de03f0d

replace 'openstack aggregate create' command with ansible
os_nova_host_aggregate module and remove TODO

Change-Id: I727f9e4acc9e22f59735c65190ac38cc75e5f781

If we don't set it, then Zun chooses one randomly (the first one
from Neutron).
This may break if it is a network that is not available on
target hosts, e.g. external via L3 agent router.

Since capsules do not support nets yet [1], this patch ensures
desired network creation order in init-runonce instead.

[1] https://bugs.launchpad.net/zun/+bug/1895263

Change-Id: Iaa113dcfb826164a2772d2c91d34ec0236be0817

This reverts commit 316b0496, because
ironic-inspector is not ready to use WSGI. It would need to be split
into two separate containers, one running ironic-inspector-api-wsgi and
another running ironic-inspector-conductor.

Change-Id: I7e6c59dc8ad4fdee0cc6d96313fe66bc1d001bf7

Per the recent Kayobe brekage due to TLS support in Ironic [1],
let's test Ironic Inspector API as well.

[1] https://review.opendev.org/750804

Change-Id: I7ccf0c4286f8907bc2fa2eabc41ec2876c9815a9

Change-Id: Ia4626479e092be8b033bcd4e75e78a33167423d3

requirements.txt is unnecessary when run tox -e releasenotes,
releasenotes relative stuffs is in doc/requirements.txt, this ps to
remove the requirements.txt from tox.ini and reuse [docs] deps

Change-Id: Ia6c51f9ffe1257f16e9bd55fe21cc832b634cbf3

The Kolla-Ansible part.

This switches Kolla-Ansible to use the kolla-build-config role
instead of generating config locally.

Depends-On: https://review.opendev.org/607159
Change-Id: I859acbe4f84ccbdc53764574a58e6f0fab4094a3

Change-Id: I5609812d4f92d88b04bc887886d1ba08893505d9
Story: 2007865
Task: 40199
Closes-Bug: #1886298

This is confusing as it is not meant to be used by users.
Also, various tools show duplicated matches due to both locations
containing the exact same content.

Change-Id: I2debe121f64954e57788270d3258775f29f1cbb0

As per [1] and [2] - it solves a problem, where neutron-ovn-metadata-agent will
spawn high number of workers (defaults to half number of CPUs).

[1]: http://lists.openstack.org/pipermail/openstack-discuss/2020-September/016960.html
[2]: https://bugs.launchpad.net/neutron/+bug/1893656

Change-Id: Id69f9399fe76ff7c4e2e17b5ab5ec7df1a01c5c9

The Python 2.7 Support has been dropped since Ussuri.

Change-Id: I9927a83748a4b13c57bcadd081c60ea9609ced55

The variable was documented as database_username, but should be database_user.

Change-Id: Ia1fd8f9a9336c26520041fa2138c763a8c382bca

The Prometheus OpenStack exporter was needlessly configured to use the
prometheus Docker volume and change permissions of /data, which does
not exist in the container image.

This must have been copy-pasted from existing Prometheus code.

Change-Id: I96017c17e68ca7a00a2d5ac41f2f43ef87694514

This patch introduces an optional backend encryption for the Ironic API
and Ironic Inspector service. When used in conjunction with enabling
TLS for service API endpoints, network communcation will be encrypted
end to end, from client through HAProxy to the Ironic service.

Change-Id: I3e82c8ec112e53f907e89fea0c8c849072dcf957
Partially-Implements: blueprint add-ssl-internal-network
Depends-On: https://review.opendev.org/#/c/742776/

Including tasks has a performance penalty when compared with importing
tasks. If the include has a condition associated with it, then the
overhead of the include may be lower than the overhead of skipping all
imported tasks. In the case of the register.yml and bootstrap.yml
includes, all of the tasks in the included file use run_once: True.
The run_once flag improves performance at scale drastically, so
importing these tasks unconditionally will have a lower overhead than a
conditional include task.  It therefore makes sense to switch to use
import_tasks there.

See [1] for benchmarks of run_once.

[1] https://github.com/stackhpc/ansible-scaling/blob/master/doc/run-once.md

Change-Id: Ic67631ca3ea3fb2081a6f8978e85b1522522d40d
Partially-Implements: blueprint performance-improvements