- Sep 17, 2024
Michal Arbet authored
From version 2.1, ProxySQL has a built-in ProxySQL Prometheus exporter. This patch adds an option to easily enable this exporter [1]. [1] https://proxysql.com/documentation/prometheus-exporter Change-Id: I8776cdc0a6ec9e4e35a2424dd0984488514a711f
-
- Aug 30, 2024
Sven Kieske authored
Harden the TLS default config according to the Mozilla "modern" recommendation: https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7 If you want to revert to the old settings, set: kolla_haproxy_ssl_settings: "legacy" in globals.yaml. Alternatively, you can also set it to "intermediate" for a middle ground between security and accessibility. This also adjusts the glance and neutron tls proxy ssl settings in their dedicated haproxy config templates to use the same mechanism. Also add some haproxy related docs to the TLS guide and cross reference it from the haproxy-guide. Closes-Bug: #2060787 Signed-off-by: Sven Kieske <kieske@osism.tech> Change-Id: I311c374b34f22c78cc5bcf91e5ce3924c62568b6
-
- Aug 27, 2024
Bartosz Bezak authored
The prometheus-msteams project is no longer maintained [1]. As a result support for deploying prometheus-msteams via kolla-ansible has been dropped. Users are encouraged to migrate to the native Prometheus Alertmanager integration with Microsoft Teams [2]. [1] https://github.com/prometheus-msteams/prometheus-msteams/issues/343 [2] https://prometheus.io/docs/alerting/latest/configuration/#msteams_config Change-Id: I93d28ef138b4e784465f3a7eaa11101ea5877050
-
- Aug 20, 2024
Simon Dodsley authored
From OpenStack 2023.2 (Bobcat) the Pure Storage Cinder driver supports NVMe-TCP as a dataplane protocol. This patch adds support for this new driver type. Change-Id: I3c0ad7652a03388ab2eafa173c644a55b0405cc6
-
- Aug 13, 2024
Sven Kieske authored
The variable kolla_same_external_internal_vip in group_vars/all.yml was set to true or false depending on the jinja2 equality operator - == - which only checks if two objects are the same. This is problematic because IPs can be the same but have different string representations, e.g. leading zeroes in some octets, but still represent the same instance of an IP. Example: 192.168.1.1 and 192.168.001.001 are the same. Fix this by using the ansible.utils.ipaddr() jinja2 filter instead to increase robustness. Closes-Bug: #2076889 Introduced-By: https://review.opendev.org/c/openstack/kolla/+/285005 Signed-off-by: Sven Kieske <kieske@osism.tech> Change-Id: Ied43b9d0c4b33bb514d367f3f99c2e30e104d139
-
- Aug 12, 2024
Roman Krček authored
For possible config options see docs https://docs.openstack.org/keystonemiddleware/latest/middlewarearchitecture.html#memcache-protection Closes-bug: #1850733 Signed-off-by: Roman Krček <roman.krcek@tietoevry.com> Change-Id: I169e27899f7350f5eb8adb1f81a062c51e6cbdfc
-
- Aug 08, 2024
Michal Nasiadka authored
Adapt files to match new requirements, add assertIn to whitelist Change-Id: I516bbbb3a0f194e8fa08d04c0290b586963b8b55
-
- Jul 19, 2024
Michal Arbet authored
The Kolla project supports building images with user-defined prefixes. However, Kolla-ansible is unable to use those images for installation. This patch fixes that issue. Closes-Bug: #2073541 Change-Id: Ia8140b289aa76fcd584e0e72686e3786215c5a99
-
- Jun 19, 2024
Mark Goddard authored
Previously Kolla Ansible hard-coded Neutron physical networks starting at physnet1 up to physnetN, matching the number of interfaces in neutron_external_interface and bridges in neutron_bridge_name. Sometimes we may want to customise the physical network names used. This may be to allow for not all hosts having access to all physical networks, or to use more descriptive names. For example, in an environment with a separate physical network for Ironic provisioning, controllers might have access to two physical networks, while compute nodes have access to one. This change adds a neutron_physical_networks variable, making it possible to customise the Neutron physical network names used for the OVS, OVN, Linux bridge and OVS DPDK plugins. The default behaviour is unchanged. Change-Id: Ib5b8ea727014964919c6b3bd2352bac4a4ac1787
-
- May 16, 2024
Mark Goddard authored
This reverts commit 5b431f0f. Reason for revert: the any_errors_fatal play parameter is not templated by Ansible (tested up to ansible-core 2.15.9). This behaviour is demonstrated in [1]. This means that "{{ kolla_ansible_setup_any_errors_fatal }}" is always interpreted as 'true', regardless of the value of kolla_ansible_setup_any_errors_fatal. This is particularly bad because the default value of kolla_ansible_setup_any_errors_fatal is false. We now have gather_facts_max_fail_percentage which can be set to 0 to provide the same functionality. [1] https://github.com/markgoddard/ansible-experiments/tree/master/15-fatal-errors Change-Id: I2e0ea49701b5900eae26434bcdb6b1bb44507ee7
-
Pierre Riteau authored
Depends-On: https://review.opendev.org/c/openstack/cloudkitty/+/880739 Change-Id: Ib8d7182cc4b8a0c7d320ba2c51b2157782030317
-
- Apr 29, 2024
howardlee authored
neutron-fwaas has become active again Depends-On: https://review.opendev.org/c/openstack/kolla/+/914855 Change-Id: Ie5a7b2da9a351e8f47a1ae830bb2fee0a8e35e38
-
- Apr 25, 2024
Michal Nasiadka authored
It was deprecated in Antelope cycle. Change-Id: I499e69ec6db63e4067e49376e2a1f3e01e48fe62
-
Michal Nasiadka authored
It's inactive and hasn't produced a 2024.1 release [1]. In addition to that, there's a CVE that hasn't really been patched [2]. Also drop outward_rabbitmq that was used only with Murano. [1]: https://governance.openstack.org/tc/reference/emerging-technology-and-inactive-projects.html#current-inactive-projects [2]: https://lists.openstack.org/archives/list/openstack-announce@lists.openstack.org/thread/4FYM6GSIM5WZSJQIG4TT5Q3UBKQIHLWX/ Change-Id: I691205730b0e10a42ce61f3340cc39ee51bd1010
-
- Apr 24, 2024
Michal Nasiadka authored
It's inactive and hasn't produced a 2024.1 release [1]. [1]: https://governance.openstack.org/tc/reference/emerging-technology-and-inactive-projects.html#current-inactive-projects Change-Id: I217b3633f07e5b2c657e20b19aaa4fbb46535a97
-
Michal Nasiadka authored
It's inactive and hasn't produced a 2024.1 release [1]. [1]: https://governance.openstack.org/tc/reference/emerging-technology-and-inactive-projects.html#current-inactive-projects Change-Id: I888963751b6e1ed080588297c2889e700431516c
-
Michal Nasiadka authored
It's inactive and hasn't produced a 2024.1 release [1]. [1]: https://governance.openstack.org/tc/reference/emerging-technology-and-inactive-projects.html#current-inactive-projects Change-Id: Ic988295bc5b8acb19df008fe0d52a3bcc6de2135
-
Michal Nasiadka authored
It's inactive and hasn't produced a 2024.1 release [1]. There are some efforts to restore Freezer, but let's remove it for now. [1]: https://governance.openstack.org/tc/reference/emerging-technology-and-inactive-projects.html#current-inactive-projects Change-Id: Ie42012af9e5c64bca23a6e6826bfc4651fd194bd
-
- Apr 22, 2024
Michal Nasiadka authored
Fix existing spelling errors Change-Id: Ie689cf5a344aaa630a4860448b09242333a8e119
-
- Mar 15, 2024
Uwe Jäger authored
Change-Id: I5b4a30e605bb143cf342f83f0c811c25046269ef
-
- Mar 11, 2024
Uwe Jäger authored
Change-Id: I0a086c59076120aa53e6a05526dbab88e393c1c7
-
Michal Arbet authored
Tooz 6.0.1 includes commit [1], which introduced parsing the username from the Redis connection URL. As a result, services started authenticating as admin which, by the way, was incorrect even before, as either a created user or the default one should have been used. The reason it worked before is simply because the username 'admin' wasn't parsed anywhere. This patch fixes the user being used and sets the correct 'default' one. [1] https://review.opendev.org/c/openstack/tooz/+/907656 Closes-Bug: #2056667 Depends-On: https://review.opendev.org/c/openstack/kolla/+/911703 Change-Id: I5568dba15fa98e009ad4a9e41756aba0fa659371
-
- Jan 30, 2024
Michal Arbet authored
This patch basically does a simple thing: on the basis of a variable neutron_dns_integration it enables/disables DNS integration. There is also a precheck added which checks whether dns_domain in neutron.conf has a non-default value if DNS integration is enabled, as this is a requirement. [1] https://docs.openstack.org/neutron/latest/admin/config-dns-int.html [2] https://docs.openstack.org/neutron/latest/admin/config-dns-int-ext-serv.html#config-dns-int-ext-serv Closes-Bug: #2049503 Change-Id: I90f0f8dcec6fa0112179f050d96e9d9db5956cf8
-
- Jan 29, 2024
Alex-Welsh authored
Service user passwords will now be updated in keystone if services are reconfigured with new passwords set in config. This behaviour can be overridden. Closes-Bug: #2045990 Change-Id: I91671dda2242255e789b521d19348b0cccec266f
-
- Jan 24, 2024
Bartosz Bezak authored
Change-Id: Ib0325c12cf965e7df7c1ac6b17ca87187a4cb91d
-
- Jan 22, 2024
Hongbin Lu authored
* Remove docker's cluster-store option. This option was removed from the latest version of docker so we removed it.
* Switch kuryr's capability_scope from "global" to "local". The "global" scope relies on a cluster store but docker no longer supports it.
Change-Id: Ie62396184552938d099223f9d325a41c9a5067c3
-
- Jan 17, 2024
Piotr Parczewski authored
Enables modifying the interval and sets the recommended default value. [1] https://docs.ceph.com/en/latest/mgr/prometheus/#configuration Change-Id: I4b91d184485aa52b3c06011f9dbb6b34bcad3ca8
-
- Dec 28, 2023
Michal Nasiadka authored
Change-Id: I081aa1345603fa27c390e4e09231a5ff226bcb39
-
- Nov 30, 2023
Sven Kieske authored
This implements a global toggle `om_enable_rabbitmq_quorum_queues` to enable quorum queues for each service in RabbitMQ, similar to what was done for HA [0]. Quorum Queues are enabled by default. Quorum queues are more reliable, safer, simpler and faster than replicated mirrored classic queues [1]. Mirrored classic queues are deprecated and scheduled for removal in RabbitMQ 4.0 [2]. Notice that we do not need a new policy in the RabbitMQ definitions template, because their usage is enabled on the client side and can't be set using a policy [3]. Notice also that quorum queues are not yet enabled in oslo.messaging for the usage of reply_ and fanout_ queues (transient queues). This will change once [4] is merged. [0]: https://review.opendev.org/c/openstack/kolla-ansible/+/867771 [1]: https://www.rabbitmq.com/quorum-queues.html [2]: https://blog.rabbitmq.com/posts/2021/08/4.0-deprecation-announcements/ [3]: https://www.rabbitmq.com/quorum-queues.html#declaring [4]: https://review.opendev.org/c/openstack/oslo.messaging/+/888479 Signed-off-by: Sven Kieske <kieske@osism.tech> Change-Id: I6c033d460a5c9b93c346e9e47e93b159d3c27830
-
- Nov 28, 2023
Matt Crees authored
This reverts commit b86c304a. Reason for revert: We want to enable Quorum Queues by default in Caracal, without requiring two queue migrations between releases. See etherpad for details: https://etherpad.opendev.org/p/kolla-ansible-rmq-quorum-queues-proposal Change-Id: Ia19ab97f538125475297976347c5da332a7fdda7
-
- Nov 22, 2023
Will Szumski authored
Closes-Bug: #2043831 Change-Id: I010fabd255d93d5329de82af2b5d21c8fa7d93c4
-
- Nov 15, 2023
Juan Pablo Suazo authored
Adds configurations and changes tasks to enable the systemd plugin. Additionally, the plugin is set to read logs from the /var/log/journal directory. Implements: enable-fluent-plugin-systemd Signed-off-by: Juan Pablo Suazo <jsuazo@whitestack.com> Change-Id: Ic714a341befa5f906d9c0f78fa86f4c934df87cd
-
- Nov 07, 2023
Will Szumski authored
This avoids the need to use a proxy, or some other means, to connect to Prometheus. This is disabled by default and can be enabled by setting enable_prometheus_server_external to true. Change-Id: Ia0af044ff436c2a204b357750a16ff49fcdfec45
-
James Kirsch authored
Add support for automatic provisioning and renewal of HTTPS certificates via LetsEncrypt. Spec is available at: https://etherpad.opendev.org/p/kolla-ansible-letsencrypt-https Depends-On: https://review.opendev.org/c/openstack/kolla/+/887347 Co-Authored-By: Michal Arbet <michal.arbet@ultimum.io> Implements: blueprint letsencrypt-https Change-Id: I35317ea0343f0db74ddc0e587862e95408e9e106
-
Christian Berendt authored
Enable the jobboard feature for the Octavia amphora provider. This requires Redis as a dependency; a precheck is added to ensure proper configuration. https://docs.openstack.org/octavia/latest/install/install-amphorav2.html Change-Id: Iec3c8a4b4e257557dc8ec995c41d0ad7e88e13e2
-
- Oct 25, 2023
Sergei Raiskii authored
Kolla Ansible should deploy Glance and Cinder Backup with S3 backend support working out-of-the-box. The S3 backend had been re-introduced in Ussuri after being deprecated around the Mitaka timeframe, and having some local object storage options is nice for testing. Closes-Bug: #1977515 Change-Id: I4ca58382d1ee568bfca2ad108495422163f81260 Co-authored-by: Juan Pablo Suazo <jsuazo@whitestack.com> Co-authored-by: Maksim Malchuk <maksim.malchuk@gmail.com>
-
- Oct 20, 2023
Ivan Halomi authored
This change adds basic deployment based on Podman container manager as an alternative to Docker. Signed-off-by: Ivan Halomi <i.halomi@partner.samsung.com> Signed-off-by: Martin Hiner <m.hiner@partner.samsung.com> Signed-off-by: Petr Tuma <p.tuma@partner.samsung.com> Change-Id: I2b52964906ba8b19b8b1098717b9423ab954fa3d Depends-On: Ie4b4c1cf8fe6e7ce41eaa703b423dedcb41e3afc
-
- Oct 12, 2023
Grzegorz Koper authored
Adding missing group_vars for gnocchi service. Using proper variables in haproxy config for vitrage and venus services. Closes-Bug: #2038904 Change-Id: I06e8f29440c13864a866ea03ce0a0821fbe846f8
-
- Oct 11, 2023
Juan Pablo Suazo authored
Adds the needed changes and configurations in order to use the neutron plugin, tap-as-a-service, to create port mirrors using `openstack tap` commands. Implements: configure-taas-plugin Depends-On: https://review.opendev.org/c/openstack/kolla/+/885151 Change-Id: Ia09e1f8b423d43c0466fe2d6605ce383fd813544 Signed-off-by: Juan Pablo Suazo <jsuazo@whitestack.com>
-
- Oct 06, 2023
Michal Nasiadka authored
Change-Id: Ic153a91beb30daa334ccbb0430ce8340bd6c480f
-