The ``ironic-inspector`` service user is now assigned the system scope
``all``. This allows it to create baremetal ports during node inspection
again.

Default project and domain vars are removed as you cannot combine these
with system scope.

Closes-Bug: #2064655
Change-Id: I5e3c29faae4c2531b269c37874ade368c1aab39f

Adds support for setting the system scope to user role assignments.
Also updates the domain assignment so it can be customised.

Note that the scope assignments follow the precedence of
project->domain->system [1]. As such, the previous default value of
domain was being ignored as we always set a project, so the removal of
the default domain in this patch has no effect on existing behaviour.

1. https://docs.ansible.com/ansible/latest/collections/openstack/cloud/role_assignment_module.html#parameter-system

Change-Id: Ie7fe78ab67b1bf8a19def25fef321de5c2d80aa9

From OpenStack 2023.2 (Bobcat) the Pure Storage Cinder driver
supports NVMe-TCP as a dataplane protocol. This patch adds support
for this new driver type.

Change-Id: I3c0ad7652a03388ab2eafa173c644a55b0405cc6

This patch adds REQUESTS_CA_BUNDLE as it's described
in requests documentation [1].

This is needed because some ansible modules inside uses
python request library and some users of course using
their own CAs.

[1] https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification

Closes-Bug: #1967132

Change-Id: I901c2bc8ac477f15d2833e68566b19e437f4b6d1

This patch removes the nova_libvirt_secret container volume because
it is a complete antipattern, and during testing, I found that
it causes problems. When it was necessary to copy libvirt secrets
from /etc/kolla/nova-libvirt/secrets, the container logs reported that
the resource is busy - precisely because it was a mounted container
volume. This, of course, is unnecessary because the secrets are copied
to the kolla host in /etc/kolla/nova-libvirt/secrets.

Closes-Bug: #2073678
Change-Id: I715a6a95f9d32d62a8199727ddbaddd0dd7baa2d

This change fixes a bug in the prometheus.yml template which breaks
alertmanager configuration

Closes-Bug: 2076660
Change-Id: I9adf34747a22d7d5aef31fad3f68f7880e18f022

The variable kolla_same_external_internal_vip in group_vars/all.yml
was set to true or false depending on the jinja2 equality operator
- == - which only checks if two objects are the same.

This is problematic because IPs can be the same but have different
string representations, e.g. leading zeroes in some octets, but still
repesent the same instance of an IP.

Example: 192.168.1.1 and 192.168.001.001 are the same.

Fix this, by using the ansible.utils.ipaddr() jinja2 filter instead
to increase robustness.

Closes-Bug: #2076889
Introduced-By: https://review.opendev.org/c/openstack/kolla/+/285005



Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: Ied43b9d0c4b33bb514d367f3f99c2e30e104d139

Required before a SLURP upgrade

Change-Id: I09a45d26a6075554b204e007f64122f23de5f53c

By default, the watch timer in Fluentd is set to True.
To save CPU and I/O consumption this can be set to False, which
kolla-ansible has been hardcoding so far.

When the watch timer is disabled, in_tail relies entirely
on inotify. In certain constellations, this may not work
reliably. In these cases, the watch timer needs to be activated, so this
change adds a variable to make the setting configurable.

Change-Id: Ic8ce6fbc3ed8f31d5d090e114b35703532679729

Change I60162b54bc06e158534d29311d4474b34750c64d
removed the '/v3' suffix from horizon_keystone_url variable,
but the version is needed for some operations.
This patch fixes the "Change password" Horizon function
until Horizon bug #2073639 is resolved.

Closes-Bug: #2073159
Change-Id: I6ff46b47e9109d0757f2e5ce8019ba591b9892e1

A host that is in the manila-share group, but not in controllers
network, etc., will fail service deployment if it is not using the
generic manila driver (eg, if it is using the CephFS native driver).
This is because deployment of openvswitch-vswitchd is predicated on
the drivers enabled for manila-share.  However, this predicate is not
universally applied.  Where inventory group membership is used the
dependency on openvswitch-vswitchd presence will fail.

Closes-Bug: #1993285

Change-Id: I821e513d24f2a1c59240d65ad68c3b5f2080e439

Adapt files to match new requirements, add assertIn to whitelist

Change-Id: I516bbbb3a0f194e8fa08d04c0290b586963b8b55

This fixes an issue where it is not possible to customise the `host`
config option in the Nova Compute Ironic config file without breaking
detection of the service.

This is a backwards compatible fix, which allows a user to set the
`host` config option using Ansible host or group vars.

Other reasons for not using the default host setting of
`{{ ansible_hostname }}-ironic` are covered in [1].

[1] https://specs.openstack.org/openstack/nova-specs/specs/2024.1/approved/ironic-shards.html#migrate-from-peer-list-to-shard-key.

Closes-Bug: #2056571
Change-Id: I9b562f6a5722f21b7dbec2a4d53a46a57c829155

The Kolla project supports building images with
user-defined prefixes. However, Kolla-ansible is unable
to use those images for installation.

This patch fixes that issue.

Closes-Bug: #2073541
Change-Id: Ia8140b289aa76fcd584e0e72686e3786215c5a99

After OVN DB leader restarts there is a period before a new leader has
been elected where the old leader is returned in the cluster status.
This can result in a failure to apply the connection settings if a
different leader is elected.

Wait for a few seconds for the leader election to complete.

Change-Id: I20f08c986fa6b4b3ec668dad649e69f23119796b
Closes-Bug: #2059124

This patch modifies tasks that are delegated to
localhost to use local connection.
Firstly, this is correct since SSH connection is not used,
and secondly, it fixes the issue when kolla-ansible is
packaged in a docker container. If the local connection
is not used, the tasks will fail because temporary data are
stored outside the container, whereas we need it to be
stored inside the container so we can read them and set_facts.

Closes-Bug: #2073370
Change-Id: I9547d5da78da30bfeea8e97056cfa9308c977098

Fixes an deploy opensearch whith enable TLS on the internal VIP

Closes-Bug: #2073224
Change-Id: I50ce48c4e3c645e2f3aeee4913a9bc9ee506040a

Barbican switched to oslo.db as per [1]
This patch is fixing kolla-ansible config
for barbican.

[1] https://review.opendev.org/c/openstack/barbican/+/848011

Closes-Bug: #2072554
Change-Id: Idc7bcd1aa2cbb9a08facb3140eed0f22d5d7e99f

There was a bug where setting the test command
for the health check to 'NONE' would throw an error
in podman_worker. This was problematic since K-A
uses 'NONE' as an indicator that the health check is not enabled.

Closes-Bug: #2071912
Change-Id: I3140bb79eace58b23f579be3da569c502c52c38c
Signed-off-by: Ivan Halomi <ivan.halomi@tietoevry.com>

ansible-core 2.16 and later requires python 3.10+ (see [1])

[1]: https://docs.ansible.com/ansible/latest/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix

Change-Id: Id5e10872de413e7b476c5343360d73c109b9667a

Currently, service-cert-copy role used to copy certs and CA
into containers has 'when' statements  that check if HAProxy is
defined and enabled for the service. However, some services like
RabbitMQ, ProxySQL or Redis don't use HAProxy

This patch removes the when condition, as it is not necessary.

PartiallyImplements: mariadb-ssl
Change-Id: I8864e05212e0ed76ea3a0108b00ed9dd04b1a697

Most roles are not leveraging the jinja filters available.
According to [1] filtering the list of services makes the execution
faster than skipping the tasks.

This patchset also includes some cosmetic changes to genconfig.
Individual services are now also using a jinja filter. This has
no impact on performance, just makes the tasks look cleaner.

Naming of some vars in genconfig was changed to "service" to make
the tasks more uniform as some were previously using
the service name and some were using "service".

Three metrics from the deployment were taken and those were
- overall deployment time [s]
- time spent on the specific role [s]
- CPU usage (measured with perf) [-]
Overall genconfig time went down on avg. from 209s to 195s
Time spent on the loadbalancer role went down on avg. from 27s to 23s
Time spent on the neutron role went down on avg from 102s to 95s
Time spent on the nova-cell role went down on avg. from 54s to 52s
Also the average CPUs utilized reported by perf went down
from 3.31 to 3.15.
For details of how this was measured see the comments in gerrit.

[1] - https://github.com/stackhpc/ansible-scaling/blob/master/doc/skip.md



Change-Id: Ib0f00aadb6c7022de6e8b455ac4b9b8cd6be5b1b
Signed-off-by: Roman Krček <roman.krcek@tietoevry.com>

Change-Id: I96151bb6809a4bf0f17dd3e0e97a654730881869

This enables you to scrape external targets more easily.

Change-Id: I55b612d2f5f5a3fc8d21c6d2f71d6c58d89d4e31

When using short notations like `1g` or `512m` to define the
container dimensions, we are always getting the container to
being restarted in each kolla-ansible run, even with no real
changes in the container configs.

Change-Id: Ic8e2dd42b95a8f5c2141a820c55642a3ed7beabd
Closes-Bug: #2070494

Fix kolla systemd unit template to prevent restart
all kolla services with docker.service restart

Change-Id: I70dd1751dea6bfc9bb265aeda04b3392e135324c
Closes-Bug: 2065168

Change the skyline nginx config to point to the internal port.

Closes-Bug: #2069855
Change-Id: Ia29d89b2594a604c687469850a67f7fe29d0eb5d

Previously Kolla Ansible hard-coded Neutron physical networks starting
at physnet1 up to physnetN, matching the number of interfaces in
neutron_external_interface and bridges in neutron_bridge_name.

Sometimes we may want to customise the physical network names used. This
may be to allow for not all hosts having access to all physical
networks, or to use more descriptive names.

For example, in an environment with a separate physical network for
Ironic provisioning, controllers might have access to two physical
networks, while compute nodes have access to one.

This change adds a neutron_physical_networks variable, making it
possible to customise the Neutron physical network names used for the
OVS, OVN, Linux bridge and OVS DPDK plugins. The default behaviour is
unchanged.

Change-Id: Ib5b8ea727014964919c6b3bd2352bac4a4ac1787

Task `Check if extra configuration file exists` picks up all files in
`{{ node_custom_config }}/grafana` including those that get handled
specially later on.
While `prometheus.yml` and `provisioning.yml` are best excluded from
extra config , because their treatment requires more than just copying,
`grafana_home_dashboard.json` may simply be treated as extra config,
which saves the execution of two additional tasks.

Closes-Bug: 2067999

Change-Id: I7bce1fe3d0a96816f1782107b202d6dac7d1291d
Signed-off-by: Jan Horstmann <horstmann@osism.tech>

List of strings CONTAINER_PARAMS is missing comma separators,
which makes it an implicit concatenation of list items
that should be separate.

Closes-Bug: #2067278
Change-Id: Iec9a8de184481dae058377fa8d7bbd8da729d62c
Signed-off-by: Martin Hiner <martin.hiner@tietoevry.com>

This reverts commit 5b431f0f.

Reason for revert: the any_errors_fatal play parameter is not templated
by Ansible (tested up to ansible-core 2.15.9). This behaviour is
demonstrated in [1].

This means that "{{ kolla_ansible_setup_any_errors_fatal }}" is always
interpreted as 'true', regardless of the value of
kolla_ansible_setup_any_errors_fatal.  This is particularly bad because
the default value of kolla_ansible_setup_any_errors_fatal is false.

We now have gather_facts_max_fail_percentage which can be set to 0 to
provide the same functionality.

[1] https://github.com/markgoddard/ansible-experiments/tree/master/15-fatal-errors

Change-Id: I2e0ea49701b5900eae26434bcdb6b1bb44507ee7

If the container image used by Mariabackup is different than the
one used by MariaDB server, it's possible that mariabackup and mariadb
are incompatible. This may cause backup operations to fail.

This change queries the running MariaDB server container's image and
uses it when taking a backup. If MariaDB server isn't running on the
host it falls back to the image defined in configuration.

The separate mariabackup_image, mariabackup_tag and
mariabackup_image_full variables are no longer required and have been
removed.

Closes-Bug: #2058644
Change-Id: I45f3f90ec1973dae92131ea16a7b248ab7a8ae69

Also rename task to "Copying over custom pipeline.yaml file" for
clarity.

Change-Id: I04e3eb9620830a15781f9bab2549b557a9d1d9cb

Depends-On: https://review.opendev.org/c/openstack/cloudkitty/+/880739
Change-Id: Ib8d7182cc4b8a0c7d320ba2c51b2157782030317

Update Sykline stop task to use the
service-stop role to symplify the task
and make sure it is using kolla_container.

Authored-By: Roman Krček <roman.krcek@tietoevry.com>
Change-Id: I7b11359cee931273a058364160b64fe1fb606b5e

Configure cloudkitty_influxdb_use_ssl automatically based on the value
of kolla_enable_tls_internal. Set cloudkitty_elasticsearch_cafile,
cloudkitty_influxdb_cafile and cloudkitty_prometheus_cafile to
openstack_cacert.

Disable certificate validation when bootstrapping the InfluxDB database:
the influxdb_database module and the InfluxDB 1.x Python client don't
support specifying a CA certificate file.

This fixes bootstrap and execution of CloudKitty with internal TLS.

Closes-Bug: #1998831
Change-Id: I5524169b9567819d379726099bf70c692c85acc1

Also enable these after an upgrade.

Partial-Bug: #2058512
Change-Id: Ib9bdae2e25c2b6cce30e4c8024015ab5875bc1ff

Add file to the reno documentation build to show release notes for
stable/2024.1.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2024.1.

Sem-Ver: feature
Change-Id: I6e25de71b55d37a9d0492e65751ddc73c6a6dbdc

Change-Id: I9e4933cecd5c1e336b1bdc1072925fa73cd0c8ee

Change-Id: I79fa2dde62dceea656cff011fd28659f08d9e304