This patch introduces an optional backend encryption for Horizon and
Placement services. When used in conjunction with enabling TLS for
service API endpoints, network communcation will be encrypted end to
end, from client through HAProxy to the Horizon and Placement services.

Change-Id: I9cb274141c95aea20e733baa623da071b30acf2d
Partially-Implements: blueprint add-ssl-internal-network

The "balance" keyword is not valid in a frontend section. From the
HAProxy documentation[1]:

balance <algorithm> [ <arguments> ]
balance url_param <param> [check_post [<max_wait>]]
  Define the load balancing algorithm to be used in a backend.
  May be used in sections :   defaults | frontend | listen | backend
                                 yes   |    no    |   yes  |   yes

When running HAProxy using the "split" template style, where a
frontend/backend pair are used instead of one listen section, HAProxy
will emit warnings for the Horizon config due to this.

[1]: https://www.haproxy.org/download/1.5/doc/configuration.txt

Closes-Bug: #1872540
Change-Id: I91cee275d91a51944298618493f4ea0cd80282cc

Some services look for /etc/timezone on Debian/Ubuntu, so we should
introduce it to the containers.

In addition, added prechecks for /etc/localtime and /etc/timezone.

Closes-Bug: #1821592
Change-Id: I9fef14643d1bcc7eee9547eb87fa1fb436d8a6b3

In dev mode currently the python source is mounted under python2.7
site-packages. This change fixes this to use the distro_python_version
variable to ensure dev mode works with Python 3 images.

Change-Id: Ieae3778a02f1b79023b4f1c20eff27b37f481077
Partially-Implements: blueprint python-3

For the CentOS 7 to 8 transition, we will have a period where both
CentOS 7 and 8 images are available. We differentiate these images via a
tag - the CentOS 8 images will have a tag of train-centos8 (or
master-centos8 temporarily).

To achieve this, and maintain backwards compatibility for the
openstack_release variable, we introduce a new 'openstack_tag' variable.
This variable is based on openstack_release, but has a suffix of
'openstack_tag_suffix', which is empty except on CentOS 8 where it has a
value of '-centos8'.

Change-Id: I12ce4661afb3c255136cdc1aabe7cbd25560d625
Partially-Implements: blueprint centos-rhel-8

Variable added to evaluate "ENABLE_MONASCA" env for 'kolla/horizon'. In
case 'enable_horizon_monasca' is true, 'policy_item' would be called for
Monasca.

Change-Id: Ie9ecb8ab5d4e74af9b83a5b00ccced5b630ab1ed
Implements: blueprint monasca-ui
Signed-off-by: Hamed Bahadorzadeh <h.bahadorzadeh@gmail.com>

Introduce kolla_address filter.
Introduce put_address_in_context filter.

Add AF config to vars.

Address contexts:
- raw (default): <ADDR>
- memcache: inet6:[<ADDR>]
- url: [<ADDR>]

Other changes:

globals.yml - mention just IP in comment

prechecks/port_checks (api_intf) - kolla_address handles validation

3x interface conditional (swift configs: replication/storage)

2x interface variable definition with hostname
(haproxy listens; api intf)

1x interface variable definition with hostname with bifrost exclusion
(baremetal pre-install /etc/hosts; api intf)

neutron's ml2 'overlay_ip_version' set to 6 for IPv6 on tunnel network

basic multinode source CI job for IPv6

prechecks for rabbitmq and qdrouterd use proper NSS database now

MariaDB Galera Cluster WSREP SST mariabackup workaround
(socat and IPv6)

Ceph naming workaround in CI
TODO: probably needs documenting

RabbitMQ IPv6-only proto_dist

Ceph ms switch to IPv6 mode

Remove neutron-server ml2_type_vxlan/vxlan_group setting
as it is not used (let's avoid any confusion)
and could break setups without proper multicast routing
if it started working (also IPv4-only)

haproxy upgrade checks for slaves based on ipv6 addresses

TODO:

ovs-dpdk grabs ipv4 network address (w/ prefix len / submask)
not supported, invalid by default because neutron_external has no address
No idea whether ovs-dpdk works at all atm.

ml2 for xenapi
Xen is not supported too well.
This would require working with XenAPI facts.

rp_filter setting
This would require meddling with ip6tables (there is no sysctl param).
By default nothing is dropped.
Unlikely we really need it.

ironic dnsmasq is configured IPv4-only
dnsmasq needs DHCPv6 options and testing in vivo.

KNOWN ISSUES (beyond us):

One cannot use IPv6 address to reference the image for docker like we
currently do, see: https://github.com/moby/moby/issues/39033
(docker_registry; docker API 400 - invalid reference format)
workaround: use hostname/FQDN

RabbitMQ may fail to bind to IPv6 if hostname resolves also to IPv4.
This is due to old RabbitMQ versions available in images.
IPv4 is preferred by default and may fail in the IPv6-only scenario.
This should be no problem in real life as IPv6-only is indeed IPv6-only.
Also, when new RabbitMQ (3.7.16/3.8+) makes it into images, this will
no longer be relevant as we supply all the necessary config.
See: https://github.com/rabbitmq/rabbitmq-server/pull/1982

For reliable runs, at least Ansible 2.8 is required (2.8.5 confirmed
to work well). Older Ansible versions are known to miss IPv6 addresses
in interface facts. This may affect redeploys, reconfigures and
upgrades which run after VIP address is assigned.
See: https://github.com/ansible/ansible/issues/63227

Bifrost Train does not support IPv6 deployments.
See: https://storyboard.openstack.org/#!/story/2006689



Change-Id: Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c
Implements: blueprint ipv6-control-plane
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>

This review is the first one in a series of patches and it introduces an
optional encryption for internal openstack endpoints, implementing part
of the add-ssl-internal-network spec.

Change-Id: I6589751626486279bf24725f22e71da8cd7f0a43

Masakari provides Instances High Availability Service for
OpenStack clouds by automatically recovering failed Instances.

Depends-On: https://review.openstack.org/#/c/615469/


Change-Id: I0b3457232ee86576022cff64eb2e227ff9bbf0aa
Implements: blueprint ansible-masakari
Co-Authored-By: Gaëtan Trellu <gaetan.trellu@incloudus.com>

Change-Id: Ib5490d504a5b7c9a37dda7babf1257aa661c11de

The project has been retired and there will be no Train release [1].
This patch removes Neutron LBaaS support in Kolla.

[1] https://review.opendev.org/#/c/658494/

Change-Id: Ic0d3da02b9556a34d8c27ca21a1ebb3af1f5d34c

Qinling is an OpenStack project to provide "Function as a Service".
This project aims to provide a platform to support serverless functions.

Change-Id: I239a0130f8c8b061b531dab530d65172b0914d7c
Implements: blueprint ansible-qinling-support
Story: 2005760
Task: 33468

When integrating 3rd party component into openstack with kolla-ansible,
maybe have to mount some extra volumes to container.

Change-Id: I69108209320edad4c4ffa37dabadff62d7340939
Implements: blueprint support-extra-volumes

"v3" is supposed to be part of the OPENSTACK_KEYSTONE_URL:
https://docs.openstack.org/horizon/latest/admin/customize-configure.html#configure-the-dashboard

Closes-Bug: #1822257

Change-Id: I5fd2d36305172d351fbfa9141c7cbc7c5af98f3b

This adds a horizon_listen_port option, which defaults to horizon_port
for backward compatibility.

This option allow the user to differentiate between the port the
service listens on, and the port the service is reachable on. This is
useful for external load balancers which live on the same host as the
service itself.

Change-Id: I1e47e9524fd9c41bbb2cd2fc80560e53d9296599
Implements: blueprint service-hostnames

Use <project>_install_type instead of kolla_install_type
to set python_path. For example, general kolla_install_type
is 'binary', but user wants to deploy Horizon from 'source'.
Horizon templates still use python_path=/usr/share/openstack-dashboard,
it is wrong.

Change-Id: Ide6a24e17b1f8ab6506aa5e53f70693706830418

Having all services in one giant haproxy file makes altering
configuration for a service both painful and dangerous. Each service
should be configured with a simple set of variables and rendered with a
single unified template.

Available are two new templates:

* haproxy_single_service_listen.cfg.j2: close to the original style, but
only one service per file
* haproxy_single_service_split.cfg.j2: using the newer haproxy syntax
for separated frontend and backend

For now the default will be the single listen block, for ease of
transition.

Change-Id: I6e237438fbc0aa3c89a3c8bd706a53b74e71904b

Now kolla dev mode only support clone master branch from git,
add version tag to support clone dedicated branch.

Change-Id: I88de238e5dc7461ba0662a3ecea9a2d80fd0db60

This commit is to apply resource-constraints to a few more OpenStack services.
Commit to  apply constraints to the last set of services will be made in
the upcoming commit.

Depends-on: Icafa54baca24d2de64238222a5677b9d8b90e2aa
Change-Id: I39004f54281f97d53dfa4b1dbcf248650ad6f186

neutron-vpnaas-dashboard is split into standalone repo. Need enable it
dynamic.

Depends-On: Ife1e39d4fff9e878a101ff716545166a30091f69
Change-Id: Ia3faa5b52f9321349e57902b5b1d90068d388cc0
Closes-Bug: #1777750

Change-Id: I9e94daaa2054e7aa4b814516f8cf2b6a4981465c
Depends-on: I5cd0cc2c884530525b3019c22c04a782a181a3bf

Change-Id: Ie1ce8f29199dc36c0fe7671be48e7a655d997eb1
Deponds-on: I67876c734d147593a188ba385b60e02350b44fae

Change-Id: I2f5d70bb5707b940387d613879bf2caab35d6bd9

This commit introduces a new variable, horizon_keystone_url, which
allows the administrator to specify the Keystone URL.

This defaults to the internal Keystone URL for backwards compatibility's
sake.

Closes-Bug: #1759623

Change-Id: Idf178a6398000fcb2d02b6f37b8ef408218b94ee
Signed-off-by: Nick Jones <nick@stackhpc.com>

This change allows the following use cases:

1. Using an already-configured MariaDB / MySQL server / Cluster
2. Using already-created DB users, without requiring root DB access.

Update: added external mariadb precheck

Change-Id: I78b0d178306d7c5293b0bf53e445f19f18b4b824
Implements: blueprint external-mariadb-support.
Closes-Bug: #1603121

through the database_address has beed defined in groups_vars/all.yml, we should
better use it, this way, if we want to use external database, we just need to
redefined in all.yml

refer to https://github.com/openstack/kolla-ansible/blob/master/ansible/group_vars/all.yml#L83


Co-Authored-By: chenqiaomin <chen.qiaomin@99cloud.net>

Change-Id: Ie559301451954e16347ceaabf02f594c5c5cbe56

Depends-On: I5846b48d336583ae82743f61bfbdadc99c755e8d
Change-Id: Iaf15dad5e4d527b8721409e56fc081043c1cb174
Implements: blueprint vitrage-roles

heat dashboard is split from horizon code base in Queens cycle.[0][1]

[0] https://review.openstack.org/#/c/523402/
[1] https://github.com/openstack/heat-dashboard

Depends-On: I920394b8cb6eb7027df9110fe88de6842d2bd8b3
Change-Id: I14ce4886ec7c6cf4ce284c9768493919dd65c83b
Close-Bug: #1737475

Added ``horizon_keystone_domain_choices`` hash. It can be used to set the
available domains to choose from on the horizon login page. This feature
was introduced in pike release.

Change-Id: Ia7d2bc45e518848a04ce78e7833e1cf9a0ef21ce

the auth is used for registry, but the horizon not need, so the
openstack_horizon_auth should be remove.
refer to https://github.com/openstack/kolla-ansible/blob/master/ansible/roles/nova/tasks/register.yml#L13

Change-Id: Ibd8985651bd64cba3e30c15596f0ae6d692b973b

neutron-fwaas-dashboard is split into standalone repo. Need enable it
dynamic.

Depends-On: Ic1ff58df2c23db77aace95fd6d4eabbd62227e3b
Change-Id: I37b3258a394a7722b0837d6b1707326d7e37c9ba
Closes-Bug: #1719147

When uploading an image through horizon, the image is saved in /tmp
folder temporarily. Since the container root is only 10GB, a big image
will crash horizon container.
This patch mounts the host /tmp folder to horizon container.

[0] https://docs.djangoproject.com/en/1.11/topics/http/file-uploads/#where-uploaded-data-is-stored

Change-Id: Idf6a137d09d9e45105c3ec86e6337dd1826f7a03
Closes-Bug: #1712453

Includes murano-dashboard plugin

Change-Id: If99b0310dac75776ca462034926dd57794572ce9

This change [0] reverted designate dashboard change because
designate was not finished, we forgot to enable again.

[0] https://review.openstack.org/#/c/408714/

Change-Id: Ibaf7e5a5dc8cbef619d86a0f2b240d384984e8bd

Depends-On: Ie0e02253bd706cad6a568e1574aa4c4bd83744e5

Change-Id: I10e64ea5a104109a7ced3712b29b3b526c55f7f1
Closes-Bug: #1677922

Co-Authored-By: Jeffrey Zhang <jeffrey.zhang@99cloud.net>
Change-Id: Ieb44258cd99744a92ef1aa958e3bdccf9519f212
Partially-implements: blueprint better-reconfigure

Default user group should be set much earlier in deployment
and should be used consistently accross all projects.

Change-Id: Id399f9ddebc903bb9c3eeb5a0ff6f33ca6d6828c
Closes-Bug: #1650501

TrivialFix

Change-Id: Ic474306223b9c6f5fa730ef765ca60c59d76f24b

Database-backed sessions are scalable (using an appropriate database
strategy), persistent, and can be made high-concurrency and
highly-available [0]

Default is off.

[0] http://docs.openstack.org/developer/horizon/topics/deployment.html#database



Co-Authored-By: Vladislav Belogrudov <vladislav.belogrudov@oracle.com>
Closes-Bug: 1618781

Change-Id: Ib68a21397dc020d20e07dcc51d3d0fdc1de102ff

The horizon need a normal exist in the keystone.

Change-Id: Ia3e4fb5245b4a943fc833f29a5a8d5eb1ee48fe9
Closes-Bug: #1579822