  1. Aug 13, 2020
  2. Jun 05, 2020
    • Fix STATIC_ROOT for Debian, Ubuntu · f9c814a1
      Michal Arbet authored
      STATIC_ROOT in local_settings.py should be configured
      to path which is also configured in apache's config.
      
      For debian, ubuntu binary setup it is
      /var/lib/openstack-dashboard/static.
      
      Reason why it is "accidentally" working is:
      
      For debian package:
      Package is overriding STATIC_ROOT in
      /etc/openstack-dashboard/local_settings.d/_0003_debian_static_root.py.
      But this is going to be removed from settings in
      https://review.opendev.org/733607.
      
      For ubuntu package:
      Ubuntu package is adding patch to package which is including
      PYTHON_PATH to /usr/share/openstack-dashboard/
      And also they are creating several dirty symlinks to get it working.
      
      This patch is fixing this behaviour more clearly.
      
      Change-Id: I9862ac7ab462ca9018b684d63f26458ddda9f73a
  3. Oct 16, 2019
    • Implement IPv6 support in the control plane · bc053c09
      Radosław Piliszek authored
      Introduce kolla_address filter.
      Introduce put_address_in_context filter.
      
      Add AF config to vars.
      
      Address contexts:
      - raw (default): <ADDR>
      - memcache: inet6:[<ADDR>]
      - url: [<ADDR>]
      
      Other changes:
      
      globals.yml - mention just IP in comment
      
      prechecks/port_checks (api_intf) - kolla_address handles validation
      
      3x interface conditional (swift configs: replication/storage)
      
      2x interface variable definition with hostname
      (haproxy listens; api intf)
      
      1x interface variable definition with hostname with bifrost exclusion
      (baremetal pre-install /etc/hosts; api intf)
      
      neutron's ml2 'overlay_ip_version' set to 6 for IPv6 on tunnel network
      
      basic multinode source CI job for IPv6
      
      prechecks for rabbitmq and qdrouterd use proper NSS database now
      
      MariaDB Galera Cluster WSREP SST mariabackup workaround
      (socat and IPv6)
      
      Ceph naming workaround in CI
      TODO: probably needs documenting
      
      RabbitMQ IPv6-only proto_dist
      
      Ceph ms switch to IPv6 mode
      
      Remove neutron-server ml2_type_vxlan/vxlan_group setting
      as it is not used (let's avoid any confusion)
      and could break setups without proper multicast routing
      if it started working (also IPv4-only)
      
      haproxy upgrade checks for slaves based on ipv6 addresses
      
      TODO:
      
      ovs-dpdk grabs ipv4 network address (w/ prefix len / submask)
      not supported, invalid by default because neutron_external has no address
      No idea whether ovs-dpdk works at all atm.
      
      ml2 for xenapi
      Xen is not supported too well.
      This would require working with XenAPI facts.
      
      rp_filter setting
      This would require meddling with ip6tables (there is no sysctl param).
      By default nothing is dropped.
      Unlikely we really need it.
      
      ironic dnsmasq is configured IPv4-only
      dnsmasq needs DHCPv6 options and testing in vivo.
      
      KNOWN ISSUES (beyond us):
      
      One cannot use IPv6 address to reference the image for docker like we
      currently do, see: https://github.com/moby/moby/issues/39033
      (docker_registry; docker API 400 - invalid reference format)
      workaround: use hostname/FQDN
      
      RabbitMQ may fail to bind to IPv6 if hostname resolves also to IPv4.
      This is due to old RabbitMQ versions available in images.
      IPv4 is preferred by default and may fail in the IPv6-only scenario.
      This should be no problem in real life as IPv6-only is indeed IPv6-only.
      Also, when new RabbitMQ (3.7.16/3.8+) makes it into images, this will
      no longer be relevant as we supply all the necessary config.
      See: https://github.com/rabbitmq/rabbitmq-server/pull/1982
      
      For reliable runs, at least Ansible 2.8 is required (2.8.5 confirmed
      to work well). Older Ansible versions are known to miss IPv6 addresses
      in interface facts. This may affect redeploys, reconfigures and
      upgrades which run after VIP address is assigned.
      See: https://github.com/ansible/ansible/issues/63227
      
      Bifrost Train does not support IPv6 deployments.
      See: https://storyboard.openstack.org/#!/story/2006689
      
      
      
      Change-Id: Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c
      Implements: blueprint ipv6-control-plane
      Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
  4. Sep 14, 2019
  5. Aug 22, 2019
    • Implement TLS encryption for internal endpoints · b0ecd8b6
      Krzysztof Klimonda authored
      This review is the first one in a series of patches and it introduces an
      optional encryption for internal openstack endpoints, implementing part
      of the add-ssl-internal-network spec.
      
      Change-Id: I6589751626486279bf24725f22e71da8cd7f0a43
  6. Aug 20, 2019
  7. Aug 16, 2019
    • Support configuration of trusted CA certificate file · 09e02ef8
      Scott Solkhon authored
      This commit adds the functionality for an operator to specify
      their own trusted CA certificate file for interacting with the
      Keystone API.
      
      Implements: blueprint support-trusted-ca-certificate-file
      Change-Id: I84f9897cc8e107658701fb309ec318c0f805883b
  8. Apr 23, 2019
  9. Mar 06, 2019
    • Use keystone_*_url var in all configs · 2e4e6050
      Jim Rollenhagen authored
      We're duplicating code to build the keystone URLs in nearly every
      config, where we've already done it in group_vars. Replace the
      redundancy with a variable that does the same thing.
      
      Change-Id: I207d77870e2535c1cdcbc5eaf704f0448ac85a7a
  10. May 18, 2018
    • horizon: allow to configure by custom_local_settings.j2 · d516ad7d
      Jorge Niedbalski authored
      kolla-ansible should provide a mechanism to allow operators to overwrite
      the default (or not exposed through configuration) options for the
      local_settings.
      
      local_settings.j2 may be good place to configure horizon but requires
      operator to sync it every release.
      
      custom_local_settings.j2 can be used to overwrite things from
      local_settings.j2 without a need of syncing it first.
      
      This patch also adds a release note and a documentation section
      under the advanced configuration page.
      
      Partial-Bug: #1769970
      Depends-On: https://review.openstack.org/#/c/567006/
      Change-Id: I84b54ba737276114e512d4577ac4b9010682bb98
  11. Apr 03, 2018
  12. Jan 18, 2018
  13. Nov 28, 2017
    • Add horizon domain dropdown · 27253723
      Pierre Hanselmann authored
      Added ``horizon_keystone_domain_choices`` hash. It can be used to set the
      available domains to choose from on the horizon login page. This feature
      was introduced in pike release.
      
      Change-Id: Ia7d2bc45e518848a04ce78e7833e1cf9a0ef21ce
  14. Sep 25, 2017
    • Horizon multidomain flag · bd186a2e
      Pierre Hanselmann authored
      Added horizon_keystone_multidomain flag. It can be now overridden
      in globals.yml. Default set to False.
      
      Change-Id: I6f8f261cf4b9779e57c2443ac219cdddb1731f52
  15. Jul 25, 2017
  16. Jul 21, 2017
  17. Jul 18, 2017
  18. Mar 10, 2017
    • Multi-regions Support · dcdbe441
      rcherrueau authored
      Add support for basic multiple regions, that is to say, many OpenStack
      with a shared Keystone (same users) and Horizon. The shared Keystone
      and Horizon are deployed into one region, for instance RegionOne.
      Services of other regions have an access to this Keystone. This
      support assumes that the operator knows the name of all OpenStack
      regions in advance, and considers as many Kolla runs as there are
      regions.
      
      The new variable, multiple_regions_names, contains the name of
      regions. It is needed by the region that includes Keystone and
      Horizon. In register.yml, it specifies to create as many Keystone
      endpoints as there are regions, so that services of other regions can
      connect to Keystone. In local_settings.j2, it changes the render to
      support multiple regions in Horizon. The multi-regions.rst explains
      how to perform a multiple regions deployment.
      
      Implements: blueprint multi-kolla-config
      Change-Id: Icab2aebfc4de0e3bc609950956e0af397705f403
  19. Jan 27, 2017
  20. Jan 21, 2017
    • Load murano dashboard dynamic · f3ea03d8
      Jeffrey Zhang authored
      * Add ENABLE_MURANO environment in horizon
      * Add murano related setting in local_settings.j2 file
      
      Change-Id: I172b6d07536210623b2e2066ba4f1cc768479e33
      Closes-Bug: #1640679
  21. Dec 19, 2016
    • Use default user group consistently · 25fcdfb9
      Vladislav Belogrudov authored
      Default user group should be set much earlier in deployment
      and should be used consistently across all projects.
      
      Change-Id: Id399f9ddebc903bb9c3eeb5a0ff6f33ca6d6828c
      Closes-Bug: #1650501
  22. Nov 20, 2016
  23. Nov 10, 2016
  24. Oct 15, 2016
    • OpenStack Services Should Use keystone_internal_url for auth · cc2dde08
      Dave McCowan authored
      Horizon and Neutron mistakenly were using keystone_public_url
      for authentication.  This works without error in deployments
      when the internal services happen to have access to the
      public network, but it is still wrong.  This fails to work
      when the internal services can not access the public URLs,
      for example when TLS is enabled on the public endpoints.
      
      This patch corrects horizon and neutron to use
      keystone_internal_url for auth.
      
      Change-Id: I59b9094364bef375036028ba86a771dabf28c963
      Closes-bug: #1625648
  25. Oct 05, 2016
    • Fix horizon to use cache · 792f16cc
      Paul Bourke authored
      Horizon was missing SESSION_ENGINE from its conf which means it was not
      making use of memcached.
      
      Change-Id: I450aee05f59e344902f1e92d913f4c1ce9e8dcc6
      Closes-Bug: 1630509
  26. Sep 12, 2016
  27. Sep 08, 2016
  28. Aug 20, 2016
  29. Aug 18, 2016
  30. Aug 14, 2016
  31. Aug 02, 2016
    • Horizon interface address and memcached override · a6d89f44
      Ken Wronkiewicz authored
      Note: This should not result in any behavior changes in regular Kolla, just
      Kolla-Kubernetes and only when you've overridden stuff in globals.yml
      
      Allows override of interface address and memcached pools, so that Kubernetes
      can do the right thing.
      
      There are some significant architectural issues involved in memcached pooling
      in the Kolla-kubernetes world.  Avoiding them right now.
      
      Current working with this Kolla-Kubernetes globals.yml file:
      
      api_interface_address: "0.0.0.0"
      
      memcached_servers: "memcached"
      
      keystone_database_address: "mariadb"
      keystone_admin_url: "http://keystone-admin:35357/v3"
      keystone_internal_url: "http://keystone-public:5000/v3"
      keystone_public_url: "http://keystone-public:5000/v3"
      
      Three things to note:
       * In Kolla-Kubernetes, the service is not using net=host, so a
         0.0.0.0 interface address is totally OK.  That patch has been merged.
       * In Kolla-Kubernetes, the global.yml file doesn't do var substitution
         so you have to be explicit about the URLs, otherwise Keystone will
         look like it was provisioned but it won't quite be provisioned right.
       * In order to not duplicate tons of code, moved the keystone_admin_url /
         keystone_internal_url / keystone_public_url to the common defaults
         from the keystone defaults.
      
      Co-Authored-By: Ryan Hallisey <rhallise@redhat.com>
      Change-Id: I586ce1c6c3300254c4e2a398ff46645df576aeb0
      Partially-implements: blueprint api-interface-bind-address-override
  32. Jul 08, 2016
  33. Mar 22, 2016
    • Enable horizon domain logins · 1ef3dd1d
      SamYaple authored
      The horizon default is to prevent multidomain login. While allowing
      multidomain login won't prevent default domain login. Overhead is we
      must type in domain to login even if it's default domain.
      
      Change-Id: I965c3612eb584e88071c619037e1f42b3f4c7cd0
      Closes-Bug: #1560683
  34. Mar 03, 2016
    • Add TLS protection on external API endpoints · 3daded62
      Dave McCowan authored
      TLS can be used to encrypt and authenticate the connection with
      OpenStack endpoints.  This patch provides the necessary
      parameters and changes the resulting service configurations to
      enable TLS for the Kolla deployed OpenStack cloud.
      
      The new input parameters are:
      
      kolla_enable_tls_external: "yes" or "no" (default is "no")
      kolla_external_fqdn_cert: "/etc/kolla/certificates/haproxy.pem"
      kolla_external_fqdn_cacert: "/etc/kolla/certificates/haproxy-ca.crt"
      
      Implements: blueprint kolla-ssl
      
      Change-Id: I48ef8a781c3035d58817f9bf6f36d59a488bab41
  35. Feb 26, 2016
    • Change kolla_internal_address variable · d3cfb205
      SamYaple authored
      Due to poor planning on our variable names we have a situation where
      we have "internal_address" which must be a VIP, but "external_address"
      which should be a DNS name. Now with two vips "external_vip_address"
      is a new variable.
      
      This corrects that issue by deprecating kolla_internal_address and
      replacing it with 4 nicely named variables.
      
      kolla_internal_vip_address
      kolla_internal_fqdn
      kolla_external_vip_address
      kolla_external_fqdn
      
      The default behaviour will remain the same, and the way the variable
      inheritance is set up the kolla_internal_address variable can still be
      set in globals.yml and propagate out to these 4 new variables like it
      normally would, but all reference to kolla_internal_address has been
      completely removed.
      
      Change-Id: I4556dcdbf4d91a8d2751981ef9c64bad44a719e5
      Partially-Implements: blueprint ssl-kolla
  36. Feb 15, 2016
    • Use variables to specify http or https when constructing URLs · 1cedf77f
      Dave McCowan authored
      To allow for TLS to protect the service endpoints, the protocol
      in the URLs for the endpoints will be either http or https.
      
      This patch removes the hardcoded values of http and replaces them
      with variables that can be adjusted accordingly in future patches.
      
      Change-Id: Ibca6f8aac09c65115d1ac9957410e7f81ac7671e
      Partially-implements: blueprint ssl-kolla
  37. Dec 16, 2015
    • Fix retrieving api_interface · 903c7d4c
      OTSUKA, Yuanying authored
      In a heterogeneous environment, api_interfaces are different from each other.
      So we should specify it from hostvars.
      
      Implements: bp configure-network-interface
      Change-Id: Id15d70bfb9ebb62a64a3847a6b77407efb171dbe
  38. Oct 15, 2015
    • Use memcache for consoleauth and horizon · 2ea87ebd
      Sam Yaple authored
      Unfortunately there was no way to avoid memcache for consoleauth, so
      we might as well take advantage of it for Horizon as well.
      
      Change-Id: Idd338a025b031f6b50fe0c9f03c2c8d862f9d4c0
      Closes-Bug: #1504606
      Closes-Bug: #1504800
    • Enable COMPRESS_OFFLINE for Horizon · 718ed431
      Sam Yaple authored
      Without this set the CSS is messed up again
      
      TrivialFix
      backport: liberty
      
      Change-Id: I9e4cfc53d9791f75d4fdd52abe562c58035b0979