- Aug 19, 2020
-
-
Rafael Weingärtner authored
The goal for this push request is to normalize the construction and use of internal, external, and admin URLs. While extending Kolla-ansible to enable a more flexible method to manage external URLs, we noticed that the same URL was constructed multiple times in different parts of the code. This can make it difficult for people that want to work with these URLs and create inconsistencies in a large code base with time. Therefore, we are proposing here the use of a "single Kolla-ansible variable" per endpoint URL, which makes things easier for people that are interested in overriding/extending these URLs.

As an example, we extended Kolla-ansible to facilitate the "override" of public (external) URLs with the following standard "<component/serviceName>.<companyBaseUrl>". Therefore, the "NAT/redirect" in the SSL termination system (HAproxy, HTTPD or some other) is done via the service name, and not by the port. This allows operators to easily and automatically create more friendly URL names. To develop this feature, we first applied this patch that we are sending now to the community. We did that to reduce the surface of changes in Kolla-ansible.

Another example is the integration of Kolla-ansible and Consul, which we also implemented internally, and which also requires URL changes. Therefore, this PR is essential to reduce code duplicity, and to make it easier for users/developers to work with/customize the services' URLs.

Change-Id: I73d483e01476e779a5155b2e18dd5ea25f514e93
Signed-off-by: Rafael Weingärtner <rafael@apache.org>
-
- Apr 28, 2020
-
-
Marcin Juszkiewicz authored
Change-Id: I18f8855a758703968aba032add68add24b31f673 Closes-bug: #1875588
-
- Apr 03, 2020
-
-
Mark Goddard authored
The use of default(omit) is for module parameters, not templates. We define a default value for openstack_cacert, so it should never be undefined anyway. Change-Id: Idfa73097ca168c76559dc4f3aa8bb30b7113ab28
-
- Jan 13, 2020
-
-
James Kirsch authored
Include a reference to the globally configured Certificate Authority to all services. Services use the CA to verify HTTPs connections. Change-Id: I38da931cdd7ff46cce1994763b5c713652b096cc Partially-Implements: blueprint support-trusted-ca-certificate-file
-
- Oct 16, 2019
-
-
Radosław Piliszek authored
Introduce kolla_address filter.
Introduce put_address_in_context filter.

Add AF config to vars.

Address contexts:
- raw (default): <ADDR>
- memcache: inet6:[<ADDR>]
- url: [<ADDR>]

Other changes:

globals.yml - mention just IP in comment

prechecks/port_checks (api_intf)
- kolla_address handles validation

3x interface conditional (swift configs: replication/storage)

2x interface variable definition with hostname (haproxy listens; api intf)

1x interface variable definition with hostname with bifrost exclusion (baremetal pre-install /etc/hosts; api intf)

neutron's ml2 'overlay_ip_version' set to 6 for IPv6 on tunnel network

basic multinode source CI job for IPv6

prechecks for rabbitmq and qdrouterd use proper NSS database now

MariaDB Galera Cluster WSREP SST mariabackup workaround (socat and IPv6)

Ceph naming workaround in CI
TODO: probably needs documenting

RabbitMQ IPv6-only proto_dist

Ceph ms switch to IPv6 mode

Remove neutron-server ml2_type_vxlan/vxlan_group setting as it is not used (let's avoid any confusion) and could break setups without proper multicast routing if it started working (also IPv4-only)

haproxy upgrade checks for slaves based on ipv6 addresses

TODO:

ovs-dpdk grabs ipv4 network address (w/ prefix len / submask)
not supported, invalid by default because neutron_external has no address
No idea whether ovs-dpdk works at all atm.

ml2 for xenapi
Xen is not supported too well.
This would require working with XenAPI facts.

rp_filter setting
This would require meddling with ip6tables (there is no sysctl param).
By default nothing is dropped.
Unlikely we really need it.

ironic dnsmasq is configured IPv4-only
dnsmasq needs DHCPv6 options and testing in vivo.

KNOWN ISSUES (beyond us):

One cannot use IPv6 address to reference the image for docker like we currently do, see: https://github.com/moby/moby/issues/39033
(docker_registry; docker API 400 - invalid reference format)
workaround: use hostname/FQDN

RabbitMQ may fail to bind to IPv6 if hostname resolves also to IPv4. This is due to old RabbitMQ versions available in images. IPv4 is preferred by default and may fail in the IPv6-only scenario. This should be no problem in real life as IPv6-only is indeed IPv6-only. Also, when new RabbitMQ (3.7.16/3.8+) makes it into images, this will no longer be relevant as we supply all the necessary config. See: https://github.com/rabbitmq/rabbitmq-server/pull/1982

For reliable runs, at least Ansible 2.8 is required (2.8.5 confirmed to work well). Older Ansible versions are known to miss IPv6 addresses in interface facts. This may affect redeploys, reconfigures and upgrades which run after VIP address is assigned. See: https://github.com/ansible/ansible/issues/63227

Bifrost Train does not support IPv6 deployments. See: https://storyboard.openstack.org/#!/story/2006689

Change-Id: Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c
Implements: blueprint ipv6-control-plane
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
-
- Sep 06, 2019
-
-
Mark Goddard authored
In the Train cycle, ironic added a [nova] section to its configuration. This is used to configure access to Nova API, for sending power state callbacks. This change adds the [nova] section to ironic.conf. Change-Id: Ib891af1db2a2c838c887e858ea0721f5e6a4fab0 Closes-Bug: #1843070
-
Mark Goddard authored
The ironic configuration in ironic.conf uses several options which have been removed in the Train cycle:

[glance] glance_api_servers was removed in https://review.opendev.org/#/c/665929.
[neutron] url was removed in https://review.opendev.org/#/c/672971.

We should use the endpoint catalog instead of specifying the endpoint for both of these, and also ironic inspector. region_name and valid_interfaces have been added for that purpose.

Other options are deprecated.

[conductor] api_url: Use [service_catalog] section to lookup ironic API endpoint instead.
[inspector] enabled: No longer used.

Change-Id: If07c4ff9bfea7d780aeff5c3295a0ace7d10ecdc
Closes-Bug: #1843067
-
- Aug 29, 2019
-
-
Will Szumski authored
Change-Id: Ic80dbe1f4f7289fe2c2143125a381cec4586f7ef Closes-Bug: #1841908
-
- Aug 15, 2019
-
-
Rafael Weingärtner authored
After all of the discussions we had on "https://review.opendev.org/#/c/670626/2", I studied all projects that have an "oslo_messaging" section. Afterwards, I applied the same method that is already used in "oslo_messaging" section in Nova, Cinder, and others. This guarantees that we have a consistent method to enable/disable notifications across projects based on components (e.g. Ceilometer) being enabled or disabled. Here follows the list of components, and the respective changes I did.

* Aodh: The section is declared, but it is not used. Therefore, it will be removed in an upcoming PR.

* Congress: The section is declared, but it is not used. Therefore, it will be removed in an upcoming PR.

* Cinder: It was already properly configured.

* Octavia: The section is declared, but it is not used. Therefore, it will be removed in an upcoming PR.

* Heat: It was already using a similar scheme; I just modified it a little bit to be the same as we have in all other components

* Ceilometer: Ceilometer publishes some messages in the rabbitMQ. However, the default driver is "messagingv2", and not '' (empty) as defined in Oslo; these configurations are defined in ceilometer/publisher/messaging.py. Therefore, we do not need to do anything for the "oslo_messaging_notifications" section in Ceilometer

* Tacker: It was already using a similar scheme; I just modified it a little bit to be the same as we have in all other components

* Neutron: It was already properly configured.

* Nova: It was already properly configured. However, we found another issue with its configuration. Kolla-ansible does not configure nova notifications as it should. If 'searchlight' is not installed (enabled) the 'notification_format' should be 'unversioned'. The default is 'both'; so nova will send a notification to the queue versioned_notifications; but that queue has no consumer when 'searchlight' is disabled. In our case, the queue got 511k messages. The huge amount of "stuck" messages made the Rabbitmq cluster unstable.
  https://bugzilla.redhat.com/show_bug.cgi?id=1478274
  https://bugs.launchpad.net/ceilometer/+bug/1665449

* Nova_hyperv: I added the same configurations as in Nova project.

* Vitrage: It was already using a similar scheme; I just modified it a little bit to be the same as we have in all other components

* Searchlight: I created a mechanism similar to what we have in AODH, Cinder, Nova, and others.

* Ironic: I created a mechanism similar to what we have in AODH, Cinder, Nova, and others.

* Glance: It was already properly configured.

* Trove: It was already using a similar scheme; I just modified it a little bit to be the same as we have in all other components

* Blazar: It was already using a similar scheme; I just modified it a little bit to be the same as we have in all other components

* Sahara: It was already using a similar scheme; I just modified it a little bit to be the same as we have in all other components

* Watcher: I created a mechanism similar to what we have in AODH, Cinder, Nova, and others.

* Barbican: I created a mechanism similar to what we have in Cinder, Nova, and others. I also added a configuration to 'keystone_notifications' section. Barbican needs its own queue to capture events from Keystone. Otherwise, it has an impact on Ceilometer and other systems that are connected to the "notifications" default queue.

* Keystone: Keystone is the system that triggered this work with the discussions that followed on https://review.opendev.org/#/c/670626/2 . After a long discussion, we agreed to apply the same approach that we have in Nova, Cinder and other systems in Keystone. That is what we did. Moreover, we introduce a new topic "barbican_notifications" when barbican is enabled. We also removed the "variable" enable_cadf_notifications, as it is obsolete, and the default in Keystone is CADF.

* Mistral: It was hardcoded "noop" as the driver. However, that does not seem a good practice. Instead, I applied the same standard of using the driver and pushing to "notifications" queue if Ceilometer is enabled.

* Cyborg: I created a mechanism similar to what we have in AODH, Cinder, Nova, and others.

* Murano: It was already using a similar scheme; I just modified it a little bit to be the same as we have in all other components

* Senlin: It was already using a similar scheme; I just modified it a little bit to be the same as we have in all other components

* Manila: It was already using a similar scheme; I just modified it a little bit to be the same as we have in all other components

* Zun: The section is declared, but it is not used. Therefore, it will be removed in an upcoming PR.

* Designate: It was already using a similar scheme; I just modified it a little bit to be the same as we have in all other components

* Magnum: It was already using a similar scheme; I just modified it a little bit to be the same as we have in all other components

Closes-Bug: #1838985
Change-Id: I88bdb004814f37c81c9a9c4e5e491fac69f6f202
Signed-off-by: Rafael Weingärtner <rafael@apache.org>
-
- Mar 06, 2019
-
-
Jim Rollenhagen authored
This allows ironic service endpoints to use custom hostnames, and adds the following variables:

* ironic_internal_fqdn
* ironic_external_fqdn
* ironic_inspector_internal_fqdn
* ironic_inspector_external_fqdn

These default to the old values of kolla_internal_fqdn or kolla_external_fqdn.

This also adds ironic_api_listen_port and ironic_inspector_listen_port options, which default to ironic_api_port and ironic_inspector_port for backward compatibility. These options allow the user to differentiate between the port the service listens on, and the port the service is reachable on. This is useful for external load balancers which live on the same host as the service itself.

Change-Id: I45b175e85866b4cfecad8451b202a5a27f888a84
Implements: blueprint service-hostnames
-
Jim Rollenhagen authored
We're duplicating code to build the keystone URLs in nearly every config, where we've already done it in group_vars. Replace the redundancy with a variable that does the same thing. Change-Id: I207d77870e2535c1cdcbc5eaf704f0448ac85a7a
-
- Feb 22, 2019
-
-
Mark Goddard authored
Adds a new flag, 'enable_openstack_core', which defaults to 'yes'. Setting this flag to 'no' will disable the core OpenStack services, including Glance, Heat, Horizon, Keystone, Neutron, and Nova.

Improves the default configuration of OpenStack Ironic when used in standalone mode. In particular, configures a noauth mode when Keystone is disabled, and allows the iPXE server to be used for provisioning as well as inspection if Neutron is disabled.

Documentation for standalone ironic will be updated separately.

This patch was developed and tested using Bikolla [1].

[1] https://github.com/markgoddard/bikolla

Change-Id: Ic47f5ad81b8126a51e52a445097f7950dba233cd
Implements: blueprint standalone-ironic
-
- Feb 08, 2019
-
-
Jim Rollenhagen authored
This allows neutron service endpoints to use custom hostnames, and adds the following variables:

* neutron_internal_fqdn
* neutron_external_fqdn

These default to the old values of kolla_internal_fqdn or kolla_external_fqdn.

This also adds a neutron_server_listen_port option, which defaults to neutron_server_port for backward compatibility. This option allows the user to differentiate between the port the service listens on, and the port the service is reachable on. This is useful for external load balancers which live on the same host as the service itself.

Change-Id: I87d7387326b6eaa6adae1600b48d480319d10676
Implements: blueprint service-hostnames
-
Jim Rollenhagen authored
This allows glance service endpoints to use custom hostnames, and adds the following variables:

* glance_internal_fqdn
* glance_external_fqdn

These default to the old values of kolla_internal_fqdn or kolla_external_fqdn.

This also adds a glance_api_listen_port option, which defaults to glance_api_port for backward compatibility. This option allows the user to differentiate between the port the service listens on, and the port the service is reachable on. This is useful for external load balancers which live on the same host as the service itself.

Change-Id: Icb91f728533e2db1908b23dabb0501cf9f8a2b75
Implements: blueprint service-hostnames
-
- Feb 04, 2019
-
-
Mark Goddard authored
The ironic TFTP server should be accessed via the internal API network. For ironic inspector, dnsmasq.conf advertises this correctly:

    dhcp-option=option:tftp-server,'api_interface_address'
    dhcp-option=option:server-ip-address,'api_interface_address'

However, ironic conductor does not set the [pxe] tftp_server variable. This means the TFTP server advertised gets the default value of $my_ip, which is set by https://docs.openstack.org/oslo.utils/latest/reference/netutils.html#oslo_utils.netutils.get_my_ipv4, typically the source IP for the default route.

This change sets [pxe] tftp_server to 'api_interface_address'.

Change-Id: Ic3e688b3f2b92ad9515322f49cd5f4f29d763e49
Closes-Bug: #1808347
-
- Aug 07, 2018
-
-
ZhongShengping authored
Option auth_uri from group keystone_authtoken is deprecated [1]. Use option www_authenticate_uri from group keystone_authtoken.

[1] https://review.openstack.org/#/c/508522/

Co-Authored-By: confi-surya <singh.surya64mnnit@gmail.com>
Change-Id: Ifd8527d404f1df807ae8196eac2b3849911ddc26
Closes-Bug: #1761907
-
- Aug 03, 2018
-
-
Will Miller authored
Ironic requires the Keystone credentials to communicate with Cinder if booting from volume. Change-Id: Id9a90d986e391e84c8ad918af371a5aef33a3524 Closes-Bug: #1785201
-
- Jul 17, 2018
-
-
Duong Ha-Quang authored
This patchset applies Ironic rolling upgrade logic [1][2]

[1] https://docs.openstack.org/ironic/latest/contributor/rolling-upgrades.html
[2] https://docs.openstack.org/ironic/latest/admin/upgrade-guide.html#rolling-upgrades

Depends-On: https://review.openstack.org/#/c/575594/
Co-author: Ha Manh Dong <donghm@vn.fujitsu.com>
Change-Id: Id68244951dc66d5c3423ef44324bd72058f4ba67
Implements: blueprint apply-service-upgrade-procedure
-
- Jun 26, 2018
-
-
Dmitry Tantsur authored
Both the driver and the enabled_drivers options are being removed this week. Stop setting them to avoid breakages. Change-Id: I0e0bf851424b8f5839b159ef83f1cc65c30e2fb3
-
- May 25, 2018
-
-
Will Szumski authored
When enable_ironic_ipxe is set in /etc/kolla/globals.yml, the following happens:

- a new docker container, ironic_ipxe, is created. This contains an apache webserver used to serve up the boot images
- ironic is configured to use ipxe

Change-Id: I08fca1864a00afb768494406c49e968920c83ae7
Implements: blueprint ironic-ipxe
-
- Apr 18, 2018
-
-
Kevin TIBI authored
If SSL is enabled, api of multiple services returns wrong external URL without https prefix. Removal of condition for deletion of http header. Change-Id: I4264e04d0d6b9a3e11ef7dd7add6c5e166cf9fb4 Closes-Bug: #1749155 Closes-Bug: #1717491
-
- Jan 22, 2018
-
-
Dai Dang Van authored
- Heat
- Ironic
- Magnum
- Manila
- Mistral

This will copy only yaml or json policy files if they exist.

Change-Id: I1ab71e2758dc99dd6654d433ece79600f0c44ce8
Implements: blueprint support-custom-policy-yaml
Co-authored-By: Duong Ha-Quang <duonghq@vn.fujitsu.com>
-
- Jan 04, 2018
-
-
Mark Goddard authored
Fixes a bug where the Baremetal Introspection service's public endpoint registered in the Identity service referenced the internal API endpoint. Also updates keystone endpoints for the Baremetal and Baremetal Introspection services during reconfigure and upgrade operations. Previously this was only done during deploy. Change-Id: I32d475f288bb4a3834c13cc86f0c53b5437c3d25 Closes-Bug: #1738418
-
- Nov 22, 2017
-
-
Andrew Smith authored
This commit separates the messaging rpc and notify transports in order to support separate and different oslo.messaging backends.

This patch:
* add rpc and notify variables
* update service role conf templates
* add example to globals.yaml
* add release note

Implements: blueprint hybrid-messaging
Change-Id: I34691c2895c8563f1f322f0850ecff98d11b5185
-
- Oct 09, 2017
-
-
jinxingfang authored
The admin_password and admin_user in the default section are discarded in code and are no longer used.

Change-Id: I1d31faf0781cb61d13aa6a76534e38783e4f920f
-
- Aug 29, 2017
-
-
jiangpch authored
*_ssh driver is not supported by ironic now, see: https://review.openstack.org/#/c/481688 Closes-Bug: #1713624 Change-Id: I49c6975c79e172e7c85560e597fee6cfa6372328
-
- Jul 25, 2017
-
-
Yotaro Konishi authored
This patch fixes a Jinja2 syntax error in ironic.conf.j2. All kolla-kubernetes configurations were recently removed by [1], but the commit overlooked removing a '{% endif %}' statement in ironic.conf.j2.

[1] cacf08f0

Change-Id: I115fedfd026f14409b62f9552ff401956909f8a8
Closes-Bug: #1706230
-
- Jul 19, 2017
-
-
Flavio Percoco authored
The Ironic templates and roles assume Keystone is enabled and they don't make use of the `enable_keystone` var. This patch changes the behavior so that `noauth` is used as auth method for Ironic if keystone is not enabled, the Ironic endpoint is not registered if keystone is not enabled and the keystone section is not created in the config file.

Change-Id: I813de42d10ac264eec81076cb107b58af09ff686
-
- Jul 18, 2017
-
-
Mark Goddard authored
This reverts commit 898155df. The default value of the ironic configuration option default_boot_option will eventually change from netboot to local. The netboot option is incompatible with multitenancy in ironic, as it requires a PXE environment in the tenant network, so it was no longer deemed a suitable default value. Ironic added a warning message when this option is not explicitly set, presumably to alert operators to the change. The commit being reverted set the option to 'netboot'. This will cause operators to continue to use the netboot option even after the default value changes, which was presumably not the intention of the ironic team in changing the default value. It also hides the warning message from the operator that could alert them to the fact that this default is changing. Change-Id: I0ebb1d5ffbead50b034488337e6c93a2f48aaf69 Related-Bug: #1696636
-
Jeffrey Zhang authored
kolla-kubernetes is using its own configuration generation [0], so it is time for kolla-ansible to remove the related code to simplify the logic.

[0] https://github.com/openstack/kolla-kubernetes/tree/master/ansible

Change-Id: I7bb0b7fe3b8eea906613e936d5e9d19f4f2e80bb
Implements: blueprint clean-k8s-config
-
- Jul 06, 2017
-
-
Bertrand Lallau authored
As described here:
https://github.com/openstack/keystone/blob/master/keystone/resource/core.py#L841
https://github.com/openstack/keystone/blob/master/keystone/conf/identity.py#L21

* default project domain name MUST be named 'Default'
* default project domain id MUST be named 'default'
* default project user name MUST be named 'Default'
* default project user id MUST be named 'default'

Change-Id: I610a0416647fdea31bb04889364da5395d8c8d74
-
- Jul 04, 2017
-
-
Mark Goddard authored
As of [1], the ironic configuration for neutron, glance, swift, inspector and service_catalog requires explicit configuration of authentication parameters for communication with these services.

This change adds the required parameters to [neutron], [glance] and [inspector] sections of ironic.conf. Kolla-ansible does not configure the [swift] or [service_discovery] sections currently.

We also replace option [glance] glance_hosts with [glance] glance_api_servers as the former is deprecated.

Since we no longer need to support generating configuration for kolla-kubernetes [2], some related options have been cleaned.

[1] https://github.com/openstack/ironic/commit/4f9035c24f0465be5728ed9a8a6df76cd6f46ed3
[2] https://blueprints.launchpad.net/kolla-ansible/+spec/clean-k8s-config

Change-Id: Ifc239af5f3e44a508fedc9dea08cb06160c4f7f3
Closes-Bug: #1701713
-
- Jun 21, 2017
-
-
shaofeng_cheng authored
Add webconsole support in ironic by pxe_ipmitool driver. Serial speed must be the same as the serial configuration in the BIOS settings, so that the operating system boot process can be seen in the web console. see: https://docs.openstack.org/project-install-guide/baremetal/draft/advanced.html#appending-kernel-parameters-to-boot-instances Change-Id: I967ed2f63a50d024c54e0762ec6c0ae09b66d6bd
-
- Jun 08, 2017
-
-
shaofeng_cheng authored
The default value of default_boot_option configuration will change eventually from "netboot" to "local". It is recommended to set an explicit value for it during the transition period Change-Id: Ic42b84e82d4ad27e371536ad9915b5a32118012d Closes-Bug: #1696636
-
- May 27, 2017
-
-
shaofeng_cheng authored
XenServer drivers can be used to deploy hosts with Ironic by using XenServer VMs to simulate bare metal nodes. Ironic provides support via the pxe_ssh and agent_ssh drivers for using a XenServer VM as a bare metal target and do provisioning on it. Change-Id: Icd39f9f4573cf7c8c654591256f0228ef21d6117
-
- May 23, 2017
-
-
Bertrand Lallau authored
The useful api_interface_address variable has been defined here:
https://github.com/openstack/kolla-ansible/blob/master/ansible/group_vars/all.yml#L57

In order to simplify the codebase we must use it as much as possible.

Change-Id: I18fec19bf69e05a22a4142a9cd1165eccd022455
-
- Mar 12, 2017
-
-
Jeffrey Zhang authored
* Ironic does not support multi glance ips.
* Write the nova-compute-ironic binary log to nova-compute-ironic.log file

Change-Id: I87359c47a5845c4d7a6ab9daaefcc94a51c92eb0
Closes-Bug: #1671989
-
- Feb 13, 2017
-
-
Serguei Bezverkhi authored
Fixing ironic configs for kolla-kubernetes Change-Id: Id1b1cc3bb3c1790a77f9449ec5b0b5d1c67f91e4 Closes-Bug: #1664269
-
- Feb 03, 2017
-
-
jangpro2 authored
Ironic supports collecting logs from IPA for debugging, but it's not defined in kolla. These are the default settings for collecting logs from IPA.

Closes-Bug: #1661468
Change-Id: Iccb47a70b12effb5a704435f334faee29538f9d2
Signed-off-by: jangpro2 <jangseon.ryu@gmail.com>
-
- Feb 02, 2017
-
-
jangpro2 authored
Currently it's not working in ironic-api, in spite of setting the openstack_service_workers config in globals.yml, because the workers setting is not implemented for ironic.

Closes-Bug: #1661173
Change-Id: I89de95fe03813ae44bcdbf9aac22b7337ffe4968
Signed-off-by: jangpro2 <jangseon.ryu@gmail.com>
-