Add TLS support for Glance api using HAProxy to perform TLS termination.

Change-Id: I77051baaeb5d3f7dd9002262534e7d35f3926809
Partially-Implements: blueprint add-ssl-internal-network

This patch updates the octavia controller deployment to use the
latest octavia certificate configuration guide [1]. The dual CA changes
were introduced in Train.

[1] https://docs.openstack.org/octavia/latest/admin/guides/certificates.html

Change-Id: If89ec0d631568db70690f1a69d00115c59abe678
Closes-Bug: #1862133

Change-Id: Ie3022d1721f43dc84e4228331d0d2f6f3a3c7ebd
Closes-Bug: 1875613

Debian defaults to Python2 which is not complete in aarch64 images.
This patch changes CI to always use Python3.

We need to install several Python modules to have working ussuri jobs.

"Failed to import the required Python library (setuptools) on primary's Python /usr/bin/python3."

And then several Python2 ones for train->ussuri upgrade jobs:

"Unable to find any of pip2 to use. pip needs to be installed."

Change-Id: Ia0d3ff15d97d1cabbb0b8e7f32e8712ca3f94732

Change-Id: I18f8855a758703968aba032add68add24b31f673
Closes-bug: #1875588

The octavia service communicates to the barbican service with
public endpoint_type by default[1], it should use internal
like other services.

[1] https://github.com/openstack/octavia/blob/0056b5175f89070164849501ec6d960549b95e34/octavia/common/config.py#L533-L537

Closes-Bug: #1875618
Change-Id: I90d2b0aeac090a3e2366341e260232fc1f0d6492

Adds necessary "region_name" to octavia.conf when
"enable_barbican" is set to "true".

Closes-Bug: #1867926

Change-Id: Ida61cef4b9c9622a5e925bac4583fba281469a39

Since haproxy is orchestrated via site.yml in a single play,
it does not need flushing handlers as handlers run will
happen at the end of this play.

Change-Id: Ia3743575da707325be93c39b4a2bcae9211cacb2
Related-Bug: #1864810
Closes-Bug: #1875228

Follow-up on [1] "Avoid multiple haproxy restarts after
reconfiguration".

There is no need to duplicate handler name in listen.
The issue was because we had two handlers with the same
name in the same environment.
This causes Ansible not to mark handler as already run.

[1] https://review.opendev.org/708385

Change-Id: I5425a8037b6860ef71bce59becff8dfe5b601d4c
Related-Bug: #1864810

Removes and/or replaces all mentions of py27.

Cleans up obsolete requirements and their lower-constraints.

Separates test-requirements.

Makes lower-constraints pass outside of CI (MarkupSafe).

Adds FIXMEs about some hacky Mocks that may misbehave.

Change-Id: Ifc090bf3c1db17d8542ee591c91e8225a597bfe2

Update Skydive Analyzer's configuration to use Keystone as its backend
for authenticating users.  Any user with a role in the project defined
by the variable skydive_admin_tenant_name will be able to access
Skydive.

Change-Id: I64c811d5eb72c7406fd52b649fa00edaf2d0c07b
Closes-Bug: 1870903

Adds a support matrix page to documentation.

Change-Id: Ia783f7c42219617cde2accd3f1db013c9bda7679

Bashate warned on init-swift.sh because of E043 -- arithmetic
compound has inconsistent return semantics: (( next_port++ ))
New Zuul reported that on every change as a warning.
This is fixed here.

This change makes Bashate always produce errors so that we do not
introduce such warnings again.

Change-Id: I40166b377ec2580e17901375b636183bca492d3a

This patch introduces an optional backend encryption for Heat
service. When used in conjunction with enabling TLS for service API
endpoints, network communcation will be encrypted end to end, from
client through HAProxy to the Heat service.

Change-Id: Ic12f7574135dcaed2a462e902c775a55176ff03b
Partially-Implements: blueprint add-ssl-internal-network
Depends-On: https://review.opendev.org/722028/

Just making it slightly more readable - there was an extra 'an'.

TrivialFix

Change-Id: I488f702449e217335321988874b6c3ee3136f497
Signed-off-by: Raimund Hook <openstack@sting-ray.za.net>

Add privileged capability to cyborg agent.

Change-Id: Id237df1acb1b44c4e6442b39838058be1a95fcc6
Closes-bug: #1873715

Looks like none of supported distros has it so why bother?

Change-Id: I3411c00664eac4e5ba9b79bff39f3d8b7514ad24

Change-Id: I150c8952aad7b6fdb1260b343c26a96fb2360bce