Due to an incompatibility between oslo.messaging and new kombu/amqp mix -
Nova RMQ TLS is not working. See [1] and [2].

[1]: https://launchpad.net/bugs/1902696
[2]: https://review.opendev.org/#/c/761194/

Change-Id: Ibffd96fe008b6fcefcd73ac3c1bc579507dca5c7

UPPER_CONSTRAINTS_FILE is old name and deprecated
This allows to use lower-constraints file as more
readable way instead of UPPER_CONSTRAINTS_FILE=<lower-constraints file>.

  -https://zuul-ci.org/docs/zuul-jobs/python-roles.html#rolevar-tox.tox_constraints_file

Change-Id: Ia33b5dcaddee1414b4c79a50595970745d31c8db

UPPER_CONSTRAINTS_FILE is old name and deprecated
-https://zuul-ci.org/docs/zuul-jobs/python-roles.html#rolevar-tox.tox_constraints_file
This allows to use lower-constraints file as more
readable way instead of UPPER_CONSTRAINTS_FILE=<lower-constraints file>.

[1] https://review.opendev.org/#/c/722814/

Change-Id: I10cf355191f4060eda95c6a8ee3abaaf28d16a74

just like the ". /etc/kolla/admin-openrc.sh" [1]

[1]: https://github.com/openstack/kolla-ansible/blob/master/doc/source/user/quickstart.rst

Change-Id: I9c288f31c36654f2ec49e6b3b0fcfc1178e4ad90

TrivialFix

Change-Id: I8bfdfa3102e126563ded04a0c0ed4284436701d8

Change-Id: I733d412ba6c92c2c9bcc2e9681d6ac8333fb661b
Implements: blueprint implement-automatic-deploy-of-octavia

fix the rest of  mistakes, and remove duplicated line.

Change-Id: Id50dfd9cfa794526bdb69ee6372a29c0584310d3

The openstack Ussuri and Victoria versions no longer support the
Centos7 and pyrhon2 environment packages. Correct the missing
problems in the latest document

Change-Id: I55fd1bf451d2bdae696ab32d1faffaba72701229

During a deploy, if keystone Fernet key rotation happens before the
keystone container starts, the rotation may fail with 'permission
denied'. This happens because config.json for Keystone sets the
permissions for /etc/keystone/fernet-keys.

This change fixes the issue by also setting the permissions for
/etc/keystone/fernet-keys in config.json for keystone-fernet and
keystone-ssh.

Change-Id: I561e4171d14dcaad8a2a9a36ccab84a670daa904
Closes-Bug: #1888512

Currently we check the age of the primary Fernet key on Keystone
startup, and fail if it is older than the rotation interval. While this
may seem sensible, there are various reasons why the key may be older
than this:

* if the rotation interval is not a factor of the number of seconds in a
  week, the rotation schedule will be lumpy, with the last rotation
  being up to twice the nominal rotation interval
* if a keystone host is unavailable at its scheduled rotation time,
  rotation will not happen. This may happen multiple times

We could do several things to avoid this issue:

1. remove the check on the age of the key
2. multiply the rotation interval by some factor to determine the
   allowed key age

This change goes for the more simple option 1. It also cleans up some
terminology in the keystone-startup.sh script.

Closes-Bug: #1895723

Change-Id: I2c35f59ae9449cb1646e402e0a9f28ad61f918a8

Change-Id: I8e3e0268faae871a197dc01d1c9447d00ef5d1e0

The correct path according to Ubuntu cron manpage [1] is
/var/spool/cron/crontabs/$USER

[1]: http://manpages.ubuntu.com/manpages/trusty/man8/cron.8.html

Closes-Bug: #1898765
Change-Id: Id5fc354e3e32cae2468cd2557a2967859e3b4e16

Nova has reversed their deprecation of the VMware driver, and the Kolla
community has shown an interest in it.

Change-Id: I82f1074da56ed16c08317d1f92ed7f0a6f4a149a

trivial fix

Change-Id: Id6f06bb746fd211a58692c58540c7fd6eef20002

Config plays do not need to check containers. This avoids skipping
tasks during the genconfig action.

Ironic and Glance rolling upgrades are handled specially.

Swift and Bifrost do not use the handlers at all.

Partially-Implements: blueprint performance-improvements
Change-Id: I140bf71d62e8f0932c96270d1f08940a5ba4542a

Add TLS support for backend Neutron API Server communication using
HAProxy to perform TLS termination. When used in conjunction with
enabling TLS for service API endpoints, network communication will be
encrypted end to end, from client through HAProxy to the Neutron
service.

Change-Id: Ib333a1f1bd12491df72a9e52d961161210e2d330
Partially-Implements: blueprint add-ssl-internal-network

Change-Id: I639145a709f1d3b9882bbdfb20a754646d1f5270

remove redundant space line
replace octavia user with {{ octavia_keystone_user }}

Change-Id: I284acc580a1a530eede3e0227febe8667dea5d47

If iptables is not installed, e.g. in the CentOS 8 cloud image, and
Docker iptables management is enabled, we get the following errors:

Failed to find iptables: exec: \"iptables\": executable file not found
in $PATH failed to start daemon: Error initializing network controller:
error obtaining controller instance: failed to create NAT chain DOCKER:
Iptables not found

This change installs the iptables package Docker iptables management is
enabled.

Change-Id: I3ba5318debccafb28c3cbce8e4e9813c28b086fc
Closes-Bug: #1899060

This fixes the `certificates` command to not include CSRs in
the haproxy bundle.
The regex was wrong.

Change-Id: If25a6d5dd40f507fea4470be01baeeb7c8a790b4

we use octavia user to upload image currently, so it is better to
create a octavia openrc file for user

Implements: blueprint implement-automatic-deploy-of-octavia

Change-Id: Ib53d00fa4a6ee59b8a0b2245f83786a6af0cbf53

implemented as a separate command (kolla-ansible octavia-certificates)

Implements: blueprint implement-automatic-deploy-of-octavia

Co-Authored-By: wu.chunyang <wuchunyang@yovole.com>
Co-Authored-By: Radosław Piliszek <radoslaw.piliszek@gmail.com>

Change-Id: I2c5b26ce9e363f35c523865904a582f7960aa682