This patchset implements policy overrides for keystone.  It uses the
code in charmhelpers.

Closed-Bug: #1741723
Change-Id: I187f4493392178d87ef7dbd67de841bbeae0c65d

Change-Id: I6216604292a41c0a65509716d5ead0bb022247d2

Change-Id: Iad76ecbb4850941bc9b184f4d0327f1a18b3770a

When ``certificates-relation-changed`` hook is called before the
certificate data is present on the relation do not attempt to
configure apache.

Change-Id: If915451d4b0846023355edcf3a49f643e12c7522
Closes-Bug: #1822952

Change-Id: Iaa7db0b453c7697ad10347721d1005d816562be6

As a part of the Stein release, we need to ensure
that charmhelpers is up to date.

Change-Id: I151549108c53572868c796e452c5dc3dd7f8133d

The latest audit updates allow Keystone to pass the
file-ownership and file-permissions audits.

Change-Id: Ib274ba7fcf8c4a299cda3509cc87a10bff990142
Func-Test-PR: https://github.com/openstack-charmers/zaza/pull/204

This charm adds the general ownership audits, as well
as keystone specific security checklist audits.

Change-Id: Iee093b36c54081f14a07c95e677ea08c72d72ca4

Using the new version of the sync tool which removes the charmhelpers
directory before syncing, run charm helpers sync to find any unexpected
missing dependencies.

Change-Id: I3ba0142a09966c3cf61bec547668db6d357a916e

Change-Id: I88636002d5038c6a5b4f87635a15393f8f1d8910

Change-Id: If60057b137f1eea7059dff87c089e6ebd098ea9c

Change-Id: I0af42ea9642f3bd9181d729d73219753621e29be
Closes-Bug: #1810910

Change-Id: Id77f0e887afb781ca8602eb41888e607f25bb6e8

Use the generate_ha_relation_data helper from charmhelpers to
generate the data to send down the relation to the hacluster
charm.

This results in a few changes in behaviour:

1) The charm will no longer specify a nic name to bind the vip. This
   is because Pacemaker VIP resources are able to automatically
   detect and configure correct iface and netmask parameters based
   on local configuration of the unit.
2) The original iface named VIP resource will be stopped and deleted
   prior to the creation of the new short hash named VIP resource.

Change-Id: I906e96ad8cbcf2ca2d1cdbfd091070c21427214c

Due to a change to PY3, the charmhelpers directory is not in the
CHARMDIR rather than in CHARMDIR/hooks.  This broke the
copy_nrpe_checks() function in c-h.  c-h has been updated, to look in
both CHARMDIR and CHARMDIR/hooks for the charmhelpers directory, and
this patchset includes the new function definition.

Change-Id: Ifc0baabee4e06b79015e02b95634bce879ae84af
Closes-Bug: #1796830

Change-Id: Ieb4af8c1d48c009232905506c102f5e0df67c24f

Switch package install to Python 3 for OpenStack Rocky or later.

When upgrading, remove any python-* packages that were explicitly
installated and then autoremove --purge any dependencies that are
no longer required.

Also drop the python2 shebang from hooks/manager.py in favor of
specifying the interpreter on the subprocess call. The python
interpreter version must match the python version of the OpenStack
payload due to the keystoneclient library imports.

Depends-On: I18996e15d2d08b1dacf0533132eae880cbb9aa32
Change-Id: If973ebc2be3b32ee3ff2122b5874dad96cda9fec

At present the Keystone charm frequently initiates updates to its
relations before it has reached a stable state.

Make use information from ``juju goal-state`` to predict scale and gate
initial update of relations on having reached expected scale.

Depends-On: https://github.com/juju/charm-helpers/pull/226
Change-Id: I96d4aff7c4ec9fb9ea160c7e294581bab3103df8

Add a tactical change which is already merged into charm-helpers.

This needs to go into all charms to solve the chicken:egg issue
where cosmic is untestable until this change exists.

Reference:

https://github.com/juju/charm-helpers/commit/4835c6c167c429527ef0a0291d17cf559c9cf880

Change-Id: If4c1f27b7e5da8dbd8352aed629e9b483f67d8c1

Implement the series-upgrade feature allowing to move between Ubuntu
series.

Change-Id: I77aebf205cb88ae4da4cdbb33b9336b21c31ee32

Change-Id: I4429687492dbac75dcbf9310d2144f8f6dcf9c79

Change-Id: Ibf8a509de4ce49700aa0207b9401dff43e4cb8fd

Add support for keystone to request and receive certificates from
the ls-certificates relation.

Change-Id: I6222e5eb9c8a0a5f079ecc2e5e5c97abc1c39515

Retry keystone_wait_for_propagation() on exception.

Closes-Bug: #1668954
Change-Id: I5e5689dbd5cd974b11e017b6d0f06575cabcceb2

There was a mid-air collision with charm helpers syncs. The critical
piece is the removal of a second stats socket line from the haproxy
templates which breaks on trusty.

All other amulet tests that include keystone will fail on trusty until
this is landed.

Change-Id: Ide3b7cbda238b9a7b93f0625c21d43335bc10e81

Change bionic test from dev to gate for 18.05.

Change-Id: I1cea7c9773a06eafa84ec6e4303cfc49219823a7

Change-Id: I936d8ea071ca4d72f525094ff2ae7bae52f73ee2

This tightens up the security on the SSL keys stored in
/etc/apache2/ssl/<service> to be no longer world readable.

Change-Id: I0951deff4ec95b1fc7f4389dc083c8957f8db6f0
Closes-Bug: #1761305

The comparison of bytes vs string of the CA certificate produces a
false negative. This leads to rewriting certificates and affecting
connectivity to services.

Read in the certificate as bytes as well for a bytes vs bytes
comparison.

Closes-Bug: #1762431

Change-Id: Ic226149cc124ac5b84ab30d95a590f08489c67f2

Openstack PKI token support was dropped in the Pike release.
The following update ensures that PKI token validation is
only run if the release is supported when the sync leader
broadcasts any service credentials to its peers.

In this case; if the release is <= pike. then we can sync
token certs and ensure the pki permissions are valid.
Otherwise this action will be skipped.

Closes-Bug: 1759403
Change-Id: I3d8ba6d3cac3a3505a3722a5082c3a6933a9ef67

Change-Id: I28e9aa3687e24cacb70a2a54f1306f6be86f4c74

For Queens keystone v2 has been dropped. V3 is the only valid API
version. The charm has already made this change. This change is to
bring the amulet test up to match by creating a separate class.

Charm-helpers sync

Enlarging the amulet timeout value.

Change-Id: I822624bdf45bfb060dd75ba3b10e71984bc10e48

Notable issues resolved:

openstack_upgrade_available() broken for swift
https://bugs.launchpad.net/charm-swift-proxy/+bug/1743847

haproxy context doesn't consider bindings
https://bugs.launchpad.net/charm-helpers/+bug/1735421

regression in haproxy check
https://bugs.launchpad.net/charm-helpers/+bug/1743287

Change-Id: Ia65aadc4b024802826d81953dec1183f3785a0eb

Drop support for deployment from Git repositories, as deprecated
in the 17.02 charm release.  This feature is unmaintained and has
no known users.

Change-Id: Ic054e29ef55d8890a3130af16b48f105efcf8f6a

The default HAProxy timeout values are fairly strict. On a busy cloud
it is common to exceed one or more of these timeouts. The only
indication that HAProxy has exceeded a timeout and dropped the
connection is errors such as "BadStatusLine" or "EOF." These can be
very difficult to diagnose when intermittent.

This charm-helpers sync pulls in the change to update the default
timeout values to more real world settings. These values have been
extensively tested in ServerStack. Configured values will not be
overridden.

Partial Bug: #1736171

Change-Id: I973962a5c1538b0d9afbebea8cebf50d938ecfb5

Change-Id: Ic6469d4af7edd755c22d4e31b87d9a36937d3134

Make default func27-smoke xenial-pike
Charm-helpers sync

Change-Id: I289d38e4170d204fbf9b0281b28be28c9e847e65