  1. May 18, 2018
  2. May 17, 2018
  3. May 10, 2018
  4. Jan 17, 2018
  5. Dec 12, 2017
  6. Dec 01, 2017
  7. Nov 30, 2017
  8. Nov 29, 2017
  9. Nov 12, 2017
  10. Nov 09, 2017
  11. Nov 05, 2017
  12. Nov 04, 2017
  13. Nov 03, 2017
  14. Nov 02, 2017
  15. Oct 26, 2017
  16. Oct 25, 2017
  17. Oct 22, 2017
  18. Oct 17, 2017
    • Add memcache backend · 4b00281b
      Liam Young authored
      Install and configure memcached on the keystone units and configure
      keystone to use the cache. This should speed up token access for
      existing tokens.
      
      Change-Id: I26af0a97660e5bbe293a32e6b9e3d209338f905a
      Closes-Bug: #1722541
  19. Oct 11, 2017
  20. Sep 28, 2017
    • Snap install OpenStack in Charms · 8da85834
      David Ames authored
      Install OpenStack using snaps. By setting openstack-origin to
      snap:track/channel or snap:track the charm will use snaps to
      install rather than debs. If channel is left off it defaults to
      stable. For example: snap:ocata/edge will install the edge version of
      Ocata and snap:pike will install the stable version of Pike.
      
      Charm helpers sync for snap related helpers.
      
      Change-Id: I6e3540e4ffe081540404f91061e5c9b7039b3eac
  21. Aug 10, 2017
    • pki: conditional enablement of signing section · ee45612e
      James Page authored
      Only enable the [signing] section of the keystone configuration
      if PKI token format is in use; other token formats don't have
      support for token revocation retrieval.
      
      Note that PKI format tokens are no longer supported >= Pike.
      
      Change-Id: I8179ecc5d37d866588147f639ebc77a870408dfe
      Closes-Bug: 1709189
    • restructure · 0c764940
      Alberto Colla authored
  22. Jun 21, 2017
    • Use 'uuid' token provider configuration · 681047f3
      James Page authored
      Use the 'uuid' entry point for token configuration; this has been
      supported for some time and future proofs the charm against changes
      in the internals of keystone.
      
      Change-Id: I9f16a4b38487069379069c698d713f5b498eb718
  23. Feb 21, 2017
    • Update policy.json for Ocata · 67034c4d
      Frode Nordahl authored
      Refresh v2 and v3 portion of policy.json from upstream keystone
      repository @ commit
      d4a890a6c8bd6927e229f4b665a982a51c130073
      
      Add functional tests to verify effect of policy
      
      Update functional tests to use keystone_configure_api_version
      from charm-helpers
      
      Update functional tests to correctly validate cinder services
      when openstack release >= ocata
      
      Enable functional test for ocata, set appropriate cinder
      configuration.
      
      Change-Id: Idf07ff3a7c9d7e7eb30792719541319ab3426a41
      Closes-Bug: 1651989
      Closes-Bug: 1649446
  24. Jan 30, 2017
    • Enable domain specific drivers · 795ebdeb
      James Page authored
      Enable support for domain specific drivers, managed via
      configuration files (instead of directly using the API and
      database).
      
      Using multiple domains means that calls to users.list must
      be scoped to a specific domain; ensure that v3 calls to this
      method are appropriately scoped.
      
      Change-Id: I7ed84b7210597ab1633eba343a0c68741a5a8578
      Partial-Bug: 1645803
  25. Jan 18, 2017
    • Use common WSGI code from charm-helpers · b4ccea72
      Corey Bryant authored
      The WSGI template and context code has been moved to charm-helpers.
      This change updates the charm to use the common code from charm-helpers.
      
      Change-Id: I6a3efdb0811c8d50c657f6f8b923b076e3de6716
  26. Jan 12, 2017
    • Revert change of role for v3 service accounts · dd65408d
      Frode Nordahl authored
      More work is needed on policy changes before we can have fine
      grained RBAC for service accounts.
      
      Add service project to cloud_admin rule to maintain service access
      to admin-only calls.
      
      Change-Id: I3d6776ec821e97353d63d2709b36efd9091f0123
      Closes-Bug: 1655028
  27. Nov 24, 2016
    • Refresh keystone.conf and policy.json for Mitaka and Newton · 10e3d84e
      Frode Nordahl authored
      keystone.conf:
      - Change log_config to log_config_append DEPRECATED
      - Remove verbose DEPRECATED
      - Remove eventlet_server section DEPRECATED
      - Remove ec2 section, no longer available in Keystone
        It has been moved to the keystonemiddleware package
      - Update driver names. Using full module path is DEPRECATED
      - Add resource section and specify admin_project_domain_name
        and admin_project_name
      
      mitaka/policy.json:
      - Refresh from upstream stable/mitaka
      - Apply stricter rule:service_role
      - Allow identity:list_projects to rule:service_role
      
      newton/policy.json:
      - Refresh from upstream stable/newton
      - Apply stricter rule:service_role
      - Allow identity:list_projects to rule:service_role
      
      hooks/keystone_context.py:
      - Add admin_domain_name to Keystone context
      
      tests/basic_deployment.py:
      - Add config check for changes for Mitaka and newer releases
      
      Partial-Bug: 1636098
      Change-Id: Ib267418f34066eaf6e4885627010d2a18e312192
  28. Sep 27, 2016
    • Add default_domain_id for Keystone v3 deploys · ccf15398
      Liam Young authored
      The default_domain_id is used to specify a domain when the client
      hasn't explicitly set one. It defaults to 'default' which is fine
      for liberty and previous because the id of the default domain is,
      oddly, 'default' rather than a uuid. On Mitaka and higher it is
      a uuid so when keystone assumes the default domain's id is 'default'
      it fails.
      
      Change-Id: Iaa5e6a07a229815cf2281858cb68a4e120aa2af3
      Closes-Bug: 1626889
  29. Jul 13, 2016
  30. May 06, 2016
    • Fix missing keystone user in cron job. · ce794980
      Billy Olsen authored
      When use_syslog = False, the keystone-token-flush cronjob omits the
      keystone username in the cron tab file, which causes cron to skip
      the entry and report errors into the cron job. This change fixes
      the problem.
      
      Change-Id: I2e96eba9e55d9a7e3b9ade2090f88a74467ba334
      Closes-Bug: 1578914
  31. Apr 06, 2016
    • Run keystone with apache + mod_wsgi for liberty+ · 6a1c04a4
      Liam Young authored
      The Kilo release of openstack deprecated the eventlet wsgi server in favor of
      using apache with mod_wsgi. This change disables the keystone service and
      adds a vhost to the existing apache server to run keystone using mod_wsgi.
      
      Change-Id: I8125d8081c14550e86cd77b25185f27f500e368b
      Closes-Bug: 1515628