An arbitarary repository can currently be specified, but it was not yet
made clear in the documentation that a corresponding public key for
accessing this repository could be added. This change specifies that
under the description for the openstack-origin option. Public key can
be added by appending to the deb url, so the below example would work:
juju set openstack-origin nova-compute openstack-origin="deb http://ppa
.launchpad.net/billy-olsen/testfix-kilo/ubuntu vivid main|FA0FD8E1"

Change-Id: I262a2164d4f7b37b4185bdee650371de7be50a55
Closes-Bug: 1503440

When keystone is deployed with multiple units but without hacluster one
off scenarios occur where one non-leader unit will fail to update its
client relations.

This change runs all identity client relations when the database
relation is complete thus guaranteeing all keystone units update there
identity relation data with clients.

Small timing fix to amulet tests.

Closes-Bug: #1761562
Change-Id: I338e500dbc155b75c75b9261a9b5b471bd73088a

This tightens up the security on the SSL keys stored in
/etc/apache2/ssl/<service> to be no longer world readable.

Change-Id: I0951deff4ec95b1fc7f4389dc083c8957f8db6f0
Closes-Bug: #1761305

The comparison of bytes vs string of the CA certificate produces a
false negative. This leads to rewriting certificates and affecting
connectivity to services.

Read in the certificate as bytes as well for a bytes vs bytes
comparison.

Closes-Bug: #1762431

Change-Id: Ic226149cc124ac5b84ab30d95a590f08489c67f2

No-impact (besides satisfying my inner grammarian) change to exercise
gerrit workflow.

Change-Id: I962b9f202d650084d31e8f2258a8f0cdc5a8596a

Openstack PKI token support was dropped in the Pike release.
The following update ensures that PKI token validation is
only run if the release is supported when the sync leader
broadcasts any service credentials to its peers.

In this case; if the release is <= pike. then we can sync
token certs and ensure the pki permissions are valid.
Otherwise this action will be skipped.

Closes-Bug: 1759403
Change-Id: I3d8ba6d3cac3a3505a3722a5082c3a6933a9ef67

Remove soon-to-be deprecated release combos from amulet tests

Change-Id: I425410a41a86138b9e6d77e9273a2b10d541e8cc

As of pip 10.0, --allow-unverified is not permitted.

Use of the flag in this repo was previously used to force
installation of python-apt to accommodate certain unit tests.

The unverified package, python-apt, is no longer necessary
for test execution.

Related-Bug: #1760720

Change-Id: Ieca3f4978e947ce52d645ddab0f4523c90d03c75

The README documentation implies that use-https and
https-service-endpoints are required when enabling SSL/https
with your own CA, SSL cert, and key. Update the README and
config.yaml to explain that config options use-https and
https-service-endpoints should not be set when using ssl_*
config options.

Change-Id: I2e0140f909ef2c57182895f37cf191b6bc80157b
Closes-Bug: #1754682

The glance swift store configuration requires use of the domain
id for the service domain; update data set for identity-service
relation to include service_domain_id.

Change-Id: Ie6e2733f34de10a4d34b18dbf1fd9ba623af0e18
Closes-Bug: 1752027

Change-Id: I28e9aa3687e24cacb70a2a54f1306f6be86f4c74

For Queens keystone v2 has been dropped. V3 is the only valid API
version. The charm has already made this change. This change is to
bring the amulet test up to match by creating a separate class.

Charm-helpers sync

Enlarging the amulet timeout value.

Change-Id: I822624bdf45bfb060dd75ba3b10e71984bc10e48

A trivial change to test gerrit setup.

Change-Id: I7883eb1edd53fd3bd29dc878c667397ba6b4506a

Notable issues resolved:

openstack_upgrade_available() broken for swift
https://bugs.launchpad.net/charm-swift-proxy/+bug/1743847

haproxy context doesn't consider bindings
https://bugs.launchpad.net/charm-helpers/+bug/1735421

regression in haproxy check
https://bugs.launchpad.net/charm-helpers/+bug/1743287

Change-Id: Ia65aadc4b024802826d81953dec1183f3785a0eb

Drop support for deployment from Git repositories, as deprecated
in the 17.02 charm release.  This feature is unmaintained and has
no known users.

Change-Id: Ic054e29ef55d8890a3130af16b48f105efcf8f6a

Whenm generating a username associated with multiple charm the
username was derived from the keys of an unordered dict making the
username liable to change. This patch sorts the keys and makes the
username stable.

Change-Id: I0f857d7c2d5c4abf4843bc3fe1a9848164048fe2
Closes-Bug: #1739409

Remove postgresql DB support; This feature is untested as part
of the charms, is not in use and was deprecated as part of
the 1708 charms release.

Change-Id: Ia57a7358fd3567fe0250c45f3e00c07fa83f329c

Keystone@Queens removes support for the v2 API; switch default
to v3 API from Queens onwards and ensure that charm users can
only provide 3 as via the preferred-api-version for >= Queens.

Change-Id: I58fcbaa7fc385bef77544be349c7d461e3e5559b

The default HAProxy timeout values are fairly strict. On a busy cloud
it is common to exceed one or more of these timeouts. The only
indication that HAProxy has exceeded a timeout and dropped the
connection is errors such as "BadStatusLine" or "EOF." These can be
very difficult to diagnose when intermittent.

This charm-helpers sync pulls in the change to update the default
timeout values to more real world settings. These values have been
extensively tested in ServerStack. Configured values will not be
overridden.

Partial Bug: #1736171

Change-Id: I973962a5c1538b0d9afbebea8cebf50d938ecfb5

Bionic, being the next LTS, is important to enable for dev
and test as early as possible ahead of 18.02.

Zesty goes EOL in Jan 2018. The next stable charms release (18.02)
will not provide Zesty series support, as it was an interim
(non-LTS) release.

Change-Id: I02e8eb5c3c2f7fb08a0b6556db12e09b300f3a95

Change-Id: Ic6469d4af7edd755c22d4e31b87d9a36937d3134

Make default func27-smoke xenial-pike
Charm-helpers sync

Change-Id: I289d38e4170d204fbf9b0281b28be28c9e847e65

There was a race where the https apache2 site,
openstack_https_frontend.conf, would be rendered in one hook, then
subsequently the config-changed hook would run and enable that site.
However, the subsequent config-changed hook would see the template as
having not changed and therefore it would fail to restart apache2.
This lead to apache2 failing to listen on the correct ports.

This was due to CONFIGS.write_all() being called but a2ensite not
being called. This change fixes this race and adds a call to
configure_https() to ensure the configuration completes and apache2
is restarted.

Change-Id: I229d25c707a0630c9d609fd20a962a0de2e42c77
Closes-Bug: #1723892

ssl_ca is not necessary when ssl_cert is signed by
a trusted CA, such as GeoTrust, because a trusted
cert chain is in the system already. Users can just
provide ssl_cert and ssl_key to enable SSL endpoint
in that case.

Closes-Bug: #1711354
Change-Id: I4a34df1a2c2bf5705e02b713d968a22f4bbf57cf

Change-Id: I5d4ec43dd7eb3c2512d330262cceceda4c3a55eb
Closes-Bug: #1721200

This change ensures that any password expiry has been removed from
the user that runs unison to synchronize data. The fix is entirely
in charm-helpers so this patch is a simple sync.

Change-Id: I75d6ac0e9be19a87efe16a1095b1afd44f41dc17
Closes-Bug: #1686085

Install and configure memcached on the keystone units and configure
keystone to use the cache. This should speed up token access for
existing tokens.

Change-Id: I26af0a97660e5bbe293a32e6b9e3d209338f905a
Closes-Bug: #1722541

Ensure that a valid entry point is used for the uuid token
backend, resolving compatibility with later OpenStack releases.

Change-Id: I566e6a2e9c0aa1fc1afe02dbc9f899cfb0c7a9f6
Closes-Bug: 1722909

We are currently seeing amulet test runs fail due
to keystone ports not being open. This is a result
of haproxy not being restarted once its config has
been setup. This patch fixes this issue by catching
more cases where haproxy config can be changed.

Change-Id: I1d6aa20ba0415cb8bf37b07fd1b128f20a0f8720

The current charm design is to perform a sweep of all units
related on the identity-service interface to ensure that
they have all the correct setting values applied. If the
leader unit is deleted and a new one is elected this will
not happen until some event e.g. config-changed occurs. This
can result in remote units malfunctioning since they think they
are not configured. We resolve this by always doing a sweep when
the leader-elected hook fires.

Also fixes infinite loop edge case when ssl-cert-master switches
as a result of leader switch.

Change-Id: Icd68cc70d81d7d518c918e831056f686dbc7db1e
Closes-Bug: 1721269