Change-Id: I5d4ec43dd7eb3c2512d330262cceceda4c3a55eb
Closes-Bug: #1721200
(cherry picked from commit b4d8247f)

The current charm design is to perform a sweep of all units
related on the identity-service interface to ensure that
they have all the correct setting values applied. If the
leader unit is deleted and a new one is elected this will
not happen until some event e.g. config-changed occurs. This
can result in remote units malfunctioning since they think they
are not configured. We resolve this by always doing a sweep when
the leader-elected hook fires.

Also fixes infinite loop edge case when ssl-cert-master switches
as a result of leader switch.

Also includes cherry-pick of commit:
- ID: a59de539
- Title: Fix issue with haproxy not restarted

Change-Id: Icd68cc70d81d7d518c918e831056f686dbc7db1e
Closes-Bug: 1721269
(cherry picked from commit 68a0c872)

Set default branch for git review/gerrit.

Switch amulet tests to stable.

Switch to using stable charm-helpers branch.

Change-Id: I91b95577f1f3963541f6196381e2ce881847a19f

Reset the os_release cache during the OpenStack upgrade process,
ensuring that any post dist-upgrade operations are made in the
context of the new OpenStack release, not the old one.

Change-Id: I3d3584dd8e97f85e16c38e1143f627b03fa63bd0
Closes-Bug: 1715624

The cluster-change-departed hook is tied to the cluster-changed
hook. In the cluster changed hook, there is logic to ensure the
initial admin exists which makes calls to the keystone service.
If the remote database has already been removed (as seen in recent
CI runs), then this will cause the hook to fail execution.

This is safe to remove as the primary purpose of the cluster-changed
hook is to sync the SSL keys and update identity relation units.
There should be no need to sync the keys when a unit is departing
the cluster relation. Likewise, the update of the identity relations
are not needed either as the VIP is used for access to the keystone
services by remote units and the access credentials won't change.

Change-Id: Id8fed284557f67f5676189ec8951b778cf506c97
Closes-Bug: #1713108

Change-Id: I9bd7bf8f07690e89e1f6f9acaafa7ed1a1458526

Change-Id: Ide22dd42fcdc1969c988cdc6eb1a37f6e3c05c0e

Unconfigured keystone service listening on ports destined for haproxy
race with start of haproxy service.

Change-Id: I9f601344e72bd67738429f82151f9683f5ecf8e4
Closes-Bug: #1648396

The code relies on a undocumented (and probably unstable) feature
of CPython to close a file when the reference is GCed.  However,
it's pretty poor practice to do so, so this patchset replaces them
with "with ..." statements to ensure that the files are closed
when no longer being used.

Change-Id: I6f24bc042a820ddd0147247267ee159753cfc1fb

Merge "Modify tests.yaml which specifies bundletester config params with the following key:value pairs:"

Enable dual stack IPv4 and IPv6 VIPs on the same interface.
HAProxy always listens on both IPv4 and IPv6 allowing connectivity
on either protocol.

Update edge cases for is_ssl_cert_master for Bug #1709356.

Update amulet tests for keystoneauth1 tests.

charm-helpers sync for HAProxy template changes.

Closes-Bug: #1709356

Change-Id: I401071fcdd66252f389475d45e8136fc68c474f1

with the following key:value pairs:

- reset_timeout: 600

Change-Id: I7bbb42430bfef4ab658901f86db120ab162de560

Add Panko service to the supported services to support Panko charm
deployment.

Change-Id: Ief1829768bfd9db20923d5684ce621095832e3db

Add gnocchi service to catalog of supported service types
to support gnocchi charm deployment.

Change-Id: I9946374ed42eeb3b580d4b66fc00d16b72da12eb

Use the 'uuid' entry point for token configuration; this has been
supported for some time and future proofs the charm against changes
in the internals of keystone.

Change-Id: I9f16a4b38487069379069c698d713f5b498eb718

Change-Id: I62d6452cf1372afeb99a1e1d9fb8d90adaf8909d

Update charm icon with new version that fits with new circular
design for Juju GUI.

Change-Id: I679de2a437dfb13c3f9cb824ab52b5aaf5787c6b
Closes-Bug: 1686947

Resync charmhelpers for pike version support.

Add pike tests but leave disabled until all charms support pike.

Add support for volumev3 service type for Cinder.

Skip execution of PKI setup for >= pike as its been dropped from
keystone.

Change-Id: I9a4e452cc7b1b90126d1885c37f5a64b8241479d

Use the get_relation_ip function for selecting addresses for the
cluster relationship. Including overrides for the admin, internal,
and public config settings or extra bindings.

Change-Id: I6d92523be1707549751d7153cd395f7bae217952
Partial-Bug: #1687439

- Turn on Zesty-Ocata Amulet test definitions.
- Standardize test-requirements.txt
- Sync charm helpers for various fixes

Change-Id: Ia86ed2cf9557d9eb11f577d641eb3e6920ff9e3e

- sync charmhelpers with fix-alpha helpers
- fix up code where the alpha comparisons are done
- fix tests which assumed mocks would just work on os_release()

Change-Id: I9f4a3b15e53c757c2ae5ffb2eb45b6cdaecf4c8e
Related-Bug: #1659575

When the percona-cluster charm sets an access-network but the default
unit-get address is not on that network extra shared-db relations get
executed. This is specifically a problem when running upgrades and
trying to avoid API downtime.

The root cause is that the access-network is not checked until the
SharedDBContext is consulted. But then db_joined function will
change it back to the wrong ip on subsequent runs.

This change adds a check for access-network on the relation during
the db_joined function and pushes IP selection off to
get_relation_ip.

Charm helpers sync to pull in changes to get_relation_ip.

Change-Id: If1246bbe68d231df0aefea45598dc8c7cd904b87
Partial-bug: #1677647

Resync charm-helpers to pickup the latest code for calculation
of worker process configuration, creating better default
worker configuration when deploying in LXD containers.

Switch the skew between public and admin processes to favour
public 0.75/0.25 as the public API endpoints of a service will
typically get a larger number of hits.

Fixup unit test for minor behavioural change in charm-helpers.

Change-Id: I4ab1d28f907ce29d5602b48ba7a438fc3690277c
Closes-Bug: 1665270
Closes-Bug: 1686049

This is needed for Contrail 3.2

Change-Id: Id27d3b21a31a03d285d33986e8653fbd772d1e39

This ensures that if the config changes and for example
os-admin-network is set/changed then that info will be
propagated to the cluster relation as required by things
like HAProxyContext to properly configure backends.

Change-Id: Ia820b7dc86ba081b6737007f63e5c1a7789fba0c
Closes-Bug: 1641870

It is possible for the keystone charm to poll identity-relation
before their remote unit has set values. This patch fixes a
corner cases that cause a hook exception under this
circumstance.

Change-Id: I3339870b87adcd712a341ae5074b4af1e924f64a
Closes-Bug: 1674786

- Add Zesty as a supported series to metadata.yaml.
- Turn on Xenial-Ocata Amulet test definitions.
- Sync charm helpers to get Juju 2.x amulet compatibility.
- Keeping Zesty-Ocata Amulet test definitions turned off until the
  metadata.yaml changes propagate to the charm store.

Change-Id: If89406dabee66cfcf395bbb214457bdd1e576aad

Refresh v2 and v3 portion of policy.json from upstream keystone
repository @ commit
d4a890a6c8bd6927e229f4b665a982a51c130073

Add functional tests to verify effect of policy

Update functional tests to use keystone_configure_api_version
from charm-helpers

Update functional tests to correctly validate cinder services
when openstack release >= ocata

Enable functional test for ocata, set appropriate cinder
configuration.

Change-Id: Idf07ff3a7c9d7e7eb30792719541319ab3426a41
Closes-Bug: 1651989
Closes-Bug: 1649446

Check if VIP or dns-ha is set to determine if the unit expects to be
in HA. This is less racey that just checking for the ha relation.
Wait until clustered to run the client relation hooks.

This fixes bugs where client charms receive the private-address
rather than the VIP on initial client relations.

Charmhelper sync.

Change-Id: I48b15113360ef892e38235ec4518173ec78ad143
Partial-bug: #1661392

When the keystone charm is upgraded the apache mod_wisgi
configuration file name has changed. With duplicate configuration
files apache fails to start up. Generalize the function
disable_unused_apache_sites to handle any sites we may need cleaned
up now or in the future.

Change-Id: I13111bf9788ba3bfbef3efedb7b027323c84a6b8
Closes-bug: #1665044

Also fix and improve the README on https in the keystone charm.

Change-Id: I42e12d8d0c159e9f2d66523b17d144c1e912e676
Closes-Bug: 1647193

Change-Id: I9f4952e222138bcb5f23c0c40cfce5deb07bf61a

The lack of zaqar in the valid_services dict leads to an error if
it tries to establish a relationship with keystone.

Change-Id: I8dcf14c103bf4d8a70d2f580e7743f3374f4327b