Enable dual stack IPv4 and IPv6 VIPs on the same interface.
HAProxy always listens on both IPv4 and IPv6 allowing connectivity
on either protocol.

Update edge cases for is_ssl_cert_master for Bug #1709356.

Update amulet tests for keystoneauth1 tests.

charm-helpers sync for HAProxy template changes.

Closes-Bug: #1709356

Change-Id: I401071fcdd66252f389475d45e8136fc68c474f1

Add Panko service to the supported services to support Panko charm
deployment.

Change-Id: Ief1829768bfd9db20923d5684ce621095832e3db

Add gnocchi service to catalog of supported service types
to support gnocchi charm deployment.

Change-Id: I9946374ed42eeb3b580d4b66fc00d16b72da12eb

Use the 'uuid' entry point for token configuration; this has been
supported for some time and future proofs the charm against changes
in the internals of keystone.

Change-Id: I9f16a4b38487069379069c698d713f5b498eb718

Change-Id: I62d6452cf1372afeb99a1e1d9fb8d90adaf8909d

Update charm icon with new version that fits with new circular
design for Juju GUI.

Change-Id: I679de2a437dfb13c3f9cb824ab52b5aaf5787c6b
Closes-Bug: 1686947

Resync charmhelpers for pike version support.

Add pike tests but leave disabled until all charms support pike.

Add support for volumev3 service type for Cinder.

Skip execution of PKI setup for >= pike as its been dropped from
keystone.

Change-Id: I9a4e452cc7b1b90126d1885c37f5a64b8241479d

Use the get_relation_ip function for selecting addresses for the
cluster relationship. Including overrides for the admin, internal,
and public config settings or extra bindings.

Change-Id: I6d92523be1707549751d7153cd395f7bae217952
Partial-Bug: #1687439

- Turn on Zesty-Ocata Amulet test definitions.
- Standardize test-requirements.txt
- Sync charm helpers for various fixes

Change-Id: Ia86ed2cf9557d9eb11f577d641eb3e6920ff9e3e

- sync charmhelpers with fix-alpha helpers
- fix up code where the alpha comparisons are done
- fix tests which assumed mocks would just work on os_release()

Change-Id: I9f4a3b15e53c757c2ae5ffb2eb45b6cdaecf4c8e
Related-Bug: #1659575

When the percona-cluster charm sets an access-network but the default
unit-get address is not on that network extra shared-db relations get
executed. This is specifically a problem when running upgrades and
trying to avoid API downtime.

The root cause is that the access-network is not checked until the
SharedDBContext is consulted. But then db_joined function will
change it back to the wrong ip on subsequent runs.

This change adds a check for access-network on the relation during
the db_joined function and pushes IP selection off to
get_relation_ip.

Charm helpers sync to pull in changes to get_relation_ip.

Change-Id: If1246bbe68d231df0aefea45598dc8c7cd904b87
Partial-bug: #1677647

Resync charm-helpers to pickup the latest code for calculation
of worker process configuration, creating better default
worker configuration when deploying in LXD containers.

Switch the skew between public and admin processes to favour
public 0.75/0.25 as the public API endpoints of a service will
typically get a larger number of hits.

Fixup unit test for minor behavioural change in charm-helpers.

Change-Id: I4ab1d28f907ce29d5602b48ba7a438fc3690277c
Closes-Bug: 1665270
Closes-Bug: 1686049

This is needed for Contrail 3.2

Change-Id: Id27d3b21a31a03d285d33986e8653fbd772d1e39

This ensures that if the config changes and for example
os-admin-network is set/changed then that info will be
propagated to the cluster relation as required by things
like HAProxyContext to properly configure backends.

Change-Id: Ia820b7dc86ba081b6737007f63e5c1a7789fba0c
Closes-Bug: 1641870

It is possible for the keystone charm to poll identity-relation
before their remote unit has set values. This patch fixes a
corner cases that cause a hook exception under this
circumstance.

Change-Id: I3339870b87adcd712a341ae5074b4af1e924f64a
Closes-Bug: 1674786

- Add Zesty as a supported series to metadata.yaml.
- Turn on Xenial-Ocata Amulet test definitions.
- Sync charm helpers to get Juju 2.x amulet compatibility.
- Keeping Zesty-Ocata Amulet test definitions turned off until the
  metadata.yaml changes propagate to the charm store.

Change-Id: If89406dabee66cfcf395bbb214457bdd1e576aad

Refresh v2 and v3 portion of policy.json from upstream keystone
repository @ commit
d4a890a6c8bd6927e229f4b665a982a51c130073

Add functional tests to verify effect of policy

Update functional tests to use keystone_configure_api_version
from charm-helpers

Update functional tests to correctly validate cinder services
when openstack release >= ocata

Enable functional test for ocata, set appropriate cinder
configuration.

Change-Id: Idf07ff3a7c9d7e7eb30792719541319ab3426a41
Closes-Bug: 1651989
Closes-Bug: 1649446

Check if VIP or dns-ha is set to determine if the unit expects to be
in HA. This is less racey that just checking for the ha relation.
Wait until clustered to run the client relation hooks.

This fixes bugs where client charms receive the private-address
rather than the VIP on initial client relations.

Charmhelper sync.

Change-Id: I48b15113360ef892e38235ec4518173ec78ad143
Partial-bug: #1661392

When the keystone charm is upgraded the apache mod_wisgi
configuration file name has changed. With duplicate configuration
files apache fails to start up. Generalize the function
disable_unused_apache_sites to handle any sites we may need cleaned
up now or in the future.

Change-Id: I13111bf9788ba3bfbef3efedb7b027323c84a6b8
Closes-bug: #1665044

Also fix and improve the README on https in the keystone charm.

Change-Id: I42e12d8d0c159e9f2d66523b17d144c1e912e676
Closes-Bug: 1647193

Change-Id: I9f4952e222138bcb5f23c0c40cfce5deb07bf61a

The lack of zaqar in the valid_services dict leads to an error if
it tries to establish a relationship with keystone.

Change-Id: I8dcf14c103bf4d8a70d2f580e7743f3374f4327b

Support configuration of domains via suboridnate charms that
implement the new 'keystone-domain-backend' relation type; these
charms will create domain specific configuration files in
/etc/keystone/domains, and will notify the keystone charm when
configuration is complete, and the domain is ready for creation
in the keystone database.

Subordinate charms can also request a restart of keystone by
setting or changing the value of the 'restart-nonce' key in the
relation.

Change-Id: Ia2b171e910d7f3a5e6e09ba5b18dddc0a734e57a
Partial-Bug: 1645803

Enable support for domain specific drivers, managed via
configuration files (instead of directly using the API and
database).

Using multiple domains means that calls to users.list must
be scoped to a specific domain; ensure that v3 calls to this
method are appropriately scoped.

Change-Id: I7ed84b7210597ab1633eba343a0c68741a5a8578
Partial-Bug: 1645803

TrivialFix

Change-Id: I377cf8f07e5acf9247182924519f9e3b16aa33d7

The WSGI template and context code has been moved to charm-helpers.
This change updates the charm to use the common code from charm-helpers.

Change-Id: I6a3efdb0811c8d50c657f6f8b923b076e3de6716

Update the identity admin relation to support passing api-version
keystone is using and the extra credential information needed for
authenticating a v3 client

Change-Id: Ied2d8641096fa5ccf90878d8d7fca81835d844c3

Avoid calling update_password() if the password has not
changed since it will actually change the db value
regardless resulting in a revocation event and all current
tokens being invalidated.

Change-Id: Icb901b5e87d9cd716fa1a0d146e2252339e5678b
Closes-Bug: 1648677

More work is needed on policy changes before we can have fine
grained RBAC for service accounts.

Add service project to cloud_admin rule to maintain service access
to admin-only calls.

Change-Id: I3d6776ec821e97353d63d2709b36efd9091f0123
Closes-Bug: 1655028

The current code for test 910 references self.keystone_sentry
this was replaced by an array in commit
4d2ab666.

There was probably a race between the commits and functional
tests was not run on a updated version of the tree prior to
commit 49f99398.

After the addition of running keystone clustered in commit
4d2ab666 the test in 910 has
transient failures. Add call to set_api_version after removal
and addition of percona-cluster relation as it will retry and
verify authentication accross all nodes making sure that
configuration has settled before performing final test.

Change-Id: Ib5505adb0ace7c86384bb922008b9a8d73f60f24

Currently the Keystone leader charm creates new domains and stores
the UUIDs locally on disk. This approach predates charm relation-/
leader- storage, is error prone, and causes problems in HA setups.

Move to leader storage and remove old interfaces. There is no need
to migrate the on-disk stored data as it is read from the deployment
and stored as a part of the upgrade process.

Do not set default values for service_tenant_id, admin_domain_id and
default_domain_id. This will cause context to be incomplete on peer
units until the values are actually available.

Change functional tests to run on Keystone cluster to verify contents of
configuration and operation of services in clustered environment.

Closes-Bug: 1637453
Change-Id: Id0eaf7bfceead627cc691e9b52dd889d60c05fa9

Current version of function does not scope its search for users to
a domain.

Change-Id: I435b7edf61adbe7196b00b2e58b08d5c4de7ed5c
Closes-Bug: 1644606