- Jun 12, 2018
Frode Nordahl authored
These features are disabled by default; a majority of our users provide certificates through configuration. At present the cluster relation carries information required for these features even when they are not enabled. This makes processing of cluster relation changes unnecessarily heavy and vulnerable to bugs. Notice of deprecation and removal in the next release was given as part of the 18.05 release notes.
Change-Id: I8b07c7e0d5c2c623c115c83dc8aff230b554a986
Closes-Bug: #1755897
Related-Bug: #1744990
- May 15, 2018
Liam Young authored
Add support for keystone to request and receive certificates from the ls-certificates relation.
Change-Id: I6222e5eb9c8a0a5f079ecc2e5e5c97abc1c39515
- May 11, 2018
Dmitrii Shcherbakov authored
* add support for relating with subordinate charms providing Service Provider functionality via apache2 authentication modules;
* enable additional authentication methods on the keystone side to accept parsed assertion data provided via apache2 authentication module variables exported to the WSGI environment;
* move the https frontend and WSGI API apache config files to keystone instead of relying on charm-helpers, as modifications are needed there to add IncludeOptional directives. openstack_https_frontend.conf is added on purpose as ServerName cannot be correctly determined after ProxyPass, which results in TLS errors during the SAML exchange process;
* add an additional relation to openstack-dashboard to provide the URL information necessary to trust the 'origin' parameter in WebSSO URLs used by horizon during the authentication process. Also add a context to render the federation section that is used to render this information in keystone.conf;
Subordinates can choose to use different apache2 authentication modules. If those modules support vhost-level variables then multiple subordinates for the same module can be used. For example, mod_auth_mellon can be used multiple times in different vhosts to protect federated token endpoints related to different identity provider and protocol combinations. The trusted dashboard relation could be used to provide the dashboard origin URL from a different site via cross-model relations.
NOTE: this functionality will be triggered only on Ocata+ (inclusive)
Change-Id: I1ef623b0b0e2a9f68cec4be550965c5e15e5f561
- Apr 13, 2018
David Ames authored
When keystone is deployed with multiple units but without hacluster, one-off scenarios occur where one non-leader unit will fail to update its client relations. This change runs all identity client relations when the database relation is complete, thus guaranteeing all keystone units update their identity relation data with clients. Small timing fix to amulet tests.
Closes-Bug: #1761562
Change-Id: I338e500dbc155b75c75b9261a9b5b471bd73088a
- Apr 12, 2018
Alex Kavanagh authored
This tightens up the security on the SSL keys stored in /etc/apache2/ssl/<service> to be no longer world readable.
Change-Id: I0951deff4ec95b1fc7f4389dc083c8957f8db6f0
Closes-Bug: #1761305
- Apr 05, 2018
sfeole authored
OpenStack PKI token support was dropped in the Pike release. The following update ensures that PKI token validation is only run if the release is supported when the sync leader broadcasts any service credentials to its peers. In this case, if the release is <= Pike, then we can sync token certs and ensure the PKI permissions are valid. Otherwise this action will be skipped.
Closes-Bug: 1759403
Change-Id: I3d8ba6d3cac3a3505a3722a5082c3a6933a9ef67
- Feb 27, 2018
James Page authored
The glance swift store configuration requires use of the domain id for the service domain; update data set for identity-service relation to include service_domain_id.
Change-Id: Ie6e2733f34de10a4d34b18dbf1fd9ba623af0e18
Closes-Bug: 1752027
- Jan 12, 2018
James Page authored
Drop support for deployment from Git repositories, as deprecated in the 17.02 charm release. This feature is unmaintained and has no known users.
Change-Id: Ic054e29ef55d8890a3130af16b48f105efcf8f6a
- Dec 22, 2017
Liam Young authored
When generating a username associated with multiple charms, the username was derived from the keys of an unordered dict, making the username liable to change. This patch sorts the keys and makes the username stable.
Change-Id: I0f857d7c2d5c4abf4843bc3fe1a9848164048fe2
Closes-Bug: #1739409
- Dec 21, 2017
James Page authored
Remove postgresql DB support. This feature is untested as part of the charms, is not in use and was deprecated as part of the 1708 charms release.
Change-Id: Ia57a7358fd3567fe0250c45f3e00c07fa83f329c
- Dec 18, 2017
James Page authored
Keystone@Queens removes support for the v2 API; switch the default to the v3 API from Queens onwards and ensure that charm users can only provide 3 as the preferred-api-version for >= Queens.
Change-Id: I58fcbaa7fc385bef77544be349c7d461e3e5559b
- Nov 08, 2017
David Ames authored
There was a race where the https apache2 site, openstack_https_frontend.conf, would be rendered in one hook, then subsequently the config-changed hook would run and enable that site. However, the subsequent config-changed hook would see the template as having not changed and therefore it would fail to restart apache2. This led to apache2 failing to listen on the correct ports. This was due to CONFIGS.write_all() being called but a2ensite not being called. This change fixes this race and adds a call to configure_https() to ensure the configuration completes and apache2 is restarted.
Change-Id: I229d25c707a0630c9d609fd20a962a0de2e42c77
Closes-Bug: #1723892
- Nov 01, 2017
Nobuto Murata authored
ssl_ca is not necessary when ssl_cert is signed by a trusted CA, such as GeoTrust, because a trusted cert chain is in the system already. Users can just provide ssl_cert and ssl_key to enable the SSL endpoint in that case.
Closes-Bug: #1711354
Change-Id: I4a34df1a2c2bf5705e02b713d968a22f4bbf57cf
- Oct 17, 2017
Liam Young authored
Install and configure memcached on the keystone units and configure keystone to use the cache. This should speed up token access for existing tokens.
Change-Id: I26af0a97660e5bbe293a32e6b9e3d209338f905a
Closes-Bug: #1722541
- Oct 10, 2017
Edward Hope-Morley authored
We are currently seeing amulet test runs fail due to keystone ports not being open. This is a result of haproxy not being restarted once its config has been set up. This patch fixes this issue by catching more cases where haproxy config can be changed.
Change-Id: I1d6aa20ba0415cb8bf37b07fd1b128f20a0f8720
- Oct 05, 2017
Edward Hope-Morley authored
The current charm design is to perform a sweep of all units related on the identity-service interface to ensure that they have all the correct setting values applied. If the leader unit is deleted and a new one is elected this will not happen until some event, e.g. config-changed, occurs. This can result in remote units malfunctioning since they think they are not configured. We resolve this by always doing a sweep when the leader-elected hook fires. Also fixes an infinite loop edge case when ssl-cert-master switches as a result of leader switch.
Change-Id: Icd68cc70d81d7d518c918e831056f686dbc7db1e
Closes-Bug: 1721269
- Sep 28, 2017
David Ames authored
Install OpenStack using snaps. By setting openstack-origin to snap:track/channel or snap:track the charm will use snaps to install rather than debs. If channel is left off it defaults to stable. For example: snap:ocata/edge will install the edge version of Ocata and snap:pike will install the stable version of Pike. Charm helpers sync for snap related helpers.
Change-Id: I6e3540e4ffe081540404f91061e5c9b7039b3eac
- Sep 26, 2017
Xav Paice authored
When using Keystone v3, the relation data set by add_credentials_to_keystone now includes a 'domain'.
Change-Id: I2a4ff4d7c20d4f274479dfe0615dd00940e64d8b
Closes-Bug: 1719751
- Sep 07, 2017
James Page authored
Reset the os_release cache during the OpenStack upgrade process, ensuring that any post dist-upgrade operations are made in the context of the new OpenStack release, not the old one.
Change-Id: I3d3584dd8e97f85e16c38e1143f627b03fa63bd0
Closes-Bug: 1715624
- Aug 25, 2017
Billy Olsen authored
The cluster-change-departed hook is tied to the cluster-changed hook. In the cluster-changed hook, there is logic to ensure the initial admin exists which makes calls to the keystone service. If the remote database has already been removed (as seen in recent CI runs), then this will cause the hook to fail execution. This is safe to remove as the primary purpose of the cluster-changed hook is to sync the SSL keys and update identity relation units. There should be no need to sync the keys when a unit is departing the cluster relation. Likewise, the update of the identity relations is not needed either as the VIP is used for access to the keystone services by remote units and the access credentials won't change.
Change-Id: Id8fed284557f67f5676189ec8951b778cf506c97
Closes-Bug: #1713108
- Aug 21, 2017
Frode Nordahl authored
An unconfigured keystone service listening on ports destined for haproxy races with the start of the haproxy service.
Change-Id: I9f601344e72bd67738429f82151f9683f5ecf8e4
Closes-Bug: #1648396
- Aug 18, 2017
Alex Kavanagh authored
The code relies on an undocumented (and probably unstable) feature of CPython to close a file when the reference is GCed. However, it's pretty poor practice to do so, so this patchset replaces them with "with ..." statements to ensure that the files are closed when no longer being used.
Change-Id: I6f24bc042a820ddd0147247267ee159753cfc1fb
- Aug 11, 2017
David Ames authored
Enable dual stack IPv4 and IPv6 VIPs on the same interface. HAProxy always listens on both IPv4 and IPv6, allowing connectivity on either protocol. Update edge cases for is_ssl_cert_master for Bug #1709356. Update amulet tests for keystoneauth1 tests. charm-helpers sync for HAProxy template changes.
Closes-Bug: #1709356
Change-Id: I401071fcdd66252f389475d45e8136fc68c474f1
- Aug 10, 2017
James Page authored
Only enable the [signing] section of the keystone configuration if PKI token format is in use; other token formats don't have support for token revocation retrieval. Note that PKI format tokens are no longer supported >= Pike.
Change-Id: I8179ecc5d37d866588147f639ebc77a870408dfe
Closes-Bug: 1709189
- Aug 01, 2017
Dmitrii Shcherbakov authored
Add Panko service to the supported services to support Panko charm deployment.
Change-Id: Ief1829768bfd9db20923d5684ce621095832e3db
- Jul 06, 2017
James Page authored
Add gnocchi service to catalog of supported service types to support gnocchi charm deployment.
Change-Id: I9946374ed42eeb3b580d4b66fc00d16b72da12eb
- May 12, 2017
James Page authored
Resync charmhelpers for pike version support. Add pike tests but leave disabled until all charms support pike. Add support for volumev3 service type for Cinder. Skip execution of PKI setup for >= pike as it's been dropped from keystone.
Change-Id: I9a4e452cc7b1b90126d1885c37f5a64b8241479d
- May 04, 2017
David Ames authored
Use the get_relation_ip function for selecting addresses for the cluster relationship. This includes overrides for the admin, internal, and public config settings or extra bindings.
Change-Id: I6d92523be1707549751d7153cd395f7bae217952
Partial-Bug: #1687439
- Apr 27, 2017
Alex Kavanagh authored
- sync charmhelpers with fix-alpha helpers
- fix up code where the alpha comparisons are done
- fix tests which assumed mocks would just work on os_release()
Change-Id: I9f4a3b15e53c757c2ae5ffb2eb45b6cdaecf4c8e
Related-Bug: #1659575
- Apr 26, 2017
David Ames authored
When the percona-cluster charm sets an access-network but the default unit-get address is not on that network, extra shared-db relations get executed. This is specifically a problem when running upgrades and trying to avoid API downtime. The root cause is that the access-network is not checked until the SharedDBContext is consulted. But then the db_joined function will change it back to the wrong ip on subsequent runs. This change adds a check for access-network on the relation during the db_joined function and pushes IP selection off to get_relation_ip. Charm helpers sync to pull in changes to get_relation_ip.
Change-Id: If1246bbe68d231df0aefea45598dc8c7cd904b87
Partial-bug: #1677647
- Apr 13, 2017
Dmitrii Shcherbakov authored
This is needed for Contrail 3.2
Change-Id: Id27d3b21a31a03d285d33986e8653fbd772d1e39
- Apr 06, 2017
Edward Hope-Morley authored
This ensures that if the config changes and, for example, os-admin-network is set/changed, then that info will be propagated to the cluster relation as required by things like HAProxyContext to properly configure backends.
Change-Id: Ia820b7dc86ba081b6737007f63e5c1a7789fba0c
Closes-Bug: 1641870
- Mar 22, 2017
Edward Hope-Morley authored
It is possible for the keystone charm to poll identity-relation before the remote unit has set values. This patch fixes a corner case that causes a hook exception under this circumstance.
Change-Id: I3339870b87adcd712a341ae5074b4af1e924f64a
Closes-Bug: 1674786
- Feb 16, 2017
David Ames authored
Check if VIP or dns-ha is set to determine if the unit expects to be in HA. This is less racy than just checking for the ha relation. Wait until clustered to run the client relation hooks. This fixes bugs where client charms receive the private-address rather than the VIP on initial client relations. Charmhelper sync.
Change-Id: I48b15113360ef892e38235ec4518173ec78ad143
Partial-bug: #1661392
- Feb 15, 2017
David Ames authored
When the keystone charm is upgraded the apache mod_wsgi configuration file name has changed. With duplicate configuration files apache fails to start up. Generalize the function disable_unused_apache_sites to handle any sites we may need cleaned up now or in the future.
Change-Id: I13111bf9788ba3bfbef3efedb7b027323c84a6b8
Closes-bug: #1665044
- Feb 08, 2017
Corey Bryant authored
Change-Id: I9f4952e222138bcb5f23c0c40cfce5deb07bf61a
- Feb 01, 2017
Dmitrii Shcherbakov authored
The lack of zaqar in the valid_services dict leads to an error if it tries to establish a relationship with keystone.
Change-Id: I8dcf14c103bf4d8a70d2f580e7743f3374f4327b
James Page authored
Support configuration of domains via subordinate charms that implement the new 'keystone-domain-backend' relation type; these charms will create domain specific configuration files in /etc/keystone/domains, and will notify the keystone charm when configuration is complete and the domain is ready for creation in the keystone database. Subordinate charms can also request a restart of keystone by setting or changing the value of the 'restart-nonce' key in the relation.
Change-Id: Ia2b171e910d7f3a5e6e09ba5b18dddc0a734e57a
Partial-Bug: 1645803
- Jan 30, 2017
James Page authored
Enable support for domain specific drivers, managed via configuration files (instead of directly using the API and database). Using multiple domains means that calls to users.list must be scoped to a specific domain; ensure that v3 calls to this method are appropriately scoped.
Change-Id: I7ed84b7210597ab1633eba343a0c68741a5a8578
Partial-Bug: 1645803
- Jan 20, 2017
zhangyanxian authored
TrivialFix
Change-Id: I377cf8f07e5acf9247182924519f9e3b16aa33d7