Change-Id: Ibf8a509de4ce49700aa0207b9401dff43e4cb8fd

Add support for keystone to request and receive certificates from
the ls-certificates relation.

Change-Id: I6222e5eb9c8a0a5f079ecc2e5e5c97abc1c39515

Retry keystone_wait_for_propagation() on exception.

Closes-Bug: #1668954
Change-Id: I5e5689dbd5cd974b11e017b6d0f06575cabcceb2

There was a mid-air collision with charm helpers syncs. The critical
piece is the removal of a second stats socket line from the haproxy
templates which breaks on trusty.

All other amulet tests that include keystone will fail on trusty until
this is landed.

Change-Id: Ide3b7cbda238b9a7b93f0625c21d43335bc10e81

Change bionic test from dev to gate for 18.05.

Change-Id: I1cea7c9773a06eafa84ec6e4303cfc49219823a7

Change-Id: I936d8ea071ca4d72f525094ff2ae7bae52f73ee2

When keystone is deployed with multiple units but without hacluster one
off scenarios occur where one non-leader unit will fail to update its
client relations.

This change runs all identity client relations when the database
relation is complete thus guaranteeing all keystone units update there
identity relation data with clients.

Small timing fix to amulet tests.

Closes-Bug: #1761562
Change-Id: I338e500dbc155b75c75b9261a9b5b471bd73088a

Openstack PKI token support was dropped in the Pike release.
The following update ensures that PKI token validation is
only run if the release is supported when the sync leader
broadcasts any service credentials to its peers.

In this case; if the release is <= pike. then we can sync
token certs and ensure the pki permissions are valid.
Otherwise this action will be skipped.

Closes-Bug: 1759403
Change-Id: I3d8ba6d3cac3a3505a3722a5082c3a6933a9ef67

Remove soon-to-be deprecated release combos from amulet tests

Change-Id: I425410a41a86138b9e6d77e9273a2b10d541e8cc

Change-Id: I28e9aa3687e24cacb70a2a54f1306f6be86f4c74

For Queens keystone v2 has been dropped. V3 is the only valid API
version. The charm has already made this change. This change is to
bring the amulet test up to match by creating a separate class.

Charm-helpers sync

Enlarging the amulet timeout value.

Change-Id: I822624bdf45bfb060dd75ba3b10e71984bc10e48

Notable issues resolved:

openstack_upgrade_available() broken for swift
https://bugs.launchpad.net/charm-swift-proxy/+bug/1743847

haproxy context doesn't consider bindings
https://bugs.launchpad.net/charm-helpers/+bug/1735421

regression in haproxy check
https://bugs.launchpad.net/charm-helpers/+bug/1743287

Change-Id: Ia65aadc4b024802826d81953dec1183f3785a0eb

Drop support for deployment from Git repositories, as deprecated
in the 17.02 charm release.  This feature is unmaintained and has
no known users.

Change-Id: Ic054e29ef55d8890a3130af16b48f105efcf8f6a

Whenm generating a username associated with multiple charm the
username was derived from the keys of an unordered dict making the
username liable to change. This patch sorts the keys and makes the
username stable.

Change-Id: I0f857d7c2d5c4abf4843bc3fe1a9848164048fe2
Closes-Bug: #1739409

The default HAProxy timeout values are fairly strict. On a busy cloud
it is common to exceed one or more of these timeouts. The only
indication that HAProxy has exceeded a timeout and dropped the
connection is errors such as "BadStatusLine" or "EOF." These can be
very difficult to diagnose when intermittent.

This charm-helpers sync pulls in the change to update the default
timeout values to more real world settings. These values have been
extensively tested in ServerStack. Configured values will not be
overridden.

Partial Bug: #1736171

Change-Id: I973962a5c1538b0d9afbebea8cebf50d938ecfb5

Bionic, being the next LTS, is important to enable for dev
and test as early as possible ahead of 18.02.

Zesty goes EOL in Jan 2018. The next stable charms release (18.02)
will not provide Zesty series support, as it was an interim
(non-LTS) release.

Change-Id: I02e8eb5c3c2f7fb08a0b6556db12e09b300f3a95

Change-Id: Ic6469d4af7edd755c22d4e31b87d9a36937d3134

Make default func27-smoke xenial-pike
Charm-helpers sync

Change-Id: I289d38e4170d204fbf9b0281b28be28c9e847e65

This change ensures that any password expiry has been removed from
the user that runs unison to synchronize data. The fix is entirely
in charm-helpers so this patch is a simple sync.

Change-Id: I75d6ac0e9be19a87efe16a1095b1afd44f41dc17
Closes-Bug: #1686085

Install and configure memcached on the keystone units and configure
keystone to use the cache. This should speed up token access for
existing tokens.

Change-Id: I26af0a97660e5bbe293a32e6b9e3d209338f905a
Closes-Bug: #1722541

Install OpenStack using snaps. By setting openstack-origin to
snap:track/channel or snap:track the charm will use snaps to
install rather than debs. If channel is left off it defaults to
stable. For example: snap:ocata/edge will install the edge version of
Ocata and snap:pike will install the stable version of Pike.

Charm helpers sync for snap related helpers.

Change-Id: I6e3540e4ffe081540404f91061e5c9b7039b3eac

Change-Id: I60eabd566d204c784229ae109a2566dbc501d6a2

Change-Id: I9bd7bf8f07690e89e1f6f9acaafa7ed1a1458526

Change-Id: Ide22dd42fcdc1969c988cdc6eb1a37f6e3c05c0e

Unconfigured keystone service listening on ports destined for haproxy
race with start of haproxy service.

Change-Id: I9f601344e72bd67738429f82151f9683f5ecf8e4
Closes-Bug: #1648396

Enable dual stack IPv4 and IPv6 VIPs on the same interface.
HAProxy always listens on both IPv4 and IPv6 allowing connectivity
on either protocol.

Update edge cases for is_ssl_cert_master for Bug #1709356.

Update amulet tests for keystoneauth1 tests.

charm-helpers sync for HAProxy template changes.

Closes-Bug: #1709356

Change-Id: I401071fcdd66252f389475d45e8136fc68c474f1

with the following key:value pairs:

- reset_timeout: 600

Change-Id: I7bbb42430bfef4ab658901f86db120ab162de560

Resync charmhelpers for pike version support.

Add pike tests but leave disabled until all charms support pike.

Add support for volumev3 service type for Cinder.

Skip execution of PKI setup for >= pike as its been dropped from
keystone.

Change-Id: I9a4e452cc7b1b90126d1885c37f5a64b8241479d

- Turn on Zesty-Ocata Amulet test definitions.
- Standardize test-requirements.txt
- Sync charm helpers for various fixes

Change-Id: Ia86ed2cf9557d9eb11f577d641eb3e6920ff9e3e

- sync charmhelpers with fix-alpha helpers
- fix up code where the alpha comparisons are done
- fix tests which assumed mocks would just work on os_release()

Change-Id: I9f4a3b15e53c757c2ae5ffb2eb45b6cdaecf4c8e
Related-Bug: #1659575

Resync charm-helpers to pickup the latest code for calculation
of worker process configuration, creating better default
worker configuration when deploying in LXD containers.

Switch the skew between public and admin processes to favour
public 0.75/0.25 as the public API endpoints of a service will
typically get a larger number of hits.

Fixup unit test for minor behavioural change in charm-helpers.

Change-Id: I4ab1d28f907ce29d5602b48ba7a438fc3690277c
Closes-Bug: 1665270
Closes-Bug: 1686049

- Add Zesty as a supported series to metadata.yaml.
- Turn on Xenial-Ocata Amulet test definitions.
- Sync charm helpers to get Juju 2.x amulet compatibility.
- Keeping Zesty-Ocata Amulet test definitions turned off until the
  metadata.yaml changes propagate to the charm store.

Change-Id: If89406dabee66cfcf395bbb214457bdd1e576aad

Refresh v2 and v3 portion of policy.json from upstream keystone
repository @ commit
d4a890a6c8bd6927e229f4b665a982a51c130073

Add functional tests to verify effect of policy

Update functional tests to use keystone_configure_api_version
from charm-helpers

Update functional tests to correctly validate cinder services
when openstack release >= ocata

Enable functional test for ocata, set appropriate cinder
configuration.

Change-Id: Idf07ff3a7c9d7e7eb30792719541319ab3426a41
Closes-Bug: 1651989
Closes-Bug: 1649446

Check if VIP or dns-ha is set to determine if the unit expects to be
in HA. This is less racey that just checking for the ha relation.
Wait until clustered to run the client relation hooks.

This fixes bugs where client charms receive the private-address
rather than the VIP on initial client relations.

Charmhelper sync.

Change-Id: I48b15113360ef892e38235ec4518173ec78ad143
Partial-bug: #1661392

Enable support for domain specific drivers, managed via
configuration files (instead of directly using the API and
database).

Using multiple domains means that calls to users.list must
be scoped to a specific domain; ensure that v3 calls to this
method are appropriately scoped.

Change-Id: I7ed84b7210597ab1633eba343a0c68741a5a8578
Partial-Bug: 1645803

The WSGI template and context code has been moved to charm-helpers.
This change updates the charm to use the common code from charm-helpers.

Change-Id: I6a3efdb0811c8d50c657f6f8b923b076e3de6716

Avoid calling update_password() if the password has not
changed since it will actually change the db value
regardless resulting in a revocation event and all current
tokens being invalidated.

Change-Id: Icb901b5e87d9cd716fa1a0d146e2252339e5678b
Closes-Bug: 1648677

More work is needed on policy changes before we can have fine
grained RBAC for service accounts.

Add service project to cloud_admin rule to maintain service access
to admin-only calls.

Change-Id: I3d6776ec821e97353d63d2709b36efd9091f0123
Closes-Bug: 1655028

The current code for test 910 references self.keystone_sentry
this was replaced by an array in commit
4d2ab666.

There was probably a race between the commits and functional
tests was not run on a updated version of the tree prior to
commit 49f99398.

After the addition of running keystone clustered in commit
4d2ab666 the test in 910 has
transient failures. Add call to set_api_version after removal
and addition of percona-cluster relation as it will retry and
verify authentication accross all nodes making sure that
configuration has settled before performing final test.

Change-Id: Ib5505adb0ace7c86384bb922008b9a8d73f60f24

Currently the Keystone leader charm creates new domains and stores
the UUIDs locally on disk. This approach predates charm relation-/
leader- storage, is error prone, and causes problems in HA setups.

Move to leader storage and remove old interfaces. There is no need
to migrate the on-disk stored data as it is read from the deployment
and stored as a part of the upgrade process.

Do not set default values for service_tenant_id, admin_domain_id and
default_domain_id. This will cause context to be incomplete on peer
units until the values are actually available.

Change functional tests to run on Keystone cluster to verify contents of
configuration and operation of services in clustered environment.

Closes-Bug: 1637453
Change-Id: Id0eaf7bfceead627cc691e9b52dd889d60c05fa9