These features are disabled by default, a majority of our
users provide certificates through configuration.

At present the cluster relation carries information required
for these features even when they are not enabled. This makes
processing of cluster relation changes unnecessarily heavy
and vulnerable to bugs.

Notice of deprecation and removal in next release was given
as part of the 18.05 release notes.

Change-Id: I8b07c7e0d5c2c623c115c83dc8aff230b554a986
Closes-Bug: #1755897
Related-Bug: #1744990

Add support for keystone to request and receive certificates from
the ls-certificates relation.

Change-Id: I6222e5eb9c8a0a5f079ecc2e5e5c97abc1c39515

* add support for relating with subordinate charms providing Service
Provider functionality via apache2 authentication modules;
* enable additional authentication methods on the keystone side to
accept parsed assertion data provided via apache2 authentication module
variables exported to WSGI environment;
* move https frontend and WSGI API apache config files to keystone
instead of relying on charm-helpers as modifications are needed there to
add IncludeOptional directives. openstack_https_frontend.conf is added
on purpose as ServerName cannot be correctly determined after ProxyPass
which results in TLS errors during SAML exchange process;
* add an additional relation to openstack-dashboard to provide URL
information necessary to trust 'origin' parameter in WebSSO URLs used by
horizon during the authentication process. Also add a context to render
the federation section that is used to render this information in
keystone.conf;

Subordinates can choose to use different apache2 authentication modules.
If those modules support vhost-level variables then multiple
subordinates for the same module can be used. For example,
mod_auth_mellon can be used multiple times in different vhosts to
protect federated token endpoints related to different identity provider
and protocol combinations).

Trusted dashboard relation could be used to provide dashboard origin URL
from a different site via cross-model relations.

NOTE: this functionality will be triggered only on Ocata+ (inclusive)

Change-Id: I1ef623b0b0e2a9f68cec4be550965c5e15e5f561

When keystone is deployed with multiple units but without hacluster one
off scenarios occur where one non-leader unit will fail to update its
client relations.

This change runs all identity client relations when the database
relation is complete thus guaranteeing all keystone units update there
identity relation data with clients.

Small timing fix to amulet tests.

Closes-Bug: #1761562
Change-Id: I338e500dbc155b75c75b9261a9b5b471bd73088a

The glance swift store configuration requires use of the domain
id for the service domain; update data set for identity-service
relation to include service_domain_id.

Change-Id: Ie6e2733f34de10a4d34b18dbf1fd9ba623af0e18
Closes-Bug: 1752027

Notable issues resolved:

openstack_upgrade_available() broken for swift
https://bugs.launchpad.net/charm-swift-proxy/+bug/1743847

haproxy context doesn't consider bindings
https://bugs.launchpad.net/charm-helpers/+bug/1735421

regression in haproxy check
https://bugs.launchpad.net/charm-helpers/+bug/1743287

Change-Id: Ia65aadc4b024802826d81953dec1183f3785a0eb

Drop support for deployment from Git repositories, as deprecated
in the 17.02 charm release.  This feature is unmaintained and has
no known users.

Change-Id: Ic054e29ef55d8890a3130af16b48f105efcf8f6a

Whenm generating a username associated with multiple charm the
username was derived from the keys of an unordered dict making the
username liable to change. This patch sorts the keys and makes the
username stable.

Change-Id: I0f857d7c2d5c4abf4843bc3fe1a9848164048fe2
Closes-Bug: #1739409

Remove postgresql DB support; This feature is untested as part
of the charms, is not in use and was deprecated as part of
the 1708 charms release.

Change-Id: Ia57a7358fd3567fe0250c45f3e00c07fa83f329c

Keystone@Queens removes support for the v2 API; switch default
to v3 API from Queens onwards and ensure that charm users can
only provide 3 as via the preferred-api-version for >= Queens.

Change-Id: I58fcbaa7fc385bef77544be349c7d461e3e5559b

Make default func27-smoke xenial-pike
Charm-helpers sync

Change-Id: I289d38e4170d204fbf9b0281b28be28c9e847e65

There was a race where the https apache2 site,
openstack_https_frontend.conf, would be rendered in one hook, then
subsequently the config-changed hook would run and enable that site.
However, the subsequent config-changed hook would see the template as
having not changed and therefore it would fail to restart apache2.
This lead to apache2 failing to listen on the correct ports.

This was due to CONFIGS.write_all() being called but a2ensite not
being called. This change fixes this race and adds a call to
configure_https() to ensure the configuration completes and apache2
is restarted.

Change-Id: I229d25c707a0630c9d609fd20a962a0de2e42c77
Closes-Bug: #1723892

ssl_ca is not necessary when ssl_cert is signed by
a trusted CA, such as GeoTrust, because a trusted
cert chain is in the system already. Users can just
provide ssl_cert and ssl_key to enable SSL endpoint
in that case.

Closes-Bug: #1711354
Change-Id: I4a34df1a2c2bf5705e02b713d968a22f4bbf57cf

Install and configure memcached on the keystone units and configure
keystone to use the cache. This should speed up token access for
existing tokens.

Change-Id: I26af0a97660e5bbe293a32e6b9e3d209338f905a
Closes-Bug: #1722541

The current charm design is to perform a sweep of all units
related on the identity-service interface to ensure that
they have all the correct setting values applied. If the
leader unit is deleted and a new one is elected this will
not happen until some event e.g. config-changed occurs. This
can result in remote units malfunctioning since they think they
are not configured. We resolve this by always doing a sweep when
the leader-elected hook fires.

Also fixes infinite loop edge case when ssl-cert-master switches
as a result of leader switch.

Change-Id: Icd68cc70d81d7d518c918e831056f686dbc7db1e
Closes-Bug: 1721269

Commit 01816c84 forgot to mock out calls to
service_start() and service_stop() that were
added to the install hook which causes test runs
to fail if not run as root.

Change-Id: I07e17242356a80e32c43c289b94c650a299e16b3

Install OpenStack using snaps. By setting openstack-origin to
snap:track/channel or snap:track the charm will use snaps to
install rather than debs. If channel is left off it defaults to
stable. For example: snap:ocata/edge will install the edge version of
Ocata and snap:pike will install the stable version of Pike.

Charm helpers sync for snap related helpers.

Change-Id: I6e3540e4ffe081540404f91061e5c9b7039b3eac

When using Keystone v3, the relation data set by
add_credentials_to_keystone now includes a 'domain'.

Change-Id: I2a4ff4d7c20d4f274479dfe0615dd00940e64d8b
Closes-Bug: 1719751

According to http://docs.python.org/2/library/unittest.html
assert(Not)Equals is a deprecated alias of assert(Not)Equal.

Change-Id: I90c835b3c7cdae6dceb5da061e5ed42bcfd77f4b
Closes-Bug: #1329757

Reset the os_release cache during the OpenStack upgrade process,
ensuring that any post dist-upgrade operations are made in the
context of the new OpenStack release, not the old one.

Change-Id: I3d3584dd8e97f85e16c38e1143f627b03fa63bd0
Closes-Bug: 1715624

The code relies on a undocumented (and probably unstable) feature
of CPython to close a file when the reference is GCed.  However,
it's pretty poor practice to do so, so this patchset replaces them
with "with ..." statements to ensure that the files are closed
when no longer being used.

Change-Id: I6f24bc042a820ddd0147247267ee159753cfc1fb

Enable dual stack IPv4 and IPv6 VIPs on the same interface.
HAProxy always listens on both IPv4 and IPv6 allowing connectivity
on either protocol.

Update edge cases for is_ssl_cert_master for Bug #1709356.

Update amulet tests for keystoneauth1 tests.

charm-helpers sync for HAProxy template changes.

Closes-Bug: #1709356

Change-Id: I401071fcdd66252f389475d45e8136fc68c474f1

Resync charmhelpers for pike version support.

Add pike tests but leave disabled until all charms support pike.

Add support for volumev3 service type for Cinder.

Skip execution of PKI setup for >= pike as its been dropped from
keystone.

Change-Id: I9a4e452cc7b1b90126d1885c37f5a64b8241479d

Use the get_relation_ip function for selecting addresses for the
cluster relationship. Including overrides for the admin, internal,
and public config settings or extra bindings.

Change-Id: I6d92523be1707549751d7153cd395f7bae217952
Partial-Bug: #1687439

- sync charmhelpers with fix-alpha helpers
- fix up code where the alpha comparisons are done
- fix tests which assumed mocks would just work on os_release()

Change-Id: I9f4a3b15e53c757c2ae5ffb2eb45b6cdaecf4c8e
Related-Bug: #1659575

When the percona-cluster charm sets an access-network but the default
unit-get address is not on that network extra shared-db relations get
executed. This is specifically a problem when running upgrades and
trying to avoid API downtime.

The root cause is that the access-network is not checked until the
SharedDBContext is consulted. But then db_joined function will
change it back to the wrong ip on subsequent runs.

This change adds a check for access-network on the relation during
the db_joined function and pushes IP selection off to
get_relation_ip.

Charm helpers sync to pull in changes to get_relation_ip.

Change-Id: If1246bbe68d231df0aefea45598dc8c7cd904b87
Partial-bug: #1677647

Resync charm-helpers to pickup the latest code for calculation
of worker process configuration, creating better default
worker configuration when deploying in LXD containers.

Switch the skew between public and admin processes to favour
public 0.75/0.25 as the public API endpoints of a service will
typically get a larger number of hits.

Fixup unit test for minor behavioural change in charm-helpers.

Change-Id: I4ab1d28f907ce29d5602b48ba7a438fc3690277c
Closes-Bug: 1665270
Closes-Bug: 1686049

This ensures that if the config changes and for example
os-admin-network is set/changed then that info will be
propagated to the cluster relation as required by things
like HAProxyContext to properly configure backends.

Change-Id: Ia820b7dc86ba081b6737007f63e5c1a7789fba0c
Closes-Bug: 1641870

Check if VIP or dns-ha is set to determine if the unit expects to be
in HA. This is less racey that just checking for the ha relation.
Wait until clustered to run the client relation hooks.

This fixes bugs where client charms receive the private-address
rather than the VIP on initial client relations.

Charmhelper sync.

Change-Id: I48b15113360ef892e38235ec4518173ec78ad143
Partial-bug: #1661392

When the keystone charm is upgraded the apache mod_wisgi
configuration file name has changed. With duplicate configuration
files apache fails to start up. Generalize the function
disable_unused_apache_sites to handle any sites we may need cleaned
up now or in the future.

Change-Id: I13111bf9788ba3bfbef3efedb7b027323c84a6b8
Closes-bug: #1665044

Support configuration of domains via suboridnate charms that
implement the new 'keystone-domain-backend' relation type; these
charms will create domain specific configuration files in
/etc/keystone/domains, and will notify the keystone charm when
configuration is complete, and the domain is ready for creation
in the keystone database.

Subordinate charms can also request a restart of keystone by
setting or changing the value of the 'restart-nonce' key in the
relation.

Change-Id: Ia2b171e910d7f3a5e6e09ba5b18dddc0a734e57a
Partial-Bug: 1645803

The WSGI template and context code has been moved to charm-helpers.
This change updates the charm to use the common code from charm-helpers.

Change-Id: I6a3efdb0811c8d50c657f6f8b923b076e3de6716

Avoid calling update_password() if the password has not
changed since it will actually change the db value
regardless resulting in a revocation event and all current
tokens being invalidated.

Change-Id: Icb901b5e87d9cd716fa1a0d146e2252339e5678b
Closes-Bug: 1648677

More work is needed on policy changes before we can have fine
grained RBAC for service accounts.

Add service project to cloud_admin rule to maintain service access
to admin-only calls.

Change-Id: I3d6776ec821e97353d63d2709b36efd9091f0123
Closes-Bug: 1655028

Currently the Keystone leader charm creates new domains and stores
the UUIDs locally on disk. This approach predates charm relation-/
leader- storage, is error prone, and causes problems in HA setups.

Move to leader storage and remove old interfaces. There is no need
to migrate the on-disk stored data as it is read from the deployment
and stored as a part of the upgrade process.

Do not set default values for service_tenant_id, admin_domain_id and
default_domain_id. This will cause context to be incomplete on peer
units until the values are actually available.

Change functional tests to run on Keystone cluster to verify contents of
configuration and operation of services in clustered environment.

Closes-Bug: 1637453
Change-Id: Id0eaf7bfceead627cc691e9b52dd889d60c05fa9

Current version of function does not scope its search for users to
a domain.

Change-Id: I435b7edf61adbe7196b00b2e58b08d5c4de7ed5c
Closes-Bug: 1644606

Cleanup code that references users, projects or domains without
necessary scoping or filtering throughout the charm.  Add logging
of domain name in contexts where this is relevant.

Tighten rule:service_role to require role:service and token scoped
to project config('service-tenant') created in SERVICE_DOMAIN. This
ensures that if you have a deployment with end-user access to assign
roles within their own domains they will not gain privileged access
simply by assigning the service role to one of their own users.

Allow users authorized by rule:service_role to perform
identity:list_projects. This is required to allow Ceilometer
to operate without Admin privileges.

Services are given a user in project config('service-tenant') in
SERVICE_DOMAIN for v3 authentication / authorization.  As of Mitaka
Keystone v3 policy the 'service' role is sufficient for services to
validate tokens.

Services are also given a user in project config('service-tenant') in
DEFAULT_DOMAIN to support services still configured with v2.0
authentication / authorization.

This will allow us to transition from v2.0 based authentication /
authorization and existing services and charms will continue to
operate as before.  This will also allow the end-user to roll their
deployment up to api_version 3 and back to api_version 2 as needed.

Services and charms that has made the transition to fully use the
v3 API for authentication and authorization will gain full access to
domains and projects across the deployment.  The first charm to make
use of this is charm-ceilometer.

Closes-Bug: 1636098
Change-Id: If1518029c43476a5e14bf94596197eabe663499c

The default_domain_id is used to specify a domain when the client
hasn't explicitly set one. It defaults to 'default' which is fine
for liberty and previous because the id of the default domain is,
 oddly, 'default' rather than a uuid. On Mitaka and higher it is
a uuid so when keystone assumes the default domains id is 'default'
it fails.

Change-Id: Iaa5e6a07a229815cf2281858cb68a4e120aa2af3
Closes-Bug: 1626889

Juju 2.0 provides support for display of the version of
an application deployed by a charm in juju status.

Insert the os_application_version_set function into the
existing assess_status function - this gets called after
all hook executions, and periodically after that, so any
changes in package versions due to normal system updates
will also be reflected in the status output.

This review also includes a resync of charm-helpers to
pickup hookenv and contrib.openstack support for this
feature.

Change-Id: I5734e87d39e62c1fb791b0b79ff216e30a784d1f

The keystone charm runs the keystone API under apache2 for liberty
and above. This patch enables the keystone API to run under apache2
when deployed from source for liberty and above.

Change-Id: I5eccf38aad9668248f4f94523d61f7bd40ed5c30