- Jul 05, 2018
-
-
Zuul authored
-
- Jun 28, 2018
-
-
Liam Young authored
Ensure that oslo.middleware parses any proxy information forwarded from haproxy/apache with regards to protocol; this ensures that https connections are correctly detected. Includes charm helper sync to bring in oslo middleware template. Change-Id: I2ce75a4a2033d8d3c07bd9f7ce6e4f5f6d9488cf Closes-Bug: 1758675
-
- Jun 21, 2018
-
-
Corey Bryant authored
Change-Id: Ibf8a509de4ce49700aa0207b9401dff43e4cb8fd
-
- Jun 14, 2018
-
-
Zuul authored
-
- Jun 12, 2018
-
-
Frode Nordahl authored
These features are disabled by default, a majority of our users provide certificates through configuration. At present the cluster relation carries information required for these features even when they are not enabled. This makes processing of cluster relation changes unnecessarily heavy and vulnerable to bugs. Notice of deprecation and removal in next release was given as part of the 18.05 release notes. Change-Id: I8b07c7e0d5c2c623c115c83dc8aff230b554a986 Closes-Bug: #1755897 Related-Bug: #1744990
-
- Jun 06, 2018
-
-
Frode Nordahl authored
Source: 166eced28b15335f816134806bf5bb6b50c222cd Remove v2 section from template as Queens is v3 only. Change-Id: Ic2b1215421ad870096fab7e1aee1f7604c1892a2 Closes-Bug: #1774716
-
- May 16, 2018
- May 15, 2018
-
-
Liam Young authored
Add support for keystone to request and receive certificates from the ls-certificates relation. Change-Id: I6222e5eb9c8a0a5f079ecc2e5e5c97abc1c39515
-
Zuul authored
-
- May 14, 2018
-
-
Zuul authored
-
Frode Nordahl authored
Specifically for... `enable-pki`, `https-service-endpoints` and `use-https`. Change-Id: Ica2dfc39dc550b1aa43e178ae29fb333eeaca572
-
- May 11, 2018
-
-
Zuul authored
-
Dmitrii Shcherbakov authored
* add support for relating with subordinate charms providing Service Provider functionality via apache2 authentication modules;
* enable additional authentication methods on the keystone side to accept parsed assertion data provided via apache2 authentication module variables exported to WSGI environment;
* move https frontend and WSGI API apache config files to keystone instead of relying on charm-helpers as modifications are needed there to add IncludeOptional directives. openstack_https_frontend.conf is added on purpose as ServerName cannot be correctly determined after ProxyPass which results in TLS errors during SAML exchange process;
* add an additional relation to openstack-dashboard to provide URL information necessary to trust 'origin' parameter in WebSSO URLs used by horizon during the authentication process. Also add a context to render the federation section that is used to render this information in keystone.conf;

Subordinates can choose to use different apache2 authentication modules. If those modules support vhost-level variables then multiple subordinates for the same module can be used. For example, mod_auth_mellon can be used multiple times in different vhosts to protect federated token endpoints related to different identity provider and protocol combinations. Trusted dashboard relation could be used to provide dashboard origin URL from a different site via cross-model relations.

NOTE: this functionality will be triggered only on Ocata+ (inclusive)

Change-Id: I1ef623b0b0e2a9f68cec4be550965c5e15e5f561
-
Felipe Reyes authored
Retry keystone_wait_for_propagation() on exception. Closes-Bug: #1668954 Change-Id: I5e5689dbd5cd974b11e017b6d0f06575cabcceb2
-
Zuul authored
-
- May 10, 2018
-
-
David Ames authored
There was a mid-air collision with charm helpers syncs. The critical piece is the removal of a second stats socket line from the haproxy templates which breaks on trusty. All other amulet tests that include keystone will fail on trusty until this is landed. Change-Id: Ide3b7cbda238b9a7b93f0625c21d43335bc10e81
-
Neiloy Mukerjee authored
An arbitrary repository can currently be specified, but it was not yet made clear in the documentation that a corresponding public key for accessing this repository could be added. This change specifies that under the description for the openstack-origin option. Public key can be added by appending to the deb url, so the below example would work: juju set openstack-origin nova-compute openstack-origin="deb http://ppa.launchpad.net/billy-olsen/testfix-kilo/ubuntu vivid main|FA0FD8E1" Change-Id: I262a2164d4f7b37b4185bdee650371de7be50a55 Closes-Bug: 1503440
-
Zuul authored
-
- May 09, 2018
-
-
David Ames authored
Change bionic test from dev to gate for 18.05. Change-Id: I1cea7c9773a06eafa84ec6e4303cfc49219823a7
-
- May 08, 2018
-
-
Dmitrii Shcherbakov authored
Change-Id: I936d8ea071ca4d72f525094ff2ae7bae52f73ee2
-
- May 03, 2018
-
-
Vern Hart authored
Change-Id: I606fc94f1c113d6429016ea9450aeb4bc103a313 Signed-off-by: Vern Hart <v-openstack@vern.com>
-
- Apr 18, 2018
-
-
Zuul authored
-
- Apr 13, 2018
-
-
Zuul authored
-
David Ames authored
When keystone is deployed with multiple units but without hacluster, one-off scenarios occur where one non-leader unit will fail to update its client relations. This change runs all identity client relations when the database relation is complete, thus guaranteeing all keystone units update their identity relation data with clients. Small timing fix to amulet tests. Closes-Bug: #1761562 Change-Id: I338e500dbc155b75c75b9261a9b5b471bd73088a
-
- Apr 12, 2018
-
-
Alex Kavanagh authored
This tightens up the security on the SSL keys stored in /etc/apache2/ssl/<service> to be no longer world readable. Change-Id: I0951deff4ec95b1fc7f4389dc083c8957f8db6f0 Closes-Bug: #1761305
-
- Apr 11, 2018
-
-
David Ames authored
The comparison of bytes vs string of the CA certificate produces a false negative. This leads to rewriting certificates and affecting connectivity to services. Read in the certificate as bytes as well for a bytes vs bytes comparison. Closes-Bug: #1762431 Change-Id: Ic226149cc124ac5b84ab30d95a590f08489c67f2
-
- Apr 05, 2018
-
-
Neiloy Mukerjee authored
No-impact (besides satisfying my inner grammarian) change to exercise gerrit workflow. Change-Id: I962b9f202d650084d31e8f2258a8f0cdc5a8596a
-
sfeole authored
OpenStack PKI token support was dropped in the Pike release. The following update ensures that PKI token validation is only run if the release is supported when the sync leader broadcasts any service credentials to its peers. In this case, if the release is <= pike, then we can sync token certs and ensure the pki permissions are valid. Otherwise this action will be skipped. Closes-Bug: 1759403 Change-Id: I3d8ba6d3cac3a3505a3722a5082c3a6933a9ef67
-
- Apr 04, 2018
-
-
Ryan Beisner authored
Remove soon-to-be deprecated release combos from amulet tests Change-Id: I425410a41a86138b9e6d77e9273a2b10d541e8cc
-
- Apr 03, 2018
-
-
Ryan Beisner authored
As of pip 10.0, --allow-unverified is not permitted. Use of the flag in this repo was previously used to force installation of python-apt to accommodate certain unit tests. The unverified package, python-apt, is no longer necessary for test execution. Related-Bug: #1760720 Change-Id: Ieca3f4978e947ce52d645ddab0f4523c90d03c75
-
- Mar 12, 2018
-
-
Corey Bryant authored
The README documentation implies that use-https and https-service-endpoints are required when enabling SSL/https with your own CA, SSL cert, and key. Update the README and config.yaml to explain that config options use-https and https-service-endpoints should not be set when using ssl_* config options. Change-Id: I2e0140f909ef2c57182895f37cf191b6bc80157b Closes-Bug: #1754682
-
- Feb 27, 2018
-
-
James Page authored
The glance swift store configuration requires use of the domain id for the service domain; update data set for identity-service relation to include service_domain_id. Change-Id: Ie6e2733f34de10a4d34b18dbf1fd9ba623af0e18 Closes-Bug: 1752027
-
- Feb 23, 2018
-
-
Zuul authored
-
- Feb 21, 2018
-
-
Ryan Beisner authored
Change-Id: I28e9aa3687e24cacb70a2a54f1306f6be86f4c74
-
- Feb 20, 2018
-
-
David Ames authored
For Queens keystone v2 has been dropped. V3 is the only valid API version. The charm has already made this change. This change is to bring the amulet test up to match by creating a separate class. Charm-helpers sync Enlarging the amulet timeout value. Change-Id: I822624bdf45bfb060dd75ba3b10e71984bc10e48
-
- Feb 08, 2018
-
-
Robert Ayres authored
A trivial change to test gerrit setup. Change-Id: I7883eb1edd53fd3bd29dc878c667397ba6b4506a
-
- Jan 19, 2018
-
-
Ryan Beisner authored
Notable issues resolved:

openstack_upgrade_available() broken for swift
https://bugs.launchpad.net/charm-swift-proxy/+bug/1743847

haproxy context doesn't consider bindings
https://bugs.launchpad.net/charm-helpers/+bug/1735421

regression in haproxy check
https://bugs.launchpad.net/charm-helpers/+bug/1743287

Change-Id: Ia65aadc4b024802826d81953dec1183f3785a0eb
-
- Jan 12, 2018
-
-
Zuul authored
-
James Page authored
Drop support for deployment from Git repositories, as deprecated in the 17.02 charm release. This feature is unmaintained and has no known users. Change-Id: Ic054e29ef55d8890a3130af16b48f105efcf8f6a
-