2019-02-07:  FG;  Updated metadata, so default version downloaded with charm pull is the last one (38, at time of writing).

Change-Id: Id4c8e57ce407870c6c358d60952878de98ff5fec

Ensure that EOL releases are removed from metadata
and tests, and that the current dev release is enabled
in metadata.  Dev release tests are enabled separately
because of chickens and eggs.

Change-Id: I7fc1db909aa2059f039a09b694c1058322883f4a

On every call to update_all_identity_relation_units()
apache was reconfigured and all configuration files written.

This was used for the legacy management of self signed
certificates which now has been removed.

Change-Id: I7480575bc06287f6898ce469b420fd63206015e2

Change-Id: I46c7f5d459ae4d3e66777639c4a7f92b94e73f9b

Ensure that oslo.middleware parses any proxy information
forwarded from haproxy/apache with regards to protocol;
this ensures that https connections are correctly detected.

Includes charm helper sync to bring in oslo middleware
template.

Change-Id: I2ce75a4a2033d8d3c07bd9f7ce6e4f5f6d9488cf
Closes-Bug: 1758675

Python 3.6 is installed by default in Ubuntu 18.04 LTS.
Therefore, according to Transition Plan [1],
it'll be handy to have py36 testenv.

For more details, please check Python2 Deprecation Timeline [2]
and Python3-first Goal - Completion Criteria [3].

[1] https://wiki.ubuntu.com/Python/Python36Transition
[2] https://governance.openstack.org/tc/resolutions/20180529-python2-deprecation-timeline.html
[3] https://review.openstack.org/#/c/575933/8/goals/stein/python3-first.rst@42

Change-Id: I41eb6ecb09b3862fc5d5d5530623d594085acf0a

Change-Id: Ibf8a509de4ce49700aa0207b9401dff43e4cb8fd

The only config change is in keystone.conf to enable totp auth plugin.

A secret can be generated via an arbitrary tool and uploaded to Keystone
via credential api by specifying "totp" credential type, secret and a
user id.

https://developer.openstack.org/api-ref/identity/v3/#create-credential

https://blueprints.launchpad.net/keystone/+spec/totp-auth
https://docs.openstack.org/keystone/pike/advanced-topics/auth-totp.html#configuring-totp

Change-Id: Ie3e4d828aae1f0918ace94adbdfdb81ffdc12878

These features are disabled by default, a majority of our
users provide certificates through configuration.

At present the cluster relation carries information required
for these features even when they are not enabled. This makes
processing of cluster relation changes unnecessarily heavy
and vulnerable to bugs.

Notice of deprecation and removal in next release was given
as part of the 18.05 release notes.

Change-Id: I8b07c7e0d5c2c623c115c83dc8aff230b554a986
Closes-Bug: #1755897
Related-Bug: #1744990

Source: 166eced28b15335f816134806bf5bb6b50c222cd

Remove v2 section from template as Queens is v3 only.

Change-Id: Ic2b1215421ad870096fab7e1aee1f7604c1892a2
Closes-Bug: #1774716

Add support for keystone to request and receive certificates from
the ls-certificates relation.

Change-Id: I6222e5eb9c8a0a5f079ecc2e5e5c97abc1c39515

Specifically for... `enable-pki`, `https-service-endpoints` and
`use-https`.

Change-Id: Ica2dfc39dc550b1aa43e178ae29fb333eeaca572

* add support for relating with subordinate charms providing Service
Provider functionality via apache2 authentication modules;
* enable additional authentication methods on the keystone side to
accept parsed assertion data provided via apache2 authentication module
variables exported to WSGI environment;
* move https frontend and WSGI API apache config files to keystone
instead of relying on charm-helpers as modifications are needed there to
add IncludeOptional directives. openstack_https_frontend.conf is added
on purpose as ServerName cannot be correctly determined after ProxyPass
which results in TLS errors during SAML exchange process;
* add an additional relation to openstack-dashboard to provide URL
information necessary to trust 'origin' parameter in WebSSO URLs used by
horizon during the authentication process. Also add a context to render
the federation section that is used to render this information in
keystone.conf;

Subordinates can choose to use different apache2 authentication modules.
If those modules support vhost-level variables then multiple
subordinates for the same module can be used. For example,
mod_auth_mellon can be used multiple times in different vhosts to
protect federated token endpoints related to different identity provider
and protocol combinations).

Trusted dashboard relation could be used to provide dashboard origin URL
from a different site via cross-model relations.

NOTE: this functionality will be triggered only on Ocata+ (inclusive)

Change-Id: I1ef623b0b0e2a9f68cec4be550965c5e15e5f561

Retry keystone_wait_for_propagation() on exception.

Closes-Bug: #1668954
Change-Id: I5e5689dbd5cd974b11e017b6d0f06575cabcceb2

There was a mid-air collision with charm helpers syncs. The critical
piece is the removal of a second stats socket line from the haproxy
templates which breaks on trusty.

All other amulet tests that include keystone will fail on trusty until
this is landed.

Change-Id: Ide3b7cbda238b9a7b93f0625c21d43335bc10e81

An arbitarary repository can currently be specified, but it was not yet
made clear in the documentation that a corresponding public key for
accessing this repository could be added. This change specifies that
under the description for the openstack-origin option. Public key can
be added by appending to the deb url, so the below example would work:
juju set openstack-origin nova-compute openstack-origin="deb http://ppa
.launchpad.net/billy-olsen/testfix-kilo/ubuntu vivid main|FA0FD8E1"

Change-Id: I262a2164d4f7b37b4185bdee650371de7be50a55
Closes-Bug: 1503440