`syncdb` subcommand was deprecated in django 1.7
and subsequently removed in 1.9.

Use `subprocess.check_call()` so we catch errors.

Add `shared-db` relation and enable debug logging in deployment
used in functional test.  Add functional test that authenticates
through the dashboard.

Update unit tests.

Change-Id: I567461e57ec431fc470d7a2a31d3f16e9dc50e8b
Closes-Bug: #1777358

There is a eluding issue that currently makes the
first request to the OpenStack Dashboard error out
with 500 Internal Server Error in CI.  Temporarilly
add retry logic to unwedge the gate.  This issue
should be revisited and root caused properly when time
allows.

Change-Id: Id828082416c7cbdd88247d9b6750c0f77467bc26

The horizon interface enables/displays actions based on the
keystonev3_policy.json file provided. The keystonev3_policy.json file
included by the charm has rules for various actions that depend on the
target object's domain id (user, group, project). The buttons displayed
for creating and deleting the objects (shown above the tables) are also
based on these policy rules but no target object exists because they are
bound to the table and not a specific target object.

This patch changes some of the policy rules to create/delete users,
projects, and groups to not require the target object's domain_id. This
is safe to do because the table is shown within the context of the
target domain_id already. Additionally, the actual ability to alter
objects is controlled by the actual policy installed in Keystone and not
the Horizon UI.

Without this change, actions such as "Create User" will only show for
a user who is a cloud admin and not for any domain admins (even if the
domain admin is allowed to perform the action via the API or CLI).

Change-Id: Ie0a85e11e6a171083deb19b0eb26c7e552390c00
Closes-Bug: #1775224
Closes-Bug: #1775229

Support for dfs was dropped in commit b4019e45

Remove orphan symlink in the actions/ directory.

Change-Id: Ie353de9da422a863e53a92983d9819c324761667

Change-Id: I9170b428ad504664c6045f26ed2ad34d5159fcb3

Change bionic test from dev to gate for 18.05.

Change-Id: I5e1214055d49a0ab170ad3ebc1c4fccca0eb7ebc

* add support for relating with subordinate charms providing Service
Provider functionality via apache2 authentication modules;
* retrieve protocol, identity provider and user-facing name info from
  keystone service provider charm subordinates;
* provide trusted dashboard information to keystone charm

Change-Id: I15ca0dd1616ec12c7ad47dc05961b51bb45bb770

The comparison of bytes vs string of the CA certificate produces a
false negative. This leads to rewriting certificates and affecting
connectivity to services.

Read in the certificate as bytes as well for a bytes vs bytes
comparison.

Change-Id: I3b233a79689858db0962bafe71eba0a0667c2bf0
Closes-Bug: #1762431

Change-Id: I8e7f986035935a742b4acb320f71887e23989dbb
Partial-bug: #1755027

As of pip 10.0, --allow-unverified is not permitted.

Use of the flag in this repo was previously used to force
installation of python-apt to accommodate certain unit tests.

The unverified package, python-apt, is no longer necessary
for test execution.

Related-Bug: #1760720

Change-Id: I15a489755a94d0df0f2a6331410add716e56e091

Change-Id: I4265c92ad7ca8ce7c924b3b861d349b0cef7529e

This runs the Apache conf for Ocata under horizon:horizon as we
already do for other releases.

Change-Id: I07775bd13c117b8a56295f348a9383c8ecb1ed76
Partial-bug: #1755027

Automatically configure WSGI worker processes inline with other
charms using the worker-multiplier configuration option and the
WSGI worker configuration context from charm-helpers.

Change-Id: Ib8af4a5a54fcff13a05ba4f4094bf123d5282c4a

Add the xenial/queens functional tests to the gate

Change-Id: I96dcbf2b4ab402a1918d1aa9073acb3467965bbc

Change-Id: I296f081e9de99da2fefe5a581dfc2ffe5fba4429

The Heat dashboard was split from horizon in Queens, and
therefore needs to be installed separately.

The Designate dashboard was never installed by the charm
before but should be.

Change-Id: Ie0790fd1e1a6422465f4a4e00769efcd667d28e2
Closes-Bug: #1746031
Closes-Bug: #1747934

Notable issues resolved:

openstack_upgrade_available() broken for swift
https://bugs.launchpad.net/charm-swift-proxy/+bug/1743847

haproxy context doesn't consider bindings
https://bugs.launchpad.net/charm-helpers/+bug/1735421

regression in haproxy check
https://bugs.launchpad.net/charm-helpers/+bug/1743287

This change also breaks the inheritance between
HorizonHAProxyContext and HAProxyContext (as this was
not needed) and aligns the code in HorizonHAProxyContext
to the behaviour in HAProxyContext of using get_relation_ip
instead of unit_get.

Change-Id: I72600b01744a07e140a29255efc2823ea39ce730

Previously the single domain mode has been implemented. This is a
follow-up commit to set the value properly as boolean instead of string.

Change-Id: I0e34d93d05693bf0ca5e8f68bc9af198fd29680a
Closes-Bug: #1744346
Related-Bug: #1712999

This binding is required so that the DNS-HA code can find the
address to use for the hostname specified by os-public-hostname.

This also deprecates the os-internal-hostname and os-admin-hostname
options, as there is no binding to use them with.

Change-Id: I57609c5ab641e2ae6377c6fbad5c9e7b8cf6495c
Closes-Bug: #1742548

Drop support for deployment from Git repositories, as deprecated
in the 17.02 charm release.  This feature is unmaintained and has
no known users.

Change-Id: I19732b50483ab7284723f847f182fd1cfa67e425

The default HAProxy timeout values are fairly strict. On a busy cloud
it is common to exceed one or more of these timeouts. The only
indication that HAProxy has exceeded a timeout and dropped the
connection is errors such as "BadStatusLine" or "EOF." These can be
very difficult to diagnose when intermittent.

This charm-helpers sync pulls in the change to update the default
timeout values to more real world settings. These values have been
extensively tested in ServerStack. Configured values will not be
overridden.

Partial Bug: #1736171

Change-Id: Ida7949113594b9b859ab7b4ba8b2bb440bab6e7d

For Mitaka -> Ocata, add image_formats to local_settings.py.

Change-Id: I582e516eb306a52cdee2a0bd4b31046b45af7a51
Closes-bug: 1724271

Bionic, being the next LTS, is important to enable for dev
and test as early as possible ahead of 18.02.

Zesty goes EOL in Jan 2018. The next stable charms release (18.02)
will not provide Zesty series support, as it was an interim
(non-LTS) release.

Change-Id: If96d593120b3b334819fca892042ec17c7403dd6

Change-Id: I34389860a4f9258178aa151aae16044643417413

Make default func27-smoke xenial-pike
Charm-helpers sync

Change-Id: I0278a3c133c160f2543195c6a4c8a7c2735d13ac

Now that Horizon upstream added the ability to configure the default
"create volume" value when launching an instance (See. LP: #1678109),
expose it as a new charm config.

Change-Id: I68a6f199a72c11ad4eff2b587cb4279c91da52ae
Closes-Bug: #1711342

Set WEBROOT in openstack-dashboard's local_settings.py to the value
of webroot from the charm's config (see config.yaml).

Add /horizon/static alias to apache2 config in addition to /static
to cover both paths to static resources.

Change-Id: I29a156d322bac91ca02fb0f08f291fc805e59110
Closes-Bug: #1728086

Horizon tries to inhibit browsers' password autocompletion by default.
Offer a configurable option in the charm so that admin can allow
password autocompletion if necessary.

Change-Id: I461752d1d1175f777de5bff26953b200efb17137
Closes-Bug: 1714676

HSTS is helpful to bring more protection to users, but on the other
hand, it locks down users to use HTTPS only until max-age expires. To
enable HSTS, admins must enable enforce-ssl option and set non-zero
value to hsts-max-age-seconds explicitly.

Content Security Policy (CSP) is not enabled this time. Horizon upstream
may need some work: https://bugs.launchpad.net/horizon/+bug/1618024

Change-Id: I7fd774ba9a1c292d51625d6d36a086b2a531ae75
Partial-Bug: #1713202

Horizon can be setup in a more secure way. Enable more headers:
 - X-XSS-Protection "1; mode=block"
 - X-Content-Type-Options "nosniff"
 - CSRF_COOKIE_SECURE, SESSION_COOKIE_SECURE in Django

Change-Id: I84605bd7e00df64da522b805b4e9a88521d1e0f6
Partial-Bug: #1713202

Removes essex, folsom, grizzly, havana and juno
templates since those versions are
out-of-support.

Change-Id: If4a256793060a0935b40397fb50c201eeee9fe68

This commit adds the default-domain config option to limit
the login page to only the specifed domain. For use with a single
domain environment where users are only given a login.

When considering a single domain usecase for users (admin_domain for
administration, then example_domain for all other users), it would
be handy for users not to input their domain name, but only username
and password to login.

By setting two lines below, we can create a separate dashboard instance
for non-admin users only.

OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT=False
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN=example_domain

However, the current local_settings.py template does not allow that.

This change adds the 'default-domain' configuration option which modifies
local_policy.py to set the two configuration flags outlined in the bug.
If the config option is not set the charm will behave as before, enabling
the user to specify the domain at login.

This does no validation to ensure the domain exists, so it is up to the user
to supply a valid domain name.

Closes-Bug: 1712999
Change-Id: I316372ae305a4ba10e4d8ba047f23a317836b960