- Set default branch for git review/gerrit to stable/zed
- Switch tests to stable.
- Switch to using stable charm-helpers branch.
- Switch to using stable charm.openstack branch.
- Switch to using stable zaza, zaza-openstack-tests
  branch
- (reactive charms) Add build.lock file
- (classic charms) make sync
- (reactive: not reactive plugin): lock charm-tools < 3.1
- (reactive: with reactive plugin): lock charm snap to 3.x/stable

Change-Id: I15d6662d536704eb15d8b64698bda559bdb02b8f

Tox 4.0.0 was recently released and it has several breaking changes.
We pin to < 4.0.0 here. We are planning to move forward only on the
master charm branches.

Tox is also pinned to < 4.0.0 for stable branches in upstream
openstack-zuul-jobs as well as in zosci-config. However, the
requires= section in the charm's tox.ini file ends up installing
tox>4, wiping out the zuul-pinned tox<4 that was already installed
installed. This patch fixes that.

Change-Id: I63617e671dbf1ffdba19d17f1a9d18269b558c91

The relation data for for the LocalSettings context could cause the
priority sorting to break if the priority key wasn't cmpable (e.g. using
<, > or ==).  This patch fixes the associated bug, by making the sorting
extra robust and ensuring that un-cmp-able values are 'greater' (e.g.
further down the list) that cmp-able values, and equal to each other.
E.g. a partially ordered set.

This change also pins jsonschema in test-requirements.txt to fix
py310 failures due to newer versions of jsonschema pulling in rpds-py
and therefore the Rust toolchain.

Change-Id: I6bbf7e5f81a772ffc6ea859c9ab7c05f2eb9fdc5
Closes-bug: #2023404
(cherry picked from commit e8d0ca3)

…elation

This is a rebuild/make sync for charms to pickup the fix in charmhelpers to fix
any inadvertant accesses of ['ca'] in the relation data before it is available
from vault in the certificates relation.  Fix in charmhelpers is in [1].

[1] juju/charm-helpers#826
Closes-Bug: #2028683

Change-Id: I484443c470efe4d3cd89f5b6527576fea7414a03

openstack-dashboard exposes the hostnames (and IP addresses) that can be
used by users to load Horizon. There are 3 possible sources, they are
juju units ingress-address, os-public-hostname and vip config options

Closes-Bug: #2030094
Change-Id: I5eb524c6258f72980ef43175f2bed21d7ca078be
(cherry picked from commit 484b7d8)

Bug LP 1863232 introduced a new Apache configuration option called
WSGISocketRotation which allows users to disable wsgi socket
rotation. This patch makes this configurable with a new
wsgi-socket-rotation config option that defaults to the Apache
default and can optionally be set to False.

Closes-Bug: #2021550
Change-Id: Ic89feaf34f6f9060fa1fde4a9dacb7446dd7b532

The commit 484b7d8 introduced a new relation that relies on an
application databag to exchange data, although only the leader can write
to it, and the original patch didn't guard the relation_set() call with
a is_leader(), this patch addresses that problem wich produces a hook
failure on follower units when openstack-dashboard is deployed in HA.

Closes-Bug: #2046257
Related-Bug: #2030094
Change-Id: I1930b0b96f65cb627f896db67dddc6370cf6a413
(cherry picked from commit 4d55814)

If network calls to retrieve ports and floating IPs take too long,
then the project > instances page cannot be loaded. This config
allows disabling the network calls when loading the page with
minor side-effects, as a workaround to avoid downtime while other
performance optimizations can be done on the side to allow
the page the load so the workaround is no longer needed.

Closes-bug: #2051003
Related-bug: #2045168
Change-Id: Iedad6ef48cbe0b776594f4ad8276d3d713cd360c
(cherry picked from commit 6b93e9d)
(cherry picked from commit 45a86be)
(cherry picked from commit 1ec179b)

Many years ago change Ida7949113594b9b859ab7b4ba8b2bb440bab6e7d
attempted to change the timeouts of haproxy but did not succeed,
as deployments were still using the values from the charm's
templates/haproxy.cfg file, being effectively set to 30 seconds
and causing timeouts (see bug). Additionally, the description
of the config options became inaccurate, stating the default to
be a value that they were really not.

This patch addresses the timeout value discrepancy, adjusting
to the original change's intended values.

Closes-bug: #2045168
Change-Id: I83405727b4a116ec6f47b61211bf8ef3d2d9fbd6
(cherry picked from commit 09c5871)
(cherry picked from commit 2f430d1)
(cherry picked from commit f013b18)

If this header is set to deny, then operations cannot be performed from
the network topology page as the <svg> tag is a kind of <embed> and
access is restricted from there. Setting it to sameorigin allows
operations from the network topology page as long as they belong to the
same web application (same origin).
Related-Bug: #2077024

Change-Id: Ifcc9725bad34178a3eb606e9f822d2a68f5bf987
(cherry picked from commit ef031d4)

If this header is set to deny, then operations cannot be performed from
the network topology page as the <svg> tag is a kind of <embed> and
access is restricted from there. This was previously set only for the
HTTP virtual host (commit ef031d4). This patch adds the same
configuration for HTTPS.

Closes-Bug: #2077024

Change-Id: I9b0819890750391d1980c4d1ee9c171ba6d38c8b
(cherry picked from commit 0f5fc5e)

The frontend create/delete role buttons on
Identity>Roles page rely on a backend config
OPENSTACK_KEYSTONE_BACKEND that is defined in
the config file. However, the setting is not being
returned to the frontend because there is another
setting called REST_API_REQUIRED_SETTINGS that lists
the settings that are returned to the frontend.

This patch adds OPENSTACK_KEYSTONE_BACKEND to
REST_API_REQUIRED_SETTINGS which was also done upstream
on commit 9c19b07 back in 2019.

Closes-bug: #2056377
Change-Id: Ia8a18e66610f7149399fe1614b1e515ecf799f55
(cherry picked from commit 2f52ca2)

Secure cookies where enabled on the local_settings.py template by the
flag ssl_configured that was not set anywhere. Setting now that flag on
the ApacheSSLContext class.

Closes-Bug: #2118778

Change-Id: Ic73b1a6a878efae126c87764d2a26afbfce4d740
Signed-off-by: Jorge Merlino <jorge.merlino@canonical.com>
(cherry picked from commit 2c43ae4)

Adding a configuration parameter csp-options that, when set, adds a
Content-Security-Policy header to the apache configuration.
This header can prevent or minimize the risk of certain types of
security threats by placing restrictions on the things the web page's
code can do.

Closes-Bug: #2118835

Change-Id: I06f0b1c2787fa56460e5a196d3ca07c0a85c14e3
Signed-off-by: Jorge Merlino <jorge.merlino@canonical.com>
(cherry picked from commit 41250d9)

This setting breaks Single Sign On as it prevents the forms to submit to
an external site, which is exactly what the login form does when SSO is
enabled.

Closes-Bug: #2138262
Change-Id: Ia0e9df362b1ccc4c797a6cfe0f6d10a660f7c924
Signed-off-by: Jorge Merlino <jorge.merlino@canonical.com>
(cherry picked from commit 40a8e74)

* update:
  - charmcraft.yaml for v3
  - tox.ini to use py3.10 by default
  - test-requirements.in to use zaza for juju3
  - update test bundles to work with charmcraft v3
* generate:
  - merged-requirements-py310.txt
  - test-requirements-py310.txt
* add:
   - update-requirements env to tox.ini
* .zuul.yaml:
  - switch to charm jobs to get py310 support

Change-Id: I834671920624de60bbf72bffc8b40a70079c8cea
Signed-off-by: Arif Ali <arif-ali@ubuntu.com>