stackhpc · Alex-Welsh · Apr 20, 2026 · Mar 25, 2026 · Mar 18, 2026 · Feb 6, 2026
@@ -298,15 +298,11 @@ om_rabbitmq_qos_prefetch_count: "1"
 
 om_enable_rabbitmq_stream_fanout: true
 
-# OpenStack authentication string. You should only need to override these if you
-# are changing the admin tenant/project or user.
 openstack_auth:
-  auth_url: "{{ keystone_internal_url }}"
-  username: "{{ keystone_admin_user }}"
   password: "{{ keystone_admin_password }}"
-  project_name: "{{ keystone_admin_project }}"
-  domain_name: "default"
-  user_domain_name: "default"
+
+openstack_auth_cloud: "kolla-admin-internal"
+openstack_auth_cloud_system: "kolla-admin-system-internal"
 
 ####################
 # OpenStack options

@@ -38,6 +38,12 @@ enable_nova_horizon_policy_file: "{{ enable_nova }}"
 # TLS
 horizon_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
 
+# Cache
+horizon_session_cache_backend: >-
+  {{ 'valkey' if enable_valkey | bool
+      else 'memcached' if enable_memcached | bool
+      else 'disabled' }}
+
 # Ports
 horizon_internal_fqdn: "{{ kolla_internal_fqdn }}"
 horizon_external_fqdn: "{{ kolla_external_fqdn }}"

@@ -31,3 +31,6 @@ octavia_api_port: "9876"
 octavia_api_listen_port: "{{ octavia_api_port }}"
 octavia_api_public_port: "{{ haproxy_single_external_frontend_public_port if haproxy_single_external_frontend | bool else octavia_api_port }}"
 octavia_health_manager_port: "5555"
+# Project that Octavia will use to interact with other services.  Note that in
+# Train and earlier releases this was "admin".
+octavia_service_auth_project: "service"
@@ -23,6 +23,7 @@ enable_prometheus_libvirt_exporter: "{{ enable_prometheus | bool and enable_nova
 enable_prometheus_etcd_integration: "{{ enable_prometheus | bool and enable_etcd | bool }}"
 enable_prometheus_proxysql_exporter: "{{ enable_prometheus | bool and enable_proxysql | bool }}"
 enable_prometheus_valkey_exporter: "{{ enable_prometheus | bool and enable_valkey | bool }}"
+enable_prometheus_openstack_network_exporter: "{{ enable_prometheus | bool }}"
 
 prometheus_alertmanager_user: "admin"
 prometheus_ceph_exporter_interval: "{{ prometheus_scrape_interval }}"
@@ -81,5 +82,8 @@ prometheus_elasticsearch_exporter_port: "9108"
 # Prometheus blackbox-exporter ports
 prometheus_blackbox_exporter_port: "9115"
 
+# Prometheus network exporter ports
+prometheus_openstack_network_exporter_port: "1981"
+
 # Prometheus instance label to use for metrics
 prometheus_instance_label:
@@ -175,10 +175,10 @@ common
 [fluentd:children]
 common
 
-[kolla-toolbox:children]
+[kolla_logs:children]
 common
 
-[kolla_logs:children]
+[kolla_toolbox:children]
 common
 
 [opensearch:children]
@@ -239,6 +239,9 @@ neutron
 [neutron-metadata-agent:children]
 neutron
 
+[neutron-ovn-vpn-agent:children]
+neutron
+
 [neutron-metering-agent:children]
 neutron
 
@@ -543,6 +546,10 @@ monitoring
 [prometheus-libvirt-exporter:children]
 compute
 
+[prometheus-openstack-network-exporter:children]
+compute
+network
+
 [prometheus-valkey-exporter:children]
 valkey
 

@@ -193,15 +193,11 @@ common
 [fluentd:children]
 common
 
-[kolla-toolbox:children]
+[kolla_logs:children]
 common
 
-[kolla_logs:children]
-control
-network
-compute
-storage
-monitoring
+[kolla_toolbox:children]
+common
 
 [opensearch:children]
 control
@@ -284,6 +280,9 @@ control
 compute
 network
 
+[neutron-ovn-vpn-agent:children]
+neutron
+
 # Cinder
 [cinder-api:children]
 cinder
@@ -565,6 +564,10 @@ monitoring
 [prometheus-libvirt-exporter:children]
 compute
 
+[prometheus-openstack-network-exporter:children]
+compute
+network
+
 [prometheus-valkey-exporter:children]
 valkey
 

@@ -18,7 +18,7 @@
     - name: Template out clouds.yaml
       become: "{{ needs_root }}"
       ansible.builtin.template:
-        src: "roles/common/templates/clouds.yaml.j2"
+        src: "templates/clouds.yaml.j2"
         dest: "{{ node_config }}/clouds.yaml"
         owner: "{{ ansible_facts.user_uid }}"
         group: "{{ ansible_facts.user_gid }}"
@@ -30,7 +30,7 @@
     - name: Template out admin-openrc.sh
       become: "{{ needs_root }}"
       ansible.builtin.template:
-        src: "roles/common/templates/admin-openrc.sh.j2"
+        src: "templates/admin-openrc.sh.j2"
         dest: "{{ node_config }}/admin-openrc.sh"
         owner: "{{ ansible_facts.user_uid }}"
         group: "{{ ansible_facts.user_gid }}"
@@ -39,7 +39,7 @@
     - name: Template out admin-openrc-system.sh
       become: "{{ needs_root }}"
       ansible.builtin.template:
-        src: "roles/common/templates/admin-openrc-system.sh.j2"
+        src: "templates/admin-openrc-system.sh.j2"
         dest: "{{ node_config }}/admin-openrc-system.sh"
         owner: "{{ ansible_facts.user_uid }}"
         group: "{{ ansible_facts.user_gid }}"
@@ -48,7 +48,7 @@
     - name: Template out public-openrc.sh
       become: "{{ needs_root }}"
       ansible.builtin.template:
-        src: "roles/common/templates/public-openrc.sh.j2"
+        src: "templates/public-openrc.sh.j2"
         dest: "{{ node_config }}/public-openrc.sh"
         owner: "{{ ansible_facts.user_uid }}"
         group: "{{ ansible_facts.user_gid }}"
@@ -57,7 +57,7 @@
     - name: Template out public-openrc-system.sh
       become: "{{ needs_root }}"
       ansible.builtin.template:
-        src: "roles/common/templates/public-openrc-system.sh.j2"
+        src: "templates/public-openrc-system.sh.j2"
         dest: "{{ node_config }}/public-openrc-system.sh"
         owner: "{{ ansible_facts.user_uid }}"
         group: "{{ ansible_facts.user_gid }}"

@@ -43,7 +43,8 @@
     container_engine: "{{ kolla_container_engine }}"
     module_name: os_nova_host_aggregate
     module_args:
-      auth: "{{ openstack_auth }}"
+      auth: "{{ openstack_blazar_auth }}"
+      cloud: "{{ openstack_auth_cloud }}"
       cacert: "{{ openstack_cacert }}"
       endpoint_type: "{{ openstack_interface }}"
       region_name: "{{ openstack_region_name }}"

@@ -1,7 +1,13 @@
 {
     "command": "kolla_toolbox",
     "config_files": [
-        {% if enable_rabbitmq | bool %}{
+        {
+            "source": "{{ container_config_directory }}/clouds.yaml",
+            "dest": "/var/lib/ansible/.config/openstack/clouds.yaml",
+            "owner": "ansible",
+            "perm": "0600"
+        }{% if enable_rabbitmq | bool %},
+        {
             "source": "{{ container_config_directory }}/rabbitmq-erlang.cookie",
             "dest": "/var/lib/rabbitmq/.erlang.cookie",
             "owner": "rabbitmq",
@@ -18,7 +24,7 @@
             "dest": "/etc/rabbitmq/erl_inetrc",
             "owner": "rabbitmq",
             "perm": "0600"
-        }{% endif %}{% if kolla_copy_ca_into_containers | bool %}{% if enable_rabbitmq | bool %},{% endif %}
+        }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
         {
             "source": "{{ container_config_directory }}/ca-certificates",
             "dest": "/var/lib/kolla/share/ca-certificates",

@@ -260,8 +260,8 @@ heat_ks_roles:
   - "{{ heat_stack_user_role }}"
 
 heat_ks_user_roles:
-  - project: "{{ openstack_auth.project_name }}"
-    user: "{{ openstack_auth.username }}"
+  - project: "{{ keystone_admin_project }}"
+    user: "{{ keystone_admin_user }}"
     role: "{{ heat_stack_owner_role }}"
 
 ####################

@@ -10,13 +10,13 @@
     environment:
       KOLLA_BOOTSTRAP:
       KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
-      OS_AUTH_URL: "{{ openstack_auth.auth_url }}"
+      OS_AUTH_URL: "{{ keystone_internal_url }}"
       OS_IDENTITY_API_VERSION: "3"
       OS_INTERFACE: "internal"
-      OS_USERNAME: "{{ openstack_auth.username }}"
-      OS_PASSWORD: "{{ openstack_auth.password }}"
-      OS_PROJECT_NAME: "{{ openstack_auth.project_name }}"
-      OS_USER_DOMAIN_NAME: "{{ openstack_auth.user_domain_name }}"
+      OS_USERNAME: "{{ keystone_admin_user }}"
+      OS_PASSWORD: "{{ keystone_admin_password }}"
+      OS_PROJECT_NAME: "{{ keystone_admin_project }}"
+      OS_USER_DOMAIN_NAME: "{{ default_user_domain_name }}"
       OS_REGION_NAME: "{{ openstack_region_name }}"
       OS_CACERT: "{{ openstack_cacert | default(omit) }}"
       HEAT_DOMAIN_ADMIN_PASSWORD: "{{ heat_domain_admin_password }}"

@@ -8,18 +8,51 @@ ALLOWED_HOSTS = ['*']
 SESSION_ENGINE = 'django.contrib.sessions.backends.db'
 DATABASES = {
     'default': {
-    'ENGINE': 'django.db.backends.mysql',
-    'NAME': '{{ horizon_database_name }}',
-    'USER': '{{ horizon_database_user }}',
-    'PASSWORD': '{{ horizon_database_password }}',
-    'HOST': '{{ database_address }}',
-    'PORT': '{{ database_port }}'
+        'ENGINE': 'django.db.backends.mysql',
+        'NAME': '{{ horizon_database_name }}',
+        'USER': '{{ horizon_database_user }}',
+        'PASSWORD': '{{ horizon_database_password }}',
+        'HOST': '{{ database_address }}',
+        'PORT': '{{ database_port }}'
     }
 }
-{% elif groups['memcached'] | length > 0 and not horizon_backend_database | bool %}
+{% elif horizon_session_cache_backend == 'valkey' %}
 SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
-CACHES['default']['LOCATION'] = [{% for host in groups['memcached'] %}'{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ memcached_port }}'{% if not loop.last %},{% endif %}{% endfor %}]
-CACHES['default']['OPTIONS'] = {'ignore_exc': True}
+CACHES = {
+    'default': {
+        'BACKEND': 'django_redis.cache.RedisCache',
+        'LOCATION': 'redis://{{ valkey_sentinel_monitor_name }}/0',
+        'OPTIONS': {
+            'CLIENT_CLASS': 'django_redis.client.SentinelClient',
+            'CONNECTION_FACTORY': 'django_redis.pool.SentinelConnectionFactory',
+            'SENTINELS': [
+{%     for host in groups['valkey'] %}
+                ('{{ 'api' | kolla_address(host) | put_address_in_context('url') }}', {{ valkey_sentinel_port }}),
+{%     endfor %}
+            ],
+            'PASSWORD': '{{ valkey_master_password }}',
+            'CONNECTION_POOL_KWARGS': {
+                'retry_on_timeout': True,
+            },
+            'IGNORE_EXCEPTIONS': False,
+        }
+    }
+}
+{% elif horizon_session_cache_backend == 'memcached' %}
+SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
+CACHES = {
+    'default': {
+        'BACKEND': 'django.core.cache.backends.memcached.PyMemcacheCache',
+        'LOCATION': [
+{%     for host in groups['memcached'] %}
+            '{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ memcached_port }}'{% if not loop.last %},{% endif %}
+{%     endfor %}
+        ],
+        'OPTIONS': {
+            'ignore_exc': True,
+        }
+    }
+}
 {% endif %}
 
 {% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %}
@@ -35,9 +68,9 @@ OPENSTACK_API_VERSIONS = {
 OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = {{ horizon_keystone_multidomain | bool }}
 OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = {{ 'True' if horizon_keystone_domain_choices | length > 1 else 'False' }}
 OPENSTACK_KEYSTONE_DOMAIN_CHOICES = (
-{% for key, value in horizon_keystone_domain_choices.items() %}
+    {% for key, value in horizon_keystone_domain_choices.items() %}
     ('{{ key }}', '{{ value }}'),
-{% endfor %}
+    {% endfor %}
 )
 
 LOCAL_PATH = '/tmp'
@@ -373,4 +406,3 @@ REST_API_REQUIRED_SETTINGS = [
     'OPENSTACK_KEYSTONE_BACKEND',
     'OPENSTACK_KEYSTONE_DEFAULT_DOMAIN',
 ]
-
@@ -52,19 +52,13 @@
 
 - name: Wait for Ironic nodes not to wait
   become: true
-  vars:
-    ironic_auth:
-      auth_url: "{{ openstack_auth.auth_url }}"
-      username: "{{ openstack_auth.username }}"
-      password: "{{ openstack_auth.password }}"
-      user_domain_name: "{{ openstack_auth.user_domain_name }}"
-      system_scope: "all"
   kolla_toolbox:
     container_engine: "{{ kolla_container_engine }}"
     module_name: "openstack.cloud.baremetal_node_info"
     module_args:
       region_name: "{{ openstack_region_name }}"
-      auth: "{{ ironic_auth }}"
+      auth: "{{ openstack_auth }}"
+      cloud: "{{ openstack_auth_cloud_system }}"
       interface: "{{ openstack_interface }}"
       cacert: "{{ openstack_cacert }}"
   register: ironic_nodes

@@ -48,7 +48,7 @@ keystone_services:
   keystone-httpd:
     container_name: "keystone_httpd"
     group: "keystone"
-    enabled: "{{ enable_keystone_federation | bool }}"
+    enabled: "{{ enable_keystone_federation | bool and keystone_wsgi_provider == 'uwsgi' }}"
     image: "{{ keystone_httpd_image_full }}"
     volumes: "{{ keystone_httpd_default_volumes + keystone_httpd_extra_volumes }}"
     dimensions: "{{ keystone_httpd_dimensions }}"
@@ -265,7 +265,10 @@ keystone_remote_id_attribute_oidc: "HTTP_OIDC_ISS"
 keystone_container_federation_oidc_metadata_folder: "{{ '/etc/apache2/metadata' if kolla_base_distro in ['debian', 'ubuntu'] else '/etc/httpd/metadata' }}"
 keystone_container_federation_oidc_idp_certificate_folder: "{{ '/etc/apache2/cert' if kolla_base_distro in ['debian', 'ubuntu'] else '/etc/httpd/cert' }}"
 keystone_container_federation_oidc_attribute_mappings_folder: "{{ container_config_directory }}/federation/oidc/attribute_maps"
-keystone_host_federation_base_folder: "{{ node_config_directory }}/keystone/federation"
+keystone_host_federation_base_folder: >-
+  {{ node_config_directory }}/{{
+  'keystone-httpd' if keystone_wsgi_provider == 'uwsgi' else 'keystone'
+  }}/federation
 keystone_host_federation_oidc_metadata_folder: "{{ keystone_host_federation_base_folder }}/oidc/metadata"
 keystone_host_federation_oidc_idp_certificate_folder: "{{ keystone_host_federation_base_folder }}/oidc/cert"
 keystone_host_federation_oidc_attribute_mappings_folder: "{{ keystone_host_federation_base_folder }}/oidc/attribute_maps"

@@ -3,13 +3,15 @@
   become: true
   ansible.builtin.command: >
     {{ kolla_container_engine }} exec keystone kolla_keystone_bootstrap
-    {{ openstack_auth.username }} {{ openstack_auth.password }} {{ openstack_auth.project_name }}
-    admin {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}
+    {{ keystone_admin_user }} {{ keystone_admin_password }} {{ keystone_admin_project }}
+    admin {{ keystone_internal_url }} {{ keystone_public_url }} {{ region }}
   register: keystone_bootstrap
   changed_when: (keystone_bootstrap.stdout | from_json).changed
   failed_when: (keystone_bootstrap.stdout | from_json).failed
   run_once: true
-  with_items: "{{ multiple_regions_names }}"
+  loop: "{{ multiple_regions_names }}"
+  loop_control:
+    loop_var: region
 
 - name: Register keystone service, endpoints, and users in Keystone
   ansible.builtin.import_role:
@@ -27,6 +29,7 @@
     module_args:
       name: "{{ keystone_default_user_role }}"
       auth: "{{ openstack_keystone_auth }}"
+      cloud: "{{ openstack_auth_cloud }}"
       endpoint_type: "{{ openstack_interface }}"
       cacert: "{{ openstack_cacert }}"
       region_name: "{{ openstack_region_name }}"