---
prelude: >
    This change deprecates the novajoin and the composable service that
    enables TLS-Everywhere using novajoin.  Instead, TLS Everywhere will be
    implemented using the tripleo-ipa ansible module.
upgrade:
  - This change deprecates novajoin and the service that depends on novajoin
    to enable TLS-Everywhere.  From now on, TLS-Everywhere will be set up
    using the tripleo-ansible ansible module instead.
  - When the undercloud is upgraded, for TLS Everywhere systems, a new
    composable service will run to remove the novajoin containers.
  - A pre-upgrade validation has been written to ensure that some necessary
    permissions and ACIs have been added to the IPA server.  As these changes
    require admin privileges, they cannot be automated in THT.
  - The environments/ssl/enable-internal-tls.j2.yaml file has been modified
    to automatically point to the new service that implements TLS-Everywhere
    using tripleo-ansible.  Assuming you are adding this environment file to
    your templates (which is typically the case when setting up
    TLS-Everywhere) no other changes are required.
deprecations:
  - This change deprecates novajoin, the service that deploys it on the
    undercloud, and the corresponding service that implements TLS-Everywhere
    using novajoin.  TLS everywhere will be implemented from now on using
    the tripleo-ipa ansible module instead.
  - These services are novajoin-container-puppet.yaml and
    ipaclient-baremetal-ansible.yaml
  - On undercloud upgrade, a new composable service will remove the novajoin
    and novajoin-notifier containers from the undercloud.