)]}'
{"dib/ironic-python-agent-ramdisk/install.d/ironic-python-agent-ramdisk-source-install/ironic-python-agent.conf":[{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"360cce3d1d7c5ca1c695b805a217fee0fdb6123c","unresolved":false,"context_lines":[{"line_number":19,"context_line":"    echo Starting Ironic Python Agent"},{"line_number":20,"context_line":"end script"},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"exec /usr/local/bin/ironic-python-agent --config-dir /etc/ironic-python-agent.d/"}],"source_content_type":"text/plain","patch_set":3,"id":"9f560f44_3594238b","line":22,"updated":"2020-09-07 13:05:52.000000000","message":"Could you make the same change to tinyIPA for consistency? (can be a follow-up)","commit_id":"61c2116013fbec92c0c3936e1e396509e96daeb3"}],"dib/ironic-python-agent-tls/README.rst":[{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"2e8a680838de8fb908d5255a24dfd5b0091e89cf","unresolved":false,"context_lines":[{"line_number":19,"context_line":""},{"line_number":20,"context_line":"If having a certificate generated, you can configure how it\u0027s generated:"},{"line_number":21,"context_line":" - ``DIB_IPA_CERT_HOSTNAME`` the CN for the generated"},{"line_number":22,"context_line":"   certificate. Defaults to \"ipa-ramdisk.example.com\"."},{"line_number":23,"context_line":" - ``DIB_IPA_CERT_EXPIRATION`` expiration, in days, for the certificate."},{"line_number":24,"context_line":"    Defaults to 1095 (three years)."},{"line_number":25,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"9f560f44_dfb75820","line":22,"updated":"2020-08-27 15:53:25.000000000","message":"Should we elaborate that it MUST be the actual hostname? 
And how to make callback_url contain it?","commit_id":"90237baaf9b1c524fb2090e2a5ca1ef60bbee87c"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"82332dfb1879658470744dfd4d4a01ceaa6a2b09","unresolved":false,"context_lines":[{"line_number":19,"context_line":""},{"line_number":20,"context_line":"If having a certificate generated, you can configure how it\u0027s generated:"},{"line_number":21,"context_line":" - ``DIB_IPA_CERT_HOSTNAME`` the CN for the generated"},{"line_number":22,"context_line":"   certificate. Defaults to \"ipa-ramdisk.example.com\"."},{"line_number":23,"context_line":" - ``DIB_IPA_CERT_EXPIRATION`` expiration, in days, for the certificate."},{"line_number":24,"context_line":"    Defaults to 1095 (three years)."},{"line_number":25,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"9f560f44_9f516065","line":22,"in_reply_to":"9f560f44_1fbc30b9","updated":"2020-08-27 16:12:56.000000000","message":"Well, only if you turn off host validation completely. Is it your plan?\n\nFor what I\u0027m doing I planned to use subjectAltName to provide the IP address, similar to what I\u0027m doing in https://review.opendev.org/#/c/747921/20/playbooks/roles/bifrost-tls/tasks/main.yml@29","commit_id":"90237baaf9b1c524fb2090e2a5ca1ef60bbee87c"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"ae96808b9a3de86da85c62f08a762ea7aeaf1626","unresolved":false,"context_lines":[{"line_number":19,"context_line":""},{"line_number":20,"context_line":"If having a certificate generated, you can configure how it\u0027s generated:"},{"line_number":21,"context_line":" - ``DIB_IPA_CERT_HOSTNAME`` the CN for the generated"},{"line_number":22,"context_line":"   certificate. 
Defaults to \"ipa-ramdisk.example.com\"."},{"line_number":23,"context_line":" - ``DIB_IPA_CERT_EXPIRATION`` expiration, in days, for the certificate."},{"line_number":24,"context_line":"    Defaults to 1095 (three years)."},{"line_number":25,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"9f560f44_1a039e0e","line":22,"in_reply_to":"9f560f44_7f11ec5c","updated":"2020-08-27 16:28:31.000000000","message":"In other words, the approach here is fine, let\u0027s just document that the user will have to set agent_verify_ca\u003dFalse in driver_info.","commit_id":"90237baaf9b1c524fb2090e2a5ca1ef60bbee87c"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"67ba00da0afc2a9eafdb071042a2b23c6a4c6349","unresolved":false,"context_lines":[{"line_number":19,"context_line":""},{"line_number":20,"context_line":"If having a certificate generated, you can configure how it\u0027s generated:"},{"line_number":21,"context_line":" - ``DIB_IPA_CERT_HOSTNAME`` the CN for the generated"},{"line_number":22,"context_line":"   certificate. Defaults to \"ipa-ramdisk.example.com\"."},{"line_number":23,"context_line":" - ``DIB_IPA_CERT_EXPIRATION`` expiration, in days, for the certificate."},{"line_number":24,"context_line":"    Defaults to 1095 (three years)."},{"line_number":25,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"9f560f44_bf7704d4","line":22,"in_reply_to":"9f560f44_9f516065","updated":"2020-08-27 16:22:46.000000000","message":"My assumption was:\n- You want a \"real\" cert for each IPA node. In that case, you\u0027ll likely provide DIB_IPA_*_FILE.\n- You want TLS support for IPA, without validation. In that case, hostname doesn\u0027t matter.\n\nI am not aware of many utilities that allow you to choose partial validation -- e.g. \"does the SAN/CN match hostname?\" without \"do I trust this CA?\". 
Even if tooling allows that, checking hostname on a certificate which you don\u0027t trust is of dubious additional security benefit.","commit_id":"90237baaf9b1c524fb2090e2a5ca1ef60bbee87c"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"af3110287c26b107a25cb3f06eab83ceaefd3193","unresolved":false,"context_lines":[{"line_number":19,"context_line":""},{"line_number":20,"context_line":"If having a certificate generated, you can configure how it\u0027s generated:"},{"line_number":21,"context_line":" - ``DIB_IPA_CERT_HOSTNAME`` the CN for the generated"},{"line_number":22,"context_line":"   certificate. Defaults to \"ipa-ramdisk.example.com\"."},{"line_number":23,"context_line":" - ``DIB_IPA_CERT_EXPIRATION`` expiration, in days, for the certificate."},{"line_number":24,"context_line":"    Defaults to 1095 (three years)."},{"line_number":25,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"9f560f44_7f11ec5c","line":22,"in_reply_to":"9f560f44_bf7704d4","updated":"2020-08-27 16:27:05.000000000","message":"Maybe using IP address is excessive indeed and we can just auto-generate the certificate, but, as you say, I don\u0027t know how to tell Python \"use this certificate, but don\u0027t verify host\". Meaning, you\u0027ll have to use verify\u003dFalse. 
Meaning, any certificate will match, not only the one you generate here.","commit_id":"90237baaf9b1c524fb2090e2a5ca1ef60bbee87c"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"8b0f07c373055595859a69ac4c1d3418df2fcd6b","unresolved":false,"context_lines":[{"line_number":19,"context_line":""},{"line_number":20,"context_line":"If having a certificate generated, you can configure how it\u0027s generated:"},{"line_number":21,"context_line":" - ``DIB_IPA_CERT_HOSTNAME`` the CN for the generated"},{"line_number":22,"context_line":"   certificate. Defaults to \"ipa-ramdisk.example.com\"."},{"line_number":23,"context_line":" - ``DIB_IPA_CERT_EXPIRATION`` expiration, in days, for the certificate."},{"line_number":24,"context_line":"    Defaults to 1095 (three years)."},{"line_number":25,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"9f560f44_1fbc30b9","line":22,"in_reply_to":"9f560f44_dfb75820","updated":"2020-08-27 16:04:37.000000000","message":"It\u0027s a self-signed certificate, that\u0027s being embedded (theoretically) into a single ramdisk that\u0027ll be run on multiple nodes.\n\nI don\u0027t think the hostname matters.","commit_id":"90237baaf9b1c524fb2090e2a5ca1ef60bbee87c"}],"dib/ironic-python-agent-tls/extra-data.d/10-configure-ipa-tls":[{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"f8d90c7853b1cb7c030a2d7cafe000928f6a803b","unresolved":false,"context_lines":[{"line_number":1,"context_line":"#!/bin/bash"},{"line_number":2,"context_line":""},{"line_number":3,"context_line":"KEYDIR\u003d$TMP_MOUNT_PATH/opt/ironic-python-agent.d"},{"line_number":4,"context_line":"CONFFILE\u003d$TMP_MOUNT_PATH/etc/ironic-python-agent.d/10-configure-tls.conf"},{"line_number":5,"context_line":""},{"line_number":6,"context_line":"if [[ 
-z $DIB_IPA_CERT_FILE ]] \u0026\u0026 [[ -z $DIB_IPA_KEY_FILE ]]; then"}],"source_content_type":"application/x-shellscript","patch_set":1,"id":"9f560f44_8a37a5b0","line":3,"updated":"2020-08-24 12:14:32.000000000","message":"/etc/ironic-python-agent/ looks more natural to me\n\nalso let\u0027s make sure it exists","commit_id":"bf2da2120cab075dcbd65351dfd483d79023d45f"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"a888c8cb36300e0aa650b4d13b40e95cf07d8e05","unresolved":false,"context_lines":[{"line_number":1,"context_line":"#!/bin/bash"},{"line_number":2,"context_line":""},{"line_number":3,"context_line":"KEYDIR\u003d$TMP_MOUNT_PATH/opt/ironic-python-agent.d"},{"line_number":4,"context_line":"CONFFILE\u003d$TMP_MOUNT_PATH/etc/ironic-python-agent.d/10-configure-tls.conf"},{"line_number":5,"context_line":""},{"line_number":6,"context_line":"if [[ -z $DIB_IPA_CERT_FILE ]] \u0026\u0026 [[ -z $DIB_IPA_KEY_FILE ]]; then"}],"source_content_type":"application/x-shellscript","patch_set":1,"id":"9f560f44_121587e5","line":3,"in_reply_to":"9f560f44_8a37a5b0","updated":"2020-08-24 16:17:46.000000000","message":"This is a complete typo. 
Can do the check that it exists as well.","commit_id":"bf2da2120cab075dcbd65351dfd483d79023d45f"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"f8d90c7853b1cb7c030a2d7cafe000928f6a803b","unresolved":false,"context_lines":[{"line_number":5,"context_line":""},{"line_number":6,"context_line":"if [[ -z $DIB_IPA_CERT_FILE ]] \u0026\u0026 [[ -z $DIB_IPA_KEY_FILE ]]; then"},{"line_number":7,"context_line":"    echo \"Both DIB_IPA_CERT_FILE and DIB_IPA_KEY_FILE are not set; generating self-signed cert\""},{"line_number":8,"context_line":"    openssl req -new -newkey rsa:4096 -days 1095 -nodes -x509 -subj \"/C\u003dUS/ST\u003dNA/L\u003dNA/O\u003dNA/CN\u003dipa-ramdisk.example.com\" -keyout $KEYDIR/agent.key -out $KEYDIR/agent.crt"},{"line_number":9,"context_line":"else"},{"line_number":10,"context_line":"    sudo cp $DIB_IPA_CERT_FILE $KEYDIR/agent.crt"},{"line_number":11,"context_line":"    sudo cp $DIB_IPA_KEY_FILE $KEYDIR/agent.key"}],"source_content_type":"application/x-shellscript","patch_set":1,"id":"9f560f44_6a3cd192","line":8,"updated":"2020-08-24 12:14:32.000000000","message":"ipa-ramdisk.example.com seems like something we should parameterize?\n\nand maybe the lifetime as well","commit_id":"bf2da2120cab075dcbd65351dfd483d79023d45f"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"a888c8cb36300e0aa650b4d13b40e95cf07d8e05","unresolved":false,"context_lines":[{"line_number":5,"context_line":""},{"line_number":6,"context_line":"if [[ -z $DIB_IPA_CERT_FILE ]] \u0026\u0026 [[ -z $DIB_IPA_KEY_FILE ]]; then"},{"line_number":7,"context_line":"    echo \"Both DIB_IPA_CERT_FILE and DIB_IPA_KEY_FILE are not set; generating self-signed cert\""},{"line_number":8,"context_line":"    openssl req -new -newkey rsa:4096 -days 1095 -nodes -x509 -subj 
\"/C\u003dUS/ST\u003dNA/L\u003dNA/O\u003dNA/CN\u003dipa-ramdisk.example.com\" -keyout $KEYDIR/agent.key -out $KEYDIR/agent.crt"},{"line_number":9,"context_line":"else"},{"line_number":10,"context_line":"    sudo cp $DIB_IPA_CERT_FILE $KEYDIR/agent.crt"},{"line_number":11,"context_line":"    sudo cp $DIB_IPA_KEY_FILE $KEYDIR/agent.key"}],"source_content_type":"application/x-shellscript","patch_set":1,"id":"9f560f44_92deb73b","line":8,"in_reply_to":"9f560f44_6a3cd192","updated":"2020-08-24 16:17:46.000000000","message":"Makes sense. Will-do.","commit_id":"bf2da2120cab075dcbd65351dfd483d79023d45f"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"f8d90c7853b1cb7c030a2d7cafe000928f6a803b","unresolved":false,"context_lines":[{"line_number":20,"context_line":"key_file \u003d /etc/ironic-python-agent.d/agent.key"},{"line_number":21,"context_line":"EOF"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"if [[ ! -z $DIB_IPA_CA_FILE ]]; then"},{"line_number":24,"context_line":"    echo \"DIB_IPA_CA_FILE set, configuring IPA to validate client certificates\""},{"line_number":25,"context_line":"    cp $DIB_IPA_CA_FILE $KEYDIR/agent.cacert.pem"},{"line_number":26,"context_line":"    sudo echo \"ca_file \u003d /opt/ironic-python-agent/agent.cacert.pem\" \u003e\u003e $CONFFILE"}],"source_content_type":"application/x-shellscript","patch_set":1,"id":"9f560f44_ca3d1d8f","line":23,"updated":"2020-08-24 12:14:32.000000000","message":"nit: ! -z is -n IIRC","commit_id":"bf2da2120cab075dcbd65351dfd483d79023d45f"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"f8d90c7853b1cb7c030a2d7cafe000928f6a803b","unresolved":false,"context_lines":[{"line_number":23,"context_line":"if [[ ! 
-z $DIB_IPA_CA_FILE ]]; then"},{"line_number":24,"context_line":"    echo \"DIB_IPA_CA_FILE set, configuring IPA to validate client certificates\""},{"line_number":25,"context_line":"    cp $DIB_IPA_CA_FILE $KEYDIR/agent.cacert.pem"},{"line_number":26,"context_line":"    sudo echo \"ca_file \u003d /opt/ironic-python-agent/agent.cacert.pem\" \u003e\u003e $CONFFILE"},{"line_number":27,"context_line":"fi"}],"source_content_type":"application/x-shellscript","patch_set":1,"id":"9f560f44_aa42690d","line":26,"updated":"2020-08-24 12:14:32.000000000","message":"s/opt/etc/ ?","commit_id":"bf2da2120cab075dcbd65351dfd483d79023d45f"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"a888c8cb36300e0aa650b4d13b40e95cf07d8e05","unresolved":false,"context_lines":[{"line_number":23,"context_line":"if [[ ! -z $DIB_IPA_CA_FILE ]]; then"},{"line_number":24,"context_line":"    echo \"DIB_IPA_CA_FILE set, configuring IPA to validate client certificates\""},{"line_number":25,"context_line":"    cp $DIB_IPA_CA_FILE $KEYDIR/agent.cacert.pem"},{"line_number":26,"context_line":"    sudo echo \"ca_file \u003d /opt/ironic-python-agent/agent.cacert.pem\" \u003e\u003e $CONFFILE"},{"line_number":27,"context_line":"fi"}],"source_content_type":"application/x-shellscript","patch_set":1,"id":"9f560f44_12eaa7d6","line":26,"in_reply_to":"9f560f44_aa42690d","updated":"2020-08-24 16:17:46.000000000","message":"I should also make this a *separate* conf file, since this is setup for confdir now.","commit_id":"bf2da2120cab075dcbd65351dfd483d79023d45f"}]}
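Review bot: On context line 26 of 10-configure-ipa-tls, `sudo echo "ca_file = ..." >> $CONFFILE` elevates only the `echo`; the `>>` redirection is performed by the calling user's shell, so if `$CONFFILE` under `$TMP_MOUNT_PATH` is root-owned (which the `sudo cp` on lines 10 and 11 suggests) the append fails with a permission error rather than writing the setting. The usual form is `echo "ca_file = /opt/ironic-python-agent/agent.cacert.pem" | sudo tee -a "$CONFFILE" > /dev/null`. In the same hunk, line 25 `cp $DIB_IPA_CA_FILE $KEYDIR/agent.cacert.pem` lacks the `sudo` that the cert and key copies on lines 10 and 11 use, and would fail for the same ownership reason. The quoted context for line 8 also never restricts the mode of the unencrypted (`-nodes`) `agent.key` that is generated or copied into `$KEYDIR`; if the rest of the script, which is outside the quoted context, does not do so, a `sudo chmod 0600 "$KEYDIR/agent.key"` after the openssl and cp steps would keep the baked-in private key from being world-readable inside the image.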
