)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"798adc7aad29d07994bcbc902929c23cb0284d40","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":15,"id":"fbf30f52_2f06e3f5","updated":"2021-10-15 11:16:21.000000000","message":"recheck ubuntu mirror fail","commit_id":"f0682266b486790a84a7add635637bcc8dce9a38"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"f73173f33662c35d933a77f889bc37d5d8598898","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":17,"id":"a9c3ae97_0e485cca","updated":"2022-02-10 00:09:54.000000000","message":"recheck\n\u003cclass \u0027oslo_db.exception.DBConnectionError\u0027\u003e (HTTP 500) (Request-ID: req-a24b8459-29e1-45a1-8ecc-2e06053f6a29)\n","commit_id":"c218ab6faba958d168919bec66b78014f529bea6"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"279cb301fc0e28f1abb282f734d21c287d738095","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":19,"id":"af42fe49_45a14bd8","updated":"2022-04-05 17:52:15.000000000","message":"recheck","commit_id":"fa911b116cfc1c5b59d98deb9138d7e46eec27ea"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"3fa01e28d318799ac8ca983c9dccb0ec695765c8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":19,"id":"419ee6c4_23661f79","updated":"2022-04-05 15:16:45.000000000","message":"recheck\n","commit_id":"fa911b116cfc1c5b59d98deb9138d7e46eec27ea"},{"author":{"_account_id":14200,"name":"Maksim 
Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"40e3f5498297cba5e5b821bc1fef0a40ca3b34d4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":21,"id":"fcdd4b32_44025556","updated":"2022-09-29 18:27:30.000000000","message":"recheck CI fixed, passed for Idd9a67d3b3b403ac4d705d2b9ffd2ab87567a55b","commit_id":"b83d42bc1a8d32bb85efedc2bace9c189ef4845f"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"4d1e616433c6c9937246adb60134d76c9b3aacdb","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":23,"id":"6b6b032d_1f022ac8","updated":"2023-04-02 00:29:02.000000000","message":"recheck\nbm1: Creating a server\nRequest to https://192.168.33.2:8774/v2.1/servers/9925817b-d91a-4f9b-bc1a-c9a9d737a230 timed out\n","commit_id":"638a3866087e408a9dbb3387b2f4394dbe654cea"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"cc1b95852279cdc0bb7db109ae644a6107e3cc70","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":25,"id":"5ab7f153_8242f8d9","updated":"2023-11-01 13:49:57.000000000","message":"This would be easier to review if the variable sync were separated from the CA certificate changes, but I won\u0027t block on that. The variable sync is fairly easy to approve. I\u0027m less sure about the details of the CA certificate change. 
I\u0027ll try to leave some thoughts.","commit_id":"181d62d06e4de1ef4bbd8d9c45736f0cd80fccb5"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"9e40e6b8a69aa46a4ea5b1662c72398e34eae634","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":25,"id":"fc03db5d_1c7007dd","updated":"2023-11-01 11:56:37.000000000","message":"let\u0027s wait for https://review.opendev.org/c/openstack/kayobe/+/868199\nand I\u0027ll rework this a little","commit_id":"181d62d06e4de1ef4bbd8d9c45736f0cd80fccb5"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"8915978ba4eb350aea6ef5c6ab5ea483fcf69f4b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":25,"id":"b1475768_bd4dc5a4","in_reply_to":"5ab7f153_8242f8d9","updated":"2023-11-28 00:26:16.000000000","message":"there are only 3 variables, one of them is dependent for this change, so it will be easy to review since you\u0027ve made I9e1cc20579cf80525d6ef732a1aac99a65bc171b.","commit_id":"181d62d06e4de1ef4bbd8d9c45736f0cd80fccb5"},{"author":{"_account_id":28048,"name":"Will Szumski","email":"will@stackhpc.com","username":"jovial"},"change_message_id":"10c0d4e9ab72a71672c96b40b4373db9a8929bd8","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":29,"id":"81ece067_37c9b2c2","updated":"2023-12-08 16:03:39.000000000","message":"Thanks for the patch. Copying the CA into the system trust store does look like it could be useful. My only concern is we are mixing the kolla and kayobe related variables. I\u0027m wondering if we could make it more extendable e.g:\n  \n  controller_system_cacerts: []\n  compute_system_cacerts: []\n  seed_system_cacerts: []\n  ...\n\n(open to better variable names)\n\nMy suggestion is to begin with we could add these variables as empty lists; I think that would be uncontroversial. 
But a follow up patch could propose defaults:\n\n  controller_system_cacerts:\n    # or make this a directory path? \n    - caert: \"{{ lookup(\u0027file\u0027, kayobe_env_config_path ~ \u0027/kolla/certificates/ca/root.crt\u0027)) }}\"\n      enabled: {{ kolla_internally_trusted_ca }}\"\n\nWill take a closer look in due course.","commit_id":"548760482b0d2f07a59ebe35b8a9328a8c45c37d"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"bdb6061515e78892d26175f01706ff19093435a7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":29,"id":"7cabadfb_28618e7d","updated":"2024-11-06 14:11:55.000000000","message":"please review and merge","commit_id":"548760482b0d2f07a59ebe35b8a9328a8c45c37d"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"87bebdb796e00ddd3cd81e0679dc79a08eca7f51","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":29,"id":"71c71ed7_69e34601","updated":"2023-11-28 12:51:48.000000000","message":"recheck timedatectl sees the system clock as unsynchronized","commit_id":"548760482b0d2f07a59ebe35b8a9328a8c45c37d"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"4a63f4fdca2aef31c7803519b6a8b64d6a221cf9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":29,"id":"e4913a69_fba02af0","updated":"2024-04-09 15:34:05.000000000","message":"sorry for delay in reply","commit_id":"548760482b0d2f07a59ebe35b8a9328a8c45c37d"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"a63ac9c3c76fb562eb368ad541cdcd5404b864f2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":29,"id":"c916cc13_bfc153ca","in_reply_to":"81ece067_37c9b2c2","updated":"2024-04-09 
15:33:07.000000000","message":"looks like an overkill. please propose a followup after.","commit_id":"548760482b0d2f07a59ebe35b8a9328a8c45c37d"},{"author":{"_account_id":28048,"name":"Will Szumski","email":"will@stackhpc.com","username":"jovial"},"change_message_id":"f36b751c5cc2559f6e53bd7e3ef0ca79d611ddb5","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":29,"id":"86cc066f_9810a81f","in_reply_to":"c916cc13_bfc153ca","updated":"2024-11-06 14:40:33.000000000","message":"Again, this is how I think we should implement the bit that adds certificates to the trust store. It is very strange behavior to blanket add all the kolla internal certificate authorities to the system trust store on the seed and controllers. Ordinarily, the seed should not be using internal endpoints on the control plane. This generic mechanism would allow YOU to do that if you so wished, but I don\u0027t think it is something we should encourage.\n\nI\u0027m open to adding the kolla TLS variables in a separate patch.","commit_id":"548760482b0d2f07a59ebe35b8a9328a8c45c37d"}],"ansible/group_vars/all/kolla":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"0530f3a6ec4b77f38eb03aceedd1fb0be3fd2c18","unresolved":true,"context_lines":[{"line_number":480,"context_line":"# Whether TLS is enabled for the backend services."},{"line_number":481,"context_line":"kolla_enable_tls_backend: \"no\""},{"line_number":482,"context_line":""},{"line_number":483,"context_line":"# Whether TLS connection is verified in the HAProxy."},{"line_number":484,"context_line":"kolla_verify_tls_backend: \"yes\""},{"line_number":485,"context_line":""},{"line_number":486,"context_line":"# Whether debug logging is enabled."},{"line_number":487,"context_line":"kolla_openstack_logging_debug: 
\"False\""}],"source_content_type":"application/octet-stream","patch_set":5,"id":"2d6af7ff_d15e7099","line":484,"range":{"start_line":483,"start_character":0,"end_line":484,"end_character":31},"updated":"2021-06-03 10:25:14.000000000","message":"I\u0027d rather not expose this one, since it\u0027s not recommended to change it.","commit_id":"723e62702275259d3dbb4701e1d5d91e35d8f512"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"49215f8e364986e38508919a46d0c3c529ac18f8","unresolved":true,"context_lines":[{"line_number":480,"context_line":"# Whether TLS is enabled for the backend services."},{"line_number":481,"context_line":"kolla_enable_tls_backend: \"no\""},{"line_number":482,"context_line":""},{"line_number":483,"context_line":"# Whether TLS connection is verified in the HAProxy."},{"line_number":484,"context_line":"kolla_verify_tls_backend: \"yes\""},{"line_number":485,"context_line":""},{"line_number":486,"context_line":"# Whether debug logging is enabled."},{"line_number":487,"context_line":"kolla_openstack_logging_debug: \"False\""}],"source_content_type":"application/octet-stream","patch_set":5,"id":"b832f5c1_d4c6a943","line":484,"range":{"start_line":483,"start_character":0,"end_line":484,"end_character":31},"in_reply_to":"2d6af7ff_d15e7099","updated":"2021-06-03 11:16:52.000000000","message":"But we need it. 
Can add the note \u0027Not recommended to disable.\u0027","commit_id":"723e62702275259d3dbb4701e1d5d91e35d8f512"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"be675b2a03987e6dcd2054ba4549d3ff955cb249","unresolved":false,"context_lines":[{"line_number":480,"context_line":"# Whether TLS is enabled for the backend services."},{"line_number":481,"context_line":"kolla_enable_tls_backend: \"no\""},{"line_number":482,"context_line":""},{"line_number":483,"context_line":"# Whether TLS connection is verified in the HAProxy."},{"line_number":484,"context_line":"kolla_verify_tls_backend: \"yes\""},{"line_number":485,"context_line":""},{"line_number":486,"context_line":"# Whether debug logging is enabled."},{"line_number":487,"context_line":"kolla_openstack_logging_debug: \"False\""}],"source_content_type":"application/octet-stream","patch_set":5,"id":"9b3d939e_a9240613","line":484,"range":{"start_line":483,"start_character":0,"end_line":484,"end_character":31},"in_reply_to":"8314c7d8_75a97004","updated":"2021-06-09 13:25:37.000000000","message":"Done","commit_id":"723e62702275259d3dbb4701e1d5d91e35d8f512"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"4e7ee5aac3d9118ea285bc20930497963ab26a25","unresolved":true,"context_lines":[{"line_number":480,"context_line":"# Whether TLS is enabled for the backend services."},{"line_number":481,"context_line":"kolla_enable_tls_backend: \"no\""},{"line_number":482,"context_line":""},{"line_number":483,"context_line":"# Whether TLS connection is verified in the HAProxy."},{"line_number":484,"context_line":"kolla_verify_tls_backend: \"yes\""},{"line_number":485,"context_line":""},{"line_number":486,"context_line":"# Whether debug logging is enabled."},{"line_number":487,"context_line":"kolla_openstack_logging_debug: 
\"False\""}],"source_content_type":"application/octet-stream","patch_set":5,"id":"befbe817_c0a83a5d","line":484,"range":{"start_line":483,"start_character":0,"end_line":484,"end_character":31},"in_reply_to":"b832f5c1_d4c6a943","updated":"2021-06-09 09:22:59.000000000","message":"You can set any kolla-ansible variable in etc/kayobe/kolla/globals.yml. We expose some of the main ones in kayobe, but we should not try to pass through every variable, it would be a maintenance nightmare.","commit_id":"723e62702275259d3dbb4701e1d5d91e35d8f512"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"7a3409bfde82910d876545923fc2dd66f9b1c0d5","unresolved":true,"context_lines":[{"line_number":480,"context_line":"# Whether TLS is enabled for the backend services."},{"line_number":481,"context_line":"kolla_enable_tls_backend: \"no\""},{"line_number":482,"context_line":""},{"line_number":483,"context_line":"# Whether TLS connection is verified in the HAProxy."},{"line_number":484,"context_line":"kolla_verify_tls_backend: \"yes\""},{"line_number":485,"context_line":""},{"line_number":486,"context_line":"# Whether debug logging is enabled."},{"line_number":487,"context_line":"kolla_openstack_logging_debug: \"False\""}],"source_content_type":"application/octet-stream","patch_set":5,"id":"8314c7d8_75a97004","line":484,"range":{"start_line":483,"start_character":0,"end_line":484,"end_character":31},"in_reply_to":"befbe817_c0a83a5d","updated":"2021-06-09 13:07:44.000000000","message":"For TLS we have only several options, not thousands! Have them divided to the several configuration files is a big nightmare. Also, as a Kayobe user I shouldn\u0027t know all Kolla-Ansible available extra TLS options. 
It is desirable to have them in a single place.","commit_id":"723e62702275259d3dbb4701e1d5d91e35d8f512"}],"ansible/inventory/group_vars/all/kolla":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"2502a3f14d676b84aa78a0f7ab105dc47d5befb3","unresolved":true,"context_lines":[{"line_number":643,"context_line":"# controller hosts."},{"line_number":644,"context_line":"kolla_copy_ca_into_containers: \"no\""},{"line_number":645,"context_line":""},{"line_number":646,"context_line":"# Path to a CA certificate file to use for the OS_CACERT environment variable"},{"line_number":647,"context_line":"# in the both admin-openrc.sh and public-openrc.sh files when TLS is enabled,"},{"line_number":648,"context_line":"# instead of Kolla-Ansible\u0027s default."},{"line_number":649,"context_line":"kolla_admin_openrc_cacert:"},{"line_number":650,"context_line":""},{"line_number":651,"context_line":"###############################################################################"},{"line_number":652,"context_line":"# Proxy configuration"}],"source_content_type":"application/octet-stream","patch_set":22,"id":"1757f9c9_09823334","line":649,"range":{"start_line":646,"start_character":0,"end_line":649,"end_character":26},"updated":"2022-12-20 11:12:31.000000000","message":"I\u0027ve factored out this fix into X. 
I disagree with removing kolla_external_fqdn_cacert, but I have renamed it to match.","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"e69d9c5d3451208391a8953ca9bedea3f2c9056f","unresolved":true,"context_lines":[{"line_number":643,"context_line":"# controller hosts."},{"line_number":644,"context_line":"kolla_copy_ca_into_containers: \"no\""},{"line_number":645,"context_line":""},{"line_number":646,"context_line":"# Path to a CA certificate file to use for the OS_CACERT environment variable"},{"line_number":647,"context_line":"# in the both admin-openrc.sh and public-openrc.sh files when TLS is enabled,"},{"line_number":648,"context_line":"# instead of Kolla-Ansible\u0027s default."},{"line_number":649,"context_line":"kolla_admin_openrc_cacert:"},{"line_number":650,"context_line":""},{"line_number":651,"context_line":"###############################################################################"},{"line_number":652,"context_line":"# Proxy configuration"}],"source_content_type":"application/octet-stream","patch_set":22,"id":"dc3eadba_a024df08","line":649,"range":{"start_line":646,"start_character":0,"end_line":649,"end_character":26},"in_reply_to":"1757f9c9_09823334","updated":"2022-12-20 11:13:02.000000000","message":"X\u003dhttps://review.opendev.org/c/openstack/kayobe/+/868199","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"3debc10d090199f66d3e1b851f0140f13ca75a9c","unresolved":false,"context_lines":[{"line_number":643,"context_line":"# controller hosts."},{"line_number":644,"context_line":"kolla_copy_ca_into_containers: \"no\""},{"line_number":645,"context_line":""},{"line_number":646,"context_line":"# Path to a CA certificate file to use for the OS_CACERT environment 
variable"},{"line_number":647,"context_line":"# in the both admin-openrc.sh and public-openrc.sh files when TLS is enabled,"},{"line_number":648,"context_line":"# instead of Kolla-Ansible\u0027s default."},{"line_number":649,"context_line":"kolla_admin_openrc_cacert:"},{"line_number":650,"context_line":""},{"line_number":651,"context_line":"###############################################################################"},{"line_number":652,"context_line":"# Proxy configuration"}],"source_content_type":"application/octet-stream","patch_set":22,"id":"4d742719_44d99230","line":649,"range":{"start_line":646,"start_character":0,"end_line":649,"end_character":26},"in_reply_to":"47f6598f_5e9efbad","updated":"2022-12-20 14:50:55.000000000","message":"yep, possible, but no need an extra cacert variable for this because is provides the path to the bundle which should contain all the needed CAs (system + internal + external if them differs).","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"7fa6ef605a7a3a76b1551ba9e208e7e6d8044413","unresolved":true,"context_lines":[{"line_number":643,"context_line":"# controller hosts."},{"line_number":644,"context_line":"kolla_copy_ca_into_containers: \"no\""},{"line_number":645,"context_line":""},{"line_number":646,"context_line":"# Path to a CA certificate file to use for the OS_CACERT environment variable"},{"line_number":647,"context_line":"# in the both admin-openrc.sh and public-openrc.sh files when TLS is enabled,"},{"line_number":648,"context_line":"# instead of Kolla-Ansible\u0027s default."},{"line_number":649,"context_line":"kolla_admin_openrc_cacert:"},{"line_number":650,"context_line":""},{"line_number":651,"context_line":"###############################################################################"},{"line_number":652,"context_line":"# Proxy 
configuration"}],"source_content_type":"application/octet-stream","patch_set":22,"id":"47f6598f_5e9efbad","line":649,"range":{"start_line":646,"start_character":0,"end_line":649,"end_character":26},"in_reply_to":"c6c10c3d_9455846f","updated":"2022-12-20 13:38:47.000000000","message":"It\u0027s quite possible to have a different public facing CA and internal CA. I\u0027ve done it.","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"0d44490d383059ded0c359ae1a1be1cc5b95657f","unresolved":true,"context_lines":[{"line_number":643,"context_line":"# controller hosts."},{"line_number":644,"context_line":"kolla_copy_ca_into_containers: \"no\""},{"line_number":645,"context_line":""},{"line_number":646,"context_line":"# Path to a CA certificate file to use for the OS_CACERT environment variable"},{"line_number":647,"context_line":"# in the both admin-openrc.sh and public-openrc.sh files when TLS is enabled,"},{"line_number":648,"context_line":"# instead of Kolla-Ansible\u0027s default."},{"line_number":649,"context_line":"kolla_admin_openrc_cacert:"},{"line_number":650,"context_line":""},{"line_number":651,"context_line":"###############################################################################"},{"line_number":652,"context_line":"# Proxy configuration"}],"source_content_type":"application/octet-stream","patch_set":22,"id":"c6c10c3d_9455846f","line":649,"range":{"start_line":646,"start_character":0,"end_line":649,"end_character":26},"in_reply_to":"dc3eadba_a024df08","updated":"2022-12-20 11:54:00.000000000","message":"You\u0027re incorrect, The CA is one and only for cloud. 
This is synced with K-A.","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"}],"ansible/inventory/group_vars/all/openstack":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"2502a3f14d676b84aa78a0f7ab105dc47d5befb3","unresolved":true,"context_lines":[{"line_number":28,"context_line":"  auth_url: \"{{ lookup(\u0027env\u0027, \u0027OS_AUTH_URL\u0027) }}\""},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"# Overcloud CA certificate path."},{"line_number":31,"context_line":"openstack_cacert_default: \"/etc/{{ \u0027ssl/certs/ca-certificates.crt\u0027 if kolla_base_distro in [\u0027debian\u0027, \u0027ubuntu\u0027] else \u0027pki/tls/certs/ca-bundle.crt\u0027 }}\""},{"line_number":32,"context_line":"openstack_cacert: \"{{ lookup(\u0027env\u0027, \u0027OS_CACERT\u0027) | default(openstack_cacert_default, true) }}\""},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"# Overcloud interface (public, internal, admin)."}],"source_content_type":"application/octet-stream","patch_set":22,"id":"6012f4e1_3683b06e","line":31,"range":{"start_line":31,"start_character":70,"end_line":31,"end_character":87},"updated":"2022-12-20 11:12:31.000000000","message":"This should be dependent upon the host distro, not the container distro","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"3debc10d090199f66d3e1b851f0140f13ca75a9c","unresolved":false,"context_lines":[{"line_number":28,"context_line":"  auth_url: \"{{ lookup(\u0027env\u0027, \u0027OS_AUTH_URL\u0027) }}\""},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"# Overcloud CA certificate path."},{"line_number":31,"context_line":"openstack_cacert_default: \"/etc/{{ \u0027ssl/certs/ca-certificates.crt\u0027 if kolla_base_distro in [\u0027debian\u0027, 
\u0027ubuntu\u0027] else \u0027pki/tls/certs/ca-bundle.crt\u0027 }}\""},{"line_number":32,"context_line":"openstack_cacert: \"{{ lookup(\u0027env\u0027, \u0027OS_CACERT\u0027) | default(openstack_cacert_default, true) }}\""},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"# Overcloud interface (public, internal, admin)."}],"source_content_type":"application/octet-stream","patch_set":22,"id":"b1d6af33_93e259e0","line":31,"range":{"start_line":31,"start_character":70,"end_line":31,"end_character":87},"in_reply_to":"0e5f952b_d0d91714","updated":"2022-12-20 14:50:55.000000000","message":"don\u0027t agree, as You already said, there can be different certificates signed by the different CAs, so all of them should exist in the cacert bundle.","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"0d44490d383059ded0c359ae1a1be1cc5b95657f","unresolved":true,"context_lines":[{"line_number":28,"context_line":"  auth_url: \"{{ lookup(\u0027env\u0027, \u0027OS_AUTH_URL\u0027) }}\""},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"# Overcloud CA certificate path."},{"line_number":31,"context_line":"openstack_cacert_default: \"/etc/{{ \u0027ssl/certs/ca-certificates.crt\u0027 if kolla_base_distro in [\u0027debian\u0027, \u0027ubuntu\u0027] else \u0027pki/tls/certs/ca-bundle.crt\u0027 }}\""},{"line_number":32,"context_line":"openstack_cacert: \"{{ lookup(\u0027env\u0027, \u0027OS_CACERT\u0027) | default(openstack_cacert_default, true) }}\""},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"# Overcloud interface (public, internal, admin)."}],"source_content_type":"application/octet-stream","patch_set":22,"id":"696e12db_ca40761a","line":31,"range":{"start_line":31,"start_character":70,"end_line":31,"end_character":87},"in_reply_to":"6012f4e1_3683b06e","updated":"2022-12-20 
11:54:00.000000000","message":"don\u0027t agree, there is no difference in this case. also it seems strange to have rhel like os on host and debian like os inside containers.","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"7fa6ef605a7a3a76b1551ba9e208e7e6d8044413","unresolved":true,"context_lines":[{"line_number":28,"context_line":"  auth_url: \"{{ lookup(\u0027env\u0027, \u0027OS_AUTH_URL\u0027) }}\""},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"# Overcloud CA certificate path."},{"line_number":31,"context_line":"openstack_cacert_default: \"/etc/{{ \u0027ssl/certs/ca-certificates.crt\u0027 if kolla_base_distro in [\u0027debian\u0027, \u0027ubuntu\u0027] else \u0027pki/tls/certs/ca-bundle.crt\u0027 }}\""},{"line_number":32,"context_line":"openstack_cacert: \"{{ lookup(\u0027env\u0027, \u0027OS_CACERT\u0027) | default(openstack_cacert_default, true) }}\""},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"# Overcloud interface (public, internal, admin)."}],"source_content_type":"application/octet-stream","patch_set":22,"id":"0e5f952b_d0d91714","line":31,"range":{"start_line":31,"start_character":70,"end_line":31,"end_character":87},"in_reply_to":"696e12db_ca40761a","updated":"2022-12-20 13:38:47.000000000","message":"It is strange, probably not recommended, but possible.\n\nI think what would be better is a better default in kolla-ansible for openstack_cacert, then we don\u0027t need to set it in kayobe at all. 
Using this logic:\n\n if copy_ca_into_containers:\n   openstack_cacert\u003d\u003csystem CA\u003e\n else\n   openstack_cacert\u003d\"\"\n   \n(obviously rewrite in jinja)\n\nThen openstack_cacert in kayobe could be just for the host CA file.","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"8da220aa3b526b3fe008afb4ab2a17e37fda50c1","unresolved":true,"context_lines":[{"line_number":29,"context_line":""},{"line_number":30,"context_line":"# Overcloud CA certificate path."},{"line_number":31,"context_line":"openstack_cacert_default: \"/etc/{{ \u0027ssl/certs/ca-certificates.crt\u0027 if kolla_base_distro in [\u0027debian\u0027, \u0027ubuntu\u0027] else \u0027pki/tls/certs/ca-bundle.crt\u0027 }}\""},{"line_number":32,"context_line":"openstack_cacert: \"{{ lookup(\u0027env\u0027, \u0027OS_CACERT\u0027) | default(openstack_cacert_default, true) }}\""},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"# Overcloud interface (public, internal, admin)."},{"line_number":35,"context_line":"openstack_interface: internal"}],"source_content_type":"application/octet-stream","patch_set":25,"id":"067903de_b7d18770","line":32,"updated":"2024-01-03 10:26:22.000000000","message":"Is this just working around the fact that we didn\u0027t change to use the \"new\" kolla_admin_openrc_cacert kolla ansible variable? 
If we set that variable correctly then the admin-openrc.sh file should contain the correct OS_CACERT.","commit_id":"181d62d06e4de1ef4bbd8d9c45736f0cd80fccb5"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"a63ac9c3c76fb562eb368ad541cdcd5404b864f2","unresolved":false,"context_lines":[{"line_number":29,"context_line":""},{"line_number":30,"context_line":"# Overcloud CA certificate path."},{"line_number":31,"context_line":"openstack_cacert_default: \"/etc/{{ \u0027ssl/certs/ca-certificates.crt\u0027 if kolla_base_distro in [\u0027debian\u0027, \u0027ubuntu\u0027] else \u0027pki/tls/certs/ca-bundle.crt\u0027 }}\""},{"line_number":32,"context_line":"openstack_cacert: \"{{ lookup(\u0027env\u0027, \u0027OS_CACERT\u0027) | default(openstack_cacert_default, true) }}\""},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"# Overcloud interface (public, internal, admin)."},{"line_number":35,"context_line":"openstack_interface: internal"}],"source_content_type":"application/octet-stream","patch_set":25,"id":"cd32b5bd_4f9988f5","line":32,"in_reply_to":"067903de_b7d18770","updated":"2024-04-09 15:33:07.000000000","message":"openrc files can be changed by hand in real environments so OS_CACERT should have precedence.","commit_id":"181d62d06e4de1ef4bbd8d9c45736f0cd80fccb5"}],"ansible/kolla-host.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"be102b1d3281ba5826adde1c9b751d73ff8f58db","unresolved":true,"context_lines":[{"line_number":22,"context_line":"        # with this error message."},{"line_number":23,"context_line":"        - \u0027\"Could not find the requested service\" not in result.msg\u0027"},{"line_number":24,"context_line":"      when: kolla_enable_ironic | bool"},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"- name: Update seed and controllers CA 
certificates"},{"line_number":27,"context_line":"  hosts: seed:controllers"},{"line_number":28,"context_line":"  tags:"},{"line_number":29,"context_line":"    - kolla-ansible"},{"line_number":30,"context_line":"    - kolla-host"},{"line_number":31,"context_line":"  become: true"},{"line_number":32,"context_line":"  tasks:"},{"line_number":33,"context_line":"    - name: Ensure CA certificates directory exist"},{"line_number":34,"context_line":"      stat:"},{"line_number":35,"context_line":"        path: \"{{ kolla_config_path }}/certificates/ca/\""},{"line_number":36,"context_line":"      register: ca_directory"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"    - block:"},{"line_number":39,"context_line":"        - name: Ensure CA certificates exist"},{"line_number":40,"context_line":"          copy:"},{"line_number":41,"context_line":"            src: \"{{ kolla_config_path }}/certificates/ca/\""},{"line_number":42,"context_line":"            dest: \"{{ \u0027/etc/pki/ca-trust/source/anchors/\u0027 if ansible_os_family \u003d\u003d \u0027RedHat\u0027 else \u0027/usr/local/share/ca-certificates/\u0027 }}\""},{"line_number":43,"context_line":"            mode: \"0644\""},{"line_number":44,"context_line":"          register: copy_result"},{"line_number":45,"context_line":"          when:"},{"line_number":46,"context_line":"            - kolla_copy_ca_into_containers | bool"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"        - name: Update CA certificates bundle"},{"line_number":49,"context_line":"          command: \"{{ \u0027update-ca-trust\u0027 if ansible_os_family \u003d\u003d \u0027RedHat\u0027 else \u0027update-ca-certificates\u0027 }}\""},{"line_number":50,"context_line":"          failed_when: false"},{"line_number":51,"context_line":"          when:"},{"line_number":52,"context_line":"            - kolla_copy_ca_into_containers | bool"},{"line_number":53,"context_line":"            - copy_result is 
changed"},{"line_number":54,"context_line":"      when: ca_directory.stat.isdir is defined and ca_directory.stat.isdir"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"f4fad6d2_7deb21df","line":54,"range":{"start_line":25,"start_character":0,"end_line":54,"end_character":74},"updated":"2021-06-16 08:53:14.000000000","message":"I think this is going beyond the scope and intention of kolla_copy_ca_into_containers. It\u0027s more than just syncing with kolla-ansible, I\u0027d suggest a new variable, and a new patch.","commit_id":"d06a03c9e2c3cb1b2eca34ddc2b77caf11635869"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"e12fd46e62093e3d7850c1846a60bc9bff500a79","unresolved":false,"context_lines":[{"line_number":22,"context_line":"        # with this error message."},{"line_number":23,"context_line":"        - \u0027\"Could not find the requested service\" not in result.msg\u0027"},{"line_number":24,"context_line":"      when: kolla_enable_ironic | bool"},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"- name: Update seed and controllers CA certificates"},{"line_number":27,"context_line":"  hosts: seed:controllers"},{"line_number":28,"context_line":"  tags:"},{"line_number":29,"context_line":"    - kolla-ansible"},{"line_number":30,"context_line":"    - kolla-host"},{"line_number":31,"context_line":"  become: true"},{"line_number":32,"context_line":"  tasks:"},{"line_number":33,"context_line":"    - name: Ensure CA certificates directory exist"},{"line_number":34,"context_line":"      stat:"},{"line_number":35,"context_line":"        path: \"{{ kolla_config_path }}/certificates/ca/\""},{"line_number":36,"context_line":"      register: ca_directory"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"    - block:"},{"line_number":39,"context_line":"        - name: Ensure CA certificates exist"},{"line_number":40,"context_line":"       
   copy:"},{"line_number":41,"context_line":"            src: \"{{ kolla_config_path }}/certificates/ca/\""},{"line_number":42,"context_line":"            dest: \"{{ \u0027/etc/pki/ca-trust/source/anchors/\u0027 if ansible_os_family \u003d\u003d \u0027RedHat\u0027 else \u0027/usr/local/share/ca-certificates/\u0027 }}\""},{"line_number":43,"context_line":"            mode: \"0644\""},{"line_number":44,"context_line":"          register: copy_result"},{"line_number":45,"context_line":"          when:"},{"line_number":46,"context_line":"            - kolla_copy_ca_into_containers | bool"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"        - name: Update CA certificates bundle"},{"line_number":49,"context_line":"          command: \"{{ \u0027update-ca-trust\u0027 if ansible_os_family \u003d\u003d \u0027RedHat\u0027 else \u0027update-ca-certificates\u0027 }}\""},{"line_number":50,"context_line":"          failed_when: false"},{"line_number":51,"context_line":"          when:"},{"line_number":52,"context_line":"            - kolla_copy_ca_into_containers | bool"},{"line_number":53,"context_line":"            - copy_result is changed"},{"line_number":54,"context_line":"      when: ca_directory.stat.isdir is defined and ca_directory.stat.isdir"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"7828439c_2eea6343","line":54,"range":{"start_line":25,"start_character":0,"end_line":54,"end_character":74},"in_reply_to":"35642b36_f97b52e0","updated":"2021-06-16 09:21:57.000000000","message":"Done","commit_id":"d06a03c9e2c3cb1b2eca34ddc2b77caf11635869"},{"author":{"_account_id":28048,"name":"Will Szumski","email":"will@stackhpc.com","username":"jovial"},"change_message_id":"b4b1ed221184bf49b4cf2b9da3dbe07b80ea8c63","unresolved":true,"context_lines":[{"line_number":22,"context_line":"        # with this error message."},{"line_number":23,"context_line":"        - \u0027\"Could not find the requested service\" not in 
result.msg\u0027"},{"line_number":24,"context_line":"      when: kolla_enable_ironic | bool"},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"- name: Update seed and controllers CA certificates"},{"line_number":27,"context_line":"  hosts: seed:controllers"},{"line_number":28,"context_line":"  tags:"},{"line_number":29,"context_line":"    - kolla-ansible"},{"line_number":30,"context_line":"    - kolla-host"},{"line_number":31,"context_line":"  become: true"},{"line_number":32,"context_line":"  tasks:"},{"line_number":33,"context_line":"    - name: Ensure CA certificates directory exist"},{"line_number":34,"context_line":"      stat:"},{"line_number":35,"context_line":"        path: \"{{ kolla_config_path }}/certificates/ca/\""},{"line_number":36,"context_line":"      register: ca_directory"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"    - block:"},{"line_number":39,"context_line":"        - name: Ensure CA certificates exist"},{"line_number":40,"context_line":"          copy:"},{"line_number":41,"context_line":"            src: \"{{ kolla_config_path }}/certificates/ca/\""},{"line_number":42,"context_line":"            dest: \"{{ \u0027/etc/pki/ca-trust/source/anchors/\u0027 if ansible_os_family \u003d\u003d \u0027RedHat\u0027 else \u0027/usr/local/share/ca-certificates/\u0027 }}\""},{"line_number":43,"context_line":"            mode: \"0644\""},{"line_number":44,"context_line":"          register: copy_result"},{"line_number":45,"context_line":"          when:"},{"line_number":46,"context_line":"            - kolla_copy_ca_into_containers | bool"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"        - name: Update CA certificates bundle"},{"line_number":49,"context_line":"          command: \"{{ \u0027update-ca-trust\u0027 if ansible_os_family \u003d\u003d \u0027RedHat\u0027 else \u0027update-ca-certificates\u0027 }}\""},{"line_number":50,"context_line":"          failed_when: 
false"},{"line_number":51,"context_line":"          when:"},{"line_number":52,"context_line":"            - kolla_copy_ca_into_containers | bool"},{"line_number":53,"context_line":"            - copy_result is changed"},{"line_number":54,"context_line":"      when: ca_directory.stat.isdir is defined and ca_directory.stat.isdir"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"3f814e57_07ec77a0","line":54,"range":{"start_line":25,"start_character":0,"end_line":54,"end_character":74},"in_reply_to":"7828439c_2eea6343","updated":"2024-11-06 14:51:29.000000000","message":"Agree with Mark\u0027s comments about the scope of kolla_copy_ca_into_containers","commit_id":"d06a03c9e2c3cb1b2eca34ddc2b77caf11635869"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"bf4cc59756b8f6ba612a15ef98bec569138d8d17","unresolved":true,"context_lines":[{"line_number":22,"context_line":"        # with this error message."},{"line_number":23,"context_line":"        - \u0027\"Could not find the requested service\" not in result.msg\u0027"},{"line_number":24,"context_line":"      when: kolla_enable_ironic | bool"},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"- name: Update seed and controllers CA certificates"},{"line_number":27,"context_line":"  hosts: seed:controllers"},{"line_number":28,"context_line":"  tags:"},{"line_number":29,"context_line":"    - kolla-ansible"},{"line_number":30,"context_line":"    - kolla-host"},{"line_number":31,"context_line":"  become: true"},{"line_number":32,"context_line":"  tasks:"},{"line_number":33,"context_line":"    - name: Ensure CA certificates directory exist"},{"line_number":34,"context_line":"      stat:"},{"line_number":35,"context_line":"        path: \"{{ kolla_config_path }}/certificates/ca/\""},{"line_number":36,"context_line":"      register: ca_directory"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"   
 - block:"},{"line_number":39,"context_line":"        - name: Ensure CA certificates exist"},{"line_number":40,"context_line":"          copy:"},{"line_number":41,"context_line":"            src: \"{{ kolla_config_path }}/certificates/ca/\""},{"line_number":42,"context_line":"            dest: \"{{ \u0027/etc/pki/ca-trust/source/anchors/\u0027 if ansible_os_family \u003d\u003d \u0027RedHat\u0027 else \u0027/usr/local/share/ca-certificates/\u0027 }}\""},{"line_number":43,"context_line":"            mode: \"0644\""},{"line_number":44,"context_line":"          register: copy_result"},{"line_number":45,"context_line":"          when:"},{"line_number":46,"context_line":"            - kolla_copy_ca_into_containers | bool"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"        - name: Update CA certificates bundle"},{"line_number":49,"context_line":"          command: \"{{ \u0027update-ca-trust\u0027 if ansible_os_family \u003d\u003d \u0027RedHat\u0027 else \u0027update-ca-certificates\u0027 }}\""},{"line_number":50,"context_line":"          failed_when: false"},{"line_number":51,"context_line":"          when:"},{"line_number":52,"context_line":"            - kolla_copy_ca_into_containers | bool"},{"line_number":53,"context_line":"            - copy_result is changed"},{"line_number":54,"context_line":"      when: ca_directory.stat.isdir is defined and ca_directory.stat.isdir"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"35642b36_f97b52e0","line":54,"range":{"start_line":25,"start_character":0,"end_line":54,"end_character":74},"in_reply_to":"f4fad6d2_7deb21df","updated":"2021-06-16 09:18:56.000000000","message":"don\u0027t agree! 
if we enable TLS for endpoints and didn\u0027t update CA everywhere all the tasks executed from the openstacksdk venvs will fail, so we can\u0027t split this.","commit_id":"d06a03c9e2c3cb1b2eca34ddc2b77caf11635869"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"2502a3f14d676b84aa78a0f7ab105dc47d5befb3","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- name: Update seed and controllers CA certificates"},{"line_number":3,"context_line":"  hosts: seed:controllers"},{"line_number":4,"context_line":"  tags:"}],"source_content_type":"text/x-yaml","patch_set":22,"id":"4cbe5b4d_f2992f91","line":1,"updated":"2022-12-20 11:12:31.000000000","message":"Rename playbook to e.g. ca-certs.yml","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"4dd5cc165f947730dbbdb942417e93abaf3f6a5b","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- name: Update seed and controllers CA certificates"},{"line_number":3,"context_line":"  hosts: seed:controllers"},{"line_number":4,"context_line":"  tags:"}],"source_content_type":"text/x-yaml","patch_set":22,"id":"96bdc4c9_feac4de2","line":1,"in_reply_to":"4cbe5b4d_f2992f91","updated":"2023-04-01 22:15:48.000000000","message":"this code is correctly backported to the Xena where this playbook still exist. 
I know about extended maintenance, but as I said before this change were created in Ussuri cycle and still supported by me and used in production.","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"2502a3f14d676b84aa78a0f7ab105dc47d5befb3","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- name: Update seed and controllers CA certificates"},{"line_number":3,"context_line":"  hosts: seed:controllers"},{"line_number":4,"context_line":"  tags:"},{"line_number":5,"context_line":"    - kolla-ansible"},{"line_number":6,"context_line":"    - kolla-host"}],"source_content_type":"text/x-yaml","patch_set":22,"id":"f6929080_87c7a422","line":3,"range":{"start_line":3,"start_character":9,"end_line":3,"end_character":25},"updated":"2022-12-20 11:12:31.000000000","message":"Why does the seed need these certs?","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"3debc10d090199f66d3e1b851f0140f13ca75a9c","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- name: Update seed and controllers CA certificates"},{"line_number":3,"context_line":"  hosts: seed:controllers"},{"line_number":4,"context_line":"  tags:"},{"line_number":5,"context_line":"    - kolla-ansible"},{"line_number":6,"context_line":"    - kolla-host"}],"source_content_type":"text/x-yaml","patch_set":22,"id":"cfb2b298_7c6a213c","line":3,"range":{"start_line":3,"start_character":9,"end_line":3,"end_character":25},"in_reply_to":"95a01a23_ce7cc724","updated":"2022-12-20 14:50:55.000000000","message":"yes. 
Kayobe at least have tasks which run locally and uses openstackclients (provision-net.yml for example) which would fail without correct cacerts when tls enabled.","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"7fa6ef605a7a3a76b1551ba9e208e7e6d8044413","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- name: Update seed and controllers CA certificates"},{"line_number":3,"context_line":"  hosts: seed:controllers"},{"line_number":4,"context_line":"  tags:"},{"line_number":5,"context_line":"    - kolla-ansible"},{"line_number":6,"context_line":"    - kolla-host"}],"source_content_type":"text/x-yaml","patch_set":22,"id":"95a01a23_ce7cc724","line":3,"range":{"start_line":3,"start_character":9,"end_line":3,"end_character":25},"in_reply_to":"d79adbc1_dc45c369","updated":"2022-12-20 13:38:47.000000000","message":"so you\u0027re saying the deployment host also may need the certs (which might not be the same as the seed)?","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"0d44490d383059ded0c359ae1a1be1cc5b95657f","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- name: Update seed and controllers CA certificates"},{"line_number":3,"context_line":"  hosts: seed:controllers"},{"line_number":4,"context_line":"  tags:"},{"line_number":5,"context_line":"    - kolla-ansible"},{"line_number":6,"context_line":"    - kolla-host"}],"source_content_type":"text/x-yaml","patch_set":22,"id":"d79adbc1_dc45c369","line":3,"range":{"start_line":3,"start_character":9,"end_line":3,"end_character":25},"in_reply_to":"f6929080_87c7a422","updated":"2022-12-20 11:54:00.000000000","message":"because in some 
deploys seed and deployment host can be the same host. also, seed can contain other services with TLS enabled.","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"2502a3f14d676b84aa78a0f7ab105dc47d5befb3","unresolved":true,"context_lines":[{"line_number":2,"context_line":"- name: Update seed and controllers CA certificates"},{"line_number":3,"context_line":"  hosts: seed:controllers"},{"line_number":4,"context_line":"  tags:"},{"line_number":5,"context_line":"    - kolla-ansible"},{"line_number":6,"context_line":"    - kolla-host"},{"line_number":7,"context_line":"  become: true"},{"line_number":8,"context_line":"  tasks:"},{"line_number":9,"context_line":"    - name: Ensure source CA certificates directory exist"}],"source_content_type":"text/x-yaml","patch_set":22,"id":"3c07a6b9_ba741abc","line":6,"range":{"start_line":5,"start_character":5,"end_line":6,"end_character":16},"updated":"2022-12-20 11:12:31.000000000","message":"ca-certs","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"4dd5cc165f947730dbbdb942417e93abaf3f6a5b","unresolved":false,"context_lines":[{"line_number":2,"context_line":"- name: Update seed and controllers CA certificates"},{"line_number":3,"context_line":"  hosts: seed:controllers"},{"line_number":4,"context_line":"  tags:"},{"line_number":5,"context_line":"    - kolla-ansible"},{"line_number":6,"context_line":"    - kolla-host"},{"line_number":7,"context_line":"  become: true"},{"line_number":8,"context_line":"  tasks:"},{"line_number":9,"context_line":"    - name: Ensure source CA certificates directory 
exist"}],"source_content_type":"text/x-yaml","patch_set":22,"id":"b3fe6294_53c09657","line":6,"range":{"start_line":5,"start_character":5,"end_line":6,"end_character":16},"in_reply_to":"3c07a6b9_ba741abc","updated":"2023-04-01 22:15:48.000000000","message":"ditto","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"2502a3f14d676b84aa78a0f7ab105dc47d5befb3","unresolved":true,"context_lines":[{"line_number":8,"context_line":"  tasks:"},{"line_number":9,"context_line":"    - name: Ensure source CA certificates directory exist"},{"line_number":10,"context_line":"      stat:"},{"line_number":11,"context_line":"        path: \"{{ kayobe_config_path }}/kolla/certificates/ca/\""},{"line_number":12,"context_line":"      delegate_to: localhost"},{"line_number":13,"context_line":"      run_once: true"},{"line_number":14,"context_line":"      register: ca_directory"}],"source_content_type":"text/x-yaml","patch_set":22,"id":"6245cb8e_3a63a827","line":11,"range":{"start_line":11,"start_character":18,"end_line":11,"end_character":36},"updated":"2022-12-20 11:12:31.000000000","message":"kayobe_env_config_path","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"4dd5cc165f947730dbbdb942417e93abaf3f6a5b","unresolved":false,"context_lines":[{"line_number":8,"context_line":"  tasks:"},{"line_number":9,"context_line":"    - name: Ensure source CA certificates directory exist"},{"line_number":10,"context_line":"      stat:"},{"line_number":11,"context_line":"        path: \"{{ kayobe_config_path }}/kolla/certificates/ca/\""},{"line_number":12,"context_line":"      delegate_to: localhost"},{"line_number":13,"context_line":"      run_once: true"},{"line_number":14,"context_line":"      register: 
ca_directory"}],"source_content_type":"text/x-yaml","patch_set":22,"id":"eb910ae0_04bcd5c7","line":11,"range":{"start_line":11,"start_character":18,"end_line":11,"end_character":36},"in_reply_to":"6245cb8e_3a63a827","updated":"2023-04-01 22:15:48.000000000","message":"Ack","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"2502a3f14d676b84aa78a0f7ab105dc47d5befb3","unresolved":true,"context_lines":[{"line_number":18,"context_line":"        - name: Ensure remote CA certificates exist"},{"line_number":19,"context_line":"          copy:"},{"line_number":20,"context_line":"            src: \"{{ kayobe_config_path }}/kolla/certificates/ca/\""},{"line_number":21,"context_line":"            dest: \"{{ \u0027/etc/pki/ca-trust/source/anchors/\u0027 if ansible_os_family \u003d\u003d \u0027RedHat\u0027 else \u0027/usr/local/share/ca-certificates/\u0027 }}\""},{"line_number":22,"context_line":"            mode: \"0644\""},{"line_number":23,"context_line":"          register: copy_result"},{"line_number":24,"context_line":"          when:"}],"source_content_type":"text/x-yaml","patch_set":22,"id":"beec8145_c8268834","line":21,"range":{"start_line":21,"start_character":61,"end_line":21,"end_character":78},"updated":"2022-12-20 11:12:31.000000000","message":"ansible_facts.os_family","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"0d44490d383059ded0c359ae1a1be1cc5b95657f","unresolved":false,"context_lines":[{"line_number":18,"context_line":"        - name: Ensure remote CA certificates exist"},{"line_number":19,"context_line":"          copy:"},{"line_number":20,"context_line":"            src: \"{{ kayobe_config_path }}/kolla/certificates/ca/\""},{"line_number":21,"context_line":"            dest: \"{{ 
\u0027/etc/pki/ca-trust/source/anchors/\u0027 if ansible_os_family \u003d\u003d \u0027RedHat\u0027 else \u0027/usr/local/share/ca-certificates/\u0027 }}\""},{"line_number":22,"context_line":"            mode: \"0644\""},{"line_number":23,"context_line":"          register: copy_result"},{"line_number":24,"context_line":"          when:"}],"source_content_type":"text/x-yaml","patch_set":22,"id":"dfaff290_9b71869f","line":21,"range":{"start_line":21,"start_character":61,"end_line":21,"end_character":78},"in_reply_to":"beec8145_c8268834","updated":"2022-12-20 11:54:00.000000000","message":"correct. will fix it.","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"8da220aa3b526b3fe008afb4ab2a17e37fda50c1","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- name: Update seed and controllers CA certificates"},{"line_number":3,"context_line":"  hosts: seed:controllers"},{"line_number":4,"context_line":"  tags:"},{"line_number":5,"context_line":"    - kolla-ansible"},{"line_number":6,"context_line":"    - kolla-host"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"ef4d4eb4_00a84900","line":3,"updated":"2024-01-03 10:26:22.000000000","message":"I don\u0027t think the seed needs to be included here.","commit_id":"181d62d06e4de1ef4bbd8d9c45736f0cd80fccb5"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"a63ac9c3c76fb562eb368ad541cdcd5404b864f2","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- name: Update seed and controllers CA certificates"},{"line_number":3,"context_line":"  hosts: seed:controllers"},{"line_number":4,"context_line":"  tags:"},{"line_number":5,"context_line":"    - kolla-ansible"},{"line_number":6,"context_line":" 
   - kolla-host"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"f615c4d4_64a63659","line":3,"in_reply_to":"ef4d4eb4_00a84900","updated":"2024-04-09 15:33:07.000000000","message":"the seed, along with the controllers (at least the 1st one), is used to issue API calls, so an operator can also use, for example, the \u0027curl\u0027 command on the host, and it would fail without CA certs. some configurations (mine for example) have a combined seed and deployment host, so it should have the CA certs.","commit_id":"181d62d06e4de1ef4bbd8d9c45736f0cd80fccb5"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"8da220aa3b526b3fe008afb4ab2a17e37fda50c1","unresolved":true,"context_lines":[{"line_number":8,"context_line":"  tasks:"},{"line_number":9,"context_line":"    - name: Ensure source CA certificates directory exist"},{"line_number":10,"context_line":"      stat:"},{"line_number":11,"context_line":"        path: \"{{ kayobe_env_config_path }}/kolla/certificates/ca/\""},{"line_number":12,"context_line":"      delegate_to: localhost"},{"line_number":13,"context_line":"      run_once: true"},{"line_number":14,"context_line":"      register: ca_directory"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"307a5393_c961f919","line":11,"updated":"2024-01-03 10:26:22.000000000","message":"If this was a variable (with this default) it could be more flexible. 
cacert_local_path?","commit_id":"181d62d06e4de1ef4bbd8d9c45736f0cd80fccb5"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"a63ac9c3c76fb562eb368ad541cdcd5404b864f2","unresolved":false,"context_lines":[{"line_number":8,"context_line":"  tasks:"},{"line_number":9,"context_line":"    - name: Ensure source CA certificates directory exist"},{"line_number":10,"context_line":"      stat:"},{"line_number":11,"context_line":"        path: \"{{ kayobe_env_config_path }}/kolla/certificates/ca/\""},{"line_number":12,"context_line":"      delegate_to: localhost"},{"line_number":13,"context_line":"      run_once: true"},{"line_number":14,"context_line":"      register: ca_directory"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"5433aba4_8b31a12f","line":11,"in_reply_to":"307a5393_c961f919","updated":"2024-04-09 15:33:07.000000000","message":"not sure. no need in a new variable.","commit_id":"181d62d06e4de1ef4bbd8d9c45736f0cd80fccb5"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"8da220aa3b526b3fe008afb4ab2a17e37fda50c1","unresolved":true,"context_lines":[{"line_number":18,"context_line":"        - name: Ensure remote CA certificates exist"},{"line_number":19,"context_line":"          copy:"},{"line_number":20,"context_line":"            src: \"{{ kayobe_env_config_path }}/kolla/certificates/ca/\""},{"line_number":21,"context_line":"            dest: \"{{ \u0027/etc/pki/ca-trust/source/anchors/\u0027 if ansible_facts.os_family \u003d\u003d \u0027RedHat\u0027 else \u0027/usr/local/share/ca-certificates/\u0027 }}\""},{"line_number":22,"context_line":"            mode: \"0644\""},{"line_number":23,"context_line":"          register: copy_result"},{"line_number":24,"context_line":"          
when:"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"8aa3ff32_9cee20f8","line":21,"updated":"2024-01-03 10:26:22.000000000","message":"The Kolla copy_cacerts.sh script [1] adds a kolla-customca- prefix to all copied CA files. This avoids collisions with other CA files and allows them to be removed (it first removes all matching files). I think this is useful and important behaviour to allow us to remove a CA from the trust store.\n\n[1] https://opendev.org/openstack/kolla/src/branch/master/docker/base/copy_cacerts.sh","commit_id":"181d62d06e4de1ef4bbd8d9c45736f0cd80fccb5"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"a63ac9c3c76fb562eb368ad541cdcd5404b864f2","unresolved":false,"context_lines":[{"line_number":18,"context_line":"        - name: Ensure remote CA certificates exist"},{"line_number":19,"context_line":"          copy:"},{"line_number":20,"context_line":"            src: \"{{ kayobe_env_config_path }}/kolla/certificates/ca/\""},{"line_number":21,"context_line":"            dest: \"{{ \u0027/etc/pki/ca-trust/source/anchors/\u0027 if ansible_facts.os_family \u003d\u003d \u0027RedHat\u0027 else \u0027/usr/local/share/ca-certificates/\u0027 }}\""},{"line_number":22,"context_line":"            mode: \"0644\""},{"line_number":23,"context_line":"          register: copy_result"},{"line_number":24,"context_line":"          when:"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"0881819a_0f1c7b05","line":21,"in_reply_to":"8aa3ff32_9cee20f8","updated":"2024-04-09 15:33:07.000000000","message":"should we need to restart containers? 
imho the bad idea.","commit_id":"181d62d06e4de1ef4bbd8d9c45736f0cd80fccb5"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"8da220aa3b526b3fe008afb4ab2a17e37fda50c1","unresolved":true,"context_lines":[{"line_number":22,"context_line":"            mode: \"0644\""},{"line_number":23,"context_line":"          register: copy_result"},{"line_number":24,"context_line":"          when:"},{"line_number":25,"context_line":"            - kolla_copy_ca_into_containers | bool"},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"        - name: Update CA certificates bundle"},{"line_number":28,"context_line":"          command: \"{{ \u0027update-ca-trust\u0027 if ansible_os_family \u003d\u003d \u0027RedHat\u0027 else \u0027update-ca-certificates\u0027 }}\""}],"source_content_type":"text/x-yaml","patch_set":25,"id":"adb29a1e_6c902338","line":25,"updated":"2024-01-03 10:26:22.000000000","message":"Let\u0027s make another variable for the host CA certs. It could take kolla_copy_ca_into_containers as the default. 
cacert_copy_into_host?","commit_id":"181d62d06e4de1ef4bbd8d9c45736f0cd80fccb5"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"a63ac9c3c76fb562eb368ad541cdcd5404b864f2","unresolved":false,"context_lines":[{"line_number":22,"context_line":"            mode: \"0644\""},{"line_number":23,"context_line":"          register: copy_result"},{"line_number":24,"context_line":"          when:"},{"line_number":25,"context_line":"            - kolla_copy_ca_into_containers | bool"},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"        - name: Update CA certificates bundle"},{"line_number":28,"context_line":"          command: \"{{ \u0027update-ca-trust\u0027 if ansible_os_family \u003d\u003d \u0027RedHat\u0027 else \u0027update-ca-certificates\u0027 }}\""}],"source_content_type":"text/x-yaml","patch_set":25,"id":"6fb0069f_f3467a76","line":25,"in_reply_to":"adb29a1e_6c902338","updated":"2024-04-09 15:33:07.000000000","message":"not sure. 
the same about a new variable.","commit_id":"181d62d06e4de1ef4bbd8d9c45736f0cd80fccb5"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"8da220aa3b526b3fe008afb4ab2a17e37fda50c1","unresolved":true,"context_lines":[{"line_number":26,"context_line":""},{"line_number":27,"context_line":"        - name: Update CA certificates bundle"},{"line_number":28,"context_line":"          command: \"{{ \u0027update-ca-trust\u0027 if ansible_os_family \u003d\u003d \u0027RedHat\u0027 else \u0027update-ca-certificates\u0027 }}\""},{"line_number":29,"context_line":"          failed_when: false"},{"line_number":30,"context_line":"          when:"},{"line_number":31,"context_line":"            - kolla_copy_ca_into_containers | bool"},{"line_number":32,"context_line":"            - copy_result is changed"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"fd894af0_d4a4ad5a","line":29,"updated":"2024-01-03 10:26:22.000000000","message":"Why might it fail?","commit_id":"181d62d06e4de1ef4bbd8d9c45736f0cd80fccb5"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"a63ac9c3c76fb562eb368ad541cdcd5404b864f2","unresolved":false,"context_lines":[{"line_number":26,"context_line":""},{"line_number":27,"context_line":"        - name: Update CA certificates bundle"},{"line_number":28,"context_line":"          command: \"{{ \u0027update-ca-trust\u0027 if ansible_os_family \u003d\u003d \u0027RedHat\u0027 else \u0027update-ca-certificates\u0027 }}\""},{"line_number":29,"context_line":"          failed_when: false"},{"line_number":30,"context_line":"          when:"},{"line_number":31,"context_line":"            - kolla_copy_ca_into_containers | bool"},{"line_number":32,"context_line":"            - copy_result is 
changed"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"48bd1c7a_49c91a15","line":29,"in_reply_to":"fd894af0_d4a4ad5a","updated":"2024-04-09 15:33:07.000000000","message":"yep. the ca-certificates package may be broken or removed, for example on upgrade. I faced such an issue years ago... anyway, this is an external command which can fail.","commit_id":"181d62d06e4de1ef4bbd8d9c45736f0cd80fccb5"}],"ansible/overcloud-host-configure.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"8da220aa3b526b3fe008afb4ab2a17e37fda50c1","unresolved":true,"context_lines":[{"line_number":27,"context_line":"- import_playbook: \"kolla-pip.yml\""},{"line_number":28,"context_line":"- import_playbook: \"kolla-target-venv.yml\""},{"line_number":29,"context_line":"- import_playbook: \"kolla-packages.yml\""},{"line_number":30,"context_line":"- import_playbook: \"kolla-host.yml\""},{"line_number":31,"context_line":"- import_playbook: \"docker.yml\""},{"line_number":32,"context_line":"- import_playbook: \"apparmor-libvirt.yml\""},{"line_number":33,"context_line":"- import_playbook: \"swift-block-devices.yml\""}],"source_content_type":"text/x-yaml","patch_set":25,"id":"1a74e06c_436f59b9","line":30,"updated":"2024-01-03 10:26:22.000000000","message":"cacert.yml would be more specific.","commit_id":"181d62d06e4de1ef4bbd8d9c45736f0cd80fccb5"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"a63ac9c3c76fb562eb368ad541cdcd5404b864f2","unresolved":false,"context_lines":[{"line_number":27,"context_line":"- import_playbook: \"kolla-pip.yml\""},{"line_number":28,"context_line":"- import_playbook: \"kolla-target-venv.yml\""},{"line_number":29,"context_line":"- import_playbook: \"kolla-packages.yml\""},{"line_number":30,"context_line":"- import_playbook: \"kolla-host.yml\""},{"line_number":31,"context_line":"- 
import_playbook: \"docker.yml\""},{"line_number":32,"context_line":"- import_playbook: \"apparmor-libvirt.yml\""},{"line_number":33,"context_line":"- import_playbook: \"swift-block-devices.yml\""}],"source_content_type":"text/x-yaml","patch_set":25,"id":"7d5697fb_55f874de","line":30,"in_reply_to":"1a74e06c_436f59b9","updated":"2024-04-09 15:33:07.000000000","message":"it is for backward compatibility. as I said before, we have used and backported this for a long time, since Ussuri.","commit_id":"181d62d06e4de1ef4bbd8d9c45736f0cd80fccb5"}],"ansible/roles/kolla-ansible/vars/Debian.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"2502a3f14d676b84aa78a0f7ab105dc47d5befb3","unresolved":true,"context_lines":[{"line_number":7,"context_line":"  - python3-dev"},{"line_number":8,"context_line":"  - python3-pip"},{"line_number":9,"context_line":"  - python3-venv"},{"line_number":10,"context_line":"  - ca-certificates"}],"source_content_type":"text/x-yaml","patch_set":22,"id":"70b5641f_b691899e","line":10,"range":{"start_line":10,"start_character":3,"end_line":10,"end_character":19},"updated":"2022-12-20 11:12:31.000000000","message":"This is on the Ansible control host. 
Is it necessary there?","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"0d44490d383059ded0c359ae1a1be1cc5b95657f","unresolved":false,"context_lines":[{"line_number":7,"context_line":"  - python3-dev"},{"line_number":8,"context_line":"  - python3-pip"},{"line_number":9,"context_line":"  - python3-venv"},{"line_number":10,"context_line":"  - ca-certificates"}],"source_content_type":"text/x-yaml","patch_set":22,"id":"df7883eb_343ce1f3","line":10,"range":{"start_line":10,"start_character":3,"end_line":10,"end_character":19},"in_reply_to":"70b5641f_b691899e","updated":"2022-12-20 11:54:00.000000000","message":"answered above.","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"8da220aa3b526b3fe008afb4ab2a17e37fda50c1","unresolved":true,"context_lines":[{"line_number":8,"context_line":"  - python3-pip"},{"line_number":9,"context_line":"  - python3-venv"},{"line_number":10,"context_line":"  - rsync"},{"line_number":11,"context_line":"  - ca-certificates"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"d100bdb0_793fd9d4","line":11,"updated":"2024-01-03 10:26:22.000000000","message":"This affects only the Ansible control host. 
Do we need it on other hosts as well?","commit_id":"181d62d06e4de1ef4bbd8d9c45736f0cd80fccb5"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"a63ac9c3c76fb562eb368ad541cdcd5404b864f2","unresolved":false,"context_lines":[{"line_number":8,"context_line":"  - python3-pip"},{"line_number":9,"context_line":"  - python3-venv"},{"line_number":10,"context_line":"  - rsync"},{"line_number":11,"context_line":"  - ca-certificates"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"1284dfa9_19b2be80","line":11,"in_reply_to":"d100bdb0_793fd9d4","updated":"2024-04-09 15:33:07.000000000","message":"ditto.","commit_id":"181d62d06e4de1ef4bbd8d9c45736f0cd80fccb5"}],"ansible/roles/public-openrc/templates/public-openrc.sh.j2":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"0530f3a6ec4b77f38eb03aceedd1fb0be3fd2c18","unresolved":true,"context_lines":[{"line_number":11,"context_line":"export OS_MANILA_ENDPOINT_TYPE\u003dpublicURL"},{"line_number":12,"context_line":"{% elif \"export OS_MISTRAL_ENDPOINT_TYPE\" in line %}"},{"line_number":13,"context_line":"export OS_MISTRAL_ENDPOINT_TYPE\u003dpublicURL"},{"line_number":14,"context_line":"{% elif \"export OS_CACERT\" in line and kolla_external_fqdn_cacert is not none %}"},{"line_number":15,"context_line":"export OS_CACERT\u003d{{ kolla_external_fqdn_cacert }}"},{"line_number":16,"context_line":"{% else %}"},{"line_number":17,"context_line":"{{ line }}"},{"line_number":18,"context_line":"{% endif %}"}],"source_content_type":"text/x-jinja2","patch_set":5,"id":"c5a37adf_45a74c8e","side":"PARENT","line":15,"range":{"start_line":14,"start_character":0,"end_line":15,"end_character":49},"updated":"2021-06-03 10:25:14.000000000","message":"There is potentially a case in Kayobe where you want a different CA cert file for the admin and public endpoints. 
The option does not exist in Kolla Ansible, since it only generates admin-openrc.sh. Perhaps we need to keep kolla_external_fqdn_cacert in Kayobe?","commit_id":"1e14fa3a24fa64b84cc993c985e696a9cba78dea"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"e37496c13f301fbb5dad4e8ee86e2852048dfb0f","unresolved":true,"context_lines":[{"line_number":11,"context_line":"export OS_MANILA_ENDPOINT_TYPE\u003dpublicURL"},{"line_number":12,"context_line":"{% elif \"export OS_MISTRAL_ENDPOINT_TYPE\" in line %}"},{"line_number":13,"context_line":"export OS_MISTRAL_ENDPOINT_TYPE\u003dpublicURL"},{"line_number":14,"context_line":"{% elif \"export OS_CACERT\" in line and kolla_external_fqdn_cacert is not none %}"},{"line_number":15,"context_line":"export OS_CACERT\u003d{{ kolla_external_fqdn_cacert }}"},{"line_number":16,"context_line":"{% else %}"},{"line_number":17,"context_line":"{{ line }}"},{"line_number":18,"context_line":"{% endif %}"}],"source_content_type":"text/x-jinja2","patch_set":5,"id":"ca615adf_e9100c07","side":"PARENT","line":15,"range":{"start_line":14,"start_character":0,"end_line":15,"end_character":49},"in_reply_to":"00acc8d9_f2409ba1","updated":"2021-06-09 09:25:48.000000000","message":"Kolla ansible removed the different variables, because it only generates one file - admin-openrc.sh. 
However, kayobe also generates public-openrc.sh, which provides admin credentials on the public endpoint.","commit_id":"1e14fa3a24fa64b84cc993c985e696a9cba78dea"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"be102b1d3281ba5826adde1c9b751d73ff8f58db","unresolved":true,"context_lines":[{"line_number":11,"context_line":"export OS_MANILA_ENDPOINT_TYPE\u003dpublicURL"},{"line_number":12,"context_line":"{% elif \"export OS_MISTRAL_ENDPOINT_TYPE\" in line %}"},{"line_number":13,"context_line":"export OS_MISTRAL_ENDPOINT_TYPE\u003dpublicURL"},{"line_number":14,"context_line":"{% elif \"export OS_CACERT\" in line and kolla_external_fqdn_cacert is not none %}"},{"line_number":15,"context_line":"export OS_CACERT\u003d{{ kolla_external_fqdn_cacert }}"},{"line_number":16,"context_line":"{% else %}"},{"line_number":17,"context_line":"{{ line }}"},{"line_number":18,"context_line":"{% endif %}"}],"source_content_type":"text/x-jinja2","patch_set":5,"id":"86c21053_04120a92","side":"PARENT","line":15,"range":{"start_line":14,"start_character":0,"end_line":15,"end_character":49},"in_reply_to":"15826d71_51218213","updated":"2021-06-16 08:53:14.000000000","message":"Kolla Ansible never uses the public API, so it does not need to know about a CA cert that might be required for it.","commit_id":"1e14fa3a24fa64b84cc993c985e696a9cba78dea"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"0dda454c20ffce31edd92c866f14964757a4d961","unresolved":true,"context_lines":[{"line_number":11,"context_line":"export OS_MANILA_ENDPOINT_TYPE\u003dpublicURL"},{"line_number":12,"context_line":"{% elif \"export OS_MISTRAL_ENDPOINT_TYPE\" in line %}"},{"line_number":13,"context_line":"export OS_MISTRAL_ENDPOINT_TYPE\u003dpublicURL"},{"line_number":14,"context_line":"{% elif \"export OS_CACERT\" in line and kolla_external_fqdn_cacert is not none 
%}"},{"line_number":15,"context_line":"export OS_CACERT\u003d{{ kolla_external_fqdn_cacert }}"},{"line_number":16,"context_line":"{% else %}"},{"line_number":17,"context_line":"{{ line }}"},{"line_number":18,"context_line":"{% endif %}"}],"source_content_type":"text/x-jinja2","patch_set":5,"id":"89c5f811_45d78ec8","side":"PARENT","line":15,"range":{"start_line":14,"start_character":0,"end_line":15,"end_character":49},"in_reply_to":"687d6130_68c5e4f0","updated":"2021-06-09 13:11:41.000000000","message":"Well in this case \"they\" is me, and I can tell you it is because we had two variables to perform one task 😊\n\nThat is the default system trust store, but it\u0027s also possible to specify another location for most tools, e.g. OS_CACERT for openstack clients (which don\u0027t default to use the system trust store, else we wouldn\u0027t be having this conversation)","commit_id":"1e14fa3a24fa64b84cc993c985e696a9cba78dea"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"bf4cc59756b8f6ba612a15ef98bec569138d8d17","unresolved":true,"context_lines":[{"line_number":11,"context_line":"export OS_MANILA_ENDPOINT_TYPE\u003dpublicURL"},{"line_number":12,"context_line":"{% elif \"export OS_MISTRAL_ENDPOINT_TYPE\" in line %}"},{"line_number":13,"context_line":"export OS_MISTRAL_ENDPOINT_TYPE\u003dpublicURL"},{"line_number":14,"context_line":"{% elif \"export OS_CACERT\" in line and kolla_external_fqdn_cacert is not none %}"},{"line_number":15,"context_line":"export OS_CACERT\u003d{{ kolla_external_fqdn_cacert }}"},{"line_number":16,"context_line":"{% else %}"},{"line_number":17,"context_line":"{{ line }}"},{"line_number":18,"context_line":"{% endif %}"}],"source_content_type":"text/x-jinja2","patch_set":5,"id":"ac096581_4ac56efe","side":"PARENT","line":15,"range":{"start_line":14,"start_character":0,"end_line":15,"end_character":49},"in_reply_to":"86c21053_04120a92","updated":"2021-06-16 
09:18:56.000000000","message":"yep, so we don\u0027t need kolla_external_fqdn_cacert and need only one CA.","commit_id":"1e14fa3a24fa64b84cc993c985e696a9cba78dea"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"7aaf8a4f06eef0cba1f51ee8432acd72faaa0efa","unresolved":true,"context_lines":[{"line_number":11,"context_line":"export OS_MANILA_ENDPOINT_TYPE\u003dpublicURL"},{"line_number":12,"context_line":"{% elif \"export OS_MISTRAL_ENDPOINT_TYPE\" in line %}"},{"line_number":13,"context_line":"export OS_MISTRAL_ENDPOINT_TYPE\u003dpublicURL"},{"line_number":14,"context_line":"{% elif \"export OS_CACERT\" in line and kolla_external_fqdn_cacert is not none %}"},{"line_number":15,"context_line":"export OS_CACERT\u003d{{ kolla_external_fqdn_cacert }}"},{"line_number":16,"context_line":"{% else %}"},{"line_number":17,"context_line":"{{ line }}"},{"line_number":18,"context_line":"{% endif %}"}],"source_content_type":"text/x-jinja2","patch_set":5,"id":"15826d71_51218213","side":"PARENT","line":15,"range":{"start_line":14,"start_character":0,"end_line":15,"end_character":49},"in_reply_to":"89c5f811_45d78ec8","updated":"2021-06-09 13:24:45.000000000","message":"\"they\" I mean variables) Okay, You did the correct change in the Kolla-Ansible, no matter what the purpose. 
Could You please provide the real case when in the Kayobe You can use the two different CA stores when the Kolla-Ansible used by it deployed OpenStack with only one?!","commit_id":"1e14fa3a24fa64b84cc993c985e696a9cba78dea"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"4e87cd9794185bfd43f59855d21d500e364859bd","unresolved":false,"context_lines":[{"line_number":11,"context_line":"export OS_MANILA_ENDPOINT_TYPE\u003dpublicURL"},{"line_number":12,"context_line":"{% elif \"export OS_MISTRAL_ENDPOINT_TYPE\" in line %}"},{"line_number":13,"context_line":"export OS_MISTRAL_ENDPOINT_TYPE\u003dpublicURL"},{"line_number":14,"context_line":"{% elif \"export OS_CACERT\" in line and kolla_external_fqdn_cacert is not none %}"},{"line_number":15,"context_line":"export OS_CACERT\u003d{{ kolla_external_fqdn_cacert }}"},{"line_number":16,"context_line":"{% else %}"},{"line_number":17,"context_line":"{{ line }}"},{"line_number":18,"context_line":"{% endif %}"}],"source_content_type":"text/x-jinja2","patch_set":5,"id":"33bb9151_605083a4","side":"PARENT","line":15,"range":{"start_line":14,"start_character":0,"end_line":15,"end_character":49},"in_reply_to":"ac096581_4ac56efe","updated":"2021-10-15 09:45:26.000000000","message":"Done","commit_id":"1e14fa3a24fa64b84cc993c985e696a9cba78dea"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"49215f8e364986e38508919a46d0c3c529ac18f8","unresolved":true,"context_lines":[{"line_number":11,"context_line":"export OS_MANILA_ENDPOINT_TYPE\u003dpublicURL"},{"line_number":12,"context_line":"{% elif \"export OS_MISTRAL_ENDPOINT_TYPE\" in line %}"},{"line_number":13,"context_line":"export OS_MISTRAL_ENDPOINT_TYPE\u003dpublicURL"},{"line_number":14,"context_line":"{% elif \"export OS_CACERT\" in line and kolla_external_fqdn_cacert is not none 
%}"},{"line_number":15,"context_line":"export OS_CACERT\u003d{{ kolla_external_fqdn_cacert }}"},{"line_number":16,"context_line":"{% else %}"},{"line_number":17,"context_line":"{{ line }}"},{"line_number":18,"context_line":"{% endif %}"}],"source_content_type":"text/x-jinja2","patch_set":5,"id":"00acc8d9_f2409ba1","side":"PARENT","line":15,"range":{"start_line":14,"start_character":0,"end_line":15,"end_character":49},"in_reply_to":"c5a37adf_45a74c8e","updated":"2021-06-03 11:16:52.000000000","message":"this is not the case, there is no problem adding all possible CAs to the one bundle because each is unique! btw kolla-ansible already removed the different variables, which are not usable anymore!","commit_id":"1e14fa3a24fa64b84cc993c985e696a9cba78dea"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"7a3409bfde82910d876545923fc2dd66f9b1c0d5","unresolved":true,"context_lines":[{"line_number":11,"context_line":"export OS_MANILA_ENDPOINT_TYPE\u003dpublicURL"},{"line_number":12,"context_line":"{% elif \"export OS_MISTRAL_ENDPOINT_TYPE\" in line %}"},{"line_number":13,"context_line":"export OS_MISTRAL_ENDPOINT_TYPE\u003dpublicURL"},{"line_number":14,"context_line":"{% elif \"export OS_CACERT\" in line and kolla_external_fqdn_cacert is not none %}"},{"line_number":15,"context_line":"export OS_CACERT\u003d{{ kolla_external_fqdn_cacert }}"},{"line_number":16,"context_line":"{% else %}"},{"line_number":17,"context_line":"{{ line }}"},{"line_number":18,"context_line":"{% endif %}"}],"source_content_type":"text/x-jinja2","patch_set":5,"id":"687d6130_68c5e4f0","side":"PARENT","line":15,"range":{"start_line":14,"start_character":0,"end_line":15,"end_character":49},"in_reply_to":"ca615adf_e9100c07","updated":"2021-06-09 13:07:44.000000000","message":"They removed in the Kolla-Ansible not because of one openrc file. 
This is because in the Linux OS we have only one place for the CA bundle, it can be optionally changed (for testing purposes for example), but by default in most cases this is /etc/ssl/certs/ca-certificates.crt or /etc/pki/tls/certs/ca-bundle.crt no matter which endpoint used for connection.","commit_id":"1e14fa3a24fa64b84cc993c985e696a9cba78dea"}],"doc/source/configuration/reference/kolla-ansible.rst":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"2502a3f14d676b84aa78a0f7ab105dc47d5befb3","unresolved":true,"context_lines":[{"line_number":386,"context_line":"       backend-cert.pem"},{"line_number":387,"context_line":"       backend-key.pem"},{"line_number":388,"context_line":""},{"line_number":389,"context_line":"See the :kolla-ansible-doc:`Kolla Ansible documentation\u003cadmin/tls.html\u003e` for"},{"line_number":390,"context_line":"how to provide service and/or host-specific certificates and keys."},{"line_number":391,"context_line":""},{"line_number":392,"context_line":"Custom Global Variables"},{"line_number":393,"context_line":"-----------------------"}],"source_content_type":"text/x-rst","patch_set":22,"id":"3c22fdb0_752bc542","line":390,"range":{"start_line":389,"start_character":0,"end_line":390,"end_character":66},"updated":"2022-12-20 11:12:31.000000000","message":"Please pull out into a fix we can backport","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"0d44490d383059ded0c359ae1a1be1cc5b95657f","unresolved":true,"context_lines":[{"line_number":386,"context_line":"       backend-cert.pem"},{"line_number":387,"context_line":"       backend-key.pem"},{"line_number":388,"context_line":""},{"line_number":389,"context_line":"See the :kolla-ansible-doc:`Kolla Ansible documentation\u003cadmin/tls.html\u003e` 
for"},{"line_number":390,"context_line":"how to provide service and/or host-specific certificates and keys."},{"line_number":391,"context_line":""},{"line_number":392,"context_line":"Custom Global Variables"},{"line_number":393,"context_line":"-----------------------"}],"source_content_type":"text/x-rst","patch_set":22,"id":"cea82c54_547981e9","line":390,"range":{"start_line":389,"start_character":0,"end_line":390,"end_character":66},"in_reply_to":"3c22fdb0_752bc542","updated":"2022-12-20 11:54:00.000000000","message":"I backport this to Xena since first release till today.","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"231c05cbc8d6cd9151e0937e9a44764383b1f48a","unresolved":false,"context_lines":[{"line_number":386,"context_line":"       backend-cert.pem"},{"line_number":387,"context_line":"       backend-key.pem"},{"line_number":388,"context_line":""},{"line_number":389,"context_line":"See the :kolla-ansible-doc:`Kolla Ansible documentation\u003cadmin/tls.html\u003e` for"},{"line_number":390,"context_line":"how to provide service and/or host-specific certificates and keys."},{"line_number":391,"context_line":""},{"line_number":392,"context_line":"Custom Global Variables"},{"line_number":393,"context_line":"-----------------------"}],"source_content_type":"text/x-rst","patch_set":22,"id":"ec047361_6f4aec47","line":390,"range":{"start_line":389,"start_character":0,"end_line":390,"end_character":66},"in_reply_to":"cea82c54_547981e9","updated":"2023-04-01 22:18:31.000000000","message":"will backport this myself when merged.","commit_id":"5247cef39efe9da86eacbe93b090f8644c4a722a"}],"doc/source/contributor/automated.rst":[{"author":{"_account_id":28048,"name":"Will 
Szumski","email":"will@stackhpc.com","username":"jovial"},"change_message_id":"b4b1ed221184bf49b4cf2b9da3dbe07b80ea8c63","unresolved":true,"context_lines":[{"line_number":109,"context_line":""},{"line_number":110,"context_line":".. code-block:: yaml"},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"   kolla_copy_ca_into_containers: \"yes\""},{"line_number":113,"context_line":"   openstack_cacert: \"{% if os_distribution \u003d\u003d \u0027ubuntu\u0027 %}/etc/ssl/certs/ca-certificates.crt{% else %}/etc/pki/tls/certs/ca-bundle.crt{% endif %}\""},{"line_number":114,"context_line":"   kolla_admin_openrc_cacert: \"{% if os_distribution \u003d\u003d \u0027ubuntu\u0027 %}/etc/ssl/certs/ca-certificates.crt{% else %}/etc/pki/tls/certs/ca-bundle.crt{% endif %}\""},{"line_number":115,"context_line":""}],"source_content_type":"text/x-rst","patch_set":29,"id":"5a3ddaec_24b0f69c","side":"PARENT","line":112,"updated":"2024-11-06 14:51:29.000000000","message":"Docs show setting this one in globals.yml. This would at least need to be updated.","commit_id":"14bcaba0a360537f0575ae6545d91d860d4c6399"}]}
