)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"c7616964fe3589c4449c71025ab4e92c36a861ac","unresolved":true,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Set defaults for openstack_cacert"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Since I0fd596d93a0e575a391250d4bed261ad370a3664 we always have the"},{"line_number":10,"context_line":"\u0027ca-certificates\u0027 package installed in the all containers so its fine"},{"line_number":11,"context_line":"to set defaults but leave an ability to override the \u0027openstack_cacert\u0027"},{"line_number":12,"context_line":"via environment variable too. All supported systems already install"},{"line_number":13,"context_line":"the \u0027ca-certificates\u0027 package by default but for sure we install it"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"4252b6b8_e321e3a7","line":10,"range":{"start_line":9,"start_character":0,"end_line":10,"end_character":57},"updated":"2021-06-03 10:14:22.000000000","message":"The kayobe openstack_cacert variable is relevant to the host, not containers.","commit_id":"5551c6dfaa55a0598a242a98c788b5e3a0767802"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"23f608fa848e4c75d533cf5137dae9b14222be17","unresolved":true,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Set defaults for openstack_cacert"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Since I0fd596d93a0e575a391250d4bed261ad370a3664 we always have the"},{"line_number":10,"context_line":"\u0027ca-certificates\u0027 package installed in the all containers so its fine"},{"line_number":11,"context_line":"to set defaults but leave an ability to override the \u0027openstack_cacert\u0027"},{"line_number":12,"context_line":"via environment variable too. All supported systems already install"},{"line_number":13,"context_line":"the \u0027ca-certificates\u0027 package by default but for sure we install it"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"5d0b48ea_d735d253","line":10,"range":{"start_line":9,"start_character":0,"end_line":10,"end_character":57},"in_reply_to":"4252b6b8_e321e3a7","updated":"2021-06-03 11:10:17.000000000","message":"are You sure? I38da931cdd7ff46cce1994763b5c713652b096cc","commit_id":"5551c6dfaa55a0598a242a98c788b5e3a0767802"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"a89fd2b8794418d52078fccc0bd00cf118c1ade0","unresolved":true,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Set defaults for openstack_cacert"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Since I0fd596d93a0e575a391250d4bed261ad370a3664 we always have the"},{"line_number":10,"context_line":"\u0027ca-certificates\u0027 package installed in the all containers so its fine"},{"line_number":11,"context_line":"to set defaults but leave an ability to override the \u0027openstack_cacert\u0027"},{"line_number":12,"context_line":"via environment variable too. All supported systems already install"},{"line_number":13,"context_line":"the \u0027ca-certificates\u0027 package by default but for sure we install it"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"9915967b_9fecc4c6","line":10,"range":{"start_line":9,"start_character":0,"end_line":10,"end_character":57},"in_reply_to":"5d0b48ea_d735d253","updated":"2021-06-09 09:26:17.000000000","message":"openstack_cacert is used both in Kayobe \u0026 kolla-ansible, but the variables have different meanings. Confusing, I realise.","commit_id":"5551c6dfaa55a0598a242a98c788b5e3a0767802"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"3bc1f2779e26df22324b378de85c1a2358f0b9ed","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Set defaults for openstack_cacert"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Since I0fd596d93a0e575a391250d4bed261ad370a3664 we always have the"},{"line_number":10,"context_line":"\u0027ca-certificates\u0027 package installed in the all containers so its fine"},{"line_number":11,"context_line":"to set defaults but leave an ability to override the \u0027openstack_cacert\u0027"},{"line_number":12,"context_line":"via environment variable too. All supported systems already install"},{"line_number":13,"context_line":"the \u0027ca-certificates\u0027 package by default but for sure we install it"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"4413eff9_f648eb0d","line":10,"range":{"start_line":9,"start_character":0,"end_line":10,"end_character":57},"in_reply_to":"9915967b_9fecc4c6","updated":"2021-06-09 12:26:05.000000000","message":"Done","commit_id":"5551c6dfaa55a0598a242a98c788b5e3a0767802"}],"ansible/group_vars/all/openstack":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"c7616964fe3589c4449c71025ab4e92c36a861ac","unresolved":true,"context_lines":[{"line_number":29,"context_line":""},{"line_number":30,"context_line":"# Overcloud CA certificate path."},{"line_number":31,"context_line":"openstack_cacert_default: \"/etc/{{ \u0027ssl/certs/ca-certificates.crt\u0027 if kolla_base_distro in [\u0027debian\u0027, \u0027ubuntu\u0027] else \u0027pki/tls/certs/ca-bundle.crt\u0027 }}\""},{"line_number":32,"context_line":"openstack_cacert: \"{{ lookup(\u0027env\u0027, \u0027OS_CACERT\u0027) | default(openstack_cacert_default, true) }}\""},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"# Overcloud interface (public, internal, admin)."},{"line_number":35,"context_line":"openstack_interface: internal"}],"source_content_type":"application/octet-stream","patch_set":1,"id":"7d816b1f_65e48cdc","line":32,"range":{"start_line":32,"start_character":37,"end_line":32,"end_character":46},"updated":"2021-06-03 10:14:22.000000000","message":"Why not just ensure that OS_CACERT is set?","commit_id":"5551c6dfaa55a0598a242a98c788b5e3a0767802"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"23f608fa848e4c75d533cf5137dae9b14222be17","unresolved":true,"context_lines":[{"line_number":29,"context_line":""},{"line_number":30,"context_line":"# Overcloud CA certificate path."},{"line_number":31,"context_line":"openstack_cacert_default: \"/etc/{{ \u0027ssl/certs/ca-certificates.crt\u0027 if kolla_base_distro in [\u0027debian\u0027, \u0027ubuntu\u0027] else \u0027pki/tls/certs/ca-bundle.crt\u0027 }}\""},{"line_number":32,"context_line":"openstack_cacert: \"{{ lookup(\u0027env\u0027, \u0027OS_CACERT\u0027) | default(openstack_cacert_default, true) }}\""},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"# Overcloud interface (public, internal, admin)."},{"line_number":35,"context_line":"openstack_interface: internal"}],"source_content_type":"application/octet-stream","patch_set":1,"id":"b0fd13b0_6950f331","line":32,"range":{"start_line":32,"start_character":37,"end_line":32,"end_character":46},"in_reply_to":"7d816b1f_65e48cdc","updated":"2021-06-03 11:10:17.000000000","message":"we did it using filter default with second parameter. what\u0027s wrong?","commit_id":"5551c6dfaa55a0598a242a98c788b5e3a0767802"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"7b20e153fa59c5cdbe9d79f4a0c1ae59ffe58ec3","unresolved":true,"context_lines":[{"line_number":29,"context_line":""},{"line_number":30,"context_line":"# Overcloud CA certificate path."},{"line_number":31,"context_line":"openstack_cacert_default: \"/etc/{{ \u0027ssl/certs/ca-certificates.crt\u0027 if kolla_base_distro in [\u0027debian\u0027, \u0027ubuntu\u0027] else \u0027pki/tls/certs/ca-bundle.crt\u0027 }}\""},{"line_number":32,"context_line":"openstack_cacert: \"{{ lookup(\u0027env\u0027, \u0027OS_CACERT\u0027) | default(openstack_cacert_default, true) }}\""},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"# Overcloud interface (public, internal, admin)."},{"line_number":35,"context_line":"openstack_interface: internal"}],"source_content_type":"application/octet-stream","patch_set":1,"id":"ea0bb17f_5e41fbf3","line":32,"range":{"start_line":32,"start_character":37,"end_line":32,"end_character":46},"in_reply_to":"b0fd13b0_6950f331","updated":"2021-06-09 09:27:41.000000000","message":"I\u0027m just not sure if it is always a good default. If the user did not ask for OS_CACERT, they might be surprised to get one.","commit_id":"5551c6dfaa55a0598a242a98c788b5e3a0767802"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"47624245aa6ef974785fefa434eb4bdeb8c3de35","unresolved":false,"context_lines":[{"line_number":29,"context_line":""},{"line_number":30,"context_line":"# Overcloud CA certificate path."},{"line_number":31,"context_line":"openstack_cacert_default: \"/etc/{{ \u0027ssl/certs/ca-certificates.crt\u0027 if kolla_base_distro in [\u0027debian\u0027, \u0027ubuntu\u0027] else \u0027pki/tls/certs/ca-bundle.crt\u0027 }}\""},{"line_number":32,"context_line":"openstack_cacert: \"{{ lookup(\u0027env\u0027, \u0027OS_CACERT\u0027) | default(openstack_cacert_default, true) }}\""},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"# Overcloud interface (public, internal, admin)."},{"line_number":35,"context_line":"openstack_interface: internal"}],"source_content_type":"application/octet-stream","patch_set":1,"id":"e2268539_8b451d38","line":32,"range":{"start_line":32,"start_character":37,"end_line":32,"end_character":46},"in_reply_to":"bdd5f75d_607671c4","updated":"2021-10-15 09:45:08.000000000","message":"Done","commit_id":"5551c6dfaa55a0598a242a98c788b5e3a0767802"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"3bc1f2779e26df22324b378de85c1a2358f0b9ed","unresolved":true,"context_lines":[{"line_number":29,"context_line":""},{"line_number":30,"context_line":"# Overcloud CA certificate path."},{"line_number":31,"context_line":"openstack_cacert_default: \"/etc/{{ \u0027ssl/certs/ca-certificates.crt\u0027 if kolla_base_distro in [\u0027debian\u0027, \u0027ubuntu\u0027] else \u0027pki/tls/certs/ca-bundle.crt\u0027 }}\""},{"line_number":32,"context_line":"openstack_cacert: \"{{ lookup(\u0027env\u0027, \u0027OS_CACERT\u0027) | default(openstack_cacert_default, true) }}\""},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"# Overcloud interface (public, internal, admin)."},{"line_number":35,"context_line":"openstack_interface: internal"}],"source_content_type":"application/octet-stream","patch_set":1,"id":"bdd5f75d_607671c4","line":32,"range":{"start_line":32,"start_character":37,"end_line":32,"end_character":46},"in_reply_to":"ea0bb17f_5e41fbf3","updated":"2021-06-09 12:26:05.000000000","message":"There are always defaults! For containers atleast in the https://review.opendev.org/c/openstack/kolla/+/686121/8/docker/base/copy_cacerts.sh on lines 18 and 25 we generate them. For any host all Linux binaries (curl for example) awaits file exist in the default path.","commit_id":"5551c6dfaa55a0598a242a98c788b5e3a0767802"}],"ansible/roles/kolla-ansible/templates/globals.yml.j2":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"223fcaaee8610602a0495a603a4fd50c44e9da5e","unresolved":true,"context_lines":[{"line_number":181,"context_line":"{% if kolla_internal_tls_cert is not none and kolla_internal_tls_cert | length \u003e 0 %}"},{"line_number":182,"context_line":"kolla_internal_fqdn_cert: \"{{ kolla_internal_fqdn_cert }}\""},{"line_number":183,"context_line":"{% endif %}"},{"line_number":184,"context_line":"openstack_cacert: \"{{ openstack_cacert }}\""},{"line_number":185,"context_line":"kolla_external_fqdn_cacert: \"{{ kolla_external_fqdn_cacert }}\""},{"line_number":186,"context_line":"kolla_internal_fqdn_cacert: \"{{ kolla_internal_fqdn_cacert }}\""},{"line_number":187,"context_line":""}],"source_content_type":"text/x-jinja2","patch_set":3,"id":"c4a4c9d0_ea67944e","line":184,"range":{"start_line":184,"start_character":0,"end_line":184,"end_character":42},"updated":"2021-06-16 08:55:11.000000000","message":"These are different variables with different meanings. We should not pass it through like this.","commit_id":"9ec5776024393e41c5ac1d8146bb44ad196c4a05"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"a9df292f94a18d9975727c43cdb3871762bab7fc","unresolved":false,"context_lines":[{"line_number":181,"context_line":"{% if kolla_internal_tls_cert is not none and kolla_internal_tls_cert | length \u003e 0 %}"},{"line_number":182,"context_line":"kolla_internal_fqdn_cert: \"{{ kolla_internal_fqdn_cert }}\""},{"line_number":183,"context_line":"{% endif %}"},{"line_number":184,"context_line":"openstack_cacert: \"{{ openstack_cacert }}\""},{"line_number":185,"context_line":"kolla_external_fqdn_cacert: \"{{ kolla_external_fqdn_cacert }}\""},{"line_number":186,"context_line":"kolla_internal_fqdn_cacert: \"{{ kolla_internal_fqdn_cacert }}\""},{"line_number":187,"context_line":""}],"source_content_type":"text/x-jinja2","patch_set":3,"id":"5d6be829_fd2ef8b1","line":184,"range":{"start_line":184,"start_character":0,"end_line":184,"end_character":42},"in_reply_to":"18917abf_d49a044d","updated":"2021-06-16 14:52:37.000000000","message":"It should be the same, depend on OS used. And btw we set default here: https://review.opendev.org/c/openstack/kayobe/+/793703/3/ansible/group_vars/all/openstack#31","commit_id":"9ec5776024393e41c5ac1d8146bb44ad196c4a05"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"d89df2abe90a3a35b5a1653bc182caa844928e63","unresolved":false,"context_lines":[{"line_number":181,"context_line":"{% if kolla_internal_tls_cert is not none and kolla_internal_tls_cert | length \u003e 0 %}"},{"line_number":182,"context_line":"kolla_internal_fqdn_cert: \"{{ kolla_internal_fqdn_cert }}\""},{"line_number":183,"context_line":"{% endif %}"},{"line_number":184,"context_line":"openstack_cacert: \"{{ openstack_cacert }}\""},{"line_number":185,"context_line":"kolla_external_fqdn_cacert: \"{{ kolla_external_fqdn_cacert }}\""},{"line_number":186,"context_line":"kolla_internal_fqdn_cacert: \"{{ kolla_internal_fqdn_cacert }}\""},{"line_number":187,"context_line":""}],"source_content_type":"text/x-jinja2","patch_set":3,"id":"18917abf_d49a044d","line":184,"range":{"start_line":184,"start_character":0,"end_line":184,"end_character":42},"in_reply_to":"705586ba_2691ba1a","updated":"2021-06-16 13:25:04.000000000","message":"Perhaps, but the former refers to a path on the host, and the latter to a path in containers. We can\u0027t guarantee they are the same.","commit_id":"9ec5776024393e41c5ac1d8146bb44ad196c4a05"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"4a42c947e70eef40d3971efc022be269858ef78e","unresolved":false,"context_lines":[{"line_number":181,"context_line":"{% if kolla_internal_tls_cert is not none and kolla_internal_tls_cert | length \u003e 0 %}"},{"line_number":182,"context_line":"kolla_internal_fqdn_cert: \"{{ kolla_internal_fqdn_cert }}\""},{"line_number":183,"context_line":"{% endif %}"},{"line_number":184,"context_line":"openstack_cacert: \"{{ openstack_cacert }}\""},{"line_number":185,"context_line":"kolla_external_fqdn_cacert: \"{{ kolla_external_fqdn_cacert }}\""},{"line_number":186,"context_line":"kolla_internal_fqdn_cacert: \"{{ kolla_internal_fqdn_cacert }}\""},{"line_number":187,"context_line":""}],"source_content_type":"text/x-jinja2","patch_set":3,"id":"705586ba_2691ba1a","line":184,"range":{"start_line":184,"start_character":0,"end_line":184,"end_character":42},"in_reply_to":"c4a4c9d0_ea67944e","updated":"2021-06-16 09:28:30.000000000","message":"wrong! the CA certificates used by the enduser via openrc file and used by all the kolla-ansible tasks which interact with Openstack API via cacert parameter set to the openstack_cacert are the same.","commit_id":"9ec5776024393e41c5ac1d8146bb44ad196c4a05"}]}