)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"924e06b617d64d33cf80ee28ff23d7b4504ec96e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"833d48cc_7397939d","updated":"2022-12-20 11:38:01.000000000","message":"seems strange to have two different cacert variables. there is one and only one certificate authority in a given deployed cloud. all the certificates (external/internal/backend) are signed by it.","commit_id":"e039d0515564583787b513b3f6edbc0aea1ec195"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"a5f0114fb891d3a023568799bc815f2dfffa9d85","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"15bfcbbe_bf214656","updated":"2022-12-20 11:39:19.000000000","message":"https://review.opendev.org/c/openstack/kayobe/+/793697 fixes the issue with the missing variable for the default deploy, but this change solves nothing.","commit_id":"e039d0515564583787b513b3f6edbc0aea1ec195"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"180f1786b0813c71b475c1b34900efe8f7c45928","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"89410ea7_f4131d78","in_reply_to":"0b737824_7b437238","updated":"2022-12-20 14:41:46.000000000","message":"Yep, this is possible, but we don\u0027t have any tasks which work with two different CAs in K-A. In other words, OS_CACERT provides the path to a bundle: not a separate file with a single CA certificate, but a file which can contain all the CAs (the system defaults from the ca-certificates package + the user-defined external and internal CAs, if they differ from each other). no need to provide an extra cacert variable. 
take a deeper look at my review, which I provided more than a year ago; we still use it in production in our deploys from the Xena cycle.","commit_id":"e039d0515564583787b513b3f6edbc0aea1ec195"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"b35c273fa785578f86939ee4091d24926b67ea9d","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"f0a2f031_56008dda","in_reply_to":"11e910a6_15467d49","updated":"2023-11-01 10:56:15.000000000","message":"I agree that we need to add CA certs to the hosts for some tasks, but that is a separate issue.\n\nI also understand that you can add multiple CAs into a bundle, but you might not always want to do that.\n\nLet\u0027s merge this one and resolve one part of the TLS sync.","commit_id":"e039d0515564583787b513b3f6edbc0aea1ec195"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"e10375c2573aa0bde29808f456ba03fc32061ba0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"0b737824_7b437238","in_reply_to":"833d48cc_7397939d","updated":"2022-12-20 13:41:57.000000000","message":"It\u0027s certainly possible to use separate CAs for public facing and internal APIs. I\u0027ve done it.","commit_id":"e039d0515564583787b513b3f6edbc0aea1ec195"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ed2c5b71efb2a9c037007d17729c3e90c4055b8d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"bbebfb16_2fdc02ad","in_reply_to":"89410ea7_f4131d78","updated":"2022-12-20 14:46:40.000000000","message":"Kolla-ansible doesn\u0027t use the public API, only internal. Kayobe supports a public-openrc.sh file which is the same as admin-openrc.sh, but targets the public API. 
This is where the public_openrc_cacert variable may get used, when generating public-openrc.sh","commit_id":"e039d0515564583787b513b3f6edbc0aea1ec195"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"5a863580439172a2732c03c681df0f8e85ffc13a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"11e910a6_15467d49","in_reply_to":"bbebfb16_2fdc02ad","updated":"2022-12-20 14:58:03.000000000","message":"Yes, I know, but it resides on the same filesystem, alongside the admin openrc, and is still not usable without the public cacerts added to the system; we don\u0027t have any ansible tasks for this in Kayobe (they exist in my review - ansible/kolla-host.yml).","commit_id":"e039d0515564583787b513b3f6edbc0aea1ec195"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"9fe0d13681b5b80731977542c1a61bfe73fe8ef0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"6cfe982e_6a87f182","in_reply_to":"f0a2f031_56008dda","updated":"2023-11-01 11:55:31.000000000","message":"ok, lgtm, as agreed I need to make changes on top of this.","commit_id":"e039d0515564583787b513b3f6edbc0aea1ec195"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"098b099645dd3b393cd6ff4e58899ad6a17bd58e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"b96a4a70_6594bd1f","updated":"2023-11-08 20:18:28.000000000","message":"recheck nova-api got signal 12","commit_id":"95729405a38e6292a828c26347406e70132136b2"}]}
