)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"d3c78551939f1ec19b5f46039e78215489c3926f","unresolved":false,"context_lines":[{"line_number":9,"context_line":"This patch introduces an optional backend encryption that can be added"},{"line_number":10,"context_line":"to openstack services."},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"Change-Id: I216507940014e99f3fc1746016625cf0ff5f0efb"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":8,"id":"3fa7e38b_ce1dad61","line":12,"updated":"2020-01-27 14:02:20.000000000","message":"Needs a bp. add-ssl-internal-network?","commit_id":"62f59fab9ac36ad7b87b07bda8d11ae6b3445c44"}],"ansible/group_vars/all.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"e8185244e808b3e6956688068e2f4153130e22fd","unresolved":false,"context_lines":[{"line_number":457,"context_line":"internal_protocol: \"{{ \u0027https\u0027 if kolla_enable_tls_internal | bool else \u0027http\u0027 }}\""},{"line_number":458,"context_line":"admin_protocol: \"{{ \u0027https\u0027 if kolla_enable_tls_internal | bool else \u0027http\u0027 }}\""},{"line_number":459,"context_line":""},{"line_number":460,"context_line":"# XXX(kklimonda): I\u0027d prefer to have that enabled even if only"},{"line_number":461,"context_line":"# `kolla_enable_tls_external` is set to true but that would change the"},{"line_number":462,"context_line":"# behaviour on upgrades."},{"line_number":463,"context_line":"keystone_tls_backend_enabled: \"{{ \u0027yes\u0027 if kolla_enable_tls_internal else \u0027no\u0027 
}}\""},{"line_number":464,"context_line":""},{"line_number":465,"context_line":"####################"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"7faddb67_bf703674","line":462,"range":{"start_line":460,"start_character":0,"end_line":462,"end_character":24},"updated":"2019-07-12 09:15:23.000000000","message":"Not sure I follow this.","commit_id":"de44f094feb05a06a362ee4558a5a20cc5168eb2"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"e8185244e808b3e6956688068e2f4153130e22fd","unresolved":false,"context_lines":[{"line_number":460,"context_line":"# XXX(kklimonda): I\u0027d prefer to have that enabled even if only"},{"line_number":461,"context_line":"# `kolla_enable_tls_external` is set to true but that would change the"},{"line_number":462,"context_line":"# behaviour on upgrades."},{"line_number":463,"context_line":"keystone_tls_backend_enabled: \"{{ \u0027yes\u0027 if kolla_enable_tls_internal else \u0027no\u0027 }}\""},{"line_number":464,"context_line":""},{"line_number":465,"context_line":"####################"},{"line_number":466,"context_line":"# OpenStack options"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"7faddb67_3f0a06d2","line":463,"range":{"start_line":463,"start_character":43,"end_line":463,"end_character":68},"updated":"2019-07-12 09:15:23.000000000","message":"Should we have a kolla_enable_tls_backend as a default for all backends? 
We might need to make it false by default for backwards compatiblity.\n\nAlso could this be a role default variable?","commit_id":"de44f094feb05a06a362ee4558a5a20cc5168eb2"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"d3c78551939f1ec19b5f46039e78215489c3926f","unresolved":false,"context_lines":[{"line_number":747,"context_line":"####################"},{"line_number":748,"context_line":"# TLS options"},{"line_number":749,"context_line":"####################"},{"line_number":750,"context_line":"kolla_verify_tls: \"yes\""},{"line_number":751,"context_line":"# Directory on deploy node (localhost) in which certificates are generated."},{"line_number":752,"context_line":"kolla_certificates_dir: \"{{ node_config }}/certificates\""},{"line_number":753,"context_line":"kolla_cacerts_dir: \"/etc/ssl/certs\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_2e2ec18c","line":750,"range":{"start_line":750,"start_character":0,"end_line":750,"end_character":16},"updated":"2020-01-27 14:02:20.000000000","message":"This is a bit more specific than the name suggests - it\u0027s about HAProxy verifying the backend TLS, right? 
kolla_verify_backend_tls?","commit_id":"62f59fab9ac36ad7b87b07bda8d11ae6b3445c44"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"d3c78551939f1ec19b5f46039e78215489c3926f","unresolved":false,"context_lines":[{"line_number":749,"context_line":"####################"},{"line_number":750,"context_line":"kolla_verify_tls: \"yes\""},{"line_number":751,"context_line":"# Directory on deploy node (localhost) in which certificates are generated."},{"line_number":752,"context_line":"kolla_certificates_dir: \"{{ node_config }}/certificates\""},{"line_number":753,"context_line":"kolla_cacerts_dir: \"/etc/ssl/certs\""},{"line_number":754,"context_line":"kolla_enable_tls_backend: \"no\""},{"line_number":755,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_4e29bd80","line":752,"range":{"start_line":752,"start_character":0,"end_line":752,"end_character":22},"updated":"2020-01-27 14:02:20.000000000","message":"This refactor could be done separately.","commit_id":"62f59fab9ac36ad7b87b07bda8d11ae6b3445c44"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"d3c78551939f1ec19b5f46039e78215489c3926f","unresolved":false,"context_lines":[{"line_number":765,"context_line":"kolla_external_fqdn_cacert: \"{{ kolla_certificates_dir }}/ca/haproxy.crt\""},{"line_number":766,"context_line":"kolla_internal_fqdn_cacert: \"{{ kolla_certificates_dir }}/ca/haproxy-internal.crt\""},{"line_number":767,"context_line":"kolla_copy_ca_into_containers: \"no\""},{"line_number":768,"context_line":"haproxy_backend_cacerts: \"{{ \u0027ca-certificates.crt\u0027 if kolla_base_distro in [\u0027debian\u0027, \u0027ubuntu\u0027] else \u0027ca-bundle.trust.crt\u0027 }}\""},{"line_number":769,"context_line":""},{"line_number":770,"context_line":"####################"},{"line_number":771,"context_line":"# Kibana 
options"}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_ae6871bb","line":768,"range":{"start_line":768,"start_character":22,"end_line":768,"end_character":23},"updated":"2020-01-27 14:02:20.000000000","message":"Is it actually plural?","commit_id":"62f59fab9ac36ad7b87b07bda8d11ae6b3445c44"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"b3e97f5d125b5a0f66952594df7bbc0bd26a047a","unresolved":false,"context_lines":[{"line_number":766,"context_line":"haproxy_backend_cacert_dir: \"/etc/ssl/certs\""},{"line_number":767,"context_line":"kolla_enable_tls_backend: \"no\""},{"line_number":768,"context_line":"kolla_backend_internal_cert: \"\""},{"line_number":769,"context_line":"kolla_backend_internal_key: \"\""},{"line_number":770,"context_line":""},{"line_number":771,"context_line":"####################"},{"line_number":772,"context_line":"# Kibana options"}],"source_content_type":"text/x-yaml","patch_set":19,"id":"3fa7e38b_391afe6a","line":769,"range":{"start_line":769,"start_character":14,"end_line":769,"end_character":22},"updated":"2020-02-21 17:39:49.000000000","message":"What does internal reference here?","commit_id":"dc45bafbc7456e7b286c42761d7007e78a462ddd"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"61eae6974735a2058c79d9304349bf582984d3dd","unresolved":false,"context_lines":[{"line_number":766,"context_line":"haproxy_backend_cacert_dir: \"/etc/ssl/certs\""},{"line_number":767,"context_line":"kolla_enable_tls_backend: \"no\""},{"line_number":768,"context_line":"kolla_backend_internal_cert: \"\""},{"line_number":769,"context_line":"kolla_backend_internal_key: \"\""},{"line_number":770,"context_line":""},{"line_number":771,"context_line":"####################"},{"line_number":772,"context_line":"# Kibana 
options"}],"source_content_type":"text/x-yaml","patch_set":19,"id":"1fa4df85_2918a01b","line":769,"range":{"start_line":769,"start_character":14,"end_line":769,"end_character":22},"in_reply_to":"3fa7e38b_391afe6a","updated":"2020-02-25 23:32:15.000000000","message":"It references the internal certificate used for backend encryption. This is for in the case we have a separate backend cert/key for external vip.","commit_id":"dc45bafbc7456e7b286c42761d7007e78a462ddd"}],"ansible/roles/haproxy-config/templates/haproxy_single_service_listen.cfg.j2":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"e8185244e808b3e6956688068e2f4153130e22fd","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"7faddb67_eb15419d","updated":"2019-07-12 09:15:23.000000000","message":"There is another haproxy config, haproxy_single_service_split.cfg.j2","commit_id":"de44f094feb05a06a362ee4558a5a20cc5168eb2"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"e8185244e808b3e6956688068e2f4153130e22fd","unresolved":false,"context_lines":[{"line_number":58,"context_line":"            {% endfor %}"},{"line_number":59,"context_line":"        {% else %}"},{"line_number":60,"context_line":"            {% set backend_tls_info \u003d \u0027\u0027 %}"},{"line_number":61,"context_line":"            {% if kolla_enable_tls_internal|bool and tls_backend|bool %}"},{"line_number":62,"context_line":"                {% set haproxy_health_check_final \u003d haproxy_health_check_ssl %}"},{"line_number":63,"context_line":"                {% if kolla_verify_tls|bool %}"},{"line_number":64,"context_line":"                    {% set backend_tls_info \u003d \u0027ssl verify required ca-file %s\u0027|format(haproxy_ca_certs_bundle) 
%}"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"7faddb67_8b3dad2c","line":61,"range":{"start_line":61,"start_character":18,"end_line":61,"end_character":53},"updated":"2019-07-12 09:15:23.000000000","message":"Strictly, these could be independent, agree?","commit_id":"de44f094feb05a06a362ee4558a5a20cc5168eb2"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"e8185244e808b3e6956688068e2f4153130e22fd","unresolved":false,"context_lines":[{"line_number":72,"context_line":"                {% set api_interface \u003d \"ansible_%s\"|format(hostvars[host][\u0027api_interface\u0027]) %}"},{"line_number":73,"context_line":"                {% set host_name \u003d hostvars[host][\u0027ansible_hostname\u0027] %}"},{"line_number":74,"context_line":"                {% set host_ip \u003d hostvars[host][api_interface][\u0027ipv4\u0027][\u0027address\u0027] %}"},{"line_number":75,"context_line":"    server {{ host_name }} {{ host_ip }}:{{ listen_port }} {{ haproxy_health_check_final }} {{ backend_tls_info }}"},{"line_number":76,"context_line":"            {% endfor %}"},{"line_number":77,"context_line":"        {% endif %}"},{"line_number":78,"context_line":"    {% endif %}"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"7faddb67_4beed5b4","line":75,"range":{"start_line":75,"start_character":95,"end_line":75,"end_character":111},"updated":"2019-07-12 09:15:23.000000000","message":"Not defined in the non-TLS case.","commit_id":"de44f094feb05a06a362ee4558a5a20cc5168eb2"}],"ansible/roles/haproxy/templates/haproxy_main.cfg.j2":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"e8185244e808b3e6956688068e2f4153130e22fd","unresolved":false,"context_lines":[{"line_number":18,"context_line":"    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11"},{"line_number":19,"context_line":"    
tune.ssl.default-dh-param 4096"},{"line_number":20,"context_line":"    {% endif %}"},{"line_number":21,"context_line":"    {% if kolla_enable_tls_internal|bool or kolla_enable_tls_external|bool %}"},{"line_number":22,"context_line":"    ca-base /etc/ssl/certs"},{"line_number":23,"context_line":"    {% endif %}"},{"line_number":24,"context_line":""}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"7faddb67_cb85e5d0","line":21,"range":{"start_line":21,"start_character":44,"end_line":21,"end_character":74},"updated":"2019-07-12 09:15:23.000000000","message":"Why did we not need this before?","commit_id":"de44f094feb05a06a362ee4558a5a20cc5168eb2"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"d3c78551939f1ec19b5f46039e78215489c3926f","unresolved":false,"context_lines":[{"line_number":19,"context_line":"    tune.ssl.default-dh-param 4096"},{"line_number":20,"context_line":"    {% endif %}"},{"line_number":21,"context_line":"    {% if kolla_enable_tls_internal|bool or kolla_enable_tls_external|bool %}"},{"line_number":22,"context_line":"    ca-base {{ kolla_cacerts_dir }}"},{"line_number":23,"context_line":"    {% endif %}"},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"defaults"}],"source_content_type":"text/x-jinja2","patch_set":8,"id":"3fa7e38b_ee97499b","line":22,"range":{"start_line":22,"start_character":15,"end_line":22,"end_character":32},"updated":"2020-01-27 14:02:20.000000000","message":"haproxy_backend_cacert_dir?","commit_id":"62f59fab9ac36ad7b87b07bda8d11ae6b3445c44"},{"author":{"_account_id":29543,"name":"Scott Solkhon","email":"scott.solkhon@gresearch.co.uk","username":"scott.solkhon"},"change_message_id":"94b61a41bd89a8d25c78c06e72c90d3bb4926763","unresolved":false,"context_lines":[{"line_number":18,"context_line":"    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11"},{"line_number":19,"context_line":"    tune.ssl.default-dh-param 
4096"},{"line_number":20,"context_line":"    {% endif %}"},{"line_number":21,"context_line":"    {% if kolla_enable_tls_internal|bool or kolla_enable_tls_external|bool %}"},{"line_number":22,"context_line":"    ca-base {{ haproxy_backend_cacert_dir }}"},{"line_number":23,"context_line":"    {% endif %}"},{"line_number":24,"context_line":""}],"source_content_type":"text/x-jinja2","patch_set":9,"id":"3fa7e38b_1ec5a835","line":21,"range":{"start_line":21,"start_character":10,"end_line":21,"end_character":74},"updated":"2020-02-05 16:49:06.000000000","message":"nit: no spacing on |bool","commit_id":"99bc53ac3d05eebff2471538df819295f94b36c3"}],"ansible/roles/keystone/tasks/config.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"e8185244e808b3e6956688068e2f4153130e22fd","unresolved":false,"context_lines":[{"line_number":85,"context_line":"    - Restart keystone container"},{"line_number":86,"context_line":"    - Restart keystone-fernet container"},{"line_number":87,"context_line":""},{"line_number":88,"context_line":"- name: Register local keystone TLS certificate and key path"},{"line_number":89,"context_line":"  set_fact:"},{"line_number":90,"context_line":"    keystone_backend_tls_cert: \"{{ lookup(\u0027first_found\u0027, certs) }}\""},{"line_number":91,"context_line":"    keystone_backend_tls_key: \"{{ lookup(\u0027first_found\u0027, keys) }}\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"7faddb67_ebf1c16c","line":88,"updated":"2019-07-12 09:15:23.000000000","message":"Once we have established a pattern, it might be nice to extract this into a common role that we import here. 
We have examples of doing this with the haproxy-config and service-stop roles.","commit_id":"de44f094feb05a06a362ee4558a5a20cc5168eb2"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"e8185244e808b3e6956688068e2f4153130e22fd","unresolved":false,"context_lines":[{"line_number":91,"context_line":"    keystone_backend_tls_key: \"{{ lookup(\u0027first_found\u0027, keys) }}\""},{"line_number":92,"context_line":"  vars:"},{"line_number":93,"context_line":"    certs:"},{"line_number":94,"context_line":"      - \"{{ node_config }}/certificates/{{ inventory_hostname }}/keystone.pem\""},{"line_number":95,"context_line":"      - \"{{ node_config }}/certificates/{{ inventory_hostname }}.pem\""},{"line_number":96,"context_line":"      - \"{{ node_config }}/certificates/private/haproxy-internal.crt\""},{"line_number":97,"context_line":"    keys:"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"7faddb67_cbd3a5d4","line":94,"range":{"start_line":94,"start_character":9,"end_line":94,"end_character":39},"updated":"2019-07-12 09:15:23.000000000","message":"Perhaps this should be a variable, I can see it getting used a lot. 
We have certificates_dir in the certificates role, could move that out to group_vars/all.yml.","commit_id":"de44f094feb05a06a362ee4558a5a20cc5168eb2"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"e8185244e808b3e6956688068e2f4153130e22fd","unresolved":false,"context_lines":[{"line_number":93,"context_line":"    certs:"},{"line_number":94,"context_line":"      - \"{{ node_config }}/certificates/{{ inventory_hostname }}/keystone.pem\""},{"line_number":95,"context_line":"      - \"{{ node_config }}/certificates/{{ inventory_hostname }}.pem\""},{"line_number":96,"context_line":"      - \"{{ node_config }}/certificates/private/haproxy-internal.crt\""},{"line_number":97,"context_line":"    keys:"},{"line_number":98,"context_line":"      - \"{{ node_config }}/certificates/{{ inventory_hostname }}/keystone.key\""},{"line_number":99,"context_line":"      - \"{{ node_config }}/certificates/{{ inventory_hostname }}.key\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"7faddb67_cb5e4575","line":96,"range":{"start_line":96,"start_character":40,"end_line":96,"end_character":47},"updated":"2019-07-12 09:15:23.000000000","message":"Why the private directory only for this one?","commit_id":"de44f094feb05a06a362ee4558a5a20cc5168eb2"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"e8185244e808b3e6956688068e2f4153130e22fd","unresolved":false,"context_lines":[{"line_number":93,"context_line":"    certs:"},{"line_number":94,"context_line":"      - \"{{ node_config }}/certificates/{{ inventory_hostname }}/keystone.pem\""},{"line_number":95,"context_line":"      - \"{{ node_config }}/certificates/{{ inventory_hostname }}.pem\""},{"line_number":96,"context_line":"      - \"{{ node_config }}/certificates/private/haproxy-internal.crt\""},{"line_number":97,"context_line":"    
keys:"},{"line_number":98,"context_line":"      - \"{{ node_config }}/certificates/{{ inventory_hostname }}/keystone.key\""},{"line_number":99,"context_line":"      - \"{{ node_config }}/certificates/{{ inventory_hostname }}.key\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"7faddb67_9d965493","line":96,"range":{"start_line":96,"start_character":56,"end_line":96,"end_character":64},"updated":"2019-07-12 09:15:23.000000000","message":"nit: This isn\u0027t really for haproxy, it\u0027s for backends.","commit_id":"de44f094feb05a06a362ee4558a5a20cc5168eb2"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"e8185244e808b3e6956688068e2f4153130e22fd","unresolved":false,"context_lines":[{"line_number":110,"context_line":"    - item.key in [ \"keystone\" ]"},{"line_number":111,"context_line":"    - item.value.enabled | bool"},{"line_number":112,"context_line":"    - keystone_tls_backend_enabled | bool"},{"line_number":113,"context_line":"  with_dict: \"{{ keystone_services }}\""},{"line_number":114,"context_line":"  notify:"},{"line_number":115,"context_line":"    - Restart keystone container"},{"line_number":116,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"7faddb67_bd7b1079","line":113,"range":{"start_line":113,"start_character":2,"end_line":113,"end_character":38},"updated":"2019-07-12 09:15:23.000000000","message":"How about a single task that iterates over [\u0027pem\u0027, \u0027key\u0027] (or similar), to avoid a bunch of skipped tasks?","commit_id":"de44f094feb05a06a362ee4558a5a20cc5168eb2"}],"ansible/roles/keystone/tasks/copy-certs.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"0a07f73f17d75da7cdb79cf21ad1b397e4ab762d","unresolved":false,"context_lines":[{"line_number":5,"context_line":"  vars:"},{"line_number":6,"context_line":"    project_services: 
\"{{ keystone_services }}\""},{"line_number":7,"context_line":"    service_name: \"keystone\""},{"line_number":8,"context_line":"    backend_encrypted: \"{{ keystone_tls_backend_enabled }}\""}],"source_content_type":"text/x-yaml","patch_set":9,"id":"3fa7e38b_c253a0dd","line":8,"range":{"start_line":8,"start_character":4,"end_line":8,"end_character":59},"updated":"2020-02-06 16:45:04.000000000","message":"Not necessary (see later comment)","commit_id":"99bc53ac3d05eebff2471538df819295f94b36c3"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"b3e97f5d125b5a0f66952594df7bbc0bd26a047a","unresolved":false,"context_lines":[{"line_number":4,"context_line":"    role: service-cert-copy"},{"line_number":5,"context_line":"  vars:"},{"line_number":6,"context_line":"    project_services: \"{{ keystone_services }}\""},{"line_number":7,"context_line":"    service_name: \"keystone\""},{"line_number":8,"context_line":"    backend_encrypted: \"{{ keystone_tls_backend_enabled }}\""}],"source_content_type":"text/x-yaml","patch_set":19,"id":"3fa7e38b_796e36cc","line":7,"range":{"start_line":7,"start_character":4,"end_line":7,"end_character":16},"updated":"2020-02-21 17:39:49.000000000","message":"We already have project_name in keystone defaults. 
Can we use that instead?","commit_id":"dc45bafbc7456e7b286c42761d7007e78a462ddd"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"b3e97f5d125b5a0f66952594df7bbc0bd26a047a","unresolved":false,"context_lines":[{"line_number":5,"context_line":"  vars:"},{"line_number":6,"context_line":"    project_services: \"{{ keystone_services }}\""},{"line_number":7,"context_line":"    service_name: \"keystone\""},{"line_number":8,"context_line":"    backend_encrypted: \"{{ keystone_tls_backend_enabled }}\""}],"source_content_type":"text/x-yaml","patch_set":19,"id":"3fa7e38b_1934e2d6","line":8,"range":{"start_line":8,"start_character":0,"end_line":8,"end_character":59},"updated":"2020-02-21 17:39:49.000000000","message":"I think we shouldn\u0027t need to pass this through.","commit_id":"dc45bafbc7456e7b286c42761d7007e78a462ddd"}],"ansible/roles/keystone/templates/wsgi-keystone.conf.j2":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"d3c78551939f1ec19b5f46039e78215489c3926f","unresolved":false,"context_lines":[{"line_number":48,"context_line":""},{"line_number":49,"context_line":"{% if keystone_tls_backend_enabled | bool %}"},{"line_number":50,"context_line":"    SSLEngine on"},{"line_number":51,"context_line":"    SSLCertificateFile /etc/keystone/keystone.pem"},{"line_number":52,"context_line":"    SSLCertificateKeyFile /etc/keystone/keystone.key"},{"line_number":53,"context_line":"{% endif %}"},{"line_number":54,"context_line":"\u003c/VirtualHost\u003e"},{"line_number":55,"context_line":""}],"source_content_type":"text/x-jinja2","patch_set":8,"id":"3fa7e38b_8ea6d50c","line":52,"range":{"start_line":51,"start_character":0,"end_line":52,"end_character":52},"updated":"2020-01-27 14:02:20.000000000","message":"I\u0027m not sure about /etc/keystone. 
At least they probably need a subdirectory.","commit_id":"62f59fab9ac36ad7b87b07bda8d11ae6b3445c44"},{"author":{"_account_id":29344,"name":"白永君","email":"bai.yongjun@99cloud.net","username":"yj.bai"},"change_message_id":"263b23ca45cdce9cda8b61927748676bd91a4cbc","unresolved":false,"context_lines":[{"line_number":48,"context_line":""},{"line_number":49,"context_line":"{% if keystone_tls_backend_enabled | bool %}"},{"line_number":50,"context_line":"    SSLEngine on"},{"line_number":51,"context_line":"    SSLCertificateFile /etc/keystone/certs/keystone.pem"},{"line_number":52,"context_line":"    SSLCertificateKeyFile /etc/keystone/certs/keystone.key"},{"line_number":53,"context_line":"{% endif %}"},{"line_number":54,"context_line":"\u003c/VirtualHost\u003e"}],"source_content_type":"text/x-jinja2","patch_set":9,"id":"3fa7e38b_62c98178","line":51,"range":{"start_line":51,"start_character":43,"end_line":51,"end_character":55},"updated":"2020-02-07 07:25:22.000000000","message":"I think we should use unified  cert file  and key  for backend  not  just keystone.pem  and keystone.key","commit_id":"99bc53ac3d05eebff2471538df819295f94b36c3"},{"author":{"_account_id":29344,"name":"白永君","email":"bai.yongjun@99cloud.net","username":"yj.bai"},"change_message_id":"becdb7d8b381205496173f9b71536391502d5fcf","unresolved":false,"context_lines":[{"line_number":48,"context_line":""},{"line_number":49,"context_line":"{% if keystone_tls_backend_enabled | bool %}"},{"line_number":50,"context_line":"    SSLEngine on"},{"line_number":51,"context_line":"    SSLCertificateFile /etc/keystone/certs/keystone.pem"},{"line_number":52,"context_line":"    SSLCertificateKeyFile /etc/keystone/certs/keystone.key"},{"line_number":53,"context_line":"{% endif 
%}"},{"line_number":54,"context_line":"\u003c/VirtualHost\u003e"}],"source_content_type":"text/x-jinja2","patch_set":9,"id":"3fa7e38b_a8891ac8","line":51,"range":{"start_line":51,"start_character":43,"end_line":51,"end_character":55},"in_reply_to":"3fa7e38b_1a890dc7","updated":"2020-02-17 03:40:28.000000000","message":"Your mean is in this place we should use keystone.key file? not keystone.pem?\nhttps://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatefile","commit_id":"99bc53ac3d05eebff2471538df819295f94b36c3"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"4a2ddd670f2586aa5df6de25cab46d0ebb1918ff","unresolved":false,"context_lines":[{"line_number":48,"context_line":""},{"line_number":49,"context_line":"{% if keystone_tls_backend_enabled | bool %}"},{"line_number":50,"context_line":"    SSLEngine on"},{"line_number":51,"context_line":"    SSLCertificateFile /etc/keystone/certs/keystone.pem"},{"line_number":52,"context_line":"    SSLCertificateKeyFile /etc/keystone/certs/keystone.key"},{"line_number":53,"context_line":"{% endif %}"},{"line_number":54,"context_line":"\u003c/VirtualHost\u003e"}],"source_content_type":"text/x-jinja2","patch_set":9,"id":"3fa7e38b_1a890dc7","line":51,"range":{"start_line":51,"start_character":43,"end_line":51,"end_character":55},"in_reply_to":"3fa7e38b_62c98178","updated":"2020-02-07 15:40:19.000000000","message":"I looked at that option, but httpd docs recommend using separate files.","commit_id":"99bc53ac3d05eebff2471538df819295f94b36c3"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"be970a06a3e704849014368c2f08c084f0b90c37","unresolved":false,"context_lines":[{"line_number":48,"context_line":""},{"line_number":49,"context_line":"{% if keystone_tls_backend_enabled | bool %}"},{"line_number":50,"context_line":"    SSLEngine 
on"},{"line_number":51,"context_line":"    SSLCertificateFile /etc/keystone/certs/keystone.pem"},{"line_number":52,"context_line":"    SSLCertificateKeyFile /etc/keystone/certs/keystone.key"},{"line_number":53,"context_line":"{% endif %}"},{"line_number":54,"context_line":"\u003c/VirtualHost\u003e"}],"source_content_type":"text/x-jinja2","patch_set":9,"id":"3fa7e38b_e808722e","line":51,"range":{"start_line":51,"start_character":43,"end_line":51,"end_character":55},"in_reply_to":"3fa7e38b_a8891ac8","updated":"2020-02-17 04:43:20.000000000","message":"we use both the key and pem files. For example, I am using a LetsEncrypt certificate for validation / testing, which by default generates a separate certificate (pem) and keyfile (key).","commit_id":"99bc53ac3d05eebff2471538df819295f94b36c3"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"4525a3af5d0e12f8e46047640323f5abc9792bc6","unresolved":false,"context_lines":[{"line_number":48,"context_line":""},{"line_number":49,"context_line":"{% if keystone_tls_backend_enabled | bool %}"},{"line_number":50,"context_line":"    SSLEngine on"},{"line_number":51,"context_line":"    SSLCertificateFile /etc/keystone/certs/keystone.pem"},{"line_number":52,"context_line":"    SSLCertificateKeyFile /etc/keystone/certs/keystone.key"},{"line_number":53,"context_line":"{% endif %}"},{"line_number":54,"context_line":"\u003c/VirtualHost\u003e"}],"source_content_type":"text/x-jinja2","patch_set":9,"id":"3fa7e38b_cee7b4d7","line":51,"range":{"start_line":51,"start_character":43,"end_line":51,"end_character":55},"in_reply_to":"3fa7e38b_e31f336e","updated":"2020-02-17 18:00:22.000000000","message":"I believe they are the exactly the same files, just different file extension 
name.","commit_id":"99bc53ac3d05eebff2471538df819295f94b36c3"},{"author":{"_account_id":29344,"name":"白永君","email":"bai.yongjun@99cloud.net","username":"yj.bai"},"change_message_id":"bb1fe411b8709a0e31a73f0fba173769b1812e14","unresolved":false,"context_lines":[{"line_number":48,"context_line":""},{"line_number":49,"context_line":"{% if keystone_tls_backend_enabled | bool %}"},{"line_number":50,"context_line":"    SSLEngine on"},{"line_number":51,"context_line":"    SSLCertificateFile /etc/keystone/certs/keystone.pem"},{"line_number":52,"context_line":"    SSLCertificateKeyFile /etc/keystone/certs/keystone.key"},{"line_number":53,"context_line":"{% endif %}"},{"line_number":54,"context_line":"\u003c/VirtualHost\u003e"}],"source_content_type":"text/x-jinja2","patch_set":9,"id":"3fa7e38b_e31f336e","line":51,"range":{"start_line":51,"start_character":43,"end_line":51,"end_character":55},"in_reply_to":"3fa7e38b_e808722e","updated":"2020-02-17 07:48:30.000000000","message":"sorry I wrote it wrong.\nI want to ask why this place use keystone.pem not keystone.crt？\n\nbut see your (james) answer   keystone.pem batter than keystone.crt?","commit_id":"99bc53ac3d05eebff2471538df819295f94b36c3"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"b3e97f5d125b5a0f66952594df7bbc0bd26a047a","unresolved":false,"context_lines":[{"line_number":1,"context_line":"{% set keystone_log_dir \u003d \u0027/var/log/kolla/keystone\u0027 %}"},{"line_number":2,"context_line":"{% if keystone_install_type \u003d\u003d \u0027binary\u0027 %}"},{"line_number":3,"context_line":"{% set python_path \u003d \u0027/usr/lib/python3/dist-packages\u0027 if kolla_base_distro in [\u0027debian\u0027, \u0027ubuntu\u0027] else \u0027/usr/lib/python2.7/site-packages\u0027 %}"},{"line_number":4,"context_line":"{% else %}"}],"source_content_type":"text/x-jinja2","patch_set":19,"id":"3fa7e38b_19a2a2fa","line":1,"updated":"2020-02-21 
17:39:49.000000000","message":"We proposed making the WSGI config use a common role to avoid duplication. Is that something you or Yongjun Bai would be able to pick up before we start adding WSGI configs everywhere?","commit_id":"dc45bafbc7456e7b286c42761d7007e78a462ddd"}],"ansible/roles/nova/defaults/main.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"b3e97f5d125b5a0f66952594df7bbc0bd26a047a","unresolved":false,"context_lines":[{"line_number":10,"context_line":"    privileged: True"},{"line_number":11,"context_line":"    volumes: \"{{ nova_api_default_volumes + nova_api_extra_volumes }}\""},{"line_number":12,"context_line":"    dimensions: \"{{ nova_api_dimensions }}\""},{"line_number":13,"context_line":"    user: \"root\""},{"line_number":14,"context_line":"    haproxy:"},{"line_number":15,"context_line":"      nova_api:"},{"line_number":16,"context_line":"        enabled: \"{{ enable_nova }}\""}],"source_content_type":"text/x-yaml","patch_set":19,"id":"3fa7e38b_1eecc803","line":13,"range":{"start_line":13,"start_character":4,"end_line":13,"end_character":16},"updated":"2020-02-21 17:39:49.000000000","message":"We normally set this in the image, although that might be a hard transition for tripleo.","commit_id":"dc45bafbc7456e7b286c42761d7007e78a462ddd"}],"ansible/roles/nova/tasks/config.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"b3e97f5d125b5a0f66952594df7bbc0bd26a047a","unresolved":false,"context_lines":[{"line_number":31,"context_line":"  when:"},{"line_number":32,"context_line":"    - nova_policy.results"},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"- include_tasks: copy-certs.yml"},{"line_number":35,"context_line":"  when:"},{"line_number":36,"context_line":"    - kolla_copy_ca_into_containers | bool or nova_tls_backend_enabled | 
bool"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"- name: Copying over config.json files for services"},{"line_number":39,"context_line":"  become: true"}],"source_content_type":"text/x-yaml","patch_set":19,"id":"3fa7e38b_59d81a50","line":36,"range":{"start_line":34,"start_character":0,"end_line":36,"end_character":77},"updated":"2020-02-21 17:39:49.000000000","message":"I would suggest that we do this verbose change for every role in a separate review - initially just for the CA copy.","commit_id":"dc45bafbc7456e7b286c42761d7007e78a462ddd"}],"ansible/roles/nova/templates/wsgi-nova-api.conf.j2":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"b3e97f5d125b5a0f66952594df7bbc0bd26a047a","unresolved":false,"context_lines":[{"line_number":43,"context_line":"    CustomLog \"{{ nova_log_dir }}/nova-api-error.log\" logformat"},{"line_number":44,"context_line":"\u003c/VirtualHost\u003e"},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"\u003cVirtualHost *:{{ nova_metadata_listen_port }}\u003e"},{"line_number":47,"context_line":"    WSGIDaemonProcess nova-metadata processes\u003d{{ openstack_service_workers }} threads\u003d1 user\u003dnova group\u003dnova display-name\u003d%{GROUP} python-path\u003d{{ python_path }}"},{"line_number":48,"context_line":"    WSGIProcessGroup nova-metadata"},{"line_number":49,"context_line":"    WSGIScriptAlias / {{ binary_path }}/nova-metadata-wsgi"}],"source_content_type":"text/x-jinja2","patch_set":19,"id":"3fa7e38b_f98f8674","line":46,"updated":"2020-02-21 17:39:49.000000000","message":"SSL for metadata too?","commit_id":"dc45bafbc7456e7b286c42761d7007e78a462ddd"}],"ansible/roles/service-cert-copy/tasks/copy_backend_certs.yml":[{"author":{"_account_id":14826,"name":"Mark 
Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"b3e97f5d125b5a0f66952594df7bbc0bd26a047a","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- name: \"{{ project_name }} | Copying over backend internal TLS certificate\""},{"line_number":3,"context_line":"  vars:"},{"line_number":4,"context_line":"    certs:"}],"source_content_type":"text/x-yaml","patch_set":19,"id":"3fa7e38b_fef1ac98","line":1,"updated":"2020-02-21 17:39:49.000000000","message":"We\u0027re doing an unnecessary amount of looping here - we should only copy once per service. We need to copy if any of the service\u0027s haproxy items have tls_backend set. Something like this might help:\n\nwhen:\n  - service.haproxy is defined\n  - service.haproxy.values() | selectattr(\u0027tls_backend\u0027, \u0027defined\u0027) | selectattr(\u0027tls_backend\u0027, \u0027bool\u0027) | length \u003e 0","commit_id":"dc45bafbc7456e7b286c42761d7007e78a462ddd"}],"ansible/roles/service-cert-copy/tasks/main.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"d3c78551939f1ec19b5f46039e78215489c3926f","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- block:"},{"line_number":3,"context_line":"    - name: Copying over extra CA certificates"},{"line_number":4,"context_line":"      become: true"},{"line_number":5,"context_line":"      copy:"}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_0e4c259b","line":2,"range":{"start_line":2,"start_character":2,"end_line":2,"end_character":7},"updated":"2020-01-27 14:02:20.000000000","message":"Why the block?","commit_id":"62f59fab9ac36ad7b87b07bda8d11ae6b3445c44"},{"author":{"_account_id":14826,"name":"Mark 
Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"d3c78551939f1ec19b5f46039e78215489c3926f","unresolved":false,"context_lines":[{"line_number":3,"context_line":"    - name: Copying over extra CA certificates"},{"line_number":4,"context_line":"      become: true"},{"line_number":5,"context_line":"      copy:"},{"line_number":6,"context_line":"        src: \"{{ node_config }}/certificates/ca/\""},{"line_number":7,"context_line":"        dest: \"{{ node_config_directory }}/{{ item.key }}/ca-certificates\""},{"line_number":8,"context_line":"        mode: \"0644\""},{"line_number":9,"context_line":"      when:"}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_4e221db9","line":6,"range":{"start_line":6,"start_character":13,"end_line":6,"end_character":44},"updated":"2020-01-27 14:02:20.000000000","message":"kolla_certificates_dir?","commit_id":"62f59fab9ac36ad7b87b07bda8d11ae6b3445c44"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"d3c78551939f1ec19b5f46039e78215489c3926f","unresolved":false,"context_lines":[{"line_number":12,"context_line":"        - kolla_copy_ca_into_containers | bool"},{"line_number":13,"context_line":"      with_dict: \"{{ project_services }}\""},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"    - name: Register local {{ project_name }} backend TLS certificate and key path"},{"line_number":16,"context_line":"      set_fact:"},{"line_number":17,"context_line":"        backend_tls_cert: \"{{ lookup(\u0027first_found\u0027, certs) }}\""},{"line_number":18,"context_line":"        backend_tls_key: \"{{ lookup(\u0027first_found\u0027, keys) }}\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_3114e0e9","line":15,"updated":"2020-01-27 14:02:20.000000000","message":"I\u0027ve used this pattern in other shared roles:\n\nname: \"{{ project_name }} | 
...\"","commit_id":"62f59fab9ac36ad7b87b07bda8d11ae6b3445c44"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"d3c78551939f1ec19b5f46039e78215489c3926f","unresolved":false,"context_lines":[{"line_number":24,"context_line":"        keys:"},{"line_number":25,"context_line":"          - \"{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ service_name }}.key\""},{"line_number":26,"context_line":"          - \"{{ kolla_certificates_dir }}/{{ inventory_hostname }}.key\""},{"line_number":27,"context_line":"          - \"{{ kolla_certificates_dir }}/private/internal/internal.key\""},{"line_number":28,"context_line":"      when: keystone_tls_backend_enabled | bool"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"    - name: Copying over {{ project_name }} backend internal TLS certificate"}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_f15c08f1","line":27,"range":{"start_line":27,"start_character":10,"end_line":27,"end_character":72},"updated":"2020-01-27 14:02:20.000000000","message":"I think we need to use a different name for the backend key.","commit_id":"62f59fab9ac36ad7b87b07bda8d11ae6b3445c44"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"84607ca16881289dbcf19e6068e0e42b8b347b18","unresolved":false,"context_lines":[{"line_number":24,"context_line":"        keys:"},{"line_number":25,"context_line":"          - \"{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ service_name }}.key\""},{"line_number":26,"context_line":"          - \"{{ kolla_certificates_dir }}/{{ inventory_hostname }}.key\""},{"line_number":27,"context_line":"          - \"{{ kolla_certificates_dir }}/private/internal/internal.key\""},{"line_number":28,"context_line":"      when: keystone_tls_backend_enabled | 
bool"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"    - name: Copying over {{ project_name }} backend internal TLS certificate"}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_ac5cdcef","line":27,"range":{"start_line":27,"start_character":10,"end_line":27,"end_character":72},"in_reply_to":"3fa7e38b_f15c08f1","updated":"2020-01-29 01:14:32.000000000","message":"This is name of the key generated by our certificate generation code. It is useful for testing backend encryption when cert verification is disabled. Would you suggest we generate a different name for the key (\"haproxy-internal.key\") in the cert generation code?","commit_id":"62f59fab9ac36ad7b87b07bda8d11ae6b3445c44"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"d3c78551939f1ec19b5f46039e78215489c3926f","unresolved":false,"context_lines":[{"line_number":25,"context_line":"          - \"{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ service_name }}.key\""},{"line_number":26,"context_line":"          - \"{{ kolla_certificates_dir }}/{{ inventory_hostname }}.key\""},{"line_number":27,"context_line":"          - \"{{ kolla_certificates_dir }}/private/internal/internal.key\""},{"line_number":28,"context_line":"      when: keystone_tls_backend_enabled | bool"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"    - name: Copying over {{ project_name }} backend internal TLS certificate"},{"line_number":31,"context_line":"      copy:"}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_71c25888","line":28,"range":{"start_line":28,"start_character":12,"end_line":28,"end_character":20},"updated":"2020-01-27 14:02:20.000000000","message":"Needs to be generic. 
Could use a role variable that gets assigned when the role is imported.","commit_id":"62f59fab9ac36ad7b87b07bda8d11ae6b3445c44"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"d3c78551939f1ec19b5f46039e78215489c3926f","unresolved":false,"context_lines":[{"line_number":29,"context_line":""},{"line_number":30,"context_line":"    - name: Copying over {{ project_name }} backend internal TLS certificate"},{"line_number":31,"context_line":"      copy:"},{"line_number":32,"context_line":"        src: \"{{ backend_tls_cert }}\""},{"line_number":33,"context_line":"        dest: \"{{ node_config_directory }}/{{ service_name }}/{{ service_name }}.pem\""},{"line_number":34,"context_line":"        mode: \"0644\""},{"line_number":35,"context_line":"      become: true"}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_d1230c56","line":32,"range":{"start_line":32,"start_character":17,"end_line":32,"end_character":33},"updated":"2020-01-27 14:02:20.000000000","message":"This could just be a task scoped variable.","commit_id":"62f59fab9ac36ad7b87b07bda8d11ae6b3445c44"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"d3c78551939f1ec19b5f46039e78215489c3926f","unresolved":false,"context_lines":[{"line_number":35,"context_line":"      become: true"},{"line_number":36,"context_line":"      when:"},{"line_number":37,"context_line":"        - inventory_hostname in groups[item.value.group]"},{"line_number":38,"context_line":"        - item.key in [ service_name ]"},{"line_number":39,"context_line":"        - item.value.enabled | bool"},{"line_number":40,"context_line":"      with_dict: \"{{ project_services 
}}\""},{"line_number":41,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_d10a2cce","line":38,"range":{"start_line":38,"start_character":10,"end_line":38,"end_character":38},"updated":"2020-01-27 14:02:20.000000000","message":"I\u0027m not sure what this is doing.","commit_id":"62f59fab9ac36ad7b87b07bda8d11ae6b3445c44"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"d3c78551939f1ec19b5f46039e78215489c3926f","unresolved":false,"context_lines":[{"line_number":43,"context_line":"      copy:"},{"line_number":44,"context_line":"        src: \"{{ backend_tls_key }}\""},{"line_number":45,"context_line":"        dest: \"{{ node_config_directory }}/{{ service_name }}/{{ service_name }}.key\""},{"line_number":46,"context_line":"        mode: \"0644\""},{"line_number":47,"context_line":"      become: true"},{"line_number":48,"context_line":"      when:"},{"line_number":49,"context_line":"        - inventory_hostname in groups[item.value.group]"}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_d1554cc2","line":46,"range":{"start_line":46,"start_character":15,"end_line":46,"end_character":19},"updated":"2020-01-27 14:02:20.000000000","message":"600 for the key.","commit_id":"62f59fab9ac36ad7b87b07bda8d11ae6b3445c44"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"0a07f73f17d75da7cdb79cf21ad1b397e4ab762d","unresolved":false,"context_lines":[{"line_number":15,"context_line":"    - name: \"{{ project_name }} | Copying over backend internal TLS certificate\""},{"line_number":16,"context_line":"      vars:"},{"line_number":17,"context_line":"        certs:"},{"line_number":18,"context_line":"          - \"{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ service_name }}.pem\""},{"line_number":19,"context_line":"          - \"{{ kolla_certificates_dir }}/{{ 
inventory_hostname }}.pem\""},{"line_number":20,"context_line":"          - \"{{ kolla_certificates_dir }}/ca/haproxy-internal.crt\""},{"line_number":21,"context_line":"        backend_tls_cert: \"{{ lookup(\u0027first_found\u0027, certs) }}\""},{"line_number":22,"context_line":"      copy:"},{"line_number":23,"context_line":"        src: \"{{ backend_tls_cert }}\""}],"source_content_type":"text/x-yaml","patch_set":9,"id":"3fa7e38b_6210acf5","line":20,"range":{"start_line":18,"start_character":10,"end_line":20,"end_character":66},"updated":"2020-02-06 16:45:04.000000000","message":"Maybe also a global per-service one?\n\n- \"{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ service_name }}.pem\"\n- \"{{ kolla_certificates_dir }}/{{ inventory_hostname }}.pem\"\n- \"{{ kolla_certificates_dir }}/{{ service_name }}.pem\"\n- \"{{ kolla_certificates_dir }}/ca/haproxy-internal.crt\"\n\nAnd should they be under the ca/ directory? Not sure.","commit_id":"99bc53ac3d05eebff2471538df819295f94b36c3"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"0a07f73f17d75da7cdb79cf21ad1b397e4ab762d","unresolved":false,"context_lines":[{"line_number":17,"context_line":"        certs:"},{"line_number":18,"context_line":"          - \"{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ service_name }}.pem\""},{"line_number":19,"context_line":"          - \"{{ kolla_certificates_dir }}/{{ inventory_hostname }}.pem\""},{"line_number":20,"context_line":"          - \"{{ kolla_certificates_dir }}/ca/haproxy-internal.crt\""},{"line_number":21,"context_line":"        backend_tls_cert: \"{{ lookup(\u0027first_found\u0027, certs) }}\""},{"line_number":22,"context_line":"      copy:"},{"line_number":23,"context_line":"        src: \"{{ backend_tls_cert 
}}\""}],"source_content_type":"text/x-yaml","patch_set":9,"id":"3fa7e38b_c2f96082","line":20,"range":{"start_line":20,"start_character":12,"end_line":20,"end_character":66},"updated":"2020-02-06 16:45:04.000000000","message":"This is a CA cert, rather than a server cert. Probably makes sense for it to be a variable.","commit_id":"99bc53ac3d05eebff2471538df819295f94b36c3"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"0a07f73f17d75da7cdb79cf21ad1b397e4ab762d","unresolved":false,"context_lines":[{"line_number":27,"context_line":"      when:"},{"line_number":28,"context_line":"        - inventory_hostname in groups[item.value.group]"},{"line_number":29,"context_line":"        - item.value.enabled | bool"},{"line_number":30,"context_line":"      with_dict: \"{{ project_services }}\""},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"    - name: \"{{ project_name }} | Copying over backend internal TLS key\""},{"line_number":33,"context_line":"      vars:"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"3fa7e38b_a23f8482","line":30,"range":{"start_line":30,"start_character":21,"end_line":30,"end_character":37},"updated":"2020-02-06 16:45:04.000000000","message":"This will copy the cert for keystone, keystone-ssh and keystone-fernet containers, but only keystone is required. 
\n\nThe backend_encrypted property needs to come from the service\u0027s haproxy.tls_backend attribute (which may be omitted).","commit_id":"99bc53ac3d05eebff2471538df819295f94b36c3"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"0a07f73f17d75da7cdb79cf21ad1b397e4ab762d","unresolved":false,"context_lines":[{"line_number":32,"context_line":"    - name: \"{{ project_name }} | Copying over backend internal TLS key\""},{"line_number":33,"context_line":"      vars:"},{"line_number":34,"context_line":"        keys:"},{"line_number":35,"context_line":"          - \"{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ service_name }}.key\""},{"line_number":36,"context_line":"          - \"{{ kolla_certificates_dir }}/{{ inventory_hostname }}.key\""},{"line_number":37,"context_line":"          - \"{{ kolla_certificates_dir }}/private/internal/internal.key\""},{"line_number":38,"context_line":"        backend_tls_key: \"{{ lookup(\u0027first_found\u0027, keys) }}\""},{"line_number":39,"context_line":"      copy:"},{"line_number":40,"context_line":"        src: \"{{ backend_tls_key }}\""}],"source_content_type":"text/x-yaml","patch_set":9,"id":"3fa7e38b_e2d9fc54","line":37,"range":{"start_line":35,"start_character":10,"end_line":37,"end_character":72},"updated":"2020-02-06 16:45:04.000000000","message":"As above","commit_id":"99bc53ac3d05eebff2471538df819295f94b36c3"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"0a07f73f17d75da7cdb79cf21ad1b397e4ab762d","unresolved":false,"context_lines":[{"line_number":34,"context_line":"        keys:"},{"line_number":35,"context_line":"          - \"{{ kolla_certificates_dir }}/{{ inventory_hostname }}/{{ service_name }}.key\""},{"line_number":36,"context_line":"          - \"{{ kolla_certificates_dir }}/{{ inventory_hostname 
}}.key\""},{"line_number":37,"context_line":"          - \"{{ kolla_certificates_dir }}/private/internal/internal.key\""},{"line_number":38,"context_line":"        backend_tls_key: \"{{ lookup(\u0027first_found\u0027, keys) }}\""},{"line_number":39,"context_line":"      copy:"},{"line_number":40,"context_line":"        src: \"{{ backend_tls_key }}\""}],"source_content_type":"text/x-yaml","patch_set":9,"id":"3fa7e38b_42981075","line":37,"range":{"start_line":37,"start_character":12,"end_line":37,"end_character":72},"updated":"2020-02-06 16:45:04.000000000","message":"This seems a bit tied to the layout of the certificates role, which isn\u0027t what you\u0027d use in production. As above, it should be a variable.","commit_id":"99bc53ac3d05eebff2471538df819295f94b36c3"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"b3e97f5d125b5a0f66952594df7bbc0bd26a047a","unresolved":false,"context_lines":[{"line_number":6,"context_line":"    dest: \"{{ node_config_directory }}/{{ item.key }}/ca-certificates\""},{"line_number":7,"context_line":"    mode: \"0644\""},{"line_number":8,"context_line":"  when:"},{"line_number":9,"context_line":"    - item.value.enabled | bool"},{"line_number":10,"context_line":"    - inventory_hostname in groups[item.value.group]"},{"line_number":11,"context_line":"    - kolla_copy_ca_into_containers | bool"},{"line_number":12,"context_line":"  with_dict: \"{{ project_services }}\""},{"line_number":13,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":19,"id":"3fa7e38b_f942260e","line":10,"range":{"start_line":9,"start_character":0,"end_line":10,"end_character":52},"updated":"2020-02-21 17:39:49.000000000","message":"We need to handle services that use host_in_groups rather than group. 
You can use the service filters for that:\n\nwith_dict: \"{{ project_services | select_services_enabled_and_mapped_to_host }}\"\n\nhttps://opendev.org/openstack/kolla-ansible/src/branch/master/kolla_ansible/filters.py#L86","commit_id":"dc45bafbc7456e7b286c42761d7007e78a462ddd"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"b3e97f5d125b5a0f66952594df7bbc0bd26a047a","unresolved":false,"context_lines":[{"line_number":15,"context_line":"  vars:"},{"line_number":16,"context_line":"    haproxy: \"{{ item.value.haproxy }}\""},{"line_number":17,"context_line":"  when:"},{"line_number":18,"context_line":"    - inventory_hostname in groups[item.value.group]"},{"line_number":19,"context_line":"    - item.value.enabled | bool"},{"line_number":20,"context_line":"    - item.value.haproxy is defined"},{"line_number":21,"context_line":"    - backend_encrypted | bool"},{"line_number":22,"context_line":"  with_dict: \"{{ project_services }}\""}],"source_content_type":"text/x-yaml","patch_set":19,"id":"3fa7e38b_9900d2b2","line":19,"range":{"start_line":18,"start_character":0,"end_line":19,"end_character":31},"updated":"2020-02-21 17:39:49.000000000","message":"Same here","commit_id":"dc45bafbc7456e7b286c42761d7007e78a462ddd"}],"releasenotes/notes/encrypt-backend-haproxy-109baa71bb95dc91.yaml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"d3c78551939f1ec19b5f46039e78215489c3926f","unresolved":false,"context_lines":[{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Added configuration options to enable backend TLS encryption from HAProxy"},{"line_number":5,"context_line":"    to openstack services. 
When used in conjunction with enabling TLS for"},{"line_number":6,"context_line":"    service API endpoints, network communcation with be encrpyted end to end,"},{"line_number":7,"context_line":"    from client through HAProxy to openstack services."}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_91def439","line":6,"range":{"start_line":6,"start_character":48,"end_line":6,"end_character":52},"updated":"2020-01-27 14:02:20.000000000","message":"will","commit_id":"62f59fab9ac36ad7b87b07bda8d11ae6b3445c44"}]}
