)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"87ea06d17f327de8cff8432185bf44bcd5b40b1c","unresolved":false,"context_lines":[{"line_number":7,"context_line":"Custom CA certificates deployment"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"This commit adds custom CA certificates deployment mechanism to"},{"line_number":10,"context_line":"Kolla-Ansible. Adds support for disabling verification of"},{"line_number":11,"context_line":"self-signed TLS certificates when ansible executes REST"},{"line_number":12,"context_line":"methods to configure services."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"Change-Id: I50751de1d295d922c5827c21b94c389183c0e217"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":27,"id":"3fa7e38b_bc05c77b","line":12,"range":{"start_line":10,"start_character":15,"end_line":12,"end_character":30},"updated":"2019-12-16 13:59:54.000000000","message":"This is no longer true.","commit_id":"f1601e4105a3d3a63894e082f82c4e01310e8ef1"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"87ea06d17f327de8cff8432185bf44bcd5b40b1c","unresolved":false,"context_lines":[{"line_number":11,"context_line":"self-signed TLS certificates when ansible executes REST"},{"line_number":12,"context_line":"methods to configure services."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"Change-Id: I50751de1d295d922c5827c21b94c389183c0e217"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":27,"id":"3fa7e38b_9c000b6c","line":14,"updated":"2019-12-16 13:59:54.000000000","message":"Partially-Implements: blueprint add-ssl-internal-network","commit_id":"f1601e4105a3d3a63894e082f82c4e01310e8ef1"}],"ansible/group_vars/all.yml":[{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"2da6cd02c362767f2a360fc4bb3d0dcb1286ba7d","unresolved":false,"context_lines":[{"line_number":747,"context_line":"kolla_external_fqdn_cert: \"{{ node_config }}/certificates/external.pem\""},{"line_number":748,"context_line":"kolla_internal_fqdn_cert: \"{{ node_config }}/certificates/internal.pem\""},{"line_number":749,"context_line":"kolla_external_fqdn_cacert: \"{{ node_config }}/certificates/ca/external.crt\""},{"line_number":750,"context_line":"kolla_internal_fqdn_cacert: \"{{ node_config }}/certificates/ca/internal.crt\""},{"line_number":751,"context_line":""},{"line_number":752,"context_line":""},{"line_number":753,"context_line":"####################"}],"source_content_type":"text/x-yaml","patch_set":16,"id":"3fa7e38b_4b653944","line":750,"updated":"2019-11-21 12:16:58.000000000","message":"needs noting change in releasenote for upgraders","commit_id":"ad3fa0b7c6a7903f64f8161a02012f3fcb25eb07"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"87ea06d17f327de8cff8432185bf44bcd5b40b1c","unresolved":false,"context_lines":[{"line_number":742,"context_line":"haproxy_enable_external_vip: \"{{ \u0027no\u0027 if kolla_same_external_internal_vip | bool else \u0027yes\u0027 }}\""},{"line_number":743,"context_line":"kolla_enable_tls_internal: \"no\""},{"line_number":744,"context_line":"kolla_enable_tls_external: \"{{ kolla_enable_tls_internal if kolla_same_external_internal_vip | bool else \u0027no\u0027 }}\""},{"line_number":745,"context_line":"kolla_external_fqdn_cert: \"{{ node_config }}/certificates/external.pem\""},{"line_number":746,"context_line":"kolla_internal_fqdn_cert: \"{{ node_config }}/certificates/internal.pem\""},{"line_number":747,"context_line":"kolla_external_fqdn_cacert: \"{{ node_config }}/certificates/ca/external.crt\""},{"line_number":748,"context_line":"kolla_internal_fqdn_cacert: \"{{ node_config }}/certificates/ca/internal.crt\""},{"line_number":749,"context_line":"kolla_validate_internal_cert: \"yes\""},{"line_number":750,"context_line":""},{"line_number":751,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":27,"id":"3fa7e38b_3cf1d797","line":748,"range":{"start_line":745,"start_character":0,"end_line":748,"end_character":76},"updated":"2019-12-16 13:59:54.000000000","message":"I can see that we\u0027re changing these to put the CAs in a directory, but it\u0027s not backwards compatible.\n\nWhat will happen for a user that has certs in the previous location?\n\nPossible alternative is to loop over the two files for each service. Although it\u0027s actually only the internal CA we need in containers, right?","commit_id":"f1601e4105a3d3a63894e082f82c4e01310e8ef1"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"87ea06d17f327de8cff8432185bf44bcd5b40b1c","unresolved":false,"context_lines":[{"line_number":746,"context_line":"kolla_internal_fqdn_cert: \"{{ node_config }}/certificates/internal.pem\""},{"line_number":747,"context_line":"kolla_external_fqdn_cacert: \"{{ node_config }}/certificates/ca/external.crt\""},{"line_number":748,"context_line":"kolla_internal_fqdn_cacert: \"{{ node_config }}/certificates/ca/internal.crt\""},{"line_number":749,"context_line":"kolla_validate_internal_cert: \"yes\""},{"line_number":750,"context_line":""},{"line_number":751,"context_line":""},{"line_number":752,"context_line":"####################"}],"source_content_type":"text/x-yaml","patch_set":27,"id":"3fa7e38b_fcea5f9e","line":749,"range":{"start_line":749,"start_character":0,"end_line":749,"end_character":35},"updated":"2019-12-16 13:59:54.000000000","message":"Do we still need this?","commit_id":"f1601e4105a3d3a63894e082f82c4e01310e8ef1"}],"ansible/roles/aodh/tasks/config.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"87ea06d17f327de8cff8432185bf44bcd5b40b1c","unresolved":false,"context_lines":[{"line_number":55,"context_line":"    - item.value.enabled | bool"},{"line_number":56,"context_line":"    - inventory_hostname in groups[item.value.group]"},{"line_number":57,"context_line":"    - kolla_enable_tls_internal | bool"},{"line_number":58,"context_line":"  with_dict: \"{{ aodh_services }}\""},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"- name: Copying over config.json files for services"},{"line_number":61,"context_line":"  template:"}],"source_content_type":"text/x-yaml","patch_set":27,"id":"3fa7e38b_dcde83da","line":58,"updated":"2019-12-16 13:59:54.000000000","message":"I think this should be optional. If your API is publicly reachable and uses a trusted CA, you shouldn\u0027t need to copy certs into containers. Nor if you have baked certs into your images.\n\nEither approach would speed up deployment compared to copying each cert for every service.","commit_id":"f1601e4105a3d3a63894e082f82c4e01310e8ef1"}],"ansible/roles/aodh/templates/aodh.conf.j2":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"87ea06d17f327de8cff8432185bf44bcd5b40b1c","unresolved":false,"context_lines":[{"line_number":25,"context_line":"password \u003d {{ aodh_keystone_password }}"},{"line_number":26,"context_line":"auth_url \u003d {{ keystone_admin_url }}"},{"line_number":27,"context_line":"auth_type \u003d password"},{"line_number":28,"context_line":"cafile \u003d {{ openstack_cacert | default(omit) }}"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"[oslo_middleware]"},{"line_number":31,"context_line":"enable_proxy_headers_parsing \u003d True"}],"source_content_type":"text/x-jinja2","patch_set":27,"id":"3fa7e38b_3cfb1749","line":28,"range":{"start_line":28,"start_character":39,"end_line":28,"end_character":43},"updated":"2019-12-16 13:59:54.000000000","message":"Can you make these changes separately, since they are a continuation of the openstack_cacert change and we should backport to train.","commit_id":"f1601e4105a3d3a63894e082f82c4e01310e8ef1"}],"ansible/roles/ceph/tasks/config.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"87ea06d17f327de8cff8432185bf44bcd5b40b1c","unresolved":false,"context_lines":[{"line_number":36,"context_line":"    - name: \"ceph-mds\""},{"line_number":37,"context_line":"      group: ceph-mds"},{"line_number":38,"context_line":"    - name: \"ceph-nfs\""},{"line_number":39,"context_line":"      group: ceph-nfs"},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"- name: Copying over config.json files for services"},{"line_number":42,"context_line":"  template:"}],"source_content_type":"text/x-yaml","patch_set":27,"id":"3fa7e38b_dc28c399","line":39,"updated":"2019-12-16 13:59:54.000000000","message":"Do we expect ceph to need a CA?","commit_id":"f1601e4105a3d3a63894e082f82c4e01310e8ef1"}],"ansible/roles/certificates/tasks/generate.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"87ea06d17f327de8cff8432185bf44bcd5b40b1c","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- name: Ensuring private directory exist"},{"line_number":3,"context_line":"  file:"},{"line_number":4,"context_line":"    path: \"{{ certificates_dir }}/private\""}],"source_content_type":"text/x-yaml","patch_set":27,"id":"3fa7e38b_bc306708","line":1,"updated":"2019-12-16 13:59:54.000000000","message":"Could you make this change to the kolla-ansible certificates command in a separate patch?","commit_id":"f1601e4105a3d3a63894e082f82c4e01310e8ef1"},{"author":{"_account_id":29344,"name":"白永君","email":"bai.yongjun@99cloud.net","username":"yj.bai"},"change_message_id":"566a618b98d2a0576e10fdceb3ee4a03ea5899a9","unresolved":false,"context_lines":[{"line_number":116,"context_line":"    - name: Creating internal Server PEM File"},{"line_number":117,"context_line":"      assemble:"},{"line_number":118,"context_line":"        src: \"{{ certificates_dir }}/private\""},{"line_number":119,"context_line":"        dest: \"{{ kolla_internal_fqdn_cert }}\""},{"line_number":120,"context_line":"        mode: \"0660\""},{"line_number":121,"context_line":"  when:"},{"line_number":122,"context_line":"    - kolla_enable_tls_internal | bool"}],"source_content_type":"text/x-yaml","patch_set":27,"id":"3fa7e38b_53aa15d3","line":119,"range":{"start_line":119,"start_character":18,"end_line":119,"end_character":42},"updated":"2019-12-25 08:31:09.000000000","message":"The pem generated here is just an external certificate","commit_id":"f1601e4105a3d3a63894e082f82c4e01310e8ef1"}],"ansible/roles/certificates/templates/openssl-kolla-internal.cnf.j2":[{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"2da6cd02c362767f2a360fc4bb3d0dcb1286ba7d","unresolved":false,"context_lines":[{"line_number":14,"context_line":"subjectAltName \u003d @alt_names"},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"[alt_names]"},{"line_number":17,"context_line":"IP.1 \u003d {{ kolla_internal_vip_address }}"},{"line_number":18,"context_line":"# NOTE(Xing Zhang): Add IPv6 internal VIP address to IP.2 when"},{"line_number":19,"context_line":"# ipv6-control-plane is implemented."},{"line_number":20,"context_line":"#IP.2 \u003d"},{"line_number":21,"context_line":"{% if kolla_internal_fqdn !\u003d kolla_internal_vip_address %}"},{"line_number":22,"context_line":"DNS.1 \u003d {{ kolla_internal_fqdn }}"},{"line_number":23,"context_line":"{% endif %}"}],"source_content_type":"text/x-jinja2","patch_set":16,"id":"3fa7e38b_ab762dd7","line":23,"range":{"start_line":17,"start_character":0,"end_line":23,"end_character":11},"updated":"2019-11-21 12:16:58.000000000","message":"should follow logic from external one","commit_id":"ad3fa0b7c6a7903f64f8161a02012f3fcb25eb07"}],"ansible/roles/chrony/tasks/config.yml":[{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"2da6cd02c362767f2a360fc4bb3d0dcb1286ba7d","unresolved":false,"context_lines":[{"line_number":16,"context_line":"  with_items:"},{"line_number":17,"context_line":"    - \"chrony\""},{"line_number":18,"context_line":""},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"- name: Copying over extra CA certificates"},{"line_number":21,"context_line":"  become: true"},{"line_number":22,"context_line":"  copy:"}],"source_content_type":"text/x-yaml","patch_set":16,"id":"3fa7e38b_cb7129e0","line":19,"updated":"2019-11-21 12:16:58.000000000","message":"that line... is unnecessary!","commit_id":"ad3fa0b7c6a7903f64f8161a02012f3fcb25eb07"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"87ea06d17f327de8cff8432185bf44bcd5b40b1c","unresolved":false,"context_lines":[{"line_number":26,"context_line":"    - item.value.enabled | bool"},{"line_number":27,"context_line":"    - inventory_hostname in groups[item.value.group]"},{"line_number":28,"context_line":"    - kolla_enable_tls_internal | bool"},{"line_number":29,"context_line":"  with_dict: \"{{ chrony_services }}\""},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"- name: Copying over config.json files for services"},{"line_number":32,"context_line":"  vars:"}],"source_content_type":"text/x-yaml","patch_set":27,"id":"3fa7e38b_1c1f3b72","line":29,"updated":"2019-12-16 13:59:54.000000000","message":"Do we expect chrony to need a CA?","commit_id":"f1601e4105a3d3a63894e082f82c4e01310e8ef1"}],"ansible/roles/elasticsearch/tasks/upgrade.yml":[{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"f7ad407583d9e951905b5f64e7cdc5c750d963ec","unresolved":false,"context_lines":[{"line_number":9,"context_line":"    return_content: yes"},{"line_number":10,"context_line":"    body: {\"transient\":{\"cluster.routing.allocation.enable\": \"none\"}}"},{"line_number":11,"context_line":"    body_format: json"},{"line_number":12,"context_line":"    validate_certs: \"{{ \u0027no\u0027 if kolla_validate_internal_cert \u003d\u003d \u0027no\u0027 and kolla_enable_tls_internal \u003d\u003d \u0027yes\u0027 else omit }}\""},{"line_number":13,"context_line":"  delegate_to: \"{{ groups[\u0027elasticsearch\u0027][0] }}\""},{"line_number":14,"context_line":"  run_once: true"},{"line_number":15,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":26,"id":"3fa7e38b_1eac8133","line":12,"range":{"start_line":12,"start_character":24,"end_line":12,"end_character":117},"updated":"2019-12-07 15:12:51.000000000","message":"kolla_enable_tls_internal|bool and kolla_validate_internal_cert|bool","commit_id":"71b9db11bfb9aaf1d0a9cdee45e5c17986c05f5d"},{"author":{"_account_id":30810,"name":"James Kirsch","email":"generalfuzz@gmail.com","username":"generalfuzz"},"change_message_id":"b6395523a30ee4f34b0dc903e5640a275fee7300","unresolved":false,"context_lines":[{"line_number":9,"context_line":"    return_content: yes"},{"line_number":10,"context_line":"    body: {\"transient\":{\"cluster.routing.allocation.enable\": \"none\"}}"},{"line_number":11,"context_line":"    body_format: json"},{"line_number":12,"context_line":"    validate_certs: \"{{ \u0027no\u0027 if kolla_validate_internal_cert \u003d\u003d \u0027no\u0027 and kolla_enable_tls_internal \u003d\u003d \u0027yes\u0027 else omit }}\""},{"line_number":13,"context_line":"  delegate_to: \"{{ groups[\u0027elasticsearch\u0027][0] }}\""},{"line_number":14,"context_line":"  run_once: true"},{"line_number":15,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":26,"id":"3fa7e38b_8c984bcc","line":12,"range":{"start_line":12,"start_character":24,"end_line":12,"end_character":117},"in_reply_to":"3fa7e38b_1eac8133","updated":"2019-12-08 03:40:59.000000000","message":"ultimately kolla_validate_internal_cert is enough. When I tested with TLS disabled, this value is ignored","commit_id":"71b9db11bfb9aaf1d0a9cdee45e5c17986c05f5d"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"87ea06d17f327de8cff8432185bf44bcd5b40b1c","unresolved":false,"context_lines":[{"line_number":9,"context_line":"    return_content: yes"},{"line_number":10,"context_line":"    body: {\"transient\":{\"cluster.routing.allocation.enable\": \"none\"}}"},{"line_number":11,"context_line":"    body_format: json"},{"line_number":12,"context_line":"    validate_certs: \"{{ kolla_validate_internal_cert }}\""},{"line_number":13,"context_line":"  delegate_to: \"{{ groups[\u0027elasticsearch\u0027][0] }}\""},{"line_number":14,"context_line":"  run_once: true"},{"line_number":15,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":27,"id":"3fa7e38b_5f03650d","line":12,"updated":"2019-12-16 13:59:54.000000000","message":"Do we need this because this gets executed on the host? Could we avoid it by using the kolla_toolbox module to execute the module in a container (which has the CA)?","commit_id":"f1601e4105a3d3a63894e082f82c4e01310e8ef1"}],"ansible/roles/haproxy/tasks/config.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"87ea06d17f327de8cff8432185bf44bcd5b40b1c","unresolved":false,"context_lines":[{"line_number":46,"context_line":"    - item.value.enabled | bool"},{"line_number":47,"context_line":"    - inventory_hostname in groups[item.value.group]"},{"line_number":48,"context_line":"    - kolla_enable_tls_internal | bool"},{"line_number":49,"context_line":"  with_dict: \"{{ haproxy_services }}\""},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"- name: Copying over config.json files for services"},{"line_number":52,"context_line":"  template:"}],"source_content_type":"text/x-yaml","patch_set":27,"id":"3fa7e38b_df2f5587","line":49,"updated":"2019-12-16 13:59:54.000000000","message":"Is this required for HAProxy? Perhaps for when backends can be TLS?","commit_id":"f1601e4105a3d3a63894e082f82c4e01310e8ef1"}],"ansible/roles/haproxy/tasks/precheck.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"87ea06d17f327de8cff8432185bf44bcd5b40b1c","unresolved":false,"context_lines":[{"line_number":105,"context_line":"  check_mode: no"},{"line_number":106,"context_line":"  run_once: true"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"- name: Checking if external certificate exists"},{"line_number":109,"context_line":"  run_once: true"},{"line_number":110,"context_line":"  stat:"},{"line_number":111,"context_line":"    path: \"{{ kolla_external_fqdn_cert }}\""},{"line_number":112,"context_line":"  delegate_to: localhost"},{"line_number":113,"context_line":"  register: external_cert_file"},{"line_number":114,"context_line":"  changed_when: false"},{"line_number":115,"context_line":"  when: kolla_enable_tls_external | bool"},{"line_number":116,"context_line":""},{"line_number":117,"context_line":"- name: Fail if external certificate is absent"},{"line_number":118,"context_line":"  run_once: true"},{"line_number":119,"context_line":"  fail:"},{"line_number":120,"context_line":"    msg: \"External certificate file is not found. It is configured via \u0027kolla_external_fqdn_cert\u0027\""},{"line_number":121,"context_line":"  when:"},{"line_number":122,"context_line":"    - kolla_enable_tls_external | bool"},{"line_number":123,"context_line":"    - external_cert_file.stat.exists \u003d\u003d false"},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"- name: Checking if internal haproxy certificate exists"},{"line_number":126,"context_line":"  run_once: true"}],"source_content_type":"text/x-yaml","patch_set":27,"id":"3fa7e38b_9f479d53","line":123,"range":{"start_line":108,"start_character":0,"end_line":123,"end_character":45},"updated":"2019-12-16 13:59:54.000000000","message":"I don\u0027t think we need to change this wording. At least keep it consistent with the internal stuff below.","commit_id":"f1601e4105a3d3a63894e082f82c4e01310e8ef1"}],"ansible/roles/multipathd/tasks/config.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"87ea06d17f327de8cff8432185bf44bcd5b40b1c","unresolved":false,"context_lines":[{"line_number":29,"context_line":"    - item.value.enabled | bool"},{"line_number":30,"context_line":"    - inventory_hostname in groups[item.value.group]"},{"line_number":31,"context_line":"    - kolla_enable_tls_internal | bool"},{"line_number":32,"context_line":"  with_dict: \"{{ multipathd_services }}\""},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"- name: Copying over config.json files for services"},{"line_number":35,"context_line":"  template:"}],"source_content_type":"text/x-yaml","patch_set":27,"id":"3fa7e38b_dfb2f54a","line":32,"updated":"2019-12-16 13:59:54.000000000","message":"Doubt we need it for multipathd","commit_id":"f1601e4105a3d3a63894e082f82c4e01310e8ef1"}],"ansible/roles/nova-hyperv/templates/nova_hyperv.conf.j2":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"87ea06d17f327de8cff8432185bf44bcd5b40b1c","unresolved":false,"context_lines":[{"line_number":33,"context_line":""},{"line_number":34,"context_line":"[glance]"},{"line_number":35,"context_line":"api_servers \u003d {{ internal_protocol }}://{{ glance_internal_fqdn | put_address_in_context(\u0027url\u0027) }}:{{ glance_api_port }}"},{"line_number":36,"context_line":"api_servers \u003d {{ internal_protocol }}://{{ glance_internal_fqdn }}:{{ glance_api_port }}"},{"line_number":37,"context_line":"cafile \u003d {{ openstack_cacert | default(omit) }}"},{"line_number":38,"context_line":""},{"line_number":39,"context_line":""}],"source_content_type":"text/x-jinja2","patch_set":27,"id":"3fa7e38b_9f7ebd6b","line":36,"range":{"start_line":36,"start_character":0,"end_line":36,"end_character":88},"updated":"2019-12-16 13:59:54.000000000","message":"duplicate option","commit_id":"f1601e4105a3d3a63894e082f82c4e01310e8ef1"}],"releasenotes/notes/custom-CA-certificates-deployment-mechanism-c0785592916ac57d.yaml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"87ea06d17f327de8cff8432185bf44bcd5b40b1c","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"features:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Adds a custom CA certificates deployment mechanism to Kolla-Ansible. The"},{"line_number":5,"context_line":"    certificates generated with the \"kolla-ansible certificates\" command will"},{"line_number":6,"context_line":"    now be distributed to service containers when the global"},{"line_number":7,"context_line":"    \"openstack_cacert\" variable is configured with file path of the generated"},{"line_number":8,"context_line":"    certificate. That certificate will be trusted since it is also injected"}],"source_content_type":"text/x-yaml","patch_set":27,"id":"3fa7e38b_bfe85915","line":5,"range":{"start_line":4,"start_character":73,"end_line":5,"end_character":72},"updated":"2019-12-16 13:59:54.000000000","message":"Let\u0027s not imply this is the only way to use certs. As they are self-signed it\u0027s not actually recommended.","commit_id":"f1601e4105a3d3a63894e082f82c4e01310e8ef1"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"87ea06d17f327de8cff8432185bf44bcd5b40b1c","unresolved":false,"context_lines":[{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Adds a custom CA certificates deployment mechanism to Kolla-Ansible. The"},{"line_number":5,"context_line":"    certificates generated with the \"kolla-ansible certificates\" command will"},{"line_number":6,"context_line":"    now be distributed to service containers when the global"},{"line_number":7,"context_line":"    \"openstack_cacert\" variable is configured with file path of the generated"},{"line_number":8,"context_line":"    certificate. That certificate will be trusted since it is also injected"},{"line_number":9,"context_line":"    into the docker container during install."},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"    The default path for ubuntu is: \"/usr/local/share/ca-certificates/\""}],"source_content_type":"text/x-yaml","patch_set":27,"id":"3fa7e38b_ff88116c","line":8,"range":{"start_line":6,"start_character":45,"end_line":8,"end_character":15},"updated":"2019-12-16 13:59:54.000000000","message":"Is that really what happens? Not seeing it.","commit_id":"f1601e4105a3d3a63894e082f82c4e01310e8ef1"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"87ea06d17f327de8cff8432185bf44bcd5b40b1c","unresolved":false,"context_lines":[{"line_number":34,"context_line":"    kolla_internal_fqdn_cacert:"},{"line_number":35,"context_line":"       \"{{ node_config }}/certificates/ca/internal.crt\""},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"    Kolla Ansible is transitioning from only implementing TLS termination"},{"line_number":38,"context_line":"    using HAproxy to having some services perform their own native TLS"},{"line_number":39,"context_line":"    termination."}],"source_content_type":"text/x-yaml","patch_set":27,"id":"3fa7e38b_3fd4694b","line":39,"range":{"start_line":37,"start_character":3,"end_line":39,"end_character":16},"updated":"2019-12-16 13:59:54.000000000","message":"Correct, but that\u0027s not what\u0027s happening here.","commit_id":"f1601e4105a3d3a63894e082f82c4e01310e8ef1"}],"tests/templates/globals-default.j2":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"87ea06d17f327de8cff8432185bf44bcd5b40b1c","unresolved":false,"context_lines":[{"line_number":118,"context_line":"kolla_enable_tls_external: \"yes\""},{"line_number":119,"context_line":"kolla_enable_tls_internal: \"yes\""},{"line_number":120,"context_line":"kolla_validate_internal_cert: \"no\""},{"line_number":121,"context_line":"{% if base_distro \u003d\u003d \"ubuntu\" %}"},{"line_number":122,"context_line":"openstack_cacert: \"/usr/local/share/ca-certificates/kolla-customca-internal.crt\""},{"line_number":123,"context_line":"{% endif %}"},{"line_number":124,"context_line":"{% if base_distro \u003d\u003d \"centos\" %}"},{"line_number":125,"context_line":"openstack_cacert: \"/etc/pki/ca-trust/source/anchors/kolla-customca-internal.crt\""},{"line_number":126,"context_line":"{% endif %}"},{"line_number":127,"context_line":"{% endif %}"}],"source_content_type":"text/x-jinja2","patch_set":27,"id":"3fa7e38b_1fc08d7d","line":126,"range":{"start_line":121,"start_character":0,"end_line":126,"end_character":11},"updated":"2019-12-16 13:59:54.000000000","message":"I thought the idea was that the script in the images would add the certs to the trust store? I briefly tried it locally and it didn\u0027t work though.","commit_id":"f1601e4105a3d3a63894e082f82c4e01310e8ef1"}],"tests/test-dashboard.sh":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"87ea06d17f327de8cff8432185bf44bcd5b40b1c","unresolved":false,"context_lines":[{"line_number":12,"context_line":"    DASHBOARD_URL\u003d${OS_AUTH_URL%:*}"},{"line_number":13,"context_line":"    output_path\u003d$1"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"    DASHBOARD_URL\u003d${OS_AUTH_URL%:*}"},{"line_number":16,"context_line":"    output_path\u003d$1"},{"line_number":17,"context_line":"    args\u003d("},{"line_number":18,"context_line":"        --include"},{"line_number":19,"context_line":"        --location"}],"source_content_type":"text/x-sh","patch_set":27,"id":"3fa7e38b_3fbd4903","line":16,"range":{"start_line":15,"start_character":3,"end_line":16,"end_character":18},"updated":"2019-12-16 13:59:54.000000000","message":"Duplicated","commit_id":"f1601e4105a3d3a63894e082f82c4e01310e8ef1"}],"tests/upgrade.sh":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"87ea06d17f327de8cff8432185bf44bcd5b40b1c","unresolved":false,"context_lines":[{"line_number":9,"context_line":""},{"line_number":10,"context_line":"function upgrade {"},{"line_number":11,"context_line":"    RAW_INVENTORY\u003d/etc/kolla/inventory"},{"line_number":12,"context_line":"    if [[ \"$SCENARIO\" \u003d\u003d \"tls\" ]]; then"},{"line_number":13,"context_line":"        tools/kolla-ansible -i ${RAW_INVENTORY} -vvv certificates \u003e /tmp/logs/ansible/certificates"},{"line_number":14,"context_line":"    fi"},{"line_number":15,"context_line":"    tools/kolla-ansible -i ${RAW_INVENTORY} -vvv prechecks \u0026\u003e /tmp/logs/ansible/upgrade-prechecks"},{"line_number":16,"context_line":"    tools/kolla-ansible -i ${RAW_INVENTORY} -vvv pull \u0026\u003e /tmp/logs/ansible/pull-upgrade"},{"line_number":17,"context_line":"    tools/kolla-ansible -i ${RAW_INVENTORY} -vvv upgrade \u0026\u003e /tmp/logs/ansible/upgrade"}],"source_content_type":"text/x-sh","patch_set":27,"id":"3fa7e38b_5f3b659a","line":14,"range":{"start_line":12,"start_character":0,"end_line":14,"end_character":6},"updated":"2019-12-16 13:59:54.000000000","message":"I don\u0027t think we\u0027re exercising this currently are we?","commit_id":"f1601e4105a3d3a63894e082f82c4e01310e8ef1"}],"zuul.d/jobs.yaml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"87ea06d17f327de8cff8432185bf44bcd5b40b1c","unresolved":false,"context_lines":[{"line_number":204,"context_line":"      base_distro: ubuntu"},{"line_number":205,"context_line":"      install_type: source"},{"line_number":206,"context_line":""},{"line_number":207,"context_line":"- job:"},{"line_number":208,"context_line":"    name: kolla-ansible-ubuntu-source-scenario-tls"},{"line_number":209,"context_line":"    parent: kolla-ansible-base"},{"line_number":210,"context_line":"    nodeset: kolla-ansible-bionic"},{"line_number":211,"context_line":"    voting: false"},{"line_number":212,"context_line":"    vars:"},{"line_number":213,"context_line":"      base_distro: ubuntu"},{"line_number":214,"context_line":"      install_type: source"},{"line_number":215,"context_line":"      scenario: tls"},{"line_number":216,"context_line":""},{"line_number":217,"context_line":"- job:"},{"line_number":218,"context_line":"    name: kolla-ansible-centos-source-scenario-tls"},{"line_number":219,"context_line":"    parent: kolla-ansible-base"},{"line_number":220,"context_line":"    nodeset: kolla-ansible-bionic"},{"line_number":221,"context_line":"    voting: false"},{"line_number":222,"context_line":"    vars:"},{"line_number":223,"context_line":"      base_distro: centos"},{"line_number":224,"context_line":"      install_type: source"},{"line_number":225,"context_line":"      scenario: tls"},{"line_number":226,"context_line":""},{"line_number":227,"context_line":"- job:"},{"line_number":228,"context_line":"    name: kolla-ansible-centos-source-scenario-nfv"}],"source_content_type":"text/x-yaml","patch_set":27,"id":"3fa7e38b_ff4b3125","line":225,"range":{"start_line":207,"start_character":0,"end_line":225,"end_character":19},"updated":"2019-12-16 13:59:54.000000000","message":"How would you feel about just enabling TLS in one of the existing jobs rather than adding new jobs? We have quite a lot already. Perhaps we could have aio use TLS, and multinode plain text? Or the other way around?","commit_id":"f1601e4105a3d3a63894e082f82c4e01310e8ef1"}],"zuul.d/project.yaml":[{"author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"tag":"autogenerated:zuul:check","change_message_id":"5190c17c9ddda7b804141dc60d2e272fabb64323","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- project:"},{"line_number":3,"context_line":"    templates:"},{"line_number":4,"context_line":"      - check-requirements"},{"line_number":5,"context_line":"      - deploy-guide-jobs"},{"line_number":6,"context_line":"      - openstack-cover-jobs"},{"line_number":7,"context_line":"      - openstack-lower-constraints-jobs"},{"line_number":8,"context_line":"      - openstack-python3-ussuri-jobs"},{"line_number":9,"context_line":"      - publish-openstack-docs-pti"},{"line_number":10,"context_line":"      - release-notes-jobs-python3"},{"line_number":11,"context_line":"      - periodic-stable-jobs"},{"line_number":12,"context_line":"    check:"},{"line_number":13,"context_line":"      jobs:"},{"line_number":14,"context_line":"        - kolla-ansible-centos-source"},{"line_number":15,"context_line":"        - kolla-ansible-debian-source"},{"line_number":16,"context_line":"        - kolla-ansible-ubuntu-source"},{"line_number":17,"context_line":"        - kolla-ansible-ubuntu-source-multinode-ipv6"},{"line_number":18,"context_line":"        - kolla-ansible-ubuntu-source-ceph"},{"line_number":19,"context_line":"        - kolla-ansible-centos-source-ceph"},{"line_number":20,"context_line":"        - kolla-ansible-ubuntu-source-cinder-lvm:"},{"line_number":21,"context_line":"            files:"},{"line_number":22,"context_line":"              - ^ansible/roles/(cinder|iscsi)/"},{"line_number":23,"context_line":"              - ^tests/setup_disks.sh"},{"line_number":24,"context_line":"              - ^tests/test-core-openstack.sh"},{"line_number":25,"context_line":"              - ^tests/test-dashboard.sh"},{"line_number":26,"context_line":"        - kolla-ansible-centos-source-cinder-lvm:"},{"line_number":27,"context_line":"            files:"},{"line_number":28,"context_line":"              - ^ansible/roles/(cinder|iscsi)/"},{"line_number":29,"context_line":"              - ^tests/setup_disks.sh"},{"line_number":30,"context_line":"              - ^tests/test-core-openstack.sh"},{"line_number":31,"context_line":"              - ^tests/test-dashboard.sh"},{"line_number":32,"context_line":"        - kolla-ansible-bifrost-centos-source:"},{"line_number":33,"context_line":"            files:"},{"line_number":34,"context_line":"              - ^ansible/roles/bifrost/"},{"line_number":35,"context_line":"              - ^tests/test-bifrost.sh"},{"line_number":36,"context_line":"        - kolla-ansible-centos-source-zun"},{"line_number":37,"context_line":"        - kolla-ansible-ubuntu-source-zun"},{"line_number":38,"context_line":"        - kolla-ansible-centos-source-swift"},{"line_number":39,"context_line":"        - kolla-ansible-ubuntu-source-swift"},{"line_number":40,"context_line":"        - kolla-ansible-centos-source-scenario-nfv:"},{"line_number":41,"context_line":"            files:"},{"line_number":42,"context_line":"              - ^ansible/roles/(barbican|heat|mistral|redis|tacker)/"},{"line_number":43,"context_line":"              - ^tests/test-scenario-nfv.sh"},{"line_number":44,"context_line":"              - ^tests/test-dashboard.sh"},{"line_number":45,"context_line":"        - kolla-ansible-ubuntu-source-masakari:"},{"line_number":46,"context_line":"            files:"},{"line_number":47,"context_line":"              - ^ansible/roles/masakari/"},{"line_number":48,"context_line":"              - ^tests/test-masakari.sh"},{"line_number":49,"context_line":"              - ^tests/test-dashboard.sh"},{"line_number":50,"context_line":"        - kolla-ansible-centos-source-masakari:"},{"line_number":51,"context_line":"            files:"},{"line_number":52,"context_line":"              - ^ansible/roles/masakari/"},{"line_number":53,"context_line":"              - ^tests/test-masakari.sh"},{"line_number":54,"context_line":"              - ^tests/test-dashboard.sh"},{"line_number":55,"context_line":"        - kolla-ansible-centos-source-ironic"},{"line_number":56,"context_line":"        - kolla-ansible-centos-binary-ironic"},{"line_number":57,"context_line":"        - kolla-ansible-ubuntu-source-ironic"},{"line_number":58,"context_line":"        - kolla-ansible-ubuntu-source-scenario-tls"},{"line_number":59,"context_line":"        - kolla-ansible-centos-source-scenario-tls"},{"line_number":60,"context_line":"        - kolla-ansible-centos-source-upgrade"},{"line_number":61,"context_line":"        - kolla-ansible-ubuntu-source-upgrade"},{"line_number":62,"context_line":"        - kolla-ansible-centos-source-upgrade-ceph"},{"line_number":63,"context_line":"        - kolla-ansible-ubuntu-source-upgrade-ceph"},{"line_number":64,"context_line":"        - kolla-ansible-centos-binary"},{"line_number":65,"context_line":"        - kolla-ansible-ubuntu-binary"},{"line_number":66,"context_line":"        - kolla-ansible-centos-source-cells"},{"line_number":67,"context_line":"        - kolla-ansible-centos-source-mariadb:"},{"line_number":68,"context_line":"            files:"},{"line_number":69,"context_line":"              - ^ansible/roles/mariadb/"},{"line_number":70,"context_line":"              - ^tests/test-mariadb.sh"},{"line_number":71,"context_line":"        - kolla-ansible-ubuntu-source-mariadb:"},{"line_number":72,"context_line":"            files:"},{"line_number":73,"context_line":"              - ^ansible/roles/mariadb/"},{"line_number":74,"context_line":"              - ^tests/test-mariadb.sh"},{"line_number":75,"context_line":"    gate:"},{"line_number":76,"context_line":"      queue: kolla"},{"line_number":77,"context_line":"      jobs:"},{"line_number":78,"context_line":"        - kolla-ansible-centos-source"},{"line_number":79,"context_line":"        - kolla-ansible-ubuntu-source"},{"line_number":80,"context_line":"        - kolla-ansible-centos-source-upgrade"},{"line_number":81,"context_line":"        - kolla-ansible-ubuntu-source-upgrade"},{"line_number":82,"context_line":"    periodic:"},{"line_number":83,"context_line":"      jobs:"},{"line_number":84,"context_line":"        - kolla-ansible-bifrost-centos-source"},{"line_number":85,"context_line":"        - kolla-ansible-centos-source-zun"},{"line_number":86,"context_line":"        - kolla-ansible-ubuntu-source-zun"},{"line_number":87,"context_line":"        - kolla-ansible-ubuntu-source-masakari"},{"line_number":88,"context_line":"        - kolla-ansible-centos-source-masakari"},{"line_number":89,"context_line":"        - kolla-ansible-centos-source-scenario-nfv"},{"line_number":90,"context_line":"        - kolla-ansible-ubuntu-source-cinder-lvm"},{"line_number":91,"context_line":"        - kolla-ansible-centos-source-cinder-lvm"},{"line_number":92,"context_line":"        - kolla-ansible-centos-source-ironic"},{"line_number":93,"context_line":"        - kolla-ansible-centos-binary-ironic"},{"line_number":94,"context_line":"        - kolla-ansible-ubuntu-source-ironic"},{"line_number":95,"context_line":"        - kolla-ansible-ubuntu-source-scenario-tls"},{"line_number":96,"context_line":"        - kolla-ansible-centos-source-scenario-tls"},{"line_number":97,"context_line":"        - kolla-ansible-centos-source-upgrade"},{"line_number":98,"context_line":"        - kolla-ansible-ubuntu-source-upgrade"},{"line_number":99,"context_line":"        - kolla-ansible-centos-source-upgrade-ceph"},{"line_number":100,"context_line":"        - kolla-ansible-ubuntu-source-upgrade-ceph"},{"line_number":101,"context_line":"        - kolla-ansible-centos-source-mariadb"},{"line_number":102,"context_line":"        - kolla-ansible-ubuntu-source-mariadb"}],"source_content_type":"text/x-yaml","patch_set":28,"id":"3fa7e38b_731e31bd","line":102,"range":{"start_line":2,"start_character":2,"end_line":102,"end_character":0},"updated":"2019-12-25 11:26:37.000000000","message":"Job kolla-ansible-ubuntu-source-scenario-tls not defined","commit_id":"006a2841eb703487588aeac0433dc24fe0979825"}]}