)]}'
{"doc/source/admin/tls-deployment.rst":[{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"a886f2e89e8d5d1f5d942ea75b60c081843d3e02","unresolved":false,"context_lines":[{"line_number":223,"context_line":"Self-Signed Certificates"},{"line_number":224,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":225,"context_line":""},{"line_number":226,"context_line":".. note::"},{"line_number":227,"context_line":""},{"line_number":228,"context_line":"  Self-signed certificates should never be used in production."},{"line_number":229,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"bf51134e_c353c7e1","line":226,"range":{"start_line":226,"start_character":3,"end_line":226,"end_character":7},"updated":"2020-07-03 07:20:27.000000000","message":"I would raise this to warning","commit_id":"20cdb2ada7d66b52df5b63b98c380f6bb87360a1"}],"doc/source/admin/tls.rst":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ea30edcecef84b86b6a2dfe956bca12fba24da2f","unresolved":false,"context_lines":[{"line_number":8,"context_line":"with OpenStack services."},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"When an OpenStack service exposes an API endpoint, kolla-ansible will deploy"},{"line_number":11,"context_line":"an additional HAProxy container alongside the service to listen on the internal"},{"line_number":12,"context_line":"and/or external VIP address. The HAProxy container load-balances requests on"},{"line_number":13,"context_line":"the VIPs to the nodes running the service container."},{"line_number":14,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f560f44_cf9e7306","line":11,"range":{"start_line":11,"start_character":0,"end_line":11,"end_character":53},"updated":"2020-07-27 10:27:15.000000000","message":"this suggests there is one per service, but its shared (and not necessarily on the same host)","commit_id":"ee62172f272bbc151bfc3eb8aeead9c166a3704e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ea30edcecef84b86b6a2dfe956bca12fba24da2f","unresolved":false,"context_lines":[{"line_number":14,"context_line":""},{"line_number":15,"context_line":"There are two different layers of TLS configuration:"},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"1) Enabling TLS on the internal and/or external VIP, so communication between"},{"line_number":18,"context_line":"an OpenStack client and the HAProxy listening on the VIP is secure."},{"line_number":19,"context_line":"2) Enabling TLS on the backend network, so both communication between HAProxy"},{"line_number":20,"context_line":"and the services and the communication between services are secure."}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f560f44_0f886bc4","line":17,"updated":"2020-07-27 10:27:15.000000000","message":"These get formatted on the same line. Use this:\n\n1. \n2.","commit_id":"ee62172f272bbc151bfc3eb8aeead9c166a3704e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ea30edcecef84b86b6a2dfe956bca12fba24da2f","unresolved":false,"context_lines":[{"line_number":16,"context_line":""},{"line_number":17,"context_line":"1) Enabling TLS on the internal and/or external VIP, so communication between"},{"line_number":18,"context_line":"an OpenStack client and the HAProxy listening on the VIP is secure."},{"line_number":19,"context_line":"2) Enabling TLS on the backend network, so both communication between HAProxy"},{"line_number":20,"context_line":"and the services and the communication between services are secure."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":".. note::"},{"line_number":23,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f560f44_0fb18b90","line":20,"range":{"start_line":19,"start_character":43,"end_line":20,"end_character":55},"updated":"2020-07-27 10:27:15.000000000","message":"... so communication between HAProxy and the backend API services is secure","commit_id":"ee62172f272bbc151bfc3eb8aeead9c166a3704e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ea30edcecef84b86b6a2dfe956bca12fba24da2f","unresolved":false,"context_lines":[{"line_number":25,"context_line":"  trusted Certificate Authorities. Examples of commercial CAs are Comodo,"},{"line_number":26,"context_line":"  Symantec, GoDaddy, and GlobalSign. Letsencrypt.org is a CA that will"},{"line_number":27,"context_line":"  provide trusted certificates at no charge. If using a trusted CA is not"},{"line_number":28,"context_line":"  possible for your project, you can use `OpenSSL \u003chttps://www.openssl.org\u003e`__"},{"line_number":29,"context_line":"  to create a certificate for your domain, or see the section below about"},{"line_number":30,"context_line":"  using kolla-generated self-signed certificates."},{"line_number":31,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f560f44_2fa8cf1d","line":28,"range":{"start_line":28,"start_character":41,"end_line":28,"end_character":78},"updated":"2020-07-27 10:27:15.000000000","message":"a private CA, e.g. Hashicorp Vault","commit_id":"ee62172f272bbc151bfc3eb8aeead9c166a3704e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ea30edcecef84b86b6a2dfe956bca12fba24da2f","unresolved":false,"context_lines":[{"line_number":27,"context_line":"  provide trusted certificates at no charge. If using a trusted CA is not"},{"line_number":28,"context_line":"  possible for your project, you can use `OpenSSL \u003chttps://www.openssl.org\u003e`__"},{"line_number":29,"context_line":"  to create a certificate for your domain, or see the section below about"},{"line_number":30,"context_line":"  using kolla-generated self-signed certificates."},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Quick Start"},{"line_number":33,"context_line":"~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f560f44_0f0d0b3e","line":30,"range":{"start_line":30,"start_character":24,"end_line":30,"end_character":35},"updated":"2020-07-27 10:27:15.000000000","message":"see below","commit_id":"ee62172f272bbc151bfc3eb8aeead9c166a3704e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ea30edcecef84b86b6a2dfe956bca12fba24da2f","unresolved":false,"context_lines":[{"line_number":32,"context_line":"Quick Start"},{"line_number":33,"context_line":"~~~~~~~~~~~"},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"To deploy OpenStack with TLS enabled, configure the following in"},{"line_number":36,"context_line":"/etc/kolla/global.yml:"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":".. code-block:: yaml"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f560f44_cf3af3e5","line":35,"range":{"start_line":35,"start_character":29,"end_line":35,"end_character":36},"updated":"2020-07-27 10:27:15.000000000","message":"for the external, internal and backend APIs","commit_id":"ee62172f272bbc151bfc3eb8aeead9c166a3704e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ea30edcecef84b86b6a2dfe956bca12fba24da2f","unresolved":false,"context_lines":[{"line_number":46,"context_line":""},{"line_number":47,"context_line":".. code-block:: yaml"},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"  openstack_cacert: \"/etc/pki/tls/certs/ca-bundle.crt\""},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"If on CentOS:"},{"line_number":52,"context_line":""},{"line_number":53,"context_line":".. code-block:: yaml"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"  openstack_cacert: \"/etc/pki/tls/certs/ca-bundle.crt\""},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"The kolla-ansible \"certificate\" task generates a test root Certificate"},{"line_number":58,"context_line":"Authority and self-signed certificates for the enabled VIP(s) to test TLS in"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f560f44_722c6c99","line":55,"range":{"start_line":49,"start_character":0,"end_line":55,"end_character":54},"updated":"2020-07-27 10:27:15.000000000","message":"these are the same","commit_id":"ee62172f272bbc151bfc3eb8aeead9c166a3704e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ea30edcecef84b86b6a2dfe956bca12fba24da2f","unresolved":false,"context_lines":[{"line_number":54,"context_line":""},{"line_number":55,"context_line":"  openstack_cacert: \"/etc/pki/tls/certs/ca-bundle.crt\""},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"The kolla-ansible \"certificate\" task generates a test root Certificate"},{"line_number":58,"context_line":"Authority and self-signed certificates for the enabled VIP(s) to test TLS in"},{"line_number":59,"context_line":"your OpenStack deployment. Assuming you are using the “multinode” inventory:"},{"line_number":60,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f560f44_0f24ebc5","line":57,"range":{"start_line":57,"start_character":19,"end_line":57,"end_character":30},"updated":"2020-07-27 10:27:15.000000000","message":"certificates command","commit_id":"ee62172f272bbc151bfc3eb8aeead9c166a3704e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ea30edcecef84b86b6a2dfe956bca12fba24da2f","unresolved":false,"context_lines":[{"line_number":64,"context_line":""},{"line_number":65,"context_line":".. note::"},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"  These certificates generated by kolla-ansible are self-signed and are not"},{"line_number":68,"context_line":"  suitable for a production deployment. Only certificates signed by a trusted"},{"line_number":69,"context_line":"  Certificate Authority should be used in a production deployment."},{"line_number":70,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f560f44_af185f81","line":67,"range":{"start_line":67,"start_character":52,"end_line":67,"end_character":63},"updated":"2020-07-27 10:27:15.000000000","message":"see below","commit_id":"ee62172f272bbc151bfc3eb8aeead9c166a3704e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ea30edcecef84b86b6a2dfe956bca12fba24da2f","unresolved":false,"context_lines":[{"line_number":66,"context_line":""},{"line_number":67,"context_line":"  These certificates generated by kolla-ansible are self-signed and are not"},{"line_number":68,"context_line":"  suitable for a production deployment. Only certificates signed by a trusted"},{"line_number":69,"context_line":"  Certificate Authority should be used in a production deployment."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"TLS Configuration for internal/external VIP"},{"line_number":72,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f560f44_f237dce2","line":69,"updated":"2020-07-27 10:27:15.000000000","message":"Note at the top of quick start?","commit_id":"ee62172f272bbc151bfc3eb8aeead9c166a3704e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ea30edcecef84b86b6a2dfe956bca12fba24da2f","unresolved":false,"context_lines":[{"line_number":74,"context_line":"The configuration variables that control TLS for the internal and/or external"},{"line_number":75,"context_line":"VIP:"},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"- kolla_enable_tls_external"},{"line_number":78,"context_line":"- kolla_enable_tls_internal"},{"line_number":79,"context_line":"- kolla_internal_fqdn_cert"},{"line_number":80,"context_line":"- kolla_external_fqdn_cert"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":".. note::"},{"line_number":83,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f560f44_72510c0f","line":80,"range":{"start_line":77,"start_character":0,"end_line":80,"end_character":26},"updated":"2020-07-27 10:27:15.000000000","message":"``var``","commit_id":"ee62172f272bbc151bfc3eb8aeead9c166a3704e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ea30edcecef84b86b6a2dfe956bca12fba24da2f","unresolved":false,"context_lines":[{"line_number":113,"context_line":"the CA certificate file will need to be distributed to the client. This is"},{"line_number":114,"context_line":"discussed in more detail in the \"Adding CA Certificates to the Service"},{"line_number":115,"context_line":"Containers\" section."},{"line_number":116,"context_line":""},{"line_number":117,"context_line":"The location for the CA certificate for the OpenStack client is configured"},{"line_number":118,"context_line":"with the ``kolla_admin_openrc_cacert`` parameter."},{"line_number":119,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f560f44_326034cf","line":116,"updated":"2020-07-27 10:27:15.000000000","message":"Let\u0027s make this a new section","commit_id":"ee62172f272bbc151bfc3eb8aeead9c166a3704e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ea30edcecef84b86b6a2dfe956bca12fba24da2f","unresolved":false,"context_lines":[{"line_number":114,"context_line":"discussed in more detail in the \"Adding CA Certificates to the Service"},{"line_number":115,"context_line":"Containers\" section."},{"line_number":116,"context_line":""},{"line_number":117,"context_line":"The location for the CA certificate for the OpenStack client is configured"},{"line_number":118,"context_line":"with the ``kolla_admin_openrc_cacert`` parameter."},{"line_number":119,"context_line":""},{"line_number":120,"context_line":"When TLS is enabled on a VIP, an OpenStack client will have settings similar"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f560f44_727aac88","line":117,"range":{"start_line":117,"start_character":44,"end_line":117,"end_character":60},"updated":"2020-07-27 10:27:15.000000000","message":"admin-openrc.sh file","commit_id":"ee62172f272bbc151bfc3eb8aeead9c166a3704e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ea30edcecef84b86b6a2dfe956bca12fba24da2f","unresolved":false,"context_lines":[{"line_number":115,"context_line":"Containers\" section."},{"line_number":116,"context_line":""},{"line_number":117,"context_line":"The location for the CA certificate for the OpenStack client is configured"},{"line_number":118,"context_line":"with the ``kolla_admin_openrc_cacert`` parameter."},{"line_number":119,"context_line":""},{"line_number":120,"context_line":"When TLS is enabled on a VIP, an OpenStack client will have settings similar"},{"line_number":121,"context_line":"to this configured by the /etc/kolla/admin-openrc.sh:"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f560f44_d26f38c3","line":118,"updated":"2020-07-27 10:27:15.000000000","message":"This must be a valid path on all hosts where admin-openrc.sh is used.","commit_id":"ee62172f272bbc151bfc3eb8aeead9c166a3704e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ea30edcecef84b86b6a2dfe956bca12fba24da2f","unresolved":false,"context_lines":[{"line_number":136,"context_line":"  export OS_REGION_NAME\u003dRegionOne"},{"line_number":137,"context_line":"  export OS_AUTH_PLUGIN\u003dpassword"},{"line_number":138,"context_line":"  # os_cacert is optional for trusted certificates"},{"line_number":139,"context_line":"  export OS_CACERT\u003d/etc/pki/ca/root.crt"},{"line_number":140,"context_line":""},{"line_number":141,"context_line":""},{"line_number":142,"context_line":"Adding CA Certificates to the Service Containers"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f560f44_f2651ce3","line":139,"range":{"start_line":139,"start_character":19,"end_line":139,"end_character":39},"updated":"2020-07-27 10:27:15.000000000","message":"/etc/pki/tls/certs/ca-bundle.crt","commit_id":"ee62172f272bbc151bfc3eb8aeead9c166a3704e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ea30edcecef84b86b6a2dfe956bca12fba24da2f","unresolved":false,"context_lines":[{"line_number":153,"context_line":"service containers to enable trust for those CA certificates. This is required"},{"line_number":154,"context_line":"for any certificates that are either self-signed or signed by a private CA,"},{"line_number":155,"context_line":"and are not already present in the service image trust store. Kolla will"},{"line_number":156,"context_line":"install these certificates in the container system wide trust store as"},{"line_number":157,"context_line":"during OpenStack deployment."},{"line_number":158,"context_line":""},{"line_number":159,"context_line":"All certificate file names will have the \"kolla-customca-\" prefix prepended to"},{"line_number":160,"context_line":"them when they are copied into the containers. For example, if a certificate"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f560f44_12aed0e6","line":157,"range":{"start_line":156,"start_character":68,"end_line":157,"end_character":27},"updated":"2020-07-27 10:27:15.000000000","message":"when the container starts","commit_id":"ee62172f272bbc151bfc3eb8aeead9c166a3704e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ea30edcecef84b86b6a2dfe956bca12fba24da2f","unresolved":false,"context_lines":[{"line_number":167,"context_line":"For Centos and Red Hat Linux containers, the certificate files will be copied"},{"line_number":168,"context_line":"to the ``/etc/pki/ca-trust/source/anchors/`` directory."},{"line_number":169,"context_line":""},{"line_number":170,"context_line":"In addition, the ``openstack_cacert`` parameter should be configured with the"},{"line_number":171,"context_line":"path to the CA Certificate in the container. If the certificate task was used"},{"line_number":172,"context_line":"and the deployment is on Ubuntu, the path would be:"},{"line_number":173,"context_line":"``/etc/ssl/certs/ca-certificates.crt``."},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"For Centos, the path would be: ``/etc/pki/tls/certs/ca-bundle.crt``"},{"line_number":176,"context_line":""},{"line_number":177,"context_line":"Back-end TLS Configuration"},{"line_number":178,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f560f44_92830057","line":175,"range":{"start_line":170,"start_character":0,"end_line":175,"end_character":67},"updated":"2020-07-27 10:27:15.000000000","message":"This could be a separate section.","commit_id":"ee62172f272bbc151bfc3eb8aeead9c166a3704e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ea30edcecef84b86b6a2dfe956bca12fba24da2f","unresolved":false,"context_lines":[{"line_number":187,"context_line":"The configuration variables that control back-end TLS for service endpoints"},{"line_number":188,"context_line":"are:"},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"- kolla_enable_tls_backend"},{"line_number":191,"context_line":"- kolla_tls_backend_cert"},{"line_number":192,"context_line":"- kolla_tls_backend_key"},{"line_number":193,"context_line":"- haproxy_backend_cacert"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f560f44_b282844e","line":190,"range":{"start_line":190,"start_character":2,"end_line":190,"end_character":26},"updated":"2020-07-27 10:27:15.000000000","message":"``var``","commit_id":"ee62172f272bbc151bfc3eb8aeead9c166a3704e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ea30edcecef84b86b6a2dfe956bca12fba24da2f","unresolved":false,"context_lines":[{"line_number":194,"context_line":"- haproxy_backend_cacert_dir"},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"The default values for haproxy_backend_cacert and haproxy_backend_cacert_dir"},{"line_number":197,"context_line":"should suffice if ``kolla_copy_ca_into_containers`` is set to “yes”."},{"line_number":198,"context_line":"Otherwise, they should be configured to a location of the custom CA"},{"line_number":199,"context_line":"certificate installed on the service containers."},{"line_number":200,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f560f44_328e7478","line":197,"range":{"start_line":197,"start_character":18,"end_line":197,"end_character":68},"updated":"2020-07-27 10:27:15.000000000","message":"The certificate is in the system trust store.","commit_id":"ee62172f272bbc151bfc3eb8aeead9c166a3704e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ea30edcecef84b86b6a2dfe956bca12fba24da2f","unresolved":false,"context_lines":[{"line_number":196,"context_line":"The default values for haproxy_backend_cacert and haproxy_backend_cacert_dir"},{"line_number":197,"context_line":"should suffice if ``kolla_copy_ca_into_containers`` is set to “yes”."},{"line_number":198,"context_line":"Otherwise, they should be configured to a location of the custom CA"},{"line_number":199,"context_line":"certificate installed on the service containers."},{"line_number":200,"context_line":""},{"line_number":201,"context_line":"The default state for back-end TLS is disabled. To enable TLS for the back-end"},{"line_number":202,"context_line":"communication:"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f560f44_72ed8c24","line":199,"range":{"start_line":199,"start_character":22,"end_line":199,"end_character":24},"updated":"2020-07-27 10:27:15.000000000","message":"in","commit_id":"ee62172f272bbc151bfc3eb8aeead9c166a3704e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ea30edcecef84b86b6a2dfe956bca12fba24da2f","unresolved":false,"context_lines":[{"line_number":207,"context_line":"  kolla_tls_backend_cert: \"\u003cpath-to-cert\u003e\""},{"line_number":208,"context_line":"  kolla_tls_backend_key: \"\u003cpath-to-key\u003e\""},{"line_number":209,"context_line":""},{"line_number":210,"context_line":".. note::"},{"line_number":211,"context_line":"  The back-end TLS cert/key can be the same certificate that is used for the"},{"line_number":212,"context_line":"  VIP."},{"line_number":213,"context_line":""},{"line_number":214,"context_line":"By default, the TLS certificate will be verified as trustable by the"},{"line_number":215,"context_line":"OpenStack services. To disable verification of the backend certificate:"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f560f44_f2d87c80","line":212,"range":{"start_line":210,"start_character":0,"end_line":212,"end_character":6},"updated":"2020-07-27 10:27:15.000000000","message":"This has some conditions attached","commit_id":"ee62172f272bbc151bfc3eb8aeead9c166a3704e"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"ea30edcecef84b86b6a2dfe956bca12fba24da2f","unresolved":false,"context_lines":[{"line_number":218,"context_line":""},{"line_number":219,"context_line":"  kolla_verify_tls_backend: “no”"},{"line_number":220,"context_line":""},{"line_number":221,"context_line":"Self-Signed Certificates"},{"line_number":222,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":223,"context_line":""},{"line_number":224,"context_line":".. note::"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f560f44_72646cba","line":221,"range":{"start_line":221,"start_character":0,"end_line":221,"end_character":24},"updated":"2020-07-27 10:27:15.000000000","message":"Since we added the root CA, the certificates are no longer self-signed. It\u0027s just a very basic private CA. I think we should still not recommend it for production use, since there are better tools out there.","commit_id":"ee62172f272bbc151bfc3eb8aeead9c166a3704e"}]}
