)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":37013,"name":"Ivan Vnučko","display_name":"Ivan Vnucko","email":"ivan@vnucko.com","username":"ivnucko"},"change_message_id":"176155839932224f6f14cd7c1ffcba0834e76efb","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"a925f24b_c8609f55","updated":"2024-05-16 12:38:33.000000000","message":"recheck timeout waiting for mariadb","commit_id":"f80c129d885b5022e60fa1b3b6d58a251198844f"},{"author":{"_account_id":37013,"name":"Ivan Vnučko","display_name":"Ivan Vnucko","email":"ivan@vnucko.com","username":"ivnucko"},"change_message_id":"9a3e650dd4565802dd5f347aea2db6d3e2088bba","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"900b9d09_a07e8cbc","in_reply_to":"a925f24b_c8609f55","updated":"2024-05-16 14:26:20.000000000","message":"Done","commit_id":"f80c129d885b5022e60fa1b3b6d58a251198844f"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"a393d6b51b861f2101156d532d86366bc46e6139","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"aafd8b00_f97e1add","updated":"2024-09-03 15:34:39.000000000","message":"code looks overall good to me.","commit_id":"e42f3a33d54d94d4674d15fe094dc8de4a920c14"}],"ansible/certificates.yml":[{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"f906b40b45ec11bf7525abe799d19cd3b847bb59","unresolved":true,"context_lines":[{"line_number":3,"context_line":"  when: \u003e-"},{"line_number":4,"context_line":"    kolla_enable_tls_backend | default(false) | bool or"},{"line_number":5,"context_line":"    rabbitmq_enable_tls | default(false) | bool or"},{"line_number":6,"context_line":"    rabbitmq_enable_tls_backend | default(false) | bool or"},{"line_number":7,"context_line":"    certificates_generate_libvirt | default(libvirt_tls) | default(false) | 
bool"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"- name: Apply role certificates"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"665ace81_536bc7ec","line":6,"range":{"start_line":6,"start_character":4,"end_line":6,"end_character":31},"updated":"2024-06-17 08:28:47.000000000","message":"I\u0027m not sure if the value of being able to separately toggle rabbitmq backend tls outweighs the increase in complexity in this when conditional.\n\nMaybe we should just hardcode `rabbitmq_enable_tls_backend` to always have the same value as `kolla_enable_tls_backend` and thus this additional condition could be removed?","commit_id":"0e97c8e369f031a76e62a30de50f9de93dc792bf"},{"author":{"_account_id":37013,"name":"Ivan Vnučko","display_name":"Ivan Vnucko","email":"ivan@vnucko.com","username":"ivnucko"},"change_message_id":"60012dd0bae11f0c34bdfde5e4afb16099bd9c18","unresolved":true,"context_lines":[{"line_number":3,"context_line":"  when: \u003e-"},{"line_number":4,"context_line":"    kolla_enable_tls_backend | default(false) | bool or"},{"line_number":5,"context_line":"    rabbitmq_enable_tls | default(false) | bool or"},{"line_number":6,"context_line":"    rabbitmq_enable_tls_backend | default(false) | bool or"},{"line_number":7,"context_line":"    certificates_generate_libvirt | default(libvirt_tls) | default(false) | bool"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"- name: Apply role certificates"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"d35380ba_bb10520f","line":6,"range":{"start_line":6,"start_character":4,"end_line":6,"end_character":31},"in_reply_to":"665ace81_536bc7ec","updated":"2024-06-21 14:11:04.000000000","message":"It seems to be more complex than only this conditional. There is one similar in the `ansible/roles/certificates/tasks/main.yml` which then generates backend certificates only if these conditions are met. 
In both places the condition is bound only to the general `kolla_enable_tls_backend` value or specific toggles for rabbitmq, but almost all services (keystone, nova, horizon,...) have such specific toggle (\u003c\u003cservice\u003e\u003e_enable_tls_backend), none of them are included in these two conditionals meaning that setting `kolla_enable_tls_backend: \"no\"` and only turning some of the service specific backend tls on will not trigger the certificates role to generate the backend certificates.\nThis probably wasn\u0027t a real issue as the certificates role is only meant to be used in development and testing and also there is probably little incentive to separately toggle only some services backend TLS instead of the general `kolla_enable_tls_backend`. Yet I think this should be handled in some consistent way. \nMaybe replace it with checking of the length of groups[\u0027tls-backend\u0027]?","commit_id":"0e97c8e369f031a76e62a30de50f9de93dc792bf"},{"author":{"_account_id":37013,"name":"Ivan Vnučko","display_name":"Ivan Vnucko","email":"ivan@vnucko.com","username":"ivnucko"},"change_message_id":"444f529d90d4a66afd868fdd46f2fa81145f1c1e","unresolved":false,"context_lines":[{"line_number":3,"context_line":"  when: \u003e-"},{"line_number":4,"context_line":"    kolla_enable_tls_backend | default(false) | bool or"},{"line_number":5,"context_line":"    rabbitmq_enable_tls | default(false) | bool or"},{"line_number":6,"context_line":"    rabbitmq_enable_tls_backend | default(false) | bool or"},{"line_number":7,"context_line":"    certificates_generate_libvirt | default(libvirt_tls) | default(false) | bool"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"- name: Apply role certificates"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"9f4ca1c2_7dd935ec","line":6,"range":{"start_line":6,"start_character":4,"end_line":6,"end_character":31},"in_reply_to":"d35380ba_bb10520f","updated":"2024-07-18 08:10:11.000000000","message":"I added a 
specific task to aggregate all the services backend TLS setup flags, which then controls the need to generate the backend certificate.","commit_id":"0e97c8e369f031a76e62a30de50f9de93dc792bf"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"e05b2f93962026ee48b31f117773ed4727bfe5e5","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- name: Backend certificates requirement"},{"line_number":3,"context_line":"  hosts: localhost"},{"line_number":4,"context_line":"  vars:"},{"line_number":5,"context_line":"    backend_tls_flag_pattern: _enable_tls_backend"},{"line_number":6,"context_line":"  tasks:"},{"line_number":7,"context_line":"    - name: If backend certificates are needed"},{"line_number":8,"context_line":"      set_fact:"},{"line_number":9,"context_line":"        backend_certificate_needed: \u003e-"},{"line_number":10,"context_line":"          {{"},{"line_number":11,"context_line":"            backend_certificate_needed | default(false) | bool or"},{"line_number":12,"context_line":"            vars[item] | default(false) | bool"},{"line_number":13,"context_line":"          }}"},{"line_number":14,"context_line":"      with_items: \u003e-"},{"line_number":15,"context_line":"        {{"},{"line_number":16,"context_line":"          vars | dict2items |"},{"line_number":17,"context_line":"          selectattr(\u0027key\u0027, \u0027search\u0027, backend_tls_flag_pattern) |"},{"line_number":18,"context_line":"          map(attribute\u003d\u0027key\u0027)"},{"line_number":19,"context_line":"        }}"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"- import_playbook: gather-facts.yml"},{"line_number":22,"context_line":"  when: \u003e-"},{"line_number":23,"context_line":"    backend_certificate_needed 
or"}],"source_content_type":"text/x-yaml","patch_set":7,"id":"e2660e6b_6beb99c4","line":20,"range":{"start_line":2,"start_character":1,"end_line":20,"end_character":1},"updated":"2024-07-18 10:01:14.000000000","message":"this seems rather complicated but I have currently no good idea how to simplify this.","commit_id":"1ee2fa9c14168f193850b0b690e26b7563d25f61"},{"author":{"_account_id":37013,"name":"Ivan Vnučko","display_name":"Ivan Vnucko","email":"ivan@vnucko.com","username":"ivnucko"},"change_message_id":"727c2af8fbbd1b337ec24dda96268967fcbaff5f","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- name: Backend certificates requirement"},{"line_number":3,"context_line":"  hosts: localhost"},{"line_number":4,"context_line":"  vars:"},{"line_number":5,"context_line":"    backend_tls_flag_pattern: _enable_tls_backend"},{"line_number":6,"context_line":"  tasks:"},{"line_number":7,"context_line":"    - name: If backend certificates are needed"},{"line_number":8,"context_line":"      set_fact:"},{"line_number":9,"context_line":"        backend_certificate_needed: \u003e-"},{"line_number":10,"context_line":"          {{"},{"line_number":11,"context_line":"            backend_certificate_needed | default(false) | bool or"},{"line_number":12,"context_line":"            vars[item] | default(false) | bool"},{"line_number":13,"context_line":"          }}"},{"line_number":14,"context_line":"      with_items: \u003e-"},{"line_number":15,"context_line":"        {{"},{"line_number":16,"context_line":"          vars | dict2items |"},{"line_number":17,"context_line":"          selectattr(\u0027key\u0027, \u0027search\u0027, backend_tls_flag_pattern) |"},{"line_number":18,"context_line":"          map(attribute\u003d\u0027key\u0027)"},{"line_number":19,"context_line":"        }}"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"- import_playbook: gather-facts.yml"},{"line_number":22,"context_line":"  
when: \u003e-"},{"line_number":23,"context_line":"    backend_certificate_needed or"}],"source_content_type":"text/x-yaml","patch_set":7,"id":"ff9d0300_ddb8a7d7","line":20,"range":{"start_line":2,"start_character":1,"end_line":20,"end_character":1},"in_reply_to":"e2660e6b_6beb99c4","updated":"2024-07-23 04:54:40.000000000","message":"I agree, but I didn\u0027t find a better way. \nThis should only be used when testing, not in production deployments, and the role has the expected behaviour now.","commit_id":"1ee2fa9c14168f193850b0b690e26b7563d25f61"}],"ansible/group_vars/all.yml":[{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"50b8c779e2753a0ef3e9f1e73d25dec515420a4e","unresolved":true,"context_lines":[{"line_number":593,"context_line":"proxysql_admin_port: \"6032\""},{"line_number":594,"context_line":""},{"line_number":595,"context_line":"rabbitmq_port: \"{{ \u00275671\u0027 if rabbitmq_enable_tls | bool else \u00275672\u0027 }}\""},{"line_number":596,"context_line":"rabbitmq_management_port: \"{{ \u002715671\u0027 if rabbitmq_enable_tls_backend | bool else \u002715672\u0027 }}\""},{"line_number":597,"context_line":"rabbitmq_cluster_port: \"25672\""},{"line_number":598,"context_line":"rabbitmq_epmd_port: \"4369\""},{"line_number":599,"context_line":"rabbitmq_prometheus_port: \"15692\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"f85017ef_b610a6b0","line":596,"range":{"start_line":596,"start_character":0,"end_line":596,"end_character":2},"updated":"2024-06-06 09:54:15.000000000","message":"why is this changed?","commit_id":"f80c129d885b5022e60fa1b3b6d58a251198844f"},{"author":{"_account_id":37013,"name":"Ivan Vnučko","display_name":"Ivan Vnucko","email":"ivan@vnucko.com","username":"ivnucko"},"change_message_id":"79b81aa66dd44d67c12e685217ce37f3cacd9670","unresolved":false,"context_lines":[{"line_number":593,"context_line":"proxysql_admin_port: 
\"6032\""},{"line_number":594,"context_line":""},{"line_number":595,"context_line":"rabbitmq_port: \"{{ \u00275671\u0027 if rabbitmq_enable_tls | bool else \u00275672\u0027 }}\""},{"line_number":596,"context_line":"rabbitmq_management_port: \"{{ \u002715671\u0027 if rabbitmq_enable_tls_backend | bool else \u002715672\u0027 }}\""},{"line_number":597,"context_line":"rabbitmq_cluster_port: \"25672\""},{"line_number":598,"context_line":"rabbitmq_epmd_port: \"4369\""},{"line_number":599,"context_line":"rabbitmq_prometheus_port: \"15692\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"d1ce01f0_224f0595","line":596,"range":{"start_line":596,"start_character":0,"end_line":596,"end_character":2},"in_reply_to":"1e87ff7f_78c23a33","updated":"2024-06-11 17:21:19.000000000","message":"Done","commit_id":"f80c129d885b5022e60fa1b3b6d58a251198844f"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"d773503582acf8b81337bdcb6d016de04578d14f","unresolved":true,"context_lines":[{"line_number":593,"context_line":"proxysql_admin_port: \"6032\""},{"line_number":594,"context_line":""},{"line_number":595,"context_line":"rabbitmq_port: \"{{ \u00275671\u0027 if rabbitmq_enable_tls | bool else \u00275672\u0027 }}\""},{"line_number":596,"context_line":"rabbitmq_management_port: \"{{ \u002715671\u0027 if rabbitmq_enable_tls_backend | bool else \u002715672\u0027 }}\""},{"line_number":597,"context_line":"rabbitmq_cluster_port: \"25672\""},{"line_number":598,"context_line":"rabbitmq_epmd_port: \"4369\""},{"line_number":599,"context_line":"rabbitmq_prometheus_port: \"15692\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"1e87ff7f_78c23a33","line":596,"range":{"start_line":596,"start_character":0,"end_line":596,"end_character":2},"in_reply_to":"7ed9eaec_c95901f7","updated":"2024-06-10 13:45:04.000000000","message":"okay, this seems like a good reason, but please at least document that in the upgrade 
notes part of the release notes so people are aware, thanks.","commit_id":"f80c129d885b5022e60fa1b3b6d58a251198844f"},{"author":{"_account_id":37013,"name":"Ivan Vnučko","display_name":"Ivan Vnucko","email":"ivan@vnucko.com","username":"ivnucko"},"change_message_id":"c35607c73da8b8024c6b4771f29c80d4a827c096","unresolved":true,"context_lines":[{"line_number":593,"context_line":"proxysql_admin_port: \"6032\""},{"line_number":594,"context_line":""},{"line_number":595,"context_line":"rabbitmq_port: \"{{ \u00275671\u0027 if rabbitmq_enable_tls | bool else \u00275672\u0027 }}\""},{"line_number":596,"context_line":"rabbitmq_management_port: \"{{ \u002715671\u0027 if rabbitmq_enable_tls_backend | bool else \u002715672\u0027 }}\""},{"line_number":597,"context_line":"rabbitmq_cluster_port: \"25672\""},{"line_number":598,"context_line":"rabbitmq_epmd_port: \"4369\""},{"line_number":599,"context_line":"rabbitmq_prometheus_port: \"15692\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"7ed9eaec_c95901f7","line":596,"range":{"start_line":596,"start_character":0,"end_line":596,"end_character":2},"in_reply_to":"f85017ef_b610a6b0","updated":"2024-06-06 11:30:54.000000000","message":"To adhere to the convention - TLS enabled management UI is accessible on 15671, plain HTTP on 15672 - https://www.rabbitmq.com/docs/networking#ports","commit_id":"f80c129d885b5022e60fa1b3b6d58a251198844f"}],"ansible/roles/rabbitmq/defaults/main.yml":[{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"a393d6b51b861f2101156d532d86366bc46e6139","unresolved":true,"context_lines":[{"line_number":103,"context_line":"####################"},{"line_number":104,"context_line":"# TLS"},{"line_number":105,"context_line":"####################"},{"line_number":106,"context_line":"kolla_externally_managed_cert: False"},{"line_number":107,"context_line":"rabbitmq_enable_tls_backend: \"{{ kolla_enable_tls_backend 
}}\""}],"source_content_type":"text/x-yaml","patch_set":10,"id":"743ba992_39dd3c29","line":106,"range":{"start_line":106,"start_character":0,"end_line":106,"end_character":2},"updated":"2024-09-03 15:34:39.000000000","message":"do we want/require it, that the user is able to manage these certs externally as well?\nI would like to hear opinions of other reviewers here.\n\nIt\u0027s certainly no hard requirements, because it was not enabled in the past, but the rabbitmq tls backend can now be enabled way easier if the user enables `kolla_enable_tls_backend`, thus maybe also raising the priority of being able to manage the certs for this as well?","commit_id":"e42f3a33d54d94d4674d15fe094dc8de4a920c14"},{"author":{"_account_id":37013,"name":"Ivan Vnučko","display_name":"Ivan Vnucko","email":"ivan@vnucko.com","username":"ivnucko"},"change_message_id":"e0639b63cfce5e27227d7701bad1c7020f78c572","unresolved":false,"context_lines":[{"line_number":103,"context_line":"####################"},{"line_number":104,"context_line":"# TLS"},{"line_number":105,"context_line":"####################"},{"line_number":106,"context_line":"kolla_externally_managed_cert: False"},{"line_number":107,"context_line":"rabbitmq_enable_tls_backend: \"{{ kolla_enable_tls_backend }}\""}],"source_content_type":"text/x-yaml","patch_set":10,"id":"48b6037c_20b6b4d2","line":106,"range":{"start_line":106,"start_character":0,"end_line":106,"end_character":2},"in_reply_to":"3f3b18ca_f015ee73","updated":"2024-09-03 16:20:25.000000000","message":"Created a change request for that: https://review.opendev.org/c/openstack/kolla-ansible/+/927853","commit_id":"e42f3a33d54d94d4674d15fe094dc8de4a920c14"},{"author":{"_account_id":37013,"name":"Ivan Vnučko","display_name":"Ivan 
Vnucko","email":"ivan@vnucko.com","username":"ivnucko"},"change_message_id":"0aab74688da9441683d6c5e5e087ee1c7751fad2","unresolved":true,"context_lines":[{"line_number":103,"context_line":"####################"},{"line_number":104,"context_line":"# TLS"},{"line_number":105,"context_line":"####################"},{"line_number":106,"context_line":"kolla_externally_managed_cert: False"},{"line_number":107,"context_line":"rabbitmq_enable_tls_backend: \"{{ kolla_enable_tls_backend }}\""}],"source_content_type":"text/x-yaml","patch_set":10,"id":"3f3b18ca_f015ee73","line":106,"range":{"start_line":106,"start_character":0,"end_line":106,"end_character":2},"in_reply_to":"743ba992_39dd3c29","updated":"2024-09-03 16:04:14.000000000","message":"I noticed this too, that `kolla_externally_managed_cert` only applies to internal/external. In fact I made a patchset, which I didn\u0027t put up for review yet, where it is also applied in the `service-cert-copy` role, which covers it for the backend. But I wasn\u0027t sure if it is desired so. 
I can create change request for that and the discussion can be had there.","commit_id":"e42f3a33d54d94d4674d15fe094dc8de4a920c14"}],"ansible/roles/rabbitmq/tasks/copy-certs.yml":[{"author":{"_account_id":36624,"name":"Matúš Jenča","email":"matus.jenca@dnation.cloud","username":"matusjenca"},"change_message_id":"663c288f9a788c9fb89a8b4c9776162d8c97b51f","unresolved":true,"context_lines":[{"line_number":51,"context_line":"  notify:"},{"line_number":52,"context_line":"    - Restart rabbitmq container"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"- name: Copying over backend TLS certificate"},{"line_number":55,"context_line":"  become: true"},{"line_number":56,"context_line":"  vars:"},{"line_number":57,"context_line":"    service: \"{{ rabbitmq_services[\u0027rabbitmq\u0027] }}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"0943b0fa_5024619e","line":54,"updated":"2024-05-29 12:21:49.000000000","message":"I think this should use updated `service-cert-copy` role from patch \nhttps://review.opendev.org/c/openstack/kolla-ansible/+/915901\n\n\nThen you can add the patch with\nDepends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/915901","commit_id":"f80c129d885b5022e60fa1b3b6d58a251198844f"},{"author":{"_account_id":36624,"name":"Matúš Jenča","email":"matus.jenca@dnation.cloud","username":"matusjenca"},"change_message_id":"47af14a8cbc46820a89e76729675fe0202994801","unresolved":true,"context_lines":[{"line_number":51,"context_line":"  notify:"},{"line_number":52,"context_line":"    - Restart rabbitmq container"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"- name: Copying over backend TLS certificate"},{"line_number":55,"context_line":"  become: true"},{"line_number":56,"context_line":"  vars:"},{"line_number":57,"context_line":"    service: \"{{ rabbitmq_services[\u0027rabbitmq\u0027] 
}}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"73ccba57_e10c6915","line":54,"in_reply_to":"0943b0fa_5024619e","updated":"2024-05-29 13:01:51.000000000","message":"Seems to work otherwise.","commit_id":"f80c129d885b5022e60fa1b3b6d58a251198844f"},{"author":{"_account_id":37013,"name":"Ivan Vnučko","display_name":"Ivan Vnucko","email":"ivan@vnucko.com","username":"ivnucko"},"change_message_id":"444f529d90d4a66afd868fdd46f2fa81145f1c1e","unresolved":false,"context_lines":[{"line_number":51,"context_line":"  notify:"},{"line_number":52,"context_line":"    - Restart rabbitmq container"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"- name: Copying over backend TLS certificate"},{"line_number":55,"context_line":"  become: true"},{"line_number":56,"context_line":"  vars:"},{"line_number":57,"context_line":"    service: \"{{ rabbitmq_services[\u0027rabbitmq\u0027] }}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"590f4997_10b90846","line":54,"in_reply_to":"1df57efa_780b9677","updated":"2024-07-18 08:10:11.000000000","message":"As there doesn\u0027t seem to be a clear use case for distinct certificates I simplified the certificates copy with the copy role as advised earlier.","commit_id":"f80c129d885b5022e60fa1b3b6d58a251198844f"},{"author":{"_account_id":37013,"name":"Ivan Vnučko","display_name":"Ivan Vnucko","email":"ivan@vnucko.com","username":"ivnucko"},"change_message_id":"4f3a8ad422549f768d9bc0e78c529ff8348c3020","unresolved":true,"context_lines":[{"line_number":51,"context_line":"  notify:"},{"line_number":52,"context_line":"    - Restart rabbitmq container"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"- name: Copying over backend TLS certificate"},{"line_number":55,"context_line":"  become: true"},{"line_number":56,"context_line":"  vars:"},{"line_number":57,"context_line":"    service: \"{{ rabbitmq_services[\u0027rabbitmq\u0027] 
}}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"82b1d7f0_303f8c48","line":54,"in_reply_to":"73ccba57_e10c6915","updated":"2024-06-06 11:43:12.000000000","message":"There are more cert/key file names considered in this rabbitmq specific copy role than in the `service-cert-copy` role, to provide the possibility to set distinct certificates for backend and client connections, but also to use the same for both. But I\u0027m not sure if it has a real usecase.","commit_id":"f80c129d885b5022e60fa1b3b6d58a251198844f"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"87209310a4edcb14d3b965ecf7fa524b4204f5ca","unresolved":true,"context_lines":[{"line_number":51,"context_line":"  notify:"},{"line_number":52,"context_line":"    - Restart rabbitmq container"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"- name: Copying over backend TLS certificate"},{"line_number":55,"context_line":"  become: true"},{"line_number":56,"context_line":"  vars:"},{"line_number":57,"context_line":"    service: \"{{ rabbitmq_services[\u0027rabbitmq\u0027] }}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"1df57efa_780b9677","line":54,"in_reply_to":"82b1d7f0_303f8c48","updated":"2024-06-25 08:12:22.000000000","message":"Can anybody come up with a scenario where distinct certificates for backend and client connections gain us some security or other advantage?\n\nThe only thing I can come up with, is that if you have some kind of problem with e.g. 
\"only\" the client certificates, your backend certs still work, if they don\u0027t share the failure because they were generated the same way.\n\nSo currently I don\u0027t see enough advantage to warrant distinct certs here.","commit_id":"f80c129d885b5022e60fa1b3b6d58a251198844f"}],"doc/source/reference/message-queues/rabbitmq.rst":[{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"d773503582acf8b81337bdcb6d016de04578d14f","unresolved":true,"context_lines":[{"line_number":83,"context_line":"internal VIP. As such, traffic to this endpoint is encrypted when"},{"line_number":84,"context_line":"``kolla_enable_tls_internal`` is ``true``. See :ref:`tls-configuration`."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Backend traffic between HAProxy and management API and UI is enabled by setting"},{"line_number":87,"context_line":"``rabbitmq_enable_tls_backend`` to ``true``, which is by default set from"},{"line_number":88,"context_line":"``kolla_enable_tls_backend``. Additionally, certificates and keys must"},{"line_number":89,"context_line":"be available in the following subpaths of ``{{ kolla_certificates_dir }}/``"}],"source_content_type":"text/x-rst","patch_set":3,"id":"ac1b6a02_f0d9ec36","line":86,"range":{"start_line":86,"start_character":61,"end_line":86,"end_character":68},"updated":"2024-06-10 13:45:04.000000000","message":"```suggestion\nBackend traffic between HAProxy and management API and UI is encrypted by setting\n```","commit_id":"f80c129d885b5022e60fa1b3b6d58a251198844f"},{"author":{"_account_id":37013,"name":"Ivan Vnučko","display_name":"Ivan Vnucko","email":"ivan@vnucko.com","username":"ivnucko"},"change_message_id":"79b81aa66dd44d67c12e685217ce37f3cacd9670","unresolved":false,"context_lines":[{"line_number":83,"context_line":"internal VIP. 
As such, traffic to this endpoint is encrypted when"},{"line_number":84,"context_line":"``kolla_enable_tls_internal`` is ``true``. See :ref:`tls-configuration`."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Backend traffic between HAProxy and management API and UI is enabled by setting"},{"line_number":87,"context_line":"``rabbitmq_enable_tls_backend`` to ``true``, which is by default set from"},{"line_number":88,"context_line":"``kolla_enable_tls_backend``. Additionally, certificates and keys must"},{"line_number":89,"context_line":"be available in the following subpaths of ``{{ kolla_certificates_dir }}/``"}],"source_content_type":"text/x-rst","patch_set":3,"id":"39054bb0_0887134b","line":86,"range":{"start_line":86,"start_character":61,"end_line":86,"end_character":68},"in_reply_to":"ac1b6a02_f0d9ec36","updated":"2024-06-11 17:21:19.000000000","message":"Done","commit_id":"f80c129d885b5022e60fa1b3b6d58a251198844f"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"c151ba3f7286a35dc941f29c09cd27c2cd488729","unresolved":true,"context_lines":[{"line_number":84,"context_line":"``kolla_enable_tls_internal`` is ``true``. See :ref:`tls-configuration`."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Backend traffic between HAProxy and management API and UI is encrypted by"},{"line_number":87,"context_line":"setting ``rabbitmq_enable_tls_backend`` to ``true``, which is by default set"},{"line_number":88,"context_line":"from `kolla_enable_tls_backend``. 
Additionally, certificates and keys must"},{"line_number":89,"context_line":"be available in the following subpaths of ``{{ kolla_certificates_dir }}/``"},{"line_number":90,"context_line":"(in priority order):"}],"source_content_type":"text/x-rst","patch_set":4,"id":"95cf4c1e_90c2ef55","line":87,"range":{"start_line":87,"start_character":62,"end_line":87,"end_character":76},"updated":"2024-06-12 09:24:44.000000000","message":"```suggestion\nsetting ``rabbitmq_enable_tls_backend`` to ``true``, which is set by default\n```","commit_id":"9a0d22338e1550228f683d928f630927cebd2714"},{"author":{"_account_id":37013,"name":"Ivan Vnučko","display_name":"Ivan Vnucko","email":"ivan@vnucko.com","username":"ivnucko"},"change_message_id":"13712f2172032a68eb3ed8b6e9481635849a3a23","unresolved":false,"context_lines":[{"line_number":84,"context_line":"``kolla_enable_tls_internal`` is ``true``. See :ref:`tls-configuration`."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Backend traffic between HAProxy and management API and UI is encrypted by"},{"line_number":87,"context_line":"setting ``rabbitmq_enable_tls_backend`` to ``true``, which is by default set"},{"line_number":88,"context_line":"from `kolla_enable_tls_backend``. 
Additionally, certificates and keys must"},{"line_number":89,"context_line":"be available in the following subpaths of ``{{ kolla_certificates_dir }}/``"},{"line_number":90,"context_line":"(in priority order):"}],"source_content_type":"text/x-rst","patch_set":4,"id":"6fd10ac3_e2ad52cb","line":87,"range":{"start_line":87,"start_character":62,"end_line":87,"end_character":76},"in_reply_to":"95cf4c1e_90c2ef55","updated":"2024-06-12 10:29:10.000000000","message":"Done","commit_id":"9a0d22338e1550228f683d928f630927cebd2714"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"c151ba3f7286a35dc941f29c09cd27c2cd488729","unresolved":true,"context_lines":[{"line_number":86,"context_line":"Backend traffic between HAProxy and management API and UI is encrypted by"},{"line_number":87,"context_line":"setting ``rabbitmq_enable_tls_backend`` to ``true``, which is by default set"},{"line_number":88,"context_line":"from `kolla_enable_tls_backend``. 
Additionally, certificates and keys must"},{"line_number":89,"context_line":"be available in the following subpaths of ``{{ kolla_certificates_dir }}/``"},{"line_number":90,"context_line":"(in priority order):"},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"Certificates:"}],"source_content_type":"text/x-rst","patch_set":4,"id":"5f8892bf_2995c3d6","line":89,"range":{"start_line":89,"start_character":3,"end_line":89,"end_character":15},"updated":"2024-06-12 09:24:44.000000000","message":"```suggestion\nbe available in any of the following paths ``{{ kolla_certificates_dir }}/``\n```\n\nthe current sentence could be read as \"certificates and keys must be available in ALL of the following paths\", whereas they only need to be present in one of them.\n\nI hope my suggestion can clarify this a little bit.","commit_id":"9a0d22338e1550228f683d928f630927cebd2714"},{"author":{"_account_id":37013,"name":"Ivan Vnučko","display_name":"Ivan Vnucko","email":"ivan@vnucko.com","username":"ivnucko"},"change_message_id":"13712f2172032a68eb3ed8b6e9481635849a3a23","unresolved":false,"context_lines":[{"line_number":86,"context_line":"Backend traffic between HAProxy and management API and UI is encrypted by"},{"line_number":87,"context_line":"setting ``rabbitmq_enable_tls_backend`` to ``true``, which is by default set"},{"line_number":88,"context_line":"from `kolla_enable_tls_backend``. 
Additionally, certificates and keys must"},{"line_number":89,"context_line":"be available in the following subpaths of ``{{ kolla_certificates_dir }}/``"},{"line_number":90,"context_line":"(in priority order):"},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"Certificates:"}],"source_content_type":"text/x-rst","patch_set":4,"id":"8f70139b_21f938d7","line":89,"range":{"start_line":89,"start_character":3,"end_line":89,"end_character":15},"in_reply_to":"5f8892bf_2995c3d6","updated":"2024-06-12 10:29:10.000000000","message":"Done","commit_id":"9a0d22338e1550228f683d928f630927cebd2714"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"c151ba3f7286a35dc941f29c09cd27c2cd488729","unresolved":true,"context_lines":[{"line_number":107,"context_line":""},{"line_number":108,"context_line":"The default for ``kolla_certificates_dir`` is ``/etc/kolla/certificates``."},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"The certificates must be valid for the IP address of the host running RabbitMQ"},{"line_number":111,"context_line":"on the API network."},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"Passing arguments to RabbitMQ server\u0027s Erlang VM"}],"source_content_type":"text/x-rst","patch_set":4,"id":"8a060485_3f161664","line":110,"updated":"2024-06-12 09:24:44.000000000","message":"I would mark this as important for the operator.\n\n```suggestion\n.. 
important::\n    The certificates must be valid for the IP address of the host running RabbitMQ\n```","commit_id":"9a0d22338e1550228f683d928f630927cebd2714"},{"author":{"_account_id":37013,"name":"Ivan Vnučko","display_name":"Ivan Vnucko","email":"ivan@vnucko.com","username":"ivnucko"},"change_message_id":"13712f2172032a68eb3ed8b6e9481635849a3a23","unresolved":false,"context_lines":[{"line_number":107,"context_line":""},{"line_number":108,"context_line":"The default for ``kolla_certificates_dir`` is ``/etc/kolla/certificates``."},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"The certificates must be valid for the IP address of the host running RabbitMQ"},{"line_number":111,"context_line":"on the API network."},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"Passing arguments to RabbitMQ server\u0027s Erlang VM"}],"source_content_type":"text/x-rst","patch_set":4,"id":"69f39fff_a5e9dec3","line":110,"in_reply_to":"8a060485_3f161664","updated":"2024-06-12 10:29:10.000000000","message":"Done","commit_id":"9a0d22338e1550228f683d928f630927cebd2714"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"f906b40b45ec11bf7525abe799d19cd3b847bb59","unresolved":true,"context_lines":[{"line_number":108,"context_line":"The default for ``kolla_certificates_dir`` is ``/etc/kolla/certificates``."},{"line_number":109,"context_line":""},{"line_number":110,"context_line":".. 
important::"},{"line_number":111,"context_line":"   The certificates must be valid for the IP address of the host running"},{"line_number":112,"context_line":"   RabbitMQ on the API network."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Passing arguments to RabbitMQ server\u0027s Erlang VM"},{"line_number":115,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":6,"id":"296aa7d7_406e36c5","line":112,"range":{"start_line":111,"start_character":4,"end_line":112,"end_character":31},"updated":"2024-06-17 08:28:47.000000000","message":"should we add an example on how to generate such a certificate?","commit_id":"0e97c8e369f031a76e62a30de50f9de93dc792bf"},{"author":{"_account_id":37013,"name":"Ivan Vnučko","display_name":"Ivan Vnucko","email":"ivan@vnucko.com","username":"ivnucko"},"change_message_id":"60012dd0bae11f0c34bdfde5e4afb16099bd9c18","unresolved":true,"context_lines":[{"line_number":108,"context_line":"The default for ``kolla_certificates_dir`` is ``/etc/kolla/certificates``."},{"line_number":109,"context_line":""},{"line_number":110,"context_line":".. important::"},{"line_number":111,"context_line":"   The certificates must be valid for the IP address of the host running"},{"line_number":112,"context_line":"   RabbitMQ on the API network."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Passing arguments to RabbitMQ server\u0027s Erlang VM"},{"line_number":115,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":6,"id":"aba8893b_c09eb0fd","line":112,"range":{"start_line":111,"start_character":4,"end_line":112,"end_character":31},"in_reply_to":"296aa7d7_406e36c5","updated":"2024-06-21 14:11:04.000000000","message":"I think that the process of certificates generation/deployment has/should have its own section in the TLS chapter as it is the same for all backend services. 
I only now realized that I did copy this remark from the previous section about the Client-server communication encryption and this rabbit specific chapter should handle this information consistently, maybe a link to the TLS chapter?","commit_id":"0e97c8e369f031a76e62a30de50f9de93dc792bf"},{"author":{"_account_id":37013,"name":"Ivan Vnučko","display_name":"Ivan Vnucko","email":"ivan@vnucko.com","username":"ivnucko"},"change_message_id":"444f529d90d4a66afd868fdd46f2fa81145f1c1e","unresolved":false,"context_lines":[{"line_number":108,"context_line":"The default for ``kolla_certificates_dir`` is ``/etc/kolla/certificates``."},{"line_number":109,"context_line":""},{"line_number":110,"context_line":".. important::"},{"line_number":111,"context_line":"   The certificates must be valid for the IP address of the host running"},{"line_number":112,"context_line":"   RabbitMQ on the API network."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Passing arguments to RabbitMQ server\u0027s Erlang VM"},{"line_number":115,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":6,"id":"53082cc2_bfe3f620","line":112,"range":{"start_line":111,"start_character":4,"end_line":112,"end_character":31},"in_reply_to":"76cf9f2f_8162baba","updated":"2024-07-18 08:10:11.000000000","message":"As the setup for backend certificates for RabbitMQ management UI doesn\u0027t differ from other services now, I replaced the specific info about the certificates with a link to TLS chapter.","commit_id":"0e97c8e369f031a76e62a30de50f9de93dc792bf"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"87209310a4edcb14d3b965ecf7fa524b4204f5ca","unresolved":true,"context_lines":[{"line_number":108,"context_line":"The default for ``kolla_certificates_dir`` is 
``/etc/kolla/certificates``."},{"line_number":109,"context_line":""},{"line_number":110,"context_line":".. important::"},{"line_number":111,"context_line":"   The certificates must be valid for the IP address of the host running"},{"line_number":112,"context_line":"   RabbitMQ on the API network."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Passing arguments to RabbitMQ server\u0027s Erlang VM"},{"line_number":115,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":6,"id":"76cf9f2f_8162baba","line":112,"range":{"start_line":111,"start_character":4,"end_line":112,"end_character":31},"in_reply_to":"aba8893b_c09eb0fd","updated":"2024-06-25 08:12:22.000000000","message":"after reading the TLS chapter again I agree there should at least be a link to the TLS chapter.\n\nThat being said, it\u0027s really sad that we don\u0027t have any guide on how to actually set up a production setup with a proper certification chain, even in the TLS guide, besides referring to Let\u0027s Encrypt, which is not applicable here.","commit_id":"0e97c8e369f031a76e62a30de50f9de93dc792bf"}],"releasenotes/notes/rabbitmq-management-haproxy-tls-cc285f8ad7390c4e.yaml":[{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"353603d7227b80aae60f383e2c69bd37a295aaf5","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"cfb0196e_1b8fe46f","line":10,"range":{"start_line":4,"start_character":0,"end_line":10,"end_character":0},"updated":"2024-05-11 07:37:46.000000000","message":"Please use double backticks and remove the extra newline at the end of the file (keep just one).","commit_id":"c1048b4b52010dbee929182c01d7d0a9871d90fb"},{"author":{"_account_id":15197,"name":"Pierre 
Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"c83080bb2e6f4a85076280f426eff955a453442c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"60abbced_7b3d69bd","line":10,"range":{"start_line":4,"start_character":0,"end_line":10,"end_character":0},"in_reply_to":"cfb0196e_1b8fe46f","updated":"2024-05-14 20:14:59.000000000","message":"Done","commit_id":"c1048b4b52010dbee929182c01d7d0a9871d90fb"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"d773503582acf8b81337bdcb6d016de04578d14f","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"c62e87c6_feb9209d","line":9,"updated":"2024-06-10 13:45:04.000000000","message":"please mention here that the port for the management portal changes when traffic is encrypted in the \"upgrades\" section, thanks.","commit_id":"f80c129d885b5022e60fa1b3b6d58a251198844f"},{"author":{"_account_id":37013,"name":"Ivan Vnučko","display_name":"Ivan Vnucko","email":"ivan@vnucko.com","username":"ivnucko"},"change_message_id":"79b81aa66dd44d67c12e685217ce37f3cacd9670","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"0109df12_c1f2f14b","line":9,"in_reply_to":"c62e87c6_feb9209d","updated":"2024-06-11 17:21:19.000000000","message":"Done","commit_id":"f80c129d885b5022e60fa1b3b6d58a251198844f"}]}
