)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":32657,"name":"Piotr Parczewski","email":"piotr@stackhpc.com","username":"piotrp"},"change_message_id":"491119d1f41c365f75a251eac1949260fd7bc63e","unresolved":true,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Fix TLS settings when letsencrypt turned on"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"- Introduced `letsencrypt_managed_certs`"},{"line_number":10,"context_line":"  variable to handle whether letsencrypt"},{"line_number":11,"context_line":"  will generate internal, external or both"},{"line_number":12,"context_line":"  certificates."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":16,"id":"d8f58244_dd149043","line":9,"updated":"2024-10-09 12:55:32.000000000","message":"Docs need updating?","commit_id":"3ff3c1717acadfae39b97013158619661afc9e5f"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"48c77792a3097e5d4db1962374c1e01fba5f16b2","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Fix TLS settings when letsencrypt turned on"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"- Introduced `letsencrypt_managed_certs`"},{"line_number":10,"context_line":"  variable to handle whether letsencrypt"},{"line_number":11,"context_line":"  will generate internal, external or both"},{"line_number":12,"context_line":"  certificates."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":16,"id":"a746dabc_65462e2c","line":9,"in_reply_to":"d8f58244_dd149043","updated":"2024-10-30 15:36:37.000000000","message":"Done","commit_id":"3ff3c1717acadfae39b97013158619661afc9e5f"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":22629,"name":"Michal 
Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"2209939f9d6a37246663384d0c7f910fbeac2123","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"3a7e7bdf_7f6d0e94","updated":"2024-08-09 08:58:37.000000000","message":"I think you need to change this line as well: https://github.com/openstack/kolla-ansible/blob/b8a4f4c7fc86944df4683d55d5117f39e1d61ef9/ansible/roles/loadbalancer/tasks/config.yml#L214","commit_id":"b0d01795c5087e25e995633db7afcdf26afbd19f"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"195eda4f9d439f451cdfdd790e7c8127a8060b7c","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"7297f06e_2ddeb030","updated":"2024-08-08 15:52:01.000000000","message":"Should we have a scenario that tests this approach - because it seems like it\u0027s something normal most users would do?","commit_id":"b0d01795c5087e25e995633db7afcdf26afbd19f"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"af2af364860a2b4c69b6600f35324945cebb08d0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"33f26fa2_89c637c8","in_reply_to":"3a7e7bdf_7f6d0e94","updated":"2024-08-13 13:44:56.000000000","message":"Done","commit_id":"b0d01795c5087e25e995633db7afcdf26afbd19f"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"cb17806f4eb04e65b149f2da417dba421f917986","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"e3056a56_e319a91c","in_reply_to":"6269abe4_ffdc0d86","updated":"2024-09-11 14:47:30.000000000","message":"I tested locally various combinations letsencrypt public + internal self-generated ... 
both internal and external letsencrypt with my local acme ...etc ..etc ...etc \n\nMaybe we should switch to LE external_vip !\u003d internal_vip in CI (as now it\u0027s same ...it means just internal is allowed ). And generate LE for public and local cert for internal ? \n\nWhat do you think ?","commit_id":"b0d01795c5087e25e995633db7afcdf26afbd19f"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"2410dddcf5dd40f2699a07d10727b46a7b1e0794","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"9b808cae_37b17c91","in_reply_to":"7297f06e_2ddeb030","updated":"2024-08-09 08:24:46.000000000","message":"maybe just extend the let\u0027s encrypt scenario for that, what do you think?","commit_id":"b0d01795c5087e25e995633db7afcdf26afbd19f"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"fd4e07ae4d02017df208aea046b87c865f940324","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"6269abe4_ffdc0d86","in_reply_to":"9b808cae_37b17c91","updated":"2024-09-10 13:35:03.000000000","message":"Now i think every combination will work. 
So, just let me know what combination you will want to setup and i will do it.","commit_id":"b0d01795c5087e25e995633db7afcdf26afbd19f"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"b01735c8dc00ac62cd4c362bf16a51bf3e763409","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"39133280_7c5f9ac4","in_reply_to":"d8804caf_a3c86570","updated":"2024-09-29 14:29:40.000000000","message":"mark as resolved, open new comment if you don\u0027t agree with the latest one.","commit_id":"b0d01795c5087e25e995633db7afcdf26afbd19f"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"1cc886201d048c23e798ce212516b1f0c7effa96","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"d8804caf_a3c86570","in_reply_to":"e3056a56_e319a91c","updated":"2024-09-12 09:22:15.000000000","message":"I think I like the idea, would you want to add it to this Change or propose a new one?","commit_id":"b0d01795c5087e25e995633db7afcdf26afbd19f"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"01e202fbf375e16ffc6bc8d505d982b714dc176f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"894112c8_352bc5cf","updated":"2024-08-12 12:48:21.000000000","message":"Code LGTM now, please fix the reno as suggested though, thanks!","commit_id":"4edb30989c3fe69fd730b8ed9e03542b50b9517b"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"7ee60ef866dda329e41236b429c252b967ad013e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"7d10a794_1cb8c629","updated":"2024-08-20 10:25:07.000000000","message":"Hmm, i think this is not properly fixed. 
As letsencrypt can also provide cert for internal TLS (but you need of course your local ACME server instead of public letsencrypt ACME server... and change the server in globals). I think better is something as combination of current conditionals and some check if file exist in /etc/kolla/certificates/haproxy{-internal}.pem.\n\nCurrent CI scenario works also for internal with current code, but acme server points to local one https://github.com/openstack/kolla-ansible/blob/5081197e58fd772f4481454c05881914483a4dda/tests/templates/globals-default.j2#L252","commit_id":"e364eb34f21312c2091189c602cef4958ca58e54"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"3ee7fb14e5acdcd21e70a2c3672d66d0e8a67cec","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"14b5d111_8d02aaf9","updated":"2024-09-06 10:39:48.000000000","message":"It does seem to me like there\u0027s a larger issue here in the letsencrypt support. It looks like the letsencrypt role wants to request certs for both the external and internal APIs by default. This doesn\u0027t seem right - in the common case of using public LE and a private internal API, the ACME HTTP challenge won\u0027t work for the internal API.","commit_id":"e364eb34f21312c2091189c602cef4958ca58e54"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"8fd8ba74fb10a61c137555d0682e9d3139555d09","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"ef9fb372_229572e3","updated":"2024-09-10 12:15:14.000000000","message":"Well, the logic is.\n\n1. 
ACME used - not copying anything, generate temp cert, letsencrypt will replace \n    - TLS_INTERNAL_ENABLED - you are using ACME - you have to provide your ACME server\n    - TLS_PUBLIC_ENABLED - if you want to also INTERNAL as above - again you need to provide your ACME, if INTERNAL_DISABLED - you are fine with default \n    \nFrom my point of view we can add another variable, something like letsencrypt_cert_maintained: {both,internal,public} and based on this just change the logic above and add conditionals .. i think it\u0027s easy ..","commit_id":"e364eb34f21312c2091189c602cef4958ca58e54"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"4a999d06e9bd4b4ae8d30485f47e28e7e7173dac","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"e55d60fa_6488eb04","updated":"2024-09-06 14:08:29.000000000","message":"this seems to need some more discussion.","commit_id":"e364eb34f21312c2091189c602cef4958ca58e54"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"b08e925409b7d996ccb0d8611490a36ebb6d1182","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"f717df87_595bce5c","in_reply_to":"14b5d111_8d02aaf9","updated":"2024-09-06 11:56:40.000000000","message":"Seems the logic in https://github.com/openstack/kolla-ansible/blob/master/ansible/roles/letsencrypt/templates/crontab.j2 could be improved (and also readability of that file).\n@piotr@stackhpc.com can you have a look there as well?","commit_id":"e364eb34f21312c2091189c602cef4958ca58e54"},{"author":{"_account_id":32657,"name":"Piotr Parczewski","email":"piotr@stackhpc.com","username":"piotrp"},"change_message_id":"69684078240c19feca9c0cb422502cbf0ec63ab8","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"60a673dc_2803fc4a","in_reply_to":"33158e85_a25db1bd","updated":"2024-09-09 
06:40:12.000000000","message":"Sven, the fact that some exotic scenario is possible to implement, does not necessarily mean it should be supported in Kolla - is that correct? Looks like it\u0027s not entirely clear which deployment variants are/should be possible with LE enabled - a simple table in the docs would solve this. It does not make much sense to submit bug fixes with this uncertainty.\n\nThis patch aimed to fix quite a simple thing: an initial deployment with custom CA trusted on all systems, LE enabled **afterwards**, in preparation for go-live and boooom, this blows up your entire cloud, which is what happened to me.","commit_id":"e364eb34f21312c2091189c602cef4958ca58e54"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"fd4e07ae4d02017df208aea046b87c865f940324","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"190f128f_f792f4b9","in_reply_to":"431ce82e_a45d0582","updated":"2024-09-10 13:35:03.000000000","message":"Let\u0027s close this and wait for updated patchset.","commit_id":"e364eb34f21312c2091189c602cef4958ca58e54"},{"author":{"_account_id":36220,"name":"Mr.R","email":"shay@threeyourmind.com"},"change_message_id":"693a197d1327023aa6ff24be40bb857e1c96daf4","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"9afb29b4_99c964f0","in_reply_to":"60a673dc_2803fc4a","updated":"2024-09-09 14:24:12.000000000","message":"It also happens on a fresh deployment with self signed certs for tls and LE for vips","commit_id":"e364eb34f21312c2091189c602cef4958ca58e54"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"0ffe7c30c44bcb9bce11f329f6d23c210be91703","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"be58e913_23975143","in_reply_to":"7d10a794_1cb8c629","updated":"2024-08-22 
06:49:00.000000000","message":"Why do we need to check if file exists? We do it here: https://github.com/openstack/kolla-ansible/blob/251febffcc43911f0517c31927eb9d4d2fe0617c/ansible/roles/loadbalancer/templates/haproxy/haproxy_run.sh.j2#L21","commit_id":"e364eb34f21312c2091189c602cef4958ca58e54"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"fd4e07ae4d02017df208aea046b87c865f940324","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"e537e8ce_f687d8ec","in_reply_to":"9afb29b4_99c964f0","updated":"2024-09-10 13:35:03.000000000","message":"@mark@stackhpc.com Nope, by default it\u0027s not requesting both internal and external certificates - it is under condition ...if fqdn is set and also if vips are same or not ...\n\n@mnasiadka@gmail.com cron is OK ..but little bit improved + one conditional.\n\nPublic LE tested locally, with internal generated, ci will handle internal LE.","commit_id":"e364eb34f21312c2091189c602cef4958ca58e54"},{"author":{"_account_id":32657,"name":"Piotr Parczewski","email":"piotr@stackhpc.com","username":"piotrp"},"change_message_id":"12d4ed78f39f9cc1a697cfe08036006386e1dc18","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"431ce82e_a45d0582","in_reply_to":"be58e913_23975143","updated":"2024-09-05 10:46:47.000000000","message":"Anything to add here? 
Would appreciate a second look","commit_id":"e364eb34f21312c2091189c602cef4958ca58e54"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"4a999d06e9bd4b4ae8d30485f47e28e7e7173dac","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"33158e85_a25db1bd","in_reply_to":"f717df87_595bce5c","updated":"2024-09-06 14:08:29.000000000","message":"I somewhat disagree, you can just run your \"internal\" API on public IPs with public DNS just fine and let\u0027s encrypt should work, no? Yes, this might be a niche usecase, I admit as much.\n\nWe should not let this depend on \"internal\" or \"external\" API, which is an artificial distinction, but on global routeable addresses imho. so if your internal API endpoint resolves to something non global routeable, we should either disable let\u0027s encrypt or have a precheck that says: please configure your private ACME server if you want to use private IP ranges with LE.\n\nWhat do you think?\n\nBut yes, the current approach is maybe a little bit naive :)","commit_id":"e364eb34f21312c2091189c602cef4958ca58e54"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"8969860aee021b78d4534a7190f588a0d383bdc5","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"1ca14011_67f99bc1","updated":"2024-09-10 13:30:29.000000000","message":"Let\u0027s see .. i think it will pass","commit_id":"9bfb74c7e9d27e809a9da1a2e0c2a00d016f0b8b"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"2cce9db3b9d61bf38be42cd9b4c14c70f82b0fb6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":13,"id":"ccc9435e_5a0c7951","updated":"2024-09-11 14:48:00.000000000","message":"Let\u0027s see if pass ... I think it will :). 
\n\nThen I will amend the commit message slightly","commit_id":"2c32998f0957c806d5c766d2e61ad01c4d946a7d"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"dc29af6fd93039abeb8ca85993558911742f7d98","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":15,"id":"c8cd517f_eb5f3566","updated":"2024-09-28 09:13:24.000000000","message":"-1 because at least one check is missing to ever reach the \"internal,external\" branch logic, it will always stick with \"internal\" in the current form.","commit_id":"3e1f656796021b6abef276efb8453f95f754299c"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"4552dbdc1e628bbba8b3175ff00191510b05b0e8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":15,"id":"a86d9ff4_d3b8c5f3","in_reply_to":"216a9f82_860cd504","updated":"2024-10-07 13:50:31.000000000","message":"Ping ?","commit_id":"3e1f656796021b6abef276efb8453f95f754299c"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"b01735c8dc00ac62cd4c362bf16a51bf3e763409","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":15,"id":"216a9f82_860cd504","in_reply_to":"89378ce7_a723e446","updated":"2024-09-29 14:29:40.000000000","message":"Test provided ... marking as resolved for now - it\u0027s working good.","commit_id":"3e1f656796021b6abef276efb8453f95f754299c"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"e3c4ce9a9d1d7c5da1bcaf2ef5205560862be137","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":15,"id":"89378ce7_a723e446","in_reply_to":"c8cd517f_eb5f3566","updated":"2024-09-29 11:10:58.000000000","message":"No, it will not ..i\u0027ve tested everything on my cloud. 
What are u talking about ?","commit_id":"3e1f656796021b6abef276efb8453f95f754299c"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"b339af9ca93f775ccde09c7d12f929a6e06b0573","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":25,"id":"745bce3c_462d2506","updated":"2024-11-07 13:02:34.000000000","message":"at least some of the code duplication should be removed (having two tasks for internal/external certs). I provided an example how to copy certs with one task only.\n\nthe haproxy cert copy operation could imho also be simplified in a similar fashion.\n\nthe rest of the code LGTM, especially the better checks now. thanks for working on this!","commit_id":"28f043a228b3c66785229e399ea7ea1407539b6d"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"e5d9a407b86f46cc752a6aa81eaf05facd3786a0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":25,"id":"f00a4b8a_e5525336","in_reply_to":"745bce3c_462d2506","updated":"2024-11-07 14:05:40.000000000","message":"I agree, and I’m constantly working on improving this, which will be included as an additional patch. 
However, I don’t think we should be doing code refactoring in a review for a BUG.\n\nThis is also because the fewer changes you make, the easier it is to backport the code to an older version if necessary.\n\nIf you don\u0027t agree, please reopen this topic in new comment.","commit_id":"28f043a228b3c66785229e399ea7ea1407539b6d"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"8c3d47586529bf38219431a7a6fffd5d78f56e60","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":26,"id":"eeff5335_02c4b712","updated":"2024-11-20 06:15:27.000000000","message":"recheck retry limit","commit_id":"2e1fdd1cbe15163ef1ccc417f1fc966e7bf715b0"}],"ansible/group_vars/all.yml":[{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"1cc886201d048c23e798ce212516b1f0c7effa96","unresolved":true,"context_lines":[{"line_number":462,"context_line":"kuryr_port: \"23750\""},{"line_number":463,"context_line":""},{"line_number":464,"context_line":"letsencrypt_webserver_port: \"8081\""},{"line_number":465,"context_line":"letsencrypt_managed_certs: \"{{ \u0027internal\u0027 if enable_letsencrypt | bool and kolla_same_external_internal_vip | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 else (\u0027internal,external\u0027 if enable_letsencrypt | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 and letsencrypt_external_cert_server !\u003d \u0027\u0027 else (\u0027internal\u0027 if enable_letsencrypt | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 else (\u0027external\u0027 if enable_letsencrypt | bool and not kolla_same_external_internal_vip | bool and letsencrypt_external_cert_server !\u003d \u0027\u0027 else \u0027\u0027))) }}\""},{"line_number":466,"context_line":"letsencrypt_external_cert_server: \"\""},{"line_number":467,"context_line":"letsencrypt_internal_cert_server: 
\"\""},{"line_number":468,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":15,"id":"c1067525_c626f3dd","line":465,"range":{"start_line":465,"start_character":0,"end_line":465,"end_character":2},"updated":"2024-09-12 09:22:15.000000000","message":"can we add a comment here maybe that explains why all these checks are necessary and what usecases these are for?\nI don\u0027t see that we can simplify the code, but I think a comment explaining it would be good for the future, no?\n\ne.g:\n\n\n```\n# set to internal if external and internal VIP match and an internal LE server is configured and LE is enabled\n# set to internal and external if LE is enabled, external and internal VIP match and internal and external LE servers are configured\n# [...]\nletsencrypt_managed_certs: \"{{ \u0027internal\u0027 if enable_letsencrypt | bool and kolla_same_external_internal_vip | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 else (\u0027internal,external\u0027 if enable_letsencrypt | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 and letsencrypt_external_cert_server !\u003d \u0027\u0027 else (\u0027internal\u0027 if enable_letsencrypt | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 else (\u0027external\u0027 if enable_letsencrypt | bool and not kolla_same_external_internal_vip | bool and letsencrypt_external_cert_server !\u003d \u0027\u0027 else \u0027\u0027))) }}\"\n```\n\nwriting it down in such a way imho already revealed a bug, the conditions for \"internal\" and \"internal,external\" are basically the same, except for the  external LE Server check, no? 
how does this code ever reach the `else` part for the \"internal,external\" part?\n\nShouldn\u0027t it read like this?\n\n```suggestion\nletsencrypt_managed_certs: \"{{ \u0027internal\u0027 if enable_letsencrypt | bool and kolla_same_external_internal_vip | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 and letsencrypt_external_cert_server \u003d \u0027\u0027 else (\u0027internal,external\u0027 if enable_letsencrypt | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 and letsencrypt_external_cert_server !\u003d \u0027\u0027 else (\u0027internal\u0027 if enable_letsencrypt | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 else (\u0027external\u0027 if enable_letsencrypt | bool and not kolla_same_external_internal_vip | bool and letsencrypt_external_cert_server !\u003d \u0027\u0027 else \u0027\u0027))) }}\"\n```","commit_id":"3e1f656796021b6abef276efb8453f95f754299c"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"e3c4ce9a9d1d7c5da1bcaf2ef5205560862be137","unresolved":true,"context_lines":[{"line_number":462,"context_line":"kuryr_port: \"23750\""},{"line_number":463,"context_line":""},{"line_number":464,"context_line":"letsencrypt_webserver_port: \"8081\""},{"line_number":465,"context_line":"letsencrypt_managed_certs: \"{{ \u0027internal\u0027 if enable_letsencrypt | bool and kolla_same_external_internal_vip | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 else (\u0027internal,external\u0027 if enable_letsencrypt | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 and letsencrypt_external_cert_server !\u003d \u0027\u0027 else (\u0027internal\u0027 if enable_letsencrypt | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 else (\u0027external\u0027 if enable_letsencrypt | bool and not kolla_same_external_internal_vip | bool and letsencrypt_external_cert_server !\u003d \u0027\u0027 else 
\u0027\u0027))) }}\""},{"line_number":466,"context_line":"letsencrypt_external_cert_server: \"\""},{"line_number":467,"context_line":"letsencrypt_internal_cert_server: \"\""},{"line_number":468,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":15,"id":"b72eca6c_844292fb","line":465,"range":{"start_line":465,"start_character":0,"end_line":465,"end_character":2},"in_reply_to":"4c440a45_1a039af3","updated":"2024-09-29 11:10:58.000000000","message":"But this is working for now very well, maybe","commit_id":"3e1f656796021b6abef276efb8453f95f754299c"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"0d071aebf3d0a3d03782d3f4e4b9cb843d5da24a","unresolved":true,"context_lines":[{"line_number":462,"context_line":"kuryr_port: \"23750\""},{"line_number":463,"context_line":""},{"line_number":464,"context_line":"letsencrypt_webserver_port: \"8081\""},{"line_number":465,"context_line":"letsencrypt_managed_certs: \"{{ \u0027internal\u0027 if enable_letsencrypt | bool and kolla_same_external_internal_vip | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 else (\u0027internal,external\u0027 if enable_letsencrypt | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 and letsencrypt_external_cert_server !\u003d \u0027\u0027 else (\u0027internal\u0027 if enable_letsencrypt | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 else (\u0027external\u0027 if enable_letsencrypt | bool and not kolla_same_external_internal_vip | bool and letsencrypt_external_cert_server !\u003d \u0027\u0027 else \u0027\u0027))) }}\""},{"line_number":466,"context_line":"letsencrypt_external_cert_server: \"\""},{"line_number":467,"context_line":"letsencrypt_internal_cert_server: 
\"\""},{"line_number":468,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":15,"id":"4d8558bb_fa72bffa","line":465,"range":{"start_line":465,"start_character":0,"end_line":465,"end_character":2},"in_reply_to":"4c440a45_1a039af3","updated":"2024-09-28 09:11:58.000000000","message":"I think you really just missed that one condition I highlighted, if you add it, it should work. Caveat: I _didn\u0027t_ write down a truth table, so maybe I also missed something else.\n\nThe proper thing to do would to construct a finite state machine for this, because it\u0027s not only about the correct values but what state transitions are allowed if a certain setting is turned on/off.","commit_id":"3e1f656796021b6abef276efb8453f95f754299c"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"ac08b26a8561708e37874a8339ee52355435483e","unresolved":true,"context_lines":[{"line_number":462,"context_line":"kuryr_port: \"23750\""},{"line_number":463,"context_line":""},{"line_number":464,"context_line":"letsencrypt_webserver_port: \"8081\""},{"line_number":465,"context_line":"letsencrypt_managed_certs: \"{{ \u0027internal\u0027 if enable_letsencrypt | bool and kolla_same_external_internal_vip | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 else (\u0027internal,external\u0027 if enable_letsencrypt | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 and letsencrypt_external_cert_server !\u003d \u0027\u0027 else (\u0027internal\u0027 if enable_letsencrypt | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 else (\u0027external\u0027 if enable_letsencrypt | bool and not kolla_same_external_internal_vip | bool and letsencrypt_external_cert_server !\u003d \u0027\u0027 else \u0027\u0027))) }}\""},{"line_number":466,"context_line":"letsencrypt_external_cert_server: \"\""},{"line_number":467,"context_line":"letsencrypt_internal_cert_server: 
\"\""},{"line_number":468,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":15,"id":"4c440a45_1a039af3","line":465,"range":{"start_line":465,"start_character":0,"end_line":465,"end_character":2},"in_reply_to":"909c2a44_6589bbe9","updated":"2024-09-27 07:45:26.000000000","message":"You’re probably right. I wrote down all the possible options—a truth table—and wrote a foolproof conditional statement. It’s possible that some branches could be cut off, of course, like the one you mentioned :) … But I’m not sure if I have the energy to try it again right now, even though it’s quite an important patch...","commit_id":"3e1f656796021b6abef276efb8453f95f754299c"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"d5311b68b032e4687e43b12ba6686f97b4a8f541","unresolved":false,"context_lines":[{"line_number":462,"context_line":"kuryr_port: \"23750\""},{"line_number":463,"context_line":""},{"line_number":464,"context_line":"letsencrypt_webserver_port: \"8081\""},{"line_number":465,"context_line":"letsencrypt_managed_certs: \"{{ \u0027internal\u0027 if enable_letsencrypt | bool and kolla_same_external_internal_vip | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 else (\u0027internal,external\u0027 if enable_letsencrypt | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 and letsencrypt_external_cert_server !\u003d \u0027\u0027 else (\u0027internal\u0027 if enable_letsencrypt | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 else (\u0027external\u0027 if enable_letsencrypt | bool and not kolla_same_external_internal_vip | bool and letsencrypt_external_cert_server !\u003d \u0027\u0027 else \u0027\u0027))) }}\""},{"line_number":466,"context_line":"letsencrypt_external_cert_server: \"\""},{"line_number":467,"context_line":"letsencrypt_internal_cert_server: 
\"\""},{"line_number":468,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":15,"id":"ff74a94f_ac0ddd3d","line":465,"range":{"start_line":465,"start_character":0,"end_line":465,"end_character":2},"in_reply_to":"b72eca6c_844292fb","updated":"2024-09-29 14:26:25.000000000","message":"Sven, your suggestion don\u0027t work for below parameters.\n\nTest case 4:\n  Input parameters: {\u0027enable_letsencrypt\u0027: True, \u0027kolla_same_external_internal_vip\u0027: True, \u0027letsencrypt_internal_cert_server\u0027: \u0027server\u0027, \u0027letsencrypt_external_cert_server\u0027: \u0027server\u0027}\n  Expected: \"internal\"\n  Got: \"internal,external\"\n  Result: Failed!\n \nThis just means that if you are using same VIP  - it just means that you are using internal setup only. So - even if user defined letsencrypt_external_cert_server, it will generate only against internal ACME and will be used for both andpoints (same as certificates do it now - without LE). Simply said - you need to ignore settings for external.\n\nDocs - https://github.com/openstack/kolla-ansible/blob/f35cf5572cd9582502ae39d0217a7509387d6102/doc/source/admin/tls.rst?plain\u003d1#L94-L96\n\nYou can test that your suggestion don\u0027t work here \n\nhttps://github.com/keuko/sven-kolla/blob/master/test.py\n\nI\u0027ve also shortened the conditional from 511 chars to 434 -\u003e 77 chars\n\nMarking as resolved.","commit_id":"3e1f656796021b6abef276efb8453f95f754299c"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"6edc431061598958fc6718b17688b519dab96d7f","unresolved":true,"context_lines":[{"line_number":462,"context_line":"kuryr_port: \"23750\""},{"line_number":463,"context_line":""},{"line_number":464,"context_line":"letsencrypt_webserver_port: \"8081\""},{"line_number":465,"context_line":"letsencrypt_managed_certs: \"{{ \u0027internal\u0027 if enable_letsencrypt | bool and 
kolla_same_external_internal_vip | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 else (\u0027internal,external\u0027 if enable_letsencrypt | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 and letsencrypt_external_cert_server !\u003d \u0027\u0027 else (\u0027internal\u0027 if enable_letsencrypt | bool and letsencrypt_internal_cert_server !\u003d \u0027\u0027 else (\u0027external\u0027 if enable_letsencrypt | bool and not kolla_same_external_internal_vip | bool and letsencrypt_external_cert_server !\u003d \u0027\u0027 else \u0027\u0027))) }}\""},{"line_number":466,"context_line":"letsencrypt_external_cert_server: \"\""},{"line_number":467,"context_line":"letsencrypt_internal_cert_server: \"\""},{"line_number":468,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":15,"id":"909c2a44_6589bbe9","line":465,"range":{"start_line":465,"start_character":0,"end_line":465,"end_character":2},"in_reply_to":"c1067525_c626f3dd","updated":"2024-09-12 11:19:43.000000000","message":"Do you want to say there is  a bug in functionality ? 
I am not saying it can be simplified.\n\nkolla_same_external_internal_vip, letsencrypt_internal_cert_server, letsencrypt_external_cert_server, enable_letsencrypt, Result\n\ntrue    \"FOO\"   \"\"      true    \"internal\"\ntrue    \"FOO\"   \"FOO\"   true    \"internal\"\nfalse   \"FOO\"   \"\"      true    \"internal\"\nfalse   \"FOO\"   \"FOO\"   true    \"internal,external\"","commit_id":"3e1f656796021b6abef276efb8453f95f754299c"},{"author":{"_account_id":32657,"name":"Piotr Parczewski","email":"piotr@stackhpc.com","username":"piotrp"},"change_message_id":"491119d1f41c365f75a251eac1949260fd7bc63e","unresolved":true,"context_lines":[{"line_number":495,"context_line":"kuryr_port: \"23750\""},{"line_number":496,"context_line":""},{"line_number":497,"context_line":"letsencrypt_webserver_port: \"8081\""},{"line_number":498,"context_line":"letsencrypt_managed_certs: \"{{ \u0027\u0027 if not enable_letsencrypt | bool else (\u0027internal\u0027 if letsencrypt_internal_cert_server !\u003d \u0027\u0027 and kolla_same_external_internal_vip | bool else (\u0027internal,external\u0027 if letsencrypt_internal_cert_server !\u003d \u0027\u0027 and letsencrypt_external_cert_server !\u003d \u0027\u0027 else (\u0027internal\u0027 if letsencrypt_internal_cert_server !\u003d \u0027\u0027 else (\u0027external\u0027 if letsencrypt_external_cert_server !\u003d \u0027\u0027 and not kolla_same_external_internal_vip | bool else \u0027\u0027)))) }}\""},{"line_number":499,"context_line":"letsencrypt_external_cert_server: \"\""},{"line_number":500,"context_line":"letsencrypt_internal_cert_server: \"\""},{"line_number":501,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":16,"id":"1700124c_7ca92924","line":498,"updated":"2024-10-09 12:55:32.000000000","message":"Perhaps it could be split into multiple lines for improved readability? 
https://github.com/ansible/ansible/issues/69676#issuecomment-633158762","commit_id":"3ff3c1717acadfae39b97013158619661afc9e5f"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"cef8055a43c914e3835f57a54b87e79eea148691","unresolved":true,"context_lines":[{"line_number":495,"context_line":"kuryr_port: \"23750\""},{"line_number":496,"context_line":""},{"line_number":497,"context_line":"letsencrypt_webserver_port: \"8081\""},{"line_number":498,"context_line":"letsencrypt_managed_certs: \"{{ \u0027\u0027 if not enable_letsencrypt | bool else (\u0027internal\u0027 if letsencrypt_internal_cert_server !\u003d \u0027\u0027 and kolla_same_external_internal_vip | bool else (\u0027internal,external\u0027 if letsencrypt_internal_cert_server !\u003d \u0027\u0027 and letsencrypt_external_cert_server !\u003d \u0027\u0027 else (\u0027internal\u0027 if letsencrypt_internal_cert_server !\u003d \u0027\u0027 else (\u0027external\u0027 if letsencrypt_external_cert_server !\u003d \u0027\u0027 and not kolla_same_external_internal_vip | bool else \u0027\u0027)))) }}\""},{"line_number":499,"context_line":"letsencrypt_external_cert_server: \"\""},{"line_number":500,"context_line":"letsencrypt_internal_cert_server: \"\""},{"line_number":501,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":16,"id":"dad2b4ef_769a0985","line":498,"in_reply_to":"1700124c_7ca92924","updated":"2024-10-09 13:17:27.000000000","message":"Here is a test how logic works https://github.com/keuko/sven-kolla/blob/master/test.py , can u please advise me how you want to change ? 
I will test it.","commit_id":"3ff3c1717acadfae39b97013158619661afc9e5f"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"0fc5f5406ad9affc83d1cc1d157f77efd98d5685","unresolved":false,"context_lines":[{"line_number":495,"context_line":"kuryr_port: \"23750\""},{"line_number":496,"context_line":""},{"line_number":497,"context_line":"letsencrypt_webserver_port: \"8081\""},{"line_number":498,"context_line":"letsencrypt_managed_certs: \"{{ \u0027\u0027 if not enable_letsencrypt | bool else (\u0027internal\u0027 if letsencrypt_internal_cert_server !\u003d \u0027\u0027 and kolla_same_external_internal_vip | bool else (\u0027internal,external\u0027 if letsencrypt_internal_cert_server !\u003d \u0027\u0027 and letsencrypt_external_cert_server !\u003d \u0027\u0027 else (\u0027internal\u0027 if letsencrypt_internal_cert_server !\u003d \u0027\u0027 else (\u0027external\u0027 if letsencrypt_external_cert_server !\u003d \u0027\u0027 and not kolla_same_external_internal_vip | bool else \u0027\u0027)))) }}\""},{"line_number":499,"context_line":"letsencrypt_external_cert_server: \"\""},{"line_number":500,"context_line":"letsencrypt_internal_cert_server: \"\""},{"line_number":501,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":16,"id":"d05cccbb_03ecf5be","line":498,"in_reply_to":"5ad022d6_d330a562","updated":"2024-11-07 15:02:05.000000000","message":"Done","commit_id":"3ff3c1717acadfae39b97013158619661afc9e5f"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"48c77792a3097e5d4db1962374c1e01fba5f16b2","unresolved":true,"context_lines":[{"line_number":495,"context_line":"kuryr_port: \"23750\""},{"line_number":496,"context_line":""},{"line_number":497,"context_line":"letsencrypt_webserver_port: \"8081\""},{"line_number":498,"context_line":"letsencrypt_managed_certs: \"{{ \u0027\u0027 if not 
enable_letsencrypt | bool else (\u0027internal\u0027 if letsencrypt_internal_cert_server !\u003d \u0027\u0027 and kolla_same_external_internal_vip | bool else (\u0027internal,external\u0027 if letsencrypt_internal_cert_server !\u003d \u0027\u0027 and letsencrypt_external_cert_server !\u003d \u0027\u0027 else (\u0027internal\u0027 if letsencrypt_internal_cert_server !\u003d \u0027\u0027 else (\u0027external\u0027 if letsencrypt_external_cert_server !\u003d \u0027\u0027 and not kolla_same_external_internal_vip | bool else \u0027\u0027)))) }}\""},{"line_number":499,"context_line":"letsencrypt_external_cert_server: \"\""},{"line_number":500,"context_line":"letsencrypt_internal_cert_server: \"\""},{"line_number":501,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":16,"id":"5ad022d6_d330a562","line":498,"in_reply_to":"dad2b4ef_769a0985","updated":"2024-10-30 15:36:37.000000000","message":"Done","commit_id":"3ff3c1717acadfae39b97013158619661afc9e5f"}],"ansible/roles/certificates/tasks/generate.yml":[{"author":{"_account_id":32657,"name":"Piotr Parczewski","email":"piotr@stackhpc.com","username":"piotrp"},"change_message_id":"491119d1f41c365f75a251eac1949260fd7bc63e","unresolved":true,"context_lines":[{"line_number":67,"context_line":"        dest: \"{{ kolla_external_fqdn_cert }}\""},{"line_number":68,"context_line":"        mode: \"0660\""},{"line_number":69,"context_line":"  when:"},{"line_number":70,"context_line":"    - letsencrypt_managed_certs \u003d\u003d \u0027internal\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027\u0027"},{"line_number":71,"context_line":"    - kolla_enable_tls_external | bool"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"- block:"}],"source_content_type":"text/x-yaml","patch_set":16,"id":"842013d7_277e1f24","line":70,"updated":"2024-10-09 12:55:32.000000000","message":"Feels like the best practice should be one conditional per line? 
How about the below:\n\nletsencrypt_managed_certs !\u003d \u0027external\u0027","commit_id":"3ff3c1717acadfae39b97013158619661afc9e5f"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"cef8055a43c914e3835f57a54b87e79eea148691","unresolved":false,"context_lines":[{"line_number":67,"context_line":"        dest: \"{{ kolla_external_fqdn_cert }}\""},{"line_number":68,"context_line":"        mode: \"0660\""},{"line_number":69,"context_line":"  when:"},{"line_number":70,"context_line":"    - letsencrypt_managed_certs \u003d\u003d \u0027internal\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027\u0027"},{"line_number":71,"context_line":"    - kolla_enable_tls_external | bool"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"- block:"}],"source_content_type":"text/x-yaml","patch_set":16,"id":"b016e949_c0b1077e","line":70,"in_reply_to":"842013d7_277e1f24","updated":"2024-10-09 13:17:27.000000000","message":"letsencrypt_managed_certs: \"internal,external\"    - letsencrypt handles both internal and external certs\nletsencrypt_managed_certs: \"internal\"             - letsencrypt handles internal certs only\nletsencrypt_managed_certs: \"external\"             - letsencrypt handles external certs only\nletsencrypt_managed_certs: \"\"                     - letsencrypt disabled\n\n\n\nNOW \n\n- letsencrypt_managed_certs \u003d\u003d \u0027internal\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027\u0027   \u003d\u003e This will happen if letsencrypt maintains ONLY internal OR letsencrypt is turned off\n\nSUGGESTED:  \n\n- letsencrypt_managed_certs !\u003d \u0027external\u0027     \u003d\u003e This is not OK and WILL NOT work correctly because if letsencrypt_managed_certs \u003d \u0027internal,external\u0027  which fulfills the conditional \n                                                                                  letsencrypt_managed_certs !\u003d 
\u0027external\u0027  it\u0027s of course bad and breaks the logic","commit_id":"3ff3c1717acadfae39b97013158619661afc9e5f"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"b339af9ca93f775ccde09c7d12f929a6e06b0573","unresolved":true,"context_lines":[{"line_number":151,"context_line":"        mode: \"0660\""},{"line_number":152,"context_line":"        state: file"},{"line_number":153,"context_line":"  when:"},{"line_number":154,"context_line":"    - letsencrypt_managed_certs \u003d\u003d \u0027external\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027\u0027 or database_enable_tls_internal | bool"},{"line_number":155,"context_line":"    - kolla_enable_tls_internal | bool or database_enable_tls_internal | bool"},{"line_number":156,"context_line":"    - not kolla_same_external_internal_vip | bool"},{"line_number":157,"context_line":""},{"line_number":158,"context_line":"- name: Creating internal Server PEM File"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"3346ad70_e858ce43","line":155,"range":{"start_line":154,"start_character":0,"end_line":155,"end_character":77},"updated":"2024-11-07 13:02:34.000000000","message":"nit: this can be simplified a tiny bit (omitting one `database_enable_tls_internal` check) by shuffling the logic around, not sure if it\u0027s worth it though.\n\n```suggestion\n    - database_enable_tls_internal | bool or ( letsencrypt_managed_certs \u003d\u003d \u0027external\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027\u0027 and kolla_enable_tls_internal | bool )\n```","commit_id":"28f043a228b3c66785229e399ea7ea1407539b6d"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"412c079017c808f34f2a2e2849d82fb4e46cc764","unresolved":true,"context_lines":[{"line_number":151,"context_line":"        mode: \"0660\""},{"line_number":152,"context_line":"        state: 
file"},{"line_number":153,"context_line":"  when:"},{"line_number":154,"context_line":"    - letsencrypt_managed_certs \u003d\u003d \u0027external\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027\u0027 or database_enable_tls_internal | bool"},{"line_number":155,"context_line":"    - kolla_enable_tls_internal | bool or database_enable_tls_internal | bool"},{"line_number":156,"context_line":"    - not kolla_same_external_internal_vip | bool"},{"line_number":157,"context_line":""},{"line_number":158,"context_line":"- name: Creating internal Server PEM File"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"f5fb23ec_50754568","line":155,"range":{"start_line":154,"start_character":0,"end_line":155,"end_character":77},"in_reply_to":"3346ad70_e858ce43","updated":"2024-11-07 14:20:32.000000000","message":"I understand; originally, it was like this:\n\n```\n- letsencrypt_managed_certs \u003d\u003d \u0027external\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027\u0027\n- kolla_enable_tls_internal | bool\n```\n\nBut when merging \\o/ \u003dTLS\u003d\u003e proxysql \u003dTLS\u003d\u003e mariadb TLS, I added: \n```\nor database_enable_tls_internal | bool\n```\n\n\nAgain, my intention was to make it possible to backport this (even if it had to be in a downstream git… because you would just remove this condition and wouldn’t have to examine the entire changed line). Furthermore, I plan to remove this completely in future commits when I rework the role to simplify it, as I mentioned in the comments above.\n\nThis means that, in the end, it will only be:\n\n```\n- letsencrypt_managed_certs \u003d\u003d \u0027external\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027\u0027\n- kolla_enable_tls_internal | bool\n```\n\nI won’t close this right away, but if you understand and agree… I\u0027ll close it. 
Please confirm this for me.","commit_id":"28f043a228b3c66785229e399ea7ea1407539b6d"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"dc587ad58002efa600113bcc468d3398d194e995","unresolved":false,"context_lines":[{"line_number":151,"context_line":"        mode: \"0660\""},{"line_number":152,"context_line":"        state: file"},{"line_number":153,"context_line":"  when:"},{"line_number":154,"context_line":"    - letsencrypt_managed_certs \u003d\u003d \u0027external\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027\u0027 or database_enable_tls_internal | bool"},{"line_number":155,"context_line":"    - kolla_enable_tls_internal | bool or database_enable_tls_internal | bool"},{"line_number":156,"context_line":"    - not kolla_same_external_internal_vip | bool"},{"line_number":157,"context_line":""},{"line_number":158,"context_line":"- name: Creating internal Server PEM File"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"79e8e87b_9f996f59","line":155,"range":{"start_line":154,"start_character":0,"end_line":155,"end_character":77},"in_reply_to":"f5fb23ec_50754568","updated":"2024-11-07 14:54:31.000000000","message":"Acknowledged","commit_id":"28f043a228b3c66785229e399ea7ea1407539b6d"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"b339af9ca93f775ccde09c7d12f929a6e06b0573","unresolved":true,"context_lines":[{"line_number":166,"context_line":"    - kolla_enable_tls_internal | bool"},{"line_number":167,"context_line":"    - not kolla_same_external_internal_vip | bool"},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"- block:"},{"line_number":170,"context_line":"    - name: Copy Certificate for ProxySQL"},{"line_number":171,"context_line":"      copy:"},{"line_number":172,"context_line":"        src: \"{{ internal_dir }}/internal.crt\""},{"line_number":173,"context_line":"        
dest: \"{{ kolla_certificates_dir }}/proxysql-cert.pem\""},{"line_number":174,"context_line":"        mode: \"0660\""},{"line_number":175,"context_line":""},{"line_number":176,"context_line":"    - name: Copy Key for ProxySQL"},{"line_number":177,"context_line":"      copy:"},{"line_number":178,"context_line":"        src: \"{{ internal_dir }}/internal.key\""},{"line_number":179,"context_line":"        dest: \"{{ kolla_certificates_dir }}/proxysql-key.pem\""},{"line_number":180,"context_line":"        mode: \"0660\""},{"line_number":181,"context_line":"  when:"},{"line_number":182,"context_line":"    - database_enable_tls_internal | bool"},{"line_number":183,"context_line":"    - not kolla_same_external_internal_vip | bool"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"15737afc_e09d1dbc","line":183,"range":{"start_line":169,"start_character":0,"end_line":183,"end_character":49},"updated":"2024-11-07 13:02:34.000000000","message":"this is the same code as in lines 77-90 with the only change being using `internal_dir` instead of `external_dir` when the value of `kolla_same_external_internal_vip` is reversed.\n\nI think this should be simplified to one block which just checks the external/internal vip variable and sets the source path accordingly, avoiding the code duplication and getting rid of one skipped task in the process.\n\ne.g:\n\n\n```suggestion\n- block:\n    - name: Set source directory\n      set_fact:\n        source_dir: \"{{ external_dir if kolla_same_external_internal_vip | bool else internal_dir }}\"\n\n    - name: Copy Certificate for ProxySQL\n      copy:\n        src: \"{{ source_dir }}/{{ \u0027external\u0027 if kolla_same_external_internal_vip | bool else \u0027internal\u0027 }}.crt\"\n        dest: \"{{ kolla_certificates_dir }}/proxysql-cert.pem\"\n        mode: \"0660\"\n\n    - name: Copy Key for ProxySQL\n      copy:\n        src: \"{{ source_dir }}/{{ \u0027external\u0027 if kolla_same_external_internal_vip | bool else 
\u0027internal\u0027 }}.key\"\n        dest: \"{{ kolla_certificates_dir }}/proxysql-key.pem\"\n        mode: \"0660\"\n  when:\n    - database_enable_tls_internal | bool\n```","commit_id":"28f043a228b3c66785229e399ea7ea1407539b6d"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"1b369c083c73fd9c4a5832a0f5aa85ec073a6a6d","unresolved":false,"context_lines":[{"line_number":166,"context_line":"    - kolla_enable_tls_internal | bool"},{"line_number":167,"context_line":"    - not kolla_same_external_internal_vip | bool"},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"- block:"},{"line_number":170,"context_line":"    - name: Copy Certificate for ProxySQL"},{"line_number":171,"context_line":"      copy:"},{"line_number":172,"context_line":"        src: \"{{ internal_dir }}/internal.crt\""},{"line_number":173,"context_line":"        dest: \"{{ kolla_certificates_dir }}/proxysql-cert.pem\""},{"line_number":174,"context_line":"        mode: \"0660\""},{"line_number":175,"context_line":""},{"line_number":176,"context_line":"    - name: Copy Key for ProxySQL"},{"line_number":177,"context_line":"      copy:"},{"line_number":178,"context_line":"        src: \"{{ internal_dir }}/internal.key\""},{"line_number":179,"context_line":"        dest: \"{{ kolla_certificates_dir }}/proxysql-key.pem\""},{"line_number":180,"context_line":"        mode: \"0660\""},{"line_number":181,"context_line":"  when:"},{"line_number":182,"context_line":"    - database_enable_tls_internal | bool"},{"line_number":183,"context_line":"    - not kolla_same_external_internal_vip | bool"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"b409189e_8910c16c","line":183,"range":{"start_line":169,"start_character":0,"end_line":183,"end_character":49},"in_reply_to":"15737afc_e09d1dbc","updated":"2024-11-07 14:12:09.000000000","message":"Same answer – this is code for a bugfix, not a 
rework/refactor of the code. I’ll provide another patch, as you can see, I’m working on it on top, though it’s still not finished.\n\nI’ll also simplify the code for certificate generation because, normally, we generate for HAProxy – internal, external, and then we generate the backend. But I don’t understand why we’re also generating for etcd, ProxySQL, and RabbitMQ... it’s unnecessary and harder to maintain.","commit_id":"28f043a228b3c66785229e399ea7ea1407539b6d"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"dc76a3bd03bc4e51e238fbb727e3837c616336c4","unresolved":false,"context_lines":[{"line_number":166,"context_line":"    - kolla_enable_tls_internal | bool"},{"line_number":167,"context_line":"    - not kolla_same_external_internal_vip | bool"},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"- block:"},{"line_number":170,"context_line":"    - name: Copy Certificate for ProxySQL"},{"line_number":171,"context_line":"      copy:"},{"line_number":172,"context_line":"        src: \"{{ internal_dir }}/internal.crt\""},{"line_number":173,"context_line":"        dest: \"{{ kolla_certificates_dir }}/proxysql-cert.pem\""},{"line_number":174,"context_line":"        mode: \"0660\""},{"line_number":175,"context_line":""},{"line_number":176,"context_line":"    - name: Copy Key for ProxySQL"},{"line_number":177,"context_line":"      copy:"},{"line_number":178,"context_line":"        src: \"{{ internal_dir }}/internal.key\""},{"line_number":179,"context_line":"        dest: \"{{ kolla_certificates_dir }}/proxysql-key.pem\""},{"line_number":180,"context_line":"        mode: \"0660\""},{"line_number":181,"context_line":"  when:"},{"line_number":182,"context_line":"    - database_enable_tls_internal | bool"},{"line_number":183,"context_line":"    - not kolla_same_external_internal_vip | 
bool"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"abcf7636_3072eaed","line":183,"range":{"start_line":169,"start_character":0,"end_line":183,"end_character":49},"in_reply_to":"15737afc_e09d1dbc","updated":"2024-11-07 14:10:09.000000000","message":"will be simplified in another patchset","commit_id":"28f043a228b3c66785229e399ea7ea1407539b6d"}],"ansible/roles/letsencrypt/templates/letsencrypt-lego-run.sh.j2":[{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"f1944390f91b97b35b06eeb3fb465cbe942c171c","unresolved":true,"context_lines":[{"line_number":5,"context_line":"{% if (kolla_external_vip_address !\u003d kolla_internal_vip_address and kolla_external_fqdn !\u003d kolla_external_vip_address) and (letsencrypt_managed_certs \u003d\u003d \u0027external\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027both\u0027) %}"},{"line_number":6,"context_line":"# 1. kolla_external_vip_address !\u003d kolla_internal_vip_address # \u003d\u003e We are using different VIP for internal/external, we need to generate ALSO external certificate"},{"line_number":7,"context_line":"# 2. 
kolla_external_fqdn !\u003d kolla_external_vip_address # \u003d\u003e External fqdn is set and it is not VIP, we need to generate ALSO external certificate"},{"line_number":8,"context_line":"/usr/bin/letsencrypt-certificates --external --fqdns {% for fqdn in letsencrypt_external_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups[\u0027loadbalancer\u0027] %}{{ \u0027api\u0027 | kolla_address(host) | put_address_in_context(\u0027url\u0027) }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} 2\u003e\u00261 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log"},{"line_number":9,"context_line":"{% endif %}"},{"line_number":10,"context_line":"{% if (kolla_external_vip_address \u003d\u003d kolla_internal_vip_address and kolla_internal_fqdn !\u003d kolla_internal_vip_address) and (letsencrypt_managed_certs \u003d\u003d \u0027internal\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027both\u0027) %}"},{"line_number":11,"context_line":"# 1. 
kolla_external_vip_address \u003d\u003d kolla_internal_vip_address # \u003d\u003e We are using same VIP for internal/external, we need to generate ONLY internal certificate"}],"source_content_type":"text/x-jinja2","patch_set":11,"id":"25debd2c_88ade9c8","line":8,"updated":"2024-09-11 05:08:33.000000000","message":"I think readability of that is a drama - can we maybe move that into vars/ or defaults/ and do multiline yaml there, so it\u0027s readable (or do anything else)?","commit_id":"3fb5668ddb9984fa22485b8523d8b68c1ec18f17"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"3154d5a10e1612aa4f5cd5241e5407d2f24e29ec","unresolved":true,"context_lines":[{"line_number":5,"context_line":"{% if (kolla_external_vip_address !\u003d kolla_internal_vip_address and kolla_external_fqdn !\u003d kolla_external_vip_address) and (letsencrypt_managed_certs \u003d\u003d \u0027external\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027both\u0027) %}"},{"line_number":6,"context_line":"# 1. kolla_external_vip_address !\u003d kolla_internal_vip_address # \u003d\u003e We are using different VIP for internal/external, we need to generate ALSO external certificate"},{"line_number":7,"context_line":"# 2. 
kolla_external_fqdn !\u003d kolla_external_vip_address # \u003d\u003e External fqdn is set and it is not VIP, we need to generate ALSO external certificate"},{"line_number":8,"context_line":"/usr/bin/letsencrypt-certificates --external --fqdns {% for fqdn in letsencrypt_external_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups[\u0027loadbalancer\u0027] %}{{ \u0027api\u0027 | kolla_address(host) | put_address_in_context(\u0027url\u0027) }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} 2\u003e\u00261 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log"},{"line_number":9,"context_line":"{% endif %}"},{"line_number":10,"context_line":"{% if (kolla_external_vip_address \u003d\u003d kolla_internal_vip_address and kolla_internal_fqdn !\u003d kolla_internal_vip_address) and (letsencrypt_managed_certs \u003d\u003d \u0027internal\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027both\u0027) %}"},{"line_number":11,"context_line":"# 1. 
kolla_external_vip_address \u003d\u003d kolla_internal_vip_address # \u003d\u003e We are using same VIP for internal/external, we need to generate ONLY internal certificate"}],"source_content_type":"text/x-jinja2","patch_set":11,"id":"9ad11d5a_6b9fe0ef","line":8,"in_reply_to":"25debd2c_88ade9c8","updated":"2024-09-11 06:56:36.000000000","message":"well, that\u0027s the reason why I marked as work in progress :)","commit_id":"3fb5668ddb9984fa22485b8523d8b68c1ec18f17"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"a008a700ea5be88f7a18994dce7bb660cf6e7980","unresolved":false,"context_lines":[{"line_number":5,"context_line":"{% if (kolla_external_vip_address !\u003d kolla_internal_vip_address and kolla_external_fqdn !\u003d kolla_external_vip_address) and (letsencrypt_managed_certs \u003d\u003d \u0027external\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027both\u0027) %}"},{"line_number":6,"context_line":"# 1. kolla_external_vip_address !\u003d kolla_internal_vip_address # \u003d\u003e We are using different VIP for internal/external, we need to generate ALSO external certificate"},{"line_number":7,"context_line":"# 2. 
kolla_external_fqdn !\u003d kolla_external_vip_address # \u003d\u003e External fqdn is set and it is not VIP, we need to generate ALSO external certificate"},{"line_number":8,"context_line":"/usr/bin/letsencrypt-certificates --external --fqdns {% for fqdn in letsencrypt_external_fqdns %}{{ fqdn }}{% if not loop.last %},{% endif %}{% endfor %} --days {{ letsencrypt_cert_valid_days }} --port {{ letsencrypt_webserver_port }} --mail {{ letsencrypt_email }} --acme {{ letsencrypt_cert_server }} --vips {% if not kolla_same_external_internal_vip %}{{ kolla_external_vip_address }},{% endif %}{{ kolla_internal_vip_address }} --haproxies-ssh {% for host in groups[\u0027loadbalancer\u0027] %}{{ \u0027api\u0027 | kolla_address(host) | put_address_in_context(\u0027url\u0027) }}:{{ haproxy_ssh_port }}{% if not loop.last %},{% endif %}{% endfor %} 2\u003e\u00261 | tee -a /var/log/kolla/letsencrypt/letsencrypt-lego.log"},{"line_number":9,"context_line":"{% endif %}"},{"line_number":10,"context_line":"{% if (kolla_external_vip_address \u003d\u003d kolla_internal_vip_address and kolla_internal_fqdn !\u003d kolla_internal_vip_address) and (letsencrypt_managed_certs \u003d\u003d \u0027internal\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027both\u0027) %}"},{"line_number":11,"context_line":"# 1. 
kolla_external_vip_address \u003d\u003d kolla_internal_vip_address # \u003d\u003e We are using same VIP for internal/external, we need to generate ONLY internal certificate"}],"source_content_type":"text/x-jinja2","patch_set":11,"id":"dfe6ed44_51b3aae1","line":8,"in_reply_to":"9ad11d5a_6b9fe0ef","updated":"2024-09-11 14:45:01.000000000","message":"This is actually just two lines..\nBut reworked logic so now it\u0027s really more readable ..just two ifs.","commit_id":"3fb5668ddb9984fa22485b8523d8b68c1ec18f17"}],"ansible/roles/loadbalancer/tasks/precheck.yml":[{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"b5f86d4284f4f84c6a075080440122b4a2b12314","unresolved":true,"context_lines":[{"line_number":74,"context_line":"    fail_msg: \"External haproxy certificate file is not found. It is configured via \u0027kolla_external_fqdn_cert\u0027\""},{"line_number":75,"context_line":"  when:"},{"line_number":76,"context_line":"    - not kolla_externally_managed_cert | bool"},{"line_number":77,"context_line":"    - letsencrypt_managed_certs \u003d\u003d \u0027internal\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027\u0027"},{"line_number":78,"context_line":"    - kolla_enable_tls_external | bool"},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"- name: Checking if internal haproxy certificate exists"}],"source_content_type":"text/x-yaml","patch_set":16,"id":"c2c8c44a_7eeae58e","line":77,"updated":"2024-10-09 08:46:15.000000000","message":"nit: we could make a block for both of these tasks to deduplicate when:","commit_id":"3ff3c1717acadfae39b97013158619661afc9e5f"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"48c77792a3097e5d4db1962374c1e01fba5f16b2","unresolved":false,"context_lines":[{"line_number":74,"context_line":"    fail_msg: \"External haproxy certificate file is not found. 
It is configured via \u0027kolla_external_fqdn_cert\u0027\""},{"line_number":75,"context_line":"  when:"},{"line_number":76,"context_line":"    - not kolla_externally_managed_cert | bool"},{"line_number":77,"context_line":"    - letsencrypt_managed_certs \u003d\u003d \u0027internal\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027\u0027"},{"line_number":78,"context_line":"    - kolla_enable_tls_external | bool"},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"- name: Checking if internal haproxy certificate exists"}],"source_content_type":"text/x-yaml","patch_set":16,"id":"c8c07f6c_1bd2c573","line":77,"in_reply_to":"63894158_63ea847c","updated":"2024-10-30 15:36:37.000000000","message":"Done","commit_id":"3ff3c1717acadfae39b97013158619661afc9e5f"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"1bdb3eb4141192c33aade23efead0dcceae07d03","unresolved":true,"context_lines":[{"line_number":74,"context_line":"    fail_msg: \"External haproxy certificate file is not found. 
It is configured via \u0027kolla_external_fqdn_cert\u0027\""},{"line_number":75,"context_line":"  when:"},{"line_number":76,"context_line":"    - not kolla_externally_managed_cert | bool"},{"line_number":77,"context_line":"    - letsencrypt_managed_certs \u003d\u003d \u0027internal\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027\u0027"},{"line_number":78,"context_line":"    - kolla_enable_tls_external | bool"},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"- name: Checking if internal haproxy certificate exists"}],"source_content_type":"text/x-yaml","patch_set":16,"id":"63894158_63ea847c","line":77,"in_reply_to":"c2c8c44a_7eeae58e","updated":"2024-10-09 08:51:28.000000000","message":"yeah, why not ..it can go into block of course.","commit_id":"3ff3c1717acadfae39b97013158619661afc9e5f"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"b339af9ca93f775ccde09c7d12f929a6e06b0573","unresolved":true,"context_lines":[{"line_number":68,"context_line":"      run_once: true"},{"line_number":69,"context_line":"      assert:"},{"line_number":70,"context_line":"        that: haproxy_cert_file.stat.exists"},{"line_number":71,"context_line":"        fail_msg: \"External haproxy certificate file is not found. It is configured via \u0027kolla_external_fqdn_cert\u0027\""},{"line_number":72,"context_line":"  when:"},{"line_number":73,"context_line":"    - not kolla_externally_managed_cert | bool"},{"line_number":74,"context_line":"    - letsencrypt_managed_certs \u003d\u003d \u0027internal\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027\u0027"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"348aff38_f2b5684b","line":71,"range":{"start_line":71,"start_character":0,"end_line":71,"end_character":2},"updated":"2024-11-07 13:02:34.000000000","message":"nit:\n```suggestion\n        fail_msg: \"ERROR: External haproxy certificate file can\u0027t be found. 
It is configured via \u0027kolla_external_fqdn_cert\u0027\"\n```","commit_id":"28f043a228b3c66785229e399ea7ea1407539b6d"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"b981cb466243356c6f50bdb410e53921770e4601","unresolved":false,"context_lines":[{"line_number":68,"context_line":"      run_once: true"},{"line_number":69,"context_line":"      assert:"},{"line_number":70,"context_line":"        that: haproxy_cert_file.stat.exists"},{"line_number":71,"context_line":"        fail_msg: \"External haproxy certificate file is not found. It is configured via \u0027kolla_external_fqdn_cert\u0027\""},{"line_number":72,"context_line":"  when:"},{"line_number":73,"context_line":"    - not kolla_externally_managed_cert | bool"},{"line_number":74,"context_line":"    - letsencrypt_managed_certs \u003d\u003d \u0027internal\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027\u0027"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"00dcc312_ed38963f","line":71,"range":{"start_line":71,"start_character":0,"end_line":71,"end_character":2},"in_reply_to":"348aff38_f2b5684b","updated":"2024-11-07 14:02:12.000000000","message":"It\u0027s fail_msg and it\u0027s even red in ansible log, i don\u0027t think there is need to add extra ERROR: string. 
If you want to grep in ansible log you can grep \u0027failed\u0027 keyword ...\n\nAlso, I am following common practise in our code as you can see below \n\n```\nansible/roles/iscsi/tasks/precheck.yml:    fail_msg: \u003e\nansible/roles/neutron/tasks/neutron_plugin_agent_check.yml:    fail_msg: \"ML2/OVN agent detected, neutron_plugin_agent is not set to \u0027ovn\u0027, Kolla-Ansible does not support this migration operation.\"\nansible/roles/neutron/tasks/neutron_plugin_agent_check.yml:    fail_msg: \"ML2/OVS agent detected, neutron_plugin_agent is not set to \u0027openvswitch\u0027, Kolla-Ansible does not support this migration operation.\"\nansible/roles/neutron/tasks/precheck.yml:    fail_msg: \"Number of network agents are less than two when enabling agent ha\"\nansible/roles/neutron/tasks/precheck.yml:    fail_msg: \"Tenant network type \u0027{{ item }}\u0027 is not in type drivers [{{ neutron_type_drivers }}]\"\nansible/roles/neutron/tasks/precheck.yml:    fail_msg: \"Ironic must be enabled when using networking-baremetal/ironic-neutron-agent\"\nansible/roles/neutron/tasks/precheck.yml:    fail_msg: \"The neutron_dns_domain value has to be non-empty and must end with a period \u0027.\u0027\"\nansible/roles/octavia/tasks/precheck.yml:    fail_msg: \"Redis must be enabled when using octavia jobboard\"\nansible/roles/prechecks/tasks/host_os_checks.yml:    fail_msg: \u003e-\nansible/roles/prechecks/tasks/host_os_checks.yml:    fail_msg: \u003e-\nansible/roles/prechecks/tasks/inventory_checks.yml:    fail_msg: \u003e-\nansible/roles/prechecks/tasks/package_checks.yml:    fail_msg: \u003e-\nansible/roles/rabbitmq/tasks/precheck.yml:    fail_msg: No TLS certificate provided for RabbitMQ.\nansible/roles/rabbitmq/tasks/precheck.yml:    fail_msg: No TLS key provided for RabbitMQ.\nansible/roles/rabbitmq/tasks/precheck.yml:    fail_msg: No TLS certificate provided for outward RabbitMQ.\nansible/roles/rabbitmq/tasks/precheck.yml:        fail_msg: 
\u003e\nansible/roles/rabbitmq/tasks/precheck.yml:        fail_msg: \u003e\nansible/roles/zun/tasks/precheck.yml:    fail_msg: \"kuryr is required but not enabled\"\nansible/roles/loadbalancer/tasks/precheck.yml:    fail_msg: \"External haproxy certificate file is not found. It is configured via \u0027kolla_external_fqdn_cert\u0027\"\nansible/roles/loadbalancer/tasks/precheck.yml:    fail_msg: \"Internal haproxy certificate file is not found. It is configured via \u0027kolla_internal_fqdn_cert\u0027\"\nansible/roles/loadbalancer/tasks/precheck.yml:    fail_msg: \"Please check the kolla_external_vip_interface property - interface {{ kolla_external_vip_interface }} not found\"\nansible/roles/loadbalancer/tasks/precheck.yml:    fail_msg: \"Please check the kolla_external_vip_interface settings - interface {{ kolla_external_vip_interface }} is not active\"\nansible/roles/letsencrypt/tasks/precheck.yml:    fail_msg: \"Letsencrypt contact email value didn\u0027t pass validation.\"\nroles/multi-node-vxlan-overlay/tasks/main.yml:    fail_msg: \u003e-\n```\n\nClosing this comment, please open new one and we can discuss if we are going to add ERROR: to all fail_msg, probably in new review.","commit_id":"28f043a228b3c66785229e399ea7ea1407539b6d"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"b339af9ca93f775ccde09c7d12f929a6e06b0573","unresolved":true,"context_lines":[{"line_number":87,"context_line":"      run_once: true"},{"line_number":88,"context_line":"      assert:"},{"line_number":89,"context_line":"        that: haproxy_internal_cert_file.stat.exists"},{"line_number":90,"context_line":"        fail_msg: \"Internal haproxy certificate file is not found. 
It is configured via \u0027kolla_internal_fqdn_cert\u0027\""},{"line_number":91,"context_line":"  when:"},{"line_number":92,"context_line":"    - not kolla_externally_managed_cert | bool"},{"line_number":93,"context_line":"    - letsencrypt_managed_certs \u003d\u003d \u0027external\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027\u0027"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"ceb1bb21_38916f69","line":90,"range":{"start_line":90,"start_character":0,"end_line":90,"end_character":2},"updated":"2024-11-07 13:02:34.000000000","message":"nit:\n```suggestion\n        fail_msg: \"ERROR: Internal haproxy certificate file can\u0027t be found. It is configured via \u0027kolla_internal_fqdn_cert\u0027\"\n```","commit_id":"28f043a228b3c66785229e399ea7ea1407539b6d"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"5b819f0e97fa2a6b7433a381379094aadba8520f","unresolved":true,"context_lines":[{"line_number":87,"context_line":"      run_once: true"},{"line_number":88,"context_line":"      assert:"},{"line_number":89,"context_line":"        that: haproxy_internal_cert_file.stat.exists"},{"line_number":90,"context_line":"        fail_msg: \"Internal haproxy certificate file is not found. 
It is configured via \u0027kolla_internal_fqdn_cert\u0027\""},{"line_number":91,"context_line":"  when:"},{"line_number":92,"context_line":"    - not kolla_externally_managed_cert | bool"},{"line_number":93,"context_line":"    - letsencrypt_managed_certs \u003d\u003d \u0027external\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027\u0027"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"b3bba7ae_fad76a09","line":90,"range":{"start_line":90,"start_character":0,"end_line":90,"end_character":2},"in_reply_to":"2876f18d_7bf50388","updated":"2024-11-07 14:02:51.000000000","message":"Ditto","commit_id":"28f043a228b3c66785229e399ea7ea1407539b6d"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"e36df84f7af6daa490bfce8b46970de951e27b72","unresolved":false,"context_lines":[{"line_number":87,"context_line":"      run_once: true"},{"line_number":88,"context_line":"      assert:"},{"line_number":89,"context_line":"        that: haproxy_internal_cert_file.stat.exists"},{"line_number":90,"context_line":"        fail_msg: \"Internal haproxy certificate file is not found. 
It is configured via \u0027kolla_internal_fqdn_cert\u0027\""},{"line_number":91,"context_line":"  when:"},{"line_number":92,"context_line":"    - not kolla_externally_managed_cert | bool"},{"line_number":93,"context_line":"    - letsencrypt_managed_certs \u003d\u003d \u0027external\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027\u0027"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"e81d5530_3dcfa763","line":90,"range":{"start_line":90,"start_character":0,"end_line":90,"end_character":2},"in_reply_to":"b3bba7ae_fad76a09","updated":"2024-11-07 14:03:00.000000000","message":"Done","commit_id":"28f043a228b3c66785229e399ea7ea1407539b6d"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"b981cb466243356c6f50bdb410e53921770e4601","unresolved":true,"context_lines":[{"line_number":87,"context_line":"      run_once: true"},{"line_number":88,"context_line":"      assert:"},{"line_number":89,"context_line":"        that: haproxy_internal_cert_file.stat.exists"},{"line_number":90,"context_line":"        fail_msg: \"Internal haproxy certificate file is not found. 
It is configured via \u0027kolla_internal_fqdn_cert\u0027\""},{"line_number":91,"context_line":"  when:"},{"line_number":92,"context_line":"    - not kolla_externally_managed_cert | bool"},{"line_number":93,"context_line":"    - letsencrypt_managed_certs \u003d\u003d \u0027external\u0027 or letsencrypt_managed_certs \u003d\u003d \u0027\u0027"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"2876f18d_7bf50388","line":90,"range":{"start_line":90,"start_character":0,"end_line":90,"end_character":2},"in_reply_to":"ceb1bb21_38916f69","updated":"2024-11-07 14:02:12.000000000","message":"Ditto","commit_id":"28f043a228b3c66785229e399ea7ea1407539b6d"}],"releasenotes/notes/bug-2076331-f4ef64ad0a12aa85.yaml":[{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"b5f86d4284f4f84c6a075080440122b4a2b12314","unresolved":true,"context_lines":[{"line_number":8,"context_line":"    certificate generation."},{"line_number":9,"context_line":"upgrade:"},{"line_number":10,"context_line":"  - |"},{"line_number":11,"context_line":"    Users who have previously used the Let\u0027s Encrypt role for an"},{"line_number":12,"context_line":"    external certificate generation need to migrate their previous"},{"line_number":13,"context_line":"    default value (or their overridden value) of the variable"},{"line_number":14,"context_line":"    ``letsencrypt_cert_server`` and set it to"}],"source_content_type":"text/x-yaml","patch_set":16,"id":"c886ae43_f80958c4","line":11,"updated":"2024-10-09 08:46:15.000000000","message":"If we want to backport that as a fix - it can\u0027t rely on users adapting their configuration","commit_id":"3ff3c1717acadfae39b97013158619661afc9e5f"},{"author":{"_account_id":27339,"name":"Michal 
Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"48c77792a3097e5d4db1962374c1e01fba5f16b2","unresolved":false,"context_lines":[{"line_number":8,"context_line":"    certificate generation."},{"line_number":9,"context_line":"upgrade:"},{"line_number":10,"context_line":"  - |"},{"line_number":11,"context_line":"    Users who have previously used the Let\u0027s Encrypt role for an"},{"line_number":12,"context_line":"    external certificate generation need to migrate their previous"},{"line_number":13,"context_line":"    default value (or their overridden value) of the variable"},{"line_number":14,"context_line":"    ``letsencrypt_cert_server`` and set it to"}],"source_content_type":"text/x-yaml","patch_set":16,"id":"59b3fb60_691db5f5","line":11,"in_reply_to":"4901515c_45a43923","updated":"2024-10-30 15:36:37.000000000","message":"Done","commit_id":"3ff3c1717acadfae39b97013158619661afc9e5f"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"9ee25c32bf043f7ae282bab6b2a1b12cc6999ff4","unresolved":false,"context_lines":[{"line_number":8,"context_line":"    certificate generation."},{"line_number":9,"context_line":"upgrade:"},{"line_number":10,"context_line":"  - |"},{"line_number":11,"context_line":"    Users who have previously used the Let\u0027s Encrypt role for an"},{"line_number":12,"context_line":"    external certificate generation need to migrate their previous"},{"line_number":13,"context_line":"    default value (or their overridden value) of the variable"},{"line_number":14,"context_line":"    ``letsencrypt_cert_server`` and set it to"}],"source_content_type":"text/x-yaml","patch_set":16,"id":"e1927fbb_d8df0131","line":11,"in_reply_to":"59b3fb60_691db5f5","updated":"2024-12-18 06:54:49.000000000","message":"Well, bug fixes should be backported, I don\u0027t see how this can be backported with forcing users to 
migrate","commit_id":"3ff3c1717acadfae39b97013158619661afc9e5f"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"1bdb3eb4141192c33aade23efead0dcceae07d03","unresolved":true,"context_lines":[{"line_number":8,"context_line":"    certificate generation."},{"line_number":9,"context_line":"upgrade:"},{"line_number":10,"context_line":"  - |"},{"line_number":11,"context_line":"    Users who have previously used the Let\u0027s Encrypt role for an"},{"line_number":12,"context_line":"    external certificate generation need to migrate their previous"},{"line_number":13,"context_line":"    default value (or their overridden value) of the variable"},{"line_number":14,"context_line":"    ``letsencrypt_cert_server`` and set it to"}],"source_content_type":"text/x-yaml","patch_set":16,"id":"4901515c_45a43923","line":11,"in_reply_to":"c886ae43_f80958c4","updated":"2024-10-09 08:51:28.000000000","message":"Well, this logic is bulletproof, but the original is actually a bug itself. 
There\u0027s probably no need to backport this, but it would be good to merge it into the new version.","commit_id":"3ff3c1717acadfae39b97013158619661afc9e5f"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"b339af9ca93f775ccde09c7d12f929a6e06b0573","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"features:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Adds a new variables to be used by the letsencrypt role,"},{"line_number":5,"context_line":"    ``letsencrypt_external_cert_server`` and"},{"line_number":6,"context_line":"    ``letsencrypt_internal_cert_server``, It allows to"},{"line_number":7,"context_line":"    configure ACME server for internal, external"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"daf414c6_9b4cb77a","line":4,"range":{"start_line":4,"start_character":0,"end_line":4,"end_character":2},"updated":"2024-11-07 13:02:34.000000000","message":"nit:\n```suggestion\n    Adds new variables to be used by the letsencrypt role,\n```","commit_id":"28f043a228b3c66785229e399ea7ea1407539b6d"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"dc587ad58002efa600113bcc468d3398d194e995","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"features:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Adds a new variables to be used by the letsencrypt role,"},{"line_number":5,"context_line":"    ``letsencrypt_external_cert_server`` and"},{"line_number":6,"context_line":"    ``letsencrypt_internal_cert_server``, It allows to"},{"line_number":7,"context_line":"    configure ACME server for internal, 
external"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"c33a006a_cc8bbba4","line":4,"range":{"start_line":4,"start_character":0,"end_line":4,"end_character":2},"in_reply_to":"daf414c6_9b4cb77a","updated":"2024-11-07 14:54:31.000000000","message":"Done","commit_id":"28f043a228b3c66785229e399ea7ea1407539b6d"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"b339af9ca93f775ccde09c7d12f929a6e06b0573","unresolved":true,"context_lines":[{"line_number":8,"context_line":"    certificate generation."},{"line_number":9,"context_line":"upgrade:"},{"line_number":10,"context_line":"  - |"},{"line_number":11,"context_line":"    Users who have previously used the Let\u0027s Encrypt role for an"},{"line_number":12,"context_line":"    external certificate generation need to migrate their previous"},{"line_number":13,"context_line":"    default value (or their overridden value) of the variable"},{"line_number":14,"context_line":"    ``letsencrypt_cert_server`` and set it to"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"12d3a3d5_d1fb8c76","line":11,"range":{"start_line":11,"start_character":39,"end_line":11,"end_character":52},"updated":"2024-11-07 13:02:34.000000000","message":"nit: we should keep the names of roles consistent, not sure if it should be \"letsencrypt\" or \"Let\u0027s Encrypt\" (I guess the former would be easier to grep for)","commit_id":"28f043a228b3c66785229e399ea7ea1407539b6d"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"dc587ad58002efa600113bcc468d3398d194e995","unresolved":false,"context_lines":[{"line_number":8,"context_line":"    certificate generation."},{"line_number":9,"context_line":"upgrade:"},{"line_number":10,"context_line":"  - |"},{"line_number":11,"context_line":"    Users who have previously used the Let\u0027s Encrypt role for an"},{"line_number":12,"context_line":"    
external certificate generation need to migrate their previous"},{"line_number":13,"context_line":"    default value (or their overridden value) of the variable"},{"line_number":14,"context_line":"    ``letsencrypt_cert_server`` and set it to"}],"source_content_type":"text/x-yaml","patch_set":25,"id":"98158b44_bcc08fd5","line":11,"range":{"start_line":11,"start_character":39,"end_line":11,"end_character":52},"in_reply_to":"12d3a3d5_d1fb8c76","updated":"2024-11-07 14:54:31.000000000","message":"Done","commit_id":"28f043a228b3c66785229e399ea7ea1407539b6d"}],"releasenotes/notes/fix-internal-tls-when-using-le-6b633cd2086e44c6.yaml":[{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"01e202fbf375e16ffc6bc8d505d982b714dc176f","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"fixes:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Fixes an issue with internal TLS certificate not being copied to HAproxy"},{"line_number":5,"context_line":"    container when Let\u0027s Encrypt is enabled."}],"source_content_type":"text/x-yaml","patch_set":2,"id":"3a1b5fd1_8aa0f8e9","line":5,"range":{"start_line":4,"start_character":1,"end_line":5,"end_character":44},"updated":"2024-08-12 12:48:21.000000000","message":"Please link also to the bug report in the reno:\n\n```suggestion\n    Fixes an issue with internal TLS certificate not being copied to HAproxy\n    container when Let\u0027s Encrypt is enabled.\n    `LP#2076331 \u003chttps://launchpad.net/bugs/2076331\u003e`__\n```","commit_id":"4edb30989c3fe69fd730b8ed9e03542b50b9517b"},{"author":{"_account_id":32553,"name":"Sven 
Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"eedfdefa8a8d8ddcb7db3166735058b5d5f0a37f","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"fixes:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Fixes an issue with internal TLS certificate not being copied to HAproxy"},{"line_number":5,"context_line":"    container when Let\u0027s Encrypt is enabled."}],"source_content_type":"text/x-yaml","patch_set":2,"id":"832e65a5_7a2341fe","line":5,"range":{"start_line":4,"start_character":1,"end_line":5,"end_character":44},"in_reply_to":"3a1b5fd1_8aa0f8e9","updated":"2024-08-13 13:42:22.000000000","message":"Done","commit_id":"4edb30989c3fe69fd730b8ed9e03542b50b9517b"},{"author":{"_account_id":32657,"name":"Piotr Parczewski","email":"piotr@stackhpc.com","username":"piotrp"},"change_message_id":"12d4ed78f39f9cc1a697cfe08036006386e1dc18","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"fixes:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Fixes an issue with internal TLS certificate not being copied to HAproxy"},{"line_number":5,"context_line":"    container when Let\u0027s Encrypt is enabled."}],"source_content_type":"text/x-yaml","patch_set":2,"id":"db40c109_22ac590b","line":5,"range":{"start_line":4,"start_character":1,"end_line":5,"end_character":44},"in_reply_to":"3a1b5fd1_8aa0f8e9","updated":"2024-09-05 10:46:47.000000000","message":"Fix applied.","commit_id":"4edb30989c3fe69fd730b8ed9e03542b50b9517b"}],"tests/templates/globals-default.j2":[{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"b339af9ca93f775ccde09c7d12f929a6e06b0573","unresolved":true,"context_lines":[{"line_number":243,"context_line":""},{"line_number":244,"context_line":"{% if scenario \u003d\u003d \"lets-encrypt\" 
%}"},{"line_number":245,"context_line":"enable_letsencrypt: \"yes\""},{"line_number":246,"context_line":"rabbitmq_enable_tls: \"yes\""},{"line_number":247,"context_line":"letsencrypt_email: \"usero@openstack.test\""},{"line_number":248,"context_line":"letsencrypt_cert_server: \"https://pebble:14000/dir\""},{"line_number":249,"context_line":"kolla_internal_fqdn: \"{{ kolla_internal_fqdn }}\""}],"source_content_type":"text/x-jinja2","patch_set":25,"id":"bbf8a11c_fe83a44d","side":"PARENT","line":246,"range":{"start_line":246,"start_character":0,"end_line":246,"end_character":2},"updated":"2024-11-07 13:02:34.000000000","message":"maybe I missed it, but why is this no longer necessary?","commit_id":"5ebda806715dee836bfb199b3746f14a989a2033"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"5783e1753062fc46102e52dd0c7f05c8846ce52d","unresolved":false,"context_lines":[{"line_number":243,"context_line":""},{"line_number":244,"context_line":"{% if scenario \u003d\u003d \"lets-encrypt\" %}"},{"line_number":245,"context_line":"enable_letsencrypt: \"yes\""},{"line_number":246,"context_line":"rabbitmq_enable_tls: \"yes\""},{"line_number":247,"context_line":"letsencrypt_email: \"usero@openstack.test\""},{"line_number":248,"context_line":"letsencrypt_cert_server: \"https://pebble:14000/dir\""},{"line_number":249,"context_line":"kolla_internal_fqdn: \"{{ kolla_internal_fqdn }}\""}],"source_content_type":"text/x-jinja2","patch_set":25,"id":"72b5a93f_b3196ff7","side":"PARENT","line":246,"range":{"start_line":246,"start_character":0,"end_line":246,"end_character":2},"in_reply_to":"bbf8a11c_fe83a44d","updated":"2024-11-07 13:55:52.000000000","message":"Because if it is in if block for scenario \u003d\u003d \u0027letsencrypt\u0027 it\u0027s rendered twice in globals.yml on CI. (rabbitmq_enable_tls is rendered in scenario for TLS). 
So, if letsencrypt is turned on, TLS is on as well, so this is only for deduplication. No need to have rabbitmq_enable_tls twice in the code.\n\nhttps://aa215ec0c297538f736c-5e9e014bbb914c03e8d5277ea7a5cf3c.ssl.cf1.rackcdn.com/925971/25/check/kolla-ansible-ubuntu-lets-encrypt/58c159a/primary/logs/kolla_configs/globals.yml\n\nCheck globals-default.yml in tests.","commit_id":"5ebda806715dee836bfb199b3746f14a989a2033"}]}
