)]}'
{"defaults/main.yml":[{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"a02f8dda5e11a0dbe75942b94429cf73a3e4b79d","unresolved":true,"context_lines":[{"line_number":84,"context_line":"haproxy_ssl: true"},{"line_number":85,"context_line":"haproxy_ssl_all_vips: false"},{"line_number":86,"context_line":"haproxy_ssl_dh_param: 2048"},{"line_number":87,"context_line":"haproxy_ssl_cert_path: /etc/ssl/certs/"},{"line_number":88,"context_line":"haproxy_ssl_ca_path: /etc/ssl/private/"},{"line_number":89,"context_line":"haproxy_ssl_cipher_suite: \"{{ ssl_cipher_suite | default(\u0027ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS\u0027) }}\""},{"line_number":90,"context_line":"haproxy_ssl_bind_options: \"force-tlsv12\""},{"line_number":91,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":9,"id":"eff5e03a_b47c1d14","line":88,"range":{"start_line":87,"start_character":0,"end_line":88,"end_character":38},"updated":"2021-06-24 13:23:33.000000000","message":"i think we should probably make this like https://github.com/openstack/openstack-ansible-rabbitmq_server/blob/master/defaults/main.yml#L160-L181 so that there is a dedicated directory just for haproxy certs/keys.\n\nthere will then become other similar dirs alongside as other services get certs","commit_id":"22b9b990ddccd2dfa750a84f4bc2db478768e482"}],"handlers/main.yml":[{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"2abfd278765bfd7e2916ae17f5e60298f91543a4","unresolved":true,"context_lines":[{"line_number":13,"context_line":"# See the License for the specific language governing permissions and"},{"line_number":14,"context_line":"# limitations under the License."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"- name: regen 
pem"},{"line_number":17,"context_line":"  shell: \u003e"},{"line_number":18,"context_line":"    cat {{ haproxy_ssl_cert_path ~ \u0027haproxy_\u0027 ~ ansible_facts[\u0027hostname\u0027] ~ \u0027-\u0027 ~ item  ~ \u0027.crt\u0027 }} {{ haproxy_ssl_cert_path ~ \u0027haproxy_\u0027 ~ ansible_facts[\u0027hostname\u0027] ~ \u0027-\u0027 ~ item  ~ \u0027-ca.crt\u0027) }} {{ haproxy_ssl_key_path ~ \u0027haproxy_\u0027 ~ ansible_facts[\u0027hostname\u0027] ~ \u0027-\u0027 ~ item  ~ \u0027.key\u0027 }} \u003e {{ haproxy_ssl_key_path ~ \u0027haproxy_\u0027 ~ ansible_facts[\u0027hostname\u0027] ~ \u0027-\u0027 ~ item  ~ \u0027.pem\u0027 }}"},{"line_number":19,"context_line":"  notify: Reload haproxy"},{"line_number":20,"context_line":"  with_items: \"{{ _haproxy_tls_vip_binds }}\""},{"line_number":21,"context_line":"  listen:"},{"line_number":22,"context_line":"    - cert installed"},{"line_number":23,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"06cfbcce_270a5dfc","line":20,"range":{"start_line":16,"start_character":0,"end_line":20,"end_character":44},"updated":"2021-06-18 13:09:59.000000000","message":"Will also be necessary to update this https://github.com/openstack/openstack-ansible-haproxy_server/blob/master/templates/haproxy.cfg.j2#L43 to pick up the right filename in the config file","commit_id":"0458ac5e3ef1d480859621d41757fc4d7a1a7ff9"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"9f6bcfee507012b10136f94df3567ebf1420f32a","unresolved":true,"context_lines":[{"line_number":13,"context_line":"# See the License for the specific language governing permissions and"},{"line_number":14,"context_line":"# limitations under the License."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"- name: regen pem"},{"line_number":17,"context_line":"  shell: \u003e"},{"line_number":18,"context_line":"    cat {{ haproxy_ssl_cert_path ~ 
\u0027haproxy_\u0027 ~ ansible_facts[\u0027hostname\u0027] ~ \u0027-\u0027 ~ item  ~ \u0027.crt\u0027 }} {{ haproxy_ssl_cert_path ~ \u0027haproxy_\u0027 ~ ansible_facts[\u0027hostname\u0027] ~ \u0027-\u0027 ~ item  ~ \u0027-ca.crt\u0027) }} {{ haproxy_ssl_key_path ~ \u0027haproxy_\u0027 ~ ansible_facts[\u0027hostname\u0027] ~ \u0027-\u0027 ~ item  ~ \u0027.key\u0027 }} \u003e {{ haproxy_ssl_key_path ~ \u0027haproxy_\u0027 ~ ansible_facts[\u0027hostname\u0027] ~ \u0027-\u0027 ~ item  ~ \u0027.pem\u0027 }}"},{"line_number":19,"context_line":"  notify: Reload haproxy"},{"line_number":20,"context_line":"  with_items: \"{{ _haproxy_tls_vip_binds }}\""},{"line_number":21,"context_line":"  listen:"},{"line_number":22,"context_line":"    - cert installed"},{"line_number":23,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"21255d20_0907524b","line":20,"range":{"start_line":16,"start_character":0,"end_line":20,"end_character":44},"in_reply_to":"06cfbcce_270a5dfc","updated":"2021-06-18 13:22:49.000000000","message":"oh, yes.. and it\u0027s a bit tough in terms what cert to pick 😞 I guess internalip would be fair choice.","commit_id":"0458ac5e3ef1d480859621d41757fc4d7a1a7ff9"}],"tasks/haproxy_ssl.yml":[{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"2abfd278765bfd7e2916ae17f5e60298f91543a4","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"# Copyright 2015, Rackspace US, Inc."},{"line_number":3,"context_line":"#"},{"line_number":4,"context_line":"# Licensed under the Apache License, Version 2.0 (the \"License\");"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"b1879281_8539ff74","side":"PARENT","line":1,"updated":"2021-06-18 13:09:59.000000000","message":"does this task move somewhere? 
maybe missing changes to tasks/main.yml from the review?","commit_id":"834b2927a70ff0482cc4066f6797ab89240da47c"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"9f6bcfee507012b10136f94df3567ebf1420f32a","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"# Copyright 2015, Rackspace US, Inc."},{"line_number":3,"context_line":"#"},{"line_number":4,"context_line":"# Licensed under the Apache License, Version 2.0 (the \"License\");"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"f690cf39_af16f4c9","side":"PARENT","line":1,"in_reply_to":"b1879281_8539ff74","updated":"2021-06-18 13:22:49.000000000","message":"It hasn\u0027t been included anywhere. Instead it\u0027s just in main.yml https://opendev.org/openstack/openstack-ansible-haproxy_server/src/branch/master/tasks/main.yml#L36-L50\n\nDunno when this has happened, but we need to pick one option (whatever it will be)","commit_id":"834b2927a70ff0482cc4066f6797ab89240da47c"}],"vars/main.yml":[{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"2abfd278765bfd7e2916ae17f5e60298f91543a4","unresolved":true,"context_lines":[{"line_number":54,"context_line":"  %}"},{"line_number":55,"context_line":"  {% set _ \u003d _pki_install.append("},{"line_number":56,"context_line":"      {"},{"line_number":57,"context_line":"        \u0027src\u0027: haproxy_user_ssl_cert | default(haproxy_pki_certs_path ~ _cert_basename ~ \u0027.pem\u0027),"},{"line_number":58,"context_line":"        \u0027dest\u0027: haproxy_ssl_key_path ~ _cert_basename  ~ \u0027.key\u0027,"},{"line_number":59,"context_line":"        \u0027owner\u0027: \u0027root\u0027,"},{"line_number":60,"context_line":"        \u0027group\u0027: 
\u0027root\u0027,"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"01bbbb98_e3886924","line":57,"range":{"start_line":57,"start_character":15,"end_line":57,"end_character":36},"updated":"2021-06-18 13:09:59.000000000","message":"should this be the key?","commit_id":"0458ac5e3ef1d480859621d41757fc4d7a1a7ff9"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"9f6bcfee507012b10136f94df3567ebf1420f32a","unresolved":true,"context_lines":[{"line_number":54,"context_line":"  %}"},{"line_number":55,"context_line":"  {% set _ \u003d _pki_install.append("},{"line_number":56,"context_line":"      {"},{"line_number":57,"context_line":"        \u0027src\u0027: haproxy_user_ssl_cert | default(haproxy_pki_certs_path ~ _cert_basename ~ \u0027.pem\u0027),"},{"line_number":58,"context_line":"        \u0027dest\u0027: haproxy_ssl_key_path ~ _cert_basename  ~ \u0027.key\u0027,"},{"line_number":59,"context_line":"        \u0027owner\u0027: \u0027root\u0027,"},{"line_number":60,"context_line":"        \u0027group\u0027: \u0027root\u0027,"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"6e792d14_fdc34945","line":57,"range":{"start_line":57,"start_character":15,"end_line":57,"end_character":36},"in_reply_to":"01bbbb98_e3886924","updated":"2021-06-18 13:22:49.000000000","message":"well, this is a good question, as we also need to somehow deploy user-provided certs. So with this change we copy the same certs for each IP. I think we can separate or re-think the way of providing user certs (to be able to provide different ones per private/public vip) as step 2?","commit_id":"0458ac5e3ef1d480859621d41757fc4d7a1a7ff9"}]}
