)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":32755,"name":"Christian Rohmann","email":"christian.rohmann@inovex.de","username":"frittentheke"},"change_message_id":"6d5ddd42b23a461230440d58758f36d8b4084517","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"2b288056_9fc83997","updated":"2023-08-07 09:35:07.000000000","message":"We ourselves use a dedicated PKI for Prometheus and its exporters.\nThis change add support to configure that via\n\na) a dedicated serving cert for stats\nb) support for enabling client cert authentication on the stats endpoint","commit_id":"3b9c8214518e474878c7386f93575c8518b316f3"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"4544c8e50329710e9217e20462686bf2caa5f38b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"b99961e5_2cfd2544","updated":"2023-09-27 08:11:43.000000000","message":"I believe that linters failure is unrelated to the patch. 
We\u0027re checking on that","commit_id":"d675e0559037fc8139dc82e9ad87e7915e98c3cf"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"a1b23157ac891f9195f7f67611d67c6231c3c692","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"e6faf962_69cf90e9","updated":"2023-09-28 16:03:45.000000000","message":"recheck - rocky9 timeout","commit_id":"04a8f8532a4234adbf90cc8afa3b57c93935d4db"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"3cad5f2c8da3a5b2730556729af523b43aa6214f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"ad645bcc_f1cb12e3","updated":"2023-10-05 14:15:33.000000000","message":"recheck rocky tls timeout","commit_id":"04a8f8532a4234adbf90cc8afa3b57c93935d4db"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"106a56bc52f76dd77ddb7fe6af926b4e05c36aad","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"68c97d78_83d7f818","updated":"2023-10-06 16:04:59.000000000","message":"recheck rocky upgrade job","commit_id":"04a8f8532a4234adbf90cc8afa3b57c93935d4db"},{"author":{"_account_id":32755,"name":"Christian Rohmann","email":"christian.rohmann@inovex.de","username":"frittentheke"},"change_message_id":"b05800c89f870c8a2cd83d96a40e040bf12aa488","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"9387033f_9cd1c5e5","updated":"2023-10-16 19:12:00.000000000","message":"recheck rocky upgrade job","commit_id":"04a8f8532a4234adbf90cc8afa3b57c93935d4db"}],"defaults/main.yml":[{"author":{"_account_id":28619,"name":"Dmitriy 
Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"64dc93f5a6dd6b17079e92b8a570405a768de92e","unresolved":true,"context_lines":[{"line_number":31,"context_line":"haproxy_stats_bind_address: 127.0.0.1"},{"line_number":32,"context_line":"haproxy_stats_port: 1936"},{"line_number":33,"context_line":"haproxy_stats_ssl: \"{{ haproxy_ssl }}\""},{"line_number":34,"context_line":"haproxy_stats_ssl_cert_path: \"{{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts[\u0027hostname\u0027] }}-{{ haproxy_bind_internal_lb_vip_address }}.pem\""},{"line_number":35,"context_line":"# haproxy_stats_ssl_client_cert_ca: \"{{ haproxy_ssl_cert_path }}/somecustomrootca.pem\""},{"line_number":36,"context_line":"haproxy_username: admin"},{"line_number":37,"context_line":"haproxy_stats_password: secrete"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"10e4efcc_085b1272","line":34,"range":{"start_line":34,"start_character":58,"end_line":34,"end_character":144},"updated":"2023-08-07 09:49:56.000000000","message":"I think it\u0027s incomplete, as in case of binding to the interface, the path would be different.\nCheck the logic of haproxy cert name here:\nhttps://opendev.org/openstack/openstack-ansible-haproxy_server/src/commit/97390e88e06557f3bafd68661c960ff5f94e024d/handlers/main.yml#L22-L23","commit_id":"3b9c8214518e474878c7386f93575c8518b316f3"},{"author":{"_account_id":32755,"name":"Christian Rohmann","email":"christian.rohmann@inovex.de","username":"frittentheke"},"change_message_id":"76618a3e99e5d11b6eb92c5b86f6619c2c4dac0f","unresolved":true,"context_lines":[{"line_number":31,"context_line":"haproxy_stats_bind_address: 127.0.0.1"},{"line_number":32,"context_line":"haproxy_stats_port: 1936"},{"line_number":33,"context_line":"haproxy_stats_ssl: \"{{ haproxy_ssl }}\""},{"line_number":34,"context_line":"haproxy_stats_ssl_cert_path: \"{{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts[\u0027hostname\u0027] }}-{{ 
haproxy_bind_internal_lb_vip_address }}.pem\""},{"line_number":35,"context_line":"# haproxy_stats_ssl_client_cert_ca: \"{{ haproxy_ssl_cert_path }}/somecustomrootca.pem\""},{"line_number":36,"context_line":"haproxy_username: admin"},{"line_number":37,"context_line":"haproxy_stats_password: secrete"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"4512ac75_4c4432f7","line":34,"range":{"start_line":34,"start_character":58,"end_line":34,"end_character":144},"in_reply_to":"10e4efcc_085b1272","updated":"2023-08-26 17:58:38.000000000","message":"As you can see, I simply moved the \"static\" path from the config to a variable which could be set, but there was no logic there.\n\nCould you maybe explain the logic behind https://opendev.org/openstack/openstack-ansible-haproxy_server/src/commit/97390e88e06557f3bafd68661c960ff5f94e024d/handlers/main.yml#L22-L23 a little more so that I can understand it? I will then gladly make the adjustment to this change here.","commit_id":"3b9c8214518e474878c7386f93575c8518b316f3"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"d3d7c37eff0a53bf4b6a491e089fac65daaa9ba5","unresolved":true,"context_lines":[{"line_number":31,"context_line":"haproxy_stats_bind_address: 127.0.0.1"},{"line_number":32,"context_line":"haproxy_stats_port: 1936"},{"line_number":33,"context_line":"haproxy_stats_ssl: \"{{ haproxy_ssl }}\""},{"line_number":34,"context_line":"haproxy_stats_ssl_cert_path: \"{{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts[\u0027hostname\u0027] }}-{{ haproxy_bind_internal_lb_vip_address }}.pem\""},{"line_number":35,"context_line":"# haproxy_stats_ssl_client_cert_ca: \"{{ haproxy_ssl_cert_path }}/somecustomrootca.pem\""},{"line_number":36,"context_line":"haproxy_username: admin"},{"line_number":37,"context_line":"haproxy_stats_password: 
secrete"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"45639371_fedd9808","line":34,"range":{"start_line":34,"start_character":58,"end_line":34,"end_character":144},"in_reply_to":"4512ac75_4c4432f7","updated":"2023-08-29 11:41:29.000000000","message":"So there might be a use case where `haproxy_bind_internal_lb_vip_address: *` and `haproxy_bind_external_lb_vip_address: *`.\n\nThen, to properly bind haproxy, the user defines an interface. Then, in order to distinguish internal/external certs, we add the interface name to the resulting path.\n\nBy default `interface` is not defined, so it is necessary to check for its existence among the keys and add it if it\u0027s present.\n\nIn your code the interface is ignored, so if it is provided, the path for the certificate will differ from the actual one.","commit_id":"3b9c8214518e474878c7386f93575c8518b316f3"}]}
