)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"5f8e7faa_92076bd2","updated":"2025-04-25 13:02:48.000000000","message":"editing pass on documentation. technical side works great!","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"85ba60e5e3c127a53350729f9a53709d4ca22b6c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":14,"id":"b9020b6a_89613630","updated":"2025-05-15 15:50:01.000000000","message":"Had this in a tab on my laptop to review and test.. which I did right before the laptop died.\n\n+2! This is an awesome change and great to have. Thank you","commit_id":"6a600eb981aeda03fb558efa2ba3f38af0fd6b20"}],"encrypt_secrets/README.rst":[{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":2,"context_line":"Encrypting secrets"},{"line_number":3,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"We will describe supported operations and ways to execute in corresponding"},{"line_number":6,"context_line":"sections below."},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"Ansible-Vault"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ca07b80d_ea7f0066","line":6,"range":{"start_line":5,"start_character":0,"end_line":6,"end_character":15},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\nThis document describes the supported operations for encrypting secrets and explains how to perform them using the appropriate tooling.\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":2,"context_line":"Encrypting secrets"},{"line_number":3,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"We will describe supported operations and ways to execute in corresponding"},{"line_number":6,"context_line":"sections below."},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"Ansible-Vault"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":11,"id":"787d1067_edd8d8ab","line":6,"range":{"start_line":5,"start_character":0,"end_line":6,"end_character":15},"in_reply_to":"ca07b80d_ea7f0066","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":8,"context_line":"Ansible-Vault"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"At the moment we do have a tooling for encryption and rotation"},{"line_number":12,"context_line":"of secret files and various keypairs produced by OpenStack-Ansible through"},{"line_number":13,"context_line":"Ansible Vault."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"Role defaults"},{"line_number":16,"context_line":"-------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"73a8038d_8fa287ca","line":13,"range":{"start_line":11,"start_character":0,"end_line":13,"end_character":14},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\nOpenStack-Ansible provides tooling to encrypt and rotate secret files and keypairs using Ansible Vault.\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":8,"context_line":"Ansible-Vault"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"At the moment we do have a tooling for encryption and rotation"},{"line_number":12,"context_line":"of secret files and various keypairs produced by OpenStack-Ansible through"},{"line_number":13,"context_line":"Ansible Vault."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"Role defaults"},{"line_number":16,"context_line":"-------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"c418ee43_7d5b59c0","line":13,"range":{"start_line":11,"start_character":0,"end_line":13,"end_character":14},"in_reply_to":"73a8038d_8fa287ca","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":12,"context_line":"of secret files and various keypairs produced by OpenStack-Ansible through"},{"line_number":13,"context_line":"Ansible Vault."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"Role defaults"},{"line_number":16,"context_line":"-------------"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":".. literalinclude:: ../../encrypt_secrets/roles/ansible_vault/defaults/main.yml"}],"source_content_type":"text/x-rst","patch_set":11,"id":"f1d542c3_2f1d8aa4","line":15,"range":{"start_line":15,"start_character":5,"end_line":15,"end_character":13},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\nRole Defaults\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":12,"context_line":"of secret files and various keypairs produced by OpenStack-Ansible through"},{"line_number":13,"context_line":"Ansible Vault."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"Role defaults"},{"line_number":16,"context_line":"-------------"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":".. literalinclude:: ../../encrypt_secrets/roles/ansible_vault/defaults/main.yml"}],"source_content_type":"text/x-rst","patch_set":11,"id":"09d887f6_250455eb","line":15,"range":{"start_line":15,"start_character":5,"end_line":15,"end_character":13},"in_reply_to":"f1d542c3_2f1d8aa4","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":19,"context_line":"   :language: yaml"},{"line_number":20,"context_line":"   :start-after: under the License."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"Installing collection"},{"line_number":23,"context_line":"---------------------"},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"You can install this collection by defining it in your region deployment"}],"source_content_type":"text/x-rst","patch_set":11,"id":"8ccf27bb_915e8738","line":22,"range":{"start_line":22,"start_character":0,"end_line":22,"end_character":2},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\nInstalling the Collection\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":19,"context_line":"   :language: yaml"},{"line_number":20,"context_line":"   :start-after: under the License."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"Installing collection"},{"line_number":23,"context_line":"---------------------"},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"You can install this collection by defining it in your region deployment"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ca24a4c3_b561d5b5","line":22,"range":{"start_line":22,"start_character":0,"end_line":22,"end_character":2},"in_reply_to":"8ccf27bb_915e8738","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":22,"context_line":"Installing collection"},{"line_number":23,"context_line":"---------------------"},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"You can install this collection by defining it in your region deployment"},{"line_number":26,"context_line":"configuration, specifically in ``/etc/openstack_deploy/user-collection-requirements.yml``"},{"line_number":27,"context_line":"as following:"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":".. code-block:: yaml"},{"line_number":30,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"af6c239a_7498c7ba","line":27,"range":{"start_line":25,"start_character":0,"end_line":27,"end_character":13},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\nTo install the collection, define it in your region deployment configuration file, located at `/etc/openstack_deploy/user-collection-requirements.yml`, as shown below:\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":22,"context_line":"Installing collection"},{"line_number":23,"context_line":"---------------------"},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"You can install this collection by defining it in your region deployment"},{"line_number":26,"context_line":"configuration, specifically in ``/etc/openstack_deploy/user-collection-requirements.yml``"},{"line_number":27,"context_line":"as following:"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":".. code-block:: yaml"},{"line_number":30,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"7e68dc19_5aec74ab","line":27,"range":{"start_line":25,"start_character":0,"end_line":27,"end_character":13},"in_reply_to":"af6c239a_7498c7ba","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":33,"context_line":"    version: master"},{"line_number":34,"context_line":"    source: https://opendev.org/openstack/openstack-ansible-ops#/encrypt_secrets"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Then, running ``./scripts/bootstrap-ansible.sh`` should install the collection."},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"Initial encryption of secret files"},{"line_number":39,"context_line":"----------------------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ce33da32_765ce6a1","line":36,"range":{"start_line":36,"start_character":0,"end_line":36,"end_character":2},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\nThen, run `./scripts/bootstrap-ansible.sh` to install the collection.\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":33,"context_line":"    version: master"},{"line_number":34,"context_line":"    source: https://opendev.org/openstack/openstack-ansible-ops#/encrypt_secrets"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Then, running ``./scripts/bootstrap-ansible.sh`` should install the collection."},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"Initial encryption of secret files"},{"line_number":39,"context_line":"----------------------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"2df776ce_20d6636c","line":36,"range":{"start_line":36,"start_character":0,"end_line":36,"end_character":2},"in_reply_to":"ce33da32_765ce6a1","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Then, running ``./scripts/bootstrap-ansible.sh`` should install the collection."},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"Initial encryption of secret files"},{"line_number":39,"context_line":"----------------------------------"},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"When you initialize the region for the first time, you might want to encrypt"}],"source_content_type":"text/x-rst","patch_set":11,"id":"3bc4f4e1_56a8a8f9","line":38,"range":{"start_line":38,"start_character":0,"end_line":38,"end_character":2},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\nInitial Encryption of Secret Files\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Then, running ``./scripts/bootstrap-ansible.sh`` should install the collection."},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"Initial encryption of secret files"},{"line_number":39,"context_line":"----------------------------------"},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"When you initialize the region for the first time, you might want to encrypt"}],"source_content_type":"text/x-rst","patch_set":11,"id":"dfa5d5ef_d8de3226","line":38,"range":{"start_line":38,"start_character":0,"end_line":38,"end_character":2},"in_reply_to":"3bc4f4e1_56a8a8f9","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":38,"context_line":"Initial encryption of secret files"},{"line_number":39,"context_line":"----------------------------------"},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"When you initialize the region for the first time, you might want to encrypt"},{"line_number":42,"context_line":"secrets and generated private keys before storing them in Git."},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"This process can be run either on the localhost or on the remote deploy"},{"line_number":45,"context_line":"host."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":".. NOTE::"},{"line_number":48,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"83f50a7f_1221f00c","line":45,"range":{"start_line":41,"start_character":0,"end_line":45,"end_character":5},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\nWhen initializing a region for the first time, you should encrypt secrets and generated private keys before storing them in Git. You can perform this process locally or on the deployment host.\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":38,"context_line":"Initial encryption of secret files"},{"line_number":39,"context_line":"----------------------------------"},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"When you initialize the region for the first time, you might want to encrypt"},{"line_number":42,"context_line":"secrets and generated private keys before storing them in Git."},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"This process can be run either on the localhost or on the remote deploy"},{"line_number":45,"context_line":"host."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":".. NOTE::"},{"line_number":48,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"872895e0_9eb82ef1","line":45,"range":{"start_line":41,"start_character":0,"end_line":45,"end_character":5},"in_reply_to":"83f50a7f_1221f00c","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":46,"context_line":""},{"line_number":47,"context_line":".. NOTE::"},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"    You may need to re-run the process whenever new service or keypairs"},{"line_number":50,"context_line":"    are generated, which might happen at later stages of deployment."},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"Encryption on localhost"},{"line_number":53,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":11,"id":"6e60db38_1ff744d3","line":50,"range":{"start_line":49,"start_character":4,"end_line":50,"end_character":68},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\n   You must re-run the encryption process whenever new services or keypairs are generated, which may occur at later deployment stages.\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":46,"context_line":""},{"line_number":47,"context_line":".. NOTE::"},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"    You may need to re-run the process whenever new service or keypairs"},{"line_number":50,"context_line":"    are generated, which might happen at later stages of deployment."},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"Encryption on localhost"},{"line_number":53,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":11,"id":"a555f4cc_4784e19f","line":50,"range":{"start_line":49,"start_character":4,"end_line":50,"end_character":68},"in_reply_to":"6e60db38_1ff744d3","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":49,"context_line":"    You may need to re-run the process whenever new service or keypairs"},{"line_number":50,"context_line":"    are generated, which might happen at later stages of deployment."},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"Encryption on localhost"},{"line_number":53,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"Process of encryption will look quite alike to the generation on the deploy host,"}],"source_content_type":"text/x-rst","patch_set":11,"id":"fd0324d5_ae71cf62","line":52,"range":{"start_line":52,"start_character":0,"end_line":52,"end_character":2},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\nEncrypting Secrets Locally\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":49,"context_line":"    You may need to re-run the process whenever new service or keypairs"},{"line_number":50,"context_line":"    are generated, which might happen at later stages of deployment."},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"Encryption on localhost"},{"line_number":53,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"Process of encryption will look quite alike to the generation on the deploy host,"}],"source_content_type":"text/x-rst","patch_set":11,"id":"09b5d291_98e052ed","line":52,"range":{"start_line":52,"start_character":0,"end_line":52,"end_character":2},"in_reply_to":"fd0324d5_ae71cf62","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":52,"context_line":"Encryption on localhost"},{"line_number":53,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"Process of encryption will look quite alike to the generation on the deploy host,"},{"line_number":56,"context_line":"except some context available only for the OpenStack-Ansible will be unavaliable,"},{"line_number":57,"context_line":"so some variables must be supplied manually. It also assumes that you do have an"},{"line_number":58,"context_line":"existing virtual environment with Ansible installed into it."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"1. Generate a password for the Ansible Vault and store it safely. On deploy"},{"line_number":61,"context_line":"   host that can look like"}],"source_content_type":"text/x-rst","patch_set":11,"id":"b88fd226_abd63454","line":58,"range":{"start_line":55,"start_character":0,"end_line":58,"end_character":60},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\nThe process for encrypting secrets locally is similar to running it on the deploy host, but some context-specific variables required by OpenStack-Ansible may be unavailable and must be supplied manually.\n\nEnsure you have a Python virtual environment with Ansible installed before proceeding.\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":52,"context_line":"Encryption on localhost"},{"line_number":53,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"Process of encryption will look quite alike to the generation on the deploy host,"},{"line_number":56,"context_line":"except some context available only for the OpenStack-Ansible will be unavaliable,"},{"line_number":57,"context_line":"so some variables must be supplied manually. It also assumes that you do have an"},{"line_number":58,"context_line":"existing virtual environment with Ansible installed into it."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"1. Generate a password for the Ansible Vault and store it safely. On deploy"},{"line_number":61,"context_line":"   host that can look like"}],"source_content_type":"text/x-rst","patch_set":11,"id":"df32128c_32a2d3d4","line":58,"range":{"start_line":55,"start_character":0,"end_line":58,"end_character":60},"in_reply_to":"b88fd226_abd63454","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":57,"context_line":"so some variables must be supplied manually. It also assumes that you do have an"},{"line_number":58,"context_line":"existing virtual environment with Ansible installed into it."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"1. Generate a password for the Ansible Vault and store it safely. On deploy"},{"line_number":61,"context_line":"   host that can look like"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":".. code-block:: bash"},{"line_number":64,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"994c1bc5_eea19cf1","line":61,"range":{"start_line":60,"start_character":4,"end_line":61,"end_character":26},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\n1. Generate a password for the Ansible Vault and store it securely:\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":57,"context_line":"so some variables must be supplied manually. It also assumes that you do have an"},{"line_number":58,"context_line":"existing virtual environment with Ansible installed into it."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"1. Generate a password for the Ansible Vault and store it safely. On deploy"},{"line_number":61,"context_line":"   host that can look like"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":".. code-block:: bash"},{"line_number":64,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"6d2ef49b_60b52e74","line":61,"range":{"start_line":60,"start_character":4,"end_line":61,"end_character":26},"in_reply_to":"994c1bc5_eea19cf1","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":64,"context_line":""},{"line_number":65,"context_line":"  pwgen 36 1 \u003e /tmp/vault.secret"},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"2. Run the playbook to encrypt secrets"},{"line_number":68,"context_line":""},{"line_number":69,"context_line":".. code-block:: bash"},{"line_number":70,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"4c5e8265_7279fd4c","line":67,"range":{"start_line":67,"start_character":3,"end_line":67,"end_character":38},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\n2. Run the encryption playbook:\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":64,"context_line":""},{"line_number":65,"context_line":"  pwgen 36 1 \u003e /tmp/vault.secret"},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"2. Run the playbook to encrypt secrets"},{"line_number":68,"context_line":""},{"line_number":69,"context_line":".. code-block:: bash"},{"line_number":70,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"63fdb70e_eac6ec05","line":67,"range":{"start_line":67,"start_character":3,"end_line":67,"end_character":38},"in_reply_to":"4c5e8265_7279fd4c","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":70,"context_line":""},{"line_number":71,"context_line":"  ansible-playbook osa_ops.encrypt_secrets.ansible_vault -e ansible_vault_region\u003d${REGION_NAME} -e ansible_vault_pw\u003d/tmp/vault.secret"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"3. Place the contents of `/tmp/vault.secret` to the deploy host, ie under `/etc/openstack/vault.secret`"},{"line_number":74,"context_line":"4. Define path to the secret in your ``/etc/openstack_deploy/user.rc`` file:"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":".. code-block:: bash"}],"source_content_type":"text/x-rst","patch_set":11,"id":"b8449ee9_492097e1","line":73,"range":{"start_line":73,"start_character":3,"end_line":73,"end_character":103},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\n3. Copy the contents of `/tmp/vault.secret` to the deployment host, for example to `/etc/openstack/vault.secret`.\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":70,"context_line":""},{"line_number":71,"context_line":"  ansible-playbook osa_ops.encrypt_secrets.ansible_vault -e ansible_vault_region\u003d${REGION_NAME} -e ansible_vault_pw\u003d/tmp/vault.secret"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"3. Place the contents of `/tmp/vault.secret` to the deploy host, ie under `/etc/openstack/vault.secret`"},{"line_number":74,"context_line":"4. Define path to the secret in your ``/etc/openstack_deploy/user.rc`` file:"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":".. code-block:: bash"}],"source_content_type":"text/x-rst","patch_set":11,"id":"698a399c_4520231f","line":73,"range":{"start_line":73,"start_character":3,"end_line":73,"end_character":103},"in_reply_to":"b8449ee9_492097e1","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":71,"context_line":"  ansible-playbook osa_ops.encrypt_secrets.ansible_vault -e ansible_vault_region\u003d${REGION_NAME} -e ansible_vault_pw\u003d/tmp/vault.secret"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"3. Place the contents of `/tmp/vault.secret` to the deploy host, ie under `/etc/openstack/vault.secret`"},{"line_number":74,"context_line":"4. Define path to the secret in your ``/etc/openstack_deploy/user.rc`` file:"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":".. code-block:: bash"},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"  export ANSIBLE_VAULT_PASSWORD_FILE\u003d/etc/openstack/vault.secret"}],"source_content_type":"text/x-rst","patch_set":11,"id":"b2f2b096_09c140b5","line":75,"range":{"start_line":74,"start_character":4,"end_line":75,"end_character":1},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\n4. Define the vault secret path in `/etc/openstack_deploy/user.rc`:\n\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":71,"context_line":"  ansible-playbook osa_ops.encrypt_secrets.ansible_vault -e ansible_vault_region\u003d${REGION_NAME} -e ansible_vault_pw\u003d/tmp/vault.secret"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"3. Place the contents of `/tmp/vault.secret` to the deploy host, ie under `/etc/openstack/vault.secret`"},{"line_number":74,"context_line":"4. Define path to the secret in your ``/etc/openstack_deploy/user.rc`` file:"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":".. code-block:: bash"},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"  export ANSIBLE_VAULT_PASSWORD_FILE\u003d/etc/openstack/vault.secret"}],"source_content_type":"text/x-rst","patch_set":11,"id":"e804d2cc_9cf641e5","line":75,"range":{"start_line":74,"start_character":4,"end_line":75,"end_character":1},"in_reply_to":"b2f2b096_09c140b5","updated":"2025-04-25 13:46:35.000000000","message":"Done","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":77,"context_line":""},{"line_number":78,"context_line":"  export ANSIBLE_VAULT_PASSWORD_FILE\u003d/etc/openstack/vault.secret"},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"5. Store the password in your password manager of choice"},{"line_number":81,"context_line":"6. Push changes to your git"},{"line_number":82,"context_line":"7. Don\u0027t forget to decrypt some secrets on the deploy host"},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Encryption on the deployment host"},{"line_number":85,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba27d182_6bbb529c","line":82,"range":{"start_line":80,"start_character":0,"end_line":82,"end_character":58},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\n5. Store the password securely in your preferred password manager.\n6. Push the changes to your Git repository.\n7. Ensure that the deploy host decrypts any required secrets.\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":77,"context_line":""},{"line_number":78,"context_line":"  export ANSIBLE_VAULT_PASSWORD_FILE\u003d/etc/openstack/vault.secret"},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"5. Store the password in your password manager of choice"},{"line_number":81,"context_line":"6. Push changes to your git"},{"line_number":82,"context_line":"7. Don\u0027t forget to decrypt some secrets on the deploy host"},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Encryption on the deployment host"},{"line_number":85,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":11,"id":"d97847cf_f34b71ea","line":82,"range":{"start_line":80,"start_character":0,"end_line":82,"end_character":58},"in_reply_to":"ba27d182_6bbb529c","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":81,"context_line":"6. Push changes to your git"},{"line_number":82,"context_line":"7. Don\u0027t forget to decrypt some secrets on the deploy host"},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Encryption on the deployment host"},{"line_number":85,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"Encryption process on the deploy host will look like this:"}],"source_content_type":"text/x-rst","patch_set":11,"id":"63d17065_24ce92f0","line":84,"range":{"start_line":84,"start_character":0,"end_line":84,"end_character":2},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\nEncrypting Secrets on the Deployment Host\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":81,"context_line":"6. Push changes to your git"},{"line_number":82,"context_line":"7. Don\u0027t forget to decrypt some secrets on the deploy host"},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Encryption on the deployment host"},{"line_number":85,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"Encryption process on the deploy host will look like this:"}],"source_content_type":"text/x-rst","patch_set":11,"id":"a2fdded9_6b6c7ca4","line":84,"range":{"start_line":84,"start_character":0,"end_line":84,"end_character":2},"in_reply_to":"63d17065_24ce92f0","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":84,"context_line":"Encryption on the deployment host"},{"line_number":85,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"Encryption process on the deploy host will look like this:"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"1. Generate a password for the Ansible Vault and store it safely. On deploy"},{"line_number":90,"context_line":"   host that can look like:"}],"source_content_type":"text/x-rst","patch_set":11,"id":"0a385939_baa3623d","line":87,"range":{"start_line":87,"start_character":0,"end_line":87,"end_character":2},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\nFollow these steps to encrypt secrets directly on the deployment host:\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":84,"context_line":"Encryption on the deployment host"},{"line_number":85,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"Encryption process on the deploy host will look like this:"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"1. Generate a password for the Ansible Vault and store it safely. On deploy"},{"line_number":90,"context_line":"   host that can look like:"}],"source_content_type":"text/x-rst","patch_set":11,"id":"158bd2b6_e4de5242","line":87,"range":{"start_line":87,"start_character":0,"end_line":87,"end_character":2},"in_reply_to":"0a385939_baa3623d","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":86,"context_line":""},{"line_number":87,"context_line":"Encryption process on the deploy host will look like this:"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"1. Generate a password for the Ansible Vault and store it safely. On deploy"},{"line_number":90,"context_line":"   host that can look like:"},{"line_number":91,"context_line":""},{"line_number":92,"context_line":".. code-block:: bash"},{"line_number":93,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"95c64e13_bd2213e5","line":90,"range":{"start_line":89,"start_character":1,"end_line":90,"end_character":27},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\n1. Generate a password and store it securely:\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":86,"context_line":""},{"line_number":87,"context_line":"Encryption process on the deploy host will look like this:"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"1. Generate a password for the Ansible Vault and store it safely. On deploy"},{"line_number":90,"context_line":"   host that can look like:"},{"line_number":91,"context_line":""},{"line_number":92,"context_line":".. code-block:: bash"},{"line_number":93,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"617074f3_1c0b0038","line":90,"range":{"start_line":89,"start_character":1,"end_line":90,"end_character":27},"in_reply_to":"95c64e13_bd2213e5","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":93,"context_line":""},{"line_number":94,"context_line":"  pwgen 36 1 \u003e /etc/openstack/vault.secret"},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"2. Define path to the secret in your ``/etc/openstack_deploy/user.rc`` file:"},{"line_number":97,"context_line":""},{"line_number":98,"context_line":".. code-block:: bash"},{"line_number":99,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"7044669d_6ab69190","line":96,"range":{"start_line":96,"start_character":0,"end_line":96,"end_character":2},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\n2. Define the vault secret path in `/etc/openstack_deploy/user.rc`:\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":93,"context_line":""},{"line_number":94,"context_line":"  pwgen 36 1 \u003e /etc/openstack/vault.secret"},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"2. Define path to the secret in your ``/etc/openstack_deploy/user.rc`` file:"},{"line_number":97,"context_line":""},{"line_number":98,"context_line":".. code-block:: bash"},{"line_number":99,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"36f53195_368aea5b","line":96,"range":{"start_line":96,"start_character":0,"end_line":96,"end_character":2},"in_reply_to":"7044669d_6ab69190","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":99,"context_line":""},{"line_number":100,"context_line":"  export ANSIBLE_VAULT_PASSWORD_FILE\u003d/etc/openstack/vault.secret"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"3. Run the playbook"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":".. code-block:: bash"},{"line_number":105,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"6eaee26b_4e2678e3","line":102,"range":{"start_line":102,"start_character":0,"end_line":102,"end_character":2},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\n3. Run the encryption playbook:\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":99,"context_line":""},{"line_number":100,"context_line":"  export ANSIBLE_VAULT_PASSWORD_FILE\u003d/etc/openstack/vault.secret"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"3. Run the playbook"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":".. code-block:: bash"},{"line_number":105,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"35e05c6d_933c04fd","line":102,"range":{"start_line":102,"start_character":0,"end_line":102,"end_character":2},"in_reply_to":"6eaee26b_4e2678e3","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":105,"context_line":""},{"line_number":106,"context_line":"  openstack-ansible osa_ops.encrypt_secrets.ansible_vault"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"4. Push changes for /etc/openstack_deploy to your git."},{"line_number":109,"context_line":"5. Store password for Ansible Vault (`/etc/openstack/vault.secret`) in your password manager."},{"line_number":110,"context_line":"6. Ensure decrypting some secrets back before running any OpenStack playbooks."},{"line_number":111,"context_line":""},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"Decryption of keypairs on deploy host"}],"source_content_type":"text/x-rst","patch_set":11,"id":"9ff48b38_3b29dfc4","line":110,"range":{"start_line":108,"start_character":1,"end_line":110,"end_character":78},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\n4. Commit and push changes to `/etc/openstack_deploy` in your Git repository.\n5. Save the vault password (`/etc/openstack/vault.secret`) in a secure password manager.\n6. Decrypt any necessary secrets before running OpenStack playbooks.\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":105,"context_line":""},{"line_number":106,"context_line":"  openstack-ansible osa_ops.encrypt_secrets.ansible_vault"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"4. Push changes for /etc/openstack_deploy to your git."},{"line_number":109,"context_line":"5. Store password for Ansible Vault (`/etc/openstack/vault.secret`) in your password manager."},{"line_number":110,"context_line":"6. Ensure decrypting some secrets back before running any OpenStack playbooks."},{"line_number":111,"context_line":""},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"Decryption of keypairs on deploy host"}],"source_content_type":"text/x-rst","patch_set":11,"id":"4074e9e9_16d3cbbd","line":110,"range":{"start_line":108,"start_character":1,"end_line":110,"end_character":78},"in_reply_to":"9ff48b38_3b29dfc4","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":110,"context_line":"6. Ensure decrypting some secrets back before running any OpenStack playbooks."},{"line_number":111,"context_line":""},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"Decryption of keypairs on deploy host"},{"line_number":114,"context_line":"-------------------------------------"},{"line_number":115,"context_line":""},{"line_number":116,"context_line":"While OpenStack-Ansible PKI role does not support private keys being stored in"}],"source_content_type":"text/x-rst","patch_set":11,"id":"48734e07_16e97453","line":113,"range":{"start_line":113,"start_character":0,"end_line":113,"end_character":2},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\nDecrypting Keypairs on the Deploy Host\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":110,"context_line":"6. Ensure decrypting some secrets back before running any OpenStack playbooks."},{"line_number":111,"context_line":""},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"Decryption of keypairs on deploy host"},{"line_number":114,"context_line":"-------------------------------------"},{"line_number":115,"context_line":""},{"line_number":116,"context_line":"While OpenStack-Ansible PKI role does not support private keys being stored in"}],"source_content_type":"text/x-rst","patch_set":11,"id":"0607f435_750d3ba6","line":113,"range":{"start_line":113,"start_character":0,"end_line":113,"end_character":2},"in_reply_to":"48734e07_16e97453","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":113,"context_line":"Decryption of keypairs on deploy host"},{"line_number":114,"context_line":"-------------------------------------"},{"line_number":115,"context_line":""},{"line_number":116,"context_line":"While OpenStack-Ansible PKI role does not support private keys being stored in"},{"line_number":117,"context_line":"encrypted format on deploy host, one must configure pipeline to decrypt them"},{"line_number":118,"context_line":"once being placed on the deployment host."},{"line_number":119,"context_line":"Thus, they need to be stored in unencrypted way on deployment host, while they"},{"line_number":120,"context_line":"still be stored as encrypted ones on your git repository."},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"In order to decrypt previously encrypted keypairs you can run following playbook:"},{"line_number":123,"context_line":""},{"line_number":124,"context_line":".. code-block:: bash"},{"line_number":125,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"81c7b132_3bd56ea3","line":122,"range":{"start_line":116,"start_character":0,"end_line":122,"end_character":81},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\nThe OpenStack-Ansible PKI role does not support storing private keys in encrypted format on the deployment host. Instead, configure a pipeline that decrypts the keys after placing them on the deploy host.\n\nEncrypted keypairs should be committed to the Git repository, but stored unencrypted on the deployment host.\n\nTo decrypt them, run the following playbook:\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":113,"context_line":"Decryption of keypairs on deploy host"},{"line_number":114,"context_line":"-------------------------------------"},{"line_number":115,"context_line":""},{"line_number":116,"context_line":"While OpenStack-Ansible PKI role does not support private keys being stored in"},{"line_number":117,"context_line":"encrypted format on deploy host, one must configure pipeline to decrypt them"},{"line_number":118,"context_line":"once being placed on the deployment host."},{"line_number":119,"context_line":"Thus, they need to be stored in unencrypted way on deployment host, while they"},{"line_number":120,"context_line":"still be stored as encrypted ones on your git repository."},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"In order to decrypt previously encrypted keypairs you can run following playbook:"},{"line_number":123,"context_line":""},{"line_number":124,"context_line":".. code-block:: bash"},{"line_number":125,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"c87216ac_20593381","line":122,"range":{"start_line":116,"start_character":0,"end_line":122,"end_character":81},"in_reply_to":"81c7b132_3bd56ea3","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":126,"context_line":"  openstack-ansible osa_ops.encrypt_secrets.ansible_vault -e ansible_vault_action\u003ddecrypt"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"Ansible Vault secret rotation"},{"line_number":130,"context_line":"-----------------------------"},{"line_number":131,"context_line":""},{"line_number":132,"context_line":"From time to time it might be required to rotate Ansible Vault encryption"}],"source_content_type":"text/x-rst","patch_set":11,"id":"f05a7a05_2837110c","line":129,"range":{"start_line":129,"start_character":0,"end_line":129,"end_character":2},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\nRotating the Ansible Vault Secret\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":126,"context_line":"  openstack-ansible osa_ops.encrypt_secrets.ansible_vault -e ansible_vault_action\u003ddecrypt"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"Ansible Vault secret rotation"},{"line_number":130,"context_line":"-----------------------------"},{"line_number":131,"context_line":""},{"line_number":132,"context_line":"From time to time it might be required to rotate Ansible Vault encryption"}],"source_content_type":"text/x-rst","patch_set":11,"id":"4a1bbc89_1169588a","line":129,"range":{"start_line":129,"start_character":0,"end_line":129,"end_character":2},"in_reply_to":"f05a7a05_2837110c","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":129,"context_line":"Ansible Vault secret rotation"},{"line_number":130,"context_line":"-----------------------------"},{"line_number":131,"context_line":""},{"line_number":132,"context_line":"From time to time it might be required to rotate Ansible Vault encryption"},{"line_number":133,"context_line":"key. This operation requires to re-encrypt all data stored in the repository."},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"Assuming, that original key is located at ``/tmp/vault.secret``, process of"},{"line_number":136,"context_line":"the key rotation is the following:"},{"line_number":137,"context_line":""},{"line_number":138,"context_line":"1. Generate a new secret key which will be used for encryption"},{"line_number":139,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"091ae288_c44de0ce","line":136,"range":{"start_line":132,"start_character":0,"end_line":136,"end_character":34},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\nRotating the Ansible Vault password requires re-encrypting all secrets in the repository. Assuming the original password is stored in `/tmp/vault.secret`, follow these steps:\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":129,"context_line":"Ansible Vault secret rotation"},{"line_number":130,"context_line":"-----------------------------"},{"line_number":131,"context_line":""},{"line_number":132,"context_line":"From time to time it might be required to rotate Ansible Vault encryption"},{"line_number":133,"context_line":"key. This operation requires to re-encrypt all data stored in the repository."},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"Assuming, that original key is located at ``/tmp/vault.secret``, process of"},{"line_number":136,"context_line":"the key rotation is the following:"},{"line_number":137,"context_line":""},{"line_number":138,"context_line":"1. Generate a new secret key which will be used for encryption"},{"line_number":139,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"bf31ea00_ea71a67e","line":136,"range":{"start_line":132,"start_character":0,"end_line":136,"end_character":34},"in_reply_to":"091ae288_c44de0ce","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":135,"context_line":"Assuming, that original key is located at ``/tmp/vault.secret``, process of"},{"line_number":136,"context_line":"the key rotation is the following:"},{"line_number":137,"context_line":""},{"line_number":138,"context_line":"1. Generate a new secret key which will be used for encryption"},{"line_number":139,"context_line":""},{"line_number":140,"context_line":".. code-block:: bash"},{"line_number":141,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"b71b1e1d_ea597e90","line":138,"range":{"start_line":138,"start_character":0,"end_line":138,"end_character":2},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\n1. Generate a new vault password/encryption key:\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":135,"context_line":"Assuming, that original key is located at ``/tmp/vault.secret``, process of"},{"line_number":136,"context_line":"the key rotation is the following:"},{"line_number":137,"context_line":""},{"line_number":138,"context_line":"1. Generate a new secret key which will be used for encryption"},{"line_number":139,"context_line":""},{"line_number":140,"context_line":".. code-block:: bash"},{"line_number":141,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"777dd6ae_1f3a05ee","line":138,"range":{"start_line":138,"start_character":0,"end_line":138,"end_character":2},"in_reply_to":"b71b1e1d_ea597e90","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":141,"context_line":""},{"line_number":142,"context_line":"  pwgen 45 1 \u003e /tmp/vault.secret.new"},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"2. Run the playbook in a following way"},{"line_number":145,"context_line":""},{"line_number":146,"context_line":".. code-block:: bash"},{"line_number":147,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"bf500589_a11c328b","line":144,"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\n2. Re-encrypt all secrets using the new password:\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":141,"context_line":""},{"line_number":142,"context_line":"  pwgen 45 1 \u003e /tmp/vault.secret.new"},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"2. Run the playbook in a following way"},{"line_number":145,"context_line":""},{"line_number":146,"context_line":".. code-block:: bash"},{"line_number":147,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"77df3c24_b3778812","line":144,"in_reply_to":"bf500589_a11c328b","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"7aec065ae73c595a72d7ad694dfe4ff8ce1b3fc4","unresolved":true,"context_lines":[{"line_number":147,"context_line":""},{"line_number":148,"context_line":"  ANSIBLE_VAULT_PASSWORD_FILE\u003d/tmp/vault.secret ansible-playbook osa_ops.encrypt_secrets.ansible_vault -e ansible_vault_action\u003drotate"},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"3. Transfer the new key to the deploy host and store it in the password"},{"line_number":151,"context_line":"   manager of the choice."}],"source_content_type":"text/x-rst","patch_set":11,"id":"ba82af41_3477ddf1","line":151,"range":{"start_line":150,"start_character":3,"end_line":151,"end_character":25},"updated":"2025-04-25 13:02:48.000000000","message":"```suggestion\n3. Transfer the new password to the deployment host and store it securely in a password manager.\n```","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"770bdeb9339361290259cd9d617aa71f69957fd8","unresolved":false,"context_lines":[{"line_number":147,"context_line":""},{"line_number":148,"context_line":"  ANSIBLE_VAULT_PASSWORD_FILE\u003d/tmp/vault.secret ansible-playbook osa_ops.encrypt_secrets.ansible_vault -e ansible_vault_action\u003drotate"},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"3. Transfer the new key to the deploy host and store it in the password"},{"line_number":151,"context_line":"   manager of the choice."}],"source_content_type":"text/x-rst","patch_set":11,"id":"3b8bfe16_f8f70324","line":151,"range":{"start_line":150,"start_character":3,"end_line":151,"end_character":25},"in_reply_to":"ba82af41_3477ddf1","updated":"2025-04-25 13:46:35.000000000","message":"Fix applied.","commit_id":"57e61659e4a3def78c60026111ce9f3eb2ca05ad"}]}