)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"b7a8f3489af8d9f88c790a4b390c286cb96f946a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"a858c251_af643961","updated":"2025-07-08 09:31:55.000000000","message":"recheck - depends-on patch updated","commit_id":"34bdb05657171d53305408bfb7e8eedc7457befe"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"009694a851f1908516eb0f0596446e7b8df40290","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":8,"id":"5237aa63_5993730b","updated":"2025-07-11 11:42:21.000000000","message":"recheck - depends-on patches updated","commit_id":"6af8b13843293efd6259fa3a8dbdcdbcc3db3f65"}],"defaults/main.yml":[{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"c470e65884d71bb37b7d6a13daf0d8d52e15e0f2","unresolved":true,"context_lines":[{"line_number":383,"context_line":"glance_pki_install_certificates:"},{"line_number":384,"context_line":"  - src: \"{{ glance_user_ssl_cert }}\""},{"line_number":385,"context_line":"    name: \"{{ \u0027glance_\u0027 ~ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":386,"context_line":"    type: \"certificate_chain\""},{"line_number":387,"context_line":"    dest: \"{{ glance_ssl_cert }}\""},{"line_number":388,"context_line":"    owner: \"{{ glance_system_user_name }}\""},{"line_number":389,"context_line":"    group: \"{{ glance_system_user_name }}\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"138910df_1e9a2dc7","line":386,"updated":"2025-07-07 16:12:02.000000000","message":"it would be problematic for hashi_vault backend because it accepts `type` to be either string or a list:\n\nif it\u0027s a string: it just puts a certificate in a specified format 
to the specified destination\nif it\u0027s a list: it combines multiple formats together into the destination file.\n\nin most cases we define the following:\n\n\n```\ntype: certificate\ntype: private_key\ntype: [\u0027certificate\u0027, \u0027ca_chain\u0027]\ntype: ca_chain\n```\n\n\nhttps://opendev.org/openstack/ansible-role-pki/src/commit/00545ffa46446372b0baf7fdb8a4b99e3eb5926a/tasks/hashi_vault/sign_cert.yml#L65-L97","commit_id":"f952ed0ebd6fcf2e3ebbb6f7a85d3ea79d8d163a"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"85c902c2ea3107c05c474c86bb0b409fb37f6605","unresolved":true,"context_lines":[{"line_number":383,"context_line":"glance_pki_install_certificates:"},{"line_number":384,"context_line":"  - src: \"{{ glance_user_ssl_cert }}\""},{"line_number":385,"context_line":"    name: \"{{ \u0027glance_\u0027 ~ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":386,"context_line":"    type: \"certificate_chain\""},{"line_number":387,"context_line":"    dest: \"{{ glance_ssl_cert }}\""},{"line_number":388,"context_line":"    owner: \"{{ glance_system_user_name }}\""},{"line_number":389,"context_line":"    group: \"{{ glance_system_user_name }}\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"73de7873_df18271d","line":386,"in_reply_to":"138910df_1e9a2dc7","updated":"2025-07-07 16:22:00.000000000","message":"potential workaround may be to create some mappings like:\n\n`certificate_chain` (user-input) -\u003e `[\u0027certificate\u0027, \u0027ca_chain\u0027]` (hashi_vault internals), but it\u0027s quite nasty.","commit_id":"f952ed0ebd6fcf2e3ebbb6f7a85d3ea79d8d163a"},{"author":{"_account_id":32666,"name":"Damian 
Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"740495b5eda039e5dc87aa23cc4f7919e6fbb3e9","unresolved":true,"context_lines":[{"line_number":383,"context_line":"glance_pki_install_certificates:"},{"line_number":384,"context_line":"  - src: \"{{ glance_user_ssl_cert }}\""},{"line_number":385,"context_line":"    name: \"{{ \u0027glance_\u0027 ~ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":386,"context_line":"    type: \"certificate_chain\""},{"line_number":387,"context_line":"    dest: \"{{ glance_ssl_cert }}\""},{"line_number":388,"context_line":"    owner: \"{{ glance_system_user_name }}\""},{"line_number":389,"context_line":"    group: \"{{ glance_system_user_name }}\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"6024d625_c899ed5d","line":386,"in_reply_to":"43e2a684_eeee8c59","updated":"2025-07-07 17:40:08.000000000","message":"in openstack context, it\u0027s strictly required when we want to install certificate + ca bundle in the same file (which happens in most of our roles).\n\nbut outside of openstack context, I believe there may be plenty of use cases where people may want to combine multiple cert formats in the same file. 
Sometimes it\u0027s even cert + ca_bundle + private_key.","commit_id":"f952ed0ebd6fcf2e3ebbb6f7a85d3ea79d8d163a"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"f705c9c1ad9f8331b0a74156e80a31aa7d7299a7","unresolved":true,"context_lines":[{"line_number":383,"context_line":"glance_pki_install_certificates:"},{"line_number":384,"context_line":"  - src: \"{{ glance_user_ssl_cert }}\""},{"line_number":385,"context_line":"    name: \"{{ \u0027glance_\u0027 ~ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":386,"context_line":"    type: \"certificate_chain\""},{"line_number":387,"context_line":"    dest: \"{{ glance_ssl_cert }}\""},{"line_number":388,"context_line":"    owner: \"{{ glance_system_user_name }}\""},{"line_number":389,"context_line":"    group: \"{{ glance_system_user_name }}\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"05e81992_848c5f44","line":386,"in_reply_to":"6024d625_c899ed5d","updated":"2025-07-07 18:18:15.000000000","message":"I think we are putting too much of the hashicorp implementation into the externals of the PKI role. 
If we added a different backend with yet another set of semantics then it would all need to be changed again.\n\nIt is probably not actually too bad to implement the mapping that you talk about to go from a single string to the list of parts required in vault.\n\nAdding a type of `certificate_chain` is not so bad imho because it offers an abstraction away from the actual implementation details.","commit_id":"f952ed0ebd6fcf2e3ebbb6f7a85d3ea79d8d163a"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"76153ab33956b6bc10536f3097c70b88efcfd8d3","unresolved":true,"context_lines":[{"line_number":383,"context_line":"glance_pki_install_certificates:"},{"line_number":384,"context_line":"  - src: \"{{ glance_user_ssl_cert }}\""},{"line_number":385,"context_line":"    name: \"{{ \u0027glance_\u0027 ~ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":386,"context_line":"    type: \"certificate_chain\""},{"line_number":387,"context_line":"    dest: \"{{ glance_ssl_cert }}\""},{"line_number":388,"context_line":"    owner: \"{{ glance_system_user_name }}\""},{"line_number":389,"context_line":"    group: \"{{ glance_system_user_name }}\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"43e2a684_eeee8c59","line":386,"in_reply_to":"73de7873_df18271d","updated":"2025-07-07 16:54:31.000000000","message":"Do you have an example of where the list form is required? Is it to replace this? 
https://opendev.org/openstack/openstack-ansible-os_octavia/src/branch/master/tasks/main.yml#L139-L154","commit_id":"f952ed0ebd6fcf2e3ebbb6f7a85d3ea79d8d163a"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"a2a26432ff8fecf3dd7c7f44020fdd463600dde5","unresolved":true,"context_lines":[{"line_number":375,"context_line":"glance_ssl_cert: /etc/glance/glance.pem"},{"line_number":376,"context_line":"glance_ssl_key: /etc/glance/glance.key"},{"line_number":377,"context_line":""},{"line_number":378,"context_line":"# User supplied certificates/keys, provide the path to the files on the deployment host"},{"line_number":379,"context_line":"glance_user_ssl_cert: \"\""},{"line_number":380,"context_line":"glance_user_ssl_key: \"\""},{"line_number":381,"context_line":""},{"line_number":382,"context_line":"# Installation details for SSL certificates"},{"line_number":383,"context_line":"glance_pki_install_certificates:"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"81037433_d2dce377","line":380,"range":{"start_line":378,"start_character":0,"end_line":380,"end_character":23},"updated":"2025-07-24 08:10:30.000000000","message":"these vars are right above already, aren\u0027t they?","commit_id":"cb8bfc2655c5c4a73e0b893e703ddf45ddfc4de4"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"bb88a022ec21e56ae41d46a984acf8d02f259a39","unresolved":true,"context_lines":[{"line_number":375,"context_line":"glance_ssl_cert: /etc/glance/glance.pem"},{"line_number":376,"context_line":"glance_ssl_key: /etc/glance/glance.key"},{"line_number":377,"context_line":""},{"line_number":378,"context_line":"# User supplied certificates/keys, provide the path to the files on the deployment host"},{"line_number":379,"context_line":"glance_user_ssl_cert: \"\""},{"line_number":380,"context_line":"glance_user_ssl_key: 
\"\""},{"line_number":381,"context_line":""},{"line_number":382,"context_line":"# Installation details for SSL certificates"},{"line_number":383,"context_line":"glance_pki_install_certificates:"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"a8daea22_0a483bf5","line":380,"range":{"start_line":378,"start_character":0,"end_line":380,"end_character":23},"in_reply_to":"488ef1b9_8ec50ea4","updated":"2025-07-24 09:59:27.000000000","message":"Then we should drop them on L399-401? Or well - uncomment there instead?","commit_id":"cb8bfc2655c5c4a73e0b893e703ddf45ddfc4de4"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"0e7572161c1f023787d29d8f9db8f703b8037e26","unresolved":true,"context_lines":[{"line_number":375,"context_line":"glance_ssl_cert: /etc/glance/glance.pem"},{"line_number":376,"context_line":"glance_ssl_key: /etc/glance/glance.key"},{"line_number":377,"context_line":""},{"line_number":378,"context_line":"# User supplied certificates/keys, provide the path to the files on the deployment host"},{"line_number":379,"context_line":"glance_user_ssl_cert: \"\""},{"line_number":380,"context_line":"glance_user_ssl_key: \"\""},{"line_number":381,"context_line":""},{"line_number":382,"context_line":"# Installation details for SSL certificates"},{"line_number":383,"context_line":"glance_pki_install_certificates:"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"488ef1b9_8ec50ea4","line":380,"range":{"start_line":378,"start_character":0,"end_line":380,"end_character":23},"in_reply_to":"81037433_d2dce377","updated":"2025-07-24 09:51:04.000000000","message":"the ones above are the installation destination on the target, these are the source location on the deploy host for a user supplied cert/key","commit_id":"cb8bfc2655c5c4a73e0b893e703ddf45ddfc4de4"}],"tasks/main.yml":[{"author":{"_account_id":28619,"name":"Dmitriy 
Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"5dd1ce3df1a84ce692242124c0fdc46796e3eba2","unresolved":true,"context_lines":[{"line_number":108,"context_line":"  vars:"},{"line_number":109,"context_line":"    pki_setup_host: \"{{ glance_pki_setup_host }}\""},{"line_number":110,"context_line":"    pki_dir: \"{{ glance_pki_dir }}\""},{"line_number":111,"context_line":"    pki_create_certificates: \"{{ glance_user_ssl_cert is not defined and glance_user_ssl_key is not defined }}\""},{"line_number":112,"context_line":"    pki_regen_cert: \"{{ glance_pki_regen_cert }}\""},{"line_number":113,"context_line":"    pki_certificates: \"{{ glance_pki_certificates }}\""},{"line_number":114,"context_line":"    pki_install_certificates: \"{{ glance_pki_install_certificates }}\""}],"source_content_type":"text/x-yaml","patch_set":9,"id":"e06f2207_6b6081c7","side":"PARENT","line":111,"range":{"start_line":111,"start_character":0,"end_line":111,"end_character":111},"updated":"2025-07-24 10:32:56.000000000","message":"We probably should not remove this condition? 
As then self-signed certs would still be generated even if we don\u0027t need them and have user-provided ones?","commit_id":"c51c845231a83e69b9b31d5fec16bb71ab5740fd"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"9451bf87a5d3ccb404549e79efd84cbe4da1de00","unresolved":true,"context_lines":[{"line_number":108,"context_line":"  vars:"},{"line_number":109,"context_line":"    pki_setup_host: \"{{ glance_pki_setup_host }}\""},{"line_number":110,"context_line":"    pki_dir: \"{{ glance_pki_dir }}\""},{"line_number":111,"context_line":"    pki_create_certificates: \"{{ glance_user_ssl_cert is not defined and glance_user_ssl_key is not defined }}\""},{"line_number":112,"context_line":"    pki_regen_cert: \"{{ glance_pki_regen_cert }}\""},{"line_number":113,"context_line":"    pki_certificates: \"{{ glance_pki_certificates }}\""},{"line_number":114,"context_line":"    pki_install_certificates: \"{{ glance_pki_install_certificates }}\""}],"source_content_type":"text/x-yaml","patch_set":9,"id":"fd085670_f3561d0a","side":"PARENT","line":111,"range":{"start_line":111,"start_character":0,"end_line":111,"end_character":111},"in_reply_to":"e06f2207_6b6081c7","updated":"2025-07-24 10:34:31.000000000","message":"probably just needs to be changed to checking length or something like that","commit_id":"c51c845231a83e69b9b31d5fec16bb71ab5740fd"}]}
