)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"f05b5fa998835393b88d1e9883ffb609ff77cd51","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"1afeb721_8e0c5de0","updated":"2025-07-29 15:23:03.000000000","message":"recheck","commit_id":"86093ca16d3ed55b10bab259101bb114ab050da8"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"d714c23b73f8dd8709cc6dbd989d94db7668ae04","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":8,"id":"17a10921_cd3d95c1","updated":"2025-08-05 13:55:28.000000000","message":"recheck - dependent patches were updated","commit_id":"f62580da7f87e09e146156dc0d2ed71e855ba0dc"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"5f01b9be88a2f85a2a116608293bc5ed6f52e256","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"a05620db_655ea6a0","updated":"2025-09-25 12:06:47.000000000","message":"I\u0027d still prefer a better readability for `san` given it\u0027s now a proper YAML mapping, but I think it\u0027s good otherwise?","commit_id":"9470837e5da64ad8c342078361f6750a277db01b"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"fda3b9ad1b21017dc6689c5aa0aea051a9fdf1c8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"d1cf1156_3a2b67c9","updated":"2025-09-26 12:45:39.000000000","message":"I think it lgtm","commit_id":"77e79e8c4f3f520ae1283ce777c34ce2bec0d975"},{"author":{"_account_id":32666,"name":"Damian 
Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"3fb3ac30b43b5536bbdee5be27c0a1b3064e999b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"9c379eda_18791ffd","updated":"2025-10-09 13:54:20.000000000","message":"recheck","commit_id":"576090fa6606c10a10b78e4db5195f16eb04b637"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"499d7ad7211479318fe1124d0d3ffce842dc34e5","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"f2eb7d34_f3923bf9","updated":"2025-10-09 19:27:15.000000000","message":"recheck - parent change passed CI jobs","commit_id":"576090fa6606c10a10b78e4db5195f16eb04b637"}],"defaults/main.yml":[{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"b09ec0285b5999ce373ff027ff3596f5560d5617","unresolved":true,"context_lines":[{"line_number":733,"context_line":"    src: \"{{ neutron_user_ssl_cert | default(neutron_pki_certs_path ~ \u0027neutron_\u0027 ~ ansible_facts[\u0027hostname\u0027] ~ \u0027-chain.crt\u0027) }}\""},{"line_number":734,"context_line":"    # hashi_vault backend only"},{"line_number":735,"context_line":"    cert: \"neutron_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":736,"context_line":"    type: [\u0027certificate\u0027, \u0027ca_chain\u0027]"},{"line_number":737,"context_line":"  - dest: \"{{ neutron_ssl_key }}\""},{"line_number":738,"context_line":"    owner: \"{{ neutron_system_user_name }}\""},{"line_number":739,"context_line":"    group: \"{{ neutron_system_user_name }}\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"d0de0170_f20f8695","line":736,"range":{"start_line":736,"start_character":0,"end_line":736,"end_character":37},"updated":"2025-07-07 16:59:20.000000000","message":"why is the type cert + ca_chain with the vault backend 
but only the -chain form with the standalone backend?","commit_id":"736a1ceb71fe1844990685b65f67e92485c28553"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"2b7a3d397b0baf5757544a492951aa11d2281365","unresolved":true,"context_lines":[{"line_number":733,"context_line":"    src: \"{{ neutron_user_ssl_cert | default(neutron_pki_certs_path ~ \u0027neutron_\u0027 ~ ansible_facts[\u0027hostname\u0027] ~ \u0027-chain.crt\u0027) }}\""},{"line_number":734,"context_line":"    # hashi_vault backend only"},{"line_number":735,"context_line":"    cert: \"neutron_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":736,"context_line":"    type: [\u0027certificate\u0027, \u0027ca_chain\u0027]"},{"line_number":737,"context_line":"  - dest: \"{{ neutron_ssl_key }}\""},{"line_number":738,"context_line":"    owner: \"{{ neutron_system_user_name }}\""},{"line_number":739,"context_line":"    group: \"{{ neutron_system_user_name }}\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"b3e26743_ec2deeeb","line":736,"range":{"start_line":736,"start_character":0,"end_line":736,"end_character":37},"in_reply_to":"2e6d847e_760036ec","updated":"2025-07-07 17:37:24.000000000","message":"while in hashivault API, \u0027ca_chain\u0027 does not include the certificate itself(which is a more reasonable behavior).","commit_id":"736a1ceb71fe1844990685b65f67e92485c28553"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"94bda19272c35c44719fafbefa14d85c0d9bbd9d","unresolved":false,"context_lines":[{"line_number":733,"context_line":"    src: \"{{ neutron_user_ssl_cert | default(neutron_pki_certs_path ~ \u0027neutron_\u0027 ~ ansible_facts[\u0027hostname\u0027] ~ \u0027-chain.crt\u0027) }}\""},{"line_number":734,"context_line":"    # hashi_vault backend only"},{"line_number":735,"context_line":"    cert: \"neutron_{{ 
ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":736,"context_line":"    type: [\u0027certificate\u0027, \u0027ca_chain\u0027]"},{"line_number":737,"context_line":"  - dest: \"{{ neutron_ssl_key }}\""},{"line_number":738,"context_line":"    owner: \"{{ neutron_system_user_name }}\""},{"line_number":739,"context_line":"    group: \"{{ neutron_system_user_name }}\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"efea3c56_70e4a469","line":736,"range":{"start_line":736,"start_character":0,"end_line":736,"end_character":37},"in_reply_to":"59c1c2ef_30f36766","updated":"2026-03-16 19:29:58.000000000","message":"Done","commit_id":"736a1ceb71fe1844990685b65f67e92485c28553"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"9bc7ca0097fbab8a461e956f5c886e3d7993e464","unresolved":true,"context_lines":[{"line_number":733,"context_line":"    src: \"{{ neutron_user_ssl_cert | default(neutron_pki_certs_path ~ \u0027neutron_\u0027 ~ ansible_facts[\u0027hostname\u0027] ~ \u0027-chain.crt\u0027) }}\""},{"line_number":734,"context_line":"    # hashi_vault backend only"},{"line_number":735,"context_line":"    cert: \"neutron_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":736,"context_line":"    type: [\u0027certificate\u0027, \u0027ca_chain\u0027]"},{"line_number":737,"context_line":"  - dest: \"{{ neutron_ssl_key }}\""},{"line_number":738,"context_line":"    owner: \"{{ neutron_system_user_name }}\""},{"line_number":739,"context_line":"    group: \"{{ neutron_system_user_name }}\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"59c1c2ef_30f36766","line":736,"range":{"start_line":736,"start_character":0,"end_line":736,"end_character":37},"in_reply_to":"ad7e4ee1_542f8367","updated":"2025-07-21 22:34:29.000000000","message":"but we implemented `certificate_chain` here, so we\u0027re good I think? 
https://review.opendev.org/c/openstack/ansible-role-pki/+/954239\n\n(please keep in mind that this comment is about outdated patchset. Currently, we have: `type: certificate_chain`)","commit_id":"736a1ceb71fe1844990685b65f67e92485c28553"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"5b54beb6fb5e14885dc26c448a12b85afbd4cc1c","unresolved":true,"context_lines":[{"line_number":733,"context_line":"    src: \"{{ neutron_user_ssl_cert | default(neutron_pki_certs_path ~ \u0027neutron_\u0027 ~ ansible_facts[\u0027hostname\u0027] ~ \u0027-chain.crt\u0027) }}\""},{"line_number":734,"context_line":"    # hashi_vault backend only"},{"line_number":735,"context_line":"    cert: \"neutron_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":736,"context_line":"    type: [\u0027certificate\u0027, \u0027ca_chain\u0027]"},{"line_number":737,"context_line":"  - dest: \"{{ neutron_ssl_key }}\""},{"line_number":738,"context_line":"    owner: \"{{ neutron_system_user_name }}\""},{"line_number":739,"context_line":"    group: \"{{ neutron_system_user_name }}\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"ad7e4ee1_542f8367","line":736,"range":{"start_line":736,"start_character":0,"end_line":736,"end_character":37},"in_reply_to":"b3e26743_ec2deeeb","updated":"2025-07-18 15:18:50.000000000","message":"So it feels like we are leaking implementation details of the backends into the input data. 
We should implement \"fullchain\" and \"ca_chain\" for the standalone backend too.","commit_id":"736a1ceb71fe1844990685b65f67e92485c28553"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"736aece843f0bdccb7034c132c0a658036be8caa","unresolved":true,"context_lines":[{"line_number":733,"context_line":"    src: \"{{ neutron_user_ssl_cert | default(neutron_pki_certs_path ~ \u0027neutron_\u0027 ~ ansible_facts[\u0027hostname\u0027] ~ \u0027-chain.crt\u0027) }}\""},{"line_number":734,"context_line":"    # hashi_vault backend only"},{"line_number":735,"context_line":"    cert: \"neutron_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":736,"context_line":"    type: [\u0027certificate\u0027, \u0027ca_chain\u0027]"},{"line_number":737,"context_line":"  - dest: \"{{ neutron_ssl_key }}\""},{"line_number":738,"context_line":"    owner: \"{{ neutron_system_user_name }}\""},{"line_number":739,"context_line":"    group: \"{{ neutron_system_user_name }}\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"2e6d847e_760036ec","line":736,"range":{"start_line":736,"start_character":0,"end_line":736,"end_character":37},"in_reply_to":"d0de0170_f20f8695","updated":"2025-07-07 17:35:34.000000000","message":"\"*-chain.crt\" for standalone backend implies that it\u0027s a fullchain(cert + ca bundle)\n\n\nhttps://opendev.org/openstack/ansible-role-pki/src/commit/83fb106afd27291b6c69204b7b51c89d8daf7726/tasks/standalone/create_cert.yml#L84","commit_id":"736a1ceb71fe1844990685b65f67e92485c28553"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"5b54beb6fb5e14885dc26c448a12b85afbd4cc1c","unresolved":true,"context_lines":[{"line_number":581,"context_line":"  - name: \"neutron_ovn_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":582,"context_line":"    cn: \"{{ 
ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":583,"context_line":"    san: \"{{ {\u0027dns\u0027: [ansible_facts[\u0027hostname\u0027]], \u0027ip\u0027: [neutron_ovn_node_address]} }}\""},{"line_number":584,"context_line":"    backend: \"{{ neutron_pki_backend }}\""},{"line_number":585,"context_line":"    # standalone backend only"},{"line_number":586,"context_line":"    provider: ownca"},{"line_number":587,"context_line":"    signed_by: \"{{ neutron_ovn_pki_intermediate_cert_name }}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"94502240_92620c47","line":584,"range":{"start_line":584,"start_character":4,"end_line":584,"end_character":40},"updated":"2025-07-18 15:18:50.000000000","message":"pki_backend: \"foo\" in group_vars would do the same thing\n\nwith the code like this i don\u0027t think there is a way to pick a specific backend for just one of the certs without overriding the whole of neutron_ovn_pki_certificates","commit_id":"2ba9b37168932d681b379135c7f08b3ca431c26a"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"29444d644f785c20f4f9c77d0d231420efbbb0a3","unresolved":false,"context_lines":[{"line_number":581,"context_line":"  - name: \"neutron_ovn_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":582,"context_line":"    cn: \"{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":583,"context_line":"    san: \"{{ {\u0027dns\u0027: [ansible_facts[\u0027hostname\u0027]], \u0027ip\u0027: [neutron_ovn_node_address]} }}\""},{"line_number":584,"context_line":"    backend: \"{{ neutron_pki_backend }}\""},{"line_number":585,"context_line":"    # standalone backend only"},{"line_number":586,"context_line":"    provider: ownca"},{"line_number":587,"context_line":"    signed_by: \"{{ neutron_ovn_pki_intermediate_cert_name 
}}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"b5543046_bc337ddf","line":584,"range":{"start_line":584,"start_character":4,"end_line":584,"end_character":40},"in_reply_to":"50fb5269_a82f29ea","updated":"2025-07-24 18:51:42.000000000","message":"you\u0027re right, it\u0027s not necessary. removed all `backend: \"{{ neutron_pki_backend }}\"` definitions.","commit_id":"2ba9b37168932d681b379135c7f08b3ca431c26a"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"9bc7ca0097fbab8a461e956f5c886e3d7993e464","unresolved":true,"context_lines":[{"line_number":581,"context_line":"  - name: \"neutron_ovn_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":582,"context_line":"    cn: \"{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":583,"context_line":"    san: \"{{ {\u0027dns\u0027: [ansible_facts[\u0027hostname\u0027]], \u0027ip\u0027: [neutron_ovn_node_address]} }}\""},{"line_number":584,"context_line":"    backend: \"{{ neutron_pki_backend }}\""},{"line_number":585,"context_line":"    # standalone backend only"},{"line_number":586,"context_line":"    provider: ownca"},{"line_number":587,"context_line":"    signed_by: \"{{ neutron_ovn_pki_intermediate_cert_name }}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"a87d5f08_98f2dab2","line":584,"range":{"start_line":584,"start_character":4,"end_line":584,"end_character":40},"in_reply_to":"94502240_92620c47","updated":"2025-07-21 22:34:29.000000000","message":"I\u0027m not sure if I understand. What exactly do you suggest to do?\n\nwhen it comes to `group_vars`, yes, in thousands of other places we could define non-prefixed variables in group_vars. So for example, `neutron_ovn_pki_certificates` could be just `ovn_pki_certificates` in neutron group vars. 
But we don\u0027t do that.","commit_id":"2ba9b37168932d681b379135c7f08b3ca431c26a"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"3b8f7ddbd9a80d83e0bbfd079585d4ac3c7bdabc","unresolved":true,"context_lines":[{"line_number":581,"context_line":"  - name: \"neutron_ovn_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":582,"context_line":"    cn: \"{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":583,"context_line":"    san: \"{{ {\u0027dns\u0027: [ansible_facts[\u0027hostname\u0027]], \u0027ip\u0027: [neutron_ovn_node_address]} }}\""},{"line_number":584,"context_line":"    backend: \"{{ neutron_pki_backend }}\""},{"line_number":585,"context_line":"    # standalone backend only"},{"line_number":586,"context_line":"    provider: ownca"},{"line_number":587,"context_line":"    signed_by: \"{{ neutron_ovn_pki_intermediate_cert_name }}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"ac784cab_4307ebf1","line":584,"range":{"start_line":584,"start_character":4,"end_line":584,"end_character":40},"in_reply_to":"a87d5f08_98f2dab2","updated":"2025-07-24 06:48:54.000000000","message":"I guess the intention was to point out, that potentially we don\u0027t need to define `\u003cservice\u003e_pki_backend` on a role level at all.\n\nAnd while I agree that it is highly unlikely that anybody will be ever having a mix of backends, and we can even state explicitly that this is not what is supported (like mix of `distro` and `source`),\n\n\u003e pki_backend: \"foo\" in group_vars would do the same thing\n\nBut I do not agree with that.\n\nAs setting `pki_backend: \"foo\"` for `neutron_ovn_controller` group would also affect Nova, VNC consoles, and literally everything if that\u0027s HCI metal setup.\n\nThis is pretty much the reason why we still wanna have role-level vars to scope their effect to the specific component rather than to a group, which can be 
co-locating a lot of stuff.","commit_id":"2ba9b37168932d681b379135c7f08b3ca431c26a"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"ad0d7df154c598573b3ed0380e759ca3cfe3dc7d","unresolved":true,"context_lines":[{"line_number":581,"context_line":"  - name: \"neutron_ovn_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":582,"context_line":"    cn: \"{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":583,"context_line":"    san: \"{{ {\u0027dns\u0027: [ansible_facts[\u0027hostname\u0027]], \u0027ip\u0027: [neutron_ovn_node_address]} }}\""},{"line_number":584,"context_line":"    backend: \"{{ neutron_pki_backend }}\""},{"line_number":585,"context_line":"    # standalone backend only"},{"line_number":586,"context_line":"    provider: ownca"},{"line_number":587,"context_line":"    signed_by: \"{{ neutron_ovn_pki_intermediate_cert_name }}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"b77c7da7_c41974d6","line":584,"range":{"start_line":584,"start_character":4,"end_line":584,"end_character":40},"in_reply_to":"ac784cab_4307ebf1","updated":"2025-07-24 10:11:38.000000000","message":"yes, we won\u0027t need to define `neutron_pki_backend` at all, but it would mean that changing pki backend for a single role would require overriding the whole`_pki_certificates` var. It may be acceptable because people won\u0027t do that often. 
I don\u0027t have a strong opinion here.","commit_id":"2ba9b37168932d681b379135c7f08b3ca431c26a"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"e1eb3974d35c2637866ad4044ca4cd46d393a003","unresolved":true,"context_lines":[{"line_number":581,"context_line":"  - name: \"neutron_ovn_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":582,"context_line":"    cn: \"{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":583,"context_line":"    san: \"{{ {\u0027dns\u0027: [ansible_facts[\u0027hostname\u0027]], \u0027ip\u0027: [neutron_ovn_node_address]} }}\""},{"line_number":584,"context_line":"    backend: \"{{ neutron_pki_backend }}\""},{"line_number":585,"context_line":"    # standalone backend only"},{"line_number":586,"context_line":"    provider: ownca"},{"line_number":587,"context_line":"    signed_by: \"{{ neutron_ovn_pki_intermediate_cert_name }}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"cd4f5b73_f4f0354b","line":584,"range":{"start_line":584,"start_character":4,"end_line":584,"end_character":40},"in_reply_to":"b77c7da7_c41974d6","updated":"2025-07-24 10:49:09.000000000","message":"Ok, so I guess let me re-phrase this.\n\nWe probably don\u0027t need to define `backend` for each cert, as it does not make much sense outside of Octavia role.\n\nSo we can drop all `backend` statements in `_pki_install_certificates` and `_pki_certificates` and instead during include of PKI role pass `pki_backend: \"{{ neutron_pki_backend }}\"`","commit_id":"2ba9b37168932d681b379135c7f08b3ca431c26a"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"cb02d7d82619d3e78909a62996aeebd259fdaba9","unresolved":true,"context_lines":[{"line_number":581,"context_line":"  - name: \"neutron_ovn_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":582,"context_line":"    
cn: \"{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":583,"context_line":"    san: \"{{ {\u0027dns\u0027: [ansible_facts[\u0027hostname\u0027]], \u0027ip\u0027: [neutron_ovn_node_address]} }}\""},{"line_number":584,"context_line":"    backend: \"{{ neutron_pki_backend }}\""},{"line_number":585,"context_line":"    # standalone backend only"},{"line_number":586,"context_line":"    provider: ownca"},{"line_number":587,"context_line":"    signed_by: \"{{ neutron_ovn_pki_intermediate_cert_name }}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"50fb5269_a82f29ea","line":584,"range":{"start_line":584,"start_character":4,"end_line":584,"end_character":40},"in_reply_to":"cd4f5b73_f4f0354b","updated":"2025-07-24 10:50:31.000000000","message":"And I totally missed that you already doing that... So what\u0027s the point of having it per cert as well?","commit_id":"2ba9b37168932d681b379135c7f08b3ca431c26a"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"5b54beb6fb5e14885dc26c448a12b85afbd4cc1c","unresolved":true,"context_lines":[{"line_number":696,"context_line":"neutron_pki_regen_cert: \"\""},{"line_number":697,"context_line":"neutron_pki_san: \"{{ openstack_pki_san | default({\u0027dns\u0027: [ansible_facts[\u0027hostname\u0027]], \u0027ip\u0027: [management_address]}) }}\""},{"line_number":698,"context_line":"neutron_pki_backend: \u003e-"},{"line_number":699,"context_line":"  {{ \u0027standalone\u0027 if neutron_user_ssl_cert is defined or neutron_user_ssl_key is defined else openstack_ | default(\u0027standalone\u0027) }}"},{"line_number":700,"context_line":"neutron_pki_certificates:"},{"line_number":701,"context_line":"  - name: \"neutron_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":702,"context_line":"    cn: \"{{ ansible_facts[\u0027hostname\u0027] 
}}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"870da622_215b554f","line":699,"range":{"start_line":699,"start_character":0,"end_line":699,"end_character":131},"updated":"2025-07-18 15:18:50.000000000","message":"why don\u0027t we make this a shortcut in the pki role, that anything in this list that specifies `src` is implicitly installed from a file with that name, the backend choice doesnt really apply.\n\nThis also makes it \"all or nothing\" for user supplied certs for the whole role, which may not be the case more complex roles with a more complicated list of certs. Perhaps you only want to provide one from the user and the rest from the PKI role.","commit_id":"2ba9b37168932d681b379135c7f08b3ca431c26a"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"94bda19272c35c44719fafbefa14d85c0d9bbd9d","unresolved":false,"context_lines":[{"line_number":696,"context_line":"neutron_pki_regen_cert: \"\""},{"line_number":697,"context_line":"neutron_pki_san: \"{{ openstack_pki_san | default({\u0027dns\u0027: [ansible_facts[\u0027hostname\u0027]], \u0027ip\u0027: [management_address]}) }}\""},{"line_number":698,"context_line":"neutron_pki_backend: \u003e-"},{"line_number":699,"context_line":"  {{ \u0027standalone\u0027 if neutron_user_ssl_cert is defined or neutron_user_ssl_key is defined else openstack_ | default(\u0027standalone\u0027) }}"},{"line_number":700,"context_line":"neutron_pki_certificates:"},{"line_number":701,"context_line":"  - name: \"neutron_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":702,"context_line":"    cn: \"{{ ansible_facts[\u0027hostname\u0027] }}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"5905de06_7605396b","line":699,"range":{"start_line":699,"start_character":0,"end_line":699,"end_character":131},"in_reply_to":"0c914a0d_8344d4c1","updated":"2026-03-16 
19:29:58.000000000","message":"Done","commit_id":"2ba9b37168932d681b379135c7f08b3ca431c26a"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"9bc7ca0097fbab8a461e956f5c886e3d7993e464","unresolved":true,"context_lines":[{"line_number":696,"context_line":"neutron_pki_regen_cert: \"\""},{"line_number":697,"context_line":"neutron_pki_san: \"{{ openstack_pki_san | default({\u0027dns\u0027: [ansible_facts[\u0027hostname\u0027]], \u0027ip\u0027: [management_address]}) }}\""},{"line_number":698,"context_line":"neutron_pki_backend: \u003e-"},{"line_number":699,"context_line":"  {{ \u0027standalone\u0027 if neutron_user_ssl_cert is defined or neutron_user_ssl_key is defined else openstack_ | default(\u0027standalone\u0027) }}"},{"line_number":700,"context_line":"neutron_pki_certificates:"},{"line_number":701,"context_line":"  - name: \"neutron_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":702,"context_line":"    cn: \"{{ ansible_facts[\u0027hostname\u0027] }}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"f976ac86_0d86d3c1","line":699,"range":{"start_line":699,"start_character":0,"end_line":699,"end_character":131},"in_reply_to":"870da622_215b554f","updated":"2025-07-21 22:34:29.000000000","message":"it\u0027s not that simple because `src` is only specified in `*_pki_install_certificates`, while `neutron_pki_backend` is used also in `*_pki_certificates`.\n\n\nFor more complex scenarios, overriding the whole `*_pki_install_certificates` and `*_pki_certificates` may be required, yes.","commit_id":"2ba9b37168932d681b379135c7f08b3ca431c26a"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"ac296d81c04a3b7dcf84907cb347086f0a624a9d","unresolved":true,"context_lines":[{"line_number":696,"context_line":"neutron_pki_regen_cert: 
\"\""},{"line_number":697,"context_line":"neutron_pki_san: \"{{ openstack_pki_san | default({\u0027dns\u0027: [ansible_facts[\u0027hostname\u0027]], \u0027ip\u0027: [management_address]}) }}\""},{"line_number":698,"context_line":"neutron_pki_backend: \u003e-"},{"line_number":699,"context_line":"  {{ \u0027standalone\u0027 if neutron_user_ssl_cert is defined or neutron_user_ssl_key is defined else openstack_ | default(\u0027standalone\u0027) }}"},{"line_number":700,"context_line":"neutron_pki_certificates:"},{"line_number":701,"context_line":"  - name: \"neutron_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":702,"context_line":"    cn: \"{{ ansible_facts[\u0027hostname\u0027] }}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"0c914a0d_8344d4c1","line":699,"range":{"start_line":699,"start_character":0,"end_line":699,"end_character":131},"in_reply_to":"b29b3ebd_aaab0088","updated":"2025-07-23 18:33:03.000000000","message":"ouh, `openstack_` is a mistake introduced in patchset 3. 
Fixed along with the brackets for the `default`","commit_id":"2ba9b37168932d681b379135c7f08b3ca431c26a"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"c9452ad072c3cf28b8a86c61c51370cdadd137f0","unresolved":true,"context_lines":[{"line_number":696,"context_line":"neutron_pki_regen_cert: \"\""},{"line_number":697,"context_line":"neutron_pki_san: \"{{ openstack_pki_san | default({\u0027dns\u0027: [ansible_facts[\u0027hostname\u0027]], \u0027ip\u0027: [management_address]}) }}\""},{"line_number":698,"context_line":"neutron_pki_backend: \u003e-"},{"line_number":699,"context_line":"  {{ \u0027standalone\u0027 if neutron_user_ssl_cert is defined or neutron_user_ssl_key is defined else openstack_ | default(\u0027standalone\u0027) }}"},{"line_number":700,"context_line":"neutron_pki_certificates:"},{"line_number":701,"context_line":"  - name: \"neutron_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":702,"context_line":"    cn: \"{{ ansible_facts[\u0027hostname\u0027] }}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"b29b3ebd_aaab0088","line":699,"range":{"start_line":699,"start_character":0,"end_line":699,"end_character":131},"in_reply_to":"f976ac86_0d86d3c1","updated":"2025-07-23 08:39:21.000000000","message":"what does `else openstack_ | default(\u0027standalone\u0027)` mean? Is `openstack_` a typo? 
Is `default` meant to be applied to the whole conditional or to the `else` part only?\n\nOn another note, I somehow find `if/else` harder to read than the `ternary` filter, but it could be only me.","commit_id":"2ba9b37168932d681b379135c7f08b3ca431c26a"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"5b54beb6fb5e14885dc26c448a12b85afbd4cc1c","unresolved":true,"context_lines":[{"line_number":703,"context_line":"    san: \"{{ neutron_pki_san }}\""},{"line_number":704,"context_line":"    backend: \"{{ neutron_pki_backend }}\""},{"line_number":705,"context_line":"    # standalone backend only"},{"line_number":706,"context_line":"    provider: ownca"},{"line_number":707,"context_line":"    signed_by: \"{{ neutron_pki_intermediate_cert_name }}\""},{"line_number":708,"context_line":""},{"line_number":709,"context_line":"# neutron destination files for SSL certificates"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"81304eb3_30bd1e57","line":706,"range":{"start_line":706,"start_character":0,"end_line":706,"end_character":19},"updated":"2025-07-18 15:18:50.000000000","message":"is there a need for \u0027provider\u0027 here? 
is it used at all for installation?","commit_id":"2ba9b37168932d681b379135c7f08b3ca431c26a"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"9bc7ca0097fbab8a461e956f5c886e3d7993e464","unresolved":true,"context_lines":[{"line_number":703,"context_line":"    san: \"{{ neutron_pki_san }}\""},{"line_number":704,"context_line":"    backend: \"{{ neutron_pki_backend }}\""},{"line_number":705,"context_line":"    # standalone backend only"},{"line_number":706,"context_line":"    provider: ownca"},{"line_number":707,"context_line":"    signed_by: \"{{ neutron_pki_intermediate_cert_name }}\""},{"line_number":708,"context_line":""},{"line_number":709,"context_line":"# neutron destination files for SSL certificates"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"a87efe72_981efdda","line":706,"range":{"start_line":706,"start_character":0,"end_line":706,"end_character":19},"in_reply_to":"81304eb3_30bd1e57","updated":"2025-07-21 22:34:29.000000000","message":"it\u0027s used here https://opendev.org/openstack/ansible-role-pki/src/branch/master/tasks/standalone/create_cert.yml#L65\n\nbut to be honest, I\u0027m not sure what was the intention.\nMy focus was mainly on adding new pki backend, not on fixing existing one.","commit_id":"2ba9b37168932d681b379135c7f08b3ca431c26a"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"c9452ad072c3cf28b8a86c61c51370cdadd137f0","unresolved":true,"context_lines":[{"line_number":703,"context_line":"    san: \"{{ neutron_pki_san }}\""},{"line_number":704,"context_line":"    backend: \"{{ neutron_pki_backend }}\""},{"line_number":705,"context_line":"    # standalone backend only"},{"line_number":706,"context_line":"    provider: ownca"},{"line_number":707,"context_line":"    signed_by: \"{{ neutron_pki_intermediate_cert_name 
}}\""},{"line_number":708,"context_line":""},{"line_number":709,"context_line":"# neutron destination files for SSL certificates"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"e94af07c_37ba8c4c","line":706,"range":{"start_line":706,"start_character":0,"end_line":706,"end_character":19},"in_reply_to":"a87efe72_981efdda","updated":"2025-07-23 08:39:21.000000000","message":"potentially, this could be used for `acme` https://docs.ansible.com/ansible/latest/collections/community/crypto/x509_certificate_module.html#parameter-provider\n\nSo I would not drop it now, given we already have it. As I still think that ACME is smth we should implement sooner or later as well.\n\nNo idea though if we should be using `provider` in x509 or using separate `acme_certificate` module instead:\nhttps://docs.ansible.com/ansible/latest/collections/community/crypto/acme_certificate_module.html#ansible-collections-community-crypto-acme-certificate-module","commit_id":"2ba9b37168932d681b379135c7f08b3ca431c26a"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"6f6c201daaa48f47503a239871b1e40f8c0c9fae","unresolved":false,"context_lines":[{"line_number":703,"context_line":"    san: \"{{ neutron_pki_san }}\""},{"line_number":704,"context_line":"    backend: \"{{ neutron_pki_backend }}\""},{"line_number":705,"context_line":"    # standalone backend only"},{"line_number":706,"context_line":"    provider: ownca"},{"line_number":707,"context_line":"    signed_by: \"{{ neutron_pki_intermediate_cert_name }}\""},{"line_number":708,"context_line":""},{"line_number":709,"context_line":"# neutron destination files for SSL certificates"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"2200185b_b1da8c55","line":706,"range":{"start_line":706,"start_character":0,"end_line":706,"end_character":19},"in_reply_to":"e94af07c_37ba8c4c","updated":"2025-09-25 
12:03:17.000000000","message":"Done","commit_id":"2ba9b37168932d681b379135c7f08b3ca431c26a"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"c9452ad072c3cf28b8a86c61c51370cdadd137f0","unresolved":true,"context_lines":[{"line_number":726,"context_line":"    dest: \"{{ neutron_ssl_key }}\""},{"line_number":727,"context_line":"    owner: \"{{ neutron_system_user_name }}\""},{"line_number":728,"context_line":"    group: \"{{ neutron_system_user_name }}\""},{"line_number":729,"context_line":"    mode: \"0600\""},{"line_number":730,"context_line":"    backend: \"{{ neutron_pki_backend }}\""},{"line_number":731,"context_line":"    # standalone backend only"},{"line_number":732,"context_line":"    src: \"{{ neutron_user_ssl_key }}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"3ee5930f_3ed93cb3","line":729,"range":{"start_line":729,"start_character":4,"end_line":729,"end_character":16},"updated":"2025-07-23 08:39:21.000000000","message":"can we handle mode in `pki` role based on the `type`? 
As it would feel like more error-prone approach.","commit_id":"2ba9b37168932d681b379135c7f08b3ca431c26a"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"7a734b2da5e6c56b6414303201d057bd819dc8e7","unresolved":true,"context_lines":[{"line_number":726,"context_line":"    dest: \"{{ neutron_ssl_key }}\""},{"line_number":727,"context_line":"    owner: \"{{ neutron_system_user_name }}\""},{"line_number":728,"context_line":"    group: \"{{ neutron_system_user_name }}\""},{"line_number":729,"context_line":"    mode: \"0600\""},{"line_number":730,"context_line":"    backend: \"{{ neutron_pki_backend }}\""},{"line_number":731,"context_line":"    # standalone backend only"},{"line_number":732,"context_line":"    src: \"{{ neutron_user_ssl_key }}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"d9a4ad06_9abc0d3f","line":729,"range":{"start_line":729,"start_character":4,"end_line":729,"end_character":16},"in_reply_to":"01ac01f1_6447b0da","updated":"2025-08-18 10:41:08.000000000","message":"I\u0027d say it generally makes sense not to set any more open permissions on private keys, but indeed it\u0027s more of a comment on 954239","commit_id":"2ba9b37168932d681b379135c7f08b3ca431c26a"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"ac296d81c04a3b7dcf84907cb347086f0a624a9d","unresolved":true,"context_lines":[{"line_number":726,"context_line":"    dest: \"{{ neutron_ssl_key }}\""},{"line_number":727,"context_line":"    owner: \"{{ neutron_system_user_name }}\""},{"line_number":728,"context_line":"    group: \"{{ neutron_system_user_name }}\""},{"line_number":729,"context_line":"    mode: \"0600\""},{"line_number":730,"context_line":"    backend: \"{{ neutron_pki_backend }}\""},{"line_number":731,"context_line":"    # standalone backend only"},{"line_number":732,"context_line":"    src:
\"{{ neutron_user_ssl_key }}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"76c04c3c_6acb1cd2","line":729,"range":{"start_line":729,"start_character":4,"end_line":729,"end_character":16},"in_reply_to":"3ee5930f_3ed93cb3","updated":"2025-07-23 18:33:03.000000000","message":"I think we can but it would require a change in both standalone and hashi_vault backends.\n\nIf we want to do that, we need to decide how to proceed with hashi_vault.\n\nIt can be either included in https://review.opendev.org/c/openstack/ansible-role-pki/+/954239/17 or another change in this chain is needed.","commit_id":"2ba9b37168932d681b379135c7f08b3ca431c26a"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"11c434be8bcb85433239973c6cf0f5f239e03a37","unresolved":true,"context_lines":[{"line_number":726,"context_line":"    dest: \"{{ neutron_ssl_key }}\""},{"line_number":727,"context_line":"    owner: \"{{ neutron_system_user_name }}\""},{"line_number":728,"context_line":"    group: \"{{ neutron_system_user_name }}\""},{"line_number":729,"context_line":"    mode: \"0600\""},{"line_number":730,"context_line":"    backend: \"{{ neutron_pki_backend }}\""},{"line_number":731,"context_line":"    # standalone backend only"},{"line_number":732,"context_line":"    src: \"{{ neutron_user_ssl_key }}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"f2a3cc5c_3da9bd4d","line":729,"range":{"start_line":729,"start_character":4,"end_line":729,"end_character":16},"in_reply_to":"76c04c3c_6acb1cd2","updated":"2025-07-24 06:32:02.000000000","message":"\u003e If we want to do that, we need to decide how to proceed with hashi_vault.\n\nI\u0027m not sure what does this imply? 
I think I\u0027m missing some kind of limitation in hashi-vault that is being held in multiple places (like `pki regen` handler concern).\n\nIs that related to the fact that we can\u0027t fetch the key from vault for the second time and this doesn\u0027t fit the current logic or smth in line with that?\n\nAs this currently supposed to be pasting from deploy host to remote one, so I\u0027m not sure how setting permissions in driver is problematic...","commit_id":"2ba9b37168932d681b379135c7f08b3ca431c26a"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"6f6c201daaa48f47503a239871b1e40f8c0c9fae","unresolved":false,"context_lines":[{"line_number":726,"context_line":"    dest: \"{{ neutron_ssl_key }}\""},{"line_number":727,"context_line":"    owner: \"{{ neutron_system_user_name }}\""},{"line_number":728,"context_line":"    group: \"{{ neutron_system_user_name }}\""},{"line_number":729,"context_line":"    mode: \"0600\""},{"line_number":730,"context_line":"    backend: \"{{ neutron_pki_backend }}\""},{"line_number":731,"context_line":"    # standalone backend only"},{"line_number":732,"context_line":"    src: \"{{ neutron_user_ssl_key }}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"a9870a3c_1d1e38d9","line":729,"range":{"start_line":729,"start_character":4,"end_line":729,"end_character":16},"in_reply_to":"d9a4ad06_9abc0d3f","updated":"2025-09-25 12:03:17.000000000","message":"Done","commit_id":"2ba9b37168932d681b379135c7f08b3ca431c26a"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"ad0d7df154c598573b3ed0380e759ca3cfe3dc7d","unresolved":true,"context_lines":[{"line_number":726,"context_line":"    dest: \"{{ neutron_ssl_key }}\""},{"line_number":727,"context_line":"    owner: \"{{ neutron_system_user_name }}\""},{"line_number":728,"context_line":"    group: \"{{ 
neutron_system_user_name }}\""},{"line_number":729,"context_line":"    mode: \"0600\""},{"line_number":730,"context_line":"    backend: \"{{ neutron_pki_backend }}\""},{"line_number":731,"context_line":"    # standalone backend only"},{"line_number":732,"context_line":"    src: \"{{ neutron_user_ssl_key }}\""}],"source_content_type":"text/x-yaml","patch_set":3,"id":"01ac01f1_6447b0da","line":729,"range":{"start_line":729,"start_character":4,"end_line":729,"end_character":16},"in_reply_to":"f2a3cc5c_3da9bd4d","updated":"2025-07-24 10:11:38.000000000","message":"sorry, I meant \"If we want to do that, we need to decide how to proceed with standalone backend.\"\n\n\nImplementing it in hashi_vault is easy because it\u0027s a new backend.\nBut we will need to add support for this in standalone backend as well, and I\u0027m not sure if it can be added directly to https://review.opendev.org/c/openstack/ansible-role-pki/+/954239/17 or we need to create a separate change for this and add it to the relation chain. 
I think that\u0027s a question to jrosser.","commit_id":"2ba9b37168932d681b379135c7f08b3ca431c26a"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"0cf22bb5a0dd3d6e7b5c9718f1f3fd8dda1b61d5","unresolved":true,"context_lines":[{"line_number":580,"context_line":"neutron_ovn_pki_certificates:"},{"line_number":581,"context_line":"  - name: \"neutron_ovn_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":582,"context_line":"    cn: \"{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":583,"context_line":"    san: \"{{ {\u0027dns\u0027: [ansible_facts[\u0027hostname\u0027]], \u0027ip\u0027: [neutron_ovn_node_address]} }}\""},{"line_number":584,"context_line":"    backend: \"{{ neutron_pki_backend }}\""},{"line_number":585,"context_line":"    # standalone backend only"},{"line_number":586,"context_line":"    provider: ownca"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"3f7f8398_c92f42d9","line":583,"range":{"start_line":583,"start_character":4,"end_line":583,"end_character":87},"updated":"2025-07-24 08:25:39.000000000","message":"```\nsan:\n  dns:\n    - \"{{ ansible_facts[\u0027hostname\u0027] }}\"\n  ip:\n    - \"{{ neutron_ovn_node_address }}\"\n```\n?","commit_id":"6b786573f664cffad4edb667b0aec5275ac04220"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"db0ac0b4068c4082da7b89df4ac4ea8a6aa9b0b7","unresolved":true,"context_lines":[{"line_number":580,"context_line":"neutron_ovn_pki_certificates:"},{"line_number":581,"context_line":"  - name: \"neutron_ovn_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":582,"context_line":"    cn: \"{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":583,"context_line":"    san: \"{{ {\u0027dns\u0027: [ansible_facts[\u0027hostname\u0027]], \u0027ip\u0027: [neutron_ovn_node_address]} 
}}\""},{"line_number":584,"context_line":"    backend: \"{{ neutron_pki_backend }}\""},{"line_number":585,"context_line":"    # standalone backend only"},{"line_number":586,"context_line":"    provider: ownca"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"4c37e42c_26823243","line":583,"range":{"start_line":583,"start_character":4,"end_line":583,"end_character":87},"in_reply_to":"28583b1a_3ff52a4b","updated":"2025-09-26 12:47:42.000000000","message":"fixed, but to be honest, I\u0027m not sure how to rewrite `neutron_pki_san` to the multi-line dict because we have a default() filter there","commit_id":"6b786573f664cffad4edb667b0aec5275ac04220"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"ad0d7df154c598573b3ed0380e759ca3cfe3dc7d","unresolved":true,"context_lines":[{"line_number":580,"context_line":"neutron_ovn_pki_certificates:"},{"line_number":581,"context_line":"  - name: \"neutron_ovn_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":582,"context_line":"    cn: \"{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":583,"context_line":"    san: \"{{ {\u0027dns\u0027: [ansible_facts[\u0027hostname\u0027]], \u0027ip\u0027: [neutron_ovn_node_address]} }}\""},{"line_number":584,"context_line":"    backend: \"{{ neutron_pki_backend }}\""},{"line_number":585,"context_line":"    # standalone backend only"},{"line_number":586,"context_line":"    provider: ownca"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"ef332041_99bd8ac3","line":583,"range":{"start_line":583,"start_character":4,"end_line":583,"end_character":87},"in_reply_to":"3f7f8398_c92f42d9","updated":"2025-07-24 10:11:38.000000000","message":"what does this question mark mean? :D \n\nis it gonna work? yes\n\ndo we want to define it like this? I\u0027m not sure.\nIt would be easier to understand, but it requires more lines of code.\n\nWhat do you think?\n\nPS. 
If we decide to convert it to the multi-line dict, it would be good to consider what to do with `neutron_pki_san` because we use similar format there as well.","commit_id":"6b786573f664cffad4edb667b0aec5275ac04220"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"5beb8fd156a5f8132c7455e5975794a27293d442","unresolved":false,"context_lines":[{"line_number":580,"context_line":"neutron_ovn_pki_certificates:"},{"line_number":581,"context_line":"  - name: \"neutron_ovn_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":582,"context_line":"    cn: \"{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":583,"context_line":"    san: \"{{ {\u0027dns\u0027: [ansible_facts[\u0027hostname\u0027]], \u0027ip\u0027: [neutron_ovn_node_address]} }}\""},{"line_number":584,"context_line":"    backend: \"{{ neutron_pki_backend }}\""},{"line_number":585,"context_line":"    # standalone backend only"},{"line_number":586,"context_line":"    provider: ownca"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"301d710b_a1f9962f","line":583,"range":{"start_line":583,"start_character":4,"end_line":583,"end_character":87},"in_reply_to":"4c37e42c_26823243","updated":"2026-03-16 19:27:39.000000000","message":"Done","commit_id":"6b786573f664cffad4edb667b0aec5275ac04220"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"ada73a9e077f02b1dad2c4037df2b610ab0e2623","unresolved":true,"context_lines":[{"line_number":580,"context_line":"neutron_ovn_pki_certificates:"},{"line_number":581,"context_line":"  - name: \"neutron_ovn_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":582,"context_line":"    cn: \"{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":583,"context_line":"    san: \"{{ {\u0027dns\u0027: [ansible_facts[\u0027hostname\u0027]], \u0027ip\u0027: 
[neutron_ovn_node_address]} }}\""},{"line_number":584,"context_line":"    backend: \"{{ neutron_pki_backend }}\""},{"line_number":585,"context_line":"    # standalone backend only"},{"line_number":586,"context_line":"    provider: ownca"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"28583b1a_3ff52a4b","line":583,"range":{"start_line":583,"start_character":4,"end_line":583,"end_character":87},"in_reply_to":"ef332041_99bd8ac3","updated":"2025-08-08 07:04:54.000000000","message":"Question mark means - any reason not to do dict definition in YAML rather than in Jinja.\n\nI\u0027m not sure about \"more lines of code\", as that\u0027s really just a variable definition. If we were talking about complex logic in it and simplifying such logic - then sure.\n\nIn this case I\u0027d say that readability is more important.\n\nAnd sure, this would apply to `neutron_pki_san` as well.\n\nAs we had to define it this way before because of \"string\" concat, and dict allows us to supply a more readable definition, which is a nice benefit.","commit_id":"6b786573f664cffad4edb667b0aec5275ac04220"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"3b8f7ddbd9a80d83e0bbfd079585d4ac3c7bdabc","unresolved":true,"context_lines":[{"line_number":695,"context_line":"neutron_pki_intermediate_cert_name: \"{{ openstack_pki_service_intermediate_cert_name | default(\u0027ExampleCorpIntermediate\u0027) }}\""},{"line_number":696,"context_line":"neutron_pki_regen_cert: \"\""},{"line_number":697,"context_line":"neutron_pki_san: \"{{ openstack_pki_san | default({\u0027dns\u0027: [ansible_facts[\u0027hostname\u0027]], \u0027ip\u0027: [management_address]}) }}\""},{"line_number":698,"context_line":"neutron_pki_backend: \u003e-"},{"line_number":699,"context_line":"  {{ \u0027standalone\u0027 if neutron_user_ssl_cert is defined or neutron_user_ssl_key is defined else (openstack_pki_backend |
default(\u0027standalone\u0027)) }}"},{"line_number":700,"context_line":"neutron_pki_certificates:"},{"line_number":701,"context_line":"  - name: \"neutron_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":702,"context_line":"    cn: \"{{ ansible_facts[\u0027hostname\u0027] }}\""}],"source_content_type":"text/x-yaml","patch_set":4,"id":"9ed73d9b_2f41d34f","line":699,"range":{"start_line":698,"start_character":0,"end_line":699,"end_character":144},"updated":"2025-07-24 06:48:54.000000000","message":"Thinking about that...\n\nHow is it different from `neutron_pki_backend: \"{{ openstack_pki_backend | default(\u0027standalone\u0027) }}` ?\n\nAs I don\u0027t think we need to be actually calculating that?\n\nThis is a new variable and it does have same default and behavior as before. So if somebody does override `openstack_pki_backend` - that would be their choice.\n\nOtherwise, if `neutron_user_ssl_cert` and `neutron_user_ssl_key` defined (yes, we need `and` here, as cert without key is useless) - it\u0027s still gonna be `standalone`.","commit_id":"6b786573f664cffad4edb667b0aec5275ac04220"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"8f3ea329b59692692fa2b26d9c1ae9f5761296d1","unresolved":true,"context_lines":[{"line_number":695,"context_line":"neutron_pki_intermediate_cert_name: \"{{ openstack_pki_service_intermediate_cert_name | default(\u0027ExampleCorpIntermediate\u0027) }}\""},{"line_number":696,"context_line":"neutron_pki_regen_cert: \"\""},{"line_number":697,"context_line":"neutron_pki_san: \"{{ openstack_pki_san | default({\u0027dns\u0027: [ansible_facts[\u0027hostname\u0027]], \u0027ip\u0027: [management_address]}) }}\""},{"line_number":698,"context_line":"neutron_pki_backend: \u003e-"},{"line_number":699,"context_line":"  {{ \u0027standalone\u0027 if neutron_user_ssl_cert is defined or neutron_user_ssl_key is defined else (openstack_pki_backend | 
default(\u0027standalone\u0027)) }}"},{"line_number":700,"context_line":"neutron_pki_certificates:"},{"line_number":701,"context_line":"  - name: \"neutron_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":702,"context_line":"    cn: \"{{ ansible_facts[\u0027hostname\u0027] }}\""}],"source_content_type":"text/x-yaml","patch_set":4,"id":"8bf3797e_73308aa6","line":699,"range":{"start_line":698,"start_character":0,"end_line":699,"end_character":144},"updated":"2026-03-10 17:46:52.000000000","message":"the logic is wrong here - the change i made to the pki role and os_glance now detects a truthy string rather than `is defined`","commit_id":"6b786573f664cffad4edb667b0aec5275ac04220"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"29444d644f785c20f4f9c77d0d231420efbbb0a3","unresolved":false,"context_lines":[{"line_number":695,"context_line":"neutron_pki_intermediate_cert_name: \"{{ openstack_pki_service_intermediate_cert_name | default(\u0027ExampleCorpIntermediate\u0027) }}\""},{"line_number":696,"context_line":"neutron_pki_regen_cert: \"\""},{"line_number":697,"context_line":"neutron_pki_san: \"{{ openstack_pki_san | default({\u0027dns\u0027: [ansible_facts[\u0027hostname\u0027]], \u0027ip\u0027: [management_address]}) }}\""},{"line_number":698,"context_line":"neutron_pki_backend: \u003e-"},{"line_number":699,"context_line":"  {{ \u0027standalone\u0027 if neutron_user_ssl_cert is defined or neutron_user_ssl_key is defined else (openstack_pki_backend | default(\u0027standalone\u0027)) }}"},{"line_number":700,"context_line":"neutron_pki_certificates:"},{"line_number":701,"context_line":"  - name: \"neutron_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":702,"context_line":"    cn: \"{{ ansible_facts[\u0027hostname\u0027] 
}}\""}],"source_content_type":"text/x-yaml","patch_set":4,"id":"2e17f80a_f9108980","line":699,"range":{"start_line":698,"start_character":0,"end_line":699,"end_character":144},"in_reply_to":"211a78fc_e853eaaa","updated":"2025-07-24 18:51:42.000000000","message":"Done","commit_id":"6b786573f664cffad4edb667b0aec5275ac04220"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"5beb8fd156a5f8132c7455e5975794a27293d442","unresolved":false,"context_lines":[{"line_number":695,"context_line":"neutron_pki_intermediate_cert_name: \"{{ openstack_pki_service_intermediate_cert_name | default(\u0027ExampleCorpIntermediate\u0027) }}\""},{"line_number":696,"context_line":"neutron_pki_regen_cert: \"\""},{"line_number":697,"context_line":"neutron_pki_san: \"{{ openstack_pki_san | default({\u0027dns\u0027: [ansible_facts[\u0027hostname\u0027]], \u0027ip\u0027: [management_address]}) }}\""},{"line_number":698,"context_line":"neutron_pki_backend: \u003e-"},{"line_number":699,"context_line":"  {{ \u0027standalone\u0027 if neutron_user_ssl_cert is defined or neutron_user_ssl_key is defined else (openstack_pki_backend | default(\u0027standalone\u0027)) }}"},{"line_number":700,"context_line":"neutron_pki_certificates:"},{"line_number":701,"context_line":"  - name: \"neutron_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":702,"context_line":"    cn: \"{{ ansible_facts[\u0027hostname\u0027] }}\""}],"source_content_type":"text/x-yaml","patch_set":4,"id":"df951081_baed9e7d","line":699,"range":{"start_line":698,"start_character":0,"end_line":699,"end_character":144},"in_reply_to":"8bf3797e_73308aa6","updated":"2026-03-16 19:27:39.000000000","message":"fixed, sorry that logic shouldn\u0027t be there at all, some time ago we decided to stick just to:\n\n```\nneutron_pki_backend: \"{{ openstack_pki_backend | default(\u0027standalone\u0027) }}\"\n```\n\nwithout any additional 
logic","commit_id":"6b786573f664cffad4edb667b0aec5275ac04220"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"ad0d7df154c598573b3ed0380e759ca3cfe3dc7d","unresolved":true,"context_lines":[{"line_number":695,"context_line":"neutron_pki_intermediate_cert_name: \"{{ openstack_pki_service_intermediate_cert_name | default(\u0027ExampleCorpIntermediate\u0027) }}\""},{"line_number":696,"context_line":"neutron_pki_regen_cert: \"\""},{"line_number":697,"context_line":"neutron_pki_san: \"{{ openstack_pki_san | default({\u0027dns\u0027: [ansible_facts[\u0027hostname\u0027]], \u0027ip\u0027: [management_address]}) }}\""},{"line_number":698,"context_line":"neutron_pki_backend: \u003e-"},{"line_number":699,"context_line":"  {{ \u0027standalone\u0027 if neutron_user_ssl_cert is defined or neutron_user_ssl_key is defined else (openstack_pki_backend | default(\u0027standalone\u0027)) }}"},{"line_number":700,"context_line":"neutron_pki_certificates:"},{"line_number":701,"context_line":"  - name: \"neutron_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":702,"context_line":"    cn: \"{{ ansible_facts[\u0027hostname\u0027] }}\""}],"source_content_type":"text/x-yaml","patch_set":4,"id":"211a78fc_e853eaaa","line":699,"range":{"start_line":698,"start_character":0,"end_line":699,"end_character":144},"in_reply_to":"9ed73d9b_2f41d34f","updated":"2025-07-24 10:11:38.000000000","message":"we discussed it a bit on IRC today.\n\nI\u0027m fine with:\n\n`neutron_pki_backend: \"{{ openstack_pki_backend | default(\u0027standalone\u0027) }}`\n\nI\u0027m also fine with removing this variable","commit_id":"6b786573f664cffad4edb667b0aec5275ac04220"}]}
