)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"c47887f7e4680998221883a4afc10c37d2443cbc","unresolved":true,"context_lines":[{"line_number":1,"context_line":"Parent:     aa05a3fa (Refactor galera_use_ssl behaviour)"},{"line_number":2,"context_line":"Author:     James Gibson \u003cjames.gibson@bbc.co.uk\u003e"},{"line_number":3,"context_line":"AuthorDate: 2021-10-25 08:32:04 +0100"},{"line_number":4,"context_line":"Commit:     James Gibson \u003cjames.gibson@bbc.co.uk\u003e"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"6dc50014_b59f2dff","line":1,"updated":"2021-10-25 09:25:12.000000000","message":"probably needs a depends-on: https://review.opendev.org/c/openstack/ansible-role-pki/+/815007","commit_id":"9c4e9afbd6d6120f3ae56832527766fc45c1736e"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"1ccfeb26d7f6a67c26a2a42abc7408bf8ab3a8cf","unresolved":false,"context_lines":[{"line_number":1,"context_line":"Parent:     aa05a3fa (Refactor galera_use_ssl behaviour)"},{"line_number":2,"context_line":"Author:     James Gibson \u003cjames.gibson@bbc.co.uk\u003e"},{"line_number":3,"context_line":"AuthorDate: 2021-10-25 08:32:04 +0100"},{"line_number":4,"context_line":"Commit:     James Gibson \u003cjames.gibson@bbc.co.uk\u003e"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"12dbe56a_d6b9ed27","line":1,"in_reply_to":"6dc50014_b59f2dff","updated":"2021-11-03 16:14:43.000000000","message":"Done","commit_id":"9c4e9afbd6d6120f3ae56832527766fc45c1736e"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":28619,"name":"Dmitriy 
Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"ae54d6f9ac56e6d04bc18a8a49c5f81b4e912861","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"dbdcba2c_398c6241","updated":"2021-11-10 10:53:25.000000000","message":"I think this should work for start for sure","commit_id":"ad8bda5f641c88bb74055197aa248d2b16993d16"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"2acfa34d89f887cf153bb6039813f15e6ba973d5","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"8b0cfefe_becfd879","updated":"2021-11-09 11:54:31.000000000","message":"recheck","commit_id":"ad8bda5f641c88bb74055197aa248d2b16993d16"}],"defaults/main.yml":[{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"c47887f7e4680998221883a4afc10c37d2443cbc","unresolved":true,"context_lines":[{"line_number":541,"context_line":"# Delegated host for operating the certificate authority"},{"line_number":542,"context_line":"nova_pki_setup_host: \"{{ openstack_pki_setup_host | default(\u0027localhost\u0027) }}\""},{"line_number":543,"context_line":""},{"line_number":544,"context_line":"# Create a certificate authority if one does not already exist"},{"line_number":545,"context_line":"nova_pki_create_ca: \"{{ openstack_pki_authorities is not defined | bool }}\""},{"line_number":546,"context_line":"nova_pki_regen_ca: \u0027\u0027"},{"line_number":547,"context_line":"nova_pki_authorities:"},{"line_number":548,"context_line":"  - name: \"novaRoot\""},{"line_number":549,"context_line":"    country: \"GB\""},{"line_number":550,"context_line":"    state_or_province_name: \"England\""},{"line_number":551,"context_line":"    organization_name: \"Example Corporation\""},{"line_number":552,"context_line":"    organizational_unit_name: \"IT 
Security\""},{"line_number":553,"context_line":"    cn: \"nova Root CA\""},{"line_number":554,"context_line":"    provider: selfsigned"},{"line_number":555,"context_line":"    basic_constraints: \"CA:TRUE\""},{"line_number":556,"context_line":"    key_usage:"},{"line_number":557,"context_line":"      - digitalSignature"},{"line_number":558,"context_line":"      - cRLSign"},{"line_number":559,"context_line":"      - keyCertSign"},{"line_number":560,"context_line":"    not_after: \"+3650d\""},{"line_number":561,"context_line":"  - name: \"novaIntermediate\""},{"line_number":562,"context_line":"    country: \"GB\""},{"line_number":563,"context_line":"    state_or_province_name: \"England\""},{"line_number":564,"context_line":"    organization_name: \"Example Corporation\""},{"line_number":565,"context_line":"    organizational_unit_name: \"IT Security\""},{"line_number":566,"context_line":"    cn: \"nova Intermediate CA\""},{"line_number":567,"context_line":"    provider: ownca"},{"line_number":568,"context_line":"    basic_constraints: \"CA:TRUE,pathlen:0\""},{"line_number":569,"context_line":"    key_usage:"},{"line_number":570,"context_line":"      - digitalSignature"},{"line_number":571,"context_line":"      - cRLSign"},{"line_number":572,"context_line":"      - keyCertSign"},{"line_number":573,"context_line":"    not_after: \"+3650d\""},{"line_number":574,"context_line":"    signed_by: \"novaRoot\""},{"line_number":575,"context_line":""},{"line_number":576,"context_line":"# Installation details for certificate authorities"},{"line_number":577,"context_line":"nova_pki_install_ca:"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"3eb42b6a_11a6a044","line":574,"range":{"start_line":544,"start_character":0,"end_line":574,"end_character":25},"updated":"2021-10-25 09:25:12.000000000","message":"as this role is not really usable outside of openstack-ansible i think it\u0027s fair to assume that the deployment-wide CA has already been 
created","commit_id":"9c4e9afbd6d6120f3ae56832527766fc45c1736e"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"1ccfeb26d7f6a67c26a2a42abc7408bf8ab3a8cf","unresolved":false,"context_lines":[{"line_number":541,"context_line":"# Delegated host for operating the certificate authority"},{"line_number":542,"context_line":"nova_pki_setup_host: \"{{ openstack_pki_setup_host | default(\u0027localhost\u0027) }}\""},{"line_number":543,"context_line":""},{"line_number":544,"context_line":"# Create a certificate authority if one does not already exist"},{"line_number":545,"context_line":"nova_pki_create_ca: \"{{ openstack_pki_authorities is not defined | bool }}\""},{"line_number":546,"context_line":"nova_pki_regen_ca: \u0027\u0027"},{"line_number":547,"context_line":"nova_pki_authorities:"},{"line_number":548,"context_line":"  - name: \"novaRoot\""},{"line_number":549,"context_line":"    country: \"GB\""},{"line_number":550,"context_line":"    state_or_province_name: \"England\""},{"line_number":551,"context_line":"    organization_name: \"Example Corporation\""},{"line_number":552,"context_line":"    organizational_unit_name: \"IT Security\""},{"line_number":553,"context_line":"    cn: \"nova Root CA\""},{"line_number":554,"context_line":"    provider: selfsigned"},{"line_number":555,"context_line":"    basic_constraints: \"CA:TRUE\""},{"line_number":556,"context_line":"    key_usage:"},{"line_number":557,"context_line":"      - digitalSignature"},{"line_number":558,"context_line":"      - cRLSign"},{"line_number":559,"context_line":"      - keyCertSign"},{"line_number":560,"context_line":"    not_after: \"+3650d\""},{"line_number":561,"context_line":"  - name: \"novaIntermediate\""},{"line_number":562,"context_line":"    country: \"GB\""},{"line_number":563,"context_line":"    state_or_province_name: \"England\""},{"line_number":564,"context_line":"    organization_name: \"Example 
Corporation\""},{"line_number":565,"context_line":"    organizational_unit_name: \"IT Security\""},{"line_number":566,"context_line":"    cn: \"nova Intermediate CA\""},{"line_number":567,"context_line":"    provider: ownca"},{"line_number":568,"context_line":"    basic_constraints: \"CA:TRUE,pathlen:0\""},{"line_number":569,"context_line":"    key_usage:"},{"line_number":570,"context_line":"      - digitalSignature"},{"line_number":571,"context_line":"      - cRLSign"},{"line_number":572,"context_line":"      - keyCertSign"},{"line_number":573,"context_line":"    not_after: \"+3650d\""},{"line_number":574,"context_line":"    signed_by: \"novaRoot\""},{"line_number":575,"context_line":""},{"line_number":576,"context_line":"# Installation details for certificate authorities"},{"line_number":577,"context_line":"nova_pki_install_ca:"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"abf92d4a_d6daf5f9","line":574,"range":{"start_line":544,"start_character":0,"end_line":574,"end_character":25},"in_reply_to":"3eb42b6a_11a6a044","updated":"2021-11-03 16:14:43.000000000","message":"Thanks, will remove, was just copied from RabbitMq role.","commit_id":"9c4e9afbd6d6120f3ae56832527766fc45c1736e"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"c47887f7e4680998221883a4afc10c37d2443cbc","unresolved":true,"context_lines":[{"line_number":584,"context_line":"nova_pki_intermediate_cert_name: \"{{ openstack_pki_service_intermediate_cert_name | default(\u0027novaIntermediate\u0027) }}\""},{"line_number":585,"context_line":"nova_pki_intermediate_cert_path: \"{{ nova_pki_dir ~ \u0027/roots/\u0027 ~ nova_pki_intermediate_cert_name ~ \u0027/certs/\u0027 ~ nova_pki_intermediate_cert_name ~ \u0027.crt\u0027 }}\""},{"line_number":586,"context_line":"nova_pki_regen_cert: \u0027\u0027"},{"line_number":587,"context_line":"nova_pki_certificates:"},{"line_number":588,"context_line":"  - name: 
\"nova_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":589,"context_line":"    provider: ownca"},{"line_number":590,"context_line":"    cn: \"{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":591,"context_line":"    san: \"{{ \u0027DNS:\u0027 ~ ansible_facts[\u0027hostname\u0027] ~ \u0027,IP:\u0027 ~ ansible_host }}\""},{"line_number":592,"context_line":"    signed_by: \"{{ nova_pki_intermediate_cert_name }}\""},{"line_number":593,"context_line":"    key_usage:"},{"line_number":594,"context_line":"      - digitalSignature"},{"line_number":595,"context_line":"      - keyAgreement"},{"line_number":596,"context_line":"    extended_key_usage:"},{"line_number":597,"context_line":"      - clientAuth"},{"line_number":598,"context_line":"      - serverAuth"},{"line_number":599,"context_line":""},{"line_number":600,"context_line":"# libvirt destination files for SSL certificates"},{"line_number":601,"context_line":"nova_libvirt_ssl_dir: /etc/pki/qemu/"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"a386c412_f3b53f98","line":598,"range":{"start_line":587,"start_character":0,"end_line":598,"end_character":18},"updated":"2021-10-25 09:25:12.000000000","message":"is this making one cert/key which we use for both client and server authentication?","commit_id":"9c4e9afbd6d6120f3ae56832527766fc45c1736e"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"1ccfeb26d7f6a67c26a2a42abc7408bf8ab3a8cf","unresolved":true,"context_lines":[{"line_number":584,"context_line":"nova_pki_intermediate_cert_name: \"{{ openstack_pki_service_intermediate_cert_name | default(\u0027novaIntermediate\u0027) }}\""},{"line_number":585,"context_line":"nova_pki_intermediate_cert_path: \"{{ nova_pki_dir ~ \u0027/roots/\u0027 ~ nova_pki_intermediate_cert_name ~ \u0027/certs/\u0027 ~ nova_pki_intermediate_cert_name ~ \u0027.crt\u0027 }}\""},{"line_number":586,"context_line":"nova_pki_regen_cert: 
\u0027\u0027"},{"line_number":587,"context_line":"nova_pki_certificates:"},{"line_number":588,"context_line":"  - name: \"nova_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":589,"context_line":"    provider: ownca"},{"line_number":590,"context_line":"    cn: \"{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":591,"context_line":"    san: \"{{ \u0027DNS:\u0027 ~ ansible_facts[\u0027hostname\u0027] ~ \u0027,IP:\u0027 ~ ansible_host }}\""},{"line_number":592,"context_line":"    signed_by: \"{{ nova_pki_intermediate_cert_name }}\""},{"line_number":593,"context_line":"    key_usage:"},{"line_number":594,"context_line":"      - digitalSignature"},{"line_number":595,"context_line":"      - keyAgreement"},{"line_number":596,"context_line":"    extended_key_usage:"},{"line_number":597,"context_line":"      - clientAuth"},{"line_number":598,"context_line":"      - serverAuth"},{"line_number":599,"context_line":""},{"line_number":600,"context_line":"# libvirt destination files for SSL certificates"},{"line_number":601,"context_line":"nova_libvirt_ssl_dir: /etc/pki/qemu/"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"a8d6c783_344bd4db","line":598,"range":{"start_line":587,"start_character":0,"end_line":598,"end_character":18},"in_reply_to":"a386c412_f3b53f98","updated":"2021-11-03 16:14:43.000000000","message":"Yeah, libvirt supports having a separate cert for client and server auth, but didn\u0027t see a reason why we would not just have one cert signed for both uses.","commit_id":"9c4e9afbd6d6120f3ae56832527766fc45c1736e"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"59dffb688f47c7766cb6035d13d81f12e8ef57a8","unresolved":true,"context_lines":[{"line_number":536,"context_line":"nova_pci_alias: []"},{"line_number":537,"context_line":""},{"line_number":538,"context_line":"# Storage location for SSL certificate 
authority"},{"line_number":539,"context_line":"nova_pki_dir: \"{{ openstack_pki_dir | default(\u0027/etc/pki/nova-ca\u0027) }}\""},{"line_number":540,"context_line":""},{"line_number":541,"context_line":"# Delegated host for operating the certificate authority"},{"line_number":542,"context_line":"nova_pki_setup_host: \"{{ openstack_pki_setup_host | default(\u0027localhost\u0027) }}\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"79f678bf_0cc4fd11","line":539,"range":{"start_line":539,"start_character":38,"end_line":539,"end_character":65},"updated":"2021-10-29 08:46:53.000000000","message":"i think we can remove this","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"1ccfeb26d7f6a67c26a2a42abc7408bf8ab3a8cf","unresolved":false,"context_lines":[{"line_number":536,"context_line":"nova_pci_alias: []"},{"line_number":537,"context_line":""},{"line_number":538,"context_line":"# Storage location for SSL certificate authority"},{"line_number":539,"context_line":"nova_pki_dir: \"{{ openstack_pki_dir | default(\u0027/etc/pki/nova-ca\u0027) }}\""},{"line_number":540,"context_line":""},{"line_number":541,"context_line":"# Delegated host for operating the certificate authority"},{"line_number":542,"context_line":"nova_pki_setup_host: \"{{ openstack_pki_setup_host | default(\u0027localhost\u0027) }}\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"a105b6b1_48450bcd","line":539,"range":{"start_line":539,"start_character":38,"end_line":539,"end_character":65},"in_reply_to":"79f678bf_0cc4fd11","updated":"2021-11-03 16:14:43.000000000","message":"Done","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":25023,"name":"Jonathan 
Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"59dffb688f47c7766cb6035d13d81f12e8ef57a8","unresolved":true,"context_lines":[{"line_number":544,"context_line":"# nova server certificate"},{"line_number":545,"context_line":"nova_pki_keys_path: \"{{ nova_pki_dir ~ \u0027/certs/private/\u0027 }}\""},{"line_number":546,"context_line":"nova_pki_certs_path: \"{{ nova_pki_dir ~ \u0027/certs/certs/\u0027 }}\""},{"line_number":547,"context_line":"nova_pki_intermediate_cert_name: \"{{ openstack_pki_service_intermediate_cert_name | default(\u0027novaIntermediate\u0027) }}\""},{"line_number":548,"context_line":"nova_pki_intermediate_cert_path: \"{{ nova_pki_dir ~ \u0027/roots/\u0027 ~ nova_pki_intermediate_cert_name ~ \u0027/certs/\u0027 ~ nova_pki_intermediate_cert_name ~ \u0027.crt\u0027 }}\""},{"line_number":549,"context_line":"nova_pki_regen_cert: \u0027\u0027"},{"line_number":550,"context_line":"nova_pki_certificates:"}],"source_content_type":"text/x-yaml","patch_set":8,"id":"4cc5fd64_bc8caad6","line":547,"range":{"start_line":547,"start_character":93,"end_line":547,"end_character":109},"updated":"2021-10-29 08:46:53.000000000","message":"i dont think that this is defined, we can remove the default","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"1ccfeb26d7f6a67c26a2a42abc7408bf8ab3a8cf","unresolved":false,"context_lines":[{"line_number":544,"context_line":"# nova server certificate"},{"line_number":545,"context_line":"nova_pki_keys_path: \"{{ nova_pki_dir ~ \u0027/certs/private/\u0027 }}\""},{"line_number":546,"context_line":"nova_pki_certs_path: \"{{ nova_pki_dir ~ \u0027/certs/certs/\u0027 }}\""},{"line_number":547,"context_line":"nova_pki_intermediate_cert_name: \"{{ openstack_pki_service_intermediate_cert_name | default(\u0027novaIntermediate\u0027) 
}}\""},{"line_number":548,"context_line":"nova_pki_intermediate_cert_path: \"{{ nova_pki_dir ~ \u0027/roots/\u0027 ~ nova_pki_intermediate_cert_name ~ \u0027/certs/\u0027 ~ nova_pki_intermediate_cert_name ~ \u0027.crt\u0027 }}\""},{"line_number":549,"context_line":"nova_pki_regen_cert: \u0027\u0027"},{"line_number":550,"context_line":"nova_pki_certificates:"}],"source_content_type":"text/x-yaml","patch_set":8,"id":"d56e596d_5351665d","line":547,"range":{"start_line":547,"start_character":93,"end_line":547,"end_character":109},"in_reply_to":"4cc5fd64_bc8caad6","updated":"2021-11-03 16:14:43.000000000","message":"Done","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"59dffb688f47c7766cb6035d13d81f12e8ef57a8","unresolved":true,"context_lines":[{"line_number":547,"context_line":"nova_pki_intermediate_cert_name: \"{{ openstack_pki_service_intermediate_cert_name | default(\u0027novaIntermediate\u0027) }}\""},{"line_number":548,"context_line":"nova_pki_intermediate_cert_path: \"{{ nova_pki_dir ~ \u0027/roots/\u0027 ~ nova_pki_intermediate_cert_name ~ \u0027/certs/\u0027 ~ nova_pki_intermediate_cert_name ~ \u0027.crt\u0027 }}\""},{"line_number":549,"context_line":"nova_pki_regen_cert: \u0027\u0027"},{"line_number":550,"context_line":"nova_pki_certificates:"},{"line_number":551,"context_line":"  - name: \"nova_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":552,"context_line":"    provider: ownca"},{"line_number":553,"context_line":"    cn: \"{{ ansible_facts[\u0027nodename\u0027] }}\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"18da8b41_1150958f","line":550,"range":{"start_line":550,"start_character":0,"end_line":550,"end_character":22},"updated":"2021-10-29 08:46:53.000000000","message":"should we be using different server and client 
certificates?","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"1ccfeb26d7f6a67c26a2a42abc7408bf8ab3a8cf","unresolved":true,"context_lines":[{"line_number":547,"context_line":"nova_pki_intermediate_cert_name: \"{{ openstack_pki_service_intermediate_cert_name | default(\u0027novaIntermediate\u0027) }}\""},{"line_number":548,"context_line":"nova_pki_intermediate_cert_path: \"{{ nova_pki_dir ~ \u0027/roots/\u0027 ~ nova_pki_intermediate_cert_name ~ \u0027/certs/\u0027 ~ nova_pki_intermediate_cert_name ~ \u0027.crt\u0027 }}\""},{"line_number":549,"context_line":"nova_pki_regen_cert: \u0027\u0027"},{"line_number":550,"context_line":"nova_pki_certificates:"},{"line_number":551,"context_line":"  - name: \"nova_{{ ansible_facts[\u0027hostname\u0027] }}\""},{"line_number":552,"context_line":"    provider: ownca"},{"line_number":553,"context_line":"    cn: \"{{ ansible_facts[\u0027nodename\u0027] }}\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"549a170a_5e1e489b","line":550,"range":{"start_line":550,"start_character":0,"end_line":550,"end_character":22},"in_reply_to":"18da8b41_1150958f","updated":"2021-11-03 16:14:43.000000000","message":"I don\u0027t think so, the only reason i can think to why you might want separate server and client certs is to reduce the risk if one of the certificates was compromised, but if that happens I think you have a bigger problem.","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"59dffb688f47c7766cb6035d13d81f12e8ef57a8","unresolved":true,"context_lines":[{"line_number":567,"context_line":""},{"line_number":568,"context_line":""},{"line_number":569,"context_line":"# Installation details for SSL 
certificates"},{"line_number":570,"context_line":"nova_pki_install_certificates:"},{"line_number":571,"context_line":"  - src: \"{{ nova_user_ssl_cert | default(nova_pki_certs_path ~ \u0027nova_\u0027 ~ ansible_facts[\u0027hostname\u0027] ~ \u0027-chain.crt\u0027) }}\""},{"line_number":572,"context_line":"    dest: \"{{ nova_libvirt_ssl_dir }}/servercert.pem\""},{"line_number":573,"context_line":"    owner: \"root\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"34e7c51c_a35358a3","line":570,"range":{"start_line":570,"start_character":0,"end_line":570,"end_character":29},"updated":"2021-10-29 08:46:53.000000000","message":"can we install the client/server certs/keys for libvirt and qemu once and have them both reference the same path? Doubling the number of install tasks for each compute node is a fair overhead?","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"0bd8e6ce560aa832da82d941e9476b6e403419ee","unresolved":true,"context_lines":[{"line_number":567,"context_line":""},{"line_number":568,"context_line":""},{"line_number":569,"context_line":"# Installation details for SSL certificates"},{"line_number":570,"context_line":"nova_pki_install_certificates:"},{"line_number":571,"context_line":"  - src: \"{{ nova_user_ssl_cert | default(nova_pki_certs_path ~ \u0027nova_\u0027 ~ ansible_facts[\u0027hostname\u0027] ~ \u0027-chain.crt\u0027) }}\""},{"line_number":572,"context_line":"    dest: \"{{ nova_libvirt_ssl_dir }}/servercert.pem\""},{"line_number":573,"context_line":"    owner: \"root\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"bb7c528c_6cfdf6c1","line":570,"range":{"start_line":570,"start_character":0,"end_line":570,"end_character":29},"in_reply_to":"2410a0b0_8baa4946","updated":"2021-11-03 16:36:26.000000000","message":"Is it possible to configure either of libvirt or qemu to look at an 
alternative certificate path, through the config file? That would avoid needing to do any symlinking. This may of course be an unnecessary optimisation.","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"1ccfeb26d7f6a67c26a2a42abc7408bf8ab3a8cf","unresolved":true,"context_lines":[{"line_number":567,"context_line":""},{"line_number":568,"context_line":""},{"line_number":569,"context_line":"# Installation details for SSL certificates"},{"line_number":570,"context_line":"nova_pki_install_certificates:"},{"line_number":571,"context_line":"  - src: \"{{ nova_user_ssl_cert | default(nova_pki_certs_path ~ \u0027nova_\u0027 ~ ansible_facts[\u0027hostname\u0027] ~ \u0027-chain.crt\u0027) }}\""},{"line_number":572,"context_line":"    dest: \"{{ nova_libvirt_ssl_dir }}/servercert.pem\""},{"line_number":573,"context_line":"    owner: \"root\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"2410a0b0_8baa4946","line":570,"range":{"start_line":570,"start_character":0,"end_line":570,"end_character":29},"in_reply_to":"34e7c51c_a35358a3","updated":"2021-11-03 16:14:43.000000000","message":"I did think about this, but then wasn\u0027t sure where that could be neatly added, as the PKI role just supports copy, not symlinks.\nWould that be best to be added in the nova role as a separate task?","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"ae54d6f9ac56e6d04bc18a8a49c5f81b4e912861","unresolved":true,"context_lines":[{"line_number":567,"context_line":""},{"line_number":568,"context_line":""},{"line_number":569,"context_line":"# Installation details for SSL certificates"},{"line_number":570,"context_line":"nova_pki_install_certificates:"},{"line_number":571,"context_line":"  - src: \"{{ 
nova_user_ssl_cert | default(nova_pki_certs_path ~ \u0027nova_\u0027 ~ ansible_facts[\u0027hostname\u0027] ~ \u0027-chain.crt\u0027) }}\""},{"line_number":572,"context_line":"    dest: \"{{ nova_libvirt_ssl_dir }}/servercert.pem\""},{"line_number":573,"context_line":"    owner: \"root\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"f882e752_35ec108e","line":570,"range":{"start_line":570,"start_character":0,"end_line":570,"end_character":29},"in_reply_to":"b44bffbf_d0d3b380","updated":"2021-11-10 10:53:25.000000000","message":"Let\u0027s reduce complexity where possible imo.","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"f9a91e9428c2be1ba618e5b9583b0437a9e1d67d","unresolved":true,"context_lines":[{"line_number":567,"context_line":""},{"line_number":568,"context_line":""},{"line_number":569,"context_line":"# Installation details for SSL certificates"},{"line_number":570,"context_line":"nova_pki_install_certificates:"},{"line_number":571,"context_line":"  - src: \"{{ nova_user_ssl_cert | default(nova_pki_certs_path ~ \u0027nova_\u0027 ~ ansible_facts[\u0027hostname\u0027] ~ \u0027-chain.crt\u0027) }}\""},{"line_number":572,"context_line":"    dest: \"{{ nova_libvirt_ssl_dir }}/servercert.pem\""},{"line_number":573,"context_line":"    owner: \"root\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"b44bffbf_d0d3b380","line":570,"range":{"start_line":570,"start_character":0,"end_line":570,"end_character":29},"in_reply_to":"bb7c528c_6cfdf6c1","updated":"2021-11-08 14:09:57.000000000","message":"It is possible to configure libvirt\u0027s server cert file path, but not the client cert file path\nhttps://libvirt.org/remote.html#Remote_libvirtd_configuration\n\nFor QEMU it possible to set the directory but not the filename and unhelpfully libvirt uses `servercert.pem` and qemu 
`server-cert.pem`\nhttps://github.com/libvirt/libvirt/blob/8970094afd473234a3cbf0d8f1f8cbe6e2e421b7/src/qemu/qemu.conf#L25\n\nSo to reduce the number of copy operations we could set libvirt to use the server cert and CA in /etc/pki/qemu/\nBut libvirt would still used the client cert in /etc/pki/libvirt/\nThis would remove 3 copies per compute host.\n\nDo you think this is worth the increased complexity?\nOr we could add symlinks?","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"ce08ba56a8ef49b207fc8089c09022e6271a7309","unresolved":false,"context_lines":[{"line_number":567,"context_line":""},{"line_number":568,"context_line":""},{"line_number":569,"context_line":"# Installation details for SSL certificates"},{"line_number":570,"context_line":"nova_pki_install_certificates:"},{"line_number":571,"context_line":"  - src: \"{{ nova_user_ssl_cert | default(nova_pki_certs_path ~ \u0027nova_\u0027 ~ ansible_facts[\u0027hostname\u0027] ~ \u0027-chain.crt\u0027) }}\""},{"line_number":572,"context_line":"    dest: \"{{ nova_libvirt_ssl_dir }}/servercert.pem\""},{"line_number":573,"context_line":"    owner: \"root\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"fdd266e1_960c194e","line":570,"range":{"start_line":570,"start_character":0,"end_line":570,"end_character":29},"in_reply_to":"f882e752_35ec108e","updated":"2021-11-11 14:37:16.000000000","message":"Done","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"59dffb688f47c7766cb6035d13d81f12e8ef57a8","unresolved":true,"context_lines":[{"line_number":608,"context_line":"    owner: \"root\""},{"line_number":609,"context_line":"    group: \"{{ nova_qemu_user }}\""},{"line_number":610,"context_line":"    mode: 
\"0640\""},{"line_number":611,"context_line":"  - src: \"{{ nova_user_ssl_ca_cert | default(nova_pki_intermediate_cert_path) }}\""},{"line_number":612,"context_line":"    dest: \"{{ nova_qemu_ssl_dir }}/ca-cert.pem\""},{"line_number":613,"context_line":"    owner: \"root\""},{"line_number":614,"context_line":"    group: \"root\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"4e76f533_80dc8e9a","line":611,"range":{"start_line":611,"start_character":0,"end_line":611,"end_character":81},"updated":"2021-10-29 08:46:53.000000000","message":"this installs a user defined CA and defaults to the intermediate, is this right?","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"1d5d9b112037bef524f56c6647b9777875e67d01","unresolved":true,"context_lines":[{"line_number":608,"context_line":"    owner: \"root\""},{"line_number":609,"context_line":"    group: \"{{ nova_qemu_user }}\""},{"line_number":610,"context_line":"    mode: \"0640\""},{"line_number":611,"context_line":"  - src: \"{{ nova_user_ssl_ca_cert | default(nova_pki_intermediate_cert_path) }}\""},{"line_number":612,"context_line":"    dest: \"{{ nova_qemu_ssl_dir }}/ca-cert.pem\""},{"line_number":613,"context_line":"    owner: \"root\""},{"line_number":614,"context_line":"    group: \"root\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"9a1ade01_6f092185","line":611,"range":{"start_line":611,"start_character":0,"end_line":611,"end_character":81},"in_reply_to":"1d6fd9cc_e9456be4","updated":"2021-11-11 14:45:27.000000000","message":"Yeah, I meant smth we\u0027ve done in rabbitmq. 
I agree that it\u0027s not a requirement as os_nova can\u0027t be used as standalone role (as jrosser already mentioned), but it\u0027s still might be valid usecase to use different CA I guess.\nWe can implement this later though.","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"ae54d6f9ac56e6d04bc18a8a49c5f81b4e912861","unresolved":false,"context_lines":[{"line_number":608,"context_line":"    owner: \"root\""},{"line_number":609,"context_line":"    group: \"{{ nova_qemu_user }}\""},{"line_number":610,"context_line":"    mode: \"0640\""},{"line_number":611,"context_line":"  - src: \"{{ nova_user_ssl_ca_cert | default(nova_pki_intermediate_cert_path) }}\""},{"line_number":612,"context_line":"    dest: \"{{ nova_qemu_ssl_dir }}/ca-cert.pem\""},{"line_number":613,"context_line":"    owner: \"root\""},{"line_number":614,"context_line":"    group: \"root\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"f3302860_8219dc4a","line":611,"range":{"start_line":611,"start_character":0,"end_line":611,"end_character":81},"in_reply_to":"26a64d5e_1eabdff0","updated":"2021-11-10 10:53:25.000000000","message":"Well in addition to that I believe the usecase where separate from global openstack CA might be used specifically for libvirt is valid one.\n\nAnd here we don\u0027t provide an option to easily re-define/overwrite CA used for nova and pretty opinionated what CA to use.\n\nWhile this will work, would be great to allow deployer to configure CA within role if needed. 
Could be done as follow-up though","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"1ccfeb26d7f6a67c26a2a42abc7408bf8ab3a8cf","unresolved":false,"context_lines":[{"line_number":608,"context_line":"    owner: \"root\""},{"line_number":609,"context_line":"    group: \"{{ nova_qemu_user }}\""},{"line_number":610,"context_line":"    mode: \"0640\""},{"line_number":611,"context_line":"  - src: \"{{ nova_user_ssl_ca_cert | default(nova_pki_intermediate_cert_path) }}\""},{"line_number":612,"context_line":"    dest: \"{{ nova_qemu_ssl_dir }}/ca-cert.pem\""},{"line_number":613,"context_line":"    owner: \"root\""},{"line_number":614,"context_line":"    group: \"root\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"6117c853_c3f307dc","line":611,"range":{"start_line":611,"start_character":0,"end_line":611,"end_character":81},"in_reply_to":"4e76f533_80dc8e9a","updated":"2021-11-03 16:14:43.000000000","message":"This should install the Root CA, will update.\nMight need changing in rabbitMQ role as well?\nhttps://github.com/openstack/openstack-ansible-rabbitmq_server/blob/a2b11fcad936abd2997a4a45af8c8f8e54fb5368/defaults/main.yml#L177","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"0bd8e6ce560aa832da82d941e9476b6e403419ee","unresolved":false,"context_lines":[{"line_number":608,"context_line":"    owner: \"root\""},{"line_number":609,"context_line":"    group: \"{{ nova_qemu_user }}\""},{"line_number":610,"context_line":"    mode: \"0640\""},{"line_number":611,"context_line":"  - src: \"{{ nova_user_ssl_ca_cert | default(nova_pki_intermediate_cert_path) }}\""},{"line_number":612,"context_line":"    dest: \"{{ nova_qemu_ssl_dir }}/ca-cert.pem\""},{"line_number":613,"context_line":"    
owner: \"root\""},{"line_number":614,"context_line":"    group: \"root\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"26a64d5e_1eabdff0","line":611,"range":{"start_line":611,"start_character":0,"end_line":611,"end_character":81},"in_reply_to":"6117c853_c3f307dc","updated":"2021-11-03 16:36:26.000000000","message":"The rabbitmq role is much more universal and can be used outside of openstack-ansible so it is completely self-contained, to the point of being able to manage its own CA. That\u0027s not necessary for os_nova.","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"39a56cb609c9b87420e3e739788cfcbf031dd330","unresolved":false,"context_lines":[{"line_number":608,"context_line":"    owner: \"root\""},{"line_number":609,"context_line":"    group: \"{{ nova_qemu_user }}\""},{"line_number":610,"context_line":"    mode: \"0640\""},{"line_number":611,"context_line":"  - src: \"{{ nova_user_ssl_ca_cert | default(nova_pki_intermediate_cert_path) }}\""},{"line_number":612,"context_line":"    dest: \"{{ nova_qemu_ssl_dir }}/ca-cert.pem\""},{"line_number":613,"context_line":"    owner: \"root\""},{"line_number":614,"context_line":"    group: \"root\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"c107a5e0_5412bb92","line":611,"range":{"start_line":611,"start_character":0,"end_line":611,"end_character":81},"in_reply_to":"9a1ade01_6f092185","updated":"2021-11-11 14:53:27.000000000","message":"Done","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"ce08ba56a8ef49b207fc8089c09022e6271a7309","unresolved":true,"context_lines":[{"line_number":608,"context_line":"    owner: \"root\""},{"line_number":609,"context_line":"    group: \"{{ nova_qemu_user 
}}\""},{"line_number":610,"context_line":"    mode: \"0640\""},{"line_number":611,"context_line":"  - src: \"{{ nova_user_ssl_ca_cert | default(nova_pki_intermediate_cert_path) }}\""},{"line_number":612,"context_line":"    dest: \"{{ nova_qemu_ssl_dir }}/ca-cert.pem\""},{"line_number":613,"context_line":"    owner: \"root\""},{"line_number":614,"context_line":"    group: \"root\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"1d6fd9cc_e9456be4","line":611,"range":{"start_line":611,"start_character":0,"end_line":611,"end_character":81},"in_reply_to":"f3302860_8219dc4a","updated":"2021-11-11 14:37:16.000000000","message":"When you say \"we don\u0027t provide an option to easily re-define/overwirte CA used for nova\", what are you suggesting? Something similar to what is done in the RabbitMQ role, where it can create its own CA? https://github.com/openstack/openstack-ansible-rabbitmq_server/blob/a2b11fcad936abd2997a4a45af8c8f8e54fb5368/defaults/main.yml#L110-L146\n\nThere is an option to use a user provided cert and corresponding CA by setting the following vars\n# Define user-provided SSL certificates in:\n# /etc/openstack_deploy/user_variables.yml\n#nova_user_ssl_cert: \u003cpath to cert on ansible deployment host\u003e\n#nova_user_ssl_key: \u003cpath to cert on ansible deployment host\u003e\n#nova_user_ssl_ca_cert: \u003cpath to cert on ansible deployment host","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"59dffb688f47c7766cb6035d13d81f12e8ef57a8","unresolved":true,"context_lines":[{"line_number":613,"context_line":"    owner: \"root\""},{"line_number":614,"context_line":"    group: \"root\""},{"line_number":615,"context_line":"    mode: \"0644\""},{"line_number":616,"context_line":"  - src: \"{{ nova_user_ssl_ca_cert | default(nova_pki_intermediate_cert_path) }}\""},{"line_number":617,"context_line":"    
dest: \"/etc/pki/CA/cacert.pem\""},{"line_number":618,"context_line":"    owner: \"root\""},{"line_number":619,"context_line":"    group: \"root\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"c4512c9b_c07e84a1","line":616,"range":{"start_line":616,"start_character":1,"end_line":616,"end_character":81},"updated":"2021-10-29 08:46:53.000000000","message":"this installs the user CA and defaults to the intermediate, these are different things?","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"1ccfeb26d7f6a67c26a2a42abc7408bf8ab3a8cf","unresolved":false,"context_lines":[{"line_number":613,"context_line":"    owner: \"root\""},{"line_number":614,"context_line":"    group: \"root\""},{"line_number":615,"context_line":"    mode: \"0644\""},{"line_number":616,"context_line":"  - src: \"{{ nova_user_ssl_ca_cert | default(nova_pki_intermediate_cert_path) }}\""},{"line_number":617,"context_line":"    dest: \"/etc/pki/CA/cacert.pem\""},{"line_number":618,"context_line":"    owner: \"root\""},{"line_number":619,"context_line":"    group: \"root\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"e6c9e03b_aa778862","line":616,"range":{"start_line":616,"start_character":1,"end_line":616,"end_character":81},"in_reply_to":"c4512c9b_c07e84a1","updated":"2021-11-03 16:14:43.000000000","message":"Done","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"59dffb688f47c7766cb6035d13d81f12e8ef57a8","unresolved":true,"context_lines":[{"line_number":614,"context_line":"    group: \"root\""},{"line_number":615,"context_line":"    mode: \"0644\""},{"line_number":616,"context_line":"  - src: \"{{ nova_user_ssl_ca_cert | default(nova_pki_intermediate_cert_path) 
}}\""},{"line_number":617,"context_line":"    dest: \"/etc/pki/CA/cacert.pem\""},{"line_number":618,"context_line":"    owner: \"root\""},{"line_number":619,"context_line":"    group: \"root\""},{"line_number":620,"context_line":"    mode: \"0644\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"49474990_edf508ba","line":617,"range":{"start_line":617,"start_character":4,"end_line":617,"end_character":34},"updated":"2021-10-29 08:46:53.000000000","message":"is this right?","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"1ccfeb26d7f6a67c26a2a42abc7408bf8ab3a8cf","unresolved":false,"context_lines":[{"line_number":614,"context_line":"    group: \"root\""},{"line_number":615,"context_line":"    mode: \"0644\""},{"line_number":616,"context_line":"  - src: \"{{ nova_user_ssl_ca_cert | default(nova_pki_intermediate_cert_path) }}\""},{"line_number":617,"context_line":"    dest: \"/etc/pki/CA/cacert.pem\""},{"line_number":618,"context_line":"    owner: \"root\""},{"line_number":619,"context_line":"    group: \"root\""},{"line_number":620,"context_line":"    mode: \"0644\""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"87ae82c4_a20488e8","line":617,"range":{"start_line":617,"start_character":4,"end_line":617,"end_character":34},"in_reply_to":"49474990_edf508ba","updated":"2021-11-03 16:14:43.000000000","message":"Done","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"59dffb688f47c7766cb6035d13d81f12e8ef57a8","unresolved":true,"context_lines":[{"line_number":613,"context_line":"    owner: \"root\""},{"line_number":614,"context_line":"    group: \"root\""},{"line_number":615,"context_line":"    mode: \"0644\""},{"line_number":616,"context_line":"  - src: \"{{ 
nova_user_ssl_ca_cert | default(nova_pki_intermediate_cert_path) }}\""},{"line_number":617,"context_line":"    dest: \"/etc/pki/CA/cacert.pem\""},{"line_number":618,"context_line":"    owner: \"root\""},{"line_number":619,"context_line":"    group: \"root\""},{"line_number":620,"context_line":"    mode: \"0644\""},{"line_number":621,"context_line":""},{"line_number":622,"context_line":"# Define user-provided SSL certificates in:"},{"line_number":623,"context_line":"# /etc/openstack_deploy/user_variables.yml"}],"source_content_type":"text/x-yaml","patch_set":8,"id":"2a570535_88b48f72","line":620,"range":{"start_line":616,"start_character":0,"end_line":620,"end_character":16},"updated":"2021-10-29 08:46:53.000000000","message":"why do we put the intermediate in the CA store, this feels wrong?","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"1ccfeb26d7f6a67c26a2a42abc7408bf8ab3a8cf","unresolved":false,"context_lines":[{"line_number":613,"context_line":"    owner: \"root\""},{"line_number":614,"context_line":"    group: \"root\""},{"line_number":615,"context_line":"    mode: \"0644\""},{"line_number":616,"context_line":"  - src: \"{{ nova_user_ssl_ca_cert | default(nova_pki_intermediate_cert_path) }}\""},{"line_number":617,"context_line":"    dest: \"/etc/pki/CA/cacert.pem\""},{"line_number":618,"context_line":"    owner: \"root\""},{"line_number":619,"context_line":"    group: \"root\""},{"line_number":620,"context_line":"    mode: \"0644\""},{"line_number":621,"context_line":""},{"line_number":622,"context_line":"# Define user-provided SSL certificates in:"},{"line_number":623,"context_line":"# 
/etc/openstack_deploy/user_variables.yml"}],"source_content_type":"text/x-yaml","patch_set":8,"id":"502cc9ea_d0eedddd","line":620,"range":{"start_line":616,"start_character":0,"end_line":620,"end_character":16},"in_reply_to":"2a570535_88b48f72","updated":"2021-11-03 16:14:43.000000000","message":"Done","commit_id":"c88ddedbaf7a77a7666b0cb6b0bd1c6b49a773be"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"0bd8e6ce560aa832da82d941e9476b6e403419ee","unresolved":true,"context_lines":[{"line_number":608,"context_line":"    owner: \"root\""},{"line_number":609,"context_line":"    group: \"{{ nova_qemu_user }}\""},{"line_number":610,"context_line":"    mode: \"0640\""},{"line_number":611,"context_line":"  - src: \"{{ nova_user_ssl_ca_cert | default(nova_pki_root_cert_path) }}\""},{"line_number":612,"context_line":"    dest: \"{{ nova_qemu_ssl_dir }}/ca-cert.pem\""},{"line_number":613,"context_line":"    owner: \"root\""},{"line_number":614,"context_line":"    group: \"root\""},{"line_number":615,"context_line":"    mode: \"0644\""},{"line_number":616,"context_line":"  - src: \"{{ nova_user_ssl_ca_cert | default(nova_pki_root_cert_path) }}\""},{"line_number":617,"context_line":"    dest: \"/etc/pki/CA/cacert.pem\""},{"line_number":618,"context_line":"    owner: \"root\""},{"line_number":619,"context_line":"    group: \"root\""},{"line_number":620,"context_line":"    mode: \"0644\""},{"line_number":621,"context_line":""},{"line_number":622,"context_line":"# Define user-provided SSL certificates in:"},{"line_number":623,"context_line":"# /etc/openstack_deploy/user_variables.yml"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"5e5dc4ce_e7bfec98","line":620,"range":{"start_line":611,"start_character":0,"end_line":620,"end_character":16},"updated":"2021-11-03 16:36:26.000000000","message":"installation of CA certificates is done in the openstack_hosts role, i\u0027m not sure we 
need to deal with installing user defined CA within the nova role.","commit_id":"924e9299ec1367f3ce418bb06d8c6ea3944cc660"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"57d9c713327d82f8f19def12009407ac6ea18f42","unresolved":true,"context_lines":[{"line_number":608,"context_line":"    owner: \"root\""},{"line_number":609,"context_line":"    group: \"{{ nova_qemu_user }}\""},{"line_number":610,"context_line":"    mode: \"0640\""},{"line_number":611,"context_line":"  - src: \"{{ nova_user_ssl_ca_cert | default(nova_pki_root_cert_path) }}\""},{"line_number":612,"context_line":"    dest: \"{{ nova_qemu_ssl_dir }}/ca-cert.pem\""},{"line_number":613,"context_line":"    owner: \"root\""},{"line_number":614,"context_line":"    group: \"root\""},{"line_number":615,"context_line":"    mode: \"0644\""},{"line_number":616,"context_line":"  - src: \"{{ nova_user_ssl_ca_cert | default(nova_pki_root_cert_path) }}\""},{"line_number":617,"context_line":"    dest: \"/etc/pki/CA/cacert.pem\""},{"line_number":618,"context_line":"    owner: \"root\""},{"line_number":619,"context_line":"    group: \"root\""},{"line_number":620,"context_line":"    mode: \"0644\""},{"line_number":621,"context_line":""},{"line_number":622,"context_line":"# Define user-provided SSL certificates in:"},{"line_number":623,"context_line":"# /etc/openstack_deploy/user_variables.yml"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"a88fad16_9cc83c83","line":620,"range":{"start_line":611,"start_character":0,"end_line":620,"end_character":16},"in_reply_to":"5e5dc4ce_e7bfec98","updated":"2021-11-03 16:37:06.000000000","message":"See https://github.com/openstack/openstack-ansible-openstack_hosts/commit/9d1110a9781f72dadd9365bc2cde735fcdba63f1","commit_id":"924e9299ec1367f3ce418bb06d8c6ea3944cc660"},{"author":{"_account_id":31749,"name":"James 
Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"f9a91e9428c2be1ba618e5b9583b0437a9e1d67d","unresolved":true,"context_lines":[{"line_number":608,"context_line":"    owner: \"root\""},{"line_number":609,"context_line":"    group: \"{{ nova_qemu_user }}\""},{"line_number":610,"context_line":"    mode: \"0640\""},{"line_number":611,"context_line":"  - src: \"{{ nova_user_ssl_ca_cert | default(nova_pki_root_cert_path) }}\""},{"line_number":612,"context_line":"    dest: \"{{ nova_qemu_ssl_dir }}/ca-cert.pem\""},{"line_number":613,"context_line":"    owner: \"root\""},{"line_number":614,"context_line":"    group: \"root\""},{"line_number":615,"context_line":"    mode: \"0644\""},{"line_number":616,"context_line":"  - src: \"{{ nova_user_ssl_ca_cert | default(nova_pki_root_cert_path) }}\""},{"line_number":617,"context_line":"    dest: \"/etc/pki/CA/cacert.pem\""},{"line_number":618,"context_line":"    owner: \"root\""},{"line_number":619,"context_line":"    group: \"root\""},{"line_number":620,"context_line":"    mode: \"0644\""},{"line_number":621,"context_line":""},{"line_number":622,"context_line":"# Define user-provided SSL certificates in:"},{"line_number":623,"context_line":"# /etc/openstack_deploy/user_variables.yml"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"635e4b57_c00cdbdd","line":620,"range":{"start_line":611,"start_character":0,"end_line":620,"end_character":16},"in_reply_to":"a88fad16_9cc83c83","updated":"2021-11-08 14:09:57.000000000","message":"But that role would not install it in the correct location for libvirt/qemu would it?","commit_id":"924e9299ec1367f3ce418bb06d8c6ea3944cc660"}],"tasks/nova_compute.yml":[{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"f2a6958dbacc7f314cc7905d1155cbe4dc6c880e","unresolved":true,"context_lines":[{"line_number":21,"context_line":"  tags:"},{"line_number":22,"context_line":"   
 - always"},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"- import_tasks: nova_compute_key_populate.yml"},{"line_number":25,"context_line":"  tags:"},{"line_number":26,"context_line":"    - nova-config"},{"line_number":27,"context_line":"    - nova-key"}],"source_content_type":"text/x-yaml","patch_set":5,"id":"015320e1_3fe53168","line":24,"range":{"start_line":24,"start_character":2,"end_line":24,"end_character":14},"updated":"2021-10-28 10:58:03.000000000","message":"include_tasks","commit_id":"d0bba58fe085c09e4df393968dd2f9c943029df9"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"1ccfeb26d7f6a67c26a2a42abc7408bf8ab3a8cf","unresolved":false,"context_lines":[{"line_number":21,"context_line":"  tags:"},{"line_number":22,"context_line":"    - always"},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"- import_tasks: nova_compute_key_populate.yml"},{"line_number":25,"context_line":"  tags:"},{"line_number":26,"context_line":"    - nova-config"},{"line_number":27,"context_line":"    - nova-key"}],"source_content_type":"text/x-yaml","patch_set":5,"id":"9ff0d0eb_057221e5","line":24,"range":{"start_line":24,"start_character":2,"end_line":24,"end_character":14},"in_reply_to":"015320e1_3fe53168","updated":"2021-11-03 16:14:43.000000000","message":"Done","commit_id":"d0bba58fe085c09e4df393968dd2f9c943029df9"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"f2a6958dbacc7f314cc7905d1155cbe4dc6c880e","unresolved":true,"context_lines":[{"line_number":22,"context_line":"    - always"},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"- import_tasks: nova_compute_key_populate.yml"},{"line_number":25,"context_line":"  tags:"},{"line_number":26,"context_line":"    - nova-config"},{"line_number":27,"context_line":"    - 
nova-key"},{"line_number":28,"context_line":"  when:"},{"line_number":29,"context_line":"    - nova_libvirtd_listen_tls \u003d\u003d 1"},{"line_number":30,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":5,"id":"8b6dc263_151b0e0f","line":27,"range":{"start_line":25,"start_character":0,"end_line":27,"end_character":14},"updated":"2021-10-28 10:58:03.000000000","message":"also properly apply tags for include","commit_id":"d0bba58fe085c09e4df393968dd2f9c943029df9"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"1ccfeb26d7f6a67c26a2a42abc7408bf8ab3a8cf","unresolved":false,"context_lines":[{"line_number":22,"context_line":"    - always"},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"- import_tasks: nova_compute_key_populate.yml"},{"line_number":25,"context_line":"  tags:"},{"line_number":26,"context_line":"    - nova-config"},{"line_number":27,"context_line":"    - nova-key"},{"line_number":28,"context_line":"  when:"},{"line_number":29,"context_line":"    - nova_libvirtd_listen_tls \u003d\u003d 1"},{"line_number":30,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":5,"id":"d1e0b854_090d0966","line":27,"range":{"start_line":25,"start_character":0,"end_line":27,"end_character":14},"in_reply_to":"8b6dc263_151b0e0f","updated":"2021-11-03 16:14:43.000000000","message":"Done","commit_id":"d0bba58fe085c09e4df393968dd2f9c943029df9"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"f2a6958dbacc7f314cc7905d1155cbe4dc6c880e","unresolved":true,"context_lines":[{"line_number":28,"context_line":"  when:"},{"line_number":29,"context_line":"    - nova_libvirtd_listen_tls \u003d\u003d 1"},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"- import_tasks: nova_compute_key_distribute.yml"},{"line_number":32,"context_line":"  
tags:"},{"line_number":33,"context_line":"    - nova-config"},{"line_number":34,"context_line":"    - nova-key"},{"line_number":35,"context_line":"  when:"},{"line_number":36,"context_line":"   - nova_libvirtd_listen_tls \u003d\u003d 1"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"- name: Run the systemd mount role"},{"line_number":39,"context_line":"  include_role:"}],"source_content_type":"text/x-yaml","patch_set":5,"id":"b8bf4b8d_d899ad20","line":36,"range":{"start_line":31,"start_character":0,"end_line":36,"end_character":34},"updated":"2021-10-28 10:58:03.000000000","message":"ditto","commit_id":"d0bba58fe085c09e4df393968dd2f9c943029df9"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"1ccfeb26d7f6a67c26a2a42abc7408bf8ab3a8cf","unresolved":false,"context_lines":[{"line_number":28,"context_line":"  when:"},{"line_number":29,"context_line":"    - nova_libvirtd_listen_tls \u003d\u003d 1"},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"- import_tasks: nova_compute_key_distribute.yml"},{"line_number":32,"context_line":"  tags:"},{"line_number":33,"context_line":"    - nova-config"},{"line_number":34,"context_line":"    - nova-key"},{"line_number":35,"context_line":"  when:"},{"line_number":36,"context_line":"   - nova_libvirtd_listen_tls \u003d\u003d 1"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"- name: Run the systemd mount role"},{"line_number":39,"context_line":"  include_role:"}],"source_content_type":"text/x-yaml","patch_set":5,"id":"79224f66_6cd3fca8","line":36,"range":{"start_line":31,"start_character":0,"end_line":36,"end_character":34},"in_reply_to":"b8bf4b8d_d899ad20","updated":"2021-11-03 16:14:43.000000000","message":"Done","commit_id":"d0bba58fe085c09e4df393968dd2f9c943029df9"}]}
