)]}'
{"specs/wallaby/ssl-root-ca.rst":[{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9dcfdb0040a65293cc79191f070dfc35651548ff","unresolved":true,"context_lines":[{"line_number":7,"context_line":"  * https://blueprints.launchpad.net/openstack-ansible/+spec/ssl-root-ca"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Having SSL encryption is a vital part of every service in the modern world."},{"line_number":10,"context_line":"OpenStack-Ansible already provide deployoers options how to cover public"},{"line_number":11,"context_line":"and internal endpoints with SSL certificates and allows to generate and"},{"line_number":12,"context_line":"use self-signed certificates. However we can make these certificates"},{"line_number":13,"context_line":"\"verified\" by usage of the root CA, which will be distrivuted across all"}],"source_content_type":"text/x-rst","patch_set":3,"id":"edf8aaa8_ee8bf223","line":10,"range":{"start_line":10,"start_character":26,"end_line":10,"end_character":44},"updated":"2021-02-01 13:03:28.000000000","message":"provides deployers","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"27725bc64ffcaa39b5e7c055371355afd3f7213a","unresolved":false,"context_lines":[{"line_number":7,"context_line":"  * https://blueprints.launchpad.net/openstack-ansible/+spec/ssl-root-ca"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Having SSL encryption is a vital part of every service in the modern world."},{"line_number":10,"context_line":"OpenStack-Ansible already provide deployoers options how to cover public"},{"line_number":11,"context_line":"and internal endpoints with SSL certificates and allows to generate and"},{"line_number":12,"context_line":"use self-signed certificates. However we can make these certificates"},{"line_number":13,"context_line":"\"verified\" by usage of the root CA, which will be distrivuted across all"}],"source_content_type":"text/x-rst","patch_set":3,"id":"798d70bf_6aaf34f2","line":10,"range":{"start_line":10,"start_character":26,"end_line":10,"end_character":44},"in_reply_to":"edf8aaa8_ee8bf223","updated":"2021-02-01 14:25:27.000000000","message":"Done","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9dcfdb0040a65293cc79191f070dfc35651548ff","unresolved":true,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Having SSL encryption is a vital part of every service in the modern world."},{"line_number":10,"context_line":"OpenStack-Ansible already provide deployoers options how to cover public"},{"line_number":11,"context_line":"and internal endpoints with SSL certificates and allows to generate and"},{"line_number":12,"context_line":"use self-signed certificates. However we can make these certificates"},{"line_number":13,"context_line":"\"verified\" by usage of the root CA, which will be distrivuted across all"},{"line_number":14,"context_line":"containers and services. This will encrease security as users will be"}],"source_content_type":"text/x-rst","patch_set":3,"id":"c1a714b9_ed30a4b3","line":11,"range":{"start_line":11,"start_character":56,"end_line":11,"end_character":67},"updated":"2021-02-01 13:03:28.000000000","message":"the generation","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"27725bc64ffcaa39b5e7c055371355afd3f7213a","unresolved":false,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Having SSL encryption is a vital part of every service in the modern world."},{"line_number":10,"context_line":"OpenStack-Ansible already provide deployoers options how to cover public"},{"line_number":11,"context_line":"and internal endpoints with SSL certificates and allows to generate and"},{"line_number":12,"context_line":"use self-signed certificates. However we can make these certificates"},{"line_number":13,"context_line":"\"verified\" by usage of the root CA, which will be distrivuted across all"},{"line_number":14,"context_line":"containers and services. This will encrease security as users will be"}],"source_content_type":"text/x-rst","patch_set":3,"id":"8edbbea1_7dc73205","line":11,"range":{"start_line":11,"start_character":56,"end_line":11,"end_character":67},"in_reply_to":"c1a714b9_ed30a4b3","updated":"2021-02-01 14:25:27.000000000","message":"Done","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9dcfdb0040a65293cc79191f070dfc35651548ff","unresolved":true,"context_lines":[{"line_number":10,"context_line":"OpenStack-Ansible already provide deployoers options how to cover public"},{"line_number":11,"context_line":"and internal endpoints with SSL certificates and allows to generate and"},{"line_number":12,"context_line":"use self-signed certificates. However we can make these certificates"},{"line_number":13,"context_line":"\"verified\" by usage of the root CA, which will be distrivuted across all"},{"line_number":14,"context_line":"containers and services. This will encrease security as users will be"},{"line_number":15,"context_line":"alerted in case of the certificate mismatch, since certificate verification"},{"line_number":16,"context_line":"will be enabled."}],"source_content_type":"text/x-rst","patch_set":3,"id":"3d3d08a9_f225d17a","line":13,"range":{"start_line":13,"start_character":50,"end_line":13,"end_character":61},"updated":"2021-02-01 13:03:28.000000000","message":"distributed","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"27725bc64ffcaa39b5e7c055371355afd3f7213a","unresolved":false,"context_lines":[{"line_number":10,"context_line":"OpenStack-Ansible already provide deployoers options how to cover public"},{"line_number":11,"context_line":"and internal endpoints with SSL certificates and allows to generate and"},{"line_number":12,"context_line":"use self-signed certificates. However we can make these certificates"},{"line_number":13,"context_line":"\"verified\" by usage of the root CA, which will be distrivuted across all"},{"line_number":14,"context_line":"containers and services. This will encrease security as users will be"},{"line_number":15,"context_line":"alerted in case of the certificate mismatch, since certificate verification"},{"line_number":16,"context_line":"will be enabled."}],"source_content_type":"text/x-rst","patch_set":3,"id":"dde40c0a_aec07b9f","line":13,"range":{"start_line":13,"start_character":50,"end_line":13,"end_character":61},"in_reply_to":"3d3d08a9_f225d17a","updated":"2021-02-01 14:25:27.000000000","message":"Done","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9dcfdb0040a65293cc79191f070dfc35651548ff","unresolved":true,"context_lines":[{"line_number":11,"context_line":"and internal endpoints with SSL certificates and allows to generate and"},{"line_number":12,"context_line":"use self-signed certificates. However we can make these certificates"},{"line_number":13,"context_line":"\"verified\" by usage of the root CA, which will be distrivuted across all"},{"line_number":14,"context_line":"containers and services. This will encrease security as users will be"},{"line_number":15,"context_line":"alerted in case of the certificate mismatch, since certificate verification"},{"line_number":16,"context_line":"will be enabled."},{"line_number":17,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"428e6bb6_d4ded2de","line":14,"range":{"start_line":14,"start_character":35,"end_line":14,"end_character":43},"updated":"2021-02-01 13:03:28.000000000","message":"increase","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"27725bc64ffcaa39b5e7c055371355afd3f7213a","unresolved":false,"context_lines":[{"line_number":11,"context_line":"and internal endpoints with SSL certificates and allows to generate and"},{"line_number":12,"context_line":"use self-signed certificates. However we can make these certificates"},{"line_number":13,"context_line":"\"verified\" by usage of the root CA, which will be distrivuted across all"},{"line_number":14,"context_line":"containers and services. This will encrease security as users will be"},{"line_number":15,"context_line":"alerted in case of the certificate mismatch, since certificate verification"},{"line_number":16,"context_line":"will be enabled."},{"line_number":17,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"382840e3_364ab68f","line":14,"range":{"start_line":14,"start_character":35,"end_line":14,"end_character":43},"in_reply_to":"428e6bb6_d4ded2de","updated":"2021-02-01 14:25:27.000000000","message":"Done","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9dcfdb0040a65293cc79191f070dfc35651548ff","unresolved":true,"context_lines":[{"line_number":12,"context_line":"use self-signed certificates. However we can make these certificates"},{"line_number":13,"context_line":"\"verified\" by usage of the root CA, which will be distrivuted across all"},{"line_number":14,"context_line":"containers and services. This will encrease security as users will be"},{"line_number":15,"context_line":"alerted in case of the certificate mismatch, since certificate verification"},{"line_number":16,"context_line":"will be enabled."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Problem description"}],"source_content_type":"text/x-rst","patch_set":3,"id":"f4dc8bbe_282cdc60","line":15,"range":{"start_line":15,"start_character":35,"end_line":15,"end_character":43},"updated":"2021-02-01 13:03:28.000000000","message":"verification failure","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"27725bc64ffcaa39b5e7c055371355afd3f7213a","unresolved":false,"context_lines":[{"line_number":12,"context_line":"use self-signed certificates. However we can make these certificates"},{"line_number":13,"context_line":"\"verified\" by usage of the root CA, which will be distrivuted across all"},{"line_number":14,"context_line":"containers and services. This will encrease security as users will be"},{"line_number":15,"context_line":"alerted in case of the certificate mismatch, since certificate verification"},{"line_number":16,"context_line":"will be enabled."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Problem description"}],"source_content_type":"text/x-rst","patch_set":3,"id":"a8291e55_5850deb4","line":15,"range":{"start_line":15,"start_character":35,"end_line":15,"end_character":43},"in_reply_to":"f4dc8bbe_282cdc60","updated":"2021-02-01 14:25:27.000000000","message":"Done","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9dcfdb0040a65293cc79191f070dfc35651548ff","unresolved":true,"context_lines":[{"line_number":18,"context_line":"Problem description"},{"line_number":19,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"At the moment bunch of roles do create self-singed certificates their own way"},{"line_number":22,"context_line":"which does not provide any consistency and pretty hard to maintain. Moreover,"},{"line_number":23,"context_line":"these certificates are self-signed ones, which means that certificate"},{"line_number":24,"context_line":"verification has to be disabled for such certificates. So in case of the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"91a5226a_c23aa879","line":21,"range":{"start_line":21,"start_character":14,"end_line":21,"end_character":22},"updated":"2021-02-01 13:03:28.000000000","message":"several openstack-ansible","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9dcfdb0040a65293cc79191f070dfc35651548ff","unresolved":true,"context_lines":[{"line_number":18,"context_line":"Problem description"},{"line_number":19,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"At the moment bunch of roles do create self-singed certificates their own way"},{"line_number":22,"context_line":"which does not provide any consistency and pretty hard to maintain. Moreover,"},{"line_number":23,"context_line":"these certificates are self-signed ones, which means that certificate"},{"line_number":24,"context_line":"verification has to be disabled for such certificates. So in case of the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"cc8381f0_d2e83cbf","line":21,"range":{"start_line":21,"start_character":44,"end_line":21,"end_character":50},"updated":"2021-02-01 13:03:28.000000000","message":"signed","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9dcfdb0040a65293cc79191f070dfc35651548ff","unresolved":true,"context_lines":[{"line_number":18,"context_line":"Problem description"},{"line_number":19,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"At the moment bunch of roles do create self-singed certificates their own way"},{"line_number":22,"context_line":"which does not provide any consistency and pretty hard to maintain. Moreover,"},{"line_number":23,"context_line":"these certificates are self-signed ones, which means that certificate"},{"line_number":24,"context_line":"verification has to be disabled for such certificates. So in case of the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"0eab29b8_2c06dd9f","line":21,"range":{"start_line":21,"start_character":14,"end_line":21,"end_character":19},"updated":"2021-02-01 13:03:28.000000000","message":"the openstack-ansible","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"27725bc64ffcaa39b5e7c055371355afd3f7213a","unresolved":false,"context_lines":[{"line_number":18,"context_line":"Problem description"},{"line_number":19,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"At the moment bunch of roles do create self-singed certificates their own way"},{"line_number":22,"context_line":"which does not provide any consistency and pretty hard to maintain. Moreover,"},{"line_number":23,"context_line":"these certificates are self-signed ones, which means that certificate"},{"line_number":24,"context_line":"verification has to be disabled for such certificates. So in case of the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"47e84193_c0ee87cf","line":21,"range":{"start_line":21,"start_character":14,"end_line":21,"end_character":22},"in_reply_to":"91a5226a_c23aa879","updated":"2021-02-01 14:25:27.000000000","message":"Done","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"27725bc64ffcaa39b5e7c055371355afd3f7213a","unresolved":false,"context_lines":[{"line_number":18,"context_line":"Problem description"},{"line_number":19,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"At the moment bunch of roles do create self-singed certificates their own way"},{"line_number":22,"context_line":"which does not provide any consistency and pretty hard to maintain. Moreover,"},{"line_number":23,"context_line":"these certificates are self-signed ones, which means that certificate"},{"line_number":24,"context_line":"verification has to be disabled for such certificates. So in case of the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"c92a4deb_6d75245f","line":21,"range":{"start_line":21,"start_character":44,"end_line":21,"end_character":50},"in_reply_to":"cc8381f0_d2e83cbf","updated":"2021-02-01 14:25:27.000000000","message":"Done","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9dcfdb0040a65293cc79191f070dfc35651548ff","unresolved":true,"context_lines":[{"line_number":19,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"At the moment bunch of roles do create self-singed certificates their own way"},{"line_number":22,"context_line":"which does not provide any consistency and pretty hard to maintain. Moreover,"},{"line_number":23,"context_line":"these certificates are self-signed ones, which means that certificate"},{"line_number":24,"context_line":"verification has to be disabled for such certificates. So in case of the"},{"line_number":25,"context_line":"certificate \"impersonation\" you won\u0027t be laerted, and ecrypted data might"}],"source_content_type":"text/x-rst","patch_set":3,"id":"2f6ebfe3_cc1ba068","line":22,"range":{"start_line":22,"start_character":39,"end_line":22,"end_character":42},"updated":"2021-02-01 13:03:28.000000000","message":"and is","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"27725bc64ffcaa39b5e7c055371355afd3f7213a","unresolved":false,"context_lines":[{"line_number":19,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"At the moment bunch of roles do create self-singed certificates their own way"},{"line_number":22,"context_line":"which does not provide any consistency and pretty hard to maintain. Moreover,"},{"line_number":23,"context_line":"these certificates are self-signed ones, which means that certificate"},{"line_number":24,"context_line":"verification has to be disabled for such certificates. So in case of the"},{"line_number":25,"context_line":"certificate \"impersonation\" you won\u0027t be laerted, and ecrypted data might"}],"source_content_type":"text/x-rst","patch_set":3,"id":"ed5da23d_977020f3","line":22,"range":{"start_line":22,"start_character":39,"end_line":22,"end_character":42},"in_reply_to":"2f6ebfe3_cc1ba068","updated":"2021-02-01 14:25:27.000000000","message":"Done","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9dcfdb0040a65293cc79191f070dfc35651548ff","unresolved":true,"context_lines":[{"line_number":22,"context_line":"which does not provide any consistency and pretty hard to maintain. Moreover,"},{"line_number":23,"context_line":"these certificates are self-signed ones, which means that certificate"},{"line_number":24,"context_line":"verification has to be disabled for such certificates. So in case of the"},{"line_number":25,"context_line":"certificate \"impersonation\" you won\u0027t be laerted, and ecrypted data might"},{"line_number":26,"context_line":"be not secure anymore."},{"line_number":27,"context_line":"Futhermore, for mysql SSL usage, it is required to place Root CA on"},{"line_number":28,"context_line":"the containers for mysqlclient to reach DB, while at the moment we"}],"source_content_type":"text/x-rst","patch_set":3,"id":"204efe83_df9a0d16","line":25,"range":{"start_line":25,"start_character":41,"end_line":25,"end_character":48},"updated":"2021-02-01 13:03:28.000000000","message":"alerted","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9dcfdb0040a65293cc79191f070dfc35651548ff","unresolved":true,"context_lines":[{"line_number":22,"context_line":"which does not provide any consistency and pretty hard to maintain. Moreover,"},{"line_number":23,"context_line":"these certificates are self-signed ones, which means that certificate"},{"line_number":24,"context_line":"verification has to be disabled for such certificates. So in case of the"},{"line_number":25,"context_line":"certificate \"impersonation\" you won\u0027t be laerted, and ecrypted data might"},{"line_number":26,"context_line":"be not secure anymore."},{"line_number":27,"context_line":"Futhermore, for mysql SSL usage, it is required to place Root CA on"},{"line_number":28,"context_line":"the containers for mysqlclient to reach DB, while at the moment we"}],"source_content_type":"text/x-rst","patch_set":3,"id":"e77440de_9d54db82","line":25,"range":{"start_line":25,"start_character":54,"end_line":25,"end_character":62},"updated":"2021-02-01 13:03:28.000000000","message":"encrypted","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"27725bc64ffcaa39b5e7c055371355afd3f7213a","unresolved":false,"context_lines":[{"line_number":22,"context_line":"which does not provide any consistency and pretty hard to maintain. Moreover,"},{"line_number":23,"context_line":"these certificates are self-signed ones, which means that certificate"},{"line_number":24,"context_line":"verification has to be disabled for such certificates. So in case of the"},{"line_number":25,"context_line":"certificate \"impersonation\" you won\u0027t be laerted, and ecrypted data might"},{"line_number":26,"context_line":"be not secure anymore."},{"line_number":27,"context_line":"Futhermore, for mysql SSL usage, it is required to place Root CA on"},{"line_number":28,"context_line":"the containers for mysqlclient to reach DB, while at the moment we"}],"source_content_type":"text/x-rst","patch_set":3,"id":"8fb6d7ae_9d7b1120","line":25,"range":{"start_line":25,"start_character":41,"end_line":25,"end_character":48},"in_reply_to":"204efe83_df9a0d16","updated":"2021-02-01 14:25:27.000000000","message":"Done","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"27725bc64ffcaa39b5e7c055371355afd3f7213a","unresolved":false,"context_lines":[{"line_number":22,"context_line":"which does not provide any consistency and pretty hard to maintain. Moreover,"},{"line_number":23,"context_line":"these certificates are self-signed ones, which means that certificate"},{"line_number":24,"context_line":"verification has to be disabled for such certificates. So in case of the"},{"line_number":25,"context_line":"certificate \"impersonation\" you won\u0027t be laerted, and ecrypted data might"},{"line_number":26,"context_line":"be not secure anymore."},{"line_number":27,"context_line":"Futhermore, for mysql SSL usage, it is required to place Root CA on"},{"line_number":28,"context_line":"the containers for mysqlclient to reach DB, while at the moment we"}],"source_content_type":"text/x-rst","patch_set":3,"id":"c2f08e60_add45cc5","line":25,"range":{"start_line":25,"start_character":54,"end_line":25,"end_character":62},"in_reply_to":"e77440de_9d54db82","updated":"2021-02-01 14:25:27.000000000","message":"Done","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9dcfdb0040a65293cc79191f070dfc35651548ff","unresolved":true,"context_lines":[{"line_number":25,"context_line":"certificate \"impersonation\" you won\u0027t be laerted, and ecrypted data might"},{"line_number":26,"context_line":"be not secure anymore."},{"line_number":27,"context_line":"Futhermore, for mysql SSL usage, it is required to place Root CA on"},{"line_number":28,"context_line":"the containers for mysqlclient to reach DB, while at the moment we"},{"line_number":29,"context_line":"have only server side encryption covered, while Root CA distribution lies on"},{"line_number":30,"context_line":"the deployer shoulders."},{"line_number":31,"context_line":"Another good example is nova, where in order to disable tunneling for the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"29113f68_75d90835","line":28,"range":{"start_line":28,"start_character":4,"end_line":28,"end_character":14},"updated":"2021-02-01 13:03:28.000000000","message":"client containers","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9dcfdb0040a65293cc79191f070dfc35651548ff","unresolved":true,"context_lines":[{"line_number":25,"context_line":"certificate \"impersonation\" you won\u0027t be laerted, and ecrypted data might"},{"line_number":26,"context_line":"be not secure anymore."},{"line_number":27,"context_line":"Futhermore, for mysql SSL usage, it is required to place Root CA on"},{"line_number":28,"context_line":"the containers for mysqlclient to reach DB, while at the moment we"},{"line_number":29,"context_line":"have only server side encryption covered, while Root CA distribution lies on"},{"line_number":30,"context_line":"the deployer shoulders."},{"line_number":31,"context_line":"Another good example is nova, where in order to disable tunneling for the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"e1ab7df2_e7471d44","line":28,"range":{"start_line":28,"start_character":40,"end_line":28,"end_character":42},"updated":"2021-02-01 13:03:28.000000000","message":"the database","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"27725bc64ffcaa39b5e7c055371355afd3f7213a","unresolved":false,"context_lines":[{"line_number":25,"context_line":"certificate \"impersonation\" you won\u0027t be laerted, and ecrypted data might"},{"line_number":26,"context_line":"be not secure anymore."},{"line_number":27,"context_line":"Futhermore, for mysql SSL usage, it is required to place Root CA on"},{"line_number":28,"context_line":"the containers for mysqlclient to reach DB, while at the moment we"},{"line_number":29,"context_line":"have only server side encryption covered, while Root CA distribution lies on"},{"line_number":30,"context_line":"the deployer shoulders."},{"line_number":31,"context_line":"Another good example is nova, where in order to disable tunneling for the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"be5d15d0_85372608","line":28,"range":{"start_line":28,"start_character":4,"end_line":28,"end_character":14},"in_reply_to":"29113f68_75d90835","updated":"2021-02-01 14:25:27.000000000","message":"Done","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"27725bc64ffcaa39b5e7c055371355afd3f7213a","unresolved":false,"context_lines":[{"line_number":25,"context_line":"certificate \"impersonation\" you won\u0027t be laerted, and ecrypted data might"},{"line_number":26,"context_line":"be not secure anymore."},{"line_number":27,"context_line":"Futhermore, for mysql SSL usage, it is required to place Root CA on"},{"line_number":28,"context_line":"the containers for mysqlclient to reach DB, while at the moment we"},{"line_number":29,"context_line":"have only server side encryption covered, while Root CA distribution lies on"},{"line_number":30,"context_line":"the deployer shoulders."},{"line_number":31,"context_line":"Another good example is nova, where in order to disable tunneling for the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"e56f12fc_5b9c94ef","line":28,"range":{"start_line":28,"start_character":40,"end_line":28,"end_character":42},"in_reply_to":"e1ab7df2_e7471d44","updated":"2021-02-01 14:25:27.000000000","message":"Done","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9dcfdb0040a65293cc79191f070dfc35651548ff","unresolved":true,"context_lines":[{"line_number":26,"context_line":"be not secure anymore."},{"line_number":27,"context_line":"Futhermore, for mysql SSL usage, it is required to place Root CA on"},{"line_number":28,"context_line":"the containers for mysqlclient to reach DB, while at the moment we"},{"line_number":29,"context_line":"have only server side encryption covered, while Root CA distribution lies on"},{"line_number":30,"context_line":"the deployer shoulders."},{"line_number":31,"context_line":"Another good example is nova, where in order to disable tunneling for the"},{"line_number":32,"context_line":"live migrations and use block migrations, we need to secure connection with"}],"source_content_type":"text/x-rst","patch_set":3,"id":"dd3b25f9_7d3ca8fc","line":29,"range":{"start_line":29,"start_character":42,"end_line":29,"end_character":47},"updated":"2021-02-01 13:03:28.000000000","message":"but","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"27725bc64ffcaa39b5e7c055371355afd3f7213a","unresolved":false,"context_lines":[{"line_number":26,"context_line":"be not secure anymore."},{"line_number":27,"context_line":"Futhermore, for mysql SSL usage, it is required to place Root CA on"},{"line_number":28,"context_line":"the containers for mysqlclient to reach DB, while at the moment we"},{"line_number":29,"context_line":"have only server side encryption covered, while Root CA distribution lies on"},{"line_number":30,"context_line":"the deployer shoulders."},{"line_number":31,"context_line":"Another good example is nova, where in order to disable tunneling for the"},{"line_number":32,"context_line":"live migrations and use block migrations, we need to secure connection with"}],"source_content_type":"text/x-rst","patch_set":3,"id":"2f3f6bac_4086480f","line":29,"range":{"start_line":29,"start_character":42,"end_line":29,"end_character":47},"in_reply_to":"dd3b25f9_7d3ca8fc","updated":"2021-02-01 14:25:27.000000000","message":"Done","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9dcfdb0040a65293cc79191f070dfc35651548ff","unresolved":true,"context_lines":[{"line_number":26,"context_line":"be not secure anymore."},{"line_number":27,"context_line":"Futhermore, for mysql SSL usage, it is required to place Root CA on"},{"line_number":28,"context_line":"the containers for mysqlclient to reach DB, while at the moment we"},{"line_number":29,"context_line":"have only server side encryption covered, while Root CA distribution lies on"},{"line_number":30,"context_line":"the deployer shoulders."},{"line_number":31,"context_line":"Another good example is nova, where in order to disable tunneling for the"},{"line_number":32,"context_line":"live migrations and use block migrations, we need to secure connection with"},{"line_number":33,"context_line":"\"self-signed\" certificates."}],"source_content_type":"text/x-rst","patch_set":3,"id":"295510d5_78056f97","line":30,"range":{"start_line":29,"start_character":69,"end_line":30,"end_character":22},"updated":"2021-02-01 13:03:28.000000000","message":"remains the responsibility of the deployer","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"27725bc64ffcaa39b5e7c055371355afd3f7213a","unresolved":false,"context_lines":[{"line_number":26,"context_line":"be not secure anymore."},{"line_number":27,"context_line":"Futhermore, for mysql SSL usage, it is required to place Root CA on"},{"line_number":28,"context_line":"the containers for mysqlclient to reach DB, while at the moment we"},{"line_number":29,"context_line":"have only server side encryption covered, while Root CA distribution lies on"},{"line_number":30,"context_line":"the deployer shoulders."},{"line_number":31,"context_line":"Another good example is nova, where in order to disable tunneling for the"},{"line_number":32,"context_line":"live migrations and use block migrations, we need to secure connection with"},{"line_number":33,"context_line":"\"self-signed\" certificates."}],"source_content_type":"text/x-rst","patch_set":3,"id":"7505e71e_3d5f086b","line":30,"range":{"start_line":29,"start_character":69,"end_line":30,"end_character":22},"in_reply_to":"295510d5_78056f97","updated":"2021-02-01 14:25:27.000000000","message":"Done","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9dcfdb0040a65293cc79191f070dfc35651548ff","unresolved":true,"context_lines":[{"line_number":29,"context_line":"have only server side encryption covered, while Root CA distribution lies on"},{"line_number":30,"context_line":"the deployer shoulders."},{"line_number":31,"context_line":"Another good example is nova, where in order to disable tunneling for the"},{"line_number":32,"context_line":"live migrations and use block migrations, we need to secure connection with"},{"line_number":33,"context_line":"\"self-signed\" certificates."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"To resolve all of the problems above we need:"}],"source_content_type":"text/x-rst","patch_set":3,"id":"b99b2cf2_ce3632b8","line":32,"range":{"start_line":32,"start_character":24,"end_line":32,"end_character":29},"updated":"2021-02-01 13:03:28.000000000","message":"block device","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9dcfdb0040a65293cc79191f070dfc35651548ff","unresolved":true,"context_lines":[{"line_number":29,"context_line":"have only server side encryption covered, while Root CA distribution lies on"},{"line_number":30,"context_line":"the deployer shoulders."},{"line_number":31,"context_line":"Another good example is nova, where in order to disable tunneling for the"},{"line_number":32,"context_line":"live migrations and use block migrations, we need to secure connection with"},{"line_number":33,"context_line":"\"self-signed\" certificates."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"To resolve all of the problems above we need:"}],"source_content_type":"text/x-rst","patch_set":3,"id":"4440adc1_97c7c6d4","line":32,"range":{"start_line":32,"start_character":45,"end_line":32,"end_character":52},"updated":"2021-02-01 13:03:28.000000000","message":"should be securing the","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9dcfdb0040a65293cc79191f070dfc35651548ff","unresolved":true,"context_lines":[{"line_number":29,"context_line":"have only server side encryption covered, while Root CA distribution lies on"},{"line_number":30,"context_line":"the deployer shoulders."},{"line_number":31,"context_line":"Another good example is nova, where in order to disable tunneling for the"},{"line_number":32,"context_line":"live migrations and use block migrations, we need to secure connection with"},{"line_number":33,"context_line":"\"self-signed\" certificates."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"To resolve all of the problems above we need:"}],"source_content_type":"text/x-rst","patch_set":3,"id":"2a171287_341b9dc4","line":32,"range":{"start_line":32,"start_character":20,"end_line":32,"end_character":23},"updated":"2021-02-01 13:03:28.000000000","message":"to use","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"27725bc64ffcaa39b5e7c055371355afd3f7213a","unresolved":false,"context_lines":[{"line_number":29,"context_line":"have only server side encryption covered, while Root CA distribution lies on"},{"line_number":30,"context_line":"the deployer shoulders."},{"line_number":31,"context_line":"Another good example is nova, where in order to disable tunneling for the"},{"line_number":32,"context_line":"live migrations and use block migrations, we need to secure connection with"},{"line_number":33,"context_line":"\"self-signed\" certificates."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"To resolve all of the problems above we need:"}],"source_content_type":"text/x-rst","patch_set":3,"id":"195d611d_3c6df875","line":32,"range":{"start_line":32,"start_character":20,"end_line":32,"end_character":23},"in_reply_to":"2a171287_341b9dc4","updated":"2021-02-01 14:25:27.000000000","message":"Done","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"27725bc64ffcaa39b5e7c055371355afd3f7213a","unresolved":false,"context_lines":[{"line_number":29,"context_line":"have only server side encryption covered, while Root CA distribution lies on"},{"line_number":30,"context_line":"the deployer shoulders."},{"line_number":31,"context_line":"Another good example is nova, where in order to disable tunneling for the"},{"line_number":32,"context_line":"live migrations and use block migrations, we need to secure connection with"},{"line_number":33,"context_line":"\"self-signed\" certificates."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"To resolve all of the problems above we need:"}],"source_content_type":"text/x-rst","patch_set":3,"id":"0d492a07_1d40cbed","line":32,"range":{"start_line":32,"start_character":45,"end_line":32,"end_character":52},"in_reply_to":"4440adc1_97c7c6d4","updated":"2021-02-01 14:25:27.000000000","message":"Done","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"27725bc64ffcaa39b5e7c055371355afd3f7213a","unresolved":false,"context_lines":[{"line_number":29,"context_line":"have only server side encryption covered, while Root CA distribution lies on"},{"line_number":30,"context_line":"the deployer shoulders."},{"line_number":31,"context_line":"Another good example is nova, where in order to disable tunneling for the"},{"line_number":32,"context_line":"live migrations and use block migrations, we need to secure connection with"},{"line_number":33,"context_line":"\"self-signed\" certificates."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"To resolve all of the problems above we need:"}],"source_content_type":"text/x-rst","patch_set":3,"id":"2875aac7_adf8699f","line":32,"range":{"start_line":32,"start_character":24,"end_line":32,"end_character":29},"in_reply_to":"b99b2cf2_ce3632b8","updated":"2021-02-01 14:25:27.000000000","message":"Done","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9dcfdb0040a65293cc79191f070dfc35651548ff","unresolved":true,"context_lines":[{"line_number":30,"context_line":"the deployer shoulders."},{"line_number":31,"context_line":"Another good example is nova, where in order to disable tunneling for the"},{"line_number":32,"context_line":"live migrations and use block migrations, we need to secure connection with"},{"line_number":33,"context_line":"\"self-signed\" certificates."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"To resolve all of the problems above we need:"},{"line_number":36,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"5f01b592_34c99e9b","line":33,"range":{"start_line":33,"start_character":1,"end_line":33,"end_character":13},"updated":"2021-02-01 13:03:28.000000000","message":"mutually verifiable","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"27725bc64ffcaa39b5e7c055371355afd3f7213a","unresolved":false,"context_lines":[{"line_number":30,"context_line":"the deployer shoulders."},{"line_number":31,"context_line":"Another good example is nova, where in order to disable tunneling for the"},{"line_number":32,"context_line":"live migrations and use block migrations, we need to secure connection with"},{"line_number":33,"context_line":"\"self-signed\" certificates."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"To resolve all of the problems above we need:"},{"line_number":36,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"f2296307_d67623f4","line":33,"range":{"start_line":33,"start_character":1,"end_line":33,"end_character":13},"in_reply_to":"5f01b592_34c99e9b","updated":"2021-02-01 14:25:27.000000000","message":"Done","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9dcfdb0040a65293cc79191f070dfc35651548ff","unresolved":true,"context_lines":[{"line_number":57,"context_line":"Create role in separate repo which would consist from 2 parts (galera way) which"},{"line_number":58,"context_line":"would be included wherever needed:"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"  # Create or verify existance provided CA on the deploy host."},{"line_number":61,"context_line":"  Included in openstack_hosts, to distribute CA to certificate storage"},{"line_number":62,"context_line":"  # Create or verify existing key and certificate, which would be also stored"},{"line_number":63,"context_line":"  on the deploy host. Will be included in required roles during their runtime"}],"source_content_type":"text/x-rst","patch_set":3,"id":"b110a6d9_f6c84666","line":60,"range":{"start_line":60,"start_character":21,"end_line":60,"end_character":30},"updated":"2021-02-01 13:03:28.000000000","message":"existing","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"27725bc64ffcaa39b5e7c055371355afd3f7213a","unresolved":false,"context_lines":[{"line_number":57,"context_line":"Create role in separate repo which would consist from 2 parts (galera way) which"},{"line_number":58,"context_line":"would be included wherever needed:"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"  # Create or verify existance provided CA on the deploy host."},{"line_number":61,"context_line":"  Included in openstack_hosts, to distribute CA to certificate storage"},{"line_number":62,"context_line":"  # Create or verify existing key and certificate, which would be also stored"},{"line_number":63,"context_line":"  on the deploy host. Will be included in required roles during their runtime"}],"source_content_type":"text/x-rst","patch_set":3,"id":"d9996149_686b10f0","line":60,"range":{"start_line":60,"start_character":21,"end_line":60,"end_character":30},"in_reply_to":"b110a6d9_f6c84666","updated":"2021-02-01 14:25:27.000000000","message":"Done","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"221318579fc192eb82adbbf6c5de83fd32703e44","unresolved":true,"context_lines":[{"line_number":60,"context_line":"  # Create or verify existance provided CA on the deploy host."},{"line_number":61,"context_line":"  Included in openstack_hosts, to distribute CA to certificate storage"},{"line_number":62,"context_line":"  # Create or verify existing key and certificate, which would be also stored"},{"line_number":63,"context_line":"  on the deploy host. Will be included in required roles during their runtime"},{"line_number":64,"context_line":"  Each instance of each component uses a unique certificate."},{"line_number":65,"context_line":"  # Decide what we \u0027call\u0027 the internal VIP if it\u0027s needed to verify the dns name against subject name in an SSL certificate"},{"line_number":66,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"cf097b3a_43a6f2d9","line":63,"updated":"2021-02-01 14:26:40.000000000","message":"This verification should probably include a check if the server certificate or it\u0027s chain of trust are not due to expire within a defined period.","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"067c9ee5e5b4c34434906e09d78faafe735c7ccb","unresolved":true,"context_lines":[{"line_number":60,"context_line":"  # Create or verify existance provided CA on the deploy host."},{"line_number":61,"context_line":"  Included in openstack_hosts, to distribute CA to certificate storage"},{"line_number":62,"context_line":"  # Create or verify existing key and certificate, which would be also stored"},{"line_number":63,"context_line":"  on the deploy host. Will be included in required roles during their runtime"},{"line_number":64,"context_line":"  Each instance of each component uses a unique certificate."},{"line_number":65,"context_line":"  # Decide what we \u0027call\u0027 the internal VIP if it\u0027s needed to verify the dns name against subject name in an SSL certificate"},{"line_number":66,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"05cfa12d_6a00c589","line":63,"in_reply_to":"5d9ff453_068ee99c","updated":"2021-02-01 16:40:08.000000000","message":"While it sounds super reasonable, I\u0027m not sure about it. This is applicable only for self-singed ones, while we should also support user-provided ones. So I\u0027d say it should just have a flag to:\n* generate new certificate for specific service\n* generate new root ca\n\nAnd it\u0027s up to deployer to take care of certificates expiration date and run playbooks with specific tags to get certificates renewed.\nOnce certificates are all on stored on the deploy host, it should be prety easy to adjust used monitoring tooling to collect data about their expiration dates","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"e9c1003e139b982dd7a58174653f8c1c03149ae3","unresolved":true,"context_lines":[{"line_number":60,"context_line":"  # Create or verify existance provided CA on the deploy host."},{"line_number":61,"context_line":"  Included in openstack_hosts, to distribute CA to certificate storage"},{"line_number":62,"context_line":"  # Create or verify existing key and certificate, which would be also stored"},{"line_number":63,"context_line":"  on the deploy host. Will be included in required roles during their runtime"},{"line_number":64,"context_line":"  Each instance of each component uses a unique certificate."},{"line_number":65,"context_line":"  # Decide what we \u0027call\u0027 the internal VIP if it\u0027s needed to verify the dns name against subject name in an SSL certificate"},{"line_number":66,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"5d9ff453_068ee99c","line":63,"in_reply_to":"9808bafb_45d4a8d5","updated":"2021-02-01 16:28:48.000000000","message":"In the case where the role is responsible for creating server certificates and the intermediate/root CA certificates are still valid, the role could generate a new cert on the deploy host.","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"dd5395cd4dd292d6f909077bb0caf051351b6726","unresolved":true,"context_lines":[{"line_number":60,"context_line":"  # Create or verify existance provided CA on the deploy host."},{"line_number":61,"context_line":"  Included in openstack_hosts, to distribute CA to certificate storage"},{"line_number":62,"context_line":"  # Create or verify existing key and certificate, which would be also stored"},{"line_number":63,"context_line":"  on the deploy host. Will be included in required roles during their runtime"},{"line_number":64,"context_line":"  Each instance of each component uses a unique certificate."},{"line_number":65,"context_line":"  # Decide what we \u0027call\u0027 the internal VIP if it\u0027s needed to verify the dns name against subject name in an SSL certificate"},{"line_number":66,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"9808bafb_45d4a8d5","line":63,"in_reply_to":"cf097b3a_43a6f2d9","updated":"2021-02-01 16:12:38.000000000","message":"That might be good, but I\u0027m not sure what action should role execute if it\u0027s due - fail with error?\nI don\u0027t think that ordinary debug message will be read by anybody during openstack upgrade or smth.","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9dcfdb0040a65293cc79191f070dfc35651548ff","unresolved":true,"context_lines":[{"line_number":63,"context_line":"  on the deploy host. Will be included in required roles during their runtime"},{"line_number":64,"context_line":"  Each instance of each component uses a unique certificate."},{"line_number":65,"context_line":"  # Decide what we \u0027call\u0027 the internal VIP if it\u0027s needed to verify the dns name against subject name in an SSL certificate"},{"line_number":66,"context_line":""},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"Roles/service impact"},{"line_number":69,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"5bdc39e7_f17438f0","line":66,"updated":"2021-02-01 13:03:28.000000000","message":"# Create a signed ssh key which can be validated against the CA certificate\nto avoid needing to distribute all keys to all hosts.","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"27725bc64ffcaa39b5e7c055371355afd3f7213a","unresolved":false,"context_lines":[{"line_number":63,"context_line":"  on the deploy host. Will be included in required roles during their runtime"},{"line_number":64,"context_line":"  Each instance of each component uses a unique certificate."},{"line_number":65,"context_line":"  # Decide what we \u0027call\u0027 the internal VIP if it\u0027s needed to verify the dns name against subject name in an SSL certificate"},{"line_number":66,"context_line":""},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"Roles/service impact"},{"line_number":69,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"4d6ddf70_fccea068","line":66,"in_reply_to":"5bdc39e7_f17438f0","updated":"2021-02-01 14:25:27.000000000","message":"Done","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"221318579fc192eb82adbbf6c5de83fd32703e44","unresolved":true,"context_lines":[{"line_number":71,"context_line":"For all hosts/containers"},{"line_number":72,"context_line":"------------------------"},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"The Root CA is installed into the system trust store"},{"line_number":75,"context_line":"Consider pointing REQUESTS_CA_BUNDLE to the system trust store rather than certifi bundle"},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"For HAproxy"}],"source_content_type":"text/x-rst","patch_set":3,"id":"5b7359fa_73ebe728","line":74,"updated":"2021-02-01 14:26:40.000000000","message":"To add to Andrew\u0027s comment about renewals, support for multiple trusted Root CA\u0027s would make Root CA renewal easier as you could trust multiple during a transition period.\nOr specify the use of the \"Root CA Key Update\" methods with certificates OldWithOld, OldWithNew, and NewWithOld\nhttps://tools.ietf.org/html/rfc4210#section-4.4","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"dd5395cd4dd292d6f909077bb0caf051351b6726","unresolved":true,"context_lines":[{"line_number":71,"context_line":"For all hosts/containers"},{"line_number":72,"context_line":"------------------------"},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"The Root CA is installed into the system trust store"},{"line_number":75,"context_line":"Consider pointing REQUESTS_CA_BUNDLE to the system trust store rather than certifi bundle"},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"For HAproxy"}],"source_content_type":"text/x-rst","patch_set":3,"id":"da1abecc_66f3029b","line":74,"in_reply_to":"5b7359fa_73ebe728","updated":"2021-02-01 16:12:38.000000000","message":"yeah, agree, totally valid point","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"221318579fc192eb82adbbf6c5de83fd32703e44","unresolved":true,"context_lines":[{"line_number":72,"context_line":"------------------------"},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"The Root CA is installed into the system trust store"},{"line_number":75,"context_line":"Consider pointing REQUESTS_CA_BUNDLE to the system trust store rather than certifi bundle"},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"For HAproxy"},{"line_number":78,"context_line":"-----------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"7230ce5d_872a6010","line":75,"updated":"2021-02-01 14:26:40.000000000","message":"If possible you could consider using an explicit trust store for securing internal communications rather than implicit using the system trust store.","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"dd5395cd4dd292d6f909077bb0caf051351b6726","unresolved":true,"context_lines":[{"line_number":72,"context_line":"------------------------"},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"The Root CA is installed into the system trust store"},{"line_number":75,"context_line":"Consider pointing REQUESTS_CA_BUNDLE to the system trust store rather than certifi bundle"},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"For HAproxy"},{"line_number":78,"context_line":"-----------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"aea0a5ae_fd241ed0","line":75,"in_reply_to":"7230ce5d_872a6010","updated":"2021-02-01 16:12:38.000000000","message":"Actually I\u0027m not sure about explicit trust store, since it means that we need to adjust literally every config file and provide path to the CA for all services, which requires pretty much effort.\nSo it\u0027s possible, but I\u0027d rather start with smth and then iterate if needed.","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"e9c1003e139b982dd7a58174653f8c1c03149ae3","unresolved":true,"context_lines":[{"line_number":72,"context_line":"------------------------"},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"The Root CA is installed into the system trust store"},{"line_number":75,"context_line":"Consider pointing REQUESTS_CA_BUNDLE to the system trust store rather than certifi bundle"},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"For HAproxy"},{"line_number":78,"context_line":"-----------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"8ed68487_a79d4121","line":75,"in_reply_to":"aea0a5ae_fd241ed0","updated":"2021-02-01 16:28:48.000000000","message":"Agreed, its a lot of work for minimal security gain and can always be retrospectively added","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"9dcfdb0040a65293cc79191f070dfc35651548ff","unresolved":true,"context_lines":[{"line_number":120,"context_line":"  * Signed ssh certificates are created on the deploy host and copied to the"},{"line_number":121,"context_line":"    relevant .ssh user directories. The signing CA is installed into the relevant"},{"line_number":122,"context_line":"    ssh_config file in /etc/"},{"line_number":123,"context_line":""},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"Upgrade impact"},{"line_number":126,"context_line":"--------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"39d6b236_539be56d","line":123,"updated":"2021-02-01 13:03:28.000000000","message":"* The deployer may already be using signed ssh keys for access to hosts\n  so any implementation should work alongside existing configuration. It\n  may be necessary to investigate supporting more than one trusted CA in\n  the ssh_config file.","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"27725bc64ffcaa39b5e7c055371355afd3f7213a","unresolved":false,"context_lines":[{"line_number":120,"context_line":"  * Signed ssh certificates are created on the deploy host and copied to the"},{"line_number":121,"context_line":"    relevant .ssh user directories. The signing CA is installed into the relevant"},{"line_number":122,"context_line":"    ssh_config file in /etc/"},{"line_number":123,"context_line":""},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"Upgrade impact"},{"line_number":126,"context_line":"--------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a37bf41_4c522795","line":123,"in_reply_to":"39d6b236_539be56d","updated":"2021-02-01 14:25:27.000000000","message":"Done","commit_id":"0b89241a26502ab86c4ab8df9e6b9179e0c52399"}]}
