)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"ef4494f798e17b2901e06431356932faf19eb4ca","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"7bc7f3ce_e39ceb04","updated":"2023-05-26 20:11:17.000000000","message":"lgtm, modulo the s/Yoga/Zed/ change if appropriate","commit_id":"8bc6eb20bca277f4b8b1e393671d8353a0b9a59f"}],"specs/yoga/internal-tls.rst":[{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"9e6fdfb7938f19f487f0e90d9015b5a00d672730","unresolved":true,"context_lines":[{"line_number":20,"context_line":"* Securing internal communications between services such as rabbitmq, galera,"},{"line_number":21,"context_line":"  nova live migration and noVNC"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Securing internal communications to the internal haproxy VIP"},{"line_number":25,"context_line":"------------------------------------------------------------"},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Support for using TLS on in the internal haproxy VIP is already present in"},{"line_number":28,"context_line":"haproxy role and is enabled for the AIO deployment, but not enabled for new or"},{"line_number":29,"context_line":"upgrades of existing deployments."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"There are no issues with enabling TLS on the internal haproxy VIP for new"},{"line_number":32,"context_line":"deployments, but for existing deployments an upgrade process needs to be"},{"line_number":33,"context_line":"implemented. 
The reason an upgrade process is required is because currently"},{"line_number":34,"context_line":"if you enabled TLS on the internal haproxy VIP it would cause downtime, until"},{"line_number":35,"context_line":"each client is configured to use HTTPS instead of HTTP."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"Problems to resolve:"},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"* Haproxy configuration to allow TLS to be enabled without downtime of API\u0027s on"},{"line_number":40,"context_line":"  existing deployments"},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"* OpenStack-Ansible upgrade process and upgrade scripts to enable TLS without"},{"line_number":43,"context_line":"  downtime of API\u0027s on existing deployments"},{"line_number":44,"context_line":""},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"Securing internal communications from haproxy to backends"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ecd940eb_8b2bcc1a","line":43,"range":{"start_line":23,"start_character":0,"end_line":43,"end_character":43},"updated":"2022-01-17 16:51:31.000000000","message":"This is implemented for quite a while? 
It\u0027s just matter of setting haproxy_ssl_all_vips?","commit_id":"557f4e15825af415d70e1cc1cb9442e13635bbfe"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"2e2c9a4772e743cae4d13789ee05762d616ebd1f","unresolved":true,"context_lines":[{"line_number":20,"context_line":"* Securing internal communications between services such as rabbitmq, galera,"},{"line_number":21,"context_line":"  nova live migration and noVNC"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Securing internal communications to the internal haproxy VIP"},{"line_number":25,"context_line":"------------------------------------------------------------"},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Support for using TLS on in the internal haproxy VIP is already present in"},{"line_number":28,"context_line":"haproxy role and is enabled for the AIO deployment, but not enabled for new or"},{"line_number":29,"context_line":"upgrades of existing deployments."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"There are no issues with enabling TLS on the internal haproxy VIP for new"},{"line_number":32,"context_line":"deployments, but for existing deployments an upgrade process needs to be"},{"line_number":33,"context_line":"implemented. 
The reason an upgrade process is required is because currently"},{"line_number":34,"context_line":"if you enabled TLS on the internal haproxy VIP it would cause downtime, until"},{"line_number":35,"context_line":"each client is configured to use HTTPS instead of HTTP."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"Problems to resolve:"},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"* Haproxy configuration to allow TLS to be enabled without downtime of API\u0027s on"},{"line_number":40,"context_line":"  existing deployments"},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"* OpenStack-Ansible upgrade process and upgrade scripts to enable TLS without"},{"line_number":43,"context_line":"  downtime of API\u0027s on existing deployments"},{"line_number":44,"context_line":""},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"Securing internal communications from haproxy to backends"}],"source_content_type":"text/x-rst","patch_set":1,"id":"6a5437e2_8cfa493c","line":43,"range":{"start_line":23,"start_character":0,"end_line":43,"end_character":43},"in_reply_to":"a2dd927e_08c73157","updated":"2022-02-21 11:12:55.000000000","message":"Yeah the issue is with upgrading existing deployments without causing downtime of the API\u0027s. 
The issue is because the upgrade to HTTPS is handled in a different playbook for both the client and server.\nFor the haproxy frontends, when the internal VIP is upgraded to accept only TLS, internal clients will be unable to communicate with haproxy until their config is changed from HTTP to HTTPS url.\nFor backends, if haproxy is upgraded to expect a HTTPS backend, it will be unable to connect until the backend server is upgraded to HTTPS.","commit_id":"557f4e15825af415d70e1cc1cb9442e13635bbfe"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"8146bd214b4b07923706c8e072c4b32c1a2980be","unresolved":true,"context_lines":[{"line_number":20,"context_line":"* Securing internal communications between services such as rabbitmq, galera,"},{"line_number":21,"context_line":"  nova live migration and noVNC"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Securing internal communications to the internal haproxy VIP"},{"line_number":25,"context_line":"------------------------------------------------------------"},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Support for using TLS on in the internal haproxy VIP is already present in"},{"line_number":28,"context_line":"haproxy role and is enabled for the AIO deployment, but not enabled for new or"},{"line_number":29,"context_line":"upgrades of existing deployments."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"There are no issues with enabling TLS on the internal haproxy VIP for new"},{"line_number":32,"context_line":"deployments, but for existing deployments an upgrade process needs to be"},{"line_number":33,"context_line":"implemented. 
The reason an upgrade process is required is because currently"},{"line_number":34,"context_line":"if you enabled TLS on the internal haproxy VIP it would cause downtime, until"},{"line_number":35,"context_line":"each client is configured to use HTTPS instead of HTTP."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"Problems to resolve:"},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"* Haproxy configuration to allow TLS to be enabled without downtime of API\u0027s on"},{"line_number":40,"context_line":"  existing deployments"},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"* OpenStack-Ansible upgrade process and upgrade scripts to enable TLS without"},{"line_number":43,"context_line":"  downtime of API\u0027s on existing deployments"},{"line_number":44,"context_line":""},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"Securing internal communications from haproxy to backends"}],"source_content_type":"text/x-rst","patch_set":1,"id":"a2dd927e_08c73157","line":43,"range":{"start_line":23,"start_character":0,"end_line":43,"end_character":43},"in_reply_to":"ecd940eb_8b2bcc1a","updated":"2022-01-17 19:36:14.000000000","message":"yes it\u0027s implemented and you can do it for a new deployment, but how to take an existing http internal vip and migrate it to https without a large outage is not covered. 
this spec is trying to address that problem.","commit_id":"557f4e15825af415d70e1cc1cb9442e13635bbfe"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"9e6fdfb7938f19f487f0e90d9015b5a00d672730","unresolved":true,"context_lines":[{"line_number":76,"context_line":"* OpenStack-Ansible upgrade process and upgrade scripts to enable TLS on"},{"line_number":77,"context_line":"  backends without downtime of API\u0027s on existing deployments"},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"Securing internal communications between services"},{"line_number":80,"context_line":"-------------------------------------------------"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"Many OpenStack services communicate directly with each other and do not use"},{"line_number":83,"context_line":"haproxy, these communications should also be secured. The work to secure these"},{"line_number":84,"context_line":"communications is already complete and enabled in the current release of"},{"line_number":85,"context_line":"OpenStack-Ansible, for the following services:"},{"line_number":86,"context_line":"* RabbitMQ"},{"line_number":87,"context_line":"* Galera"},{"line_number":88,"context_line":"* Nova live migrations"},{"line_number":89,"context_line":"* noVNC (noVNC to compute nodes)."},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"Problems to resolve:"},{"line_number":92,"context_line":"* Are there any services missing from the list that do not go via haproxy"},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"Proposed 
change"},{"line_number":95,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"afbd64c4_abfc3d22","line":92,"range":{"start_line":79,"start_character":0,"end_line":92,"end_character":73},"updated":"2022-01-17 16:51:31.000000000","message":"We\u0027ve implemented that in X (except rabbit that was covered with SSL for quite a while)","commit_id":"557f4e15825af415d70e1cc1cb9442e13635bbfe"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"2e2c9a4772e743cae4d13789ee05762d616ebd1f","unresolved":false,"context_lines":[{"line_number":76,"context_line":"* OpenStack-Ansible upgrade process and upgrade scripts to enable TLS on"},{"line_number":77,"context_line":"  backends without downtime of API\u0027s on existing deployments"},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"Securing internal communications between services"},{"line_number":80,"context_line":"-------------------------------------------------"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"Many OpenStack services communicate directly with each other and do not use"},{"line_number":83,"context_line":"haproxy, these communications should also be secured. 
The work to secure these"},{"line_number":84,"context_line":"communications is already complete and enabled in the current release of"},{"line_number":85,"context_line":"OpenStack-Ansible, for the following services:"},{"line_number":86,"context_line":"* RabbitMQ"},{"line_number":87,"context_line":"* Galera"},{"line_number":88,"context_line":"* Nova live migrations"},{"line_number":89,"context_line":"* noVNC (noVNC to compute nodes)."},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"Problems to resolve:"},{"line_number":92,"context_line":"* Are there any services missing from the list that do not go via haproxy"},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"Proposed change"},{"line_number":95,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5271f992_7cb6e045","line":92,"range":{"start_line":79,"start_character":0,"end_line":92,"end_character":73},"in_reply_to":"8c9e63b9_698fce60","updated":"2022-02-21 11:12:55.000000000","message":"Done","commit_id":"557f4e15825af415d70e1cc1cb9442e13635bbfe"},{"author":{"_account_id":31542,"name":"Andrew Bonney","email":"andrew.bonney@bbc.co.uk","username":"andrewbonney"},"change_message_id":"89133631ecfe2a98a02212aa3a323d6e7a534706","unresolved":true,"context_lines":[{"line_number":76,"context_line":"* OpenStack-Ansible upgrade process and upgrade scripts to enable TLS on"},{"line_number":77,"context_line":"  backends without downtime of API\u0027s on existing deployments"},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"Securing internal communications between services"},{"line_number":80,"context_line":"-------------------------------------------------"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"Many OpenStack services communicate directly with each other and do not use"},{"line_number":83,"context_line":"haproxy, 
these communications should also be secured. The work to secure these"},{"line_number":84,"context_line":"communications is already complete and enabled in the current release of"},{"line_number":85,"context_line":"OpenStack-Ansible, for the following services:"},{"line_number":86,"context_line":"* RabbitMQ"},{"line_number":87,"context_line":"* Galera"},{"line_number":88,"context_line":"* Nova live migrations"},{"line_number":89,"context_line":"* noVNC (noVNC to compute nodes)."},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"Problems to resolve:"},{"line_number":92,"context_line":"* Are there any services missing from the list that do not go via haproxy"},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"Proposed change"},{"line_number":95,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"8c9e63b9_698fce60","line":92,"range":{"start_line":79,"start_character":0,"end_line":92,"end_character":73},"in_reply_to":"afbd64c4_abfc3d22","updated":"2022-01-19 13:28:25.000000000","message":"Memcached probably needs adding to this list. 
etcd is also possible.","commit_id":"557f4e15825af415d70e1cc1cb9442e13635bbfe"},{"author":{"_account_id":13095,"name":"Marc Gariépy","email":"gariepy.marc@gmail.com","username":"mgariepy"},"change_message_id":"75a3d3d723dd3cc10fd313f98f1d09758a8b3544","unresolved":true,"context_lines":[{"line_number":99,"context_line":"  - etcd"},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"* Are there any services missing from the list that do not go via haproxy that"},{"line_number":102,"context_line":"  need their communications securing?"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"Proposed change"},{"line_number":105,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"bbb88b47_a4e4a254","line":102,"range":{"start_line":102,"start_character":0,"end_line":102,"end_character":37},"updated":"2022-04-26 13:27:02.000000000","message":"ovn/ovs also need ssl.","commit_id":"2f85850386cedfb2eaf4dade0f1bc428b29f9743"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"40aa42ebf104e3d62fbf40277bac3aa0402dbb6d","unresolved":false,"context_lines":[{"line_number":99,"context_line":"  - etcd"},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"* Are there any services missing from the list that do not go via haproxy that"},{"line_number":102,"context_line":"  need their communications securing?"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"Proposed 
change"},{"line_number":105,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9872195c_4bd0bc08","line":102,"range":{"start_line":102,"start_character":0,"end_line":102,"end_character":37},"in_reply_to":"bbb88b47_a4e4a254","updated":"2022-11-16 19:39:12.000000000","message":"Done","commit_id":"2f85850386cedfb2eaf4dade0f1bc428b29f9743"}],"specs/zed/internal-tls.rst":[{"author":{"_account_id":34411,"name":"Neil Hanlon","email":"neil@shrug.pw","username":"nhanlon"},"change_message_id":"ef4494f798e17b2901e06431356932faf19eb4ca","unresolved":true,"context_lines":[{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Many OpenStack services communicate directly with each other and do not use"},{"line_number":85,"context_line":"haproxy, these communications should also be secured. The work to secure these"},{"line_number":86,"context_line":"communications is already complete and enabled in the Yoga release of"},{"line_number":87,"context_line":"OpenStack-Ansible, for the following services:"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"* RabbitMQ"}],"source_content_type":"text/x-rst","patch_set":11,"id":"1b880d72_49363490","line":86,"range":{"start_line":86,"start_character":54,"end_line":86,"end_character":58},"updated":"2023-05-26 20:11:17.000000000","message":"Zed, now, right?","commit_id":"8bc6eb20bca277f4b8b1e393671d8353a0b9a59f"},{"author":{"_account_id":32666,"name":"Damian Dąbrowski","email":"damian@dabrowski.cloud","username":"ddabrowski"},"change_message_id":"7efcfda3dc6a74f435bb36dd6847cdc19bc2ef67","unresolved":false,"context_lines":[{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Many OpenStack services communicate directly with each other and do not use"},{"line_number":85,"context_line":"haproxy, these communications should also be secured. 
The work to secure these"},{"line_number":86,"context_line":"communications is already complete and enabled in the Yoga release of"},{"line_number":87,"context_line":"OpenStack-Ansible, for the following services:"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"* RabbitMQ"}],"source_content_type":"text/x-rst","patch_set":11,"id":"52ef1b69_8abcb52e","line":86,"range":{"start_line":86,"start_character":54,"end_line":86,"end_character":58},"in_reply_to":"1b880d72_49363490","updated":"2023-05-27 13:13:56.000000000","message":"thanks for review\n\nyes, current release is Zed but encryption for rabbitmq, galera, nova live migrations and novnc is available since Yoga - that\u0027s why I\u0027m referring to Yoga release.","commit_id":"8bc6eb20bca277f4b8b1e393671d8353a0b9a59f"}]}
