)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"adf7b34b_3db3f0c6","updated":"2021-12-03 20:27:20.000000000","message":"Some grammar and typo/spelling changes needed. Feel free to just let me know in the future if you want me too just fix things I find. I only do it for folks who give permission as some folks prefer getting comments. ","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"c63eb0eb_1d407dc7","in_reply_to":"adf7b34b_3db3f0c6","updated":"2021-12-06 08:36:21.000000000","message":"Thanks for the review, I have made the requested changes.\nIn future I am happy for you to make the changes need to the patch.","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"25e40757a6537628fbe197bf6137906dd30b6352","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"1fd552ea_f5ae999e","updated":"2021-12-06 12:26:00.000000000","message":"damn, I commented for previous patchset, so it\u0027s not seen now in inline comments, but please, check my notes as well","commit_id":"8b2509ea10644ac8cc3586dafbe206b0e8ddb1cf"},{"author":{"_account_id":31749,"name":"James 
Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"a689d219ec193abbff769906d177688055c793af","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"4591a252_eac1453a","updated":"2021-12-10 07:46:25.000000000","message":"recheck","commit_id":"8ad37b254d47238d50a249beb06996df4fcbad37"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"c07d32505a13d02db2de1b65de0155bee86db11d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"ff84bb15_a8f2e1ae","updated":"2021-12-09 08:03:18.000000000","message":"recheck","commit_id":"8ad37b254d47238d50a249beb06996df4fcbad37"}],"doc/source/user/security/security-headers.rst":[{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":2,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":3,"context_line":""},{"line_number":4,"context_line":"Security headers are HTTP headers that can be used to increase the security of"},{"line_number":5,"context_line":"a web application, by restricting what modern browsers are able to run."},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"In Openstack-Ansible, security headers are implemented in haproxy as all public"},{"line_number":8,"context_line":"endpoints reside behind it."}],"source_content_type":"text/x-rst","patch_set":2,"id":"49c9a07b_58e0da53","line":5,"range":{"start_line":5,"start_character":17,"end_line":5,"end_character":18},"updated":"2021-12-03 20:27:20.000000000","message":"no comma needed","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James 
Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":2,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":3,"context_line":""},{"line_number":4,"context_line":"Security headers are HTTP headers that can be used to increase the security of"},{"line_number":5,"context_line":"a web application, by restricting what modern browsers are able to run."},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"In Openstack-Ansible, security headers are implemented in haproxy as all public"},{"line_number":8,"context_line":"endpoints reside behind it."}],"source_content_type":"text/x-rst","patch_set":2,"id":"4b91e030_12cdd4f8","line":5,"range":{"start_line":5,"start_character":17,"end_line":5,"end_character":18},"in_reply_to":"49c9a07b_58e0da53","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":4,"context_line":"Security headers are HTTP headers that can be used to increase the security of"},{"line_number":5,"context_line":"a web application, by restricting what modern browsers are able to run."},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"In Openstack-Ansible, security headers are implemented in haproxy as all public"},{"line_number":8,"context_line":"endpoints reside behind it."},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"All of the following headers are enabled by default on all haproxy 
interfaces"}],"source_content_type":"text/x-rst","patch_set":2,"id":"fa35543b_1dd35699","line":7,"range":{"start_line":7,"start_character":69,"end_line":7,"end_character":72},"updated":"2021-12-03 20:27:20.000000000","message":"the or all the","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":4,"context_line":"Security headers are HTTP headers that can be used to increase the security of"},{"line_number":5,"context_line":"a web application, by restricting what modern browsers are able to run."},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"In Openstack-Ansible, security headers are implemented in haproxy as all public"},{"line_number":8,"context_line":"endpoints reside behind it."},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"All of the following headers are enabled by default on all haproxy interfaces"}],"source_content_type":"text/x-rst","patch_set":2,"id":"46fa85fb_57c57dee","line":7,"range":{"start_line":7,"start_character":69,"end_line":7,"end_character":72},"in_reply_to":"fa35543b_1dd35699","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":7,"context_line":"In Openstack-Ansible, security headers are implemented in haproxy as all public"},{"line_number":8,"context_line":"endpoints reside behind it."},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"All of the following headers are enabled by default on all haproxy 
interfaces"},{"line_number":11,"context_line":"that implement TLS, but only for the Horizon service. The security headers could"},{"line_number":12,"context_line":"be implemented on other haproxy services, but only services used by"},{"line_number":13,"context_line":"browsers will make use of the headers."}],"source_content_type":"text/x-rst","patch_set":2,"id":"80acac35_4bc75d95","line":10,"range":{"start_line":10,"start_character":0,"end_line":10,"end_character":8},"updated":"2021-12-03 20:27:20.000000000","message":"The","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":7,"context_line":"In Openstack-Ansible, security headers are implemented in haproxy as all public"},{"line_number":8,"context_line":"endpoints reside behind it."},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"All of the following headers are enabled by default on all haproxy interfaces"},{"line_number":11,"context_line":"that implement TLS, but only for the Horizon service. 
The security headers could"},{"line_number":12,"context_line":"be implemented on other haproxy services, but only services used by"},{"line_number":13,"context_line":"browsers will make use of the headers."}],"source_content_type":"text/x-rst","patch_set":2,"id":"d0c349d6_f72c55ef","line":10,"range":{"start_line":10,"start_character":0,"end_line":10,"end_character":8},"in_reply_to":"80acac35_4bc75d95","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":8,"context_line":"endpoints reside behind it."},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"All of the following headers are enabled by default on all haproxy interfaces"},{"line_number":11,"context_line":"that implement TLS, but only for the Horizon service. 
The security headers could"},{"line_number":12,"context_line":"be implemented on other haproxy services, but only services used by"},{"line_number":13,"context_line":"browsers will make use of the headers."},{"line_number":14,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"174534ab_aaf70dab","line":11,"range":{"start_line":11,"start_character":75,"end_line":11,"end_character":80},"updated":"2021-12-03 20:27:20.000000000","message":"can","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":8,"context_line":"endpoints reside behind it."},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"All of the following headers are enabled by default on all haproxy interfaces"},{"line_number":11,"context_line":"that implement TLS, but only for the Horizon service. The security headers could"},{"line_number":12,"context_line":"be implemented on other haproxy services, but only services used by"},{"line_number":13,"context_line":"browsers will make use of the headers."},{"line_number":14,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"f3a556ea_aa1e9a39","line":11,"range":{"start_line":11,"start_character":75,"end_line":11,"end_character":80},"in_reply_to":"174534ab_aaf70dab","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":20,"context_line":""},{"line_number":21,"context_line":".. 
_OpenStack TLS Security Guide: https://docs.openstack.org/security-guide/secure-communication/tls-proxies-and-http-services.html#http-strict-transport-security"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"By design once this header is set it is very difficult to disable, so it is"},{"line_number":24,"context_line":"recommended that you start with a short time of 1 day during testing and"},{"line_number":25,"context_line":"raise this to one year after testing you have not introduced problems for users."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"To change the default max age of 1 year, override the variable"},{"line_number":28,"context_line":"``haproxy_security_headers_max_age`` in the"}],"source_content_type":"text/x-rst","patch_set":2,"id":"99f3639c_c35ffc5c","line":25,"range":{"start_line":23,"start_character":0,"end_line":25,"end_character":80},"updated":"2021-12-03 20:27:20.000000000","message":"By design, this header is difficult to disable once set. It is recommended that during testing you set a short time of 1 day and after testing increase the time to 1 year.","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":20,"context_line":""},{"line_number":21,"context_line":".. 
_OpenStack TLS Security Guide: https://docs.openstack.org/security-guide/secure-communication/tls-proxies-and-http-services.html#http-strict-transport-security"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"By design once this header is set it is very difficult to disable, so it is"},{"line_number":24,"context_line":"recommended that you start with a short time of 1 day during testing and"},{"line_number":25,"context_line":"raise this to one year after testing you have not introduced problems for users."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"To change the default max age of 1 year, override the variable"},{"line_number":28,"context_line":"``haproxy_security_headers_max_age`` in the"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3f319bc0_b92af9cb","line":25,"range":{"start_line":23,"start_character":0,"end_line":25,"end_character":80},"in_reply_to":"99f3639c_c35ffc5c","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":24,"context_line":"recommended that you start with a short time of 1 day during testing and"},{"line_number":25,"context_line":"raise this to one year after testing you have not introduced problems for users."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"To change the default max age of 1 year, override the variable"},{"line_number":28,"context_line":"``haproxy_security_headers_max_age`` in the"},{"line_number":29,"context_line":"``/etc/openstack_deploy/user_variables_haproxy.yml`` 
file:"},{"line_number":30,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"35a39252_4b958b08","line":27,"range":{"start_line":27,"start_character":30,"end_line":27,"end_character":32},"updated":"2021-12-03 20:27:20.000000000","message":"to","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":24,"context_line":"recommended that you start with a short time of 1 day during testing and"},{"line_number":25,"context_line":"raise this to one year after testing you have not introduced problems for users."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"To change the default max age of 1 year, override the variable"},{"line_number":28,"context_line":"``haproxy_security_headers_max_age`` in the"},{"line_number":29,"context_line":"``/etc/openstack_deploy/user_variables_haproxy.yml`` file:"},{"line_number":30,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"56c76969_e028bf29","line":27,"range":{"start_line":27,"start_character":30,"end_line":27,"end_character":32},"in_reply_to":"35a39252_4b958b08","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"cfbf14813d3b9bbcb1df8280606a2e8ac0e49e30","unresolved":true,"context_lines":[{"line_number":26,"context_line":""},{"line_number":27,"context_line":"To change the default max age of 1 year, override the variable"},{"line_number":28,"context_line":"``haproxy_security_headers_max_age`` in the"},{"line_number":29,"context_line":"``/etc/openstack_deploy/user_variables_haproxy.yml`` 
file:"},{"line_number":30,"context_line":""},{"line_number":31,"context_line":".. code-block:: yaml"},{"line_number":32,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"51094777_b8d78f4e","line":29,"range":{"start_line":29,"start_character":2,"end_line":29,"end_character":50},"updated":"2021-12-06 08:50:07.000000000","message":"I\u0027d say just user_variables, as it could be named anyhow or be even in group_vars.","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"a66e7def7baa758aeeb92173a992535537214441","unresolved":false,"context_lines":[{"line_number":26,"context_line":""},{"line_number":27,"context_line":"To change the default max age of 1 year, override the variable"},{"line_number":28,"context_line":"``haproxy_security_headers_max_age`` in the"},{"line_number":29,"context_line":"``/etc/openstack_deploy/user_variables_haproxy.yml`` file:"},{"line_number":30,"context_line":""},{"line_number":31,"context_line":".. 
code-block:: yaml"},{"line_number":32,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"65061309_61b09210","line":29,"range":{"start_line":29,"start_character":2,"end_line":29,"end_character":50},"in_reply_to":"51094777_b8d78f4e","updated":"2021-12-08 10:26:26.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":32,"context_line":""},{"line_number":33,"context_line":"    haproxy_security_headers_max_age: 86400"},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"If you would like your domain included in the HSTS preload list which is built"},{"line_number":36,"context_line":"into browsers, before submitting your request to be added to the HSTS preload"},{"line_number":37,"context_line":"list you must add the ``preload`` token to your response header. 
The ``preload``"},{"line_number":38,"context_line":"token indicates to the maintainers of HSTS preload list that you are happy to"}],"source_content_type":"text/x-rst","patch_set":2,"id":"a25ae97f_cd7e9f62","line":35,"range":{"start_line":35,"start_character":59,"end_line":35,"end_character":63},"updated":"2021-12-03 20:27:20.000000000","message":"list,","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":32,"context_line":""},{"line_number":33,"context_line":"    haproxy_security_headers_max_age: 86400"},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"If you would like your domain included in the HSTS preload list which is built"},{"line_number":36,"context_line":"into browsers, before submitting your request to be added to the HSTS preload"},{"line_number":37,"context_line":"list you must add the ``preload`` token to your response header. 
The ``preload``"},{"line_number":38,"context_line":"token indicates to the maintainers of HSTS preload list that you are happy to"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9fa57c54_0492e655","line":35,"range":{"start_line":35,"start_character":59,"end_line":35,"end_character":63},"in_reply_to":"a25ae97f_cd7e9f62","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":84,"context_line":"browser is allowed to load for a given page, which helps to mitigate the risks"},{"line_number":85,"context_line":"from Cross-Site Scripting (XSS) and data injection attacks."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"By default the Content Security Policy (CSP) enables a minimum set of resources"},{"line_number":88,"context_line":"to allow Horizon to work, which includes access the Nova console. 
If you require"},{"line_number":89,"context_line":"access to other resource these can be set by overriding the"},{"line_number":90,"context_line":"``haproxy_security_headers_csp`` variable in the"}],"source_content_type":"text/x-rst","patch_set":2,"id":"f91b25ed_f2b626d1","line":87,"range":{"start_line":87,"start_character":3,"end_line":87,"end_character":10},"updated":"2021-12-03 20:27:20.000000000","message":"default,","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":84,"context_line":"browser is allowed to load for a given page, which helps to mitigate the risks"},{"line_number":85,"context_line":"from Cross-Site Scripting (XSS) and data injection attacks."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"By default the Content Security Policy (CSP) enables a minimum set of resources"},{"line_number":88,"context_line":"to allow Horizon to work, which includes access the Nova console. 
If you require"},{"line_number":89,"context_line":"access to other resource these can be set by overriding the"},{"line_number":90,"context_line":"``haproxy_security_headers_csp`` variable in the"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1205d98d_8cfcd9bf","line":87,"range":{"start_line":87,"start_character":3,"end_line":87,"end_character":10},"in_reply_to":"f91b25ed_f2b626d1","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":86,"context_line":""},{"line_number":87,"context_line":"By default the Content Security Policy (CSP) enables a minimum set of resources"},{"line_number":88,"context_line":"to allow Horizon to work, which includes access the Nova console. If you require"},{"line_number":89,"context_line":"access to other resource these can be set by overriding the"},{"line_number":90,"context_line":"``haproxy_security_headers_csp`` variable in the"},{"line_number":91,"context_line":"``/etc/openstack_deploy/user_variables_haproxy.yml`` file."},{"line_number":92,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"24b9ca14_9d6b0445","line":89,"range":{"start_line":89,"start_character":16,"end_line":89,"end_character":24},"updated":"2021-12-03 20:27:20.000000000","message":"resources","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":86,"context_line":""},{"line_number":87,"context_line":"By default the Content Security Policy (CSP) enables a minimum set of 
resources"},{"line_number":88,"context_line":"to allow Horizon to work, which includes access the Nova console. If you require"},{"line_number":89,"context_line":"access to other resource these can be set by overriding the"},{"line_number":90,"context_line":"``haproxy_security_headers_csp`` variable in the"},{"line_number":91,"context_line":"``/etc/openstack_deploy/user_variables_haproxy.yml`` file."},{"line_number":92,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"80bd98d6_4deb9f3c","line":89,"range":{"start_line":89,"start_character":16,"end_line":89,"end_character":24},"in_reply_to":"24b9ca14_9d6b0445","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"cfbf14813d3b9bbcb1df8280606a2e8ac0e49e30","unresolved":true,"context_lines":[{"line_number":104,"context_line":""},{"line_number":105,"context_line":".. 
code-block:: yaml"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"    Content-Security-Policy-Report-Only ...; report-uri https://endpoint.example.com; report-to groupname"},{"line_number":108,"context_line":""},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"Reporting Violations"}],"source_content_type":"text/x-rst","patch_set":2,"id":"2cd45432_64950fc1","line":107,"range":{"start_line":107,"start_character":4,"end_line":107,"end_character":39},"updated":"2021-12-06 08:50:07.000000000","message":"Should we also create a variable like haproxy_security_headers_report_only for testing to replace Content-Security-Policy with Content-Security-Policy-Report-Only when it\u0027s true?","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"a66e7def7baa758aeeb92173a992535537214441","unresolved":false,"context_lines":[{"line_number":104,"context_line":""},{"line_number":105,"context_line":".. 
code-block:: yaml"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"    Content-Security-Policy-Report-Only ...; report-uri https://endpoint.example.com; report-to groupname"},{"line_number":108,"context_line":""},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"Reporting Violations"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3a06ac52_82aec35b","line":107,"range":{"start_line":107,"start_character":4,"end_line":107,"end_character":39},"in_reply_to":"2cd45432_64950fc1","updated":"2021-12-08 10:26:26.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"cfbf14813d3b9bbcb1df8280606a2e8ac0e49e30","unresolved":true,"context_lines":[{"line_number":109,"context_line":""},{"line_number":110,"context_line":"Reporting Violations"},{"line_number":111,"context_line":"--------------------"},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"It is recommended that you monitor attempted CSP violations in production, this"},{"line_number":114,"context_line":"is achieved by setting the ``report-uri`` and ``report-to`` tokens."},{"line_number":115,"context_line":""},{"line_number":116,"context_line":"Federated Login"},{"line_number":117,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"53126422_d2f87f8f","line":114,"range":{"start_line":112,"start_character":0,"end_line":114,"end_character":67},"updated":"2021-12-06 08:50:07.000000000","message":"should we create then some variables that will allow to easily configure that conditionally if they\u0027re set or not?","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James 
Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"a66e7def7baa758aeeb92173a992535537214441","unresolved":true,"context_lines":[{"line_number":109,"context_line":""},{"line_number":110,"context_line":"Reporting Violations"},{"line_number":111,"context_line":"--------------------"},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"It is recommended that you monitor attempted CSP violations in production, this"},{"line_number":114,"context_line":"is achieved by setting the ``report-uri`` and ``report-to`` tokens."},{"line_number":115,"context_line":""},{"line_number":116,"context_line":"Federated Login"},{"line_number":117,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"98aaf59e_d29353b0","line":114,"range":{"start_line":112,"start_character":0,"end_line":114,"end_character":67},"in_reply_to":"53126422_d2f87f8f","updated":"2021-12-08 10:26:26.000000000","message":"Yeah that would be nice, but is not that easy to implement, report-uri is easy as this has the format `report-uri \u003curi\u003e \u003curi\u003e;`\nBut report-to requires and extra header adding not just an extra token\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to\n\nThis is probably best done by adding the functionality to the service template in the haproxy role.\nDo you think this is worth adding or just leave it as something that user can override?","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"f83a95aa8afbadc0edaf16b992325168d964b83c","unresolved":true,"context_lines":[{"line_number":123,"context_line":""},{"line_number":124,"context_line":".. 
code-block:: yaml"},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"    haproxy_horizon_csp: \"http-response set-header Content-Security-Policy \\\"default-src \u0027self\u0027; frame-ancestors \u0027self\u0027; form-action \u0027self\u0027 {{ external_lb_vip_address }}:5000 \u003c authorisation server origin \u003e; upgrade-insecure-requests; style-src \u0027self\u0027 \u0027unsafe-inline\u0027; script-src \u0027self\u0027 \u0027unsafe-inline\u0027 \u0027unsafe-eval\u0027; child-src \u0027self\u0027 {{ external_lb_vip_address }}:{{ nova_console_port }}; frame-src \u0027self\u0027 {{ external_lb_vip_address }}:{{ nova_console_port }};\\\"\""}],"source_content_type":"text/x-rst","patch_set":2,"id":"246908fe_6d4893ed","line":126,"range":{"start_line":126,"start_character":175,"end_line":126,"end_character":206},"updated":"2021-12-06 11:49:58.000000000","message":"lets make this more obviously something that needs changing \u003cYOUR-AUTHORISATION-SERVER-ORIGIN\u003e","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"cfbf14813d3b9bbcb1df8280606a2e8ac0e49e30","unresolved":true,"context_lines":[{"line_number":123,"context_line":""},{"line_number":124,"context_line":".. 
code-block:: yaml"},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"    haproxy_horizon_csp: \"http-response set-header Content-Security-Policy \\\"default-src \u0027self\u0027; frame-ancestors \u0027self\u0027; form-action \u0027self\u0027 {{ external_lb_vip_address }}:5000 \u003c authorisation server origin \u003e; upgrade-insecure-requests; style-src \u0027self\u0027 \u0027unsafe-inline\u0027; script-src \u0027self\u0027 \u0027unsafe-inline\u0027 \u0027unsafe-eval\u0027; child-src \u0027self\u0027 {{ external_lb_vip_address }}:{{ nova_console_port }}; frame-src \u0027self\u0027 {{ external_lb_vip_address }}:{{ nova_console_port }};\\\"\""}],"source_content_type":"text/x-rst","patch_set":2,"id":"15ca99f2_a41afd73","line":126,"range":{"start_line":126,"start_character":176,"end_line":126,"end_character":204},"updated":"2021-12-06 08:50:07.000000000","message":"should we make this a variable as well?","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"a66e7def7baa758aeeb92173a992535537214441","unresolved":true,"context_lines":[{"line_number":123,"context_line":""},{"line_number":124,"context_line":".. 
code-block:: yaml"},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"    haproxy_horizon_csp: \"http-response set-header Content-Security-Policy \\\"default-src \u0027self\u0027; frame-ancestors \u0027self\u0027; form-action \u0027self\u0027 {{ external_lb_vip_address }}:5000 \u003c authorisation server origin \u003e; upgrade-insecure-requests; style-src \u0027self\u0027 \u0027unsafe-inline\u0027; script-src \u0027self\u0027 \u0027unsafe-inline\u0027 \u0027unsafe-eval\u0027; child-src \u0027self\u0027 {{ external_lb_vip_address }}:{{ nova_console_port }}; frame-src \u0027self\u0027 {{ external_lb_vip_address }}:{{ nova_console_port }};\\\"\""}],"source_content_type":"text/x-rst","patch_set":2,"id":"50634a0b_10eba3d4","line":126,"range":{"start_line":126,"start_character":176,"end_line":126,"end_character":204},"in_reply_to":"15ca99f2_a41afd73","updated":"2021-12-08 10:26:26.000000000","message":"Depending on your exact setup you may find that you need to add other origins to other fields, but it could be made a variable.","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"a66e7def7baa758aeeb92173a992535537214441","unresolved":false,"context_lines":[{"line_number":123,"context_line":""},{"line_number":124,"context_line":".. 
code-block:: yaml"},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"    haproxy_horizon_csp: \"http-response set-header Content-Security-Policy \\\"default-src \u0027self\u0027; frame-ancestors \u0027self\u0027; form-action \u0027self\u0027 {{ external_lb_vip_address }}:5000 \u003c authorisation server origin \u003e; upgrade-insecure-requests; style-src \u0027self\u0027 \u0027unsafe-inline\u0027; script-src \u0027self\u0027 \u0027unsafe-inline\u0027 \u0027unsafe-eval\u0027; child-src \u0027self\u0027 {{ external_lb_vip_address }}:{{ nova_console_port }}; frame-src \u0027self\u0027 {{ external_lb_vip_address }}:{{ nova_console_port }};\\\"\""}],"source_content_type":"text/x-rst","patch_set":2,"id":"80c432c1_22dc8338","line":126,"range":{"start_line":126,"start_character":175,"end_line":126,"end_character":206},"in_reply_to":"246908fe_6d4893ed","updated":"2021-12-08 10:26:26.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"63e0c96db0701f0585d6a584b4d7503a1c4ac1b6","unresolved":true,"context_lines":[{"line_number":123,"context_line":""},{"line_number":124,"context_line":".. 
code-block:: yaml"},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"    haproxy_horizon_csp: \"http-response set-header Content-Security-Policy \\\"default-src \u0027self\u0027; frame-ancestors \u0027self\u0027; form-action \u0027self\u0027 {{ external_lb_vip_address }}:5000 \u003c authorisation server origin \u003e; upgrade-insecure-requests; style-src \u0027self\u0027 \u0027unsafe-inline\u0027; script-src \u0027self\u0027 \u0027unsafe-inline\u0027 \u0027unsafe-eval\u0027; child-src \u0027self\u0027 {{ external_lb_vip_address }}:{{ nova_console_port }}; frame-src \u0027self\u0027 {{ external_lb_vip_address }}:{{ nova_console_port }};\\\"\""}],"source_content_type":"text/x-rst","patch_set":2,"id":"cf0f1a84_3221a897","line":126,"range":{"start_line":126,"start_character":176,"end_line":126,"end_character":204},"in_reply_to":"50634a0b_10eba3d4","updated":"2021-12-10 10:31:49.000000000","message":"anyway, let\u0027s do this in follow-up patches.","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"}],"doc/source/user/security/security-txt.rst":[{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":".. _IETF standard: https://datatracker.ietf.org/doc/html/draft-foudil-securitytxt"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"In Openstack-Ansible, ``security.txt`` is implemented in haproxy as all public"},{"line_number":12,"context_line":"endpoints reside behind it and the text file is hosted by keystone. 
It defaults"},{"line_number":13,"context_line":"to directing any request paths that end with ``/security.txt`` to the text"},{"line_number":14,"context_line":"file using an ACL rule in haproxy."}],"source_content_type":"text/x-rst","patch_set":2,"id":"bc7fb842_924664c1","line":11,"range":{"start_line":11,"start_character":3,"end_line":11,"end_character":12},"updated":"2021-12-03 20:27:20.000000000","message":"OpenStack","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":".. _IETF standard: https://datatracker.ietf.org/doc/html/draft-foudil-securitytxt"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"In Openstack-Ansible, ``security.txt`` is implemented in haproxy as all public"},{"line_number":12,"context_line":"endpoints reside behind it and the text file is hosted by keystone. 
It defaults"},{"line_number":13,"context_line":"to directing any request paths that end with ``/security.txt`` to the text"},{"line_number":14,"context_line":"file using an ACL rule in haproxy."}],"source_content_type":"text/x-rst","patch_set":2,"id":"6d43d9d7_48de751c","line":11,"range":{"start_line":11,"start_character":3,"end_line":11,"end_character":12},"in_reply_to":"bc7fb842_924664c1","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":17,"context_line":"~~~~~~~~~~~~~~~~~~~~~"},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Use the following process to add a ``security.txt`` file to your deployment"},{"line_number":20,"context_line":"using Openstack-Ansible:"},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"#. 
Write the contents of the ``security.txt`` file in accordance with the"},{"line_number":23,"context_line":"   standard."}],"source_content_type":"text/x-rst","patch_set":2,"id":"91a4ebc1_3697fcde","line":20,"range":{"start_line":20,"start_character":6,"end_line":20,"end_character":15},"updated":"2021-12-03 20:27:20.000000000","message":"OpenStack","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":17,"context_line":"~~~~~~~~~~~~~~~~~~~~~"},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Use the following process to add a ``security.txt`` file to your deployment"},{"line_number":20,"context_line":"using Openstack-Ansible:"},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"#. Write the contents of the ``security.txt`` file in accordance with the"},{"line_number":23,"context_line":"   standard."}],"source_content_type":"text/x-rst","patch_set":2,"id":"5f17f920_822b7bee","line":20,"range":{"start_line":20,"start_character":6,"end_line":20,"end_character":15},"in_reply_to":"91a4ebc1_3697fcde","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"cfbf14813d3b9bbcb1df8280606a2e8ac0e49e30","unresolved":true,"context_lines":[{"line_number":23,"context_line":"   standard."},{"line_number":24,"context_line":"#. 
Define the contents of ``security.txt`` in the variable"},{"line_number":25,"context_line":"   ``keystone_security_txt_content`` in the"},{"line_number":26,"context_line":"   ``/etc/openstack_deploy/user_variables_keystone.yml`` file:"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"  .. code-block:: yaml"},{"line_number":29,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"2c8785a3_aa970747","line":26,"range":{"start_line":26,"start_character":5,"end_line":26,"end_character":54},"updated":"2021-12-06 08:50:07.000000000","message":"let\u0027s say just user_variables","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"a66e7def7baa758aeeb92173a992535537214441","unresolved":false,"context_lines":[{"line_number":23,"context_line":"   standard."},{"line_number":24,"context_line":"#. Define the contents of ``security.txt`` in the variable"},{"line_number":25,"context_line":"   ``keystone_security_txt_content`` in the"},{"line_number":26,"context_line":"   ``/etc/openstack_deploy/user_variables_keystone.yml`` file:"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"  .. 
code-block:: yaml"},{"line_number":29,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"b2876187_97016502","line":26,"range":{"start_line":26,"start_character":5,"end_line":26,"end_character":54},"in_reply_to":"2c8785a3_aa970747","updated":"2021-12-08 10:26:26.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"cfbf14813d3b9bbcb1df8280606a2e8ac0e49e30","unresolved":true,"context_lines":[{"line_number":51,"context_line":""},{"line_number":52,"context_line":"The haproxy ACL is updated by overriding the variable"},{"line_number":53,"context_line":"``haproxy_security_txt_acl`` in the"},{"line_number":54,"context_line":"``/etc/openstack_deploy/user_variables_haproxy.yml`` file."}],"source_content_type":"text/x-rst","patch_set":2,"id":"c3c20a6c_cdd6bad2","line":54,"range":{"start_line":54,"start_character":2,"end_line":54,"end_character":50},"updated":"2021-12-06 08:50:07.000000000","message":"same here","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"a66e7def7baa758aeeb92173a992535537214441","unresolved":false,"context_lines":[{"line_number":51,"context_line":""},{"line_number":52,"context_line":"The haproxy ACL is updated by overriding the variable"},{"line_number":53,"context_line":"``haproxy_security_txt_acl`` in the"},{"line_number":54,"context_line":"``/etc/openstack_deploy/user_variables_haproxy.yml`` file."}],"source_content_type":"text/x-rst","patch_set":2,"id":"f517eda4_d0ddcdc6","line":54,"range":{"start_line":54,"start_character":2,"end_line":54,"end_character":50},"in_reply_to":"c3c20a6c_cdd6bad2","updated":"2021-12-08 
10:26:26.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"}],"doc/source/user/security/ssl-certificates.rst":[{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":269,"context_line":"As well as load balancing public endpoints, haproxy is also used to load balance"},{"line_number":270,"context_line":"internal connections."},{"line_number":271,"context_line":""},{"line_number":272,"context_line":"Openstack-Ansible by default does not secure connections to the internal VIP, to"},{"line_number":273,"context_line":"enable this you must set the following variables in the"},{"line_number":274,"context_line":"``/etc/openstack_deploy/user_variables.yml`` file:"},{"line_number":275,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"16e1509f_139d7eb8","line":272,"range":{"start_line":272,"start_character":0,"end_line":272,"end_character":28},"updated":"2021-12-03 20:27:20.000000000","message":"By default, OpenStack-Ansible","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":269,"context_line":"As well as load balancing public endpoints, haproxy is also used to load balance"},{"line_number":270,"context_line":"internal connections."},{"line_number":271,"context_line":""},{"line_number":272,"context_line":"Openstack-Ansible by default does not secure connections to the internal VIP, to"},{"line_number":273,"context_line":"enable this you must set the following variables in the"},{"line_number":274,"context_line":"``/etc/openstack_deploy/user_variables.yml`` 
file:"},{"line_number":275,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"0a7f3cd9_bcdbd01b","line":272,"range":{"start_line":272,"start_character":73,"end_line":272,"end_character":80},"updated":"2021-12-03 20:27:20.000000000","message":"VIP. To","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":269,"context_line":"As well as load balancing public endpoints, haproxy is also used to load balance"},{"line_number":270,"context_line":"internal connections."},{"line_number":271,"context_line":""},{"line_number":272,"context_line":"Openstack-Ansible by default does not secure connections to the internal VIP, to"},{"line_number":273,"context_line":"enable this you must set the following variables in the"},{"line_number":274,"context_line":"``/etc/openstack_deploy/user_variables.yml`` file:"},{"line_number":275,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"4611615d_c2ee1df7","line":272,"range":{"start_line":272,"start_character":73,"end_line":272,"end_character":80},"in_reply_to":"0a7f3cd9_bcdbd01b","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":269,"context_line":"As well as load balancing public endpoints, haproxy is also used to load balance"},{"line_number":270,"context_line":"internal connections."},{"line_number":271,"context_line":""},{"line_number":272,"context_line":"Openstack-Ansible by default does not secure connections to the internal VIP, to"},{"line_number":273,"context_line":"enable this 
you must set the following variables in the"},{"line_number":274,"context_line":"``/etc/openstack_deploy/user_variables.yml`` file:"},{"line_number":275,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"b3562fd5_6a088495","line":272,"range":{"start_line":272,"start_character":0,"end_line":272,"end_character":28},"in_reply_to":"16e1509f_139d7eb8","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"cfbf14813d3b9bbcb1df8280606a2e8ac0e49e30","unresolved":true,"context_lines":[{"line_number":275,"context_line":""},{"line_number":276,"context_line":".. code-block:: yaml"},{"line_number":277,"context_line":""},{"line_number":278,"context_line":"   openstack_service_adminuri_proto: https"},{"line_number":279,"context_line":"   openstack_service_internaluri_proto: https"},{"line_number":280,"context_line":""},{"line_number":281,"context_line":"   haproxy_ssl_all_vips: true"},{"line_number":282,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"1380e77d_e02e6b65","line":279,"range":{"start_line":278,"start_character":0,"end_line":279,"end_character":45},"updated":"2021-12-06 08:50:07.000000000","message":"I wonder if we can improve that and set proto to https when `haproxy_ssl_all_vips` is true?\n\nIt\u0027s not for this specific patch though","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":283,"context_line":"Run all playbooks to configure haproxy and openstack services."},{"line_number":284,"context_line":""},{"line_number":285,"context_line":"When enabled haproxy will 
use the same TLS certificate on all interfaces"},{"line_number":286,"context_line":"(internal and external). It is not currently possible in Openstack-Ansible to"},{"line_number":287,"context_line":"use different self-signed or user-provided TLS certificates on different haproxy"},{"line_number":288,"context_line":"interfaces."},{"line_number":289,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"d0bb3acb_7aeb2865","line":286,"range":{"start_line":286,"start_character":57,"end_line":286,"end_character":66},"updated":"2021-12-03 20:27:20.000000000","message":"OpenStack","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":283,"context_line":"Run all playbooks to configure haproxy and openstack services."},{"line_number":284,"context_line":""},{"line_number":285,"context_line":"When enabled haproxy will use the same TLS certificate on all interfaces"},{"line_number":286,"context_line":"(internal and external). 
It is not currently possible in Openstack-Ansible to"},{"line_number":287,"context_line":"use different self-signed or user-provided TLS certificates on different haproxy"},{"line_number":288,"context_line":"interfaces."},{"line_number":289,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"72f2e5ba_8a2ef31a","line":286,"range":{"start_line":286,"start_character":57,"end_line":286,"end_character":66},"in_reply_to":"d0bb3acb_7aeb2865","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":292,"context_line":""},{"line_number":293,"context_line":"Enabling TLS on the internal VIP for existing deployments will cause some"},{"line_number":294,"context_line":"downtime, this is because haproxy only listens on a single well known port for"},{"line_number":295,"context_line":"each Openstack service and Openstack services are configured to use http or"},{"line_number":296,"context_line":"https. 
This means once haproxy is updated to only accept HTTPS connections, the"},{"line_number":297,"context_line":"Openstack services will stop working until they are updated to use HTTPS."},{"line_number":298,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"38e513b8_2089fd0a","line":295,"range":{"start_line":295,"start_character":5,"end_line":295,"end_character":14},"updated":"2021-12-03 20:27:20.000000000","message":"OpenStack","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":292,"context_line":""},{"line_number":293,"context_line":"Enabling TLS on the internal VIP for existing deployments will cause some"},{"line_number":294,"context_line":"downtime, this is because haproxy only listens on a single well known port for"},{"line_number":295,"context_line":"each Openstack service and Openstack services are configured to use http or"},{"line_number":296,"context_line":"https. 
This means once haproxy is updated to only accept HTTPS connections, the"},{"line_number":297,"context_line":"Openstack services will stop working until they are updated to use HTTPS."},{"line_number":298,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"5d4a8032_c891e020","line":295,"range":{"start_line":295,"start_character":27,"end_line":295,"end_character":36},"updated":"2021-12-03 20:27:20.000000000","message":"OpenStack","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":292,"context_line":""},{"line_number":293,"context_line":"Enabling TLS on the internal VIP for existing deployments will cause some"},{"line_number":294,"context_line":"downtime, this is because haproxy only listens on a single well known port for"},{"line_number":295,"context_line":"each Openstack service and Openstack services are configured to use http or"},{"line_number":296,"context_line":"https. 
This means once haproxy is updated to only accept HTTPS connections, the"},{"line_number":297,"context_line":"Openstack services will stop working until they are updated to use HTTPS."},{"line_number":298,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"376bc829_84000e0e","line":295,"range":{"start_line":295,"start_character":5,"end_line":295,"end_character":14},"in_reply_to":"38e513b8_2089fd0a","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":292,"context_line":""},{"line_number":293,"context_line":"Enabling TLS on the internal VIP for existing deployments will cause some"},{"line_number":294,"context_line":"downtime, this is because haproxy only listens on a single well known port for"},{"line_number":295,"context_line":"each Openstack service and Openstack services are configured to use http or"},{"line_number":296,"context_line":"https. 
This means once haproxy is updated to only accept HTTPS connections, the"},{"line_number":297,"context_line":"Openstack services will stop working until they are updated to use HTTPS."},{"line_number":298,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"dd5543ca_bbc0fc29","line":295,"range":{"start_line":295,"start_character":27,"end_line":295,"end_character":36},"in_reply_to":"5d4a8032_c891e020","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":294,"context_line":"downtime, this is because haproxy only listens on a single well known port for"},{"line_number":295,"context_line":"each Openstack service and Openstack services are configured to use http or"},{"line_number":296,"context_line":"https. 
This means once haproxy is updated to only accept HTTPS connections, the"},{"line_number":297,"context_line":"Openstack services will stop working until they are updated to use HTTPS."},{"line_number":298,"context_line":""},{"line_number":299,"context_line":"For this reason it is recommended that TLS for haproxy internal VIP on existing"},{"line_number":300,"context_line":"deployments is deployed at the same time as enabling TLS for Haproxy backends,"}],"source_content_type":"text/x-rst","patch_set":2,"id":"0d87f119_1dcd0c78","line":297,"range":{"start_line":297,"start_character":0,"end_line":297,"end_character":9},"updated":"2021-12-03 20:27:20.000000000","message":"OpenStack","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":294,"context_line":"downtime, this is because haproxy only listens on a single well known port for"},{"line_number":295,"context_line":"each Openstack service and Openstack services are configured to use http or"},{"line_number":296,"context_line":"https. 
This means once haproxy is updated to only accept HTTPS connections, the"},{"line_number":297,"context_line":"Openstack services will stop working until they are updated to use HTTPS."},{"line_number":298,"context_line":""},{"line_number":299,"context_line":"For this reason it is recommended that TLS for haproxy internal VIP on existing"},{"line_number":300,"context_line":"deployments is deployed at the same time as enabling TLS for Haproxy backends,"}],"source_content_type":"text/x-rst","patch_set":2,"id":"c2ab1f25_cb48cf23","line":297,"range":{"start_line":297,"start_character":0,"end_line":297,"end_character":9},"in_reply_to":"0d87f119_1dcd0c78","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"cfbf14813d3b9bbcb1df8280606a2e8ac0e49e30","unresolved":true,"context_lines":[{"line_number":298,"context_line":""},{"line_number":299,"context_line":"For this reason it is recommended that TLS for haproxy internal VIP on existing"},{"line_number":300,"context_line":"deployments is deployed at the same time as enabling TLS for Haproxy backends,"},{"line_number":301,"context_line":"as this may also cause downtime. 
For new deployments this should be enable from"},{"line_number":302,"context_line":"the start."},{"line_number":303,"context_line":""},{"line_number":304,"context_line":"TLS for Haproxy Backends"}],"source_content_type":"text/x-rst","patch_set":2,"id":"42cc5dd9_63a992aa","line":301,"range":{"start_line":301,"start_character":68,"end_line":301,"end_character":74},"updated":"2021-12-06 08:50:07.000000000","message":"enabled","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"a66e7def7baa758aeeb92173a992535537214441","unresolved":false,"context_lines":[{"line_number":298,"context_line":""},{"line_number":299,"context_line":"For this reason it is recommended that TLS for haproxy internal VIP on existing"},{"line_number":300,"context_line":"deployments is deployed at the same time as enabling TLS for Haproxy backends,"},{"line_number":301,"context_line":"as this may also cause downtime. 
For new deployments this should be enable from"},{"line_number":302,"context_line":"the start."},{"line_number":303,"context_line":""},{"line_number":304,"context_line":"TLS for Haproxy Backends"}],"source_content_type":"text/x-rst","patch_set":2,"id":"42561549_f574da9c","line":301,"range":{"start_line":301,"start_character":68,"end_line":301,"end_character":74},"in_reply_to":"42cc5dd9_63a992aa","updated":"2021-12-08 10:26:26.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":310,"context_line":"TLS for Live Migrations"},{"line_number":311,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":312,"context_line":""},{"line_number":313,"context_line":"Live migration of VM\u0027s using SSH is deprecated and the `Openstack Nova Docs`_"},{"line_number":314,"context_line":"recommends using the more secure native TLS method supported by QEMU. 
The"},{"line_number":315,"context_line":"default live migration method used by Openstack-Ansible has been updated to"},{"line_number":316,"context_line":"use TLS migrations."}],"source_content_type":"text/x-rst","patch_set":2,"id":"236e8a6c_e46474f3","line":313,"range":{"start_line":313,"start_character":56,"end_line":313,"end_character":65},"updated":"2021-12-03 20:27:20.000000000","message":"OpenStack","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":310,"context_line":"TLS for Live Migrations"},{"line_number":311,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":312,"context_line":""},{"line_number":313,"context_line":"Live migration of VM\u0027s using SSH is deprecated and the `Openstack Nova Docs`_"},{"line_number":314,"context_line":"recommends using the more secure native TLS method supported by QEMU. 
The"},{"line_number":315,"context_line":"default live migration method used by Openstack-Ansible has been updated to"},{"line_number":316,"context_line":"use TLS migrations."}],"source_content_type":"text/x-rst","patch_set":2,"id":"54ee6794_1fea4820","line":313,"range":{"start_line":313,"start_character":56,"end_line":313,"end_character":65},"in_reply_to":"236e8a6c_e46474f3","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":312,"context_line":""},{"line_number":313,"context_line":"Live migration of VM\u0027s using SSH is deprecated and the `Openstack Nova Docs`_"},{"line_number":314,"context_line":"recommends using the more secure native TLS method supported by QEMU. The"},{"line_number":315,"context_line":"default live migration method used by Openstack-Ansible has been updated to"},{"line_number":316,"context_line":"use TLS migrations."},{"line_number":317,"context_line":""},{"line_number":318,"context_line":".. 
_Openstack Nova Docs: https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html"}],"source_content_type":"text/x-rst","patch_set":2,"id":"27bad83c_b33d3b9f","line":315,"range":{"start_line":315,"start_character":38,"end_line":315,"end_character":47},"updated":"2021-12-03 20:27:20.000000000","message":"OpenStack","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":312,"context_line":""},{"line_number":313,"context_line":"Live migration of VM\u0027s using SSH is deprecated and the `Openstack Nova Docs`_"},{"line_number":314,"context_line":"recommends using the more secure native TLS method supported by QEMU. The"},{"line_number":315,"context_line":"default live migration method used by Openstack-Ansible has been updated to"},{"line_number":316,"context_line":"use TLS migrations."},{"line_number":317,"context_line":""},{"line_number":318,"context_line":".. 
_Openstack Nova Docs: https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html"}],"source_content_type":"text/x-rst","patch_set":2,"id":"a7607f44_5a2b31e4","line":315,"range":{"start_line":315,"start_character":38,"end_line":315,"end_character":47},"in_reply_to":"27bad83c_b33d3b9f","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":315,"context_line":"default live migration method used by Openstack-Ansible has been updated to"},{"line_number":316,"context_line":"use TLS migrations."},{"line_number":317,"context_line":""},{"line_number":318,"context_line":".. _Openstack Nova Docs: https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html"},{"line_number":319,"context_line":""},{"line_number":320,"context_line":"QEMU-native TLS requires all compute hosts to accept TCP connections on"},{"line_number":321,"context_line":"port 16514 and port range 49152 to 49261."}],"source_content_type":"text/x-rst","patch_set":2,"id":"c0824b6c_0b79adb3","line":318,"range":{"start_line":318,"start_character":3,"end_line":318,"end_character":13},"updated":"2021-12-03 20:27:20.000000000","message":"OpenStack","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":315,"context_line":"default live migration method used by Openstack-Ansible has been updated to"},{"line_number":316,"context_line":"use TLS 
migrations."},{"line_number":317,"context_line":""},{"line_number":318,"context_line":".. _Openstack Nova Docs: https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html"},{"line_number":319,"context_line":""},{"line_number":320,"context_line":"QEMU-native TLS requires all compute hosts to accept TCP connections on"},{"line_number":321,"context_line":"port 16514 and port range 49152 to 49261."}],"source_content_type":"text/x-rst","patch_set":2,"id":"9cd2a781_7cc5ec66","line":318,"range":{"start_line":318,"start_character":3,"end_line":318,"end_character":13},"in_reply_to":"c0824b6c_0b79adb3","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":324,"context_line":"some using TLS for live migrations, as this would prevent live migrations"},{"line_number":325,"context_line":"between the compute nodes."},{"line_number":326,"context_line":""},{"line_number":327,"context_line":"There are no issues enabling TLS live migration during an Openstack upgrade, as"},{"line_number":328,"context_line":"longs as you do not need to live migrate instances during the upgrade. 
If you"},{"line_number":329,"context_line":"you need to live migrate instances during an upgrade, enable TLS live migrations"},{"line_number":330,"context_line":"before or after the upgrade."}],"source_content_type":"text/x-rst","patch_set":2,"id":"cb653908_6748b683","line":327,"range":{"start_line":327,"start_character":58,"end_line":327,"end_character":67},"updated":"2021-12-03 20:27:20.000000000","message":"OpenStack","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":324,"context_line":"some using TLS for live migrations, as this would prevent live migrations"},{"line_number":325,"context_line":"between the compute nodes."},{"line_number":326,"context_line":""},{"line_number":327,"context_line":"There are no issues enabling TLS live migration during an Openstack upgrade, as"},{"line_number":328,"context_line":"longs as you do not need to live migrate instances during the upgrade. 
If you"},{"line_number":329,"context_line":"you need to live migrate instances during an upgrade, enable TLS live migrations"},{"line_number":330,"context_line":"before or after the upgrade."}],"source_content_type":"text/x-rst","patch_set":2,"id":"4e6613d6_279055cb","line":327,"range":{"start_line":327,"start_character":58,"end_line":327,"end_character":67},"in_reply_to":"cb653908_6748b683","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"cfbf14813d3b9bbcb1df8280606a2e8ac0e49e30","unresolved":true,"context_lines":[{"line_number":325,"context_line":"between the compute nodes."},{"line_number":326,"context_line":""},{"line_number":327,"context_line":"There are no issues enabling TLS live migration during an Openstack upgrade, as"},{"line_number":328,"context_line":"longs as you do not need to live migrate instances during the upgrade. 
If you"},{"line_number":329,"context_line":"you need to live migrate instances during an upgrade, enable TLS live migrations"},{"line_number":330,"context_line":"before or after the upgrade."},{"line_number":331,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"f9809e41_0d09bb93","line":328,"range":{"start_line":328,"start_character":0,"end_line":328,"end_character":5},"updated":"2021-12-06 08:50:07.000000000","message":"long","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"a66e7def7baa758aeeb92173a992535537214441","unresolved":false,"context_lines":[{"line_number":325,"context_line":"between the compute nodes."},{"line_number":326,"context_line":""},{"line_number":327,"context_line":"There are no issues enabling TLS live migration during an Openstack upgrade, as"},{"line_number":328,"context_line":"longs as you do not need to live migrate instances during the upgrade. 
If you"},{"line_number":329,"context_line":"you need to live migrate instances during an upgrade, enable TLS live migrations"},{"line_number":330,"context_line":"before or after the upgrade."},{"line_number":331,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"83a56b8c_40406c68","line":328,"range":{"start_line":328,"start_character":0,"end_line":328,"end_character":5},"in_reply_to":"f9809e41_0d09bb93","updated":"2021-12-08 10:26:26.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"cfbf14813d3b9bbcb1df8280606a2e8ac0e49e30","unresolved":true,"context_lines":[{"line_number":340,"context_line":"TLS for VNC"},{"line_number":341,"context_line":"~~~~~~~~~~~"},{"line_number":342,"context_line":""},{"line_number":343,"context_line":"When using VNC for console access there a 3 connections to secure, client to"},{"line_number":344,"context_line":"haproxy, haproxy to noVNC Proxy and noVN Proxy to Compute nodes. 
The `Openstack"},{"line_number":345,"context_line":"Nova Docs for remote console access`_ cover console security in much more"},{"line_number":346,"context_line":"detail."}],"source_content_type":"text/x-rst","patch_set":2,"id":"7ac1df6d_6609ed74","line":343,"range":{"start_line":343,"start_character":34,"end_line":343,"end_character":41},"updated":"2021-12-06 08:50:07.000000000","message":"there are?","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"a66e7def7baa758aeeb92173a992535537214441","unresolved":false,"context_lines":[{"line_number":340,"context_line":"TLS for VNC"},{"line_number":341,"context_line":"~~~~~~~~~~~"},{"line_number":342,"context_line":""},{"line_number":343,"context_line":"When using VNC for console access there a 3 connections to secure, client to"},{"line_number":344,"context_line":"haproxy, haproxy to noVNC Proxy and noVN Proxy to Compute nodes. 
The `Openstack"},{"line_number":345,"context_line":"Nova Docs for remote console access`_ cover console security in much more"},{"line_number":346,"context_line":"detail."}],"source_content_type":"text/x-rst","patch_set":2,"id":"99f92ce2_5cb05b0d","line":343,"range":{"start_line":343,"start_character":34,"end_line":343,"end_character":41},"in_reply_to":"7ac1df6d_6609ed74","updated":"2021-12-08 10:26:26.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":341,"context_line":"~~~~~~~~~~~"},{"line_number":342,"context_line":""},{"line_number":343,"context_line":"When using VNC for console access there a 3 connections to secure, client to"},{"line_number":344,"context_line":"haproxy, haproxy to noVNC Proxy and noVN Proxy to Compute nodes. 
The `Openstack"},{"line_number":345,"context_line":"Nova Docs for remote console access`_ cover console security in much more"},{"line_number":346,"context_line":"detail."},{"line_number":347,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"e6b1d8da_80afa177","line":344,"range":{"start_line":344,"start_character":70,"end_line":344,"end_character":79},"updated":"2021-12-03 20:27:20.000000000","message":"OpenStack","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"cfbf14813d3b9bbcb1df8280606a2e8ac0e49e30","unresolved":true,"context_lines":[{"line_number":341,"context_line":"~~~~~~~~~~~"},{"line_number":342,"context_line":""},{"line_number":343,"context_line":"When using VNC for console access there a 3 connections to secure, client to"},{"line_number":344,"context_line":"haproxy, haproxy to noVNC Proxy and noVN Proxy to Compute nodes. 
The `Openstack"},{"line_number":345,"context_line":"Nova Docs for remote console access`_ cover console security in much more"},{"line_number":346,"context_line":"detail."},{"line_number":347,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"340caa13_12597176","line":344,"range":{"start_line":344,"start_character":36,"end_line":344,"end_character":40},"updated":"2021-12-06 08:50:07.000000000","message":"noVNC","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"a66e7def7baa758aeeb92173a992535537214441","unresolved":false,"context_lines":[{"line_number":341,"context_line":"~~~~~~~~~~~"},{"line_number":342,"context_line":""},{"line_number":343,"context_line":"When using VNC for console access there a 3 connections to secure, client to"},{"line_number":344,"context_line":"haproxy, haproxy to noVNC Proxy and noVN Proxy to Compute nodes. 
The `Openstack"},{"line_number":345,"context_line":"Nova Docs for remote console access`_ cover console security in much more"},{"line_number":346,"context_line":"detail."},{"line_number":347,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"06120501_ab14fc10","line":344,"range":{"start_line":344,"start_character":36,"end_line":344,"end_character":40},"in_reply_to":"340caa13_12597176","updated":"2021-12-08 10:26:26.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":341,"context_line":"~~~~~~~~~~~"},{"line_number":342,"context_line":""},{"line_number":343,"context_line":"When using VNC for console access there a 3 connections to secure, client to"},{"line_number":344,"context_line":"haproxy, haproxy to noVNC Proxy and noVN Proxy to Compute nodes. 
The `Openstack"},{"line_number":345,"context_line":"Nova Docs for remote console access`_ cover console security in much more"},{"line_number":346,"context_line":"detail."},{"line_number":347,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"7028fc63_1db9a179","line":344,"range":{"start_line":344,"start_character":70,"end_line":344,"end_character":79},"in_reply_to":"e6b1d8da_80afa177","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":345,"context_line":"Nova Docs for remote console access`_ cover console security in much more"},{"line_number":346,"context_line":"detail."},{"line_number":347,"context_line":""},{"line_number":348,"context_line":".. _Openstack Nova Docs for remote console access: https://docs.openstack.org/nova/latest/admin/remote-console-access.html#vnc-proxy-security"},{"line_number":349,"context_line":""},{"line_number":350,"context_line":"In Openstack-Ansible TLS to haproxy is configured in haproxy, TLS to noVNC is"},{"line_number":351,"context_line":"not currently enabled and TLS to Compute nodes is enabled by default."}],"source_content_type":"text/x-rst","patch_set":2,"id":"8d9b190a_7ba1124b","line":348,"range":{"start_line":348,"start_character":3,"end_line":348,"end_character":13},"updated":"2021-12-03 20:27:20.000000000","message":"OpenStack","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":345,"context_line":"Nova Docs for remote console access`_ cover console security in much 
more"},{"line_number":346,"context_line":"detail."},{"line_number":347,"context_line":""},{"line_number":348,"context_line":".. _Openstack Nova Docs for remote console access: https://docs.openstack.org/nova/latest/admin/remote-console-access.html#vnc-proxy-security"},{"line_number":349,"context_line":""},{"line_number":350,"context_line":"In Openstack-Ansible TLS to haproxy is configured in haproxy, TLS to noVNC is"},{"line_number":351,"context_line":"not currently enabled and TLS to Compute nodes is enabled by default."}],"source_content_type":"text/x-rst","patch_set":2,"id":"f91620f4_4e280ac9","line":348,"range":{"start_line":348,"start_character":3,"end_line":348,"end_character":13},"in_reply_to":"8d9b190a_7ba1124b","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":347,"context_line":""},{"line_number":348,"context_line":".. 
_Openstack Nova Docs for remote console access: https://docs.openstack.org/nova/latest/admin/remote-console-access.html#vnc-proxy-security"},{"line_number":349,"context_line":""},{"line_number":350,"context_line":"In Openstack-Ansible TLS to haproxy is configured in haproxy, TLS to noVNC is"},{"line_number":351,"context_line":"not currently enabled and TLS to Compute nodes is enabled by default."},{"line_number":352,"context_line":""},{"line_number":353,"context_line":"To help with the transition from unencrypted VNC to VeNCrypt,"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9f81b782_ae9c2b6e","line":350,"range":{"start_line":350,"start_character":3,"end_line":350,"end_character":12},"updated":"2021-12-03 20:27:20.000000000","message":"OpenStack","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":347,"context_line":""},{"line_number":348,"context_line":".. 
_Openstack Nova Docs for remote console access: https://docs.openstack.org/nova/latest/admin/remote-console-access.html#vnc-proxy-security"},{"line_number":349,"context_line":""},{"line_number":350,"context_line":"In Openstack-Ansible TLS to haproxy is configured in haproxy, TLS to noVNC is"},{"line_number":351,"context_line":"not currently enabled and TLS to Compute nodes is enabled by default."},{"line_number":352,"context_line":""},{"line_number":353,"context_line":"To help with the transition from unencrypted VNC to VeNCrypt,"}],"source_content_type":"text/x-rst","patch_set":2,"id":"698cfffb_419e6a9f","line":350,"range":{"start_line":350,"start_character":3,"end_line":350,"end_character":12},"in_reply_to":"9f81b782_ae9c2b6e","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":15993,"name":"Amy Marrich","display_name":"Amy Marrich (spotz)","email":"amy@demarco.com","username":"amarrich"},"change_message_id":"d39ad83200558103f6b23bcb9761531d07eb3783","unresolved":true,"context_lines":[{"line_number":353,"context_line":"To help with the transition from unencrypted VNC to VeNCrypt,"},{"line_number":354,"context_line":"initially noVNC proxy auth scheme allows for both encrypted and"},{"line_number":355,"context_line":"unencrypted sessions using the variable `nova_vencrypt_auth_scheme`. This will"},{"line_number":356,"context_line":"be restricted to VeNCrypt only in future versions of Openstack-Ansible."},{"line_number":357,"context_line":""},{"line_number":358,"context_line":".. 
code-block:: yaml"},{"line_number":359,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"8c89c425_46f48085","line":356,"range":{"start_line":356,"start_character":53,"end_line":356,"end_character":62},"updated":"2021-12-03 20:27:20.000000000","message":"OpenStack","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"13d9406dff0b4f11b5205c4fbf453c903a88ad46","unresolved":false,"context_lines":[{"line_number":353,"context_line":"To help with the transition from unencrypted VNC to VeNCrypt,"},{"line_number":354,"context_line":"initially noVNC proxy auth scheme allows for both encrypted and"},{"line_number":355,"context_line":"unencrypted sessions using the variable `nova_vencrypt_auth_scheme`. This will"},{"line_number":356,"context_line":"be restricted to VeNCrypt only in future versions of Openstack-Ansible."},{"line_number":357,"context_line":""},{"line_number":358,"context_line":".. 
code-block:: yaml"},{"line_number":359,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"f058cd0e_4719b7e2","line":356,"range":{"start_line":356,"start_character":53,"end_line":356,"end_character":62},"in_reply_to":"8c89c425_46f48085","updated":"2021-12-06 08:36:21.000000000","message":"Done","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"}],"inventory/group_vars/haproxy/haproxy.yml":[{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"cfbf14813d3b9bbcb1df8280606a2e8ac0e49e30","unresolved":true,"context_lines":[{"line_number":232,"context_line":"  haproxy_service_enabled: \"{{ groups[\u0027keystone_all\u0027] is defined and groups[\u0027keystone_all\u0027] | length \u003e 0 }}\""},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"haproxy_letsencrypt_service:"},{"line_number":235,"context_line":"  haproxy_service_name: certbot"},{"line_number":236,"context_line":"  haproxy_backend_nodes: \"{{ groups[\u0027haproxy_all\u0027] }}\""},{"line_number":237,"context_line":"  backend_rise: 1"},{"line_number":238,"context_line":"  backend_fall: 5"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"b9d1c184_3b6a9c7c","line":235,"range":{"start_line":235,"start_character":0,"end_line":235,"end_character":31},"updated":"2021-12-06 08:50:07.000000000","message":"we also need to ensure that old `letsencrypt` service is absent otherwise they should conflict during upgrade?","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"a66e7def7baa758aeeb92173a992535537214441","unresolved":false,"context_lines":[{"line_number":232,"context_line":"  haproxy_service_enabled: \"{{ groups[\u0027keystone_all\u0027] is defined and groups[\u0027keystone_all\u0027] | length \u003e 0 
}}\""},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"haproxy_letsencrypt_service:"},{"line_number":235,"context_line":"  haproxy_service_name: certbot"},{"line_number":236,"context_line":"  haproxy_backend_nodes: \"{{ groups[\u0027haproxy_all\u0027] }}\""},{"line_number":237,"context_line":"  backend_rise: 1"},{"line_number":238,"context_line":"  backend_fall: 5"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"c71ac7d6_e57decb4","line":235,"range":{"start_line":235,"start_character":0,"end_line":235,"end_character":31},"in_reply_to":"b9d1c184_3b6a9c7c","updated":"2021-12-08 10:26:26.000000000","message":"True, i will maybe leave the name as letencrypt as all the variables call it that","commit_id":"b1a80ea9b86a2850c8a95ed6001a7daab0b1985f"},{"author":{"_account_id":25023,"name":"Jonathan Rosser","email":"jonathan.rosser@rd.bbc.co.uk","username":"jrosser"},"change_message_id":"f83a95aa8afbadc0edaf16b992325168d964b83c","unresolved":true,"context_lines":[{"line_number":232,"context_line":"  haproxy_service_enabled: \"{{ groups[\u0027keystone_all\u0027] is defined and groups[\u0027keystone_all\u0027] | length \u003e 0 }}\""},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"haproxy_letsencrypt_service:"},{"line_number":235,"context_line":"  haproxy_service_name: letsencrypt"},{"line_number":236,"context_line":"  haproxy_backend_nodes: \"{{ groups[\u0027haproxy_all\u0027] }}\""},{"line_number":237,"context_line":"  backend_rise: 1"},{"line_number":238,"context_line":"  backend_fall: 5"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"b4373ab3_0a79ef70","side":"PARENT","line":235,"range":{"start_line":235,"start_character":24,"end_line":235,"end_character":35},"updated":"2021-12-06 11:49:58.000000000","message":"this isn\u0027t really documentation like the rest of the patch - and it\u0027s borderline release note stuff too in case anyone has set up monitoring for their haproxy which needs to 
special-case LE/certbot, as it\u0027s usually legitimately in the \u0027down\u0027 state.","commit_id":"92feb0805ed33c54cb1171eba1e0504bb73119db"},{"author":{"_account_id":31749,"name":"James Gibson","email":"james.gibson@bbc.co.uk","username":"jamesgibo"},"change_message_id":"a66e7def7baa758aeeb92173a992535537214441","unresolved":false,"context_lines":[{"line_number":232,"context_line":"  haproxy_service_enabled: \"{{ groups[\u0027keystone_all\u0027] is defined and groups[\u0027keystone_all\u0027] | length \u003e 0 }}\""},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"haproxy_letsencrypt_service:"},{"line_number":235,"context_line":"  haproxy_service_name: letsencrypt"},{"line_number":236,"context_line":"  haproxy_backend_nodes: \"{{ groups[\u0027haproxy_all\u0027] }}\""},{"line_number":237,"context_line":"  backend_rise: 1"},{"line_number":238,"context_line":"  backend_fall: 5"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"9b40420b_52daf641","side":"PARENT","line":235,"range":{"start_line":235,"start_character":24,"end_line":235,"end_character":35},"in_reply_to":"b4373ab3_0a79ef70","updated":"2021-12-08 10:26:26.000000000","message":"Reverted the change","commit_id":"92feb0805ed33c54cb1171eba1e0504bb73119db"}]}
