)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"change_message_id":"8fd07c71ed364edf8a12c7f6992101a1ef3adbd1","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"2cbc3a54_1b2a5a91","updated":"2023-09-05 14:43:23.000000000","message":"Can you please explain the benefit of having such a condition in HTK? We already have the boolean field .Values.manifests.certificates in all charts. IMO if you set it to true and do not set .Values.endpoints.$service.host_fqdn_override.tls, then I would prefer Helm to give me the explicit error instead of just silently rejecting creating certificates.","commit_id":"b5556362122efa95bd961169909ff2df90a49527"},{"author":{"_account_id":31746,"name":"Oleksandr Kozachenko","email":"okozachenko1203@gmail.com","username":"okozachenko"},"change_message_id":"00308b4bdaf565fef03c59bc892d19c7585093e3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"a459e51c_3519e070","updated":"2023-09-08 12:45:30.000000000","message":"agree","commit_id":"b5556362122efa95bd961169909ff2df90a49527"},{"author":{"_account_id":31746,"name":"Oleksandr Kozachenko","email":"okozachenko1203@gmail.com","username":"okozachenko"},"change_message_id":"00308b4bdaf565fef03c59bc892d19c7585093e3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"63f8a8c4_f0b831ce","in_reply_to":"2acd16cf_d0052dae","updated":"2023-09-08 12:45:30.000000000","message":"Ok, I agree on this.","commit_id":"b5556362122efa95bd961169909ff2df90a49527"},{"author":{"_account_id":31746,"name":"Oleksandr Kozachenko","email":"okozachenko1203@gmail.com","username":"okozachenko"},"change_message_id":"d330d72f286b0a4637ed9e6d48f399858788444c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"fb77be5d_568fc915","in_reply_to":"2cbc3a54_1b2a5a91","updated":"2023-09-06 09:43:55.000000000","message":"Motivation is to support TLS for certain component(s) instead of all.\n\nI made this change to avoid such exceptions when I just want to enable TLS for certain components, not all.\nBut this patch is not enough for partial TLS support because we mount all certificates to pods regardless of their existence.\nBtw, this patch is just to generate desired tls certificates specified in values. We need to find a solution to mount certain certificates only into the pod.\nCurrent manifests.certificate is too general and not perfect to recognize and realize tls for certain components.\n\nHere is a sister patch which generates certs for only vencrypt.\nhttps://review.opendev.org/c/openstack/openstack-helm/+/893563","commit_id":"b5556362122efa95bd961169909ff2df90a49527"},{"author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"change_message_id":"0c8342721c252fcf1e4b79c3d8e0cf684ad84110","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"2acd16cf_d0052dae","in_reply_to":"81a58049_5c55c47e","updated":"2023-09-07 19:38:49.000000000","message":"Or even better. Let\u0027s look at `.Values.conf.nova.vnc.auth_schemes` as you suggested here https://review.opendev.org/c/openstack/openstack-helm/+/893563 but generate vencrypt certificates independently of `.Values.manifests.certificates`.","commit_id":"b5556362122efa95bd961169909ff2df90a49527"},{"author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"change_message_id":"45654ac54323fee9b1fcaf90cabe627d82485ddf","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"81a58049_5c55c47e","in_reply_to":"fb77be5d_568fc915","updated":"2023-09-07 19:28:36.000000000","message":"IMO in most cases it is enough to have just this single boolean field `.Values.manifests.certificates` because usually if you want your cloud to be secure you want it to be secure wherever it is possible. \n\nI still think that silently ignoring the unset tls field for an endpoint is not a good idea. If I set .Values.manifests.certificates but forget to set tls for an endpoint then this endpoint will stay insecure.\n\nVNC case is a bit outstanding. I can imagine when you terminate tls sessions outside of the cloud but still need the communication between VNC and VNC proxy to be secure. So, let\u0027s maybe just have a separate boolean field for vencrypt. Frankly, in one of the PS here https://review.opendev.org/c/openstack/openstack-helm/+/888109/18/nova/values.yaml Jaymes Mosher suggested to use a separate field and I asked him to look at `.Values.conf.nova.vnc.auth_schemes`. And my motivation was to keep this as simple as possible and have this flag `make everything secure`.\n\nLet\u0027s stick with this approach and have a separate field specifically for vencrypt. I\u0027d like to hear other core reviewers\u0027 opinions regarding this. I unset my -1.","commit_id":"b5556362122efa95bd961169909ff2df90a49527"}]}
