)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"85850c7ba1de3cbe14acafa4848161532252071c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"80fd476a_79459c8d","updated":"2023-01-31 22:25:12.000000000","message":"recheck","commit_id":"bbb4611b59b3f21c43dd194df4b4600c8972cb07"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"68e02b8619edaaeb4efe89e772e00a0ee7758bc9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"5319f822_f3687e34","updated":"2023-02-01 08:29:32.000000000","message":"recheck","commit_id":"173a1ded7e5063fe20bc7d9090a2eaad77e2a975"},{"author":{"_account_id":10459,"name":"Luigi Toscano","email":"ltoscano@redhat.com","username":"ltoscano"},"change_message_id":"aedd61f1bb90b005497f93eb6623ea8a57169751","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"b7f1b825_06cd36f5","updated":"2023-02-10 15:23:00.000000000","message":"The alternative set of jobs implies that all fips jobs should inherit from this, or have to call enable-fips themselves.\nThe former is unmanageable, because often we want to take an existing job and enable fips on it, and reparenting and recreating the hierarchy is not an option.\nThe latter is what we have been doing so far, with a copy of a simple playbook copied in each and every repository. 
I believe and advocated for a long time that copying the same code over and over is an unneeded complication.\n\nSo the question is: with enable_fips disabled by default, would it still be possible to always call the fips role in the pre phase of the topmost openstack job, so that we don\u0027t need to either create a double hierarchy or have an enable-fips playbook in all repositories?","commit_id":"d3221813229b9366c50d48187253b9dc4eb839ca"},{"author":{"_account_id":10459,"name":"Luigi Toscano","email":"ltoscano@redhat.com","username":"ltoscano"},"change_message_id":"cf547f3221fe78aedfe5d0a5a8076ece7365d679","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"03c5f20e_d31f2c13","in_reply_to":"9fb5ae7d_cbbbb3cb","updated":"2023-02-10 15:52:56.000000000","message":"I see, thanks, I\u0027ve missed the other review. That would simplify the testing a lot.","commit_id":"d3221813229b9366c50d48187253b9dc4eb839ca"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"b842a2cd16ce9b75111a5f279a7bbab5cf24eb5a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"9fb5ae7d_cbbbb3cb","in_reply_to":"b7f1b825_06cd36f5","updated":"2023-02-10 15:36:04.000000000","message":"What we\u0027ve been doing so far has worked because we have not had to deal with trying to access a secret (the ua subscription key) that is stored in project-config.\n\nUp to now, we\u0027ve only implemented fips jobs on centos, where this is not an issue.\n\nIn order to access the secret - and also to make sure that the fips playbooks happen very early in the process, we need to add the alternative job here.  
The idea is to change the parent job very early in the hierarchy, so that all subsequent jobs inherit the ability to enable fips.\n\nAn example of this is here:  https://review.opendev.org/c/openstack/devstack/+/871606\n\nWith this change, all jobs descended from devstack-base will have the ability to enable fips simply by specifying enable_fips:True and specifying a nslookup_target.\n\nSo, yes, what you said is what is planned -- to always call the fips role in the pre phase of the topmost openstack job - through inheritance.","commit_id":"d3221813229b9366c50d48187253b9dc4eb839ca"}],"playbooks/openstack-fips/pre.yaml":[{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"93d2db42ee079da218864dad0a26b8337d151d1d","unresolved":false,"context_lines":[{"line_number":1,"context_line":"- hosts: all"},{"line_number":2,"context_line":"  roles:"},{"line_number":3,"context_line":"    - role: enable-ua-subscription"},{"line_number":4,"context_line":"  when: enable_fips | default(false)"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"e984893c_3001ed5d","line":4,"updated":"2023-01-31 18:46:39.000000000","message":"Looks like \"when\" has to be in the context of a task, so you may be able to use an include_role task with it: https://stackoverflow.com/questions/64146988/ansible-run-role-based-on-condition","commit_id":"fd62fa11d0c8fdbac5423473c0a7c2b34d89bbf6"}]}
