)]}'
{"tripleo_ansible/roles/octavia_controller_check/tasks/main.yml":[{"author":{"_account_id":6469,"name":"Carlos Gonçalves","display_name":"Carlos Goncalves","email":"cgoncalves@redhat.com","username":"cgoncalves"},"change_message_id":"728d576d1a1275e0d778085e493bdf6278a360ba","unresolved":false,"context_lines":[{"line_number":32,"context_line":"            ca_cert: \"{{ ca_file_data.content | b64decode }}\""},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"      - name: Read CA details"},{"line_number":35,"context_line":"        openssl_certificate_info:"},{"line_number":36,"context_line":"            path: \"{{ octavia_confd_prefix }}/{{ ca_cert_path }}\""},{"line_number":37,"context_line":"        register: ca_cert_info"},{"line_number":38,"context_line":"      - name: Force CA update if validity is only 1 year"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"1f493fa4_1e51c90f","line":35,"range":{"start_line":35,"start_character":8,"end_line":35,"end_character":32},"updated":"2020-04-21 17:20:22.000000000","message":"Ansible \u003e\u003d 2.8, Tech preview","commit_id":"7054796f639470378cfc6c7faf031ee6eee46d0f"}],"tripleo_ansible/roles/octavia_overcloud_config/tasks/certs_gen.yml":[{"author":{"_account_id":6469,"name":"Carlos Gonçalves","display_name":"Carlos Goncalves","email":"cgoncalves@redhat.com","username":"cgoncalves"},"change_message_id":"728d576d1a1275e0d778085e493bdf6278a360ba","unresolved":false,"context_lines":[{"line_number":25,"context_line":"      recurse: true"},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"- name: Generating certificate authority private key"},{"line_number":28,"context_line":"  openssl_privatekey:"},{"line_number":29,"context_line":"      path: \"{{ openssl_temp_dir }}/private/cakey.pem\""},{"line_number":30,"context_line":"      type: RSA"},{"line_number":31,"context_line":"      cipher: 
aes256"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"1f493fa4_5335fff6","line":28,"range":{"start_line":28,"start_character":2,"end_line":28,"end_character":20},"updated":"2020-04-21 17:20:22.000000000","message":"Ansible \u003e\u003d 2.3, tech preview","commit_id":"7054796f639470378cfc6c7faf031ee6eee46d0f"},{"author":{"_account_id":6469,"name":"Carlos Gonçalves","display_name":"Carlos Goncalves","email":"cgoncalves@redhat.com","username":"cgoncalves"},"change_message_id":"728d576d1a1275e0d778085e493bdf6278a360ba","unresolved":false,"context_lines":[{"line_number":28,"context_line":"  openssl_privatekey:"},{"line_number":29,"context_line":"      path: \"{{ openssl_temp_dir }}/private/cakey.pem\""},{"line_number":30,"context_line":"      type: RSA"},{"line_number":31,"context_line":"      cipher: aes256"},{"line_number":32,"context_line":"      passphrase: \"{{ ca_passphrase }}\""},{"line_number":33,"context_line":"      size: 2048"},{"line_number":34,"context_line":"  when:"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"1f493fa4_d3090f32","line":31,"range":{"start_line":31,"start_character":6,"end_line":31,"end_character":12},"updated":"2020-04-21 17:20:22.000000000","message":"Ansible \u003e\u003d 2.4","commit_id":"7054796f639470378cfc6c7faf031ee6eee46d0f"},{"author":{"_account_id":6469,"name":"Carlos Gonçalves","display_name":"Carlos Goncalves","email":"cgoncalves@redhat.com","username":"cgoncalves"},"change_message_id":"728d576d1a1275e0d778085e493bdf6278a360ba","unresolved":false,"context_lines":[{"line_number":29,"context_line":"      path: \"{{ openssl_temp_dir }}/private/cakey.pem\""},{"line_number":30,"context_line":"      type: RSA"},{"line_number":31,"context_line":"      cipher: aes256"},{"line_number":32,"context_line":"      passphrase: \"{{ ca_passphrase }}\""},{"line_number":33,"context_line":"      size: 2048"},{"line_number":34,"context_line":"  when:"},{"line_number":35,"context_line":"      - not (force_certs_update | 
default(false) | bool)"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"1f493fa4_3307931f","line":32,"range":{"start_line":32,"start_character":6,"end_line":32,"end_character":16},"updated":"2020-04-21 17:20:22.000000000","message":"Ansible \u003e\u003d 2.4","commit_id":"7054796f639470378cfc6c7faf031ee6eee46d0f"},{"author":{"_account_id":6469,"name":"Carlos Gonçalves","display_name":"Carlos Goncalves","email":"cgoncalves@redhat.com","username":"cgoncalves"},"change_message_id":"728d576d1a1275e0d778085e493bdf6278a360ba","unresolved":false,"context_lines":[{"line_number":30,"context_line":"      type: RSA"},{"line_number":31,"context_line":"      cipher: aes256"},{"line_number":32,"context_line":"      passphrase: \"{{ ca_passphrase }}\""},{"line_number":33,"context_line":"      size: 2048"},{"line_number":34,"context_line":"  when:"},{"line_number":35,"context_line":"      - not (force_certs_update | default(false) | bool)"},{"line_number":36,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"1f493fa4_edff0732","line":33,"updated":"2020-04-21 17:20:22.000000000","message":"May be safer to set strict permissions with the \"mode\" parameter (0600 / u\u003drw,g\u003d,o\u003d)","commit_id":"7054796f639470378cfc6c7faf031ee6eee46d0f"},{"author":{"_account_id":6469,"name":"Carlos Gonçalves","display_name":"Carlos Goncalves","email":"cgoncalves@redhat.com","username":"cgoncalves"},"change_message_id":"728d576d1a1275e0d778085e493bdf6278a360ba","unresolved":false,"context_lines":[{"line_number":35,"context_line":"      - not (force_certs_update | default(false) | bool)"},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"- name: Reuse previous CA private key"},{"line_number":38,"context_line":"  block:"},{"line_number":39,"context_line":"      - name: Write previous CA private key"},{"line_number":40,"context_line":"        copy:"},{"line_number":41,"context_line":"            content: \"{{ private_key_content 
}}\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"1f493fa4_8eb63ed9","line":38,"updated":"2020-04-21 17:20:22.000000000","message":"nit: block has only one task. do we need the block?","commit_id":"7054796f639470378cfc6c7faf031ee6eee46d0f"},{"author":{"_account_id":6469,"name":"Carlos Gonçalves","display_name":"Carlos Goncalves","email":"cgoncalves@redhat.com","username":"cgoncalves"},"change_message_id":"728d576d1a1275e0d778085e493bdf6278a360ba","unresolved":false,"context_lines":[{"line_number":39,"context_line":"      - name: Write previous CA private key"},{"line_number":40,"context_line":"        copy:"},{"line_number":41,"context_line":"            content: \"{{ private_key_content }}\""},{"line_number":42,"context_line":"            dest: \"{{ openssl_temp_dir }}/private/cakey.pem\""},{"line_number":43,"context_line":"        no_log: true"},{"line_number":44,"context_line":"  when:"},{"line_number":45,"context_line":"      - force_certs_update | default(false) | bool"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"1f493fa4_2dfa8f41","line":42,"updated":"2020-04-21 17:20:22.000000000","message":"May be safer to set strict permissions with the \"mode\" parameter (0600 / u\u003drw,g\u003d,o\u003d)","commit_id":"7054796f639470378cfc6c7faf031ee6eee46d0f"},{"author":{"_account_id":6469,"name":"Carlos Gonçalves","display_name":"Carlos Goncalves","email":"cgoncalves@redhat.com","username":"cgoncalves"},"change_message_id":"728d576d1a1275e0d778085e493bdf6278a360ba","unresolved":false,"context_lines":[{"line_number":50,"context_line":"      - name: Write previous CA private key"},{"line_number":51,"context_line":"        copy:"},{"line_number":52,"context_line":"            content: \"{{ private_key_content }}\""},{"line_number":53,"context_line":"            dest: \"{{ openssl_temp_dir }}/private/cakey.old.pem\""},{"line_number":54,"context_line":"        no_log: true"},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"   
   # TODO(gthiemon): ansible 2.10 will provide support in the"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"1f493fa4_ada33f4f","line":53,"updated":"2020-04-21 17:20:22.000000000","message":"May be safer to set strict permissions with the \"mode\" parameter (0600 / u\u003drw,g\u003d,o\u003d)","commit_id":"7054796f639470378cfc6c7faf031ee6eee46d0f"},{"author":{"_account_id":6469,"name":"Carlos Gonçalves","display_name":"Carlos Goncalves","email":"cgoncalves@redhat.com","username":"cgoncalves"},"change_message_id":"728d576d1a1275e0d778085e493bdf6278a360ba","unresolved":false,"context_lines":[{"line_number":57,"context_line":"      # openssl_privatekey module to convert an existing key"},{"line_number":58,"context_line":"      - name: Update CA private key"},{"line_number":59,"context_line":"        shell: |"},{"line_number":60,"context_line":"            openssl rsa -aes256 \\"},{"line_number":61,"context_line":"                --passin pass:{{ ca_passphrase }} \\"},{"line_number":62,"context_line":"                --passout pass:{{ ca_passphrase }} \\"},{"line_number":63,"context_line":"                -in {{ openssl_temp_dir }}/private/cakey.old.pem \\"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"1f493fa4_27e3c835","line":60,"updated":"2020-04-21 17:20:22.000000000","message":"Nice, works well.\n\n\n$ openssl pkey -in private/ca.key.pem.old -pubout -outform pem | sha256sum\nEnter pass phrase for private/ca.key.pem.old:\nbabb7a399dacca5e60515d024e5c38767a397272f8fe78eba89ee31cf391ddc8  -\n\n$ openssl rsa -aes256 --passin pass:foobar --passout pass:foobar -in private/ca.key.pem.old -out private/cakey.pem\nwriting RSA key\n\n$ openssl x509 -in ca.cert.pem -pubkey -noout -outform pem | sha256sum\nbabb7a399dacca5e60515d024e5c38767a397272f8fe78eba89ee31cf391ddc8  -\n\n$ openssl pkey -in private/cakey.pem -pubout -outform pem | sha256sum\nEnter pass phrase for private/cakey.pem:\nbabb7a399dacca5e60515d024e5c38767a397272f8fe78eba89ee31cf391ddc8  
-","commit_id":"7054796f639470378cfc6c7faf031ee6eee46d0f"},{"author":{"_account_id":6469,"name":"Carlos Gonçalves","display_name":"Carlos Goncalves","email":"cgoncalves@redhat.com","username":"cgoncalves"},"change_message_id":"728d576d1a1275e0d778085e493bdf6278a360ba","unresolved":false,"context_lines":[{"line_number":61,"context_line":"                --passin pass:{{ ca_passphrase }} \\"},{"line_number":62,"context_line":"                --passout pass:{{ ca_passphrase }} \\"},{"line_number":63,"context_line":"                -in {{ openssl_temp_dir }}/private/cakey.old.pem \\"},{"line_number":64,"context_line":"                -out {{ openssl_temp_dir }}/private/cakey.pem"},{"line_number":65,"context_line":"  when:"},{"line_number":66,"context_line":"      - force_certs_update | default(false) | bool"},{"line_number":67,"context_line":"      - force_private_key_update | default(false) | bool"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"1f493fa4_ed8427b4","line":64,"updated":"2020-04-21 17:20:22.000000000","message":"May be safer to set strict permissions (0600 / u\u003drw,g\u003d,o\u003d)","commit_id":"7054796f639470378cfc6c7faf031ee6eee46d0f"},{"author":{"_account_id":7353,"name":"Kevin Carter","email":"kevin@cloudnull.com","username":"cloudnull"},"change_message_id":"4aa1e490b596aa01ee67fc74b60dfaca69b6a455","unresolved":false,"context_lines":[{"line_number":60,"context_line":""},{"line_number":61,"context_line":"    - name: Update CA private key"},{"line_number":62,"context_line":"      shell: |"},{"line_number":63,"context_line":"        openssl rsa -aes256 \\"},{"line_number":64,"context_line":"            -passin pass:{{ ca_passphrase }} \\"},{"line_number":65,"context_line":"            -passout pass:{{ ca_passphrase }} \\"},{"line_number":66,"context_line":"            -in {{ openssl_temp_dir }}/private/cakey.old.pem \\"},{"line_number":67,"context_line":"            -out {{ openssl_temp_dir 
}}/private/cakey.pem"},{"line_number":68,"context_line":"  when:"},{"line_number":69,"context_line":"    - force_certs_update | default(false) | bool"},{"line_number":70,"context_line":"    - force_private_key_update | default(false) | bool"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"ff570b3c_092bb994","line":67,"range":{"start_line":63,"start_character":0,"end_line":67,"end_character":57},"updated":"2020-06-01 23:47:20.000000000","message":"any reason not to use the ansible ssl modules? https://docs.ansible.com/ansible/latest/modules/openssl_certificate_module.html","commit_id":"8b10cc60dd4354dfaca74a49f07fd192254c6c15"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"e4b5c70d67de35d04398d274b994bc77bff45614","unresolved":false,"context_lines":[{"line_number":60,"context_line":""},{"line_number":61,"context_line":"    - name: Update CA private key"},{"line_number":62,"context_line":"      shell: |"},{"line_number":63,"context_line":"        openssl rsa -aes256 \\"},{"line_number":64,"context_line":"            -passin pass:{{ ca_passphrase }} \\"},{"line_number":65,"context_line":"            -passout pass:{{ ca_passphrase }} \\"},{"line_number":66,"context_line":"            -in {{ openssl_temp_dir }}/private/cakey.old.pem \\"},{"line_number":67,"context_line":"            -out {{ openssl_temp_dir }}/private/cakey.pem"},{"line_number":68,"context_line":"  when:"},{"line_number":69,"context_line":"    - force_certs_update | default(false) | bool"},{"line_number":70,"context_line":"    - force_private_key_update | default(false) | bool"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"ff570b3c_1a193979","line":67,"range":{"start_line":63,"start_character":0,"end_line":67,"end_character":57},"in_reply_to":"ff570b3c_092bb994","updated":"2020-06-02 07:10:52.000000000","message":"My first patchsets were using ansible ssl modules. 
I\u0027ve reverted back to shell modules.\n2 reasons for that:\n- we want to backport that stuff down to queens, and some ansible SSL modules (openssl_certificate_info) are not supported in previous ansible releases. So I tried to write tasks that could be run in any tripleo/ansible release.\n- some tasks are not feasible in ansible: for instance, the task you highlight there updates the cipher of a private key (it means that the \"new\" private key is still valid for previously generated certificates), the ansible SSL module only supports creating new private keys.","commit_id":"8b10cc60dd4354dfaca74a49f07fd192254c6c15"},{"author":{"_account_id":14985,"name":"Alex Schultz","email":"aschultz@next-development.com","username":"mwhahaha"},"change_message_id":"edc9ea9f4ff912e8bdaff26d3898fd15609d0edf","unresolved":false,"context_lines":[{"line_number":61,"context_line":"    - name: Update CA private key"},{"line_number":62,"context_line":"      shell: |"},{"line_number":63,"context_line":"        openssl rsa -aes256 \\"},{"line_number":64,"context_line":"            -passin pass:{{ ca_passphrase }} \\"},{"line_number":65,"context_line":"            -passout pass:{{ ca_passphrase }} \\"},{"line_number":66,"context_line":"            -in {{ openssl_temp_dir }}/private/cakey.old.pem \\"},{"line_number":67,"context_line":"            -out {{ openssl_temp_dir }}/private/cakey.pem"},{"line_number":68,"context_line":"  when:"}],"source_content_type":"text/x-yaml","patch_set":7,"id":"bf51134e_9e0776ca","line":65,"range":{"start_line":64,"start_character":0,"end_line":65,"end_character":47},"updated":"2020-07-20 19:11:31.000000000","message":"can we not put the password in the clear?  
Can we use an environment var instead at least?","commit_id":"0f168dc9ca5b01fe616f196c2f49001d7882a2c8"},{"author":{"_account_id":6469,"name":"Carlos Gonçalves","display_name":"Carlos Goncalves","email":"cgoncalves@redhat.com","username":"cgoncalves"},"change_message_id":"bcc8981b209d4d9bdd08e09ff00d131b0d8c31a0","unresolved":false,"context_lines":[{"line_number":61,"context_line":"    - name: Update CA private key"},{"line_number":62,"context_line":"      shell: |"},{"line_number":63,"context_line":"        openssl rsa -aes256 \\"},{"line_number":64,"context_line":"            -passin pass:{{ ca_passphrase }} \\"},{"line_number":65,"context_line":"            -passout pass:{{ ca_passphrase }} \\"},{"line_number":66,"context_line":"            -in {{ openssl_temp_dir }}/private/cakey.old.pem \\"},{"line_number":67,"context_line":"            -out {{ openssl_temp_dir }}/private/cakey.pem"},{"line_number":68,"context_line":"  when:"}],"source_content_type":"text/x-yaml","patch_set":7,"id":"bf51134e_8244021b","line":65,"range":{"start_line":64,"start_character":0,"end_line":65,"end_character":47},"in_reply_to":"bf51134e_9e0776ca","updated":"2020-07-23 07:19:38.000000000","message":"That\u0027s how it has been done since the very beginning but I understand your point. IMO it could be done as a follow-up patch not to block an actual urgent fix on review for months.","commit_id":"0f168dc9ca5b01fe616f196c2f49001d7882a2c8"}]}
