)]}'
{"deploy-guide/source/features/index.rst":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"fa5121b2e8a48e8ed05d680e41728c80c10285a5","unresolved":false,"context_lines":[{"line_number":39,"context_line":"   server_blacklist"},{"line_number":40,"context_line":"   security_hardening"},{"line_number":41,"context_line":"   split_stack"},{"line_number":42,"context_line":"   tls"},{"line_number":43,"context_line":"   ssl"},{"line_number":44,"context_line":"   tuned"},{"line_number":45,"context_line":"   undercloud_minion"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f493fa4_d350d80d","line":42,"updated":"2020-05-05 02:14:38.000000000","message":"I\u0027m putting this in its own section so that we can build out the content for how tls works, without having a massive patch that updates the existing doc.\n\nI\u0027m attempting to pull all the relevant bits from the ssl doc and incorporating them into tls. 
A subsequent patch will remove the ssl document.","commit_id":"7bc14d787ce2fab1cd7f2876ae568d997e791c17"}],"deploy-guide/source/features/tls-introduction.rst":[{"author":{"_account_id":10873,"name":"Juan Antonio Osorio Robles","email":"jaosorior@redhat.com","username":"ejuaoso"},"change_message_id":"e38099b3780e5724080bd094b8c91f846e1f5196","unresolved":false,"context_lines":[{"line_number":24,"context_line":"certificates scales linearly with the number of nodes in your deployment."},{"line_number":25,"context_line":"TripleO uses several systems to help ease the burden of managing certificates."},{"line_number":26,"context_line":"We describe those systems below and the role they play in deployments using TLS"},{"line_number":27,"context_line":"everywhere."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Certmonger"},{"line_number":30,"context_line":"----------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_edf51284","line":27,"updated":"2019-10-31 14:37:28.000000000","message":"It might be relevant to mention use-cases where TLS everywhere is needed. Such as high-security environments, or for deployments that need to meet government regulations (e.g. 
healthcare, telcos, public sector).","commit_id":"4db51806b86db44f2a5590c3655f8c99a0c42596"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"72cbb8a0f93492399a730e6e49184932a588cfc9","unresolved":false,"context_lines":[{"line_number":24,"context_line":"certificates scales linearly with the number of nodes in your deployment."},{"line_number":25,"context_line":"TripleO uses several systems to help ease the burden of managing certificates."},{"line_number":26,"context_line":"We describe those systems below and the role they play in deployments using TLS"},{"line_number":27,"context_line":"everywhere."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Certmonger"},{"line_number":30,"context_line":"----------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f493fa4_f326b4ba","line":27,"in_reply_to":"3fa7e38b_edf51284","updated":"2020-05-05 02:12:25.000000000","message":"Done","commit_id":"4db51806b86db44f2a5590c3655f8c99a0c42596"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"af6d0eff234343086324e6728c6f9cce38bd4ef2","unresolved":false,"context_lines":[{"line_number":10,"context_line":"various TLS deployment options. Let\u0027s start by understanding the different ways"},{"line_number":11,"context_line":"we can deploy TLS."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"The first option is only to encrypt traffic between clients and public"},{"line_number":14,"context_line":"endpoints. This approach results in fewer certificates to manage, and we refer"},{"line_number":15,"context_line":"to it as *public TLS*. Public endpoints, in this sense, are endpoints only"},{"line_number":16,"context_line":"exposed to end-users. 
Conversely, traffic between internal endpoints is not"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1f493fa4_71e9f27e","line":13,"range":{"start_line":13,"start_character":17,"end_line":13,"end_character":35},"updated":"2020-05-05 14:27:23.000000000","message":"nit: is to only*","commit_id":"548df1a276950093f69874c0315fad9b36055645"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"41bd1fa014a4f00b38ff6c12987b66a512e58079","unresolved":false,"context_lines":[{"line_number":10,"context_line":"various TLS deployment options. Let\u0027s start by understanding the different ways"},{"line_number":11,"context_line":"we can deploy TLS."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"The first option is only to encrypt traffic between clients and public"},{"line_number":14,"context_line":"endpoints. This approach results in fewer certificates to manage, and we refer"},{"line_number":15,"context_line":"to it as *public TLS*. Public endpoints, in this sense, are endpoints only"},{"line_number":16,"context_line":"exposed to end-users. 
Conversely, traffic between internal endpoints is not"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1f493fa4_b09a4b6b","line":13,"range":{"start_line":13,"start_character":17,"end_line":13,"end_character":35},"in_reply_to":"1f493fa4_71e9f27e","updated":"2020-05-05 21:09:34.000000000","message":"Done","commit_id":"548df1a276950093f69874c0315fad9b36055645"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"37b4eba02caf86e10c112b811aae65e5f02a5b16","unresolved":false,"context_lines":[{"line_number":25,"context_line":"TripleO uses several systems to help ease the burden of managing certificates."},{"line_number":26,"context_line":"We describe those systems below and the role they play in deployments using TLS"},{"line_number":27,"context_line":"everywhere. This option is desirable for deployments susceptible to industry"},{"line_number":28,"context_line":"regulation or have a higher security risk (e.g., healthcare,"},{"line_number":29,"context_line":"telecommunications, public sector, etc)."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"Certmonger"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1f493fa4_7421e09f","line":28,"range":{"start_line":28,"start_character":11,"end_line":28,"end_character":18},"updated":"2020-05-05 14:35:11.000000000","message":"I would rephrase that, maybe to\n\"or for those that have\"","commit_id":"548df1a276950093f69874c0315fad9b36055645"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"41bd1fa014a4f00b38ff6c12987b66a512e58079","unresolved":false,"context_lines":[{"line_number":25,"context_line":"TripleO uses several systems to help ease the burden of managing certificates."},{"line_number":26,"context_line":"We describe those systems below and the role they play in deployments using TLS"},{"line_number":27,"context_line":"everywhere. 
This option is desirable for deployments susceptible to industry"},{"line_number":28,"context_line":"regulation or have a higher security risk (e.g., healthcare,"},{"line_number":29,"context_line":"telecommunications, public sector, etc)."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"Certmonger"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1f493fa4_108e9f26","line":28,"range":{"start_line":28,"start_character":11,"end_line":28,"end_character":18},"in_reply_to":"1f493fa4_7421e09f","updated":"2020-05-05 21:09:34.000000000","message":"Done","commit_id":"548df1a276950093f69874c0315fad9b36055645"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"af6d0eff234343086324e6728c6f9cce38bd4ef2","unresolved":false,"context_lines":[{"line_number":16,"context_line":"exposed to end-users. Conversely, traffic between internal endpoints is not"},{"line_number":17,"context_line":"encrypted with TLS."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"The second option is to leverage TLS for all endpoints in the entire"},{"line_number":20,"context_line":"deployment, including the overcloud, undercloud, and any systems that natively"},{"line_number":21,"context_line":"support TLS. We typically refer to this approach as *TLS-everywhere* because we"},{"line_number":22,"context_line":"use TLS everywhere we can, encrypting as much network traffic as possible."},{"line_number":23,"context_line":"Certificate management is critical with this approach because the number of"},{"line_number":24,"context_line":"certificates scales linearly with the number of services in your deployment."},{"line_number":25,"context_line":"TripleO uses several systems to help ease the burden of managing certificates."},{"line_number":26,"context_line":"We describe those systems below and the role they play in deployments using TLS"},{"line_number":27,"context_line":"everywhere. 
This option is desirable for deployments susceptible to industry"},{"line_number":28,"context_line":"regulation or have a higher security risk (e.g., healthcare,"},{"line_number":29,"context_line":"telecommunications, public sector, etc)."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"Certmonger"},{"line_number":32,"context_line":"----------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1f493fa4_74a44009","line":29,"range":{"start_line":19,"start_character":0,"end_line":29,"end_character":40},"updated":"2020-05-05 14:27:23.000000000","message":"Replace with so the last part of the paragraph reads better.\n\nThe second option is to leverage TLS for all endpoints in the entire deployment, including the overcloud, undercloud, and any systems that natively support TLS. We typically refer to this approach as TLS-everywhere because we use TLS everywhere we can, encrypting as much network traffic as possible. Certificate management is critical with this approach because the number of certificates scales linearly with the number of services in your deployment. TripleO uses several systems to help ease the burden of managing certificates. We describe those systems below and the role they play in deployments using TLS everywhere. This option is desirable for deployments susceptible to industry regulation. Healthcare, telecommunications, and the public sector are but a few industries that make extensive use of TLS-everywhere.","commit_id":"548df1a276950093f69874c0315fad9b36055645"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"41bd1fa014a4f00b38ff6c12987b66a512e58079","unresolved":false,"context_lines":[{"line_number":16,"context_line":"exposed to end-users. 
Conversely, traffic between internal endpoints is not"},{"line_number":17,"context_line":"encrypted with TLS."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"The second option is to leverage TLS for all endpoints in the entire"},{"line_number":20,"context_line":"deployment, including the overcloud, undercloud, and any systems that natively"},{"line_number":21,"context_line":"support TLS. We typically refer to this approach as *TLS-everywhere* because we"},{"line_number":22,"context_line":"use TLS everywhere we can, encrypting as much network traffic as possible."},{"line_number":23,"context_line":"Certificate management is critical with this approach because the number of"},{"line_number":24,"context_line":"certificates scales linearly with the number of services in your deployment."},{"line_number":25,"context_line":"TripleO uses several systems to help ease the burden of managing certificates."},{"line_number":26,"context_line":"We describe those systems below and the role they play in deployments using TLS"},{"line_number":27,"context_line":"everywhere. 
This option is desirable for deployments susceptible to industry"},{"line_number":28,"context_line":"regulation or have a higher security risk (e.g., healthcare,"},{"line_number":29,"context_line":"telecommunications, public sector, etc)."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"Certmonger"},{"line_number":32,"context_line":"----------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1f493fa4_f092134b","line":29,"range":{"start_line":19,"start_character":0,"end_line":29,"end_character":40},"in_reply_to":"1f493fa4_74a44009","updated":"2020-05-05 21:09:34.000000000","message":"Done","commit_id":"548df1a276950093f69874c0315fad9b36055645"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"37b4eba02caf86e10c112b811aae65e5f02a5b16","unresolved":false,"context_lines":[{"line_number":36,"context_line":"pairs and certificate signing requests (CSRs). It can self-sign CSRs it"},{"line_number":37,"context_line":"generates or send CSRs to external CAs for them to sign. Certmonger also tracks"},{"line_number":38,"context_line":"the expiration of each certificate it manages. When a certificate is about to"},{"line_number":39,"context_line":"expire, Certmonger requests a new certificate and updates it accordingly. 
This"},{"line_number":40,"context_line":"automation keeps the node enrolled as a client of the certificate authority so"},{"line_number":41,"context_line":"that you don\u0027t have to update hundreds, or thousands, or certificates manually."},{"line_number":42,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"1f493fa4_14d69c50","line":39,"updated":"2020-05-05 14:35:11.000000000","message":"Maybe also mention that it reloads or restarts the services, it might be important, since some might be surprised by this.","commit_id":"548df1a276950093f69874c0315fad9b36055645"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9ada6bd0173a0e60026be11f5f4993ddf5bcab2a","unresolved":false,"context_lines":[{"line_number":36,"context_line":"pairs and certificate signing requests (CSRs). It can self-sign CSRs it"},{"line_number":37,"context_line":"generates or send CSRs to external CAs for them to sign. Certmonger also tracks"},{"line_number":38,"context_line":"the expiration of each certificate it manages. When a certificate is about to"},{"line_number":39,"context_line":"expire, Certmonger requests a new certificate and updates it accordingly. 
This"},{"line_number":40,"context_line":"automation keeps the node enrolled as a client of the certificate authority so"},{"line_number":41,"context_line":"that you don\u0027t have to update hundreds, or thousands, or certificates manually."},{"line_number":42,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"1f493fa4_d731d6ee","line":39,"in_reply_to":"1f493fa4_14d69c50","updated":"2020-05-05 14:42:08.000000000","message":"It reloads and restart openstack services?","commit_id":"548df1a276950093f69874c0315fad9b36055645"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"41bd1fa014a4f00b38ff6c12987b66a512e58079","unresolved":false,"context_lines":[{"line_number":36,"context_line":"pairs and certificate signing requests (CSRs). It can self-sign CSRs it"},{"line_number":37,"context_line":"generates or send CSRs to external CAs for them to sign. Certmonger also tracks"},{"line_number":38,"context_line":"the expiration of each certificate it manages. When a certificate is about to"},{"line_number":39,"context_line":"expire, Certmonger requests a new certificate and updates it accordingly. This"},{"line_number":40,"context_line":"automation keeps the node enrolled as a client of the certificate authority so"},{"line_number":41,"context_line":"that you don\u0027t have to update hundreds, or thousands, or certificates manually."},{"line_number":42,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"1f493fa4_f0e053cf","line":39,"in_reply_to":"1f493fa4_5a5e8be6","updated":"2020-05-05 21:09:34.000000000","message":"Done","commit_id":"548df1a276950093f69874c0315fad9b36055645"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"b7a0d6775e8410fb8bafd0652802a96e5f562afb","unresolved":false,"context_lines":[{"line_number":36,"context_line":"pairs and certificate signing requests (CSRs). 
It can self-sign CSRs it"},{"line_number":37,"context_line":"generates or send CSRs to external CAs for them to sign. Certmonger also tracks"},{"line_number":38,"context_line":"the expiration of each certificate it manages. When a certificate is about to"},{"line_number":39,"context_line":"expire, Certmonger requests a new certificate and updates it accordingly. This"},{"line_number":40,"context_line":"automation keeps the node enrolled as a client of the certificate authority so"},{"line_number":41,"context_line":"that you don\u0027t have to update hundreds, or thousands, or certificates manually."},{"line_number":42,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"1f493fa4_5a5e8be6","line":39,"in_reply_to":"1f493fa4_d731d6ee","updated":"2020-05-05 15:07:24.000000000","message":"Yes, most services specify a postsave_cmd which is passed to puppet-certmonger to configure the certmonger service.\n\nSome example refresh scripts are here:\nhttps://github.com/openstack/puppet-tripleo/tree/master/files\n\n(the ones which end with *refresh.sh)\n\nSome other services specify a command directly (without a shell script).","commit_id":"548df1a276950093f69874c0315fad9b36055645"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"af6d0eff234343086324e6728c6f9cce38bd4ef2","unresolved":false,"context_lines":[{"line_number":60,"context_line":""},{"line_number":61,"context_line":"Installing FreeIPA"},{"line_number":62,"context_line":"~~~~~~~~~~~~~~~~~~"},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"Similar to setting up the undercloud node, you need to set the hostname"},{"line_number":65,"context_line":"properly for the FreeIPA server. 
For this example, let\u0027s assume we\u0027re using"},{"line_number":66,"context_line":"``example.com`` as the domain name for the deployment.::"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1f493fa4_343638b6","line":63,"updated":"2020-05-05 14:27:23.000000000","message":"This section should probably include a disclaimer of some sort since it\u0027s up to deployers to setup their freeipa server appropriately.\n\nI only included this for example purposes since it\u0027s important to configure DNS properly for TLS-e to work.","commit_id":"548df1a276950093f69874c0315fad9b36055645"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"41bd1fa014a4f00b38ff6c12987b66a512e58079","unresolved":false,"context_lines":[{"line_number":60,"context_line":""},{"line_number":61,"context_line":"Installing FreeIPA"},{"line_number":62,"context_line":"~~~~~~~~~~~~~~~~~~"},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"Similar to setting up the undercloud node, you need to set the hostname"},{"line_number":65,"context_line":"properly for the FreeIPA server. 
For this example, let\u0027s assume we\u0027re using"},{"line_number":66,"context_line":"``example.com`` as the domain name for the deployment.::"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1f493fa4_d04717bc","line":63,"in_reply_to":"1f493fa4_343638b6","updated":"2020-05-05 21:09:34.000000000","message":"Done","commit_id":"548df1a276950093f69874c0315fad9b36055645"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"37b4eba02caf86e10c112b811aae65e5f02a5b16","unresolved":false,"context_lines":[{"line_number":67,"context_line":""},{"line_number":68,"context_line":"    sudo hostnamectl set-hostname ipa.example.come"},{"line_number":69,"context_line":"    sudo hostnamectl set-hostname --transient ipa.example.com"},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"Collect and install the FreeIPA packages::"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"    sudo yum install -y ipa-server ipa-server-dns"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1f493fa4_340478c6","line":70,"updated":"2020-05-05 14:35:11.000000000","message":"I think you also need to modify /etc/hosts","commit_id":"548df1a276950093f69874c0315fad9b36055645"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"37b4eba02caf86e10c112b811aae65e5f02a5b16","unresolved":false,"context_lines":[{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Please refer to ``ipa-server-install --help`` for specifics on each argument."},{"line_number":87,"context_line":""},{"line_number":88,"context_line":"Novajoin"},{"line_number":89,"context_line":"--------"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"`Novajoin`_ is a vendor data service that extends nova\u0027s config 
drive"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1f493fa4_7483a005","line":88,"updated":"2020-05-05 14:35:11.000000000","message":"Shouldn\u0027t we skip on novajoin entirely?\nEven if we will still support novajoin for a certain amount of time, we might refer people to the old documentation.","commit_id":"548df1a276950093f69874c0315fad9b36055645"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9ada6bd0173a0e60026be11f5f4993ddf5bcab2a","unresolved":false,"context_lines":[{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Please refer to ``ipa-server-install --help`` for specifics on each argument."},{"line_number":87,"context_line":""},{"line_number":88,"context_line":"Novajoin"},{"line_number":89,"context_line":"--------"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"`Novajoin`_ is a vendor data service that extends nova\u0027s config drive"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1f493fa4_776f22c5","line":88,"in_reply_to":"1f493fa4_7483a005","updated":"2020-05-05 14:42:08.000000000","message":"That\u0027s fair. 
So we should assume readers are using train or newer, right?","commit_id":"548df1a276950093f69874c0315fad9b36055645"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"b7a0d6775e8410fb8bafd0652802a96e5f562afb","unresolved":false,"context_lines":[{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Please refer to ``ipa-server-install --help`` for specifics on each argument."},{"line_number":87,"context_line":""},{"line_number":88,"context_line":"Novajoin"},{"line_number":89,"context_line":"--------"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"`Novajoin`_ is a vendor data service that extends nova\u0027s config drive"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1f493fa4_dafe1bad","line":88,"in_reply_to":"1f493fa4_776f22c5","updated":"2020-05-05 15:07:24.000000000","message":"Right, that\u0027s my thinking.","commit_id":"548df1a276950093f69874c0315fad9b36055645"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"41bd1fa014a4f00b38ff6c12987b66a512e58079","unresolved":false,"context_lines":[{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Please refer to ``ipa-server-install --help`` for specifics on each argument."},{"line_number":87,"context_line":""},{"line_number":88,"context_line":"Novajoin"},{"line_number":89,"context_line":"--------"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"`Novajoin`_ is a vendor data service that extends nova\u0027s config drive"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1f493fa4_90262f16","line":88,"in_reply_to":"1f493fa4_dafe1bad","updated":"2020-05-05 21:09:34.000000000","message":"Done","commit_id":"548df1a276950093f69874c0315fad9b36055645"},{"author":{"_account_id":9914,"name":"Ade 
Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"e3abaceaac461cbb471581401210249c71bd87ce","unresolved":false,"context_lines":[{"line_number":22,"context_line":"use TLS everywhere we can, encrypting as much network traffic as possible."},{"line_number":23,"context_line":"Certificate management is critical with this approach because the number of"},{"line_number":24,"context_line":"certificates scales linearly with the number of services in your deployment."},{"line_number":25,"context_line":"TripleO uses several systems to help ease the burden of managing certificates."},{"line_number":26,"context_line":"We describe those systems below and the role they play in deployments using TLS"},{"line_number":27,"context_line":"everywhere. This option is desirable for deployments susceptible to industry"},{"line_number":28,"context_line":"regulation or those who have a higher security risk. Healthcare,"}],"source_content_type":"text/x-rst","patch_set":4,"id":"1f493fa4_c8dc8348","line":25,"range":{"start_line":25,"start_character":21,"end_line":25,"end_character":28},"updated":"2020-05-06 14:31:35.000000000","message":"components?","commit_id":"4395062fea4b83b37bfda54cf80343d7e6bf2f0f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"743d13032275f0377f7f1b2a56431a3565e9b453","unresolved":false,"context_lines":[{"line_number":22,"context_line":"use TLS everywhere we can, encrypting as much network traffic as possible."},{"line_number":23,"context_line":"Certificate management is critical with this approach because the number of"},{"line_number":24,"context_line":"certificates scales linearly with the number of services in your deployment."},{"line_number":25,"context_line":"TripleO uses several systems to help ease the burden of managing certificates."},{"line_number":26,"context_line":"We describe those systems below and the role they play in deployments using 
TLS"},{"line_number":27,"context_line":"everywhere. This option is desirable for deployments susceptible to industry"},{"line_number":28,"context_line":"regulation or those who have a higher security risk. Healthcare,"}],"source_content_type":"text/x-rst","patch_set":4,"id":"1f493fa4_b5dfcb38","line":25,"range":{"start_line":25,"start_character":21,"end_line":25,"end_character":28},"in_reply_to":"1f493fa4_c8dc8348","updated":"2020-05-06 17:08:57.000000000","message":"Done","commit_id":"4395062fea4b83b37bfda54cf80343d7e6bf2f0f"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"e3abaceaac461cbb471581401210249c71bd87ce","unresolved":false,"context_lines":[{"line_number":40,"context_line":"requests a new certificate, updates it accordingly, and may restart a service."},{"line_number":41,"context_line":"This automation keeps the node enrolled as a client of the certificate"},{"line_number":42,"context_line":"authority so that you don’t have to update hundreds, or thousands, of"},{"line_number":43,"context_line":"certificates manually. Certmonger runs on each endpoint using TLS in your"},{"line_number":44,"context_line":"deployment."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":".. _Certmonger: https://pagure.io/certmonger"},{"line_number":47,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"1f493fa4_c8276364","line":44,"range":{"start_line":43,"start_character":23,"end_line":44,"end_character":11},"updated":"2020-05-06 14:31:35.000000000","message":"Not sure what this means exactly.  
I think what you are trying to say is that certmonger runs on the all the nodes (controllers, computes) that provide endpoints in your deployment.","commit_id":"4395062fea4b83b37bfda54cf80343d7e6bf2f0f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"743d13032275f0377f7f1b2a56431a3565e9b453","unresolved":false,"context_lines":[{"line_number":40,"context_line":"requests a new certificate, updates it accordingly, and may restart a service."},{"line_number":41,"context_line":"This automation keeps the node enrolled as a client of the certificate"},{"line_number":42,"context_line":"authority so that you don’t have to update hundreds, or thousands, of"},{"line_number":43,"context_line":"certificates manually. Certmonger runs on each endpoint using TLS in your"},{"line_number":44,"context_line":"deployment."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":".. _Certmonger: https://pagure.io/certmonger"},{"line_number":47,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"1f493fa4_15e67f17","line":44,"range":{"start_line":43,"start_character":23,"end_line":44,"end_character":11},"in_reply_to":"1f493fa4_c8276364","updated":"2020-05-06 17:08:57.000000000","message":"Done","commit_id":"4395062fea4b83b37bfda54cf80343d7e6bf2f0f"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"e3abaceaac461cbb471581401210249c71bd87ce","unresolved":false,"context_lines":[{"line_number":93,"context_line":""},{"line_number":94,"context_line":"`tripleo-ipa`_ is a collection of Ansible roles used to integrate FreeIPA into"},{"line_number":95,"context_line":"TripleO deployments. These playbooks are supported in Train and effectively"},{"line_number":96,"context_line":"replace the novajoin metadata service described above."},{"line_number":97,"context_line":""},{"line_number":98,"context_line":".. 
_tripleo-ipa: https://opendev.org/x/tripleo-ipa"}],"source_content_type":"text/x-rst","patch_set":4,"id":"1f493fa4_08d02bf7","line":96,"range":{"start_line":96,"start_character":38,"end_line":96,"end_character":53},"updated":"2020-05-06 14:31:35.000000000","message":"There is no description of the novajoin metadata service here.\nMaybe its coming later?","commit_id":"4395062fea4b83b37bfda54cf80343d7e6bf2f0f"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"7194611244a30c97d1867086c849a6df0afbbd36","unresolved":false,"context_lines":[{"line_number":93,"context_line":""},{"line_number":94,"context_line":"`tripleo-ipa`_ is a collection of Ansible roles used to integrate FreeIPA into"},{"line_number":95,"context_line":"TripleO deployments. These playbooks are supported in Train and effectively"},{"line_number":96,"context_line":"replace the novajoin metadata service described above."},{"line_number":97,"context_line":""},{"line_number":98,"context_line":".. _tripleo-ipa: https://opendev.org/x/tripleo-ipa"}],"source_content_type":"text/x-rst","patch_set":4,"id":"1f493fa4_fc3ae0c1","line":96,"range":{"start_line":96,"start_character":38,"end_line":96,"end_character":53},"in_reply_to":"1f493fa4_08d02bf7","updated":"2020-05-06 14:46:42.000000000","message":"More specifically, we need some historical context here.  What is probably missing is a section describing Novajoin and the context that it is the method used for \u003c Train and that is still available for OVB deployments in Train.  We should mention also the limitation that it did not support pre-provisioned nodes.\n\nThen, in this section, we should mention that it is supported in train, but needs to be enabled explicitly as it is not the default.  
We should mention that it supports preprovisioned nodes, and also that it will be the only supported method from Ussuri onwards.","commit_id":"4395062fea4b83b37bfda54cf80343d7e6bf2f0f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"743d13032275f0377f7f1b2a56431a3565e9b453","unresolved":false,"context_lines":[{"line_number":93,"context_line":""},{"line_number":94,"context_line":"`tripleo-ipa`_ is a collection of Ansible roles used to integrate FreeIPA into"},{"line_number":95,"context_line":"TripleO deployments. These playbooks are supported in Train and effectively"},{"line_number":96,"context_line":"replace the novajoin metadata service described above."},{"line_number":97,"context_line":""},{"line_number":98,"context_line":".. _tripleo-ipa: https://opendev.org/x/tripleo-ipa"}],"source_content_type":"text/x-rst","patch_set":4,"id":"1f493fa4_f538333c","line":96,"range":{"start_line":96,"start_character":38,"end_line":96,"end_character":53},"in_reply_to":"1f493fa4_fc3ae0c1","updated":"2020-05-06 17:08:57.000000000","message":"Done","commit_id":"4395062fea4b83b37bfda54cf80343d7e6bf2f0f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2bdd92db2043db3a84496634343d9de18ca757d5","unresolved":false,"context_lines":[{"line_number":93,"context_line":""},{"line_number":94,"context_line":"`tripleo-ipa`_ is a collection of Ansible roles used to integrate FreeIPA into"},{"line_number":95,"context_line":"TripleO deployments. These playbooks are supported in Train and effectively"},{"line_number":96,"context_line":"replace the novajoin metadata service described above."},{"line_number":97,"context_line":""},{"line_number":98,"context_line":".. 
_tripleo-ipa: https://opendev.org/x/tripleo-ipa"}],"source_content_type":"text/x-rst","patch_set":4,"id":"1f493fa4_7cbed0d4","line":96,"range":{"start_line":96,"start_character":38,"end_line":96,"end_character":53},"in_reply_to":"1f493fa4_fc3ae0c1","updated":"2020-05-06 14:57:40.000000000","message":"I removed this based on Greg\u0027s comment in an earlier patch set and I forgot to remove this reference.\n\nDo we want to describe novajoin here or not?","commit_id":"4395062fea4b83b37bfda54cf80343d7e6bf2f0f"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"e10e79109193991f6278af4c8c12222f08ba4bc3","unresolved":false,"context_lines":[{"line_number":22,"context_line":"use TLS everywhere we can, encrypting as much network traffic as possible."},{"line_number":23,"context_line":"Certificate management is critical with this approach because the number of"},{"line_number":24,"context_line":"certificates scales linearly with the number of services in your deployment."},{"line_number":25,"context_line":"TripleO uses several systems to help ease the burden of managing certificates."},{"line_number":26,"context_line":"We describe those components below and the role they play in deployments using"},{"line_number":27,"context_line":"TLS everywhere. This option is desirable for deployments susceptible to"},{"line_number":28,"context_line":"industry regulation or those who have a higher security risk. 
Healthcare,"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1f493fa4_06cad76c","line":25,"range":{"start_line":25,"start_character":21,"end_line":25,"end_character":28},"updated":"2020-05-06 19:22:37.000000000","message":"components?","commit_id":"2caecdc3c3d273a5756ec36e9ebf06cfa0b8c9cf"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"8ef857eb54452425843ffa9bd493b92d57e9d371","unresolved":false,"context_lines":[{"line_number":22,"context_line":"use TLS everywhere we can, encrypting as much network traffic as possible."},{"line_number":23,"context_line":"Certificate management is critical with this approach because the number of"},{"line_number":24,"context_line":"certificates scales linearly with the number of services in your deployment."},{"line_number":25,"context_line":"TripleO uses several systems to help ease the burden of managing certificates."},{"line_number":26,"context_line":"We describe those components below and the role they play in deployments using"},{"line_number":27,"context_line":"TLS everywhere. This option is desirable for deployments susceptible to"},{"line_number":28,"context_line":"industry regulation or those who have a higher security risk. Healthcare,"}],"source_content_type":"text/x-rst","patch_set":5,"id":"1f493fa4_4e307108","line":25,"range":{"start_line":25,"start_character":21,"end_line":25,"end_character":28},"in_reply_to":"1f493fa4_06cad76c","updated":"2020-05-07 00:52:04.000000000","message":"Done.","commit_id":"2caecdc3c3d273a5756ec36e9ebf06cfa0b8c9cf"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"e10e79109193991f6278af4c8c12222f08ba4bc3","unresolved":false,"context_lines":[{"line_number":93,"context_line":""},{"line_number":94,"context_line":"`Novajoin`_ is a vendor data service that extends nova\u0027s config drive"},{"line_number":95,"context_line":"functionality. 
When the undercloud creates new nodes for the overcloud,"},{"line_number":96,"context_line":"novajoin enrolls the node as a FreeIPA client. By enrolling the node, novajoin"},{"line_number":97,"context_line":"ensures the node can authenticate to FreeIPA and automatically collect"},{"line_number":98,"context_line":"certificates for services it hosts."},{"line_number":99,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"1f493fa4_26d0b3f7","line":96,"range":{"start_line":96,"start_character":0,"end_line":96,"end_character":46},"updated":"2020-05-06 19:22:37.000000000","message":"More precisely:\n\nnovajoin creates a host entry in FreeIPA to enable the overcloud node to be enrolled as a FreeIPA client.","commit_id":"2caecdc3c3d273a5756ec36e9ebf06cfa0b8c9cf"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"8ef857eb54452425843ffa9bd493b92d57e9d371","unresolved":false,"context_lines":[{"line_number":93,"context_line":""},{"line_number":94,"context_line":"`Novajoin`_ is a vendor data service that extends nova\u0027s config drive"},{"line_number":95,"context_line":"functionality. When the undercloud creates new nodes for the overcloud,"},{"line_number":96,"context_line":"novajoin enrolls the node as a FreeIPA client. 
By enrolling the node, novajoin"},{"line_number":97,"context_line":"ensures the node can authenticate to FreeIPA and automatically collect"},{"line_number":98,"context_line":"certificates for services it hosts."},{"line_number":99,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"1f493fa4_0e2e69a4","line":96,"range":{"start_line":96,"start_character":0,"end_line":96,"end_character":46},"in_reply_to":"1f493fa4_26d0b3f7","updated":"2020-05-07 00:52:04.000000000","message":"Done","commit_id":"2caecdc3c3d273a5756ec36e9ebf06cfa0b8c9cf"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"e10e79109193991f6278af4c8c12222f08ba4bc3","unresolved":false,"context_lines":[{"line_number":99,"context_line":""},{"line_number":100,"context_line":"If you want to use novajoin, you must have nova deployed in your undercloud."},{"line_number":101,"context_line":"Novajoin isn\u0027t supported for deployments :doc:`deployed_server`."},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"The tripleo-ipa project, described below, effectively replaced novajoin in the"},{"line_number":104,"context_line":"Train release."},{"line_number":105,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"1f493fa4_c602af6f","line":102,"updated":"2020-05-06 19:22:37.000000000","message":"We should mention that novajoin has been supported since the Queens release, and that it is supported through the Train release.","commit_id":"2caecdc3c3d273a5756ec36e9ebf06cfa0b8c9cf"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"8ef857eb54452425843ffa9bd493b92d57e9d371","unresolved":false,"context_lines":[{"line_number":99,"context_line":""},{"line_number":100,"context_line":"If you want to use novajoin, you must have nova deployed in your undercloud."},{"line_number":101,"context_line":"Novajoin isn\u0027t 
supported for deployments :doc:`deployed_server`."},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"The tripleo-ipa project, described below, effectively replaced novajoin in the"},{"line_number":104,"context_line":"Train release."},{"line_number":105,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"1f493fa4_0e07891e","line":102,"in_reply_to":"1f493fa4_c602af6f","updated":"2020-05-07 00:52:04.000000000","message":"Done","commit_id":"2caecdc3c3d273a5756ec36e9ebf06cfa0b8c9cf"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"f5c9f82f36437ca415c6833fb5da6f5de4bd9c9d","unresolved":false,"context_lines":[{"line_number":111,"context_line":"`tripleo-ipa`_ is a collection of Ansible roles used to integrate FreeIPA into"},{"line_number":112,"context_line":"TripleO deployments. These playbooks support deployments using nova and ironic"},{"line_number":113,"context_line":"in the undercloud as well as :doc:`deployed_server`. This project was"},{"line_number":114,"context_line":"introduced in Train and effectively replace the novajoin metadata service."},{"line_number":115,"context_line":""},{"line_number":116,"context_line":"We recommend using tripleo-ipa for all *TLS-everywhere* deployments as of the"},{"line_number":117,"context_line":"Train release. 
In a future release, we will update TripleO to only support"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1f493fa4_722410c7","line":114,"range":{"start_line":114,"start_character":37,"end_line":114,"end_character":43},"updated":"2020-05-08 13:55:22.000000000","message":"replaces","commit_id":"77c45e144bb62fed7cb885d63231ba77e2c696ec"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"302e554ab2fa9e736789365385149494cf95eb20","unresolved":false,"context_lines":[{"line_number":111,"context_line":"`tripleo-ipa`_ is a collection of Ansible roles used to integrate FreeIPA into"},{"line_number":112,"context_line":"TripleO deployments. These playbooks support deployments using nova and ironic"},{"line_number":113,"context_line":"in the undercloud as well as :doc:`deployed_server`. This project was"},{"line_number":114,"context_line":"introduced in Train and effectively replace the novajoin metadata service."},{"line_number":115,"context_line":""},{"line_number":116,"context_line":"We recommend using tripleo-ipa for all *TLS-everywhere* deployments as of the"},{"line_number":117,"context_line":"Train release. In a future release, we will update TripleO to only support"}],"source_content_type":"text/x-rst","patch_set":7,"id":"ff570b3c_9a932da4","line":114,"range":{"start_line":114,"start_character":37,"end_line":114,"end_character":43},"in_reply_to":"1f493fa4_722410c7","updated":"2020-05-08 18:27:26.000000000","message":"Done","commit_id":"77c45e144bb62fed7cb885d63231ba77e2c696ec"}]}
