)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":28011,"name":"Nicholas Tait","email":"ntait@redhat.com","username":"nickthetait"},"change_message_id":"921b182aa71a015fab7d0bdd49079f87f5c38f4e","unresolved":false,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"This commit lays down the steps you need to take to deploy TLS-e with"},{"line_number":10,"context_line":"TripleO. This is needed because we recently replaced novajoin with"},{"line_number":11,"context_line":"tripleo-ipa and that impacts how people deploy TLS-everywhere."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Subsequent patches will:"},{"line_number":14,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":17,"id":"ff570b3c_ef2af7e4","line":11,"range":{"start_line":11,"start_character":12,"end_line":11,"end_character":28},"updated":"2020-05-28 19:57:41.000000000","message":"which changes","commit_id":"a92594948103d97232e65530824c0e05a6ec3bdc"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"de5a49fa5ed25f394c429607d36c9da19c408db7","unresolved":false,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"This commit lays down the steps you need to take to deploy TLS-e with"},{"line_number":10,"context_line":"TripleO. 
This is needed because we recently replaced novajoin with"},{"line_number":11,"context_line":"tripleo-ipa and that impacts how people deploy TLS-everywhere."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Subsequent patches will:"},{"line_number":14,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":17,"id":"ff570b3c_4ce4ad0d","line":11,"range":{"start_line":11,"start_character":12,"end_line":11,"end_character":28},"in_reply_to":"ff570b3c_ef2af7e4","updated":"2020-06-01 13:42:45.000000000","message":"Done","commit_id":"a92594948103d97232e65530824c0e05a6ec3bdc"}],"_custom/custom.css":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e0fa7781b21589eafaf9d3eace32faff0f336a31","unresolved":false,"context_lines":[{"line_number":86,"context_line":".rtos {background: #ade;}"},{"line_number":87,"context_line":".validations {background: #fdd;}"},{"line_number":88,"context_line":".optional {background: #ffe;}"},{"line_number":89,"context_line":".tls {background: #ded;}"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"/* admonition selector */"},{"line_number":92,"context_line":"#admonition_selector {"}],"source_content_type":"text/css","patch_set":16,"id":"ff570b3c_28682585","line":89,"updated":"2020-05-19 01:21:09.000000000","message":"I\u0027m not sure what the process is (or if there is one) for coming up with colors, so I followed what appeared to be the convention above.","commit_id":"3332b0a1cc90c33d2018dda9f9279eddd41234b2"}],"deploy-guide/source/deployment/install_undercloud.rst":[{"author":{"_account_id":7353,"name":"Kevin Carter","email":"kevin@cloudnull.com","username":"cloudnull"},"change_message_id":"e2769036f752d5ba420d1f588439477c626f4b19","unresolved":false,"context_lines":[{"line_number":104,"context_line":""},{"line_number":105,"context_line":"          sudo yum install -y python3-ipalib 
python3-ipaclient krb5-devel"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"      If you\u0027re deploying Train, install the corresponding python2 version of"},{"line_number":108,"context_line":"      the above packages::"},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"          sudo yum install -y python-ipalib python-ipaclient krb5-devel"}],"source_content_type":"text/x-rst","patch_set":21,"id":"9f560f44_f9863cdb","line":107,"range":{"start_line":107,"start_character":59,"end_line":107,"end_character":66},"updated":"2020-07-31 18:41:01.000000000","message":"Does tls everywhere require py2 on train? Asking because we support el8 with train, which I believe will require py3.","commit_id":"095b45c75203494e772a5395a08847a06501e647"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1075a007e8a47e175f620a30cc56886f95d6925c","unresolved":false,"context_lines":[{"line_number":104,"context_line":""},{"line_number":105,"context_line":"          sudo yum install -y python3-ipalib python3-ipaclient krb5-devel"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"      If you\u0027re deploying Train, install the corresponding python2 version of"},{"line_number":108,"context_line":"      the above packages::"},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"          sudo yum install -y python-ipalib python-ipaclient krb5-devel"}],"source_content_type":"text/x-rst","patch_set":21,"id":"9f560f44_e644b449","line":107,"range":{"start_line":107,"start_character":59,"end_line":107,"end_character":66},"in_reply_to":"9f560f44_23205eac","updated":"2021-01-08 13:53:04.000000000","message":"Done","commit_id":"095b45c75203494e772a5395a08847a06501e647"},{"author":{"_account_id":7353,"name":"Kevin 
Carter","email":"kevin@cloudnull.com","username":"cloudnull"},"change_message_id":"1bd4c35d58c65c57f4a6caf8ea187b2a13014834","unresolved":false,"context_lines":[{"line_number":104,"context_line":""},{"line_number":105,"context_line":"          sudo yum install -y python3-ipalib python3-ipaclient krb5-devel"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"      If you\u0027re deploying Train, install the corresponding python2 version of"},{"line_number":108,"context_line":"      the above packages::"},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"          sudo yum install -y python-ipalib python-ipaclient krb5-devel"}],"source_content_type":"text/x-rst","patch_set":21,"id":"9f560f44_23205eac","line":107,"range":{"start_line":107,"start_character":59,"end_line":107,"end_character":66},"in_reply_to":"9f560f44_bff12d98","updated":"2020-08-04 15:51:01.000000000","message":"we support both el7 and el8 on train.","commit_id":"095b45c75203494e772a5395a08847a06501e647"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a9093304a283ee42e253083ef22b7da085a22ba6","unresolved":false,"context_lines":[{"line_number":104,"context_line":""},{"line_number":105,"context_line":"          sudo yum install -y python3-ipalib python3-ipaclient krb5-devel"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"      If you\u0027re deploying Train, install the corresponding python2 version of"},{"line_number":108,"context_line":"      the above packages::"},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"          sudo yum install -y python-ipalib python-ipaclient krb5-devel"}],"source_content_type":"text/x-rst","patch_set":21,"id":"9f560f44_bff12d98","line":107,"range":{"start_line":107,"start_character":59,"end_line":107,"end_character":66},"in_reply_to":"9f560f44_f9863cdb","updated":"2020-08-03 
19:41:28.000000000","message":"TLS-e will work with python2 or python3. I listed python2 dependencies here since Train was using centos7, which I believe is using python2?\n\nIs it possible to force a deployment to use python3?","commit_id":"095b45c75203494e772a5395a08847a06501e647"}],"deploy-guide/source/features/tls-everywhere.rst":[{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"a5b5a253204a99f1073cd2aec47a9e24a27ce955","unresolved":false,"context_lines":[{"line_number":107,"context_line":"`tripleo-ipa`_ is a collection of Ansible roles used to integrate FreeIPA into"},{"line_number":108,"context_line":"TripleO deployments. These playbooks support deployments using nova and ironic"},{"line_number":109,"context_line":"in the undercloud as well as :doc:`deployed_server`. This project was"},{"line_number":110,"context_line":"introduced in Train and effectively replace the novajoin metadata service."},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"We recommend using tripleo-ipa for all *TLS-everywhere* deployments as of the"},{"line_number":113,"context_line":"Train release. In a future release, we will update TripleO to only support"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1f493fa4_5d12c559","line":110,"range":{"start_line":110,"start_character":36,"end_line":110,"end_character":44},"updated":"2020-05-08 21:11:33.000000000","message":"replaces","commit_id":"bf565e4b066e215aec5030353a6a5f791742603b"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"a5b5a253204a99f1073cd2aec47a9e24a27ce955","unresolved":false,"context_lines":[{"line_number":219,"context_line":"    export USER\u003dstack"},{"line_number":220,"context_line":"    export CLOUD_DOMAIN\u003dexample.com"},{"line_number":221,"context_line":""},{"line_number":222,"context_line":"The variables above assume the stack user exists. 
You need to update these"},{"line_number":223,"context_line":"values according to your deployment. If you FreeIPA server is using the same"},{"line_number":224,"context_line":"domain and the cloud domain, update it to the be the same. These are example"},{"line_number":225,"context_line":"values. The FreeIPA user credentials must be an administrative user that can"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1f493fa4_5dae45e7","line":222,"range":{"start_line":222,"start_character":27,"end_line":222,"end_character":47},"updated":"2020-05-08 21:11:33.000000000","message":"and has sudo privileges","commit_id":"bf565e4b066e215aec5030353a6a5f791742603b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a6892685bf1ec47c6db2e2752cb280309cbdbfaf","unresolved":false,"context_lines":[{"line_number":124,"context_line":""},{"line_number":125,"context_line":".. _tripleo-ipa: https://opendev.org/x/tripleo-ipa"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"Deploying TLS-Everywhere"},{"line_number":128,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"Settings up TLS-everywhere primarily consists of a few additional steps you"},{"line_number":131,"context_line":"need to take on the undercloud. Specifically, these steps consist of installing"}],"source_content_type":"text/x-rst","patch_set":9,"id":"ff570b3c_1d88b76f","line":128,"range":{"start_line":127,"start_character":0,"end_line":128,"end_character":24},"updated":"2020-05-08 19:40:59.000000000","message":"This isn\u0027t rendering.. 
probably because it\u0027s a page title and we already have one of those.","commit_id":"8379ada3f19f5f7896bceeb9378f3995b287e693"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d960e86c8c3afae514d5604b76947495d7469383","unresolved":false,"context_lines":[{"line_number":124,"context_line":""},{"line_number":125,"context_line":".. _tripleo-ipa: https://opendev.org/x/tripleo-ipa"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"Deploying TLS-Everywhere"},{"line_number":128,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"Settings up TLS-everywhere primarily consists of a few additional steps you"},{"line_number":131,"context_line":"need to take on the undercloud. Specifically, these steps consist of installing"}],"source_content_type":"text/x-rst","patch_set":9,"id":"ff570b3c_c06bf21c","line":128,"range":{"start_line":127,"start_character":0,"end_line":128,"end_character":24},"in_reply_to":"ff570b3c_1d88b76f","updated":"2020-05-12 03:46:51.000000000","message":"Done","commit_id":"8379ada3f19f5f7896bceeb9378f3995b287e693"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9a6ad8b85280b4de5a685c49f30f21197a0c2742","unresolved":false,"context_lines":[{"line_number":133,"context_line":"Let\u0027s walk through each step individually."},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"You can either use tripleo-ipa or Novajoin to deploy *TLS-everywhere*. If"},{"line_number":136,"context_line":"you\u0027re deploying a release version to to Train, you can use Novajoin. If you\u0027re"},{"line_number":137,"context_line":"deploying Train or later, you can use tripleo-ipa. 
We recommend using"},{"line_number":138,"context_line":"tripleo-ipa whenever possible."},{"line_number":139,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"ff570b3c_3dfe5b05","line":136,"range":{"start_line":136,"start_character":35,"end_line":136,"end_character":40},"updated":"2020-05-08 19:26:09.000000000","message":"nit: to*","commit_id":"8379ada3f19f5f7896bceeb9378f3995b287e693"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d960e86c8c3afae514d5604b76947495d7469383","unresolved":false,"context_lines":[{"line_number":133,"context_line":"Let\u0027s walk through each step individually."},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"You can either use tripleo-ipa or Novajoin to deploy *TLS-everywhere*. If"},{"line_number":136,"context_line":"you\u0027re deploying a release version to to Train, you can use Novajoin. If you\u0027re"},{"line_number":137,"context_line":"deploying Train or later, you can use tripleo-ipa. We recommend using"},{"line_number":138,"context_line":"tripleo-ipa whenever possible."},{"line_number":139,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"ff570b3c_608786d9","line":136,"range":{"start_line":136,"start_character":35,"end_line":136,"end_character":40},"in_reply_to":"ff570b3c_3dfe5b05","updated":"2020-05-12 03:46:51.000000000","message":"Done","commit_id":"8379ada3f19f5f7896bceeb9378f3995b287e693"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"a5b5a253204a99f1073cd2aec47a9e24a27ce955","unresolved":false,"context_lines":[{"line_number":143,"context_line":".. note::"},{"line_number":144,"context_line":"    This deployment strategy is only supported on Train and newer releases. 
If"},{"line_number":145,"context_line":"    you\u0027re deploying a version older than Train, you\u0027ll need to use Novajoin to"},{"line_number":146,"context_line":"    accomplish *TLS-everywhere*, which are documented below."},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"Do the following steps before deploying your undercloud."},{"line_number":149,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"ff570b3c_1d3b979c","line":146,"range":{"start_line":146,"start_character":39,"end_line":146,"end_character":42},"updated":"2020-05-08 21:11:33.000000000","message":"NIT: s/which are/as/","commit_id":"8379ada3f19f5f7896bceeb9378f3995b287e693"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d960e86c8c3afae514d5604b76947495d7469383","unresolved":false,"context_lines":[{"line_number":143,"context_line":".. note::"},{"line_number":144,"context_line":"    This deployment strategy is only supported on Train and newer releases. 
If"},{"line_number":145,"context_line":"    you\u0027re deploying a version older than Train, you\u0027ll need to use Novajoin to"},{"line_number":146,"context_line":"    accomplish *TLS-everywhere*, which are documented below."},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"Do the following steps before deploying your undercloud."},{"line_number":149,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"ff570b3c_4061a239","line":146,"range":{"start_line":146,"start_character":39,"end_line":146,"end_character":42},"in_reply_to":"ff570b3c_1d3b979c","updated":"2020-05-12 03:46:51.000000000","message":"Done","commit_id":"8379ada3f19f5f7896bceeb9378f3995b287e693"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"a5b5a253204a99f1073cd2aec47a9e24a27ce955","unresolved":false,"context_lines":[{"line_number":176,"context_line":"above packages::"},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"    $ sudo yum install -y python-ipalib python-ipaclient krb5-devel"},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"Undercloud Enrollment"},{"line_number":181,"context_line":"~~~~~~~~~~~~~~~~~~~~~"},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"The tripleo-ipa project is a dependency of tripleo-common. 
You must have"}],"source_content_type":"text/x-rst","patch_set":9,"id":"ff570b3c_fd5343e1","line":180,"range":{"start_line":179,"start_character":0,"end_line":180,"end_character":21},"updated":"2020-05-08 21:11:33.000000000","message":"s/Enroll the Undercloud as an IPA Client","commit_id":"8379ada3f19f5f7896bceeb9378f3995b287e693"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d960e86c8c3afae514d5604b76947495d7469383","unresolved":false,"context_lines":[{"line_number":176,"context_line":"above packages::"},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"    $ sudo yum install -y python-ipalib python-ipaclient krb5-devel"},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"Undercloud Enrollment"},{"line_number":181,"context_line":"~~~~~~~~~~~~~~~~~~~~~"},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"The tripleo-ipa project is a dependency of tripleo-common. 
You must have"}],"source_content_type":"text/x-rst","patch_set":9,"id":"ff570b3c_a0519e65","line":180,"range":{"start_line":179,"start_character":0,"end_line":180,"end_character":21},"in_reply_to":"ff570b3c_fd5343e1","updated":"2020-05-12 03:46:51.000000000","message":"Done","commit_id":"8379ada3f19f5f7896bceeb9378f3995b287e693"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"a5b5a253204a99f1073cd2aec47a9e24a27ce955","unresolved":false,"context_lines":[{"line_number":203,"context_line":"Next, run the playbook on the undercloud::"},{"line_number":204,"context_line":""},{"line_number":205,"context_line":"    $ ansible-playbook --ssh-extra-args \"-o StrictHostKeyChecking\u003dno -o UserKnownHostsFile\u003d/dev/null\" /usr/share/ansible/tripleo-playbooks/undercloud-ipa-install.yaml"},{"line_number":206,"context_line":""},{"line_number":207,"context_line":"Configure the Undercloud"},{"line_number":208,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":209,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"ff570b3c_fd1a2315","line":206,"updated":"2020-05-08 21:11:33.000000000","message":"You could also mention that:\n\nThis playbook also sets up an IPA user nova/\u003cundercloud_fqdn\u003e which will be used for Openstack-related operations in IPA, adds the needed permissions and roles to that user, and downloads a keytab for that user at /etc/novajoin/krb5.keytab.","commit_id":"8379ada3f19f5f7896bceeb9378f3995b287e693"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"a5b5a253204a99f1073cd2aec47a9e24a27ce955","unresolved":false,"context_lines":[{"line_number":216,"context_line":"changes to allow you to deploy *TLS-everywhere* for the overcloud. 
You can"},{"line_number":217,"context_line":"proceed with the :ref:`Overcloud TLS-Everywhere` steps after the undercloud"},{"line_number":218,"context_line":"installation completes."},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"TLS-Everywhere with Novajoin"},{"line_number":221,"context_line":"----------------------------"},{"line_number":222,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"ff570b3c_e05f160c","line":219,"updated":"2020-05-08 21:11:33.000000000","message":"We\u0027re almost there.  Now add a section that says \"Deploy the Undercloud\"  and give \"openstack undercloud install\"\n\nThen add the Undercloud Verification step.\n\nAnd then continue to add the tasks for overcloud prep as below from line 315 or so.\n\nTreat each of the \"TLS-E with Novajoin and TLS-E with Tripleo-ipa\" as completely independent.","commit_id":"8379ada3f19f5f7896bceeb9378f3995b287e693"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d960e86c8c3afae514d5604b76947495d7469383","unresolved":false,"context_lines":[{"line_number":216,"context_line":"changes to allow you to deploy *TLS-everywhere* for the overcloud. 
You can"},{"line_number":217,"context_line":"proceed with the :ref:`Overcloud TLS-Everywhere` steps after the undercloud"},{"line_number":218,"context_line":"installation completes."},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"TLS-Everywhere with Novajoin"},{"line_number":221,"context_line":"----------------------------"},{"line_number":222,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"ff570b3c_607146e1","line":219,"in_reply_to":"ff570b3c_e05f160c","updated":"2020-05-12 03:46:51.000000000","message":"Done","commit_id":"8379ada3f19f5f7896bceeb9378f3995b287e693"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"197cabb599f07350b53e753631f7700e33f4191b","unresolved":false,"context_lines":[{"line_number":135,"context_line":"you\u0027re deploying Train or newer, you can use tripleo-ipa. We recommend using"},{"line_number":136,"context_line":"tripleo-ipa whenever possible. Let\u0027s walk through each step using both"},{"line_number":137,"context_line":"tripleo-ipa and Novajoin."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"TLS-everywhere with tripleo-ipa"},{"line_number":140,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":141,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"ff570b3c_d96c760a","line":138,"updated":"2020-05-11 18:36:15.000000000","message":"We should probably mention that :\n\nTLS Everywhere is only supported for pre-provisioned nodes using tripleo-ipa.","commit_id":"8a644535090b1389cb094367fe5e0cec6854daa7"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d960e86c8c3afae514d5604b76947495d7469383","unresolved":false,"context_lines":[{"line_number":135,"context_line":"you\u0027re deploying Train or newer, you can use tripleo-ipa. 
We recommend using"},{"line_number":136,"context_line":"tripleo-ipa whenever possible. Let\u0027s walk through each step using both"},{"line_number":137,"context_line":"tripleo-ipa and Novajoin."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"TLS-everywhere with tripleo-ipa"},{"line_number":140,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":141,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"ff570b3c_fdb15ce3","line":138,"in_reply_to":"ff570b3c_d96c760a","updated":"2020-05-12 03:46:51.000000000","message":"Done","commit_id":"8a644535090b1389cb094367fe5e0cec6854daa7"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"197cabb599f07350b53e753631f7700e33f4191b","unresolved":false,"context_lines":[{"line_number":333,"context_line":"    $ ipa host-find"},{"line_number":334,"context_line":""},{"line_number":335,"context_line":"You should also confirm that ``/etc/novajoin/krb5.keytab`` exists on the"},{"line_number":336,"context_line":"undercloud. The ``novajoin`` directory name is purely for legacy naming"},{"line_number":337,"context_line":"reasons. 
The keytab is placed in this directory regardless of using novajoin"},{"line_number":338,"context_line":"to enroll the undercloud as a FreeIPA client."},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"You can proceed with the :ref:`Overcloud TLS-everywhere` if the undercloud"},{"line_number":341,"context_line":"installation was successful."}],"source_content_type":"text/x-rst","patch_set":11,"id":"ff570b3c_1988aec4","line":338,"range":{"start_line":336,"start_character":12,"end_line":338,"end_character":44},"updated":"2020-05-11 18:36:15.000000000","message":"We can remove this sentence in this section.\n\nWe can also check to see if the novajoin and novajoin-notifier services are running.","commit_id":"8a644535090b1389cb094367fe5e0cec6854daa7"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d960e86c8c3afae514d5604b76947495d7469383","unresolved":false,"context_lines":[{"line_number":333,"context_line":"    $ ipa host-find"},{"line_number":334,"context_line":""},{"line_number":335,"context_line":"You should also confirm that ``/etc/novajoin/krb5.keytab`` exists on the"},{"line_number":336,"context_line":"undercloud. The ``novajoin`` directory name is purely for legacy naming"},{"line_number":337,"context_line":"reasons. 
The keytab is placed in this directory regardless of using novajoin"},{"line_number":338,"context_line":"to enroll the undercloud as a FreeIPA client."},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"You can proceed with the :ref:`Overcloud TLS-everywhere` if the undercloud"},{"line_number":341,"context_line":"installation was successful."}],"source_content_type":"text/x-rst","patch_set":11,"id":"ff570b3c_ddb618da","line":338,"range":{"start_line":336,"start_character":12,"end_line":338,"end_character":44},"in_reply_to":"ff570b3c_1988aec4","updated":"2020-05-12 03:46:51.000000000","message":"Done","commit_id":"8a644535090b1389cb094367fe5e0cec6854daa7"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"197cabb599f07350b53e753631f7700e33f4191b","unresolved":false,"context_lines":[{"line_number":342,"context_line":""},{"line_number":343,"context_line":".. _Overcloud TLS-everywhere:"},{"line_number":344,"context_line":""},{"line_number":345,"context_line":"Overcloud TLS-everywhere"},{"line_number":346,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":347,"context_line":""},{"line_number":348,"context_line":"*TLS-everywhere* requires you to set extra parameters and templates before you"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ff570b3c_59fd0639","line":345,"range":{"start_line":345,"start_character":0,"end_line":345,"end_character":24},"updated":"2020-05-11 18:36:15.000000000","message":"Maybe a better title here would be \"Configuring the overcloud for TLS everywhere\"","commit_id":"8a644535090b1389cb094367fe5e0cec6854daa7"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d960e86c8c3afae514d5604b76947495d7469383","unresolved":false,"context_lines":[{"line_number":342,"context_line":""},{"line_number":343,"context_line":".. 
_Overcloud TLS-everywhere:"},{"line_number":344,"context_line":""},{"line_number":345,"context_line":"Overcloud TLS-everywhere"},{"line_number":346,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":347,"context_line":""},{"line_number":348,"context_line":"*TLS-everywhere* requires you to set extra parameters and templates before you"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ff570b3c_9de140d4","line":345,"range":{"start_line":345,"start_character":0,"end_line":345,"end_character":24},"in_reply_to":"ff570b3c_59fd0639","updated":"2020-05-12 03:46:51.000000000","message":"Done. Updated to be \"Configuring the Overcloud\" to be consistent with the undercloud section (dropped the TLS part because this whole document is specific to TLS-everywhere).","commit_id":"8a644535090b1389cb094367fe5e0cec6854daa7"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"197cabb599f07350b53e753631f7700e33f4191b","unresolved":false,"context_lines":[{"line_number":363,"context_line":""},{"line_number":364,"context_line":"    resource_registry:"},{"line_number":365,"context_line":"      OS::TripleO::Services::IpaClient: /usr/share/openstack-tripleo-heat-templates/deployment/ipa/ipaservices-baremetal-ansible.yaml"},{"line_number":366,"context_line":""},{"line_number":367,"context_line":"We will add this composable service to the resource registry by default in a"},{"line_number":368,"context_line":"future release."},{"line_number":369,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"ff570b3c_59e4e6ac","line":366,"updated":"2020-05-11 18:36:15.000000000","message":"This change is only applicable to tripleo-ipa","commit_id":"8a644535090b1389cb094367fe5e0cec6854daa7"},{"author":{"_account_id":5046,"name":"Lance 
Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d960e86c8c3afae514d5604b76947495d7469383","unresolved":false,"context_lines":[{"line_number":363,"context_line":""},{"line_number":364,"context_line":"    resource_registry:"},{"line_number":365,"context_line":"      OS::TripleO::Services::IpaClient: /usr/share/openstack-tripleo-heat-templates/deployment/ipa/ipaservices-baremetal-ansible.yaml"},{"line_number":366,"context_line":""},{"line_number":367,"context_line":"We will add this composable service to the resource registry by default in a"},{"line_number":368,"context_line":"future release."},{"line_number":369,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"ff570b3c_fde67ce8","line":366,"in_reply_to":"ff570b3c_59e4e6ac","updated":"2020-05-12 03:46:51.000000000","message":"Done","commit_id":"8a644535090b1389cb094367fe5e0cec6854daa7"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"197cabb599f07350b53e753631f7700e33f4191b","unresolved":false,"context_lines":[{"line_number":406,"context_line":""},{"line_number":407,"context_line":"    $ openstack overcloud deploy \\"},{"line_number":408,"context_line":"    -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml \\"},{"line_number":409,"context_line":"    -e /usr/share/openstack-tripleo-heat-templates/environments/services/haproxy-public-tls-certmonger.yaml \\"},{"line_number":410,"context_line":"    -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml \\"},{"line_number":411,"context_line":"    -e tls-parameters.yaml"},{"line_number":412,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"ff570b3c_d9e91681","line":409,"range":{"start_line":409,"start_character":73,"end_line":409,"end_character":102},"updated":"2020-05-11 18:36:15.000000000","message":"There is some detail in the original 
SSL documentation about this -- and additional choices.","commit_id":"8a644535090b1389cb094367fe5e0cec6854daa7"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d960e86c8c3afae514d5604b76947495d7469383","unresolved":false,"context_lines":[{"line_number":406,"context_line":""},{"line_number":407,"context_line":"    $ openstack overcloud deploy \\"},{"line_number":408,"context_line":"    -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml \\"},{"line_number":409,"context_line":"    -e /usr/share/openstack-tripleo-heat-templates/environments/services/haproxy-public-tls-certmonger.yaml \\"},{"line_number":410,"context_line":"    -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml \\"},{"line_number":411,"context_line":"    -e tls-parameters.yaml"},{"line_number":412,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"ff570b3c_ddebb8ad","line":409,"range":{"start_line":409,"start_character":73,"end_line":409,"end_character":102},"in_reply_to":"ff570b3c_d9e91681","updated":"2020-05-12 03:46:51.000000000","message":"Should we add that here? 
Should we add that as a separate primer and link to it?\n\nI\u0027m mostly thinking about conciseness.","commit_id":"8a644535090b1389cb094367fe5e0cec6854daa7"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"13fd01176c943a12a4c0654b5a50ed4ff88b5b1a","unresolved":false,"context_lines":[{"line_number":406,"context_line":""},{"line_number":407,"context_line":"    $ openstack overcloud deploy \\"},{"line_number":408,"context_line":"    -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml \\"},{"line_number":409,"context_line":"    -e /usr/share/openstack-tripleo-heat-templates/environments/services/haproxy-public-tls-certmonger.yaml \\"},{"line_number":410,"context_line":"    -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml \\"},{"line_number":411,"context_line":"    -e tls-parameters.yaml"},{"line_number":412,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"ff570b3c_f004cbc8","line":409,"range":{"start_line":409,"start_character":73,"end_line":409,"end_character":102},"in_reply_to":"ff570b3c_ddebb8ad","updated":"2020-05-12 20:58:08.000000000","message":"Well, we are considering removing the original SSL doc - and so that means at least covering some of the information there.  I think in this case, some small bullet points indicating other choices would be sufficient.","commit_id":"8a644535090b1389cb094367fe5e0cec6854daa7"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"13fd01176c943a12a4c0654b5a50ed4ff88b5b1a","unresolved":false,"context_lines":[{"line_number":195,"context_line":"    export CLOUD_DOMAIN\u003dexample.com"},{"line_number":196,"context_line":""},{"line_number":197,"context_line":"The variables above assume the stack user exists. 
You need to update these"},{"line_number":198,"context_line":"values according to your deployment. If you FreeIPA server is using the same"},{"line_number":199,"context_line":"domain and the cloud domain, update it to the be the same. These are example"},{"line_number":200,"context_line":"values. The FreeIPA user credentials must be an administrative user that can"},{"line_number":201,"context_line":"add new hosts and services."}],"source_content_type":"text/x-rst","patch_set":12,"id":"ff570b3c_b580858d","line":198,"range":{"start_line":198,"start_character":40,"end_line":198,"end_character":43},"updated":"2020-05-12 20:58:08.000000000","message":"your","commit_id":"b269e73e802b0bbf25edd6dce32ce05b67c1b4b1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1fcbbf3c9abb592e71c6ca6015419ffa0d9eae05","unresolved":false,"context_lines":[{"line_number":195,"context_line":"    export CLOUD_DOMAIN\u003dexample.com"},{"line_number":196,"context_line":""},{"line_number":197,"context_line":"The variables above assume the stack user exists. You need to update these"},{"line_number":198,"context_line":"values according to your deployment. If you FreeIPA server is using the same"},{"line_number":199,"context_line":"domain and the cloud domain, update it to the be the same. These are example"},{"line_number":200,"context_line":"values. 
The FreeIPA user credentials must be an administrative user that can"},{"line_number":201,"context_line":"add new hosts and services."}],"source_content_type":"text/x-rst","patch_set":12,"id":"ff570b3c_7c035874","line":198,"range":{"start_line":198,"start_character":40,"end_line":198,"end_character":43},"in_reply_to":"ff570b3c_b580858d","updated":"2020-05-14 02:10:37.000000000","message":"Done","commit_id":"b269e73e802b0bbf25edd6dce32ce05b67c1b4b1"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"13fd01176c943a12a4c0654b5a50ed4ff88b5b1a","unresolved":false,"context_lines":[{"line_number":209,"context_line":""},{"line_number":210,"context_line":".. warning::"},{"line_number":211,"context_line":"    This section only provides guidance for configuring *TLS-everywhere*. You"},{"line_number":212,"context_line":"    need to make sure your undercloud configuration is complete before staring"},{"line_number":213,"context_line":"    the undercloud installation process."},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"Set the following variables in `undercloud.conf`::"}],"source_content_type":"text/x-rst","patch_set":12,"id":"ff570b3c_f54b1d84","line":212,"range":{"start_line":212,"start_character":71,"end_line":212,"end_character":78},"updated":"2020-05-12 20:58:08.000000000","message":"starting","commit_id":"b269e73e802b0bbf25edd6dce32ce05b67c1b4b1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1fcbbf3c9abb592e71c6ca6015419ffa0d9eae05","unresolved":false,"context_lines":[{"line_number":209,"context_line":""},{"line_number":210,"context_line":".. warning::"},{"line_number":211,"context_line":"    This section only provides guidance for configuring *TLS-everywhere*. 
You"},{"line_number":212,"context_line":"    need to make sure your undercloud configuration is complete before staring"},{"line_number":213,"context_line":"    the undercloud installation process."},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"Set the following variables in `undercloud.conf`::"}],"source_content_type":"text/x-rst","patch_set":12,"id":"ff570b3c_dcf9c480","line":212,"range":{"start_line":212,"start_character":71,"end_line":212,"end_character":78},"in_reply_to":"ff570b3c_f54b1d84","updated":"2020-05-14 02:10:37.000000000","message":"Done","commit_id":"b269e73e802b0bbf25edd6dce32ce05b67c1b4b1"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"13fd01176c943a12a4c0654b5a50ed4ff88b5b1a","unresolved":false,"context_lines":[{"line_number":228,"context_line":""},{"line_number":229,"context_line":"    $ openstack undercloud install"},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"Undercloud Verification"},{"line_number":232,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"You should verify that the undercloud was enrolled properly by listing the"}],"source_content_type":"text/x-rst","patch_set":12,"id":"ff570b3c_b01c136b","line":231,"range":{"start_line":231,"start_character":0,"end_line":231,"end_character":23},"updated":"2020-05-12 20:58:08.000000000","message":"Strictly speaking -- this verification can take place after the IPA enrollment step.  It might be a better idea to move it there.  
Of course the last sentence \"You can proceed ..\" needs to be after the undercloud install.","commit_id":"b269e73e802b0bbf25edd6dce32ce05b67c1b4b1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1fcbbf3c9abb592e71c6ca6015419ffa0d9eae05","unresolved":false,"context_lines":[{"line_number":228,"context_line":""},{"line_number":229,"context_line":"    $ openstack undercloud install"},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"Undercloud Verification"},{"line_number":232,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"You should verify that the undercloud was enrolled properly by listing the"}],"source_content_type":"text/x-rst","patch_set":12,"id":"ff570b3c_fcee48b2","line":231,"range":{"start_line":231,"start_character":0,"end_line":231,"end_character":23},"in_reply_to":"ff570b3c_b01c136b","updated":"2020-05-14 02:10:37.000000000","message":"That\u0027s exactly the reason why I opted to put validation after installation even though it can be done before :)\n\nI didn\u0027t want to create an extra jump, but I can reorganize if needed.","commit_id":"b269e73e802b0bbf25edd6dce32ce05b67c1b4b1"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"13fd01176c943a12a4c0654b5a50ed4ff88b5b1a","unresolved":false,"context_lines":[{"line_number":280,"context_line":""},{"line_number":281,"context_line":"    $ sudo yum install -y python-ipalib python-ipaclient krb5-devel python-novajoin"},{"line_number":282,"context_line":""},{"line_number":283,"context_line":"Enroll the Undercloud as an IPA client"},{"line_number":284,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":285,"context_line":""},{"line_number":286,"context_line":"Next, you need to enroll the undercloud as a FreeIPA client. 
This will give the"}],"source_content_type":"text/x-rst","patch_set":12,"id":"ff570b3c_105cdf23","line":283,"range":{"start_line":283,"start_character":0,"end_line":283,"end_character":38},"updated":"2020-05-12 20:58:08.000000000","message":"Strictly speaking, this is not accurate.\n\nThis is: Add a host entry for the undercloud in the IPA server","commit_id":"b269e73e802b0bbf25edd6dce32ce05b67c1b4b1"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"13fd01176c943a12a4c0654b5a50ed4ff88b5b1a","unresolved":false,"context_lines":[{"line_number":285,"context_line":""},{"line_number":286,"context_line":"Next, you need to enroll the undercloud as a FreeIPA client. This will give the"},{"line_number":287,"context_line":"undercloud the permissions it needs to add new hosts, services, and DNS"},{"line_number":288,"context_line":"records. You can use the following command-line utility to enroll the undercloud::"},{"line_number":289,"context_line":""},{"line_number":290,"context_line":"    novajoin-ipa-setup \\"},{"line_number":291,"context_line":"    --principal $IPA_USER \\"}],"source_content_type":"text/x-rst","patch_set":12,"id":"ff570b3c_d0ed4726","line":288,"range":{"start_line":288,"start_character":9,"end_line":288,"end_character":81},"updated":"2020-05-12 20:58:08.000000000","message":"Maybe we need to specify a bit more about the actual process here.\n\nSomething like this:\n\nYou need to enroll the undercloud as a FreeIPA client.  This will give the undercloud the permissions it needs to add new hosts, services and DNS records.\n\nWhen using novajoin, this operation is accomplished in two stages.  
In this step, we accomplish the first step - which is to add a host entry for the undercloud host in the FreeIpa database with a one-time password.\n\nThis one-time password will be used in the undercloud install step to complete the registration.","commit_id":"b269e73e802b0bbf25edd6dce32ce05b67c1b4b1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1fcbbf3c9abb592e71c6ca6015419ffa0d9eae05","unresolved":false,"context_lines":[{"line_number":285,"context_line":""},{"line_number":286,"context_line":"Next, you need to enroll the undercloud as a FreeIPA client. This will give the"},{"line_number":287,"context_line":"undercloud the permissions it needs to add new hosts, services, and DNS"},{"line_number":288,"context_line":"records. You can use the following command-line utility to enroll the undercloud::"},{"line_number":289,"context_line":""},{"line_number":290,"context_line":"    novajoin-ipa-setup \\"},{"line_number":291,"context_line":"    --principal $IPA_USER \\"}],"source_content_type":"text/x-rst","patch_set":12,"id":"ff570b3c_9c0e2c8b","line":288,"range":{"start_line":288,"start_character":9,"end_line":288,"end_character":81},"in_reply_to":"ff570b3c_d0ed4726","updated":"2020-05-14 02:10:37.000000000","message":"Done","commit_id":"b269e73e802b0bbf25edd6dce32ce05b67c1b4b1"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"13fd01176c943a12a4c0654b5a50ed4ff88b5b1a","unresolved":false,"context_lines":[{"line_number":304,"context_line":""},{"line_number":305,"context_line":".. warning::"},{"line_number":306,"context_line":"    This section only provides guidance for configuring *TLS-everywhere*. 
You"},{"line_number":307,"context_line":"    need to make sure your undercloud configuration is complete before staring"},{"line_number":308,"context_line":"    the undercloud installation process."},{"line_number":309,"context_line":""},{"line_number":310,"context_line":"Set the following variables in `undercloud.conf`::"}],"source_content_type":"text/x-rst","patch_set":12,"id":"ff570b3c_b0e6d343","line":307,"range":{"start_line":307,"start_character":71,"end_line":307,"end_character":78},"updated":"2020-05-12 20:58:08.000000000","message":"starting","commit_id":"b269e73e802b0bbf25edd6dce32ce05b67c1b4b1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1fcbbf3c9abb592e71c6ca6015419ffa0d9eae05","unresolved":false,"context_lines":[{"line_number":304,"context_line":""},{"line_number":305,"context_line":".. warning::"},{"line_number":306,"context_line":"    This section only provides guidance for configuring *TLS-everywhere*. 
You"},{"line_number":307,"context_line":"    need to make sure your undercloud configuration is complete before staring"},{"line_number":308,"context_line":"    the undercloud installation process."},{"line_number":309,"context_line":""},{"line_number":310,"context_line":"Set the following variables in `undercloud.conf`::"}],"source_content_type":"text/x-rst","patch_set":12,"id":"ff570b3c_bc221000","line":307,"range":{"start_line":307,"start_character":71,"end_line":307,"end_character":78},"in_reply_to":"ff570b3c_b0e6d343","updated":"2020-05-14 02:10:37.000000000","message":"Done","commit_id":"b269e73e802b0bbf25edd6dce32ce05b67c1b4b1"},{"author":{"_account_id":14985,"name":"Alex Schultz","email":"aschultz@next-development.com","username":"mwhahaha"},"change_message_id":"a72ba587b413a9893470ec50663fb8c2b994113b","unresolved":false,"context_lines":[{"line_number":170,"context_line":""},{"line_number":171,"context_line":"Install the following packages for python3 deployments::"},{"line_number":172,"context_line":""},{"line_number":173,"context_line":"    $ sudo yum install -y python3-ipalib python3-ipaclient krb5-devel"},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"For deployments using Train, install the corresponding python2 versions of the"},{"line_number":176,"context_line":"above packages::"}],"source_content_type":"text/x-rst","patch_set":15,"id":"ff570b3c_9ce41e0f","line":173,"range":{"start_line":173,"start_character":6,"end_line":173,"end_character":69},"updated":"2020-05-18 18:10:47.000000000","message":"Why is this a separate step? 
Shouldn\u0027t this be part of the install playbook?","commit_id":"1993d1a99d786040b52b079f2cab91bf1f1bf27d"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9b7f844ac0f07fcbe7cd552ead3d9030c9adfdd9","unresolved":false,"context_lines":[{"line_number":170,"context_line":""},{"line_number":171,"context_line":"Install the following packages for python3 deployments::"},{"line_number":172,"context_line":""},{"line_number":173,"context_line":"    $ sudo yum install -y python3-ipalib python3-ipaclient krb5-devel"},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"For deployments using Train, install the corresponding python2 versions of the"},{"line_number":176,"context_line":"above packages::"}],"source_content_type":"text/x-rst","patch_set":15,"id":"ff570b3c_57e9bfb4","line":173,"range":{"start_line":173,"start_character":6,"end_line":173,"end_character":69},"in_reply_to":"ff570b3c_9ce41e0f","updated":"2020-05-18 19:04:14.000000000","message":"Done","commit_id":"1993d1a99d786040b52b079f2cab91bf1f1bf27d"},{"author":{"_account_id":7353,"name":"Kevin Carter","email":"kevin@cloudnull.com","username":"cloudnull"},"change_message_id":"14538d2d3bbb910f85a7a6fa5e1079a3a43782a0","unresolved":false,"context_lines":[{"line_number":175,"context_line":"For deployments using Train, install the corresponding python2 versions of the"},{"line_number":176,"context_line":"above packages::"},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"    $ sudo yum install -y python-ipalib python-ipaclient krb5-devel"},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"Enroll the Undercloud as an IPA 
client"},{"line_number":181,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":15,"id":"ff570b3c_bc3f6223","line":178,"range":{"start_line":178,"start_character":26,"end_line":178,"end_character":67},"updated":"2020-05-18 18:38:43.000000000","message":"same question here, shouldn\u0027t this be part of a playbook?","commit_id":"1993d1a99d786040b52b079f2cab91bf1f1bf27d"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9b7f844ac0f07fcbe7cd552ead3d9030c9adfdd9","unresolved":false,"context_lines":[{"line_number":175,"context_line":"For deployments using Train, install the corresponding python2 versions of the"},{"line_number":176,"context_line":"above packages::"},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"    $ sudo yum install -y python-ipalib python-ipaclient krb5-devel"},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"Enroll the Undercloud as an IPA client"},{"line_number":181,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":15,"id":"ff570b3c_b7d13bfe","line":178,"range":{"start_line":178,"start_character":26,"end_line":178,"end_character":67},"in_reply_to":"ff570b3c_bc3f6223","updated":"2020-05-18 19:04:14.000000000","message":"Done","commit_id":"1993d1a99d786040b52b079f2cab91bf1f1bf27d"},{"author":{"_account_id":14985,"name":"Alex Schultz","email":"aschultz@next-development.com","username":"mwhahaha"},"change_message_id":"a72ba587b413a9893470ec50663fb8c2b994113b","unresolved":false,"context_lines":[{"line_number":202,"context_line":""},{"line_number":203,"context_line":"Next, run the playbook on the undercloud::"},{"line_number":204,"context_line":""},{"line_number":205,"context_line":"    $ ansible-playbook --ssh-extra-args \"-o StrictHostKeyChecking\u003dno -o UserKnownHostsFile\u003d/dev/null\" 
/usr/share/ansible/tripleo-playbooks/undercloud-ipa-install.yaml"},{"line_number":206,"context_line":""},{"line_number":207,"context_line":"Configure the Undercloud"},{"line_number":208,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":15,"id":"ff570b3c_3cbd12d8","line":205,"range":{"start_line":205,"start_character":0,"end_line":205,"end_character":166},"updated":"2020-05-18 18:10:47.000000000","message":"We should never tell people to do this. This should be wrapped in a tripleoclient command that invokes this and sets the proper environment variables.","commit_id":"1993d1a99d786040b52b079f2cab91bf1f1bf27d"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9b7f844ac0f07fcbe7cd552ead3d9030c9adfdd9","unresolved":false,"context_lines":[{"line_number":202,"context_line":""},{"line_number":203,"context_line":"Next, run the playbook on the undercloud::"},{"line_number":204,"context_line":""},{"line_number":205,"context_line":"    $ ansible-playbook --ssh-extra-args \"-o StrictHostKeyChecking\u003dno -o UserKnownHostsFile\u003d/dev/null\" /usr/share/ansible/tripleo-playbooks/undercloud-ipa-install.yaml"},{"line_number":206,"context_line":""},{"line_number":207,"context_line":"Configure the Undercloud"},{"line_number":208,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":15,"id":"ff570b3c_97f7d78b","line":205,"range":{"start_line":205,"start_character":0,"end_line":205,"end_character":166},"in_reply_to":"ff570b3c_3cbd12d8","updated":"2020-05-18 19:04:14.000000000","message":"++ good point.","commit_id":"1993d1a99d786040b52b079f2cab91bf1f1bf27d"},{"author":{"_account_id":14985,"name":"Alex Schultz","email":"aschultz@next-development.com","username":"mwhahaha"},"change_message_id":"26cdce8868bf3513f0e209a8405caba244d9e7b1","unresolved":false,"context_lines":[{"line_number":265,"context_line":"the FreeIPA 
server domain is `bigcorp.com`, you should set the following in"},{"line_number":266,"context_line":"`/etc/resolv.conf`::"},{"line_number":267,"context_line":""},{"line_number":268,"context_line":"    search example.com bigcorp.com"},{"line_number":269,"context_line":"    nameserver $FREEIPA_IP_ADDRESS"},{"line_number":270,"context_line":""},{"line_number":271,"context_line":"This step ensures the undercloud can resolve newly added hosts and services"},{"line_number":272,"context_line":"after TripleO enrolls them as FreeIPA clients. You only need to add both search"}],"source_content_type":"text/x-rst","patch_set":15,"id":"ff570b3c_dc985676","line":269,"range":{"start_line":268,"start_character":0,"end_line":269,"end_character":34},"updated":"2020-05-18 18:13:27.000000000","message":"Nameservers can also be managed via undercloud.conf. The search line can\u0027t, though; that seems like something we should perhaps improve on if it\u0027s a requirement for IPA.","commit_id":"1993d1a99d786040b52b079f2cab91bf1f1bf27d"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9b7f844ac0f07fcbe7cd552ead3d9030c9adfdd9","unresolved":false,"context_lines":[{"line_number":265,"context_line":"the FreeIPA server domain is `bigcorp.com`, you should set the following in"},{"line_number":266,"context_line":"`/etc/resolv.conf`::"},{"line_number":267,"context_line":""},{"line_number":268,"context_line":"    search example.com bigcorp.com"},{"line_number":269,"context_line":"    nameserver $FREEIPA_IP_ADDRESS"},{"line_number":270,"context_line":""},{"line_number":271,"context_line":"This step ensures the undercloud can resolve newly added hosts and services"},{"line_number":272,"context_line":"after TripleO enrolls them as FreeIPA clients. 
You only need to add both search"}],"source_content_type":"text/x-rst","patch_set":15,"id":"ff570b3c_372c0b01","line":269,"range":{"start_line":268,"start_character":0,"end_line":269,"end_character":34},"in_reply_to":"ff570b3c_dc985676","updated":"2020-05-18 19:04:14.000000000","message":"Yeah, that would be really helpful in this case.","commit_id":"1993d1a99d786040b52b079f2cab91bf1f1bf27d"},{"author":{"_account_id":7353,"name":"Kevin Carter","email":"kevin@cloudnull.com","username":"cloudnull"},"change_message_id":"56aa69dd4af6a385a652b0350c87fe8707311ea6","unresolved":false,"context_lines":[{"line_number":6,"context_line":"packages and enrolling the undercloud host as a FreeIPA client."},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"You can either use tripleo-ipa or Novajoin to deploy *TLS-everywhere*. If"},{"line_number":9,"context_line":"you\u0027re deploying a release version older than Train, you can use Novajoin. If"},{"line_number":10,"context_line":"you\u0027re deploying Train or newer, you can use tripleo-ipa. Deployments"},{"line_number":11,"context_line":":ref:`deployed_server` must use tripleo-ipa. We recommend using tripleo-ipa"},{"line_number":12,"context_line":"whenever possible. 
Let\u0027s walk through each step using both tripleo-ipa and"}],"source_content_type":"text/x-rst","patch_set":16,"id":"ff570b3c_af02bfb2","line":9,"range":{"start_line":9,"start_character":57,"end_line":9,"end_character":60},"updated":"2020-05-28 19:51:04.000000000","message":"\"can\" or \"must\"?","commit_id":"3332b0a1cc90c33d2018dda9f9279eddd41234b2"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"479240d20a67855735ea3486b4e18e38d917f421","unresolved":false,"context_lines":[{"line_number":6,"context_line":"packages and enrolling the undercloud host as a FreeIPA client."},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"You can either use tripleo-ipa or Novajoin to deploy *TLS-everywhere*. If"},{"line_number":9,"context_line":"you\u0027re deploying a release version older than Train, you can use Novajoin. If"},{"line_number":10,"context_line":"you\u0027re deploying Train or newer, you can use tripleo-ipa. Deployments"},{"line_number":11,"context_line":":ref:`deployed_server` must use tripleo-ipa. We recommend using tripleo-ipa"},{"line_number":12,"context_line":"whenever possible. Let\u0027s walk through each step using both tripleo-ipa and"}],"source_content_type":"text/x-rst","patch_set":16,"id":"ff570b3c_0c163556","line":9,"range":{"start_line":9,"start_character":57,"end_line":9,"end_character":60},"in_reply_to":"ff570b3c_af02bfb2","updated":"2020-06-01 13:58:39.000000000","message":"Done","commit_id":"3332b0a1cc90c33d2018dda9f9279eddd41234b2"},{"author":{"_account_id":7353,"name":"Kevin Carter","email":"kevin@cloudnull.com","username":"cloudnull"},"change_message_id":"56aa69dd4af6a385a652b0350c87fe8707311ea6","unresolved":false,"context_lines":[{"line_number":7,"context_line":""},{"line_number":8,"context_line":"You can either use tripleo-ipa or Novajoin to deploy *TLS-everywhere*. 
If"},{"line_number":9,"context_line":"you\u0027re deploying a release version older than Train, you can use Novajoin. If"},{"line_number":10,"context_line":"you\u0027re deploying Train or newer, you can use tripleo-ipa. Deployments"},{"line_number":11,"context_line":":ref:`deployed_server` must use tripleo-ipa. We recommend using tripleo-ipa"},{"line_number":12,"context_line":"whenever possible. Let\u0027s walk through each step using both tripleo-ipa and"},{"line_number":13,"context_line":"Novajoin."}],"source_content_type":"text/x-rst","patch_set":16,"id":"ff570b3c_8ffd3bb3","line":10,"range":{"start_line":10,"start_character":37,"end_line":10,"end_character":40},"updated":"2020-05-28 19:51:04.000000000","message":"same question here? Could someone use both in Train+?","commit_id":"3332b0a1cc90c33d2018dda9f9279eddd41234b2"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"479240d20a67855735ea3486b4e18e38d917f421","unresolved":false,"context_lines":[{"line_number":7,"context_line":""},{"line_number":8,"context_line":"You can either use tripleo-ipa or Novajoin to deploy *TLS-everywhere*. If"},{"line_number":9,"context_line":"you\u0027re deploying a release version older than Train, you can use Novajoin. If"},{"line_number":10,"context_line":"you\u0027re deploying Train or newer, you can use tripleo-ipa. Deployments"},{"line_number":11,"context_line":":ref:`deployed_server` must use tripleo-ipa. We recommend using tripleo-ipa"},{"line_number":12,"context_line":"whenever possible. Let\u0027s walk through each step using both tripleo-ipa and"},{"line_number":13,"context_line":"Novajoin."}],"source_content_type":"text/x-rst","patch_set":16,"id":"ff570b3c_67138a5d","line":10,"range":{"start_line":10,"start_character":37,"end_line":10,"end_character":40},"in_reply_to":"ff570b3c_8ffd3bb3","updated":"2020-06-01 13:58:39.000000000","message":"Yeah - good call. 
I clarified this in the next patch set. Let me know if it helps.","commit_id":"3332b0a1cc90c33d2018dda9f9279eddd41234b2"},{"author":{"_account_id":7353,"name":"Kevin Carter","email":"kevin@cloudnull.com","username":"cloudnull"},"change_message_id":"56aa69dd4af6a385a652b0350c87fe8707311ea6","unresolved":false,"context_lines":[{"line_number":53,"context_line":""},{"line_number":54,"context_line":"    export IPA_DOMAIN\u003dbigcorp.com"},{"line_number":55,"context_line":"    export IPA_REALM\u003dBIGCORP.COM"},{"line_number":56,"context_line":"    export IPA_ADMIN_USER\u003d$IPA_USER"},{"line_number":57,"context_line":"    export IPA_ADMIN_PASSWORD\u003d$IPA_PASSWORD"},{"line_number":58,"context_line":"    export IPA_SERVER_HOSTNAME\u003dipa.bigcorp.com"},{"line_number":59,"context_line":"    export UNDERCLOUD_FQDN\u003dundercloud.example.com"}],"source_content_type":"text/x-rst","patch_set":16,"id":"ff570b3c_efd2f733","line":56,"range":{"start_line":56,"start_character":27,"end_line":56,"end_character":35},"updated":"2020-05-28 19:51:04.000000000","message":"what is the value for this user? 
is it the same as the shell?","commit_id":"3332b0a1cc90c33d2018dda9f9279eddd41234b2"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"479240d20a67855735ea3486b4e18e38d917f421","unresolved":false,"context_lines":[{"line_number":53,"context_line":""},{"line_number":54,"context_line":"    export IPA_DOMAIN\u003dbigcorp.com"},{"line_number":55,"context_line":"    export IPA_REALM\u003dBIGCORP.COM"},{"line_number":56,"context_line":"    export IPA_ADMIN_USER\u003d$IPA_USER"},{"line_number":57,"context_line":"    export IPA_ADMIN_PASSWORD\u003d$IPA_PASSWORD"},{"line_number":58,"context_line":"    export IPA_SERVER_HOSTNAME\u003dipa.bigcorp.com"},{"line_number":59,"context_line":"    export UNDERCLOUD_FQDN\u003dundercloud.example.com"}],"source_content_type":"text/x-rst","patch_set":16,"id":"ff570b3c_67a38a9f","line":56,"range":{"start_line":56,"start_character":27,"end_line":56,"end_character":35},"in_reply_to":"ff570b3c_efd2f733","updated":"2020-06-01 13:58:39.000000000","message":"Done","commit_id":"3332b0a1cc90c33d2018dda9f9279eddd41234b2"},{"author":{"_account_id":7353,"name":"Kevin Carter","email":"kevin@cloudnull.com","username":"cloudnull"},"change_message_id":"56aa69dd4af6a385a652b0350c87fe8707311ea6","unresolved":false,"context_lines":[{"line_number":57,"context_line":"    export IPA_ADMIN_PASSWORD\u003d$IPA_PASSWORD"},{"line_number":58,"context_line":"    export IPA_SERVER_HOSTNAME\u003dipa.bigcorp.com"},{"line_number":59,"context_line":"    export UNDERCLOUD_FQDN\u003dundercloud.example.com"},{"line_number":60,"context_line":"    export USER\u003dstack"},{"line_number":61,"context_line":"    export CLOUD_DOMAIN\u003dexample.com"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"The variables above assume the stack user exists. 
You need to update these"}],"source_content_type":"text/x-rst","patch_set":16,"id":"ff570b3c_af1bdf18","line":60,"range":{"start_line":60,"start_character":16,"end_line":60,"end_character":21},"updated":"2020-05-28 19:51:04.000000000","message":"This should probably remain unset?\n\n$USER is a shell built-in, and the executing user on a real deployment may not actually be \"stack\".","commit_id":"3332b0a1cc90c33d2018dda9f9279eddd41234b2"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"479240d20a67855735ea3486b4e18e38d917f421","unresolved":false,"context_lines":[{"line_number":57,"context_line":"    export IPA_ADMIN_PASSWORD\u003d$IPA_PASSWORD"},{"line_number":58,"context_line":"    export IPA_SERVER_HOSTNAME\u003dipa.bigcorp.com"},{"line_number":59,"context_line":"    export UNDERCLOUD_FQDN\u003dundercloud.example.com"},{"line_number":60,"context_line":"    export USER\u003dstack"},{"line_number":61,"context_line":"    export CLOUD_DOMAIN\u003dexample.com"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"The variables above assume the stack user exists. You need to update these"}],"source_content_type":"text/x-rst","patch_set":16,"id":"ff570b3c_079bae65","line":60,"range":{"start_line":60,"start_character":16,"end_line":60,"end_character":21},"in_reply_to":"ff570b3c_af1bdf18","updated":"2020-06-01 13:58:39.000000000","message":"Done","commit_id":"3332b0a1cc90c33d2018dda9f9279eddd41234b2"},{"author":{"_account_id":7353,"name":"Kevin Carter","email":"kevin@cloudnull.com","username":"cloudnull"},"change_message_id":"56aa69dd4af6a385a652b0350c87fe8707311ea6","unresolved":false,"context_lines":[{"line_number":60,"context_line":"    export USER\u003dstack"},{"line_number":61,"context_line":"    export CLOUD_DOMAIN\u003dexample.com"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"The variables above assume the stack user exists. 
You need to update these"},{"line_number":64,"context_line":"values according to your deployment. If your FreeIPA server is using the same"},{"line_number":65,"context_line":"domain and the cloud domain, update it to the be the same. These are example"},{"line_number":66,"context_line":"values. The FreeIPA user credentials must be an administrative user that can"}],"source_content_type":"text/x-rst","patch_set":16,"id":"ff570b3c_2fdd0f42","line":63,"range":{"start_line":63,"start_character":0,"end_line":63,"end_character":48},"updated":"2020-05-28 19:51:04.000000000","message":"this makes it sound like the stack user is required.","commit_id":"3332b0a1cc90c33d2018dda9f9279eddd41234b2"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"479240d20a67855735ea3486b4e18e38d917f421","unresolved":false,"context_lines":[{"line_number":60,"context_line":"    export USER\u003dstack"},{"line_number":61,"context_line":"    export CLOUD_DOMAIN\u003dexample.com"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"The variables above assume the stack user exists. You need to update these"},{"line_number":64,"context_line":"values according to your deployment. If your FreeIPA server is using the same"},{"line_number":65,"context_line":"domain and the cloud domain, update it to the be the same. These are example"},{"line_number":66,"context_line":"values. 
The FreeIPA user credentials must be an administrative user that can"}],"source_content_type":"text/x-rst","patch_set":16,"id":"ff570b3c_87d4deea","line":63,"range":{"start_line":63,"start_character":0,"end_line":63,"end_character":48},"in_reply_to":"ff570b3c_2fdd0f42","updated":"2020-06-01 13:58:39.000000000","message":"Done","commit_id":"3332b0a1cc90c33d2018dda9f9279eddd41234b2"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e0fa7781b21589eafaf9d3eace32faff0f336a31","unresolved":false,"context_lines":[{"line_number":68,"context_line":""},{"line_number":69,"context_line":"Next, run the playbook on the undercloud::"},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"    $ ansible-playbook --ssh-extra-args \"-o StrictHostKeyChecking\u003dno -o UserKnownHostsFile\u003d/dev/null\" /usr/share/ansible/tripleo-playbooks/undercloud-ipa-install.yaml"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"Configure the Undercloud"},{"line_number":74,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":16,"id":"ff570b3c_680b3dd5","line":71,"updated":"2020-05-19 01:21:09.000000000","message":"We need to address this bit, per Alex\u0027s comment in PS 15.","commit_id":"3332b0a1cc90c33d2018dda9f9279eddd41234b2"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"479240d20a67855735ea3486b4e18e38d917f421","unresolved":false,"context_lines":[{"line_number":68,"context_line":""},{"line_number":69,"context_line":"Next, run the playbook on the undercloud::"},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"    $ ansible-playbook --ssh-extra-args \"-o StrictHostKeyChecking\u003dno -o UserKnownHostsFile\u003d/dev/null\" 
/usr/share/ansible/tripleo-playbooks/undercloud-ipa-install.yaml"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"Configure the Undercloud"},{"line_number":74,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":16,"id":"ff570b3c_27fd126e","line":71,"in_reply_to":"ff570b3c_680b3dd5","updated":"2020-06-01 13:58:39.000000000","message":"This will be addressed once Dave\u0027s patch merges:\n\nhttps://review.opendev.org/#/c/731277/","commit_id":"3332b0a1cc90c33d2018dda9f9279eddd41234b2"},{"author":{"_account_id":7353,"name":"Kevin Carter","email":"kevin@cloudnull.com","username":"cloudnull"},"change_message_id":"56aa69dd4af6a385a652b0350c87fe8707311ea6","unresolved":false,"context_lines":[{"line_number":273,"context_line":"      OS::TripleO::Services::IpaClient: /usr/share/openstack-tripleo-heat-templates/deployment/ipa/ipaservices-baremetal-ansible.yaml"},{"line_number":274,"context_line":""},{"line_number":275,"context_line":"Remember, this is going to be the default method of deploying *TLS-everywhere*"},{"line_number":276,"context_line":"in the future."},{"line_number":277,"context_line":""},{"line_number":278,"context_line":"Specify Templates"},{"line_number":279,"context_line":"~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":16,"id":"ff570b3c_afac7f8c","line":276,"range":{"start_line":276,"start_character":0,"end_line":276,"end_character":14},"updated":"2020-05-28 19:51:04.000000000","message":"is there a release where this change is scheduled to happen?","commit_id":"3332b0a1cc90c33d2018dda9f9279eddd41234b2"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"479240d20a67855735ea3486b4e18e38d917f421","unresolved":false,"context_lines":[{"line_number":273,"context_line":"      OS::TripleO::Services::IpaClient: 
/usr/share/openstack-tripleo-heat-templates/deployment/ipa/ipaservices-baremetal-ansible.yaml"},{"line_number":274,"context_line":""},{"line_number":275,"context_line":"Remember, this is going to be the default method of deploying *TLS-everywhere*"},{"line_number":276,"context_line":"in the future."},{"line_number":277,"context_line":""},{"line_number":278,"context_line":"Specify Templates"},{"line_number":279,"context_line":"~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":16,"id":"ff570b3c_07a72e0d","line":276,"range":{"start_line":276,"start_character":0,"end_line":276,"end_character":14},"in_reply_to":"ff570b3c_afac7f8c","updated":"2020-06-01 13:58:39.000000000","message":"Done","commit_id":"3332b0a1cc90c33d2018dda9f9279eddd41234b2"},{"author":{"_account_id":28011,"name":"Nicholas Tait","email":"ntait@redhat.com","username":"nickthetait"},"change_message_id":"921b182aa71a015fab7d0bdd49079f87f5c38f4e","unresolved":false,"context_lines":[{"line_number":5,"context_line":"need to take on the undercloud. These steps consist of installing additional"},{"line_number":6,"context_line":"packages and enrolling the undercloud host as a FreeIPA client."},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"You can either use tripleo-ipa or Novajoin to deploy *TLS-everywhere*. If"},{"line_number":9,"context_line":"you\u0027re deploying a release version older than Train, you can use Novajoin. If"},{"line_number":10,"context_line":"you\u0027re deploying Train or newer, you can use tripleo-ipa. Deployments"},{"line_number":11,"context_line":":ref:`deployed_server` must use tripleo-ipa. We recommend using tripleo-ipa"}],"source_content_type":"text/x-rst","patch_set":17,"id":"ff570b3c_ef8e7725","line":8,"updated":"2020-05-28 19:57:41.000000000","message":"\"The OpenStack release you are deploying affects which tool can be used to deploy *TLS-everywhere*. For Train and older, you can use Novajoin. 
For Train or newer, you can use tripleo-ipa.\"","commit_id":"a92594948103d97232e65530824c0e05a6ec3bdc"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"de5a49fa5ed25f394c429607d36c9da19c408db7","unresolved":false,"context_lines":[{"line_number":5,"context_line":"need to take on the undercloud. These steps consist of installing additional"},{"line_number":6,"context_line":"packages and enrolling the undercloud host as a FreeIPA client."},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"You can either use tripleo-ipa or Novajoin to deploy *TLS-everywhere*. If"},{"line_number":9,"context_line":"you\u0027re deploying a release version older than Train, you can use Novajoin. If"},{"line_number":10,"context_line":"you\u0027re deploying Train or newer, you can use tripleo-ipa. Deployments"},{"line_number":11,"context_line":":ref:`deployed_server` must use tripleo-ipa. We recommend using tripleo-ipa"}],"source_content_type":"text/x-rst","patch_set":17,"id":"ff570b3c_ec62e13d","line":8,"in_reply_to":"ff570b3c_ef8e7725","updated":"2020-06-01 13:42:45.000000000","message":"++\n\nI clarified this a bit and used some of what you suggested. 
Let me know if it helps.","commit_id":"a92594948103d97232e65530824c0e05a6ec3bdc"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"c3436c526b76fe005e6a1edd36a9ba4290245019","unresolved":false,"context_lines":[{"line_number":228,"context_line":"      CloudNameInternal: overcloud.internalapi.example.com"},{"line_number":229,"context_line":"      CloudNameStorage: overcloud.storage.example.com"},{"line_number":230,"context_line":"      CloudNameStorageManagement: overcloud.storagemgmt.example.com"},{"line_number":231,"context_line":"      CloudNameCtlplane: overcloud.ctlplane.example.com"},{"line_number":232,"context_line":""},{"line_number":233,"context_line":"The ``DnsServers`` value above assumes we have FreeIPA available at"},{"line_number":234,"context_line":"192.168.1.13."}],"source_content_type":"text/x-rst","patch_set":17,"id":"ff570b3c_fb13e4b6","line":231,"updated":"2020-05-28 15:06:57.000000000","message":"This needs to include the following parameter when using deployed servers.\n\n  IdMInstallClientPackages: True","commit_id":"a92594948103d97232e65530824c0e05a6ec3bdc"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"de5a49fa5ed25f394c429607d36c9da19c408db7","unresolved":false,"context_lines":[{"line_number":228,"context_line":"      CloudNameInternal: overcloud.internalapi.example.com"},{"line_number":229,"context_line":"      CloudNameStorage: overcloud.storage.example.com"},{"line_number":230,"context_line":"      CloudNameStorageManagement: overcloud.storagemgmt.example.com"},{"line_number":231,"context_line":"      CloudNameCtlplane: overcloud.ctlplane.example.com"},{"line_number":232,"context_line":""},{"line_number":233,"context_line":"The ``DnsServers`` value above assumes we have FreeIPA available 
at"},{"line_number":234,"context_line":"192.168.1.13."}],"source_content_type":"text/x-rst","patch_set":17,"id":"ff570b3c_0c3d95dc","line":231,"in_reply_to":"ff570b3c_fb13e4b6","updated":"2020-06-01 13:42:45.000000000","message":"Done","commit_id":"a92594948103d97232e65530824c0e05a6ec3bdc"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4a389d3cfcd3c86f0eb03e1dc03e32d1622c68cf","unresolved":false,"context_lines":[{"line_number":45,"context_line":"domains if they\u0027re different. If the FreeIPA server is using the same domain as"},{"line_number":46,"context_line":"the deployment you only need to specify the deployment domain."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"Enroll the Undercloud as an IPA client"},{"line_number":49,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"The tripleo-ipa project is a dependency of tripleo-common. 
You must have"},{"line_number":52,"context_line":"tripleo-common installed to run the ``undercloud-ipa-install.yaml`` playbook,"}],"source_content_type":"text/x-rst","patch_set":18,"id":"ff570b3c_ed8adb18","line":49,"range":{"start_line":48,"start_character":0,"end_line":49,"end_character":38},"updated":"2020-06-01 14:26:20.000000000","message":"This section is going to get reworked once we land the following patches, which provide a way to register the undercloud and supply an OTP (similar to how Novajoin registered the undercloud and enrolled it as a FreeIPA client):\n\nhttps://review.opendev.org/#/q/topic:scenario-1+(status:open+OR+status:merged)\n\n\nThis case is more user friendly for deployments who don\u0027t have immediate access or control over the FreeIPA server they\u0027re using to manage certificates.","commit_id":"c270f0b81133ab7909d7c4466d1fcdecd0bf5fad"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"814dc94b62982d55c0ce72eaa46b9f20dbc781bf","unresolved":false,"context_lines":[{"line_number":45,"context_line":"domains if they\u0027re different. If the FreeIPA server is using the same domain as"},{"line_number":46,"context_line":"the deployment you only need to specify the deployment domain."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"Enroll the Undercloud as an IPA client"},{"line_number":49,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"The tripleo-ipa project is a dependency of tripleo-common. 
You must have"},{"line_number":52,"context_line":"tripleo-common installed to run the ``undercloud-ipa-install.yaml`` playbook,"}],"source_content_type":"text/x-rst","patch_set":18,"id":"bf51134e_c19e1f62","line":49,"range":{"start_line":48,"start_character":0,"end_line":49,"end_character":38},"in_reply_to":"ff570b3c_ed8adb18","updated":"2020-06-17 13:50:52.000000000","message":"Done","commit_id":"c270f0b81133ab7909d7c4466d1fcdecd0bf5fad"},{"author":{"_account_id":25877,"name":"Luke Short","email":"ekultails@gmail.com","username":"ekultails"},"change_message_id":"0bd18254be5487b3e87c1906b0f1385924c583b8","unresolved":false,"context_lines":[{"line_number":83,"context_line":"First, you need to create a new FreeIPA role with the appropriate permissions"},{"line_number":84,"context_line":"for managing hosts, principals, services, and DNS entries::"},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"    kinit"},{"line_number":87,"context_line":"    export IPA_PASSWORD\u003d$IPA_PASSWORD"},{"line_number":88,"context_line":"    export IPA_PRINCIPAL\u003d$IPA_USER"},{"line_number":89,"context_line":"    export UNDERCLOUD_FQDN\u003dundercloud.example.com"}],"source_content_type":"text/x-rst","patch_set":19,"id":"bf51134e_9a925e56","line":86,"updated":"2020-06-23 19:48:25.000000000","message":"nit: These commands do not start with \"$\" whereas later on they do.","commit_id":"9352f3ee715e97ee0833d7403f14ac12ca93c64a"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"dcefb39f748b005a1196a1a127e856fc98673464","unresolved":false,"context_lines":[{"line_number":83,"context_line":"First, you need to create a new FreeIPA role with the appropriate permissions"},{"line_number":84,"context_line":"for managing hosts, principals, services, and DNS entries::"},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"    kinit"},{"line_number":87,"context_line":"    export 
IPA_PASSWORD\u003d$IPA_PASSWORD"},{"line_number":88,"context_line":"    export IPA_PRINCIPAL\u003d$IPA_USER"},{"line_number":89,"context_line":"    export UNDERCLOUD_FQDN\u003dundercloud.example.com"}],"source_content_type":"text/x-rst","patch_set":19,"id":"bf51134e_9a253e0c","line":86,"in_reply_to":"bf51134e_9a925e56","updated":"2020-06-23 19:59:46.000000000","message":"Done","commit_id":"9352f3ee715e97ee0833d7403f14ac12ca93c64a"},{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"8434eaa57223ba6e30a087a80e4d21ec26f74183","unresolved":false,"context_lines":[{"line_number":77,"context_line":"playbook (e.g., ``ipa privilege-add-permission``, ``ipa host-add``, etc). They"},{"line_number":78,"context_line":"also expect you to generate a kerberos token before executing each playbook."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"Create a FreeIPA role"},{"line_number":81,"context_line":"^^^^^^^^^^^^^^^^^^^^^"},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"First, you need to create a new FreeIPA role with the appropriate permissions"}],"source_content_type":"text/x-rst","patch_set":20,"id":"bf51134e_3dac2534","line":80,"updated":"2020-07-08 08:24:15.000000000","message":"I think we need to run the undercloud-ipa-install.yaml playbook first in order to get the actual \"ipa\" command...\n\nIs this doc complete?","commit_id":"94acd62596e37014ed280b8ec8987e9a0454271c"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"8f27b2c6d35aaef4f4bc13d6101bf0ff89a577bf","unresolved":false,"context_lines":[{"line_number":77,"context_line":"playbook (e.g., ``ipa privilege-add-permission``, ``ipa host-add``, etc). 
They"},{"line_number":78,"context_line":"also expect you to generate a kerberos token before executing each playbook."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"Create a FreeIPA role"},{"line_number":81,"context_line":"^^^^^^^^^^^^^^^^^^^^^"},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"First, you need to create a new FreeIPA role with the appropriate permissions"}],"source_content_type":"text/x-rst","patch_set":20,"id":"bf51134e_e2a67a0f","line":80,"in_reply_to":"bf51134e_3dac2534","updated":"2020-07-08 21:37:53.000000000","message":"This is noted on line 52 above.\n\nThe undercloud-ipa-install.yaml playbook is designed to set up everything before installing the undercloud. It creates the undercloud host, sets up the service, and fetches the keytab. You don\u0027t need to configure the undercloud to enroll itself.\n\nWhile this case is convenient, we can\u0027t assume it\u0027s reasonable for most production deployments to give TripleO administrative access to FreeIPA. The undercloud-ipa-install.yaml playbook assumes you can provide it administrative rights.\n\nThe deployer might not have any administrative rights to IPA, making the installation process contingent on obtaining a one-time password from someone who does. We attempted to address this by writing separate playbooks that FreeIPA admins can use (documented here), if they want an automated way of generating the host, service, and privileges needed by the undercloud. 
Once they generate the password, the deployer can configure the undercloud to do its own enrollment.","commit_id":"94acd62596e37014ed280b8ec8987e9a0454271c"},{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"6241f7219d441e059a2614d05c395021395a6daf","unresolved":false,"context_lines":[{"line_number":146,"context_line":"You should verify that the undercloud was enrolled properly by listing the"},{"line_number":147,"context_line":"hosts in FreeIPA::"},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"    $ kinit"},{"line_number":150,"context_line":"    $ ipa host-find"},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"You should also confirm that ``/etc/novajoin/krb5.keytab`` exists on the"}],"source_content_type":"text/x-rst","patch_set":20,"id":"bf51134e_f8a53404","line":149,"updated":"2020-07-15 09:17:33.000000000","message":"with the right changes, this should be launched as root (sudo kinit; sudo ipa host-find)","commit_id":"94acd62596e37014ed280b8ec8987e9a0454271c"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ef1f338a765781907771a5f04e92ff0b07a2ec75","unresolved":false,"context_lines":[{"line_number":146,"context_line":"You should verify that the undercloud was enrolled properly by listing the"},{"line_number":147,"context_line":"hosts in FreeIPA::"},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"    $ kinit"},{"line_number":150,"context_line":"    $ ipa host-find"},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"You should also confirm that ``/etc/novajoin/krb5.keytab`` exists on the"}],"source_content_type":"text/x-rst","patch_set":20,"id":"bf51134e_f9bcfa06","line":149,"in_reply_to":"bf51134e_f8a53404","updated":"2020-07-16 
17:56:17.000000000","message":"Done","commit_id":"94acd62596e37014ed280b8ec8987e9a0454271c"},{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"6241f7219d441e059a2614d05c395021395a6daf","unresolved":false,"context_lines":[{"line_number":236,"context_line":"You should verify that the undercloud was enrolled properly by listing the"},{"line_number":237,"context_line":"hosts in FreeIPA::"},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"    $ kinit"},{"line_number":240,"context_line":"    $ ipa host-find"},{"line_number":241,"context_line":""},{"line_number":242,"context_line":"You should also confirm that ``/etc/novajoin/krb5.keytab`` exists on the"}],"source_content_type":"text/x-rst","patch_set":20,"id":"bf51134e_78b12444","line":239,"updated":"2020-07-15 09:17:33.000000000","message":"same here, \"sudo\".","commit_id":"94acd62596e37014ed280b8ec8987e9a0454271c"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ef1f338a765781907771a5f04e92ff0b07a2ec75","unresolved":false,"context_lines":[{"line_number":236,"context_line":"You should verify that the undercloud was enrolled properly by listing the"},{"line_number":237,"context_line":"hosts in FreeIPA::"},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"    $ kinit"},{"line_number":240,"context_line":"    $ ipa host-find"},{"line_number":241,"context_line":""},{"line_number":242,"context_line":"You should also confirm that ``/etc/novajoin/krb5.keytab`` exists on the"}],"source_content_type":"text/x-rst","patch_set":20,"id":"bf51134e_d9b77620","line":239,"in_reply_to":"bf51134e_78b12444","updated":"2020-07-16 17:56:17.000000000","message":"Done","commit_id":"94acd62596e37014ed280b8ec8987e9a0454271c"},{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner 
(Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"6241f7219d441e059a2614d05c395021395a6daf","unresolved":false,"context_lines":[{"line_number":310,"context_line":"need to update the registry to use a different composable service. Both options"},{"line_number":311,"context_line":"are described below."},{"line_number":312,"context_line":""},{"line_number":313,"context_line":"Novajoin"},{"line_number":314,"context_line":"^^^^^^^^"},{"line_number":315,"context_line":""},{"line_number":316,"context_line":"This is the default option but we will update TripleO in the future to use"}],"source_content_type":"text/x-rst","patch_set":20,"id":"bf51134e_5899c0c1","line":313,"updated":"2020-07-15 09:17:33.000000000","message":"would be good to mark a better difference here - the \"title\" type is light grey, we might overlook we\u0027re in the novajoin section","commit_id":"94acd62596e37014ed280b8ec8987e9a0454271c"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ef1f338a765781907771a5f04e92ff0b07a2ec75","unresolved":false,"context_lines":[{"line_number":310,"context_line":"need to update the registry to use a different composable service. 
Both options"},{"line_number":311,"context_line":"are described below."},{"line_number":312,"context_line":""},{"line_number":313,"context_line":"Novajoin"},{"line_number":314,"context_line":"^^^^^^^^"},{"line_number":315,"context_line":""},{"line_number":316,"context_line":"This is the default option but we will update TripleO in the future to use"}],"source_content_type":"text/x-rst","patch_set":20,"id":"bf51134e_b9744269","line":313,"in_reply_to":"bf51134e_5899c0c1","updated":"2020-07-16 17:56:17.000000000","message":"Done","commit_id":"94acd62596e37014ed280b8ec8987e9a0454271c"},{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"6241f7219d441e059a2614d05c395021395a6daf","unresolved":false,"context_lines":[{"line_number":320,"context_line":"    resource_registry:"},{"line_number":321,"context_line":"      OS::TripleO::Services::IpaClient: /usr/share/openstack-tripleo-heat-templates/deployment/ipa/ipaclient-baremetal-ansible.yaml"},{"line_number":322,"context_line":""},{"line_number":323,"context_line":"tripleo-ipa"},{"line_number":324,"context_line":"^^^^^^^^^^^"},{"line_number":325,"context_line":""},{"line_number":326,"context_line":"If you\u0027re deploying *TLS-everwhere* with tripleo-ipa, you need to override the"}],"source_content_type":"text/x-rst","patch_set":20,"id":"bf51134e_788ac463","line":323,"updated":"2020-07-15 09:17:33.000000000","message":"same here - that light grey thing makes it difficult to follow the right section.","commit_id":"94acd62596e37014ed280b8ec8987e9a0454271c"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ef1f338a765781907771a5f04e92ff0b07a2ec75","unresolved":false,"context_lines":[{"line_number":320,"context_line":"    resource_registry:"},{"line_number":321,"context_line":"      OS::TripleO::Services::IpaClient: 
/usr/share/openstack-tripleo-heat-templates/deployment/ipa/ipaclient-baremetal-ansible.yaml"},{"line_number":322,"context_line":""},{"line_number":323,"context_line":"tripleo-ipa"},{"line_number":324,"context_line":"^^^^^^^^^^^"},{"line_number":325,"context_line":""},{"line_number":326,"context_line":"If you\u0027re deploying *TLS-everwhere* with tripleo-ipa, you need to override the"}],"source_content_type":"text/x-rst","patch_set":20,"id":"bf51134e_996fbe90","line":323,"in_reply_to":"bf51134e_788ac463","updated":"2020-07-16 17:56:17.000000000","message":"Done","commit_id":"94acd62596e37014ed280b8ec8987e9a0454271c"}],"deploy-guide/source/features/tls-overcloud.rst":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1f43b1bbc39850aa9e9e23f006e0849927390eb7","unresolved":false,"context_lines":[{"line_number":16,"context_line":""},{"line_number":17,"context_line":"    resource_registry:"},{"line_number":18,"context_line":"      OS::TripleO::Controller::Net::SoftwareConfig: /usr/share/openstack-tripleo-heat-templates/net-config-bridge.yaml"},{"line_number":19,"context_line":"      OS::TripleO::Compute::Net::SoftwareConfig: /usr/share/openstack-tripleo-heat-templates/net-config-bridge.yaml"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Set Parameters"},{"line_number":22,"context_line":"^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f493fa4_94090c33","line":19,"updated":"2020-05-05 14:40:41.000000000","message":"I\u0027m not sure if this is really applicable to TLS-e? 
It\u0027s required to get things working but each deployment has different networking setups.","commit_id":"b5785fb4c90c2e05fd1a33097cc92293a2bb194b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"db6e46713d0bf2e6b12d723974299205ebae6eb4","unresolved":false,"context_lines":[{"line_number":16,"context_line":""},{"line_number":17,"context_line":"    resource_registry:"},{"line_number":18,"context_line":"      OS::TripleO::Controller::Net::SoftwareConfig: /usr/share/openstack-tripleo-heat-templates/net-config-bridge.yaml"},{"line_number":19,"context_line":"      OS::TripleO::Compute::Net::SoftwareConfig: /usr/share/openstack-tripleo-heat-templates/net-config-bridge.yaml"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Set Parameters"},{"line_number":22,"context_line":"^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f493fa4_d31a8115","line":19,"in_reply_to":"1f493fa4_94090c33","updated":"2020-05-05 21:56:33.000000000","message":"Done","commit_id":"b5785fb4c90c2e05fd1a33097cc92293a2bb194b"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"634afe0bc23a6cef62e7f00613fc8850bfc7f480","unresolved":false,"context_lines":[{"line_number":21,"context_line":"Set Parameters"},{"line_number":22,"context_line":"^^^^^^^^^^^^^^"},{"line_number":23,"context_line":"Set parameters::"},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"    DnsSearchDomains: [\"{{ cloud_domain }}\", \"{{ ipa_domain }}\"]"},{"line_number":26,"context_line":"    IdMServer: ipa.{{ ipa_domain }}"},{"line_number":27,"context_line":"    IdMDomain: {{ ipa_domain }}"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f493fa4_d4a7144f","line":24,"updated":"2020-05-05 14:56:18.000000000","message":"To keep it in the same format as the above \"resource_registry:\" I would add 
\"parameter_defaults:\" here and indent the rest.","commit_id":"b5785fb4c90c2e05fd1a33097cc92293a2bb194b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"db6e46713d0bf2e6b12d723974299205ebae6eb4","unresolved":false,"context_lines":[{"line_number":21,"context_line":"Set Parameters"},{"line_number":22,"context_line":"^^^^^^^^^^^^^^"},{"line_number":23,"context_line":"Set parameters::"},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"    DnsSearchDomains: [\"{{ cloud_domain }}\", \"{{ ipa_domain }}\"]"},{"line_number":26,"context_line":"    IdMServer: ipa.{{ ipa_domain }}"},{"line_number":27,"context_line":"    IdMDomain: {{ ipa_domain }}"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f493fa4_731d6d0e","line":24,"in_reply_to":"1f493fa4_d4a7144f","updated":"2020-05-05 21:56:33.000000000","message":"Done","commit_id":"b5785fb4c90c2e05fd1a33097cc92293a2bb194b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1f43b1bbc39850aa9e9e23f006e0849927390eb7","unresolved":false,"context_lines":[{"line_number":31,"context_line":"    CloudNameInternal: overcloud.internalapi.{{ cloud_domain }}"},{"line_number":32,"context_line":"    CloudNameStorage: overcloud.storage.{{ cloud_domain }}"},{"line_number":33,"context_line":"    CloudNameStorageManagement: overcloud.storagemgmt.{{ cloud_domain }}"},{"line_number":34,"context_line":"    CloudNameCtlplane: overcloud.ctlplane.{{ cloud_domain }}"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Specify Templates"},{"line_number":37,"context_line":"^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f493fa4_b4b0888d","line":34,"updated":"2020-05-05 14:40:41.000000000","message":"I think these should include more concrete examples?\n\nShould also remove the variable 
names.","commit_id":"b5785fb4c90c2e05fd1a33097cc92293a2bb194b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"db6e46713d0bf2e6b12d723974299205ebae6eb4","unresolved":false,"context_lines":[{"line_number":31,"context_line":"    CloudNameInternal: overcloud.internalapi.{{ cloud_domain }}"},{"line_number":32,"context_line":"    CloudNameStorage: overcloud.storage.{{ cloud_domain }}"},{"line_number":33,"context_line":"    CloudNameStorageManagement: overcloud.storagemgmt.{{ cloud_domain }}"},{"line_number":34,"context_line":"    CloudNameCtlplane: overcloud.ctlplane.{{ cloud_domain }}"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Specify Templates"},{"line_number":37,"context_line":"^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f493fa4_73e28d03","line":34,"in_reply_to":"1f493fa4_b4b0888d","updated":"2020-05-05 21:56:33.000000000","message":"Done","commit_id":"b5785fb4c90c2e05fd1a33097cc92293a2bb194b"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"634afe0bc23a6cef62e7f00613fc8850bfc7f480","unresolved":false,"context_lines":[{"line_number":42,"context_line":"    -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml \\"},{"line_number":43,"context_line":"    -e /usr/share/openstack-tripleo-heat-templates/environments/services/haproxy-public-tls-certmonger.yaml \\"},{"line_number":44,"context_line":"    -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml \\"},{"line_number":45,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f493fa4_b7ad2aec","line":45,"updated":"2020-05-05 14:56:18.000000000","message":"Maybe add an \"-e {{ working_dir }}/tls-everywhere.yaml\" here and rephrase the above, making you create this file with all the 
settings.","commit_id":"b5785fb4c90c2e05fd1a33097cc92293a2bb194b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"db6e46713d0bf2e6b12d723974299205ebae6eb4","unresolved":false,"context_lines":[{"line_number":42,"context_line":"    -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml \\"},{"line_number":43,"context_line":"    -e /usr/share/openstack-tripleo-heat-templates/environments/services/haproxy-public-tls-certmonger.yaml \\"},{"line_number":44,"context_line":"    -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml \\"},{"line_number":45,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f493fa4_93e5990d","line":45,"in_reply_to":"1f493fa4_b7ad2aec","updated":"2020-05-05 21:56:33.000000000","message":"Done","commit_id":"b5785fb4c90c2e05fd1a33097cc92293a2bb194b"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"648c28e7c40444cf2b35c7b10b3802851357120a","unresolved":false,"context_lines":[{"line_number":1,"context_line":"TLS Overcloud"},{"line_number":2,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":3,"context_line":""},{"line_number":4,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f493fa4_9ca0fca7","line":1,"range":{"start_line":1,"start_character":0,"end_line":1,"end_character":13},"updated":"2020-05-06 15:01:49.000000000","message":"Should this be TLS-E (Overcloud)?","commit_id":"07374e9e3e81a2390e54ba0e575cf59a3dfbc6ca"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3061ae4efc97b1b632751ba579da58aaa1a2ecd7","unresolved":false,"context_lines":[{"line_number":1,"context_line":"TLS 
Overcloud"},{"line_number":2,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":3,"context_line":""},{"line_number":4,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f493fa4_7564234a","line":1,"range":{"start_line":1,"start_character":0,"end_line":1,"end_character":13},"in_reply_to":"1f493fa4_9ca0fca7","updated":"2020-05-06 19:05:37.000000000","message":"Done","commit_id":"07374e9e3e81a2390e54ba0e575cf59a3dfbc6ca"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"648c28e7c40444cf2b35c7b10b3802851357120a","unresolved":false,"context_lines":[{"line_number":18,"context_line":""},{"line_number":19,"context_line":"    resource_registry:"},{"line_number":20,"context_line":"      OS::TripleO::Services::IpaClient: /usr/share/openstack-tripleo-heat-templates/deployment/ipa/ipaservices-baremetal-ansible.yaml"},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"Set Parameters"},{"line_number":23,"context_line":"^^^^^^^^^^^^^^"},{"line_number":24,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f493fa4_28dfe7d6","line":21,"updated":"2020-05-06 15:01:49.000000000","message":"The plan of course is to make this the default setting in master going forward.\n\nYou might want to mention that for old releases, a different service (and mechanism) is provided in the enable-internal-tls template below.\n\nAlso, this is of course only relevant for tripleo-ipa and not novajoin.","commit_id":"07374e9e3e81a2390e54ba0e575cf59a3dfbc6ca"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3061ae4efc97b1b632751ba579da58aaa1a2ecd7","unresolved":false,"context_lines":[{"line_number":18,"context_line":""},{"line_number":19,"context_line":"    resource_registry:"},{"line_number":20,"context_line":"      
OS::TripleO::Services::IpaClient: /usr/share/openstack-tripleo-heat-templates/deployment/ipa/ipaservices-baremetal-ansible.yaml"},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"Set Parameters"},{"line_number":23,"context_line":"^^^^^^^^^^^^^^"},{"line_number":24,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f493fa4_15daffe7","line":21,"in_reply_to":"1f493fa4_28dfe7d6","updated":"2020-05-06 19:05:37.000000000","message":"Yeah - Greg and I figured if someone wants to deploy with novajoin, they can pull an older copy of the documentation and follow that.\n\nGreg\u0027s idea was to keep the documentation we introduce here specific to tripleo-ipa and only give readers what they need to know to deploy things with tripleo-ipa.","commit_id":"07374e9e3e81a2390e54ba0e575cf59a3dfbc6ca"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"648c28e7c40444cf2b35c7b10b3802851357120a","unresolved":false,"context_lines":[{"line_number":29,"context_line":"parameter_defaults section::"},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"    parameter_defaults:"},{"line_number":32,"context_line":"      DnsSearchDomains: [\"example.com\"]"},{"line_number":33,"context_line":"      IdMServer: ipa.example.com"},{"line_number":34,"context_line":"      IdMDomain: EXAMPLE.COM"},{"line_number":35,"context_line":"      DnsServers: [\"192.168.1.13\"]"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f493fa4_489233f8","line":32,"range":{"start_line":32,"start_character":6,"end_line":32,"end_character":39},"updated":"2020-05-06 15:01:49.000000000","message":"There should be a note about the appropriate setting when the IdMDomain is different from the CloudDomain","commit_id":"07374e9e3e81a2390e54ba0e575cf59a3dfbc6ca"},{"author":{"_account_id":5046,"name":"Lance 
Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3061ae4efc97b1b632751ba579da58aaa1a2ecd7","unresolved":false,"context_lines":[{"line_number":29,"context_line":"parameter_defaults section::"},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"    parameter_defaults:"},{"line_number":32,"context_line":"      DnsSearchDomains: [\"example.com\"]"},{"line_number":33,"context_line":"      IdMServer: ipa.example.com"},{"line_number":34,"context_line":"      IdMDomain: EXAMPLE.COM"},{"line_number":35,"context_line":"      DnsServers: [\"192.168.1.13\"]"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f493fa4_155f9f41","line":32,"range":{"start_line":32,"start_character":6,"end_line":32,"end_character":39},"in_reply_to":"1f493fa4_489233f8","updated":"2020-05-06 19:05:37.000000000","message":"Done","commit_id":"07374e9e3e81a2390e54ba0e575cf59a3dfbc6ca"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"648c28e7c40444cf2b35c7b10b3802851357120a","unresolved":false,"context_lines":[{"line_number":30,"context_line":""},{"line_number":31,"context_line":"    parameter_defaults:"},{"line_number":32,"context_line":"      DnsSearchDomains: [\"example.com\"]"},{"line_number":33,"context_line":"      IdMServer: ipa.example.com"},{"line_number":34,"context_line":"      IdMDomain: EXAMPLE.COM"},{"line_number":35,"context_line":"      DnsServers: [\"192.168.1.13\"]"},{"line_number":36,"context_line":"      CloudDomain: example.com"},{"line_number":37,"context_line":"      CloudName: overcloud.example.com"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f493fa4_48fd1339","line":34,"range":{"start_line":33,"start_character":6,"end_line":34,"end_character":28},"updated":"2020-05-06 15:01:49.000000000","message":"When Greg\u0027s patch merges, these two parameters will be optional.  
They should in general be read from the undercloud - and need not be doc\u0027ed here.","commit_id":"07374e9e3e81a2390e54ba0e575cf59a3dfbc6ca"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3061ae4efc97b1b632751ba579da58aaa1a2ecd7","unresolved":false,"context_lines":[{"line_number":30,"context_line":""},{"line_number":31,"context_line":"    parameter_defaults:"},{"line_number":32,"context_line":"      DnsSearchDomains: [\"example.com\"]"},{"line_number":33,"context_line":"      IdMServer: ipa.example.com"},{"line_number":34,"context_line":"      IdMDomain: EXAMPLE.COM"},{"line_number":35,"context_line":"      DnsServers: [\"192.168.1.13\"]"},{"line_number":36,"context_line":"      CloudDomain: example.com"},{"line_number":37,"context_line":"      CloudName: overcloud.example.com"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f493fa4_b0feb902","line":34,"range":{"start_line":33,"start_character":6,"end_line":34,"end_character":28},"in_reply_to":"1f493fa4_48fd1339","updated":"2020-05-06 19:05:37.000000000","message":"This patch? 
\n\nhttps://review.opendev.org/#/c/725262/2","commit_id":"07374e9e3e81a2390e54ba0e575cf59a3dfbc6ca"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"648c28e7c40444cf2b35c7b10b3802851357120a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"1f493fa4_7c8c1035","line":60,"updated":"2020-05-06 15:01:49.000000000","message":"Once again, a verification step seems like a good idea.\n\n-- openstack endpoint list","commit_id":"07374e9e3e81a2390e54ba0e575cf59a3dfbc6ca"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3061ae4efc97b1b632751ba579da58aaa1a2ecd7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"1f493fa4_35545b21","line":60,"in_reply_to":"1f493fa4_7c8c1035","updated":"2020-05-06 19:05:37.000000000","message":"Done","commit_id":"07374e9e3e81a2390e54ba0e575cf59a3dfbc6ca"}],"deploy-guide/source/features/tls-undercloud.rst":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1f43b1bbc39850aa9e9e23f006e0849927390eb7","unresolved":false,"context_lines":[{"line_number":9,"context_line":""},{"line_number":10,"context_line":"Set DNS in /etc/resolv.conf::"},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"    search $CLOUD_DOMAIN $IPA_DOMAIN"},{"line_number":13,"context_line":"    nameserver $FREEIPA_IP_ADDRESS"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"Install TLS-e packages"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f493fa4_3413d8ba","line":12,"range":{"start_line":12,"start_character":26,"end_line":12,"end_character":36},"updated":"2020-05-05 14:40:41.000000000","message":"We need to remember to update the doc to include the use-case behind this.\n\nIt\u0027s common for deployers to have their DNS server in a separate 
domain from their cloud.","commit_id":"b5785fb4c90c2e05fd1a33097cc92293a2bb194b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1f43b1bbc39850aa9e9e23f006e0849927390eb7","unresolved":false,"context_lines":[{"line_number":10,"context_line":"Set DNS in /etc/resolv.conf::"},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"    search $CLOUD_DOMAIN $IPA_DOMAIN"},{"line_number":13,"context_line":"    nameserver $FREEIPA_IP_ADDRESS"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"Install TLS-e packages"},{"line_number":16,"context_line":"^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f493fa4_f4d97022","line":13,"updated":"2020-05-05 14:40:41.000000000","message":"These should be replaced with realistic examples.","commit_id":"b5785fb4c90c2e05fd1a33097cc92293a2bb194b"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"634afe0bc23a6cef62e7f00613fc8850bfc7f480","unresolved":false,"context_lines":[{"line_number":19,"context_line":""},{"line_number":20,"context_line":"- python3-ipalib"},{"line_number":21,"context_line":"- python3-ipaclient"},{"line_number":22,"context_line":"- krb5-devel"},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"For python2 installations (Train and earlier):"},{"line_number":25,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f493fa4_17d7be25","line":22,"updated":"2020-05-05 14:56:18.000000000","message":"Do we really need to manually install these? 
I think we have everything in the dependencies, or we could fix the rpm package.","commit_id":"b5785fb4c90c2e05fd1a33097cc92293a2bb194b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1f43b1bbc39850aa9e9e23f006e0849927390eb7","unresolved":false,"context_lines":[{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Enroll the undercloud as a FreeIPA client"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Enrollment with Novajoin"},{"line_number":37,"context_line":"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\""},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"Using novajoin::"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f493fa4_745ba086","line":36,"updated":"2020-05-05 14:40:41.000000000","message":"Should we highlight that even though novajoin works in some versions, we don\u0027t recommend using it in train or later releases?","commit_id":"b5785fb4c90c2e05fd1a33097cc92293a2bb194b"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"634afe0bc23a6cef62e7f00613fc8850bfc7f480","unresolved":false,"context_lines":[{"line_number":59,"context_line":"    IPA_ADMIN_PASSWORD: \"{{ ipa_password }}\""},{"line_number":60,"context_line":"    IPA_SERVER_HOSTNAME: \"{{ ipa_nameserver }}\""},{"line_number":61,"context_line":"    UNDERCLOUD_FQDN: \"{{ undercloud_hostname }}\""},{"line_number":62,"context_line":"    USER: stack"},{"line_number":63,"context_line":"    CLOUD_DOMAIN: \"{{ cloud_domain }}\""},{"line_number":64,"context_line":"    ansible-playbook"},{"line_number":65,"context_line":"    --ssh-extra-args \"-o StrictHostKeyChecking\u003dno -o UserKnownHostsFile\u003d/dev/null\""}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f493fa4_77b562ee","line":62,"updated":"2020-05-05 14:56:18.000000000","message":"This might not be the stack 
user, in the CI I\u0027m using the zuul user.\n\nI\u0027m not sure why, but the user needs to have ssh setup so that it can login to localhost with that user.","commit_id":"b5785fb4c90c2e05fd1a33097cc92293a2bb194b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1f43b1bbc39850aa9e9e23f006e0849927390eb7","unresolved":false,"context_lines":[{"line_number":63,"context_line":"    CLOUD_DOMAIN: \"{{ cloud_domain }}\""},{"line_number":64,"context_line":"    ansible-playbook"},{"line_number":65,"context_line":"    --ssh-extra-args \"-o StrictHostKeyChecking\u003dno -o UserKnownHostsFile\u003d/dev/null\""},{"line_number":66,"context_line":"    /usr/share/ansible/tripleo-playbooks/undercloud-ipa-install.yaml"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"Configure the Undercloud"},{"line_number":69,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f493fa4_74e9e07e","line":66,"updated":"2020-05-05 14:40:41.000000000","message":"Need to fix the formatting of this and remove the ansible variables.","commit_id":"b5785fb4c90c2e05fd1a33097cc92293a2bb194b"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"634afe0bc23a6cef62e7f00613fc8850bfc7f480","unresolved":false,"context_lines":[{"line_number":71,"context_line":"For underclouds using novajoin (stable/stein or earlier) set::"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"    enable_novajoin \u003d True"},{"line_number":74,"context_line":"    ipa_otp \u003d $IPA_OTP"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"For underclouds not using novajoin, just set::"},{"line_number":77,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f493fa4_d71d56be","line":74,"updated":"2020-05-05 14:56:18.000000000","message":"You need to get this 
OTP by running novajoin-ipa-setup, which does most of the things undercloud-ipa-install.yaml does.","commit_id":"b5785fb4c90c2e05fd1a33097cc92293a2bb194b"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"648c28e7c40444cf2b35c7b10b3802851357120a","unresolved":false,"context_lines":[{"line_number":1,"context_line":"TLS Undercloud"},{"line_number":2,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":3,"context_line":""},{"line_number":4,"context_line":"Before Undercloud Installation"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f493fa4_dcaa8483","line":1,"range":{"start_line":1,"start_character":0,"end_line":1,"end_character":14},"updated":"2020-05-06 15:01:49.000000000","message":"Should this be TLS-E Undercloud ?","commit_id":"07374e9e3e81a2390e54ba0e575cf59a3dfbc6ca"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"e644099495b994e82b6ec6c941145637c02b67af","unresolved":false,"context_lines":[{"line_number":1,"context_line":"TLS Undercloud"},{"line_number":2,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":3,"context_line":""},{"line_number":4,"context_line":"Before Undercloud Installation"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f493fa4_e60d2b91","line":1,"range":{"start_line":1,"start_character":0,"end_line":1,"end_character":14},"in_reply_to":"1f493fa4_303bc9d1","updated":"2020-05-06 19:27:44.000000000","message":"That\u0027s a good point.  
TLS-E is really an overcloud thing.\nWhat you are describing here though are things that you need to do on the undercloud to prepare for deploying TLS-E on the undercloud.","commit_id":"07374e9e3e81a2390e54ba0e575cf59a3dfbc6ca"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3061ae4efc97b1b632751ba579da58aaa1a2ecd7","unresolved":false,"context_lines":[{"line_number":1,"context_line":"TLS Undercloud"},{"line_number":2,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":3,"context_line":""},{"line_number":4,"context_line":"Before Undercloud Installation"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f493fa4_303bc9d1","line":1,"range":{"start_line":1,"start_character":0,"end_line":1,"end_character":14},"in_reply_to":"1f493fa4_dcaa8483","updated":"2020-05-06 19:05:37.000000000","message":"Sure - it\u0027s just TLS in the undercloud though, right?\n\nTLS-e is really an overcloud technique, isn\u0027t it?","commit_id":"07374e9e3e81a2390e54ba0e575cf59a3dfbc6ca"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"648c28e7c40444cf2b35c7b10b3802851357120a","unresolved":false,"context_lines":[{"line_number":46,"context_line":"    --domain {{ cloud_domain }}"},{"line_number":47,"context_line":"    --hostname {{ undercloud_hostname }}"},{"line_number":48,"context_line":"    --precreate"},{"line_number":49,"context_line":""},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Enrollment with tripleo-ipa"},{"line_number":52,"context_line":"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\""}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f493fa4_fcbf80f9","line":49,"updated":"2020-05-06 15:01:49.000000000","message":"See comment below, but mention that the result of this is an OTP  which can be added to the 
undercloud.conf.","commit_id":"07374e9e3e81a2390e54ba0e575cf59a3dfbc6ca"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3061ae4efc97b1b632751ba579da58aaa1a2ecd7","unresolved":false,"context_lines":[{"line_number":46,"context_line":"    --domain {{ cloud_domain }}"},{"line_number":47,"context_line":"    --hostname {{ undercloud_hostname }}"},{"line_number":48,"context_line":"    --precreate"},{"line_number":49,"context_line":""},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Enrollment with tripleo-ipa"},{"line_number":52,"context_line":"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\""}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f493fa4_a604c3c7","line":49,"in_reply_to":"1f493fa4_fcbf80f9","updated":"2020-05-06 19:05:37.000000000","message":"Done","commit_id":"07374e9e3e81a2390e54ba0e575cf59a3dfbc6ca"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"648c28e7c40444cf2b35c7b10b3802851357120a","unresolved":false,"context_lines":[{"line_number":64,"context_line":"    ansible-playbook"},{"line_number":65,"context_line":"    --ssh-extra-args \"-o StrictHostKeyChecking\u003dno -o UserKnownHostsFile\u003d/dev/null\""},{"line_number":66,"context_line":"    /usr/share/ansible/tripleo-playbooks/undercloud-ipa-install.yaml"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"Configure the Undercloud"},{"line_number":69,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":70,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f493fa4_1cf86cc2","line":67,"updated":"2020-05-06 15:01:49.000000000","message":"At the end of this playbook, the undercloud should be enrolled as an ipa client.  
We should mention this, and also mention a couple of small steps to verify -- like a kinit for instance.","commit_id":"07374e9e3e81a2390e54ba0e575cf59a3dfbc6ca"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3061ae4efc97b1b632751ba579da58aaa1a2ecd7","unresolved":false,"context_lines":[{"line_number":64,"context_line":"    ansible-playbook"},{"line_number":65,"context_line":"    --ssh-extra-args \"-o StrictHostKeyChecking\u003dno -o UserKnownHostsFile\u003d/dev/null\""},{"line_number":66,"context_line":"    /usr/share/ansible/tripleo-playbooks/undercloud-ipa-install.yaml"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"Configure the Undercloud"},{"line_number":69,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":70,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f493fa4_46685f86","line":67,"in_reply_to":"1f493fa4_1cf86cc2","updated":"2020-05-06 19:05:37.000000000","message":"Done","commit_id":"07374e9e3e81a2390e54ba0e575cf59a3dfbc6ca"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"648c28e7c40444cf2b35c7b10b3802851357120a","unresolved":false,"context_lines":[{"line_number":67,"context_line":""},{"line_number":68,"context_line":"Configure the Undercloud"},{"line_number":69,"context_line":"^^^^^^^^^^^^^^^^^^^^^^^^"},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"For underclouds using novajoin (stable/stein or earlier) set::"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"    enable_novajoin \u003d True"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f493fa4_1cdcec72","line":70,"updated":"2020-05-06 15:01:49.000000000","message":"I think this is a little confusing.  
It may be better to have two sections \"Enrollment with Novajoin\" and \"Enrollment with Tripleo-ipa\", and include the undercloud.conf changes in there.\n\nIt will be interesting to see -- and you should anticipate -- how this changes once we support scenario 2.","commit_id":"07374e9e3e81a2390e54ba0e575cf59a3dfbc6ca"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"648c28e7c40444cf2b35c7b10b3802851357120a","unresolved":false,"context_lines":[{"line_number":76,"context_line":"For underclouds not using novajoin, just set::"},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"    undercloud_nameservers \u003d $FREEIPA_IP_ADDRESS"},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"Deploy the Undercloud"},{"line_number":81,"context_line":"^^^^^^^^^^^^^^^^^^^^^"},{"line_number":82,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f493fa4_1c4a2c26","line":79,"updated":"2020-05-06 15:01:49.000000000","message":"You are missing the cloud_name setting that is needed for both.","commit_id":"07374e9e3e81a2390e54ba0e575cf59a3dfbc6ca"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3061ae4efc97b1b632751ba579da58aaa1a2ecd7","unresolved":false,"context_lines":[{"line_number":76,"context_line":"For underclouds not using novajoin, just set::"},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"    undercloud_nameservers \u003d $FREEIPA_IP_ADDRESS"},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"Deploy the Undercloud"},{"line_number":81,"context_line":"^^^^^^^^^^^^^^^^^^^^^"},{"line_number":82,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f493fa4_26739382","line":79,"in_reply_to":"1f493fa4_1c4a2c26","updated":"2020-05-06 
19:05:37.000000000","message":"Done","commit_id":"07374e9e3e81a2390e54ba0e575cf59a3dfbc6ca"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"648c28e7c40444cf2b35c7b10b3802851357120a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"1f493fa4_9cbbdce3","line":86,"updated":"2020-05-06 15:01:49.000000000","message":"A verification section seems like a good idea here, before folks steam on to the rest of the deployment.\n\n-- kinit\n-- ls /etc/novajoin/krb5.conf\n-- klist of the keytab\n\n-- containers/processes running for novajoin","commit_id":"07374e9e3e81a2390e54ba0e575cf59a3dfbc6ca"}]}
