)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":28558,"name":"Ghada Khalil","email":"ghada.khalil@windriver.com","username":"gkhalil"},"change_message_id":"28fb33b4e52715a4bd762562b3be78e48dafd119","unresolved":true,"context_lines":[{"line_number":9,"context_line":"This spec proposes the adoption of cert-manager for platform"},{"line_number":10,"context_line":"certificates since system bootstrap."},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"Story: 2009811"},{"line_number":13,"context_line":"Signed-off-by: Rei Oliveira \u003cReinildes.JoseMateusOliveira@windriver.com\u003e"},{"line_number":14,"context_line":"Change-Id: Icb7b6d1a6f53d018e353afb445435786d1c97794"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":3,"id":"a2434be6_e41243db","line":12,"range":{"start_line":12,"start_character":0,"end_line":12,"end_character":14},"updated":"2022-01-31 23:38:37.000000000","message":"Include a second line with the task ID after the Story ID\nTask: 44373","commit_id":"f31e5dbddc0195adaa27174765975bbbc63f0e70"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"3ec8bf25b9615e7bf7270a0739f9bf2b5a57b778","unresolved":false,"context_lines":[{"line_number":9,"context_line":"This spec proposes the adoption of cert-manager for platform"},{"line_number":10,"context_line":"certificates since system bootstrap."},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"Story: 2009811"},{"line_number":13,"context_line":"Signed-off-by: Rei Oliveira \u003cReinildes.JoseMateusOliveira@windriver.com\u003e"},{"line_number":14,"context_line":"Change-Id: 
Icb7b6d1a6f53d018e353afb445435786d1c97794"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":3,"id":"2b2e2154_47368533","line":12,"range":{"start_line":12,"start_character":0,"end_line":12,"end_character":14},"in_reply_to":"53f1a53f_3018d4fd","updated":"2022-02-01 13:29:16.000000000","message":"Done","commit_id":"f31e5dbddc0195adaa27174765975bbbc63f0e70"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"41d80426bf48f706e9035c37cb328d580bde2c6b","unresolved":true,"context_lines":[{"line_number":9,"context_line":"This spec proposes the adoption of cert-manager for platform"},{"line_number":10,"context_line":"certificates since system bootstrap."},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"Story: 2009811"},{"line_number":13,"context_line":"Signed-off-by: Rei Oliveira \u003cReinildes.JoseMateusOliveira@windriver.com\u003e"},{"line_number":14,"context_line":"Change-Id: Icb7b6d1a6f53d018e353afb445435786d1c97794"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":3,"id":"53f1a53f_3018d4fd","line":12,"range":{"start_line":12,"start_character":0,"end_line":12,"end_character":14},"in_reply_to":"a2434be6_e41243db","updated":"2022-02-01 13:28:31.000000000","message":"Done! .... 
I only hadn\u0027t added it, because looking around the spec repo for examples, it didn\u0027t seem like a practice.","commit_id":"f31e5dbddc0195adaa27174765975bbbc63f0e70"},{"author":{"_account_id":28676,"name":"Andy Ning","email":"andy.ning@windriver.com","username":"andy.wrs"},"change_message_id":"d74d48f9cf352b93ccb9956f25f0d07618ffde0e","unresolved":true,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Spec for platform certificates with cert-manager"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"This spec proposes the adoption of cert-manager for platform"},{"line_number":10,"context_line":"certificates since system bootstrap."},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"Story: 2009811"},{"line_number":13,"context_line":"Task: 44373"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"4b5467b6_34471ae3","line":10,"range":{"start_line":9,"start_character":52,"end_line":10,"end_character":12},"updated":"2022-02-02 17:21:35.000000000","message":"Probably \"platform certificate management\"","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"dcc18a5cdd64590f6117f2caebe6af20507a9081","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Spec for platform certificates with cert-manager"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"This spec proposes the adoption of cert-manager for platform"},{"line_number":10,"context_line":"certificates since system bootstrap."},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"Story: 2009811"},{"line_number":13,"context_line":"Task: 
44373"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"34a969c6_c7006cea","line":10,"range":{"start_line":9,"start_character":52,"end_line":10,"end_character":12},"in_reply_to":"4b5467b6_34471ae3","updated":"2022-02-02 22:19:05.000000000","message":"Done","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":26026,"name":"Greg Waines","email":"greg.waines@windriver.com","username":"gwaines"},"change_message_id":"66efa9f8ec2101a0435e86a6350a8c544af9e86c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"f43c94a6_58445c44","updated":"2022-02-02 19:59:08.000000000","message":"Initial comments.","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":26026,"name":"Greg Waines","email":"greg.waines@windriver.com","username":"gwaines"},"change_message_id":"b6f24a22e8a977ce6c4ea4511c3118ba079f5cb0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"0b85ae50_3bee0dda","updated":"2022-02-03 19:36:45.000000000","message":"Adding other TSC members to review.","commit_id":"f2679bbd1a4f1bc97f1a789c3818b65fd7f1396c"},{"author":{"_account_id":26026,"name":"Greg Waines","email":"greg.waines@windriver.com","username":"gwaines"},"change_message_id":"165d42aa6f0f2ebe820b122a0058afe790a02886","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"c4445e8a_685c7e14","updated":"2022-02-03 19:36:20.000000000","message":"updated version looks good.","commit_id":"f2679bbd1a4f1bc97f1a789c3818b65fd7f1396c"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"45237d584c1d3cfecabaf12b120e9682ad7bb929","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":8,"id":"e6dc61ce_0b39bdaf","updated":"2022-03-16 18:59:03.000000000","message":"Hello folks, \n\nI 
have addressed all comments in this review so far.\n\nAny other concerns? Otherwise can we get this approved and merged?\n\nThanks","commit_id":"c6bd4dd17ec11423705cdff2c1f8b99c633a6125"}],"doc/source/specs/stx-7.0/approved/security_2009811_default_certificate_configuration_to_use_cert-manager.rst":[{"author":{"_account_id":26026,"name":"Greg Waines","email":"greg.waines@windriver.com","username":"gwaines"},"change_message_id":"66efa9f8ec2101a0435e86a6350a8c544af9e86c","unresolved":true,"context_lines":[{"line_number":17,"context_line":"Key Objectives:"},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"    * Enable HTTPS by default on all core platform APIs"},{"line_number":20,"context_line":"    * Use cert-manager for managing all default platform certificates"},{"line_number":21,"context_line":"    * Use a common/single auto-generated (via cert-manager) local root CA for"},{"line_number":22,"context_line":"      signing all default certificates"},{"line_number":23,"context_line":"    * Use the same naming and certificate hierarchy"}],"source_content_type":"text/x-rst","patch_set":4,"id":"feaa2682_f3b12c1f","line":20,"range":{"start_line":20,"start_character":57,"end_line":20,"end_character":69},"updated":"2022-02-02 19:59:08.000000000","message":"certificates, in order to simplify certificate management (e.g. 
auto-renewals)","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"dcc18a5cdd64590f6117f2caebe6af20507a9081","unresolved":false,"context_lines":[{"line_number":17,"context_line":"Key Objectives:"},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"    * Enable HTTPS by default on all core platform APIs"},{"line_number":20,"context_line":"    * Use cert-manager for managing all default platform certificates"},{"line_number":21,"context_line":"    * Use a common/single auto-generated (via cert-manager) local root CA for"},{"line_number":22,"context_line":"      signing all default certificates"},{"line_number":23,"context_line":"    * Use the same naming and certificate hierarchy"}],"source_content_type":"text/x-rst","patch_set":4,"id":"91209dd9_287153f0","line":20,"range":{"start_line":20,"start_character":57,"end_line":20,"end_character":69},"in_reply_to":"feaa2682_f3b12c1f","updated":"2022-02-02 22:19:05.000000000","message":"Done","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":26026,"name":"Greg Waines","email":"greg.waines@windriver.com","username":"gwaines"},"change_message_id":"66efa9f8ec2101a0435e86a6350a8c544af9e86c","unresolved":true,"context_lines":[{"line_number":19,"context_line":"    * Enable HTTPS by default on all core platform APIs"},{"line_number":20,"context_line":"    * Use cert-manager for managing all default platform certificates"},{"line_number":21,"context_line":"    * Use a common/single auto-generated (via cert-manager) local root CA for"},{"line_number":22,"context_line":"      signing all default certificates"},{"line_number":23,"context_line":"    * Use the same naming and certificate hierarchy"},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"Note: This story is a 
continuation of"}],"source_content_type":"text/x-rst","patch_set":4,"id":"630c6e02_f5dafdba","line":22,"range":{"start_line":22,"start_character":26,"end_line":22,"end_character":38},"updated":"2022-02-02 19:59:08.000000000","message":"certificates, such that external clients need only trust a single additional Root CA for accessing all StarlingX APIs securely","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"dcc18a5cdd64590f6117f2caebe6af20507a9081","unresolved":false,"context_lines":[{"line_number":19,"context_line":"    * Enable HTTPS by default on all core platform APIs"},{"line_number":20,"context_line":"    * Use cert-manager for managing all default platform certificates"},{"line_number":21,"context_line":"    * Use a common/single auto-generated (via cert-manager) local root CA for"},{"line_number":22,"context_line":"      signing all default certificates"},{"line_number":23,"context_line":"    * Use the same naming and certificate hierarchy"},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"Note: This story is a continuation of"}],"source_content_type":"text/x-rst","patch_set":4,"id":"23e4e161_b5e3870e","line":22,"range":{"start_line":22,"start_character":26,"end_line":22,"end_character":38},"in_reply_to":"630c6e02_f5dafdba","updated":"2022-02-02 22:19:05.000000000","message":"Done","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":26026,"name":"Greg Waines","email":"greg.waines@windriver.com","username":"gwaines"},"change_message_id":"66efa9f8ec2101a0435e86a6350a8c544af9e86c","unresolved":true,"context_lines":[{"line_number":20,"context_line":"    * Use cert-manager for managing all default platform certificates"},{"line_number":21,"context_line":"    * Use a common/single auto-generated (via cert-manager) local 
root CA for"},{"line_number":22,"context_line":"      signing all default certificates"},{"line_number":23,"context_line":"    * Use the same naming and certificate hierarchy"},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"Note: This story is a continuation of"},{"line_number":26,"context_line":"https://storyboard.openstack.org/#!/story/2007361 which introduced the use"}],"source_content_type":"text/x-rst","patch_set":4,"id":"b7ebba8e_ef0ad48c","line":23,"range":{"start_line":23,"start_character":0,"end_line":23,"end_character":51},"updated":"2022-02-02 19:59:08.000000000","message":"Use the same naming and certificate hierarchy as what ?","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"3ced04ac7fdfeb2b6746ba64b19565ddc3df2085","unresolved":false,"context_lines":[{"line_number":20,"context_line":"    * Use cert-manager for managing all default platform certificates"},{"line_number":21,"context_line":"    * Use a common/single auto-generated (via cert-manager) local root CA for"},{"line_number":22,"context_line":"      signing all default certificates"},{"line_number":23,"context_line":"    * Use the same naming and certificate hierarchy"},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"Note: This story is a continuation of"},{"line_number":26,"context_line":"https://storyboard.openstack.org/#!/story/2007361 which introduced the use"}],"source_content_type":"text/x-rst","patch_set":4,"id":"6a5a23b8_357170c5","line":23,"range":{"start_line":23,"start_character":0,"end_line":23,"end_character":51},"in_reply_to":"84a57483_d09a49e8","updated":"2022-02-03 20:04:10.000000000","message":"Ack","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":26026,"name":"Greg 
Waines","email":"greg.waines@windriver.com","username":"gwaines"},"change_message_id":"f39bbf5788f271200993810069552fa3c06344b3","unresolved":true,"context_lines":[{"line_number":20,"context_line":"    * Use cert-manager for managing all default platform certificates"},{"line_number":21,"context_line":"    * Use a common/single auto-generated (via cert-manager) local root CA for"},{"line_number":22,"context_line":"      signing all default certificates"},{"line_number":23,"context_line":"    * Use the same naming and certificate hierarchy"},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"Note: This story is a continuation of"},{"line_number":26,"context_line":"https://storyboard.openstack.org/#!/story/2007361 which introduced the use"}],"source_content_type":"text/x-rst","patch_set":4,"id":"84a57483_d09a49e8","line":23,"range":{"start_line":23,"start_character":0,"end_line":23,"end_character":51},"in_reply_to":"87e355be_de1ed00c","updated":"2022-02-03 19:32:35.000000000","message":"\"Use the same naming and certificate hierarchy in system and subclouds.\"\n\nsounds good.","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"dcc18a5cdd64590f6117f2caebe6af20507a9081","unresolved":true,"context_lines":[{"line_number":20,"context_line":"    * Use cert-manager for managing all default platform certificates"},{"line_number":21,"context_line":"    * Use a common/single auto-generated (via cert-manager) local root CA for"},{"line_number":22,"context_line":"      signing all default certificates"},{"line_number":23,"context_line":"    * Use the same naming and certificate hierarchy"},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"Note: This story is a continuation 
of"},{"line_number":26,"context_line":"https://storyboard.openstack.org/#!/story/2007361 which introduced the use"}],"source_content_type":"text/x-rst","patch_set":4,"id":"87e355be_de1ed00c","line":23,"range":{"start_line":23,"start_character":0,"end_line":23,"end_character":51},"in_reply_to":"b7ebba8e_ef0ad48c","updated":"2022-02-02 22:19:05.000000000","message":"Use the same naming and certificate hierarchy in system and subclouds\n\nDoes that sound good? I can remove item as well if it\u0027s not adding anything.","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":28676,"name":"Andy Ning","email":"andy.ning@windriver.com","username":"andy.wrs"},"change_message_id":"d74d48f9cf352b93ccb9956f25f0d07618ffde0e","unresolved":true,"context_lines":[{"line_number":24,"context_line":""},{"line_number":25,"context_line":"Note: This story is a continuation of"},{"line_number":26,"context_line":"https://storyboard.openstack.org/#!/story/2007361 which introduced the use"},{"line_number":27,"context_line":"for cert-manager for managing REST API, registry, and oidc certificates."},{"line_number":28,"context_line":"In stx.6.0, the default certificate configuration does not use cert-manager"},{"line_number":29,"context_line":"on fresh installs. 
The user has to configure the system explicitly to"},{"line_number":30,"context_line":"migrate to cert-manager."}],"source_content_type":"text/x-rst","patch_set":4,"id":"5ff44fb2_4e1fd94c","line":27,"range":{"start_line":27,"start_character":0,"end_line":27,"end_character":3},"updated":"2022-02-02 17:21:35.000000000","message":"of","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"dcc18a5cdd64590f6117f2caebe6af20507a9081","unresolved":false,"context_lines":[{"line_number":24,"context_line":""},{"line_number":25,"context_line":"Note: This story is a continuation of"},{"line_number":26,"context_line":"https://storyboard.openstack.org/#!/story/2007361 which introduced the use"},{"line_number":27,"context_line":"for cert-manager for managing REST API, registry, and oidc certificates."},{"line_number":28,"context_line":"In stx.6.0, the default certificate configuration does not use cert-manager"},{"line_number":29,"context_line":"on fresh installs. 
The user has to configure the system explicitly to"},{"line_number":30,"context_line":"migrate to cert-manager."}],"source_content_type":"text/x-rst","patch_set":4,"id":"a18ab5f5_4d05b309","line":27,"range":{"start_line":27,"start_character":0,"end_line":27,"end_character":3},"in_reply_to":"5ff44fb2_4e1fd94c","updated":"2022-02-02 22:19:05.000000000","message":"Done","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":26026,"name":"Greg Waines","email":"greg.waines@windriver.com","username":"gwaines"},"change_message_id":"66efa9f8ec2101a0435e86a6350a8c544af9e86c","unresolved":true,"context_lines":[{"line_number":25,"context_line":"Note: This story is a continuation of"},{"line_number":26,"context_line":"https://storyboard.openstack.org/#!/story/2007361 which introduced the use"},{"line_number":27,"context_line":"for cert-manager for managing REST API, registry, and oidc certificates."},{"line_number":28,"context_line":"In stx.6.0, the default certificate configuration does not use cert-manager"},{"line_number":29,"context_line":"on fresh installs. The user has to configure the system explicitly to"},{"line_number":30,"context_line":"migrate to cert-manager."},{"line_number":31,"context_line":""},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"Problem description"}],"source_content_type":"text/x-rst","patch_set":4,"id":"bfaaf5ce_eb838faf","line":30,"range":{"start_line":28,"start_character":0,"end_line":30,"end_character":24},"updated":"2022-02-02 19:59:08.000000000","message":"minor reword suggestion:\n\nIn stx.6.0, \n   - only the K8S API and registry.local API is configured as HTTPS by default;\n     the StarlingX REST APIs and Horizon are configured as HTTP by default,\n   - the default certificate configurations do not use cert-manager\n     on fresh installs. 
The user has to configure the system explicitly \n     to use cert-manager to create/manage platform certificates.","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"dcc18a5cdd64590f6117f2caebe6af20507a9081","unresolved":false,"context_lines":[{"line_number":25,"context_line":"Note: This story is a continuation of"},{"line_number":26,"context_line":"https://storyboard.openstack.org/#!/story/2007361 which introduced the use"},{"line_number":27,"context_line":"for cert-manager for managing REST API, registry, and oidc certificates."},{"line_number":28,"context_line":"In stx.6.0, the default certificate configuration does not use cert-manager"},{"line_number":29,"context_line":"on fresh installs. The user has to configure the system explicitly to"},{"line_number":30,"context_line":"migrate to cert-manager."},{"line_number":31,"context_line":""},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"Problem description"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7fe3376d_13223f20","line":30,"range":{"start_line":28,"start_character":0,"end_line":30,"end_character":24},"in_reply_to":"bfaaf5ce_eb838faf","updated":"2022-02-02 22:19:05.000000000","message":"Done","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":28676,"name":"Andy Ning","email":"andy.ning@windriver.com","username":"andy.wrs"},"change_message_id":"d74d48f9cf352b93ccb9956f25f0d07618ffde0e","unresolved":true,"context_lines":[{"line_number":34,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"By default, platform certificates (https/rest-api and registry.local 
certificates)"},{"line_number":37,"context_line":"are self-signed and have no organizational relationship with the platform."},{"line_number":38,"context_line":"They are also static and need to be replaced manually via `system"},{"line_number":39,"context_line":"certificate-install` when they approach expiry or manually migrated to"},{"line_number":40,"context_line":"cert-manager [2]_ to be auto renewable."}],"source_content_type":"text/x-rst","patch_set":4,"id":"c3eb4377_c3238f25","line":37,"range":{"start_line":37,"start_character":4,"end_line":37,"end_character":16},"updated":"2022-02-02 17:21:35.000000000","message":"internally generated and self-signed","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"dcc18a5cdd64590f6117f2caebe6af20507a9081","unresolved":false,"context_lines":[{"line_number":34,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"By default, platform certificates (https/rest-api and registry.local certificates)"},{"line_number":37,"context_line":"are self-signed and have no organizational relationship with the platform."},{"line_number":38,"context_line":"They are also static and need to be replaced manually via `system"},{"line_number":39,"context_line":"certificate-install` when they approach expiry or manually migrated to"},{"line_number":40,"context_line":"cert-manager [2]_ to be auto renewable."}],"source_content_type":"text/x-rst","patch_set":4,"id":"cdb87546_f0a20dab","line":37,"range":{"start_line":37,"start_character":4,"end_line":37,"end_character":16},"in_reply_to":"c3eb4377_c3238f25","updated":"2022-02-02 
22:19:05.000000000","message":"Done","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":26026,"name":"Greg Waines","email":"greg.waines@windriver.com","username":"gwaines"},"change_message_id":"66efa9f8ec2101a0435e86a6350a8c544af9e86c","unresolved":true,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"By default, platform certificates (https/rest-api and registry.local certificates)"},{"line_number":37,"context_line":"are self-signed and have no organizational relationship with the platform."},{"line_number":38,"context_line":"They are also static and need to be replaced manually via `system"},{"line_number":39,"context_line":"certificate-install` when they approach expiry or manually migrated to"},{"line_number":40,"context_line":"cert-manager [2]_ to be auto renewable."},{"line_number":41,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"26847ca0_aba44ee1","line":38,"range":{"start_line":38,"start_character":36,"end_line":38,"end_character":45},"updated":"2022-02-02 19:59:08.000000000","message":"re-configured","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"dcc18a5cdd64590f6117f2caebe6af20507a9081","unresolved":false,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"By default, platform certificates (https/rest-api and registry.local certificates)"},{"line_number":37,"context_line":"are self-signed and have no organizational relationship with the platform."},{"line_number":38,"context_line":"They are also static and need to be replaced manually via `system"},{"line_number":39,"context_line":"certificate-install` when they approach expiry or manually migrated to"},{"line_number":40,"context_line":"cert-manager [2]_ to be auto 
renewable."},{"line_number":41,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"1aa162df_b5e55626","line":38,"range":{"start_line":38,"start_character":36,"end_line":38,"end_character":45},"in_reply_to":"26847ca0_aba44ee1","updated":"2022-02-02 22:19:05.000000000","message":"Done","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":28676,"name":"Andy Ning","email":"andy.ning@windriver.com","username":"andy.wrs"},"change_message_id":"d74d48f9cf352b93ccb9956f25f0d07618ffde0e","unresolved":true,"context_lines":[{"line_number":36,"context_line":"By default, platform certificates (https/rest-api and registry.local certificates)"},{"line_number":37,"context_line":"are self-signed and have no organizational relationship with the platform."},{"line_number":38,"context_line":"They are also static and need to be replaced manually via `system"},{"line_number":39,"context_line":"certificate-install` when they approach expiry or manually migrated to"},{"line_number":40,"context_line":"cert-manager [2]_ to be auto renewable."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"Migrating these certificates to cert-manager can be error prone and depends"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7dea7879_88601f74","line":39,"range":{"start_line":39,"start_character":40,"end_line":39,"end_character":46},"updated":"2022-02-02 17:21:35.000000000","message":"expiration","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":26026,"name":"Greg Waines","email":"greg.waines@windriver.com","username":"gwaines"},"change_message_id":"66efa9f8ec2101a0435e86a6350a8c544af9e86c","unresolved":true,"context_lines":[{"line_number":36,"context_line":"By default, platform certificates (https/rest-api and registry.local certificates)"},{"line_number":37,"context_line":"are self-signed and have no organizational relationship with the platform."},{"line_number":38,"context_line":"They are 
also static and need to be replaced manually via `system"},{"line_number":39,"context_line":"certificate-install` when they approach expiry or manually migrated to"},{"line_number":40,"context_line":"cert-manager [2]_ to be auto renewable."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"Migrating these certificates to cert-manager can be error prone and depends"}],"source_content_type":"text/x-rst","patch_set":4,"id":"06160655_7c47c5e5","line":39,"range":{"start_line":39,"start_character":59,"end_line":39,"end_character":70},"updated":"2022-02-02 19:59:08.000000000","message":"re-configured to use","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"dcc18a5cdd64590f6117f2caebe6af20507a9081","unresolved":false,"context_lines":[{"line_number":36,"context_line":"By default, platform certificates (https/rest-api and registry.local certificates)"},{"line_number":37,"context_line":"are self-signed and have no organizational relationship with the platform."},{"line_number":38,"context_line":"They are also static and need to be replaced manually via `system"},{"line_number":39,"context_line":"certificate-install` when they approach expiry or manually migrated to"},{"line_number":40,"context_line":"cert-manager [2]_ to be auto renewable."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"Migrating these certificates to cert-manager can be error prone and depends"}],"source_content_type":"text/x-rst","patch_set":4,"id":"d721a651_c2f67973","line":39,"range":{"start_line":39,"start_character":59,"end_line":39,"end_character":70},"in_reply_to":"06160655_7c47c5e5","updated":"2022-02-02 22:19:05.000000000","message":"Done","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes 
Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"dcc18a5cdd64590f6117f2caebe6af20507a9081","unresolved":false,"context_lines":[{"line_number":36,"context_line":"By default, platform certificates (https/rest-api and registry.local certificates)"},{"line_number":37,"context_line":"are self-signed and have no organizational relationship with the platform."},{"line_number":38,"context_line":"They are also static and need to be replaced manually via `system"},{"line_number":39,"context_line":"certificate-install` when they approach expiry or manually migrated to"},{"line_number":40,"context_line":"cert-manager [2]_ to be auto renewable."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"Migrating these certificates to cert-manager can be error prone and depends"}],"source_content_type":"text/x-rst","patch_set":4,"id":"5f01d0e3_3f5a6092","line":39,"range":{"start_line":39,"start_character":40,"end_line":39,"end_character":46},"in_reply_to":"7dea7879_88601f74","updated":"2022-02-02 22:19:05.000000000","message":"Done","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":28676,"name":"Andy Ning","email":"andy.ning@windriver.com","username":"andy.wrs"},"change_message_id":"d74d48f9cf352b93ccb9956f25f0d07618ffde0e","unresolved":true,"context_lines":[{"line_number":40,"context_line":"cert-manager [2]_ to be auto renewable."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"Migrating these certificates to cert-manager can be error prone and depends"},{"line_number":43,"context_line":"on user adoption. 
That may leave systems running with static certificates for"},{"line_number":44,"context_line":"long or ever, what can result in expirations or certificates with very long"},{"line_number":45,"context_line":"durations in order to avoid the frequent manual renewals."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"Additionally, the https/rest-api certificate is only required at the moment of"}],"source_content_type":"text/x-rst","patch_set":4,"id":"b3259096_55aab64c","line":44,"range":{"start_line":43,"start_character":74,"end_line":44,"end_character":12},"updated":"2022-02-02 17:21:35.000000000","message":"Not sure what this means, \"for long or forever\"?","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":28676,"name":"Andy Ning","email":"andy.ning@windriver.com","username":"andy.wrs"},"change_message_id":"d74d48f9cf352b93ccb9956f25f0d07618ffde0e","unresolved":true,"context_lines":[{"line_number":41,"context_line":""},{"line_number":42,"context_line":"Migrating these certificates to cert-manager can be error prone and depends"},{"line_number":43,"context_line":"on user adoption. 
That may leave systems running with static certificates for"},{"line_number":44,"context_line":"long or ever, what can result in expirations or certificates with very long"},{"line_number":45,"context_line":"durations in order to avoid the frequent manual renewals."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"Additionally, the https/rest-api certificate is only required at the moment of"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3a4ba7b9_b4ee18d7","line":44,"range":{"start_line":44,"start_character":14,"end_line":44,"end_character":19},"updated":"2022-02-02 17:21:35.000000000","message":"which?","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"dcc18a5cdd64590f6117f2caebe6af20507a9081","unresolved":false,"context_lines":[{"line_number":41,"context_line":""},{"line_number":42,"context_line":"Migrating these certificates to cert-manager can be error prone and depends"},{"line_number":43,"context_line":"on user adoption. 
That may leave systems running with static certificates for"},{"line_number":44,"context_line":"long or ever, what can result in expirations or certificates with very long"},{"line_number":45,"context_line":"durations in order to avoid the frequent manual renewals."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"Additionally, the https/rest-api certificate is only required at the moment of"}],"source_content_type":"text/x-rst","patch_set":4,"id":"d555d8bf_c0464217","line":44,"range":{"start_line":44,"start_character":14,"end_line":44,"end_character":19},"in_reply_to":"3a4ba7b9_b4ee18d7","updated":"2022-02-02 22:19:05.000000000","message":"I have reworded the whole paragraph please check again.","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"dcc18a5cdd64590f6117f2caebe6af20507a9081","unresolved":false,"context_lines":[{"line_number":40,"context_line":"cert-manager [2]_ to be auto renewable."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"Migrating these certificates to cert-manager can be error prone and depends"},{"line_number":43,"context_line":"on user adoption. 
That may leave systems running with static certificates for"},{"line_number":44,"context_line":"long or ever, what can result in expirations or certificates with very long"},{"line_number":45,"context_line":"durations in order to avoid the frequent manual renewals."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"Additionally, the https/rest-api certificate is only required at the moment of"}],"source_content_type":"text/x-rst","patch_set":4,"id":"4df424ca_5b9e9e01","line":44,"range":{"start_line":43,"start_character":74,"end_line":44,"end_character":12},"in_reply_to":"b3259096_55aab64c","updated":"2022-02-02 22:19:05.000000000","message":"reworded the whole paragraph please check again.","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":26026,"name":"Greg Waines","email":"greg.waines@windriver.com","username":"gwaines"},"change_message_id":"66efa9f8ec2101a0435e86a6350a8c544af9e86c","unresolved":true,"context_lines":[{"line_number":39,"context_line":"certificate-install` when they approach expiry or manually migrated to"},{"line_number":40,"context_line":"cert-manager [2]_ to be auto renewable."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"Migrating these certificates to cert-manager can be error prone and depends"},{"line_number":43,"context_line":"on user adoption. That may leave systems running with static certificates for"},{"line_number":44,"context_line":"long or ever, what can result in expirations or certificates with very long"},{"line_number":45,"context_line":"durations in order to avoid the frequent manual renewals."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"Additionally, the https/rest-api certificate is only required at the moment of"},{"line_number":48,"context_line":"enabling HTTPS on the platform. 
Users can stay running with HTTP only for"}],"source_content_type":"text/x-rst","patch_set":4,"id":"ddf06804_f2e2eb10","line":45,"range":{"start_line":42,"start_character":0,"end_line":45,"end_character":57},"updated":"2022-02-02 19:59:08.000000000","message":"General comments on this paragraph:\n\n- I don\u0027t think we want to use the words \"error prone\" to describe \n  configuring these certificates using cert-manager\n    * i.e. I think using cert-manager CERTIFICATE yaml is easier than \n           using openssl in lab or using external CA certificate generator\n    * agree that using cert-manager provides more flexibility as you can\n      use 1 or more CAs, and those CAs can be either rootCAs or intermediateCAs\n    * i think you want to re-word this more to say that cert-manager provides\n      a lot of flexibilty wrt your overall certificate strategy\n          ( and then in Proposed Change, you can say that the value of\n            the default cert-manager -based issuer / certificate setup\n            of this feature, is that we are initially setting up the\n            recommended structure for your platform certificates )\n\n- Agree with your comment that currently, use of cert-manager -based \n  certificates for the Platform Certificates does depend on user adoption\n     * I\u0027d separate that out into a separate sentence ...\n       because it is only if the user does NOT adopt the use of cert-manager\n       that he can end up having static certs with long durations, based on\n       current default certificate configuration.\n          ( and again in Proposed Change, you can say that value of the \n            default cert-manager -based certificate setup of this feature\n            is that we are encouraging users to use the new recommended\n            certificate management of platform certificates. 
)","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"3ced04ac7fdfeb2b6746ba64b19565ddc3df2085","unresolved":false,"context_lines":[{"line_number":39,"context_line":"certificate-install` when they approach expiry or manually migrated to"},{"line_number":40,"context_line":"cert-manager [2]_ to be auto renewable."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"Migrating these certificates to cert-manager can be error prone and depends"},{"line_number":43,"context_line":"on user adoption. That may leave systems running with static certificates for"},{"line_number":44,"context_line":"long or ever, what can result in expirations or certificates with very long"},{"line_number":45,"context_line":"durations in order to avoid the frequent manual renewals."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"Additionally, the https/rest-api certificate is only required at the moment of"},{"line_number":48,"context_line":"enabling HTTPS on the platform. 
Users can stay running with HTTP only for"}],"source_content_type":"text/x-rst","patch_set":4,"id":"c7a39703_2a8af878","line":45,"range":{"start_line":42,"start_character":0,"end_line":45,"end_character":57},"in_reply_to":"19aeb8bc_bc3ef05f","updated":"2022-02-03 20:04:10.000000000","message":"Ack","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"dcc18a5cdd64590f6117f2caebe6af20507a9081","unresolved":true,"context_lines":[{"line_number":39,"context_line":"certificate-install` when they approach expiry or manually migrated to"},{"line_number":40,"context_line":"cert-manager [2]_ to be auto renewable."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"Migrating these certificates to cert-manager can be error prone and depends"},{"line_number":43,"context_line":"on user adoption. That may leave systems running with static certificates for"},{"line_number":44,"context_line":"long or ever, what can result in expirations or certificates with very long"},{"line_number":45,"context_line":"durations in order to avoid the frequent manual renewals."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"Additionally, the https/rest-api certificate is only required at the moment of"},{"line_number":48,"context_line":"enabling HTTPS on the platform. Users can stay running with HTTP only for"}],"source_content_type":"text/x-rst","patch_set":4,"id":"19aeb8bc_bc3ef05f","line":45,"range":{"start_line":42,"start_character":0,"end_line":45,"end_character":57},"in_reply_to":"ddf06804_f2e2eb10","updated":"2022-02-02 22:19:05.000000000","message":"Okay, I will reword the whole thing.\n\nAgree about \u0027error prone\u0027 being a bad sentence here. 
What I meant was that leaving it to users to migrate is a faulty process that can leave them running with static certificates just because it may be perceived as more convenient than migrating.","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":26026,"name":"Greg Waines","email":"greg.waines@windriver.com","username":"gwaines"},"change_message_id":"66efa9f8ec2101a0435e86a6350a8c544af9e86c","unresolved":true,"context_lines":[{"line_number":44,"context_line":"long or ever, what can result in expirations or certificates with very long"},{"line_number":45,"context_line":"durations in order to avoid the frequent manual renewals."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"Additionally, the https/rest-api certificate is only required at the moment of"},{"line_number":48,"context_line":"enabling HTTPS on the platform. Users can stay running with HTTP only for"},{"line_number":49,"context_line":"long periods because of this."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Use Cases"},{"line_number":52,"context_line":"---------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"b7e1f452_88503137","line":49,"range":{"start_line":47,"start_character":0,"end_line":49,"end_character":29},"updated":"2022-02-02 19:59:08.000000000","message":"This is similar to your second point of lines 42-45 ... \ni.e. the problem is that the current default setup for platform certificates is not good ... i.e. 
it does not set up HTTPS for StarlingX REST API / GUI and it does NOT use the now recommended cert-manager -based certificates for platform certificates.\n\nGenerally, you could re-work this whole PROBLEM DESCRIPTION section to say that the default platform certificates setup is bad because\n- it doesn\u0027t enable HTTPS on all interfaces (specifically StarlingX REST API / GUI are left as HTTPS), and\n- the default auto-generated HTTPS certificates for docker registry do NOT use the new recommended cert-manager -based certificates for the platform (for support of things like auto-renewal)","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":28676,"name":"Andy Ning","email":"andy.ning@windriver.com","username":"andy.wrs"},"change_message_id":"d74d48f9cf352b93ccb9956f25f0d07618ffde0e","unresolved":true,"context_lines":[{"line_number":46,"context_line":""},{"line_number":47,"context_line":"Additionally, the https/rest-api certificate is only required at the moment of"},{"line_number":48,"context_line":"enabling HTTPS on the platform. 
Users can stay running with HTTP only for"},{"line_number":49,"context_line":"long periods because of this."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Use Cases"},{"line_number":52,"context_line":"---------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"99f3aef5_34277625","line":49,"range":{"start_line":49,"start_character":5,"end_line":49,"end_character":13},"updated":"2022-02-02 17:21:35.000000000","message":"period?","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"dcc18a5cdd64590f6117f2caebe6af20507a9081","unresolved":false,"context_lines":[{"line_number":46,"context_line":""},{"line_number":47,"context_line":"Additionally, the https/rest-api certificate is only required at the moment of"},{"line_number":48,"context_line":"enabling HTTPS on the platform. 
Users can stay running with HTTP only for"},{"line_number":49,"context_line":"long periods because of this."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Use Cases"},{"line_number":52,"context_line":"---------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"41bcc682_a10eabd0","line":49,"range":{"start_line":49,"start_character":5,"end_line":49,"end_character":13},"in_reply_to":"99f3aef5_34277625","updated":"2022-02-02 22:19:05.000000000","message":"reworded the whole paragraph please check again.","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"dcc18a5cdd64590f6117f2caebe6af20507a9081","unresolved":false,"context_lines":[{"line_number":44,"context_line":"long or ever, what can result in expirations or certificates with very long"},{"line_number":45,"context_line":"durations in order to avoid the frequent manual renewals."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"Additionally, the https/rest-api certificate is only required at the moment of"},{"line_number":48,"context_line":"enabling HTTPS on the platform. Users can stay running with HTTP only for"},{"line_number":49,"context_line":"long periods because of this."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Use Cases"},{"line_number":52,"context_line":"---------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"f7c3f27b_6316153d","line":49,"range":{"start_line":47,"start_character":0,"end_line":49,"end_character":29},"in_reply_to":"b7e1f452_88503137","updated":"2022-02-02 22:19:05.000000000","message":"Reworded and included suggestions. 
Please check","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":26026,"name":"Greg Waines","email":"greg.waines@windriver.com","username":"gwaines"},"change_message_id":"66efa9f8ec2101a0435e86a6350a8c544af9e86c","unresolved":true,"context_lines":[{"line_number":56,"context_line":"Proposed change"},{"line_number":57,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"This story addresses this issue by creating a system-local-ca Root CA"},{"line_number":60,"context_line":"certificate at the top of the certificate chain and have it as the"},{"line_number":61,"context_line":"`ClusterIssuer` for the platform."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"From system bootstrap, these platform certificates"},{"line_number":64,"context_line":"(https/rest-api and registry.local certificates) would be managed by"}],"source_content_type":"text/x-rst","patch_set":4,"id":"d5cb2e55_7216c838","line":61,"range":{"start_line":59,"start_character":0,"end_line":61,"end_character":33},"updated":"2022-02-02 19:59:08.000000000","message":"Suggested Reword:\n\nThis story addresses this issue by updating system bootstrap to:\n- create a system-local-ca \u0027tls\u0027-type SECRET to be the top of the \n  platform certificate chains, and \n- create a cert-manager `ClusterIssuer` that uses system-local-ca for signing of certificates.  \n\nThe system-local-ca \u0027tls\u0027-type SECRET will be auto-populated with the K8S Root CA certificate and key, such that the default platform certificate configuration will use a single Root CA for all Platform Certificates (i.e. k8s, starlingx, registry).  
Note that the K8S Root CA is either auto-generated by the system at startup, or specified by user as a bootstrap playbook override.","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":28676,"name":"Andy Ning","email":"andy.ning@windriver.com","username":"andy.wrs"},"change_message_id":"d74d48f9cf352b93ccb9956f25f0d07618ffde0e","unresolved":true,"context_lines":[{"line_number":58,"context_line":""},{"line_number":59,"context_line":"This story addresses this issue by creating a system-local-ca Root CA"},{"line_number":60,"context_line":"certificate at the top of the certificate chain and have it as the"},{"line_number":61,"context_line":"`ClusterIssuer` for the platform."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"From system bootstrap, these platform certificates"},{"line_number":64,"context_line":"(https/rest-api and registry.local certificates) would be managed by"}],"source_content_type":"text/x-rst","patch_set":4,"id":"82a4bb3e_f2d4e360","line":61,"range":{"start_line":61,"start_character":16,"end_line":61,"end_character":32},"updated":"2022-02-02 17:21:35.000000000","message":"of platform certificates.","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"dcc18a5cdd64590f6117f2caebe6af20507a9081","unresolved":false,"context_lines":[{"line_number":58,"context_line":""},{"line_number":59,"context_line":"This story addresses this issue by creating a system-local-ca Root CA"},{"line_number":60,"context_line":"certificate at the top of the certificate chain and have it as the"},{"line_number":61,"context_line":"`ClusterIssuer` for the platform."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"From system bootstrap, these platform certificates"},{"line_number":64,"context_line":"(https/rest-api and 
registry.local certificates) would be managed by"}],"source_content_type":"text/x-rst","patch_set":4,"id":"2e7b7353_90189b0d","line":61,"range":{"start_line":61,"start_character":16,"end_line":61,"end_character":32},"in_reply_to":"82a4bb3e_f2d4e360","updated":"2022-02-02 22:19:05.000000000","message":"Done","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"dcc18a5cdd64590f6117f2caebe6af20507a9081","unresolved":false,"context_lines":[{"line_number":56,"context_line":"Proposed change"},{"line_number":57,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"This story addresses this issue by creating a system-local-ca Root CA"},{"line_number":60,"context_line":"certificate at the top of the certificate chain and have it as the"},{"line_number":61,"context_line":"`ClusterIssuer` for the platform."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"From system bootstrap, these platform certificates"},{"line_number":64,"context_line":"(https/rest-api and registry.local certificates) would be managed by"}],"source_content_type":"text/x-rst","patch_set":4,"id":"d1ecce1f_a3cbfc0a","line":61,"range":{"start_line":59,"start_character":0,"end_line":61,"end_character":33},"in_reply_to":"d5cb2e55_7216c838","updated":"2022-02-02 22:19:05.000000000","message":"Done","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":26026,"name":"Greg Waines","email":"greg.waines@windriver.com","username":"gwaines"},"change_message_id":"66efa9f8ec2101a0435e86a6350a8c544af9e86c","unresolved":true,"context_lines":[{"line_number":60,"context_line":"certificate at the top of the certificate chain and have it as 
the"},{"line_number":61,"context_line":"`ClusterIssuer` for the platform."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"From system bootstrap, these platform certificates"},{"line_number":64,"context_line":"(https/rest-api and registry.local certificates) would be managed by"},{"line_number":65,"context_line":"cert-manager and signed by system-local-ca."},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"The system-local-ca certificate would also be used as kubernetes Root CA in"},{"line_number":68,"context_line":"/etc/kubernetes/pki/ca.crt [1]_, resulting in a common Root CA for all platform"}],"source_content_type":"text/x-rst","patch_set":4,"id":"80020b57_e784c1c0","line":65,"range":{"start_line":63,"start_character":0,"end_line":65,"end_character":42},"updated":"2022-02-02 19:59:08.000000000","message":"REWORD:\n\nAlso at system bootstrap, the platform certificates (StarlingX RESTAPI/GUI and registry.local certificates) will be created using cert-manager CERTIFICATEs, with the system-local-ca specified as the ISSUER to sign the certificates.","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"dcc18a5cdd64590f6117f2caebe6af20507a9081","unresolved":false,"context_lines":[{"line_number":60,"context_line":"certificate at the top of the certificate chain and have it as the"},{"line_number":61,"context_line":"`ClusterIssuer` for the platform."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"From system bootstrap, these platform certificates"},{"line_number":64,"context_line":"(https/rest-api and registry.local certificates) would be managed by"},{"line_number":65,"context_line":"cert-manager and signed by system-local-ca."},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"The 
system-local-ca certificate would also be used as kubernetes Root CA in"},{"line_number":68,"context_line":"/etc/kubernetes/pki/ca.crt [1]_, resulting in a common Root CA for all platform"}],"source_content_type":"text/x-rst","patch_set":4,"id":"0335f8d2_f1c41be6","line":65,"range":{"start_line":63,"start_character":0,"end_line":65,"end_character":42},"in_reply_to":"80020b57_e784c1c0","updated":"2022-02-02 22:19:05.000000000","message":"Done","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":26026,"name":"Greg Waines","email":"greg.waines@windriver.com","username":"gwaines"},"change_message_id":"66efa9f8ec2101a0435e86a6350a8c544af9e86c","unresolved":true,"context_lines":[{"line_number":64,"context_line":"(https/rest-api and registry.local certificates) would be managed by"},{"line_number":65,"context_line":"cert-manager and signed by system-local-ca."},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"The system-local-ca certificate would also be used as kubernetes Root CA in"},{"line_number":68,"context_line":"/etc/kubernetes/pki/ca.crt [1]_, resulting in a common Root CA for all platform"},{"line_number":69,"context_line":"certificates."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"Also, from bootstrap, HTTPS would be enabled by default for communication"},{"line_number":72,"context_line":"across platform rest APIS."}],"source_content_type":"text/x-rst","patch_set":4,"id":"8f0dbb36_966f57a4","line":69,"range":{"start_line":67,"start_character":0,"end_line":69,"end_character":13},"updated":"2022-02-02 19:59:08.000000000","message":"See reword comment / suggestion for lines 59-61 .\nI think you should just delete lines 67-69","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei 
Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"dcc18a5cdd64590f6117f2caebe6af20507a9081","unresolved":false,"context_lines":[{"line_number":64,"context_line":"(https/rest-api and registry.local certificates) would be managed by"},{"line_number":65,"context_line":"cert-manager and signed by system-local-ca."},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"The system-local-ca certificate would also be used as kubernetes Root CA in"},{"line_number":68,"context_line":"/etc/kubernetes/pki/ca.crt [1]_, resulting in a common Root CA for all platform"},{"line_number":69,"context_line":"certificates."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"Also, from bootstrap, HTTPS would be enabled by default for communication"},{"line_number":72,"context_line":"across platform rest APIS."}],"source_content_type":"text/x-rst","patch_set":4,"id":"5cb16874_88d352e0","line":69,"range":{"start_line":67,"start_character":0,"end_line":69,"end_character":13},"in_reply_to":"8f0dbb36_966f57a4","updated":"2022-02-02 22:19:05.000000000","message":"Done","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":28676,"name":"Andy Ning","email":"andy.ning@windriver.com","username":"andy.wrs"},"change_message_id":"d74d48f9cf352b93ccb9956f25f0d07618ffde0e","unresolved":true,"context_lines":[{"line_number":68,"context_line":"/etc/kubernetes/pki/ca.crt [1]_, resulting in a common Root CA for all platform"},{"line_number":69,"context_line":"certificates."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"Also, from bootstrap, HTTPS would be enabled by default for communication"},{"line_number":72,"context_line":"across platform rest 
APIS."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"Alternatives"},{"line_number":75,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"ee93a233_d27d21ba","line":72,"range":{"start_line":71,"start_character":56,"end_line":72,"end_character":25},"updated":"2022-02-02 17:21:35.000000000","message":"for external access to the system by REST APIs and Horizon.","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"0dfad3069845831cbbc19ed3957fe0b51d8d3038","unresolved":false,"context_lines":[{"line_number":68,"context_line":"/etc/kubernetes/pki/ca.crt [1]_, resulting in a common Root CA for all platform"},{"line_number":69,"context_line":"certificates."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"Also, from bootstrap, HTTPS would be enabled by default for communication"},{"line_number":72,"context_line":"across platform rest APIS."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"Alternatives"},{"line_number":75,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"8134d068_23bcfec3","line":72,"range":{"start_line":71,"start_character":56,"end_line":72,"end_character":25},"in_reply_to":"9d22f384_2fa11601","updated":"2022-02-04 20:51:18.000000000","message":"Done","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"dcc18a5cdd64590f6117f2caebe6af20507a9081","unresolved":true,"context_lines":[{"line_number":68,"context_line":"/etc/kubernetes/pki/ca.crt [1]_, resulting in a common Root CA for all 
platform"},{"line_number":69,"context_line":"certificates."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"Also, from bootstrap, HTTPS would be enabled by default for communication"},{"line_number":72,"context_line":"across platform rest APIS."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"Alternatives"},{"line_number":75,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9d22f384_2fa11601","line":72,"range":{"start_line":71,"start_character":56,"end_line":72,"end_character":25},"in_reply_to":"ee93a233_d27d21ba","updated":"2022-02-02 22:19:05.000000000","message":"I have reworded to \n\nAlso, from system bootstrap, HTTPS will be enabled by default for communication\nacross platform rest APIS. Interfaces such as StarlingX REST API / GUI will be\nHTTPS by default.\n\nPlease see if that\u0027s good","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":28676,"name":"Andy Ning","email":"andy.ning@windriver.com","username":"andy.wrs"},"change_message_id":"d74d48f9cf352b93ccb9956f25f0d07618ffde0e","unresolved":true,"context_lines":[{"line_number":100,"context_line":"* Enhanced security as cert-manager makes it easier to have certificates"},{"line_number":101,"context_line":"  with shorter durations"},{"line_number":102,"context_line":"* Enhanced security by having https enabled by default"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"Other end user impact"},{"line_number":105,"context_line":"---------------------"},{"line_number":106,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"8d17485b_85b6ad22","line":103,"updated":"2022-02-02 17:21:35.000000000","message":"* Enhanced security by enabling platform certificates auto renewal.","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei 
Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"0dfad3069845831cbbc19ed3957fe0b51d8d3038","unresolved":false,"context_lines":[{"line_number":100,"context_line":"* Enhanced security as cert-manager makes it easier to have certificates"},{"line_number":101,"context_line":"  with shorter durations"},{"line_number":102,"context_line":"* Enhanced security by having https enabled by default"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"Other end user impact"},{"line_number":105,"context_line":"---------------------"},{"line_number":106,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"e12cc8f3_31c14ff5","line":103,"in_reply_to":"74873cca_3105b9b5","updated":"2022-02-04 20:51:18.000000000","message":"Done","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"dcc18a5cdd64590f6117f2caebe6af20507a9081","unresolved":true,"context_lines":[{"line_number":100,"context_line":"* Enhanced security as cert-manager makes it easier to have certificates"},{"line_number":101,"context_line":"  with shorter durations"},{"line_number":102,"context_line":"* Enhanced security by having https enabled by default"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"Other end user impact"},{"line_number":105,"context_line":"---------------------"},{"line_number":106,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"74873cca_3105b9b5","line":103,"in_reply_to":"8d17485b_85b6ad22","updated":"2022-02-02 22:19:05.000000000","message":"I assumed your suggestion was to add a new item. 
Please correct if I misunderstood","commit_id":"99f6336db4b5ec338535035700456233268ad1e3"},{"author":{"_account_id":31500,"name":"Sabeel Ansari","email":"Sabeel.Ansari@windriver.com","username":"sansari"},"change_message_id":"6dfcbf560a10a17083e2a90c6fe62b7775ab1d99","unresolved":true,"context_lines":[{"line_number":105,"context_line":"REST API impact"},{"line_number":106,"context_line":"---------------"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"None"},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"Security impact"},{"line_number":111,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"c04bd8c2_951eae06","line":108,"updated":"2022-02-03 15:08:32.000000000","message":"Since we are enabling HTTPS by default, do we need to note that as REST API impact?","commit_id":"578b5f43f9dc789a99a2d92fd86d9036814b2ab2"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"10c3ce9b6eed5058274ec0b0d1640fd331f0ca3a","unresolved":false,"context_lines":[{"line_number":105,"context_line":"REST API impact"},{"line_number":106,"context_line":"---------------"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"None"},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"Security impact"},{"line_number":111,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"a4df59c7_53613a1b","line":108,"in_reply_to":"c04bd8c2_951eae06","updated":"2022-02-03 16:19:31.000000000","message":"I have added a more clarifying text","commit_id":"578b5f43f9dc789a99a2d92fd86d9036814b2ab2"},{"author":{"_account_id":31500,"name":"Sabeel 
Ansari","email":"Sabeel.Ansari@windriver.com","username":"sansari"},"change_message_id":"6dfcbf560a10a17083e2a90c6fe62b7775ab1d99","unresolved":true,"context_lines":[{"line_number":128,"context_line":"------------------"},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"Most of the changes for this feature are in the system bootstrap with little impact on"},{"line_number":131,"context_line":"performance. After bootstrap, impact should be none."},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"Other deployer impact"},{"line_number":134,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"e81294b7_f4100652","line":131,"updated":"2022-02-03 15:08:32.000000000","message":"Instead of \"impact should be none\", we should say \"no performance impact expected\"","commit_id":"578b5f43f9dc789a99a2d92fd86d9036814b2ab2"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"10c3ce9b6eed5058274ec0b0d1640fd331f0ca3a","unresolved":false,"context_lines":[{"line_number":128,"context_line":"------------------"},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"Most of the changes for this feature are in the system bootstrap with little impact on"},{"line_number":131,"context_line":"performance. 
After bootstrap, impact should be none."},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"Other deployer impact"},{"line_number":134,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"62b145c5_8c890fbe","line":131,"in_reply_to":"e81294b7_f4100652","updated":"2022-02-03 16:19:31.000000000","message":"Done","commit_id":"578b5f43f9dc789a99a2d92fd86d9036814b2ab2"},{"author":{"_account_id":31500,"name":"Sabeel Ansari","email":"Sabeel.Ansari@windriver.com","username":"sansari"},"change_message_id":"6dfcbf560a10a17083e2a90c6fe62b7775ab1d99","unresolved":true,"context_lines":[{"line_number":143,"context_line":"Upgrade impact"},{"line_number":144,"context_line":"--------------"},{"line_number":145,"context_line":""},{"line_number":146,"context_line":"None"},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"Implementation"},{"line_number":149,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":6,"id":"d9b5b7a3_b9a01cd2","line":146,"updated":"2022-02-03 15:08:32.000000000","message":"Have we confirmed this?\nDo we move the configuration over automatically during upgrades? Are the certs regenerated? 
\nWe might need to engage with someone in the upgrade team to confirm this and if we need some more upgrade-specific changes in ansible.","commit_id":"578b5f43f9dc789a99a2d92fd86d9036814b2ab2"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"a0b26303ed6cd760f904c3619afbe6b432f68cdf","unresolved":true,"context_lines":[{"line_number":143,"context_line":"Upgrade impact"},{"line_number":144,"context_line":"--------------"},{"line_number":145,"context_line":""},{"line_number":146,"context_line":"None"},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"Implementation"},{"line_number":149,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":6,"id":"a41ea842_6c65b3aa","line":146,"in_reply_to":"2c53e93a_4377cbdd","updated":"2022-02-04 19:26:53.000000000","message":"I have further looked at the bootstrap.yml playbook and playbooks that use it.\n\nThe upgrade_platform.yml and restore_platform.yaml playbooks both use the bootstrap playbook with mode \u003d \u0027restore\u0027, which is different than the mode used during bootstrap where mode \u003d \u0027bootstrap\u0027.\n\nInside the playbook many operations are only performed during bootstrap and skipped during upgrade / restore, such as:\n\n# Create DC CA and set up subcloud admin endpoint certificates for bootstrap mode.\n- block:\n  - name: Create distributed cloud CA\n    include_tasks: create_dc_ca.yml\n    when: distributed_cloud_role \u003d\u003d \u0027systemcontroller\u0027\n\n  - name: Set up subcloud admin endpoints certificates if host is a subcloud\n    include_role:\n      name: common/setup-subcloud-adminep-certs\n    vars:\n      ansible_become: yes\n    when: distributed_cloud_role \u003d\u003d \u0027subcloud\u0027\n\n  when: mode \u003d\u003d 
\u0027bootstrap\u0027\n\nHaving said that, it seems to me like we should do the same and skip the creating of system-local-ca issuer and platform certificates for the upgrade path as well, as changing these certificates during upgrade may cause unexpected consequences to users (losing external access for instance). \n\nIt seems safer to let users upgrade first and then migrate certificates with the migrate_platform_certificates_to_certmanager.yml playbook at a later point.\n\nLet me know what you think.","commit_id":"578b5f43f9dc789a99a2d92fd86d9036814b2ab2"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"45237d584c1d3cfecabaf12b120e9682ad7bb929","unresolved":false,"context_lines":[{"line_number":143,"context_line":"Upgrade impact"},{"line_number":144,"context_line":"--------------"},{"line_number":145,"context_line":""},{"line_number":146,"context_line":"None"},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"Implementation"},{"line_number":149,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":6,"id":"34a22a41_cc9aa5f7","line":146,"in_reply_to":"3c8729ac_937e2f6d","updated":"2022-03-16 18:59:03.000000000","message":"Done","commit_id":"578b5f43f9dc789a99a2d92fd86d9036814b2ab2"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"2d45f4719b8e62cd93de975056eb6a3ad7c5b596","unresolved":true,"context_lines":[{"line_number":143,"context_line":"Upgrade 
impact"},{"line_number":144,"context_line":"--------------"},{"line_number":145,"context_line":""},{"line_number":146,"context_line":"None"},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"Implementation"},{"line_number":149,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3c8729ac_937e2f6d","line":146,"in_reply_to":"99e34df4_2c173d2a","updated":"2022-03-09 15:00:00.000000000","message":"Hi Sabeel,\n\n1. I think we should let users upgrade first and manually run the migrate-certificates playbook when they decide to. My reasoning for that is that they may have tools using external access to starlingx and they expect that to keep working after a system upgrade. I think cert-manager adoption should be a deliberate step for the upgrade path. \n\nAs I said before, the upgrade playbook should skip the tasks from the bootstrap playbook that create cert-manager Issuer and certificates, following the example of \u0027Create distributed cloud CA\u0027 tasks.\n\n2. As for point #1, the bootstrap playbook will skip the tasks from the bootstrap playbook that create cert-manager Issuer and certificates, so certificates and secrets will not get recreated. \n\nI don\u0027t think we need to do anything particular for configs to get saved during upgrade. 
Cert-manager certificates are saved as k8 secrets, they will remain unchanged even after upgrade.\n\n\nPlease clarify if I have misunderstood your questions.","commit_id":"578b5f43f9dc789a99a2d92fd86d9036814b2ab2"},{"author":{"_account_id":31500,"name":"Sabeel Ansari","email":"Sabeel.Ansari@windriver.com","username":"sansari"},"change_message_id":"6a228c27a39f4c09e0cfd4eb98f277e674c5e560","unresolved":true,"context_lines":[{"line_number":143,"context_line":"Upgrade impact"},{"line_number":144,"context_line":"--------------"},{"line_number":145,"context_line":""},{"line_number":146,"context_line":"None"},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"Implementation"},{"line_number":149,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":6,"id":"99e34df4_2c173d2a","line":146,"in_reply_to":"a41ea842_6c65b3aa","updated":"2022-02-07 15:37:30.000000000","message":"There are two use cases to consider.\n1. Upgrading from current stx 6 to stx 7 --\u003e where we go from not having the config we want to the state we want the config (in which case, users can run migrate playbook). We may also need to consider what happens if users dont run the migrate playbook -- perhaps we should run the migrate-playbook from inside the upgrade-playbook to make sure the platform is in a state we expect it to be?\n2. Upgrading from stx 7 to future releases --\u003e will the configs get saved and moved to platform after upgrades automatically? 
This is what I was thinking needs some more investigation.","commit_id":"578b5f43f9dc789a99a2d92fd86d9036814b2ab2"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"b0ed020d1e986175a31cf2e0d98892b08706ecfd","unresolved":true,"context_lines":[{"line_number":143,"context_line":"Upgrade impact"},{"line_number":144,"context_line":"--------------"},{"line_number":145,"context_line":""},{"line_number":146,"context_line":"None"},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"Implementation"},{"line_number":149,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":6,"id":"2c53e93a_4377cbdd","line":146,"in_reply_to":"d9b5b7a3_b9a01cd2","updated":"2022-02-03 15:22:10.000000000","message":"Good point Sabeel. I will try and confirm with the upgrade folks.","commit_id":"578b5f43f9dc789a99a2d92fd86d9036814b2ab2"},{"author":{"_account_id":31500,"name":"Sabeel Ansari","email":"Sabeel.Ansari@windriver.com","username":"sansari"},"change_message_id":"6dfcbf560a10a17083e2a90c6fe62b7775ab1d99","unresolved":true,"context_lines":[{"line_number":166,"context_line":"Work Items"},{"line_number":167,"context_line":"----------"},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"* Make cert-mon aware of secrets created before its startup"},{"line_number":170,"context_line":"* Create system-local-ca issuer and platform certificates as part of ansible"},{"line_number":171,"context_line":"  bootstrap playbook"},{"line_number":172,"context_line":"* Auto-addition of Root CA values to sucloud bootstrap overrides based on"}],"source_content_type":"text/x-rst","patch_set":6,"id":"c9a23dd4_9bb4638d","line":169,"updated":"2022-02-03 15:08:32.000000000","message":"Not sure this statement makes sense. 
cert-mon runs after the controller unlock. By this time, all the ansible-playbook scripts would have completed the job. Can you confirm what you mean by this statement? Do we need some cert-mon code changes specific to this feature?","commit_id":"578b5f43f9dc789a99a2d92fd86d9036814b2ab2"},{"author":{"_account_id":31500,"name":"Sabeel Ansari","email":"Sabeel.Ansari@windriver.com","username":"sansari"},"change_message_id":"6a228c27a39f4c09e0cfd4eb98f277e674c5e560","unresolved":false,"context_lines":[{"line_number":166,"context_line":"Work Items"},{"line_number":167,"context_line":"----------"},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"* Make cert-mon aware of secrets created before its startup"},{"line_number":170,"context_line":"* Create system-local-ca issuer and platform certificates as part of ansible"},{"line_number":171,"context_line":"  bootstrap playbook"},{"line_number":172,"context_line":"* Auto-addition of Root CA values to sucloud bootstrap overrides based on"}],"source_content_type":"text/x-rst","patch_set":6,"id":"b0932e08_7f3c58c9","line":169,"in_reply_to":"215044fa_b79f23b7","updated":"2022-02-07 15:37:30.000000000","message":"As discussed, we will go with original proposal in cert-mon instead of something during bootstrap.","commit_id":"578b5f43f9dc789a99a2d92fd86d9036814b2ab2"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"b7a9450755b5f7f97e8a4ebc532f45c022a1b6ac","unresolved":true,"context_lines":[{"line_number":166,"context_line":"Work Items"},{"line_number":167,"context_line":"----------"},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"* Make cert-mon aware of secrets created before its startup"},{"line_number":170,"context_line":"* Create system-local-ca issuer and platform certificates as part of ansible"},{"line_number":171,"context_line":"  
bootstrap playbook"},{"line_number":172,"context_line":"* Auto-addition of Root CA values to sucloud bootstrap overrides based on"}],"source_content_type":"text/x-rst","patch_set":6,"id":"215044fa_b79f23b7","line":169,"in_reply_to":"543aed86_c6af0893","updated":"2022-02-04 19:28:16.000000000","message":"Do you want me to refresh the review with this listed under \u0027alternative approaches\u0027 ?","commit_id":"578b5f43f9dc789a99a2d92fd86d9036814b2ab2"},{"author":{"_account_id":31500,"name":"Sabeel Ansari","email":"Sabeel.Ansari@windriver.com","username":"sansari"},"change_message_id":"5dd85348d6a3d911cf739035201429fdadcccbcd","unresolved":false,"context_lines":[{"line_number":166,"context_line":"Work Items"},{"line_number":167,"context_line":"----------"},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"* Make cert-mon aware of secrets created before its startup"},{"line_number":170,"context_line":"* Create system-local-ca issuer and platform certificates as part of ansible"},{"line_number":171,"context_line":"  bootstrap playbook"},{"line_number":172,"context_line":"* Auto-addition of Root CA values to sucloud bootstrap overrides based on"}],"source_content_type":"text/x-rst","patch_set":6,"id":"543aed86_c6af0893","line":169,"in_reply_to":"80ced868_dcc01fad","updated":"2022-02-03 19:54:04.000000000","message":"OK makes sense.\nAnother option is to consider putting the two commands (https-enabled\u003dtrue and certificate-install commands) as part of the bootstrap (before the controller unlock). 
This would mean you dont have to do anything in cert-mon.","commit_id":"578b5f43f9dc789a99a2d92fd86d9036814b2ab2"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"b0ed020d1e986175a31cf2e0d98892b08706ecfd","unresolved":true,"context_lines":[{"line_number":166,"context_line":"Work Items"},{"line_number":167,"context_line":"----------"},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"* Make cert-mon aware of secrets created before its startup"},{"line_number":170,"context_line":"* Create system-local-ca issuer and platform certificates as part of ansible"},{"line_number":171,"context_line":"  bootstrap playbook"},{"line_number":172,"context_line":"* Auto-addition of Root CA values to sucloud bootstrap overrides based on"}],"source_content_type":"text/x-rst","patch_set":6,"id":"80ced868_dcc01fad","line":169,"in_reply_to":"c9a23dd4_9bb4638d","updated":"2022-02-03 15:22:10.000000000","message":"Certificates and secrets for the rest/api and registry.local certificates are created during ansible bootstrap. \n\nThen there\u0027s the restart triggered by host-unlock.\n\nWhen cert-mon starts up, after the host-unlock, it starts its watchers to watch for following secret events. As these certificate secrets were created before cert-mon\u0027s startup, it is not going to trigger the \u0027certificate-install\u0027 for them, as it starts up, only if an update happens to the certificate secrets.\n\nI want to make use of cert-mon to do the \u0027certificate-install\u0027 of the certificate secrets. 
That would require a small change to cert-mon.","commit_id":"578b5f43f9dc789a99a2d92fd86d9036814b2ab2"},{"author":{"_account_id":31500,"name":"Sabeel Ansari","email":"Sabeel.Ansari@windriver.com","username":"sansari"},"change_message_id":"6dfcbf560a10a17083e2a90c6fe62b7775ab1d99","unresolved":true,"context_lines":[{"line_number":173,"context_line":"  system-controller\u0027s (dcmanager subcloud add)"},{"line_number":174,"context_line":"* Add support to auto generate Root CA to migrate-platform-certificate"},{"line_number":175,"context_line":"  playbook - Story 2007361, task 44036 [3]_"},{"line_number":176,"context_line":"* Developer testing - bootstrap / CA update on diffent system configurations"},{"line_number":177,"context_line":""},{"line_number":178,"context_line":""},{"line_number":179,"context_line":"System Upgrade"}],"source_content_type":"text/x-rst","patch_set":6,"id":"ab7dbd4b_d135490d","line":176,"updated":"2022-02-03 15:08:32.000000000","message":"\"different\" typo","commit_id":"578b5f43f9dc789a99a2d92fd86d9036814b2ab2"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"3ced04ac7fdfeb2b6746ba64b19565ddc3df2085","unresolved":false,"context_lines":[{"line_number":173,"context_line":"  system-controller\u0027s (dcmanager subcloud add)"},{"line_number":174,"context_line":"* Add support to auto generate Root CA to migrate-platform-certificate"},{"line_number":175,"context_line":"  playbook - Story 2007361, task 44036 [3]_"},{"line_number":176,"context_line":"* Developer testing - bootstrap / CA update on diffent system configurations"},{"line_number":177,"context_line":""},{"line_number":178,"context_line":""},{"line_number":179,"context_line":"System Upgrade"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9625f147_286b0c59","line":176,"in_reply_to":"ab7dbd4b_d135490d","updated":"2022-02-03 
20:04:10.000000000","message":"Done","commit_id":"578b5f43f9dc789a99a2d92fd86d9036814b2ab2"},{"author":{"_account_id":33265,"name":"Ramaswamy Subramanian","email":"ramaswamy.subramanian@windriver.com","username":"rsubrama"},"change_message_id":"f21272f0916109eb67b04c14137b0d8f755beeaa","unresolved":true,"context_lines":[{"line_number":44,"context_line":"as the registry.local certificate, not taking advantage of features like auto"},{"line_number":45,"context_line":"renewal, which are offered by cert-manager."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"By default, these platform certificates (StarlingX RESTAPI/GUI and registry.local"},{"line_number":48,"context_line":"certificates) are auto generated, self-signed certificates. That means they"},{"line_number":49,"context_line":"are static and need to be re-configured manually via `system"},{"line_number":50,"context_line":"certificate-install` when they approach expiration or manually reconfigured to"}],"source_content_type":"text/x-rst","patch_set":7,"id":"812c4182_7f46dd64","line":47,"range":{"start_line":47,"start_character":54,"end_line":47,"end_character":56},"updated":"2022-02-07 22:16:04.000000000","message":"space between T and A","commit_id":"f2679bbd1a4f1bc97f1a789c3818b65fd7f1396c"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"25d63b02843b73a74d13f68ae9d303cedb023887","unresolved":false,"context_lines":[{"line_number":44,"context_line":"as the registry.local certificate, not taking advantage of features like auto"},{"line_number":45,"context_line":"renewal, which are offered by cert-manager."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"By default, these platform certificates (StarlingX RESTAPI/GUI and registry.local"},{"line_number":48,"context_line":"certificates) are auto generated, self-signed certificates. 
That means they"},{"line_number":49,"context_line":"are static and need to be re-configured manually via `system"},{"line_number":50,"context_line":"certificate-install` when they approach expiration or manually reconfigured to"}],"source_content_type":"text/x-rst","patch_set":7,"id":"2c040b1f_8ca99e94","line":47,"range":{"start_line":47,"start_character":54,"end_line":47,"end_character":56},"in_reply_to":"812c4182_7f46dd64","updated":"2022-03-09 12:44:48.000000000","message":"Done","commit_id":"f2679bbd1a4f1bc97f1a789c3818b65fd7f1396c"},{"author":{"_account_id":33265,"name":"Ramaswamy Subramanian","email":"ramaswamy.subramanian@windriver.com","username":"rsubrama"},"change_message_id":"f21272f0916109eb67b04c14137b0d8f755beeaa","unresolved":true,"context_lines":[{"line_number":76,"context_line":"Note that the kubernetes Root CA is either auto-generated by the system at startup,"},{"line_number":77,"context_line":"or specified by user as a bootstrap playbook override. [4]_"},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"Also at system bootstrap, the platform certificates (StarlingX RESTAPI/GUI and"},{"line_number":80,"context_line":"registry.local certificates) will be created using cert-manager `Certificates`,"},{"line_number":81,"context_line":"with the system-local-ca specified as the `Issuer` to sign them."},{"line_number":82,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"03fa4644_f170c520","line":79,"range":{"start_line":79,"start_character":66,"end_line":79,"end_character":68},"updated":"2022-02-07 22:16:04.000000000","message":"space between T and A","commit_id":"f2679bbd1a4f1bc97f1a789c3818b65fd7f1396c"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"25d63b02843b73a74d13f68ae9d303cedb023887","unresolved":false,"context_lines":[{"line_number":76,"context_line":"Note that 
the kubernetes Root CA is either auto-generated by the system at startup,"},{"line_number":77,"context_line":"or specified by user as a bootstrap playbook override. [4]_"},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"Also at system bootstrap, the platform certificates (StarlingX RESTAPI/GUI and"},{"line_number":80,"context_line":"registry.local certificates) will be created using cert-manager `Certificates`,"},{"line_number":81,"context_line":"with the system-local-ca specified as the `Issuer` to sign them."},{"line_number":82,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"e9c4585d_9a1f137b","line":79,"range":{"start_line":79,"start_character":66,"end_line":79,"end_character":68},"in_reply_to":"03fa4644_f170c520","updated":"2022-03-09 12:44:48.000000000","message":"Done","commit_id":"f2679bbd1a4f1bc97f1a789c3818b65fd7f1396c"},{"author":{"_account_id":33265,"name":"Ramaswamy Subramanian","email":"ramaswamy.subramanian@windriver.com","username":"rsubrama"},"change_message_id":"f21272f0916109eb67b04c14137b0d8f755beeaa","unresolved":true,"context_lines":[{"line_number":81,"context_line":"with the system-local-ca specified as the `Issuer` to sign them."},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"Also, from system bootstrap, HTTPS will be enabled by default for communication"},{"line_number":84,"context_line":"across platform rest APIS. 
Interfaces such as StarlingX REST API / GUI will be"},{"line_number":85,"context_line":"HTTPS by default."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"More important, this change encourages users to use and take advantage of"},{"line_number":88,"context_line":"cert-manager which is now recommended for certificate management in the platform."}],"source_content_type":"text/x-rst","patch_set":7,"id":"606897a0_e50b6578","line":85,"range":{"start_line":84,"start_character":27,"end_line":85,"end_character":16},"updated":"2022-02-07 22:16:04.000000000","message":"Will this impact Horizon GUI?  Do we need any changes in Horizon?","commit_id":"f2679bbd1a4f1bc97f1a789c3818b65fd7f1396c"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"25d63b02843b73a74d13f68ae9d303cedb023887","unresolved":true,"context_lines":[{"line_number":81,"context_line":"with the system-local-ca specified as the `Issuer` to sign them."},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"Also, from system bootstrap, HTTPS will be enabled by default for communication"},{"line_number":84,"context_line":"across platform rest APIS. 
Interfaces such as StarlingX REST API / GUI will be"},{"line_number":85,"context_line":"HTTPS by default."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"More important, this change encourages users to use and take advantage of"},{"line_number":88,"context_line":"cert-manager which is now recommended for certificate management in the platform."}],"source_content_type":"text/x-rst","patch_set":7,"id":"9ee7633b_191799de","line":85,"range":{"start_line":84,"start_character":27,"end_line":85,"end_character":16},"in_reply_to":"606897a0_e50b6578","updated":"2022-03-09 12:44:48.000000000","message":"We don\u0027t need changes to horizon, as it already supports enabling HTTPS as per current procedure in https://docs.starlingx.io/security/kubernetes/enable-https-access-for-starlingx-rest-and-web-server-endpoints.html\n\nHowever, I\u0027m adding a new patchset to add horizon as documentation and end-user impact.\n\nThanks for pointing it out.","commit_id":"f2679bbd1a4f1bc97f1a789c3818b65fd7f1396c"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"45237d584c1d3cfecabaf12b120e9682ad7bb929","unresolved":false,"context_lines":[{"line_number":81,"context_line":"with the system-local-ca specified as the `Issuer` to sign them."},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"Also, from system bootstrap, HTTPS will be enabled by default for communication"},{"line_number":84,"context_line":"across platform rest APIS. 
Interfaces such as StarlingX REST API / GUI will be"},{"line_number":85,"context_line":"HTTPS by default."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"More important, this change encourages users to use and take advantage of"},{"line_number":88,"context_line":"cert-manager which is now recommended for certificate management in the platform."}],"source_content_type":"text/x-rst","patch_set":7,"id":"135a4701_79a2d4b0","line":85,"range":{"start_line":84,"start_character":27,"end_line":85,"end_character":16},"in_reply_to":"9ee7633b_191799de","updated":"2022-03-16 18:59:03.000000000","message":"Done","commit_id":"f2679bbd1a4f1bc97f1a789c3818b65fd7f1396c"},{"author":{"_account_id":33265,"name":"Ramaswamy Subramanian","email":"ramaswamy.subramanian@windriver.com","username":"rsubrama"},"change_message_id":"f21272f0916109eb67b04c14137b0d8f755beeaa","unresolved":true,"context_lines":[{"line_number":106,"context_line":"REST API impact"},{"line_number":107,"context_line":"---------------"},{"line_number":108,"context_line":""},{"line_number":109,"context_line":"No impact to REST API schema specification. However, connections are now"},{"line_number":110,"context_line":"secured by HTTPS."},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"Security impact"}],"source_content_type":"text/x-rst","patch_set":7,"id":"852a3285_3e438a7a","line":109,"updated":"2022-02-07 22:16:04.000000000","message":"Do we know if this will impact end users?  For instance, if an end user has scripts or integrated with other systems, will they be impacted?  
Do we need to notify the community of this behavior change?","commit_id":"f2679bbd1a4f1bc97f1a789c3818b65fd7f1396c"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"25d63b02843b73a74d13f68ae9d303cedb023887","unresolved":true,"context_lines":[{"line_number":106,"context_line":"REST API impact"},{"line_number":107,"context_line":"---------------"},{"line_number":108,"context_line":""},{"line_number":109,"context_line":"No impact to REST API schema specification. However, connections are now"},{"line_number":110,"context_line":"secured by HTTPS."},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"Security impact"}],"source_content_type":"text/x-rst","patch_set":7,"id":"8a812ed6_c7e24bcf","line":109,"in_reply_to":"852a3285_3e438a7a","updated":"2022-03-09 12:44:48.000000000","message":"Yes, you are correct. Users using automated scripts are likely to need to update their connection config. \n\nI have listed it under \u0027developer impact\u0027, please see if that\u0027s appropriate.","commit_id":"f2679bbd1a4f1bc97f1a789c3818b65fd7f1396c"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"9e608946500ab65d7fc9bd3768356c63c12452a0","unresolved":true,"context_lines":[{"line_number":106,"context_line":"REST API impact"},{"line_number":107,"context_line":"---------------"},{"line_number":108,"context_line":""},{"line_number":109,"context_line":"No impact to REST API schema specification. 
However, connections are now"},{"line_number":110,"context_line":"secured by HTTPS."},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"Security impact"}],"source_content_type":"text/x-rst","patch_set":7,"id":"b2adc073_dcd5c1df","line":109,"in_reply_to":"8a812ed6_c7e24bcf","updated":"2022-03-09 15:29:02.000000000","message":"I have just sent out an email to the community as well","commit_id":"f2679bbd1a4f1bc97f1a789c3818b65fd7f1396c"},{"author":{"_account_id":32841,"name":"Reinildes Oliveira","display_name":"Rei Oliveira","email":"Reinildes.JoseMateusOliveira@windriver.com","username":"rjosemat"},"change_message_id":"45237d584c1d3cfecabaf12b120e9682ad7bb929","unresolved":false,"context_lines":[{"line_number":106,"context_line":"REST API impact"},{"line_number":107,"context_line":"---------------"},{"line_number":108,"context_line":""},{"line_number":109,"context_line":"No impact to REST API schema specification. However, connections are now"},{"line_number":110,"context_line":"secured by HTTPS."},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"Security impact"}],"source_content_type":"text/x-rst","patch_set":7,"id":"29449f73_742ed5f6","line":109,"in_reply_to":"b2adc073_dcd5c1df","updated":"2022-03-16 18:59:03.000000000","message":"Done","commit_id":"f2679bbd1a4f1bc97f1a789c3818b65fd7f1396c"}]}
