{"id":79,"sha1":"5d27406cffec738adcb252d4747e208cc4f39539","playbook":{"id":2,"items":{"plays":7,"tasks":72,"results":71,"hosts":2,"files":97,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":4,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-hosts.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-05T13:22:31.084267Z","ended":"2025-12-05T13:23:21.889555Z","duration":"00:00:50.805288","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.12.11","server_version":"1.7.4","status":"failed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-hosts.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2021, BBC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is 
distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n# CA certificates to create\npki_authorities: []\n\n# Global enable/disable of CA generation\npki_create_ca: true\n\n# Variable name pattern to search ansible vars for other authority definitions\npki_search_authorities_pattern: \"pki_authorities_\"\n\n# Example variables defining certificate authorities\n# pki_authorities_roots:\n#   - name: \"SnakeRoot\"\n#     provider: selfsigned\n#     email_address: \"pki@snakeoil.com\"\n#     basic_constraints: \"CA:TRUE\"\n#     cn: \"Snake Oil Corp Root CA\"\n#     country_name: \"GB\"\n#     state_or_province_name: \"England\"\n#     organization_name: \"Snake Oil Corporation\"\n#     organizational_unit_name: \"IT Security\"\n#     key_usage:\n#       - digitalSignature\n#       - cRLSign\n#       - keyCertSign\n#     ttl: \"3650d\"\n\n#pki_authorities_intermediates:\n#   - name: \"SnakeRootIntermediate\"\n#     email_address: \"pki@snakeoil.com\"\n#     provider: ownca\n#     cn: \"Snake Oil Corp Openstack Infrastructure Intermediate CA\"\n#     country_name: \"GB\"\n#     state_or_province_name: \"England\"\n#     organization_name: \"Snake Oil Corporation\"\n#     organizational_unit_name: \"IT Security\"\n#     key_usage:\n#       - digitalSignature\n#       - cRLSign\n#       - keyCertSign\n#     ttl: \"365d\"\n#     signed_by: \"SnakeRoot\"\n\n# example variable of CA to install\n# pki_install_ca:\n#   # CA created by the PKI role\n#   - name: SnakeRoot\n#\n#   # user provided CA copied from the deploy host (src), to the target (filename)\n#   - src: /opt/my-ca/MyRoot.crt\n#     filename: /etc/ssl/certs/MyRoot.crt\n#\npki_install_ca: []\n\n# Variable name pattern to search ansible vars for other certificate definitions\npki_search_install_ca_pattern: \"pki_install_ca_\"\n\n# set this to the name 
of a CA to regenerate, or to 'true' to regenerate all\npki_regen_ca: \"\"\n\n# Server certificates to create\npki_certificates: []\n\n# Variable name pattern to search ansible vars for other certificate definitions\npki_search_certificates_pattern: \"pki_certificates_\"\n\n# Example variable defining a server certificate\n# pki_certificates_default:\n#   - name: \"SnakeWeb\"\n#     provider: ownca\n#     cn: \"www.snakeoil.com\"\n#     san:\n#       dns:\n#         - www.snakeoil.com\n#         - snakeoil.com\n#   - name: \"SnakeMail\"\n#     signed_by: \"SnakeRootIntermediate\"\n#     provider: ownca\n#     cn: \"imap.snakeoil.com\"\n#     signed_by: \"SnakeRootIntermediate\"\n#     ttl: 30d\n\n# Example variable defining a server certificate from ansible host variables\n# pki_certificates_default:\n#   - name: \"myservice_{{ ansible_facts['hostname'] }}\"\n#     cn: \"{{ ansible_facts['hostname'] }}\"\n#     provider: ownca\n#     san:\n#       dns:\n#         - \"{{ ansible_facts['hostname'] }}\"\n#         - \"{{ ansible_facts['fqdn'] }}\"\n#       ip:\n#         - \"{{ ansible_facts['default_ipv4'] }}\"\n#     signed_by: \"SnakeRootIntermediate\"\n\n# set this to the name of the certificate to regenerate, or to 'true' to regenerate all\npki_regen_cert: \"\"\n\n# host where the generated PKI files are kept\npki_setup_host: localhost\n\n# Python interpreter that will be used during cert generation\npki_setup_host_python_interpreter: \"{{ (pki_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']) }}\"\n\n# certificates to install\npki_install_certificates: []\n\n# Variable name pattern to search ansible vars for other certificate definitions\npki_search_install_certificates_pattern: \"pki_install_certificates_\"\n\n# Example variable for installation of server certificates with optional user supplied cert override\n# pki_install_certificates:\n#     # server certificate\n#   - src: \"{{ user_ssl_cert | 
default(pki_dir ~ '/certs/certs/myservice_' ~ ansible_facts['hostname'] ~ '.crt') }}\"\n#     dest: \"{{ myservice_ssl_cert }}\"\n#     owner: \"root\"\n#     group: \"root\"\n#     mode: \"0644\"\n#     # private key\n#   - src: \"{{ myservice_user_ssl_key | default(pki_dir ~ '/certs/keys/myservice_' ~ ansible_facts['hostname'] ~ '.key.pem') }}\"\n#     dest: \"{{ myservice_ssl_key }}\"\n#     owner: \"myservice\"\n#     group: \"myservice\"\n#     mode: \"0600\"\n#     # intermediate CA\n#   - src: \"{{ myservice_user_ssl_ca_cert | default(pki_dir ~ '/roots/SnakeRootIntermediate/certs/SnakeRootIntermediate.crt') }}\"\n#     dest: \"{{ myservice_ssl_ca_cert }}\"\n#     owner: \"myservice\"\n#     group: \"myservice\"\n#     mode: \"0644\"\n\n# Handlers naming\npki_handler_ca_changed: \"ca cert changed\"\npki_handler_cert_changed: \"cert changed\"\npki_handler_cert_installed: \"cert installed\"\n\n# default backend used to create the certificates\n# NOTE(damiandabrowski): Remove backwards compatibility with pki_method after 2026.1\npki_backend: \"{{ pki_method | default(openstack_pki_backend | default('standalone')) }}\"\n\n# standalone backend variables\n# base directory for the CA and server certificates\npki_dir: \"/etc/pki\"\n# Default permissions used on pki_setup_host\n# pki_owner: \"root\"\n# pki_group: \"root\"\npki_cert_mode: \"0644\"\npki_cert_dir_mode: \"0755\"\npki_key_mode: \"0600\"\npki_key_dir_mode: \"0700\"\n\n# permissions used when files are installed on the target\npki_file_mode:\n  certificate: \"{{ pki_cert_mode }}\"\n  certificate_chain: \"{{ pki_cert_mode }}\"\n  ca_bundle: \"{{ pki_cert_mode }}\"\n  private_key: \"{{ pki_key_mode }}\"\n\n# file ownership when files are installed on the target\n#  applies to all files installed\n#  or, applies to all files not having a more specific owner:group in pki_install_certificates\npki_install_owner: \"root\"\npki_install_group: 
\"root\"\n","created":"2025-12-05T13:22:54.290748Z","updated":"2025-12-05T13:22:54.290759Z","path":"/home/zuul/src/opendev.org/openstack/ansible-role-pki/defaults/main.yml"}