{"id":325,"sha1":"c13836082f1a1c3d84a76407869f1466c8896c96","playbook":{"id":3,"items":{"plays":37,"tasks":567,"results":554,"hosts":7,"files":221,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":4,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-infrastructure.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-14T10:15:01.440414Z","ended":"2025-12-14T10:21:34.655502Z","duration":"00:06:33.215088","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.13.5","server_version":"1.7.4","status":"completed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-infrastructure.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2017, Rackspace US, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n## SSL\n# These do not need to be configured unless you're creating certificates for\n# services running behind Apache (currently, Horizon and Keystone).\nssl_protocol: \"ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\"\n# Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/\nssl_cipher_suite_tls12: \"{{ ssl_cipher_suite | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM') }}\"\nssl_cipher_suite_tls13: \"TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256\"\n\n#variables used in OSA roles which call the PKI role\nopenstack_pki_dir: \"{{ openstack_config_dir }}/pki\"\nopenstack_pki_service_intermediate_cert_name: \"ExampleCorpIntermediate\"\n\nopenstack_pki_service_intermediate_cert_path: \"{{ openstack_pki_dir ~ '/roots/' ~ openstack_pki_service_intermediate_cert_name ~ '/certs/' ~ openstack_pki_service_intermediate_cert_name ~ '.crt' }}\"\n\n# regenerate the CA or intermediate CA\nopenstack_pki_regen_ca: ''\n\n#example self-signed certificate authority\nopenstack_pki_authorities:\n - name: \"ExampleCorpRoot\"\n   provider: selfsigned\n   basic_constraints: \"CA:TRUE\"\n   cn: \"Example Corp Root CA\"\n   email_address: \"pki@example.com\"\n   country_name: \"GB\"\n   state_or_province_name: \"England\"\n   organization_name: \"Example Corporation\"\n   organizational_unit_name: \"IT Security\"\n   key_usage:\n     - digitalSignature\n     - cRLSign\n     - keyCertSign\n   not_after: \"+3650d\"\n - name: \"ExampleCorpIntermediate\"\n   provider: ownca\n   basic_constraints: \"CA:TRUE,pathlen:0\"\n   cn: \"Example Corp Openstack Infrastructure Intermediate CA\"\n   email_address: \"pki@example.com\"\n   country_name: \"GB\"\n   state_or_province_name: \"England\"\n   organization_name: \"Example Corporation\"\n   organizational_unit_name: \"IT Security\"\n   key_usage:\n     - digitalSignature\n     - cRLSign\n     - keyCertSign\n   not_after: \"+3650d\"\n   signed_by: \"ExampleCorpRoot\"\n\n#install the root CA certificate on all hosts and containers\nopenstack_pki_install_ca:\n - name: \"ExampleCorpRoot\"\n\n# Subject Alternate Name(SAN) for certificates\nopenstack_pki_san: \"{{ 'DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address }}\"\n","created":"2025-12-14T10:15:08.602241Z","updated":"2025-12-14T10:15:08.602252Z","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/group_vars/all/ssl.yml"}