---
upgrade:
  - |
    Kolla Ansible now defaults ``docker_registry_insecure`` to ``false``.
    If you relied on the previous behaviour, please switch it back on
    but bear in mind the consequences as discussed in the related security
    note as well as the linked bug report.
    `LP#1940547 <https://launchpad.net/bugs/1940547>`__
security:
  - |
    Previously, Kolla Ansible, by default (as documented in several places),
    configured Docker to insecure mode for the configured registry (i.e., if
    not using the default one). This is controlled by the
    ``docker_registry_insecure`` variable.
    If operators did not notice this quirk, they could have opened their
    deployments up for potential MITM attacks. See the bug report for
    more discussion.
    `LP#1940547 <https://launchpad.net/bugs/1940547>`__