all: children: tempest: hosts: controller: null zuul_unreachable: hosts: {} hosts: controller: ansible_connection: ssh ansible_host: 199.204.45.227 ansible_port: 22 ansible_python_interpreter: auto ansible_user: zuul configure_swap_size: 8192 devstack_local_conf: post-config: $NEUTRON_CONF: DEFAULT: global_physnet_mtu: '{{ external_bridge_mtu }}' /etc/magnum/magnum.conf: cluster_template: kubernetes_allowed_network_drivers: calico,cilium kubernetes_default_network_driver: calico nova_client: api_version: 2.15 /etc/manila/manila.conf: generic: connect_share_server_to_tenant_network: true driver_handles_share_servers: true devstack_localrc: ADMIN_PASSWORD: secretadmin DATABASE_PASSWORD: secretdatabase DEBUG_LIBVIRT_COREDUMPS: true DISABLE_AMP_IMAGE_BUILD: true ENABLE_SYSCTL_MEM_TUNING: true ENABLE_SYSCTL_NET_TUNING: true ENABLE_ZSWAP: true ERROR_ON_CLONE: true FIXED_RANGE: 10.1.0.0/20 FLOATING_RANGE: 172.24.5.0/24 GIT_BASE: https://github.com HOST_IP: '{{ hostvars[''controller''][''nodepool''][''private_ipv4''] }}' IPV4_ADDRS_SAFE_TO_USE: 10.1.0.0/20 LIBVIRT_TYPE: '{{ devstack_libvirt_type | default("qemu") }}' LOGFILE: /opt/stack/logs/devstacklog.txt LOG_COLOR: false MAGNUM_GUEST_IMAGE_URL: '{{ image_url }}' MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS: snapshot_support=True create_share_from_snapshot_support=True MANILA_ENABLED_BACKENDS: generic MANILA_USE_SERVICE_INSTANCE_PASSWORD: true NETWORK_GATEWAY: 10.1.0.1 NOVA_LIBVIRT_TB_CACHE_SIZE: 128 NOVA_VNC_ENABLED: true OCTAVIA_NODE: api OVN_DBS_LOG_LEVEL: dbg PUBLIC_BRIDGE_MTU: '{{ external_bridge_mtu }}' PUBLIC_NETWORK_GATEWAY: 172.24.5.1 RABBIT_PASSWORD: secretrabbit SERVICE_HOST: '{{ hostvars[''controller''][''nodepool''][''private_ipv4''] }}' SERVICE_PASSWORD: secretservice SWIFT_HASH: 1234123412341234 SWIFT_REPLICAS: 1 SWIFT_START_ALL_SERVICES: false VERBOSE: true VERBOSE_NO_TIMESTAMP: true devstack_plugins: barbican: https://github.com/openstack/barbican magnum: https://review.opendev.org/openstack/magnum magnum-cluster-api: https://github.com/vexxhost/magnum-cluster-api manila: https://github.com/openstack/manila octavia: https://github.com/openstack/octavia ovn-octavia-provider: https://github.com/openstack/ovn-octavia-provider devstack_services: base: false c-api: true c-bak: true c-sch: true c-vol: true dstat: false etcd3: true file_tracker: true g-api: true horizon: false key: true memory_tracker: true mysql: true n-api: true n-api-meta: true n-cond: true n-cpu: true n-novnc: true n-sch: true o-api: true o-da: true o-hk: true octavia: true openstack-cli-server: true ovn-controller: true ovn-northd: true ovs-vswitchd: true ovsdb-server: true placement-api: true q-ovn-agent: true q-svc: true rabbit: true s-account: false s-container: false s-object: false s-proxy: false tempest: false tls-proxy: true extensions_to_txt: auto: true conf: true localrc: true log: true stackenv: true image_url: https://github.com/vexxhost/capo-image-elements/releases/latest/download/ubuntu-22.04-{{ kube_tag }}.qcow2 kube_tag: v1.33.11 network_driver: calico nodepool: az: nova cloud: public external_id: e8f48ec0-3d3c-49c5-b0c0-570782fc85be host_id: be92abac58cdf319c41ec3044bb265315879370c10aa7110cfdbfb5f interface_ip: 199.204.45.227 label: ubuntu-noble-16 node_properties: {} private_ipv4: 199.204.45.227 private_ipv6: null provider: yul1 public_ipv4: 199.204.45.227 public_ipv6: 2604:e100:1:0:f816:3eff:fed0:1e44 region: ca-ymq-1 slot: null zuul_copy_output: /etc/ceph: logs /etc/glusterfs/glusterd.vol: logs /etc/libvirt: logs /etc/lvm: logs /etc/resolv.conf: logs /etc/sudoers: logs /etc/sudoers.d: logs /var/log/ceph: logs /var/log/glusterfs: logs /var/log/libvirt: logs /var/log/mysql: logs /var/log/openvswitch: logs /var/log/postgresql: logs /var/log/rabbitmq: logs /var/log/unbound.log: logs '{{ devstack_conf_dir }}/.localrc.auto': logs '{{ devstack_conf_dir }}/.stackenv': logs '{{ devstack_conf_dir }}/local.conf': logs '{{ devstack_conf_dir }}/localrc': logs '{{ devstack_full_log}}': logs '{{ devstack_log_dir }}/atop': logs '{{ devstack_log_dir }}/devstacklog.txt': logs '{{ devstack_log_dir }}/devstacklog.txt.summary': logs '{{ devstack_log_dir }}/dstat-csv.log': logs '{{ devstack_log_dir }}/qemu.coredump': logs '{{ devstack_log_dir }}/tcpdump.pcap': logs '{{ devstack_log_dir }}/worlddump-latest.txt': logs '{{ stage_dir }}/apache': logs '{{ stage_dir }}/apache_config': logs '{{ stage_dir }}/audit.log': logs '{{ stage_dir }}/core': logs '{{ stage_dir }}/deprecations.log': logs '{{ stage_dir }}/df.txt': logs '{{ stage_dir }}/dpkg-l.txt': logs '{{ stage_dir }}/etc': logs '{{ stage_dir }}/iptables.txt': logs '{{ stage_dir }}/listen53.txt': logs '{{ stage_dir }}/mount.txt': logs '{{ stage_dir }}/performance.json': logs '{{ stage_dir }}/pip2-freeze.txt': logs '{{ stage_dir }}/pip3-freeze.txt': logs '{{ stage_dir }}/rpm-qa.txt': logs '{{ stage_dir }}/services.txt': logs '{{ stage_dir }}/verify_tempest_conf.log': logs zuul_node: az: nova cloud: public external_id: e8f48ec0-3d3c-49c5-b0c0-570782fc85be host_id: be92abac58cdf319c41ec3044bb265315879370c10aa7110cfdbfb5f interface_ip: 199.204.45.227 label: ubuntu-noble-16 node_properties: {} private_ipv4: 199.204.45.227 private_ipv6: null provider: yul1 public_ipv4: 199.204.45.227 public_ipv6: 2604:e100:1:0:f816:3eff:fed0:1e44 region: ca-ymq-1 slot: null uuid: null vars: configure_swap_size: 8192 devstack_local_conf: post-config: $NEUTRON_CONF: DEFAULT: global_physnet_mtu: '{{ external_bridge_mtu }}' /etc/magnum/magnum.conf: cluster_template: kubernetes_allowed_network_drivers: calico,cilium kubernetes_default_network_driver: calico nova_client: api_version: 2.15 /etc/manila/manila.conf: generic: connect_share_server_to_tenant_network: true driver_handles_share_servers: true devstack_localrc: ADMIN_PASSWORD: secretadmin DATABASE_PASSWORD: secretdatabase DEBUG_LIBVIRT_COREDUMPS: true DISABLE_AMP_IMAGE_BUILD: true ENABLE_SYSCTL_MEM_TUNING: true ENABLE_SYSCTL_NET_TUNING: true ENABLE_ZSWAP: true ERROR_ON_CLONE: true FIXED_RANGE: 10.1.0.0/20 FLOATING_RANGE: 172.24.5.0/24 GIT_BASE: https://github.com HOST_IP: '{{ hostvars[''controller''][''nodepool''][''private_ipv4''] }}' IPV4_ADDRS_SAFE_TO_USE: 10.1.0.0/20 LIBVIRT_TYPE: '{{ devstack_libvirt_type | default("qemu") }}' LOGFILE: /opt/stack/logs/devstacklog.txt LOG_COLOR: false MAGNUM_GUEST_IMAGE_URL: '{{ image_url }}' MANILA_DEFAULT_SHARE_TYPE_EXTRA_SPECS: snapshot_support=True create_share_from_snapshot_support=True MANILA_ENABLED_BACKENDS: generic MANILA_USE_SERVICE_INSTANCE_PASSWORD: true NETWORK_GATEWAY: 10.1.0.1 NOVA_LIBVIRT_TB_CACHE_SIZE: 128 NOVA_VNC_ENABLED: true OCTAVIA_NODE: api OVN_DBS_LOG_LEVEL: dbg PUBLIC_BRIDGE_MTU: '{{ external_bridge_mtu }}' PUBLIC_NETWORK_GATEWAY: 172.24.5.1 RABBIT_PASSWORD: secretrabbit SERVICE_HOST: '{{ hostvars[''controller''][''nodepool''][''private_ipv4''] }}' SERVICE_PASSWORD: secretservice SWIFT_HASH: 1234123412341234 SWIFT_REPLICAS: 1 SWIFT_START_ALL_SERVICES: false VERBOSE: true VERBOSE_NO_TIMESTAMP: true devstack_plugins: barbican: https://github.com/openstack/barbican magnum: https://review.opendev.org/openstack/magnum magnum-cluster-api: https://github.com/vexxhost/magnum-cluster-api manila: https://github.com/openstack/manila octavia: https://github.com/openstack/octavia ovn-octavia-provider: https://github.com/openstack/ovn-octavia-provider devstack_services: base: false c-api: true c-bak: true c-sch: true c-vol: true dstat: false etcd3: true file_tracker: true g-api: true horizon: false key: true memory_tracker: true mysql: true n-api: true n-api-meta: true n-cond: true n-cpu: true n-novnc: true n-sch: true o-api: true o-da: true o-hk: true octavia: true openstack-cli-server: true ovn-controller: true ovn-northd: true ovs-vswitchd: true ovsdb-server: true placement-api: true q-ovn-agent: true q-svc: true rabbit: true s-account: false s-container: false s-object: false s-proxy: false tempest: false tls-proxy: true extensions_to_txt: auto: true conf: true localrc: true log: true stackenv: true image_url: https://github.com/vexxhost/capo-image-elements/releases/latest/download/ubuntu-22.04-{{ kube_tag }}.qcow2 kube_tag: v1.33.11 network_driver: calico zuul: _inheritance_path: - '' - '' - '' - '' - '' - '' - '' - '' - '' - '' ansible_version: '9' attempts: 1 branch: main build: 106022d6390647b982f989a212c3bba7 build_refs: - branch: main change: '1018' change_message: "fix(keystone_auth): emit Node,RBAC,Webhook authorization-mode and wait for healthz\n\n## Summary\n\nFixes `enable_keystone_auth=true` on CAPI-driven Magnum clusters. Without this PR, clusters that opt in to Keystone webhook authorization either silently bypass the webhook (so Keystone tokens never authorize) or fail to bootstrap entirely because the kube-apiserver static pod crash-loops at startup.\n\nThe change is a single commit touching `src/features/keystone_auth.rs`:\n\n* Set `--authorization-mode=Node,RBAC,Webhook` via a JSON-Patch op against the kustomize input.\n* Strip the kubeadm-default `--authorization-mode=Node,RBAC` line from the kustomize output before writing the manifest back, so kubelet only ever sees a single `--authorization-mode` line.\n* Wait for the `k8s-keystone-auth` Pod to become Ready before declaring post-kubeadm complete.\n\n## Background and analysis\n\n### 1. Authorization mode never reached the apiserver\n\nThe pre-existing `keystone_auth` feature kustomized `/etc/kubernetes/manifests/kube-apiserver.yaml` to add the keystone webhook authorizer, but did not adjust `--authorization-mode`. The running apiserver therefore had only the kubeadm-default `Node,RBAC` modes, never consulted the webhook, and every Keystone-token authenticated request failed with `RBAC: forbidden`.\n\n### 2. Duplicate `--authorization-mode` line crashed the apiserver\n\nkubeadm always writes `--authorization-mode=Node,RBAC` into its apiserver static-pod manifest. The feature's kustomization runs **after** kubeadm, so simply appending `--authorization-mode=Node,RBAC,Webhook` would leave the manifest carrying both lines:\n\n```yaml\n- --authorization-mode=Node,RBAC \ # written by kubeadm\n- --authorization-mode=Node,RBAC,Webhook \ # appended by us\n```\n\n`--authorization-mode` is a `pflag.StringSliceVar` which **appends** repeated flag values rather than last-occurrence-wins. The apiserver process therefore receives `[\"Node\",\"RBAC\",\"Node\",\"RBAC\",\"Webhook\"]` and bails at startup with:\n\n```\nauthorization-mode [\"Node\" \"RBAC\" \"Node\" \"RBAC\" \"Webhook\"]\n has mode specified more than once\n```\n\n`kube-apiserver` enters CrashLoopBackOff, KCP never reaches `APIServerAvailable=true`, the cluster fails NodeStartupTimeout. **This is the failure mode every `enable_keystone_auth=true` cluster hits without this PR.**\n\nThe fix here pipes the kustomize output through `sed '/^[[:space:]]*- --authorization-mode=Node,RBAC$/d'` before writing the manifest, so the kubeadm-default line is removed and only the `Node,RBAC,Webhook` line remains.\n\n### 3. Cluster bootstrap raced ahead of the keystone webhook deployment\n\nThe post-kubeadm command sequence proceeded as soon as the apiserver TCP port was open, but the `k8s-keystone-auth` Deployment was still rolling out. Webhook calls during that window returned `connection refused`, which the apiserver caches negatively and surfaces as authentication failures for several seconds after the webhook is actually up.\n\nFix: append `kubectl wait --for=condition=Ready` against the `k8s-keystone-auth` Pod to the post-kubeadm commands so the cluster does not register Ready until the webhook actually serves requests.\n\n## Validation\n\nEnd-to-end on a CAPI baremetal cluster created with `enable_keystone_auth=true`:\n\n```\n$ kubectl -n kube-system get pod -l component=kube-apiserver\nNAME READY \ STATUS RESTARTS AGE\nkube-apiserver- 1/1 Running \ 0 8m44s\n\n$ ssh master 'grep authorization-mode /etc/kubernetes/manifests/kube-apiserver.yaml'\n \ - --authorization-mode=Node,RBAC,Webhook # exactly one occurrence\n\n$ kubectl -n kube-system get pod -l app=k8s-keystone-auth\nNAME READY \ STATUS RESTARTS AGE\nk8s-keystone-auth-XXXXX 1/1 Running 0 \ 7m59s\n```\n\n* KubeadmControlPlane reports `APIServerAvailable=true`.\n* Cluster reaches `CREATE_COMPLETE` cleanly.\n* Keystone-token authenticated `kubectl` requests succeed.\n\nTwo unit tests in `src/features/keystone_auth.rs` cover the patch emission and the post-kubeadm command pipeline; both pass with `cargo test`.\n\n## Notes\n\n* The `sed` filter is anchored on whole-line, leading-whitespace tolerant, and only matches the literal `--authorization-mode=Node,RBAC` value \u2014 it cannot accidentally remove a future `Node,RBAC,Foo` value or any line that merely contains the substring.\n* No new label, no new operator-facing knob; the feature is a behaviour fix gated by the existing `enable_keystone_auth=true` label.\n" change_url: https://github.com/vexxhost/magnum-cluster-api/pull/1018 commit_id: ff397654b0e360ba3421b1e80fb0534117b2d797 patchset: ff397654b0e360ba3421b1e80fb0534117b2d797 project: canonical_hostname: github.com canonical_name: github.com/vexxhost/magnum-cluster-api name: vexxhost/magnum-cluster-api short_name: magnum-cluster-api src_dir: src/github.com/vexxhost/magnum-cluster-api src_dir: src/github.com/vexxhost/magnum-cluster-api topic: null buildset: 21cff13a30574ea7bebf2678898f9427 buildset_refs: - branch: main change: '1018' change_message: "fix(keystone_auth): emit Node,RBAC,Webhook authorization-mode and wait for healthz\n\n## Summary\n\nFixes `enable_keystone_auth=true` on CAPI-driven Magnum clusters. Without this PR, clusters that opt in to Keystone webhook authorization either silently bypass the webhook (so Keystone tokens never authorize) or fail to bootstrap entirely because the kube-apiserver static pod crash-loops at startup.\n\nThe change is a single commit touching `src/features/keystone_auth.rs`:\n\n* Set `--authorization-mode=Node,RBAC,Webhook` via a JSON-Patch op against the kustomize input.\n* Strip the kubeadm-default `--authorization-mode=Node,RBAC` line from the kustomize output before writing the manifest back, so kubelet only ever sees a single `--authorization-mode` line.\n* Wait for the `k8s-keystone-auth` Pod to become Ready before declaring post-kubeadm complete.\n\n## Background and analysis\n\n### 1. Authorization mode never reached the apiserver\n\nThe pre-existing `keystone_auth` feature kustomized `/etc/kubernetes/manifests/kube-apiserver.yaml` to add the keystone webhook authorizer, but did not adjust `--authorization-mode`. The running apiserver therefore had only the kubeadm-default `Node,RBAC` modes, never consulted the webhook, and every Keystone-token authenticated request failed with `RBAC: forbidden`.\n\n### 2. Duplicate `--authorization-mode` line crashed the apiserver\n\nkubeadm always writes `--authorization-mode=Node,RBAC` into its apiserver static-pod manifest. The feature's kustomization runs **after** kubeadm, so simply appending `--authorization-mode=Node,RBAC,Webhook` would leave the manifest carrying both lines:\n\n```yaml\n- --authorization-mode=Node,RBAC \ # written by kubeadm\n- --authorization-mode=Node,RBAC,Webhook \ # appended by us\n```\n\n`--authorization-mode` is a `pflag.StringSliceVar` which **appends** repeated flag values rather than last-occurrence-wins. The apiserver process therefore receives `[\"Node\",\"RBAC\",\"Node\",\"RBAC\",\"Webhook\"]` and bails at startup with:\n\n```\nauthorization-mode [\"Node\" \"RBAC\" \"Node\" \"RBAC\" \"Webhook\"]\n has mode specified more than once\n```\n\n`kube-apiserver` enters CrashLoopBackOff, KCP never reaches `APIServerAvailable=true`, the cluster fails NodeStartupTimeout. **This is the failure mode every `enable_keystone_auth=true` cluster hits without this PR.**\n\nThe fix here pipes the kustomize output through `sed '/^[[:space:]]*- --authorization-mode=Node,RBAC$/d'` before writing the manifest, so the kubeadm-default line is removed and only the `Node,RBAC,Webhook` line remains.\n\n### 3. Cluster bootstrap raced ahead of the keystone webhook deployment\n\nThe post-kubeadm command sequence proceeded as soon as the apiserver TCP port was open, but the `k8s-keystone-auth` Deployment was still rolling out. Webhook calls during that window returned `connection refused`, which the apiserver caches negatively and surfaces as authentication failures for several seconds after the webhook is actually up.\n\nFix: append `kubectl wait --for=condition=Ready` against the `k8s-keystone-auth` Pod to the post-kubeadm commands so the cluster does not register Ready until the webhook actually serves requests.\n\n## Validation\n\nEnd-to-end on a CAPI baremetal cluster created with `enable_keystone_auth=true`:\n\n```\n$ kubectl -n kube-system get pod -l component=kube-apiserver\nNAME READY \ STATUS RESTARTS AGE\nkube-apiserver- 1/1 Running \ 0 8m44s\n\n$ ssh master 'grep authorization-mode /etc/kubernetes/manifests/kube-apiserver.yaml'\n \ - --authorization-mode=Node,RBAC,Webhook # exactly one occurrence\n\n$ kubectl -n kube-system get pod -l app=k8s-keystone-auth\nNAME READY \ STATUS RESTARTS AGE\nk8s-keystone-auth-XXXXX 1/1 Running 0 \ 7m59s\n```\n\n* KubeadmControlPlane reports `APIServerAvailable=true`.\n* Cluster reaches `CREATE_COMPLETE` cleanly.\n* Keystone-token authenticated `kubectl` requests succeed.\n\nTwo unit tests in `src/features/keystone_auth.rs` cover the patch emission and the post-kubeadm command pipeline; both pass with `cargo test`.\n\n## Notes\n\n* The `sed` filter is anchored on whole-line, leading-whitespace tolerant, and only matches the literal `--authorization-mode=Node,RBAC` value \u2014 it cannot accidentally remove a future `Node,RBAC,Foo` value or any line that merely contains the substring.\n* No new label, no new operator-facing knob; the feature is a behaviour fix gated by the existing `enable_keystone_auth=true` label.\n" change_url: https://github.com/vexxhost/magnum-cluster-api/pull/1018 commit_id: ff397654b0e360ba3421b1e80fb0534117b2d797 patchset: ff397654b0e360ba3421b1e80fb0534117b2d797 project: canonical_hostname: github.com canonical_name: github.com/vexxhost/magnum-cluster-api name: vexxhost/magnum-cluster-api short_name: magnum-cluster-api src_dir: src/github.com/vexxhost/magnum-cluster-api src_dir: src/github.com/vexxhost/magnum-cluster-api topic: null change: '1018' change_message: "fix(keystone_auth): emit Node,RBAC,Webhook authorization-mode and wait for healthz\n\n## Summary\n\nFixes `enable_keystone_auth=true` on CAPI-driven Magnum clusters. Without this PR, clusters that opt in to Keystone webhook authorization either silently bypass the webhook (so Keystone tokens never authorize) or fail to bootstrap entirely because the kube-apiserver static pod crash-loops at startup.\n\nThe change is a single commit touching `src/features/keystone_auth.rs`:\n\n* Set `--authorization-mode=Node,RBAC,Webhook` via a JSON-Patch op against the kustomize input.\n* Strip the kubeadm-default `--authorization-mode=Node,RBAC` line from the kustomize output before writing the manifest back, so kubelet only ever sees a single `--authorization-mode` line.\n* Wait for the `k8s-keystone-auth` Pod to become Ready before declaring post-kubeadm complete.\n\n## Background and analysis\n\n### 1. Authorization mode never reached the apiserver\n\nThe pre-existing `keystone_auth` feature kustomized `/etc/kubernetes/manifests/kube-apiserver.yaml` to add the keystone webhook authorizer, but did not adjust `--authorization-mode`. The running apiserver therefore had only the kubeadm-default `Node,RBAC` modes, never consulted the webhook, and every Keystone-token authenticated request failed with `RBAC: forbidden`.\n\n### 2. Duplicate `--authorization-mode` line crashed the apiserver\n\nkubeadm always writes `--authorization-mode=Node,RBAC` into its apiserver static-pod manifest. The feature's kustomization runs **after** kubeadm, so simply appending `--authorization-mode=Node,RBAC,Webhook` would leave the manifest carrying both lines:\n\n```yaml\n- --authorization-mode=Node,RBAC \ # written by kubeadm\n- --authorization-mode=Node,RBAC,Webhook # appended by us\n```\n\n`--authorization-mode` is a `pflag.StringSliceVar` which **appends** repeated flag values rather than last-occurrence-wins. The apiserver process therefore receives `[\"Node\",\"RBAC\",\"Node\",\"RBAC\",\"Webhook\"]` and bails at startup with:\n\n```\nauthorization-mode [\"Node\" \"RBAC\" \"Node\" \"RBAC\" \"Webhook\"]\n has mode specified more than once\n```\n\n`kube-apiserver` enters CrashLoopBackOff, KCP never reaches `APIServerAvailable=true`, the cluster fails NodeStartupTimeout. **This is the failure mode every `enable_keystone_auth=true` cluster hits without this PR.**\n\nThe fix here pipes the kustomize output through `sed '/^[[:space:]]*- --authorization-mode=Node,RBAC$/d'` before writing the manifest, so the kubeadm-default line is removed and only the `Node,RBAC,Webhook` line remains.\n\n### 3. Cluster bootstrap raced ahead of the keystone webhook deployment\n\nThe post-kubeadm command sequence proceeded as soon as the apiserver TCP port was open, but the `k8s-keystone-auth` Deployment was still rolling out. Webhook calls during that window returned `connection refused`, which the apiserver caches negatively and surfaces as authentication failures for several seconds after the webhook is actually up.\n\nFix: append `kubectl wait --for=condition=Ready` against the `k8s-keystone-auth` Pod to the post-kubeadm commands so the cluster does not register Ready until the webhook actually serves requests.\n\n## Validation\n\nEnd-to-end on a CAPI baremetal cluster created with `enable_keystone_auth=true`:\n\n```\n$ kubectl -n kube-system get pod -l component=kube-apiserver\nNAME READY STATUS \ RESTARTS AGE\nkube-apiserver- 1/1 Running 0 8m44s\n\n$ ssh master 'grep authorization-mode /etc/kubernetes/manifests/kube-apiserver.yaml'\n \ - --authorization-mode=Node,RBAC,Webhook # exactly one occurrence\n\n$ kubectl -n kube-system get pod -l app=k8s-keystone-auth\nNAME READY \ STATUS RESTARTS AGE\nk8s-keystone-auth-XXXXX 1/1 Running 0 \ 7m59s\n```\n\n* KubeadmControlPlane reports `APIServerAvailable=true`.\n* Cluster reaches `CREATE_COMPLETE` cleanly.\n* Keystone-token authenticated `kubectl` requests succeed.\n\nTwo unit tests in `src/features/keystone_auth.rs` cover the patch emission and the post-kubeadm command pipeline; both pass with `cargo test`.\n\n## Notes\n\n* The `sed` filter is anchored on whole-line, leading-whitespace tolerant, and only matches the literal `--authorization-mode=Node,RBAC` value \u2014 it cannot accidentally remove a future `Node,RBAC,Foo` value or any line that merely contains the substring.\n* No new label, no new operator-facing knob; the feature is a behaviour fix gated by the existing `enable_keystone_auth=true` label.\n" change_url: https://github.com/vexxhost/magnum-cluster-api/pull/1018 child_jobs: [] commit_id: ff397654b0e360ba3421b1e80fb0534117b2d797 event_id: 2a3871c0-4f56-11f1-9186-38f70cf8bd66 executor: hostname: 2d72f0692154 inventory_file: /var/lib/zuul/builds/106022d6390647b982f989a212c3bba7/ansible/inventory.yaml log_root: /var/lib/zuul/builds/106022d6390647b982f989a212c3bba7/work/logs result_data_file: /var/lib/zuul/builds/106022d6390647b982f989a212c3bba7/work/results.json src_root: /var/lib/zuul/builds/106022d6390647b982f989a212c3bba7/work/src work_root: /var/lib/zuul/builds/106022d6390647b982f989a212c3bba7/work include_vars: [] items: - branch: main change: '1018' change_message: "fix(keystone_auth): emit Node,RBAC,Webhook authorization-mode and wait for healthz\n\n## Summary\n\nFixes `enable_keystone_auth=true` on CAPI-driven Magnum clusters. Without this PR, clusters that opt in to Keystone webhook authorization either silently bypass the webhook (so Keystone tokens never authorize) or fail to bootstrap entirely because the kube-apiserver static pod crash-loops at startup.\n\nThe change is a single commit touching `src/features/keystone_auth.rs`:\n\n* Set `--authorization-mode=Node,RBAC,Webhook` via a JSON-Patch op against the kustomize input.\n* Strip the kubeadm-default `--authorization-mode=Node,RBAC` line from the kustomize output before writing the manifest back, so kubelet only ever sees a single `--authorization-mode` line.\n* Wait for the `k8s-keystone-auth` Pod to become Ready before declaring post-kubeadm complete.\n\n## Background and analysis\n\n### 1. Authorization mode never reached the apiserver\n\nThe pre-existing `keystone_auth` feature kustomized `/etc/kubernetes/manifests/kube-apiserver.yaml` to add the keystone webhook authorizer, but did not adjust `--authorization-mode`. The running apiserver therefore had only the kubeadm-default `Node,RBAC` modes, never consulted the webhook, and every Keystone-token authenticated request failed with `RBAC: forbidden`.\n\n### 2. Duplicate `--authorization-mode` line crashed the apiserver\n\nkubeadm always writes `--authorization-mode=Node,RBAC` into its apiserver static-pod manifest. The feature's kustomization runs **after** kubeadm, so simply appending `--authorization-mode=Node,RBAC,Webhook` would leave the manifest carrying both lines:\n\n```yaml\n- --authorization-mode=Node,RBAC \ # written by kubeadm\n- --authorization-mode=Node,RBAC,Webhook \ # appended by us\n```\n\n`--authorization-mode` is a `pflag.StringSliceVar` which **appends** repeated flag values rather than last-occurrence-wins. The apiserver process therefore receives `[\"Node\",\"RBAC\",\"Node\",\"RBAC\",\"Webhook\"]` and bails at startup with:\n\n```\nauthorization-mode [\"Node\" \"RBAC\" \"Node\" \"RBAC\" \"Webhook\"]\n has mode specified more than once\n```\n\n`kube-apiserver` enters CrashLoopBackOff, KCP never reaches `APIServerAvailable=true`, the cluster fails NodeStartupTimeout. **This is the failure mode every `enable_keystone_auth=true` cluster hits without this PR.**\n\nThe fix here pipes the kustomize output through `sed '/^[[:space:]]*- --authorization-mode=Node,RBAC$/d'` before writing the manifest, so the kubeadm-default line is removed and only the `Node,RBAC,Webhook` line remains.\n\n### 3. Cluster bootstrap raced ahead of the keystone webhook deployment\n\nThe post-kubeadm command sequence proceeded as soon as the apiserver TCP port was open, but the `k8s-keystone-auth` Deployment was still rolling out. Webhook calls during that window returned `connection refused`, which the apiserver caches negatively and surfaces as authentication failures for several seconds after the webhook is actually up.\n\nFix: append `kubectl wait --for=condition=Ready` against the `k8s-keystone-auth` Pod to the post-kubeadm commands so the cluster does not register Ready until the webhook actually serves requests.\n\n## Validation\n\nEnd-to-end on a CAPI baremetal cluster created with `enable_keystone_auth=true`:\n\n```\n$ kubectl -n kube-system get pod -l component=kube-apiserver\nNAME READY \ STATUS RESTARTS AGE\nkube-apiserver- 1/1 Running \ 0 8m44s\n\n$ ssh master 'grep authorization-mode /etc/kubernetes/manifests/kube-apiserver.yaml'\n \ - --authorization-mode=Node,RBAC,Webhook # exactly one occurrence\n\n$ kubectl -n kube-system get pod -l app=k8s-keystone-auth\nNAME READY \ STATUS RESTARTS AGE\nk8s-keystone-auth-XXXXX 1/1 Running 0 \ 7m59s\n```\n\n* KubeadmControlPlane reports `APIServerAvailable=true`.\n* Cluster reaches `CREATE_COMPLETE` cleanly.\n* Keystone-token authenticated `kubectl` requests succeed.\n\nTwo unit tests in `src/features/keystone_auth.rs` cover the patch emission and the post-kubeadm command pipeline; both pass with `cargo test`.\n\n## Notes\n\n* The `sed` filter is anchored on whole-line, leading-whitespace tolerant, and only matches the literal `--authorization-mode=Node,RBAC` value \u2014 it cannot accidentally remove a future `Node,RBAC,Foo` value or any line that merely contains the substring.\n* No new label, no new operator-facing knob; the feature is a behaviour fix gated by the existing `enable_keystone_auth=true` label.\n" change_url: https://github.com/vexxhost/magnum-cluster-api/pull/1018 commit_id: ff397654b0e360ba3421b1e80fb0534117b2d797 patchset: ff397654b0e360ba3421b1e80fb0534117b2d797 project: canonical_hostname: github.com canonical_name: github.com/vexxhost/magnum-cluster-api name: vexxhost/magnum-cluster-api short_name: magnum-cluster-api src_dir: src/github.com/vexxhost/magnum-cluster-api topic: null job: magnum-cluster-api-hydrophone-v1.33.11-calico jobtags: [] max_attempts: 3 message: Zml4KGtleXN0b25lX2F1dGgpOiBlbWl0IE5vZGUsUkJBQyxXZWJob29rIGF1dGhvcml6YXRpb24tbW9kZSBhbmQgd2FpdCBmb3IgaGVhbHRoegoKIyMgU3VtbWFyeQoKRml4ZXMgYGVuYWJsZV9rZXlzdG9uZV9hdXRoPXRydWVgIG9uIENBUEktZHJpdmVuIE1hZ251bSBjbHVzdGVycy4gV2l0aG91dCB0aGlzIFBSLCBjbHVzdGVycyB0aGF0IG9wdCBpbiB0byBLZXlzdG9uZSB3ZWJob29rIGF1dGhvcml6YXRpb24gZWl0aGVyIHNpbGVudGx5IGJ5cGFzcyB0aGUgd2ViaG9vayAoc28gS2V5c3RvbmUgdG9rZW5zIG5ldmVyIGF1dGhvcml6ZSkgb3IgZmFpbCB0byBib290c3RyYXAgZW50aXJlbHkgYmVjYXVzZSB0aGUga3ViZS1hcGlzZXJ2ZXIgc3RhdGljIHBvZCBjcmFzaC1sb29wcyBhdCBzdGFydHVwLgoKVGhlIGNoYW5nZSBpcyBhIHNpbmdsZSBjb21taXQgdG91Y2hpbmcgYHNyYy9mZWF0dXJlcy9rZXlzdG9uZV9hdXRoLnJzYDoKCiogU2V0IGAtLWF1dGhvcml6YXRpb24tbW9kZT1Ob2RlLFJCQUMsV2ViaG9va2AgdmlhIGEgSlNPTi1QYXRjaCBvcCBhZ2FpbnN0IHRoZSBrdXN0b21pemUgaW5wdXQuCiogU3RyaXAgdGhlIGt1YmVhZG0tZGVmYXVsdCBgLS1hdXRob3JpemF0aW9uLW1vZGU9Tm9kZSxSQkFDYCBsaW5lIGZyb20gdGhlIGt1c3RvbWl6ZSBvdXRwdXQgYmVmb3JlIHdyaXRpbmcgdGhlIG1hbmlmZXN0IGJhY2ssIHNvIGt1YmVsZXQgb25seSBldmVyIHNlZXMgYSBzaW5nbGUgYC0tYXV0aG9yaXphdGlvbi1tb2RlYCBsaW5lLgoqIFdhaXQgZm9yIHRoZSBgazhzLWtleXN0b25lLWF1dGhgIFBvZCB0byBiZWNvbWUgUmVhZHkgYmVmb3JlIGRlY2xhcmluZyBwb3N0LWt1YmVhZG0gY29tcGxldGUuCgojIyBCYWNrZ3JvdW5kIGFuZCBhbmFseXNpcwoKIyMjIDEuIEF1dGhvcml6YXRpb24gbW9kZSBuZXZlciByZWFjaGVkIHRoZSBhcGlzZXJ2ZXIKClRoZSBwcmUtZXhpc3RpbmcgYGtleXN0b25lX2F1dGhgIGZlYXR1cmUga3VzdG9taXplZCBgL2V0Yy9rdWJlcm5ldGVzL21hbmlmZXN0cy9rdWJlLWFwaXNlcnZlci55YW1sYCB0byBhZGQgdGhlIGtleXN0b25lIHdlYmhvb2sgYXV0aG9yaXplciwgYnV0IGRpZCBub3QgYWRqdXN0IGAtLWF1dGhvcml6YXRpb24tbW9kZWAuIFRoZSBydW5uaW5nIGFwaXNlcnZlciB0aGVyZWZvcmUgaGFkIG9ubHkgdGhlIGt1YmVhZG0tZGVmYXVsdCBgTm9kZSxSQkFDYCBtb2RlcywgbmV2ZXIgY29uc3VsdGVkIHRoZSB3ZWJob29rLCBhbmQgZXZlcnkgS2V5c3RvbmUtdG9rZW4gYXV0aGVudGljYXRlZCByZXF1ZXN0IGZhaWxlZCB3aXRoIGBSQkFDOiBmb3JiaWRkZW5gLgoKIyMjIDIuIER1cGxpY2F0ZSBgLS1hdXRob3JpemF0aW9uLW1vZGVgIGxpbmUgY3Jhc2hlZCB0aGUgYXBpc2VydmVyCgprdWJlYWRtIGFsd2F5cyB3cml0ZXMgYC0tYXV0aG9yaXphdGlvbi1tb2RlPU5vZGUsUkJBQ2AgaW50byBpdHMgYXBpc2VydmVyIHN0YXRpYy1wb2QgbWFuaWZlc3QuIFRoZSBmZWF0dXJlJ3Mga3VzdG9taXphdGlvbiBydW5zICoqYWZ0ZXIqKiBrdWJlYWRtLCBzbyBzaW1wbHkgYXBwZW5kaW5nIGAtLWF1dGhvcml6YXRpb24tbW9kZT1Ob2RlLFJCQUMsV2ViaG9va2Agd291bGQgbGVhdmUgdGhlIG1hbmlmZXN0IGNhcnJ5aW5nIGJvdGggbGluZXM6CgpgYGB5YW1sCi0gLS1hdXRob3JpemF0aW9uLW1vZGU9Tm9kZSxSQkFDICAgICAgICAgICMgd3JpdHRlbiBieSBrdWJlYWRtCi0gLS1hdXRob3JpemF0aW9uLW1vZGU9Tm9kZSxSQkFDLFdlYmhvb2sgICMgYXBwZW5kZWQgYnkgdXMKYGBgCgpgLS1hdXRob3JpemF0aW9uLW1vZGVgIGlzIGEgYHBmbGFnLlN0cmluZ1NsaWNlVmFyYCB3aGljaCAqKmFwcGVuZHMqKiByZXBlYXRlZCBmbGFnIHZhbHVlcyByYXRoZXIgdGhhbiBsYXN0LW9jY3VycmVuY2Utd2lucy4gVGhlIGFwaXNlcnZlciBwcm9jZXNzIHRoZXJlZm9yZSByZWNlaXZlcyBgWyJOb2RlIiwiUkJBQyIsIk5vZGUiLCJSQkFDIiwiV2ViaG9vayJdYCBhbmQgYmFpbHMgYXQgc3RhcnR1cCB3aXRoOgoKYGBgCmF1dGhvcml6YXRpb24tbW9kZSBbIk5vZGUiICJSQkFDIiAiTm9kZSIgIlJCQUMiICJXZWJob29rIl0KICBoYXMgbW9kZSBzcGVjaWZpZWQgbW9yZSB0aGFuIG9uY2UKYGBgCgpga3ViZS1hcGlzZXJ2ZXJgIGVudGVycyBDcmFzaExvb3BCYWNrT2ZmLCBLQ1AgbmV2ZXIgcmVhY2hlcyBgQVBJU2VydmVyQXZhaWxhYmxlPXRydWVgLCB0aGUgY2x1c3RlciBmYWlscyBOb2RlU3RhcnR1cFRpbWVvdXQuICoqVGhpcyBpcyB0aGUgZmFpbHVyZSBtb2RlIGV2ZXJ5IGBlbmFibGVfa2V5c3RvbmVfYXV0aD10cnVlYCBjbHVzdGVyIGhpdHMgd2l0aG91dCB0aGlzIFBSLioqCgpUaGUgZml4IGhlcmUgcGlwZXMgdGhlIGt1c3RvbWl6ZSBvdXRwdXQgdGhyb3VnaCBgc2VkICcvXltbOnNwYWNlOl1dKi0gLS1hdXRob3JpemF0aW9uLW1vZGU9Tm9kZSxSQkFDJC9kJ2AgYmVmb3JlIHdyaXRpbmcgdGhlIG1hbmlmZXN0LCBzbyB0aGUga3ViZWFkbS1kZWZhdWx0IGxpbmUgaXMgcmVtb3ZlZCBhbmQgb25seSB0aGUgYE5vZGUsUkJBQyxXZWJob29rYCBsaW5lIHJlbWFpbnMuCgojIyMgMy4gQ2x1c3RlciBib290c3RyYXAgcmFjZWQgYWhlYWQgb2YgdGhlIGtleXN0b25lIHdlYmhvb2sgZGVwbG95bWVudAoKVGhlIHBvc3Qta3ViZWFkbSBjb21tYW5kIHNlcXVlbmNlIHByb2NlZWRlZCBhcyBzb29uIGFzIHRoZSBhcGlzZXJ2ZXIgVENQIHBvcnQgd2FzIG9wZW4sIGJ1dCB0aGUgYGs4cy1rZXlzdG9uZS1hdXRoYCBEZXBsb3ltZW50IHdhcyBzdGlsbCByb2xsaW5nIG91dC4gV2ViaG9vayBjYWxscyBkdXJpbmcgdGhhdCB3aW5kb3cgcmV0dXJuZWQgYGNvbm5lY3Rpb24gcmVmdXNlZGAsIHdoaWNoIHRoZSBhcGlzZXJ2ZXIgY2FjaGVzIG5lZ2F0aXZlbHkgYW5kIHN1cmZhY2VzIGFzIGF1dGhlbnRpY2F0aW9uIGZhaWx1cmVzIGZvciBzZXZlcmFsIHNlY29uZHMgYWZ0ZXIgdGhlIHdlYmhvb2sgaXMgYWN0dWFsbHkgdXAuCgpGaXg6IGFwcGVuZCBga3ViZWN0bCB3YWl0IC0tZm9yPWNvbmRpdGlvbj1SZWFkeWAgYWdhaW5zdCB0aGUgYGs4cy1rZXlzdG9uZS1hdXRoYCBQb2QgdG8gdGhlIHBvc3Qta3ViZWFkbSBjb21tYW5kcyBzbyB0aGUgY2x1c3RlciBkb2VzIG5vdCByZWdpc3RlciBSZWFkeSB1bnRpbCB0aGUgd2ViaG9vayBhY3R1YWxseSBzZXJ2ZXMgcmVxdWVzdHMuCgojIyBWYWxpZGF0aW9uCgpFbmQtdG8tZW5kIG9uIGEgQ0FQSSBiYXJlbWV0YWwgY2x1c3RlciBjcmVhdGVkIHdpdGggYGVuYWJsZV9rZXlzdG9uZV9hdXRoPXRydWVgOgoKYGBgCiQga3ViZWN0bCAtbiBrdWJlLXN5c3RlbSBnZXQgcG9kIC1sIGNvbXBvbmVudD1rdWJlLWFwaXNlcnZlcgpOQU1FICAgICAgICAgICAgICAgICAgICAgICAgICBSRUFEWSAgIFNUQVRVUyAgICBSRVNUQVJUUyAgIEFHRQprdWJlLWFwaXNlcnZlci08bWFzdGVyPiAgICAgICAxLzEgICAgIFJ1bm5pbmcgICAwICAgICAgICAgIDhtNDRzCgokIHNzaCBtYXN0ZXIgJ2dyZXAgYXV0aG9yaXphdGlvbi1tb2RlIC9ldGMva3ViZXJuZXRlcy9tYW5pZmVzdHMva3ViZS1hcGlzZXJ2ZXIueWFtbCcKICAgIC0gLS1hdXRob3JpemF0aW9uLW1vZGU9Tm9kZSxSQkFDLFdlYmhvb2sgICAgICAgICMgZXhhY3RseSBvbmUgb2NjdXJyZW5jZQoKJCBrdWJlY3RsIC1uIGt1YmUtc3lzdGVtIGdldCBwb2QgLWwgYXBwPWs4cy1rZXlzdG9uZS1hdXRoCk5BTUUgICAgICAgICAgICAgICAgICAgICAgUkVBRFkgICBTVEFUVVMgICAgUkVTVEFSVFMgICBBR0UKazhzLWtleXN0b25lLWF1dGgtWFhYWFggICAxLzEgICAgIFJ1bm5pbmcgICAwICAgICAgICAgIDdtNTlzCmBgYAoKKiBLdWJlYWRtQ29udHJvbFBsYW5lIHJlcG9ydHMgYEFQSVNlcnZlckF2YWlsYWJsZT10cnVlYC4KKiBDbHVzdGVyIHJlYWNoZXMgYENSRUFURV9DT01QTEVURWAgY2xlYW5seS4KKiBLZXlzdG9uZS10b2tlbiBhdXRoZW50aWNhdGVkIGBrdWJlY3RsYCByZXF1ZXN0cyBzdWNjZWVkLgoKVHdvIHVuaXQgdGVzdHMgaW4gYHNyYy9mZWF0dXJlcy9rZXlzdG9uZV9hdXRoLnJzYCBjb3ZlciB0aGUgcGF0Y2ggZW1pc3Npb24gYW5kIHRoZSBwb3N0LWt1YmVhZG0gY29tbWFuZCBwaXBlbGluZTsgYm90aCBwYXNzIHdpdGggYGNhcmdvIHRlc3RgLgoKIyMgTm90ZXMKCiogVGhlIGBzZWRgIGZpbHRlciBpcyBhbmNob3JlZCBvbiB3aG9sZS1saW5lLCBsZWFkaW5nLXdoaXRlc3BhY2UgdG9sZXJhbnQsIGFuZCBvbmx5IG1hdGNoZXMgdGhlIGxpdGVyYWwgYC0tYXV0aG9yaXphdGlvbi1tb2RlPU5vZGUsUkJBQ2AgdmFsdWUg4oCUIGl0IGNhbm5vdCBhY2NpZGVudGFsbHkgcmVtb3ZlIGEgZnV0dXJlIGBOb2RlLFJCQUMsRm9vYCB2YWx1ZSBvciBhbnkgbGluZSB0aGF0IG1lcmVseSBjb250YWlucyB0aGUgc3Vic3RyaW5nLgoqIE5vIG5ldyBsYWJlbCwgbm8gbmV3IG9wZXJhdG9yLWZhY2luZyBrbm9iOyB0aGUgZmVhdHVyZSBpcyBhIGJlaGF2aW91ciBmaXggZ2F0ZWQgYnkgdGhlIGV4aXN0aW5nIGBlbmFibGVfa2V5c3RvbmVfYXV0aD10cnVlYCBsYWJlbC4K override_checkout: master patchset: ff397654b0e360ba3421b1e80fb0534117b2d797 pipeline: check playbook_context: playbook_projects: trusted/project_0/github.com/vexxhost/zuul-config: canonical_name: github.com/vexxhost/zuul-config checkout: main commit: 298983cd1253e6833abdb49d87d912527e0e6597 trusted/project_1/opendev.org/zuul/zuul-jobs: canonical_name: opendev.org/zuul/zuul-jobs checkout: master commit: 79fe3eb1d01f8ac5739b0b7bc4759c407b6e248d trusted/project_2/github.com/vexxhost/zuul-jobs: canonical_name: github.com/vexxhost/zuul-jobs checkout: main commit: a6e68243e02ef030ce5e75f8b67630880c475f33 untrusted/project_0/opendev.org/openstack/devstack: canonical_name: opendev.org/openstack/devstack checkout: master commit: 81ed81ebbee6642f0959d6dd0480ed42ab383e30 untrusted/project_1/opendev.org/openstack/openstack-zuul-jobs: canonical_name: opendev.org/openstack/openstack-zuul-jobs checkout: master commit: 26e5947a427032d10118c88870adef4b7b95d3ee untrusted/project_2/github.com/vexxhost/zuul-config: canonical_name: github.com/vexxhost/zuul-config checkout: main commit: 298983cd1253e6833abdb49d87d912527e0e6597 untrusted/project_3/opendev.org/zuul/zuul-jobs: canonical_name: opendev.org/zuul/zuul-jobs checkout: master commit: 79fe3eb1d01f8ac5739b0b7bc4759c407b6e248d untrusted/project_4/github.com/vexxhost/zuul-jobs: canonical_name: github.com/vexxhost/zuul-jobs checkout: main commit: a6e68243e02ef030ce5e75f8b67630880c475f33 untrusted/project_5/github.com/vexxhost/magnum-cluster-api: canonical_name: github.com/vexxhost/magnum-cluster-api checkout: main commit: 7dd0dbe29dffb1708c8696fb6e981b642b8efb45 playbooks: - path: untrusted/project_5/github.com/vexxhost/magnum-cluster-api/zuul.d/playbooks/hydrophone/run.yml roles: - checkout: master checkout_description: job override ref link_name: ansible/playbook_0/role_1/devstack link_target: untrusted/project_0/opendev.org/openstack/devstack role_path: ansible/playbook_0/role_1/devstack/roles - checkout: master checkout_description: job override ref link_name: ansible/playbook_0/role_2/openstack-zuul-jobs link_target: untrusted/project_1/opendev.org/openstack/openstack-zuul-jobs role_path: ansible/playbook_0/role_2/openstack-zuul-jobs/roles - checkout: master checkout_description: job override ref link_name: ansible/playbook_0/role_4/zuul-jobs link_target: untrusted/project_3/opendev.org/zuul/zuul-jobs role_path: ansible/playbook_0/role_4/zuul-jobs/roles - checkout: main checkout_description: zuul branch link_name: ansible/playbook_0/role_5/zuul-jobs link_target: untrusted/project_4/github.com/vexxhost/zuul-jobs role_path: ansible/playbook_0/role_5/zuul-jobs/roles post_playbooks: - path: untrusted/project_5/github.com/vexxhost/magnum-cluster-api/zuul.d/playbooks/hydrophone/post.yml roles: - checkout: master checkout_description: job override ref link_name: ansible/post_playbook_0/role_1/devstack link_target: untrusted/project_0/opendev.org/openstack/devstack role_path: ansible/post_playbook_0/role_1/devstack/roles - checkout: master checkout_description: job override ref link_name: ansible/post_playbook_0/role_2/openstack-zuul-jobs link_target: untrusted/project_1/opendev.org/openstack/openstack-zuul-jobs role_path: ansible/post_playbook_0/role_2/openstack-zuul-jobs/roles - checkout: master checkout_description: job override ref link_name: ansible/post_playbook_0/role_4/zuul-jobs link_target: untrusted/project_3/opendev.org/zuul/zuul-jobs role_path: ansible/post_playbook_0/role_4/zuul-jobs/roles - checkout: main checkout_description: zuul branch link_name: ansible/post_playbook_0/role_5/zuul-jobs link_target: untrusted/project_4/github.com/vexxhost/zuul-jobs role_path: ansible/post_playbook_0/role_5/zuul-jobs/roles - path: untrusted/project_0/opendev.org/openstack/devstack/playbooks/post.yaml roles: - checkout: master checkout_description: playbook branch link_name: ansible/post_playbook_1/role_0/devstack link_target: untrusted/project_0/opendev.org/openstack/devstack role_path: ansible/post_playbook_1/role_0/devstack/roles - checkout: master checkout_description: job override ref link_name: ansible/post_playbook_1/role_1/openstack-zuul-jobs link_target: untrusted/project_1/opendev.org/openstack/openstack-zuul-jobs role_path: ansible/post_playbook_1/role_1/openstack-zuul-jobs/roles - checkout: master checkout_description: job override ref link_name: ansible/post_playbook_1/role_3/zuul-jobs link_target: untrusted/project_3/opendev.org/zuul/zuul-jobs role_path: ansible/post_playbook_1/role_3/zuul-jobs/roles - checkout: main checkout_description: zuul branch link_name: ansible/post_playbook_1/role_4/zuul-jobs link_target: untrusted/project_4/github.com/vexxhost/zuul-jobs role_path: ansible/post_playbook_1/role_4/zuul-jobs/roles - path: trusted/project_0/github.com/vexxhost/zuul-config/playbooks/base/post.yaml roles: - checkout: master checkout_description: job override ref link_name: ansible/post_playbook_2/role_1/zuul-jobs link_target: trusted/project_1/opendev.org/zuul/zuul-jobs role_path: ansible/post_playbook_2/role_1/zuul-jobs/roles - checkout: main checkout_description: zuul branch link_name: ansible/post_playbook_2/role_2/zuul-jobs link_target: trusted/project_2/github.com/vexxhost/zuul-jobs role_path: ansible/post_playbook_2/role_2/zuul-jobs/roles - path: trusted/project_0/github.com/vexxhost/zuul-config/playbooks/base/post-logs.yaml roles: - checkout: master checkout_description: job override ref link_name: ansible/post_playbook_3/role_1/zuul-jobs link_target: trusted/project_1/opendev.org/zuul/zuul-jobs role_path: ansible/post_playbook_3/role_1/zuul-jobs/roles - checkout: main checkout_description: zuul branch link_name: ansible/post_playbook_3/role_2/zuul-jobs link_target: trusted/project_2/github.com/vexxhost/zuul-jobs role_path: ansible/post_playbook_3/role_2/zuul-jobs/roles pre_playbooks: - path: trusted/project_0/github.com/vexxhost/zuul-config/playbooks/base/pre.yaml roles: - checkout: master checkout_description: job override ref link_name: ansible/pre_playbook_0/role_1/zuul-jobs link_target: trusted/project_1/opendev.org/zuul/zuul-jobs role_path: ansible/pre_playbook_0/role_1/zuul-jobs/roles - checkout: main checkout_description: zuul branch link_name: ansible/pre_playbook_0/role_2/zuul-jobs link_target: trusted/project_2/github.com/vexxhost/zuul-jobs role_path: ansible/pre_playbook_0/role_2/zuul-jobs/roles - path: untrusted/project_0/opendev.org/openstack/devstack/playbooks/pre.yaml roles: - checkout: master checkout_description: playbook branch link_name: ansible/pre_playbook_1/role_0/devstack link_target: untrusted/project_0/opendev.org/openstack/devstack role_path: ansible/pre_playbook_1/role_0/devstack/roles - checkout: master checkout_description: job override ref link_name: ansible/pre_playbook_1/role_1/openstack-zuul-jobs link_target: untrusted/project_1/opendev.org/openstack/openstack-zuul-jobs role_path: ansible/pre_playbook_1/role_1/openstack-zuul-jobs/roles - checkout: master checkout_description: job override ref link_name: ansible/pre_playbook_1/role_3/zuul-jobs link_target: untrusted/project_3/opendev.org/zuul/zuul-jobs role_path: ansible/pre_playbook_1/role_3/zuul-jobs/roles - checkout: main checkout_description: zuul branch link_name: ansible/pre_playbook_1/role_4/zuul-jobs link_target: untrusted/project_4/github.com/vexxhost/zuul-jobs role_path: ansible/pre_playbook_1/role_4/zuul-jobs/roles - path: untrusted/project_5/github.com/vexxhost/magnum-cluster-api/zuul.d/playbooks/hydrophone/pre.yml roles: - checkout: master checkout_description: job override ref link_name: ansible/pre_playbook_2/role_1/devstack link_target: untrusted/project_0/opendev.org/openstack/devstack role_path: ansible/pre_playbook_2/role_1/devstack/roles - checkout: master checkout_description: job override ref link_name: ansible/pre_playbook_2/role_2/openstack-zuul-jobs link_target: untrusted/project_1/opendev.org/openstack/openstack-zuul-jobs role_path: ansible/pre_playbook_2/role_2/openstack-zuul-jobs/roles - checkout: master checkout_description: job override ref link_name: ansible/pre_playbook_2/role_4/zuul-jobs link_target: untrusted/project_3/opendev.org/zuul/zuul-jobs role_path: ansible/pre_playbook_2/role_4/zuul-jobs/roles - checkout: main checkout_description: zuul branch link_name: ansible/pre_playbook_2/role_5/zuul-jobs link_target: untrusted/project_4/github.com/vexxhost/zuul-jobs role_path: ansible/pre_playbook_2/role_5/zuul-jobs/roles post_review: false post_timeout: null pre_timeout: null project: canonical_hostname: github.com canonical_name: github.com/vexxhost/magnum-cluster-api name: vexxhost/magnum-cluster-api short_name: magnum-cluster-api src_dir: src/github.com/vexxhost/magnum-cluster-api projects: github.com/novnc/novnc: canonical_hostname: github.com canonical_name: github.com/novnc/novnc checkout: master checkout_description: job override ref commit: 8e1ebdffba02e651c399dacef841f8941f6ad6e4 name: novnc/novnc required: true short_name: novnc src_dir: src/github.com/novnc/novnc github.com/vexxhost/magnum-cluster-api: canonical_hostname: github.com canonical_name: github.com/vexxhost/magnum-cluster-api checkout: main checkout_description: zuul branch commit: 7dd0dbe29dffb1708c8696fb6e981b642b8efb45 name: vexxhost/magnum-cluster-api required: false short_name: magnum-cluster-api src_dir: src/github.com/vexxhost/magnum-cluster-api opendev.org/openstack/barbican: canonical_hostname: opendev.org canonical_name: opendev.org/openstack/barbican checkout: master checkout_description: job override ref commit: e05bcda51a132411955ca9ea1371bc9ec2946a13 name: openstack/barbican required: true short_name: barbican src_dir: src/opendev.org/openstack/barbican opendev.org/openstack/cinder: canonical_hostname: opendev.org canonical_name: opendev.org/openstack/cinder checkout: master checkout_description: job override ref commit: 72c1bf33b552eeb7b0a8fd8c2b3857773a42056f name: openstack/cinder required: true short_name: cinder src_dir: src/opendev.org/openstack/cinder opendev.org/openstack/devstack: canonical_hostname: opendev.org canonical_name: opendev.org/openstack/devstack checkout: master checkout_description: job override ref commit: 81ed81ebbee6642f0959d6dd0480ed42ab383e30 name: openstack/devstack required: true short_name: devstack src_dir: src/opendev.org/openstack/devstack opendev.org/openstack/glance: canonical_hostname: opendev.org canonical_name: opendev.org/openstack/glance checkout: master checkout_description: job override ref commit: eac2fa47f26da3515c7a1e8c91226750517c52d4 name: openstack/glance required: true short_name: glance src_dir: src/opendev.org/openstack/glance opendev.org/openstack/keystone: canonical_hostname: opendev.org canonical_name: opendev.org/openstack/keystone checkout: master checkout_description: job override ref commit: 2230026f77a8ed50493d2d58be9120910ceb2089 name: openstack/keystone required: true short_name: keystone src_dir: src/opendev.org/openstack/keystone opendev.org/openstack/magnum: canonical_hostname: opendev.org canonical_name: opendev.org/openstack/magnum checkout: master checkout_description: job override ref commit: 67475d47b0ab7284188d783df25d9b12d72df7a2 name: openstack/magnum required: true short_name: magnum src_dir: src/opendev.org/openstack/magnum opendev.org/openstack/manila: canonical_hostname: opendev.org canonical_name: opendev.org/openstack/manila checkout: master checkout_description: job override ref commit: bfa1c563e2349f55a663fcf6dd7aee2d9f6c31fe name: openstack/manila required: true short_name: manila src_dir: src/opendev.org/openstack/manila opendev.org/openstack/neutron: canonical_hostname: opendev.org canonical_name: opendev.org/openstack/neutron checkout: master checkout_description: job override ref commit: 112ecc8d8dde26263d37bffffce4fb7afeacc6a8 name: openstack/neutron required: true short_name: neutron src_dir: src/opendev.org/openstack/neutron opendev.org/openstack/nova: canonical_hostname: opendev.org canonical_name: opendev.org/openstack/nova checkout: master checkout_description: job override ref commit: b2d747f7d7248edb632e5982203d2e90e8e57703 name: openstack/nova required: true short_name: nova src_dir: src/opendev.org/openstack/nova opendev.org/openstack/octavia: canonical_hostname: opendev.org canonical_name: opendev.org/openstack/octavia checkout: master checkout_description: job override ref commit: d16fa5e723701c95cf97a3e9ea57b3856e09aaa7 name: openstack/octavia required: true short_name: octavia src_dir: src/opendev.org/openstack/octavia opendev.org/openstack/os-test-images: canonical_hostname: opendev.org canonical_name: opendev.org/openstack/os-test-images checkout: master checkout_description: job override ref commit: 5d0367e03788764f41da8effffa14e3eac513201 name: openstack/os-test-images required: true short_name: os-test-images src_dir: src/opendev.org/openstack/os-test-images opendev.org/openstack/ovn-octavia-provider: canonical_hostname: opendev.org canonical_name: opendev.org/openstack/ovn-octavia-provider checkout: master checkout_description: job override ref commit: d0a7783cd02566847600d5db1c330e6865594331 name: openstack/ovn-octavia-provider required: true short_name: ovn-octavia-provider src_dir: src/opendev.org/openstack/ovn-octavia-provider opendev.org/openstack/placement: canonical_hostname: opendev.org canonical_name: opendev.org/openstack/placement checkout: master checkout_description: job override ref commit: d2727844011a8f144c818556ed7e8d43f756576f name: openstack/placement required: true short_name: placement src_dir: src/opendev.org/openstack/placement opendev.org/openstack/python-magnumclient: canonical_hostname: opendev.org canonical_name: opendev.org/openstack/python-magnumclient checkout: master checkout_description: job override ref commit: bfc9dbc2aa9a113c12e591a87f774a6d986a981f name: openstack/python-magnumclient required: true short_name: python-magnumclient src_dir: src/opendev.org/openstack/python-magnumclient opendev.org/openstack/requirements: canonical_hostname: opendev.org canonical_name: opendev.org/openstack/requirements checkout: master checkout_description: job override ref commit: 6015fe784a11a9066457cf45795423ca585443bb name: openstack/requirements required: true short_name: requirements src_dir: src/opendev.org/openstack/requirements opendev.org/openstack/swift: canonical_hostname: opendev.org canonical_name: opendev.org/openstack/swift checkout: master checkout_description: job override ref commit: 33967853276f0987a58e5b3aca450173adadc064 name: openstack/swift required: true short_name: swift src_dir: src/opendev.org/openstack/swift ref: refs/pull/1018/head resources: {} tenant: oss timeout: 7200 topic: null voting: true zuul_copy_output: /etc/ceph: logs /etc/glusterfs/glusterd.vol: logs /etc/libvirt: logs /etc/lvm: logs /etc/resolv.conf: logs /etc/sudoers: logs /etc/sudoers.d: logs /var/log/ceph: logs /var/log/glusterfs: logs /var/log/libvirt: logs /var/log/mysql: logs /var/log/openvswitch: logs /var/log/postgresql: logs /var/log/rabbitmq: logs /var/log/unbound.log: logs '{{ devstack_conf_dir }}/.localrc.auto': logs '{{ devstack_conf_dir }}/.stackenv': logs '{{ devstack_conf_dir }}/local.conf': logs '{{ devstack_conf_dir }}/localrc': logs '{{ devstack_full_log}}': logs '{{ devstack_log_dir }}/atop': logs '{{ devstack_log_dir }}/devstacklog.txt': logs '{{ devstack_log_dir }}/devstacklog.txt.summary': logs '{{ devstack_log_dir }}/dstat-csv.log': logs '{{ devstack_log_dir }}/qemu.coredump': logs '{{ devstack_log_dir }}/tcpdump.pcap': logs '{{ devstack_log_dir }}/worlddump-latest.txt': logs '{{ stage_dir }}/apache': logs '{{ stage_dir }}/apache_config': logs '{{ stage_dir }}/audit.log': logs '{{ stage_dir }}/core': logs '{{ stage_dir }}/deprecations.log': logs '{{ stage_dir }}/df.txt': logs '{{ stage_dir }}/dpkg-l.txt': logs '{{ stage_dir }}/etc': logs '{{ stage_dir }}/iptables.txt': logs '{{ stage_dir }}/listen53.txt': logs '{{ stage_dir }}/mount.txt': logs '{{ stage_dir }}/performance.json': logs '{{ stage_dir }}/pip2-freeze.txt': logs '{{ stage_dir }}/pip3-freeze.txt': logs '{{ stage_dir }}/rpm-qa.txt': logs '{{ stage_dir }}/services.txt': logs '{{ stage_dir }}/verify_tempest_conf.log': logs