apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
    meta.helm.sh/release-name: keystone
    meta.helm.sh/release-namespace: openstack
    openstackhelm.openstack.org/release_uuid: ""
  creationTimestamp: "2026-04-20T10:19:49Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
    application: keystone
    component: api
    release_group: keystone
  name: keystone-api
  namespace: openstack
  resourceVersion: "6171"
  uid: d9ddb7cb-89a6-4d09-aaa3-50ede835f71a
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      application: keystone
      component: api
      release_group: keystone
  strategy:
    rollingUpdate:
      maxSurge: 3
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      annotations:
        configmap-bin-hash: 0fa826d4d7a09702781edd1dea99271bec84830f0fb47c323ca6697719e1dc71
        configmap-etc-hash: f27c4c24f4ce337bbbdcc18824338e8040d1fd6ee365db57fe8884b1c98d6e0b
        openstackhelm.openstack.org/release_uuid: ""
      creationTimestamp: null
      labels:
        application: keystone
        component: api
        release_group: keystone
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: release_group
                  operator: In
                  values:
                  - keystone
                - key: application
                  operator: In
                  values:
                  - keystone
                - key: component
                  operator: In
                  values:
                  - api
              topologyKey: kubernetes.io/hostname
            weight: 10
      containers:
      - command:
        - /tmp/keystone-api.sh
        - start
        image: harbor.atmosphere.dev/ghcr.io/vexxhost/keystone:2023.1@sha256:3fe93dc3f2827ef6e7a7efc9b8527c1e775a9bb92da08a25aef5a4c9dd15a730
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
            exec:
              command:
              - /tmp/keystone-api.sh
              - stop
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /v3/
            port: 5000
            scheme: HTTP
          initialDelaySeconds: 50
          periodSeconds: 60
          successThreshold: 1
          timeoutSeconds: 15
        name: keystone-api
        ports:
        - containerPort: 5000
          name: ks-pub
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /v3/
            port: 5000
            scheme: HTTP
          initialDelaySeconds: 15
          periodSeconds: 60
          successThreshold: 1
          timeoutSeconds: 15
        resources: {}
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /tmp
          name: pod-tmp
        - mountPath: /etc/keystone
          name: etckeystone
        - mountPath: /etc/keystone/domains/keystone.atmosphere.conf
          name: keystone-etc
          readOnly: true
          subPath: keystone.atmosphere.conf
        - mountPath: /var/log/apache2
          name: logs-apache
        - mountPath: /var/run/apache2
          name: run-apache
        - mountPath: /var/www/cgi-bin/keystone
          name: wsgi-keystone
        - mountPath: /etc/keystone/keystone.conf
          name: keystone-etc
          readOnly: true
          subPath: keystone.conf
        - mountPath: /etc/apache2/ports.conf
          name: keystone-etc
          readOnly: true
          subPath: ports.conf
        - mountPath: /etc/keystone/policy.yaml
          name: keystone-etc
          readOnly: true
          subPath: policy.yaml
        - mountPath: /etc/keystone/access_rules.json
          name: keystone-etc
          readOnly: true
          subPath: access_rules.json
        - mountPath: /etc/keystone/sso_callback_template.html
          name: keystone-etc
          readOnly: true
          subPath: sso_callback_template.html
        - mountPath: /etc/apache2/conf-enabled/wsgi-keystone.conf
          name: keystone-etc
          readOnly: true
          subPath: wsgi-keystone.conf
        - mountPath: /etc/apache2/mods-available/mpm_event.conf
          name: keystone-etc
          readOnly: true
          subPath: mpm_event.conf
        - mountPath: /etc/apache2/conf-enabled/security.conf
          name: keystone-etc
          readOnly: true
          subPath: security.conf
        - mountPath: /tmp/keystone-api.sh
          name: keystone-bin
          readOnly: true
          subPath: keystone-api.sh
        - mountPath: /etc/keystone/fernet-keys/
          name: keystone-fernet-keys
        - mountPath: /etc/keystone/credential-keys/
          name: keystone-credential-keys
        - mountPath: /var/lib/apache2/oidc/keycloak.199-204-45-144.nip.io%2Frealms%2Fatmosphere.client
          name: keystone-openid-metadata
          subPath: atmosphere-oidc-client
        - mountPath: /var/lib/apache2/oidc/keycloak.199-204-45-144.nip.io%2Frealms%2Fatmosphere.conf
          name: keystone-openid-metadata
          subPath: atmosphere-oidc-conf
        - mountPath: /var/lib/apache2/oidc/keycloak.199-204-45-144.nip.io%2Frealms%2Fatmosphere.provider
          name: keystone-openid-metadata
          subPath: atmosphere-oidc-provider
        - mountPath: /etc/ssl/certs/ca-certificates.crt
          name: ca-certificates
          readOnly: true
      dnsPolicy: ClusterFirst
      initContainers:
      - command:
        - kubernetes-entrypoint
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INTERFACE_NAME
          value: eth0
        - name: PATH
          value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
        - name: DEPENDENCY_SERVICE
          value: openstack:memcached,openstack:percona-xtradb-haproxy
        - name: DEPENDENCY_JOBS
          value: keystone-db-sync,keystone-credential-setup,keystone-fernet-setup
        - name: DEPENDENCY_DAEMONSET
        - name: DEPENDENCY_CONTAINER
        - name: DEPENDENCY_POD_JSON
        - name: DEPENDENCY_CUSTOM_RESOURCE
        image: harbor.atmosphere.dev/ghcr.io/vexxhost/kubernetes-entrypoint:edge@sha256:8921b64b87af184a1421dd856b2703bcf3cff9f50863cd0d18371cf964a87bd3
        imagePullPolicy: IfNotPresent
        name: init
        resources: {}
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsUser: 65534
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      nodeSelector:
        openstack-control-plane: enabled
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        runAsUser: 42424
      serviceAccount: keystone-api
      serviceAccountName: keystone-api
      terminationGracePeriodSeconds: 30
      volumes:
      - emptyDir: {}
        name: pod-tmp
      - emptyDir: {}
        name: etckeystone
      - emptyDir: {}
        name: wsgi-keystone
      - emptyDir: {}
        name: logs-apache
      - emptyDir: {}
        name: run-apache
      - name: keystone-etc
        secret:
          defaultMode: 292
          secretName: keystone-etc
      - configMap:
          defaultMode: 365
          name: keystone-bin
        name: keystone-bin
      - name: keystone-fernet-keys
        secret:
          defaultMode: 420
          secretName: keystone-fernet-keys
      - name: keystone-credential-keys
        secret:
          defaultMode: 420
          secretName: keystone-credential-keys
      - configMap:
          defaultMode: 420
          name: keystone-openid-metadata
        name: keystone-openid-metadata
      - hostPath:
          path: /etc/ssl/certs/ca-certificates.crt
          type: ""
        name: ca-certificates
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: "2026-04-20T10:19:49Z"
    lastUpdateTime: "2026-04-20T10:19:49Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  - lastTransitionTime: "2026-04-20T10:19:49Z"
    lastUpdateTime: "2026-04-20T10:21:54Z"
    message: ReplicaSet "keystone-api-79c97d9b8d" has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  observedGeneration: 1
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1