all:
  children:
    cephs:
      hosts:
        instance: null
    computes:
      hosts:
        instance: null
    controllers:
      hosts:
        instance: null
    zuul_unreachable:
      hosts: {}
  hosts:
    instance:
      # Connection settings for this host: SSH to ansible_host on port 22 as
      # user zuul, with the Python interpreter left to auto-discovery.
      # NOTE(review): ansible_host is the same value as nodepool.public_ipv4
      # further down, so this inventory records a node address; treat the file
      # as infrastructure metadata if it is published alongside build logs.
      ansible_connection: ssh
      ansible_host: 199.204.45.216
      ansible_port: 22
      ansible_python_interpreter: auto
      ansible_user: zuul
      atmosphere_image_prefix: harbor.atmosphere.dev/
      atmosphere_network_backend: openvswitch
      barbican_helm_values:
        pod:
          replicas:
            api: 1
      # Ceph configuration overrides, each given as option / section / value.
      # NOTE(review): the first two entries look like single-node test settings
      # (molecule_scenario is aio); do not carry them into a multi-node
      # deployment without review.
      ceph_conf_overrides:
      # Allows pools with a replica count of one, i.e. no data redundancy.
      - option: mon allow pool size one
        section: global
        value: true
      # In Ceph's default CRUSH type list 0 is the osd level, so replicas are
      # spread across OSDs and may all sit on the same host.
      - option: osd crush chooseleaf type
        section: global
        value: 0
      # false makes the monitors reject the insecure global_id reclaim path
      # used by unpatched clients; this is the hardened value.
      - option: auth allow insecure global id reclaim
        section: mon
        value: false
      ceph_csi_rbd_helm_values:
        provisioner:
          replicaCount: 1
      ceph_fsid: 4837cbf8-4f90-4300-b3f6-726c9b9f89b4
      ceph_osd_devices:
      - /dev/ceph-{{ inventory_hostname_short }}-osd0/data
      - /dev/ceph-{{ inventory_hostname_short }}-osd1/data
      - /dev/ceph-{{ inventory_hostname_short }}-osd2/data
      ceph_version: 18.2.7
      cilium_helm_values:
        operator:
          replicas: 1
      cinder_helm_values:
        conf:
          ceph:
            pools:
              backup:
                replication: 1
              cinder.volumes:
                replication: 1
          cinder:
            DEFAULT:
              osapi_volume_workers: 2
        pod:
          replicas:
            api: 1
            scheduler: 1
      # NOTE(review): presumably selects a self-signed CA for cluster
      # certificates, which no client trusts by default. Fine for a test
      # scenario; a real deployment needs that CA distributed to clients (not
      # verification switched off) or a different issuer type. Confirm
      # against the cluster_issuer role.
      cluster_issuer_type: self-signed
      coredns_helm_values:
        replicaCount: 1
      csi_driver: local-path-provisioner
      glance_helm_values:
        conf:
          glance:
            DEFAULT:
              workers: 2
            glance_store:
              rbd_store_replication: 1
        pod:
          replicas:
            api: 1
      # Image definitions: one entry named cirros, raw disk format, bare
      # container format, marked public, fetched from the url below.
      # NOTE(review): the url is plain http and the entry carries no checksum,
      # so nothing visible here protects the download against tampering in
      # transit. Prefer an https source or verify a known digest before the
      # image is uploaded and shared as public.
      glance_images:
      - container_format: bare
        disk_format: raw
        is_public: true
        min_disk: 1
        name: cirros
        url: http://download.cirros-cloud.net/0.6.2/cirros-0.6.2-x86_64-disk.img
      heat_helm_values:
        conf:
          heat:
            DEFAULT:
              num_engine_workers: 2
            heat_api:
              workers: 2
            heat_api_cfn:
              workers: 2
            heat_api_cloudwatch:
              workers: 2
        pod:
          replicas:
            api: 1
            cfn: 1
            cloudwatch: 1
            engine: 1
      horizon_helm_values:
        pod:
          replicas:
            server: 1
      ingress_nginx_helm_values:
        controller:
          config:
            worker-processes: 2
      keystone_helm_values:
        pod:
          replicas:
            api: 1
      kube_vip_address: 172.17.0.100
      kube_vip_interface: '{{ ansible_facts[''default_ipv4''].interface }}'
      kubernetes_hostname: '{{ ansible_facts[''default_ipv4''].address }}'
      kubernetes_keepalived_interface: br-mgmt
      magnum_helm_values:
        conf:
          magnum:
            api:
              workers: 2
            conductor:
              workers: 2
        pod:
          replicas:
            api: 1
            conductor: 1
      magnum_image_disk_format: qcow2
      magnum_images: '[ {{ _magnum_images[-1] }} ]'
      manila_helm_values:
        conf:
          manila:
            DEFAULT:
              osapi_share_workers: 2
        pod:
          replicas:
            api: 1
            scheduler: 1
      molecule_install_collection_siblings: true
      molecule_scenario: aio
      neutron_helm_values:
        conf:
          neutron:
            DEFAULT:
              api_workers: 2
              metadata_workers: 2
              rpc_workers: 2
        pod:
          replicas:
            rpc_server: 1
            server: 1
      # Node metadata recorded for this host: cloud, provider, region, label
      # and addresses.
      # NOTE(review): interface_ip, private_ipv4 and public_ipv4 all hold the
      # same address, and external_id / host_id are provider-side identifiers.
      # Scrub these fields if the inventory is shared outside the CI system.
      nodepool:
        az: nova
        cloud: public
        external_id: fefbd094-8ec7-47e6-aaf6-a64dcae2d498
        host_id: c9670958829e9c96e47d452d2c9c4ce9edaac336d3dbc4a3c4ec531c
        interface_ip: 199.204.45.216
        label: ubuntu-jammy-16
        node_properties: {}
        private_ipv4: 199.204.45.216
        private_ipv6: null
        provider: yul1
        public_ipv4: 199.204.45.216
        public_ipv6: 2604:e100:1:0:f816:3eff:fe11:2b55
        region: ca-ymq-1
        slot: null
      nova_helm_values:
        conf:
          nova:
            DEFAULT:
              metadata_workers: 2
              osapi_compute_workers: 2
            conductor:
              workers: 2
            scheduler:
              workers: 2
        pod:
          replicas:
            api_metadata: 1
            conductor: 1
            novncproxy: 1
            osapi: 1
            scheduler: 1
            spiceproxy: 1
      octavia_helm_values:
        conf:
          octavia:
            controller_worker:
              workers: 2
          octavia_api_uwsgi:
            uwsgi:
              processes: 2
        pod:
          replicas:
            api: 1
            housekeeping: 1
            worker: 1
      ovn_helm_values:
        conf:
          auto_bridge_add:
            br-ex: null
        pod:
          replicas:
            ovn_northd: 1
            ovn_ovsdb_nb: 1
            ovn_ovsdb_sb: 1
      # Percona XtraDB Cluster spec: one pxc node and one haproxy instance.
      # NOTE(review): allowUnsafeConfigurations disables the operator's safety
      # checks so that a size-1 cluster is accepted. In the Percona operator
      # the same flag is also documented as relaxing its TLS requirement —
      # confirm what it turns off for the operator version in use before
      # reusing this spec outside a test scenario.
      percona_xtradb_cluster_spec:
        allowUnsafeConfigurations: true
        haproxy:
          size: 1
        pxc:
          size: 1
      placement_helm_values:
        conf:
          placement_api_uwsgi:
            uwsgi:
              processes: 2
        pod:
          replicas:
            api: 1
      rook_ceph_cluster_radosgw_spec:
        dataPool:
          failureDomain: osd
        gateway:
          instances: 1
        metadataPool:
          failureDomain: osd
      staffeln_helm_values:
        pod:
          replicas:
            api: 1
            conductor: 1
      valkey_helm_values:
        replica:
          replicaCount: 1
      # Zuul's record of the node; it carries the same values as the nodepool
      # mapping above plus a uuid field (null here).
      # NOTE(review): contains the node's addresses and provider-side
      # identifiers; scrub them if this file leaves the CI system.
      zuul_node:
        az: nova
        cloud: public
        external_id: fefbd094-8ec7-47e6-aaf6-a64dcae2d498
        host_id: c9670958829e9c96e47d452d2c9c4ce9edaac336d3dbc4a3c4ec531c
        interface_ip: 199.204.45.216
        label: ubuntu-jammy-16
        node_properties: {}
        private_ipv4: 199.204.45.216
        private_ipv6: null
        provider: yul1
        public_ipv4: 199.204.45.216
        public_ipv6: 2604:e100:1:0:f816:3eff:fe11:2b55
        region: ca-ymq-1
        slot: null
        uuid: null
  vars:
    atmosphere_image_prefix: harbor.atmosphere.dev/
    atmosphere_network_backend: openvswitch
    barbican_helm_values:
      pod:
        replicas:
          api: 1
    # Group-level Ceph configuration overrides (option / section / value).
    # NOTE(review): the first two entries look like single-node test settings;
    # do not carry them into a multi-node deployment without review.
    ceph_conf_overrides:
    # Allows pools with a replica count of one, i.e. no data redundancy.
    - option: mon allow pool size one
      section: global
      value: true
    # In Ceph's default CRUSH type list 0 is the osd level, so replicas are
    # spread across OSDs and may all sit on the same host.
    - option: osd crush chooseleaf type
      section: global
      value: 0
    # false makes the monitors reject the insecure global_id reclaim path used
    # by unpatched clients; this is the hardened value.
    - option: auth allow insecure global id reclaim
      section: mon
      value: false
    ceph_csi_rbd_helm_values:
      provisioner:
        replicaCount: 1
    ceph_fsid: 4837cbf8-4f90-4300-b3f6-726c9b9f89b4
    ceph_osd_devices:
    - /dev/ceph-{{ inventory_hostname_short }}-osd0/data
    - /dev/ceph-{{ inventory_hostname_short }}-osd1/data
    - /dev/ceph-{{ inventory_hostname_short }}-osd2/data
    ceph_version: 18.2.7
    cilium_helm_values:
      operator:
        replicas: 1
    cinder_helm_values:
      conf:
        ceph:
          pools:
            backup:
              replication: 1
            cinder.volumes:
              replication: 1
        cinder:
          DEFAULT:
            osapi_volume_workers: 2
      pod:
        replicas:
          api: 1
          scheduler: 1
    # NOTE(review): presumably selects a self-signed CA for cluster
    # certificates, which no client trusts by default. Fine for a test
    # scenario; a real deployment needs that CA distributed to clients (not
    # verification switched off) or a different issuer type. Confirm against
    # the cluster_issuer role.
    cluster_issuer_type: self-signed
    coredns_helm_values:
      replicaCount: 1
    csi_driver: local-path-provisioner
    glance_helm_values:
      conf:
        glance:
          DEFAULT:
            workers: 2
          glance_store:
            rbd_store_replication: 1
      pod:
        replicas:
          api: 1
    # Image definitions: one entry named cirros, raw disk format, bare
    # container format, marked public, fetched from the url below.
    # NOTE(review): the url is plain http and the entry carries no checksum, so
    # nothing visible here protects the download against tampering in transit.
    # Prefer an https source or verify a known digest before the image is
    # uploaded and shared as public.
    glance_images:
    - container_format: bare
      disk_format: raw
      is_public: true
      min_disk: 1
      name: cirros
      url: http://download.cirros-cloud.net/0.6.2/cirros-0.6.2-x86_64-disk.img
    heat_helm_values:
      conf:
        heat:
          DEFAULT:
            num_engine_workers: 2
          heat_api:
            workers: 2
          heat_api_cfn:
            workers: 2
          heat_api_cloudwatch:
            workers: 2
      pod:
        replicas:
          api: 1
          cfn: 1
          cloudwatch: 1
          engine: 1
    horizon_helm_values:
      pod:
        replicas:
          server: 1
    ingress_nginx_helm_values:
      controller:
        config:
          worker-processes: 2
    keystone_helm_values:
      pod:
        replicas:
          api: 1
    kube_vip_address: 172.17.0.100
    kube_vip_interface: '{{ ansible_facts[''default_ipv4''].interface }}'
    kubernetes_hostname: '{{ ansible_facts[''default_ipv4''].address }}'
    kubernetes_keepalived_interface: br-mgmt
    magnum_helm_values:
      conf:
        magnum:
          api:
            workers: 2
          conductor:
            workers: 2
      pod:
        replicas:
          api: 1
          conductor: 1
    magnum_image_disk_format: qcow2
    magnum_images: '[ {{ _magnum_images[-1] }} ]'
    manila_helm_values:
      conf:
        manila:
          DEFAULT:
            osapi_share_workers: 2
      pod:
        replicas:
          api: 1
          scheduler: 1
    molecule_install_collection_siblings: true
    molecule_scenario: aio
    neutron_helm_values:
      conf:
        neutron:
          DEFAULT:
            api_workers: 2
            metadata_workers: 2
            rpc_workers: 2
      pod:
        replicas:
          rpc_server: 1
          server: 1
    nova_helm_values:
      conf:
        nova:
          DEFAULT:
            metadata_workers: 2
            osapi_compute_workers: 2
          conductor:
            workers: 2
          scheduler:
            workers: 2
      pod:
        replicas:
          api_metadata: 1
          conductor: 1
          novncproxy: 1
          osapi: 1
          scheduler: 1
          spiceproxy: 1
    octavia_helm_values:
      conf:
        octavia:
          controller_worker:
            workers: 2
        octavia_api_uwsgi:
          uwsgi:
            processes: 2
      pod:
        replicas:
          api: 1
          housekeeping: 1
          worker: 1
    ovn_helm_values:
      conf:
        auto_bridge_add:
          br-ex: null
      pod:
        replicas:
          ovn_northd: 1
          ovn_ovsdb_nb: 1
          ovn_ovsdb_sb: 1
    # Percona XtraDB Cluster spec: one pxc node and one haproxy instance.
    # NOTE(review): allowUnsafeConfigurations disables the operator's safety
    # checks so that a size-1 cluster is accepted. In the Percona operator the
    # same flag is also documented as relaxing its TLS requirement — confirm
    # what it turns off for the operator version in use before reusing this
    # spec outside a test scenario.
    percona_xtradb_cluster_spec:
      allowUnsafeConfigurations: true
      haproxy:
        size: 1
      pxc:
        size: 1
    placement_helm_values:
      conf:
        placement_api_uwsgi:
          uwsgi:
            processes: 2
      pod:
        replicas:
          api: 1
    rook_ceph_cluster_radosgw_spec:
      dataPool:
        failureDomain: osd
      gateway:
        instances: 1
      metadataPool:
        failureDomain: osd
    staffeln_helm_values:
      pod:
        replicas:
          api: 1
          conductor: 1
    valkey_helm_values:
      replica:
        replicaCount: 1
    zuul:
      _inheritance_path:
      - '<Job base explicit: None implied: {MatchAny:{ImpliedBranchMatcher:main}}
        source: vexxhost/zuul-config/zuul.d/jobs.yaml@main#1>'
      - '<Job molecule explicit: None implied: {MatchAny:{ImpliedBranchMatcher:main}}
        source: vexxhost/zuul-jobs/zuul.d/ansible-jobs.yaml@main#1>'
      - '<Job atmosphere-molecule explicit: None implied: {MatchAny:{ImpliedBranchMatcher:main}}
        source: vexxhost/atmosphere/.zuul.yaml@main#24>'
      - '<Job atmosphere-molecule-aio explicit: None implied: {MatchAny:{ImpliedBranchMatcher:main}}
        source: vexxhost/atmosphere/.zuul.yaml@main#92>'
      - '<Job atmosphere-molecule-aio-openvswitch explicit: None implied: {MatchAny:{ImpliedBranchMatcher:main}}
        source: vexxhost/atmosphere/.zuul.yaml@main#274>'
      - '<Job atmosphere-molecule-aio-openvswitch explicit: None implied: None source:
        vexxhost/atmosphere/.zuul.yaml@main#308>'
      ansible_version: '9'
      attempts: 1
      branch: main
      build: 2ac7cb484fe54a10a09040b37e84e685
      build_refs:
      - branch: main
        change: '3887'
        change_message: "feat(cluster_issuer): support keyless AWS auth for Route53
          solver\n\n## Summary\n\n- Adds two new authentication modes for the Route53
          DNS-01 solver in the\n  `cluster_issuer` role, alongside the existing long-lived
          access key flow:\n  - **`ambient`** \u2014 `cert-manager` picks up AWS credentials
          from the pod\n    environment (env vars, EC2 IMDS, mounted credentials file).
          Also the path\n    for IAM Roles Anywhere via `credential_process` + `aws_signing_helper`.\n
          \ - **`kubernetes`** \u2014 OIDC-based `AssumeRoleWithWebIdentity` using
          a\n    projected ServiceAccount token. Works with any Kubernetes cluster
          whose\n    OIDC issuer is publicly resolvable by AWS, including on-premises.\n-
          Adds `cluster_issuer_acme_route53_role_arn` to configure the IAM role ARN\n
          \ to assume (optional for `static`/`ambient`, required for `kubernetes`).\n-
          Default remains `static`, so existing deployments keep working unchanged.\n\n##
          Background\n\nThe customer this was raised for has a company-wide policy
          against issuing\nlong-lived AWS access keys. Before this change, the Route53
          solver only\naccepted static keys, leaving that class of operator without
          a path to ACME\nDNS-01 challenges via Route53.\n\nThe upstream cert-manager
          code in `pkg/issuer/acme/dns/route53/route53.go`\nand the solver wiring
          in `pkg/issuer/acme/dns/dns.go` already implement all\nthree authentication
          paths \u2014 this PR just exposes them through Atmosphere's\nAnsible variables.\n\n##
          Customer-side prerequisites for the OIDC mode\n\nThis mode works with any
          Kubernetes cluster, not just EKS. Operators need\nto:\n\n1. Configure `--service-account-issuer`
          on kube-apiserver with a URL whose\n   OIDC discovery documents (`/.well-known/openid-configuration`
          and\n   `/openid/v1/jwks`) are reachable from AWS. The API server itself
          does\n   **not** need to be public \u2014 publishing the two static files
          to any public\n   HTTPS endpoint (for example, an S3 bucket with CloudFront)
          is enough.\n2. Register the issuer URL as an OIDC identity provider in AWS
          IAM.\n3. Create an IAM role whose trust policy allows that OIDC provider
          to assume\n   it, scoped to `system:serviceaccount:cert-manager:cert-manager-route53`\n
          \  with the `sts.amazonaws.com` audience, and attach Route53 permissions\n
          \  (`route53:GetChange`, `route53:ChangeResourceRecordSets`,\n   `route53:ListHostedZonesByName`).\n\n##
          Follow-up\n\nIAM Roles Anywhere already works through `ambient` mode provided
          the\ncustomer mounts `aws_signing_helper` + a `credential_process` config
          into\nthe `cert-manager` pod. Native first-class Roles Anywhere support
          in\nAtmosphere (a dedicated role that ships the helper, manages trust anchors
          /\nprofile ARNs, and rotates client certs via `cert-manager` itself) is
          out of\nscope for this PR and worth a separate issue if demand emerges.\n\n##
          Test plan\n\n- [ ] `cluster_issuer_acme_route53_auth=static` (default) with
          existing\n      access key variables produces the same `ClusterIssuer` spec
          as before.\n- [ ] `cluster_issuer_acme_route53_auth=ambient` creates a `ClusterIssuer`\n
          \     with no `accessKeyID` / `secretAccessKeySecretRef` and no Secret.\n-
          [ ] `cluster_issuer_acme_route53_auth=kubernetes` creates a\n      `ServiceAccount`
          named `cert-manager-route53` in the `cert-manager`\n      namespace and
          a `ClusterIssuer` with\n      `spec.acme.solvers[0].dns01.route53.auth.kubernetes.serviceAccountRef.name`\n
          \     set to that account, plus `role` set to the configured role ARN.\n-
          [ ] `cluster_issuer_acme_route53_auth=invalid` fails fast with an\n      assertion
          error.\n- [ ] `vale` passes on both the new release note and the updated\n
          \     `certificates.rst`.\n\nCloses #3886"
        change_url: https://github.com/vexxhost/atmosphere/pull/3887
        commit_id: 087ad88cc6b018826da7c63523f59d78c43ed187
        patchset: 087ad88cc6b018826da7c63523f59d78c43ed187
        project:
          canonical_hostname: github.com
          canonical_name: github.com/vexxhost/atmosphere
          name: vexxhost/atmosphere
          short_name: atmosphere
          src_dir: src/github.com/vexxhost/atmosphere
        src_dir: src/github.com/vexxhost/atmosphere
        topic: null
      buildset: 96ddb8c6c602438d832e7786371d1fed
      buildset_refs:
      - branch: main
        change: '3887'
        change_message: "feat(cluster_issuer): support keyless AWS auth for Route53
          solver\n\n## Summary\n\n- Adds two new authentication modes for the Route53
          DNS-01 solver in the\n  `cluster_issuer` role, alongside the existing long-lived
          access key flow:\n  - **`ambient`** \u2014 `cert-manager` picks up AWS credentials
          from the pod\n    environment (env vars, EC2 IMDS, mounted credentials file).
          Also the path\n    for IAM Roles Anywhere via `credential_process` + `aws_signing_helper`.\n
          \ - **`kubernetes`** \u2014 OIDC-based `AssumeRoleWithWebIdentity` using
          a\n    projected ServiceAccount token. Works with any Kubernetes cluster
          whose\n    OIDC issuer is publicly resolvable by AWS, including on-premises.\n-
          Adds `cluster_issuer_acme_route53_role_arn` to configure the IAM role ARN\n
          \ to assume (optional for `static`/`ambient`, required for `kubernetes`).\n-
          Default remains `static`, so existing deployments keep working unchanged.\n\n##
          Background\n\nThe customer this was raised for has a company-wide policy
          against issuing\nlong-lived AWS access keys. Before this change, the Route53
          solver only\naccepted static keys, leaving that class of operator without
          a path to ACME\nDNS-01 challenges via Route53.\n\nThe upstream cert-manager
          code in `pkg/issuer/acme/dns/route53/route53.go`\nand the solver wiring
          in `pkg/issuer/acme/dns/dns.go` already implement all\nthree authentication
          paths \u2014 this PR just exposes them through Atmosphere's\nAnsible variables.\n\n##
          Customer-side prerequisites for the OIDC mode\n\nThis mode works with any
          Kubernetes cluster, not just EKS. Operators need\nto:\n\n1. Configure `--service-account-issuer`
          on kube-apiserver with a URL whose\n   OIDC discovery documents (`/.well-known/openid-configuration`
          and\n   `/openid/v1/jwks`) are reachable from AWS. The API server itself
          does\n   **not** need to be public \u2014 publishing the two static files
          to any public\n   HTTPS endpoint (for example, an S3 bucket with CloudFront)
          is enough.\n2. Register the issuer URL as an OIDC identity provider in AWS
          IAM.\n3. Create an IAM role whose trust policy allows that OIDC provider
          to assume\n   it, scoped to `system:serviceaccount:cert-manager:cert-manager-route53`\n
          \  with the `sts.amazonaws.com` audience, and attach Route53 permissions\n
          \  (`route53:GetChange`, `route53:ChangeResourceRecordSets`,\n   `route53:ListHostedZonesByName`).\n\n##
          Follow-up\n\nIAM Roles Anywhere already works through `ambient` mode provided
          the\ncustomer mounts `aws_signing_helper` + a `credential_process` config
          into\nthe `cert-manager` pod. Native first-class Roles Anywhere support
          in\nAtmosphere (a dedicated role that ships the helper, manages trust anchors
          /\nprofile ARNs, and rotates client certs via `cert-manager` itself) is
          out of\nscope for this PR and worth a separate issue if demand emerges.\n\n##
          Test plan\n\n- [ ] `cluster_issuer_acme_route53_auth=static` (default) with
          existing\n      access key variables produces the same `ClusterIssuer` spec
          as before.\n- [ ] `cluster_issuer_acme_route53_auth=ambient` creates a `ClusterIssuer`\n
          \     with no `accessKeyID` / `secretAccessKeySecretRef` and no Secret.\n-
          [ ] `cluster_issuer_acme_route53_auth=kubernetes` creates a\n      `ServiceAccount`
          named `cert-manager-route53` in the `cert-manager`\n      namespace and
          a `ClusterIssuer` with\n      `spec.acme.solvers[0].dns01.route53.auth.kubernetes.serviceAccountRef.name`\n
          \     set to that account, plus `role` set to the configured role ARN.\n-
          [ ] `cluster_issuer_acme_route53_auth=invalid` fails fast with an\n      assertion
          error.\n- [ ] `vale` passes on both the new release note and the updated\n
          \     `certificates.rst`.\n\nCloses #3886"
        change_url: https://github.com/vexxhost/atmosphere/pull/3887
        commit_id: 087ad88cc6b018826da7c63523f59d78c43ed187
        patchset: 087ad88cc6b018826da7c63523f59d78c43ed187
        project:
          canonical_hostname: github.com
          canonical_name: github.com/vexxhost/atmosphere
          name: vexxhost/atmosphere
          short_name: atmosphere
          src_dir: src/github.com/vexxhost/atmosphere
        src_dir: src/github.com/vexxhost/atmosphere
        topic: null
      change: '3887'
      change_message: "feat(cluster_issuer): support keyless AWS auth for Route53
        solver\n\n## Summary\n\n- Adds two new authentication modes for the Route53
        DNS-01 solver in the\n  `cluster_issuer` role, alongside the existing long-lived
        access key flow:\n  - **`ambient`** \u2014 `cert-manager` picks up AWS credentials
        from the pod\n    environment (env vars, EC2 IMDS, mounted credentials file).
        Also the path\n    for IAM Roles Anywhere via `credential_process` + `aws_signing_helper`.\n
        \ - **`kubernetes`** \u2014 OIDC-based `AssumeRoleWithWebIdentity` using a\n
        \   projected ServiceAccount token. Works with any Kubernetes cluster whose\n
        \   OIDC issuer is publicly resolvable by AWS, including on-premises.\n- Adds
        `cluster_issuer_acme_route53_role_arn` to configure the IAM role ARN\n  to
        assume (optional for `static`/`ambient`, required for `kubernetes`).\n- Default
        remains `static`, so existing deployments keep working unchanged.\n\n## Background\n\nThe
        customer this was raised for has a company-wide policy against issuing\nlong-lived
        AWS access keys. Before this change, the Route53 solver only\naccepted static
        keys, leaving that class of operator without a path to ACME\nDNS-01 challenges
        via Route53.\n\nThe upstream cert-manager code in `pkg/issuer/acme/dns/route53/route53.go`\nand
        the solver wiring in `pkg/issuer/acme/dns/dns.go` already implement all\nthree
        authentication paths \u2014 this PR just exposes them through Atmosphere's\nAnsible
        variables.\n\n## Customer-side prerequisites for the OIDC mode\n\nThis mode
        works with any Kubernetes cluster, not just EKS. Operators need\nto:\n\n1.
        Configure `--service-account-issuer` on kube-apiserver with a URL whose\n
        \  OIDC discovery documents (`/.well-known/openid-configuration` and\n   `/openid/v1/jwks`)
        are reachable from AWS. The API server itself does\n   **not** need to be
        public \u2014 publishing the two static files to any public\n   HTTPS endpoint
        (for example, an S3 bucket with CloudFront) is enough.\n2. Register the issuer
        URL as an OIDC identity provider in AWS IAM.\n3. Create an IAM role whose
        trust policy allows that OIDC provider to assume\n   it, scoped to `system:serviceaccount:cert-manager:cert-manager-route53`\n
        \  with the `sts.amazonaws.com` audience, and attach Route53 permissions\n
        \  (`route53:GetChange`, `route53:ChangeResourceRecordSets`,\n   `route53:ListHostedZonesByName`).\n\n##
        Follow-up\n\nIAM Roles Anywhere already works through `ambient` mode provided
        the\ncustomer mounts `aws_signing_helper` + a `credential_process` config
        into\nthe `cert-manager` pod. Native first-class Roles Anywhere support in\nAtmosphere
        (a dedicated role that ships the helper, manages trust anchors /\nprofile
        ARNs, and rotates client certs via `cert-manager` itself) is out of\nscope
        for this PR and worth a separate issue if demand emerges.\n\n## Test plan\n\n-
        [ ] `cluster_issuer_acme_route53_auth=static` (default) with existing\n      access
        key variables produces the same `ClusterIssuer` spec as before.\n- [ ] `cluster_issuer_acme_route53_auth=ambient`
        creates a `ClusterIssuer`\n      with no `accessKeyID` / `secretAccessKeySecretRef`
        and no Secret.\n- [ ] `cluster_issuer_acme_route53_auth=kubernetes` creates
        a\n      `ServiceAccount` named `cert-manager-route53` in the `cert-manager`\n
        \     namespace and a `ClusterIssuer` with\n      `spec.acme.solvers[0].dns01.route53.auth.kubernetes.serviceAccountRef.name`\n
        \     set to that account, plus `role` set to the configured role ARN.\n-
        [ ] `cluster_issuer_acme_route53_auth=invalid` fails fast with an\n      assertion
        error.\n- [ ] `vale` passes on both the new release note and the updated\n
        \     `certificates.rst`.\n\nCloses #3886"
      change_url: https://github.com/vexxhost/atmosphere/pull/3887
      child_jobs: []
      commit_id: 087ad88cc6b018826da7c63523f59d78c43ed187
      event_id: 628724f0-54af-11f1-9b72-863b4a5a50c6
      # Executor-side details for this build: the executor's hostname and the
      # per-build paths under /var/lib/zuul/builds/<build id>/.
      # NOTE(review): these are internal filesystem paths and a host name of
      # the CI executor; they are low-sensitivity but still describe internal
      # layout, so include them in any scrubbing applied to published logs.
      executor:
        hostname: 2d72f0692154
        inventory_file: /var/lib/zuul/builds/2ac7cb484fe54a10a09040b37e84e685/ansible/inventory.yaml
        log_root: /var/lib/zuul/builds/2ac7cb484fe54a10a09040b37e84e685/work/logs
        result_data_file: /var/lib/zuul/builds/2ac7cb484fe54a10a09040b37e84e685/work/results.json
        src_root: /var/lib/zuul/builds/2ac7cb484fe54a10a09040b37e84e685/work/src
        work_root: /var/lib/zuul/builds/2ac7cb484fe54a10a09040b37e84e685/work
      include_vars: []
      items:
      - branch: main
        change: '3887'
        change_message: "feat(cluster_issuer): support keyless AWS auth for Route53
          solver\n\n## Summary\n\n- Adds two new authentication modes for the Route53
          DNS-01 solver in the\n  `cluster_issuer` role, alongside the existing long-lived
          access key flow:\n  - **`ambient`** \u2014 `cert-manager` picks up AWS credentials
          from the pod\n    environment (env vars, EC2 IMDS, mounted credentials file).
          Also the path\n    for IAM Roles Anywhere via `credential_process` + `aws_signing_helper`.\n
          \ - **`kubernetes`** \u2014 OIDC-based `AssumeRoleWithWebIdentity` using
          a\n    projected ServiceAccount token. Works with any Kubernetes cluster
          whose\n    OIDC issuer is publicly resolvable by AWS, including on-premises.\n-
          Adds `cluster_issuer_acme_route53_role_arn` to configure the IAM role ARN\n
          \ to assume (optional for `static`/`ambient`, required for `kubernetes`).\n-
          Default remains `static`, so existing deployments keep working unchanged.\n\n##
          Background\n\nThe customer this was raised for has a company-wide policy
          against issuing\nlong-lived AWS access keys. Before this change, the Route53
          solver only\naccepted static keys, leaving that class of operator without
          a path to ACME\nDNS-01 challenges via Route53.\n\nThe upstream cert-manager
          code in `pkg/issuer/acme/dns/route53/route53.go`\nand the solver wiring
          in `pkg/issuer/acme/dns/dns.go` already implement all\nthree authentication
          paths \u2014 this PR just exposes them through Atmosphere's\nAnsible variables.\n\n##
          Customer-side prerequisites for the OIDC mode\n\nThis mode works with any
          Kubernetes cluster, not just EKS. Operators need\nto:\n\n1. Configure `--service-account-issuer`
          on kube-apiserver with a URL whose\n   OIDC discovery documents (`/.well-known/openid-configuration`
          and\n   `/openid/v1/jwks`) are reachable from AWS. The API server itself
          does\n   **not** need to be public \u2014 publishing the two static files
          to any public\n   HTTPS endpoint (for example, an S3 bucket with CloudFront)
          is enough.\n2. Register the issuer URL as an OIDC identity provider in AWS
          IAM.\n3. Create an IAM role whose trust policy allows that OIDC provider
          to assume\n   it, scoped to `system:serviceaccount:cert-manager:cert-manager-route53`\n
          \  with the `sts.amazonaws.com` audience, and attach Route53 permissions\n
          \  (`route53:GetChange`, `route53:ChangeResourceRecordSets`,\n   `route53:ListHostedZonesByName`).\n\n##
          Follow-up\n\nIAM Roles Anywhere already works through `ambient` mode provided
          the\ncustomer mounts `aws_signing_helper` + a `credential_process` config
          into\nthe `cert-manager` pod. Native first-class Roles Anywhere support
          in\nAtmosphere (a dedicated role that ships the helper, manages trust anchors
          /\nprofile ARNs, and rotates client certs via `cert-manager` itself) is
          out of\nscope for this PR and worth a separate issue if demand emerges.\n\n##
          Test plan\n\n- [ ] `cluster_issuer_acme_route53_auth=static` (default) with
          existing\n      access key variables produces the same `ClusterIssuer` spec
          as before.\n- [ ] `cluster_issuer_acme_route53_auth=ambient` creates a `ClusterIssuer`\n
          \     with no `accessKeyID` / `secretAccessKeySecretRef` and no Secret.\n-
          [ ] `cluster_issuer_acme_route53_auth=kubernetes` creates a\n      `ServiceAccount`
          named `cert-manager-route53` in the `cert-manager`\n      namespace and
          a `ClusterIssuer` with\n      `spec.acme.solvers[0].dns01.route53.auth.kubernetes.serviceAccountRef.name`\n
          \     set to that account, plus `role` set to the configured role ARN.\n-
          [ ] `cluster_issuer_acme_route53_auth=invalid` fails fast with an\n      assertion
          error.\n- [ ] `vale` passes on both the new release note and the updated\n
          \     `certificates.rst`.\n\nCloses #3886"
        change_url: https://github.com/vexxhost/atmosphere/pull/3887
        commit_id: 087ad88cc6b018826da7c63523f59d78c43ed187
        patchset: 087ad88cc6b018826da7c63523f59d78c43ed187
        project:
          canonical_hostname: github.com
          canonical_name: github.com/vexxhost/atmosphere
          name: vexxhost/atmosphere
          short_name: atmosphere
          src_dir: src/github.com/vexxhost/atmosphere
        topic: null
      job: atmosphere-molecule-aio-openvswitch
      jobtags: []
      max_attempts: 3
      message: ZmVhdChjbHVzdGVyX2lzc3Vlcik6IHN1cHBvcnQga2V5bGVzcyBBV1MgYXV0aCBmb3IgUm91dGU1MyBzb2x2ZXIKCiMjIFN1bW1hcnkKCi0gQWRkcyB0d28gbmV3IGF1dGhlbnRpY2F0aW9uIG1vZGVzIGZvciB0aGUgUm91dGU1MyBETlMtMDEgc29sdmVyIGluIHRoZQogIGBjbHVzdGVyX2lzc3VlcmAgcm9sZSwgYWxvbmdzaWRlIHRoZSBleGlzdGluZyBsb25nLWxpdmVkIGFjY2VzcyBrZXkgZmxvdzoKICAtICoqYGFtYmllbnRgKiog4oCUIGBjZXJ0LW1hbmFnZXJgIHBpY2tzIHVwIEFXUyBjcmVkZW50aWFscyBmcm9tIHRoZSBwb2QKICAgIGVudmlyb25tZW50IChlbnYgdmFycywgRUMyIElNRFMsIG1vdW50ZWQgY3JlZGVudGlhbHMgZmlsZSkuIEFsc28gdGhlIHBhdGgKICAgIGZvciBJQU0gUm9sZXMgQW55d2hlcmUgdmlhIGBjcmVkZW50aWFsX3Byb2Nlc3NgICsgYGF3c19zaWduaW5nX2hlbHBlcmAuCiAgLSAqKmBrdWJlcm5ldGVzYCoqIOKAlCBPSURDLWJhc2VkIGBBc3N1bWVSb2xlV2l0aFdlYklkZW50aXR5YCB1c2luZyBhCiAgICBwcm9qZWN0ZWQgU2VydmljZUFjY291bnQgdG9rZW4uIFdvcmtzIHdpdGggYW55IEt1YmVybmV0ZXMgY2x1c3RlciB3aG9zZQogICAgT0lEQyBpc3N1ZXIgaXMgcHVibGljbHkgcmVzb2x2YWJsZSBieSBBV1MsIGluY2x1ZGluZyBvbi1wcmVtaXNlcy4KLSBBZGRzIGBjbHVzdGVyX2lzc3Vlcl9hY21lX3JvdXRlNTNfcm9sZV9hcm5gIHRvIGNvbmZpZ3VyZSB0aGUgSUFNIHJvbGUgQVJOCiAgdG8gYXNzdW1lIChvcHRpb25hbCBmb3IgYHN0YXRpY2AvYGFtYmllbnRgLCByZXF1aXJlZCBmb3IgYGt1YmVybmV0ZXNgKS4KLSBEZWZhdWx0IHJlbWFpbnMgYHN0YXRpY2AsIHNvIGV4aXN0aW5nIGRlcGxveW1lbnRzIGtlZXAgd29ya2luZyB1bmNoYW5nZWQuCgojIyBCYWNrZ3JvdW5kCgpUaGUgY3VzdG9tZXIgdGhpcyB3YXMgcmFpc2VkIGZvciBoYXMgYSBjb21wYW55LXdpZGUgcG9saWN5IGFnYWluc3QgaXNzdWluZwpsb25nLWxpdmVkIEFXUyBhY2Nlc3Mga2V5cy4gQmVmb3JlIHRoaXMgY2hhbmdlLCB0aGUgUm91dGU1MyBzb2x2ZXIgb25seQphY2NlcHRlZCBzdGF0aWMga2V5cywgbGVhdmluZyB0aGF0IGNsYXNzIG9mIG9wZXJhdG9yIHdpdGhvdXQgYSBwYXRoIHRvIEFDTUUKRE5TLTAxIGNoYWxsZW5nZXMgdmlhIFJvdXRlNTMuCgpUaGUgdXBzdHJlYW0gY2VydC1tYW5hZ2VyIGNvZGUgaW4gYHBrZy9pc3N1ZXIvYWNtZS9kbnMvcm91dGU1My9yb3V0ZTUzLmdvYAphbmQgdGhlIHNvbHZlciB3aXJpbmcgaW4gYHBrZy9pc3N1ZXIvYWNtZS9kbnMvZG5zLmdvYCBhbHJlYWR5IGltcGxlbWVudCBhbGwKdGhyZWUgYXV0aGVudGljYXRpb24gcGF0aHMg4oCUIHRoaXMgUFIganVzdCBleHBvc2VzIHRoZW0gdGhyb3VnaCBBdG1vc3BoZXJlJ3MKQW5zaWJsZSB2YXJpYWJsZXMuCgojIyBDdXN0b21lci1zaWRlIHByZXJlcXVpc2l0ZXMgZm9yIHRoZSBPSURDIG1vZGUKClRoaXMgbW9kZSB3b3JrcyB3a
XRoIGFueSBLdWJlcm5ldGVzIGNsdXN0ZXIsIG5vdCBqdXN0IEVLUy4gT3BlcmF0b3JzIG5lZWQKdG86CgoxLiBDb25maWd1cmUgYC0tc2VydmljZS1hY2NvdW50LWlzc3VlcmAgb24ga3ViZS1hcGlzZXJ2ZXIgd2l0aCBhIFVSTCB3aG9zZQogICBPSURDIGRpc2NvdmVyeSBkb2N1bWVudHMgKGAvLndlbGwta25vd24vb3BlbmlkLWNvbmZpZ3VyYXRpb25gIGFuZAogICBgL29wZW5pZC92MS9qd2tzYCkgYXJlIHJlYWNoYWJsZSBmcm9tIEFXUy4gVGhlIEFQSSBzZXJ2ZXIgaXRzZWxmIGRvZXMKICAgKipub3QqKiBuZWVkIHRvIGJlIHB1YmxpYyDigJQgcHVibGlzaGluZyB0aGUgdHdvIHN0YXRpYyBmaWxlcyB0byBhbnkgcHVibGljCiAgIEhUVFBTIGVuZHBvaW50IChmb3IgZXhhbXBsZSwgYW4gUzMgYnVja2V0IHdpdGggQ2xvdWRGcm9udCkgaXMgZW5vdWdoLgoyLiBSZWdpc3RlciB0aGUgaXNzdWVyIFVSTCBhcyBhbiBPSURDIGlkZW50aXR5IHByb3ZpZGVyIGluIEFXUyBJQU0uCjMuIENyZWF0ZSBhbiBJQU0gcm9sZSB3aG9zZSB0cnVzdCBwb2xpY3kgYWxsb3dzIHRoYXQgT0lEQyBwcm92aWRlciB0byBhc3N1bWUKICAgaXQsIHNjb3BlZCB0byBgc3lzdGVtOnNlcnZpY2VhY2NvdW50OmNlcnQtbWFuYWdlcjpjZXJ0LW1hbmFnZXItcm91dGU1M2AKICAgd2l0aCB0aGUgYHN0cy5hbWF6b25hd3MuY29tYCBhdWRpZW5jZSwgYW5kIGF0dGFjaCBSb3V0ZTUzIHBlcm1pc3Npb25zCiAgIChgcm91dGU1MzpHZXRDaGFuZ2VgLCBgcm91dGU1MzpDaGFuZ2VSZXNvdXJjZVJlY29yZFNldHNgLAogICBgcm91dGU1MzpMaXN0SG9zdGVkWm9uZXNCeU5hbWVgKS4KCiMjIEZvbGxvdy11cAoKSUFNIFJvbGVzIEFueXdoZXJlIGFscmVhZHkgd29ya3MgdGhyb3VnaCBgYW1iaWVudGAgbW9kZSBwcm92aWRlZCB0aGUKY3VzdG9tZXIgbW91bnRzIGBhd3Nfc2lnbmluZ19oZWxwZXJgICsgYSBgY3JlZGVudGlhbF9wcm9jZXNzYCBjb25maWcgaW50bwp0aGUgYGNlcnQtbWFuYWdlcmAgcG9kLiBOYXRpdmUgZmlyc3QtY2xhc3MgUm9sZXMgQW55d2hlcmUgc3VwcG9ydCBpbgpBdG1vc3BoZXJlIChhIGRlZGljYXRlZCByb2xlIHRoYXQgc2hpcHMgdGhlIGhlbHBlciwgbWFuYWdlcyB0cnVzdCBhbmNob3JzIC8KcHJvZmlsZSBBUk5zLCBhbmQgcm90YXRlcyBjbGllbnQgY2VydHMgdmlhIGBjZXJ0LW1hbmFnZXJgIGl0c2VsZikgaXMgb3V0IG9mCnNjb3BlIGZvciB0aGlzIFBSIGFuZCB3b3J0aCBhIHNlcGFyYXRlIGlzc3VlIGlmIGRlbWFuZCBlbWVyZ2VzLgoKIyMgVGVzdCBwbGFuCgotIFsgXSBgY2x1c3Rlcl9pc3N1ZXJfYWNtZV9yb3V0ZTUzX2F1dGg9c3RhdGljYCAoZGVmYXVsdCkgd2l0aCBleGlzdGluZwogICAgICBhY2Nlc3Mga2V5IHZhcmlhYmxlcyBwcm9kdWNlcyB0aGUgc2FtZSBgQ2x1c3Rlcklzc3VlcmAgc3BlYyBhcyBiZWZvcmUuCi0gWyBdIGBjbHVzdGVyX2lzc3Vlcl9hY21lX3JvdXRlNTNfYXV0aD1hbWJpZW50YCBjcmVhdGVzIGEgYENsdXN0ZXJJc3N1Z
XJgCiAgICAgIHdpdGggbm8gYGFjY2Vzc0tleUlEYCAvIGBzZWNyZXRBY2Nlc3NLZXlTZWNyZXRSZWZgIGFuZCBubyBTZWNyZXQuCi0gWyBdIGBjbHVzdGVyX2lzc3Vlcl9hY21lX3JvdXRlNTNfYXV0aD1rdWJlcm5ldGVzYCBjcmVhdGVzIGEKICAgICAgYFNlcnZpY2VBY2NvdW50YCBuYW1lZCBgY2VydC1tYW5hZ2VyLXJvdXRlNTNgIGluIHRoZSBgY2VydC1tYW5hZ2VyYAogICAgICBuYW1lc3BhY2UgYW5kIGEgYENsdXN0ZXJJc3N1ZXJgIHdpdGgKICAgICAgYHNwZWMuYWNtZS5zb2x2ZXJzWzBdLmRuczAxLnJvdXRlNTMuYXV0aC5rdWJlcm5ldGVzLnNlcnZpY2VBY2NvdW50UmVmLm5hbWVgCiAgICAgIHNldCB0byB0aGF0IGFjY291bnQsIHBsdXMgYHJvbGVgIHNldCB0byB0aGUgY29uZmlndXJlZCByb2xlIEFSTi4KLSBbIF0gYGNsdXN0ZXJfaXNzdWVyX2FjbWVfcm91dGU1M19hdXRoPWludmFsaWRgIGZhaWxzIGZhc3Qgd2l0aCBhbgogICAgICBhc3NlcnRpb24gZXJyb3IuCi0gWyBdIGB2YWxlYCBwYXNzZXMgb24gYm90aCB0aGUgbmV3IHJlbGVhc2Ugbm90ZSBhbmQgdGhlIHVwZGF0ZWQKICAgICAgYGNlcnRpZmljYXRlcy5yc3RgLgoKQ2xvc2VzICMzODg2
      # Commit SHA of the change under test. The same value is recorded as the
      # checked-out commit of github.com/vexxhost/atmosphere in this document.
      patchset: 087ad88cc6b018826da7c63523f59d78c43ed187
      # Pipeline that scheduled this build.
      # NOTE(review): a `check` pipeline normally runs before human review, so
      # the change content it exercises is unreviewed; confirm against the
      # tenant's pipeline definition.
      pipeline: check
      # Provenance of every playbook and role used by this build: which checkout
      # each came from and at which commit. Paths are prefixed `trusted/` or
      # `untrusted/`.
      # NOTE(review): in Zuul the `trusted/` checkouts belong to config projects,
      # whose content is not taken from the change under test; confirm against
      # the tenant configuration.
      playbook_context:
        # Checkouts that playbooks and roles are resolved from. zuul-config and
        # both zuul-jobs repositories appear under both prefixes at identical
        # commits.
        playbook_projects:
          trusted/project_0/github.com/vexxhost/zuul-config:
            canonical_name: github.com/vexxhost/zuul-config
            checkout: main
            commit: 298983cd1253e6833abdb49d87d912527e0e6597
          trusted/project_1/opendev.org/zuul/zuul-jobs:
            canonical_name: opendev.org/zuul/zuul-jobs
            checkout: master
            commit: 0006564de174b87f2f6253cf820f852d63dc24b3
          trusted/project_2/github.com/vexxhost/zuul-jobs:
            canonical_name: github.com/vexxhost/zuul-jobs
            checkout: main
            commit: 348c7ff425450b0356e1d84589143dce260be74a
          untrusted/project_0/github.com/vexxhost/zuul-jobs:
            canonical_name: github.com/vexxhost/zuul-jobs
            checkout: main
            commit: 348c7ff425450b0356e1d84589143dce260be74a
          untrusted/project_1/github.com/vexxhost/zuul-config:
            canonical_name: github.com/vexxhost/zuul-config
            checkout: main
            commit: 298983cd1253e6833abdb49d87d912527e0e6597
          untrusted/project_2/opendev.org/zuul/zuul-jobs:
            canonical_name: opendev.org/zuul/zuul-jobs
            checkout: master
            commit: 0006564de174b87f2f6253cf820f852d63dc24b3
          # `checkout` names the branch `main`, but `commit` equals `patchset`:
          # playbooks and roles resolved from this path are the versions carried
          # by the change under test.
          untrusted/project_3/github.com/vexxhost/atmosphere:
            canonical_name: github.com/vexxhost/atmosphere
            checkout: main
            commit: 087ad88cc6b018826da7c63523f59d78c43ed187
          untrusted/project_4/opendev.org/openstack/openstack-helm:
            canonical_name: opendev.org/openstack/openstack-helm
            checkout: master
            commit: ebd6507b8b84365fe43c389f9571959da7b0826c
        # Main run playbook: taken from the untrusted vexxhost/zuul-jobs checkout.
        playbooks:
        - path: untrusted/project_0/github.com/vexxhost/zuul-jobs/playbooks/molecule/run.yaml
          roles:
          - checkout: master
            checkout_description: project default branch
            link_name: ansible/playbook_0/role_1/zuul-jobs
            link_target: untrusted/project_2/opendev.org/zuul/zuul-jobs
            role_path: ansible/playbook_0/role_1/zuul-jobs/roles
          - checkout: main
            checkout_description: playbook branch
            link_name: ansible/playbook_0/role_2/zuul-jobs
            link_target: untrusted/project_0/github.com/vexxhost/zuul-jobs
            role_path: ansible/playbook_0/role_2/zuul-jobs/roles
        # Post-run playbooks. The first comes from the atmosphere checkout
        # (untrusted/project_3, the change under test); the base `post.yaml` and
        # `post-logs.yaml` come from the trusted zuul-config checkout.
        post_playbooks:
        - path: untrusted/project_3/github.com/vexxhost/atmosphere/test-playbooks/molecule/post.yml
          roles:
          - checkout: main
            checkout_description: playbook branch
            link_name: ansible/post_playbook_0/role_0/atmosphere
            link_target: untrusted/project_3/github.com/vexxhost/atmosphere
            role_path: ansible/post_playbook_0/role_0/atmosphere/roles
          - checkout: master
            checkout_description: project default branch
            link_name: ansible/post_playbook_0/role_1/openstack-helm
            link_target: untrusted/project_4/opendev.org/openstack/openstack-helm
            role_path: ansible/post_playbook_0/role_1/openstack-helm/roles
          - checkout: master
            checkout_description: project default branch
            link_name: ansible/post_playbook_0/role_3/zuul-jobs
            link_target: untrusted/project_2/opendev.org/zuul/zuul-jobs
            role_path: ansible/post_playbook_0/role_3/zuul-jobs/roles
          - checkout: main
            checkout_description: zuul branch
            link_name: ansible/post_playbook_0/role_4/zuul-jobs
            link_target: untrusted/project_0/github.com/vexxhost/zuul-jobs
            role_path: ansible/post_playbook_0/role_4/zuul-jobs/roles
        # Both roles below link only to trusted checkouts.
        - path: trusted/project_0/github.com/vexxhost/zuul-config/playbooks/base/post.yaml
          roles:
          - checkout: master
            checkout_description: project default branch
            link_name: ansible/post_playbook_1/role_1/zuul-jobs
            link_target: trusted/project_1/opendev.org/zuul/zuul-jobs
            role_path: ansible/post_playbook_1/role_1/zuul-jobs/roles
          - checkout: main
            checkout_description: zuul branch
            link_name: ansible/post_playbook_1/role_2/zuul-jobs
            link_target: trusted/project_2/github.com/vexxhost/zuul-jobs
            role_path: ansible/post_playbook_1/role_2/zuul-jobs/roles
        # NOTE(review): presumably the log-upload step; if it holds the
        # log-storage credentials, confirm it only ever resolves roles from
        # trusted checkouts, as it does here.
        - path: trusted/project_0/github.com/vexxhost/zuul-config/playbooks/base/post-logs.yaml
          roles:
          - checkout: master
            checkout_description: project default branch
            link_name: ansible/post_playbook_2/role_1/zuul-jobs
            link_target: trusted/project_1/opendev.org/zuul/zuul-jobs
            role_path: ansible/post_playbook_2/role_1/zuul-jobs/roles
          - checkout: main
            checkout_description: zuul branch
            link_name: ansible/post_playbook_2/role_2/zuul-jobs
            link_target: trusted/project_2/github.com/vexxhost/zuul-jobs
            role_path: ansible/post_playbook_2/role_2/zuul-jobs/roles
        # Pre-run playbooks: the trusted base `pre.yaml` is listed first, then
        # the untrusted molecule `pre.yaml`, then the `pre.yml` carried by the
        # change under test (untrusted/project_3).
        pre_playbooks:
        - path: trusted/project_0/github.com/vexxhost/zuul-config/playbooks/base/pre.yaml
          roles:
          - checkout: master
            checkout_description: project default branch
            link_name: ansible/pre_playbook_0/role_1/zuul-jobs
            link_target: trusted/project_1/opendev.org/zuul/zuul-jobs
            role_path: ansible/pre_playbook_0/role_1/zuul-jobs/roles
          - checkout: main
            checkout_description: zuul branch
            link_name: ansible/pre_playbook_0/role_2/zuul-jobs
            link_target: trusted/project_2/github.com/vexxhost/zuul-jobs
            role_path: ansible/pre_playbook_0/role_2/zuul-jobs/roles
        - path: untrusted/project_0/github.com/vexxhost/zuul-jobs/playbooks/molecule/pre.yaml
          roles:
          - checkout: master
            checkout_description: project default branch
            link_name: ansible/pre_playbook_1/role_1/zuul-jobs
            link_target: untrusted/project_2/opendev.org/zuul/zuul-jobs
            role_path: ansible/pre_playbook_1/role_1/zuul-jobs/roles
          - checkout: main
            checkout_description: playbook branch
            link_name: ansible/pre_playbook_1/role_2/zuul-jobs
            link_target: untrusted/project_0/github.com/vexxhost/zuul-jobs
            role_path: ansible/pre_playbook_1/role_2/zuul-jobs/roles
        - path: untrusted/project_3/github.com/vexxhost/atmosphere/test-playbooks/molecule/pre.yml
          roles:
          - checkout: main
            checkout_description: playbook branch
            link_name: ansible/pre_playbook_2/role_0/atmosphere
            link_target: untrusted/project_3/github.com/vexxhost/atmosphere
            role_path: ansible/pre_playbook_2/role_0/atmosphere/roles
          - checkout: master
            checkout_description: project default branch
            link_name: ansible/pre_playbook_2/role_1/openstack-helm
            link_target: untrusted/project_4/opendev.org/openstack/openstack-helm
            role_path: ansible/pre_playbook_2/role_1/openstack-helm/roles
          - checkout: master
            checkout_description: project default branch
            link_name: ansible/pre_playbook_2/role_3/zuul-jobs
            link_target: untrusted/project_2/opendev.org/zuul/zuul-jobs
            role_path: ansible/pre_playbook_2/role_3/zuul-jobs/roles
          - checkout: main
            checkout_description: zuul branch
            link_name: ansible/pre_playbook_2/role_4/zuul-jobs
            link_target: untrusted/project_0/github.com/vexxhost/zuul-jobs
            role_path: ansible/pre_playbook_2/role_4/zuul-jobs/roles
      # NOTE(review): in Zuul, `post_review` is true for jobs restricted to
      # post-review pipelines (for example a job that uses secrets and is
      # defined in an untrusted project). `false` is consistent with this build
      # running in the `check` pipeline; confirm against the job definition.
      post_review: false
      # null: no value is recorded for these two settings.
      post_timeout: null
      pre_timeout: null
      # Identity of the project this build was scheduled for; `src_dir` is the
      # relative path of its checkout.
      project:
        canonical_hostname: github.com
        canonical_name: github.com/vexxhost/atmosphere
        name: vexxhost/atmosphere
        short_name: atmosphere
        src_dir: src/github.com/vexxhost/atmosphere
      # Repositories listed for this build, keyed by canonical name, each with
      # the branch checked out and the exact commit it resolved to. Every entry
      # tracks a branch (`main` or `master`) rather than a tag, so the `commit`
      # value is the only record here of which code was actually used; keep it
      # with the build artifacts when a run has to be reproduced or audited.
      # `required` is true on every entry except github.com/vexxhost/atmosphere.
      # NOTE(review): Zuul sets `required` for projects named in the job's
      # required-projects list; atmosphere is presumably present only as the
      # project under test. Confirm against the job definition.
      projects:
        github.com/ansible-collections/ansible.netcommon:
          canonical_hostname: github.com
          canonical_name: github.com/ansible-collections/ansible.netcommon
          checkout: main
          checkout_description: zuul branch
          commit: 74b98f449ab9c553bd7821a7524e54412cd05751
          name: ansible-collections/ansible.netcommon
          required: true
          short_name: ansible.netcommon
          src_dir: src/github.com/ansible-collections/ansible.netcommon
        github.com/ansible-collections/ansible.posix:
          canonical_hostname: github.com
          canonical_name: github.com/ansible-collections/ansible.posix
          checkout: main
          checkout_description: zuul branch
          commit: 3c232a2429aaa9b49cae40bb3afa1a0ceb03c221
          name: ansible-collections/ansible.posix
          required: true
          short_name: ansible.posix
          src_dir: src/github.com/ansible-collections/ansible.posix
        github.com/ansible-collections/ansible.utils:
          canonical_hostname: github.com
          canonical_name: github.com/ansible-collections/ansible.utils
          checkout: main
          checkout_description: zuul branch
          commit: 777fdd8b4df2aebf2227d5b3d89eb8f97fcc281c
          name: ansible-collections/ansible.utils
          required: true
          short_name: ansible.utils
          src_dir: src/github.com/ansible-collections/ansible.utils
        github.com/ansible-collections/community.crypto:
          canonical_hostname: github.com
          canonical_name: github.com/ansible-collections/community.crypto
          checkout: main
          checkout_description: zuul branch
          commit: be72041cee7c6766efa4d22ee9e7ffbc2cb14676
          name: ansible-collections/community.crypto
          required: true
          short_name: community.crypto
          src_dir: src/github.com/ansible-collections/community.crypto
        github.com/ansible-collections/community.general:
          canonical_hostname: github.com
          canonical_name: github.com/ansible-collections/community.general
          checkout: main
          checkout_description: zuul branch
          commit: e6ca0df592c4db26ef4af31ea08986fa8a056fd6
          name: ansible-collections/community.general
          required: true
          short_name: community.general
          src_dir: src/github.com/ansible-collections/community.general
        github.com/ansible-collections/community.mysql:
          canonical_hostname: github.com
          canonical_name: github.com/ansible-collections/community.mysql
          checkout: main
          checkout_description: zuul branch
          commit: fa81214de95662ba161ddaeb99680a16a7d337d4
          name: ansible-collections/community.mysql
          required: true
          short_name: community.mysql
          src_dir: src/github.com/ansible-collections/community.mysql
        github.com/ansible-collections/kubernetes.core:
          canonical_hostname: github.com
          canonical_name: github.com/ansible-collections/kubernetes.core
          checkout: main
          checkout_description: zuul branch
          commit: 53c6c0ee80065de07286213058ee1747939b4add
          name: ansible-collections/kubernetes.core
          required: true
          short_name: kubernetes.core
          src_dir: src/github.com/ansible-collections/kubernetes.core
        github.com/vexxhost/ansible-collection-ceph:
          canonical_hostname: github.com
          canonical_name: github.com/vexxhost/ansible-collection-ceph
          checkout: main
          checkout_description: zuul branch
          commit: 73f630a25d5c22f029e85298d9d47f3d94a014a6
          name: vexxhost/ansible-collection-ceph
          required: true
          short_name: ansible-collection-ceph
          src_dir: src/github.com/vexxhost/ansible-collection-ceph
        github.com/vexxhost/ansible-collection-containers:
          canonical_hostname: github.com
          canonical_name: github.com/vexxhost/ansible-collection-containers
          checkout: main
          checkout_description: zuul branch
          commit: 81e3fb55671a8a2c167c263761c5c139bc8421bc
          name: vexxhost/ansible-collection-containers
          required: true
          short_name: ansible-collection-containers
          src_dir: src/github.com/vexxhost/ansible-collection-containers
        github.com/vexxhost/ansible-collection-kubernetes:
          canonical_hostname: github.com
          canonical_name: github.com/vexxhost/ansible-collection-kubernetes
          checkout: main
          checkout_description: zuul branch
          commit: 9f3d6b431eecba057ca958b01e0ecfcee5ff5516
          name: vexxhost/ansible-collection-kubernetes
          required: true
          short_name: ansible-collection-kubernetes
          src_dir: src/github.com/vexxhost/ansible-collection-kubernetes
        # Project under test: `commit` equals the build's `patchset` value even
        # though `checkout` names the branch `main`.
        github.com/vexxhost/atmosphere:
          canonical_hostname: github.com
          canonical_name: github.com/vexxhost/atmosphere
          checkout: main
          checkout_description: zuul branch
          commit: 087ad88cc6b018826da7c63523f59d78c43ed187
          name: vexxhost/atmosphere
          required: false
          short_name: atmosphere
          src_dir: src/github.com/vexxhost/atmosphere
        github.com/vexxhost/atmosphere.common:
          canonical_hostname: github.com
          canonical_name: github.com/vexxhost/atmosphere.common
          checkout: main
          checkout_description: zuul branch
          commit: 1b2c1f70f67daca73ccaf50727179f0c1168615f
          name: vexxhost/atmosphere.common
          required: true
          short_name: atmosphere.common
          src_dir: src/github.com/vexxhost/atmosphere.common
        # The only entry hosted on opendev.org, and the only one whose branch is
        # `master` (described as the project default branch).
        opendev.org/openstack/ansible-collections-openstack:
          canonical_hostname: opendev.org
          canonical_name: opendev.org/openstack/ansible-collections-openstack
          checkout: master
          checkout_description: project default branch
          commit: 338534eab2f1111a652739e873a5c6deb32bbce2
          name: openstack/ansible-collections-openstack
          required: true
          short_name: ansible-collections-openstack
          src_dir: src/opendev.org/openstack/ansible-collections-openstack
      # Git ref of the change under test: the head ref of pull request 3887.
      ref: refs/pull/3887/head
      # Empty mapping: no entries are recorded under `resources` for this build.
      resources: {}
      tenant: oss
      # NOTE(review): presumably seconds (Zuul job timeouts are expressed in
      # seconds), i.e. two hours; confirm against the job definition.
      timeout: 7200
      topic: null
      # NOTE(review): presumably this build's result counts toward the pipeline
      # verdict for the change; confirm against the job definition.
      voting: true
