all: children: cephs: hosts: instance: null computes: hosts: instance: null controllers: hosts: instance: null zuul_unreachable: hosts: {} hosts: instance: ansible_connection: ssh ansible_host: 199.204.45.38 ansible_port: 22 ansible_python_interpreter: auto ansible_user: zuul atmosphere_image_prefix: harbor.atmosphere.dev/ ceph_conf_overrides: - option: mon allow pool size one section: global value: true - option: osd crush chooseleaf type section: global value: 0 - option: auth allow insecure global id reclaim section: mon value: false ceph_csi_rbd_helm_values: provisioner: replicaCount: 1 ceph_fsid: 4837cbf8-4f90-4300-b3f6-726c9b9f89b4 ceph_osd_devices: - /dev/ceph-{{ inventory_hostname_short }}-osd0/data - /dev/ceph-{{ inventory_hostname_short }}-osd1/data - /dev/ceph-{{ inventory_hostname_short }}-osd2/data cilium_helm_values: operator: replicas: 1 csi_driver: local-path-provisioner kube_vip_address: 172.17.0.100 kube_vip_interface: '{{ ansible_facts[''default_ipv4''].interface }}' kubernetes_hostname: '{{ ansible_facts[''default_ipv4''].address }}' molecule_scenario: csi nodepool: az: nova cloud: public external_id: c706c8a3-33bb-451e-bb4c-b4c84de07a6d host_id: 7cb77d063530dedbf6983b78a36ec607482cf1d282610499e8bd9357 interface_ip: 199.204.45.38 label: ubuntu-jammy node_properties: {} private_ipv4: 199.204.45.38 private_ipv6: null provider: yul1 public_ipv4: 199.204.45.38 public_ipv6: 2604:e100:1:0:f816:3eff:fe5c:e34d region: ca-ymq-1 slot: null zuul_node: az: nova cloud: public external_id: c706c8a3-33bb-451e-bb4c-b4c84de07a6d host_id: 7cb77d063530dedbf6983b78a36ec607482cf1d282610499e8bd9357 interface_ip: 199.204.45.38 label: ubuntu-jammy node_properties: {} private_ipv4: 199.204.45.38 private_ipv6: null provider: yul1 public_ipv4: 199.204.45.38 public_ipv6: 2604:e100:1:0:f816:3eff:fe5c:e34d region: ca-ymq-1 slot: null uuid: null vars: atmosphere_image_prefix: harbor.atmosphere.dev/ ceph_conf_overrides: - option: mon allow pool size one section: global value: true - option: osd crush chooseleaf type section: global value: 0 - option: auth allow insecure global id reclaim section: mon value: false ceph_csi_rbd_helm_values: provisioner: replicaCount: 1 ceph_fsid: 4837cbf8-4f90-4300-b3f6-726c9b9f89b4 ceph_osd_devices: - /dev/ceph-{{ inventory_hostname_short }}-osd0/data - /dev/ceph-{{ inventory_hostname_short }}-osd1/data - /dev/ceph-{{ inventory_hostname_short }}-osd2/data cilium_helm_values: operator: replicas: 1 csi_driver: local-path-provisioner kube_vip_address: 172.17.0.100 kube_vip_interface: '{{ ansible_facts[''default_ipv4''].interface }}' kubernetes_hostname: '{{ ansible_facts[''default_ipv4''].address }}' molecule_scenario: csi zuul: _inheritance_path: - '' - '' - '' - '' - '' - '' ansible_version: '9' attempts: 1 branch: main build: e239b1bd0f9440cbb367b35254a25453 build_refs: - branch: main change: '3887' change_message: "feat(cluster_issuer): support keyless AWS auth for Route53 solver\n\n## Summary\n\n- Adds two new authentication modes for the Route53 DNS-01 solver in the\n `cluster_issuer` role, alongside the existing long-lived access key flow:\n - **`ambient`** \u2014 `cert-manager` picks up AWS credentials from the pod\n environment (env vars, EC2 IMDS, mounted credentials file). Also the path\n for IAM Roles Anywhere via `credential_process` + `aws_signing_helper`.\n \ - **`kubernetes`** \u2014 OIDC-based `AssumeRoleWithWebIdentity` using a\n projected ServiceAccount token. Works with any Kubernetes cluster whose\n OIDC issuer is publicly resolvable by AWS, including on-premises.\n- Adds `cluster_issuer_acme_route53_role_arn` to configure the IAM role ARN\n \ to assume (optional for `static`/`ambient`, required for `kubernetes`).\n- Default remains `static`, so existing deployments keep working unchanged.\n\n## Background\n\nThe customer this was raised for has a company-wide policy against issuing\nlong-lived AWS access keys. Before this change, the Route53 solver only\naccepted static keys, leaving that class of operator without a path to ACME\nDNS-01 challenges via Route53.\n\nThe upstream cert-manager code in `pkg/issuer/acme/dns/route53/route53.go`\nand the solver wiring in `pkg/issuer/acme/dns/dns.go` already implement all\nthree authentication paths \u2014 this PR just exposes them through Atmosphere's\nAnsible variables.\n\n## Customer-side prerequisites for the OIDC mode\n\nThis mode works with any Kubernetes cluster, not just EKS. Operators need\nto:\n\n1. Configure `--service-account-issuer` on kube-apiserver with a URL whose\n OIDC discovery documents (`/.well-known/openid-configuration` and\n `/openid/v1/jwks`) are reachable from AWS. The API server itself does\n **not** need to be public \u2014 publishing the two static files to any public\n HTTPS endpoint (for example, an S3 bucket with CloudFront) is enough.\n2. Register the issuer URL as an OIDC identity provider in AWS IAM.\n3. Create an IAM role whose trust policy allows that OIDC provider to assume\n it, scoped to `system:serviceaccount:cert-manager:cert-manager-route53`\n \ with the `sts.amazonaws.com` audience, and attach Route53 permissions\n \ (`route53:GetChange`, `route53:ChangeResourceRecordSets`,\n `route53:ListHostedZonesByName`).\n\n## Follow-up\n\nIAM Roles Anywhere already works through `ambient` mode provided the\ncustomer mounts `aws_signing_helper` + a `credential_process` config into\nthe `cert-manager` pod. Native first-class Roles Anywhere support in\nAtmosphere (a dedicated role that ships the helper, manages trust anchors /\nprofile ARNs, and rotates client certs via `cert-manager` itself) is out of\nscope for this PR and worth a separate issue if demand emerges.\n\n## Test plan\n\n- [ ] `cluster_issuer_acme_route53_auth=static` (default) with existing\n access key variables produces the same `ClusterIssuer` spec as before.\n- [ ] `cluster_issuer_acme_route53_auth=ambient` creates a `ClusterIssuer`\n \ with no `accessKeyID` / `secretAccessKeySecretRef` and no Secret.\n- [ ] `cluster_issuer_acme_route53_auth=kubernetes` creates a\n `ServiceAccount` named `cert-manager-route53` in the `cert-manager`\n namespace and a `ClusterIssuer` with\n `spec.acme.solvers[0].dns01.route53.auth.kubernetes.serviceAccountRef.name`\n \ set to that account, plus `role` set to the configured role ARN.\n- [ ] `cluster_issuer_acme_route53_auth=invalid` fails fast with an\n assertion error.\n- [ ] `vale` passes on both the new release note and the updated\n \ `certificates.rst`.\n\nCloses #3886" change_url: https://github.com/vexxhost/atmosphere/pull/3887 commit_id: e0b351124f52ae3be122add06e95a030e7e32ca9 patchset: e0b351124f52ae3be122add06e95a030e7e32ca9 project: canonical_hostname: github.com canonical_name: github.com/vexxhost/atmosphere name: vexxhost/atmosphere short_name: atmosphere src_dir: src/github.com/vexxhost/atmosphere src_dir: src/github.com/vexxhost/atmosphere topic: null buildset: e29dc8c2789d4ecba9cf6457b79e6357 buildset_refs: - branch: main change: '3887' change_message: "feat(cluster_issuer): support keyless AWS auth for Route53 solver\n\n## Summary\n\n- Adds two new authentication modes for the Route53 DNS-01 solver in the\n `cluster_issuer` role, alongside the existing long-lived access key flow:\n - **`ambient`** \u2014 `cert-manager` picks up AWS credentials from the pod\n environment (env vars, EC2 IMDS, mounted credentials file). Also the path\n for IAM Roles Anywhere via `credential_process` + `aws_signing_helper`.\n \ - **`kubernetes`** \u2014 OIDC-based `AssumeRoleWithWebIdentity` using a\n projected ServiceAccount token. Works with any Kubernetes cluster whose\n OIDC issuer is publicly resolvable by AWS, including on-premises.\n- Adds `cluster_issuer_acme_route53_role_arn` to configure the IAM role ARN\n \ to assume (optional for `static`/`ambient`, required for `kubernetes`).\n- Default remains `static`, so existing deployments keep working unchanged.\n\n## Background\n\nThe customer this was raised for has a company-wide policy against issuing\nlong-lived AWS access keys. Before this change, the Route53 solver only\naccepted static keys, leaving that class of operator without a path to ACME\nDNS-01 challenges via Route53.\n\nThe upstream cert-manager code in `pkg/issuer/acme/dns/route53/route53.go`\nand the solver wiring in `pkg/issuer/acme/dns/dns.go` already implement all\nthree authentication paths \u2014 this PR just exposes them through Atmosphere's\nAnsible variables.\n\n## Customer-side prerequisites for the OIDC mode\n\nThis mode works with any Kubernetes cluster, not just EKS. Operators need\nto:\n\n1. Configure `--service-account-issuer` on kube-apiserver with a URL whose\n OIDC discovery documents (`/.well-known/openid-configuration` and\n `/openid/v1/jwks`) are reachable from AWS. The API server itself does\n **not** need to be public \u2014 publishing the two static files to any public\n HTTPS endpoint (for example, an S3 bucket with CloudFront) is enough.\n2. Register the issuer URL as an OIDC identity provider in AWS IAM.\n3. Create an IAM role whose trust policy allows that OIDC provider to assume\n it, scoped to `system:serviceaccount:cert-manager:cert-manager-route53`\n \ with the `sts.amazonaws.com` audience, and attach Route53 permissions\n \ (`route53:GetChange`, `route53:ChangeResourceRecordSets`,\n `route53:ListHostedZonesByName`).\n\n## Follow-up\n\nIAM Roles Anywhere already works through `ambient` mode provided the\ncustomer mounts `aws_signing_helper` + a `credential_process` config into\nthe `cert-manager` pod. Native first-class Roles Anywhere support in\nAtmosphere (a dedicated role that ships the helper, manages trust anchors /\nprofile ARNs, and rotates client certs via `cert-manager` itself) is out of\nscope for this PR and worth a separate issue if demand emerges.\n\n## Test plan\n\n- [ ] `cluster_issuer_acme_route53_auth=static` (default) with existing\n access key variables produces the same `ClusterIssuer` spec as before.\n- [ ] `cluster_issuer_acme_route53_auth=ambient` creates a `ClusterIssuer`\n \ with no `accessKeyID` / `secretAccessKeySecretRef` and no Secret.\n- [ ] `cluster_issuer_acme_route53_auth=kubernetes` creates a\n `ServiceAccount` named `cert-manager-route53` in the `cert-manager`\n namespace and a `ClusterIssuer` with\n `spec.acme.solvers[0].dns01.route53.auth.kubernetes.serviceAccountRef.name`\n \ set to that account, plus `role` set to the configured role ARN.\n- [ ] `cluster_issuer_acme_route53_auth=invalid` fails fast with an\n assertion error.\n- [ ] `vale` passes on both the new release note and the updated\n \ `certificates.rst`.\n\nCloses #3886" change_url: https://github.com/vexxhost/atmosphere/pull/3887 commit_id: e0b351124f52ae3be122add06e95a030e7e32ca9 patchset: e0b351124f52ae3be122add06e95a030e7e32ca9 project: canonical_hostname: github.com canonical_name: github.com/vexxhost/atmosphere name: vexxhost/atmosphere short_name: atmosphere src_dir: src/github.com/vexxhost/atmosphere src_dir: src/github.com/vexxhost/atmosphere topic: null change: '3887' change_message: "feat(cluster_issuer): support keyless AWS auth for Route53 solver\n\n## Summary\n\n- Adds two new authentication modes for the Route53 DNS-01 solver in the\n `cluster_issuer` role, alongside the existing long-lived access key flow:\n - **`ambient`** \u2014 `cert-manager` picks up AWS credentials from the pod\n environment (env vars, EC2 IMDS, mounted credentials file). Also the path\n for IAM Roles Anywhere via `credential_process` + `aws_signing_helper`.\n \ - **`kubernetes`** \u2014 OIDC-based `AssumeRoleWithWebIdentity` using a\n \ projected ServiceAccount token. Works with any Kubernetes cluster whose\n \ OIDC issuer is publicly resolvable by AWS, including on-premises.\n- Adds `cluster_issuer_acme_route53_role_arn` to configure the IAM role ARN\n to assume (optional for `static`/`ambient`, required for `kubernetes`).\n- Default remains `static`, so existing deployments keep working unchanged.\n\n## Background\n\nThe customer this was raised for has a company-wide policy against issuing\nlong-lived AWS access keys. Before this change, the Route53 solver only\naccepted static keys, leaving that class of operator without a path to ACME\nDNS-01 challenges via Route53.\n\nThe upstream cert-manager code in `pkg/issuer/acme/dns/route53/route53.go`\nand the solver wiring in `pkg/issuer/acme/dns/dns.go` already implement all\nthree authentication paths \u2014 this PR just exposes them through Atmosphere's\nAnsible variables.\n\n## Customer-side prerequisites for the OIDC mode\n\nThis mode works with any Kubernetes cluster, not just EKS. Operators need\nto:\n\n1. Configure `--service-account-issuer` on kube-apiserver with a URL whose\n \ OIDC discovery documents (`/.well-known/openid-configuration` and\n `/openid/v1/jwks`) are reachable from AWS. The API server itself does\n **not** need to be public \u2014 publishing the two static files to any public\n HTTPS endpoint (for example, an S3 bucket with CloudFront) is enough.\n2. Register the issuer URL as an OIDC identity provider in AWS IAM.\n3. Create an IAM role whose trust policy allows that OIDC provider to assume\n it, scoped to `system:serviceaccount:cert-manager:cert-manager-route53`\n \ with the `sts.amazonaws.com` audience, and attach Route53 permissions\n \ (`route53:GetChange`, `route53:ChangeResourceRecordSets`,\n `route53:ListHostedZonesByName`).\n\n## Follow-up\n\nIAM Roles Anywhere already works through `ambient` mode provided the\ncustomer mounts `aws_signing_helper` + a `credential_process` config into\nthe `cert-manager` pod. Native first-class Roles Anywhere support in\nAtmosphere (a dedicated role that ships the helper, manages trust anchors /\nprofile ARNs, and rotates client certs via `cert-manager` itself) is out of\nscope for this PR and worth a separate issue if demand emerges.\n\n## Test plan\n\n- [ ] `cluster_issuer_acme_route53_auth=static` (default) with existing\n access key variables produces the same `ClusterIssuer` spec as before.\n- [ ] `cluster_issuer_acme_route53_auth=ambient` creates a `ClusterIssuer`\n with no `accessKeyID` / `secretAccessKeySecretRef` and no Secret.\n- [ ] `cluster_issuer_acme_route53_auth=kubernetes` creates a\n `ServiceAccount` named `cert-manager-route53` in the `cert-manager`\n \ namespace and a `ClusterIssuer` with\n `spec.acme.solvers[0].dns01.route53.auth.kubernetes.serviceAccountRef.name`\n \ set to that account, plus `role` set to the configured role ARN.\n- [ ] `cluster_issuer_acme_route53_auth=invalid` fails fast with an\n assertion error.\n- [ ] `vale` passes on both the new release note and the updated\n \ `certificates.rst`.\n\nCloses #3886" change_url: https://github.com/vexxhost/atmosphere/pull/3887 child_jobs: [] commit_id: e0b351124f52ae3be122add06e95a030e7e32ca9 event_id: 68046db0-429f-11f1-8b0b-d8e40e816946 executor: hostname: 0a8996d2b663 inventory_file: /var/lib/zuul/builds/e239b1bd0f9440cbb367b35254a25453/ansible/inventory.yaml log_root: /var/lib/zuul/builds/e239b1bd0f9440cbb367b35254a25453/work/logs result_data_file: /var/lib/zuul/builds/e239b1bd0f9440cbb367b35254a25453/work/results.json src_root: /var/lib/zuul/builds/e239b1bd0f9440cbb367b35254a25453/work/src work_root: /var/lib/zuul/builds/e239b1bd0f9440cbb367b35254a25453/work include_vars: [] items: - branch: main change: '3887' change_message: "feat(cluster_issuer): support keyless AWS auth for Route53 solver\n\n## Summary\n\n- Adds two new authentication modes for the Route53 DNS-01 solver in the\n `cluster_issuer` role, alongside the existing long-lived access key flow:\n - **`ambient`** \u2014 `cert-manager` picks up AWS credentials from the pod\n environment (env vars, EC2 IMDS, mounted credentials file). Also the path\n for IAM Roles Anywhere via `credential_process` + `aws_signing_helper`.\n \ - **`kubernetes`** \u2014 OIDC-based `AssumeRoleWithWebIdentity` using a\n projected ServiceAccount token. Works with any Kubernetes cluster whose\n OIDC issuer is publicly resolvable by AWS, including on-premises.\n- Adds `cluster_issuer_acme_route53_role_arn` to configure the IAM role ARN\n \ to assume (optional for `static`/`ambient`, required for `kubernetes`).\n- Default remains `static`, so existing deployments keep working unchanged.\n\n## Background\n\nThe customer this was raised for has a company-wide policy against issuing\nlong-lived AWS access keys. Before this change, the Route53 solver only\naccepted static keys, leaving that class of operator without a path to ACME\nDNS-01 challenges via Route53.\n\nThe upstream cert-manager code in `pkg/issuer/acme/dns/route53/route53.go`\nand the solver wiring in `pkg/issuer/acme/dns/dns.go` already implement all\nthree authentication paths \u2014 this PR just exposes them through Atmosphere's\nAnsible variables.\n\n## Customer-side prerequisites for the OIDC mode\n\nThis mode works with any Kubernetes cluster, not just EKS. Operators need\nto:\n\n1. Configure `--service-account-issuer` on kube-apiserver with a URL whose\n OIDC discovery documents (`/.well-known/openid-configuration` and\n `/openid/v1/jwks`) are reachable from AWS. The API server itself does\n **not** need to be public \u2014 publishing the two static files to any public\n HTTPS endpoint (for example, an S3 bucket with CloudFront) is enough.\n2. Register the issuer URL as an OIDC identity provider in AWS IAM.\n3. Create an IAM role whose trust policy allows that OIDC provider to assume\n it, scoped to `system:serviceaccount:cert-manager:cert-manager-route53`\n \ with the `sts.amazonaws.com` audience, and attach Route53 permissions\n \ (`route53:GetChange`, `route53:ChangeResourceRecordSets`,\n `route53:ListHostedZonesByName`).\n\n## Follow-up\n\nIAM Roles Anywhere already works through `ambient` mode provided the\ncustomer mounts `aws_signing_helper` + a `credential_process` config into\nthe `cert-manager` pod. Native first-class Roles Anywhere support in\nAtmosphere (a dedicated role that ships the helper, manages trust anchors /\nprofile ARNs, and rotates client certs via `cert-manager` itself) is out of\nscope for this PR and worth a separate issue if demand emerges.\n\n## Test plan\n\n- [ ] `cluster_issuer_acme_route53_auth=static` (default) with existing\n access key variables produces the same `ClusterIssuer` spec as before.\n- [ ] `cluster_issuer_acme_route53_auth=ambient` creates a `ClusterIssuer`\n \ with no `accessKeyID` / `secretAccessKeySecretRef` and no Secret.\n- [ ] `cluster_issuer_acme_route53_auth=kubernetes` creates a\n `ServiceAccount` named `cert-manager-route53` in the `cert-manager`\n namespace and a `ClusterIssuer` with\n `spec.acme.solvers[0].dns01.route53.auth.kubernetes.serviceAccountRef.name`\n \ set to that account, plus `role` set to the configured role ARN.\n- [ ] `cluster_issuer_acme_route53_auth=invalid` fails fast with an\n assertion error.\n- [ ] `vale` passes on both the new release note and the updated\n \ `certificates.rst`.\n\nCloses #3886" change_url: https://github.com/vexxhost/atmosphere/pull/3887 commit_id: e0b351124f52ae3be122add06e95a030e7e32ca9 patchset: e0b351124f52ae3be122add06e95a030e7e32ca9 project: canonical_hostname: github.com canonical_name: github.com/vexxhost/atmosphere name: vexxhost/atmosphere short_name: atmosphere src_dir: src/github.com/vexxhost/atmosphere topic: null job: atmosphere-molecule-csi-local-path-provisioner jobtags: [] max_attempts: 3 message: ZmVhdChjbHVzdGVyX2lzc3Vlcik6IHN1cHBvcnQga2V5bGVzcyBBV1MgYXV0aCBmb3IgUm91dGU1MyBzb2x2ZXIKCiMjIFN1bW1hcnkKCi0gQWRkcyB0d28gbmV3IGF1dGhlbnRpY2F0aW9uIG1vZGVzIGZvciB0aGUgUm91dGU1MyBETlMtMDEgc29sdmVyIGluIHRoZQogIGBjbHVzdGVyX2lzc3VlcmAgcm9sZSwgYWxvbmdzaWRlIHRoZSBleGlzdGluZyBsb25nLWxpdmVkIGFjY2VzcyBrZXkgZmxvdzoKICAtICoqYGFtYmllbnRgKiog4oCUIGBjZXJ0LW1hbmFnZXJgIHBpY2tzIHVwIEFXUyBjcmVkZW50aWFscyBmcm9tIHRoZSBwb2QKICAgIGVudmlyb25tZW50IChlbnYgdmFycywgRUMyIElNRFMsIG1vdW50ZWQgY3JlZGVudGlhbHMgZmlsZSkuIEFsc28gdGhlIHBhdGgKICAgIGZvciBJQU0gUm9sZXMgQW55d2hlcmUgdmlhIGBjcmVkZW50aWFsX3Byb2Nlc3NgICsgYGF3c19zaWduaW5nX2hlbHBlcmAuCiAgLSAqKmBrdWJlcm5ldGVzYCoqIOKAlCBPSURDLWJhc2VkIGBBc3N1bWVSb2xlV2l0aFdlYklkZW50aXR5YCB1c2luZyBhCiAgICBwcm9qZWN0ZWQgU2VydmljZUFjY291bnQgdG9rZW4uIFdvcmtzIHdpdGggYW55IEt1YmVybmV0ZXMgY2x1c3RlciB3aG9zZQogICAgT0lEQyBpc3N1ZXIgaXMgcHVibGljbHkgcmVzb2x2YWJsZSBieSBBV1MsIGluY2x1ZGluZyBvbi1wcmVtaXNlcy4KLSBBZGRzIGBjbHVzdGVyX2lzc3Vlcl9hY21lX3JvdXRlNTNfcm9sZV9hcm5gIHRvIGNvbmZpZ3VyZSB0aGUgSUFNIHJvbGUgQVJOCiAgdG8gYXNzdW1lIChvcHRpb25hbCBmb3IgYHN0YXRpY2AvYGFtYmllbnRgLCByZXF1aXJlZCBmb3IgYGt1YmVybmV0ZXNgKS4KLSBEZWZhdWx0IHJlbWFpbnMgYHN0YXRpY2AsIHNvIGV4aXN0aW5nIGRlcGxveW1lbnRzIGtlZXAgd29ya2luZyB1bmNoYW5nZWQuCgojIyBCYWNrZ3JvdW5kCgpUaGUgY3VzdG9tZXIgdGhpcyB3YXMgcmFpc2VkIGZvciBoYXMgYSBjb21wYW55LXdpZGUgcG9saWN5IGFnYWluc3QgaXNzdWluZwpsb25nLWxpdmVkIEFXUyBhY2Nlc3Mga2V5cy4gQmVmb3JlIHRoaXMgY2hhbmdlLCB0aGUgUm91dGU1MyBzb2x2ZXIgb25seQphY2NlcHRlZCBzdGF0aWMga2V5cywgbGVhdmluZyB0aGF0IGNsYXNzIG9mIG9wZXJhdG9yIHdpdGhvdXQgYSBwYXRoIHRvIEFDTUUKRE5TLTAxIGNoYWxsZW5nZXMgdmlhIFJvdXRlNTMuCgpUaGUgdXBzdHJlYW0gY2VydC1tYW5hZ2VyIGNvZGUgaW4gYHBrZy9pc3N1ZXIvYWNtZS9kbnMvcm91dGU1My9yb3V0ZTUzLmdvYAphbmQgdGhlIHNvbHZlciB3aXJpbmcgaW4gYHBrZy9pc3N1ZXIvYWNtZS9kbnMvZG5zLmdvYCBhbHJlYWR5IGltcGxlbWVudCBhbGwKdGhyZWUgYXV0aGVudGljYXRpb24gcGF0aHMg4oCUIHRoaXMgUFIganVzdCBleHBvc2VzIHRoZW0gdGhyb3VnaCBBdG1vc3BoZXJlJ3MKQW5zaWJsZSB2YXJpYWJsZXMuCgojIyBDdXN0b21lci1zaWRlIHByZXJlcXVpc2l0ZXMgZm9yIHRoZSBPSURDIG1vZGUKClRoaXMgbW9kZSB3b3JrcyB3aXRoIGFueSBLdWJlcm5ldGVzIGNsdXN0ZXIsIG5vdCBqdXN0IEVLUy4gT3BlcmF0b3JzIG5lZWQKdG86CgoxLiBDb25maWd1cmUgYC0tc2VydmljZS1hY2NvdW50LWlzc3VlcmAgb24ga3ViZS1hcGlzZXJ2ZXIgd2l0aCBhIFVSTCB3aG9zZQogICBPSURDIGRpc2NvdmVyeSBkb2N1bWVudHMgKGAvLndlbGwta25vd24vb3BlbmlkLWNvbmZpZ3VyYXRpb25gIGFuZAogICBgL29wZW5pZC92MS9qd2tzYCkgYXJlIHJlYWNoYWJsZSBmcm9tIEFXUy4gVGhlIEFQSSBzZXJ2ZXIgaXRzZWxmIGRvZXMKICAgKipub3QqKiBuZWVkIHRvIGJlIHB1YmxpYyDigJQgcHVibGlzaGluZyB0aGUgdHdvIHN0YXRpYyBmaWxlcyB0byBhbnkgcHVibGljCiAgIEhUVFBTIGVuZHBvaW50IChmb3IgZXhhbXBsZSwgYW4gUzMgYnVja2V0IHdpdGggQ2xvdWRGcm9udCkgaXMgZW5vdWdoLgoyLiBSZWdpc3RlciB0aGUgaXNzdWVyIFVSTCBhcyBhbiBPSURDIGlkZW50aXR5IHByb3ZpZGVyIGluIEFXUyBJQU0uCjMuIENyZWF0ZSBhbiBJQU0gcm9sZSB3aG9zZSB0cnVzdCBwb2xpY3kgYWxsb3dzIHRoYXQgT0lEQyBwcm92aWRlciB0byBhc3N1bWUKICAgaXQsIHNjb3BlZCB0byBgc3lzdGVtOnNlcnZpY2VhY2NvdW50OmNlcnQtbWFuYWdlcjpjZXJ0LW1hbmFnZXItcm91dGU1M2AKICAgd2l0aCB0aGUgYHN0cy5hbWF6b25hd3MuY29tYCBhdWRpZW5jZSwgYW5kIGF0dGFjaCBSb3V0ZTUzIHBlcm1pc3Npb25zCiAgIChgcm91dGU1MzpHZXRDaGFuZ2VgLCBgcm91dGU1MzpDaGFuZ2VSZXNvdXJjZVJlY29yZFNldHNgLAogICBgcm91dGU1MzpMaXN0SG9zdGVkWm9uZXNCeU5hbWVgKS4KCiMjIEZvbGxvdy11cAoKSUFNIFJvbGVzIEFueXdoZXJlIGFscmVhZHkgd29ya3MgdGhyb3VnaCBgYW1iaWVudGAgbW9kZSBwcm92aWRlZCB0aGUKY3VzdG9tZXIgbW91bnRzIGBhd3Nfc2lnbmluZ19oZWxwZXJgICsgYSBgY3JlZGVudGlhbF9wcm9jZXNzYCBjb25maWcgaW50bwp0aGUgYGNlcnQtbWFuYWdlcmAgcG9kLiBOYXRpdmUgZmlyc3QtY2xhc3MgUm9sZXMgQW55d2hlcmUgc3VwcG9ydCBpbgpBdG1vc3BoZXJlIChhIGRlZGljYXRlZCByb2xlIHRoYXQgc2hpcHMgdGhlIGhlbHBlciwgbWFuYWdlcyB0cnVzdCBhbmNob3JzIC8KcHJvZmlsZSBBUk5zLCBhbmQgcm90YXRlcyBjbGllbnQgY2VydHMgdmlhIGBjZXJ0LW1hbmFnZXJgIGl0c2VsZikgaXMgb3V0IG9mCnNjb3BlIGZvciB0aGlzIFBSIGFuZCB3b3J0aCBhIHNlcGFyYXRlIGlzc3VlIGlmIGRlbWFuZCBlbWVyZ2VzLgoKIyMgVGVzdCBwbGFuCgotIFsgXSBgY2x1c3Rlcl9pc3N1ZXJfYWNtZV9yb3V0ZTUzX2F1dGg9c3RhdGljYCAoZGVmYXVsdCkgd2l0aCBleGlzdGluZwogICAgICBhY2Nlc3Mga2V5IHZhcmlhYmxlcyBwcm9kdWNlcyB0aGUgc2FtZSBgQ2x1c3Rlcklzc3VlcmAgc3BlYyBhcyBiZWZvcmUuCi0gWyBdIGBjbHVzdGVyX2lzc3Vlcl9hY21lX3JvdXRlNTNfYXV0aD1hbWJpZW50YCBjcmVhdGVzIGEgYENsdXN0ZXJJc3N1ZXJgCiAgICAgIHdpdGggbm8gYGFjY2Vzc0tleUlEYCAvIGBzZWNyZXRBY2Nlc3NLZXlTZWNyZXRSZWZgIGFuZCBubyBTZWNyZXQuCi0gWyBdIGBjbHVzdGVyX2lzc3Vlcl9hY21lX3JvdXRlNTNfYXV0aD1rdWJlcm5ldGVzYCBjcmVhdGVzIGEKICAgICAgYFNlcnZpY2VBY2NvdW50YCBuYW1lZCBgY2VydC1tYW5hZ2VyLXJvdXRlNTNgIGluIHRoZSBgY2VydC1tYW5hZ2VyYAogICAgICBuYW1lc3BhY2UgYW5kIGEgYENsdXN0ZXJJc3N1ZXJgIHdpdGgKICAgICAgYHNwZWMuYWNtZS5zb2x2ZXJzWzBdLmRuczAxLnJvdXRlNTMuYXV0aC5rdWJlcm5ldGVzLnNlcnZpY2VBY2NvdW50UmVmLm5hbWVgCiAgICAgIHNldCB0byB0aGF0IGFjY291bnQsIHBsdXMgYHJvbGVgIHNldCB0byB0aGUgY29uZmlndXJlZCByb2xlIEFSTi4KLSBbIF0gYGNsdXN0ZXJfaXNzdWVyX2FjbWVfcm91dGU1M19hdXRoPWludmFsaWRgIGZhaWxzIGZhc3Qgd2l0aCBhbgogICAgICBhc3NlcnRpb24gZXJyb3IuCi0gWyBdIGB2YWxlYCBwYXNzZXMgb24gYm90aCB0aGUgbmV3IHJlbGVhc2Ugbm90ZSBhbmQgdGhlIHVwZGF0ZWQKICAgICAgYGNlcnRpZmljYXRlcy5yc3RgLgoKQ2xvc2VzICMzODg2 patchset: e0b351124f52ae3be122add06e95a030e7e32ca9 pipeline: check playbook_context: playbook_projects: trusted/project_0/github.com/vexxhost/zuul-config: canonical_name: github.com/vexxhost/zuul-config checkout: main commit: 298983cd1253e6833abdb49d87d912527e0e6597 trusted/project_1/opendev.org/zuul/zuul-jobs: canonical_name: opendev.org/zuul/zuul-jobs checkout: master commit: 9f5c1d680d573485f0ccdb18d2184d4f1d446419 trusted/project_2/github.com/vexxhost/zuul-jobs: canonical_name: github.com/vexxhost/zuul-jobs checkout: main commit: a6e68243e02ef030ce5e75f8b67630880c475f33 untrusted/project_0/github.com/vexxhost/zuul-jobs: canonical_name: github.com/vexxhost/zuul-jobs checkout: main commit: a6e68243e02ef030ce5e75f8b67630880c475f33 untrusted/project_1/github.com/vexxhost/zuul-config: canonical_name: github.com/vexxhost/zuul-config checkout: main commit: 298983cd1253e6833abdb49d87d912527e0e6597 untrusted/project_2/opendev.org/zuul/zuul-jobs: canonical_name: opendev.org/zuul/zuul-jobs checkout: master commit: 9f5c1d680d573485f0ccdb18d2184d4f1d446419 untrusted/project_3/github.com/vexxhost/atmosphere: canonical_name: github.com/vexxhost/atmosphere checkout: main commit: e0b351124f52ae3be122add06e95a030e7e32ca9 untrusted/project_4/opendev.org/openstack/openstack-helm: canonical_name: opendev.org/openstack/openstack-helm checkout: master commit: 4d5267170d82791cf249843da757249e4124aa85 playbooks: - path: untrusted/project_0/github.com/vexxhost/zuul-jobs/playbooks/molecule/run.yaml roles: - checkout: master checkout_description: project default branch link_name: ansible/playbook_0/role_1/zuul-jobs link_target: untrusted/project_2/opendev.org/zuul/zuul-jobs role_path: ansible/playbook_0/role_1/zuul-jobs/roles - checkout: main checkout_description: playbook branch link_name: ansible/playbook_0/role_2/zuul-jobs link_target: untrusted/project_0/github.com/vexxhost/zuul-jobs role_path: ansible/playbook_0/role_2/zuul-jobs/roles post_playbooks: - path: untrusted/project_3/github.com/vexxhost/atmosphere/test-playbooks/molecule/post.yml roles: - checkout: main checkout_description: playbook branch link_name: ansible/post_playbook_0/role_0/atmosphere link_target: untrusted/project_3/github.com/vexxhost/atmosphere role_path: ansible/post_playbook_0/role_0/atmosphere/roles - checkout: master checkout_description: project default branch link_name: ansible/post_playbook_0/role_1/openstack-helm link_target: untrusted/project_4/opendev.org/openstack/openstack-helm role_path: ansible/post_playbook_0/role_1/openstack-helm/roles - checkout: master checkout_description: project default branch link_name: ansible/post_playbook_0/role_3/zuul-jobs link_target: untrusted/project_2/opendev.org/zuul/zuul-jobs role_path: ansible/post_playbook_0/role_3/zuul-jobs/roles - checkout: main checkout_description: zuul branch link_name: ansible/post_playbook_0/role_4/zuul-jobs link_target: untrusted/project_0/github.com/vexxhost/zuul-jobs role_path: ansible/post_playbook_0/role_4/zuul-jobs/roles - path: trusted/project_0/github.com/vexxhost/zuul-config/playbooks/base/post.yaml roles: - checkout: master checkout_description: project default branch link_name: ansible/post_playbook_1/role_1/zuul-jobs link_target: trusted/project_1/opendev.org/zuul/zuul-jobs role_path: ansible/post_playbook_1/role_1/zuul-jobs/roles - checkout: main checkout_description: zuul branch link_name: ansible/post_playbook_1/role_2/zuul-jobs link_target: trusted/project_2/github.com/vexxhost/zuul-jobs role_path: ansible/post_playbook_1/role_2/zuul-jobs/roles - path: trusted/project_0/github.com/vexxhost/zuul-config/playbooks/base/post-logs.yaml roles: - checkout: master checkout_description: project default branch link_name: ansible/post_playbook_2/role_1/zuul-jobs link_target: trusted/project_1/opendev.org/zuul/zuul-jobs role_path: ansible/post_playbook_2/role_1/zuul-jobs/roles - checkout: main checkout_description: zuul branch link_name: ansible/post_playbook_2/role_2/zuul-jobs link_target: trusted/project_2/github.com/vexxhost/zuul-jobs role_path: ansible/post_playbook_2/role_2/zuul-jobs/roles pre_playbooks: - path: trusted/project_0/github.com/vexxhost/zuul-config/playbooks/base/pre.yaml roles: - checkout: master checkout_description: project default branch link_name: ansible/pre_playbook_0/role_1/zuul-jobs link_target: trusted/project_1/opendev.org/zuul/zuul-jobs role_path: ansible/pre_playbook_0/role_1/zuul-jobs/roles - checkout: main checkout_description: zuul branch link_name: ansible/pre_playbook_0/role_2/zuul-jobs link_target: trusted/project_2/github.com/vexxhost/zuul-jobs role_path: ansible/pre_playbook_0/role_2/zuul-jobs/roles - path: untrusted/project_0/github.com/vexxhost/zuul-jobs/playbooks/molecule/pre.yaml roles: - checkout: master checkout_description: project default branch link_name: ansible/pre_playbook_1/role_1/zuul-jobs link_target: untrusted/project_2/opendev.org/zuul/zuul-jobs role_path: ansible/pre_playbook_1/role_1/zuul-jobs/roles - checkout: main checkout_description: playbook branch link_name: ansible/pre_playbook_1/role_2/zuul-jobs link_target: untrusted/project_0/github.com/vexxhost/zuul-jobs role_path: ansible/pre_playbook_1/role_2/zuul-jobs/roles - path: untrusted/project_3/github.com/vexxhost/atmosphere/test-playbooks/molecule/pre.yml roles: - checkout: main checkout_description: playbook branch link_name: ansible/pre_playbook_2/role_0/atmosphere link_target: untrusted/project_3/github.com/vexxhost/atmosphere role_path: ansible/pre_playbook_2/role_0/atmosphere/roles - checkout: master checkout_description: project default branch link_name: ansible/pre_playbook_2/role_1/openstack-helm link_target: untrusted/project_4/opendev.org/openstack/openstack-helm role_path: ansible/pre_playbook_2/role_1/openstack-helm/roles - checkout: master checkout_description: project default branch link_name: ansible/pre_playbook_2/role_3/zuul-jobs link_target: untrusted/project_2/opendev.org/zuul/zuul-jobs role_path: ansible/pre_playbook_2/role_3/zuul-jobs/roles - checkout: main checkout_description: zuul branch link_name: ansible/pre_playbook_2/role_4/zuul-jobs link_target: untrusted/project_0/github.com/vexxhost/zuul-jobs role_path: ansible/pre_playbook_2/role_4/zuul-jobs/roles post_review: false post_timeout: null pre_timeout: null project: canonical_hostname: github.com canonical_name: github.com/vexxhost/atmosphere name: vexxhost/atmosphere short_name: atmosphere src_dir: src/github.com/vexxhost/atmosphere projects: github.com/vexxhost/atmosphere: canonical_hostname: github.com canonical_name: github.com/vexxhost/atmosphere checkout: main checkout_description: zuul branch commit: e0b351124f52ae3be122add06e95a030e7e32ca9 name: vexxhost/atmosphere required: false short_name: atmosphere src_dir: src/github.com/vexxhost/atmosphere ref: refs/pull/3887/head resources: {} tenant: oss timeout: 1800 topic: null voting: true