)]}'
{"id":"openstack%2Fopenstack-helm~991058","triplet_id":"openstack%2Fopenstack-helm~master~I5fa10f5a28d36f0cb645cf73d9f20d0ec90953cd","project":"openstack/openstack-helm","branch":"master","attention_set":{"3009":{"account":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"last_update":"2026-06-05 16:51:06.000000000","reason":"\u003cGERRIT_ACCOUNT_37208\u003e replied on the change","reason_account":{"_account_id":37208,"name":"Marek Skrobacki","display_name":"Marek Skrobacki","email":"skrobul@skrobul.com","username":"skrobul"}}},"removed_from_attention_set":{"37208":{"account":{"_account_id":37208,"name":"Marek Skrobacki","display_name":"Marek Skrobacki","email":"skrobul@skrobul.com","username":"skrobul"},"last_update":"2026-06-05 12:12:32.000000000","reason":"\u003cGERRIT_ACCOUNT_37208\u003e replied on the change","reason_account":{"_account_id":37208,"name":"Marek Skrobacki","display_name":"Marek Skrobacki","email":"skrobul@skrobul.com","username":"skrobul"}}},"hashtags":[],"change_id":"I5fa10f5a28d36f0cb645cf73d9f20d0ec90953cd","subject":"fix(ks-user): skip password update when password is unchanged","status":"NEW","created":"2026-06-02 10:35:50.000000000","updated":"2026-06-05 16:51:06.000000000","submit_type":"MERGE_IF_NECESSARY","mergeable":true,"submittable":false,"total_comment_count":5,"unresolved_comment_count":0,"has_review_started":true,"meta_rev_id":"51f26a3f6e95eca0825ab853b8465111b66f8757","_number":991058,"virtual_id_number":991058,"owner":{"_account_id":37208,"name":"Marek Skrobacki","display_name":"Marek Skrobacki","email":"skrobul@skrobul.com","username":"skrobul"},"actions":{},"labels":{"Verified":{"recommended":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"all":[{"tag":"autogenerated:zuul:check","value":1,"date":"2026-06-05 15:14:57.000000000","permitted_voting_range":{"min":-2,"max":2},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","value":1,"default_value":0,"optional":true},"Code-Review":{"all":[{"value":0,"permitted_voting_range":{"min":-1,"max":1},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","default_value":0,"optional":true},"Workflow":{"all":[{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"CC":[{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},{"_account_id":28237,"name":"att-airship-ci","email":"airship.jenkins@gmail.com","username":"ATT-airship-CI"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2026-06-02 10:36:02.000000000","updated_by":{"_account_id":28237,"name":"att-airship-ci","email":"airship.jenkins@gmail.com","username":"ATT-airship-CI"},"reviewer":{"_account_id":28237,"name":"att-airship-ci","email":"airship.jenkins@gmail.com","username":"ATT-airship-CI"},"state":"CC"},{"updated":"2026-06-02 12:02:30.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"REVIEWER"},{"updated":"2026-06-03 23:11:50.000000000","updated_by":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"reviewer":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"state":"CC"}],"messages":[{"id":"96d34f8d2e042064bd461bd8471541ca80d18ebf","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":37208,"name":"Marek Skrobacki","display_name":"Marek Skrobacki","email":"skrobul@skrobul.com","username":"skrobul"},"date":"2026-06-02 10:35:50.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"7889f01821092d39a5544db0b0d625ad9e93e75f","tag":"autogenerated:jenkins-gerrit-trigger","author":{"_account_id":28237,"name":"att-airship-ci","email":"airship.jenkins@gmail.com","username":"ATT-airship-CI"},"date":"2026-06-02 10:36:02.000000000","message":"Patch Set 1:\n\nBuild Started","accounts_in_message":[],"_revision_number":1},{"id":"d247a4ad5ccd53ed7d32e25b5ea6759cbd0e65ad","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-06-02 12:02:30.000000000","message":"Patch Set 1: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/b7c40066c9f74325bd9047969dfbc783\n\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/c885baf053b74a73b6a4fe4e3bce0be7 : SUCCESS in 3m 43s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/b3eced8c1c0a4631a4c27ce45218b1f9 : SUCCESS in 3m 41s\n- openstack-helm-linter https://zuul.opendev.org/t/openstack/build/2fd5e50f22b04dc789da7fd495555df9 : SUCCESS in 3m 15s\n- openstack-helm-pre-commit https://zuul.opendev.org/t/openstack/build/37bf183faca04e4994fc6559caf05f54 : SUCCESS in 3m 04s\n- openstack-helm-build-charts https://zuul.opendev.org/t/openstack/build/fd41e0f6beb84b30a90e2d1f9a4f64ac : SUCCESS in 38m 29s\n- openstack-helm-cinder-2025-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/31ff276f627b4c939ca4d98594148f7a : SUCCESS in 38m 05s\n- openstack-helm-compute-kit-2025-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/69564de0c3034b7f85b9127deca88d16 : SUCCESS in 1h 04m 17s\n- openstack-helm-cinder-2025-2-ubuntu_noble https://zuul.opendev.org/t/openstack/build/b64d12b3460f4d38b16b8d63b6980b02 : SUCCESS in 45m 19s\n- openstack-helm-compute-kit-2025-2-ubuntu_noble https://zuul.opendev.org/t/openstack/build/c36d8ef933a44c7590e02d547e702a1c : SUCCESS in 1h 03m 08s\n- openstack-helm-cinder-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/05847c0d22ea4b78a9ece5a39636389e : SUCCESS in 24m 56s\n- openstack-helm-compute-kit-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/a8c4ed8d717e4a6b89d548b0ecb164fb : SUCCESS in 50m 46s\n- openstack-helm-compute-kit-tls-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/59b6bbf00f6249bcb57ae4ccd721ed1c : SUCCESS in 1h 14m 45s\n- openstack-helm-octavia-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/92a7fa5c7bc142eabaf891ed9f9c3ca1 : SUCCESS in 1h 21m 00s\n- openstack-helm-logging https://zuul.opendev.org/t/openstack/build/86ac0a7ba8c049a4b610d841c770b20d : SUCCESS in 40m 39s\n- openstack-helm-monitoring https://zuul.opendev.org/t/openstack/build/770c6bf0154c4f6e9b9a3fca9329c7fb : SUCCESS in 21m 27s","accounts_in_message":[],"_revision_number":1},{"id":"aa8bd61090a9419bb7aa034a691c8565dae3d889","author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"date":"2026-06-03 23:11:50.000000000","message":"Patch Set 1:\n\n(1 comment)","accounts_in_message":[],"_revision_number":1},{"id":"7c0ee89374f71d3d2e2a079510ac384f371d990f","author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"date":"2026-06-03 23:12:15.000000000","message":"Patch Set 1:\n\n(1 comment)","accounts_in_message":[],"_revision_number":1},{"id":"3e5bfb0d4848069c9fc35e25afd267008750727b","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":37208,"name":"Marek Skrobacki","display_name":"Marek Skrobacki","email":"skrobul@skrobul.com","username":"skrobul"},"date":"2026-06-05 10:07:10.000000000","message":"Uploaded patch set 2.\n\nOutdated Votes:\n* Verified+1 (copy condition: \"NEVER\")\n","accounts_in_message":[],"_revision_number":2},{"id":"bf05da054676f022b01df80cd5ec78e2e7700346","tag":"autogenerated:jenkins-gerrit-trigger","author":{"_account_id":28237,"name":"att-airship-ci","email":"airship.jenkins@gmail.com","username":"ATT-airship-CI"},"date":"2026-06-05 10:07:20.000000000","message":"Patch Set 2:\n\nBuild Started","accounts_in_message":[],"_revision_number":2},{"id":"29d52126071c4e915da0a4aa499d61c335165f34","author":{"_account_id":37208,"name":"Marek Skrobacki","display_name":"Marek Skrobacki","email":"skrobul@skrobul.com","username":"skrobul"},"date":"2026-06-05 10:10:37.000000000","message":"Patch Set 1:\n\n(1 comment)","accounts_in_message":[],"_revision_number":1},{"id":"6865e6e54249a5a61db988a18752d860d5c1833f","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-06-05 11:00:39.000000000","message":"Patch Set 2: Verified-1\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\nand https://docs.openstack.org/project-team-guide/testing.html#how-to-handle-test-failures\n\nhttps://zuul.opendev.org/t/openstack/buildset/79513309e0a043658ce3705861f3671c\n\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/48ca58b7667a43ff999736af9f5b87fb : SUCCESS in 3m 01s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/3b9099113b744fd0b46424da4e9d34c4 : SUCCESS in 2m 47s\n- openstack-helm-linter https://zuul.opendev.org/t/openstack/build/4fccd323622742868408afb386dfc263 : FAILURE in 1m 54s\n- openstack-helm-pre-commit https://zuul.opendev.org/t/openstack/build/dc541bd46c4c434f8b013d125232f155 : SUCCESS in 2m 35s\n- openstack-helm-build-charts https://zuul.opendev.org/t/openstack/build/adad79f0cd1a4ec7b88bd1ca891bde4e : SUCCESS in 24m 06s\n- openstack-helm-cinder-2025-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/8154bdc54ff04b9b90ad81aa1371ce2c : POST_FAILURE in 31m 31s\n- openstack-helm-compute-kit-2025-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/cf44b0ace1a84662a6d85cdd609fd25e : FAILURE in 31m 44s\n- openstack-helm-cinder-2025-2-ubuntu_noble https://zuul.opendev.org/t/openstack/build/4a0b39bc55e54111aa003d5d97eac6d6 : FAILURE in 49m 43s\n- openstack-helm-compute-kit-2025-2-ubuntu_noble https://zuul.opendev.org/t/openstack/build/74cb1c43887a420bb58a107842952215 : FAILURE in 30m 59s\n- openstack-helm-cinder-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/b187a510e34c4443a475f9aa3789d3e3 : FAILURE in 29m 54s\n- openstack-helm-compute-kit-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/7f754919d3834bfc81fa614ea150190e : FAILURE in 37m 54s\n- openstack-helm-compute-kit-tls-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/473a8c5b39b4466c8c1aff53767136a2 : FAILURE in 25m 40s\n- openstack-helm-octavia-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/518a079027c948aba1c05ae09915af6e : FAILURE in 36m 48s\n- openstack-helm-logging https://zuul.opendev.org/t/openstack/build/0f72300f66af493bbfd11869f63aa723 : SUCCESS in 33m 11s\n- openstack-helm-monitoring https://zuul.opendev.org/t/openstack/build/87f374830158497f91aeb91d78d24084 : SUCCESS in 30m 15s","accounts_in_message":[],"_revision_number":2},{"id":"2a8eea2651a412d8fe7290c1a948689327005ef2","author":{"_account_id":37208,"name":"Marek Skrobacki","display_name":"Marek Skrobacki","email":"skrobul@skrobul.com","username":"skrobul"},"date":"2026-06-05 12:12:32.000000000","message":"Patch Set 2:\n\n(1 comment)","accounts_in_message":[],"_revision_number":2},{"id":"a7235c7c645deaa645ed2b5c8d680403802c1ee0","tag":"autogenerated:gerrit:setWorkInProgress","author":{"_account_id":37208,"name":"Marek Skrobacki","display_name":"Marek Skrobacki","email":"skrobul@skrobul.com","username":"skrobul"},"date":"2026-06-05 12:38:04.000000000","message":"Set Work In Progress","accounts_in_message":[],"_revision_number":2},{"id":"f2b10f0eb2b5ec28a63716ad70b5be4543fdd1c8","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":37208,"name":"Marek Skrobacki","display_name":"Marek Skrobacki","email":"skrobul@skrobul.com","username":"skrobul"},"date":"2026-06-05 12:43:36.000000000","message":"Uploaded patch set 3.\n\nOutdated Votes:\n* Verified-1 (copy condition: \"NEVER\")\n","accounts_in_message":[],"_revision_number":3},{"id":"6f0a2c15b3890f56061ba422cc416b1e3a0b0914","tag":"autogenerated:jenkins-gerrit-trigger","author":{"_account_id":28237,"name":"att-airship-ci","email":"airship.jenkins@gmail.com","username":"ATT-airship-CI"},"date":"2026-06-05 12:43:45.000000000","message":"Patch Set 3:\n\nBuild Started","accounts_in_message":[],"_revision_number":3},{"id":"1d228b0f6200714e559f1a084f13fe4f1738e88b","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":37208,"name":"Marek Skrobacki","display_name":"Marek Skrobacki","email":"skrobul@skrobul.com","username":"skrobul"},"date":"2026-06-05 13:10:38.000000000","message":"Uploaded patch set 4.","accounts_in_message":[],"_revision_number":4},{"id":"4bb4eba36e221419204fb05c2ef7895299b403a8","tag":"autogenerated:jenkins-gerrit-trigger","author":{"_account_id":28237,"name":"att-airship-ci","email":"airship.jenkins@gmail.com","username":"ATT-airship-CI"},"date":"2026-06-05 13:10:50.000000000","message":"Patch Set 4:\n\nBuild Started","accounts_in_message":[],"_revision_number":4},{"id":"e41623c910ea4980996c3461b6c25c8e2f4cae59","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":37208,"name":"Marek Skrobacki","display_name":"Marek Skrobacki","email":"skrobul@skrobul.com","username":"skrobul"},"date":"2026-06-05 13:51:14.000000000","message":"Uploaded patch set 5.","accounts_in_message":[],"_revision_number":5},{"id":"318510ac3817551b2d4928627fd895a0e947bc09","tag":"autogenerated:jenkins-gerrit-trigger","author":{"_account_id":28237,"name":"att-airship-ci","email":"airship.jenkins@gmail.com","username":"ATT-airship-CI"},"date":"2026-06-05 13:51:25.000000000","message":"Patch Set 5:\n\nBuild Started","accounts_in_message":[],"_revision_number":5},{"id":"6e2aa1034ea125b8676993fb9cf559dd5ef389b7","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-06-05 15:14:57.000000000","message":"Patch Set 5: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/ac4f986967a848c8ac65d6d71d4d6d3f\n\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/1837e12ad30248579ed4fcf0a63628b8 : SUCCESS in 5m 27s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/d62f9562c0d14679bf8d616564b1cf8d : SUCCESS in 2m 31s\n- openstack-helm-linter https://zuul.opendev.org/t/openstack/build/02b106b3d5fe4f8186c849bf46c1b077 : SUCCESS in 2m 57s\n- openstack-helm-pre-commit https://zuul.opendev.org/t/openstack/build/bedb709bb32841a7933873a7d290dee5 : SUCCESS in 1m 51s\n- openstack-helm-build-charts https://zuul.opendev.org/t/openstack/build/43f580e1182c47a1b4c1d89dd436c8a2 : SUCCESS in 37m 54s\n- openstack-helm-cinder-2025-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/bf5b83afe4394387a61ca12ce1c30dbe : SUCCESS in 30m 54s\n- openstack-helm-compute-kit-2025-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/48902ec307ec47aea6c21b1f9cd40b54 : SUCCESS in 1h 13m 11s\n- openstack-helm-cinder-2025-2-ubuntu_noble https://zuul.opendev.org/t/openstack/build/0f8be6d413d04869ae206ab2c5d4e9a1 : SUCCESS in 37m 32s\n- openstack-helm-compute-kit-2025-2-ubuntu_noble https://zuul.opendev.org/t/openstack/build/3d51b70f83ff4bf48af86aa2acce0295 : SUCCESS in 45m 16s\n- openstack-helm-cinder-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/0056c63850584e18b161e56e1ac5a210 : SUCCESS in 47m 12s\n- openstack-helm-compute-kit-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/d2c9fffb42154758852b82d408e133bf : SUCCESS in 1h 20m 32s\n- openstack-helm-compute-kit-tls-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/bfd4fe75a56c4d0f994aa55d526b9334 : SUCCESS in 1h 06m 48s\n- openstack-helm-octavia-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/9f7c08ab755641f38378a90a7d04017b : SUCCESS in 51m 19s\n- openstack-helm-logging https://zuul.opendev.org/t/openstack/build/78f0a74c711b42cd996188b52a028b0d : SUCCESS in 35m 57s\n- openstack-helm-monitoring https://zuul.opendev.org/t/openstack/build/2346c886718244d0ba97110165a93d55 : SUCCESS in 23m 46s","accounts_in_message":[],"_revision_number":5},{"id":"b0781f9be6ef63273f320d9ed11b9b9ee596c0ee","tag":"autogenerated:gerrit:setReadyForReview","author":{"_account_id":37208,"name":"Marek Skrobacki","display_name":"Marek Skrobacki","email":"skrobul@skrobul.com","username":"skrobul"},"date":"2026-06-05 16:02:47.000000000","message":"Set Ready For Review","accounts_in_message":[],"_revision_number":5},{"id":"51f26a3f6e95eca0825ab853b8465111b66f8757","author":{"_account_id":37208,"name":"Marek Skrobacki","display_name":"Marek Skrobacki","email":"skrobul@skrobul.com","username":"skrobul"},"date":"2026-06-05 16:51:06.000000000","message":"Patch Set 5:\n\n(1 comment)","accounts_in_message":[],"_revision_number":5}],"current_revision_number":5,"current_revision":"28de5c47143fb788b39f0835f436984e1b2f0348","revisions":{"f65b0e1635d4d87eaf03b420a5c13a61c051ef99":{"kind":"REWORK","_number":1,"created":"2026-06-02 10:35:50.000000000","uploader":{"_account_id":37208,"name":"Marek Skrobacki","display_name":"Marek Skrobacki","email":"skrobul@skrobul.com","username":"skrobul"},"ref":"refs/changes/58/991058/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/58/991058/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/58/991058/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/58/991058/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/58/991058/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/58/991058/1"}}},"commit":{"parents":[{"commit":"872fd69e7f42ad175ceede7e07a288cb4df5f83c","subject":"Merge \"feat: Support alternative Keystone auth plugins in helm-toolkit jobs\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/872fd69e7f42ad175ceede7e07a288cb4df5f83c"}]}],"author":{"name":"Marek Skrobacki","email":"skrobul@skrobul.com","date":"2026-06-02 10:06:44.000000000","tz":60},"committer":{"name":"Marek Skrobacki","email":"skrobul@skrobul.com","date":"2026-06-02 10:11:22.000000000","tz":60},"subject":"fix(ks-user): skip password update when password is unchanged","message":"fix(ks-user): skip password update when password is unchanged\n\nKeystone invalidates all active tokens for a user whenever their\npassword is updated, regardless of whether the new value differs\nfrom the current one. The previous implementation set the password\nunconditionally on every Helm reconciliation, causing unnecessary\ntoken invalidation even when the password had not changed.\n\nThis patch probes authentication with the candidate password before\napplying it. If the probe succeeds the password is already correct\nand the update is skipped. If it fails the password is applied as\nbefore. The probe runs under set +x with all output redirected to\n/dev/null so the credential is not exposed in logs.\n\nIn environments where the ks-user job runs frequently — such as\nGitOps reconciliation loops — this prevents repeated disruption to\nlong-lived service tokens that would otherwise be invalidated on\nevery run.\n\nChange-Id: I5fa10f5a28d36f0cb645cf73d9f20d0ec90953cd\nSigned-off-by: Marek Skrobacki \u003cskrobul@skrobul.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/f65b0e1635d4d87eaf03b420a5c13a61c051ef99"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/f65b0e1635d4d87eaf03b420a5c13a61c051ef99"}]},"branch":"refs/heads/master"},"1378af0c7efc77c1d3e76c45d1fdf9d26349c241":{"kind":"REWORK","_number":2,"created":"2026-06-05 10:07:10.000000000","uploader":{"_account_id":37208,"name":"Marek Skrobacki","display_name":"Marek Skrobacki","email":"skrobul@skrobul.com","username":"skrobul"},"ref":"refs/changes/58/991058/2","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/58/991058/2","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/58/991058/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/58/991058/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/58/991058/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/58/991058/2"}}},"commit":{"parents":[{"commit":"872fd69e7f42ad175ceede7e07a288cb4df5f83c","subject":"Merge \"feat: Support alternative Keystone auth plugins in helm-toolkit jobs\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/872fd69e7f42ad175ceede7e07a288cb4df5f83c"}]}],"author":{"name":"Marek Skrobacki","email":"skrobul@skrobul.com","date":"2026-06-02 10:06:44.000000000","tz":60},"committer":{"name":"Marek Skrobacki","email":"skrobul@skrobul.com","date":"2026-06-05 10:06:39.000000000","tz":60},"subject":"fix(ks-user): skip password update when password is unchanged","message":"fix(ks-user): skip password update when password is unchanged\n\nKeystone invalidates all active tokens for a user whenever their\npassword is updated, regardless of whether the new value differs from\nthe current one. The previous implementation set the password\nunconditionally on every Helm reconciliation, causing unnecessary token\ninvalidation even when the password had not changed.\n\nThis patch probes authentication with the candidate password before\napplying it. The probe forces OS_AUTH_TYPE\u003dpassword and clears any\nambient auth-plugin env vars (OS_PROTOCOL, OS_IDENTITY_PROVIDER,\nOS_ACCESS_TOKEN) to avoid false positives, and requests an unscoped\ntoken to keep the check minimal.\n\nIf the probe succeeds the password is already correct and the update is\nskipped. If it fails with HTTP 401 the password is applied as before.\nAny other failure (network error, user disabled, Keystone unavailable)\nis treated as an unexpected error and the job exits with a non-zero\nstatus rather than silently attempting a password update. The probe runs\nunder set +x with stdout redirected to /dev/null so the credential is\nnot exposed in logs.\n\nNOTE: if Keystone\u0027s [security_compliance] lockout_failure_attempts is\nconfigured, each failed probe counts as a failed login attempt. During\ninitial deployment or after a password rotation the probe will fail once\nbefore the password is applied, so lockout_failure_attempts must be set\nhigh enough to tolerate at least one failure per reconciliation cycle.\n\nIn environments where the ks-user job runs frequently — such as GitOps\nreconciliation loops — this prevents repeated disruption to long-lived\nservice tokens that would otherwise be invalidated on every run.\n\nChange-Id: I5fa10f5a28d36f0cb645cf73d9f20d0ec90953cd\nSigned-off-by: Marek Skrobacki \u003cskrobul@skrobul.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/1378af0c7efc77c1d3e76c45d1fdf9d26349c241"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/1378af0c7efc77c1d3e76c45d1fdf9d26349c241"}]},"branch":"refs/heads/master"},"be9927c0003a0ccf5c952fc3f8a7c519c86b54b0":{"kind":"REWORK","_number":3,"created":"2026-06-05 12:43:36.000000000","uploader":{"_account_id":37208,"name":"Marek Skrobacki","display_name":"Marek Skrobacki","email":"skrobul@skrobul.com","username":"skrobul"},"ref":"refs/changes/58/991058/3","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/58/991058/3","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/58/991058/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/58/991058/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/58/991058/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/58/991058/3"}}},"commit":{"parents":[{"commit":"872fd69e7f42ad175ceede7e07a288cb4df5f83c","subject":"Merge \"feat: Support alternative Keystone auth plugins in helm-toolkit jobs\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/872fd69e7f42ad175ceede7e07a288cb4df5f83c"}]}],"author":{"name":"Marek Skrobacki","email":"skrobul@skrobul.com","date":"2026-06-02 10:06:44.000000000","tz":60},"committer":{"name":"Marek Skrobacki","email":"skrobul@skrobul.com","date":"2026-06-05 12:43:25.000000000","tz":60},"subject":"fix(ks-user): skip password update when password is unchanged","message":"fix(ks-user): skip password update when password is unchanged\n\nKeystone invalidates all active tokens for a user whenever their\npassword is updated, regardless of whether the new value differs from\nthe current one. The previous implementation set the password\nunconditionally on every Helm reconciliation, causing unnecessary token\ninvalidation even when the password had not changed.\n\nThis patch probes authentication with the candidate password before\napplying it. The probe forces OS_AUTH_TYPE\u003dpassword and clears any\nambient auth-plugin env vars (OS_PROTOCOL, OS_IDENTITY_PROVIDER,\nOS_ACCESS_TOKEN) to avoid false positives, and requests an unscoped\ntoken to keep the check minimal.\n\nIf the probe succeeds the password is already correct and the update is\nskipped. If it fails with HTTP 401 the password is applied as before.\nAny other failure (network error, user disabled, Keystone unavailable)\nis treated as an unexpected error and the job exits with a non-zero\nstatus rather than silently attempting a password update. The probe runs\nunder set +x with stdout redirected to /dev/null so the credential is\nnot exposed in logs.\n\nNOTE: if Keystone\u0027s [security_compliance] lockout_failure_attempts is\nconfigured, each failed probe counts as a failed login attempt. During\ninitial deployment or after a password rotation the probe will fail once\nbefore the password is applied, so lockout_failure_attempts must be set\nhigh enough to tolerate at least one failure per reconciliation cycle.\n\nIn environments where the ks-user job runs frequently — such as GitOps\nreconciliation loops — this prevents repeated disruption to long-lived\nservice tokens that would otherwise be invalidated on every run.\n\nChange-Id: I5fa10f5a28d36f0cb645cf73d9f20d0ec90953cd\nSigned-off-by: Marek Skrobacki \u003cskrobul@skrobul.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/be9927c0003a0ccf5c952fc3f8a7c519c86b54b0"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/be9927c0003a0ccf5c952fc3f8a7c519c86b54b0"}]},"branch":"refs/heads/master"},"fd17ae089abe95505adb564061b91ebf728c960d":{"kind":"REWORK","_number":4,"created":"2026-06-05 13:10:38.000000000","uploader":{"_account_id":37208,"name":"Marek Skrobacki","display_name":"Marek Skrobacki","email":"skrobul@skrobul.com","username":"skrobul"},"ref":"refs/changes/58/991058/4","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/58/991058/4","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/58/991058/4 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/58/991058/4 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/58/991058/4 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/58/991058/4"}}},"commit":{"parents":[{"commit":"872fd69e7f42ad175ceede7e07a288cb4df5f83c","subject":"Merge \"feat: Support alternative Keystone auth plugins in helm-toolkit jobs\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/872fd69e7f42ad175ceede7e07a288cb4df5f83c"}]}],"author":{"name":"Marek Skrobacki","email":"skrobul@skrobul.com","date":"2026-06-02 10:06:44.000000000","tz":60},"committer":{"name":"Marek Skrobacki","email":"skrobul@skrobul.com","date":"2026-06-05 13:10:27.000000000","tz":60},"subject":"fix(ks-user): skip password update when password is unchanged","message":"fix(ks-user): skip password update when password is unchanged\n\nKeystone invalidates all active tokens for a user whenever their\npassword is updated, regardless of whether the new value differs from\nthe current one. The previous implementation set the password\nunconditionally on every Helm reconciliation, causing unnecessary token\ninvalidation even when the password had not changed.\n\nThis patch probes authentication with the candidate password before\napplying it. The probe forces OS_AUTH_TYPE\u003dpassword and clears any\nambient auth-plugin env vars (OS_PROTOCOL, OS_IDENTITY_PROVIDER,\nOS_ACCESS_TOKEN) to avoid false positives, and requests an unscoped\ntoken to keep the check minimal.\n\nIf the probe succeeds the password is already correct and the update is\nskipped. If it fails with HTTP 401 the password is applied as before.\nAny other failure (network error, user disabled, Keystone unavailable)\nis treated as an unexpected error and the job exits with a non-zero\nstatus rather than silently attempting a password update. The probe runs\nunder set +x with stdout redirected to /dev/null so the credential is\nnot exposed in logs.\n\nNOTE: if Keystone\u0027s [security_compliance] lockout_failure_attempts is\nconfigured, each failed probe counts as a failed login attempt. During\ninitial deployment or after a password rotation the probe will fail once\nbefore the password is applied, so lockout_failure_attempts must be set\nhigh enough to tolerate at least one failure per reconciliation cycle.\n\nIn environments where the ks-user job runs frequently — such as GitOps\nreconciliation loops — this prevents repeated disruption to long-lived\nservice tokens that would otherwise be invalidated on every run.\n\nChange-Id: I5fa10f5a28d36f0cb645cf73d9f20d0ec90953cd\nSigned-off-by: Marek Skrobacki \u003cskrobul@skrobul.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/fd17ae089abe95505adb564061b91ebf728c960d"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/fd17ae089abe95505adb564061b91ebf728c960d"}]},"branch":"refs/heads/master"},"28de5c47143fb788b39f0835f436984e1b2f0348":{"kind":"REWORK","_number":5,"created":"2026-06-05 13:51:14.000000000","uploader":{"_account_id":37208,"name":"Marek Skrobacki","display_name":"Marek Skrobacki","email":"skrobul@skrobul.com","username":"skrobul"},"ref":"refs/changes/58/991058/5","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/58/991058/5","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/58/991058/5 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/58/991058/5 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/58/991058/5 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/58/991058/5"}}},"commit":{"parents":[{"commit":"872fd69e7f42ad175ceede7e07a288cb4df5f83c","subject":"Merge \"feat: Support alternative Keystone auth plugins in helm-toolkit jobs\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/872fd69e7f42ad175ceede7e07a288cb4df5f83c"}]}],"author":{"name":"Marek Skrobacki","email":"skrobul@skrobul.com","date":"2026-06-02 10:06:44.000000000","tz":60},"committer":{"name":"Marek Skrobacki","email":"skrobul@skrobul.com","date":"2026-06-05 13:51:06.000000000","tz":60},"subject":"fix(ks-user): skip password update when password is unchanged","message":"fix(ks-user): skip password update when password is unchanged\n\nKeystone invalidates all active tokens for a user whenever their\npassword is updated, regardless of whether the new value differs from\nthe current one. The previous implementation set the password\nunconditionally on every Helm reconciliation, causing unnecessary token\ninvalidation even when the password had not changed.\n\nThis patch probes authentication with the candidate password before\napplying it. The probe forces OS_AUTH_TYPE\u003dpassword and clears any\nambient auth-plugin env vars (OS_PROTOCOL, OS_IDENTITY_PROVIDER,\nOS_ACCESS_TOKEN) to avoid false positives, and requests an unscoped\ntoken to keep the check minimal.\n\nIf the probe succeeds the password is already correct and the update is\nskipped. If it fails with HTTP 401 the password is applied as before.\nAny other failure (network error, user disabled, Keystone unavailable)\nis treated as an unexpected error and the job exits with a non-zero\nstatus rather than silently attempting a password update. The probe runs\nunder set +x with stdout redirected to /dev/null so the credential is\nnot exposed in logs.\n\nNOTE: if Keystone\u0027s [security_compliance] lockout_failure_attempts is\nconfigured, each failed probe counts as a failed login attempt. During\ninitial deployment or after a password rotation the probe will fail once\nbefore the password is applied, so lockout_failure_attempts must be set\nhigh enough to tolerate at least one failure per reconciliation cycle.\n\nIn environments where the ks-user job runs frequently — such as GitOps\nreconciliation loops — this prevents repeated disruption to long-lived\nservice tokens that would otherwise be invalidated on every run.\n\nChange-Id: I5fa10f5a28d36f0cb645cf73d9f20d0ec90953cd\nSigned-off-by: Marek Skrobacki \u003cskrobul@skrobul.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/28de5c47143fb788b39f0835f436984e1b2f0348"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/28de5c47143fb788b39f0835f436984e1b2f0348"}]},"branch":"refs/heads/master"}},"requirements":[],"submit_records":[{"rule_name":"gerrit~DefaultSubmitRule","status":"OK","labels":[{"label":"Verified","status":"MAY","applied_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}},{"label":"Code-Review","status":"MAY"},{"label":"Workflow","status":"MAY"}]}],"submit_requirements":[{"name":"Verified","description":"Verified in gate by CI","status":"UNSATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Verified\u003dMAX AND -label:Verified\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Verified\u003dMAX","label:Verified\u003dMIN"],"atom_explanations":{"label:Verified\u003dMAX":"","label:Verified\u003dMIN":""}}},{"name":"Code-Review","description":"Code reviewed by core reviewer","status":"UNSATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Code-Review\u003dMAX AND -label:Code-Review\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Code-Review\u003dMAX","label:Code-Review\u003dMIN"],"atom_explanations":{"label:Code-Review\u003dMAX":"","label:Code-Review\u003dMIN":""}}},{"name":"Workflow","description":"Approved for gate by core reviewer","status":"UNSATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Workflow\u003dMAX AND -label:Workflow\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Workflow\u003dMAX","label:Workflow\u003dMIN"],"atom_explanations":{"label:Workflow\u003dMAX":"","label:Workflow\u003dMIN":""}}}]}