)]}'
{"id":"openstack%2Fopenstack-helm~992528","triplet_id":"openstack%2Fopenstack-helm~master~I89829176d4d85c7033af8ac2f5a8d6af23037e4d","project":"openstack/openstack-helm","branch":"master","attention_set":{"3009":{"account":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"last_update":"2026-06-16 01:41:57.000000000","reason":"\u003cGERRIT_ACCOUNT_5890\u003e replied on the change","reason_account":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"}}},"removed_from_attention_set":{},"hashtags":[],"change_id":"I89829176d4d85c7033af8ac2f5a8d6af23037e4d","subject":"[WIP] Terminate API TLS with nginx sidecars instead of Apache","status":"NEW","created":"2026-06-09 20:18:20.000000000","updated":"2026-06-16 01:41:57.000000000","submit_type":"MERGE_IF_NECESSARY","mergeable":true,"submittable":false,"total_comment_count":1,"unresolved_comment_count":1,"work_in_progress":true,"has_review_started":true,"meta_rev_id":"aa991efa51806784fe6c2c0de6dad671b7d5d29d","_number":992528,"virtual_id_number":992528,"owner":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"actions":{},"labels":{"Verified":{"recommended":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"all":[{"tag":"autogenerated:zuul:check","value":1,"date":"2026-06-15 19:21:51.000000000","permitted_voting_range":{"min":-2,"max":2},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","value":1,"default_value":0,"optional":true},"Code-Review":{"all":[{"value":0,"permitted_voting_range":{"min":-1,"max":1},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","default_value":0,"optional":true},"Workflow":{"all":[{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"CC":[{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"}]},"pending_reviewers":{"REVIEWER":[{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"CC":[{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"}]},"reviewer_updates":[{"updated":"2026-06-09 20:47:08.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"REVIEWER"},{"updated":"2026-06-16 01:41:57.000000000","updated_by":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"},"reviewer":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"},"state":"CC"}],"messages":[{"id":"534db4547c4c8e9ba45e22fa86b4a280a2f2b4b1","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"date":"2026-06-09 20:18:20.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"c500d5f4852dadcc540ce7906ab0f3e90572ac09","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"date":"2026-06-09 20:37:45.000000000","message":"Uploaded patch set 2.","accounts_in_message":[],"_revision_number":2},{"id":"c4f500defb62bbf7ed71fee110670539d8f18138","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-06-09 20:47:08.000000000","message":"Patch Set 1: Verified-1\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\nand https://docs.openstack.org/project-team-guide/testing.html#how-to-handle-test-failures\n\nhttps://zuul.opendev.org/t/openstack/buildset/62794ae781cd4aadad7db5cd1dddf2e3\n\n- openstack-helm-compute-kit-tls-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/ad7eef82837247b3a3dc80e1f7eca909 : FAILURE in 25m 50s","accounts_in_message":[],"_revision_number":1},{"id":"8ec711b17503e0a6f15ccd2ac5fb9d2d440becf9","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"date":"2026-06-09 20:53:21.000000000","message":"Uploaded patch set 3.","accounts_in_message":[],"_revision_number":3},{"id":"1723646fd2d4c01364524d0809713a2c41db0db7","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-06-09 21:15:05.000000000","message":"Patch Set 3: Verified-1\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\nand https://docs.openstack.org/project-team-guide/testing.html#how-to-handle-test-failures\n\nhttps://zuul.opendev.org/t/openstack/buildset/cd1c06ef851e4b02b36ec5ce19a4c232\n\n- openstack-helm-compute-kit-tls-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/264f7ce8fa0f4e9a8ed68ab38b46abcf : FAILURE in 18m 15s","accounts_in_message":[],"_revision_number":3},{"id":"cd7c52dbbc226fba04cf1cc4e2afb199fb11ef7b","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"date":"2026-06-09 22:53:05.000000000","message":"Uploaded patch set 4.\n\nOutdated Votes:\n* Verified-1 (copy condition: \"NEVER\")\n","accounts_in_message":[],"_revision_number":4},{"id":"28734a58b50307a05a85733c19d2e351d6146c91","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"date":"2026-06-09 23:14:36.000000000","message":"Uploaded patch set 5.","accounts_in_message":[],"_revision_number":5},{"id":"82e69b6f2695182d729d4164c3af830e24b7febe","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-06-09 23:31:10.000000000","message":"Patch Set 5: Verified-1\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\nand https://docs.openstack.org/project-team-guide/testing.html#how-to-handle-test-failures\n\nhttps://zuul.opendev.org/t/openstack/buildset/31d9423001f345ce854477b23453a85c\n\n- openstack-helm-compute-kit-tls-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/837af958c25a40c2a6227127ceb5d0b4 : FAILURE in 14m 31s","accounts_in_message":[],"_revision_number":5},{"id":"e7fed04647d5f1e112eaeb90bce1386378204c78","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"date":"2026-06-10 01:15:31.000000000","message":"Uploaded patch set 6.\n\nOutdated Votes:\n* Verified-1 (copy condition: \"NEVER\")\n","accounts_in_message":[],"_revision_number":6},{"id":"1384e9a0a1f7a61c04ed8067321a155e60868716","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"date":"2026-06-10 04:04:02.000000000","message":"Uploaded patch set 7.","accounts_in_message":[],"_revision_number":7},{"id":"06dd14592b00af56e208f2a1d187252a709bbdfa","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-06-10 04:19:45.000000000","message":"Patch Set 7: Verified-1\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\nand https://docs.openstack.org/project-team-guide/testing.html#how-to-handle-test-failures\n\nhttps://zuul.opendev.org/t/openstack/buildset/52742301fda0409bb3a79230b1b572a5\n\n- openstack-helm-compute-kit-tls-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/87966ce5d88d45b1a6ea9efb994b5859 : FAILURE in 13m 51s","accounts_in_message":[],"_revision_number":7},{"id":"12b50cfd476ea29ddddb74b78dd10dbc3c426e5f","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"date":"2026-06-10 04:26:15.000000000","message":"Uploaded patch set 8.\n\nOutdated Votes:\n* Verified-1 (copy condition: \"NEVER\")\n","accounts_in_message":[],"_revision_number":8},{"id":"1fa679c05154c8718a8a39e7824abfe1e8b9f351","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-06-10 05:00:53.000000000","message":"Patch Set 8: Verified-1\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\nand https://docs.openstack.org/project-team-guide/testing.html#how-to-handle-test-failures\n\nhttps://zuul.opendev.org/t/openstack/buildset/311496015764488da2bfc2f79bf5d527\n\n- openstack-helm-compute-kit-tls-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/8d0a4228d2214b60a44880805a039920 : FAILURE in 33m 32s","accounts_in_message":[],"_revision_number":8},{"id":"5b4811ecfe0728facbc76a1d5d8993329d3f8621","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"date":"2026-06-10 05:11:14.000000000","message":"Uploaded patch set 9.\n\nOutdated Votes:\n* Verified-1 (copy condition: \"NEVER\")\n","accounts_in_message":[],"_revision_number":9},{"id":"fb3334ef3c2c0ccc4e4b4a2af54cfd62a1e54adb","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-06-10 06:16:04.000000000","message":"Patch Set 9: Verified-1\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\nand https://docs.openstack.org/project-team-guide/testing.html#how-to-handle-test-failures\n\nhttps://zuul.opendev.org/t/openstack/buildset/985f222f996a47a2953f66c07e44a0a5\n\n- openstack-helm-compute-kit-tls-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/d0dacacf7242455ebabe4771ac770795 : FAILURE in 57m 41s","accounts_in_message":[],"_revision_number":9},{"id":"418236827fe93b5a88191b4753ffc1b945da1157","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"date":"2026-06-10 06:38:16.000000000","message":"Uploaded patch set 10.\n\nOutdated Votes:\n* Verified-1 (copy condition: \"NEVER\")\n","accounts_in_message":[],"_revision_number":10},{"id":"f3970418a7006f5cb2a40aed8205c5ea33122dc4","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-06-10 07:46:45.000000000","message":"Patch Set 10: Verified-1\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\nand https://docs.openstack.org/project-team-guide/testing.html#how-to-handle-test-failures\n\nhttps://zuul.opendev.org/t/openstack/buildset/8c74464f66464902a0d2c0f32e6ef78c\n\n- openstack-helm-compute-kit-tls-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/3122aa805cb947fa95b51e3fbd6fcc93 : FAILURE in 1h 05m 46s","accounts_in_message":[],"_revision_number":10},{"id":"585073affc27bc0dffbdd7044b78e4b556d11dfa","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"date":"2026-06-10 14:30:40.000000000","message":"Uploaded patch set 11.\n\nOutdated Votes:\n* Verified-1 (copy condition: \"NEVER\")\n","accounts_in_message":[],"_revision_number":11},{"id":"10eb433105725556bdac4849347085965d596f2e","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-06-10 16:08:14.000000000","message":"Patch Set 11: Verified-1\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\nand https://docs.openstack.org/project-team-guide/testing.html#how-to-handle-test-failures\n\nhttps://zuul.opendev.org/t/openstack/buildset/bce50e3322964c19839544078d2520d6\n\n- openstack-helm-compute-kit-tls-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/930f2ec464e94f75b66e749cdadb5e4a : FAILURE in 1h 26m 47s","accounts_in_message":[],"_revision_number":11},{"id":"2a3f782a126d0a48f6c0f3e87692eaaa893106ce","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"date":"2026-06-10 16:23:25.000000000","message":"Uploaded patch set 12.\n\nOutdated Votes:\n* Verified-1 (copy condition: \"NEVER\")\n","accounts_in_message":[],"_revision_number":12},{"id":"b6e1c0d68d808646cf989a0dff8d197f6d229728","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-06-10 17:18:56.000000000","message":"Patch Set 12: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/dbf7e66eb1c34fc4a21b14fdb95dd166\n\n- openstack-helm-compute-kit-tls-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/0fb15e3fe41641e690217752bfbc6602 : SUCCESS in 52m 21s","accounts_in_message":[],"_revision_number":12},{"id":"36001e12d03e2a9082c5d0798d96d15e24ee5976","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"date":"2026-06-10 20:07:46.000000000","message":"Uploaded patch set 13.\n\nOutdated Votes:\n* Verified+1 (copy condition: \"NEVER\")\n","accounts_in_message":[],"_revision_number":13},{"id":"a5b8ff5a0ba0593789d5eb4b7a9a009c385b217b","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-06-10 20:56:10.000000000","message":"Patch Set 13: Verified-1\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\nand https://docs.openstack.org/project-team-guide/testing.html#how-to-handle-test-failures\n\nhttps://zuul.opendev.org/t/openstack/buildset/08e98f7e46d745d49411dafe6d14ba92\n\n- openstack-helm-compute-kit-tls-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/64f34479da06403fa6dc60d08b66ee3a : FAILURE in 45m 20s","accounts_in_message":[],"_revision_number":13},{"id":"8a38cc6dd9c110f318edb12915667a3b19299e4e","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"date":"2026-06-10 22:00:35.000000000","message":"Uploaded patch set 14.\n\nOutdated Votes:\n* Verified-1 (copy condition: \"NEVER\")\n","accounts_in_message":[],"_revision_number":14},{"id":"f9dcebde9ec5f11163889fc7d59418aa0639b0cd","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-06-10 22:55:40.000000000","message":"Patch Set 14: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/b8593b54427e430db4344b4a9329fbc6\n\n- openstack-helm-compute-kit-tls-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/b54c4a1c68454bdd95a0d14d126cd6ab : SUCCESS in 52m 07s","accounts_in_message":[],"_revision_number":14},{"id":"9d46d034decd4f1d15231ce73be70f5c4f8db0e2","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"date":"2026-06-12 22:08:20.000000000","message":"Uploaded patch set 15.\n\nOutdated Votes:\n* Verified+1 (copy condition: \"NEVER\")\n","accounts_in_message":[],"_revision_number":15},{"id":"ea037e4146ed0c46d9d4075bd47065b40df724d7","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-06-12 22:10:23.000000000","message":"Patch Set 15: Verified-1\n\nMerge Failed.\n\nThis change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset.\nWarning:\n  Error merging gerrit/openstack/openstack-helm for 992528,15","accounts_in_message":[],"_revision_number":15},{"id":"0bb047f672c7dea4d8f18496d7d5045d6dd22773","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"date":"2026-06-12 22:25:52.000000000","message":"Uploaded patch set 16.\n\nOutdated Votes:\n* Verified-1 (copy condition: \"NEVER\")\n","accounts_in_message":[],"_revision_number":16},{"id":"5426cf569a2e442994a28f7dc8fa10be9274bae2","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-06-12 23:15:07.000000000","message":"Patch Set 16: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/c06c2e4dd23644048142254d12805b38\n\n- openstack-helm-compute-kit-tls-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/c8279410d76549c18ecbba88a3d6bc6c : SUCCESS in 44m 37s","accounts_in_message":[],"_revision_number":16},{"id":"b9e809c8db19c2dbeea2d595e7c78130c187d9b9","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"date":"2026-06-15 17:55:30.000000000","message":"Uploaded patch set 17.\n\nOutdated Votes:\n* Verified+1 (copy condition: \"NEVER\")\n","accounts_in_message":[],"_revision_number":17},{"id":"8d3eebd75a282c90455e4c534d55d0b0e85b7a4c","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-06-15 19:21:51.000000000","message":"Patch Set 17: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/ecb0882ee8db4dfd84effef127aa5cf9\n\n- openstack-helm-compute-kit-tls-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/97b39f6831944875b63eebd4b18ced6c : SUCCESS in 1h 20m 26s","accounts_in_message":[],"_revision_number":17},{"id":"aa991efa51806784fe6c2c0de6dad671b7d5d29d","author":{"_account_id":5890,"name":"Doug Goldstein","email":"cardoe@cardoe.com","username":"cardoe"},"date":"2026-06-16 01:41:57.000000000","message":"Patch Set 17:\n\n(1 comment)","accounts_in_message":[],"_revision_number":17}],"current_revision_number":17,"current_revision":"c22cffb37645b270892cad2995a73f021e82819d","revisions":{"b2929c270473b67a16f50870d7afd535371006ba":{"kind":"REWORK","_number":1,"created":"2026-06-09 20:18:20.000000000","uploader":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"ref":"refs/changes/28/992528/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/28/992528/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/1"}}},"commit":{"parents":[{"commit":"72bc3884dff60cf56fa1320e98331fb96387af75","subject":"Use a dedicated client certificate for MariaDB TLS connections","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/72bc3884dff60cf56fa1320e98331fb96387af75"}]}],"author":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-09 19:01:43.000000000","tz":-300},"committer":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-09 20:18:14.000000000","tz":-300},"subject":"keystone: Terminate API TLS with an nginx sidecar instead of Apache","message":"keystone: Terminate API TLS with an nginx sidecar instead of Apache\n\nReplace in-container Apache httpd TLS termination for the keystone API with\na dedicated nginx sidecar that terminates TLS and reverse-proxies to a uwsgi\nbackend in the same pod.\n\nThe keystone-api container now runs uwsgi directly, binding the identity\n\"service\" endpoint port (5000) over plain HTTP exactly as in the non-TLS\ncase. All Apache artifacts are removed: the conf.wsgi_keystone vhost,\nconf.software.apache2 settings, the mpm_event/security snippets and the\napache volumes, mounts and start/stop logic.\n\nNew pod.extraContainers.keystone_api / pod.extraVolumes.keystone_api hooks\nlet an override inject sidecar containers and volumes into the keystone-api\nDeployment. values_overrides/keystone/api-tls.yaml uses them to add an nginx\nsidecar that terminates TLS on port 443 (cert issued by ca-issuer) and proxies\nto 127.0.0.1:5000. When .Values.tls.identity is enabled the keystone-api\nService adds targetPort: 443 so in-cluster clients reach keystone over TLS on\nthe well-known service port, and the internal/default endpoint scheme flips to\nhttps.\n\nThe api-tls.yaml override is added to the openstack-helm-compute-kit-tls\njob. All other Zuul jobs are temporarily commented out in zuul.d/project.yaml\nwhile the nginx sidecar migration is iterated on, and must be restored before\nmerge.\n\nCo-Authored-By: Claude Opus 4.8 \u003cnoreply@anthropic.com\u003e\nChange-Id: I89829176d4d85c7033af8ac2f5a8d6af23037e4d\nSigned-off-by: Vladimir Kozhukalov \u003ckozhukalov@gmail.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/b2929c270473b67a16f50870d7afd535371006ba"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/b2929c270473b67a16f50870d7afd535371006ba"}]},"branch":"refs/heads/master"},"07996520e785d5802380349815043b379cfeaa5d":{"kind":"REWORK","_number":2,"created":"2026-06-09 20:37:45.000000000","uploader":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"ref":"refs/changes/28/992528/2","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/28/992528/2","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/2"}}},"commit":{"parents":[{"commit":"72bc3884dff60cf56fa1320e98331fb96387af75","subject":"Use a dedicated client certificate for MariaDB TLS connections","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/72bc3884dff60cf56fa1320e98331fb96387af75"}]}],"author":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-09 19:01:43.000000000","tz":-300},"committer":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-09 20:37:23.000000000","tz":-300},"subject":"[WIP] keystone: Terminate API TLS with an nginx sidecar instead of Apache","message":"[WIP] keystone: Terminate API TLS with an nginx sidecar instead of Apache\n\nReplace in-container Apache httpd TLS termination for the keystone API with\na dedicated nginx sidecar that terminates TLS and reverse-proxies to a uwsgi\nbackend in the same pod.\n\nThe keystone-api container now runs uwsgi directly, binding the identity\n\"service\" endpoint port (5000) over plain HTTP exactly as in the non-TLS\ncase. All Apache artifacts are removed: the conf.wsgi_keystone vhost,\nconf.software.apache2 settings, the mpm_event/security snippets and the\napache volumes, mounts and start/stop logic.\n\nNew pod.extraContainers.keystone_api / pod.extraVolumes.keystone_api hooks\nlet an override inject sidecar containers and volumes into the keystone-api\nDeployment. values_overrides/keystone/api-tls.yaml uses them to add an nginx\nsidecar that terminates TLS on port 443 (cert issued by ca-issuer) and proxies\nto 127.0.0.1:5000. When .Values.tls.identity is enabled the keystone-api\nService adds targetPort: 443 so in-cluster clients reach keystone over TLS on\nthe well-known service port, and the internal/default endpoint scheme flips to\nhttps.\n\nThe api-tls.yaml override is added to the openstack-helm-compute-kit-tls\njob. All other Zuul jobs are temporarily commented out in zuul.d/project.yaml\nwhile the nginx sidecar migration is iterated on, and must be restored before\nmerge.\n\nChange-Id: I89829176d4d85c7033af8ac2f5a8d6af23037e4d\nSigned-off-by: Vladimir Kozhukalov \u003ckozhukalov@gmail.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/07996520e785d5802380349815043b379cfeaa5d"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/07996520e785d5802380349815043b379cfeaa5d"}]},"branch":"refs/heads/master"},"fb3c4e8f7af6cf066b1fbf0d87d4fc74fc0ec03e":{"kind":"REWORK","_number":3,"created":"2026-06-09 20:53:21.000000000","uploader":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"ref":"refs/changes/28/992528/3","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/28/992528/3","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/3"}}},"commit":{"parents":[{"commit":"72bc3884dff60cf56fa1320e98331fb96387af75","subject":"Use a dedicated client certificate for MariaDB TLS connections","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/72bc3884dff60cf56fa1320e98331fb96387af75"}]}],"author":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-09 19:01:43.000000000","tz":-300},"committer":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-09 20:52:47.000000000","tz":-300},"subject":"[WIP] keystone: Terminate API TLS with an nginx sidecar instead of Apache","message":"[WIP] keystone: Terminate API TLS with an nginx sidecar instead of Apache\n\nReplace in-container Apache httpd TLS termination for the keystone API with\na dedicated nginx sidecar that terminates TLS and reverse-proxies to a uwsgi\nbackend in the same pod.\n\nThe keystone-api container now runs uwsgi directly, binding the identity\n\"service\" endpoint port (5000) over plain HTTP exactly as in the non-TLS\ncase. All Apache artifacts are removed: the conf.wsgi_keystone vhost,\nconf.software.apache2 settings, the mpm_event/security snippets and the\napache volumes, mounts and start/stop logic.\n\nNew pod.extraContainers.keystone_api / pod.extraVolumes.keystone_api hooks\nlet an override inject sidecar containers and volumes into the keystone-api\nDeployment. values_overrides/keystone/api-tls.yaml uses them to add an nginx\nsidecar that terminates TLS on port 443 (cert issued by ca-issuer) and proxies\nto 127.0.0.1:5000. When .Values.tls.identity is enabled the keystone-api\nService adds targetPort: 443 so in-cluster clients reach keystone over TLS on\nthe well-known service port, and the internal/default endpoint scheme flips to\nhttps.\n\nThe api-tls.yaml override is added to the openstack-helm-compute-kit-tls\njob. All other Zuul jobs are temporarily commented out in zuul.d/project.yaml\nwhile the nginx sidecar migration is iterated on, and must be restored before\nmerge.\n\nChange-Id: I89829176d4d85c7033af8ac2f5a8d6af23037e4d\nSigned-off-by: Vladimir Kozhukalov \u003ckozhukalov@gmail.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/fb3c4e8f7af6cf066b1fbf0d87d4fc74fc0ec03e"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/fb3c4e8f7af6cf066b1fbf0d87d4fc74fc0ec03e"}]},"branch":"refs/heads/master"},"4ad34ff6c2acbc773cfc97096437b00f973fb4cb":{"kind":"REWORK","_number":4,"created":"2026-06-09 22:53:05.000000000","uploader":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"ref":"refs/changes/28/992528/4","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/28/992528/4","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/4 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/4 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/4 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/4"}}},"commit":{"parents":[{"commit":"72bc3884dff60cf56fa1320e98331fb96387af75","subject":"Use a dedicated client certificate for MariaDB TLS connections","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/72bc3884dff60cf56fa1320e98331fb96387af75"}]}],"author":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-09 19:01:43.000000000","tz":-300},"committer":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-09 22:52:52.000000000","tz":-300},"subject":"[WIP] keystone: Terminate API TLS with an nginx sidecar instead of Apache","message":"[WIP] keystone: Terminate API TLS with an nginx sidecar instead of Apache\n\nReplace in-container Apache httpd TLS termination for the keystone API with\na dedicated nginx sidecar that terminates TLS and reverse-proxies to a uwsgi\nbackend in the same pod.\n\nThe keystone-api container now runs uwsgi directly, binding the identity\n\"service\" endpoint port (5000) over plain HTTP exactly as in the non-TLS\ncase. All Apache artifacts are removed: the conf.wsgi_keystone vhost,\nconf.software.apache2 settings, the mpm_event/security snippets and the\napache volumes, mounts and start/stop logic.\n\nNew pod.extraContainers.keystone_api / pod.extraVolumes.keystone_api hooks\nlet an override inject sidecar containers and volumes into the keystone-api\nDeployment. values_overrides/keystone/api-tls.yaml uses them to add an nginx\nsidecar that terminates TLS on port 443 (cert issued by ca-issuer) and proxies\nto 127.0.0.1:5000. When .Values.tls.identity is enabled the keystone-api\nService adds targetPort: 443 so in-cluster clients reach keystone over TLS on\nthe well-known service port, and the internal/default endpoint scheme flips to\nhttps.\n\nThe api-tls.yaml override is added to the openstack-helm-compute-kit-tls\njob. All other Zuul jobs are temporarily commented out in zuul.d/project.yaml\nwhile the nginx sidecar migration is iterated on, and must be restored before\nmerge.\n\nChange-Id: I89829176d4d85c7033af8ac2f5a8d6af23037e4d\nSigned-off-by: Vladimir Kozhukalov \u003ckozhukalov@gmail.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/4ad34ff6c2acbc773cfc97096437b00f973fb4cb"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/4ad34ff6c2acbc773cfc97096437b00f973fb4cb"}]},"branch":"refs/heads/master"},"ad8c91dfe3460ae2c9d96b48cca50e3c92d1d847":{"kind":"REWORK","_number":5,"created":"2026-06-09 23:14:36.000000000","uploader":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"ref":"refs/changes/28/992528/5","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/28/992528/5","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/5 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/5 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/5 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/5"}}},"commit":{"parents":[{"commit":"72bc3884dff60cf56fa1320e98331fb96387af75","subject":"Use a dedicated client certificate for MariaDB TLS connections","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/72bc3884dff60cf56fa1320e98331fb96387af75"}]}],"author":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-09 19:01:43.000000000","tz":-300},"committer":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-09 23:14:25.000000000","tz":-300},"subject":"[WIP] keystone: Terminate API TLS with an nginx sidecar instead of Apache","message":"[WIP] keystone: Terminate API TLS with an nginx sidecar instead of Apache\n\nReplace in-container Apache httpd TLS termination for the keystone API with\na dedicated nginx sidecar that terminates TLS and reverse-proxies to a uwsgi\nbackend in the same pod.\n\nThe keystone-api container now runs uwsgi directly, binding the identity\n\"service\" endpoint port (5000) over plain HTTP exactly as in the non-TLS\ncase. All Apache artifacts are removed: the conf.wsgi_keystone vhost,\nconf.software.apache2 settings, the mpm_event/security snippets and the\napache volumes, mounts and start/stop logic.\n\nNew pod.extraContainers.keystone_api / pod.extraVolumes.keystone_api hooks\nlet an override inject sidecar containers and volumes into the keystone-api\nDeployment. values_overrides/keystone/api-tls.yaml uses them to add an nginx\nsidecar that terminates TLS on port 443 (cert issued by ca-issuer) and proxies\nto 127.0.0.1:5000. When .Values.tls.identity is enabled the keystone-api\nService adds targetPort: 443 so in-cluster clients reach keystone over TLS on\nthe well-known service port, and the internal/default endpoint scheme flips to\nhttps.\n\nThe api-tls.yaml override is added to the openstack-helm-compute-kit-tls\njob. All other Zuul jobs are temporarily commented out in zuul.d/project.yaml\nwhile the nginx sidecar migration is iterated on, and must be restored before\nmerge.\n\nChange-Id: I89829176d4d85c7033af8ac2f5a8d6af23037e4d\nSigned-off-by: Vladimir Kozhukalov \u003ckozhukalov@gmail.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/ad8c91dfe3460ae2c9d96b48cca50e3c92d1d847"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/ad8c91dfe3460ae2c9d96b48cca50e3c92d1d847"}]},"branch":"refs/heads/master"},"9d496ede28592052266b1a844ff1b4230b300cf8":{"kind":"REWORK","_number":6,"created":"2026-06-10 01:15:31.000000000","uploader":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"ref":"refs/changes/28/992528/6","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/28/992528/6","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/6 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/6 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/6 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/6"}}},"commit":{"parents":[{"commit":"72bc3884dff60cf56fa1320e98331fb96387af75","subject":"Use a dedicated client certificate for MariaDB TLS connections","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/72bc3884dff60cf56fa1320e98331fb96387af75"}]}],"author":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-09 19:01:43.000000000","tz":-300},"committer":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-10 01:15:28.000000000","tz":-300},"subject":"[WIP] keystone: Terminate API TLS with an nginx sidecar instead of Apache","message":"[WIP] keystone: Terminate API TLS with an nginx sidecar instead of Apache\n\nReplace in-container Apache httpd TLS termination for the keystone API with\na dedicated nginx sidecar that terminates TLS and reverse-proxies to a uwsgi\nbackend in the same pod.\n\nThe keystone-api container now runs uwsgi directly, binding the identity\n\"service\" endpoint port (5000) over plain HTTP exactly as in the non-TLS\ncase. All Apache artifacts are removed: the conf.wsgi_keystone vhost,\nconf.software.apache2 settings, the mpm_event/security snippets and the\napache volumes, mounts and start/stop logic.\n\nNew pod.extraContainers.keystone_api / pod.extraVolumes.keystone_api hooks\nlet an override inject sidecar containers and volumes into the keystone-api\nDeployment. values_overrides/keystone/api-tls.yaml uses them to add an nginx\nsidecar that terminates TLS on port 443 (cert issued by ca-issuer) and proxies\nto 127.0.0.1:5000. When .Values.tls.identity is enabled the keystone-api\nService adds targetPort: 443 so in-cluster clients reach keystone over TLS on\nthe well-known service port, and the internal/default endpoint scheme flips to\nhttps.\n\nThe api-tls.yaml override is added to the openstack-helm-compute-kit-tls\njob. All other Zuul jobs are temporarily commented out in zuul.d/project.yaml\nwhile the nginx sidecar migration is iterated on, and must be restored before\nmerge.\n\nChange-Id: I89829176d4d85c7033af8ac2f5a8d6af23037e4d\nSigned-off-by: Vladimir Kozhukalov \u003ckozhukalov@gmail.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/9d496ede28592052266b1a844ff1b4230b300cf8"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/9d496ede28592052266b1a844ff1b4230b300cf8"}]},"branch":"refs/heads/master"},"8469336892811c90a22a2e45add039712fe797a9":{"kind":"REWORK","_number":7,"created":"2026-06-10 04:04:02.000000000","uploader":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"ref":"refs/changes/28/992528/7","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/28/992528/7","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/7 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/7 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/7 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/7"}}},"commit":{"parents":[{"commit":"72bc3884dff60cf56fa1320e98331fb96387af75","subject":"Use a dedicated client certificate for MariaDB TLS connections","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/72bc3884dff60cf56fa1320e98331fb96387af75"}]}],"author":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-09 19:01:43.000000000","tz":-300},"committer":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-10 04:03:54.000000000","tz":-300},"subject":"[WIP] Terminate API TLS with nginx sidecars instead of Apache","message":"[WIP] Terminate API TLS with nginx sidecars instead of Apache\n\nReplace in-container Apache httpd / chart-native nginx TLS termination for the\nOpenStack API services with a uniform nginx TLS-terminating sidecar injected\nvia pod.extraContainers, across keystone, glance, heat (api+cfn),\nnova (osapi+metadata), neutron and placement.\n\nFor each API component:\n\n* The main container runs uwsgi directly (Apache removed where present),\n  binding the endpoint \"service\" scope port over plain HTTP exactly as in the\n  non-TLS case; liveness/readiness probes hit that backend directly.\n* New pod.extraContainers.\u003ccomponent\u003e / pod.extraVolumes.\u003ccomponent\u003e hooks let\n  the per-chart values_overrides/\u003cchart\u003e/api-tls.yaml override inject an nginx\n  sidecar that terminates TLS on port 443 and reverse-proxies to the uwsgi\n  backend.\n* TLS is toggled independently per API service via .Values.tls.\u003cservice\u003e. When\n  enabled the chart issues the server certificate (gated on tls.\u003cservice\u003e, not\n  manifests.certificates, to avoid forcing RabbitMQ/DB TLS), renders the nginx\n  config ConfigMap and a Gateway API BackendTLSPolicy so the Envoy Gateway\n  re-encrypts to the sidecar, and the API Service gains targetPort: 443.\n* glance and neutron, which shipped a chart-native nginx sidecar, are converted\n  to the same extraContainers approach.\n* Consumer side: each service trusts the in-cluster TLS endpoints via the\n  ca-issuer CA (keystone_authtoken/clients cafile) and an https identity scheme.\n\nThe api-tls.yaml overrides are added to the openstack-helm-compute-kit-tls job.\nAll other Zuul jobs are temporarily commented out in zuul.d/project.yaml while\nthis is iterated on, and must be restored before merge.\n\nChange-Id: I89829176d4d85c7033af8ac2f5a8d6af23037e4d\nSigned-off-by: Vladimir Kozhukalov \u003ckozhukalov@gmail.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/8469336892811c90a22a2e45add039712fe797a9"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/8469336892811c90a22a2e45add039712fe797a9"}]},"branch":"refs/heads/master"},"a8170df62c62773eef276bef854ce1f86cdf0a84":{"kind":"REWORK","_number":8,"created":"2026-06-10 04:26:15.000000000","uploader":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"ref":"refs/changes/28/992528/8","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/28/992528/8","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/8 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/8 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/8 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/8"}}},"commit":{"parents":[{"commit":"72bc3884dff60cf56fa1320e98331fb96387af75","subject":"Use a dedicated client certificate for MariaDB TLS connections","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/72bc3884dff60cf56fa1320e98331fb96387af75"}]}],"author":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-09 19:01:43.000000000","tz":-300},"committer":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-10 04:26:12.000000000","tz":-300},"subject":"[WIP] Terminate API TLS with nginx sidecars instead of Apache","message":"[WIP] Terminate API TLS with nginx sidecars instead of Apache\n\nReplace in-container Apache httpd / chart-native nginx TLS termination for the\nOpenStack API services with a uniform nginx TLS-terminating sidecar injected\nvia pod.extraContainers, across keystone, glance, heat (api+cfn),\nnova (osapi+metadata), neutron and placement.\n\nFor each API component:\n\n* The main container runs uwsgi directly (Apache removed where present),\n  binding the endpoint \"service\" scope port over plain HTTP exactly as in the\n  non-TLS case; liveness/readiness probes hit that backend directly.\n* New pod.extraContainers.\u003ccomponent\u003e / pod.extraVolumes.\u003ccomponent\u003e hooks let\n  the per-chart values_overrides/\u003cchart\u003e/api-tls.yaml override inject an nginx\n  sidecar that terminates TLS on port 443 and reverse-proxies to the uwsgi\n  backend.\n* TLS is toggled independently per API service via .Values.tls.\u003cservice\u003e. When\n  enabled the chart issues the server certificate (gated on tls.\u003cservice\u003e, not\n  manifests.certificates, to avoid forcing RabbitMQ/DB TLS), renders the nginx\n  config ConfigMap and a Gateway API BackendTLSPolicy so the Envoy Gateway\n  re-encrypts to the sidecar, and the API Service gains targetPort: 443.\n* glance and neutron, which shipped a chart-native nginx sidecar, are converted\n  to the same extraContainers approach.\n* Consumer side: each service trusts the in-cluster TLS endpoints via the\n  ca-issuer CA (keystone_authtoken/clients cafile) and an https identity scheme.\n\nThe api-tls.yaml overrides are added to the openstack-helm-compute-kit-tls job.\nAll other Zuul jobs are temporarily commented out in zuul.d/project.yaml while\nthis is iterated on, and must be restored before merge.\n\nChange-Id: I89829176d4d85c7033af8ac2f5a8d6af23037e4d\nSigned-off-by: Vladimir Kozhukalov \u003ckozhukalov@gmail.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/a8170df62c62773eef276bef854ce1f86cdf0a84"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/a8170df62c62773eef276bef854ce1f86cdf0a84"}]},"branch":"refs/heads/master"},"de7616f5a1922507e43f96bfcda48e3169bb3eb4":{"kind":"REWORK","_number":9,"created":"2026-06-10 05:11:14.000000000","uploader":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"ref":"refs/changes/28/992528/9","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/28/992528/9","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/9 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/9 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/9 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/9"}}},"commit":{"parents":[{"commit":"72bc3884dff60cf56fa1320e98331fb96387af75","subject":"Use a dedicated client certificate for MariaDB TLS connections","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/72bc3884dff60cf56fa1320e98331fb96387af75"}]}],"author":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-09 19:01:43.000000000","tz":-300},"committer":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-10 05:11:12.000000000","tz":-300},"subject":"[WIP] Terminate API TLS with nginx sidecars instead of Apache","message":"[WIP] Terminate API TLS with nginx sidecars instead of Apache\n\nReplace in-container Apache httpd / chart-native nginx TLS termination for the\nOpenStack API services with a uniform nginx TLS-terminating sidecar injected\nvia pod.extraContainers, across keystone, glance, heat (api+cfn),\nnova (osapi+metadata), neutron and placement.\n\nFor each API component:\n\n* The main container runs uwsgi directly (Apache removed where present),\n  binding the endpoint \"service\" scope port over plain HTTP exactly as in the\n  non-TLS case; liveness/readiness probes hit that backend directly.\n* New pod.extraContainers.\u003ccomponent\u003e / pod.extraVolumes.\u003ccomponent\u003e hooks let\n  the per-chart values_overrides/\u003cchart\u003e/api-tls.yaml override inject an nginx\n  sidecar that terminates TLS on port 443 and reverse-proxies to the uwsgi\n  backend.\n* TLS is toggled independently per API service via .Values.tls.\u003cservice\u003e. When\n  enabled the chart issues the server certificate (gated on tls.\u003cservice\u003e, not\n  manifests.certificates, to avoid forcing RabbitMQ/DB TLS), renders the nginx\n  config ConfigMap and a Gateway API BackendTLSPolicy so the Envoy Gateway\n  re-encrypts to the sidecar, and the API Service gains targetPort: 443.\n* glance and neutron, which shipped a chart-native nginx sidecar, are converted\n  to the same extraContainers approach.\n* Consumer side: each service trusts the in-cluster TLS endpoints via the\n  ca-issuer CA (keystone_authtoken/clients cafile) and an https identity scheme.\n\nThe api-tls.yaml overrides are added to the openstack-helm-compute-kit-tls job.\nAll other Zuul jobs are temporarily commented out in zuul.d/project.yaml while\nthis is iterated on, and must be restored before merge.\n\nChange-Id: I89829176d4d85c7033af8ac2f5a8d6af23037e4d\nSigned-off-by: Vladimir Kozhukalov \u003ckozhukalov@gmail.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/de7616f5a1922507e43f96bfcda48e3169bb3eb4"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/de7616f5a1922507e43f96bfcda48e3169bb3eb4"}]},"branch":"refs/heads/master"},"5e7115b40fe03644a6758402a7bfb0436e247b22":{"kind":"REWORK","_number":10,"created":"2026-06-10 06:38:16.000000000","uploader":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"ref":"refs/changes/28/992528/10","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/28/992528/10","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/10 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/10 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/10 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/10"}}},"commit":{"parents":[{"commit":"72bc3884dff60cf56fa1320e98331fb96387af75","subject":"Use a dedicated client certificate for MariaDB TLS connections","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/72bc3884dff60cf56fa1320e98331fb96387af75"}]}],"author":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-09 19:01:43.000000000","tz":-300},"committer":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-10 06:38:13.000000000","tz":-300},"subject":"[WIP] Terminate API TLS with nginx sidecars instead of Apache","message":"[WIP] Terminate API TLS with nginx sidecars instead of Apache\n\nReplace in-container Apache httpd / chart-native nginx TLS termination for the\nOpenStack API services with a uniform nginx TLS-terminating sidecar injected\nvia pod.extraContainers, across keystone, glance, heat (api+cfn),\nnova (osapi+metadata), neutron and placement.\n\nFor each API component:\n\n* The main container runs uwsgi directly (Apache removed where present),\n  binding the endpoint \"service\" scope port over plain HTTP exactly as in the\n  non-TLS case; liveness/readiness probes hit that backend directly.\n* New pod.extraContainers.\u003ccomponent\u003e / pod.extraVolumes.\u003ccomponent\u003e hooks let\n  the per-chart values_overrides/\u003cchart\u003e/api-tls.yaml override inject an nginx\n  sidecar that terminates TLS on port 443 and reverse-proxies to the uwsgi\n  backend.\n* TLS is toggled independently per API service via .Values.tls.\u003cservice\u003e. When\n  enabled the chart issues the server certificate (gated on tls.\u003cservice\u003e, not\n  manifests.certificates, to avoid forcing RabbitMQ/DB TLS), renders the nginx\n  config ConfigMap and a Gateway API BackendTLSPolicy so the Envoy Gateway\n  re-encrypts to the sidecar, and the API Service gains targetPort: 443.\n* glance and neutron, which shipped a chart-native nginx sidecar, are converted\n  to the same extraContainers approach.\n* Consumer side: each service trusts the in-cluster TLS endpoints via the\n  ca-issuer CA (keystone_authtoken/clients cafile) and an https identity scheme.\n\nThe api-tls.yaml overrides are added to the openstack-helm-compute-kit-tls job.\nAll other Zuul jobs are temporarily commented out in zuul.d/project.yaml while\nthis is iterated on, and must be restored before merge.\n\nChange-Id: I89829176d4d85c7033af8ac2f5a8d6af23037e4d\nSigned-off-by: Vladimir Kozhukalov \u003ckozhukalov@gmail.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/5e7115b40fe03644a6758402a7bfb0436e247b22"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/5e7115b40fe03644a6758402a7bfb0436e247b22"}]},"branch":"refs/heads/master"},"37523b6920025abca6b7fdf2fd49b73bc718266a":{"kind":"REWORK","_number":11,"created":"2026-06-10 14:30:40.000000000","uploader":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"ref":"refs/changes/28/992528/11","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/28/992528/11","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/11 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/11 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/11 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/11"}}},"commit":{"parents":[{"commit":"72bc3884dff60cf56fa1320e98331fb96387af75","subject":"Use a dedicated client certificate for MariaDB TLS connections","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/72bc3884dff60cf56fa1320e98331fb96387af75"}]}],"author":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-09 19:01:43.000000000","tz":-300},"committer":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-10 14:30:37.000000000","tz":-300},"subject":"[WIP] Terminate API TLS with nginx sidecars instead of Apache","message":"[WIP] Terminate API TLS with nginx sidecars instead of Apache\n\nReplace in-container Apache httpd / chart-native nginx TLS termination for the\nOpenStack API services with a uniform nginx TLS-terminating sidecar injected\nvia pod.extraContainers, across keystone, glance, heat (api+cfn),\nnova (osapi+metadata), neutron and placement.\n\nFor each API component:\n\n* The main container runs uwsgi directly (Apache removed where present),\n  binding the endpoint \"service\" scope port over plain HTTP exactly as in the\n  non-TLS case; liveness/readiness probes hit that backend directly.\n* New pod.extraContainers.\u003ccomponent\u003e / pod.extraVolumes.\u003ccomponent\u003e hooks let\n  the per-chart values_overrides/\u003cchart\u003e/api-tls.yaml override inject an nginx\n  sidecar that terminates TLS on port 443 and reverse-proxies to the uwsgi\n  backend.\n* TLS is toggled independently per API service via .Values.tls.\u003cservice\u003e. When\n  enabled the chart issues the server certificate (gated on tls.\u003cservice\u003e, not\n  manifests.certificates, to avoid forcing RabbitMQ/DB TLS), renders the nginx\n  config ConfigMap and a Gateway API BackendTLSPolicy so the Envoy Gateway\n  re-encrypts to the sidecar, and the API Service gains targetPort: 443.\n* glance and neutron, which shipped a chart-native nginx sidecar, are converted\n  to the same extraContainers approach.\n* Consumer side: each service trusts the in-cluster TLS endpoints via the\n  ca-issuer CA (keystone_authtoken/clients cafile) and an https identity scheme.\n\nThe api-tls.yaml overrides are added to the openstack-helm-compute-kit-tls job.\nAll other Zuul jobs are temporarily commented out in zuul.d/project.yaml while\nthis is iterated on, and must be restored before merge.\n\nChange-Id: I89829176d4d85c7033af8ac2f5a8d6af23037e4d\nSigned-off-by: Vladimir Kozhukalov \u003ckozhukalov@gmail.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/37523b6920025abca6b7fdf2fd49b73bc718266a"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/37523b6920025abca6b7fdf2fd49b73bc718266a"}]},"branch":"refs/heads/master"},"e225ade2a0de72b140da61694ea8ef0a1aa7625d":{"kind":"REWORK","_number":12,"created":"2026-06-10 16:23:25.000000000","uploader":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"ref":"refs/changes/28/992528/12","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/28/992528/12","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/12 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/12 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/12 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/12"}}},"commit":{"parents":[{"commit":"72bc3884dff60cf56fa1320e98331fb96387af75","subject":"Use a dedicated client certificate for MariaDB TLS connections","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/72bc3884dff60cf56fa1320e98331fb96387af75"}]}],"author":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-09 19:01:43.000000000","tz":-300},"committer":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-10 16:23:22.000000000","tz":-300},"subject":"[WIP] Terminate API TLS with nginx sidecars instead of Apache","message":"[WIP] Terminate API TLS with nginx sidecars instead of Apache\n\nReplace in-container Apache httpd / chart-native nginx TLS termination for the\nOpenStack API services with a uniform nginx TLS-terminating sidecar injected\nvia pod.extraContainers, across keystone, glance, heat (api+cfn),\nnova (osapi+metadata), neutron and placement.\n\nFor each API component:\n\n* The main container runs uwsgi directly (Apache removed where present),\n  binding the endpoint \"service\" scope port over plain HTTP exactly as in the\n  non-TLS case; liveness/readiness probes hit that backend directly.\n* New pod.extraContainers.\u003ccomponent\u003e / pod.extraVolumes.\u003ccomponent\u003e hooks let\n  the per-chart values_overrides/\u003cchart\u003e/api-tls.yaml override inject an nginx\n  sidecar that terminates TLS on port 443 and reverse-proxies to the uwsgi\n  backend.\n* TLS is toggled independently per API service via .Values.tls.\u003cservice\u003e. When\n  enabled the chart issues the server certificate (gated on tls.\u003cservice\u003e, not\n  manifests.certificates, to avoid forcing RabbitMQ/DB TLS), renders the nginx\n  config ConfigMap and a Gateway API BackendTLSPolicy so the Envoy Gateway\n  re-encrypts to the sidecar, and the API Service gains targetPort: 443.\n* glance and neutron, which shipped a chart-native nginx sidecar, are converted\n  to the same extraContainers approach.\n* Consumer side: each service trusts the in-cluster TLS endpoints via the\n  ca-issuer CA (keystone_authtoken/clients cafile) and an https identity scheme.\n\nThe api-tls.yaml overrides are added to the openstack-helm-compute-kit-tls job.\nAll other Zuul jobs are temporarily commented out in zuul.d/project.yaml while\nthis is iterated on, and must be restored before merge.\n\nChange-Id: I89829176d4d85c7033af8ac2f5a8d6af23037e4d\nSigned-off-by: Vladimir Kozhukalov \u003ckozhukalov@gmail.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/e225ade2a0de72b140da61694ea8ef0a1aa7625d"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/e225ade2a0de72b140da61694ea8ef0a1aa7625d"}]},"branch":"refs/heads/master"},"6d7917f752a22960459cee72de482f9c5505b985":{"kind":"REWORK","_number":13,"created":"2026-06-10 20:07:46.000000000","uploader":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"ref":"refs/changes/28/992528/13","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/28/992528/13","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/13 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/13 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/13 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/13"}}},"commit":{"parents":[{"commit":"72bc3884dff60cf56fa1320e98331fb96387af75","subject":"Use a dedicated client certificate for MariaDB TLS connections","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/72bc3884dff60cf56fa1320e98331fb96387af75"}]}],"author":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-09 19:01:43.000000000","tz":-300},"committer":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-10 20:07:37.000000000","tz":-300},"subject":"[WIP] Terminate API TLS with nginx sidecars instead of Apache","message":"[WIP] Terminate API TLS with nginx sidecars instead of Apache\n\nReplace in-container Apache httpd / chart-native nginx TLS termination for the\nOpenStack API services with a uniform nginx TLS-terminating sidecar injected\nvia pod.extraContainers, across keystone, glance, heat (api+cfn),\nnova (osapi+metadata), neutron and placement.\n\nFor each API component:\n\n* The main container runs uwsgi directly (Apache removed where present),\n  binding the endpoint \"service\" scope port over plain HTTP exactly as in the\n  non-TLS case; liveness/readiness probes hit that backend directly.\n* New pod.extraContainers.\u003ccomponent\u003e / pod.extraVolumes.\u003ccomponent\u003e hooks let\n  the per-chart values_overrides/\u003cchart\u003e/api-tls.yaml override inject an nginx\n  sidecar that terminates TLS on port 443 and reverse-proxies to the uwsgi\n  backend.\n* TLS is toggled independently per API service via .Values.tls.\u003cservice\u003e. When\n  enabled the chart issues the server certificate and renders the nginx config\n  ConfigMap (both gated on tls.\u003cservice\u003e, not manifests.certificates, to avoid\n  forcing RabbitMQ/DB TLS), and the API Service gains targetPort: 443.\n* Exposing the service via the Gateway API stays in the overrides: the\n  gateway-tls.yaml extraObjects carry the HTTPRoute and (gated on tls.\u003cservice\u003e)\n  a BackendTLSPolicy so the Envoy Gateway re-encrypts to the sidecar. Charts\n  remain independent of how services are exposed outside the cluster.\n* glance and neutron, which shipped a chart-native nginx sidecar, are converted\n  to the same extraContainers approach.\n* Consumer side: each service trusts the in-cluster TLS endpoints via the\n  ca-issuer CA (keystone_authtoken/clients cafile, https client schemes, and\n  the neutron metadata agent reaches nova-metadata over https).\n\nThe api-tls.yaml overrides are added to the openstack-helm-compute-kit-tls job.\nAll other Zuul jobs are temporarily commented out in zuul.d/project.yaml while\nthis is iterated on, and must be restored before merge.\n\nChange-Id: I89829176d4d85c7033af8ac2f5a8d6af23037e4d\nSigned-off-by: Vladimir Kozhukalov \u003ckozhukalov@gmail.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/6d7917f752a22960459cee72de482f9c5505b985"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/6d7917f752a22960459cee72de482f9c5505b985"}]},"branch":"refs/heads/master"},"78e9c027a07521cbae31c9ad01fa00380b0c73c3":{"kind":"REWORK","_number":14,"created":"2026-06-10 22:00:35.000000000","uploader":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"ref":"refs/changes/28/992528/14","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/28/992528/14","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/14 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/14 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/14 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/14"}}},"commit":{"parents":[{"commit":"72bc3884dff60cf56fa1320e98331fb96387af75","subject":"Use a dedicated client certificate for MariaDB TLS connections","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/72bc3884dff60cf56fa1320e98331fb96387af75"}]}],"author":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-09 19:01:43.000000000","tz":-300},"committer":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-10 21:40:38.000000000","tz":-300},"subject":"[WIP] Terminate API TLS with nginx sidecars instead of Apache","message":"[WIP] Terminate API TLS with nginx sidecars instead of Apache\n\nReplace in-container Apache httpd / chart-native nginx TLS termination for the\nOpenStack API services with a uniform nginx TLS-terminating sidecar, across\nkeystone, glance, heat (api+cfn), nova (osapi+metadata), neutron and placement.\n\nFor each API component:\n\n* The main container runs uwsgi directly (Apache removed where present),\n  binding the endpoint \"service\" scope port over plain HTTP exactly as in the\n  non-TLS case; liveness/readiness probes hit that backend directly.\n* New pod.extraContainers.\u003ccomponent\u003e / pod.extraVolumes.\u003ccomponent\u003e render\n  hooks let an override inject an nginx sidecar that terminates TLS on port 443\n  and reverse-proxies to the uwsgi backend.\n* TLS is toggled per service via .Values.tls.\u003cservice\u003e. When enabled the chart\n  issues the server certificate (gated on tls.\u003cservice\u003e, not\n  manifests.certificates, to avoid forcing RabbitMQ/DB TLS) and the API Service\n  gains targetPort: 443.\n\nExposure and the TLS objects live entirely in the overrides so the charts stay\nindependent of how services are exposed outside the cluster:\n\n* gateway-tls.yaml (unchanged) covers public-endpoint TLS only (gateway\n  terminates public TLS, plain HTTP to the backend).\n* gateway-api-tls.yaml is a new, self-contained \"secure everywhere\" override:\n  public TLS plus gateway\u003c-\u003epod TLS. It carries the nginx sidecar\n  (extraContainers/extraVolumes), the https schemes, the cert config and the\n  consumer-trust settings, and its extraObjects hold the HTTPRoute(s), the\n  nginx config ConfigMap(s) and the BackendTLSPolicy(ies) (so the Envoy Gateway\n  re-encrypts to the sidecar). The compute-kit-tls job uses this override.\n\n* glance and neutron, which shipped a chart-native nginx sidecar, are converted\n  to the same extraContainers approach.\n* Consumer side: each service trusts the in-cluster TLS endpoints via the\n  ca-issuer CA (keystone_authtoken/clients cafile, https client schemes, ks-*\n  registration jobs and rally test pods get the CA, and the neutron metadata\n  agent reaches nova-metadata over https).\n\nAll other Zuul jobs are temporarily commented out in zuul.d/project.yaml while\nthis is iterated on, and must be restored before merge.\n\nChange-Id: I89829176d4d85c7033af8ac2f5a8d6af23037e4d\nSigned-off-by: Vladimir Kozhukalov \u003ckozhukalov@gmail.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/78e9c027a07521cbae31c9ad01fa00380b0c73c3"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/78e9c027a07521cbae31c9ad01fa00380b0c73c3"}]},"branch":"refs/heads/master"},"9acb8b1ece8224d1c4cfb63f7d65892f7a322c1f":{"kind":"REWORK","_number":15,"created":"2026-06-12 22:08:20.000000000","uploader":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"ref":"refs/changes/28/992528/15","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/28/992528/15","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/15 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/15 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/15 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/15"}}},"commit":{"parents":[{"commit":"929e023e86e1002c36cf625470cb54c60fb04f3c","subject":"Use mTLS and a shared client certificate for RabbitMQ","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/929e023e86e1002c36cf625470cb54c60fb04f3c"}]}],"author":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-09 19:01:43.000000000","tz":-300},"committer":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-12 22:05:17.000000000","tz":-300},"subject":"[WIP] Terminate API TLS with nginx sidecars instead of Apache","message":"[WIP] Terminate API TLS with nginx sidecars instead of Apache\n\nReplace in-container Apache httpd / chart-native nginx TLS termination for the\nOpenStack API services with a uniform nginx TLS-terminating sidecar, across\nkeystone, glance, heat (api+cfn), nova (osapi+metadata), neutron and placement.\n\nFor each API component:\n\n* The main container runs uwsgi directly (Apache removed where present),\n  binding the endpoint \"service\" scope port over plain HTTP exactly as in the\n  non-TLS case; liveness/readiness probes hit that backend directly.\n* New pod.extraContainers.\u003ccomponent\u003e / pod.extraVolumes.\u003ccomponent\u003e render\n  hooks let an override inject an nginx sidecar that terminates TLS on port 443\n  and reverse-proxies to the uwsgi backend.\n* TLS is toggled per service via .Values.tls.\u003cservice\u003e. When enabled the chart\n  issues the server certificate (gated on tls.\u003cservice\u003e, not\n  manifests.certificates, to avoid forcing RabbitMQ/DB TLS) and the API Service\n  gains targetPort: 443.\n\nExposure and the TLS objects live entirely in the overrides so the charts stay\nindependent of how services are exposed outside the cluster:\n\n* gateway-tls.yaml (unchanged) covers public-endpoint TLS only (gateway\n  terminates public TLS, plain HTTP to the backend).\n* gateway-api-tls.yaml is a new, self-contained \"secure everywhere\" override:\n  public TLS plus gateway\u003c-\u003epod TLS. It carries the nginx sidecar\n  (extraContainers/extraVolumes), the https schemes, the cert config and the\n  consumer-trust settings, and its extraObjects hold the HTTPRoute(s), the\n  nginx config ConfigMap(s) and the BackendTLSPolicy(ies) (so the Envoy Gateway\n  re-encrypts to the sidecar). The compute-kit-tls job uses this override.\n\n* glance and neutron, which shipped a chart-native nginx sidecar, are converted\n  to the same extraContainers approach.\n* Consumer side: each service trusts the in-cluster TLS endpoints via the\n  ca-issuer CA (keystone_authtoken/clients cafile, https client schemes, ks-*\n  registration jobs and rally test pods get the CA, and the neutron metadata\n  agent reaches nova-metadata over https).\n\nAll other Zuul jobs are temporarily commented out in zuul.d/project.yaml while\nthis is iterated on, and must be restored before merge.\n\nChange-Id: I89829176d4d85c7033af8ac2f5a8d6af23037e4d\nSigned-off-by: Vladimir Kozhukalov \u003ckozhukalov@gmail.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/9acb8b1ece8224d1c4cfb63f7d65892f7a322c1f"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/9acb8b1ece8224d1c4cfb63f7d65892f7a322c1f"}]},"branch":"refs/heads/master"},"8fc622ce3cfd955d60fa738ee9d54a7afaa2e7e4":{"kind":"REWORK","_number":16,"created":"2026-06-12 22:25:52.000000000","uploader":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"ref":"refs/changes/28/992528/16","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/28/992528/16","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/16 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/16 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/16 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/16"}}},"commit":{"parents":[{"commit":"9d891d3e679b522832c216f23e30e64a9b400681","subject":"Use mTLS and a shared client certificate for RabbitMQ","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/9d891d3e679b522832c216f23e30e64a9b400681"}]}],"author":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-09 19:01:43.000000000","tz":-300},"committer":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-12 22:24:37.000000000","tz":-300},"subject":"[WIP] Terminate API TLS with nginx sidecars instead of Apache","message":"[WIP] Terminate API TLS with nginx sidecars instead of Apache\n\nReplace in-container Apache httpd / chart-native nginx TLS termination for the\nOpenStack API services with a uniform nginx TLS-terminating sidecar, across\nkeystone, glance, heat (api+cfn), nova (osapi+metadata), neutron and placement.\n\nFor each API component:\n\n* The main container runs uwsgi directly (Apache removed where present),\n  binding the endpoint \"service\" scope port over plain HTTP exactly as in the\n  non-TLS case; liveness/readiness probes hit that backend directly.\n* New pod.extraContainers.\u003ccomponent\u003e / pod.extraVolumes.\u003ccomponent\u003e render\n  hooks let an override inject an nginx sidecar that terminates TLS on port 443\n  and reverse-proxies to the uwsgi backend.\n* TLS is toggled per service via .Values.tls.\u003cservice\u003e. When enabled the chart\n  issues the server certificate (gated on tls.\u003cservice\u003e, not\n  manifests.certificates, to avoid forcing RabbitMQ/DB TLS) and the API Service\n  gains targetPort: 443.\n\nExposure and the TLS objects live entirely in the overrides so the charts stay\nindependent of how services are exposed outside the cluster:\n\n* gateway-tls.yaml (unchanged) covers public-endpoint TLS only (gateway\n  terminates public TLS, plain HTTP to the backend).\n* gateway-api-tls.yaml is a new, self-contained \"secure everywhere\" override:\n  public TLS plus gateway\u003c-\u003epod TLS. It carries the nginx sidecar\n  (extraContainers/extraVolumes), the https schemes, the cert config and the\n  consumer-trust settings, and its extraObjects hold the HTTPRoute(s), the\n  nginx config ConfigMap(s) and the BackendTLSPolicy(ies) (so the Envoy Gateway\n  re-encrypts to the sidecar). The compute-kit-tls job uses this override.\n\n* glance and neutron, which shipped a chart-native nginx sidecar, are converted\n  to the same extraContainers approach.\n* Consumer side: each service trusts the in-cluster TLS endpoints via the\n  ca-issuer CA (keystone_authtoken/clients cafile, https client schemes, ks-*\n  registration jobs and rally test pods get the CA, and the neutron metadata\n  agent reaches nova-metadata over https).\n\nAll other Zuul jobs are temporarily commented out in zuul.d/project.yaml while\nthis is iterated on, and must be restored before merge.\n\nChange-Id: I89829176d4d85c7033af8ac2f5a8d6af23037e4d\nSigned-off-by: Vladimir Kozhukalov \u003ckozhukalov@gmail.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/8fc622ce3cfd955d60fa738ee9d54a7afaa2e7e4"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/8fc622ce3cfd955d60fa738ee9d54a7afaa2e7e4"}]},"branch":"refs/heads/master"},"c22cffb37645b270892cad2995a73f021e82819d":{"kind":"REWORK","_number":17,"created":"2026-06-15 17:55:30.000000000","uploader":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"ref":"refs/changes/28/992528/17","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/28/992528/17","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/17 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/17 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/17 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/28/992528/17"}}},"commit":{"parents":[{"commit":"9d891d3e679b522832c216f23e30e64a9b400681","subject":"Use mTLS and a shared client certificate for RabbitMQ","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/9d891d3e679b522832c216f23e30e64a9b400681"}]}],"author":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-09 19:01:43.000000000","tz":-300},"committer":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-15 17:55:24.000000000","tz":-300},"subject":"[WIP] Terminate API TLS with nginx sidecars instead of Apache","message":"[WIP] Terminate API TLS with nginx sidecars instead of Apache\n\nReplace in-container Apache httpd / chart-native nginx TLS termination for the\nOpenStack API services with a uniform nginx TLS-terminating sidecar, across\nkeystone, glance, heat (api+cfn), nova (osapi+metadata), neutron and placement.\n\nFor each API component:\n\n* The main container runs uwsgi directly (Apache removed where present),\n  binding the endpoint \"service\" scope port over plain HTTP exactly as in the\n  non-TLS case; liveness/readiness probes hit that backend directly.\n* New pod.extraContainers.\u003ccomponent\u003e / pod.extraVolumes.\u003ccomponent\u003e render\n  hooks let an override inject an nginx sidecar that terminates TLS on port 443\n  and reverse-proxies to the uwsgi backend.\n* TLS is toggled per service via .Values.tls.\u003cservice\u003e. When enabled the chart\n  issues the server certificate (gated on tls.\u003cservice\u003e, not\n  manifests.certificates, to avoid forcing RabbitMQ/DB TLS) and the API Service\n  gains targetPort: 443.\n\nExposure and the TLS objects live entirely in the overrides so the charts stay\nindependent of how services are exposed outside the cluster:\n\n* gateway-tls.yaml (unchanged) covers public-endpoint TLS only (gateway\n  terminates public TLS, plain HTTP to the backend).\n* gateway-api-tls.yaml is a new, self-contained \"secure everywhere\" override:\n  public TLS plus gateway\u003c-\u003epod TLS. It carries the nginx sidecar\n  (extraContainers/extraVolumes), the https schemes, the cert config and the\n  consumer-trust settings, and its extraObjects hold the HTTPRoute(s), the\n  nginx config ConfigMap(s) and the BackendTLSPolicy(ies) (so the Envoy Gateway\n  re-encrypts to the sidecar). The compute-kit-tls job uses this override.\n\n* glance and neutron, which shipped a chart-native nginx sidecar, are converted\n  to the same extraContainers approach.\n* Consumer side: each service trusts the in-cluster TLS endpoints via the\n  ca-issuer CA (keystone_authtoken/clients cafile, https client schemes, ks-*\n  registration jobs and rally test pods get the CA, and the neutron metadata\n  agent reaches nova-metadata over https).\n\nAll other Zuul jobs are temporarily commented out in zuul.d/project.yaml while\nthis is iterated on, and must be restored before merge.\n\nChange-Id: I89829176d4d85c7033af8ac2f5a8d6af23037e4d\nSigned-off-by: Vladimir Kozhukalov \u003ckozhukalov@gmail.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/c22cffb37645b270892cad2995a73f021e82819d"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/c22cffb37645b270892cad2995a73f021e82819d"}]},"branch":"refs/heads/master"}},"requirements":[],"submit_records":[{"rule_name":"gerrit~DefaultSubmitRule","status":"OK","labels":[{"label":"Verified","status":"MAY","applied_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}},{"label":"Code-Review","status":"MAY"},{"label":"Workflow","status":"MAY"}]}],"submit_requirements":[{"name":"Verified","description":"Verified in gate by CI","status":"UNSATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Verified\u003dMAX AND -label:Verified\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Verified\u003dMAX","label:Verified\u003dMIN"],"atom_explanations":{"label:Verified\u003dMAX":"","label:Verified\u003dMIN":""}}},{"name":"Code-Review","description":"Code reviewed by core reviewer","status":"UNSATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Code-Review\u003dMAX AND -label:Code-Review\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Code-Review\u003dMAX","label:Code-Review\u003dMIN"],"atom_explanations":{"label:Code-Review\u003dMAX":"","label:Code-Review\u003dMIN":""}}},{"name":"Workflow","description":"Approved for gate by core reviewer","status":"UNSATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Workflow\u003dMAX AND -label:Workflow\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Workflow\u003dMAX","label:Workflow\u003dMIN"],"atom_explanations":{"label:Workflow\u003dMAX":"","label:Workflow\u003dMIN":""}}}]}