)]}'
{"id":"openstack%2Fopenstack-helm~995159","triplet_id":"openstack%2Fopenstack-helm~master~I630bc0cb4efecefe7be32da67107aa6d8c95854f","project":"openstack/openstack-helm","branch":"master","hashtags":[],"change_id":"I630bc0cb4efecefe7be32da67107aa6d8c95854f","subject":"Decouple mTLS client cert from oslo_db endpoint","status":"NEW","created":"2026-06-26 23:45:50.000000000","updated":"2026-06-27 04:41:46.000000000","submit_type":"MERGE_IF_NECESSARY","mergeable":true,"submittable":false,"total_comment_count":0,"unresolved_comment_count":0,"has_review_started":true,"meta_rev_id":"2c965299495695bb3dcd41f2b23681755963bd25","_number":995159,"virtual_id_number":995159,"owner":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"actions":{},"labels":{"Verified":{"recommended":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"all":[{"tag":"autogenerated:zuul:check","value":1,"date":"2026-06-27 04:41:46.000000000","permitted_voting_range":{"min":-2,"max":2},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","value":1,"default_value":0,"optional":true},"Code-Review":{"all":[{"value":0,"permitted_voting_range":{"min":-1,"max":1},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","default_value":0,"optional":true},"Workflow":{"all":[{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2026-06-27 01:08:41.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"REVIEWER"}],"messages":[{"id":"1dffdd79a645f764db1f2c706592e35ad71e5cbc","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"date":"2026-06-26 23:45:50.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"c426f382c8ad29fb21d6c6a207e4b2c1601aee74","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-06-27 01:08:41.000000000","message":"Patch Set 1: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/98469d58a9c94b8eba4e45cbbbe79774\n\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/4334386d99ce4e16a290b884f32e27c6 : SUCCESS in 5m 07s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/e4a2968ee99b49ccb498c444872dd356 : SUCCESS in 5m 09s\n- openstack-helm-compute-kit-tls-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/35979d158baa4b8d8a32f398d908c3e1 : SUCCESS in 1h 17m 05s","accounts_in_message":[],"_revision_number":1},{"id":"cc2eefe3e2cf2a26284efb0403cb7cbbfb1a22be","tag":"autogenerated:gerrit:newWipPatchSet","author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"date":"2026-06-27 02:02:40.000000000","message":"Uploaded patch set 2.\n\nOutdated Votes:\n* Verified+1 (copy condition: \"NEVER\")\n","accounts_in_message":[],"_revision_number":2},{"id":"bc4639f6018bec53af668399942c14eec57cdac9","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"date":"2026-06-27 02:03:55.000000000","message":"Uploaded patch set 3: New patch set was added with same tree, parent tree, and commit message as Patch Set 2.","accounts_in_message":[],"_revision_number":3},{"id":"2c965299495695bb3dcd41f2b23681755963bd25","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-06-27 04:41:46.000000000","message":"Patch Set 3: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/8afe0c2df382416fb50b86095f19a708\n\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/c2d25c3391394a4cad1485757a4cdae5 : SUCCESS in 3m 52s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/6622ec64b69f4f3596980232ae7d1f97 : SUCCESS in 4m 04s\n- openstack-helm-linter https://zuul.opendev.org/t/openstack/build/19bd1ac6ddd54f34a7178fe762bfeb54 : SUCCESS in 4m 09s\n- openstack-helm-pre-commit https://zuul.opendev.org/t/openstack/build/21954fb6b1d643c69161533980563095 : SUCCESS in 3m 29s\n- openstack-helm-build-charts https://zuul.opendev.org/t/openstack/build/d8b758aec1c040bfb749cced24e82d8f : SUCCESS in 40m 09s\n- openstack-helm-cinder-2025-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/b734b4717de44e41850be4eb0feaf283 : SUCCESS in 38m 50s\n- openstack-helm-compute-kit-2025-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/1d2cbb3e00724415b87db866306137fc : SUCCESS in 1h 13m 57s\n- openstack-helm-cinder-2025-2-ubuntu_noble https://zuul.opendev.org/t/openstack/build/c66df9b7511745a6a8cd79859493030c : SUCCESS in 45m 27s\n- openstack-helm-compute-kit-2025-2-ubuntu_noble https://zuul.opendev.org/t/openstack/build/3b9ee6983d584d07853fbe76d12145d6 : SUCCESS in 47m 55s\n- openstack-helm-cinder-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/c75f10697cf1487a85cec759e73505cf : SUCCESS in 43m 39s\n- openstack-helm-compute-kit-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/eb8b4f2ade6845d58a45c5133973f2f2 : SUCCESS in 1h 03m 03s\n- openstack-helm-compute-kit-tls-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/1b3c1cf4b41a47f59be7af836f764dab : SUCCESS in 1h 26m 37s\n- openstack-helm-compute-kit-dpdk-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/2ea20e9bf9424712a90defb6f5b9088f : SUCCESS in 57m 18s\n- openstack-helm-octavia-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/1a7e8c9c5c024ef1824e7ced63ef77b6 : SUCCESS in 1h 18m 39s\n- openstack-helm-blazar-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/36da3d0eb16a497ca6ff740095569805 : SUCCESS in 51m 10s\n- openstack-helm-freezer-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/303ef8694a4a47f0aed40d9e9e7234b1 : SUCCESS in 25m 36s\n- openstack-helm-horizon-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/bc7f2f31395d4dc4a3a3dd6edd96d842 : SUCCESS in 22m 18s\n- openstack-helm-manila-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/47666b19813b455aa95bc10b17a89e8e : SUCCESS in 1h 15m 46s\n- openstack-helm-zaqar-2026-1-ubuntu_noble https://zuul.opendev.org/t/openstack/build/8b39f7413261497a9364c52366de5f0a : SUCCESS in 24m 09s\n- openstack-helm-logging https://zuul.opendev.org/t/openstack/build/4926f4fad632465fb119fadb3a8b8475 : SUCCESS in 39m 51s\n- openstack-helm-monitoring https://zuul.opendev.org/t/openstack/build/49380d5ad08945ed8f0fb24b8e899f43 : SUCCESS in 25m 10s","accounts_in_message":[],"_revision_number":3}],"current_revision_number":3,"current_revision":"db238e7c35f72f574a493d00751c97aa8e85af0c","revisions":{"e6d2429a34ffe3fee619a89114d8f917fa3f34ef":{"kind":"REWORK","_number":1,"created":"2026-06-26 23:45:50.000000000","uploader":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"ref":"refs/changes/59/995159/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/59/995159/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/59/995159/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/59/995159/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/59/995159/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/59/995159/1"}}},"commit":{"parents":[{"commit":"99d96acbaa328426c113da33f5611b10cf1af0e2","subject":"Merge \"manila: Add graceful shutdown support\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/99d96acbaa328426c113da33f5611b10cf1af0e2"}]}],"author":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-26 23:45:19.000000000","tz":-300},"committer":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-26 23:45:42.000000000","tz":-300},"subject":"[WIP] Decouple mTLS client cert name from oslo_db endpoint","message":"[WIP] Decouple mTLS client cert name from oslo_db endpoint\n\nThe mTLS client certificate that each chart presents on outbound\nconnections to MariaDB and RabbitMQ was named after\nendpoints.oslo_db.host_fqdn_override.default.tls.secretName. Users whose\nvalues tooling renders endpoints from a single shared endpoint catalog\nget an identical oslo_db endpoint across every chart, so every chart\nwould render a client Certificate with the same name in the same\nnamespace - a collision.\n\nhelm-toolkit.manifests.certificates now accepts an optional secretName\nparameter. When provided it overrides both metadata.name and\nspec.secretName; when omitted the behavior is unchanged (server-cert\ncallers are unaffected). Each chart\u0027s oslo_db certificate call now passes\nsecrets.tls.client.\u003cchart\u003e, a chart-local value that is never part of\nthe shared endpoint catalog, so each chart always renders a uniquely\nnamed client certificate. The pod client-certs volume already keys off\nthe same value, keeping cert and mount in lockstep.\n\nThe now-redundant secretName entries are removed from the oslo_db\nendpoint blocks in the per-chart TLS value overrides; issuerRef and\nusages are retained.\n\nWIP: check pipeline temporarily reduced to the TLS job only for\ndebugging.\n\nChange-Id: I630bc0cb4efecefe7be32da67107aa6d8c95854f\nSigned-off-by: Vladimir Kozhukalov \u003ckozhukalov@gmail.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/e6d2429a34ffe3fee619a89114d8f917fa3f34ef"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/e6d2429a34ffe3fee619a89114d8f917fa3f34ef"}]},"branch":"refs/heads/master"},"d31da3562453bc14c158bfe6f477dd75a42e963a":{"kind":"REWORK","_number":2,"created":"2026-06-27 02:02:40.000000000","uploader":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"ref":"refs/changes/59/995159/2","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/59/995159/2","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/59/995159/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/59/995159/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/59/995159/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/59/995159/2"}}},"commit":{"parents":[{"commit":"99d96acbaa328426c113da33f5611b10cf1af0e2","subject":"Merge \"manila: Add graceful shutdown support\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/99d96acbaa328426c113da33f5611b10cf1af0e2"}]}],"author":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-26 23:45:19.000000000","tz":-300},"committer":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-27 02:02:32.000000000","tz":-300},"subject":"Decouple mTLS client cert from oslo_db endpoint","message":"Decouple mTLS client cert from oslo_db endpoint\n\nThe mTLS client certificate that each chart presents on outbound\nconnections to MariaDB and RabbitMQ was named after\nendpoints.oslo_db.host_fqdn_override.default.tls.secretName. Users whose\nvalues tooling renders endpoints from a single shared endpoint catalog\nget an identical oslo_db endpoint across every chart, so every chart\nwould render a client Certificate with the same name in the same\nnamespace - a collision.\n\nhelm-toolkit.manifests.certificates now accepts an optional secretName\nparameter. When provided it overrides both metadata.name and\nspec.secretName; when omitted the behavior is unchanged (server-cert\ncallers are unaffected). Each chart\u0027s oslo_db certificate call now passes\nsecrets.tls.client.\u003cchart\u003e, a chart-local value that is never part of\nthe shared endpoint catalog, so each chart always renders a uniquely\nnamed client certificate. The pod client-certs volume already keys off\nthe same value, keeping cert and mount in lockstep.\n\nThe now-redundant secretName entries are removed from the oslo_db\nendpoint blocks in the per-chart TLS value overrides; issuerRef and\nusages are retained.\n\nChange-Id: I630bc0cb4efecefe7be32da67107aa6d8c95854f\nSigned-off-by: Vladimir Kozhukalov \u003ckozhukalov@gmail.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/d31da3562453bc14c158bfe6f477dd75a42e963a"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/d31da3562453bc14c158bfe6f477dd75a42e963a"}]},"branch":"refs/heads/master"},"db238e7c35f72f574a493d00751c97aa8e85af0c":{"kind":"NO_CHANGE","_number":3,"created":"2026-06-27 02:03:55.000000000","uploader":{"_account_id":3009,"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","username":"kozhukalov"},"ref":"refs/changes/59/995159/3","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/openstack-helm","ref":"refs/changes/59/995159/3","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/59/995159/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/59/995159/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/openstack-helm refs/changes/59/995159/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/openstack-helm refs/changes/59/995159/3"}}},"commit":{"parents":[{"commit":"99d96acbaa328426c113da33f5611b10cf1af0e2","subject":"Merge \"manila: Add graceful shutdown support\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/99d96acbaa328426c113da33f5611b10cf1af0e2"}]}],"author":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-27 02:03:54.000000000","tz":-300},"committer":{"name":"Vladimir Kozhukalov","email":"kozhukalov@gmail.com","date":"2026-06-27 02:03:54.000000000","tz":-300},"subject":"Decouple mTLS client cert from oslo_db endpoint","message":"Decouple mTLS client cert from oslo_db endpoint\n\nThe mTLS client certificate that each chart presents on outbound\nconnections to MariaDB and RabbitMQ was named after\nendpoints.oslo_db.host_fqdn_override.default.tls.secretName. Users whose\nvalues tooling renders endpoints from a single shared endpoint catalog\nget an identical oslo_db endpoint across every chart, so every chart\nwould render a client Certificate with the same name in the same\nnamespace - a collision.\n\nhelm-toolkit.manifests.certificates now accepts an optional secretName\nparameter. When provided it overrides both metadata.name and\nspec.secretName; when omitted the behavior is unchanged (server-cert\ncallers are unaffected). Each chart\u0027s oslo_db certificate call now passes\nsecrets.tls.client.\u003cchart\u003e, a chart-local value that is never part of\nthe shared endpoint catalog, so each chart always renders a uniquely\nnamed client certificate. The pod client-certs volume already keys off\nthe same value, keeping cert and mount in lockstep.\n\nThe now-redundant secretName entries are removed from the oslo_db\nendpoint blocks in the per-chart TLS value overrides; issuerRef and\nusages are retained.\n\nChange-Id: I630bc0cb4efecefe7be32da67107aa6d8c95854f\nSigned-off-by: Vladimir Kozhukalov \u003ckozhukalov@gmail.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/db238e7c35f72f574a493d00751c97aa8e85af0c"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/openstack-helm/commit/db238e7c35f72f574a493d00751c97aa8e85af0c"}]},"branch":"refs/heads/master"}},"requirements":[],"submit_records":[{"rule_name":"gerrit~DefaultSubmitRule","status":"OK","labels":[{"label":"Verified","status":"MAY","applied_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}},{"label":"Code-Review","status":"MAY"},{"label":"Workflow","status":"MAY"}]}],"submit_requirements":[{"name":"Verified","description":"Verified in gate by CI","status":"UNSATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Verified\u003dMAX AND -label:Verified\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Verified\u003dMAX","label:Verified\u003dMIN"],"atom_explanations":{"label:Verified\u003dMAX":"","label:Verified\u003dMIN":""}}},{"name":"Code-Review","description":"Code reviewed by core reviewer","status":"UNSATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Code-Review\u003dMAX AND -label:Code-Review\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Code-Review\u003dMAX","label:Code-Review\u003dMIN"],"atom_explanations":{"label:Code-Review\u003dMAX":"","label:Code-Review\u003dMIN":""}}},{"name":"Workflow","description":"Approved for gate by core reviewer","status":"UNSATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Workflow\u003dMAX AND -label:Workflow\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Workflow\u003dMAX","label:Workflow\u003dMIN"],"atom_explanations":{"label:Workflow\u003dMAX":"","label:Workflow\u003dMIN":""}}}]}