Synchronise 2026.1 with upstream#282
Open
github-actions[bot] wants to merge 4 commits into
Open
Conversation
Change-Id: I8f85a9f5ed60040f9c89b8750d267ee75e656fe5 Signed-off-by: Michal Nasiadka <mnasiadka@gmail.com> (cherry picked from commit f7ddcfd)
During nodegroup creation, Cluster label dict is assigned directly to the nodegroup and then updated with new labels. This has the effect of changing the Cluster labels which is not the desired change. Closes-bug: #2129739 Change-Id: I3c4f8e2fb0f7620ecb39c882aaf2d3bec1cb1eae Co-authored-by: Sam Morrison <sorrison@gmail.com> Signed-off-by: Dale Smith <dale@catalystcloud.nz> (cherry picked from commit 34283af)
Keystone CVE-2026-43000 blocks all application credential tokens (including unrestricted ones) from managing trusts. When a federated user authenticates via an application credential and then requests a cluster, Magnum's trust creation now fails with HTTP 403 and an opaque TrustCreateFailed error that gives no guidance. Compatible with pre-CVE Keystone: the trust creation is attempted regardless; unrestricted application credentials continue to work on older Keystone deployments that allow them. Change-Id: I089f7948eae19ba6b263a8bb428be9d6b9e65109 Signed-off-by: Michal Nasiadka <mnasiadka@gmail.com>
Add a `needs_trust` class attribute (default `True`) to the base `Driver` class so drivers can declare they do not require a Keystone trustee/trust. In-tree Heat-based drivers continue to create trusts by default; out-of-tree drivers using Kubernetes Cluster API can set `needs_trust = False` to skip the trust lifecycle entirely. This can help alleviate the recent Keystone CVE changes and allow using an unrestricted application credential for creating a cluster which doesn't need a Keystone trust established. Change-Id: I53afb4139d320737007a58c0b1a750932e0b5c3e Signed-off-by: Michal Nasiadka <mnasiadka@gmail.com>
github-actions
Bot
added
automated
Member
|
I'd say we don't need that fork, what's the reason we're merging this? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains a snapshot of 2026.1 from upstream stable/2026.1.