From 8885d030133f4ef4ddc47e432600111bd148193a Mon Sep 17 00:00:00 2001
From: Doug Goldstein
Date: Mon, 1 Dec 2025 13:12:23 -0600
Subject: [PATCH 1/3] chore(keystone): variablize mod_auth_openidc version

Make the mod_auth_openidc version a variable to make updating this easier.
---
 containers/keystone/Dockerfile | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/containers/keystone/Dockerfile b/containers/keystone/Dockerfile
index ee2c04da2..f1ff09c3c 100644
--- a/containers/keystone/Dockerfile
+++ b/containers/keystone/Dockerfile
@@ -3,9 +3,12 @@ ARG OPENSTACK_VERSION="required_argument"
 FROM quay.io/airshipit/keystone:${OPENSTACK_VERSION}-ubuntu_jammy
-ADD --checksum=sha256:deb52ea8304a41ee0331e4ba87a9f82ff643464b6d34084e161f58ec11c25a69 https://github.com/OpenIDC/mod_auth_openidc/releases/download/v2.4.16.5/libapache2-mod-auth-openidc_2.4.16.5-1.jammy_amd64.deb /tmp
+# renovate: datasource=github-releases depName=OpenIDC/mod_auth_openidc
+ARG MOD_AUTH_OPENIDC_VERSION=2.4.16.5
+ARG MOD_AUTH_OPENIDC_SHA256=deb52ea8304a41ee0331e4ba87a9f82ff643464b6d34084e161f58ec11c25a69
+ADD --checksum=sha256:${MOD_AUTH_OPENIDC_SHA256} https://github.com/OpenIDC/mod_auth_openidc/releases/download/v${MOD_AUTH_OPENIDC_VERSION}/libapache2-mod-auth-openidc_${MOD_AUTH_OPENIDC_VERSION}-1.jammy_amd64.deb /tmp
 RUN apt-get update && \
 apt-get install -y --no-install-recommends \
- /tmp/libapache2-mod-auth-openidc_2.4.16.5-1.jammy_amd64.deb \
+ /tmp/libapache2-mod-auth-openidc_${MOD_AUTH_OPENIDC_VERSION}-1.jammy_amd64.deb \
 && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/*.deb
From 5b564f6f5fa11f4970a8af1f23b7e98fa80238c9 Mon Sep 17 00:00:00 2001
From: Doug Goldstein
Date: Mon, 1 Dec 2025 13:13:56 -0600
Subject: [PATCH 2/3] chore(keystone): bump mod_auth_openidc to 2.4.16.11

Bump to the latest stable 2.4.16 version to catch some bug fixes.
---
 containers/keystone/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
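Review bot: The `# renovate:` annotation added in the PATCH 1/3 hunk of containers/keystone/Dockerfile sits above `MOD_AUTH_OPENIDC_VERSION` only, so an automated version bump will presumably leave `MOD_AUTH_OPENIDC_SHA256` stale. `ADD --checksum` then fails the build, which is the safe outcome, but nothing in the file says the digest has to be recomputed by hand. I would add a comment above the second ARG such as `# sha256 of the jammy_amd64 .deb for MOD_AUTH_OPENIDC_VERSION; recompute from the release asset on every bump`. Moving the digest into an `ARG` also makes it overridable with `--build-arg`, so the pin is now only as strong as the build invocation; if the pipeline forwards caller-supplied build args, keeping the digest as a literal on the `ADD` line preserves the original guarantee.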
diff --git a/containers/keystone/Dockerfile b/containers/keystone/Dockerfile
index f1ff09c3c..70f3131f1 100644
--- a/containers/keystone/Dockerfile
+++ b/containers/keystone/Dockerfile
@@ -4,8 +4,8 @@ ARG OPENSTACK_VERSION="required_argument"
 FROM quay.io/airshipit/keystone:${OPENSTACK_VERSION}-ubuntu_jammy
 # renovate: datasource=github-releases depName=OpenIDC/mod_auth_openidc
-ARG MOD_AUTH_OPENIDC_VERSION=2.4.16.5
-ARG MOD_AUTH_OPENIDC_SHA256=deb52ea8304a41ee0331e4ba87a9f82ff643464b6d34084e161f58ec11c25a69
+ARG MOD_AUTH_OPENIDC_VERSION=2.4.16.11
+ARG MOD_AUTH_OPENIDC_SHA256=f5b8751fe2dc7e249c8bf0f7b376cecf90427ba8ba280f18f850fc658047f091
 ADD --checksum=sha256:${MOD_AUTH_OPENIDC_SHA256} https://github.com/OpenIDC/mod_auth_openidc/releases/download/v${MOD_AUTH_OPENIDC_VERSION}/libapache2-mod-auth-openidc_${MOD_AUTH_OPENIDC_VERSION}-1.jammy_amd64.deb /tmp
 RUN apt-get update && \
From 5012b8fc4ddae603578866b147749e8ff875014d Mon Sep 17 00:00:00 2001
From: Doug Goldstein
Date: Mon, 1 Dec 2025 15:15:24 -0600
Subject: [PATCH 3/3] feat: switch to running the ansible container for bootstrap by default

We want to use the ansible container for all of our bootstrap activities in the future so switch to running it by default. Rename the keystone playbook to match the other services.
---
 .../{keystone_bootstrap.yaml => keystone-post-deploy.yaml} | 0
 components/images-openstack.yaml | 2 +-
 components/keystone/values.yaml | 6 +-----
 3 files changed, 2 insertions(+), 6 deletions(-)
 rename ansible/{keystone_bootstrap.yaml => keystone-post-deploy.yaml} (100%)
diff --git a/ansible/keystone_bootstrap.yaml b/ansible/keystone-post-deploy.yaml
similarity index 100%
rename from ansible/keystone_bootstrap.yaml
rename to ansible/keystone-post-deploy.yaml
diff --git a/components/images-openstack.yaml b/components/images-openstack.yaml
index d344e2311..a3b3f05aa 100644
--- a/components/images-openstack.yaml
+++ b/components/images-openstack.yaml
@@ -5,7 +5,7 @@ images:
 tags:
 # these are common across all these OpenStack Helm installations
- bootstrap: "quay.io/airshipit/heat:2025.2-ubuntu_jammy"
+ bootstrap: "ghcr.io/rackerlabs/understack/ansible:latest"
 db_init: "quay.io/airshipit/heat:2025.2-ubuntu_jammy"
 db_drop: "quay.io/airshipit/heat:2025.2-ubuntu_jammy"
 ks_user: "quay.io/airshipit/heat:2025.2-ubuntu_jammy"
diff --git a/components/keystone/values.yaml b/components/keystone/values.yaml
index 3ddc338a3..a678213a1 100644
--- a/components/keystone/values.yaml
+++ b/components/keystone/values.yaml
@@ -2,15 +2,11 @@
 ---
 release_group: null
-images:
- tags:
- bootstrap: "ghcr.io/rackerlabs/understack/ansible:latest"
-
 bootstrap:
 enabled: true
 ks_user: admin
 script: |
- ansible-runner run /runner --playbook keystone_bootstrap.yaml -vv
+ ansible-runner run /runner --playbook keystone-post-deploy.yaml -vv
 network:
 # configure OpenStack Helm to use Undercloud's ingress
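Review bot: The new default `bootstrap: "ghcr.io/rackerlabs/understack/ansible:latest"` in components/images-openstack.yaml is a mutable tag, while every neighbouring entry is pinned to `2025.2-ubuntu_jammy`. The comment above it says these tags are common to all the OpenStack Helm installations, so every bootstrap job now runs whatever was last pushed under `latest`. The keystone values show that job configured with `ks_user: admin`, so I would pin the image to a release tag plus digest, e.g. `bootstrap: "ghcr.io/rackerlabs/understack/ansible:<RELEASE_TAG>@sha256:<IMAGE_DIGEST>"` (placeholders), and let the update bot move it. The components/keystone/values.yaml hunk is affected by the same point: its script now calls `keystone-post-deploy.yaml`, which exists only in images built after the rename, so a node holding an older cached `latest` would presumably fail the job, depending on a pull policy that is not visible here.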