Restructure requirements for easier upstream syncing

[SeanMeyer]

Summary

This PR restructures the Python requirements files to use an overlay approach, making it easier to sync with upstream Netflix/lemur:

• requirements-base.in: Direct copy from upstream Netflix/lemur requirements.in - can be overwritten with curl during upstream sync
• requirements-datadog.in: Datadog-specific additions and security overrides - maintained separately
• requirements.in: Simple include file that combines both

Datadog-specific additions include:

• Internal packages (cert_orchestration_adapter)
• Additional integrations (azure-*, google-cloud-compute, cert_manager, logmatic-python)
• Version pins for compatibility (cryptography for FIPS, anyio, dnspython, etc.)
• Security overrides not yet fixed in upstream

Security pins removed (upstream now satisfies):

• requests (upstream has 2.32.5)
• werkzeug (upstream has 3.1.5)
• Flask-Cors (upstream has 6.0.2)
• grpcio (upstream has 1.76.0)
• sentry-sdk (upstream has 2.51.0)
• pyjwt (upstream has 2.10.1)
• zipp (upstream has 3.23.0)

Security pins remained (upstream still vulnerable):

• jinja2 >= 3.1.6 (CVE-2024-56201, CVE-2024-56326, CVE-2025-27516) - upstream has 3.1.3
• python_ldap >= 3.4.5 (CVE-2025-61911, CVE-2025-61912) - upstream has 3.4.4
• h11 >= 0.16.0 (CVE-2025-43859)

Security pins added:

• urllib3 >= 2.5.0 (CVE-2025-50181, CVE-2025-50182) - upstream has 1.26.18
  This is the underlying purpose of the PR, adding this security fix.

Future Upstream Sync Workflow

# 1. Fetch latest upstream requirements
curl https://raw.githubusercontent.com/Netflix/lemur/main/requirements.in > requirements-base.in

# 2. Recompile all requirements
make up-reqs

# 3. Review changes and commit
git diff
git add -A && git commit -m "Sync requirements from upstream Netflix/lemur"

Test plan

• Verify pip install -r requirements.txt works
• Verify pip install -r requirements-tests.txt works
• Run existing tests to confirm no regressions
• Verify security pins are applied correctly (check resolved versions in requirements.txt)

[SeanMeyer]

@codex review

[chatgpt-codex-connector]

To use Codex here, create a Codex account and connect to github.

[SeanMeyer]

Local Verification Results

Check	Status
Security pins resolved correctly	✅ urllib3==2.6.3, jinja2==3.1.6, python-ldap==3.4.5, h11==0.16.0
pip install -r requirements.txt	✅ Installs successfully
pip install -r requirements-tests.txt	✅ Installs successfully
Unit tests	⚠️ Require PostgreSQL database (same behavior on master - CI will validate)

[SeanMeyer]

FYI I also have a smaller scope PR that just addresses the urllib3 vulns here: #221. But after thinking about it more I decided to go with this approach to sync from upstream. I'm open to whichever the maintainers of this repo prefer.

[maperu]

Validated the unit tests, lgtm

[SeanMeyer]

/merge

[gh-worker-devflow-routing-ef8351]

View all feedbacks in Devflow UI.

2026-01-29 20:14:38 UTC ℹ️ Start processing command /merge

---

2026-01-29 20:15:06 UTC ℹ️ MergeQueue: waiting for PR to be ready

This pull request is not mergeable according to GitHub. Common reasons include pending required checks, missing approvals, or merge conflicts — but it could also be blocked by other repository rules or settings.
It will be added to the queue as soon as checks pass and/or get approvals. View in MergeQueue UI.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.

---

2026-01-29 20:28:39 UTC ⚠️ MergeQueue: This merge request was unqueued

maxime.perusse@datadoghq.com unqueued this merge request

[maperu]

/merge -c

[gh-worker-devflow-routing-ef8351]

View all feedbacks in Devflow UI.

2026-01-29 20:28:19 UTC ℹ️ Start processing command /merge -c

[maperu]

/merge

[gh-worker-devflow-routing-ef8351]

View all feedbacks in Devflow UI.

2026-01-29 20:52:45 UTC ℹ️ Start processing command /merge

---

2026-01-29 20:53:26 UTC ℹ️ MergeQueue: waiting for PR to be ready

This pull request is not mergeable according to GitHub. Common reasons include pending required checks, missing approvals, or merge conflicts — but it could also be blocked by other repository rules or settings.
It will be added to the queue as soon as checks pass and/or get approvals. View in MergeQueue UI.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.

---

2026-01-30 00:54:21 UTC ⚠️ MergeQueue: This merge request was unqueued

devflow unqueued this merge request: It did not become mergeable within the expected time

[maperu]

/merge

[gh-worker-devflow-routing-ef8351]

View all feedbacks in Devflow UI.

2026-01-29 21:03:06 UTC ℹ️ Start processing command /merge

---

2026-01-29 21:03:10 UTC ❌ MergeQueue

PR already in the queue with status waiting

[maperu]

/merge

[gh-worker-devflow-routing-ef8351]

View all feedbacks in Devflow UI.

2026-02-02 15:25:44 UTC ℹ️ Start processing command /merge

---

2026-02-02 15:25:51 UTC ℹ️ MergeQueue: waiting for PR to be ready

This pull request is not mergeable according to GitHub. Common reasons include pending required checks, missing approvals, or merge conflicts — but it could also be blocked by other repository rules or settings.
It will be added to the queue as soon as checks pass and/or get approvals. View in MergeQueue UI.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.

---

2026-02-02 15:27:19 UTC ⚠️ MergeQueue: This merge request was unqueued

maxime.perusse@datadoghq.com unqueued this merge request

[maperu]

/merge -c

[gh-worker-devflow-routing-ef8351]

View all feedbacks in Devflow UI.

2026-02-02 18:49:34 UTC ℹ️ Start processing command /remove

---

2026-02-02 18:49:37 UTC ℹ️ Devflow: /remove

[maperu]

/merge

[gh-worker-devflow-routing-ef8351]

View all feedbacks in Devflow UI.

2026-02-02 18:58:42 UTC ℹ️ Start processing command /merge

---

2026-02-02 18:58:49 UTC ℹ️ MergeQueue: waiting for PR to be ready

This pull request is not mergeable according to GitHub. Common reasons include pending required checks, missing approvals, or merge conflicts — but it could also be blocked by other repository rules or settings.
It will be added to the queue as soon as checks pass and/or get approvals. View in MergeQueue UI.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.

---

2026-02-02 19:37:38 UTC ℹ️ MergeQueue: merge request added to the queue

The expected merge time in master is approximately 0s (p90).

---

2026-02-02 19:53:24 UTC ℹ️ MergeQueue: This merge request was merged

[maperu]

/merge

[gh-worker-devflow-routing-ef8351]

View all feedbacks in Devflow UI.

2026-02-02 19:22:31 UTC ℹ️ Start processing command /merge

---

2026-02-02 19:22:34 UTC ❌ MergeQueue

PR already in the queue with status waiting