From c73ef055b1316a96ddf5c5ff63d83d753dfbf522 Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Fri, 22 Aug 2025 17:16:21 +0200 Subject: [PATCH 1/2] [stable-only]: Switch to uWSGI module For some reason (pbr, setuptools, upper-constraints, devstack itself) devstack can't find /opt/stack/data/venv/bin/magnum-api-wsgi It's a partial cherry-pick of If8a155a3cebf8cd6a6d22ed7617f2777fbfac11f buster-slim got moved to debian/eol marking flannel jobs as non-voting for now Change-Id: I331ef443c626c8f8936e75ac20b76a464092fbf1 Signed-off-by: Michal Nasiadka --- .zuul.yaml | 6 ++++-- devstack/lib/magnum | 4 ++-- dockerfiles/helm-client/Dockerfile | 2 +- magnum/wsgi/api.py | 24 ++++++++++++++++++++++++ 4 files changed, 31 insertions(+), 5 deletions(-) create mode 100644 magnum/wsgi/api.py diff --git a/.zuul.yaml b/.zuul.yaml index c9fff8038a..6bdaf43813 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -145,9 +145,11 @@ jobs: - magnum-tempest-plugin-tests-api - magnum-tempest-plugin-tests-api-jammy - - magnum-tempest-plugin-tests-cluster-k8s_fcos_v1-1.27-flannel + - magnum-tempest-plugin-tests-cluster-k8s_fcos_v1-1.27-flannel: + voting: false - magnum-tempest-plugin-tests-cluster-k8s_fcos_v1-1.27-calico - - magnum-tempest-plugin-tests-cluster-k8s_fcos_v1-1.28-flannel + - magnum-tempest-plugin-tests-cluster-k8s_fcos_v1-1.28-flannel: + voting: false - magnum-tempest-plugin-tests-cluster-k8s_fcos_v1-1.28-calico - magnum-container-build gate: diff --git a/devstack/lib/magnum b/devstack/lib/magnum index 22d47a4be3..c07434de6c 100644 --- a/devstack/lib/magnum +++ b/devstack/lib/magnum @@ -49,7 +49,7 @@ MAGNUM_API_PASTE=$MAGNUM_CONF_DIR/api-paste.ini MAGNUM_K8S_KEYSTONE_AUTH_DEFAULT_POLICY=$MAGNUM_CONF_DIR/k8s_keystone_auth_default_policy.json MAGNUM_POLICY=$MAGNUM_CONF_DIR/policy.yaml -MAGNUM_UWSGI=$MAGNUM_BIN_DIR/magnum-api-wsgi +MAGNUM_UWSGI=magnum.wsgi.api:application MAGNUM_UWSGI_CONF=$MAGNUM_CONF_DIR/magnum-api-uwsgi.ini # Public facing bits 
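Review bot: The two `k8s_fcos_v1-1.27-flannel` and `1.28-flannel` jobs are switched to `voting: false` with nothing in the file recording why or when they should be restored, so the check pipeline on this branch quietly stops enforcing the flannel network-driver tests. The commit message only says "for now", which will not be visible to the next person editing the job list. I would add a comment above each of the two entries, `# TODO: non-voting (presumably failing) on this stable branch; restore voting once the fcos flannel jobs pass again`, so the exception is self-describing in .zuul.yaml.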
@@ -242,7 +242,7 @@ function create_magnum_conf { iniset $MAGNUM_CONF kubernetes keystone_auth_default_policy $MAGNUM_K8S_KEYSTONE_AUTH_DEFAULT_POLICY - write_uwsgi_config "$MAGNUM_UWSGI_CONF" "$MAGNUM_UWSGI" "/container-infra" + write_uwsgi_config "$MAGNUM_UWSGI_CONF" "$MAGNUM_UWSGI" "/container-infra" "" "magnum-api" } function create_api_paste_conf { diff --git a/dockerfiles/helm-client/Dockerfile b/dockerfiles/helm-client/Dockerfile index 2f5c4402ee..42f648989f 100644 --- a/dockerfiles/helm-client/Dockerfile +++ b/dockerfiles/helm-client/Dockerfile @@ -1,5 +1,5 @@ ARG HELM_VERSION=v3.2.0 -FROM debian:buster-slim +FROM debian/eol:buster-slim ARG HELM_VERSION diff --git a/magnum/wsgi/api.py b/magnum/wsgi/api.py new file mode 100644 index 0000000000..49105c7616 --- /dev/null +++ b/magnum/wsgi/api.py @@ -0,0 +1,24 @@ +# -*- mode: python -*- +# +# Copyright 2017 SUSE Linux GmbH +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import sys + +from magnum.api import app as api_app +from magnum.common import service + +service.prepare_service(sys.argv) + +application = api_app.load_app() From aa954f9adbca132c5229e73ee8dda4b118268269 Mon Sep 17 00:00:00 2001 
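Review bot: The rewritten `write_uwsgi_config` call passes a bare `""` as the fourth positional argument followed by `"magnum-api"`, and nothing in `create_magnum_conf` says what either selects; a reader has to open devstack's lib/apache to learn why the empty string is needed. Presumably the empty argument is the optional http listen setting and `"magnum-api"` supplies an app name because `$MAGNUM_UWSGI` is now a module path rather than a file whose basename could be used, but that is inferred, not visible here. A one-line comment above the call, `# 4th arg (http) intentionally empty; "magnum-api" names the uwsgi app since MAGNUM_UWSGI is now a module path`, would carry that, after confirming the argument meanings against the devstack branch this stable branch pins.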
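Review bot: `FROM debian/eol:buster-slim` pins the helm-client image to a Debian release that no longer receives security updates, and nothing in the Dockerfile records that this is a deliberate stable-branch stopgap rather than a supported base. The visible `ARG HELM_VERSION=v3.2.0` default shows the image is already old, so a reader will not otherwise know the base was frozen on purpose. I would add `# NOTE(stable): buster is EOL and receives no security fixes; rebased onto debian/eol only to keep this branch building. Move to a supported release (or at least pin by digest) before shipping this image.` above the `FROM` line, and if `debian/eol` is not an image the Debian Docker maintainers publish, verify its provenance before CI starts pulling it.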
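Review bot: `magnum/wsgi/api.py` is a new importable module with no docstring, and its only statements run at import time: `service.prepare_service(sys.argv)` hands the hosting uWSGI process's argv to config parsing rather than anything Magnum controls, so an unexpected uwsgi argument would surface as a config error on first import; if the old `magnum-api-wsgi` script did the same this is only worth documenting, otherwise `service.prepare_service(sys.argv[:1])` is the safer call (I have not checked `prepare_service`'s handling of argv). I would open the file with `"""WSGI entry point for the Magnum API; loaded by uWSGI as magnum.wsgi.api:application (see MAGNUM_UWSGI in devstack/lib/magnum)."""` and drop the `# -*- mode: python -*-` line, which only matters for extension-less `.wsgi` scripts. The diffstat creates only this file, so unless `magnum/wsgi/__init__.py` already exists on this branch, `magnum.wsgi` is an implicit namespace package that pbr's package discovery may leave out of the sdist/wheel — worth confirming with a build.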
From: Jack Hodgkiss Date: Fri, 31 Jan 2025 10:55:02 +0000 Subject: [PATCH 2/2] certs: add subject key identifier extension Add the subject key identifier extension to the certificate generated by Magnum. Which should permit Kubernetes clusters to have certificates that include authority key identifier extension which appears to be a requirement in Python 3.13 and newer. Closes-Bug: #2097094 Change-Id: I13bbb97c8b17fbba2f5f1acfac9d597f12925818 (cherry picked from commit 89f185b1972db25c8af84c7ca50c5ffc2af65613) Signed-off-by: Michal Nasiadka --- magnum/common/x509/operations.py | 6 ++++++ magnum/tests/unit/common/x509/test_sign.py | 20 +++++++++++++++++++ ...ubject-key-identifer-ae5c6ebe86749239.yaml | 7 +++++++ 3 files changed, 33 insertions(+) create mode 100644 releasenotes/notes/add-subject-key-identifer-ae5c6ebe86749239.yaml diff --git a/magnum/common/x509/operations.py b/magnum/common/x509/operations.py index 7d8c5a8ebe..8e2c59a5f8 100644 --- a/magnum/common/x509/operations.py +++ b/magnum/common/x509/operations.py @@ -223,6 +223,12 @@ def sign(csr, issuer_name, ca_key, ca_key_password=None, builder = builder.add_extension(extention.value, critical=extention.critical) + subject_key_identifier = x509.SubjectKeyIdentifier.from_public_key( + csr.public_key()) + builder = builder.add_extension( + subject_key_identifier, critical=False + ) + certificate = builder.sign( private_key=ca_key, algorithm=hashes.SHA256(), ).public_bytes(serialization.Encoding.PEM).strip() diff --git a/magnum/tests/unit/common/x509/test_sign.py b/magnum/tests/unit/common/x509/test_sign.py index 42083ebfe0..e52a513bf7 100644 --- a/magnum/tests/unit/common/x509/test_sign.py +++ b/magnum/tests/unit/common/x509/test_sign.py 
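Review bot: The new `add_extension` call for the Subject Key Identifier is unconditional, while the loop ending just above it (its header, and the start of `sign()`, lie outside this hunk) appears to copy every extension from the CSR onto the builder, so a CSR that already carries an SKI would trigger cryptography's duplicate-extension `ValueError` and the signing request would fail. Deriving the identifier from `csr.public_key()` is the right source — the CA should not trust a requester-supplied SKI — so I would skip the CSR's copy rather than drop the derived value. That touches the copy loop, whose `for` line below is reconstructed from the hunk's context and should be checked against the file.
```python
    for extention in csr.extensions:
        # The CA derives the SKI itself; never copy a requester-supplied one.
        if extention.oid == x509.oid.ExtensionOID.SUBJECT_KEY_IDENTIFIER:
            continue
        builder = builder.add_extension(extention.value,
                                        critical=extention.critical)

    # Non-critical per RFC 5280; lets Kubernetes-issued leaf certs carry a
    # matching Authority Key Identifier.
    builder = builder.add_extension(
        x509.SubjectKeyIdentifier.from_public_key(csr.public_key()),
        critical=False)
    # … unchanged: builder.sign(...) …
```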
@@ -233,6 +233,26 @@ def test_sign_empty_chars(self, mock_load_pem): self.assertEqual(certificate, certificate.strip()) + # If a subject key identifier is given in the CSR, ensure it is added + @mock.patch('cryptography.x509.load_pem_x509_csr') + def test_sign_subject_key_identifier(self, mock_load_pem): + ca_key = self._generate_private_key() + private_key = self._generate_private_key() + csr_obj = self._build_csr(private_key) + csr = csr_obj.public_bytes(serialization.Encoding.PEM) + csr = csr.decode('utf-8') + + mock_load_pem.return_value = csr_obj + certificate = operations.sign(csr, self.issuer_name, + ca_key, skip_validation=True) + + # Ensure the Subject Key Identifier extension is present + cert = c_x509.load_pem_x509_certificate(certificate) + ext_ski = [ext for ext in cert.extensions + if cert.extensions[0].oid == + c_x509.oid.ExtensionOID.SUBJECT_KEY_IDENTIFIER] + self.assertEqual(len(ext_ski), 1) + def test_sign_with_invalid_csr(self): ca_key = self._generate_private_key() csr = 'test' diff --git a/releasenotes/notes/add-subject-key-identifer-ae5c6ebe86749239.yaml b/releasenotes/notes/add-subject-key-identifer-ae5c6ebe86749239.yaml new file mode 100644 index 0000000000..570aa7423a --- /dev/null +++ b/releasenotes/notes/add-subject-key-identifer-ae5c6ebe86749239.yaml @@ -0,0 +1,7 @@ +--- +features: + - | + Add subject key identifier extension to x509 operations + signing function. Allows for magnum Kubernetes clusters + to generate certificates with authority key + identifier extension.
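Review bot: The list comprehension at the end of `test_sign_subject_key_identifier` compares `cert.extensions[0].oid`, not `ext.oid`, so it keeps either every extension or none depending on which extension happens to come first; it presumably passes only because the signed certificate ends up with a single extension. The leading comment is also wrong: the CSR from `_build_csr` is not given an SKI here, and the assertion is that `sign()` adds one. I would replace the comprehension and `assertEqual` with `ski = cert.extensions.get_extension_for_class(c_x509.SubjectKeyIdentifier)` and `self.assertEqual(c_x509.SubjectKeyIdentifier.from_public_key(private_key.public_key()), ski.value)`, which also pins that the identifier is derived from the certified key, and reword the comment to `# sign() must add a Subject Key Identifier derived from the CSR's public key`.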