
Appendix B -- As-Built Version / Channel / Revision Lock

Source: juju export-bundle (model openstack) + the in-cloud mgmt-cluster captures, 2026-06-09. ASCII-only.

POLICY (D-002 + consolidation prompt): the bundle PINS CHANNELS, not revisions. This appendix records the as-built REVISIONS as the known-good baseline. A fresh deploy resolving a channel to a higher revision than below is EXPECTED -- treat this as "last-known-good," verify against Charmhub at pre-flight, and refresh the table on a successful validated deploy.

B.1 Charm channels + as-built revisions

| Application | Charm | Channel (pinned) | As-built rev |
|---|---|---|---|
| barbican | barbican | 2024.1/stable | 209 |
| barbican-hacluster | hacluster | 2.4/stable | 131 |
| barbican-mysql-router | mysql-router | 8.0/stable | 1154 |
| barbican-vault | barbican-vault | 2024.1/stable | 75 |
| ceph-mon | ceph-mon | squid/stable | 268 |
| ceph-osd | ceph-osd | squid/stable | 632 |
| ceph-radosgw | ceph-radosgw | squid/stable | 600 |
| ceph-radosgw-hacluster | hacluster | 2.4/stable | 131 |
| cinder | cinder | 2024.1/stable | 733 |
| cinder-ceph | cinder-ceph | 2024.1/stable | 533 |
| cinder-hacluster | hacluster | 2.4/stable | 131 |
| cinder-mysql-router | mysql-router | 8.0/stable | 1154 |
| dashboard-mysql-router | mysql-router | 8.0/stable | 1136 |
| glance | glance | 2024.1/stable | 642 |
| glance-hacluster | hacluster | 2.4/stable | 131 |
| glance-mysql-router | mysql-router | 8.0/stable | 1154 |
| glance-simplestreams-sync | glance-simplestreams-sync | 2024.1/stable | 124 |
| keystone | keystone | 2024.1/stable | 778 |
| keystone-hacluster | hacluster | 2.4/stable | 131 |
| keystone-mysql-router | mysql-router | 8.0/stable | 1154 |
| magnum | magnum | 2024.1/stable | 70 |
| magnum-dashboard | magnum-dashboard | 2024.1/stable | 59 |
| magnum-hacluster | hacluster | 2.4/stable | 131 |
| magnum-mysql-router | mysql-router | 8.0/stable | 1154 |
| memcached | memcached | latest/stable | 39 |
| mysql-innodb-cluster | mysql-innodb-cluster | 8.0/stable | 159 |
| ncc-mysql-router | mysql-router | 8.0/stable | 1136 |
| neutron-api | neutron-api | 2024.1/stable | 650 |
| neutron-api-hacluster | hacluster | 2.4/stable | 131 |
| neutron-api-mysql-router | mysql-router | 8.0/stable | 1154 |
| neutron-api-plugin-ovn | neutron-api-plugin-ovn | 2024.1/stable | 178 |
| nova-cloud-controller | nova-cloud-controller | 2024.1/stable | 795 |
| nova-cloud-controller-hacluster | hacluster | 2.4/stable | 131 |
| nova-compute | nova-compute | 2024.1/stable | 827 |
| octavia | octavia | 2024.1/stable | 441 |
| octavia-dashboard | octavia-dashboard | 2024.1/stable | 120 |
| octavia-diskimage-retrofit | octavia-diskimage-retrofit | 2024.1/stable | 196 |
| octavia-hacluster | hacluster | 2.4/stable | 131 |
| octavia-mysql-router | mysql-router | 8.0/stable | 1154 |
| openstack-dashboard | openstack-dashboard | 2024.1/stable | 728 |
| openstack-dashboard-hacluster | hacluster | 2.4/stable | 131 |
| ovn-central | ovn-central | 24.03/stable | 311 |
| ovn-chassis | ovn-chassis | 24.03/stable | 396 |
| ovn-chassis-octavia | ovn-chassis | 24.03/stable | 396 |
| placement | placement | 2024.1/stable | 125 |
| placement-hacluster | hacluster | 2.4/stable | 131 |
| placement-mysql-router | mysql-router | 8.0/stable | 1154 |
| rabbitmq-server | rabbitmq-server | 3.9/stable | 295 |
| vault | vault | 1.8/stable | 372 |
| vault-mysql-router | mysql-router | 8.0/stable | 1136 |

Notes:

  • memcached is on latest/stable (rev 39) -- the only charm not on a versioned track. AT PRE-FLIGHT run juju info memcached to list available tracks; if no stable versioned track exists, either pin revision 39 explicitly in the bundle or accept latest/stable knowingly. Flagged as a drift candidate.
  • mysql-router subordinates show mixed as-built revisions (most 1154; the ncc/dashboard/vault routers at 1136) on the SAME 8.0/stable channel. This is benign under channel-pinning (all resolve to current 8.0/stable on redeploy); recorded only for completeness.
  • EXCLUDED from the bundle: the k8s charm (channel 1.32/stable) deployed on Juju machine 4 / MAAS capi-mgmt (10.12.4.100). That is the retired D-033 out-of-cloud node, slated for Phase 7 teardown; the in-cloud mgmt cluster (D-035) replaces it. It is intentionally absent here.
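
Added example (not part of this runbook or of scripts/pre-flight-checks.sh): one way to compare a live model against the B.1 baseline under the channel-pinning policy, separating an expected higher revision from a moved channel. Three baseline rows are copied from the table; the live JSON is constructed, and its field names are assumed to match `juju status --format json`.

```python
import json

# Rows copied from the B.1 table: application -> (charm, pinned channel, as-built rev).
BASELINE = {
    "keystone": ("keystone", "2024.1/stable", 778),
    "memcached": ("memcached", "latest/stable", 39),
    "vault-mysql-router": ("mysql-router", "8.0/stable", 1136),
}

# Constructed sample in the shape of `juju status --format json`; the field
# names and every value below are assumptions, not a capture from this cloud.
LIVE_JSON = """{"applications": {
  "keystone": {"charm-name": "keystone", "charm-channel": "2024.1/stable", "charm-rev": 790},
  "memcached": {"charm-name": "memcached", "charm-channel": "latest/stable", "charm-rev": 39},
  "vault-mysql-router": {"charm-name": "mysql-router", "charm-channel": "8.0/edge", "charm-rev": 1200},
  "k8s": {"charm-name": "k8s", "charm-channel": "1.32/stable", "charm-rev": 1}
}}"""


def classify(baseline, live_apps):
    """Return {application: [findings]} for a live model against the baseline."""
    findings = {}
    for app, (charm, channel, rev) in baseline.items():
        cur = live_apps.get(app)
        if cur is None:
            findings[app] = ["missing"]
            continue
        notes = []
        if cur["charm-name"] != charm:
            notes.append("charm-changed")
        if cur["charm-channel"] != channel:
            notes.append("channel-drift")      # the pin itself moved: investigate
        elif cur["charm-rev"] > rev:
            notes.append("newer-rev")          # expected under channel pinning
        elif cur["charm-rev"] < rev:
            notes.append("older-rev")          # below last-known-good
        if channel.split("/")[0] == "latest":
            notes.append("unversioned-track")  # e.g. memcached
        findings[app] = notes or ["match"]
    for app in sorted(live_apps.keys() - baseline.keys()):
        findings[app] = ["not-in-baseline"]    # e.g. the excluded k8s charm
    return findings


def check(live_json=LIVE_JSON):
    return classify(BASELINE, json.loads(live_json)["applications"])


if __name__ == "__main__":
    for app, notes in sorted(check().items()):
        print(f"{app:22} {', '.join(notes)}")
```
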

B.2 In-cloud management cluster + CAPI constellation (D-034 / D-035 / D-037)

Node capi-mgmt-v2 (FIP 10.12.7.40, internal 10.20.0.45), single-node, non-CAPI-managed:

  • k8s-snap: channel 1.32-classic/stable, rev 5326, k8s v1.32.13 (classic confinement)
  • CAPI core + kubeadm-bootstrap + kubeadm-control-plane: v1.13.2
  • CAPO (infra provider): v0.14.4
  • cert-manager: v1.20.2
  • ORC: v2.5.0 [install BEFORE `clusterctl init` -- CAPO v0.14.4 hard-deps the ORC Image CRD]
  • CAAPH (cluster-api-addon-provider): chart 0.12.0 (helm --version, from dependencies.json; deploys image 62f7c00)
  • cluster-api-janitor-openstack: chart 0.11.0 (helm --version, from dependencies.json; deploys image d527847)
  • cluster-autoscaler (per-workload): v1.30.4
  • Mgmt CNI: Cilium 1.17.12-ck0. Workload-cluster CNI: Calico (chart default).

VERSION-SOURCE RULE (D-034): every provider ref above is read live from the chosen capi-helm-charts release tag's dependencies.json via jq. DO NOT hardcode semver in IaC -- this table is a snapshot for redeploy comparison only.

B.3 Magnum driver + chart (Layer B -- outside Juju channels, manually pinned)

  • magnum-capi-helm driver: 1.3.0 was the AS-FIRST-BUILT pin; the v1 TARGET is the RELEASED magnum-capi-helm==1.4.0 (D-042). 1.3.0 is contract-INCOHERENT with the Layer-A core -- it reads apiVersion off the infrastructureRef, which CAPI v1.13 (v1beta2 contract) no longer carries, so the driver's infrastructure health GET returns "not found" (cosmetic only -- the create path is unaffected; the chart templates resource versions). (1.3.0 also supersedes D-007's 1.1.0 and the late-May 1.2.0 note -- both stale; Review-later: reconcile design-decisions.md.)
  • DRIVER DECISION (D-042, amends D-034): pin the RELEASED magnum-capi-helm==1.4.0 (the "generalize-api-resources" feature; released line 1.0.0/1.1.0/1.2.0/1.2.1/1.3.0/1.4.0). 1.4.0 resolves each resource query as api_resources.get(<Kind>,{}).get("api_version", <code-default>); the driver's CODE defaults are v1beta1 for the CAPI core kinds, but the api_resources OPTION itself defaults to an EMPTY map {} (the v1beta1 values are code-level fallbacks, NOT option defaults). CAPI v1.13.2 / CAPO v0.14.4 serve v1beta1, so an empty map yields matching v1beta1 lookups -- set api_resources = {} EXPLICITLY (phase-07 7.5: the option's registered default is a dict and the driver json.loads() it; an explicit string {} avoids the oslo coercion question). Override a kind only if it serves v1beta2-only. Same pin for testcloud and Roosevelt. RULE: the Layer-B driver pin MUST be contract-coherent with the Layer-A CAPI core; verify that intersection at deploy. Install: phase-07 7.3-7.6.
  • chart repo: https://azimuth-cloud.github.io/capi-helm-charts
  • chart name: openstack-cluster ; default_helm_chart_version: 0.25.1
  • conf.d drop-in: /etc/magnum/magnum.conf.d/00-capi-helm.conf (D-037)
  • note (CNI): the capi-k8s-v1-32 template OMITS the Magnum network_driver field, so the workload cluster gets the chart-default Calico (the as-built CNI). Whether 1.4.0 honors network_driver is unverified and not relied on -- omitting the field is what guarantees Calico (appendix-A: CNI-label; phase-08).
  • v1 END STATE: 1.4.0 installed and health_status = HEALTHY (D-011). 1.3.0 is only a TEMPORARY rollback/holding state (phase-07 Rollback), never a v1 completion. Either way, do NOT wire magnum auto-heal to health_status (CAPI MachineHealthCheck handles healing independently -- proven during the D-040 OOM recovery).
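
Added example (not the driver's code): the api_resources lookup quoted under DRIVER DECISION, with a check that every resolved apiVersion is one the management cluster serves, which is the Layer-A/Layer-B intersection the RULE asks for. The kind names, the "group/version" string form, the fallback map and the served-version sets are assumptions constructed for illustration.

```python
import json

# Assumed code-level fallbacks; the page states only that the CAPI core kinds
# fall back to v1beta1. Kind names and group strings here are illustrative.
CODE_DEFAULTS = {
    "Cluster": "cluster.x-k8s.io/v1beta1",
    "MachineDeployment": "cluster.x-k8s.io/v1beta1",
    "KubeadmControlPlane": "controlplane.cluster.x-k8s.io/v1beta1",
}


def load_api_resources(raw):
    """Parse the option as a JSON string, e.g. the explicit "{}" from phase-07 7.5."""
    parsed = json.loads(raw)
    if not isinstance(parsed, dict):
        raise ValueError("api_resources must be a JSON object")
    return parsed


def resolve(api_resources, kind):
    # Same shape as the lookup in B.3: per-kind override, else the code default.
    return api_resources.get(kind, {}).get("api_version", CODE_DEFAULTS[kind])


def coherence_gaps(raw_option, served):
    """Return {kind: resolved apiVersion} for kinds the cluster does not serve."""
    api_resources = load_api_resources(raw_option)
    gaps = {}
    for kind in CODE_DEFAULTS:
        wanted = resolve(api_resources, kind)
        if wanted not in served.get(kind, set()):
            gaps[kind] = wanted
    return gaps


# Constructed: apiVersions served per kind. In SERVED_V1BETA2_ONLY one kind has
# dropped v1beta1, the case where the page says to override that kind.
SERVED = {kind: {default, default.replace("v1beta1", "v1beta2")}
          for kind, default in CODE_DEFAULTS.items()}
SERVED_V1BETA2_ONLY = dict(
    SERVED, KubeadmControlPlane={"controlplane.cluster.x-k8s.io/v1beta2"})
OVERRIDE = json.dumps(
    {"KubeadmControlPlane": {"api_version": "controlplane.cluster.x-k8s.io/v1beta2"}})

if __name__ == "__main__":
    print(coherence_gaps("{}", SERVED))                   # no gaps with the empty map
    print(coherence_gaps("{}", SERVED_V1BETA2_ONLY))      # KubeadmControlPlane flagged
    print(coherence_gaps(OVERRIDE, SERVED_V1BETA2_ONLY))  # override closes the gap
```
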

B.4 Pre-flight checklist (redeploy)

  1. scripts/pre-flight-checks.sh -- verify every channel above still resolves on Charmhub.
  2. juju info memcached -- confirm track decision (see B.1 note).
  3. Read CAPI constellation live from dependencies.json (D-034); compare to B.2.
  4. Driver (D-042): pin the RELEASED magnum-capi-helm==1.4.0 (contract-coherent with the Layer-A CAPI core; with api_resources = {}, lookups fall back to the driver's v1beta1 code defaults, which CAPI v1.13.2 serves). Confirm 1.4.0 still resolves on PyPI and that the cluster serves v1beta1 (phase-07 7.3).