RESERVED number: DOCFIX-064 (per changelog next-free note). This is the accumulated phase-08 operator-runbook (single-consumer acceptance) sweep. Written as a change-LIST with exact anchors + evidence so the edit is mechanical when phase-08 is finalized. NOT yet applied to runbooks/phase-08-workload-cluster-acceptance.md.
Scope note: these are fixes to the OPERATOR single-consumer acceptance path (capi-test-1 in capi-mgmt scope). The multi-tenant tenant->cluster flow is a SEPARATE deliverable (tenant-onboarding-v2-DRAFT.md). Some items overlap (image --public, image-by-UUID, template ownership scope) because both paths hit them.
1. IMAGE SEED MUST create the image --public [Step 8.0, image create] Evidence: a shared/owner-only kube image causes magnum cluster/template create to fail with Cluster type (vm, Unset, kubernetes) not supported -- a non-owner (or the driver acting in another project) cannot read os_distro, so type-derivation returns Unset. Fix: the seed runs openstack image create ... --public (and re-verifies visibility=public post-create).
2. SEED HARDENING [Step 8.0]
active as a hard-gate loop (not a fixed sleep).
3. IMAGE-ABSENT PRESENCE GUARD [Step 8.0] Explicitly branch "image present -> verify props" vs "absent -> seed", so a re-run does not double-seed and a present-but-wrong-visibility image is caught (ties to item 1).
4. IMAGE BY UUID, not name [Step 8.0 template create; 8.1] Evidence: a double-quoted image NAME resolved to the literal 'name' (no image) -> Unset type -> 400. Passing the resolved UUID removes the quoting/resolution surface. Gate the UUID with grep -qE '^[0-9a-f-]{36}$' before use.
5. TEMPLATE CREATE -- OWNER PROJECT SCOPE [Step 8.0] Evidence: coe cluster template create/show and cluster create --cluster-template <name> resolve the template within the CALLER'S project (templates are visible by ownership). A private template created in capi-mgmt is NOT selectable by name from admin scope (create 404s while template list still shows it). Fix: run the template create AND the cluster create in the SAME project scope that owns the template (capi-mgmt for the operator path). Add the capi-mgmt scope preamble (resolve capi-mgmt --domain capi dynamically; export OS_PROJECT_ID) before both.
6. FLAVOR-FLOOR PRE-CHECK [Step 8.0 template create] Magnum requires master/node flavors >= 2 vcpu and >= 2048 MB. Pre-check the chosen flavors against the floor and fail loud, rather than surfacing an opaque driver error later.
7. OCTAVIA PREREQ -- CAPTURE REAL EXIT [Prerequisites / Step 8.0] The octavia-healthy probe must capture the actual command result and test it, NOT ... | head || echo (which masks failure -- head succeeds on empty input). The same capture-and-test-result discipline is applied across the onboarding v2 blocks.
8. 8.1 PRE-CHECKS -- D-039 role + keypair [Step 8.1] Before cluster create, assert (a) the trustor holds member + load-balancer_member (+ reader) on the cluster project (D-039 -- else CAPO 403s at the Octavia LB step), and (b) the keypair exists in the creating scope. Fail loud pre-create.
9. POLICYD ZIP PATH UNDER $HOME (snap confinement) [appendix-C section C.3] Evidence: juju attach-resource ... /tmp/overrides.zip failed "no such file or directory" though the shell saw the file -- the confined juju snap cannot read /tmp. Build the zip under $HOME. Also: zip is absent on the jumphost -- build via python3 zipfile (arcname=top-level). Fix appendix-C C.3 to use a $HOME path and the python3 zipfile method (currently shows zip -j /tmp/overrides.zip).
Apply items 1-8 to phase-08 and item 9 to appendix-C only AFTER Stage 6 (create_trust) is resolved -- if the multi-tenant trust step surfaces a further phase-08-relevant fix (e.g. a CONF.trust.roles pin), fold it into the same DOCFIX-064 sweep rather than reopening.
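Added example (not part of the DOCFIX-064 change list or of the runbook): the capture-and-test discipline from the OCTAVIA PREREQ item next to the masking form it replaces, plus the UUID gate from the IMAGE BY UUID item. probe() is a constructed stand-in for the real health command and PROBE_MODE is a hypothetical switch; only the grep pattern comes from the list above.

```shell
#!/bin/sh
# probe: constructed stand-in for the Octavia health command (not a real CLI
# call). PROBE_MODE is a hypothetical switch selecting the simulated outcome.
probe() {
    case "$PROBE_MODE" in
        ok)    printf 'lb-1 ACTIVE ONLINE\n' ;;      # constructed sample row
        empty) return 0 ;;                           # answered, nothing listed
        *)     echo 'HTTP 503' >&2; return 1 ;;      # probe itself failed
    esac
}

# Anti-pattern: without pipefail the pipeline's status is head's, and head
# exits 0 on empty input, so "|| echo" never fires and the failure is masked.
masked_check() {
    probe 2>/dev/null | head -n 1 || echo 'octavia unhealthy'
}

# Capture-and-test: keep the probe's own exit status and output, gate on both.
gated_check() {
    rc=0
    out=$(probe 2>/dev/null) || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "FAIL: probe exited $rc" >&2; return 1
    fi
    if [ -z "$out" ]; then
        echo 'FAIL: probe returned no rows' >&2; return 1
    fi
    printf '%s\n' "$out" | head -n 1
}

# UUID gate with the pattern from the change list. It checks length and
# character set only, which is enough to reject a quoted name.
gate_uuid() {
    printf '%s\n' "$1" | grep -qE '^[0-9a-f-]{36}$'
}

# Demo over the three simulated outcomes: masked is 0 every time.
for PROBE_MODE in ok empty down; do
    m=0; masked_check >/dev/null || m=$?
    g=0; gated_check >/dev/null 2>&1 || g=$?
    echo "$PROBE_MODE: masked_rc=$m gated_rc=$g"
done
```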