TEMPLATE NOTE (removed before delivery): fields written as {{THIS}} are filled in by us per client at handover.
The definition of "your environment works": every row below passes. Run it once at onboarding -- with us on the line if you like -- and re-run any row whenever you suspect a problem. Rows marked "You" are fully self-service; rows marked "Us" need a request through your account contact. Rows marked "expected refusal" MUST fail -- they prove the platform's boundaries are protecting you.
Unless a row says otherwise, run the checks as your automation credential (OS_CLOUD={{TENANT_SHORT_NAME}}, per the CI/Automation Integration Guide). Substitute any small shared machine size and base image from openstack flavor list / openstack image list. The starter-kit script scripts/acceptance-run.sh automates every fully self-service row below (and tears its resources down again); the rows that need a password login or a human are listed in its output.
| # | Proves | Minimal check | Expected result | Who |
|---|---|---|---|---|
| A1 | Pipeline sign-in (application credential) | openstack token issue |
a token, scoped to your project | You |
| A2 | Cluster account sign-in (password) | as {{TENANT_SHORT_NAME}}-cluster: openstack token issue |
a token, scoped to your project | You |
| A3 | Admin account sign-in (password, dashboard) | log in to {{DASHBOARD_URL}} as {{TENANT_SHORT_NAME}}-domain-admin with domain {{TENANT_SHORT_NAME}} |
dashboard opens showing the Identity section; the error popups at this login are normal for this account -- dismiss them (see the Self-Service Guide) | You |
| A4 | Endpoint discovery | openstack catalog list |
every service used in sections B-H appears with an endpoint | You |
| A5 | Quota envelope visible | openstack limits show --absolute |
limits match your agreed quota | You |
| A6 | Identity boundary (expected refusal) | with the application credential: openstack user create ci-accept-probe |
permission DENIED -- identity work belongs to -domain-admin only |
You |
{{TENANT_SHORT_NAME}}-domain-admin)Run these rows with the command-line client -- identity tasks are done via the CLI today (the exact commands are in the Self-Service Guide).
| # | Proves | Minimal check | Expected result | Who |
|---|---|---|---|---|
| B1 | You can manage your own team | create user ci-accept-user in your domain, grant member on {{TENANT_SHORT_NAME}}-prod, then delete the user |
create, grant, and delete all succeed | You |
| B2 | Escalation is blocked (expected refusal) | try to grant admin on your project to any of your users |
grant refused / does not appear in openstack role assignment list |
You |
| # | Proves | Minimal check | Expected result | Who |
|---|---|---|---|---|
| C1 | Handover network intact | openstack network show {{TENANT_SHORT_NAME}}-net and openstack router show {{TENANT_SHORT_NAME}}-router |
both exist; router's external gateway is on provider-ext |
You |
| C2 | Network create/delete | create network ci-accept-net + a subnet on it (non-overlapping range), then delete both |
both succeed | You |
| C3 | Firewall self-service | create security group ci-accept-sg with a TCP/22 rule, then delete it |
both succeed | You |
| C4 | Public IP allocation | openstack floating ip create provider-ext, then delete it |
an address is allocated and released | You |
| # | Proves | Minimal check | Expected result | Who |
|---|---|---|---|---|
| D1 | Shared images and sizes visible | openstack image list and openstack flavor list |
the shared base images and machine sizes appear | You |
| D2 | Server lifecycle | boot ci-accept-vm on {{TENANT_SHORT_NAME}}-net with keypair {{TENANT_SHORT_NAME}}-key; wait; delete |
status reaches ACTIVE; delete completes | You |
| D3 | End-to-end reachability | attach a floating IP to ci-accept-vm and SSH in with your keypair (allow TCP/22 in its security group first) |
SSH login succeeds | You |
Note on D2: keypairs are per-account and {{TENANT_SHORT_NAME}}-key is owned by the -cluster account, so when running D2 as the automation credential, boot with a keypair of your own instead -- the automated runner scripts/acceptance-run.sh creates (and deletes) a throwaway ci-accept-key for exactly this reason. Row H2 proves the handover keypair itself.
| # | Proves | Minimal check | Expected result | Who |
|---|---|---|---|---|
| E1 | Volume lifecycle | openstack volume create --size 1 ci-accept-vol |
status reaches available |
You |
| E2 | Attach/detach | attach ci-accept-vol to ci-accept-vm, verify in-use, detach, delete |
all four steps succeed | You |
| # | Proves | Minimal check | Expected result | Who |
|---|---|---|---|---|
| F1 | Load balancer lifecycle | openstack loadbalancer create --name ci-accept-lb --vip-subnet-id {{TENANT_SHORT_NAME}}-subnet --wait, then delete (--cascade) |
provisioning ACTIVE and operating ONLINE; delete completes | You |
| F2 | Listener/pool/member | on ci-accept-lb before deleting: add a listener (TCP/80), a pool, and ci-accept-vm as a member |
all three create calls succeed | You |
Note: load balancers take several minutes to build; that is normal.
| # | Proves | Minimal check | Expected result | Who |
|---|---|---|---|---|
| G1 | Secret lifecycle | openstack secret store --name ci-accept-secret --payload check123, retrieve it, delete it |
stored, retrieved intact, deleted | You |
This is the same store that holds TLS certificates for load balancer listeners, so G1 passing means your TLS workflow will work.
Run H2/H3 as {{TENANT_SHORT_NAME}}-cluster signed in with its PASSWORD -- that is a platform requirement, not a preference. Cluster builds take tens of minutes; agree timing with us if you are running the whole checklist in one sitting.
| # | Proves | Minimal check | Expected result | Who |
|---|---|---|---|---|
| H1 | Your cluster template exists | openstack coe cluster template show {{TENANT_SHORT_NAME}}-k8s |
template found | You |
| H2 | Cluster lifecycle | openstack coe cluster create ci-accept-k8s --cluster-template {{TENANT_SHORT_NAME}}-k8s --keypair {{TENANT_SHORT_NAME}}-key --master-count 1 --node-count 1; wait; fetch kubeconfig (openstack coe cluster config); delete |
CREATE_COMPLETE; kubectl get nodes answers; delete completes |
You |
| H3 | Cluster boundary (expected refusal) | attempt the same create with the application credential | refused -- clusters require the -cluster password login |
You |
The platform runs an object storage service (S3/Swift compatible), available to your accounts. Run this row by hand, with the CLI or on the dashboard's object storage page, whichever you prefer; the automated runner lists it with the manual rows.
| # | Proves | Minimal check | Expected result | Who |
|---|---|---|---|---|
| I1 | Object storage lifecycle | openstack container create ci-accept-bucket, upload/download a small object, delete both (or the same via the dashboard) |
all steps succeed | You |
| # | Proves | Minimal check | Expected result | Who |
|---|---|---|---|---|
| J1 | Quota change path | an authorized requester asks {{ACCOUNT_CONTACT}} for a (small, real) quota change | change is applied and visible in openstack limits show --absolute |
Us |
| J2 | Escalation path | send a test "urgent" notice to {{ACCOUNT_CONTACT}} as agreed at handover | acknowledged within the agreed response window | Us |
All rows above passed on: __
For {{TENANT_SHORT_NAME}}: __ (name, role)
For Omega Cloud: __ (name, role)
Leftover check: after sign-off, run openstack server list, openstack volume list, openstack loadbalancer list, openstack floating ip list, openstack network list, openstack security group list, and openstack coe cluster list -- nothing named ci-accept-* should remain, and your quota consumption should be back to its pre-checklist level.