Skip to content

[4.21] OCPBUGS-59514: redacted install config for baremetal #9972

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[4.21] OCPBUGS-59514: redacted install config for baremetal #9972

wants to merge 1 commit into from
+53 −0

Conversation

@iurygregory
Copy link
Contributor

@iurygregory iurygregory commented Sep 29, 2025

No description provided.

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Sep 29, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Sep 29, 2025

@iurygregory: This pull request references Jira Issue OCPBUGS-59514, which is invalid:

  • expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@iurygregory
Copy link
Contributor Author

iurygregory commented Sep 29, 2025

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Sep 29, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Sep 29, 2025

@iurygregory: This pull request references Jira Issue OCPBUGS-59514, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jadhaj

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Sep 29, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign rwsu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

patrickdillon
patrickdillon reviewed Sep 29, 2025
View reviewed changes
Copy link
Contributor

@patrickdillon patrickdillon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/label backport-risk-assessed

Hm perhaps I'm missing something obvious, but could you simply do this:

	case newConfig.BareMetal != nil:
		for _, host := range newConfig.BareMetal.Hosts {
			host.BMC.Password = "REDACTED"
		}

This way you would not need to update this code for future fields. Not sure why other platforms don't do this, so perhaps I am missing something!

@openshift-ci openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Sep 29, 2025
@iurygregory
Copy link
Contributor Author

iurygregory commented Sep 29, 2025

@patrickdillon thanks for the feedback, let me push a change with your idea and test via cluster-bot!

@zaneb
Copy link
Member

zaneb commented Sep 29, 2025

It looks like another instance of this problem was already fixed by OCPBUGS-61353, but there is still one more that this doesn't solve.

Clearly this is going to keep happening though. I don't feel like this is fixed until we have code that uses reflect to go through the whole structure and redact any fields with a json tag that contains user or password.

This way you would not need to update this code for future fields. Not sure why other platforms don't do this, so perhaps I am missing something!

I think the problem is that this changes the original install-config, meaning the redacted version will get written to the asset store. The InstallConfig struct is passed by value, so it is safe to overwrite the pullSecret at the top level, but it contains references to nested structs (Platform struct is embedded by value, but it contains pointers to the actual platform implementation), and only the references get copied.

We need to either go through (a hopefully better version of) the same rigmarole as the other platforms or generate DeepCopy() functions for the InstallConfig. The latter would be vastly preferable, since the current code is extremely brittle if not already broken (e.g. Port field is missing from VCenters).

barbacbd
barbacbd reviewed Sep 30, 2025
View reviewed changes
Copy link
Contributor

@barbacbd barbacbd left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems ok. Is there any way you can add some commit notes maybe why this is needed? I also like Patrick's comment to add Redacted instead of an empty string; I think it gives an indication for why it was set the way that it was.

@patrickdillon
Copy link
Contributor

patrickdillon commented Sep 30, 2025

Platform struct is embedded by value, but it contains pointers to the actual platform implementation

+1. I knew I was missing something and this point was exactly it. Ignore my suggestion!

@patrickdillon
Copy link
Contributor

patrickdillon commented Sep 30, 2025

& apologies for misleading you @iurygregory

@iurygregory iurygregory force-pushed the OCPBUGS-59514 branch 2 times, most recently from 18cc555 to 1cb7810 Compare October 24, 2025 14:50
@iurygregory
[4.21] OCPBUGS-59514: redacted install config
5e4737a 
Assisted-By: Claude Code Sonnet 4
Signed-off-by: Iury Gregory Melo Ferreira <[email protected]>
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Oct 24, 2025

@iurygregory: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-vsphere-ovn-techpreview 18cc555 link false /test e2e-vsphere-ovn-techpreview
ci/prow/e2e-aws-ovn-fips 18cc555 link false /test e2e-aws-ovn-fips
ci/prow/aws-private 18cc555 link false /test aws-private
ci/prow/e2e-aws-default-config 18cc555 link false /test e2e-aws-default-config
ci/prow/e2e-aws-ovn-shared-vpc-custom-security-groups 18cc555 link false /test e2e-aws-ovn-shared-vpc-custom-security-groups
ci/prow/e2e-aws-ovn-heterogeneous 18cc555 link false /test e2e-aws-ovn-heterogeneous
ci/prow/e2e-ibmcloud-ovn 18cc555 link false /test e2e-ibmcloud-ovn
ci/prow/e2e-openstack-ovn 18cc555 link true /test e2e-openstack-ovn
ci/prow/e2e-vsphere-ovn 18cc555 link true /test e2e-vsphere-ovn
ci/prow/azure-ovn-marketplace-images 18cc555 link false /test azure-ovn-marketplace-images
ci/prow/e2e-azure-ovn 18cc555 link true /test e2e-azure-ovn
ci/prow/e2e-aws-ovn-shared-vpc-edge-zones 18cc555 link false /test e2e-aws-ovn-shared-vpc-edge-zones
ci/prow/e2e-vsphere-ovn-disk-setup-techpreview 18cc555 link false /test e2e-vsphere-ovn-disk-setup-techpreview
ci/prow/azure-private 18cc555 link false /test azure-private
ci/prow/e2e-metal-single-node-live-iso 18cc555 link false /test e2e-metal-single-node-live-iso
ci/prow/e2e-vsphere-multi-vcenter-ovn 18cc555 link false /test e2e-vsphere-multi-vcenter-ovn
ci/prow/e2e-azurestack 18cc555 link false /test e2e-azurestack
ci/prow/e2e-aws-byo-subnet-role-security-groups 18cc555 link false /test e2e-aws-byo-subnet-role-security-groups
ci/prow/e2e-azure-ovn-shared-vpc 18cc555 link false /test e2e-azure-ovn-shared-vpc
ci/prow/e2e-aws-ovn-single-node 18cc555 link false /test e2e-aws-ovn-single-node
ci/prow/e2e-aws-ovn-edge-zones-manifest-validation 18cc555 link true /test e2e-aws-ovn-edge-zones-manifest-validation
ci/prow/e2e-aws-ovn-edge-zones 18cc555 link false /test e2e-aws-ovn-edge-zones
ci/prow/okd-scos-e2e-aws-ovn 5e4737a link false /test okd-scos-e2e-aws-ovn
ci/prow/e2e-vsphere-ovn-hybrid-env 18cc555 link false /test e2e-vsphere-ovn-hybrid-env
ci/prow/openstack-manifests 18cc555 link true /test openstack-manifests
ci/prow/e2e-openstack-proxy 18cc555 link false /test e2e-openstack-proxy
ci/prow/e2e-vsphere-ovn-zones 18cc555 link false /test e2e-vsphere-ovn-zones
ci/prow/e2e-azure-default-config 18cc555 link false /test e2e-azure-default-config
ci/prow/e2e-openstack-nfv-intel 18cc555 link false /test e2e-openstack-nfv-intel
ci/prow/e2e-aws-ovn-imdsv2 18cc555 link false /test e2e-aws-ovn-imdsv2
ci/prow/e2e-nutanix-ovn 18cc555 link false /test e2e-nutanix-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@tthvo
Copy link
Member

tthvo commented Nov 5, 2025

We need to either go through (a hopefully better version of) the same rigmarole as the other platforms or generate DeepCopy() functions for the InstallConfig. The latter would be vastly preferable, since the current code is extremely brittle if not already broken (e.g. Port field is missing from VCenters).

Looks like you predicted #10025, Zane. This PR should make the whole copying much easier and individual overrides can be done just like Patrick's previous suggestion.

@tthvo
Copy link
Member

tthvo commented Nov 5, 2025

Clearly this is going to keep happening though. I don't feel like this is fixed until we have code that uses reflect to go through the whole structure and redact any fields with a json tag that contains user or password.

Looks like a good scenarios to use Claude 😁

Current approach looks OK to me though resolve the issue today unless you want to wait for #10025, @iurygregory

@iurygregory
Copy link
Contributor Author

iurygregory commented Nov 6, 2025

Clearly this is going to keep happening though. I don't feel like this is fixed until we have code that uses reflect to go through the whole structure and redact any fields with a json tag that contains user or password.

Looks like a good scenarios to use Claude 😁

Current approach looks OK to me though resolve the issue today unless you want to wait for #10025, @iurygregory

Hey @tthvo , I'll be waiting for #10025 to land so I can update things!

@patrickdillon
Copy link
Contributor

patrickdillon commented Nov 12, 2025
edited
Loading

I'm not sure how much #10025 will help. I mean that I honestly don't know.

I did have a thought though that JSON serialization would be a just fine way to copy one go struct to another, right?

edit: Ok clearly #10025 will help, and should merge soon.

@iurygregory
Copy link
Contributor Author

iurygregory commented Nov 14, 2025

I'm not sure how much #10025 will help. I mean that I honestly don't know.

I did have a thought though that JSON serialization would be a just fine way to copy one go struct to another, right?

edit: Ok clearly #10025 will help, and should merge soon.

Thanks @patrickdillon I will wait for #10025 to merge so I can update this one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@patrickdillon patrickdillon patrickdillon left review comments

@jadhaj jadhaj Awaiting requested review from jadhaj

@bfournie bfournie Awaiting requested review from bfournie

+1 more reviewer

@barbacbd barbacbd barbacbd left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@iurygregory @openshift-ci-robot @zaneb @patrickdillon @tthvo @barbacbd