Skip to content

[4.21] OCPBUGS-59514: redacted install config for baremetal #9972

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
iurygregory wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[4.21] OCPBUGS-59514: redacted install config for baremetal #9972

iurygregory wants to merge 1 commit into from
+150 −50

Conversation

@iurygregory
Copy link
Contributor

@iurygregory iurygregory commented Sep 29, 2025

No description provided.

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Sep 29, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Sep 29, 2025

@iurygregory: This pull request references Jira Issue OCPBUGS-59514, which is invalid:

  • expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@iurygregory
Copy link
Contributor Author

iurygregory commented Sep 29, 2025

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Sep 29, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Sep 29, 2025

@iurygregory: This pull request references Jira Issue OCPBUGS-59514, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jadhaj

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

patrickdillon
patrickdillon reviewed Sep 29, 2025
View reviewed changes
Copy link
Contributor

@patrickdillon patrickdillon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/label backport-risk-assessed

Hm perhaps I'm missing something obvious, but could you simply do this:

	case newConfig.BareMetal != nil:
		for _, host := range newConfig.BareMetal.Hosts {
			host.BMC.Password = "REDACTED"
		}

This way you would not need to update this code for future fields. Not sure why other platforms don't do this, so perhaps I am missing something!

@openshift-ci openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Sep 29, 2025
@iurygregory
Copy link
Contributor Author

iurygregory commented Sep 29, 2025

@patrickdillon thanks for the feedback, let me push a change with your idea and test via cluster-bot!

@zaneb
Copy link
Member

zaneb commented Sep 29, 2025

It looks like another instance of this problem was already fixed by OCPBUGS-61353, but there is still one more that this doesn't solve.

Clearly this is going to keep happening though. I don't feel like this is fixed until we have code that uses reflect to go through the whole structure and redact any fields with a json tag that contains user or password.

This way you would not need to update this code for future fields. Not sure why other platforms don't do this, so perhaps I am missing something!

I think the problem is that this changes the original install-config, meaning the redacted version will get written to the asset store. The InstallConfig struct is passed by value, so it is safe to overwrite the pullSecret at the top level, but it contains references to nested structs (Platform struct is embedded by value, but it contains pointers to the actual platform implementation), and only the references get copied.

We need to either go through (a hopefully better version of) the same rigmarole as the other platforms or generate DeepCopy() functions for the InstallConfig. The latter would be vastly preferable, since the current code is extremely brittle if not already broken (e.g. Port field is missing from VCenters).

barbacbd
barbacbd reviewed Sep 30, 2025
View reviewed changes
Copy link
Contributor

@barbacbd barbacbd left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems ok. Is there any way you can add some commit notes maybe why this is needed? I also like Patrick's comment to add Redacted instead of an empty string; I think it gives an indication for why it was set the way that it was.

@patrickdillon
Copy link
Contributor

patrickdillon commented Sep 30, 2025

Platform struct is embedded by value, but it contains pointers to the actual platform implementation

+1. I knew I was missing something and this point was exactly it. Ignore my suggestion!

@patrickdillon
Copy link
Contributor

patrickdillon commented Sep 30, 2025

& apologies for misleading you @iurygregory

@iurygregory iurygregory force-pushed the OCPBUGS-59514 branch 3 times, most recently from 1cb7810 to 5e4737a Compare October 24, 2025 16:09
@tthvo
Copy link
Member

tthvo commented Nov 5, 2025

We need to either go through (a hopefully better version of) the same rigmarole as the other platforms or generate DeepCopy() functions for the InstallConfig. The latter would be vastly preferable, since the current code is extremely brittle if not already broken (e.g. Port field is missing from VCenters).

Looks like you predicted #10025, Zane. This PR should make the whole copying much easier and individual overrides can be done just like Patrick's previous suggestion.

@tthvo
Copy link
Member

tthvo commented Nov 5, 2025

Clearly this is going to keep happening though. I don't feel like this is fixed until we have code that uses reflect to go through the whole structure and redact any fields with a json tag that contains user or password.

Looks like a good scenarios to use Claude 😁

Current approach looks OK to me though resolve the issue today unless you want to wait for #10025, @iurygregory

@iurygregory
Copy link
Contributor Author

iurygregory commented Nov 6, 2025

Clearly this is going to keep happening though. I don't feel like this is fixed until we have code that uses reflect to go through the whole structure and redact any fields with a json tag that contains user or password.

Looks like a good scenarios to use Claude 😁

Current approach looks OK to me though resolve the issue today unless you want to wait for #10025, @iurygregory

Hey @tthvo , I'll be waiting for #10025 to land so I can update things!

@patrickdillon
Copy link
Contributor

patrickdillon commented Nov 12, 2025
edited
Loading

I'm not sure how much #10025 will help. I mean that I honestly don't know.

I did have a thought though that JSON serialization would be a just fine way to copy one go struct to another, right?

edit: Ok clearly #10025 will help, and should merge soon.

@iurygregory
Copy link
Contributor Author

iurygregory commented Nov 14, 2025

I'm not sure how much #10025 will help. I mean that I honestly don't know.

I did have a thought though that JSON serialization would be a just fine way to copy one go struct to another, right?

edit: Ok clearly #10025 will help, and should merge soon.

Thanks @patrickdillon I will wait for #10025 to merge so I can update this one.

@tthvo
Copy link
Member

tthvo commented Dec 2, 2025

@iurygregory #10025 is merged. You can use deepcopy now :D

@iurygregory
Copy link
Contributor Author

iurygregory commented Dec 10, 2025

@tthvo thanks! going to update here

tthvo
tthvo reviewed Dec 10, 2025
View reviewed changes
@iurygregory
Copy link
Contributor Author

iurygregory commented Dec 11, 2025

/jira refresh

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Dec 11, 2025

@iurygregory: This pull request references Jira Issue OCPBUGS-59514, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jadhaj

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@iurygregory
[4.21] OCPBUGS-59514: redacted install config
4b09c16 
Assisted-By: Claude Code Sonnet 4

Signed-off-by: Iury Gregory Melo Ferreira <imelofer@redhat.com>
tthvo
tthvo reviewed Dec 11, 2025
View reviewed changes
Copy link
Member

@tthvo tthvo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

Looks good! The unit tests also verifies that it works and does not break other platform.

/cc @jcpowermac for vsphere 🙏

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 11, 2025
@tthvo
Copy link
Member

tthvo commented Dec 11, 2025

/retest

Hmm, test failures complain about missing DeepCopyInto, but those func are all there...

@iurygregory
Copy link
Contributor Author

iurygregory commented Dec 16, 2025

@jcpowermac can you take a look at the vsphere part? Tks!

@jcpowermac
Copy link
Contributor

jcpowermac commented Jan 7, 2026

/lgtm

@patrickdillon
Copy link
Contributor

patrickdillon commented Jan 7, 2026

/approve

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 7, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: patrickdillon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 7, 2026
@patrickdillon
Copy link
Contributor

patrickdillon commented Jan 7, 2026

/test ?

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 7, 2026

@patrickdillon: The following commands are available to trigger required jobs:

/test artifacts-images

/test e2e-agent-compact-ipv4

/test e2e-aws-ovn

/test e2e-aws-ovn-edge-zones-manifest-validation

/test e2e-aws-ovn-upi

/test e2e-azure-nat-gateway-single-zone

/test e2e-azure-ovn

/test e2e-gcp-ovn

/test e2e-gcp-ovn-upi

/test e2e-metal-ipi-ovn-ipv6

/test e2e-openstack-ovn

/test e2e-vsphere-ovn

/test e2e-vsphere-ovn-upi

/test gofmt

/test golint

/test govet

/test images

/test integration-tests

/test integration-tests-nodejoiner

/test okd-scos-images

/test openstack-manifests

/test shellcheck

/test unit

/test verify-codegen

/test verify-deps

/test verify-vendor

/test yaml-lint

The following commands are available to trigger optional jobs:

/test aws-private

/test azure-ovn-marketplace-images

/test azure-private

/test e2e-agent-4control-ipv4

/test e2e-agent-5control-ipv4

/test e2e-agent-compact-ipv4-appliance-diskimage

/test e2e-agent-compact-ipv4-iso-no-registry

/test e2e-agent-compact-ipv4-none-platform

/test e2e-agent-compact-ipv6-minimaliso

/test e2e-agent-ha-dualstack

/test e2e-agent-sno-ipv4-pxe

/test e2e-agent-sno-ipv6

/test e2e-agent-two-node-fencing-ipv4

/test e2e-aws-byo-subnet-role-security-groups

/test e2e-aws-custom-dns-techpreview

/test e2e-aws-default-config

/test e2e-aws-overlay-mtu-ovn-1200

/test e2e-aws-ovn-custom-iam-profile

/test e2e-aws-ovn-edge-zones

/test e2e-aws-ovn-fips

/test e2e-aws-ovn-heterogeneous

/test e2e-aws-ovn-imdsv2

/test e2e-aws-ovn-proxy

/test e2e-aws-ovn-public-ipv4-pool

/test e2e-aws-ovn-public-ipv4-pool-disabled

/test e2e-aws-ovn-public-subnets

/test e2e-aws-ovn-shared-vpc-custom-security-groups

/test e2e-aws-ovn-shared-vpc-edge-zones

/test e2e-aws-ovn-single-node

/test e2e-aws-ovn-techpreview

/test e2e-aws-ovn-upgrade

/test e2e-aws-upi-proxy

/test e2e-azure-confidential-trustedlaunch

/test e2e-azure-custom-dns-techpreview

/test e2e-azure-default-config

/test e2e-azure-ovn-multidisk-techpreview

/test e2e-azure-ovn-resourcegroup

/test e2e-azure-ovn-shared-vpc

/test e2e-azure-ovn-techpreview

/test e2e-azure-ovn-upi

/test e2e-azurestack

/test e2e-azurestack-upi

/test e2e-crc

/test e2e-external-aws

/test e2e-external-aws-ccm

/test e2e-gcp-custom-dns

/test e2e-gcp-custom-endpoints

/test e2e-gcp-default-config

/test e2e-gcp-ovn-byo-vpc

/test e2e-gcp-ovn-heterogeneous

/test e2e-gcp-ovn-techpreview

/test e2e-gcp-ovn-xpn

/test e2e-gcp-secureboot

/test e2e-gcp-upgrade

/test e2e-gcp-upi-xpn

/test e2e-gcp-xpn-dedicated-dns-project

/test e2e-ibmcloud-ovn

/test e2e-metal-assisted

/test e2e-metal-ipi-ovn

/test e2e-metal-ipi-ovn-dualstack

/test e2e-metal-ipi-ovn-swapped-hosts

/test e2e-metal-ipi-ovn-virtualmedia

/test e2e-metal-ovn-two-node-arbiter

/test e2e-metal-ovn-two-node-fencing

/test e2e-metal-single-node-live-iso

/test e2e-nutanix-ovn

/test e2e-openstack-ccpmso

/test e2e-openstack-ccpmso-zone

/test e2e-openstack-dualstack

/test e2e-openstack-dualstack-upi

/test e2e-openstack-externallb

/test e2e-openstack-nfv-intel

/test e2e-openstack-proxy

/test e2e-openstack-singlestackv6

/test e2e-powervs-capi-ovn

/test e2e-vsphere-externallb-ovn

/test e2e-vsphere-host-groups-ovn-techpreview

/test e2e-vsphere-multi-vcenter-ovn

/test e2e-vsphere-ovn-disk-setup-techpreview

/test e2e-vsphere-ovn-hybrid-env

/test e2e-vsphere-ovn-multi-disk

/test e2e-vsphere-ovn-multi-network

/test e2e-vsphere-ovn-techpreview

/test e2e-vsphere-ovn-upi-zones

/test e2e-vsphere-ovn-zones

/test e2e-vsphere-ovn-zones-techpreview

/test e2e-vsphere-static-ovn

/test gcp-custom-endpoints-proxy-wif

/test gcp-private

/test okd-scos-e2e-aws-ovn

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-installer-main-artifacts-images

pull-ci-openshift-installer-main-e2e-aws-ovn

pull-ci-openshift-installer-main-gofmt

pull-ci-openshift-installer-main-golint

pull-ci-openshift-installer-main-govet

pull-ci-openshift-installer-main-images

pull-ci-openshift-installer-main-okd-scos-images

pull-ci-openshift-installer-main-shellcheck

pull-ci-openshift-installer-main-unit

pull-ci-openshift-installer-main-verify-codegen

pull-ci-openshift-installer-main-verify-deps

pull-ci-openshift-installer-main-verify-vendor

pull-ci-openshift-installer-main-yaml-lint
Details

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@patrickdillon
Copy link
Contributor

patrickdillon commented Jan 7, 2026

/test e2e-metal-ipi-ovn e2e-vsphere-ovn e2e-nutanix-ovn

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 7, 2026

@iurygregory: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-vsphere-ovn-techpreview 18cc555 link false /test e2e-vsphere-ovn-techpreview
ci/prow/e2e-aws-ovn-fips 18cc555 link false /test e2e-aws-ovn-fips
ci/prow/aws-private 18cc555 link false /test aws-private
ci/prow/e2e-aws-default-config 18cc555 link false /test e2e-aws-default-config
ci/prow/e2e-aws-ovn-shared-vpc-custom-security-groups 18cc555 link false /test e2e-aws-ovn-shared-vpc-custom-security-groups
ci/prow/e2e-aws-ovn-heterogeneous 18cc555 link false /test e2e-aws-ovn-heterogeneous
ci/prow/e2e-ibmcloud-ovn 18cc555 link false /test e2e-ibmcloud-ovn
ci/prow/e2e-openstack-ovn 18cc555 link true /test e2e-openstack-ovn
ci/prow/azure-ovn-marketplace-images 18cc555 link false /test azure-ovn-marketplace-images
ci/prow/e2e-azure-ovn 18cc555 link true /test e2e-azure-ovn
ci/prow/e2e-aws-ovn-shared-vpc-edge-zones 18cc555 link false /test e2e-aws-ovn-shared-vpc-edge-zones
ci/prow/e2e-vsphere-ovn-disk-setup-techpreview 18cc555 link false /test e2e-vsphere-ovn-disk-setup-techpreview
ci/prow/azure-private 18cc555 link false /test azure-private
ci/prow/e2e-metal-single-node-live-iso 18cc555 link false /test e2e-metal-single-node-live-iso
ci/prow/e2e-vsphere-multi-vcenter-ovn 18cc555 link false /test e2e-vsphere-multi-vcenter-ovn
ci/prow/e2e-azurestack 18cc555 link false /test e2e-azurestack
ci/prow/e2e-aws-byo-subnet-role-security-groups 18cc555 link false /test e2e-aws-byo-subnet-role-security-groups
ci/prow/e2e-azure-ovn-shared-vpc 18cc555 link false /test e2e-azure-ovn-shared-vpc
ci/prow/e2e-aws-ovn-single-node 18cc555 link false /test e2e-aws-ovn-single-node
ci/prow/e2e-aws-ovn-edge-zones-manifest-validation 18cc555 link true /test e2e-aws-ovn-edge-zones-manifest-validation
ci/prow/e2e-aws-ovn-edge-zones 18cc555 link false /test e2e-aws-ovn-edge-zones
ci/prow/okd-scos-e2e-aws-ovn 5e4737a link false /test okd-scos-e2e-aws-ovn
ci/prow/e2e-vsphere-ovn-hybrid-env 18cc555 link false /test e2e-vsphere-ovn-hybrid-env
ci/prow/openstack-manifests 18cc555 link true /test openstack-manifests
ci/prow/e2e-openstack-proxy 18cc555 link false /test e2e-openstack-proxy
ci/prow/e2e-vsphere-ovn-zones 18cc555 link false /test e2e-vsphere-ovn-zones
ci/prow/e2e-azure-default-config 18cc555 link false /test e2e-azure-default-config
ci/prow/e2e-openstack-nfv-intel 18cc555 link false /test e2e-openstack-nfv-intel
ci/prow/e2e-aws-ovn-imdsv2 18cc555 link false /test e2e-aws-ovn-imdsv2
ci/prow/e2e-nutanix-ovn 4b09c16 link false /test e2e-nutanix-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@patrickdillon patrickdillon patrickdillon left review comments

@jadhaj jadhaj Awaiting requested review from jadhaj

@bfournie bfournie Awaiting requested review from bfournie

+2 more reviewers

@barbacbd barbacbd barbacbd left review comments

@tthvo tthvo tthvo left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@jcpowermac jcpowermac

@tthvo tthvo

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@iurygregory @openshift-ci-robot @zaneb @patrickdillon @tthvo @jcpowermac @barbacbd