NO-JIRA: limit fencing credentials to master nodes only. #1885

Open
fracappa wants to merge 1 commit into openshift-metal3:master from fracappa:fca/fix-fencing-credentials-masters-only

@fracappa
Contributor

The agent install config-template iterated over all BMH nodes when generating fencing credentials. With NUM_WORKERS now customizable in TNA/TNF scenario, this produces credentials for worker nodes too, causing install validation failures.

@openshift-ci openshift-ci Bot requested review from andfasano and rwsu April 23, 2026 07:43
@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 23, 2026
@openshift-ci

openshift-ci Bot commented Apr 23, 2026

Hi @fracappa. Thanks for your PR.

I'm waiting for an openshift-metal3 member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@fracappa fracappa changed the title NO-JIRA: limit credentials to master nodes only. NO-JIRA: limit fencing credentials to master nodes only. Apr 23, 2026
@elfosardo
Member

/ok-to-test

@openshift-ci openshift-ci Bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 23, 2026
fencing:
credentials:
{% for hostname in hostnames %}
{% for hostname in hostnames[:num_masters|int] %}
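Review bot: The slice `hostnames[:num_masters|int]` in the new `for` line selects hosts by position, so it restricts fencing credentials to masters only if `hostnames` always lists every master before any worker, and nothing in the visible template enforces that order. Iterating over a list that contains only control-plane hosts, or filtering on role, would remove that dependency. Note also that a `num_masters` of 0 yields an empty `credentials:` list rather than an error, so a count check before rendering would make a misconfiguration visible.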
Member

There's a long chain, but IINW this derives from AGENT_NODES_HOSTNAMES. As a quick fix it could work, but I won't take the ordering (first masters, then workers) for granted, so I'd also evaluate a more robust solution.

Contributor Author

Hi @andfasano, thanks for the feedback!
I agree with you that the previous solution worked as a quick fix but it requires granted ordering in the node evaluation. Just pushed a commit that introduces dedicated master-only BMC arrays.
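
The ordering concern raised in this review thread, shown as an added example (not code from the PR or from the project): positional slicing and role-based selection are compared on a constructed host list, and `audit_fencing` reports hosts that would wrongly receive or miss fencing credentials. The `Host` type, the function names and the host names are assumptions made for illustration.

```python
# Added example: constructed inventory; Host fields and function names are assumptions.
from typing import NamedTuple


class Host(NamedTuple):
    hostname: str
    role: str  # "master" or "worker"


def select_by_slice(hosts, num_masters):
    """Positional selection, equivalent to hostnames[:num_masters|int]."""
    return [h.hostname for h in hosts[: int(num_masters)]]


def select_by_role(hosts, num_masters):
    """Role-based selection that fails loudly when the master count is off."""
    masters = [h.hostname for h in hosts if h.role == "master"]
    if len(masters) != int(num_masters):
        raise ValueError(f"expected {num_masters} masters, found {len(masters)}")
    return masters


def audit_fencing(cred_hostnames, hosts):
    """Return (non_masters_with_creds, masters_without_creds)."""
    masters = {h.hostname for h in hosts if h.role == "master"}
    creds = set(cred_hostnames)
    return sorted(creds - masters), sorted(masters - creds)


# Constructed sample data: same cluster, two possible orderings of the host list.
MASTERS_FIRST = [Host("master-0", "master"), Host("master-1", "master"),
                 Host("worker-0", "worker")]
INTERLEAVED = [Host("master-0", "master"), Host("worker-0", "worker"),
               Host("master-1", "master")]

if __name__ == "__main__":
    for name, hosts in (("masters-first", MASTERS_FIRST), ("interleaved", INTERLEAVED)):
        for select in (select_by_slice, select_by_role):
            extra, missing = audit_fencing(select(hosts, "2"), hosts)
            print(f"{name:14} {select.__name__:15} extra={extra} missing={missing}")
```

With the interleaved ordering, the slice hands BMC credentials to a worker and omits a master, while the role-based selection is unaffected by order.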

@andfasano
Member

/approve

@openshift-ci

openshift-ci Bot commented Apr 23, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andfasano

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 23, 2026
@fracappa fracappa force-pushed the fca/fix-fencing-credentials-masters-only branch from f95f786 to fbb93f9 Compare April 23, 2026 13:39
The agent install config-template iterated over all BMH nodes when generating fencing credentials. With NUM_WORKERS now customizable in TNA/TNF scenario, this produces credentials for worker nodes too, causing install validation failures.
@fracappa fracappa force-pushed the fca/fix-fencing-credentials-masters-only branch from 9420ac8 to 5e32a77 Compare April 23, 2026 14:27