Fix rotate_app_creds YAML parsing when from_yaml returns a list #19
Open
tusharjadhav3302 wants to merge 2 commits into
The clouds.yaml stored in the OCP secret starts with '---' (from to_nice_yaml), causing from_yaml to return a list instead of a dict. Strip the document separator before piping to the secret and handle both list/dict cases when parsing the verification readback.

OSPRH-6485

Co-authored-by: Cursor <cursoragent@cursor.com>
…late (PR #20)

Cherry-picked from fix-omit-leak-install-config branch to unblock CI. Without this fix, openshift-install fails immediately with:

"platform.openstack.controlPlanePort.fixedIPs[0].subnet.id: Invalid value: __omit_place_holder__...: invalid subnet ID"

The omit sentinel leaks because default(omit) only works in Ansible module parameters, not in vars passed to ansible.builtin.template. This fix uses empty defaults and truthiness checks instead.

OCPBUGS-95045

Co-authored-by: Cursor <cursoragent@cursor.com>
imatza-rh (Contributor) reviewed Jul 1, 2026:
lgtm. Two things, please:
- Rebase on main - #20 is merged, so the cherry-picked install-config commit is already on main. A rebase should drop it cleanly.
- Testing - could you check the test plan boxes or link a CI run showing the rotation succeeds with the fix?
Summary
Fix the rotate_app_creds day2ops procedure failing at the credential verification step with:
'list object' has no attribute 'clouds'

Why
The to_nice_yaml(indent=4) filter prepends ---\n to the clouds.yaml content. When this content is piped into the OCP openstack-credentials secret via oc set data, the secret stores the YAML document separator. On readback, Ansible's from_yaml interprets the '---'-prefixed content as a multi-document YAML and returns a list (with one element) instead of a dict.

The verification assert then fails because it expects ocp_creds.clouds.openstack.auth_type but ocp_creds is a list, not a mapping.

What failed
Task: Verify credentials rotated to application credentials

Error from Zuul job (shiftstack-rhel9-rhoso18.0-ocp421, Jun 30):
The conditional check 'ocp_creds.clouds.openstack.auth_type == 'v3applicationcredential'' failed. The error was: error while evaluating conditional (ocp_creds.clouds.openstack.auth_type == 'v3applicationcredential'): 'list object' has no attribute 'clouds'. 'list object' has no attribute 'clouds'

Note: The credential rotation itself succeeds — the secret IS correctly updated. Only the verification readback parsing fails.

How
Two fixes applied to rotate_app_creds.yml:
1. Prevention — strip --- before writing to the secret:
2. Defensive parsing — handle both list and dict from from_yaml:

Test Plan
- oc get secret -n kube-system openstack-credentials content has no leading ---
- ocp_creds correctly parsed as dict with auth_type: v3applicationcredential

References
Bug: https://redhat.atlassian.net/browse/OCPBUGS-95045
Parent feature: https://redhat.atlassian.net/browse/OSPRH-6485
Failing job: shiftstack-rhel9-rhoso18.0-ocp421 periodic run (Jun 30, 2026)
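
The two measures described in this PR (strip the leading document separator, accept either a list or a dict on readback), sketched in Python as an added example that is not code from the PR or the project. The function names and sample data are assumptions made for illustration; the verification fails closed when the parsed result is not exactly one mapping.

```python
import re

APP_CRED = "v3applicationcredential"

# A leading YAML document-start marker: '---' alone on the first line,
# optionally after a BOM and optionally followed by a comment.
_DOC_START = re.compile(r"\A\ufeff?---[ \t]*(?:#[^\n]*)?\r?\n")

def strip_document_start(text):
    """Remove one leading '---' line; separators later in the text are kept."""
    return _DOC_START.sub("", text, count=1)

def as_mapping(parsed):
    """Return the single mapping from a parser result that is a dict or a list."""
    if isinstance(parsed, dict):
        return parsed
    if isinstance(parsed, list):
        docs = [d for d in parsed if d is not None]  # ignore empty documents
        if len(docs) == 1 and isinstance(docs[0], dict):
            return docs[0]
        # Several documents or a non-mapping: refuse rather than pick one.
        raise ValueError("expected exactly one YAML mapping in the parsed result")
    raise ValueError("expected a mapping, got %s" % type(parsed).__name__)

def uses_app_credential(parsed, cloud="openstack"):
    """True only if clouds.<cloud>.auth_type is v3applicationcredential."""
    clouds = as_mapping(parsed).get("clouds")
    entry = clouds.get(cloud) if isinstance(clouds, dict) else None
    return isinstance(entry, dict) and entry.get("auth_type") == APP_CRED

# Constructed sample data (not taken from the PR or from any real cluster).
SAMPLE_TEXT = "---\nclouds:\n    openstack:\n        auth_type: v3applicationcredential\n"
SAMPLE_DICT = {"clouds": {"openstack": {"auth_type": APP_CRED}}}

if __name__ == "__main__":
    print(repr(strip_document_start(SAMPLE_TEXT)))
    # The same check passes whether the parser returned a dict or a one-element list.
    print(uses_app_credential(SAMPLE_DICT), uses_app_credential([SAMPLE_DICT]))
```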