-
Notifications
You must be signed in to change notification settings - Fork 241
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Validating Webhook for BareMetalHost #855
Comments
|
@s3rj1k are you working on it? |
@ardaguclu No, just watching issue for updates |
/assign @ardaguclu |
We had some discussion on this - it is valid to change this in some cases, for example if you deploy via virtualmedia it can potentially work with any MAC on the system, but if you later want to deploy via PXE (or as we're doing downstream, derive the provisioning-network NIC from this MAC) then it must be the correct nic. There are reported cases e.g https://bugzilla.redhat.com/show_bug.cgi?id=2000081 of this being configured wrongly but deployment still succeeding, in which case it's likely we'd want to enable patching of the bootMACAddress to some other value (but we could still e.g validate that it's a valid mac for the system by comparing with the status.hardware data) |
Changing from virtualmedia->PXE means changing the driver, so it also means a new BMC address (which is never safe).
Validating against the HardwareDetails is not a bad idea, but as it stands that would mean the user is effectively free to change it, since if they can change the boot MAC they can also change the HardwareDetails. |
Ok, but what if a non-integrated NIC gets replaced - should we force a user to redeploy, or to defer updating the BMH until some later date when redeploy is needed (and probably the NIC replacement is forgotten...)? IMO it's more logical to relax this validation and allow them to patch the bootMACAddress, but with some validation to prevent completely-wrong values?
They could only change it with the inspect annotation right? In which case they have to explicitly disable inspection, so I think it's reasonable to say users get to keep the pieces if they do that, we can only validate against the HardwareDetails we have, so it's up to the user to provide correct data (or use the default path where we collect it)? |
Forgot the HardwareDetails is in the Status, not the Spec. That's probably a reasonable trade-off then, although I'm not sure how it helps if the NIC is replaced. The main thing we want to prevent is switching the MAC to point to some other host so that things get messed up in the ironic DB. |
Hmm, yeah that's true, they'd have to patch the status (either the hacky way, or via the inspect annotation)
That would be enough to help with the downstream case mentioned, although clearly that's not directly relevant to BMO, and may have be rethought if we're not comfortable with the pattern of consuming bootMACAddress to identify the provisioning NIC. |
/assign @demonCoder95 |
I'm going to take a stab at the last 2 validations related to RAID. @zaneb PR coming up soon. |
/help |
@Rozzii: Please ensure the request meets the requirements listed here. If this request no longer meets these requirements, the label can be removed In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with /lifecycle stale |
/remove-lifecycle stale |
/lifecycle frozen |
/unassign @demonCoder95 |
/remove-lifecycle frozen |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with /lifecycle stale |
/lifecycle frozen |
There's a number of values or changes in a BMH Spec that we know are invalid, but that we don't prevent the user from commiting. A validating webhook would allow us to reject these values synchronously before the CR is written, thus relieving both us and the user from asynchronous error reporting.
This bug will serve as a place to record known invalid configs that should be checked by a webhook, until such time as it is implemented.
[A-Za-z0-9~._-]
~
(used in ironic Node name to separate name + namespace)live-iso
used with non-virtualmedia driverphysicalDisks
specified withoutcontroller
numberOfPhysicalDisks
andphysicalDisks
specifiedThe text was updated successfully, but these errors were encountered: