Fix default(omit) placeholder leak in install-config template#20
Merged
Conversation
OSPRH-6485 Co-authored-by: Cursor <cursoragent@cursor.com>
tusharjadhav3302
added a commit
that referenced
this pull request
Jul 1, 2026
…late (PR #20) Cherry-picked from fix-omit-leak-install-config branch to unblock CI. Without this fix, openshift-install fails immediately with: "platform.openstack.controlPlanePort.fixedIPs[0].subnet.id: Invalid value: __omit_place_holder__...: invalid subnet ID" The omit sentinel leaks because default(omit) only works in Ansible module parameters, not in vars passed to ansible.builtin.template. This fix uses empty defaults and truthiness checks instead. OCPBUGS-95045 Co-authored-by: Cursor <cursoragent@cursor.com>
imatza-rh
approved these changes
Jul 1, 2026
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Commit
09f3777(merged via PR #16) introduced| default(omit)invars:passed toansible.builtin.templatefor IPI install-config generation. However,default(omit)only works in Ansible module parameters — when used in templatevars, Ansible does not intercept the omit sentinel and passes the raw__omit_place_holder__...string through to Jinja2.Any job that does not define
ocp_deployment_topology.machines_subnet(e.g.osp_verification.yaml) hits this because:machines_subnet_idis never setdefault(omit)leaks the sentinel string into the template variableis definedtest returnstrue(the variable is defined — it just holds garbage)machinesSubnet: __omit_place_holder__...This causes
openshift-install create clusterto fail with:platform.openstack.controlPlanePort.fixedIPs[0].subnet.id: Invalid value: "omit_place_holder...": invalid subnet ID: must be a UUIDv4The same class of bug affects
installcfg_additional_trust_bundle, which would leak the sentinel into theadditionalTrustBundleblock when no CA cert file exists.What
ipi_install_config.yml— template task vars:installcfg_machines_subnetdefault(omit)default('')installcfg_additional_trust_bundledefault(omit)default([])install-config-ipi.yaml.j2— Jinja2 conditionals:machinesSubnetinstallcfg_machines_subnet is definedinstallcfg_machines_subnet(truthiness)externalDNSinstallcfg_machines_subnet is not definednot installcfg_machines_subnetadditionalTrustBundleinstallcfg_additional_trust_bundle is definedinstallcfg_additional_trust_bundle(truthiness)How
Instead of relying on
omit(which is intercepted only at the module-parameter level), we default to the type-appropriate empty value (''for strings,[]for lists). The Jinja2 template then uses truthiness checks instead ofis defined— an empty string and an empty list are both falsy in Jinja2, so the conditional blocks are correctly skipped when the upstream variable is absent.Validation
ansible-lint: Passed with 0 failures, 0 warnings (
productionprofile)Scenario 1 —
machines_subnet_idundefined (simulatesosp_verification.yaml):machinesSubnetline correctly absent from rendered output__omit_place_holder__leakexternalDNScorrectly presentadditionalTrustBundlecorrectly absentScenario 2 —
machines_subnet_id= valid UUID:machinesSubnet: a1b2c3d4-e5f6-7890-abcd-ef1234567890correctly renderedexternalDNScorrectly absent (mutually exclusive withmachinesSubnet)additionalTrustBundlecorrectly rendered with cert linesReferences
09f3777(PR Add telco NFV day2ops procedures and IPI configuration for shiftstack #16)