Fix default(omit) placeholder leak in install-config template #20

Merged: eshulman2 merged 1 commit into main from fix-omit-leak-install-config on Jul 1, 2026

@tusharjadhav3302

Contributor

Why

Commit 09f3777 (merged via PR #16) introduced | default(omit) in vars: passed to ansible.builtin.template for IPI install-config generation. However, default(omit) only works in Ansible module parameters — when used in template vars, Ansible does not intercept the omit sentinel and passes the raw __omit_place_holder__... string through to Jinja2.

Any job that does not define ocp_deployment_topology.machines_subnet (e.g. osp_verification.yaml) hits this because:

  1. machines_subnet_id is never set
  2. default(omit) leaks the sentinel string into the template variable
  3. Jinja2's is defined test returns true (the variable is defined — it just holds garbage)
  4. The template renders machinesSubnet: __omit_place_holder__...

This causes openshift-install create cluster to fail with:
platform.openstack.controlPlanePort.fixedIPs[0].subnet.id: Invalid value: "__omit_place_holder__...": invalid subnet ID: must be a UUIDv4

The same class of bug affects installcfg_additional_trust_bundle, which would leak the sentinel into the additionalTrustBundle block when no CA cert file exists.

What

ipi_install_config.yml — template task vars:

| Variable | Before | After |
|---|---|---|
| installcfg_machines_subnet | default(omit) | default('') |
| installcfg_additional_trust_bundle | default(omit) | default([]) |

install-config-ipi.yaml.j2 — Jinja2 conditionals:

| Condition | Before | After |
|---|---|---|
| Render machinesSubnet | installcfg_machines_subnet is defined | installcfg_machines_subnet (truthiness) |
| Render externalDNS | installcfg_machines_subnet is not defined | not installcfg_machines_subnet |
| Render additionalTrustBundle | installcfg_additional_trust_bundle is defined | installcfg_additional_trust_bundle (truthiness) |

How

Instead of relying on omit (which is intercepted only at the module-parameter level), we default to the type-appropriate empty value ('' for strings, [] for lists). The Jinja2 template then uses truthiness checks instead of is defined — an empty string and an empty list are both falsy in Jinja2, so the conditional blocks are correctly skipped when the upstream variable is absent.

Validation

  • ansible-lint: Passed with 0 failures, 0 warnings (production profile)

  • Scenario 1: machines_subnet_id undefined (simulates osp_verification.yaml):

    • machinesSubnet line correctly absent from rendered output
    • No __omit_place_holder__ leak
    • externalDNS correctly present
    • additionalTrustBundle correctly absent
  • Scenario 2: machines_subnet_id = valid UUID:

    • machinesSubnet: a1b2c3d4-e5f6-7890-abcd-ef1234567890 correctly rendered
    • externalDNS correctly absent (mutually exclusive with machinesSubnet)
    • additionalTrustBundle correctly rendered with cert lines

References

OSPRH-6485

Co-authored-by: Cursor <cursoragent@cursor.com>
tusharjadhav3302 added the ready-for-review label (PR is ready for code review) on Jul 1, 2026
tusharjadhav3302 added a commit that referenced this pull request Jul 1, 2026
…late (PR #20)

Cherry-picked from fix-omit-leak-install-config branch to unblock CI.
Without this fix, openshift-install fails immediately with:
  "platform.openstack.controlPlanePort.fixedIPs[0].subnet.id:
   Invalid value: __omit_place_holder__...: invalid subnet ID"

The omit sentinel leaks because default(omit) only works in Ansible
module parameters, not in vars passed to ansible.builtin.template.
This fix uses empty defaults and truthiness checks instead.

OCPBUGS-95045

Co-authored-by: Cursor <cursoragent@cursor.com>
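
A post-render guard for the failure described in this PR, as an added example that is not part of the PR or the repository: it scans a rendered install-config for the __omit_place_holder__ prefix, checks that machinesSubnet parses as a UUID, and checks that exactly one of machinesSubnet and externalDNS is present. The function name, the line-based parsing and both sample documents are assumptions constructed for illustration.

```python
import re
import uuid

OMIT_PREFIX = "__omit_place_holder__"  # sentinel prefix quoted in the PR
KEY_LINE = re.compile(r"^\s*(?:-\s+)?([A-Za-z_]\w*)\s*:\s*(.*?)\s*$")


def audit_install_config(rendered):
    """Return a list of findings for a rendered install-config; empty means clean."""
    findings, seen, key = [], set(), None
    for number, line in enumerate(rendered.splitlines(), start=1):
        match = KEY_LINE.match(line)
        value = None
        if match:
            # A new "key: value" line; lines without one (block-scalar bodies,
            # list items) stay attributed to the most recent key above them.
            key, value = match.group(1), match.group(2).strip("'\"")
            seen.add(key)
        if OMIT_PREFIX in line:
            findings.append(f"line {number}: omit sentinel leaked under '{key}'")
        elif key == "machinesSubnet" and value is not None:
            try:
                uuid.UUID(value)  # shape check only, not the installer's validation
            except ValueError:
                findings.append(f"line {number}: machinesSubnet is not a UUID")
    # The template renders machinesSubnet or externalDNS, never both or neither.
    if ("machinesSubnet" in seen) == ("externalDNS" in seen):
        findings.append("expected exactly one of machinesSubnet / externalDNS")
    return findings


# Constructed samples, reduced to the keys this PR touches.
LEAKY = """\
platform:
  openstack:
    machinesSubnet: __omit_place_holder__0123abcd
additionalTrustBundle: |
  __omit_place_holder__0123abcd
"""
CLEAN = """\
platform:
  openstack:
    externalDNS:
      - 192.0.2.53
"""

if __name__ == "__main__":
    for name, sample in (("LEAKY", LEAKY), ("CLEAN", CLEAN)):
        print(name, audit_install_config(sample) or "ok")
```

Run against the generated file before openshift-install create cluster, the check fails the job at render time instead of at the installer's validation step.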