* agent/installconfig: Add two-node-with-fencing topology and refactor
two-node validation
* feat: add override for control plane fencing creds
Signed-off-by: ehila <ehila@redhat.com>
* Add TNF fencing credentials override test
* Update integration test with new validation result
* Update installer verification and tests to only allow URLs with redfish on them for Two Nodes with Fencing topology
* Update validation check for redfish
* Remove simultaneous dual replica feature set restriction
* Update fencing address validation to include port
* Update validation to disallow http
* Update and expand url validation tests
* Revert "Update validation to disallow http"
This reverts commit e9595a8d4f.
* Update variable name
* Update tests
* Add YAML tags to Credential struct for fencing
Add explicit yaml struct tags to the Credential type to ensure proper
YAML serialization with lowercase field names (e.g., 'hostname' instead
of 'hostName'). This is required for the assisted-service to correctly
parse the fencing credentials file.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Add fencing credentials file generation for TNF clusters
Generate /etc/assisted/hostconfig/fencing-credentials.yaml containing
all fencing credentials from controlPlane.fencing.credentials[]. This
file is embedded in the agent ISO and consumed by assisted-service
during TNF cluster installation.
Key changes:
- Add OptionalInstallConfig to Ignition Dependencies()
- Add addFencingCredentials() function to generate the YAML file
- Call addFencingCredentials() in Generate() after NTP sources
- Add comprehensive unit tests for the new function
The single-file approach avoids directory naming collisions between
MAC-based host directories and hostname-based fencing credentials.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Revert fencing credentials override
The fencing credentials are now passed to assisted-service via the
hostconfig/fencing-credentials.yaml file embedded in the ISO, making
the install-config annotation override unnecessary.
This reverts commits:
- 105b3c95c9 Add TNF fencing credentials override test
- a06d1a766b feat: add override for control plane fencing creds
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Improve fencing credentials test coverage
Enhance TestIgnition_addFencingCredentials with:
- File owner verification (assert root ownership)
- Append behavior test with pre-existing files
- Fix misleading test name and add second credential to match
valid TNF configuration (2 credentials required)
- Remove unused expectError field from test struct
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Support vendor-specific redfish schemes in fencing validation
Vendor-specific redfish schemes like idrac-redfish:// and ilo5-redfish://
use HTTPS (port 443) by default, so they should be valid without an
explicit port number.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* unit tests: Add missing OptionalInstallConfig dependency in ignition test
The TestIgnition_Generate test was panicking because the
OptionalInstallConfig asset was missing from the test dependencies.
This caused dependencies.Get() to return a nil value when the
addFencingCredentials function tried to access it.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* agent: Refactor fencing credentials into standalone asset
Move fencing credentials generation from inline ignition.go code into a
proper FencingCredentials asset following the installer's asset pattern.
This refactor:
- Creates pkg/asset/agent/manifests/fencingcredentials.go as a
WritableAsset with Dependencies, Generate, Files, and Load methods
- Adds comprehensive unit tests in fencingcredentials_test.go
- Integrates FencingCredentials into AgentManifests dependency graph
- Removes addFencingCredentials() from ignition.go
- Adds positive integration test for TNF with fencing credentials
- Changes output path from /etc/assisted/hostconfig/ to
/etc/assisted/manifests/ (standard manifests location)
The asset automatically returns empty Files() for non-TNF clusters,
so no fencing-credentials.yaml is generated unless fencing is configured.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* agent: Improve fencing credentials code quality
- Add explicit YAML library aliasing for clarity (goyaml for marshal,
k8syaml for unmarshal) with documentation explaining why different
libraries are used for each operation
- Improve error message to include credential count for debugging
- Add test case for empty fencing credentials array
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* agent: Fix CI failures for gofmt and integration tests
- Add blank line between k8s.io and github.com/openshift import groups
in ignition_test.go to satisfy gci formatting requirements
- Add featureSet: TechPreviewNoUpgrade to tnf_with_fencing_credentials
integration test to enable the DualReplica feature gate required for
TNF fencing configuration
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* agent: Move fencing credentials to agentconfig package
FencingCredentials is a host-scoped configuration asset, not a
cluster-scoped manifest. Moving it from manifests/ to agentconfig/
aligns with the package's purpose and follows the pattern used by
other host configuration assets like AgentHosts.
This change also updates ignition.go to import from the new location
and removes the now-unused fencing credentials from agent.go manifests.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* agent: Add FencingCredentials to ignition test dependencies
The TestIgnition_Generate test was failing with a panic because the
FencingCredentials asset was added as a dependency to Ignition.Generate()
but wasn't included in the test's buildIgnitionAssetDefaultDependencies()
helper function.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* agent: Fix fencing credentials path in integration test
The integration test expected the fencing credentials file at
/etc/assisted/manifests/ but assisted-service reads it from
/etc/assisted/hostconfig/ (HOST_CONFIG_DIR default). The installer
correctly embeds the file at hostconfig/, so the test expectation
was wrong.
Changed test path from manifests to hostconfig to match both the
installer implementation and assisted-service expectations.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* agent: Add nolint directive for gosec G101 false positive
The gosec linter flags fencingCredentialsFilename as "potential
hardcoded credentials" (G101) because the variable name contains
"credentials". This is a false positive - the variable contains
a filename string, not actual credentials.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* agent: Fix expected YAML field order in TNF integration test
The expected fencing-credentials.yaml had fields in a different order
than the actual YAML serialization output. Updated the expected file
to match the actual field order: hostname, username, password, address,
certificateVerification.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Signed-off-by: ehila <ehila@redhat.com>
Co-authored-by: ehila <ehila@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
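As an added illustration, not the installer's own code, the following Go validator applies the fencing-address rules the commits above describe (redfish-only schemes, a required port except for vendor-specific schemes such as idrac-redfish and ilo5-redfish, http variants still allowed, exactly two credentials for a two-node cluster). The function names, the string types of the Credential fields and the rule that any scheme not starting with "redfish" counts as vendor-specific are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Credential mirrors the fencing-credentials.yaml fields named in the commit log (string types assumed).
type Credential struct {
	HostName                string `yaml:"hostname"`
	Username                string `yaml:"username"`
	Password                string `yaml:"password"`
	Address                 string `yaml:"address"`
	CertificateVerification string `yaml:"certificateVerification"`
}

// ValidateFencingAddress requires a redfish scheme (http variants stay allowed), a host,
// and an explicit port unless the scheme is vendor-specific (idrac-redfish, ilo5-redfish),
// which defaults to HTTPS/443. Treating any non-"redfish"-prefixed scheme as vendor-specific is an assumption.
func ValidateFencingAddress(address string) error {
	u, err := url.Parse(address)
	if err != nil {
		return fmt.Errorf("invalid fencing address %q: %w", address, err)
	}
	scheme := strings.ToLower(u.Scheme)
	if !strings.Contains(scheme, "redfish") {
		return fmt.Errorf("fencing address %q: %q is not a redfish scheme", address, u.Scheme)
	}
	if u.Hostname() == "" {
		return fmt.Errorf("fencing address %q: host is required", address)
	}
	if u.Port() == "" && strings.HasPrefix(scheme, "redfish") {
		return fmt.Errorf("fencing address %q: explicit port required for scheme %q", address, u.Scheme)
	}
	return nil
}

// ValidateFencingCredentials enforces the two-credential requirement and validates every address.
func ValidateFencingCredentials(creds []Credential) error {
	if len(creds) != 2 {
		return fmt.Errorf("two-node fencing requires exactly 2 credentials, got %d", len(creds))
	}
	for i, c := range creds {
		if err := ValidateFencingAddress(c.Address); err != nil {
			return fmt.Errorf("credentials[%d]: %w", i, err)
		}
	}
	return nil
}

func main() { fmt.Println(ValidateFencingAddress("redfish://10.0.0.1/redfish/v1/Systems/1")) }
```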
Custom DNS (userProvisionedDNS) is not supported on Azure Stack Hub. This
change adds validation to prevent users from setting userProvisionedDNS on
Azure Stack Hub.
** While the regional support is valid, we will not be using this in openshift. Regional support
requires that each api have its own endpoint. Only one api is associated with an endpoint, and managing
this access will be difficult and unnecessary at this time.
pkg/types/gcp/machinepools.go:
Include the n4a instance type in the map as well as the (current) supported disk types:
- hyperdisk-balanced
pkg/asset/installconfig/gcp/validation.go:
Include n4a in the types of arm instance families.
* azure: validate cluster name against Azure reserved words
Azure prohibits the use of certain reserved words and trademarks
in resource names. This change adds validation to reject cluster
names containing any of the 43 reserved words documented by Azure,
preventing deployment failures with ReservedResourceName errors.
Reserved words checked include:
- Complete reserved words (40): AZURE, OFFICE, EXCHANGE, etc.
- Substring forbidden (2): MICROSOFT, WINDOWS
- Prefix forbidden (1): LOGIN
* update the checking logic on reserved words
* fix the gofmt issues
** Ensure that the feature is backwards compatible for original XPN cases. The new field
firewallRulesManagement is an explicit setting of whether the user has the firewall rules
or not. In old versions this did not exist but XPN installs did not need firewall rules.
Now we will default to checking permissions when no field value is provided. If the rules
do not exist, the rules management is set to unmanaged.
Set the default EBS volume type for machine pools:
- Controlplane, arbiter and worker pool default to gp3 volume.
- Edge pool default to gp2 volume.
The default decision is taken from existing code [0]. This commit just
makes the defaulting earlier.
This also loosens the validation to allow 0 for volume size and iops as
they are int type (i.e. not pointer).
Reference:
[0] fd5a518e49/pkg/asset/machines/worker.go (L102-L117)
GP3 volumes have the ability to configure throughput from 125 MiB/s to
2000 MiB/s. This allows the ability to set this at install time in the
install-config.
https://issues.redhat.com/browse/CORS-4212
This commit updates default value handling when loading the
install config to set values in machine pools based on the
defaultMachinePlatform.
By populating the values directly in the install config, we can
avoid repetitive checks throughout the codebase to ensure the
default machine platform is applied to the relevant machine pool.
GP3 volumes have the ability to configure throughput from 125 MiB/s to
2000 MiB/s. This allows the ability to set this at install time in the
install-config.
https://issues.redhat.com/browse/CORS-4212
pkg/types/gcp/platform.go:
Add FirewallManagementPolicy. The policy will indicate whether the cluster or user
will manage the firewall rules.
Add validation to ensure that a network is provided when the install config
is set to Unmanaged to FirewallManagement.
pkg/types/gcp/metadata.go:
Add the management policy to the metadata so that the bootstrap destroy process
knows whether to delete the bootstrap firewall rules or not.
Adding support to install multiple NAT gateways per subnet in
the specific zones they need to be in.
Also, allowing the users to bring their own subnets.
(NAT gateways on BYO subnets are not supported by CAPZ, it just
creates a dummy NAT gateway and doesn't attach it to the subnet).
** Remove the validation when the `endpoint` field is filled out in install-config.
The feature has been tested and the feature gate should no longer be required.
** Remove the test for the featuregate.
Wire in the internalDNSRecords API field to install-config so we can
disable the internal DNS records for deployments using a
user-managed loadbalancer.
Co-Authored-By: Claude <noreply@anthropic.com>
PowerVC is an OpenStack based cloud provider with some significant
differences. Since we can use the OpenStack provider for most of the
work, we will create a thin provider which will only handle the
differences.
Iff the intent of adding kubebuilder/DeepCopy code generation is to
enable these types to be used in CRD definitions, it stands to reason
that these CRDs should be usable in a k8s cluster. UniqueItem=true is
not permitted on CRDs for k8s.
This might be controversial because it relaxes validation requirements
Add validation to ensure failureDomain.Topology.Datacenter is listed
in the associated vCenter.Datacenters array. Previously, users could
specify a datacenter that wasn't in the vCenter's datacenters list,
which would only fail at runtime during installation.
This change provides early validation with a clear error message
indicating which vCenter's datacenters list is missing the entry.
Assisted by Claude.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>