Fix rotate_app_creds YAML parsing when from_yaml returns a list#19
Fix rotate_app_creds YAML parsing when from_yaml returns a list#19tusharjadhav3302 wants to merge 2 commits into
Conversation
imatza-rh
left a comment
There was a problem hiding this comment.
lgtm. Two things, please:
-
Rebase on main - #20 is merged, so the cherry-picked install-config commit is already on
main. A rebase should drop it cleanly. -
Testing - could you check the test plan boxes or link a CI run showing the rotation succeeds with the fix?
a04c57b to
9d8bbb0
Compare
|
On running the ansible playbook manually on a healthy shiftstack cluster over serval71 using the following command : The execution passes : The failing ansible task now shows passing : A zuul ci re-run is triggered for the ci-framework-testproject |
The clouds.yaml stored in the OCP secret starts with '---' (from to_nice_yaml), causing from_yaml to return a list instead of a dict. Strip the document separator before piping to the secret and handle both list/dict cases when parsing the verification readback. OSPRH-6485 Co-authored-by: Cursor <cursoragent@cursor.com>
…sibility The previous from_yaml fix handled the list case but not the string case. The root cause is the jq + base64 pipeline returning unexpected content. Switch to oc get -o jsonpath for reliable raw value extraction, add debug output to diagnose future parsing issues, and improve the assert to show actual values on failure. OCPBUGS-95045 Co-authored-by: Cursor <cursoragent@cursor.com>
9d8bbb0 to
d38cd8f
Compare
Summary
Fix the
rotate_app_credsday2ops procedure failing at the credential verification step with:'list object' has no attribute 'clouds'Why
The
to_nice_yaml(indent=4)filter prepends---\nto the clouds.yaml content. When this content is piped into the OCPopenstack-credentialssecret viaoc set data, the secret stores the YAML document separator. On readback, Ansible'sfrom_yamlinterprets the----prefixed content as a multi-document YAML and returns a list (with one element) instead of a dict.The verification assert then fails because it expects
ocp_creds.clouds.openstack.auth_typebutocp_credsis a list, not a mapping.What failed
Task:
Verify credentials rotated to application credentialsError from Zuul job (shiftstack-rhel9-rhoso18.0-ocp421, Jun 30):
The conditional check 'ocp_creds.clouds.openstack.auth_type == 'v3applicationcredential'' failed. The error was: error while evaluating conditional (ocp_creds.clouds.openstack.auth_type == 'v3applicationcredential'): 'list object' has no attribute 'clouds'. 'list object' has no attribute 'clouds'Note: The credential rotation itself succeeds — the secret IS correctly updated. Only the verification readback parsing fails.
How
Two fixes applied to
rotate_app_creds.yml:1. Prevention — strip
---before writing to the secret:2. Defensive parsing — handle both list and dict from from_yaml:
Test Plan
oc get secret -n kube-system openstack-credentialscontent has no leading---ocp_credscorrectly parsed as dict withauth_type: v3applicationcredentialReferences
Bug: https://redhat.atlassian.net/browse/OCPBUGS-95045
Parent feature: https://redhat.atlassian.net/browse/OSPRH-6485
Failing job: shiftstack-rhel9-rhoso18.0-ocp421 periodic run (Jun 30, 2026)