From 2608fd1b8bc578911a9fcd11335ae6e4fd377e45 Mon Sep 17 00:00:00 2001
From: tusharjadhav3302
Date: Wed, 1 Jul 2026 10:38:07 +0530
Subject: [PATCH 1/2] Fix rotate_app_creds YAML parsing when from_yaml returns a list

The clouds.yaml stored in the OCP secret starts with '---' (from to_nice_yaml), causing from_yaml to return a list instead of a dict. Strip the document separator before piping to the secret and handle both list/dict cases when parsing the verification readback.
OSPRH-6485
Co-authored-by: Cursor
---
 .../roles/day2ops/tasks/procedures/rotate_app_creds.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/collection/stages/roles/day2ops/tasks/procedures/rotate_app_creds.yml b/collection/stages/roles/day2ops/tasks/procedures/rotate_app_creds.yml
index b07fcd88..f2cc28a7 100644
--- a/collection/stages/roles/day2ops/tasks/procedures/rotate_app_creds.yml
+++ b/collection/stages/roles/day2ops/tasks/procedures/rotate_app_creds.yml
@@ -13,7 +13,7 @@
 - name: Rotate OpenShift Cloud Credentials
 ansible.builtin.shell: |
 set -o pipefail && \
- cat {{ clouds_yaml_file_path }} | sed 's/{{ user_cloud }}:/openstack:/' | \
+ cat {{ clouds_yaml_file_path }} | sed '/^---$/d' | sed 's/{{ user_cloud }}:/openstack:/' | \
 oc set data -n kube-system secret/openstack-credentials clouds.yaml=-
 environment:
 KUBECONFIG: "{{ kubeconfig }}"
@@ -29,8 +29,10 @@
 changed_when: false

 - name: Parse OCP credentials
+ vars:
+ parsed_yaml: "{{ ocp_creds_output.stdout | from_yaml }}"
 ansible.builtin.set_fact:
- ocp_creds: "{{ ocp_creds_output.stdout | from_yaml }}"
+ ocp_creds: "{{ (parsed_yaml is mapping) | ternary(parsed_yaml, parsed_yaml[0]) }}"

 - name: Verify credentials rotated to application credentials
 ansible.builtin.assert:
From d38cd8ffce1fb5b85fbcc644de0902c704241379 Mon Sep 17 00:00:00 2001
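Review bot: On the added `cat … | sed '/^---$/d' | …` line of the first hunk, the filter deletes every line that is exactly `---`, not only the leading document marker the commit describes, so a file holding more than one YAML document would be silently merged into one before it is stored in the secret. Restricting the deletion to the first line, `sed '1{/^---$/d;}'`, keeps the fix scoped to that case. The same line interpolates `{{ clouds_yaml_file_path }}` unquoted into the shell; `{{ clouds_yaml_file_path | quote }}` would keep a path containing spaces or shell metacharacters from being reinterpreted.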
From: tusharjadhav3302
Date: Thu, 2 Jul 2026 10:43:53 +0530
Subject: [PATCH 2/2] Fix parsing: use jsonpath for secret read, add debug output for CI visibility

The previous from_yaml fix handled the list case but not the string case. The root cause is the jq + base64 pipeline returning unexpected content. Switch to oc get -o jsonpath for reliable raw value extraction, add debug output to diagnose future parsing issues, and improve the assert to show actual values on failure.
OCPBUGS-95045
Co-authored-by: Cursor
---
 .../tasks/procedures/rotate_app_creds.yml | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/collection/stages/roles/day2ops/tasks/procedures/rotate_app_creds.yml b/collection/stages/roles/day2ops/tasks/procedures/rotate_app_creds.yml
index f2cc28a7..65b10d7a 100644
--- a/collection/stages/roles/day2ops/tasks/procedures/rotate_app_creds.yml
+++ b/collection/stages/roles/day2ops/tasks/procedures/rotate_app_creds.yml
@@ -10,15 +10,24 @@
 name: shiftstack.stages.prepare
 tasks_from: app_creds.yml

-- name: Rotate OpenShift Cloud Credentials
+- name: Create clouds.yaml copy with cloud renamed for OCP secret
 ansible.builtin.shell: |
 set -o pipefail && \
- cat {{ clouds_yaml_file_path }} | sed '/^---$/d' | sed 's/{{ user_cloud }}:/openstack:/' | \
- oc set data -n kube-system secret/openstack-credentials clouds.yaml=-
+ cat {{ clouds_yaml_file_path }} | sed '/^---$/d' | sed 's/{{ user_cloud }}:/openstack:/' > /tmp/clouds_for_ocp.yaml
+ changed_when: false
+
+- name: Rotate OpenShift Cloud Credentials
+ ansible.builtin.shell: |
+ oc set data -n kube-system secret/openstack-credentials clouds.yaml="$(cat /tmp/clouds_for_ocp.yaml)"
 environment:
 KUBECONFIG: "{{ kubeconfig }}"
 changed_when: true

+- name: Clean up temporary file
+ ansible.builtin.file:
+ path: /tmp/clouds_for_ocp.yaml
+ state: absent
+
 - name: Get OpenStack Credentials from OCP cluster
 ansible.builtin.shell: |
 set -o pipefail && \
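Review bot: The renamed clouds.yaml, which carries the application credential, is written by shell redirect to the fixed path `/tmp/clouds_for_ocp.yaml`, so it is created with the default umask under a predictable name in a shared directory. It is also left behind whenever the rotate task fails, because the cleanup task is not in an `always:` section. The new rotate command passes the file contents on the `oc` command line via `"$(cat …)"`, which exposes the secret in the process list and, if `cat` fails, still runs `oc set data` with an empty value for `clouds.yaml`. A private file from `ansible.builtin.tempfile`, `--from-file=clouds.yaml=<path>` instead of command substitution, and a `block`/`always` pair for the cleanup would close all three gaps, as sketched below. The `Get OpenStack Credentials from OCP cluster` task at the end of the hunk continues outside it.

```yaml
- name: Rotate OpenShift Cloud Credentials
  block:
    - name: Create private temporary file for the renamed clouds.yaml
      ansible.builtin.tempfile:
        state: file
        suffix: .clouds.yaml
      register: clouds_for_ocp

    - name: Create clouds.yaml copy with cloud renamed for OCP secret
      ansible.builtin.shell: |
        set -o pipefail && \
        cat {{ clouds_yaml_file_path }} | sed '/^---$/d' | sed 's/{{ user_cloud }}:/openstack:/' > {{ clouds_for_ocp.path | quote }}
      changed_when: false

    - name: Update the secret from the file, not from argv
      ansible.builtin.command: >-
        oc set data -n kube-system secret/openstack-credentials
        --from-file=clouds.yaml={{ clouds_for_ocp.path }}
      # … unchanged: environment (KUBECONFIG) and changed_when: true …
  always:
    - name: Clean up temporary file
      ansible.builtin.file:
        path: "{{ clouds_for_ocp.path }}"
        state: absent
      when: clouds_for_ocp.path is defined
```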
@@ -29,10 +38,8 @@
 changed_when: false

 - name: Parse OCP credentials
- vars:
- parsed_yaml: "{{ ocp_creds_output.stdout | from_yaml }}"
 ansible.builtin.set_fact:
- ocp_creds: "{{ ocp_creds_output.stdout | from_yaml }}"
+ ocp_creds: "{{ ocp_creds_output.stdout | from_yaml }}"

 - name: Verify credentials rotated to application credentials
 ansible.builtin.assert:
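Review bot: After this hunk `ocp_creds` is again the raw result of `from_yaml` with no type check, so a list or plain string from the readback reaches the following assert unvalidated; adding `ocp_creds is mapping` as the first condition of that assert would make the failure explicit. The description mentions a jsonpath readback, debug output and a more verbose assert, but the two hunks of this patch account for all 13 insertions and 6 deletions in the diffstat and contain none of them. If those changes follow separately, `ocp_creds_output.stdout` presumably holds the decoded credentials, so `no_log: true` on the readback and parse tasks, and debug output limited to types or key names, would keep the secret out of CI logs. The `Verify credentials rotated to application credentials` task is cut off at the end of the hunk.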