NO-JIRA: fix: use typed credentials key to support MAC-based fencing in ABI flow

[fracappa]

MAC-only fencing credentials were broken in the ABI path because loadFencingCredentials keyed all entries as plain strings, causing LoadHostConfigs to create hostname-based configs with MAC addresses as hostnames. Introduce credentialKey struct to distinguish hostname from MAC keys, skip hostname-config creation for MAC entries, and
add fencingConfigDir so MAC-matched configs find the credentials file in the parent directory.

This is a follow-up for PR #10385

List all the issues related to this PR

• New Feature
• Enhancement
• Bug fix
• Tests
• Documentation
• CI/CD

What environments does this code impact?

• Automation (CI, tools, etc)
• Cloud
• Operator Managed Deployments
• None

How was this code tested?

• assisted-test-infra environment
• dev-scripts environment
• Reviewer's test appreciated
• Waiting for CI to do a full test run
• Manual (Elaborate on how it was tested)
• No tests needed

Checklist

• Title and description added to both, commit and PR.
• Relevant issues have been associated (see CONTRIBUTING guide)
• This change does not require a documentation update (docstring, docs, README, etc)
• Does this change include unit-tests (note that code changes require unit-tests)

Reviewers Checklist

• Are the title and description (in both PR and commit) meaningful and clear?
• Is there a bug required (and linked) for this change?
• Should this PR be backported?

Summary by CodeRabbit

• Bug Fixes

  • Improved fencing credential handling to correctly distinguish hostname-based versus MAC-based credentials.
  • MAC-only credentials are no longer converted into hostname configurations, and the correct credential source is used for MAC matches.
  • Updated credential application behavior to respect the correct precedence when both hostname and MAC fields are present.
  • Enhanced log messages to clarify whether credentials were applied via hostname or MAC match.

• Tests

  • Expanded coverage for parsing, skipping invalid entries, precedence rules, and MAC-only application scenarios.

[openshift-ci-robot]

@fracappa: This pull request explicitly references no jira issue.

Details

In response to this:

MAC-only fencing credentials were broken in the ABI path because loadFencingCredentials keyed all entries as plain strings, causing LoadHostConfigs to create hostname-based configs with MAC addresses as hostnames. Introduce credentialKey struct to distinguish hostname from MAC keys, skip hostname-config creation for MAC entries, and
add fencingConfigDir so MAC-matched configs find the credentials file in the parent directory.

This is a follow-up for PR #10385

List all the issues related to this PR

• New Feature
• Enhancement
• Bug fix
• Tests
• Documentation
• CI/CD

What environments does this code impact?

• Automation (CI, tools, etc)
• Cloud
• Operator Managed Deployments
• None

How was this code tested?

• assisted-test-infra environment
• dev-scripts environment
• Reviewer's test appreciated
• Waiting for CI to do a full test run
• Manual (Elaborate on how it was tested)
• No tests needed

Checklist

• Title and description added to both, commit and PR.
• Relevant issues have been associated (see CONTRIBUTING guide)
• This change does not require a documentation update (docstring, docs, README, etc)
• Does this change include unit-tests (note that code changes require unit-tests)

Reviewers Checklist

• Are the title and description (in both PR and commit) meaningful and clear?
• Is there a bug required (and linked) for this change?
• Should this PR be backported?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f6b45589-f745-4263-a2fd-bab09327e190

📥 Commits

Reviewing files that changed from the base of the PR and between 9f49f50 and ce5d969.

📒 Files selected for processing (2)

• cmd/agentbasedinstaller/host_config.go
• cmd/agentbasedinstaller/host_config_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• cmd/agentbasedinstaller/host_config.go
• cmd/agentbasedinstaller/host_config_test.go

---

Walkthrough

Fencing credential handling is refactored from a plain map[string] keyed by hostname to a typed map[credentialKey] that distinguishes hostname vs MAC credentials. loadFencingCredentials, LoadHostConfigs, the hostConfig struct, FencingCredentials() lookup, and all test assertions are updated to use typed keys throughout the credential flow. MAC-only credentials are now supported and no longer generate hostname-based configs.

Changes

Typed Fencing Credential Key Refactor

Layer / File(s)	Summary
Credential key type definition cmd/agentbasedinstaller/host_config.go	Introduces credentialKeyType string type, hostnameKeyType and macKeyType constants, and a credentialKey struct with keyType and value fields.
Parse fencing credentials with typed keys cmd/agentbasedinstaller/host_config.go, cmd/agentbasedinstaller/host_config_test.go	loadFencingCredentials returns map[credentialKey]*models.FencingCredentialsParams, reworks parsing to derive typed keys from hostname or MAC while skipping empty entries, updates the loaded-credential log message, and test assertions are updated for all parsing scenarios including optional fields, duplicates, MAC-only, mixed, and precedence cases.
Host config structure and credential-filtered generation cmd/agentbasedinstaller/host_config.go, cmd/agentbasedinstaller/host_config_test.go	hostConfig gains fencingConfigDir field for MAC-based config credential directory. LoadHostConfigs sets fencingConfigDir when building MAC configs and filters hostname-config generation to hostname-keyed credentials only. New tests verify MAC-only credentials do not create hostname configs and are applied via MAC matching.
Credential lookup and application cmd/agentbasedinstaller/host_config.go	FencingCredentials() method selects credentials directory via fencingConfigDir, performs typed hostname and MAC address lookups by constructing credentialKey instances. applyFencingCredentials logging distinguishes hostname-based vs MAC-based application.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 2 warnings)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	The PR introduces logging of infrastructure hostnames and MAC addresses at lines 97, 285, 560, 566-567, 578, and 580. These are explicitly logged during fencing credential operations, potentially e...	Consider redacting or generalizing logged hostnames/MACs (e.g., log "hostname" or "MAC address" without the actual value), or move detailed logging to debug level only.
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	Test "should apply role from MAC config and fencing from hostname config" violates single responsibility by testing multiple unrelated behaviors: LoadHostConfigs loading, config matching, Role() be...	Split the test into separate It blocks: one for LoadHostConfigs behavior, one for findHostConfigs matching, one for Role() differentiation, and one for applyFencingCredentials behavior per config type.

✅ Passed checks (12 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main change: introducing typed credentials keys to fix MAC-based fencing support in the ABI flow.
Description check	✅ Passed	The description adequately covers the problem, solution, and context, with all key sections of the template properly filled out including issue classification and testing rationale.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All 72 Ginkgo test definitions (It, Describe, Context, When) use static, descriptive string literals with no dynamic content: no variable references, no string concatenation, no fmt.Sprintf, no UUI...
Microshift Test Compatibility	✅ Passed	These are unit tests (not e2e tests) running locally with temp directories and mock clients, containing no Kubernetes API calls, cluster interactions, or references to MicroShift-incompatible APIs.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Tests are unit tests for local credential file parsing, not e2e tests. They do not interact with running OpenShift clusters or assume multi-node/HA topology.
Topology-Aware Scheduling Compatibility	✅ Passed	PR changes only utility code for ABI credential/host config loading. No deployment manifests, operator code, pod scheduling constraints, node affinity, or topology-related scheduling logic introduced.
Ote Binary Stdout Contract	✅ Passed	PR modifies agentbasedinstaller package (not OTE binary); uses logrus logger to stderr; no fmt.Print* or stdout writes in process-level code.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The PR adds Ginkgo tests to host_config_test.go, but these are unit tests, not e2e tests. The custom check applies only to "new Ginkgo e2e tests"; unit tests testing local YAML parsing are not in s...
No-Weak-Crypto	✅ Passed	No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons found in the code changes.
Container-Privileges	✅ Passed	PR contains only Go source code changes (host_config.go and tests) for fencing credential handling; no container/K8s manifests or privilege-escalation configurations are present.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 44.34%. Comparing base (6b197f8) to head (ce5d969).
⚠️ Report is 91 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #10477      +/-   ##
==========================================
- Coverage   44.35%   44.34%   -0.01%     
==========================================
  Files         420      420              
  Lines       73068    73262     +194     
==========================================
+ Hits        32406    32486      +80     
- Misses      37730    37840     +110     
- Partials     2932     2936       +4     

Files with missing lines	Coverage Δ
cmd/agentbasedinstaller/host_config.go	48.98% <100.00%> (+1.52%)	⬆️

... and 16 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[fonta-rh]

Review: PR #10477 — Typed credentials key for MAC-based fencing in ABI flow

Reviewed the bug report, the fix, cross-repo compatibility (installer contract, CEO impact), and test coverage. The PR is correct — all three bugs from PR #10385 are real and properly fixed:

1. Untyped string keys → Fixed by credentialKey struct with explicit keyType discriminator. The old map[string] approach was the root cause — LoadHostConfigs couldn't distinguish hostname keys from MAC keys.
2. Bogus hostname configs from MAC keys → Fixed by skipping MAC-keyed entries in the hostname-config creation loop (line 361). Old behavior created phantom hostConfig{hostname: "aa:bb:cc:dd:ee:01"} entries that triggered misleading warnings and missingHost failures.
3. Wrong directory for fencing file → Fixed by fencingConfigDir field. MAC-based configs correctly resolve to the parent directory containing fencing-credentials.yaml instead of the per-host subdirectory.

The integration test (LoadHostConfigs with MAC-only fencing credentials) is the key addition — it covers the full pipeline that #10385 missed, and would have caught all three bugs.

Cross-repo compatibility verified: installer's yaml:"macaddress,omitempty" matches assisted-service's yaml:"macaddress". Both sides normalize MACs to lowercase. No CEO impact (ABI-only path).

One minor issue

host_config.go:284 — log.Infof("Adding fencing credentials for hostname %s", config.hostname) will log an empty hostname for MAC-based configs. Pre-fix, this line was unreachable for MAC configs (credentials returned nil). Post-fix, MAC configs correctly return credentials, making this line reachable with config.hostname == "".

Suggested fix:

if config.hostname != "" {
    log.Infof("Adding fencing credentials for hostname %s", config.hostname)
} else {
    log.Infof("Adding fencing credentials via MAC address match")
}

Not blocking — the fix is correct as-is. This is a log clarity improvement for operators debugging fencing credential application.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: fracappa
Once this PR has been reviewed and has the lgtm label, please assign rwsu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• cmd/agentbasedinstaller/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[fracappa]

/retest

[openshift-ci]

@fracappa: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.