Bug 1948563 - End-to-End Secure boot deployment fails "Invalid value for input variable"
Summary: End-to-End Secure boot deployment fails "Invalid value for input variable"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.8.0
Assignee: Iury Gregory Melo Ferreira
QA Contact: Lubov
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-04-12 12:59 UTC by Lubov
Modified: 2021-07-27 22:59 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-27 22:59:25 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
openshift_install.log (103.76 KB, text/plain)
2021-04-12 12:59 UTC, Lubov
install-config.yaml (6.62 KB, text/plain)
2021-04-12 13:00 UTC, Lubov


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift-metal3 terraform-provider-ironic pull 51 | 0 | None | open | Handle capabilities in instance_info | 2021-05-04 18:22:15 UTC
Github | openshift installer pull 4903 | 0 | None | open | Bug 1948563: Handle instance_info capabilities and update ironic-terraform | 2021-05-05 08:28:06 UTC
Red Hat Product Errata | RHSA-2021:2438 | 0 | None | None | None | 2021-07-27 22:59:46 UTC

Description Lubov 2021-04-12 12:59:30 UTC
Created attachment 1771344 [details]
openshift_install.log

Version:
$ ./openshift-baremetal-install version
./openshift-baremetal-install 4.8.0-0.nightly-2021-04-09-222447
built from commit 5086499eca66825c0fa2a4966776f60d2b7fd7c6
release image registry.ci.openshift.org/ocp/release@sha256:17b7cf16006bacfee6af8a21430eac51a82539fd5a6eef01956cae83c008b840

Platform:
IPI Baremetal

What happened?
Deployment for bootMode:UEFISecureBoot fails with error 
ERROR Error: Invalid value for input variable      
ERROR                                              
ERROR   on /tmp/openshift-install-846813943/terraform.baremetal.auto.tfvars.json line 157: 
ERROR  157:   "instance_infos": [                  
ERROR  158:     {                                  
ERROR  159:       "capabilities": {                
ERROR  160:         "secure_boot": "true"          
ERROR  161:       },                               
ERROR  162:       "image_checksum": "http://10.46.29.199:80/images/rhcos-48.83.202103221318-0-openstack.x86_64.qcow2/cached-rhcos-48.83.202103221318-0-openstack.x86_64.qcow2.md5sum", 
ERROR  163:       "image_source": "http://10.46.29.199:80/images/rhcos-48.83.202103221318-0-openstack.x86_64.qcow2/cached-rhcos-48.83.202103221318-0-openstack.x86_64.qcow2" 
ERROR  164:     },                                 
ERROR  165:     {                                  
ERROR  166:       "capabilities": {                
ERROR  167:         "secure_boot": "true"          
ERROR  168:       },                               
ERROR  169:       "image_checksum": "http://10.46.29.199:80/images/rhcos-48.83.202103221318-0-openstack.x86_64.qcow2/cached-rhcos-48.83.202103221318-0-openstack.x86_64.qcow2.md5sum", 
ERROR  170:       "image_source": "http://10.46.29.199:80/images/rhcos-48.83.202103221318-0-openstack.x86_64.qcow2/cached-rhcos-48.83.202103221318-0-openstack.x86_64.qcow2" 
ERROR  171:     },                                 
ERROR  172:     {                                  
ERROR  173:       "capabilities": {                
ERROR  174:         "secure_boot": "true"          
ERROR  175:       },                               
ERROR  176:       "image_checksum": "http://10.46.29.199:80/images/rhcos-48.83.202103221318-0-openstack.x86_64.qcow2/cached-rhcos-48.83.202103221318-0-openstack.x86_64.qcow2.md5sum", 
ERROR  177:       "image_source": "http://10.46.29.199:80/images/rhcos-48.83.202103221318-0-openstack.x86_64.qcow2/cached-rhcos-48.83.202103221318-0-openstack.x86_64.qcow2" 
ERROR  178:     },                                 
ERROR  179:     {                                  
ERROR  180:       "capabilities": {                
ERROR  181:         "secure_boot": "true"          
ERROR  182:       },                               
ERROR  183:       "image_checksum": "http://10.46.29.199:80/images/rhcos-48.83.202103221318-0-openstack.x86_64.qcow2/cached-rhcos-48.83.202103221318-0-openstack.x86_64.qcow2.md5sum", 
ERROR  184:       "image_source": "http://10.46.29.199:80/images/rhcos-48.83.202103221318-0-openstack.x86_64.qcow2/cached-rhcos-48.83.202103221318-0-openstack.x86_64.qcow2" 
ERROR  185:     },                                 
ERROR  186:     {                                  
ERROR  187:       "capabilities": {                
ERROR  188:         "secure_boot": "true"          
ERROR  189:       },                               
ERROR  190:       "image_checksum": "http://10.46.29.199:80/images/rhcos-48.83.202103221318-0-openstack.x86_64.qcow2/cached-rhcos-48.83.202103221318-0-openstack.x86_64.qcow2.md5sum", 
ERROR  191:       "image_source": "http://10.46.29.199:80/images/rhcos-48.83.202103221318-0-openstack.x86_64.qcow2/cached-rhcos-48.83.202103221318-0-openstack.x86_64.qcow2" 
ERROR  192:     }                                  
ERROR  193:   ]                                    
ERROR                                              
ERROR The given value is not valid for variable "instance_infos": element 0: element 
ERROR "capabilities": string required.             
ERROR                                              
ERROR Failed to read tfstate: open /tmp/openshift-install-846813943/terraform.tfstate: no such file or directory 
FATAL failed to fetch Cluster: failed to generate asset "Cluster": failed to create cluster: failed to apply Terraform: failed to complete the change

.openshift_install.log attached

What did you expect to happen?
Deployment finished successfully, Secure Boot on all nodes is ON

How to reproduce it (as minimally and precisely as possible)?
1. When building install-config, add the bootMode: UEFISecureBoot parameter for hosts (see example in attachment) and copy it to a directory
2. Build manifest using the directory containing install-config.yaml
3. Run the deployment using the manifest

Comment 1 Lubov 2021-04-12 13:00:22 UTC
Created attachment 1771345 [details]
install-config.yaml

Comment 2 Dmitry Tantsur 2021-04-14 11:04:46 UTC
Not sure why our team was assigned to it, this is a bug in the installer: node.instance_info is not a map[string]string, it's a map[string]interface{}. Please let me know how I can fix that (I'm not familiar with Terraform at all).

Comment 5 Iury Gregory Melo Ferreira 2021-04-14 18:59:39 UTC
After some investigation, I think the problem is not in the installer regarding the type of instance_info (it's already map[string]interface{}); the problem is that terraform expects the elements to be a string (based on image_checksum and image_source). I see the following options:

1- installer will transform capabilities into a string "key1:value1,key2:value2" (or other format); terraform won't complain about the format, and we would need to transform the capabilities back to json in terraform to be sent to ironic. https://github.com/openshift/installer/blob/6d778f911e79afad8ba2ff4301eda5b5cf4d8e9e/pkg/tfvars/baremetal/baremetal.go#L142-L144
2- update the instance_info schema in terraform https://github.com/openshift-metal3/terraform-provider-ironic/blob/5b0c62f3d975469a8878d4e79479a25b67ee6c6e/ironic/resource_ironic_deployment.go#L37-L41

I have the feeling that the option#2 would be a breaking change in the terraform.
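
Option 1 from the comment above, sketched in Go as an added example; it is not the installer's or the terraform provider's actual code. EncodeCapabilities and DecodeCapabilities are hypothetical names, and the "key:value,key:value" format is the one the comment proposes. The decoder rejects malformed input rather than dropping it, so a secure_boot capability cannot be lost silently.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// EncodeCapabilities (hypothetical, installer side) flattens capabilities into
// "k1:v1,k2:v2" with sorted keys, so every instance_info value is a string.
func EncodeCapabilities(caps map[string]string) (string, error) {
	keys := make([]string, 0, len(caps))
	for k, v := range caps {
		if k == "" || strings.ContainsAny(k, ":,") || strings.ContainsAny(v, ":,") {
			return "", fmt.Errorf("capability %q=%q cannot be encoded", k, v)
		}
		keys = append(keys, k)
	}
	sort.Strings(keys)
	pairs := make([]string, 0, len(keys))
	for _, k := range keys {
		pairs = append(pairs, k+":"+caps[k])
	}
	return strings.Join(pairs, ","), nil
}

// DecodeCapabilities (hypothetical, provider side) is the inverse. Malformed
// or duplicate pairs are errors, never skipped.
func DecodeCapabilities(s string) (map[string]string, error) {
	caps := map[string]string{}
	if s == "" {
		return caps, nil
	}
	for _, pair := range strings.Split(s, ",") {
		kv := strings.SplitN(pair, ":", 2)
		if len(kv) != 2 || kv[0] == "" || strings.Contains(kv[1], ":") {
			return nil, fmt.Errorf("malformed capability pair %q", pair)
		}
		if _, dup := caps[kv[0]]; dup {
			return nil, fmt.Errorf("duplicate capability %q", kv[0])
		}
		caps[kv[0]] = kv[1]
	}
	return caps, nil
}

func main() { // constructed sample input, not taken from the bug's attachments
	enc, _ := EncodeCapabilities(map[string]string{"secure_boot": "true", "boot_mode": "uefi"})
	dec, err := DecodeCapabilities(enc)
	fmt.Println(enc, dec, err)
}
```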

Comment 6 Iury Gregory Melo Ferreira 2021-04-14 21:54:53 UTC
Another approach could be:

3- have a specific field in the host definition for the capabilities we need to set in instance_info (but I think this would require more effort in different projects - BMO / terraform / installer)

Comment 7 Stephen Benjamin 2021-04-15 12:30:08 UTC
When we wrote all this it targeted 0.11 of terraform; supposedly things are much improved in 0.12: https://www.hashicorp.com/blog/terraform-0-12-rich-value-types


You might consider changing this https://github.com/openshift/installer/blob/6d778f911e79afad8ba2ff4301eda5b5cf4d8e9e/data/data/baremetal/masters/variables.tf#L32-L35

to something like this:

variable "instance_infos" {
  # Each list element is one object; only capabilities is a nested map.
  type = list(object({
    image_source   = string
    image_checksum = string
    capabilities   = map(string)
  }))
}

Comment 8 Iury Gregory Melo Ferreira 2021-05-04 18:23:37 UTC
Terraform PR is up, after it merges I will update the installer with the new version.

Comment 10 Lubov 2021-05-11 08:41:06 UTC
verified on 4.8.0-0.nightly-2021-05-10-225140

Comment 13 errata-xmlrpc 2021-07-27 22:59:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

