Skip to content

Skip ProxyJump for baremetal nodes when direct SSH works#91

Open
fonta-rh wants to merge 1 commit into
openshift-eng:mainfrom
fonta-rh:direct-ssh-baremetal
Open

Skip ProxyJump for baremetal nodes when direct SSH works#91
fonta-rh wants to merge 1 commit into
openshift-eng:mainfrom
fonta-rh:direct-ssh-baremetal

Conversation

@fonta-rh

@fonta-rh fonta-rh commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Summary

  • After propagating the laptop SSH key to baremetal nodes, probe direct SSH from localhost to the first node
  • If direct SSH succeeds, write [cluster_nodes:vars] without ProxyJump — baremetal nodes are typically on the same network as the provisioning host
  • Falls back to ProxyJump when direct access is unavailable (no behavior change for existing setups)

Test plan

  • Deploy baremetal cluster from a laptop on the same network as the nodes — verify inventory has no ProxyJump, ansible -m ping cluster_nodes works directly
  • Deploy from a laptop on a different network (VPN) — verify ProxyJump is still used

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes
    • Improved bare-metal inventory updates by automatically choosing the best SSH connection method.
    • When direct access to a node is available, the update process now connects without a proxy; otherwise, it continues through the provisioning host.
    • Updated status messages to clearly show how nodes are being reached during inventory updates.

After propagating the laptop SSH key to nodes, test direct SSH from
localhost. If it succeeds, write [cluster_nodes:vars] without ProxyJump.
Baremetal nodes are typically on the same network as the provisioning
host, making the tunnel unnecessary.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci openshift-ci Bot requested review from jeff-roche and slintes July 7, 2026 13:20
@openshift-ci

openshift-ci Bot commented Jul 7, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fonta-rh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 7, 2026
@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Walkthrough

This change modifies the Ansible task file for baremetal inventory updates to test direct SSH connectivity to the first cluster node. Based on the test result, it conditionally configures ProxyJump settings and updates related debug and success messaging.

Changes

Conditional Direct SSH Access

Layer / File(s) Summary
SSH connectivity test and fact setting
deploy/openshift-clusters/roles/common/tasks/update-baremetal-inventory.yml
Adds a delegate-to-laptop SSH test against the first node, sets direct_node_access fact from the result, and debugs the chosen connectivity mode.
Conditional ProxyJump configuration and messaging
deploy/openshift-clusters/roles/common/tasks/update-baremetal-inventory.yml
Builds ansible_ssh_common_args for [cluster_nodes:vars] conditionally (omitting or including ProxyJump based on direct_node_access) and updates the success message to describe direct access or ProxyJump access accordingly.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
    participant Laptop as Local Machine
    participant Node as First Baremetal Node
    participant Playbook as Inventory Update Task

    Playbook->>Laptop: Delegate SSH test to node
    Laptop->>Node: Attempt direct SSH connection
    Node-->>Laptop: Connection result
    Laptop-->>Playbook: Return test result
    Playbook->>Playbook: Set direct_node_access fact
    alt Direct access succeeded
        Playbook->>Playbook: Build ansible_ssh_common_args without ProxyJump
        Playbook->>Playbook: Debug/success message: direct SSH
    else Direct access failed
        Playbook->>Playbook: Build ansible_ssh_common_args with ProxyJump
        Playbook->>Playbook: Debug/success message: via ProxyJump
    end
Loading

Suggested labels: ready-for-human-review


Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

  • Ignore

❌ Failed checks (1 error, 1 warning)

Check name Status Explanation Resolution
No-Sensitive-Data-In-Logs ❌ Error The updated debug logs print provisioning_host_user@provisioning_host_addr and node names/IPs, which can expose internal hostnames and network details. Redact/remove those debug messages or gate them behind a secure verbose flag; log only the chosen access mode, not hostnames/IPs.
Ai-Attribution ⚠️ Warning PR/commit mention Claude Code, but the commit uses Co-Authored-By instead of Red Hat’s Assisted-by/Generated-by trailer; no approved AI attribution found. Amend the commit message(s) to replace AI-related Co-Authored-By lines with an Assisted-by or Generated-by trailer, and avoid using Co-Authored-By for AI tools.
✅ Passed checks (9 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: it conditionally skips ProxyJump for baremetal nodes when direct SSH is available.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
No-Weak-Crypto ✅ Passed PASS: The PR only adds SSH connectivity logic; no new MD5/SHA1/DES/RC4/3DES/Blowfish/ECB usage or secret comparisons were introduced.
Container-Privileges ✅ Passed Only changed file is an Ansible task; no container/K8s manifests or privileged settings (privileged, hostPID, allowPrivilegeEscalation, etc.) were introduced.
No-Hardcoded-Secrets ✅ Passed Changed YAML only handles SSH key propagation and ProxyJump logic; no hardcoded secrets, tokens, passwords, private keys, or credentialed URLs found.
No-Injection-Vectors ✅ Passed No new injection vectors were introduced; the added SSH probe only interpolates validated IPv4 node_ip values, and no eval/yaml.load/os.system/dangerous HTML patterns appear.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot added the ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review label Jul 7, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (2)
deploy/openshift-clusters/roles/common/tasks/update-baremetal-inventory.yml (2)

98-104: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Suppressed stderr hides probe failure diagnostics.

2>/dev/null discards ssh's own error output, so when direct_ssh_test.rc != 0 there's no way to distinguish a timeout, refused connection, or auth failure from the registered result. Since failed_when: false is already set, capturing stderr wouldn't fail the play but would aid troubleshooting.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/openshift-clusters/roles/common/tasks/update-baremetal-inventory.yml`
around lines 98 - 104, The direct SSH probe in the update-baremetal-inventory
task is suppressing useful failure diagnostics by discarding stderr. Remove the
stderr redirection from the shell command so `direct_ssh_test` retains ssh’s
error output, while keeping `failed_when: false` and `changed_when: false`
unchanged; this will preserve troubleshooting details for connection failures,
timeouts, and auth issues when inspecting `direct_ssh_test`.

111-118: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Duplicated connectivity messaging across two locations.

The "direct vs ProxyJump" phrasing is repeated (lines 111-118 and 172-176) with slightly different wording. Consider deriving both messages from a single templated variable/fact to avoid drift if one is updated later.

Also applies to: 172-176

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/openshift-clusters/roles/common/tasks/update-baremetal-inventory.yml`
around lines 111 - 118, The connectivity status text is duplicated in the
inventory update tasks, so the “direct vs ProxyJump” message can drift between
the two debug blocks. Refactor the logic in update-baremetal-inventory.yml to
build the message once from a shared templated fact/variable, then reuse that
value in both debug statements that reference direct_node_access,
provisioning_host_user, and provisioning_host_addr. Keep the phrasing
centralized so both locations always render the same connectivity wording.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@deploy/openshift-clusters/roles/common/tasks/update-baremetal-inventory.yml`:
- Around line 95-105: The direct SSH test in the task that uses
parsed_vm_entries[0].ip needs a guard for an empty baremetal_nodes result before
indexing the first entry. Update the when condition or add a prior check in the
update-baremetal-inventory workflow so the SSH probe only runs when
parsed_vm_entries is defined and has at least one item, and otherwise skip or
fail with a clear message. Keep the fix local to the existing direct_ssh_test
task and its surrounding conditions.

---

Nitpick comments:
In `@deploy/openshift-clusters/roles/common/tasks/update-baremetal-inventory.yml`:
- Around line 98-104: The direct SSH probe in the update-baremetal-inventory
task is suppressing useful failure diagnostics by discarding stderr. Remove the
stderr redirection from the shell command so `direct_ssh_test` retains ssh’s
error output, while keeping `failed_when: false` and `changed_when: false`
unchanged; this will preserve troubleshooting details for connection failures,
timeouts, and auth issues when inspecting `direct_ssh_test`.
- Around line 111-118: The connectivity status text is duplicated in the
inventory update tasks, so the “direct vs ProxyJump” message can drift between
the two debug blocks. Refactor the logic in update-baremetal-inventory.yml to
build the message once from a shared templated fact/variable, then reuse that
value in both debug statements that reference direct_node_access,
provisioning_host_user, and provisioning_host_addr. Keep the phrasing
centralized so both locations always render the same connectivity wording.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: d57f29ea-2272-488c-b5aa-8d5cac07e8dd

📥 Commits

Reviewing files that changed from the base of the PR and between f53a30a and c228c2f.

📒 Files selected for processing (1)
  • deploy/openshift-clusters/roles/common/tasks/update-baremetal-inventory.yml

Comment on lines +95 to +105
- name: Test direct SSH access to first node from laptop
delegate_to: localhost
become: false
shell: |
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
-o ConnectTimeout=5 -o BatchMode=yes \
"core@{{ parsed_vm_entries[0].ip }}" "echo ok" 2>/dev/null
register: direct_ssh_test
failed_when: false
changed_when: false
when: ssh_key_valid | default(false)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Guard against empty parsed_vm_entries before indexing [0].

parsed_vm_entries[0].ip will raise a Jinja error if the baremetal_nodes group ends up empty, aborting the whole play with an unclear error instead of a meaningful message.

🛡️ Proposed guard
+- name: Fail if no baremetal nodes found
+  fail:
+    msg: "No entries found in parsed_vm_entries; cannot test direct SSH access."
+  when: parsed_vm_entries | length == 0
+
 - name: Test direct SSH access to first node from laptop
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Test direct SSH access to first node from laptop
delegate_to: localhost
become: false
shell: |
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
-o ConnectTimeout=5 -o BatchMode=yes \
"core@{{ parsed_vm_entries[0].ip }}" "echo ok" 2>/dev/null
register: direct_ssh_test
failed_when: false
changed_when: false
when: ssh_key_valid | default(false)
- name: Fail if no baremetal nodes found
fail:
msg: "No entries found in parsed_vm_entries; cannot test direct SSH access."
when: parsed_vm_entries | length == 0
- name: Test direct SSH access to first node from laptop
delegate_to: localhost
become: false
shell: |
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
-o ConnectTimeout=5 -o BatchMode=yes \
"core@{{ parsed_vm_entries[0].ip }}" "echo ok" 2>/dev/null
register: direct_ssh_test
failed_when: false
changed_when: false
when: ssh_key_valid | default(false)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/openshift-clusters/roles/common/tasks/update-baremetal-inventory.yml`
around lines 95 - 105, The direct SSH test in the task that uses
parsed_vm_entries[0].ip needs a guard for an empty baremetal_nodes result before
indexing the first entry. Update the when condition or add a prior check in the
update-baremetal-inventory workflow so the SSH probe only runs when
parsed_vm_entries is defined and has at least one item, and otherwise skip or
fail with a clear message. Keep the fix local to the existing direct_ssh_test
task and its surrounding conditions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant