feat: rotate password for admin user from nvswitch#1609
Conversation
Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually. Contributors can view more details about this message here.
🌿 Preview your docs: https://nvidia-preview-pull-request-1609.docs.buildwithfern.com/infra-controller
can you add a few more details to the commit message that describe what exactly this is doing? |
Updated the title and description of the PR to reflect the functionality of this PR.
f99f0a6 to becb288
Is there a CM API to rotate the password?
```rust
    .push_back(response);
}

pub async fn queue_update_switch_system_password_response(
```
Any idea why it's queue_?
switch_system_password_responses looks good!
```rust
let key = CredentialKey::SwitchNvosAdmin { bmc_mac_address };
```
```rust
if let Ok(Some(Credentials::UsernamePassword { .. })) =
```
This code is still required!
```rust
let current_credentials = match current_credentials {
    Some(Credentials::UsernamePassword { username, password }) => {
        if username == NVOS_ADMIN_USERNAME && password == target_password {
```
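Review bot: `password == target_password` compares two secrets with ordinary string equality, which returns as soon as the first differing byte is found; use a constant-time comparison on the byte slices (for example `ConstantTimeEq::ct_eq` from the `subtle` crate) so that the skip-rotation check cannot leak information about the stored password through timing.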
Let's take this user name from the expected_switch table.
```rust
{
    (Some(username), Some(password)) => (username, password),
    _ => {
let target_password = match expected_switch.nvos_password.clone() {
```
Are we taking the password to be changed from expected_switch?
It should be a site-wide unique password stored in vault for now.
Yes, it's reading from expected_switch instead of from vault. Will change this to read from vault.
Now, persisting the initial vault password was part of site exploration?
Looked at component-manager and it has credential reads and endpoint construction but no password rotation support.
```rust
use carbide_uuid::switch::SwitchId;
use forge_secrets::credentials::{CredentialKey, Credentials};
use librms::protos::rack_manager as rms;
```
We need to rework this PR to make sure the state machine is calling component manager APIs and not RMS directly ... otherwise it will cause failures in the non-RMS deployments.
The non-RMS implementation in component manager should just be NOP
Related Issues (Optional)
https://jirasw.nvidia.com/browse/RCKMANAGER-503
Flow
```mermaid
flowchart LR
    A[SwitchId + rack_id] --> N[NewNodeInfo]
    B[BMC MAC + BMC IP] --> BE[BmcEndpoint]
    C[NVOS MAC/IP] --> HE[HostEndpoint]
    D[Current NVOS credentials] --> HE
    BE --> N
    HE --> N
    N --> NS[NodeSet]
    NS --> REQ[UpdateSwitchSystemPasswordRequest]
    E[target username: admin] --> REQ
    F[target password from expected_switch.nvos_password] --> REQ
```
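The decision step of this flow (log in with the stored NVOS admin credentials, and send no UpdateSwitchSystemPasswordRequest when they already match the site-wide target), as an added Rust illustration that is not the PR's code. The `Credentials` and `RotationPlan` types are simplified stand-ins for the ones quoted in the review, and the constant-time compare replaces the plain `==` used in the diff.

```rust
/// Stored credentials as returned by the credential store for the key
/// CredentialKey::SwitchNvosAdmin { bmc_mac_address } (simplified stand-in).
#[derive(Clone, Debug, PartialEq)]
pub enum Credentials {
    UsernamePassword { username: String, password: String },
}

#[derive(Debug, PartialEq)]
pub enum RotationPlan {
    /// Stored credentials already equal the target: send no request.
    AlreadyRotated,
    /// Log in with the credentials currently held and set `target_password`.
    Rotate { login_username: String, login_password: String, target_password: String },
    /// Nothing stored for this switch: refuse rather than guess a login.
    MissingCredentials,
}

/// Compare two secrets without returning early on the first differing byte.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Decide whether an UpdateSwitchSystemPasswordRequest is needed.
/// `target_username`/`target_password` are the site-wide values, which the
/// review asks to be read from vault rather than from expected_switch.
pub fn plan_rotation(
    current: Option<&Credentials>,
    target_username: &str,
    target_password: &str,
) -> RotationPlan {
    match current {
        Some(Credentials::UsernamePassword { username, password })
            if username.as_str() == target_username
                && ct_eq(password.as_bytes(), target_password.as_bytes()) =>
        {
            RotationPlan::AlreadyRotated
        }
        Some(Credentials::UsernamePassword { username, password }) => RotationPlan::Rotate {
            login_username: username.clone(),
            login_password: password.clone(),
            target_password: target_password.to_string(),
        },
        None => RotationPlan::MissingCredentials,
    }
}
```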