OCPBUGS-90536: openstack: Guard network resource names on os_net_id being defined

[stephenfin]

The Compute network resource names task in common.yaml uses the os_net_id variable, which is loaded from netid.json. Since commit 7b6b3f1 (OCPBUGS-39285), netid.json is loaded conditionally via include_vars (skipped when the file doesn't exist), but the task that consumes os_net_id had no corresponding guard. This causes the UPI deprovision playbook to fail with 'os_net_id' is undefined when netid.json is not present in the working directory.

Add a when: os_net_id is defined guard, consistent with the existing when: sym.stat.exists guard on the Compute resource names task above.

Note that the deprovision playbooks (e.g. down-network.yaml) do use these network resource names, but they already handle missing resources gracefully - they list resources by tag first and use state: absent for deletion. Without os_net_id the names can't be computed at all, so skipping is the only safe option. More importantly, failing hard here prevents the entire deprovision run from cleaning up resources that can be cleaned up (servers, security groups, etc. that use infraID from metadata.json rather than os_net_id).

Summary by CodeRabbit

• Bug Fixes
  • Network resource configuration now executes conditionally, preventing errors in deployment scenarios where required network parameters are not available.

[openshift-ci-robot]

@stephenfin: This pull request explicitly references no jira issue.

Details

In response to this:

The 'Compute network resource names' task in common.yaml uses the os_net_id variable, which is loaded from netid.json. Since commit 7b6b3f1 (OCPBUGS-39285), netid.json is loaded conditionally via include_vars (skipped when the file doesn't exist), but the task that consumes os_net_id had no corresponding guard. This causes the UPI deprovision playbook to fail with 'os_net_id' is undefined when netid.json is not present in the working directory.

Add a when: os_net_id is defined guard, consistent with the existing when: sym.stat.exists guard on the Compute resource names task above.

Note that the deprovision playbooks (e.g. down-network.yaml) do use these network resource names, but they already handle missing resources gracefully - they list resources by tag first and use state: absent for deletion. Without os_net_id the names can't be computed at all, so skipping is the only safe option. More importantly, failing hard here prevents the entire deprovision run from cleaning up resources that can be cleaned up (servers, security groups, etc. that use infraID from metadata.json rather than os_net_id).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a when: os_net_id is defined condition to the set_fact task that computes network, subnet, router, and port name variables in upi/openstack/common.yaml, preventing the task from running when os_net_id is not set.

Changes

OpenStack UPI network name guard

Layer / File(s)	Summary
Conditional guard on network resource name set_fact upi/openstack/common.yaml	Adds when: os_net_id is defined to the "Compute network resource names" set_fact task so derived name variables are only set when os_net_id is available.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies Ansible playbook (upi/openstack/common.yaml), not Ginkgo tests. Custom check for test naming is not applicable to infrastructure provisioning code.
Test Structure And Quality	✅ Passed	Custom check for Ginkgo test structure is not applicable - PR modifies Ansible playbook YAML only, contains no Go test code.
Microshift Test Compatibility	✅ Passed	PR modifies only Ansible infrastructure provisioning code (upi/openstack/common.yaml), not Ginkgo e2e tests. The check applies only to new e2e tests, making it not applicable here.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR modifies infrastructure provisioning playbooks (upi/openstack/common.yaml), not e2e tests. SNO test compatibility check does not apply to non-test code changes.
Topology-Aware Scheduling Compatibility	✅ Passed	The PR modifies only Ansible playbook files for OpenStack UPI infrastructure provisioning. The custom check applies to Kubernetes deployment manifests, operator code, and controllers—not Ansible in...
Ote Binary Stdout Contract	✅ Passed	OTE Binary Stdout Contract check is not applicable: PR modifies Ansible YAML playbooks (upi/openstack/common.yaml), not OTE binaries or Go test code.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR modifies an Ansible playbook (upi/openstack/common.yaml), not Ginkgo e2e tests. Custom check applies only to test files with It(), Describe(), etc.
No-Weak-Crypto	✅ Passed	The PR modifies an Ansible YAML file for OpenStack provisioning with no cryptographic code, weak crypto usage, or custom crypto implementations present.
Container-Privileges	✅ Passed	PR modifies an Ansible playbook (upi/openstack/common.yaml), not a container/K8s manifest. Check does not apply to infrastructure provisioning code.
No-Sensitive-Data-In-Logs	✅ Passed	No logging statements present in the PR; only adds a conditional guard to prevent task execution when os_net_id is undefined. Variables set contain non-sensitive infrastructure identifiers.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding a conditional guard on os_net_id being defined for the network resource names task in the OpenStack common playbook.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign stephenfin for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• upi/openstack/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@stephenfin: This pull request references Jira Issue OCPBUGS-90536, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

The Compute network resource names task in common.yaml uses the os_net_id variable, which is loaded from netid.json. Since commit 7b6b3f1 (OCPBUGS-39285), netid.json is loaded conditionally via include_vars (skipped when the file doesn't exist), but the task that consumes os_net_id had no corresponding guard. This causes the UPI deprovision playbook to fail with 'os_net_id' is undefined when netid.json is not present in the working directory.

Add a when: os_net_id is defined guard, consistent with the existing when: sym.stat.exists guard on the Compute resource names task above.

Note that the deprovision playbooks (e.g. down-network.yaml) do use these network resource names, but they already handle missing resources gracefully - they list resources by tag first and use state: absent for deletion. Without os_net_id the names can't be computed at all, so skipping is the only safe option. More importantly, failing hard here prevents the entire deprovision run from cleaning up resources that can be cleaned up (servers, security groups, etc. that use infraID from metadata.json rather than os_net_id).

Summary by CodeRabbit

• Bug Fixes
• Network resource configuration now executes conditionally, preventing errors in deployment scenarios where required network parameters are not available.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mandre]

/test e2e-openstack-dualstack-upi

[mandre]

/lgtm

[openshift-ci]

@stephenfin: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-openstack-proxy	c4f843c	link	false	/test e2e-openstack-proxy
ci/prow/e2e-openstack-ovn	c4f843c	link	true	/test e2e-openstack-ovn
ci/prow/e2e-openstack-dualstack-upi	c4f843c	link	false	/test e2e-openstack-dualstack-upi

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.