feat(component-manager): add NVOS password rotation job contract#3409
feat(component-manager): add NVOS password rotation job contract#3409jayzhudev wants to merge 2 commits into
Conversation
Signed-off-by: Jay Zhu <jayzhu@nvidia.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
Summary by CodeRabbit
WalkthroughAdds configurable asynchronous NVOS password rotation to the RMS-backed component manager, including backend-neutral states, RMS job submission and polling, credential-safe node information, error mappings, and comprehensive tests. ChangesNVOS Password Rotation
Estimated code review effort: 4 (Complex) | ~60 minutes Sequence Diagram(s)sequenceDiagram
participant ComponentManager
participant RmsBackend
participant RmsApi
ComponentManager->>RmsBackend: start_password_rotation(endpoint, next_password)
RmsBackend->>RmsApi: UpdateSwitchSystemPassword(host-only node info)
RmsApi-->>RmsBackend: durable job ID
RmsBackend-->>ComponentManager: return job ID
ComponentManager->>RmsBackend: get_password_rotation_job_status(job ID)
RmsBackend->>RmsApi: GetJobStatus(include child jobs)
RmsApi-->>RmsBackend: RMS job execution and error state
RmsBackend-->>ComponentManager: SwitchPasswordRotationState
Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@crates/component-manager/src/rms.rs`:
- Around line 3252-3283: The test fixture in
password_rotation_node_info_excludes_bmc_credentials must use a distinct
nvos_credentials value from bmc_credentials so the host_endpoint source is
validated. Update the shared make_sw_endpoint setup, including the
password-rotation test below that uses it, while preserving the existing
assertions and test behavior.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: f5c1a623-fb4d-4dbc-822a-9abe00d12979
📒 Files selected for processing (6)
crates/api-core/src/handlers/component_manager.rscrates/component-manager/src/component_manager.rscrates/component-manager/src/config.rscrates/component-manager/src/error.rscrates/component-manager/src/nv_switch_manager.rscrates/component-manager/src/rms.rs
Signed-off-by: Jay Zhu <jayzhu@nvidia.com>
🔍 Container Scan Summary
Per-CVE detail lives in the per-service |
This is the second incremental step toward complete NVOS password rotation support, following #3405.
It lays the groundwork in component-manager for async rotation:
Password rotation needs careful retry and state handling. If a request times out or its response is lost, the password may still have changed. Retrying immediately could start another rotation using the wrong current credential. Component-manager handles backend-specific request and job details, while future controller changes will handle durable state, safe retries, credential reconciliation, and promotion.
This PR does not enable end-to-end rotation. No rotation tasks are submitted by the existing runtime, and the capability is disabled by default. Enabling the config option only makes the backend capability available; controller orchestration is still needed before the feature can work. Existing runtime behavior remains unchanged.
Returned job IDs are preserved as handles for observing submitted operations. A missing job is not treated as proof that the rotation never ran; credential state remains the basis for reconciliation.
Planned follow-up changes will add durable rotation state, controller submission and polling, credential reconciliation and promotion, restart recovery, operator documentation, and controlled activation.
Related issues
Supports #2041
Type of Change
Breaking Changes
Testing