feat(component-manager): add NVOS password rotation job contract#3409
Conversation
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
WalkthroughAdds configurable asynchronous NVOS password rotation to the RMS-backed component manager, including backend-neutral states, RMS job submission and polling, credential-safe node information, error mappings, and comprehensive tests. ChangesNVOS Password Rotation
Estimated code review effort: 4 (Complex) | ~60 minutes Sequence Diagram(s)sequenceDiagram
participant ComponentManager
participant RmsBackend
participant RmsApi
ComponentManager->>RmsBackend: start_password_rotation(endpoint, next_password)
RmsBackend->>RmsApi: UpdateSwitchSystemPassword(host-only node info)
RmsApi-->>RmsBackend: durable job ID
RmsBackend-->>ComponentManager: return job ID
ComponentManager->>RmsBackend: get_password_rotation_job_status(job ID)
RmsBackend->>RmsApi: GetJobStatus(include child jobs)
RmsApi-->>RmsBackend: RMS job execution and error state
RmsBackend-->>ComponentManager: SwitchPasswordRotationState
Possibly related PRs
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@crates/component-manager/src/rms.rs`:
- Around line 3252-3283: The test fixture in
password_rotation_node_info_excludes_bmc_credentials must use a distinct
nvos_credentials value from bmc_credentials so the host_endpoint source is
validated. Update the shared make_sw_endpoint setup, including the
password-rotation test below that uses it, while preserving the existing
assertions and test behavior.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: f5c1a623-fb4d-4dbc-822a-9abe00d12979
📒 Files selected for processing (6)
crates/api-core/src/handlers/component_manager.rscrates/component-manager/src/component_manager.rscrates/component-manager/src/config.rscrates/component-manager/src/error.rscrates/component-manager/src/nv_switch_manager.rscrates/component-manager/src/rms.rs
🔍 Container Scan Summary
Per-CVE detail lives in the per-service |
vinodchitraliNVIDIA
left a comment
There was a problem hiding this comment.
LGTM.
move nvos_password_rotation_enabled variable to component_manager struct
5ac7dd1 to
893c2d4
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@crates/component-manager/src/config.rs`:
- Around line 202-211: Extend the rms_nvos_password_rotation_can_be_enabled test
to use table-driven input/output cases, including an empty or legacy
configuration whose nvos_password_rotation_enabled value deserializes to false.
Retain coverage for the explicit true configuration and assert each expected
result after deserialization.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: ad5e974d-3e18-4422-b2a9-f19ce4b06800
📒 Files selected for processing (6)
crates/api-core/src/handlers/component_manager.rscrates/component-manager/src/component_manager.rscrates/component-manager/src/config.rscrates/component-manager/src/error.rscrates/component-manager/src/nv_switch_manager.rscrates/component-manager/src/rms.rs
🚧 Files skipped from review as they are similar to previous changes (5)
- crates/component-manager/src/error.rs
- crates/component-manager/src/component_manager.rs
- crates/component-manager/src/nv_switch_manager.rs
- crates/api-core/src/handlers/component_manager.rs
- crates/component-manager/src/rms.rs
|
🌿 Preview your docs: https://nvidia-preview-pull-request-3409.docs.buildwithfern.com/infra-controller |
9e132f0 to
36eeadf
Compare
|
/ok-to-test |
Signed-off-by: Jay Zhu <jayzhu@nvidia.com>
Signed-off-by: Jay Zhu <jayzhu@nvidia.com>
Signed-off-by: Jay Zhu <jayzhu@nvidia.com>
Signed-off-by: Jay Zhu <jayzhu@nvidia.com>
Signed-off-by: Jay Zhu <jayzhu@nvidia.com>
Signed-off-by: Jay Zhu <jayzhu@nvidia.com>
36eeadf to
cb62290
Compare
|
@jayzhudev does this supersede #1609? |
Yes it does. |
This is the second incremental step toward complete NVOS password rotation support, following #3405.
It lays the groundwork in component-manager for async rotation:
Password rotation needs careful retry and state handling. If a request times out or its response is lost, the password may still have changed. Retrying immediately could start another rotation using the wrong current credential. Component-manager handles backend-specific request and job details, while future controller changes will handle durable state, safe retries, credential reconciliation, and promotion.
This PR does not enable end-to-end rotation. No rotation tasks are submitted by the existing runtime, and the capability is disabled by default. Enabling the config option only makes the backend capability available; controller orchestration is still needed before the feature can work. Existing runtime behavior remains unchanged.
Returned job IDs are preserved as handles for observing submitted operations. A missing job is not treated as proof that the rotation never ran; credential state remains the basis for reconciliation.
Planned follow-up changes will add durable rotation state, controller submission and polling, credential reconciliation and promotion, restart recovery, operator documentation, and controlled activation.
Related issues
Supports #2041 and #3522
Type of Change
Breaking Changes
Testing