feat: Add UEFI credential REST endpoint#3241
Conversation
Signed-off-by: Kyle Felter <kfelter@nvidia.com>
|
Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually. Contributors can view more details about this message here. |
WalkthroughAdds REST API support for creating site-default UEFI credentials for Host and DPU targets, including validation, Core credential proxying, route registration, OpenAPI schemas, CLI command generation, and handler/model tests. ChangesUEFI credential API
Estimated code review effort: 3 (Moderate) | ~25 minutes Sequence Diagram(s)sequenceDiagram
participant APIClient
participant CreateUEFICredentialHandler
participant SiteAuthorization
participant CoreCredentialService
APIClient->>CreateUEFICredentialHandler: POST UEFI credential request
CreateUEFICredentialHandler->>SiteAuthorization: authorize provider for site
SiteAuthorization-->>CreateUEFICredentialHandler: authorization result
CreateUEFICredentialHandler->>CoreCredentialService: create HostUefi or DpuUefi credential
CoreCredentialService-->>CreateUEFICredentialHandler: creation result
CreateUEFICredentialHandler-->>APIClient: 201 response without password
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
@thossain-nv could you please review the API shape here? I implemented an additive, create-only |
Signed-off-by: Kyle Felter <kfelter@nvidia.com>
🔍 Container Scan Summary
Per-CVE detail lives in the per-service |
|
🌿 Preview your docs: https://nvidia-preview-pull-request-3241.docs.buildwithfern.com/infra-controller |
🔐 TruffleHog Secret Scan✅ No secrets or credentials found! Your code has been scanned for 700+ types of secrets and credentials. All clear! 🎉 🕐 Last updated: 2026-07-09 23:47:24 UTC | Commit: 2c41f24 |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
rest-api/cli/pkg/commands_test.go (1)
858-879: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueLGTM, with an optional dedupe nit.
Test correctly validates the command tree shape. The two manual find-by-name loops are identical in shape; a tiny generic helper (e.g.
findCommand(cmds []*cli.Command, name string) *cli.Command) would remove the duplication, but this is purely cosmetic for an 8-line test.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@rest-api/cli/pkg/commands_test.go` around lines 858 - 879, Optionally deduplicate the repeated command lookup logic in TestNewApp_UEFICredentialCreateCommand by adding a findCommand helper that accepts []*cli.Command and a name, returning the matching command or nil, then use it for both the top-level UEFI credential command and its create subcommand.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@rest-api/cli/pkg/commands_test.go`:
- Around line 858-879: Optionally deduplicate the repeated command lookup logic
in TestNewApp_UEFICredentialCreateCommand by adding a findCommand helper that
accepts []*cli.Command and a name, returning the matching command or nil, then
use it for both the top-level UEFI credential command and its create subcommand.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: f3fed072-1341-46c6-b41c-38afeeebb840
⛔ Files ignored due to path filters (4)
rest-api/sdk/standard/api_uefi_credential.gois excluded by!rest-api/sdk/standard/api_*.gorest-api/sdk/standard/client.gois excluded by!rest-api/sdk/standard/client.gorest-api/sdk/standard/model_uefi_credential.gois excluded by!rest-api/sdk/standard/model_*.gorest-api/sdk/standard/model_uefi_credential_request.gois excluded by!rest-api/sdk/standard/model_*.go
📒 Files selected for processing (8)
rest-api/api/pkg/api/handler/ueficredential.gorest-api/api/pkg/api/handler/ueficredential_test.gorest-api/api/pkg/api/model/ueficredential.gorest-api/api/pkg/api/model/ueficredential_test.gorest-api/api/pkg/api/routes.gorest-api/api/pkg/api/routes_test.gorest-api/cli/pkg/commands_test.gorest-api/openapi/spec.yaml
Signed-off-by: Kyle Felter <kfelter@nvidia.com>
Resolves #2803
What this PR does
Adds a Provider Admin REST and nicocli path for creating site-default UEFI credentials without using
nico-admin-cli.POST /v2/org/{org}/nico/credential/uefiHostorDPUcredential kindWhy
Core already supports site-default Host and DPU UEFI credentials, but REST clients and nicocli have no equivalent operation. Operators therefore still need the admin CLI for this site-setup step.
How we verified it
Hands-on revision:
2c41f241af2af60d7101b4aa0fad94c431fe5fddCurrent head:
727eb8686829c727cd0550d36b824e4366ec82b3. The follow-up commit only adds the repository-required SPDX headers to the three generated SDK files; it does not change runtime behavior.Environment: Linux x86_64 development VM, Docker 29.1.3, kind 0.27.0, and kubectl 1.30.8. The integrated REST/Core stack was running in the
kind-kindcontext. The REST image was built from the PR revision layered onto the current DevSpace integration base1a0d78b9454ad5fbf841f3886a0451efb4ad2e98.The image was built with:
The resulting image digest was
sha256:699d38abac875ffefd3a599da0e1107789edee5ed62214eb9cb8ccc89f71eb01. It was loaded into kind, deployed as thenico-rest-apiimage, and the deployment rolled out successfully.Hands-on verification then exercised the real route through REST, the site-agent Core proxy, Core's credential handler, and the local Vault store. Because the disposable stack seeds a Host UEFI credential, the original local value was retained in memory, the current Vault version was soft-deleted, and the original value was restored after the test.
Sanitized proof:
The focused tests also passed:
These tests cover both Host and DPU mappings, invalid request rejection, secret omission in the response, route registration, and the generated nicocli create command.
For the generated-header follow-up,
python3 scripts/check_source_headers.py,go test ./...fromrest-api/sdk/standard, andgit diff --checkall passed.How to reproduce the verification
Prerequisites:
kind-kindStart from a clean checkout and assemble the exact tested revisions:
In separate terminals, forward the REST API and Keycloak services:
Then exercise validation, creation, persistence, and duplicate handling. Use
localhostfor Keycloak so the token issuer matches the local API configuration.Expected results: invalid input returns 400; the first valid request returns 201 with only
siteIdandkind; Vault contains the submitted local test value; a duplicate request returns 409; and the cleanup restores the original local credential.