Add helper script for MAC-only fencing credential testing

[dhensel-rh]

Summary

• Adds helpers/patch-devscripts-mac-fencing.sh — patches dev-scripts on a hypervisor to generate macaddress:-based fencing credentials instead of hostname:-based ones in the ABI install-config
• Updates helpers/README.md with usage documentation and prerequisites
• Also fixes OPENSHIFT_CI case sensitivity ("TRUE" → "true") in the dev-scripts config

Used for verifying OCPEDGE-2692 (MAC address fencing credential support in assisted-service ABI flow).

Prerequisites: Initialized hypervisor (TNT make init or make deploy). A running cluster is not required — the script patches dev-scripts source files before deployment.

Test plan

• Script tested on AWS EC2 hypervisor — patches applied successfully, MAC-only fencing-credentials.yaml generated correctly on agent ISO
• Idempotent — re-running the script does not duplicate patches

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Introduced an automated workflow to patch development bare-metal installer generation to use MAC-address-based fencing credentials (instead of hostname-based), including hypervisor auto-discovery and guided next steps.

• Documentation

  • Added a dedicated guide explaining the MAC-only fencing credential process, prerequisites, and how to run the patch workflow with optional inventory overrides.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dhensel-rh
Once this PR has been reviewed and has the lgtm label, please assign jerpeter1 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 431a82c6-9f6c-4cb6-a4af-9c2e1e2faf11

📥 Commits

Reviewing files that changed from the base of the PR and between cd43a23 and b8b149b.

📒 Files selected for processing (2)

• helpers/README.md
• helpers/patch-devscripts-mac-fencing.sh

✅ Files skipped from review due to trivial changes (1)

• helpers/README.md

🚧 Files skipped from review as they are similar to previous changes (1)

• helpers/patch-devscripts-mac-fencing.sh

---

Walkthrough

A new Bash script helpers/patch-devscripts-mac-fencing.sh is added that SSHes to a hypervisor (resolved from a CLI argument or inventory.ini) and applies four guarded remote edits to a dev-scripts checkout, switching BMC fencing credentials from hostname-based to MAC-address-based. A corresponding README section documents the patched files and usage steps.

Changes

MAC-Address Fencing Patch

Layer / File(s)	Summary
Script setup, validation, and hypervisor resolution helpers/patch-devscripts-mac-fencing.sh	Enforces strict Bash options and documents prerequisites. Computes inventory path relative to script location. Resolves the target hypervisor from the first CLI argument or by parsing deploy/openshift-clusters/inventory.ini, exiting with usage guidance if neither is available. Validates via SSH that dev-scripts/agent exists on the remote host before proceeding.
Remote patches applied via SSH to dev-scripts helpers/patch-devscripts-mac-fencing.sh	Applies four sequential idempotent remote edits: Patch 0 normalizes OPENSHIFT_CI casing (TRUE → true) and ensures AGENT_E2E_TEST_SCENARIO is set in config_*.sh; Patch 1a/1b collects master node MACs into AGENT_MASTER_MACS and exports a comma-separated AGENT_MASTER_MACS_STR in agent/05_agent_configure.sh; Patch 2 injects agent_master_macs sourced from the env variable into agent/roles/manifests/vars/main.yml; Patch 3 rewrites fencing blocks in install-config_baremetal_yaml.j2 to use macaddress-based loops instead of hostname-based. Each patch uses anchor validation and idempotency guards. Prints next-step SSH and sudo make agent instructions on completion.
README documentation helpers/README.md	Adds the "MAC-Only Fencing Credentials (dev-scripts patch)" section listing the target patched files, the OPENSHIFT_CI case-sensitivity fix, prerequisites (dev-scripts already cloned on hypervisor), and end-to-end usage steps for running the patch script and subsequent sudo make agent on the hypervisor.

Sequence Diagram

sequenceDiagram
  participant Local as Local Script
  participant Inventory as inventory.ini
  participant Remote as Hypervisor/SSH
  participant AgentCfg as agent/05_agent_configure.sh
  participant VarsFile as agent/roles/manifests/vars/main.yml
  participant Template as install-config_baremetal_yaml.j2
  Local->>Inventory: parse hypervisor from TNT inventory
  Local->>Remote: SSH pre-flight: test dev-scripts/agent exists
  Local->>Remote: Patch 0: normalize OPENSHIFT_CI, set AGENT_E2E_TEST_SCENARIO in config_*.sh
  Local->>AgentCfg: Patch 1a/1b: populate AGENT_MASTER_MACS and export AGENT_MASTER_MACS_STR
  Local->>VarsFile: Patch 2: add agent_master_macs from env AGENT_MASTER_MACS_STR
  Local->>Template: Patch 3: replace hostname-based fencing with macaddress-based blocks
  Local->>Remote: print next-step SSH and sudo make agent instructions

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 10 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Ai-Attribution	⚠️ Warning	AI tool (Claude Code) was used per PR description, but commit uses Co-Authored-By for AI instead of Assisted-by or Generated-by trailer.	Replace Co-Authored-By: Claude Opus with Assisted-by: Claude (Anthropic) to match Red Hat attribution standards for AI-assisted code.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: adding a helper script for MAC-only fencing credential testing, which aligns with the primary addition of the patch-devscripts-mac-fencing.sh script and its documentation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
No-Weak-Crypto	✅ Passed	No weak crypto, custom crypto implementations, or non-constant-time secret comparisons found. The PR adds a configuration patching script with no cryptographic operations.
Container-Privileges	✅ Passed	PR adds only a helper shell script and documentation; no container/K8s manifests with privileged settings (privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation) are...
No-Sensitive-Data-In-Logs	✅ Passed	Script logs only non-sensitive metadata (hypervisor hostname, file paths, patch status); no passwords, tokens, API keys, PII, session IDs, or credentials are logged.
No-Hardcoded-Secrets	✅ Passed	No hardcoded secrets found. Script contains only legitimate paths, config variables, and Ansible templating logic. README documents the feature without exposing any credentials.
No-Injection-Vectors	✅ Passed	No injection vectors found: bash script properly quotes all user input in ssh commands, uses single-quoted heredocs, and all sed/grep patterns are hardcoded with no untrusted data.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

@dhensel-rh: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/shellcheck	7af8e43	link	true	/test shellcheck

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@helpers/patch-devscripts-mac-fencing.sh`:
- Around line 102-107: The sed -i operations in this script print "Applied"
messages unconditionally, even if the target anchor pattern is not found in the
file, which can mask silent failures when upstream dev-scripts changes. For the
AGENT_MASTER_MACS collection block and the other patches referenced (around
lines 109-115, 126-131, and 142-149), add validation checks before and after
each sed command: verify that the anchor pattern exists in the file before
attempting the patch, and verify that the expected content was actually inserted
after sed completes. Only print the "Applied" success message if both checks
pass, otherwise print an error message and exit or fail appropriately. This
hardening pattern should be consistently applied across all patch blocks to
prevent false success reports when patches fail to apply.
- Line 50: The SSH_OPTS variable includes StrictHostKeyChecking=no which
disables host identity verification and creates a security vulnerability. Change
the StrictHostKeyChecking option from "no" to "accept-new" (which accepts new
host keys but still verifies them on subsequent connections), or remove it
entirely to use SSH's default secure behavior. If insecure mode must be
supported, make it explicit and opt-in through an environment variable or
command-line flag that users can set when they explicitly need to bypass host
verification.

In `@helpers/README.md`:
- Around line 135-141: The "What it patches" section in helpers/README.md is
incomplete and does not document all files modified by the script. Update this
section to include the `config_*.sh` files (specifically noting the
`AGENT_E2E_TEST_SCENARIO` variable modifications and the `OPENSHIFT_CI` case
sensitivity fix from "TRUE" to "true") in addition to the 3 files already listed
under `dev-scripts/agent/`. Ensure the documentation explicitly lists the
complete patch surface to match the actual script behavior and maintain
consistency with the coding guidelines.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 38a1ece5-a866-4029-8304-4caa328c84a1

📥 Commits

Reviewing files that changed from the base of the PR and between fdf5f39 and cd43a23.

📒 Files selected for processing (2)

• helpers/README.md
• helpers/patch-devscripts-mac-fencing.sh