🌱 Add validation in webhook for live-iso

[nerok]

What this PR does / why we need it:
Add a validation for live-iso to require a bmc protocol (that is the part in the address before "://") which includes "virtualmedia", which seems to be what the requirement for live-isos are according to the docs: https://book.metal3.io/bmo/live-iso

This relates to #855

[metal3-io-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign elfosardo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[metal3-io-bot]

Hi @nerok. Thanks for your PR.

I'm waiting for a metal3-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[tuminoid]

/ok-to-test

[tuminoid]

Thanks for the contribution! Some minor comments left.

[tuminoid]

Can we use something like hasPrefix("redfish-virtualmedia://") , seems more robust?

[nerok]

Do we have a list somewhere over prefixes? because I found these in the docs:

• redfish-virtualmedia://
• idrac-virtualmedia://
• ilo5-virtualmedia://
• ilo4-virtualmedia://

and all of there can also have +http or +https.
I can probably use hasPrefix instead yeah

[tuminoid]

If you can make it work cleanly, sure, but if it gets complicated, then the current one is fine as well.

[nerok]

I think another look at this improved it a lot.
Still got the "contains", but I believe the right way there would be to add SupportsVirtualmedia() to the BMCs, and call those.
I could give that a go, but it is a bit outside of the scope of this PR, and I'm uncertain if we would actually need it anywhere else.

[tuminoid]

I'm good with this iteration.

[tuminoid]

/lgtm
/cc @zaneb @elfosardo @dtantsur

[zaneb]

I'm not sure it's safe to make this assumption about the driver name.

I would expect that in practice bmcAccess.SupportsISOPreprovisioningImage() corresponds to exactly what we want to know. @dtantsur can you confirm?

[nerok]

That worked locally atleast, pushed it up in a new version

[tuminoid]

@zaneb @dtantsur can you check if you're happy with latest version?

[tuminoid]

/cc @zaneb @dtantsur

[zaneb]

/lgtm
The one where this gives a different answer is the UEFI HTTP driver, but I am not good enough at tracing the code through ironic to say one way or the other there whether live-iso should be allowed there. (If I had to guess though, I'd say yes and that this version is correct.)

[dtantsur]

We tried this, and people complained. The thing is: technically you can boot an ISO over iPXE. It does not work with all ISO's, but apparently does work with some.

[nerok]

Am I understanding you correct in that we shouldn't have this validation at all? Or is there a part of this validation that could be valuable? If not we should ensure it is documented, and I would think a test would be nice to ensure we don't break anything at a later point?

[metal3-io-bot]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.