OCPBUGS-87029: nutanix: fix ccoctl to accept directory for --credentials-source-filepath

[vdurgam10]

Problem

When a directory path is passed to --credentials-source-filepath, ccoctl nutanix create-shared-secrets fails with a cryptic error:

Error: credentials data read from file <dir>/ is invalid: failed to read the credentials file <dir>/: read <dir>/: is a directory

The root cause is that os.Stat() succeeds silently for directories, and os.ReadFile() then throws an unhelpful OS-level error.

This is also inconsistent with the official OCP documentation (4.16, 4.21), which describes --credentials-source-filepath as accepting a directory path.

Fix

• In getCredentialsFromFile(), added an IsDir() check after os.Stat(). If a directory is provided, the code now automatically appends credentials to construct the full file path (e.g. install-dir/ → install-dir/credentials), consistent with how the default ~/.nutanix/credentials path is constructed.
• Updated the flag description in the binary help (-h) to clearly state that both a file path and a directory containing a file named credentials are accepted.

Testing

Added two new test cases:

• Directory provided for credentials-source-filepath with credentials file inside — verifies successful secret generation when a directory is passed
• Directory provided for credentials-source-filepath without credentials file inside — verifies a clear error message when the directory has no credentials file

All 9 tests pass.

ok  github.com/openshift/cloud-credential-operator/pkg/cmd/provisioning/nutanix  2.097s

Made with Cursor

Summary by CodeRabbit

New Features

• The --credentials-source-filepath flag now accepts both direct credentials file paths and directories containing a credentials file.
• Enhanced error handling provides clearer messages when credential files are missing or invalid.

[coderabbitai]

Walkthrough

The PR extends the Nutanix create-shared-secrets command to accept directory paths for the --credentials-source-filepath flag. When a directory is provided, the code resolves it to <dir>/credentials and validates the file exists. Help text is updated, directory detection logic is added to getCredentialsFromFile, and two test cases verify both success and error scenarios.

Changes

Directory path support for Nutanix credentials

Layer / File(s)	Summary
Flag documentation and directory handling pkg/cmd/provisioning/nutanix/create_shared_secrets.go	The --credentials-source-filepath flag help text is updated to describe directory input, and getCredentialsFromFile now stats the provided path and resolves directories to <dir>/credentials with appropriate error handling.
Test cases for directory input pkg/cmd/provisioning/nutanix/create_shared_secrets_test.go	Two new test cases verify that when a directory path is provided, the code correctly uses the credentials file inside it (success case) and reports an error if the file is missing (error case).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	❓ Inconclusive	The custom check instructions request review of "Ginkgo test code," but this PR adds standard Go testing.T subtests with t.Run(), not Ginkgo tests. The check is not applicable.	Clarify if the check applies to standard testing.T tests or only Ginkgo Describe/Context/It blocks. This PR uses testing.T with testify assertions.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Test file uses standard Go testing framework (not Ginkgo); all test names are static, descriptive strings without dynamic content like timestamps, UUIDs, or generated identifiers.
Microshift Test Compatibility	✅ Passed	The PR adds only standard Go unit tests (using testing.T and testify), not Ginkgo e2e tests. The MicroShift Test Compatibility check applies only to Ginkgo e2e tests.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds only standard Go unit tests (testing.T), not Ginkgo e2e tests. Custom check applies only to Ginkgo e2e tests, so check does not apply here.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only credential file handling logic for a CLI tool. Generated manifests are plain Kubernetes Secrets with no scheduling constraints, deployments, or topology-aware requirements.
Ote Binary Stdout Contract	✅ Passed	The modified code is in pkg/cmd/provisioning/nutanix, which is only used in cmd/ccoctl (standalone CLI), not in the OTE binary (cmd/cloud-credential-tests-ext). The check is not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Tests added are standard Go unit tests, not Ginkgo e2e tests. The custom check applies only to Ginkgo e2e tests, which are absent from this PR.
No-Weak-Crypto	✅ Passed	No weak cryptography patterns, custom implementations, or unsafe secret comparisons found in the code changes.
Container-Privileges	✅ Passed	PR modifies only nutanix provisioning code (credential file handling), not container/K8s manifests. No privilege-related security concerns introduced.
No-Sensitive-Data-In-Logs	✅ Passed	Code review confirms no sensitive data (passwords, tokens, credentials) is logged. Only file paths and generic error messages are logged; credentials are handled securely and not exposed.
Title check	✅ Passed	The title clearly summarizes the main change: fixing ccoctl to accept a directory for the --credentials-source-filepath flag, which is the core objective of the PR.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hi @vdurgam10. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: vdurgam10
Once this PR has been reviewed and has the lgtm label, please assign 2uasimojo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@vdurgam10: This pull request references Jira Issue OCPBUGS-87029, which is invalid:

• expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Problem

When a directory path is passed to --credentials-source-filepath, ccoctl nutanix create-shared-secrets fails with a cryptic error:

Error: credentials data read from file <dir>/ is invalid: failed to read the credentials file <dir>/: read <dir>/: is a directory

The root cause is that os.Stat() succeeds silently for directories, and os.ReadFile() then throws an unhelpful OS-level error.

This is also inconsistent with the official OCP documentation (4.16, 4.21), which describes --credentials-source-filepath as accepting a directory path.

Fix

• In getCredentialsFromFile(), added an IsDir() check after os.Stat(). If a directory is provided, the code now automatically appends credentials to construct the full file path (e.g. install-dir/ → install-dir/credentials), consistent with how the default ~/.nutanix/credentials path is constructed.
• Updated the flag description in the binary help (-h) to clearly state that both a file path and a directory containing a file named credentials are accepted.

Testing

Added two new test cases:

• Directory provided for credentials-source-filepath with credentials file inside — verifies successful secret generation when a directory is passed
• Directory provided for credentials-source-filepath without credentials file inside — verifies a clear error message when the directory has no credentials file

All 9 tests pass.

ok  github.com/openshift/cloud-credential-operator/pkg/cmd/provisioning/nutanix  2.097s

Made with Cursor

Summary by CodeRabbit

New Features

• The --credentials-source-filepath flag now accepts both direct credentials file paths and directories containing a credentials file.
• Enhanced error handling provides clearer messages when credential files are missing or invalid.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[dsimansk]

/ok-to-test

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 47.08%. Comparing base (833d9a3) to head (d13f46c).

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #1036      +/-   ##
==========================================
+ Coverage   47.06%   47.08%   +0.02%     
==========================================
  Files          97       97              
  Lines       12560    12565       +5     
==========================================
+ Hits         5911     5916       +5     
  Misses       5994     5994              
  Partials      655      655              

Files with missing lines	Coverage Δ
.../cmd/provisioning/nutanix/create_shared_secrets.go	63.30% <100.00%> (+1.76%)	⬆️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[vdurgam10]

/retest

[openshift-ci]

@vdurgam10: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/security	d13f46c	link	true	/test security

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.