fix(rest-api): OS imageUrl/imageSha are immutable on update and change attempt should fail (release 2.0)#3484
Conversation
The operating-system PATCH validation advertised imageUrl/imageSha as
patchable and forced them to be sent together, but site sync forwards
those to Core's UpdateOsImage, which rejects any change to
source_url/digest as read-only ("os_image update read-only attributes
changed"). Callers who only wanted to rotate an image auth token were
also blocked, since imageAuthToken could not be sent without imageUrl.
Align the API layer with the immutable-image design: reject changes to
imageUrl/imageSha up front with a clear 400 (re-sending the current
value stays a no-op), and allow imageAuthType/imageAuthToken to be
updated on image-based OS without re-sending imageUrl/imageSha. Update
the OpenAPI descriptions and the model/handler tests to match.
Signed-off-by: Patrice Breton <pbreton@nvidia.com>
Signed-off-by: Patrice Breton <pbreton@nvidia.com>
Move the non-image imageURL rejection into the early OS-type guard so it covers both iPXE and templated-iPXE OS, and drop the duplicate imageURL Nil rule from the non-image ValidateStruct block. Update the second OperatingSystemUpdateRequest OpenAPI example to omit the immutable imageUrl/imageSha, showing a mutable-only image OS update. Signed-off-by: Patrice Breton <pbreton@nvidia.com>
Signed-off-by: Patrice Breton <pbreton@nvidia.com>
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
🌿 Preview your docs: https://nvidia-preview-pull-request-3484.docs.buildwithfern.com/infra-controller |
🔐 TruffleHog Secret Scan✅ No secrets or credentials found! Your code has been scanned for 700+ types of secrets and credentials. All clear! 🎉 🕐 Last updated: 2026-07-14 16:07:15 UTC | Commit: ff88f83 |
🔍 Container Scan Summary
Per-CVE detail lives in the per-service |
The operating-system PATCH validation advertised imageUrl/imageSha as patchable and forced them to be sent together, but site sync forwards those to Core's UpdateOsImage, which rejects any change to source_url/digest as read-only ("os_image update read-only attributes changed"). Callers who only wanted to rotate an image auth token were also blocked, since imageAuthToken could not be sent without imageUrl.
Align the API layer with the immutable-image design: reject changes to imageUrl/imageSha up front with a clear 400 (re-sending the current value stays a no-op), and allow imageAuthType/imageAuthToken to be updated on image-based OS without re-sending imageUrl/imageSha. Update the OpenAPI descriptions and the model/handler tests to match.
Related issues
Cherry-picked from main (#3294)