Merge pull request #10287 from zaneb/install-config-unmarshal-strict

openshift-merge-bot[bot] · web-flow · commit 435db5ebe4d5 · 2026-02-27T03:50:44.000Z
CORS-3954: Enable strict unmarshaling for user invocations
diff --git a/pkg/asset/imagebased/configimage/installconfig.go b/pkg/asset/imagebased/configimage/installconfig.go
@@ -67,10 +67,21 @@ func (i *InstallConfig) loadFromFile(f asset.FileFetcher) (found bool, err error
 			return false, fmt.Errorf("%s, err: %w", asset.InstallConfigError, err)
 		}
 		err = fmt.Errorf("failed to parse first occurrence of unknown field, err: %w", err)
-		logrus.Warn(err.Error())
-		logrus.Info("Attempting to unmarshal while ignoring unknown keys because strict unmarshaling failed")
-		if err = yaml.Unmarshal(file.Data, config); err != nil {
-			err = fmt.Errorf("failed to unmarshal %s, err: %w", InstallConfigFilename, err)
+
+		// Check if invoked by automation tool (Hive, assisted-service, etc.)
+		// These tools may generate install-config with fields from newer versions
+		// that aren't recognized by older installer versions.
+		invoker := os.Getenv("OPENSHIFT_INSTALL_INVOKER")
+		if invoker != "" {
+			// Legacy behavior for automation tools: warn and continue
+			logrus.Warn(err.Error())
+			logrus.Info("Attempting to unmarshal while ignoring unknown keys because strict unmarshaling failed")
+			if err = yaml.Unmarshal(file.Data, config); err != nil {
+				err = fmt.Errorf("failed to unmarshal %s, err: %w", InstallConfigFilename, err)
+				return false, fmt.Errorf("%s, err: %w", asset.InstallConfigError, err)
+			}
+		} else {
+			// Strict behavior for direct user invocations: fail on unknown fields
 			return false, fmt.Errorf("%s, err: %w", asset.InstallConfigError, err)
 		}
 	}
diff --git a/pkg/asset/installconfig/installconfig_test.go b/pkg/asset/installconfig/installconfig_test.go
@@ -88,6 +88,7 @@ func TestInstallConfigLoad(t *testing.T) {
 		name           string
 		data           string
 		fetchError     error
+		invoker        string
 		expectedFound  bool
 		expectedError  bool
 		expectedConfig *types.InstallConfig
@@ -175,7 +176,7 @@ metadata:
 			expectedError: true,
 		},
 		{
-			name: "unknown field",
+			name: "unknown field fails for user",
 			data: `
 apiVersion: v1
 metadata:
@@ -185,7 +186,23 @@ baseDomain: test-domain
 platform:
   none: {}
 pullSecret: "{\"auths\":{\"example.com\":{\"auth\":\"authorization value\"}}}"
-wrong_key: wrong_value 
+wrong_key: wrong_value
+`,
+			expectedError: true,
+		},
+		{
+			name:    "unknown field warns for automation tools",
+			invoker: "hive",
+			data: `
+apiVersion: v1
+metadata:
+  name: test-cluster
+additionalTrustBundlePolicy: Proxyonly
+baseDomain: test-domain
+platform:
+  none: {}
+pullSecret: "{\"auths\":{\"example.com\":{\"auth\":\"authorization value\"}}}"
+wrong_key: wrong_value
 `,
 			expectedFound: true,
 			expectedConfig: &types.InstallConfig{
@@ -289,6 +306,21 @@ pullSecret: "{\"auths\":{\"example.com\":{\"auth\":\"authorization value\"}}}"
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
+			// Set OPENSHIFT_INSTALL_INVOKER if specified, and restore it after the test
+			oldInvoker, hadInvoker := os.LookupEnv("OPENSHIFT_INSTALL_INVOKER")
+			if tc.invoker != "" {
+				os.Setenv("OPENSHIFT_INSTALL_INVOKER", tc.invoker)
+			} else {
+				os.Unsetenv("OPENSHIFT_INSTALL_INVOKER")
+			}
+			defer func() {
+				if hadInvoker {
+					os.Setenv("OPENSHIFT_INSTALL_INVOKER", oldInvoker)
+				} else {
+					os.Unsetenv("OPENSHIFT_INSTALL_INVOKER")
+				}
+			}()
+
 			mockCtrl := gomock.NewController(t)
 			defer mockCtrl.Finish()
 
diff --git a/pkg/asset/installconfig/installconfigbase.go b/pkg/asset/installconfig/installconfigbase.go
@@ -51,10 +51,21 @@ func (a *AssetBase) LoadFromFile(f asset.FileFetcher) (found bool, err error) {
 			return false, errors.Wrap(err, asset.InstallConfigError)
 		}
 		err = errors.Wrapf(err, "failed to parse first occurrence of unknown field")
-		logrus.Warnf("%s", err.Error())
-		logrus.Info("Attempting to unmarshal while ignoring unknown keys because strict unmarshaling failed")
-		if err = yaml.Unmarshal(file.Data, config); err != nil {
-			err = errors.Wrapf(err, "failed to unmarshal %s", installConfigFilename)
+
+		// Check if invoked by automation tool (Hive, assisted-service, etc.)
+		// These tools may generate install-config with fields from newer versions
+		// that aren't recognized by older installer versions.
+		invoker := os.Getenv("OPENSHIFT_INSTALL_INVOKER")
+		if invoker != "" {
+			// Legacy behavior for automation tools: warn and continue
+			logrus.Warnf("%s", err.Error())
+			logrus.Info("Attempting to unmarshal while ignoring unknown keys because strict unmarshaling failed")
+			if err = yaml.Unmarshal(file.Data, config); err != nil {
+				err = errors.Wrapf(err, "failed to unmarshal %s", installConfigFilename)
+				return false, errors.Wrap(err, asset.InstallConfigError)
+			}
+		} else {
+			// Strict behavior for direct user invocations: fail on unknown fields
 			return false, errors.Wrap(err, asset.InstallConfigError)
 		}
 	}
