bug: BMCs locked out despite site explorer in "avoid lockout" mode

[bryan-aguilar]

Version

v0.5.4-0-ge451bcca

Describe the bug.

We found ourselves in a position where a BMCs password was changed after successful exploration. This led to the BMCs credentials in vault differing from the credentials on the BMCs. We were able to identify the root cause and our remediation was to update the credentials on the BMCs back to the password that ncx expected.

The problem that happened though was that despite the site explore being in "avoid lockout" mode the BMC was still locked out due to too many failed auth attempts. After referring to the ncx handbook it was identified that health check service also makes authenticated calls to the redfish api with configured credentials. I believe these failed auth attempts were still occurring and locking out BMCs.

We scaled down the health check service to 0, waiting for lockout to end, patched the password, restarted health check and the issue was solved.

Avoid lockout, especially for errors relating to incorrect credentials should disable all services from trying to auth with those credentials to the BMC.

Minimum reproducible example

Relevant log output

Other/Misc.

No response

Code of Conduct

• I agree to follow NCX Infra Controller's Code of Conduct
• I have searched the open bugs and have found no duplicates for this bug report

[yoks]

This issue was already fixed in #698, it is not part of 0.5.4, this is why you see it here.

[nvaprado]

@yoks , how can we use the build that has the fix ?

[yoks]

0.7.0 should have it, but i do not see stable tag, only latest RC https://github.com/NVIDIA/infra-controller-core/blob/v0.7.0-rc11