Conversation

Contributor

@ross-bryan ross-bryan commented Sep 9, 2021

Which issue this PR addresses:

Fixes https://msazure.visualstudio.com/AzureRedHatOpenShift/_workitems/edit/10901527/

What this PR does / why we need it:

Exposes a Cluster Profile parameter named FipsValidatedModules which is sent to the installer to determine if FIPS mode is turned on for cluster.

Test plan for issue:

Added frontend tests, defaults tests, e2e tests checking database document and machineconfigs for FIPS, and manual verification process:

Setup basic vars and create network:

RESOURCEGROUP=$USER-fips
CLUSTER=$RESOURCEGROUP-cluster
CLUSTER_RESOURCEGROUP=$CLUSTER
LOCATION=eastus
AZURE_FP_CLIENT_ID=   # well-known value, fill in
CLUSTER_SP_NAME=$CLUSTER
CLUSTER_DOMAIN=       # your domain here

az group create --name $RESOURCEGROUP --location $LOCATION

az network vnet create \
   --resource-group $RESOURCEGROUP \
   --name aro-vnet \
   --address-prefixes 10.0.0.0/22

az network vnet subnet create \
  --resource-group $RESOURCEGROUP \
  --vnet-name aro-vnet \
  --name master-subnet \
  --address-prefixes 10.0.0.0/23 \
  --service-endpoints Microsoft.ContainerRegistry

az network vnet subnet create \
  --resource-group $RESOURCEGROUP \
  --vnet-name aro-vnet \
  --name worker-subnet \
  --address-prefixes 10.0.2.0/23 \
  --service-endpoints Microsoft.ContainerRegistry

az network vnet subnet update \
  --name master-subnet \
  --resource-group $RESOURCEGROUP \
  --vnet-name aro-vnet \
  --disable-private-link-service-network-policies true

Next create the SP, note the values, and assign them:

az ad sp create-for-rbac --skip-assignment --name $CLUSTER_SP_NAME
CLUSTER_SP_ID=       # appId from the output above
CLUSTER_SP_SECRET=   # password from the output above

Give network contributor permissions on SP, and generate JSON payload with FipsEnabled in ClusterProfile

VNET_RESOURCE_ID=$(az network vnet show --resource-group $RESOURCEGROUP --name aro-vnet --query "[id]" -o tsv)
az role assignment create --assignee $CLUSTER_SP_ID --role "Network Contributor" --scope $VNET_RESOURCE_ID -o jsonc
az role assignment create --assignee $AZURE_FP_CLIENT_ID --role "Network Contributor" --scope $VNET_RESOURCE_ID -o jsonc

SUBSCRIPTION_ID=$(az account show --query "[id]" -o tsv)

MASTER_SUBNET_RESOURCE_ID=$(az network vnet subnet show -g $RESOURCEGROUP --vnet-name aro-vnet --name master-subnet --query "[id]" -o tsv)
WORKER_SUBNET_RESOURCE_ID=$(az network vnet subnet show -g $RESOURCEGROUP --vnet-name aro-vnet --name worker-subnet --query "[id]" -o tsv)

data.json:

{
    "location": "$LOCATION",
    "properties": {
        "clusterProfile": {
            "domain": "$CLUSTER_DOMAIN",
            "resourceGroupId": "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$CLUSTER_RESOURCEGROUP",
            "fipsValidatedModules": "Enabled"
        },
        "servicePrincipalProfile": {
            "clientId": "$CLUSTER_SP_ID",
            "clientSecret": "$CLUSTER_SP_SECRET"
        },
        "networkProfile": {
            "podCidr": "10.128.0.0/14",
            "serviceCidr": "172.30.0.0/16",
            "softwareDefinedNetwork": "OpenShiftSDN"
        },
        "masterProfile": {
            "vmSize": "Standard_D8s_v3",
            "subnetId": "$MASTER_SUBNET_RESOURCE_ID",
            "encryptionAtHost": "Disabled"
        },
        "workerProfiles": [
            {
                "name": "worker",
                "vmSize": "Standard_D2s_v3",
                "diskSizeGB": 130,
                "subnetId": "$WORKER_SUBNET_RESOURCE_ID",
                "count": 3,
                "encryptionAtHost": "Disabled"
            }
        ],
        "apiserverProfile": {
            "visibility": "Public"
        },
        "ingressProfiles": [
            {
                "name": "default",
                "visibility": "Public"
            }
        ]
    }
}

Send payload to local RP to build cluster

curl -k -X PUT "https://localhost:8443/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCEGROUP/providers/Microsoft.RedHatOpenShift/openShiftClusters/$CLUSTER?api-version=2021-09-01-preview" -H 'Content-Type: application/json' -d @./data.json

Once cluster is built, we can query for existence of FipsValidatedModules in ClusterProfile:

curl -k "https://localhost:8443/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCEGROUP/providers/Microsoft.RedHatOpenShift/openShiftClusters/$CLUSTER?api-version=2021-09-01-preview" -H 'Content-Type: application/json'

Validate adminapi as well:

curl -k "https://localhost:8443/subscriptions/225e02bc-43d0-43d1-a01a-17e584a4ef69/resourceGroups/robryan-fips/providers/Microsoft.RedHatOpenShift/openShiftClusters/robryan-fips-cluster?api-version=admin" -H 'Content-Type: application/json'

Now we can manually test that sysctl fips_enabled is true:

make admin.kubeconfig
export KUBECONFIG=admin.kubeconfig
oc debug node/<any-node-name>
chroot /host
sh-4.4# cat /proc/sys/crypto/fips_enabled
1

Is there any documentation that needs to be updated for this PR?

Will provide document updates when this is released via az cli.
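The manual test plan above checks the new parameter at two points: the cluster document the RP returns, and the kernel FIPS flag on a node. As an added example (not code from this PR or from the ARO-RP project), the Go program below models both checks: it parses a cluster document in the shape of the GET response, validates that fipsValidatedModules carries one of the string enum values rather than a boolean (the "no bools" point raised in review), derives the boolean the installer needs, and interprets the content of /proc/sys/crypto/fips_enabled read from the node. The type and function names, the rule that an empty value means Disabled, and the sample document are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// FipsValidatedModules models the string enum exposed in the cluster profile.
// The API carries "Enabled"/"Disabled" rather than a bool. This type and the
// constants below are assumed for this example, not the project's own types.
type FipsValidatedModules string

const (
	FipsValidatedModulesEnabled  FipsValidatedModules = "Enabled"
	FipsValidatedModulesDisabled FipsValidatedModules = "Disabled"
)

// clusterDoc is the subset of the cluster document that matters here.
type clusterDoc struct {
	Properties struct {
		ClusterProfile struct {
			Domain               string               `json:"domain"`
			FipsValidatedModules FipsValidatedModules `json:"fipsValidatedModules"`
		} `json:"clusterProfile"`
	} `json:"properties"`
}

// validateFips rejects anything but the two enum values. An empty value is
// treated as Disabled (an assumption) so documents created before the field
// existed keep their previous behaviour.
func validateFips(v FipsValidatedModules) (FipsValidatedModules, error) {
	switch v {
	case "":
		return FipsValidatedModulesDisabled, nil
	case FipsValidatedModulesEnabled, FipsValidatedModulesDisabled:
		return v, nil
	default:
		return "", fmt.Errorf("invalid fipsValidatedModules %q: expected %q or %q",
			v, FipsValidatedModulesEnabled, FipsValidatedModulesDisabled)
	}
}

// installerFips converts the validated API enum into the boolean that the
// installer's install-config takes for FIPS mode.
func installerFips(doc []byte) (bool, error) {
	var c clusterDoc
	if err := json.Unmarshal(doc, &c); err != nil {
		return false, err
	}
	v, err := validateFips(c.Properties.ClusterProfile.FipsValidatedModules)
	if err != nil {
		return false, err
	}
	return v == FipsValidatedModulesEnabled, nil
}

// nodeFipsEnabled interprets the content of /proc/sys/crypto/fips_enabled as
// read on a node (via oc debug + chroot /host): "1" means the kernel runs in
// FIPS mode, anything else means it does not.
func nodeFipsEnabled(procContent string) bool {
	return strings.TrimSpace(procContent) == "1"
}

// sampleDoc is a constructed cluster document in the shape of the GET response;
// the subscription and names are placeholders, not values from a real cluster.
const sampleDoc = `{
  "location": "eastus",
  "properties": {
    "clusterProfile": {
      "domain": "example",
      "resourceGroupId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-cluster",
      "fipsValidatedModules": "Enabled"
    }
  }
}`

func main() {
	fips, err := installerFips([]byte(sampleDoc))
	fmt.Println("installer fips:", fips, "err:", err)
	fmt.Println("node fips_enabled:", nodeFipsEnabled("1\n"))
}
```

Keeping the value as a string enum means a request that sends a boolean (or any other spelling) is rejected at validation time instead of being silently coerced, which is the behaviour the "no bools" review note asks for.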

Contributor

@m1kola m1kola left a comment

Looks good so far. Left a few comments which might be useful.

Contributor

  1. Do we need to expose this to the customers?
  2. If the answer to the above is "yes", then we need to update API spec in https://github.com/Azure/azure-rest-api-specs if we are still allowed to do so. Or create a new API version if not

Contributor

I suspect this will be a breaking change; it would be good to raise a POC PR into the repo @m1kola raised and confirm. Tell them not to merge, but ask a question.
This might need to be an ARM feature flag for now.

Contributor Author

Azure/azure-rest-api-specs#16028 on my todo list to follow up on this to determine what steps are needed for breaking change approval. I know @cadenmarchese is in a similar boat as myself with L series support.

Contributor

@mjudeikis mjudeikis left a comment

Overall good start.
Please move the CLI to a separate PR, as that side is not yet ready and is not a blocker to deliver this feature.

Contributor

Same as Admin API - no bools.

Contributor

Overall MSFT does not like abbreviations on the API, but this might fly... Need a POC PR for this too :)

Contributor Author

I am not sure what to expect, but here goes nothing Azure/azure-rest-api-specs#16028

@ross-bryan ross-bryan force-pushed the fips-installation branch 12 times, most recently from eaabc8a to 086b264 Compare September 13, 2021 22:21
@ross-bryan ross-bryan added the size-medium Size medium label Sep 13, 2021
@ross-bryan ross-bryan changed the title DRAFT: ARO Fips installation DRAFT: ARO Fips Mode Installation Sep 16, 2021
@ross-bryan ross-bryan force-pushed the fips-installation branch 2 times, most recently from a191438 to ab7b645 Compare September 21, 2021 15:01
@ross-bryan ross-bryan changed the title DRAFT: ARO Fips Mode Installation ARO Fips Mode Installation Sep 23, 2021
@ross-bryan ross-bryan requested a review from bennerv September 23, 2021 21:33
@ross-bryan ross-bryan dismissed stale reviews from bennerv and mjudeikis September 23, 2021 21:33

applied changes

Contributor

@nilsanderselde nilsanderselde left a comment

Looks good, just found one typo.

@jewzaam jewzaam merged commit a9abc15 into Azure:master Sep 27, 2021
@ross-bryan ross-bryan mentioned this pull request Sep 29, 2021
@ross-bryan ross-bryan deleted the fips-installation branch May 24, 2022 13:16
7 participants