HIVE-2548: Run installmanager binary in install container for fips compatibility by lleshchi · Pull Request #2260 · openshift/hive

lleshchi · 2024-04-17T17:19:39Z

openshift-ci · 2024-04-17T17:19:44Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

lleshchi · 2024-04-17T17:19:50Z

/test all

codecov · 2024-04-17T19:35:28Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 58.55%. Comparing base (cd191be) to head (d1629e3).
Report is 2 commits behind head on mce-2.6.

Additional details and impacted files

@@           Coverage Diff            @@
##           mce-2.6    #2260   +/-   ##
========================================
  Coverage    58.54%   58.55%           
========================================
  Files          182      182           
  Lines        25830    25829    -1     
========================================
+ Hits         15123    15124    +1     
+ Misses        9431     9429    -2     
  Partials      1276     1276

Files	Coverage Δ
contrib/pkg/utils/generic.go	`11.21% <ø> (+0.40%)`	⬆️
pkg/imageset/updateinstaller.go	`45.06% <100.00%> (-0.67%)`	⬇️
pkg/install/generate.go	`47.62% <100.00%> (+0.48%)`	⬆️

... and 1 file with indirect coverage changes

lleshchi · 2024-04-17T20:21:24Z

/test all

lleshchi · 2024-04-18T18:18:34Z

/test all

lleshchi · 2024-04-19T15:18:40Z

/test all

lleshchi · 2024-04-19T15:29:00Z

/retest e2e

openshift-ci · 2024-04-19T15:29:04Z

@lleshchi: The /retest command does not accept any targets.
The following commands are available to trigger required jobs:

/test coverage
/test e2e
/test e2e-azure
/test e2e-gcp
/test e2e-pool
/test images
/test periodic-images
/test security
/test unit
/test verify

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-hive-master-coverage
pull-ci-openshift-hive-master-e2e
pull-ci-openshift-hive-master-e2e-pool
pull-ci-openshift-hive-master-images
pull-ci-openshift-hive-master-periodic-images
pull-ci-openshift-hive-master-security
pull-ci-openshift-hive-master-unit
pull-ci-openshift-hive-master-verify

Details

In response to this:

/retest e2e

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

lleshchi · 2024-04-19T15:29:14Z

/test e2e

lleshchi · 2024-04-19T16:22:17Z

/test e2e

lleshchi · 2024-05-21T21:07:28Z

/test all

lleshchi · 2024-05-22T14:27:11Z

/assign @2uasimojo

2uasimojo

I have substantive concerns over cert installation. We should ask QE for a pre-merge run that specifically targets that path.

Dockerfile

contrib/pkg/utils/generic.go

pkg/imageset/updateinstaller.go

pkg/install/generate.go

2uasimojo · 2024-05-23T15:07:09Z

I have substantive concerns over cert installation.

These concerns have been assuaged.

But...

We should ask QE for a pre-merge run that specifically targets that path.

...we should still totally do this. From our conversation:

I think we want to make sure QE hits e.g. this path by making sure CERTS_SECRET_NAME is set, which comes from here if this returns a cert secret ref, which was set via CertificatesSecretRef.
The test case would be like:
Make sure your vsphere env is set up to require additional certs, and run an install without ⬆️ to make sure it fails. Then run with it and make sure it works.

2uasimojo

I think this is ready to go
/lgtm

but
/hold
cause we want to do some pre-merge QE.

pkg/install/generate.go

As a result of the openshift installer transitioning from rhel8 to rhel9 (openshift/installer#8196), running openshift-install in the rhel8 backed hive container in order to install a cluster in fips mode results in a fips incompatibility. Create a seperate installmanager binary that runs the install-manager command previously invoked by hiveutil. Build a rhel8 and rhel9 version of hive, and copy both versions of installmanager to the installer container. The directory struture of the provisioning pod is also adjusted to support this change. Lastly, the installmanager binary corresponding to the rhel version of the installer container. Signed-off-by: Leah Leshchinsky <lleshchi@redhat.com>

Signed-off-by: Leah Leshchinsky <lleshchi@redhat.com>

openshift-ci · 2024-06-18T15:49:57Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 2uasimojo, lleshchi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [2uasimojo,lleshchi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

2uasimojo · 2024-06-20T13:21:47Z

/retest

celebdor · 2024-06-20T13:21:56Z

/retest

2uasimojo · 2024-06-20T14:12:33Z

/test e2e

2uasimojo · 2024-06-20T16:28:45Z

/test e2e e2e-pool

Looks like new permission requirements were added:

time="2024-06-20T14:26:11Z" level=warning msg="Action not allowed with tested creds" action="elasticloadbalancing:SetSecurityGroups"
time="2024-06-20T14:26:11Z" level=warning msg="Action not allowed with tested creds" action="s3:PutBucketPolicy"

I've added these to the ci user. Trying again.

2uasimojo · 2024-06-20T16:29:56Z

security fail: #2308 needs to be backported. Overriding for now.

/override ci/prow/security

openshift-ci · 2024-06-20T16:32:07Z

@2uasimojo: Overrode contexts on behalf of 2uasimojo: ci/prow/security

Details

In response to this:

security fail: #2308 needs to be backported. Overriding for now.

/override ci/prow/security

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

2uasimojo · 2024-06-20T18:02:45Z

/test e2e e2e-pool

I... must not have hit the final "go" button on those permissions?

2uasimojo · 2024-06-20T18:29:16Z

Same error, but now I know for sure the perms are there. WTF?

/test e2e e2e-pool

2uasimojo · 2024-06-20T18:52:42Z

/test e2e-pool

infra flake

2uasimojo · 2024-06-20T19:49:41Z

I forgot again that our CI user is in a different AWS account.

/test e2e e2e-pool

2uasimojo · 2024-06-20T20:05:34Z

/test e2e-pool

2uasimojo · 2024-06-20T20:28:05Z

/test e2e-pool

2uasimojo · 2024-06-20T22:02:01Z

/test e2e-pool

same infra flake -- opening DPTP request

celebdor · 2024-06-21T14:25:52Z

/retitle HIVE-2548: Run installmanager binary in install container for fips compatibility

openshift-ci-robot · 2024-06-21T14:26:38Z

@lleshchi: This pull request references HIVE-2548 which is a valid jira issue.

Details

In response to this:

HIVE-2400

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2024-06-21T14:45:49Z

@lleshchi: This pull request references HIVE-2548 which is a valid jira issue.

Details

In response to this:

HIVE-2400
HIVE-2548

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2024-06-21T14:46:05Z

@lleshchi: This pull request references HIVE-2548 which is a valid jira issue.

Details

In response to this:

HIVE-2400
HIVE-2548

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

2uasimojo · 2024-06-21T14:46:31Z

/test e2e-pool

openshift-ci · 2024-06-21T16:58:35Z

@lleshchi: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-azure	`674956a`	link	true	`/test e2e-azure`
ci/prow/security	`d1629e3`	link	true	`/test security`
ci/prow/e2e-pool	`d1629e3`	link	true	`/test e2e-pool`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

In openshift#2260 we changed how we're invoking the openshift-install binary. Before: Copy openshift-install into the hive container and run it via `/usr/bin/hiveutil install-manager` After: Copy hiveutil into the installer container and run installer via `/output/hiveutil.rhel$VER install-manager` What we missed was that, for STS flows, we inject an AWS credentials file containing a `credential_process` that invoked `/usr/bin/hiveutil install-manager aws-credentials` -- but `hiveutil` no longer lives there. Fix. HIVE-2400

openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 17, 2024

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 17, 2024

lleshchi force-pushed the HIVE-2400 branch from b77b8a5 to 27396a9 Compare April 17, 2024 19:33

lleshchi force-pushed the HIVE-2400 branch from 27396a9 to 7cf554e Compare April 18, 2024 17:57

lleshchi force-pushed the HIVE-2400 branch 3 times, most recently from 2c3d29f to f581d13 Compare May 21, 2024 21:00

lleshchi changed the title ~~test run hiveutil from installer container~~ Run installmanager binary in install container for fips compatibility May 21, 2024

lleshchi marked this pull request as ready for review May 22, 2024 14:25

openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 22, 2024

openshift-ci bot assigned 2uasimojo May 22, 2024

openshift-ci bot requested review from dlom and jstuever May 22, 2024 14:43

2uasimojo reviewed May 22, 2024

View reviewed changes

Dockerfile Outdated Show resolved Hide resolved

contrib/pkg/utils/generic.go Show resolved Hide resolved

contrib/pkg/utils/generic.go Show resolved Hide resolved

pkg/imageset/updateinstaller.go Show resolved Hide resolved

2uasimojo reviewed May 23, 2024

View reviewed changes

pkg/install/generate.go Show resolved Hide resolved

lleshchi force-pushed the HIVE-2400 branch from f581d13 to 755b731 Compare May 23, 2024 15:16

2uasimojo reviewed May 23, 2024

View reviewed changes

pkg/install/generate.go Show resolved Hide resolved

lleshchi added 2 commits June 18, 2024 11:35

Consolidate Dockerfiles

d1629e3

Signed-off-by: Leah Leshchinsky <lleshchi@redhat.com>

lleshchi force-pushed the HIVE-2400 branch from 674956a to d1629e3 Compare June 18, 2024 15:37

openshift-ci bot changed the title ~~HIVE-2400: Run installmanager binary in install container for fips compatibility~~ HIVE-2548: Run installmanager binary in install container for fips compatibility Jun 21, 2024

2uasimojo merged commit 0ed7370 into openshift:mce-2.6 Jun 21, 2024

2uasimojo mentioned this pull request Jun 21, 2024

Fix AWS STS for RHEL8/9 transition #2322

Merged

Conversation

lleshchi commented Apr 17, 2024 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci bot commented Apr 17, 2024

Uh oh!

lleshchi commented Apr 17, 2024

Uh oh!

codecov bot commented Apr 17, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

lleshchi commented Apr 17, 2024

Uh oh!

lleshchi commented Apr 18, 2024

Uh oh!

lleshchi commented Apr 19, 2024

Uh oh!

lleshchi commented Apr 19, 2024

Uh oh!

openshift-ci bot commented Apr 19, 2024

Uh oh!

lleshchi commented Apr 19, 2024

Uh oh!

lleshchi commented Apr 19, 2024

Uh oh!

lleshchi commented May 21, 2024

Uh oh!

lleshchi commented May 22, 2024

Uh oh!

2uasimojo left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

2uasimojo commented May 23, 2024

Uh oh!

2uasimojo left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

openshift-ci bot commented Jun 18, 2024

Uh oh!

2uasimojo commented Jun 20, 2024

Uh oh!

celebdor commented Jun 20, 2024

Uh oh!

2uasimojo commented Jun 20, 2024

Uh oh!

2uasimojo commented Jun 20, 2024

Uh oh!

2uasimojo commented Jun 20, 2024

Uh oh!

openshift-ci bot commented Jun 20, 2024

Uh oh!

2uasimojo commented Jun 20, 2024

Uh oh!

2uasimojo commented Jun 20, 2024

Uh oh!

2uasimojo commented Jun 20, 2024

Uh oh!

2uasimojo commented Jun 20, 2024

Uh oh!

2uasimojo commented Jun 20, 2024

Uh oh!

2uasimojo commented Jun 20, 2024

Uh oh!

2uasimojo commented Jun 20, 2024

Uh oh!

celebdor commented Jun 21, 2024 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci-robot commented Jun 21, 2024 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci-robot commented Jun 21, 2024 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

lleshchi commented Apr 17, 2024 •

edited by openshift-ci bot

Loading

codecov bot commented Apr 17, 2024 •

edited

Loading

celebdor commented Jun 21, 2024 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented Jun 21, 2024 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented Jun 21, 2024 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented Jun 21, 2024 •

edited by openshift-ci bot

Loading