HIVE-2548: Run installmanager binary in install container for fips compatibility

.tekton/hive-pull-request.yaml

@@ -223,9 +223,9 @@ spec:
       taskRef:
         params:
         - name: name
-          value: buildah-10gb
+          value: buildah-20gb
         - name: bundle
-          value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-10gb:0.1
+          value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-20gb:0.1
         - name: kind
           value: task
         resolver: bundles

.tekton/hive-push.yaml

@@ -220,9 +220,9 @@ spec:
       taskRef:
         params:
         - name: name
-          value: buildah-10gb
+          value: buildah-20gb
         - name: bundle
-          value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-10gb:0.1
+          value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-20gb:0.1
         - name: kind
           value: task
         resolver: bundles

Dockerfile

@@ -1,25 +1,36 @@
-FROM registry.ci.openshift.org/openshift/release:rhel-8-release-golang-1.21-openshift-4.16 as builder
+FROM registry.ci.openshift.org/openshift/release:rhel-8-release-golang-1.21-openshift-4.16 as builder_rhel8
 RUN mkdir -p /go/src/github.com/openshift/hive
 WORKDIR /go/src/github.com/openshift/hive
 COPY . .
+RUN dnf -y install git python3-pip
 RUN make build
 
-FROM quay.io/centos/centos:stream9
+FROM registry.ci.openshift.org/openshift/release:rhel-9-release-golang-1.21-openshift-4.16 as builder_rhel9
+RUN mkdir -p /go/src/github.com/openshift/hive
+WORKDIR /go/src/github.com/openshift/hive
+COPY . .
+RUN dnf -y install git python3-pip
+RUN make build
 
-ARG DNF=dnf
+FROM registry.redhat.io/rhel9-4-els/rhel:9.4
 
-RUN $DNF -y update && $DNF clean all
+RUN dnf -y update && dnf clean all
 
 # ssh-agent required for gathering logs in some situations:
-RUN if ! rpm -q openssh-clients; then $DNF install -y openssh-clients && $DNF clean all && rm -rf /var/cache/dnf/*; fi
+RUN if ! rpm -q openssh-clients; then dnf install -y openssh-clients && dnf clean all && rm -rf /var/cache/dnf/*; fi
 
 # libvirt libraries required for running bare metal installer.
-RUN if ! rpm -q libvirt-libs; then $DNF install -y libvirt-libs && $DNF clean all && rm -rf /var/cache/dnf/*; fi
+RUN if ! rpm -q libvirt-libs; then dnf install -y libvirt-libs && dnf clean all && rm -rf /var/cache/dnf/*; fi
+
+# tar is needed to package must-gathers on install failure
+RUN if ! which tar; then dnf install -y tar && dnf clean all && rm -rf /var/cache/dnf/*; fi
+
+COPY --from=builder_rhel9 /go/src/github.com/openshift/hive/bin/manager /opt/services/
+COPY --from=builder_rhel9 /go/src/github.com/openshift/hive/bin/hiveadmission /opt/services/
+COPY --from=builder_rhel9 /go/src/github.com/openshift/hive/bin/operator /opt/services/hive-operator
 
-COPY --from=builder /go/src/github.com/openshift/hive/bin/manager /opt/services/
-COPY --from=builder /go/src/github.com/openshift/hive/bin/hiveadmission /opt/services/
-COPY --from=builder /go/src/github.com/openshift/hive/bin/hiveutil /usr/bin
-COPY --from=builder /go/src/github.com/openshift/hive/bin/operator /opt/services/hive-operator
+COPY --from=builder_rhel8 /go/src/github.com/openshift/hive/bin/hiveutil /usr/bin/hiveutil.rhel8
+COPY --from=builder_rhel9 /go/src/github.com/openshift/hive/bin/hiveutil /usr/bin/hiveutil
 
 # Hacks to allow writing known_hosts, homedir is / by default in OpenShift.
 # Bare metal installs need to write to $HOME/.cache, and $HOME/.ssh for as long as
@@ -30,17 +41,9 @@ RUN mkdir -p /home/hive && \
     chgrp -R 0 /home/hive && \
     chmod -R g=u /home/hive
 
-# This is so that we can write source certificate anchors during container start up.
-RUN mkdir -p /etc/pki/ca-trust/source/anchors && \
-    chgrp -R 0 /etc/pki/ca-trust/source/anchors && \
-    chmod -R g=u /etc/pki/ca-trust/source/anchors
-
-# This is so that we can run update-ca-trust during container start up.
-RUN mkdir -p /etc/pki/ca-trust/extracted/openssl && \
-    mkdir -p /etc/pki/ca-trust/extracted/pem && \
-    mkdir -p /etc/pki/ca-trust/extracted/java && \
-    chgrp -R 0 /etc/pki/ca-trust/extracted && \
-    chmod -R g=u /etc/pki/ca-trust/extracted
+RUN mkdir -p /output/hive-trusted-cabundle && \
+    chgrp -R 0 /output/hive-trusted-cabundle && \
+    chmod -R g=u /output/hive-trusted-cabundle
 
 # TODO: should this be the operator?
 ENTRYPOINT ["/opt/services/manager"]

contrib/pkg/utils/generic.go

@@ -25,7 +25,7 @@ import (
 )
 
 const (
-	caTrustDir = "/etc/pki/ca-trust/source/anchors/"
+	caTrustDir = "/output/hive-trusted-cabundle/"
 )
 
 type releasePayload struct {
@@ -205,10 +205,4 @@ func InstallCerts(sourceDir string) {
 		logger.WithError(err).WithField("output", string(b)).Fatal("failed to copy certs")
 	}
 	logger.WithField("output", string(b)).Info("copied certs")
-
-	b, err = exec.Command("update-ca-trust").CombinedOutput()
-	if err != nil {
-		logger.WithError(err).WithField("output", string(b)).Fatal("failed to update CA trust")
-	}
-	logger.WithField("output", string(b)).Info("updated CA trust")
 }

hack/app_sre_build_deploy.sh

@@ -99,7 +99,7 @@ else
 fi
 
 # build the image
-CONTAINER_BUILD_FLAGS="--file ./Dockerfile.ubi" make IMG="$IMG" GO_REQUIRED_MIN_VERSION:= docker-build
+CONTAINER_BUILD_FLAGS="--file ./Dockerfile" make IMG="$IMG" GO_REQUIRED_MIN_VERSION:= docker-build
 
 # push the image
 make IMG="$IMG" docker-push

hack/e2e-common.sh

@@ -139,7 +139,9 @@ function save_hive_logs() {
   done
   # Let's try to save any prov/deprov pod logs
   oc get po -A -l hive.openshift.io/install=true -o custom-columns=:.metadata.namespace,:.metadata.name --no-headers | while read ns po; do
-    oc logs -n $ns $po -c hive > ${ARTIFACT_DIR}/${ns}-${po}.log
+    oc logs -n $ns $po -c hive > ${ARTIFACT_DIR}/${ns}-${po}-hive.log
+    oc logs -n $ns $po -c installer > ${ARTIFACT_DIR}/${ns}-${po}-installer.log
+
   done
   oc get po -A -l hive.openshift.io/uninstall=true -o custom-columns=:.metadata.namespace,:.metadata.name --no-headers | while read ns po; do
     oc logs -n $ns $po > ${ARTIFACT_DIR}/${ns}-${po}.log
@@ -269,12 +271,12 @@ function capture_cluster_logs() {
     # Capture install logs
     if IMAGESET_JOB_NAME=$(oc get job -l "hive.openshift.io/cluster-deployment-name=${CLUSTER_NAME},hive.openshift.io/imageset=true" -o name -n ${CLUSTER_NAMESPACE}) && [ "${IMAGESET_JOB_NAME}" ]
     then
-        oc logs -c hive -n ${CLUSTER_NAMESPACE} ${IMAGESET_JOB_NAME} &> "${ARTIFACT_DIR}/hive_imageset_job.log" || true
+        oc logs -c installer -n ${CLUSTER_NAMESPACE} ${IMAGESET_JOB_NAME} &> "${ARTIFACT_DIR}/hive_imageset_job.log" || true
         oc get ${IMAGESET_JOB_NAME} -n ${CLUSTER_NAMESPACE} -o yaml &> "${ARTIFACT_DIR}/hive_imageset_job.yaml" || true
     fi
     if INSTALL_JOB_NAME=$(oc get job -l "hive.openshift.io/cluster-deployment-name=${CLUSTER_NAME},hive.openshift.io/install=true" -o name -n ${CLUSTER_NAMESPACE}) && [ "${INSTALL_JOB_NAME}" ]
     then
-        oc logs -c hive -n ${CLUSTER_NAMESPACE} ${INSTALL_JOB_NAME} &> "${ARTIFACT_DIR}/hive_install_job.log" || true
+        oc logs -c installer -n ${CLUSTER_NAMESPACE} ${INSTALL_JOB_NAME} &> "${ARTIFACT_DIR}/hive_install_job.log" || true
         oc get ${INSTALL_JOB_NAME} -n ${CLUSTER_NAMESPACE} -o yaml &> "${ARTIFACT_DIR}/hive_install_job.yaml" || true
     fi
     echo "************* INSTALL JOB LOG *************"

pkg/controller/clusterdeployment/clusterdeployment_controller_test.go

@@ -688,7 +688,7 @@ func TestClusterDeploymentReconcile(t *testing.T) {
 				if assert.Len(t, provisions, 1, "expected exactly one ClusterProvision") {
 					podSpec := provisions[0].Spec.PodSpec
 					if assert.Len(t, podSpec.InitContainers, 1, "expected exactly one initContainer") {
-						assert.Equal(t, "installer", podSpec.InitContainers[0].Name, "expected the initContainer to be 'installer'")
+						assert.Equal(t, "hive", podSpec.InitContainers[0].Name, "expected the initContainer to be 'hive'")
 					}
 				}
 			},

pkg/imageset/updateinstaller.go

@@ -167,13 +167,9 @@ func (o *UpdateInstallerImageOptions) Run() (returnErr error) {
 		o.log.WithField("installerImage", installerImage).Info("installer image overridden")
 	} else {
 		// Glean the installer image from the release metadata
-		installerTagName := "installer"
-		// If this is a bare metal install, we need to get the openshift-install binary from a different image with
-		// bare metal functionality compiled in. The binary is named the same and in the same location, so after swapping
-		// out what image to get it from, we can proceed with the code as we normally would.
-		if cd.Spec.Platform.BareMetal != nil {
-			installerTagName = "baremetal-installer"
-		}
+		// "baremetal-installer" is the legacy name for the fips compliant installer image
+		installerTagName := "baremetal-installer"
+
 		// Override annotation is allowed to override baremetal-installer too
 		if cd.Annotations != nil {
 			if override := cd.Annotations[constants.OverrideInstallerImageNameAnnotation]; override != "" {

pkg/imageset/updateinstaller_test.go

@@ -47,41 +47,28 @@ func TestUpdateInstallerImageCommand(t *testing.T) {
 			name:                      "successful execution",
 			existingClusterDeployment: testClusterDeployment(),
 			images: map[string]string{
-				"installer": testInstallerImage,
-				"cli":       testCLIImage,
+				"baremetal-installer": testInstallerImage,
+				"cli":                 testCLIImage,
 			},
 			validateClusterDeployment: validateSuccessfulExecution(testInstallerImage, testCLIImage, ""),
 		},
 		{
 			name:                      "failure execution missing cli",
 			existingClusterDeployment: testClusterDeployment(),
 			images: map[string]string{
-				"installer": testInstallerImage,
+				"baremetal-installer": testInstallerImage,
 			},
 			validateClusterDeployment: validateFailureExecution("could not get cli image"),
 			expectError:               true,
 		},
 		{
 			name:                      "successful execution after failure",
 			existingClusterDeployment: testClusterDeploymentWithErrorCondition(),
-			images: map[string]string{
-				"installer": testInstallerImage,
-				"cli":       testCLIImage,
-			},
-			validateClusterDeployment: validateSuccessfulExecution(testInstallerImage, testCLIImage, installerImageResolvedReason),
-		},
-		{
-			name: "successful execution baremetal platform",
-			existingClusterDeployment: func() *hivev1.ClusterDeployment {
-				cd := testClusterDeployment()
-				cd.Spec.Platform.BareMetal = &baremetal.Platform{}
-				return cd
-			}(),
 			images: map[string]string{
 				"baremetal-installer": testInstallerImage,
 				"cli":                 testCLIImage,
 			},
-			validateClusterDeployment: validateSuccessfulExecution(testInstallerImage, testCLIImage, ""),
+			validateClusterDeployment: validateSuccessfulExecution(testInstallerImage, testCLIImage, installerImageResolvedReason),
 		},
 		{
 			name: "installer image name override",
@@ -118,8 +105,8 @@ func TestUpdateInstallerImageCommand(t *testing.T) {
 			name:                      "successful execution with version in release metadata",
 			existingClusterDeployment: testClusterDeployment(),
 			images: map[string]string{
-				"installer": testInstallerImage,
-				"cli":       testCLIImage,
+				"baremetal-installer": testInstallerImage,
+				"cli":                 testCLIImage,
 			},
 			version:                   testReleaseVersion,
 			validateClusterDeployment: validateSuccessfulExecution(testInstallerImage, testCLIImage, ""),
@@ -137,17 +124,17 @@ func TestUpdateInstallerImageCommand(t *testing.T) {
 			name:                      "CLI image domain copied from installer image",
 			existingClusterDeployment: testClusterDeploymentWithCLIDomainCopy(),
 			images: map[string]string{
-				"installer": testInstallerImage,
-				"cli":       cliImageWithDifferentDomain,
+				"baremetal-installer": testInstallerImage,
+				"cli":                 cliImageWithDifferentDomain,
 			},
 			validateClusterDeployment: validateSuccessfulExecution(testInstallerImage, "registry.io/foo/cli:blah", ""),
 		},
 		{
 			name:                      "copy requested, invalid installer image",
 			existingClusterDeployment: testClusterDeploymentWithCLIDomainCopy(),
 			images: map[string]string{
-				"installer": "invalid image",
-				"cli":       cliImageWithDifferentDomain,
+				"baremetal-installer": "invalid image",
+				"cli":                 cliImageWithDifferentDomain,
 			},
 			validateClusterDeployment: validateFailureExecution("invalid installer image"),
 			expectError:               true,
@@ -156,8 +143,8 @@ func TestUpdateInstallerImageCommand(t *testing.T) {
 			name:                      "copy requested, invalid cli image",
 			existingClusterDeployment: testClusterDeploymentWithCLIDomainCopy(),
 			images: map[string]string{
-				"installer": testInstallerImage,
-				"cli":       "invalid image",
+				"baremetal-installer": testInstallerImage,
+				"cli":                 "invalid image",
 			},
 			validateClusterDeployment: validateFailureExecution("invalid cli image"),
 			expectError:               true,