From 2e19d448f6ac80ec9468d21fc72682295a7365c9 Mon Sep 17 00:00:00 2001
From: Zane Bitter
Date: Thu, 4 Apr 2024 16:50:45 +1300
Subject: [PATCH] CORS-3446: Add instructions for obtaining correct binary
Update the warning message from the hostcrypt check to give more specific instructions on how to obtain the correct binary and where to run it.
---
pkg/hostcrypt/dynamic.go | 17 +++++++++++++++++
pkg/hostcrypt/hostcrypt.go | 20 ++++++++++++--------
pkg/hostcrypt/static.go | 17 +++++++++++++++++
3 files changed, 46 insertions(+), 8 deletions(-)
create mode 100644 pkg/hostcrypt/dynamic.go
create mode 100644 pkg/hostcrypt/static.go
diff --git a/pkg/hostcrypt/dynamic.go b/pkg/hostcrypt/dynamic.go
new file mode 100644
index 00000000000..5bf54fc52cc
--- /dev/null
+++ b/pkg/hostcrypt/dynamic.go
@@ -0,0 +1,17 @@
+//go:build libvirt
+// +build libvirt
+
+package hostcrypt
+
+import "fmt"
+
+func allowFIPSCluster() error {
+ fipsEnabled, err := hostFIPSEnabled()
+ if err != nil {
+ return err
+ }
+ if fipsEnabled {
+ return nil
+ }
+ return fmt.Errorf("enable FIPS mode on the host")
+}
diff --git a/pkg/hostcrypt/hostcrypt.go b/pkg/hostcrypt/hostcrypt.go
index 845738510f0..4245a4e70cc 100644
--- a/pkg/hostcrypt/hostcrypt.go
+++ b/pkg/hostcrypt/hostcrypt.go
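Review bot: allowFIPSCluster in the libvirt build has no doc comment, and `fmt.Errorf("enable FIPS mode on the host")` carries no format verbs, so `errors.New("enable FIPS mode on the host")` (with `import "errors"` in place of `import "fmt"`) is the idiomatic form. A reader of this file alone cannot tell why this build only checks the host and never refuses outright the way the static.go variant does, so a comment along the lines of `// allowFIPSCluster permits a FIPS-mode target only when the client host itself runs in FIPS mode; this libvirt-tagged build is presumably the FIPS-capable one, unlike the default build in static.go.` would record the intent (the "presumably" is mine — the hunks show the two behaviours but not the reason). hostFIPSEnabled is defined in hostcrypt.go, outside this hunk.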
@@ -18,23 +18,27 @@ func VerifyHostTargetState(fips bool) error {
 if !fips {
 return nil
 }
+
+ if err := allowFIPSCluster(); err != nil {
+ return fmt.Errorf("target cluster is in FIPS mode, %w", err)
+ }
+ return nil
+}
+
+func hostFIPSEnabled() (bool, error) {
 if runtime.GOOS != "linux" {
- return fmt.Errorf("target cluster is in FIPS mode, operation requires a Linux client")
+ return false, fmt.Errorf("operation requires a Linux client")
 }
 
 hostFIPSData, err := os.ReadFile(fipsFile)
 if err != nil {
- return fmt.Errorf("target cluster is in FIPS mode, but failed to read client FIPS state %s: %w", fipsFile, err)
+ return false, fmt.Errorf("failed to read client FIPS state %s: %w", fipsFile, err)
 }
 
 hostFIPS, err := strconv.ParseBool(strings.TrimSuffix(string(hostFIPSData), "\n"))
 if err != nil {
- return fmt.Errorf("target cluster is in FIPS mode, but failed to parse client FIPS state %s: %w", fipsFile, err)
- }
-
- if !hostFIPS {
- return fmt.Errorf("target cluster is in FIPS mode, operation requires a FIPS enabled client")
+ return false, fmt.Errorf("failed to parse client FIPS state %s: %w", fipsFile, err)
 }
 
- return nil
+ return hostFIPS, nil
 }
diff --git a/pkg/hostcrypt/static.go b/pkg/hostcrypt/static.go
new file mode 100644
index 00000000000..6eb0e5efbec
--- /dev/null
+++ b/pkg/hostcrypt/static.go
@@ -0,0 +1,17 @@
+//go:build !libvirt
+// +build !libvirt
+
+package hostcrypt
+
+import "fmt"
+
+const binaryInstructions = "To obtain a suitable binary, download the openshift-install-rhel8 archive from the client mirror, or extract the openshift-install-fips command from the release payload."
+
+func allowFIPSCluster() error {
+ hostMsg := ""
+ if fipsEnabled, err := hostFIPSEnabled(); err != nil || !fipsEnabled {
+ hostMsg = " on a host with FIPS enabled"
+ }
+ return fmt.Errorf("use the FIPS-capable installer binary for RHEL 8%s.\n%s",
+ hostMsg, binaryInstructions)
+}
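Review bot: hostFIPSEnabled is newly split out but has no doc comment, and since it is now the single place the client's FIPS state is read, its contract should be stated: `// hostFIPSEnabled reads fipsFile and reports whether the client host has FIPS mode enabled. It returns an error on non-Linux clients and when fipsFile cannot be read or parsed, so a false result is only meaningful when err is nil.` Separately, `strings.TrimSuffix(string(hostFIPSData), "\n")` strips exactly one trailing newline; `strings.TrimSpace(string(hostFIPSData))` accepts the same input and also tolerates a trailing carriage return or blank, a one-token change that avoids a spurious parse failure. VerifyHostTargetState begins before this hunk (its signature appears only in the hunk header), so the `if !fips` early return at the top is the first line of its body that is visible here.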
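Review bot: The `err != nil || !fipsEnabled` condition in the static-build allowFIPSCluster discards the error from hostFIPSEnabled, so a non-Linux client or an unreadable fipsFile is reported only as "on a host with FIPS enabled", losing the specific cause that the hostcrypt.go hunk just took care to phrase (`operation requires a Linux client`, `failed to read client FIPS state ...`). Keeping the error text in the message tells the operator which precondition actually failed without altering the binaryInstructions wording; the rewritten lines are below and the return statement is unchanged. The resulting error string also embeds a newline through the `\n` in the format, which departs from the one-line error convention — fine for a user-facing message, but worth a comment on binaryInstructions saying it is meant to be printed verbatim.
```go
func allowFIPSCluster() error {
	hostMsg := ""
	if fipsEnabled, err := hostFIPSEnabled(); err != nil {
		// Keep the cause (non-Linux client, unreadable or unparsable fipsFile) visible instead of folding it into the generic hint.
		hostMsg = fmt.Sprintf(" on a host with FIPS enabled (%v)", err)
	} else if !fipsEnabled {
		hostMsg = " on a host with FIPS enabled"
	}
	// … unchanged: return fmt.Errorf(...) with hostMsg and binaryInstructions …
```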