From bd47f6ba47efab69663b032ecefb0b0bbf20c539 Mon Sep 17 00:00:00 2001 From: Miciah Masters Date: Fri, 28 Jan 2022 15:24:05 -0500 Subject: [PATCH] Skip some HAProxy tests on FIPS Skip HAProxy tests that use the router image's built-in default certificate, which is incompatible with FIPS. This is a temporary measure to prevent CI from permafailing on FIPS over the weekend. This commit is related to bug 2047790. https://bugzilla.redhat.com/show_bug.cgi?id=2047790 * test/extended/router/scoped.go: * test/extended/router/unprivileged.go: * test/extended/router/weighted.go: Skip on FIPS. --- test/extended/router/scoped.go | 24 +++++++++++++++++++++--- test/extended/router/unprivileged.go | 8 +++++++- test/extended/router/weighted.go | 8 +++++++- 3 files changed, 35 insertions(+), 5 deletions(-) diff --git a/test/extended/router/scoped.go b/test/extended/router/scoped.go index 02a6889f2337..e899048bf75e 100644 --- a/test/extended/router/scoped.go +++ b/test/extended/router/scoped.go @@ -61,9 +61,15 @@ var _ = g.Describe("[sig-network][Feature:Router]", func() { g.Describe("The HAProxy router", func() { g.It("should serve the correct routes when scoped to a single namespace and label set", func() { + isFIPS, err := exutil.IsFIPS(oc.AdminKubeClient().CoreV1()) + o.Expect(err).NotTo(o.HaveOccurred()) + if isFIPS { + g.Skip("The router image's built-in default certificate is incompatible with FIPS: https://bugzilla.redhat.com/show_bug.cgi?id=2047790") + } + configPath := exutil.FixturePath("testdata", "router", "router-scoped.yaml") g.By(fmt.Sprintf("creating a router from a config file %q", configPath)) - err := oc.AsAdmin().Run("new-app").Args("-f", configPath, "-p", "IMAGE="+routerImage).Execute() + err = oc.AsAdmin().Run("new-app").Args("-f", configPath, "-p", "IMAGE="+routerImage).Execute() o.Expect(err).NotTo(o.HaveOccurred()) ns := oc.KubeFramework().Namespace.Name @@ -106,9 +112,15 @@ var _ = g.Describe("[sig-network][Feature:Router]", func() { g.It("should override the route host with a custom value", func() { + isFIPS, err := exutil.IsFIPS(oc.AdminKubeClient().CoreV1()) + o.Expect(err).NotTo(o.HaveOccurred()) + if isFIPS { + g.Skip("The router image's built-in default certificate is incompatible with FIPS: https://bugzilla.redhat.com/show_bug.cgi?id=2047790") + } + configPath := exutil.FixturePath("testdata", "router", "router-override.yaml") g.By(fmt.Sprintf("creating a router from a config file %q", configPath)) - err := oc.AsAdmin().Run("new-app").Args("-f", configPath, "-p", "IMAGE="+routerImage).Execute() + err = oc.AsAdmin().Run("new-app").Args("-f", configPath, "-p", "IMAGE="+routerImage).Execute() o.Expect(err).NotTo(o.HaveOccurred()) ns := oc.KubeFramework().Namespace.Name @@ -170,9 +182,15 @@ var _ = g.Describe("[sig-network][Feature:Router]", func() { g.It("should override the route host for overridden domains with a custom value", func() { + isFIPS, err := exutil.IsFIPS(oc.AdminKubeClient().CoreV1()) + o.Expect(err).NotTo(o.HaveOccurred()) + if isFIPS { + g.Skip("The router image's built-in default certificate is incompatible with FIPS: https://bugzilla.redhat.com/show_bug.cgi?id=2047790") + } + configPath := exutil.FixturePath("testdata", "router", "router-override-domains.yaml") g.By(fmt.Sprintf("creating a router from a config file %q", configPath)) - err := oc.AsAdmin().Run("new-app").Args("-f", configPath, "-p", "IMAGE="+routerImage).Execute() + err = oc.AsAdmin().Run("new-app").Args("-f", configPath, "-p", "IMAGE="+routerImage).Execute() o.Expect(err).NotTo(o.HaveOccurred()) ns := oc.KubeFramework().Namespace.Name diff --git a/test/extended/router/unprivileged.go b/test/extended/router/unprivileged.go index c9725cf00894..0b739d63ec06 100644 --- a/test/extended/router/unprivileged.go +++ b/test/extended/router/unprivileged.go @@ -54,9 +54,15 @@ var _ = g.Describe("[sig-network][Feature:Router]", func() { g.Describe("The HAProxy router", func() { g.It("should run even if it has no access to update status", func() { + isFIPS, err := exutil.IsFIPS(oc.AdminKubeClient().CoreV1()) + o.Expect(err).NotTo(o.HaveOccurred()) + if isFIPS { + g.Skip("The router image's built-in default certificate is incompatible with FIPS: https://bugzilla.redhat.com/show_bug.cgi?id=2047790") + } + configPath := exutil.FixturePath("testdata", "router", "router-scoped.yaml") g.By(fmt.Sprintf("creating a router from a config file %q", configPath)) - err := oc.AsAdmin().Run("new-app").Args("-f", configPath, + err = oc.AsAdmin().Run("new-app").Args("-f", configPath, `-p=IMAGE=`+routerImage, `-p=ROUTER_NAME=test-unprivileged`, `-p=UPDATE_STATUS=false`, diff --git a/test/extended/router/weighted.go b/test/extended/router/weighted.go index ecf04494ba2c..4f2129fcf03b 100644 --- a/test/extended/router/weighted.go +++ b/test/extended/router/weighted.go @@ -37,6 +37,12 @@ var _ = g.Describe("[sig-network][Feature:Router]", func() { g.Describe("The HAProxy router", func() { g.It("should serve a route that points to two services and respect weights", func() { + isFIPS, err := exutil.IsFIPS(oc.AdminKubeClient().CoreV1()) + o.Expect(err).NotTo(o.HaveOccurred()) + if isFIPS { + g.Skip("The router image's built-in default certificate is incompatible with FIPS: https://bugzilla.redhat.com/show_bug.cgi?id=2047790") + } + defer func() { if g.CurrentGinkgoTestDescription().Failed { dumpWeightedRouterLogs(oc, g.CurrentGinkgoTestDescription().FullTestText) @@ -52,7 +58,7 @@ var _ = g.Describe("[sig-network][Feature:Router]", func() { g.By(fmt.Sprintf("creating a weighted router from a config file %q", configPath)) var routerIP string - err := wait.Poll(time.Second, changeTimeoutSeconds*time.Second, func() (bool, error) { + err = wait.Poll(time.Second, changeTimeoutSeconds*time.Second, func() (bool, error) { pod, err := oc.KubeFramework().ClientSet.CoreV1().Pods(oc.KubeFramework().Namespace.Name).Get(context.Background(), "weighted-router", metav1.GetOptions{}) if err != nil { return false, err