Bug 2047913: Fix HAProxy tests on FIPS properly

[Miciah]

Revert "Skip some HAProxy tests on FIPS"

This reverts #26800.

test/extended/util/url: Use curl --connect-to

• test/extended/util/url/url.go (CURL): Add a new ProxyHost field.
  (Through): Assign the given address to ProxyHost instead of changing the request host or headers.
  (ToShell): Use Curl's --connect-to flag to specify the proxy host.

Fix HAProxy tests on FIPS properly

Change existing HAProxy tests to use a FIPS-compatible, 2048-bit RSA key. Add a new test to verify that using a FIPS-incompatible, 1024-bit RSA key for the router's default certificate fails on FIPS clusters and succeeds on non-FIPS clusters.

The certificate used in this new test comes from the default certificate that is currently built into the router image (which is why the tests were failing on FIPS). The certificate used for the already existing tests was generated using the following Shell commands on a RHEL 8.4 system with OpenSSL 1.1.1g:

openssl req -x509 -newkey rsa:2048 -days 3650 -keyout ca.key -out ca.crt -nodes -subj '/C=US/ST=SC/L=Default City/O=Default Company Ltd/OU=Test CA/CN=www.exampleca.com/emailAddress=example@example.com'
openssl req -newkey rsa:2048 -nodes -keyout tls.key -out router.csr -subj '/CN=www.example.com/ST=SC/C=US/emailAddress=example@example.com/O=Example/OU=Example'
printf 'basicConstraints=CA:FALSE\n' > router.cnf
openssl x509 -req -days 3650 -in router.csr -signkey tls.key -CA ca.crt -CAcreateserial -CAkey ca.key -out tls.crt -clrext -extfile router.cnf
cat tls.{crt,key} > default_pub_keys.pem

These commands generate a certificate that has the same parameters as the old one except for the serial number, signature algorithm, validity period, and key size.

• test/extended/router/certs.go: New file with the new tests.
• test/extended/testdata/router/router-common.yaml: Change route-1 and route-2 from non-TLS routes to edge-terminated TLS routes with insecureEdgeTerminationPolicy: Allow.
• test/extended/testdata/router/router-override-domains.yaml:
• test/extended/testdata/router/router-override.yaml:
• test/extended/testdata/router/router-scoped.yaml:
• test/extended/testdata/router/weighted-router.yaml: Add a parameter for the default certificate with the default value being a certificate with a FIPS-compatible, 2048-bit RSA key.
• test/extended/testdata/bindata.go:
• test/extended/util/annotate/generated/zz_generated.annotations.go: Regenerate.

test/extended/router: Dump crypto-policy for FIPS

Update the new tests that use a FIPS-incompatible key to gather and print out the content of /etc/crypto-policies/back-ends/opensslcnf.config so that the configured crypto-policy can be examined in case of test failures.

• test/extended/router/certs.go: cat /etc/crypto-policies/back-ends/opensslcnf.config after each test.

[openshift-ci]

@Miciah: This pull request references Bugzilla bug 2047913, which is invalid:

• expected the bug to target the "4.11.0" release, but it targets "---" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

Bug 2047913: Fix HAProxy tests on FIPS properly

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Miciah]

/bugzilla refresh

[openshift-ci]

@Miciah: This pull request references Bugzilla bug 2047913, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.11.0) matches configured target release for branch (4.11.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact:
/cc @lihongan

Details

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[deads2k]

will this function on ipv6?

[Miciah]

It should, if the address is bracketed. I've added a comment to Through to mention that IPv6 addresses should be bracketed. I've also replaced --resolve with --connect-to, which handles IPv4 addresses, bracketed IPv6 addresses, and host names (the last would have failed with --resolve, which would cause problems on platforms such as AWS where the LB status has a host name rather than an IP address).

[deads2k]

/approve

The overall approach looks reasonable. I'll leave lgtm with someone on network-edge. @frobware perhaps?

[openshift-ci]

@Miciah: This pull request references Bugzilla bug 2047913, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.11.0) matches configured target release for branch (4.11.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact:
/cc @lihongan

Details

In response to this:

Bug 2047913: Fix HAProxy tests on FIPS properly

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Miciah]

Latest push updates some additional manifests with the FIPS-compatible certificate and replaces --resolve with --connect-to.

[Miciah]

The new test failed because the router started even with a FIPS-incompatible, 1024-bit key on a FIPS-enabled cluster. I'm not sure how that could happen. The test passed for me when I tested with cluster-bot; in manual testing, the router did not start with a FIPS-incompatible key on a FIPS-enabled GCP cluster.
/test e2e-aws-fips

[Miciah]

/test e2e-gcp-fips-serial

[frobware]

Many failures.

/retest

[Miciah]

The tests work on cluster-bot fips clusters. In addition to my earlier manual testing on a FIPS-enabled GCP cluster, I used /msg @cluster-bot test e2e openshift/origin#26803 aws,fips and /msg @cluster-bot test e2e openshift/origin#26803 gcp,fips to verify that the tests work properly on FIPS clusters. Linked below are the passing cluster-bot jobs, which show that [sig-network][Feature:Router] when FIPS is enabled the HAProxy router should not work when configured with a 1024-bit RSA key passes and [sig-network][Feature:Router] when FIPS is disabled the HAProxy router should serve routes when configured with a 1024-bit RSA key is skipped on FIPS clusters:

https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/release-openshift-origin-installer-launch-aws-modern/1488206794919514112

https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/release-openshift-origin-installer-launch-gcp-modern/1488178502883610624

I'm increasingly thinking that our e2e-aws-fips and e2e-gcp-fips-serial tests are broken.

/test e2e-aws-fips
/test e2e-gcp-fips-serial

[openshift-ci]

@Miciah: An error was encountered querying GitHub for users with public email (hongli@redhat.com) for bug 2047913 on the Bugzilla server at https://bugzilla.redhat.com. No known errors were detected, please see the full error message for details.

Full error message.

non-200 OK status code: 403 Forbidden body: "{\n \"documentation_url\": \"https://docs.github.com/en/free-pro-team@latest/rest/overview/resources-in-the-rest-api#secondary-rate-limits\",\n \"message\": \"You have exceeded a secondary rate limit. Please wait a few minutes before you try again.\"\n}\n"

Please contact an administrator to resolve this issue, then request a bug refresh with /bugzilla refresh.

Details

In response to this:

Bug 2047913: Fix HAProxy tests on FIPS properly

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Miciah]

The e2e-gcp-fips-serial job has gone missing...
/refresh

[Miciah]

/test e2e-gcp-fips-serial

[Miciah]

/test images

[Miciah]

/test e2e-aws-fips

[Miciah]

/test e2e-aws-fips
/test e2e-gcp-fips-serial

[Miciah]

   * could not run steps: step src failed: could not get build src: builds.build.openshift.io "src" not found 

/test e2e-aws-fips

[Miciah]

/test e2e-aws-fips

[Miciah]

/retest

[Miciah]

/retest

[frobware]

/lgtm

[frobware]

/skip

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, frobware, Miciah

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• test/extended/OWNERS [deads2k]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@Miciah: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-ovn-rt-upgrade	11f619c	link	false	/test e2e-gcp-ovn-rt-upgrade

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-ci]

@Miciah: All pull requests linked via external trackers have merged:

• openshift/origin#26803

Bugzilla bug 2047913 has been moved to the MODIFIED state.

Details

In response to this:

Bug 2047913: Fix HAProxy tests on FIPS properly

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.