Expand Up @@ -168,7 +168,11 @@ tests:
- as: e2e-aws
steps:
cluster_profile: aws
workflow: openshift-e2e-aws
workflow: openshift-e2e-aws-fips-default
- as: e2e-aws-fips
steps:
cluster_profile: aws
workflow: openshift-e2e-aws-fips
- as: e2e-aws-proxy
steps:
cluster_profile: aws
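Review bot: the e2e-aws test now runs the openshift-e2e-aws-fips-default workflow instead of openshift-e2e-aws, so the default presubmit gains a per-node assertion that FIPS is disabled; the PR description should say so, since a regression where a default install turns FIPS on will now fail e2e-aws rather than the new e2e-aws-fips job. The e2e-aws-fips entry itself carries no FIPS expectation, so it is only correct if the openshift-e2e-aws-fips workflow sets FIPS_EXPECTED for the check step.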
Expand Up @@ -153,6 +153,7 @@ presubmits:
decoration_config:
skip_cloning: true
labels:
ci-operator.openshift.io/prowgen-controlled: "true"
pj-rehearse.openshift.io/can-be-rehearsed: "true"
name: pull-ci-openshift-installer-master-e2e-aws-fips
optional: true
Expand All @@ -161,62 +162,34 @@ presubmits:
spec:
containers:
- args:
- --artifact-dir=$(ARTIFACTS)
- --give-pr-author-access-to-namespace=true
- --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
- --kubeconfig=/etc/apici/kubeconfig
- --lease-server-password-file=/etc/boskos/password
- --lease-server-username=ci
- --lease-server=https://boskos-ci.svc.ci.openshift.org
- --repo=installer
- --report-password-file=/etc/report/password.txt
- --report-username=ci
- --secret-dir=/usr/local/e2e-aws-fips-cluster-profile
- --target=e2e-aws-fips
- --template=/usr/local/e2e-aws-fips
command:
- ci-operator
env:
- name: CLUSTER_TYPE
value: aws
- name: CLUSTER_VARIANT
value: fips
- name: JOB_NAME_SAFE
value: e2e-aws-fips
- name: TEST_COMMAND
value: |
fips_check
TEST_SUITE=openshift/conformance/parallel run-tests
image: ci-operator:latest
imagePullPolicy: Always
name: ""
resources:
requests:
cpu: 10m
volumeMounts:
- mountPath: /etc/apici
name: apici-ci-operator-credentials
readOnly: true
- mountPath: /etc/boskos
name: boskos
readOnly: true
- mountPath: /usr/local/e2e-aws-fips-cluster-profile
name: cluster-profile
- mountPath: /usr/local/e2e-aws-fips
name: job-definition
subPath: cluster-launch-installer-e2e.yaml
- mountPath: /etc/pull-secret
name: pull-secret
readOnly: true
- mountPath: /etc/sentry-dsn
name: sentry-dsn
- mountPath: /etc/report
name: result-aggregator
readOnly: true
serviceAccountName: ci-operator
volumes:
- name: apici-ci-operator-credentials
secret:
items:
- key: sa.ci-operator.apici.config
path: kubeconfig
secretName: apici-ci-operator-credentials
- name: boskos
secret:
items:
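Review bot: the +/- markers are lost in this rendering, but the template wiring (--template against the job-definition mount, the TEST_COMMAND env that ran fips_check before the conformance suite, CLUSTER_TYPE/CLUSTER_VARIANT) appears to be the removed side, with the step-registry target taking over, which is the intent of the PR. Since the job is labelled ci-operator.openshift.io/prowgen-controlled: "true" in the hunk above, this spec should come from the job generator rather than a hand edit (hand edits are overwritten on the next regeneration); the review check is that the regenerated output still carries --target=e2e-aws-fips and the cluster-profile secret-dir.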
Expand All @@ -228,15 +201,12 @@ presubmits:
sources:
- secret:
name: cluster-secrets-aws
- configMap:
name: prow-job-cluster-launch-installer-e2e
name: job-definition
- name: pull-secret
secret:
secretName: regcred
- name: sentry-dsn
- name: result-aggregator
secret:
secretName: sentry-dsn
secretName: result-aggregator
trigger: (?m)^/test( | .* )e2e-aws-fips,?($|\s.*)
- agent: kubernetes
always_run: false
4 changes: 4 additions & 0 deletions ci-operator/step-registry/ipi/conf/fips/OWNERS
@@ -0,0 +1,4 @@
approvers:
- abhinavdahiya
- sallyom
- wking
@@ -0,0 +1,7 @@
#!/bin/bash

set -o nounset
set -o errexit
set -o pipefail

echo 'fips: true' > "${SHARED_DIR}/install-config.yaml"
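Review bot: `>` truncates ${SHARED_DIR}/install-config.yaml, so the AWS configuration written by ipi-conf-aws earlier in the workflow (and which the ref's documentation says must already exist) is replaced by the single line `fips: true` and the install cannot proceed. At minimum this should be `>>` to append the top-level key; more robust is to fail early when the file is missing and to merge the key with a YAML-aware tool so it lands at the top level even if the existing file lacks a trailing newline or ends with a document marker.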
10 changes: 10 additions & 0 deletions ci-operator/step-registry/ipi/conf/fips/ipi-conf-fips-ref.yaml
@@ -0,0 +1,10 @@
ref:
as: ipi-conf-fips
from: upi-installer
commands: ipi-conf-fips-commands.sh
resources:
requests:
cpu: 10m
memory: 100Mi
documentation: >-
This step enables FIPS in an install-config.yaml file. An existing install-config.yaml file should already exist in the shared directory. The resulting file remains in the shared directory for future consumption.
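Review bot: the documentation says an install-config.yaml must already be in the shared directory, but the step does not enforce it; have ipi-conf-fips-commands.sh test for "${SHARED_DIR}/install-config.yaml" and exit non-zero with a clear message when it is absent, so a mis-ordered workflow fails here rather than at install time. The sentence "An existing install-config.yaml file should already exist in the shared directory" also reads better as "An install-config.yaml file must already exist in the shared directory."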
1 change: 1 addition & 0 deletions ci-operator/step-registry/openshift/e2e/aws/fips/OWNERS
@@ -0,0 +1,12 @@
workflow:
as: openshift-e2e-aws-fips-default
steps:
pre:
- chain: ipi-aws-pre
test:
- ref: openshift-e2e-fips
- ref: openshift-e2e-test
post:
- chain: ipi-aws-post
documentation: |-
The Openshift E2E AWS workflow executes the common end-to-end test suite and FIPS check on AWS with a default cluster configuration, where FIPS is disabled.
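Review bot: this workflow relies on the openshift-e2e-fips ref's FIPS_EXPECTED default of false to assert that FIPS is disabled on every node; that matches the documentation, but setting the variable explicitly for the step here would keep the assertion correct if the ref's default ever changes. The documentation string should also read "OpenShift" rather than "Openshift".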
@@ -0,0 +1,14 @@
workflow:
as: openshift-e2e-aws-fips
steps:
pre:
- chain: ipi-conf-aws
- chain: ipi-conf-fips
- chain: ipi-install
test:
- ref: openshift-e2e-fips
- ref: openshift-e2e-test
post:
- chain: ipi-aws-post
documentation: |-
The Openshift E2E AWS workflow executes the common end-to-end test suite and FIPS check on AWS with a FIPS cluster configuration.
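Review bot: ipi-conf-fips is registered as a ref in ipi-conf-fips-ref.yaml, not a chain, so `- chain: ipi-conf-fips` should be `- ref: ipi-conf-fips`. Also, nothing in this workflow sets FIPS_EXPECTED to 'true' for the openshift-e2e-fips step, so with the ref's default of false the check will assert that FIPS is disabled on a cluster installed with fips: true and fail; the workflow needs to set that variable for the step, as the author's inline reply already acknowledges.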
1 change: 1 addition & 0 deletions ci-operator/step-registry/openshift/e2e/fips/OWNERS
@@ -0,0 +1,45 @@
#!/bin/bash
Contributor: why is this not a test in the openshift-test binary?

Member Author: I'm fine with that too. There should be some way to figure out what the configured value should be for a node? But I guess that wouldn't cover "installer ignores fips setting in the install-config". Do we care about covering that portion? We could probably cover it in create manifests integration testing in the installer.

set -o nounset
set -o errexit
set -o pipefail

trap 'CHILDREN=$(jobs -p); if test -n "${CHILDREN}"; then kill ${CHILDREN} && wait; fi' TERM

oc --request-timeout=60s get nodes -o jsonpath --template '{range .items[*]}{.metadata.name}{"\n"}{end}' > "${TMPDIR}/node-names" &
wait "$!"

cat "${TMPDIR}/node-names" | sort | while read -r NODE_NAME
do
echo "Checking FIPS for node ${NODE_NAME}"
attempt=0
while true; do
out=$(oc --request-timeout=60s -n default debug "node/${NODE_NAME}" -- cat /proc/sys/crypto/fips_enabled || true) &
wait "$!"
if [[ ! -z "${out}" ]]; then
break
fi
attempt=$(( attempt + 1 ))
if [[ $attempt -gt 3 ]]; then
break
fi
echo "command failed, $(( 4 - $attempt )) retries left"
sleep 5
done

if [[ -z "${out}" ]]; then
echo "oc debug node/${NODE_NAME} failed" >&2
exit 1
fi
if [[ "${FIPS_ENABLED}" = 'true' ]]; then
if [[ "${out}" -ne 1 ]]; then
echo "FIPS not enabled on node ${NODE_NAME} but should be, exiting" >&2
exit 1
fi
else
if [[ "${out}" -ne 0 ]]; then
echo "FIPS is enabled on node ${NODE_NAME} but should not be, exiting" >&2
exit 1
fi
fi
done
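Review bot: the script reads ${FIPS_ENABLED} in `if [[ "${FIPS_ENABLED}" = 'true' ]]; then`, but the ref declares the variable as FIPS_EXPECTED; with `set -o nounset` the unbound name aborts the script before any node is checked, so every job using this step fails regardless of the cluster's FIPS state. Rename it to FIPS_EXPECTED to match the ref. Two smaller points: `[[ "${out}" -ne 1 ]]` is an arithmetic comparison, so if the debug pod ever returns anything other than 0 or 1 on stdout the test errors instead of reporting a clean mismatch, and comparing the string against '1' / '0' is more robust; and `cat "${TMPDIR}/node-names" | sort | while read -r NODE_NAME` runs the loop in a subshell, which only works because the loop is the last element of the pipeline and pipefail is set, so `sort < "${TMPDIR}/node-names" | while ...` drops the useless cat and keeps the same exit behaviour.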
@@ -0,0 +1,17 @@
ref:
as: openshift-e2e-fips
from: cli
commands: openshift-e2e-fips-commands.sh
env:
- name: TMPDIR
default: /tmp
documentation: A pathname of a directory made available for programs that need a place to create temporary files.
- name: FIPS_EXPECTED
Contributor: Hmm, this env is not used...

Member Author: Oops, I need to set it in the workflow that enables FIPS...
default: false
documentation: Set to 'true' when you expect FIPS to be enabled on all nodes. By default, the expectation is that FIPS is disabled on all nodes.
resources:
requests:
cpu: 300m
memory: 300Mi
documentation: >-
This step ensures FIPS is enabled or disabled as expected (depending on FIPS_EXPECTED).
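Review bot: this is the variable the commands script must read, and as it stands the script references FIPS_ENABLED, so the name has to be reconciled on one side or the other before the step can run at all. Separately, `default: false` is an unquoted YAML scalar; the container receives it as the string "false", which the script's `= 'true'` comparison tolerates, but quoting it as "false" avoids any boolean coercion and matches the quoted 'true' in the documentation line.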