OCPBUGS-77760: verify FIPS mode after installation completes #10348

Open: zaneb wants to merge 3 commits into openshift:main from zaneb:verify-fips

zaneb (Member) commented Mar 2, 2026

When install-config specifies fips: true, verify
that FIPS mode was actually enabled on the cluster before declaring an ABI
installation successful.

The verification queries both worker and master MachineConfigPools to
retrieve their rendered MachineConfigs (the combined configs that
machine-config-operator actually applies to nodes), and verifies that
FIPS is enabled in each.

This verification only runs for the agent wait-for install-complete
command. Regular installations are unchanged.
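
The check described above, sketched as an added example that is not part of this pull request or the installer's code. It runs on constructed JSON rather than a live cluster, and assumes the rendered config name is read from each pool's `status.configuration.name` and the FIPS flag from the MachineConfig's `spec.fips`; `verifyFIPS`, `object` and `sampleItems` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample (not real cluster output): master has FIPS on, worker off.
const sampleItems = `[
 {"kind":"MachineConfigPool","metadata":{"name":"master"},"status":{"configuration":{"name":"rendered-master-aaa"}}},
 {"kind":"MachineConfigPool","metadata":{"name":"worker"},"status":{"configuration":{"name":"rendered-worker-bbb"}}},
 {"kind":"MachineConfig","metadata":{"name":"rendered-master-aaa"},"spec":{"fips":true}},
 {"kind":"MachineConfig","metadata":{"name":"rendered-worker-bbb"},"spec":{"fips":false}}]`

type object struct { // trimmed view covering the fields read from both kinds
	Kind     string
	Metadata struct{ Name string }
	Spec     struct{ FIPS bool }
	Status   struct{ Configuration struct{ Name string } }
}

// verifyFIPS (hypothetical helper) returns an error unless every required pool
// resolves to a rendered MachineConfig whose spec.fips is true.
func verifyFIPS(itemsJSON string, required ...string) error {
	var items []object
	if err := json.Unmarshal([]byte(itemsJSON), &items); err != nil {
		return fmt.Errorf("decoding objects: %w", err)
	}
	rendered, fips := map[string]string{}, map[string]bool{}
	for _, o := range items {
		switch o.Kind {
		case "MachineConfigPool":
			rendered[o.Metadata.Name] = o.Status.Configuration.Name
		case "MachineConfig":
			fips[o.Metadata.Name] = o.Spec.FIPS
		}
	}
	for _, pool := range required {
		mc := rendered[pool]
		if mc == "" || !fips[mc] { // missing pool, nothing rendered, or FIPS off: fail closed
			return fmt.Errorf("pool %q: FIPS not verified (rendered config %q)", pool, mc)
		}
	}
	return nil
}

func main() {
	fmt.Println(verifyFIPS(sampleItems, "master", "worker"))
}
```

A pool that is absent or has no rendered config is treated the same as FIPS being off, so the check cannot pass on incomplete data.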

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 2, 2026
openshift-ci-robot (Contributor) commented Mar 2, 2026

@zaneb: This pull request references AGENT-1455 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.


@openshift-ci openshift-ci bot requested review from rwsu and tthvo March 2, 2026 21:54
tthvo (Member) commented Mar 2, 2026

/test e2e-aws-ovn-fips

andfasano (Contributor) commented

/approve

openshift-ci bot (Contributor) commented Mar 4, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andfasano

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 4, 2026
zaneb (Member, Author) commented Mar 4, 2026

/retitle OCPBUGS-77760: verify FIPS mode after installation completes

@openshift-ci openshift-ci bot changed the title from "AGENT-1455: verify FIPS mode after installation completes" to "OCPBUGS-77760: verify FIPS mode after installation completes" Mar 4, 2026
@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Mar 4, 2026
openshift-ci-robot (Contributor) commented

@zaneb: This pull request references Jira Issue OCPBUGS-77760, which is invalid:

  • expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


zaneb (Member, Author) commented Mar 4, 2026

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Mar 4, 2026
openshift-ci-robot (Contributor) commented

@zaneb: This pull request references Jira Issue OCPBUGS-77760, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

@zaneb zaneb force-pushed the verify-fips branch 2 times, most recently from cfd5509 to 1d1b6aa Compare March 6, 2026 11:23
zaneb added 3 commits March 7, 2026 00:44

Move install-config loading from inside WaitForInstallComplete to each
call site, and introduce a WaitOptions struct to pass configuration
instead of the entire asset store.

Note that ABI uses an OptionalInstallConfig rather than an InstallConfig
asset, so it has never used an extended timeout for baremetal.

Assisted-by: Claude Code

When install-config specifies fips: true, the agent-based installer now
verifies that FIPS mode was actually enabled on the cluster before
declaring installation successful.

The verification queries both worker and master MachineConfigPools to
retrieve their rendered MachineConfigs (the combined configs that
machine-config-operator actually applies to nodes), and verifies that
FIPS is enabled in each.

This verification only runs for the agent wait-for install-complete
command. Other installations are unchanged.

Assisted-by: Claude Code

NewCluster() and FindRendezvousIPAndSSHKeyFromAssetStore() now accept
an asset.Store parameter directly instead of a directory path string.
This allows callers to reuse an existing Store instance and makes the
API more explicit about its dependencies.

Also fixed typo in function name: FindRendezvouIPAndSSHKeyFromAssetStore
-> FindRendezvousIPAndSSHKeyFromAssetStore.

Assisted-by: Claude Code

openshift-ci bot (Contributor) commented Mar 6, 2026

@zaneb: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-ovn | 154e406 | link | true | /test e2e-aws-ovn |
| ci/prow/e2e-agent-compact-ipv4-iso-no-registry | 154e406 | link | false | /test e2e-agent-compact-ipv4-iso-no-registry |
| ci/prow/e2e-aws-ovn-rhcos10-devpreview | 154e406 | link | false | /test e2e-aws-ovn-rhcos10-devpreview |
