From e2e01f9ab4e39a2e7ac4e1e027411316686e628b Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Tue, 28 Jul 2020 14:04:43 +0000
Subject: [PATCH] Remove FIPS check shell code, already done in the MCO This effectively reverts fb1c4b45ccae5a91d8cd920ea03cdaf3b70fea8c e2e-fips is currently failing with `/bin/bash: line 15: nodes[i]: unbound variable` Looking at this...we already have code to validate the state of FIPS in the MCO, see: https://github.com/openshift/machine-config-operator/blob/091afde36ac117ef8b782a85b38ae8783ddf4b70/pkg/daemon/update.go#L571 https://github.com/openshift/machine-config-operator/pull/1252 https://github.com/openshift/machine-config-operator/pull/1233 I think these types of checks should be the MCO's role, or if we choose not to do that, let's at least implement them in Go in the existing e2e suite and avoid nontrivial shell-in-YAML.
---
 ...openshift-installer-master-presubmits.yaml | 1 -
 ...hift-installer-release-4.4-presubmits.yaml | 1 -
 ...hift-installer-release-4.6-presubmits.yaml | 1 -
 ...hift-installer-release-4.7-presubmits.yaml | 1 -
 ...penshift-kubernetes-master-presubmits.yaml | 1 -
 .../openshift-origin-master-presubmits.yaml | 1 -
 ...enshift-origin-release-4.4-presubmits.yaml | 1 -
 ...enshift-origin-release-4.6-presubmits.yaml | 1 -
 ...enshift-origin-release-4.7-presubmits.yaml | 1 -
 ...enshift-release-release-4.3-periodics.yaml | 4 --
 ...enshift-release-release-4.4-periodics.yaml | 4 --
 .../cluster-launch-installer-e2e.yaml | 37 -------------------
 12 files changed, 54 deletions(-)
diff --git a/ci-operator/jobs/openshift/installer/openshift-installer-master-presubmits.yaml b/ci-operator/jobs/openshift/installer/openshift-installer-master-presubmits.yaml
index 51584d6d7732b..a54e899204fc7 100644
--- a/ci-operator/jobs/openshift/installer/openshift-installer-master-presubmits.yaml
+++ b/ci-operator/jobs/openshift/installer/openshift-installer-master-presubmits.yaml
@@ -183,7 +183,6 @@ presubmits:
 value: e2e-aws-fips
 - name: TEST_COMMAND
 value: |
- fips_check
 TEST_SUITE=openshift/conformance/parallel run-tests
 image: ci-operator:latest
 imagePullPolicy: Always
diff --git a/ci-operator/jobs/openshift/installer/openshift-installer-release-4.4-presubmits.yaml b/ci-operator/jobs/openshift/installer/openshift-installer-release-4.4-presubmits.yaml
index c6956bdcc0ec6..251cbd40bc3f7 100644
--- a/ci-operator/jobs/openshift/installer/openshift-installer-release-4.4-presubmits.yaml
+++ b/ci-operator/jobs/openshift/installer/openshift-installer-release-4.4-presubmits.yaml
@@ -182,7 +182,6 @@ presubmits:
 value: e2e-aws-fips
 - name: TEST_COMMAND
 value: |
- fips_check
 TEST_SUITE=openshift/conformance/parallel run-tests
 image: ci-operator:latest
 imagePullPolicy: Always
diff --git a/ci-operator/jobs/openshift/installer/openshift-installer-release-4.6-presubmits.yaml b/ci-operator/jobs/openshift/installer/openshift-installer-release-4.6-presubmits.yaml
index b1fcfb6e06e58..f62d5dacf6f9e 100644
--- a/ci-operator/jobs/openshift/installer/openshift-installer-release-4.6-presubmits.yaml
+++ b/ci-operator/jobs/openshift/installer/openshift-installer-release-4.6-presubmits.yaml
@@ -182,7 +182,6 @@ presubmits:
 value: e2e-aws-fips
 - name: TEST_COMMAND
 value: |
- fips_check
 TEST_SUITE=openshift/conformance/parallel run-tests
 image: ci-operator:latest
 imagePullPolicy: Always
diff --git a/ci-operator/jobs/openshift/installer/openshift-installer-release-4.7-presubmits.yaml b/ci-operator/jobs/openshift/installer/openshift-installer-release-4.7-presubmits.yaml
index 5b52ff6daf217..a42ff81b73ff7 100644
--- a/ci-operator/jobs/openshift/installer/openshift-installer-release-4.7-presubmits.yaml
+++ b/ci-operator/jobs/openshift/installer/openshift-installer-release-4.7-presubmits.yaml
@@ -182,7 +182,6 @@ presubmits:
 value: e2e-aws-fips
 - name: TEST_COMMAND
 value: |
- fips_check
 TEST_SUITE=openshift/conformance/parallel run-tests
 image: ci-operator:latest
 imagePullPolicy: Always
diff --git a/ci-operator/jobs/openshift/kubernetes/openshift-kubernetes-master-presubmits.yaml b/ci-operator/jobs/openshift/kubernetes/openshift-kubernetes-master-presubmits.yaml
index 41825bb2ff905..6f7733259dd5e 100644
--- a/ci-operator/jobs/openshift/kubernetes/openshift-kubernetes-master-presubmits.yaml
+++ b/ci-operator/jobs/openshift/kubernetes/openshift-kubernetes-master-presubmits.yaml
@@ -232,7 +232,6 @@ presubmits:
 value: e2e-aws-fips
 - name: TEST_COMMAND
 value: |
- fips_check
 TEST_SUITE=openshift/conformance/parallel run-tests
 image: ci-operator:latest
 imagePullPolicy: Always
diff --git a/ci-operator/jobs/openshift/origin/openshift-origin-master-presubmits.yaml b/ci-operator/jobs/openshift/origin/openshift-origin-master-presubmits.yaml
index 8305d9fd0a8e0..ca265c9308a64 100644
--- a/ci-operator/jobs/openshift/origin/openshift-origin-master-presubmits.yaml
+++ b/ci-operator/jobs/openshift/origin/openshift-origin-master-presubmits.yaml
@@ -182,7 +182,6 @@ presubmits:
 value: e2e-aws-fips
 - name: TEST_COMMAND
 value: |
- fips_check
 TEST_SUITE=openshift/conformance/parallel run-tests
 image: ci-operator:latest
 imagePullPolicy: Always
diff --git a/ci-operator/jobs/openshift/origin/openshift-origin-release-4.4-presubmits.yaml b/ci-operator/jobs/openshift/origin/openshift-origin-release-4.4-presubmits.yaml
index 49bcd1a991b07..8103aa50ec317 100644
--- a/ci-operator/jobs/openshift/origin/openshift-origin-release-4.4-presubmits.yaml
+++ b/ci-operator/jobs/openshift/origin/openshift-origin-release-4.4-presubmits.yaml
@@ -294,7 +294,6 @@ presubmits:
 value: e2e-aws-fips
 - name: TEST_COMMAND
 value: |
- fips_check
 TEST_SUITE=openshift/conformance/parallel run-tests
 image: ci-operator:latest
 imagePullPolicy: Always
diff --git a/ci-operator/jobs/openshift/origin/openshift-origin-release-4.6-presubmits.yaml b/ci-operator/jobs/openshift/origin/openshift-origin-release-4.6-presubmits.yaml
index 511c45254405e..1cda0eb463ecd 100644
--- a/ci-operator/jobs/openshift/origin/openshift-origin-release-4.6-presubmits.yaml
+++ b/ci-operator/jobs/openshift/origin/openshift-origin-release-4.6-presubmits.yaml
@@ -231,7 +231,6 @@ presubmits:
 value: e2e-aws-fips
 - name: TEST_COMMAND
 value: |
- fips_check
 TEST_SUITE=openshift/conformance/parallel run-tests
 image: ci-operator:latest
 imagePullPolicy: Always
diff --git a/ci-operator/jobs/openshift/origin/openshift-origin-release-4.7-presubmits.yaml b/ci-operator/jobs/openshift/origin/openshift-origin-release-4.7-presubmits.yaml
index 15db8e03ba018..6e541531ca60d 100644
--- a/ci-operator/jobs/openshift/origin/openshift-origin-release-4.7-presubmits.yaml
+++ b/ci-operator/jobs/openshift/origin/openshift-origin-release-4.7-presubmits.yaml
@@ -231,7 +231,6 @@ presubmits:
 value: e2e-aws-fips
 - name: TEST_COMMAND
 value: |
- fips_check
 TEST_SUITE=openshift/conformance/parallel run-tests
 image: ci-operator:latest
 imagePullPolicy: Always
diff --git a/ci-operator/jobs/openshift/release/openshift-release-release-4.3-periodics.yaml b/ci-operator/jobs/openshift/release/openshift-release-release-4.3-periodics.yaml
index 6572dab1e8df2..de074f6957677 100644
--- a/ci-operator/jobs/openshift/release/openshift-release-release-4.3-periodics.yaml
+++ b/ci-operator/jobs/openshift/release/openshift-release-release-4.3-periodics.yaml
@@ -4957,16 +4957,12 @@ periodics:
 tests:
 - as: e2e-aws-fips
 commands: |
- fips_check
 TEST_SUITE=all run-upgrade-tests
- fips_check
 openshift_installer:
 cluster_profile: "$(CLUSTER_TYPE)"
 - name: TEST_COMMAND
 value: |
- fips_check
 TEST_SUITE=all run-upgrade-tests
- fips_check
 image: ci-operator:latest
 imagePullPolicy: Always
 name: ""
diff --git a/ci-operator/jobs/openshift/release/openshift-release-release-4.4-periodics.yaml b/ci-operator/jobs/openshift/release/openshift-release-release-4.4-periodics.yaml
index 0ac82fd6bbd67..c5f332dfcaca8 100644
--- a/ci-operator/jobs/openshift/release/openshift-release-release-4.4-periodics.yaml
+++ b/ci-operator/jobs/openshift/release/openshift-release-release-4.4-periodics.yaml
@@ -4629,16 +4629,12 @@ periodics:
 tests:
 - as: e2e-aws-fips
 commands: |
- fips_check
 TEST_SUITE=all run-upgrade-tests
- fips_check
 openshift_installer:
 cluster_profile: "$(CLUSTER_TYPE)"
 - name: TEST_COMMAND
 value: |
- fips_check
 TEST_SUITE=all run-upgrade-tests
- fips_check
 image: ci-operator:latest
 imagePullPolicy: Always
 name: ""
diff --git a/ci-operator/templates/openshift/installer/cluster-launch-installer-e2e.yaml b/ci-operator/templates/openshift/installer/cluster-launch-installer-e2e.yaml
index b1e0170bdf9f2..02d22094c6900 100644
--- a/ci-operator/templates/openshift/installer/cluster-launch-installer-e2e.yaml
+++ b/ci-operator/templates/openshift/installer/cluster-launch-installer-e2e.yaml
@@ -158,43 +158,6 @@ objects: trap 'touch /tmp/shared/exit' EXIT trap 'jobs -p | xargs -r kill || true; exit 0' TERM - function fips_check() { - get_nodes=$(oc --request-timeout=60s get nodes -o jsonpath --template '{range .items[*]}{.metadata.name}{"\n"}{end}') - nodes=( $get_nodes ) - # bash doesn't handle '.' in array elements easily - for i in {0..5}; do - attempt=0 - while true; do - out=$(oc --request-timeout=60s -n default debug node/"${nodes[i]}" -- cat /proc/sys/crypto/fips_enabled || true) - if [[ ! -z "${out}" ]]; then - break - fi - attempt=$(( attempt + 1 )) - if [[ $attempt -gt 3 ]]; then - break - fi - echo "command failed, $(( 4 - $attempt )) retries left" - sleep 5 - done - - if [[ -z "${out}" ]]; then - echo "oc debug node/${nodes[i]} failed" - exit 1 - fi - if [[ "${CLUSTER_VARIANT}" =~ "fips" ]]; then - if [[ "${out}" -ne 1 ]]; then - echo "fips not enabled in node ${nodes[i]} but should be, exiting" - exit 1 - fi - else - if [[ "${out}" -ne 0 ]]; then - echo "fips is enabled in node ${nodes[i]} but should not be, exiting" - exit 1 - fi - fi - done - } - function patch_image_specs() { cat <samples-patch.yaml - op: add