refactor fips from preview api to feature flag and admin api

2021-09-29 14:30:41 -04:00 · 2021-09-29 14:30:41 -04:00 · 3a57d37fc8
--- a/.sha256sum
+++ b/.sha256sum
@ -1,2 +1,2 @@
 468fa0da0a50d50640ec57843ad288af343128b39f5bf23e76e4e336580883d4  swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/stable/2020-04-30/redhatopenshift.json
-5369bd05f66fb79c8bd0836a980eea438974cc94cb8a073104ee218da8612602  swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/preview/2021-09-01-preview/redhatopenshift.json
+c323c84befa5ea11da50a2407050abed6540ea01e796720bc2241604ce80567c  swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/preview/2021-09-01-preview/redhatopenshift.json
--- a/pkg/api/v20210901preview/openshiftcluster.go
+++ b/pkg/api/v20210901preview/openshiftcluster.go
@ -84,15 +84,6 @@ const (
 	ProvisioningStateFailed        ProvisioningState = "Failed"
 )

-// FipsValidatedModules determines if FIPS is used.
-type FipsValidatedModules string
-
-// FipsValidatedModules constants.
-const (
-	FipsValidatedModulesEnabled  FipsValidatedModules = "Enabled"
-	FipsValidatedModulesDisabled FipsValidatedModules = "Disabled"
-)
-
 // ClusterProfile represents a cluster profile.
 type ClusterProfile struct {
 	// The pull secret for the cluster.
@ -106,9 +97,6 @@ type ClusterProfile struct {

 	// The ID of the cluster resource group.
 	ResourceGroupID string `json:"resourceGroupId,omitempty"`
-
-	// If FIPS validated crypto modules are used
-	FipsValidatedModules FipsValidatedModules `json:"fipsValidatedModules,omitempty"`
 }

 // ConsoleProfile represents a console profile.
--- a/pkg/api/v20210901preview/openshiftcluster_convert.go
+++ b/pkg/api/v20210901preview/openshiftcluster_convert.go
@ -22,11 +22,10 @@ func (c *openShiftClusterConverter) ToExternal(oc *api.OpenShiftCluster) interfa
 		Properties: OpenShiftClusterProperties{
 			ProvisioningState: ProvisioningState(oc.Properties.ProvisioningState),
 			ClusterProfile: ClusterProfile{
-				PullSecret:           string(oc.Properties.ClusterProfile.PullSecret),
-				Domain:               oc.Properties.ClusterProfile.Domain,
-				Version:              oc.Properties.ClusterProfile.Version,
-				ResourceGroupID:      oc.Properties.ClusterProfile.ResourceGroupID,
-				FipsValidatedModules: FipsValidatedModules(oc.Properties.ClusterProfile.FipsValidatedModules),
+				PullSecret:      string(oc.Properties.ClusterProfile.PullSecret),
+				Domain:          oc.Properties.ClusterProfile.Domain,
+				Version:         oc.Properties.ClusterProfile.Version,
+				ResourceGroupID: oc.Properties.ClusterProfile.ResourceGroupID,
 			},
 			ConsoleProfile: ConsoleProfile{
 				URL: oc.Properties.ConsoleProfile.URL,
@ -136,7 +135,6 @@ func (c *openShiftClusterConverter) ToInternal(_oc interface{}, out *api.OpenShi
 	out.Properties.ClusterProfile.PullSecret = api.SecureString(oc.Properties.ClusterProfile.PullSecret)
 	out.Properties.ClusterProfile.Domain = oc.Properties.ClusterProfile.Domain
 	out.Properties.ClusterProfile.Version = oc.Properties.ClusterProfile.Version
-	out.Properties.ClusterProfile.FipsValidatedModules = api.FipsValidatedModules(oc.Properties.ClusterProfile.FipsValidatedModules)
 	out.Properties.ClusterProfile.ResourceGroupID = oc.Properties.ClusterProfile.ResourceGroupID
 	out.Properties.ConsoleProfile.URL = oc.Properties.ConsoleProfile.URL
 	out.Properties.ServicePrincipalProfile.ClientID = oc.Properties.ServicePrincipalProfile.ClientID
--- a/pkg/client/services/redhatopenshift/mgmt/2021-09-01-preview/redhatopenshift/enums.go
+++ b/pkg/client/services/redhatopenshift/mgmt/2021-09-01-preview/redhatopenshift/enums.go
@ -51,21 +51,6 @@ func PossibleEncryptionAtHostValues() []EncryptionAtHost {
 	return []EncryptionAtHost{Disabled, Enabled}
 }

-// FipsValidatedModules enumerates the values for fips validated modules.
-type FipsValidatedModules string
-
-const (
-	// FipsValidatedModulesDisabled ...
-	FipsValidatedModulesDisabled FipsValidatedModules = "Disabled"
-	// FipsValidatedModulesEnabled ...
-	FipsValidatedModulesEnabled FipsValidatedModules = "Enabled"
-)
-
-// PossibleFipsValidatedModulesValues returns an array of possible values for the FipsValidatedModules const type.
-func PossibleFipsValidatedModulesValues() []FipsValidatedModules {
-	return []FipsValidatedModules{FipsValidatedModulesDisabled, FipsValidatedModulesEnabled}
-}
-
 // ProvisioningState enumerates the values for provisioning state.
 type ProvisioningState string

--- a/pkg/client/services/redhatopenshift/mgmt/2021-09-01-preview/redhatopenshift/models.go
+++ b/pkg/client/services/redhatopenshift/mgmt/2021-09-01-preview/redhatopenshift/models.go
@ -88,8 +88,6 @@ type ClusterProfile struct {
 	Version *string `json:"version,omitempty"`
 	// ResourceGroupID - The ID of the cluster resource group.
 	ResourceGroupID *string `json:"resourceGroupId,omitempty"`
-	// FipsValidatedModules - If FIPS validated crypto modules are used. Possible values include: 'FipsValidatedModulesDisabled', 'FipsValidatedModulesEnabled'
-	FipsValidatedModules FipsValidatedModules `json:"fipsValidatedModules,omitempty"`
 }

 // ConsoleProfile consoleProfile represents a console profile.
--- a/pkg/util/cluster/cluster.go
+++ b/pkg/util/cluster/cluster.go
@ -146,11 +146,6 @@ func (c *Cluster) Create(ctx context.Context, vnetResourceGroup, clusterName str
 		visibility = api.VisibilityPrivate
 	}

-	fipsValidatedModules := api.FipsValidatedModulesEnabled
-	if os.Getenv("ARO_FIPS_DISABLED") != "" {
-		fipsValidatedModules = api.FipsValidatedModulesDisabled
-	}
-
 	if c.ci {
 		c.log.Infof("creating resource group")
 		_, err = c.groups.CreateOrUpdate(ctx, vnetResourceGroup, mgmtfeatures.ResourceGroup{
@ -261,7 +256,7 @@ func (c *Cluster) Create(ctx context.Context, vnetResourceGroup, clusterName str
 	}

 	c.log.Info("creating cluster")
-	err = c.createCluster(ctx, vnetResourceGroup, clusterName, appID, appSecret, visibility, fipsValidatedModules)
+	err = c.createCluster(ctx, vnetResourceGroup, clusterName, appID, appSecret, visibility)
 	if err != nil {
 		return err
 	}
@ -362,14 +357,13 @@ func (c *Cluster) Delete(ctx context.Context, vnetResourceGroup, clusterName str
 // createCluster created new clusters, based on where it is running.
 // development - using preview api
 // production - using stable GA api
-func (c *Cluster) createCluster(ctx context.Context, vnetResourceGroup, clusterName, clientID, clientSecret string, visibility api.Visibility, fipsValidatedModules api.FipsValidatedModules) error {
+func (c *Cluster) createCluster(ctx context.Context, vnetResourceGroup, clusterName, clientID, clientSecret string, visibility api.Visibility) error {
 	// using internal representation for "singe source" of options
 	oc := api.OpenShiftCluster{
 		Properties: api.OpenShiftClusterProperties{
 			ClusterProfile: api.ClusterProfile{
-				Domain:               strings.ToLower(clusterName),
-				FipsValidatedModules: fipsValidatedModules,
-				ResourceGroupID:      fmt.Sprintf("/subscriptions/%s/resourceGroups/%s", c.env.SubscriptionID(), "aro-"+clusterName),
+				Domain:          strings.ToLower(clusterName),
+				ResourceGroupID: fmt.Sprintf("/subscriptions/%s/resourceGroups/%s", c.env.SubscriptionID(), "aro-"+clusterName),
 			},
 			ServicePrincipalProfile: api.ServicePrincipalProfile{
 				ClientID:     clientID,
--- a/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/init.py
+++ b/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/init.py
@ -60,7 +60,6 @@ except (SyntaxError, ImportError):
 from ._azure_red_hat_open_shift_client_enums import (
    CreatedByType,
    EncryptionAtHost,
-    FipsValidatedModules,
    ProvisioningState,
    SoftwareDefinedNetwork,
    VMSize,
@ -90,7 +89,6 @@ __all__ = [
    'WorkerProfile',
    'CreatedByType',
    'EncryptionAtHost',
-    'FipsValidatedModules',
    'ProvisioningState',
    'SoftwareDefinedNetwork',
    'VMSize',
--- a/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_azure_red_hat_open_shift_client_enums.py
+++ b/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_azure_red_hat_open_shift_client_enums.py
@ -50,13 +50,6 @@ class EncryptionAtHost(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
    DISABLED = "Disabled"
    ENABLED = "Enabled"

-class FipsValidatedModules(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
-    """FipsValidatedModules determines if FIPS is used.
-    """
-
-    DISABLED = "Disabled"
-    ENABLED = "Enabled"
-
 class ProvisioningState(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
    """ProvisioningState represents a provisioning state.
    """
--- a/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_models.py
+++ b/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_models.py
@ -89,10 +89,6 @@ class ClusterProfile(msrest.serialization.Model):
    :type version: str
    :param resource_group_id: The ID of the cluster resource group.
    :type resource_group_id: str
-    :param fips_validated_modules: If FIPS validated crypto modules are used. Possible values
-     include: "Disabled", "Enabled".
-    :type fips_validated_modules: str or
-     ~azure.mgmt.redhatopenshift.v2021_09_01_preview.models.FipsValidatedModules
    """

    _attribute_map = {
@ -100,7 +96,6 @@ class ClusterProfile(msrest.serialization.Model):
        'domain': {'key': 'domain', 'type': 'str'},
        'version': {'key': 'version', 'type': 'str'},
        'resource_group_id': {'key': 'resourceGroupId', 'type': 'str'},
-        'fips_validated_modules': {'key': 'fipsValidatedModules', 'type': 'str'},
    }

    def __init__(
@ -112,7 +107,6 @@ class ClusterProfile(msrest.serialization.Model):
        self.domain = kwargs.get('domain', None)
        self.version = kwargs.get('version', None)
        self.resource_group_id = kwargs.get('resource_group_id', None)
-        self.fips_validated_modules = kwargs.get('fips_validated_modules', None)


 class ConsoleProfile(msrest.serialization.Model):
--- a/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_models_py3.py
+++ b/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_models_py3.py
@ -103,10 +103,6 @@ class ClusterProfile(msrest.serialization.Model):
    :type version: str
    :param resource_group_id: The ID of the cluster resource group.
    :type resource_group_id: str
-    :param fips_validated_modules: If FIPS validated crypto modules are used. Possible values
-     include: "Disabled", "Enabled".
-    :type fips_validated_modules: str or
-     ~azure.mgmt.redhatopenshift.v2021_09_01_preview.models.FipsValidatedModules
    """

    _attribute_map = {
@ -114,7 +110,6 @@ class ClusterProfile(msrest.serialization.Model):
        'domain': {'key': 'domain', 'type': 'str'},
        'version': {'key': 'version', 'type': 'str'},
        'resource_group_id': {'key': 'resourceGroupId', 'type': 'str'},
-        'fips_validated_modules': {'key': 'fipsValidatedModules', 'type': 'str'},
    }

    def __init__(
@ -124,7 +119,6 @@ class ClusterProfile(msrest.serialization.Model):
        domain: Optional[str] = None,
        version: Optional[str] = None,
        resource_group_id: Optional[str] = None,
-        fips_validated_modules: Optional[Union[str, "FipsValidatedModules"]] = None,
        **kwargs
    ):
        super(ClusterProfile, self).__init__(**kwargs)
@ -132,7 +126,6 @@ class ClusterProfile(msrest.serialization.Model):
        self.domain = domain
        self.version = version
        self.resource_group_id = resource_group_id
-        self.fips_validated_modules = fips_validated_modules


 class ConsoleProfile(msrest.serialization.Model):
--- a/swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/preview/2021-09-01-preview/redhatopenshift.json
+++ b/swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/preview/2021-09-01-preview/redhatopenshift.json
@ -519,10 +519,6 @@
        "resourceGroupId": {
          "description": "The ID of the cluster resource group.",
          "type": "string"
-        },
-        "fipsValidatedModules": {
-          "$ref": "#/definitions/FipsValidatedModules",
-          "description": "If FIPS validated crypto modules are used"
        }
      }
    },
@ -570,14 +566,6 @@
        "modelAsString": true
      }
    },
-    "FipsValidatedModules": {
-      "description": "FipsValidatedModules determines if FIPS is used.",
-      "enum": [
-        "Disabled",
-        "Enabled"
-      ],
-      "type": "string"
-    },
    "IngressProfile": {
      "description": "IngressProfile represents an ingress profile.",
      "type": "object",
--- a/test/e2e/fips.go
+++ b/test/e2e/fips.go
@ -20,16 +20,6 @@ const (

 var _ = Describe("Validate FIPS Mode", func() {
 	ctx := context.Background()
-	It("should be possible to retrieve FipsValidatedModules from cluster document", func() {
-		oc, err := clients.OpenshiftClustersv20210901preview.Get(ctx, vnetResourceGroup, clusterName)
-		Expect(err).NotTo(HaveOccurred())
-
-		// Check we retrieve FipsValidatedModules
-		clusterProfile := oc.ClusterProfile
-		Expect(clusterProfile).NotTo(BeNil())
-		Expect(string(clusterProfile.FipsValidatedModules)).To(Equal("Enabled"))
-
-	})
 	It("should be possible to validate fips master and worker machineconfigs exist", func() {
 		mcp, err := clients.MachineConfig.MachineconfigurationV1().MachineConfigPools().List(ctx, metav1.ListOptions{})
 		Expect(err).NotTo(HaveOccurred())