From 3a57d37fc892f7ebc548d2b351765cfa7ebe26fd Mon Sep 17 00:00:00 2001
From: Ross Bryan
Date: Wed, 29 Sep 2021 14:30:41 -0400
Subject: [PATCH] refactor fips from preview api to feature flag and admin api
---
 .sha256sum | 2 +-
 pkg/api/v20210901preview/openshiftcluster.go | 12 ------------
 .../v20210901preview/openshiftcluster_convert.go | 10 ++++------
 .../2021-09-01-preview/redhatopenshift/enums.go | 15 ---------------
 .../2021-09-01-preview/redhatopenshift/models.go | 2 --
 pkg/util/cluster/cluster.go | 14 ++++----------
 .../v2021_09_01_preview/models/__init__.py | 2 --
 .../_azure_red_hat_open_shift_client_enums.py | 7 -------
 .../v2021_09_01_preview/models/_models.py | 6 ------
 .../v2021_09_01_preview/models/_models_py3.py | 7 -------
 .../2021-09-01-preview/redhatopenshift.json | 12 ------------
 test/e2e/fips.go | 10 ----------
 12 files changed, 9 insertions(+), 90 deletions(-)
diff --git a/.sha256sum b/.sha256sum
index dbd5a3a32..a5059ecf2 100644
--- a/.sha256sum
+++ b/.sha256sum
@@ -1,2 +1,2 @@
 468fa0da0a50d50640ec57843ad288af343128b39f5bf23e76e4e336580883d4 swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/stable/2020-04-30/redhatopenshift.json
-5369bd05f66fb79c8bd0836a980eea438974cc94cb8a073104ee218da8612602 swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/preview/2021-09-01-preview/redhatopenshift.json
+c323c84befa5ea11da50a2407050abed6540ea01e796720bc2241604ce80567c swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/preview/2021-09-01-preview/redhatopenshift.json
diff --git a/pkg/api/v20210901preview/openshiftcluster.go b/pkg/api/v20210901preview/openshiftcluster.go
index 6f3775e4e..b5e5d07ba 100644
--- a/pkg/api/v20210901preview/openshiftcluster.go
+++ b/pkg/api/v20210901preview/openshiftcluster.go
@@ -84,15 +84,6 @@ const ( ProvisioningStateFailed ProvisioningState = "Failed" ) -// FipsValidatedModules determines if FIPS is used. -type FipsValidatedModules string - -// FipsValidatedModules constants. -const ( - FipsValidatedModulesEnabled FipsValidatedModules = "Enabled" - FipsValidatedModulesDisabled FipsValidatedModules = "Disabled" -) - // ClusterProfile represents a cluster profile. type ClusterProfile struct { // The pull secret for the cluster. @@ -106,9 +97,6 @@ type ClusterProfile struct { // The ID of the cluster resource group. ResourceGroupID string `json:"resourceGroupId,omitempty"` - - // If FIPS validated crypto modules are used - FipsValidatedModules FipsValidatedModules `json:"fipsValidatedModules,omitempty"` } // ConsoleProfile represents a console profile. diff --git a/pkg/api/v20210901preview/openshiftcluster_convert.go b/pkg/api/v20210901preview/openshiftcluster_convert.go index 80d6e2a9d..69a796c9a 100644 --- a/pkg/api/v20210901preview/openshiftcluster_convert.go +++ b/pkg/api/v20210901preview/openshiftcluster_convert.go @@ -22,11 +22,10 @@ func (c *openShiftClusterConverter) ToExternal(oc *api.OpenShiftCluster) interfa Properties: OpenShiftClusterProperties{ ProvisioningState: ProvisioningState(oc.Properties.ProvisioningState), ClusterProfile: ClusterProfile{ - PullSecret: string(oc.Properties.ClusterProfile.PullSecret), - Domain: oc.Properties.ClusterProfile.Domain, - Version: oc.Properties.ClusterProfile.Version, - ResourceGroupID: oc.Properties.ClusterProfile.ResourceGroupID, - FipsValidatedModules: FipsValidatedModules(oc.Properties.ClusterProfile.FipsValidatedModules), + PullSecret: string(oc.Properties.ClusterProfile.PullSecret), + Domain: oc.Properties.ClusterProfile.Domain, + Version: oc.Properties.ClusterProfile.Version, + ResourceGroupID: oc.Properties.ClusterProfile.ResourceGroupID, }, ConsoleProfile: ConsoleProfile{ URL: oc.Properties.ConsoleProfile.URL, 
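Review bot: Dropping `FipsValidatedModules` from the `ClusterProfile` literal in `ToExternal` (together with the struct field removed in the hunk before it and the `ToInternal` assignment removed in the hunk after it) changes the existing 2021-09-01-preview contract in place, and nothing in this patch shows what now happens to a request body that still carries `fipsValidatedModules`. If the request decoder ignores unknown fields, a caller asking for `"Enabled"` would get a cluster created with no error telling them the setting was dropped, which is the worse outcome for a compliance control. It would be worth confirming such requests are rejected, and adding a test that pins that behaviour next to the converter tests. `ToExternal` starts and ends outside this hunk.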
@@ -136,7 +135,6 @@ func (c *openShiftClusterConverter) ToInternal(_oc interface{}, out *api.OpenShi out.Properties.ClusterProfile.PullSecret = api.SecureString(oc.Properties.ClusterProfile.PullSecret) out.Properties.ClusterProfile.Domain = oc.Properties.ClusterProfile.Domain out.Properties.ClusterProfile.Version = oc.Properties.ClusterProfile.Version - out.Properties.ClusterProfile.FipsValidatedModules = api.FipsValidatedModules(oc.Properties.ClusterProfile.FipsValidatedModules) out.Properties.ClusterProfile.ResourceGroupID = oc.Properties.ClusterProfile.ResourceGroupID out.Properties.ConsoleProfile.URL = oc.Properties.ConsoleProfile.URL out.Properties.ServicePrincipalProfile.ClientID = oc.Properties.ServicePrincipalProfile.ClientID diff --git a/pkg/client/services/redhatopenshift/mgmt/2021-09-01-preview/redhatopenshift/enums.go b/pkg/client/services/redhatopenshift/mgmt/2021-09-01-preview/redhatopenshift/enums.go index 81d7dd759..0b1103374 100644 --- a/pkg/client/services/redhatopenshift/mgmt/2021-09-01-preview/redhatopenshift/enums.go +++ b/pkg/client/services/redhatopenshift/mgmt/2021-09-01-preview/redhatopenshift/enums.go @@ -51,21 +51,6 @@ func PossibleEncryptionAtHostValues() []EncryptionAtHost { return []EncryptionAtHost{Disabled, Enabled} } -// FipsValidatedModules enumerates the values for fips validated modules. -type FipsValidatedModules string - -const ( - // FipsValidatedModulesDisabled ... - FipsValidatedModulesDisabled FipsValidatedModules = "Disabled" - // FipsValidatedModulesEnabled ... - FipsValidatedModulesEnabled FipsValidatedModules = "Enabled" -) - -// PossibleFipsValidatedModulesValues returns an array of possible values for the FipsValidatedModules const type. -func PossibleFipsValidatedModulesValues() []FipsValidatedModules { - return []FipsValidatedModules{FipsValidatedModulesDisabled, FipsValidatedModulesEnabled} -} - // ProvisioningState enumerates the values for provisioning state. type ProvisioningState string 
diff --git a/pkg/client/services/redhatopenshift/mgmt/2021-09-01-preview/redhatopenshift/models.go b/pkg/client/services/redhatopenshift/mgmt/2021-09-01-preview/redhatopenshift/models.go index 05f478b44..299fef2d6 100644 --- a/pkg/client/services/redhatopenshift/mgmt/2021-09-01-preview/redhatopenshift/models.go +++ b/pkg/client/services/redhatopenshift/mgmt/2021-09-01-preview/redhatopenshift/models.go @@ -88,8 +88,6 @@ type ClusterProfile struct { Version *string `json:"version,omitempty"` // ResourceGroupID - The ID of the cluster resource group. ResourceGroupID *string `json:"resourceGroupId,omitempty"` - // FipsValidatedModules - If FIPS validated crypto modules are used. Possible values include: 'FipsValidatedModulesDisabled', 'FipsValidatedModulesEnabled' - FipsValidatedModules FipsValidatedModules `json:"fipsValidatedModules,omitempty"` } // ConsoleProfile consoleProfile represents a console profile. diff --git a/pkg/util/cluster/cluster.go b/pkg/util/cluster/cluster.go index b6171ef1b..6c84b10d6 100644 --- a/pkg/util/cluster/cluster.go +++ b/pkg/util/cluster/cluster.go @@ -146,11 +146,6 @@ func (c *Cluster) Create(ctx context.Context, vnetResourceGroup, clusterName str visibility = api.VisibilityPrivate } - fipsValidatedModules := api.FipsValidatedModulesEnabled - if os.Getenv("ARO_FIPS_DISABLED") != "" { - fipsValidatedModules = api.FipsValidatedModulesDisabled - } - if c.ci { c.log.Infof("creating resource group") _, err = c.groups.CreateOrUpdate(ctx, vnetResourceGroup, mgmtfeatures.ResourceGroup{ @@ -261,7 +256,7 @@ func (c *Cluster) Create(ctx context.Context, vnetResourceGroup, clusterName str } c.log.Info("creating cluster") - err = c.createCluster(ctx, vnetResourceGroup, clusterName, appID, appSecret, visibility, fipsValidatedModules) + err = c.createCluster(ctx, vnetResourceGroup, clusterName, appID, appSecret, visibility) if err != nil { return err } 
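Review bot: The new call `c.createCluster(ctx, vnetResourceGroup, clusterName, appID, appSecret, visibility)` in `Create` no longer carries a FIPS setting, and the `createCluster` hunk that follows drops `FipsValidatedModules` from the `api.ClusterProfile` literal, so the internal field is left at its zero value. The removed code defaulted to `api.FipsValidatedModulesEnabled` with an `ARO_FIPS_DISABLED` opt-out; this patch does not show the feature flag named in the subject being set for clusters created by this helper, so dev and CI clusters may now come up without FIPS while `test/e2e/fips.go` keeps its machineconfig check. Either set the flag in this path or document the new source of truth at the call site, for example `// FIPS is now driven by the feature flag, see <where the flag is registered>; the cluster document no longer carries it`. Both `Create` and `createCluster` extend beyond the visible hunks.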
@@ -362,14 +357,13 @@ func (c *Cluster) Delete(ctx context.Context, vnetResourceGroup, clusterName str // createCluster created new clusters, based on where it is running. // development - using preview api // production - using stable GA api -func (c *Cluster) createCluster(ctx context.Context, vnetResourceGroup, clusterName, clientID, clientSecret string, visibility api.Visibility, fipsValidatedModules api.FipsValidatedModules) error { +func (c *Cluster) createCluster(ctx context.Context, vnetResourceGroup, clusterName, clientID, clientSecret string, visibility api.Visibility) error { // using internal representation for "singe source" of options oc := api.OpenShiftCluster{ Properties: api.OpenShiftClusterProperties{ ClusterProfile: api.ClusterProfile{ - Domain: strings.ToLower(clusterName), - FipsValidatedModules: fipsValidatedModules, - ResourceGroupID: fmt.Sprintf("/subscriptions/%s/resourceGroups/%s", c.env.SubscriptionID(), "aro-"+clusterName), + Domain: strings.ToLower(clusterName), + ResourceGroupID: fmt.Sprintf("/subscriptions/%s/resourceGroups/%s", c.env.SubscriptionID(), "aro-"+clusterName), }, ServicePrincipalProfile: api.ServicePrincipalProfile{ ClientID: clientID, diff --git a/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/__init__.py b/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/__init__.py index 5b0207dc7..7d1854d6a 100644 --- a/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/__init__.py +++ b/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/__init__.py @@ -60,7 +60,6 @@ except (SyntaxError, ImportError): from ._azure_red_hat_open_shift_client_enums import ( CreatedByType, EncryptionAtHost, - FipsValidatedModules, ProvisioningState, SoftwareDefinedNetwork, VMSize, @@ -90,7 +89,6 @@ __all__ = [ 'WorkerProfile', 'CreatedByType', 'EncryptionAtHost', - 'FipsValidatedModules', 'ProvisioningState', 'SoftwareDefinedNetwork', 'VMSize', 
diff --git a/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_azure_red_hat_open_shift_client_enums.py b/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_azure_red_hat_open_shift_client_enums.py index ee271fedd..462e4b71d 100644 --- a/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_azure_red_hat_open_shift_client_enums.py +++ b/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_azure_red_hat_open_shift_client_enums.py @@ -50,13 +50,6 @@ class EncryptionAtHost(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): DISABLED = "Disabled" ENABLED = "Enabled" -class FipsValidatedModules(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """FipsValidatedModules determines if FIPS is used. - """ - - DISABLED = "Disabled" - ENABLED = "Enabled" - class ProvisioningState(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): """ProvisioningState represents a provisioning state. """ diff --git a/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_models.py b/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_models.py index 3c6428b60..2e7e61ecb 100644 --- a/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_models.py +++ b/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_models.py @@ -89,10 +89,6 @@ class ClusterProfile(msrest.serialization.Model): :type version: str :param resource_group_id: The ID of the cluster resource group. :type resource_group_id: str - :param fips_validated_modules: If FIPS validated crypto modules are used. Possible values - include: "Disabled", "Enabled". - :type fips_validated_modules: str or - ~azure.mgmt.redhatopenshift.v2021_09_01_preview.models.FipsValidatedModules """ _attribute_map = { 
@@ -100,7 +96,6 @@ class ClusterProfile(msrest.serialization.Model): 'domain': {'key': 'domain', 'type': 'str'}, 'version': {'key': 'version', 'type': 'str'}, 'resource_group_id': {'key': 'resourceGroupId', 'type': 'str'}, - 'fips_validated_modules': {'key': 'fipsValidatedModules', 'type': 'str'}, } def __init__( @@ -112,7 +107,6 @@ class ClusterProfile(msrest.serialization.Model): self.domain = kwargs.get('domain', None) self.version = kwargs.get('version', None) self.resource_group_id = kwargs.get('resource_group_id', None) - self.fips_validated_modules = kwargs.get('fips_validated_modules', None) class ConsoleProfile(msrest.serialization.Model): diff --git a/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_models_py3.py b/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_models_py3.py index 690395f3d..ff2a8610b 100644 --- a/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_models_py3.py +++ b/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_models_py3.py @@ -103,10 +103,6 @@ class ClusterProfile(msrest.serialization.Model): :type version: str :param resource_group_id: The ID of the cluster resource group. :type resource_group_id: str - :param fips_validated_modules: If FIPS validated crypto modules are used. Possible values - include: "Disabled", "Enabled". - :type fips_validated_modules: str or - ~azure.mgmt.redhatopenshift.v2021_09_01_preview.models.FipsValidatedModules """ _attribute_map = { @@ -114,7 +110,6 @@ class ClusterProfile(msrest.serialization.Model): 'domain': {'key': 'domain', 'type': 'str'}, 'version': {'key': 'version', 'type': 'str'}, 'resource_group_id': {'key': 'resourceGroupId', 'type': 'str'}, - 'fips_validated_modules': {'key': 'fipsValidatedModules', 'type': 'str'}, } def __init__( 
@@ -124,7 +119,6 @@ class ClusterProfile(msrest.serialization.Model): domain: Optional[str] = None, version: Optional[str] = None, resource_group_id: Optional[str] = None, - fips_validated_modules: Optional[Union[str, "FipsValidatedModules"]] = None, **kwargs ): super(ClusterProfile, self).__init__(**kwargs) @@ -132,7 +126,6 @@ class ClusterProfile(msrest.serialization.Model): self.domain = domain self.version = version self.resource_group_id = resource_group_id - self.fips_validated_modules = fips_validated_modules class ConsoleProfile(msrest.serialization.Model): diff --git a/swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/preview/2021-09-01-preview/redhatopenshift.json b/swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/preview/2021-09-01-preview/redhatopenshift.json index 53d2cf1e7..c23f0e6f9 100644 --- a/swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/preview/2021-09-01-preview/redhatopenshift.json +++ b/swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/preview/2021-09-01-preview/redhatopenshift.json @@ -519,10 +519,6 @@ "resourceGroupId": { "description": "The ID of the cluster resource group.", "type": "string" - }, - "fipsValidatedModules": { - "$ref": "#/definitions/FipsValidatedModules", - "description": "If FIPS validated crypto modules are used" } } }, @@ -570,14 +566,6 @@ "modelAsString": true } }, - "FipsValidatedModules": { - "description": "FipsValidatedModules determines if FIPS is used.", - "enum": [ - "Disabled", - "Enabled" - ], - "type": "string" - }, "IngressProfile": { "description": "IngressProfile represents an ingress profile.", "type": "object", diff --git a/test/e2e/fips.go b/test/e2e/fips.go index dcfe57b7f..639e97e95 100644 --- a/test/e2e/fips.go +++ b/test/e2e/fips.go 
@@ -20,16 +20,6 @@ const ( var _ = Describe("Validate FIPS Mode", func() { ctx := context.Background() - It("should be possible to retrieve FipsValidatedModules from cluster document", func() { - oc, err := clients.OpenshiftClustersv20210901preview.Get(ctx, vnetResourceGroup, clusterName) - Expect(err).NotTo(HaveOccurred()) - - // Check we retrieve FipsValidatedModules - clusterProfile := oc.ClusterProfile - Expect(clusterProfile).NotTo(BeNil()) - Expect(string(clusterProfile.FipsValidatedModules)).To(Equal("Enabled")) - - }) It("should be possible to validate fips master and worker machineconfigs exist", func() { mcp, err := clients.MachineConfig.MachineconfigurationV1().MachineConfigPools().List(ctx, metav1.ListOptions{}) Expect(err).NotTo(HaveOccurred())