refactor fips from preview api to feature flag and admin api

.sha256sum

@@ -1,2 +1,2 @@
 468fa0da0a50d50640ec57843ad288af343128b39f5bf23e76e4e336580883d4  swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/stable/2020-04-30/redhatopenshift.json
-5369bd05f66fb79c8bd0836a980eea438974cc94cb8a073104ee218da8612602  swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/preview/2021-09-01-preview/redhatopenshift.json
+c323c84befa5ea11da50a2407050abed6540ea01e796720bc2241604ce80567c  swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/preview/2021-09-01-preview/redhatopenshift.json

pkg/api/v20210901preview/openshiftcluster.go

@@ -84,15 +84,6 @@ const (
 	ProvisioningStateFailed        ProvisioningState = "Failed"
 )
 
-// FipsValidatedModules determines if FIPS is used.
-type FipsValidatedModules string
-
-// FipsValidatedModules constants.
-const (
-	FipsValidatedModulesEnabled  FipsValidatedModules = "Enabled"
-	FipsValidatedModulesDisabled FipsValidatedModules = "Disabled"
-)
-
 // ClusterProfile represents a cluster profile.
 type ClusterProfile struct {
 	// The pull secret for the cluster.
@@ -106,9 +97,6 @@ type ClusterProfile struct {
 
 	// The ID of the cluster resource group.
 	ResourceGroupID string `json:"resourceGroupId,omitempty"`
-
-	// If FIPS validated crypto modules are used
-	FipsValidatedModules FipsValidatedModules `json:"fipsValidatedModules,omitempty"`
 }
 
 // ConsoleProfile represents a console profile.

pkg/api/v20210901preview/openshiftcluster_convert.go

@@ -22,11 +22,10 @@ func (c *openShiftClusterConverter) ToExternal(oc *api.OpenShiftCluster) interfa
 		Properties: OpenShiftClusterProperties{
 			ProvisioningState: ProvisioningState(oc.Properties.ProvisioningState),
 			ClusterProfile: ClusterProfile{
-				PullSecret:           string(oc.Properties.ClusterProfile.PullSecret),
+				PullSecret:      string(oc.Properties.ClusterProfile.PullSecret),
-				Domain:               oc.Properties.ClusterProfile.Domain,
+				Domain:          oc.Properties.ClusterProfile.Domain,
-				Version:              oc.Properties.ClusterProfile.Version,
+				Version:         oc.Properties.ClusterProfile.Version,
-				ResourceGroupID:      oc.Properties.ClusterProfile.ResourceGroupID,
+				ResourceGroupID: oc.Properties.ClusterProfile.ResourceGroupID,
-				FipsValidatedModules: FipsValidatedModules(oc.Properties.ClusterProfile.FipsValidatedModules),
 			},
 			ConsoleProfile: ConsoleProfile{
 				URL: oc.Properties.ConsoleProfile.URL,
@@ -136,7 +135,6 @@ func (c *openShiftClusterConverter) ToInternal(_oc interface{}, out *api.OpenShi
 	out.Properties.ClusterProfile.PullSecret = api.SecureString(oc.Properties.ClusterProfile.PullSecret)
 	out.Properties.ClusterProfile.Domain = oc.Properties.ClusterProfile.Domain
 	out.Properties.ClusterProfile.Version = oc.Properties.ClusterProfile.Version
-	out.Properties.ClusterProfile.FipsValidatedModules = api.FipsValidatedModules(oc.Properties.ClusterProfile.FipsValidatedModules)
 	out.Properties.ClusterProfile.ResourceGroupID = oc.Properties.ClusterProfile.ResourceGroupID
 	out.Properties.ConsoleProfile.URL = oc.Properties.ConsoleProfile.URL
 	out.Properties.ServicePrincipalProfile.ClientID = oc.Properties.ServicePrincipalProfile.ClientID

pkg/client/services/redhatopenshift/mgmt/2021-09-01-preview/redhatopenshift/enums.go

@@ -51,21 +51,6 @@ func PossibleEncryptionAtHostValues() []EncryptionAtHost {
 	return []EncryptionAtHost{Disabled, Enabled}
 }
 
-// FipsValidatedModules enumerates the values for fips validated modules.
-type FipsValidatedModules string
-
-const (
-	// FipsValidatedModulesDisabled ...
-	FipsValidatedModulesDisabled FipsValidatedModules = "Disabled"
-	// FipsValidatedModulesEnabled ...
-	FipsValidatedModulesEnabled FipsValidatedModules = "Enabled"
-)
-
-// PossibleFipsValidatedModulesValues returns an array of possible values for the FipsValidatedModules const type.
-func PossibleFipsValidatedModulesValues() []FipsValidatedModules {
-	return []FipsValidatedModules{FipsValidatedModulesDisabled, FipsValidatedModulesEnabled}
-}
-
 // ProvisioningState enumerates the values for provisioning state.
 type ProvisioningState string
 

pkg/client/services/redhatopenshift/mgmt/2021-09-01-preview/redhatopenshift/models.go

@@ -88,8 +88,6 @@ type ClusterProfile struct {
 	Version *string `json:"version,omitempty"`
 	// ResourceGroupID - The ID of the cluster resource group.
 	ResourceGroupID *string `json:"resourceGroupId,omitempty"`
-	// FipsValidatedModules - If FIPS validated crypto modules are used. Possible values include: 'FipsValidatedModulesDisabled', 'FipsValidatedModulesEnabled'
-	FipsValidatedModules FipsValidatedModules `json:"fipsValidatedModules,omitempty"`
 }
 
 // ConsoleProfile consoleProfile represents a console profile.

pkg/util/cluster/cluster.go

@@ -146,11 +146,6 @@ func (c *Cluster) Create(ctx context.Context, vnetResourceGroup, clusterName str
 		visibility = api.VisibilityPrivate
 	}
 
-	fipsValidatedModules := api.FipsValidatedModulesEnabled
-	if os.Getenv("ARO_FIPS_DISABLED") != "" {
-		fipsValidatedModules = api.FipsValidatedModulesDisabled
-	}
-
 	if c.ci {
 		c.log.Infof("creating resource group")
 		_, err = c.groups.CreateOrUpdate(ctx, vnetResourceGroup, mgmtfeatures.ResourceGroup{
@@ -261,7 +256,7 @@ func (c *Cluster) Create(ctx context.Context, vnetResourceGroup, clusterName str
 	}
 
 	c.log.Info("creating cluster")
-	err = c.createCluster(ctx, vnetResourceGroup, clusterName, appID, appSecret, visibility, fipsValidatedModules)
+	err = c.createCluster(ctx, vnetResourceGroup, clusterName, appID, appSecret, visibility)
 	if err != nil {
 		return err
 	}
@@ -362,14 +357,13 @@ func (c *Cluster) Delete(ctx context.Context, vnetResourceGroup, clusterName str
 // createCluster created new clusters, based on where it is running.
 // development - using preview api
 // production - using stable GA api
-func (c *Cluster) createCluster(ctx context.Context, vnetResourceGroup, clusterName, clientID, clientSecret string, visibility api.Visibility, fipsValidatedModules api.FipsValidatedModules) error {
+func (c *Cluster) createCluster(ctx context.Context, vnetResourceGroup, clusterName, clientID, clientSecret string, visibility api.Visibility) error {
 	// using internal representation for "singe source" of options
 	oc := api.OpenShiftCluster{
 		Properties: api.OpenShiftClusterProperties{
 			ClusterProfile: api.ClusterProfile{
-				Domain:               strings.ToLower(clusterName),
+				Domain:          strings.ToLower(clusterName),
-				FipsValidatedModules: fipsValidatedModules,
+				ResourceGroupID: fmt.Sprintf("/subscriptions/%s/resourceGroups/%s", c.env.SubscriptionID(), "aro-"+clusterName),
-				ResourceGroupID:      fmt.Sprintf("/subscriptions/%s/resourceGroups/%s", c.env.SubscriptionID(), "aro-"+clusterName),
 			},
 			ServicePrincipalProfile: api.ServicePrincipalProfile{
 				ClientID:     clientID,

python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/__init__.py

@@ -60,7 +60,6 @@ except (SyntaxError, ImportError):
 from ._azure_red_hat_open_shift_client_enums import (
     CreatedByType,
     EncryptionAtHost,
-    FipsValidatedModules,
     ProvisioningState,
     SoftwareDefinedNetwork,
     VMSize,
@@ -90,7 +89,6 @@ __all__ = [
     'WorkerProfile',
     'CreatedByType',
     'EncryptionAtHost',
-    'FipsValidatedModules',
     'ProvisioningState',
     'SoftwareDefinedNetwork',
     'VMSize',

python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_azure_red_hat_open_shift_client_enums.py

@@ -50,13 +50,6 @@ class EncryptionAtHost(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
     DISABLED = "Disabled"
     ENABLED = "Enabled"
 
-class FipsValidatedModules(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
-    """FipsValidatedModules determines if FIPS is used.
-    """
-
-    DISABLED = "Disabled"
-    ENABLED = "Enabled"
-
 class ProvisioningState(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)):
     """ProvisioningState represents a provisioning state.
     """

python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_models.py

@@ -89,10 +89,6 @@ class ClusterProfile(msrest.serialization.Model):
     :type version: str
     :param resource_group_id: The ID of the cluster resource group.
     :type resource_group_id: str
-    :param fips_validated_modules: If FIPS validated crypto modules are used. Possible values
-     include: "Disabled", "Enabled".
-    :type fips_validated_modules: str or
-     ~azure.mgmt.redhatopenshift.v2021_09_01_preview.models.FipsValidatedModules
     """
 
     _attribute_map = {
@@ -100,7 +96,6 @@ class ClusterProfile(msrest.serialization.Model):
         'domain': {'key': 'domain', 'type': 'str'},
         'version': {'key': 'version', 'type': 'str'},
         'resource_group_id': {'key': 'resourceGroupId', 'type': 'str'},
-        'fips_validated_modules': {'key': 'fipsValidatedModules', 'type': 'str'},
     }
 
     def __init__(
@@ -112,7 +107,6 @@ class ClusterProfile(msrest.serialization.Model):
         self.domain = kwargs.get('domain', None)
         self.version = kwargs.get('version', None)
         self.resource_group_id = kwargs.get('resource_group_id', None)
-        self.fips_validated_modules = kwargs.get('fips_validated_modules', None)
 
 
 class ConsoleProfile(msrest.serialization.Model):

python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_models_py3.py

@@ -103,10 +103,6 @@ class ClusterProfile(msrest.serialization.Model):
     :type version: str
     :param resource_group_id: The ID of the cluster resource group.
     :type resource_group_id: str
-    :param fips_validated_modules: If FIPS validated crypto modules are used. Possible values
-     include: "Disabled", "Enabled".
-    :type fips_validated_modules: str or
-     ~azure.mgmt.redhatopenshift.v2021_09_01_preview.models.FipsValidatedModules
     """
 
     _attribute_map = {
@@ -114,7 +110,6 @@ class ClusterProfile(msrest.serialization.Model):
         'domain': {'key': 'domain', 'type': 'str'},
         'version': {'key': 'version', 'type': 'str'},
         'resource_group_id': {'key': 'resourceGroupId', 'type': 'str'},
-        'fips_validated_modules': {'key': 'fipsValidatedModules', 'type': 'str'},
     }
 
     def __init__(
@@ -124,7 +119,6 @@ class ClusterProfile(msrest.serialization.Model):
         domain: Optional[str] = None,
         version: Optional[str] = None,
         resource_group_id: Optional[str] = None,
-        fips_validated_modules: Optional[Union[str, "FipsValidatedModules"]] = None,
         **kwargs
     ):
         super(ClusterProfile, self).__init__(**kwargs)
@@ -132,7 +126,6 @@ class ClusterProfile(msrest.serialization.Model):
         self.domain = domain
         self.version = version
         self.resource_group_id = resource_group_id
-        self.fips_validated_modules = fips_validated_modules
 
 
 class ConsoleProfile(msrest.serialization.Model):

swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/preview/2021-09-01-preview/redhatopenshift.json

@@ -519,10 +519,6 @@
         "resourceGroupId": {
           "description": "The ID of the cluster resource group.",
           "type": "string"
-        },
-        "fipsValidatedModules": {
-          "$ref": "#/definitions/FipsValidatedModules",
-          "description": "If FIPS validated crypto modules are used"
         }
       }
     },
@@ -570,14 +566,6 @@
         "modelAsString": true
       }
     },
-    "FipsValidatedModules": {
-      "description": "FipsValidatedModules determines if FIPS is used.",
-      "enum": [
-        "Disabled",
-        "Enabled"
-      ],
-      "type": "string"
-    },
     "IngressProfile": {
       "description": "IngressProfile represents an ingress profile.",
       "type": "object",

test/e2e/fips.go

@@ -20,16 +20,6 @@ const (
 
 var _ = Describe("Validate FIPS Mode", func() {
 	ctx := context.Background()
-	It("should be possible to retrieve FipsValidatedModules from cluster document", func() {
-		oc, err := clients.OpenshiftClustersv20210901preview.Get(ctx, vnetResourceGroup, clusterName)
-		Expect(err).NotTo(HaveOccurred())
-
-		// Check we retrieve FipsValidatedModules
-		clusterProfile := oc.ClusterProfile
-		Expect(clusterProfile).NotTo(BeNil())
-		Expect(string(clusterProfile.FipsValidatedModules)).To(Equal("Enabled"))
-
-	})
 	It("should be possible to validate fips master and worker machineconfigs exist", func() {
 		mcp, err := clients.MachineConfig.MachineconfigurationV1().MachineConfigPools().List(ctx, metav1.ListOptions{})
 		Expect(err).NotTo(HaveOccurred())