diff --git a/.sha256sum b/.sha256sum
index a5059ecf2..dbd5a3a32 100644
--- a/.sha256sum
+++ b/.sha256sum
@@ -1,2 +1,2 @@
 468fa0da0a50d50640ec57843ad288af343128b39f5bf23e76e4e336580883d4 swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/stable/2020-04-30/redhatopenshift.json
-c323c84befa5ea11da50a2407050abed6540ea01e796720bc2241604ce80567c swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/preview/2021-09-01-preview/redhatopenshift.json
+5369bd05f66fb79c8bd0836a980eea438974cc94cb8a073104ee218da8612602 swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/preview/2021-09-01-preview/redhatopenshift.json
diff --git a/pkg/api/admin/openshiftcluster.go b/pkg/api/admin/openshiftcluster.go
index 4ab613827..ab5b60a83 100644
--- a/pkg/api/admin/openshiftcluster.go
+++ b/pkg/api/admin/openshiftcluster.go
@@ -66,11 +66,21 @@ const (
 ProvisioningStateFailed ProvisioningState = "Failed"
 )
 
+// FipsValidatedModules determines if FIPS is used.
+type FipsValidatedModules string
+
+// FipsValidatedModules constants.
+const (
+ FipsValidatedModulesEnabled FipsValidatedModules = "Enabled"
+ FipsValidatedModulesDisabled FipsValidatedModules = "Disabled"
+)
+
 // ClusterProfile represents a cluster profile.
 type ClusterProfile struct {
- Domain string `json:"domain,omitempty"`
- Version string `json:"version,omitempty"`
- ResourceGroupID string `json:"resourceGroupId,omitempty"`
+ Domain string `json:"domain,omitempty"`
+ Version string `json:"version,omitempty"`
+ ResourceGroupID string `json:"resourceGroupId,omitempty"`
+ FipsValidatedModules FipsValidatedModules `json:"fipsValidatedModules,omitempty"`
 }
 
 // FeatureProfile represents a feature profile.
diff --git a/pkg/api/admin/openshiftcluster_convert.go b/pkg/api/admin/openshiftcluster_convert.go
index ba00289f9..3229d7df1 100644
--- a/pkg/api/admin/openshiftcluster_convert.go
+++ b/pkg/api/admin/openshiftcluster_convert.go
@@ -29,9 +29,10 @@ func (c *openShiftClusterConverter) ToExternal(oc *api.OpenShiftCluster) interfa
 CreatedBy: oc.Properties.CreatedBy,
 ProvisionedBy: oc.Properties.ProvisionedBy,
 ClusterProfile: ClusterProfile{
- Domain: oc.Properties.ClusterProfile.Domain,
- Version: oc.Properties.ClusterProfile.Version,
- ResourceGroupID: oc.Properties.ClusterProfile.ResourceGroupID,
+ Domain: oc.Properties.ClusterProfile.Domain,
+ Version: oc.Properties.ClusterProfile.Version,
+ ResourceGroupID: oc.Properties.ClusterProfile.ResourceGroupID,
+ FipsValidatedModules: FipsValidatedModules(oc.Properties.ClusterProfile.FipsValidatedModules),
 },
 FeatureProfile: FeatureProfile{
 GatewayEnabled: oc.Properties.FeatureProfile.GatewayEnabled,
@@ -171,6 +172,7 @@ func (c *openShiftClusterConverter) ToInternal(_oc interface{}, out *api.OpenShi
 out.Properties.CreatedBy = oc.Properties.CreatedBy
 out.Properties.ProvisionedBy = oc.Properties.ProvisionedBy
 out.Properties.ClusterProfile.Domain = oc.Properties.ClusterProfile.Domain
+ out.Properties.ClusterProfile.FipsValidatedModules = api.FipsValidatedModules(oc.Properties.ClusterProfile.FipsValidatedModules)
 out.Properties.ClusterProfile.Version = oc.Properties.ClusterProfile.Version
 out.Properties.ClusterProfile.ResourceGroupID = oc.Properties.ClusterProfile.ResourceGroupID
 out.Properties.FeatureProfile.GatewayEnabled = oc.Properties.FeatureProfile.GatewayEnabled
diff --git a/pkg/api/defaults.go b/pkg/api/defaults.go
index dd04454e0..5d3e18f65 100644
--- a/pkg/api/defaults.go
+++ b/pkg/api/defaults.go
@@ -25,5 +25,9 @@ func SetDefaults(doc *OpenShiftClusterDocument) {
 doc.OpenShiftCluster.Properties.WorkerProfiles[i].EncryptionAtHost = EncryptionAtHostDisabled
 }
 }
+
+ if doc.OpenShiftCluster.Properties.ClusterProfile.FipsValidatedModules == "" {
+ doc.OpenShiftCluster.Properties.ClusterProfile.FipsValidatedModules = FipsValidatedModulesDisabled
+ }
 }
 }
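Review bot: The added line in ToInternal copies FipsValidatedModules from the admin request into the stored document through a bare type conversion, so any string is accepted and, on an existing cluster, a changed value is persisted even though the only consumer in this diff (the `FIPS:` line in generateInstallConfig) reads it when the install config is generated; the v20210901preview ToInternal hunk in pkg/api/v20210901preview/openshiftcluster_convert.go has the same shape. No static validator for either API is touched by this diff, so unless one outside the diff already covers the field, an update could record Enabled on a cluster that was installed without FIPS, and the API would then report a crypto posture the cluster does not have. I would add an enum check (Enabled/Disabled) on create and an immutability check on update in the preview validator, and state the contract on the internal type: `// FipsValidatedModules is fixed at install time; changing it after creation has no effect on the cluster.` ToInternal starts and ends outside the hunk.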
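Review bot: The new branch in SetDefaults turns an empty FipsValidatedModules into Disabled for every document it sees, which is the right value for clusters created before the field existed (their install config never set FIPS), but that reasoning is not recorded anywhere and a future change of the default to Enabled would silently relabel those clusters. A one-line comment above the `if` would pin it: `// Clusters created before this field existed were installed without FIPS, so "" means Disabled.` SetDefaults starts outside the hunk.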
diff --git a/pkg/api/defaults_test.go b/pkg/api/defaults_test.go index 32f76d77b..2d401b1af 100644 --- a/pkg/api/defaults_test.go +++ b/pkg/api/defaults_test.go @@ -24,6 +24,9 @@ func validOpenShiftClusterDocument() *OpenShiftClusterDocument { EncryptionAtHost: EncryptionAtHostDisabled, }, }, + ClusterProfile: ClusterProfile{ + FipsValidatedModules: FipsValidatedModulesDisabled, + }, }, }, } @@ -82,6 +85,26 @@ func TestSetDefaults(t *testing.T) { base.OpenShiftCluster.Properties.MasterProfile.EncryptionAtHost = EncryptionAtHostEnabled }, }, + { + name: "default fips validated modules", + want: func() *OpenShiftClusterDocument { + return validOpenShiftClusterDocument() + }, + input: func(base *OpenShiftClusterDocument) { + base.OpenShiftCluster.Properties.ClusterProfile.FipsValidatedModules = "" + }, + }, + { + name: "preserve fips validated modules", + want: func() *OpenShiftClusterDocument { + doc := validOpenShiftClusterDocument() + doc.OpenShiftCluster.Properties.ClusterProfile.FipsValidatedModules = FipsValidatedModulesEnabled + return doc + }, + input: func(base *OpenShiftClusterDocument) { + base.OpenShiftCluster.Properties.ClusterProfile.FipsValidatedModules = FipsValidatedModulesEnabled + }, + }, } { t.Run(tt.name, func(t *testing.T) { doc := validOpenShiftClusterDocument() diff --git a/pkg/api/openshiftcluster.go b/pkg/api/openshiftcluster.go index 6fd7c631c..c2a1f7802 100644 --- a/pkg/api/openshiftcluster.go +++ b/pkg/api/openshiftcluster.go 
@@ -169,14 +169,24 @@ func (t ProvisioningState) String() string {
 return string(t)
 }
 
+// FipsValidatedModules determines if FIPS is used.
+type FipsValidatedModules string
+
+// FipsValidatedModules constants.
+const (
+ FipsValidatedModulesEnabled FipsValidatedModules = "Enabled"
+ FipsValidatedModulesDisabled FipsValidatedModules = "Disabled"
+)
+
 // ClusterProfile represents a cluster profile.
 type ClusterProfile struct {
 MissingFields
 
- PullSecret SecureString `json:"pullSecret,omitempty"`
- Domain string `json:"domain,omitempty"`
- Version string `json:"version,omitempty"`
- ResourceGroupID string `json:"resourceGroupId,omitempty"`
+ PullSecret SecureString `json:"pullSecret,omitempty"`
+ Domain string `json:"domain,omitempty"`
+ Version string `json:"version,omitempty"`
+ ResourceGroupID string `json:"resourceGroupId,omitempty"`
+ FipsValidatedModules FipsValidatedModules `json:"fipsValidatedModules,omitempty"`
 }
 
 // FeatureProfile represents a feature profile.
diff --git a/pkg/api/v20210901preview/openshiftcluster.go b/pkg/api/v20210901preview/openshiftcluster.go
index b5e5d07ba..6f3775e4e 100644
--- a/pkg/api/v20210901preview/openshiftcluster.go
+++ b/pkg/api/v20210901preview/openshiftcluster.go
@@ -84,6 +84,15 @@ const (
 ProvisioningStateFailed ProvisioningState = "Failed"
 )
 
+// FipsValidatedModules determines if FIPS is used.
+type FipsValidatedModules string
+
+// FipsValidatedModules constants.
+const (
+ FipsValidatedModulesEnabled FipsValidatedModules = "Enabled"
+ FipsValidatedModulesDisabled FipsValidatedModules = "Disabled"
+)
+
 // ClusterProfile represents a cluster profile.
 type ClusterProfile struct {
 // The pull secret for the cluster.
@@ -97,6 +106,9 @@ type ClusterProfile struct {
 
 // The ID of the cluster resource group.
 ResourceGroupID string `json:"resourceGroupId,omitempty"`
+
+ // If FIPS validated crypto modules are used
+ FipsValidatedModules FipsValidatedModules `json:"fipsValidatedModules,omitempty"`
 }
 
 // ConsoleProfile represents a console profile.
diff --git a/pkg/api/v20210901preview/openshiftcluster_convert.go b/pkg/api/v20210901preview/openshiftcluster_convert.go
index 69a796c9a..80d6e2a9d 100644
--- a/pkg/api/v20210901preview/openshiftcluster_convert.go
+++ b/pkg/api/v20210901preview/openshiftcluster_convert.go
@@ -22,10 +22,11 @@ func (c *openShiftClusterConverter) ToExternal(oc *api.OpenShiftCluster) interfa
 Properties: OpenShiftClusterProperties{
 ProvisioningState: ProvisioningState(oc.Properties.ProvisioningState),
 ClusterProfile: ClusterProfile{
- PullSecret: string(oc.Properties.ClusterProfile.PullSecret),
- Domain: oc.Properties.ClusterProfile.Domain,
- Version: oc.Properties.ClusterProfile.Version,
- ResourceGroupID: oc.Properties.ClusterProfile.ResourceGroupID,
+ PullSecret: string(oc.Properties.ClusterProfile.PullSecret),
+ Domain: oc.Properties.ClusterProfile.Domain,
+ Version: oc.Properties.ClusterProfile.Version,
+ ResourceGroupID: oc.Properties.ClusterProfile.ResourceGroupID,
+ FipsValidatedModules: FipsValidatedModules(oc.Properties.ClusterProfile.FipsValidatedModules),
 },
 ConsoleProfile: ConsoleProfile{
 URL: oc.Properties.ConsoleProfile.URL,
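Review bot: The field comment added to the preview ClusterProfile, `// If FIPS validated crypto modules are used`, has no terminating period and says nothing about what an omitted value means or when the setting takes effect, and the same wording is repeated as the `description` in redhatopenshift.json and in the generated Python docstrings in this diff, so the gap reaches customers. defaults.go in this diff fills an empty value with Disabled (the expected documents in openshiftcluster_putorpatch_test.go are consistent with that running on incoming requests), and the only consumer is the install config, so I would write `// If FIPS validated crypto modules are used. Defaults to "Disabled" when omitted; applied at cluster creation.` The struct continues outside the hunk.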
@@ -135,6 +136,7 @@ func (c *openShiftClusterConverter) ToInternal(_oc interface{}, out *api.OpenShi
 out.Properties.ClusterProfile.PullSecret = api.SecureString(oc.Properties.ClusterProfile.PullSecret)
 out.Properties.ClusterProfile.Domain = oc.Properties.ClusterProfile.Domain
 out.Properties.ClusterProfile.Version = oc.Properties.ClusterProfile.Version
+ out.Properties.ClusterProfile.FipsValidatedModules = api.FipsValidatedModules(oc.Properties.ClusterProfile.FipsValidatedModules)
 out.Properties.ClusterProfile.ResourceGroupID = oc.Properties.ClusterProfile.ResourceGroupID
 out.Properties.ConsoleProfile.URL = oc.Properties.ConsoleProfile.URL
 out.Properties.ServicePrincipalProfile.ClientID = oc.Properties.ServicePrincipalProfile.ClientID
diff --git a/pkg/client/services/redhatopenshift/mgmt/2021-09-01-preview/redhatopenshift/enums.go b/pkg/client/services/redhatopenshift/mgmt/2021-09-01-preview/redhatopenshift/enums.go
index 0b1103374..81d7dd759 100644
--- a/pkg/client/services/redhatopenshift/mgmt/2021-09-01-preview/redhatopenshift/enums.go
+++ b/pkg/client/services/redhatopenshift/mgmt/2021-09-01-preview/redhatopenshift/enums.go
@@ -51,6 +51,21 @@ func PossibleEncryptionAtHostValues() []EncryptionAtHost {
 return []EncryptionAtHost{Disabled, Enabled}
 }
 
+// FipsValidatedModules enumerates the values for fips validated modules.
+type FipsValidatedModules string
+
+const (
+ // FipsValidatedModulesDisabled ...
+ FipsValidatedModulesDisabled FipsValidatedModules = "Disabled"
+ // FipsValidatedModulesEnabled ...
+ FipsValidatedModulesEnabled FipsValidatedModules = "Enabled"
+)
+
+// PossibleFipsValidatedModulesValues returns an array of possible values for the FipsValidatedModules const type.
+func PossibleFipsValidatedModulesValues() []FipsValidatedModules {
+ return []FipsValidatedModules{FipsValidatedModulesDisabled, FipsValidatedModulesEnabled}
+}
+
 // ProvisioningState enumerates the values for provisioning state.
 type ProvisioningState string
 
diff --git a/pkg/client/services/redhatopenshift/mgmt/2021-09-01-preview/redhatopenshift/models.go b/pkg/client/services/redhatopenshift/mgmt/2021-09-01-preview/redhatopenshift/models.go
index 299fef2d6..05f478b44 100644
--- a/pkg/client/services/redhatopenshift/mgmt/2021-09-01-preview/redhatopenshift/models.go
+++ b/pkg/client/services/redhatopenshift/mgmt/2021-09-01-preview/redhatopenshift/models.go
@@ -88,6 +88,8 @@ type ClusterProfile struct {
 Version *string `json:"version,omitempty"`
 // ResourceGroupID - The ID of the cluster resource group.
 ResourceGroupID *string `json:"resourceGroupId,omitempty"`
+ // FipsValidatedModules - If FIPS validated crypto modules are used. Possible values include: 'FipsValidatedModulesDisabled', 'FipsValidatedModulesEnabled'
+ FipsValidatedModules FipsValidatedModules `json:"fipsValidatedModules,omitempty"`
 }
 
 // ConsoleProfile consoleProfile represents a console profile.
diff --git a/pkg/cluster/generateconfig.go b/pkg/cluster/generateconfig.go
index 4f00f57e9..d5700c1d6 100644
--- a/pkg/cluster/generateconfig.go
+++ b/pkg/cluster/generateconfig.go
@@ -181,6 +181,7 @@ func (m *manager) generateInstallConfig(ctx context.Context) (*installconfig.Ins
 },
 },
 PullSecret: pullSecret,
+ FIPS: m.doc.OpenShiftCluster.Properties.ClusterProfile.FipsValidatedModules == api.FipsValidatedModulesEnabled,
 ImageContentSources: []types.ImageContentSource{
 {
 Source: "quay.io/openshift-release-dev/ocp-release",
diff --git a/pkg/frontend/openshiftcluster_putorpatch_test.go b/pkg/frontend/openshiftcluster_putorpatch_test.go
index 241e8469d..b21f0a8a5 100644
--- a/pkg/frontend/openshiftcluster_putorpatch_test.go
+++ b/pkg/frontend/openshiftcluster_putorpatch_test.go
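Review bot: The new `FIPS:` line in generateInstallConfig is the only place this diff reads FipsValidatedModules, and it is evaluated once when the install config is produced, so the API type should not imply the value can be toggled later; a comment on the line makes the dependency visible to whoever next edits the types: `// FIPS is an install-time choice; FipsValidatedModules is not re-read after install.` Any value other than Enabled (including "" and a misspelling) yields FIPS off, which is the safe direction, but it also means a malformed request quietly produces a non-FIPS cluster unless the value is validated before it is stored. generateInstallConfig starts and ends outside the hunk.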
@@ -104,6 +104,9 @@ func TestPutOrPatchOpenShiftClusterAdminAPI(t *testing.T) { Properties: api.OpenShiftClusterProperties{ ProvisioningState: api.ProvisioningStateAdminUpdating, LastProvisioningState: api.ProvisioningStateSucceeded, + ClusterProfile: api.ClusterProfile{ + FipsValidatedModules: api.FipsValidatedModulesDisabled, + }, NetworkProfile: api.NetworkProfile{ SoftwareDefinedNetwork: api.SoftwareDefinedNetworkOpenShiftSDN, }, @@ -123,6 +126,9 @@ func TestPutOrPatchOpenShiftClusterAdminAPI(t *testing.T) { Properties: admin.OpenShiftClusterProperties{ ProvisioningState: admin.ProvisioningStateAdminUpdating, LastProvisioningState: admin.ProvisioningStateSucceeded, + ClusterProfile: admin.ClusterProfile{ + FipsValidatedModules: admin.FipsValidatedModulesDisabled, + }, NetworkProfile: admin.NetworkProfile{ SoftwareDefinedNetwork: admin.SoftwareDefinedNetworkOpenShiftSDN, }, @@ -187,7 +193,8 @@ func TestPutOrPatchOpenShiftClusterAdminAPI(t *testing.T) { ProvisioningState: api.ProvisioningStateAdminUpdating, LastProvisioningState: api.ProvisioningStateSucceeded, ClusterProfile: api.ClusterProfile{ - Domain: "changed", + Domain: "changed", + FipsValidatedModules: api.FipsValidatedModulesDisabled, }, NetworkProfile: api.NetworkProfile{ SoftwareDefinedNetwork: api.SoftwareDefinedNetworkOpenShiftSDN, @@ -210,7 +217,8 @@ func TestPutOrPatchOpenShiftClusterAdminAPI(t *testing.T) { ProvisioningState: admin.ProvisioningStateAdminUpdating, LastProvisioningState: admin.ProvisioningStateSucceeded, ClusterProfile: admin.ClusterProfile{ - Domain: "changed", + Domain: "changed", + FipsValidatedModules: admin.FipsValidatedModulesDisabled, }, NetworkProfile: admin.NetworkProfile{ SoftwareDefinedNetwork: admin.SoftwareDefinedNetworkOpenShiftSDN, 
@@ -378,7 +386,8 @@ func TestPutOrPatchOpenShiftCluster(t *testing.T) { CreatedAt: mockCurrentTime, CreatedBy: version.GitCommit, ClusterProfile: api.ClusterProfile{ - Version: "4.3.0", + Version: "4.3.0", + FipsValidatedModules: api.FipsValidatedModulesDisabled, }, NetworkProfile: api.NetworkProfile{ SoftwareDefinedNetwork: api.SoftwareDefinedNetworkOpenShiftSDN, @@ -430,7 +439,8 @@ func TestPutOrPatchOpenShiftCluster(t *testing.T) { Properties: api.OpenShiftClusterProperties{ ProvisioningState: api.ProvisioningStateSucceeded, ClusterProfile: api.ClusterProfile{ - PullSecret: `{"will":"be-kept"}`, + PullSecret: `{"will":"be-kept"}`, + FipsValidatedModules: api.FipsValidatedModulesDisabled, }, IngressProfiles: []api.IngressProfile{{Name: "will-be-removed"}}, WorkerProfiles: []api.WorkerProfile{{Name: "will-be-removed"}}, @@ -467,8 +477,9 @@ func TestPutOrPatchOpenShiftCluster(t *testing.T) { ProvisioningState: api.ProvisioningStateUpdating, LastProvisioningState: api.ProvisioningStateSucceeded, ClusterProfile: api.ClusterProfile{ - PullSecret: `{"will":"be-kept"}`, - Domain: "changed", + PullSecret: `{"will":"be-kept"}`, + Domain: "changed", + FipsValidatedModules: api.FipsValidatedModulesDisabled, }, ServicePrincipalProfile: api.ServicePrincipalProfile{ ClientSecret: "will-be-kept", @@ -549,7 +560,8 @@ func TestPutOrPatchOpenShiftCluster(t *testing.T) { LastProvisioningState: api.ProvisioningStateFailed, FailedProvisioningState: api.ProvisioningStateUpdating, ClusterProfile: api.ClusterProfile{ - Domain: "changed", + Domain: "changed", + FipsValidatedModules: api.FipsValidatedModulesDisabled, }, NetworkProfile: api.NetworkProfile{ SoftwareDefinedNetwork: api.SoftwareDefinedNetworkOpenShiftSDN, 
@@ -714,7 +726,8 @@ func TestPutOrPatchOpenShiftCluster(t *testing.T) { ProvisioningState: api.ProvisioningStateUpdating, LastProvisioningState: api.ProvisioningStateSucceeded, ClusterProfile: api.ClusterProfile{ - Domain: "changed", + Domain: "changed", + FipsValidatedModules: api.FipsValidatedModulesDisabled, }, IngressProfiles: []api.IngressProfile{{Name: "changed"}}, WorkerProfiles: []api.WorkerProfile{ @@ -784,6 +797,9 @@ func TestPutOrPatchOpenShiftCluster(t *testing.T) { EncryptionAtHost: api.EncryptionAtHostDisabled, }, }, + ClusterProfile: api.ClusterProfile{ + FipsValidatedModules: api.FipsValidatedModulesDisabled, + }, NetworkProfile: api.NetworkProfile{ SoftwareDefinedNetwork: api.SoftwareDefinedNetworkOpenShiftSDN, }, @@ -815,7 +831,8 @@ func TestPutOrPatchOpenShiftCluster(t *testing.T) { LastProvisioningState: api.ProvisioningStateFailed, FailedProvisioningState: api.ProvisioningStateUpdating, ClusterProfile: api.ClusterProfile{ - Domain: "changed", + Domain: "changed", + FipsValidatedModules: api.FipsValidatedModulesDisabled, }, IngressProfiles: []api.IngressProfile{{Name: "will-be-kept"}}, WorkerProfiles: []api.WorkerProfile{ @@ -877,6 +894,9 @@ func TestPutOrPatchOpenShiftCluster(t *testing.T) { Properties: api.OpenShiftClusterProperties{ ProvisioningState: api.ProvisioningStateFailed, FailedProvisioningState: api.ProvisioningStateCreating, + ClusterProfile: api.ClusterProfile{ + FipsValidatedModules: api.FipsValidatedModulesDisabled, + }, NetworkProfile: api.NetworkProfile{ SoftwareDefinedNetwork: api.SoftwareDefinedNetworkOpenShiftSDN, }, 
@@ -915,6 +935,9 @@ func TestPutOrPatchOpenShiftCluster(t *testing.T) { Properties: api.OpenShiftClusterProperties{ ProvisioningState: api.ProvisioningStateFailed, FailedProvisioningState: api.ProvisioningStateDeleting, + ClusterProfile: api.ClusterProfile{ + FipsValidatedModules: api.FipsValidatedModulesDisabled, + }, NetworkProfile: api.NetworkProfile{ SoftwareDefinedNetwork: api.SoftwareDefinedNetworkOpenShiftSDN, }, @@ -954,8 +977,9 @@ func TestPutOrPatchOpenShiftCluster(t *testing.T) { Properties: api.OpenShiftClusterProperties{ ProvisioningState: api.ProvisioningStateCreating, ClusterProfile: api.ClusterProfile{ - Version: "4.3.0", - ResourceGroupID: fmt.Sprintf("/subscriptions/%s/resourcegroups/aro-vjb21wca", mockSubID), + Version: "4.3.0", + ResourceGroupID: fmt.Sprintf("/subscriptions/%s/resourcegroups/aro-vjb21wca", mockSubID), + FipsValidatedModules: api.FipsValidatedModulesDisabled, }, NetworkProfile: api.NetworkProfile{ SoftwareDefinedNetwork: api.SoftwareDefinedNetworkOpenShiftSDN, @@ -997,7 +1021,8 @@ func TestPutOrPatchOpenShiftCluster(t *testing.T) { Properties: api.OpenShiftClusterProperties{ ProvisioningState: api.ProvisioningStateCreating, ClusterProfile: api.ClusterProfile{ - Version: "4.3.0", + Version: "4.3.0", + FipsValidatedModules: api.FipsValidatedModulesDisabled, }, NetworkProfile: api.NetworkProfile{ SoftwareDefinedNetwork: api.SoftwareDefinedNetworkOpenShiftSDN, diff --git a/pkg/util/cluster/cluster.go b/pkg/util/cluster/cluster.go index a3c5d1009..4e1d8ed1c 100644 --- a/pkg/util/cluster/cluster.go +++ b/pkg/util/cluster/cluster.go 
@@ -146,6 +146,11 @@ func (c *Cluster) Create(ctx context.Context, vnetResourceGroup, clusterName str
 visibility = api.VisibilityPrivate
 }
 
+ fipsValidatedModules := api.FipsValidatedModulesEnabled
+ if os.Getenv("ARO_FIPS_DISABLED") != "" {
+ fipsValidatedModules = api.FipsValidatedModulesDisabled
+ }
+
 if c.ci {
 c.log.Infof("creating resource group")
 _, err = c.groups.CreateOrUpdate(ctx, vnetResourceGroup, mgmtfeatures.ResourceGroup{
@@ -256,7 +261,7 @@ func (c *Cluster) Create(ctx context.Context, vnetResourceGroup, clusterName str
 }
 
 c.log.Info("creating cluster")
- err = c.createCluster(ctx, vnetResourceGroup, clusterName, appID, appSecret, visibility)
+ err = c.createCluster(ctx, vnetResourceGroup, clusterName, appID, appSecret, visibility, fipsValidatedModules)
 if err != nil {
 return err
 }
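Review bot: `os.Getenv("ARO_FIPS_DISABLED") != ""` treats any non-empty value, including "false" and "0", as a request to create the cluster without FIPS, which is an easy trap for a dev/CI switch that governs the cluster's crypto posture. Either parse it with strconv.ParseBool or document the contract on the added line: `// Any non-empty ARO_FIPS_DISABLED (even "false") creates the cluster without FIPS; the default is Enabled.` A log line stating which value was chosen would also help when an e2e run later asserts on it. Create starts and ends outside the hunk.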
@@ -357,13 +362,14 @@ func (c *Cluster) Delete(ctx context.Context, vnetResourceGroup, clusterName str
 // createCluster created new clusters, based on where it is running.
 // development - using preview api
 // production - using stable GA api
-func (c *Cluster) createCluster(ctx context.Context, vnetResourceGroup, clusterName, clientID, clientSecret string, visibility api.Visibility) error {
+func (c *Cluster) createCluster(ctx context.Context, vnetResourceGroup, clusterName, clientID, clientSecret string, visibility api.Visibility, fipsValidatedModules api.FipsValidatedModules) error {
 // using internal representation for "singe source" of options
 oc := api.OpenShiftCluster{
 Properties: api.OpenShiftClusterProperties{
 ClusterProfile: api.ClusterProfile{
- Domain: strings.ToLower(clusterName),
- ResourceGroupID: fmt.Sprintf("/subscriptions/%s/resourceGroups/%s", c.env.SubscriptionID(), "aro-"+clusterName),
+ Domain: strings.ToLower(clusterName),
+ FipsValidatedModules: fipsValidatedModules,
+ ResourceGroupID: fmt.Sprintf("/subscriptions/%s/resourceGroups/%s", c.env.SubscriptionID(), "aro-"+clusterName),
 },
 ServicePrincipalProfile: api.ServicePrincipalProfile{
 ClientID: clientID,
diff --git a/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/__init__.py b/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/__init__.py
index 7d1854d6a..5b0207dc7 100644
--- a/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/__init__.py
+++ b/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/__init__.py
@@ -60,6 +60,7 @@ except (SyntaxError, ImportError):
 from ._azure_red_hat_open_shift_client_enums import (
 CreatedByType,
 EncryptionAtHost,
+ FipsValidatedModules,
 ProvisioningState,
 SoftwareDefinedNetwork,
 VMSize,
@@ -89,6 +90,7 @@ __all__ = [
 'WorkerProfile',
 'CreatedByType',
 'EncryptionAtHost',
+ 'FipsValidatedModules',
 'ProvisioningState',
 'SoftwareDefinedNetwork',
 'VMSize',
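Review bot: createCluster gains a fipsValidatedModules parameter but the doc comment directly above the signature still describes only which API version is used, so the new input is undocumented. Add a line to that comment such as `// fipsValidatedModules selects whether the cluster is installed with FIPS validated crypto modules.` createCluster's body continues past the hunk.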
diff --git a/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_azure_red_hat_open_shift_client_enums.py b/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_azure_red_hat_open_shift_client_enums.py index 462e4b71d..ee271fedd 100644 --- a/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_azure_red_hat_open_shift_client_enums.py +++ b/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_azure_red_hat_open_shift_client_enums.py @@ -50,6 +50,13 @@ class EncryptionAtHost(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): DISABLED = "Disabled" ENABLED = "Enabled" +class FipsValidatedModules(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): + """FipsValidatedModules determines if FIPS is used. + """ + + DISABLED = "Disabled" + ENABLED = "Enabled" + class ProvisioningState(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): """ProvisioningState represents a provisioning state. """ diff --git a/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_models.py b/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_models.py index 2e7e61ecb..3c6428b60 100644 --- a/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_models.py +++ b/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_models.py @@ -89,6 +89,10 @@ class ClusterProfile(msrest.serialization.Model): :type version: str :param resource_group_id: The ID of the cluster resource group. :type resource_group_id: str + :param fips_validated_modules: If FIPS validated crypto modules are used. Possible values + include: "Disabled", "Enabled". + :type fips_validated_modules: str or + ~azure.mgmt.redhatopenshift.v2021_09_01_preview.models.FipsValidatedModules """ _attribute_map = { 
@@ -96,6 +100,7 @@ class ClusterProfile(msrest.serialization.Model): 'domain': {'key': 'domain', 'type': 'str'}, 'version': {'key': 'version', 'type': 'str'}, 'resource_group_id': {'key': 'resourceGroupId', 'type': 'str'}, + 'fips_validated_modules': {'key': 'fipsValidatedModules', 'type': 'str'}, } def __init__( @@ -107,6 +112,7 @@ class ClusterProfile(msrest.serialization.Model): self.domain = kwargs.get('domain', None) self.version = kwargs.get('version', None) self.resource_group_id = kwargs.get('resource_group_id', None) + self.fips_validated_modules = kwargs.get('fips_validated_modules', None) class ConsoleProfile(msrest.serialization.Model): diff --git a/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_models_py3.py b/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_models_py3.py index ff2a8610b..690395f3d 100644 --- a/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_models_py3.py +++ b/python/client/azure/mgmt/redhatopenshift/v2021_09_01_preview/models/_models_py3.py @@ -103,6 +103,10 @@ class ClusterProfile(msrest.serialization.Model): :type version: str :param resource_group_id: The ID of the cluster resource group. :type resource_group_id: str + :param fips_validated_modules: If FIPS validated crypto modules are used. Possible values + include: "Disabled", "Enabled". + :type fips_validated_modules: str or + ~azure.mgmt.redhatopenshift.v2021_09_01_preview.models.FipsValidatedModules """ _attribute_map = { @@ -110,6 +114,7 @@ class ClusterProfile(msrest.serialization.Model): 'domain': {'key': 'domain', 'type': 'str'}, 'version': {'key': 'version', 'type': 'str'}, 'resource_group_id': {'key': 'resourceGroupId', 'type': 'str'}, + 'fips_validated_modules': {'key': 'fipsValidatedModules', 'type': 'str'}, } def __init__( 
@@ -119,6 +124,7 @@ class ClusterProfile(msrest.serialization.Model): domain: Optional[str] = None, version: Optional[str] = None, resource_group_id: Optional[str] = None, + fips_validated_modules: Optional[Union[str, "FipsValidatedModules"]] = None, **kwargs ): super(ClusterProfile, self).__init__(**kwargs) @@ -126,6 +132,7 @@ class ClusterProfile(msrest.serialization.Model): self.domain = domain self.version = version self.resource_group_id = resource_group_id + self.fips_validated_modules = fips_validated_modules class ConsoleProfile(msrest.serialization.Model): diff --git a/swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/preview/2021-09-01-preview/redhatopenshift.json b/swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/preview/2021-09-01-preview/redhatopenshift.json index c23f0e6f9..53d2cf1e7 100644 --- a/swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/preview/2021-09-01-preview/redhatopenshift.json +++ b/swagger/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/preview/2021-09-01-preview/redhatopenshift.json @@ -519,6 +519,10 @@ "resourceGroupId": { "description": "The ID of the cluster resource group.", "type": "string" + }, + "fipsValidatedModules": { + "$ref": "#/definitions/FipsValidatedModules", + "description": "If FIPS validated crypto modules are used" } } }, @@ -566,6 +570,14 @@ "modelAsString": true } }, + "FipsValidatedModules": { + "description": "FipsValidatedModules determines if FIPS is used.", + "enum": [ + "Disabled", + "Enabled" + ], + "type": "string" + }, "IngressProfile": { "description": "IngressProfile represents an ingress profile.", "type": "object", diff --git a/test/e2e/fips.go b/test/e2e/fips.go new file mode 100644 index 000000000..dcfe57b7f --- /dev/null +++ b/test/e2e/fips.go 
@@ -0,0 +1,56 @@
+package e2e
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+ "context"
+ "fmt"
+
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+ wFips = "99-worker-fips"
+ mFips = "99-master-fips"
+)
+
+var _ = Describe("Validate FIPS Mode", func() {
+ ctx := context.Background()
+ It("should be possible to retrieve FipsValidatedModules from cluster document", func() {
+ oc, err := clients.OpenshiftClustersv20210901preview.Get(ctx, vnetResourceGroup, clusterName)
+ Expect(err).NotTo(HaveOccurred())
+
+ // Check we retrieve FipsValidatedModules
+ clusterProfile := oc.ClusterProfile
+ Expect(clusterProfile).NotTo(BeNil())
+ Expect(string(clusterProfile.FipsValidatedModules)).To(Equal("Enabled"))
+
+ })
+ It("should be possible to validate fips master and worker machineconfigs exist", func() {
+ mcp, err := clients.MachineConfig.MachineconfigurationV1().MachineConfigPools().List(ctx, metav1.ListOptions{})
+ Expect(err).NotTo(HaveOccurred())
+ masterFips, workerFips := false, false
+ for _, m := range mcp.Items {
+ for _, mc := range m.Spec.Configuration.Source {
+ if mc.Name == wFips {
+ workerFips = true
+ }
+ if mc.Name == mFips {
+ masterFips = true
+ }
+ }
+ }
+ if !masterFips {
+ err = fmt.Errorf("FIPS machine configs not found on master")
+ }
+ Expect(err).NotTo(HaveOccurred())
+ if !workerFips {
+ err = fmt.Errorf("FIPS machine configs not found on worker")
+ }
+ Expect(err).NotTo(HaveOccurred())
+ })
+})
diff --git a/test/e2e/setup.go b/test/e2e/setup.go
index e83428441..cd4510bbc 100644
--- a/test/e2e/setup.go
+++ b/test/e2e/setup.go
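Review bot: The first spec asserts `Equal("Enabled")` unconditionally, but Create in pkg/util/cluster/cluster.go (same diff) creates the cluster with Disabled whenever ARO_FIPS_DISABLED is set, so on exactly those environments the e2e fails instead of checking that what was requested is what the API reports. Derive the expectation from the same switch, e.g. `want := "Enabled"` / `if os.Getenv("ARO_FIPS_DISABLED") != "" { want = "Disabled" }` and compare against `want` (this needs an `os` import); if the 99-*-fips MachineConfigs only exist on FIPS clusters, which I have not verified here, the second spec needs the same gating. Separately, setting `err = fmt.Errorf(...)` and then `Expect(err).NotTo(HaveOccurred())` is a roundabout assertion; `Expect(masterFips).To(BeTrue(), "FIPS machine configs not found on master")` says the same in one line, and likewise for workerFips. Finding those names in the pool sources shows the MCO rendered a FIPS config, not that nodes actually booted in FIPS mode, so if that is the guarantee the test is meant to give, a node-level check would be needed.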
@@ -15,6 +15,7 @@ import (
 "github.com/Azure/go-autorest/autorest/azure/auth"
 projectclient "github.com/openshift/client-go/project/clientset/versioned"
 maoclient "github.com/openshift/machine-api-operator/pkg/generated/clientset/versioned"
+ mcoclient "github.com/openshift/machine-config-operator/pkg/generated/clientset/versioned"
 "github.com/sirupsen/logrus"
 "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/rest"
@@ -45,11 +46,12 @@ type clientSet struct {
 ActivityLogs insights.ActivityLogsClient
 VirtualNetworks network.VirtualNetworksClient
 
- RestConfig *rest.Config
- Kubernetes kubernetes.Interface
- MachineAPI maoclient.Interface
- AROClusters aroclient.Interface
- Project projectclient.Interface
+ RestConfig *rest.Config
+ Kubernetes kubernetes.Interface
+ MachineAPI maoclient.Interface
+ MachineConfig mcoclient.Interface
+ AROClusters aroclient.Interface
+ Project projectclient.Interface
 }
 
 var (
@@ -106,6 +108,11 @@ func newClientSet(ctx context.Context) (*clientSet, error) {
 return nil, err
 }
 
+ mcocli, err := mcoclient.NewForConfig(restconfig)
+ if err != nil {
+ return nil, err
+ }
+
 projectcli, err := projectclient.NewForConfig(restconfig)
 if err != nil {
 return nil, err
@@ -127,11 +134,12 @@ func newClientSet(ctx context.Context) (*clientSet, error) {
 ActivityLogs: insights.NewActivityLogsClient(_env.Environment(), _env.SubscriptionID(), authorizer),
 VirtualNetworks: network.NewVirtualNetworksClient(_env.Environment(), _env.SubscriptionID(), authorizer),
 
- RestConfig: restconfig,
- Kubernetes: cli,
- MachineAPI: machineapicli,
- AROClusters: arocli,
- Project: projectcli,
+ RestConfig: restconfig,
+ Kubernetes: cli,
+ MachineAPI: machineapicli,
+ MachineConfig: mcocli,
+ AROClusters: arocli,
+ Project: projectcli,
 }, nil
 }