✨ WIP: Add the FIPS field to the RosaControlPlane CR, and add tests.#5873
✨ WIP: Add the FIPS field to the RosaControlPlane CR, and add tests.#5873tinaafitz wants to merge 12 commits intokubernetes-sigs:mainfrom
Conversation
|
Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
kind/feature
k8s-ci-robot
added
needs-rebase
|
Hi @tinaafitz. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
size/L
tinaafitz
force-pushed
the
add_fips_support
branch
from
b549921 to
6ed9935
Compare
k8s-ci-robot
added
needs-rebase
tinaafitz
force-pushed
the
add_fips_support
branch
from
6ed9935 to
62769f2
Compare
k8s-ci-robot
removed
the
needs-rebase
|
Hi @serngawy, Changes made. Please review. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
| FIPSEnabled FIPS = "Enabled" | ||
|
|
||
| // FIPSDisabled disables FIPS mode (default) | ||
| FIPSDisabled FIPS = "Disabled" |
There was a problem hiding this comment.
| FIPSDisabled FIPS = "Disabled" | |
| Disabled FIPS = "Disabled" |
| ) | ||
|
|
||
| // FIPS specifies the FIPS mode for the ROSA Control Plane. | ||
| type FIPS string |
There was a problem hiding this comment.
can we generalize this enum, it is similar to autoNode. lets make it as state so in future can be re-used with any boolean kind of fields
| type FIPS string | |
| type mode/state string |
| AWSCreator: creator, | ||
| AuditLogRoleARN: ptr.To(controlPlaneSpec.AuditLogRoleARN), | ||
| ExternalAuthProvidersEnabled: controlPlaneSpec.EnableExternalAuthProviders, | ||
| FIPS: controlPlaneSpec.FIPS == "Enabled", |
There was a problem hiding this comment.
compare with the enum type created above
| }) | ||
|
|
||
| // Test case 3: Zero value FIPS (should be false) | ||
| t.Run("FIPS Zero Value", func(t *testing.T) { |
There was a problem hiding this comment.
I think this similar to the above test-case , why duplication ?
There was a problem hiding this comment.
Hi @serngawy, this test case differs in that the controlPlaneSpec FIPSfield is not provided. The first test sets FIPS to Enabled, the second to Disabled, and the third doesn't set it.
Updated TestBuildOCMClusterSpec test cases to pass nil for roleConfig and rosaNet parameters to match the current function signature.
tinaafitz
force-pushed
the
add_fips_support
branch
from
e4e62e6 to
b22c01d
Compare
|
/ok-to-test |
k8s-ci-robot
added
the
ok-to-test
k8s-ci-robot
removed
the
needs-ok-to-test
|
The CAPA code only enables etcd encryption if a KMS ARN is provided: OCM requires etcd encryption to be enabled when FIPS is enabled. The rosa CLI (v1.2.59) requires a KMS ARN for etcd encryption on ROSA HCP clusters. When you use From rosa help: The help text says: I added the validation below to ensure the KMS ARN is set when FIPS is enabled. Updated Documentation 
|
|
@serngawy, Please review. |
| } | ||
| } | ||
|
|
||
| // Validate FIPS requirements |
There was a problem hiding this comment.
Based on the discussion this is not true, enable ectd-encryption and fips doesn't requires kmsARN
|
/retest |
Fixed Gomega instance scoping in TestBuildOCMClusterSpec to prevent "subtest may have called FailNow on a parent test" error. Moved NewWithT(t) from function level into each subtest so each has its own Gomega instance bound to the correct *testing.T. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Remove the validation that requires etcdEncryptionKMSARN when FIPS is enabled. The validation contradicts: 1. Rosa CLI documentation - etcd-encryption-kms-arn is OPTIONAL 2. Developer comment stating "fips doesn't requires kmsARN" 3. Implementation code which already enables etcd encryption when FIPS is enabled The implementation at line 1198 correctly handles FIPS: - Enables etcd encryption when FIPS is enabled OR KMS ARN is provided - Passes KMS ARN to OCM if provided (optional enhancement) This allows users to enable FIPS with default etcd encryption without requiring them to create and manage a custom KMS key. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
|
@tinaafitz: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| } | ||
|
|
||
| // Validate FIPS requirements | ||
| if rosaControlPlane.Spec.FIPS == rosacontrolplanev1.Enabled && rosaControlPlane.Spec.EtcdEncryptionKMSARN == "" { |
There was a problem hiding this comment.
please move this check to the webhook validation
| RoleARN: installerRoleARN, | ||
| SupportRoleARN: supportRoleARN, | ||
| WorkerRoleARN: workerRoleARN, | ||
| OperatorIAMRoles: operatorRoles, | ||
| OidcConfigId: oidcConfigID, |
| } | ||
| } | ||
|
|
||
| // Determine role ARNs source - either from RoleConfig or manual configuration |
There was a problem hiding this comment.
not sure why you adding this part ?
3 participants
/kind feature
The acceptance criteria states that the FIPS state can only be selected at cluster install time