HIVE-2559 [mce-2.5] FIPS backports

Dockerfile

@@ -1,18 +1,30 @@
 ARG CONTAINER_SUB_MANAGER_OFF=0
-ARG EL8_BUILD_IMAGE=registry.ci.openshift.org/ocp/builder:rhel-8-golang-1.20-openshift-4.15
-ARG EL9_BUILD_IMAGE=registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.20-openshift-4.15
-ARG BASE_IMAGE=registry.ci.openshift.org/ocp/4.15:base
+ARG EL8_BUILD_IMAGE=registry.ci.openshift.org/ocp/builder:rhel-8-golang-1.21-openshift-4.16
+ARG EL9_BUILD_IMAGE=registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.21-openshift-4.16
+ARG BASE_IMAGE=registry.ci.openshift.org/ocp/4.16:base-rhel9
 
 FROM ${EL8_BUILD_IMAGE} as builder_rhel8
 RUN mkdir -p /go/src/github.com/openshift/hive
 WORKDIR /go/src/github.com/openshift/hive
 COPY . .
 
+
 RUN if [ -e "/activation-key/org" ]; then unlink /etc/rhsm-host; subscription-manager register --org $(cat "/activation-key/org") --activationkey $(cat "/activation-key/activationkey"); fi
 RUN python3 -m ensurepip
-RUN make build
 RUN make build-hiveutil
 
+FROM ${EL9_BUILD_IMAGE} as builder_rhel9
+ARG CONTAINER_SUB_MANAGER_OFF
+RUN mkdir -p /go/src/github.com/openshift/hive
+WORKDIR /go/src/github.com/openshift/hive
+COPY . .
+
+ENV SMDEV_CONTAINER_OFF=${CONTAINER_SUB_MANAGER_OFF}
+RUN if [ -e "/activation-key/org" ]; then unlink /etc/rhsm-host; subscription-manager register --org $(cat "/activation-key/org") --activationkey $(cat "/activation-key/activationkey"); fi
+RUN python3 -m ensurepip
+RUN make build-hiveadmission build-manager build-operator && \
+  make build-hiveutil
+
 FROM ${BASE_IMAGE}
 ARG CONTAINER_SUB_MANAGER_OFF
 ENV SMDEV_CONTAINER_OFF=${CONTAINER_SUB_MANAGER_OFF}
@@ -30,10 +42,12 @@ RUN if ! rpm -q libvirt-libs; then dnf install -y libvirt-libs && dnf clean all
 # tar is needed to package must-gathers on install failure
 RUN if ! which tar; then dnf install -y tar && dnf clean all && rm -rf /var/cache/dnf/*; fi
 
-COPY --from=builder_rhel8 /go/src/github.com/openshift/hive/bin/manager /opt/services/
-COPY --from=builder_rhel8 /go/src/github.com/openshift/hive/bin/hiveadmission /opt/services/
-COPY --from=builder_rhel8 /go/src/github.com/openshift/hive/bin/operator /opt/services/hive-operator
-COPY --from=builder_rhel8 /go/src/github.com/openshift/hive/bin/hiveutil /usr/bin/hiveutil
+COPY --from=builder_rhel9 /go/src/github.com/openshift/hive/bin/manager /opt/services/
+COPY --from=builder_rhel9 /go/src/github.com/openshift/hive/bin/hiveadmission /opt/services/
+COPY --from=builder_rhel9 /go/src/github.com/openshift/hive/bin/operator /opt/services/hive-operator
+
+COPY --from=builder_rhel8 /go/src/github.com/openshift/hive/bin/hiveutil /usr/bin/hiveutil.rhel8
+COPY --from=builder_rhel9 /go/src/github.com/openshift/hive/bin/hiveutil /usr/bin/hiveutil
 
 # Hacks to allow writing known_hosts, homedir is / by default in OpenShift.
 # Bare metal installs need to write to $HOME/.cache, and $HOME/.ssh for as long as
@@ -44,16 +58,9 @@ RUN mkdir -p /home/hive && \
   chgrp -R 0 /home/hive && \
   chmod -R g=u /home/hive
 
-RUN mkdir -p /etc/pki/ca-trust/source/anchors && \
-  chgrp -R 0 /etc/pki/ca-trust/source/anchors && \
-  chmod -R g=u /etc/pki/ca-trust/source/anchors
-
-# This is so that we can run update-ca-trust during container start up.
-RUN mkdir -p /etc/pki/ca-trust/extracted/openssl && \
-  mkdir -p /etc/pki/ca-trust/extracted/pem && \
-  mkdir -p /etc/pki/ca-trust/extracted/java && \
-  chgrp -R 0 /etc/pki/ca-trust/extracted && \
-  chmod -R g=u /etc/pki/ca-trust/extracted
+RUN mkdir -p /output/hive-trusted-cabundle && \
+  chgrp -R 0 /output/hive-trusted-cabundle && \
+  chmod -R g=u /output/hive-trusted-cabundle
 
 # replace removed symlink when using activation-key
 RUN if [ -e "/activation-key/org" ]; then ln -s /etc/rhsm-host /run/secrets/rhsm ; fi

contrib/pkg/utils/generic.go

@@ -26,7 +26,7 @@ import (
 )
 
 const (
-	caTrustDir = "/etc/pki/ca-trust/source/anchors/"
+	caTrustDir = "/output/hive-trusted-cabundle/"
 )
 
 type releasePayload struct {
@@ -250,10 +250,4 @@ func InstallCerts(sourceDir string) {
 		logger.WithError(err).WithField("output", string(b)).Fatal("failed to copy certs")
 	}
 	logger.WithField("output", string(b)).Info("copied certs")
-
-	b, err = exec.Command("update-ca-trust").CombinedOutput()
-	if err != nil {
-		logger.WithError(err).WithField("output", string(b)).Fatal("failed to update CA trust")
-	}
-	logger.WithField("output", string(b)).Info("updated CA trust")
 }

hack/app-sre/generate-saas-template.py

@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 
 import os
 import sys

hack/app_sre_build_deploy.sh

@@ -99,7 +99,7 @@ else
 fi
 
 # build the image
-CONTAINER_BUILD_FLAGS="--file ./Dockerfile.ubi" make IMG="$IMG" GO_REQUIRED_MIN_VERSION:= docker-build
+CONTAINER_BUILD_FLAGS="--file ./Dockerfile" make IMG="$IMG" GO_REQUIRED_MIN_VERSION:= docker-build
 
 # push the image
 make IMG="$IMG" docker-push

hack/bundle-gen.py

@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 
 import argparse
 import datetime

hack/e2e-common.sh

@@ -139,7 +139,9 @@ function save_hive_logs() {
   done
   # Let's try to save any prov/deprov pod logs
   oc get po -A -l hive.openshift.io/install=true -o custom-columns=:.metadata.namespace,:.metadata.name --no-headers | while read ns po; do
-    oc logs -n $ns $po -c hive > ${ARTIFACT_DIR}/${ns}-${po}.log
+    oc logs -n $ns $po -c hive > ${ARTIFACT_DIR}/${ns}-${po}-hive.log
+    oc logs -n $ns $po -c installer > ${ARTIFACT_DIR}/${ns}-${po}-installer.log
+
   done
   oc get po -A -l hive.openshift.io/uninstall=true -o custom-columns=:.metadata.namespace,:.metadata.name --no-headers | while read ns po; do
     oc logs -n $ns $po > ${ARTIFACT_DIR}/${ns}-${po}.log
@@ -265,12 +267,12 @@ function capture_cluster_logs() {
     # Capture install logs
     if IMAGESET_JOB_NAME=$(oc get job -l "hive.openshift.io/cluster-deployment-name=${CLUSTER_NAME},hive.openshift.io/imageset=true" -o name -n ${CLUSTER_NAMESPACE}) && [ "${IMAGESET_JOB_NAME}" ]
     then
-        oc logs -c hive -n ${CLUSTER_NAMESPACE} ${IMAGESET_JOB_NAME} &> "${ARTIFACT_DIR}/hive_imageset_job.log" || true
+        oc logs -c installer -n ${CLUSTER_NAMESPACE} ${IMAGESET_JOB_NAME} &> "${ARTIFACT_DIR}/hive_imageset_job.log" || true
         oc get ${IMAGESET_JOB_NAME} -n ${CLUSTER_NAMESPACE} -o yaml &> "${ARTIFACT_DIR}/hive_imageset_job.yaml" || true
     fi
     if INSTALL_JOB_NAME=$(oc get job -l "hive.openshift.io/cluster-deployment-name=${CLUSTER_NAME},hive.openshift.io/install=true" -o name -n ${CLUSTER_NAMESPACE}) && [ "${INSTALL_JOB_NAME}" ]
     then
-        oc logs -c hive -n ${CLUSTER_NAMESPACE} ${INSTALL_JOB_NAME} &> "${ARTIFACT_DIR}/hive_install_job.log" || true
+        oc logs -c installer -n ${CLUSTER_NAMESPACE} ${INSTALL_JOB_NAME} &> "${ARTIFACT_DIR}/hive_install_job.log" || true
         oc get ${INSTALL_JOB_NAME} -n ${CLUSTER_NAMESPACE} -o yaml &> "${ARTIFACT_DIR}/hive_install_job.yaml" || true
     fi
     echo "************* INSTALL JOB LOG *************"

hack/statuspatch

@@ -117,7 +117,7 @@ fi
 
 # Proxy through a unix socket so we don't have to dork with ports
 socket=$patchfile.sock
-python -c "import os, socket as s; s.socket(s.AF_UNIX).bind('$socket')"
+/usr/bin/env python3 -c "import os, socket as s; s.socket(s.AF_UNIX).bind('$socket')"
 oc proxy -u $socket &
 # TODO: Better way to wait for the socket to spin up
 sleep 1

pkg/controller/clusterdeployment/clusterdeployment_controller_test.go

@@ -688,7 +688,7 @@ func TestClusterDeploymentReconcile(t *testing.T) {
 				if assert.Len(t, provisions, 1, "expected exactly one ClusterProvision") {
 					podSpec := provisions[0].Spec.PodSpec
 					if assert.Len(t, podSpec.InitContainers, 1, "expected exactly one initContainer") {
-						assert.Equal(t, "installer", podSpec.InitContainers[0].Name, "expected the initContainer to be 'installer'")
+						assert.Equal(t, "hive", podSpec.InitContainers[0].Name, "expected the initContainer to be 'hive'")
 					}
 				}
 			},

pkg/imageset/updateinstaller.go

@@ -167,13 +167,9 @@ func (o *UpdateInstallerImageOptions) Run() (returnErr error) {
 		o.log.WithField("installerImage", installerImage).Info("installer image overridden")
 	} else {
 		// Glean the installer image from the release metadata
-		installerTagName := "installer"
-		// If this is a bare metal install, we need to get the openshift-install binary from a different image with
-		// bare metal functionality compiled in. The binary is named the same and in the same location, so after swapping
-		// out what image to get it from, we can proceed with the code as we normally would.
-		if cd.Spec.Platform.BareMetal != nil {
-			installerTagName = "baremetal-installer"
-		}
+		// "baremetal-installer" is the legacy name for the fips compliant installer image
+		installerTagName := "baremetal-installer"
+
 		// Override annotation is allowed to override baremetal-installer too
 		if cd.Annotations != nil {
 			if override := cd.Annotations[constants.OverrideInstallerImageNameAnnotation]; override != "" {

pkg/imageset/updateinstaller_test.go

@@ -47,41 +47,28 @@ func TestUpdateInstallerImageCommand(t *testing.T) {
 			name:                      "successful execution",
 			existingClusterDeployment: testClusterDeployment(),
 			images: map[string]string{
-				"installer": testInstallerImage,
-				"cli":       testCLIImage,
+				"baremetal-installer": testInstallerImage,
+				"cli":                 testCLIImage,
 			},
 			validateClusterDeployment: validateSuccessfulExecution(testInstallerImage, testCLIImage, ""),
 		},
 		{
 			name:                      "failure execution missing cli",
 			existingClusterDeployment: testClusterDeployment(),
 			images: map[string]string{
-				"installer": testInstallerImage,
+				"baremetal-installer": testInstallerImage,
 			},
 			validateClusterDeployment: validateFailureExecution("could not get cli image"),
 			expectError:               true,
 		},
 		{
 			name:                      "successful execution after failure",
 			existingClusterDeployment: testClusterDeploymentWithErrorCondition(),
-			images: map[string]string{
-				"installer": testInstallerImage,
-				"cli":       testCLIImage,
-			},
-			validateClusterDeployment: validateSuccessfulExecution(testInstallerImage, testCLIImage, installerImageResolvedReason),
-		},
-		{
-			name: "successful execution baremetal platform",
-			existingClusterDeployment: func() *hivev1.ClusterDeployment {
-				cd := testClusterDeployment()
-				cd.Spec.Platform.BareMetal = &baremetal.Platform{}
-				return cd
-			}(),
 			images: map[string]string{
 				"baremetal-installer": testInstallerImage,
 				"cli":                 testCLIImage,
 			},
-			validateClusterDeployment: validateSuccessfulExecution(testInstallerImage, testCLIImage, ""),
+			validateClusterDeployment: validateSuccessfulExecution(testInstallerImage, testCLIImage, installerImageResolvedReason),
 		},
 		{
 			name: "installer image name override",
@@ -118,8 +105,8 @@ func TestUpdateInstallerImageCommand(t *testing.T) {
 			name:                      "successful execution with version in release metadata",
 			existingClusterDeployment: testClusterDeployment(),
 			images: map[string]string{
-				"installer": testInstallerImage,
-				"cli":       testCLIImage,
+				"baremetal-installer": testInstallerImage,
+				"cli":                 testCLIImage,
 			},
 			version:                   testReleaseVersion,
 			validateClusterDeployment: validateSuccessfulExecution(testInstallerImage, testCLIImage, ""),
@@ -137,17 +124,17 @@ func TestUpdateInstallerImageCommand(t *testing.T) {
 			name:                      "CLI image domain copied from installer image",
 			existingClusterDeployment: testClusterDeploymentWithCLIDomainCopy(),
 			images: map[string]string{
-				"installer": testInstallerImage,
-				"cli":       cliImageWithDifferentDomain,
+				"baremetal-installer": testInstallerImage,
+				"cli":                 cliImageWithDifferentDomain,
 			},
 			validateClusterDeployment: validateSuccessfulExecution(testInstallerImage, "registry.io/foo/cli:blah", ""),
 		},
 		{
 			name:                      "copy requested, invalid installer image",
 			existingClusterDeployment: testClusterDeploymentWithCLIDomainCopy(),
 			images: map[string]string{
-				"installer": "invalid image",
-				"cli":       cliImageWithDifferentDomain,
+				"baremetal-installer": "invalid image",
+				"cli":                 cliImageWithDifferentDomain,
 			},
 			validateClusterDeployment: validateFailureExecution("invalid installer image"),
 			expectError:               true,
@@ -156,8 +143,8 @@ func TestUpdateInstallerImageCommand(t *testing.T) {
 			name:                      "copy requested, invalid cli image",
 			existingClusterDeployment: testClusterDeploymentWithCLIDomainCopy(),
 			images: map[string]string{
-				"installer": testInstallerImage,
-				"cli":       "invalid image",
+				"baremetal-installer": testInstallerImage,
+				"cli":                 "invalid image",
 			},
 			validateClusterDeployment: validateFailureExecution("invalid cli image"),
 			expectError:               true,