-
Notifications
You must be signed in to change notification settings - Fork 90
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[release-4.6] Bug 1899136: Stop vendoring the module_utils/crypto.py Ansible library #1459
Conversation
Remove the module_utils (and as a result, the module_utils.crypto.py library) directory in the meteringconfig Role. Previously, this was necessary in order to have Metering function on FIPS-enabled clusters as the crypto.py module was being utilized in the openssl-* Ansible modules. This library listed the md5 algorithm as FIPS-compliant, despite md5 not being FIPS-compliant in many FIPS standards. Now, this behavior has been patched upstream in Ansible (in versions greater than 2.9.6) so vendoring this library is no longer needed.
Update the metering-ansible-operator Dockerfile(s), ensuring that the minimum Ansible version is 2.9.6. The 2.9.6 version contains the patched crypto.py library that previously needed to be vendored in order to have Metering run on FIPS-enabled clusters. Note on the Dockerfile.metering-ansible-operator: by default, we inherit Ansible from the base image and there's problems with upgrading from Ansible 2.9 to 2.10 when using pip. In order to bypass that limitation, we can specify 2.9.6 as the lower bound and 2.10 as the upper bound. It likely doesn't matter what Ansible version we get, but we don't utilize any 2.10 functionality or haven't tested that release as-of-yet.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: timflannagan1 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@timflannagan1: This pull request references Bugzilla bug 1899136, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/bugzilla-refresh |
@timflannagan1: you cannot LGTM your own PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Oh right this was a manual cherrypick 🤦 |
/bugzilla refresh |
@timflannagan1: This pull request references Bugzilla bug 1899136, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 6 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Could we get some 👀 on this to get it moving? It looks like everything is good to go, except for a |
@trevor-viljoen It looks like this didn't make the pre-holiday z-stream release. We have dedicated people that act as "patch managers" that are responsible for marking the |
@trevor-viljoen Actually, I'll bump the |
/bugzilla refresh |
@timflannagan1: This pull request references Bugzilla bug 1899136, which is valid. 6 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@timflannagan1: This pull request references Bugzilla bug 1899136, which is valid. 6 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@trevor-viljoen Just a quick follow-up - it looks like this likely isn't getting tagged until next week due to a large 4.6 backlog + limited QE capacity. |
One of the e2e tests failed to be installed due to an OLM bug. /retest |
@timflannagan1: All pull requests linked via external trackers have merged: Bugzilla bug 1899136 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Manual cherry-pick of #1450
Remove the module_utils (and as a result, the module_utils.crypto.py library) directory in the meteringconfig Ansible Role.
Previously, this was necessary in order to have Metering function on FIPS-enabled clusters as the crypto.py module was being referenced in the openssl-* Ansible modules, which we namely use for generating certificates for the components in the stack. This library listed the md5 algorithm as FIPS-compliant, despite md5 not being FIPS-compliant in many FIPS standards, which resulted in our Ansible role failing (and therefore installations and upgrades to 4.6/4.7 will fail) when attempting to call any of the openssl-* modules.
Now, this behavior has been patched upstream in Ansible (in versions greater than 2.9.6) so vendoring this library is no longer needed.