Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[release-4.6] Bug 1899136: Stop vendoring the module_utils/crypto.py Ansible library #1459

Merged
merged 2 commits into from
Jan 27, 2021
Merged

[release-4.6] Bug 1899136: Stop vendoring the module_utils/crypto.py Ansible library #1459

merged 2 commits into from
Jan 27, 2021

Conversation

timflannagan
Copy link
Member

@timflannagan timflannagan commented Dec 7, 2020
edited

Manual cherry-pick of #1450

Remove the module_utils (and as a result, the module_utils.crypto.py library) directory in the meteringconfig Ansible Role.

Previously, this was necessary in order to have Metering function on FIPS-enabled clusters as the crypto.py module was being referenced in the openssl-* Ansible modules, which we namely use for generating certificates for the components in the stack. This library listed the md5 algorithm as FIPS-compliant, despite md5 not being FIPS-compliant in many FIPS standards, which resulted in our Ansible role failing (and therefore installations and upgrades to 4.6/4.7 will fail) when attempting to call any of the openssl-* modules.

Now, this behavior has been patched upstream in Ansible (in versions greater than 2.9.6) so vendoring this library is no longer needed.

@timflannagan
images: Avoid vendoring the crpyto.py Ansible module utilities
b3e3280 
Remove the module_utils (and as a result, the module_utils.crypto.py library) directory in the meteringconfig Role.

Previously, this was necessary in order to have Metering function on FIPS-enabled clusters as the crypto.py module was being utilized in the openssl-* Ansible modules. This library listed the md5 algorithm as FIPS-compliant, despite md5 not being FIPS-compliant in many FIPS standards.

Now, this behavior has been patched upstream in Ansible (in versions greater than 2.9.6) so vendoring this library is no longer needed.
@timflannagan
Dockerfile: Ensure that Ansible 2.9.6+ is installed in the container
b3ca5d5 
Update the metering-ansible-operator Dockerfile(s), ensuring that the minimum Ansible version is 2.9.6.

The 2.9.6 version contains the patched crypto.py library that previously needed to be vendored in order to have Metering run on FIPS-enabled clusters.

Note on the Dockerfile.metering-ansible-operator: by default, we inherit Ansible from the base image and there's problems with upgrading from Ansible 2.9 to 2.10 when using pip. In order to bypass that limitation, we can specify 2.9.6 as the lower bound and 2.10 as the upper bound. It likely doesn't matter what Ansible version we get, but we don't utilize any 2.10 functionality or haven't tested that release as-of-yet.
@openshift-ci-robot openshift-ci-robot added bugzilla/severity-low bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. labels Dec 7, 2020
@openshift-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: timflannagan1

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot
Copy link

@timflannagan1: This pull request references Bugzilla bug 1899136, which is invalid:

  • expected dependent Bugzilla bug 1900125 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), but it is ON_QA instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

[release-4.6] Bug 1899136: Stop vendoring the module_utils/crypto.py Ansible library

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 7, 2020
@timflannagan
Copy link
Member Author

/bugzilla-refresh
/lgtm

@openshift-ci-robot
Copy link

@timflannagan1: you cannot LGTM your own PR.

In response to this:

/bugzilla-refresh
/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@timflannagan
Copy link
Member Author

@timflannagan1: you cannot LGTM your own PR.

Oh right this was a manual cherrypick 🤦

@timflannagan
Copy link
Member Author

/bugzilla refresh

@openshift-ci-robot openshift-ci-robot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Dec 11, 2020
@openshift-ci-robot
Copy link

@timflannagan1: This pull request references Bugzilla bug 1899136, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.6.z) matches configured target release for branch (4.6.z)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
  • dependent bug Bugzilla bug 1900125 is in the state VERIFIED, which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA))
  • dependent Bugzilla bug 1900125 targets the "4.7.0" release, which is one of the valid target releases: 4.7.0
  • bug has dependents

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot removed the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Dec 11, 2020
@timflannagan timflannagan added the lgtm Indicates that a PR is ready to be merged. label Dec 12, 2020
@trevor-viljoen
Copy link

Could we get some 👀 on this to get it moving? It looks like everything is good to go, except for a cherry-pick-approved label.

@timflannagan
Copy link
Member Author

@trevor-viljoen It looks like this didn't make the pre-holiday z-stream release. We have dedicated people that act as "patch managers" that are responsible for marking the cherry-pick-approved label on PRs that are backported to already released versions of OCP components. Because the BZ attached to this backported PR is low, it likely doesn't get attention over other bugs from other components. I'd recommend bumping the priority so this gets into the next release.

@timflannagan
Copy link
Member Author

timflannagan commented Jan 12, 2021
edited

@trevor-viljoen Actually, I'll bump the priority severity now to high and get in touch with the next patch manager as I've been getting pinged quite a bit about this BZ merging for a couple of weeks now.

@timflannagan
Copy link
Member Author

/bugzilla refresh

@openshift-ci-robot
Copy link

@timflannagan1: This pull request references Bugzilla bug 1899136, which is valid.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.6.z) matches configured target release for branch (4.6.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
  • dependent bug Bugzilla bug 1900125 is in the state VERIFIED, which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA))
  • dependent Bugzilla bug 1900125 targets the "4.7.0" release, which is one of the valid target releases: 4.7.0
  • bug has dependents

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot
Copy link

@timflannagan1: This pull request references Bugzilla bug 1899136, which is valid.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.6.z) matches configured target release for branch (4.6.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
  • dependent bug Bugzilla bug 1900125 is in the state VERIFIED, which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA))
  • dependent Bugzilla bug 1900125 targets the "4.7.0" release, which is one of the valid target releases: 4.7.0
  • bug has dependents

In response to this:

[release-4.6] Bug 1899136: Stop vendoring the module_utils/crypto.py Ansible library

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@timflannagan
Copy link
Member Author

@trevor-viljoen Just a quick follow-up - it looks like this likely isn't getting tagged until next week due to a large 4.6 backlog + limited QE capacity.

@jwforres jwforres added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Jan 27, 2021
@timflannagan
Copy link
Member Author

One of the e2e tests failed to be installed due to an OLM bug.

/retest

@openshift-merge-robot openshift-merge-robot merged commit 721ab2f into kube-reporting:release-4.6 Jan 27, 2021
@openshift-ci-robot
Copy link

@timflannagan1: All pull requests linked via external trackers have merged:

Bugzilla bug 1899136 has been moved to the MODIFIED state.

In response to this:

[release-4.6] Bug 1899136: Stop vendoring the module_utils/crypto.py Ansible library

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@timflannagan timflannagan deleted the release-4.6-stop-vendoring-ansible-crypto-module-utils branch February 16, 2021 18:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bentito bentito Awaiting requested review from bentito

@EmilyM1 EmilyM1 Awaiting requested review from EmilyM1

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. bugzilla/severity-high bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@timflannagan @openshift-ci-robot @trevor-viljoen @jwforres @openshift-merge-robot