@miguelhbrito miguelhbrito commented Jun 5, 2025

From -i:
mipereir@mipereir-thinkpadp1gen4i:~/myprojects/ocm-cli$ ./ocm create cluster -i
? Cluster name: mipereir-fips
? Subscription type: standard (Annual: Fixed capacity subscription from Red Hat)
? Cloud provider: gcp
? CCS: Yes
? Authentication type: Workload Identity Federation (WIF)
? WIF configuration: mipereir-stg (2j75tie8m8bofi0q4g338pql5isfjpuf)
? Region: us-east1
? Multiple AZ: No
? Secure boot support for Shielded VMs: No
? Use Custom KMS Keys (optional): No
? Enable FIPS cryptography: Yes
? OpenShift version: [Use arrows to move, type to filter, ? for more help]

mipereir@mipereir-thinkpadp1gen4i:~/myprojects/ocm-cli$ ./ocm create cluster -i
? Cluster name: mipereir-fips
? Subscription type: standard (Annual: Fixed capacity subscription from Red Hat)
? Cloud provider: gcp
? CCS: Yes
? Authentication type: Workload Identity Federation (WIF)
? WIF configuration: mipereir-stg (2j75tie8m8bofi0q4g338pql5isfjpuf)
? Region: us-east1
? Multiple AZ: No
? Secure boot support for Shielded VMs: No
? Use Custom KMS Keys (optional): No
? Enable FIPS cryptography: No
? Enable additional etcd encryption: [? for help] (y/N)

From --help:
--etcd-encryption Add more encryption for OpenShift and Kubernetes API resources.
--fips Install a cluster that uses FIPS Validated / Modules in Process cryptographic libraries on the x86_64 architecture.

mipereir@mipereir-thinkpadp1gen4i:~/myprojects/ocm-cli$ ./ocm create cluster mipereir-fips --provider=gcp --ccs --region=us-east1 --version=openshift-v4.18.5 --wif-config=mipereir-stg --fips=true --etcd-encryption=false
Error: When FIPS mode is enabled, etcd encryption cannot be disabled

mipereir@mipereir-thinkpadp1gen4i:~/myprojects/ocm-cli$ ./ocm create cluster mipereir-fips --provider=gcp --ccs --region=us-east1 --version=openshift-v4.18.5 --wif-config=mipereir-stg --fips=true --dry-run
dry run: Would be successful.
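
Added example, not part of the PR or of the ocm-cli code base: one way to enforce the rule the runs above demonstrate, using Go's standard `flag` package rather than the CLI's own flag library. The function name `resolveEncryption` and the behaviour of switching etcd encryption on when `--fips` is given alone are assumptions made for illustration.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"io"
)

// Error text copied from the CLI output shown in the PR comment.
var ErrFIPSRequiresEtcd = errors.New("When FIPS mode is enabled, etcd encryption cannot be disabled")

// resolveEncryption parses the two flags and returns the effective settings.
// Assumption: FIPS implies etcd encryption, so it is switched on when omitted.
func resolveEncryption(args []string) (fips, etcd bool, err error) {
	fs := flag.NewFlagSet("create-cluster", flag.ContinueOnError)
	fs.SetOutput(io.Discard) // parse errors are returned, not printed
	fs.BoolVar(&fips, "fips", false, "install with FIPS cryptography")
	fs.BoolVar(&etcd, "etcd-encryption", false, "additional etcd encryption")
	if err = fs.Parse(args); err != nil {
		return false, false, err
	}
	// Visit only reports flags the user actually passed, which separates
	// "--etcd-encryption=false" from "flag not given".
	etcdGiven := false
	fs.Visit(func(f *flag.Flag) {
		if f.Name == "etcd-encryption" {
			etcdGiven = true
		}
	})
	if fips {
		if etcdGiven && !etcd {
			return fips, etcd, ErrFIPSRequiresEtcd // reject the explicit downgrade
		}
		etcd = true
	}
	return fips, etcd, nil
}

func main() {
	for _, args := range [][]string{
		{"--fips=true", "--etcd-encryption=false"},
		{"--fips=true"},
		{"--etcd-encryption=false"},
	} {
		fips, etcd, err := resolveEncryption(args)
		fmt.Printf("%v -> fips=%t etcd=%t err=%v\n", args, fips, etcd, err)
	}
}
```

Checking whether the flag was passed, instead of only reading its value, is what lets `--fips=true` on its own succeed while an explicit `--etcd-encryption=false` is refused.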

@openshift-ci openshift-ci bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 5, 2025
openshift-ci bot commented Jun 5, 2025

Hi @miguelhbrito. Thanks for your PR.

I'm waiting for an openshift-online member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@ckandag ckandag self-requested a review June 5, 2025 18:44
@miguelhbrito miguelhbrito force-pushed the fips-encryption-flag-cli branch from 97c8f8f to 8e1d180 Compare June 5, 2025 19:51
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jun 5, 2025
ckandag commented Jun 5, 2025

/lgtm

@ckandag ckandag added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 5, 2025
openshift-ci bot commented Jun 5, 2025

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: ckandag, miguelhbrito

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ckandag ckandag merged commit 35d31f6 into openshift-online:main Jun 6, 2025
5 of 7 checks passed
ckandag added a commit that referenced this pull request Jun 10, 2025
-f95acd1 Update github.com/golang/groupcache digest to 2c02b82
-a4c0ee2 Update github.com/jackc/pgservicefile digest to 5a60cdf
-2f87995 Update Konflux references (#734)
-4a1708e updates to konflux pipeline for 1.0.5 (#756)
-687527d Bump github.com/openshift-online/ocm-sdk-go from 0.1.463 to 0.1.465
-de7adc6 remove marketplace-rhm option from subscription-type options (#773)
-436ff34 secure-boot-for-shielded-vms flag for create machinepool (#778)
-3440bb5 OCM-15127 | Add make binary in ocm-cli image (#779)
-64ca7ac secure-boot-for-shielded-vms flag tests (#780)
-822e0f2 Bump github.com/MicahParks/jwkset from 0.5.20 to 0.7.0 (#728)
-8474de0 Update Konflux references
-2ecdf68 Bump github.com/spf13/cobra from 1.7.0 to 1.9.1 (#748)
-ea64448 Bump github.com/golang/glog from 1.2.4 to 1.2.5
-3cbf8aa Release v1.0.6 (#790)
-f9b671f update github actions (#792)
-35d31f6 added new flag fips (#793)
-2fd22f3 Prefix group to sre pricipal when configuring gcp-wifconfig (#794)
-345d4da fix subscription type param (#795)
-34330bb fix subscription type options (#804)