-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCPBUGS-27023: add infrastructure annotations #128
OCPBUGS-27023: add infrastructure annotations #128
Conversation
@alebedev87: This pull request references Jira Issue OCPBUGS-27023, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/retest |
d1894d4
to
5562c83
Compare
features.operators.openshift.io/disconnected: "true" | ||
features.operators.openshift.io/fips-compliant: "true" | ||
features.operators.openshift.io/proxy-aware: "true" | ||
features.operators.openshift.io/tls-profiles: "false" | ||
features.operators.openshift.io/token-auth-aws: "true" | ||
features.operators.openshift.io/token-auth-azure: "false" | ||
features.operators.openshift.io/token-auth-gcp: "false" | ||
olm.skipRange: <1.1.0 | ||
operatorframework.io/suggested-namespace: aws-load-balancer-operator | ||
operators.openshift.io/infrastructure-features: '["proxy-aware"]' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you describe in the commit message why you are adding the additional capabilities, and cite the relevant commits or Jira tickets related to the newly added capabilities?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The commit message changed.
/assign |
@@ -66,9 +66,15 @@ metadata: | |||
} | |||
] | |||
capabilities: Basic Install | |||
features.operators.openshift.io/disconnected: "true" | |||
features.operators.openshift.io/fips-compliant: "true" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The fips bug OCPBUGS-14846 has been fixed by PR #99 but that's for latest v1.1.0.
If this PR is back ported to old release then we need to update this annotation to "false" I think.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got catch! Yes, I'll need to backport this PR down to 1.0. So the 1.0 PR needs to have fips-compliant
set to false
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just want to double-check that this is correct.
We set CGO_ENABLED=0
in the Dockerfile:
aws-load-balancer-operator/Dockerfile
Line 17 in 1a2c320
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager main.go |
We don't set CGO_ENABLED
in the Makefile:
aws-load-balancer-operator/Makefile
Line 178 in 1a2c320
go build -mod=vendor -o bin/manager main.go |
The Dockerfile is referenced here: https://github.com/openshift/release/blob/8703107e5b40d8559b2d7858350a88e3634762a6/ci-operator/config/openshift/aws-load-balancer-operator/openshift-aws-load-balancer-operator-main.yaml#L17
Do we use the Dockerfile or the Makefile? Is CGO_ENABLED
set or not, and if it is, to what value?
My understanding based on openshift/external-dns-operator#213 (comment), is that we need CGO_ENABLED=1
(or maybe not setting CGO_ENABLED
at all is sufficient?) in order to use OpenSSL, and using OpenSSL (from UBI) is sufficient to claim FIPS compliance using the features.operators.openshift.io/fips-compliant: "true"
annotation. Do I understand correctly?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(By the way, aws-load-balancer-controller doesn't specify CGO_ENABLED
at all in its Dockerfile or Makefile.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we use the Dockerfile or the Makefile?
You found the right CI config, we use Dockerfile
to build the operator image which is then added to the OLM bundle which in turn is deployed for each e2e test.
Is CGO_ENABLED set or not, and if it is, to what value?
It's set to 0
which means that we use a statically built operator for the e2e tests. Also the users of the GitHub version of ALBO may use Dockerfile
and build not FIPS compliant operator binary. Then what we deliver to the customers is built on CPaaS where we don't set CGO_ENABLED
so the operator is built for the dynamic linkage.
My understanding based on openshift/external-dns-operator#213 (comment), is that we need CGO_ENABLED=1 (or maybe not setting CGO_ENABLED at all is sufficient?) in order to use OpenSSL, and using OpenSSL (from UBI) is sufficient to claim FIPS compliance using the features.operators.openshift.io/fips-compliant: "true" annotation. Do I understand correctly?
Default value for CGO_ENABLED
is 1
, so it's enough to not set it. Whether the UBI image is fine the FIPS compliance or not is not 100% clear to me. I tend to say yes as it's RHEL based. Asked a question in FIPS workshop slides.
Let me remove CGO_ENABLED=0
from Dockerfile
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CGO_ENABLED=0
removed from Dockerfile.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
#133 fixed the FIPS compliance for ALBO. I think we have the right to set true
now.
5562c83
to
76a9c5e
Compare
/retest |
7c71eac
to
c1eb9e4
Compare
/test e2e-aws-proxy-operator |
Hm, maybe removing
By the way, is there any reason not to set |
Oh, do we need to resolve OCPBUGS-24653 aws-load-balancer-operator fails FIPS check-payload scan before we can specify |
features.operators.openshift.io/fips-compliant: "true" | ||
features.operators.openshift.io/proxy-aware: "true" | ||
features.operators.openshift.io/tls-profiles: "false" | ||
features.operators.openshift.io/token-auth-aws: "true" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only proxy-aware
is set as a true infrastructure features in the previous version. Can you explain why you mark token-auth-aws
and fips-compliant
as true here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The commit message now explains why these features are marked as true.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What a phrase - "human obliviousness" !
7430a8e
to
b61fb56
Compare
/test e2e-aws-proxy-operator |
|
The downstream (Red Hat) OLM requires a new set of annotations to describe the features supported by Red Hat operators. This commit introduces the necessary changes to implement these annotations, aiming to enhance the user experience when customers use the OperatorHub in the OpenShift cluster. The previous convention used the "infrastructure-features" annotation as a mere list, lacking a way to differentiate between deliberate absence of a value and human obliviousness. This limitation led to its deprecation. With the new set of annotations, we address this issue. During the transition, the old list was mapped to the new set of annotations, with some of the new features set to "false" as they are not yet implemented. The "token-auth-aws" feature is set to "true", as it is addressed in the context of the STS standardization effort(https://issues.redhat.com/browse/NE-1307). The "fips-compliant" feature is set to "true" following verification during the resolution of https://issues.redhat.com/browse/OCPBUGS-14846 and https://issues.redhat.com//browse/OCPBUGS-24653.
b61fb56
to
167b573
Compare
A link to OCPBUGS-24653 has been added to the commit message. |
Thanks! |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Miciah The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/test e2e-aws-rosa-operator |
LGTM |
@alebedev87: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
@alebedev87: Jira Issue OCPBUGS-27023: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-27023 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
According to the Red Hat Operator's Best practices the infrastructure annotations are now required. The old "infrastructure-features" annotation is deprecated hence I removed it.