OCPBUGS-27023: add infrastructure annotations

[alebedev87]

According to the Red Hat Operator's Best practices the infrastructure annotations are now required. The old "infrastructure-features" annotation is deprecated hence I removed it.

[openshift-ci-robot]

@alebedev87: This pull request references Jira Issue OCPBUGS-27023, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.16.0) matches configured target version for branch (4.16.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lihongan

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

According to the Red Hat Operator's Best practices the infrastructure annotations are now required. The old "infrastructure-features" annotation is deprecated hence I removed it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[alebedev87]

/retest

[Miciah]

Can you describe in the commit message why you are adding the additional capabilities, and cite the relevant commits or Jira tickets related to the newly added capabilities?

[alebedev87]

The commit message changed.

[candita]

/assign
/assign @Miciah

[lihongan]

The fips bug OCPBUGS-14846 has been fixed by PR #99 but that's for latest v1.1.0.
If this PR is back ported to old release then we need to update this annotation to "false" I think.

[alebedev87]

Got catch! Yes, I'll need to backport this PR down to 1.0. So the 1.0 PR needs to have fips-compliant set to false.

[Miciah]

I just want to double-check that this is correct.

We set CGO_ENABLED=0 in the Dockerfile:

aws-load-balancer-operator/Dockerfile

Line 17 in 1a2c320

RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager main.go

We don't set CGO_ENABLED in the Makefile:

aws-load-balancer-operator/Makefile

Line 178 in 1a2c320

go build -mod=vendor -o bin/manager main.go

The Dockerfile is referenced here: https://github.com/openshift/release/blob/8703107e5b40d8559b2d7858350a88e3634762a6/ci-operator/config/openshift/aws-load-balancer-operator/openshift-aws-load-balancer-operator-main.yaml#L17

Do we use the Dockerfile or the Makefile? Is CGO_ENABLED set or not, and if it is, to what value?

My understanding based on openshift/external-dns-operator#213 (comment), is that we need CGO_ENABLED=1 (or maybe not setting CGO_ENABLED at all is sufficient?) in order to use OpenSSL, and using OpenSSL (from UBI) is sufficient to claim FIPS compliance using the features.operators.openshift.io/fips-compliant: "true" annotation. Do I understand correctly?

[Miciah]

(By the way, aws-load-balancer-controller doesn't specify CGO_ENABLED at all in its Dockerfile or Makefile.)

[alebedev87]

Do we use the Dockerfile or the Makefile?

You found the right CI config, we use Dockerfile to build the operator image which is then added to the OLM bundle which in turn is deployed for each e2e test.

Is CGO_ENABLED set or not, and if it is, to what value?

It's set to 0 which means that we use a statically built operator for the e2e tests. Also the users of the GitHub version of ALBO may use Dockerfile and build not FIPS compliant operator binary. Then what we deliver to the customers is built on CPaaS where we don't set CGO_ENABLED so the operator is built for the dynamic linkage.

My understanding based on openshift/external-dns-operator#213 (comment), is that we need CGO_ENABLED=1 (or maybe not setting CGO_ENABLED at all is sufficient?) in order to use OpenSSL, and using OpenSSL (from UBI) is sufficient to claim FIPS compliance using the features.operators.openshift.io/fips-compliant: "true" annotation. Do I understand correctly?

Default value for CGO_ENABLED is 1, so it's enough to not set it. Whether the UBI image is fine the FIPS compliance or not is not 100% clear to me. I tend to say yes as it's RHEL based. Asked a question in FIPS workshop slides.

Let me remove CGO_ENABLED=0 from Dockerfile.

[alebedev87]

CGO_ENABLED=0 removed from Dockerfile.

[alebedev87]

#133 fixed the FIPS compliance for ALBO. I think we have the right to set true now.

[alebedev87]

/retest

[alebedev87]

/test e2e-aws-proxy-operator

[Miciah]

Hm, maybe removing CGO_ENABLED=0 was not the right thing to do. CI is now failing, with the aws-load-balancer-operator-controller-manager pod logging the following:

/manager: /lib64/libc.so.6: version `GLIBC_2.32' not found (required by /manager)
/manager: /lib64/libc.so.6: version `GLIBC_2.34' not found (required by /manager)

---

By the way, is there any reason not to set terminationMessagePolicy: FallbackToLogsOnError on all pod containers? David Eads has been making that change to a lot of other operators (see OCPBUGS-28230) in order to make this sort of failure a little easier to spot, so I just now posted #131 to do the same for this operator.

[Miciah]

Oh, do we need to resolve OCPBUGS-24653 aws-load-balancer-operator fails FIPS check-payload scan before we can specify features.operators.openshift.io/fips-compliant: "true"?

[candita]

Only proxy-aware is set as a true infrastructure features in the previous version. Can you explain why you mark token-auth-aws and fips-compliant as true here?

[Miciah]

The commit message now explains why these features are marked as true.

[candita]

What a phrase - "human obliviousness" !

[alebedev87]

/test e2e-aws-proxy-operator

[alebedev87]

e2e-aws-rosa-operator is failing due to an ongoing issue with the OCP 4.16 candidate integration into ROSA.

[alebedev87]

A link to OCPBUGS-24653 has been added to the commit message.

[Miciah]

Thanks!
/approve
/lgtm
/hold
for @candita.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Miciah

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Miciah]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[alebedev87]

/test e2e-aws-rosa-operator

[candita]

LGTM
/unhold

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 5d9d2fa and 2 for PR HEAD 167b573 in total

[openshift-ci]

@alebedev87: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-ci-robot]

@alebedev87: Jira Issue OCPBUGS-27023: All pull requests linked via external trackers have merged:

• openshift/aws-load-balancer-operator#128

Jira Issue OCPBUGS-27023 has been moved to the MODIFIED state.

In response to this:

According to the Red Hat Operator's Best practices the infrastructure annotations are now required. The old "infrastructure-features" annotation is deprecated hence I removed it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.