USHIFT-2210: Run FIPS tests on RPM and ostree-based RHEL 9.4 systems

[ggiguash]

The FIPS blueprint customization is not supported for edge-commits, so it cannot be used in image-installer due to the current MicroShift bluepring organization. Instead, we explicitly pass fips=1 when booting the VM and call fips-mode-setup in kickstart.

The following message is produced by fips-mode-setup command when run in kickstart.

Setting system policy to FIPS
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies to fully take place.
FIPS mode will be enabled.
Now you need to configure the bootloader to add kernel options "fips=1 boot=UUID=<your-boot-device-uuid>" and reboot the system for the setting to take effect.

Since we are using microshift-source-isolated images for FIPS tests, I had to upgrade those to run RHEL 9.4 OS and fix the dependent scenarios to use these upgraded images. This is anyway part of the work we are doing on RHEL 9.4 transition (CC: @copejon)

[openshift-ci-robot]

@ggiguash: This pull request references USHIFT-2210 which is a valid jira issue.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@ggiguash: This pull request references USHIFT-2210 which is a valid jira issue.

In response to this:

The FIPS blueprint customization is not supported for edge-commits, so it cannot be used due to the current MicroShift bluepring organization. Instead, we explicitly pass fips=1 when booting the VM, and call fips-mode-setup in kickstart.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@ggiguash: This pull request references USHIFT-2210 which is a valid jira issue.

In response to this:

The FIPS blueprint customization is not supported for edge-commits, so it cannot be used due to the current MicroShift bluepring organization. Instead, we explicitly pass fips=1 when booting the VM and call fips-mode-setup in kickstart.

Since we are using microshift-source-isolated images for FIPS tests, I had to upgrade those to run RHEL 9.4 OS and fix the dependent scenarios to use these upgraded images. This is anyway part of the work we are doing on RHEL 9.4 transition (CC: @copejon)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ggiguash]

/test ?

[openshift-ci]

@ggiguash: The following commands are available to trigger required jobs:

• /test images
• /test metal-bootc-test
• /test metal-bootc-test-arm
• /test metal-periodic-test
• /test metal-periodic-test-arm
• /test microshift-metal-cache
• /test microshift-metal-cache-arm
• /test microshift-metal-tests
• /test microshift-metal-tests-arm
• /test ocp-conformance-rhel-eus
• /test ocp-conformance-rhel-eus-arm
• /test test-rpm
• /test test-unit
• /test verify

The following commands are available to trigger optional jobs:

• /test test-rebase

Use /test all to run the following jobs that were automatically triggered:

• pull-ci-openshift-microshift-main-images
• pull-ci-openshift-microshift-main-metal-bootc-test
• pull-ci-openshift-microshift-main-metal-bootc-test-arm
• pull-ci-openshift-microshift-main-metal-periodic-test
• pull-ci-openshift-microshift-main-metal-periodic-test-arm
• pull-ci-openshift-microshift-main-microshift-metal-tests
• pull-ci-openshift-microshift-main-microshift-metal-tests-arm
• pull-ci-openshift-microshift-main-test-unit
• pull-ci-openshift-microshift-main-verify

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ggiguash]

/test metal-periodic-test

[ggiguash]

/test verify

[openshift-ci-robot]

@ggiguash: This pull request references USHIFT-2210 which is a valid jira issue.

In response to this:

The FIPS blueprint customization is not supported for edge-commits, so it cannot be used due to the current MicroShift bluepring organization. Instead, we explicitly pass fips=1 when booting the VM and call fips-mode-setup in kickstart.

The following message is produced by fips-mode-setup command when run in kickstart.

Setting system policy to FIPS
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies to fully take place.
FIPS mode will be enabled.
Now you need to configure the bootloader to add kernel options "fips=1 boot=UUID=<your-boot-device-uuid>" and reboot the system for the setting to take effect.

Since we are using microshift-source-isolated images for FIPS tests, I had to upgrade those to run RHEL 9.4 OS and fix the dependent scenarios to use these upgraded images. This is anyway part of the work we are doing on RHEL 9.4 transition (CC: @copejon)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@ggiguash: This pull request references USHIFT-2210 which is a valid jira issue.

In response to this:

The FIPS blueprint customization is not supported for edge-commits, so it cannot be used in image-installer due to the current MicroShift bluepring organization. Instead, we explicitly pass fips=1 when booting the VM and call fips-mode-setup in kickstart.

The following message is produced by fips-mode-setup command when run in kickstart.

Setting system policy to FIPS
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies to fully take place.
FIPS mode will be enabled.
Now you need to configure the bootloader to add kernel options "fips=1 boot=UUID=<your-boot-device-uuid>" and reboot the system for the setting to take effect.

Since we are using microshift-source-isolated images for FIPS tests, I had to upgrade those to run RHEL 9.4 OS and fix the dependent scenarios to use these upgraded images. This is anyway part of the work we are doing on RHEL 9.4 transition (CC: @copejon)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ggiguash]

/assign @copejon @eslutsky

[copejon]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: copejon, ggiguash

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [copejon,ggiguash]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@ggiguash: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.