CMP-4180: Replace deprecated fips-mode-setup with kernel flag for FIPS check #77037

Merged: openshift-merge-bot[bot] merged 1 commit into openshift:main from xiaojiey:fix-fips-check-retry on Mar 31, 2026

xiaojiey (Contributor) commented Mar 30, 2026

This commit adds:

  • Replace deprecated fips-mode-setup with kernel flag for FIPS check

  • Use /proc/sys/crypto/fips_enabled instead of fips-mode-setup command,
    which is deprecated and not available on RHCOS10+.

  • Select only Ready master nodes and add error handling to fail explicitly
    if no Ready node is found or if FIPS status cannot be determined.

The test PR is available at: #77038
Per the test job, it works.
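
The check described in the comment above, as an added example that is not the PR's own script: it reads the kernel flag instead of calling fips-mode-setup, selects only a Ready master, and fails explicitly when the status cannot be determined. The function names are hypothetical, the node listing is constructed sample data, and skipping cordoned nodes is an assumption of this example.

```shell
#!/usr/bin/env bash
# Added example (not the PR's script). Function names are hypothetical.

# Constructed sample of `oc get nodes --no-headers` output:
# NAME  STATUS  ROLES  AGE  VERSION
SAMPLE_NODES='master-0 NotReady control-plane,master 10d v1.31.0
master-1 Ready control-plane,master 10d v1.31.0
worker-0 Ready worker 10d v1.31.0'

# Print the first master whose STATUS is exactly "Ready"; exit 1 if none.
# Cordoned nodes ("Ready,SchedulingDisabled") are skipped: an assumption here.
pick_ready_master() {
  awk '$2 == "Ready" {
         n = split($3, roles, ",")
         for (i = 1; i <= n; i++)
           if (roles[i] == "master") { print $1; found = 1; exit }
       }
       END { exit !found }'
}

# Map the kernel flag to true/false. Anything other than 0 or 1 (empty
# output, stray text) is an explicit failure, never silently "false".
parse_fips_flag() {
  local raw
  raw=$(printf '%s' "$1" | tr -d '[:space:]')
  case "$raw" in
    1) echo true ;;
    0) echo false ;;
    *) echo "cannot determine FIPS status from: '$1'" >&2; return 1 ;;
  esac
}

# Live check: needs a logged-in `oc`. Defined only, not called here.
check_cluster_fips() {
  local node out
  node=$(oc get nodes --no-headers | pick_ready_master) || {
    echo "no Ready master node found" >&2; return 1; }
  out=$(oc debug "node/${node}" -- chroot /host \
        cat /proc/sys/crypto/fips_enabled 2>/dev/null) || {
    echo "oc debug failed on ${node}" >&2; return 1; }
  parse_fips_flag "$out"
}
```

Treating an unreadable flag as an error rather than as "FIPS off" keeps a broken probe from steering FIPS-specific test steps down the wrong path.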

@openshift-ci openshift-ci bot requested review from dgoodwin and smg247 March 30, 2026 03:52
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 30, 2026
@xiaojiey xiaojiey force-pushed the fix-fips-check-retry branch 3 times, most recently from 97fcc2d to 72dce3a Compare March 30, 2026 08:57
@xiaojiey xiaojiey changed the title Add retry mechanism with Ready node selection for FIPS check CMP-4180: Add retry mechanism with Ready node selection for FIPS check Mar 30, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 30, 2026

openshift-ci-robot commented Mar 30, 2026

@xiaojiey: This pull request references CMP-4180 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

The fips-mode-setup check can fail transiently due to:

  • Node NotReady status or maintenance
  • oc debug pod scheduling delays
  • Temporary network issues

This commit adds:

  • Retry mechanism with 3 attempts and 10 second delays
  • Selection of only Ready master nodes on each attempt
  • Proper handling of non-zero exit codes from fips-mode-setup
  • Validation that a Ready node exists before attempting debug
  • Failure detection to exit with error if FIPS status cannot be determined after all retries

The test PR is available at: #77038

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@xiaojiey
Contributor Author

/retest

openshift-ci-robot commented Mar 30, 2026

@xiaojiey: This pull request references CMP-4180 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

The fips-mode-setup check can fail transiently due to:

  • Node NotReady status or maintenance
  • not supported in rhcos10

This commit adds:

  • Retry mechanism with 3 attempts and 10 second delays
  • Selection of only Ready master nodes on each attempt
  • Failure detection to exit with error if FIPS status cannot be determined after all retries

The test PR is available at: #77038

openshift-ci-robot commented Mar 30, 2026

@xiaojiey: This pull request references CMP-4180 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

The fips-mode-setup check can fail transiently due to:

  • Node NotReady status or maintenance
  • not supported in rhcos10

This commit adds:

  • Retry mechanism with 3 attempts and 10 second delays
  • Selection of only Ready master nodes on each attempt
  • Failure detection to exit with error if FIPS status cannot be determined after all retries

The test PR is available at: #77038
Per the test job, it works.

@xiaojiey
Contributor Author

/retest

Use /proc/sys/crypto/fips_enabled instead of fips-mode-setup command,
which is deprecated and not available on RHCOS10+.

Select only Ready master nodes and add error handling to fail explicitly
if no Ready node is found or if FIPS status cannot be determined.
@xiaojiey xiaojiey force-pushed the fix-fips-check-retry branch from 72dce3a to 63bfc3e Compare March 30, 2026 12:02

openshift-ci-robot commented Mar 30, 2026

@xiaojiey: This pull request references CMP-4180 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

The fips-mode-setup check can fail transiently due to:

  • Node NotReady status or maintenance
  • not supported in rhcos10

This commit adds:

  • Replace deprecated fips-mode-setup with kernel flag for FIPS check

  • Use /proc/sys/crypto/fips_enabled instead of fips-mode-setup command,
    which is deprecated and not available on RHCOS10+.

  • Select only Ready master nodes and add error handling to fail explicitly
    if no Ready node is found or if FIPS status cannot be determined.

The test PR is available at: #77038
Per the test job, it works.

openshift-ci-robot commented Mar 30, 2026

@xiaojiey: This pull request references CMP-4180 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This commit adds:

  • Replace deprecated fips-mode-setup with kernel flag for FIPS check

  • Use /proc/sys/crypto/fips_enabled instead of fips-mode-setup command,
    which is deprecated and not available on RHCOS10+.

  • Select only Ready master nodes and add error handling to fail explicitly
    if no Ready node is found or if FIPS status cannot be determined.

The test PR is available at: #77038
Per the test job, it works.

@openshift-ci-robot
Contributor

[REHEARSALNOTIFIER]
@xiaojiey: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
pull-ci-openshift-cincinnati-operator-master-operator-e2e-new-ocp-published-graph-data-fips openshift/cincinnati-operator presubmit Registry content changed
pull-ci-openshift-cluster-etcd-operator-release-4.12-e2e-gcp-qe-no-capabilities openshift/cluster-etcd-operator presubmit Registry content changed
pull-ci-openshift-cluster-etcd-operator-release-4.11-e2e-gcp-qe-no-capabilities openshift/cluster-etcd-operator presubmit Registry content changed
pull-ci-openshift-secrets-store-csi-driver-main-e2e-vault-fips openshift/secrets-store-csi-driver presubmit Registry content changed
pull-ci-openshift-secrets-store-csi-driver-release-5.0-e2e-vault-fips openshift/secrets-store-csi-driver presubmit Registry content changed
pull-ci-openshift-secrets-store-csi-driver-release-4.23-e2e-vault-fips openshift/secrets-store-csi-driver presubmit Registry content changed
pull-ci-openshift-secrets-store-csi-driver-release-4.22-e2e-vault-fips openshift/secrets-store-csi-driver presubmit Registry content changed
pull-ci-openshift-secrets-store-csi-driver-release-4.21-e2e-vault-fips openshift/secrets-store-csi-driver presubmit Registry content changed
pull-ci-openshift-secrets-store-csi-driver-release-4.20-e2e-vault-fips openshift/secrets-store-csi-driver presubmit Registry content changed
pull-ci-openshift-cli-manager-main-e2e-aws-operator openshift/cli-manager presubmit Registry content changed
pull-ci-openshift-cli-manager-release-5.0-e2e-aws-operator openshift/cli-manager presubmit Registry content changed
pull-ci-openshift-cli-manager-release-4.23-e2e-aws-operator openshift/cli-manager presubmit Registry content changed
pull-ci-openshift-cli-manager-release-4.22-e2e-aws-operator openshift/cli-manager presubmit Registry content changed
pull-ci-openshift-cli-manager-release-4.21-e2e-aws-operator openshift/cli-manager presubmit Registry content changed
pull-ci-openshift-cli-manager-release-4.20-e2e-aws-operator openshift/cli-manager presubmit Registry content changed
pull-ci-openshift-cli-manager-release-4.19-e2e-aws-operator openshift/cli-manager presubmit Registry content changed
pull-ci-openshift-cli-manager-release-4.18-e2e-aws-operator openshift/cli-manager presubmit Registry content changed
pull-ci-openshift-cli-manager-release-4.17-e2e-aws-operator openshift/cli-manager presubmit Registry content changed
pull-ci-openshift-cli-manager-release-4.16-e2e-aws-operator openshift/cli-manager presubmit Registry content changed
pull-ci-rh-ecosystem-edge-recert-main-e2e-aws-ovn-single-node-recert-openshift-e2e-test-qe rh-ecosystem-edge/recert presubmit Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.21-e2e-aws-ovn-single-node-recert-openshift-e2e-test-qe rh-ecosystem-edge/recert presubmit Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.20-e2e-aws-ovn-single-node-recert-openshift-e2e-test-qe rh-ecosystem-edge/recert presubmit Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.19-e2e-aws-ovn-single-node-recert-openshift-e2e-test-qe rh-ecosystem-edge/recert presubmit Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.18-e2e-aws-ovn-single-node-recert-openshift-e2e-test-qe rh-ecosystem-edge/recert presubmit Registry content changed
pull-ci-rh-ecosystem-edge-recert-release-4.17-e2e-aws-ovn-single-node-recert-openshift-e2e-test-qe rh-ecosystem-edge/recert presubmit Registry content changed

A total of 2634 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@Anna-Koudelkova
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 30, 2026

openshift-ci bot commented Mar 30, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Anna-Koudelkova, xiaojiey

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@xiaojiey
Contributor Author

/retest

@xiaojiey
Contributor Author

/pj-rehearse ack

@openshift-ci-robot
Contributor

@xiaojiey: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci-robot openshift-ci-robot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Mar 31, 2026
@xiaojiey xiaojiey changed the title CMP-4180: Add retry mechanism with Ready node selection for FIPS check CMP-4180: Replace deprecated fips-mode-setup with kernel flag for FIPS check Mar 31, 2026

openshift-ci bot commented Mar 31, 2026

@xiaojiey: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot bot merged commit 169d9cf into openshift:main Mar 31, 2026
9 checks passed