Step: fips-check

This step checks whether FIPS mode is enabled on every node of the cluster (by reading /proc/sys/crypto/fips_enabled from a debug pod on each node) and exits non-zero if any node disagrees with the value of the ${FIPS_ENABLED} parameter: with FIPS_ENABLED=true every node must report 1, otherwise every node must report 0.

Container image used for this step: cli

cli resolves to an image built or imported by the ci-operator configuration.

Environment

In addition to the default environment, the step exposes the following:

Variable Name  Type       Variable Content
FIPS_ENABLED   Parameter  Whether the cluster nodes are expected to have FIPS mode enabled; the step passes only if every node's /proc/sys/crypto/fips_enabled matches (default: false)

Source Code

#!/bin/bash

set -o nounset
set -o errexit
set -o pipefail


# Comma-separated list of all node names in the cluster.
get_nodes=$(oc --request-timeout=60s get nodes -o jsonpath --template '{range .items[*]}{.metadata.name}{","}{end}')

IFS="," read -r -a nodes <<< "$get_nodes"

# Iterate by index so the node name is available for the messages below.
num_nodes="${#nodes[@]}"
# TODO: This must be replaced by code that waits for all the expected number
# of nodes to be ready.
for (( i=0; i<num_nodes; i++ )); do
  # fips_enabled is a kernel-wide sysctl, so reading it from the debug pod's
  # /proc reflects the state of the node's kernel. The debug pod may not start
  # on the first try, so retry a few times before giving up on the node.
  attempt=0
  while true; do
      out=$(oc --request-timeout=60s -n default debug node/"${nodes[i]}" -- cat /proc/sys/crypto/fips_enabled || true)
      if [[ -n "${out}" ]]; then
          break
      fi
      attempt=$(( attempt + 1 ))
      if [[ $attempt -gt 3 ]]; then
          break
      fi
      echo "command failed, $(( 4 - attempt )) retries left"
      sleep 5
  done
  if [[ -z "${out}" ]]; then
    echo "oc debug node/${nodes[i]} failed"
    exit 1
  fi
  # Compare the kernel's value with the expectation expressed by FIPS_ENABLED.
  if [[ "${FIPS_ENABLED:-}" == "true" ]]; then
    if [[ "${out}" -ne 1 ]]; then
      echo "fips not enabled in node ${nodes[i]} but should be, exiting"
      exit 1
    fi
    echo "fips-check passed for node ${nodes[i]}: fips is enabled."
  else
    if [[ "${out}" -ne 0 ]]; then
      echo "fips is enabled in node ${nodes[i]} but should not be, exiting"
      exit 1
    fi
  fi
done
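
The following is an added example, not the step's code and not part of the openshift/release repository: the decision logic of the script above factored into functions that can be exercised without a cluster. The probe is injected through PROBE_CMD (a hook chosen here), fake_probe returns constructed readings for made-up node names, and probe_with_retries, evaluate_node and check_cluster are names introduced for this example. oc_probe wraps the exact oc debug invocation the step runs and is the only part that needs a real cluster.

```bash
#!/bin/bash
# Added example, not the fips-check step's own code: the per-node decision of
# fips-check factored into functions that can be exercised offline. The probe
# is injected through PROBE_CMD (a hypothetical hook) so no cluster is needed;
# oc_probe below is the command the real step runs.
set -o nounset
set -o errexit
set -o pipefail

# The real probe: fips_enabled is a kernel-wide sysctl, so reading it from the
# debug pod's /proc reflects the node's kernel. Needs a cluster and `oc`.
oc_probe() {
  oc --request-timeout=60s -n default debug node/"$1" -- cat /proc/sys/crypto/fips_enabled
}

# Constructed stand-in for oc_probe with a fixed set of made-up node names.
# worker-flaky prints nothing on its first call (as a failed `oc debug` would)
# and 1 afterwards, to exercise the retry path.
FLAKY_MARK="$(mktemp)"; rm -f "${FLAKY_MARK}"
fake_probe() {
  case "$1" in
    master-0|worker-0) echo 1 ;;
    worker-1)          echo 0 ;;
    worker-flaky) if [[ -e "${FLAKY_MARK}" ]]; then echo 1; else : > "${FLAKY_MARK}"; fi ;;
    *) return 1 ;;   # unknown node: the debug pod never came up
  esac
}
PROBE_CMD="${PROBE_CMD:-fake_probe}"
RETRY_SLEEP="${RETRY_SLEEP:-5}"   # seconds between attempts, as in the step

# Retry the probe up to $2 times (default 4, like the step) until it prints
# something. Prints the first non-empty output; returns 1 if every attempt failed.
probe_with_retries() {
  local node="$1" max="${2:-4}" attempt=0 out
  while (( attempt < max )); do
    out=$("${PROBE_CMD}" "${node}" 2>/dev/null || true)
    if [[ -n "${out}" ]]; then
      printf '%s\n' "${out}"
      return 0
    fi
    attempt=$(( attempt + 1 ))
    if (( attempt < max )); then
      echo "probe of ${node} failed, $(( max - attempt )) retries left" >&2
      sleep "${RETRY_SLEEP}"
    fi
  done
  return 1
}

# Compare one node's fips_enabled reading with the FIPS_ENABLED parameter.
# Returns 0 on a match, 1 on a mismatch, 2 if the reading is not a 0/1 sysctl
# value (guards against empty or unexpected probe output).
evaluate_node() {
  local node="$1" expect_fips="$2" value="$3"
  case "${value}" in
    0|1) ;;
    *) echo "unexpected fips_enabled value '${value}' on node ${node}" >&2; return 2 ;;
  esac
  if [[ "${expect_fips}" == "true" && "${value}" -ne 1 ]]; then
    echo "fips not enabled in node ${node} but should be" >&2; return 1
  fi
  if [[ "${expect_fips}" != "true" && "${value}" -ne 0 ]]; then
    echo "fips is enabled in node ${node} but should not be" >&2; return 1
  fi
  echo "fips-check passed for node ${node}: fips_enabled=${value}"
  return 0
}

# Run the check over a comma-separated node list (the shape the step's
# `oc get nodes -o jsonpath` template produces). Returns 0 only if every node passes.
check_cluster() {
  local node_list="$1" expect_fips="${2:-false}" node out
  local -a nodes
  IFS="," read -r -a nodes <<< "${node_list}"
  for node in "${nodes[@]}"; do
    if [[ -z "${node}" ]]; then continue; fi
    if ! out=$(probe_with_retries "${node}"); then
      echo "oc debug node/${node} failed" >&2
      return 1
    fi
    evaluate_node "${node}" "${expect_fips}" "${out}" || return $?
  done
  return 0
}

# Demo on the constructed nodes: a FIPS cluster whose nodes all report 1.
check_cluster "master-0,worker-0," true && echo "fips-check passed"
```

Against a real cluster, set PROBE_CMD=oc_probe and pass the output of the step's oc get nodes template together with the FIPS_ENABLED value as the two arguments of check_cluster; a non-zero return from check_cluster is what the step turns into exit 1.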

Properties

Property Value Description
Resource requests (cpu) 10m Used in .resources.requests of the pod running this step.
Resource requests (memory) 100Mi Used in .resources.requests of the pod running this step.

GitHub Link:

https://github.com/openshift/release/blob/master/ci-operator/step-registry/fips-check/fips-check-ref.yaml

Owners:

Approvers:
