From e7fa4d801300d28ccc245f72ffe680b12700ab55 Mon Sep 17 00:00:00 2001 From: Amber Brown Date: Wed, 22 Jan 2025 13:18:15 +1100 Subject: [PATCH 1/5] allow setting of the podman pull policy --- pkg/containerinstall/install.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pkg/containerinstall/install.go b/pkg/containerinstall/install.go index b7e4d35a452..a0e602b8c95 100644 --- a/pkg/containerinstall/install.go +++ b/pkg/containerinstall/install.go @@ -40,11 +40,16 @@ var ( ) func (m *manager) Install(ctx context.Context, sub *api.SubscriptionDocument, doc *api.OpenShiftClusterDocument, version *api.OpenShiftVersion) error { + pullPolicy := os.Getenv("ARO_PODMAN_PULL_POLICY") + if pullPolicy == "" { + pullPolicy = "always" + } + s := []steps.Step{ steps.Action(func(context.Context) error { options := (&images.PullOptions{}). WithQuiet(true). - WithPolicy("always"). + WithPolicy(pullPolicy). WithUsername(m.pullSecret.Username). WithPassword(m.pullSecret.Password) From da050093a891299f90a1b1003795bda010605d0e Mon Sep 17 00:00:00 2001 From: Amber Brown Date: Thu, 23 Jan 2025 14:33:34 +1100 Subject: [PATCH 2/5] 4.16.26 --- pkg/util/version/const.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/util/version/const.go b/pkg/util/version/const.go index 8681449d965..c4e7d0eaf9f 100644 --- a/pkg/util/version/const.go +++ b/pkg/util/version/const.go 
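Review bot: The value of `ARO_PODMAN_PULL_POLICY` is passed to `WithPolicy(pullPolicy)` in `Install` without validation, and as far as this hunk shows the override is not limited to development mode. A typo is presumably rejected only when the pull runs, and a setting such as `never` or `missing` lets the installer run from whatever image is already in local storage, which is only safe if that image is referenced by digest (not visible here). I would check the value against the policies podman accepts (`always`, `missing`, `newer`, `never`) before building the steps, return an error on anything else, and log the effective policy when it is not `always`. A comment on the lookup such as `// ARO_PODMAN_PULL_POLICY overrides the default "always" pull policy; intended for local development` would record the intent. `Install` continues past the end of the hunk.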
@@ -34,8 +34,8 @@ type Stream struct { // This default is left here ONLY for use by local development mode, // until we can come up with a better solution. var DefaultInstallStream = Stream{ - Version: NewVersion(4, 15, 35), - PullSpec: "quay.io/openshift-release-dev/ocp-release@sha256:8c8433f95d09b051e156ff638f4ccc95543918c3aed92b8c09552a8977a2a1a2", + Version: NewVersion(4, 16, 26), + PullSpec: "quay.io/openshift-release-dev/ocp-release@sha256:7ecc9d14151c7d16a04aec8103ba6c32fd424898e45b7a09e9bc861ccf895eab", } // FluentbitImage contains the location of the Fluentbit container image From b5640c9324e034eb5c122167624e4b33608f5aba Mon Sep 17 00:00:00 2001 From: Amber Brown Date: Thu, 23 Jan 2025 19:39:50 +1100 Subject: [PATCH 3/5] try 27 --- pkg/util/version/const.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/util/version/const.go b/pkg/util/version/const.go index c4e7d0eaf9f..eff01757f9f 100644 --- a/pkg/util/version/const.go +++ b/pkg/util/version/const.go @@ -34,8 +34,8 @@ type Stream struct { // This default is left here ONLY for use by local development mode, // until we can come up with a better solution. var DefaultInstallStream = Stream{ - Version: NewVersion(4, 16, 26), - PullSpec: "quay.io/openshift-release-dev/ocp-release@sha256:7ecc9d14151c7d16a04aec8103ba6c32fd424898e45b7a09e9bc861ccf895eab", + Version: NewVersion(4, 16, 27), + PullSpec: "quay.io/openshift-release-dev/ocp-release@sha256:efc3a4f3db634bc6733dcad71cd57040da05c5f203df9447fa7f7a1a9067fa39", } // FluentbitImage contains the location of the Fluentbit container image From f083bb870d3d18d011561d11724a301464c4c1c2 Mon Sep 17 00:00:00 2001 From: Amber Brown Date: Fri, 24 Jan 2025 12:03:48 +1100 Subject: [PATCH 4/5] don't do fips mode in local dev only --- pkg/util/cluster/cluster.go | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/pkg/util/cluster/cluster.go b/pkg/util/cluster/cluster.go index 7390eb1a677..e39ac4d57fe 100644 
--- a/pkg/util/cluster/cluster.go +++ b/pkg/util/cluster/cluster.go @@ -363,8 +363,15 @@ func (c *Cluster) Create(ctx context.Context, vnetResourceGroup, clusterName str } } + fipsMode := true + + // Don't install with FIPS in a local dev, non-CI environment + if !c.ci && env.IsLocalDevelopmentMode() { + fipsMode = false + } + c.log.Info("creating cluster") - err = c.createCluster(ctx, vnetResourceGroup, clusterName, appDetails.applicationId, appDetails.applicationSecret, diskEncryptionSetID, visibility, osClusterVersion) + err = c.createCluster(ctx, vnetResourceGroup, clusterName, appDetails.applicationId, appDetails.applicationSecret, diskEncryptionSetID, visibility, osClusterVersion, fipsMode) if err != nil { return err 
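Review bot: Nothing records that FIPS was turned off when `!c.ci && env.IsLocalDevelopmentMode()` holds in `Create`, so a cluster built without FIPS-validated modules looks the same in the logs as one built with them. I would put the decision in the existing log line, e.g. `c.log.Infof("creating cluster (fips validated modules: %t)", fipsMode)` if `c.log` offers a formatted variant, or add a separate warning inside the branch. The comment says what is skipped but not why; one sentence giving the reason would keep the exception from being copied to other environments. The name `fipsMode` is a bool here and an api constant in `createCluster` in the next hunk, so `fipsEnabled` for the bool would keep the two apart. `Create` starts and ends outside the hunk.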
@@ -516,14 +523,19 @@ func (c *Cluster) Delete(ctx context.Context, vnetResourceGroup, clusterName str // createCluster created new clusters, based on where it is running. // development - using preview api // production - using stable GA api -func (c *Cluster) createCluster(ctx context.Context, vnetResourceGroup, clusterName, clientID, clientSecret, diskEncryptionSetID string, visibility api.Visibility, osClusterVersion string) error { +func (c *Cluster) createCluster(ctx context.Context, vnetResourceGroup, clusterName, clientID, clientSecret, diskEncryptionSetID string, visibility api.Visibility, osClusterVersion string, fipsEnabled bool) error { + fipsMode := api.FipsValidatedModulesDisabled + if fipsEnabled { + fipsMode = api.FipsValidatedModulesEnabled + } + // using internal representation for "singe source" of options oc := api.OpenShiftCluster{ Properties: api.OpenShiftClusterProperties{ ClusterProfile: api.ClusterProfile{ Domain: strings.ToLower(clusterName), ResourceGroupID: fmt.Sprintf("/subscriptions/%s/resourceGroups/%s", c.env.SubscriptionID(), "aro-"+clusterName), - FipsValidatedModules: api.FipsValidatedModulesEnabled, + FipsValidatedModules: fipsMode, Version: osClusterVersion, PullSecret: api.SecureString(os.Getenv("USER_PULL_SECRET")), }, From 9c53b3bb0fd2381215c87fd287c65825d4ab2963 Mon Sep 17 00:00:00 2001 From: Amber Brown Date: Fri, 24 Jan 2025 12:19:53 +1100 Subject: [PATCH 5/5] test 4.16.30 --- pkg/util/version/const.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/util/version/const.go b/pkg/util/version/const.go index eff01757f9f..74e77957cd4 100644 --- a/pkg/util/version/const.go +++ b/pkg/util/version/const.go 
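Review bot: The doc comment above `createCluster` is not updated for the new `fipsEnabled` parameter, and a trailing bare `bool` after eight other positional arguments is easy to get wrong at a call site. I would add `// fipsEnabled selects api.FipsValidatedModulesEnabled; false creates the cluster with FIPS-validated modules disabled and is meant only for local development.` to that comment. Passing the api constant itself from `Create` instead of a bool would remove the translation at the top of the function and make the call read as what it sets. The function body continues past the end of the hunk.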
@@ -34,8 +34,8 @@ type Stream struct { // This default is left here ONLY for use by local development mode, // until we can come up with a better solution. var DefaultInstallStream = Stream{ - Version: NewVersion(4, 16, 27), - PullSpec: "quay.io/openshift-release-dev/ocp-release@sha256:efc3a4f3db634bc6733dcad71cd57040da05c5f203df9447fa7f7a1a9067fa39", + Version: NewVersion(4, 16, 30), + PullSpec: "quay.io/openshift-release-dev/ocp-release@sha256:7aacace57ab6ec468dd98b0b3e0f3fc440b29afce21b90bd716fed0db487e9e9", } // FluentbitImage contains the location of the Fluentbit container image