Merge branch 'master' into frontend-validation-encryptionathost

.pipelines/ci.yml

@@ -22,7 +22,7 @@ pr:
 resources:
   containers:
     - container: golang
-      image: registry.access.redhat.com/ubi8/go-toolset:1.18
+      image: registry.access.redhat.com/ubi8/go-toolset:1.18.10
       options: --user=0
     - container: python
       image: registry.access.redhat.com/ubi8/python-39:latest
@@ -82,12 +82,6 @@ jobs:
         displayName: 🧪 Run Golang unit tests
         target: golang
 
-      - script: |
-          set -xe
-          make validate-fips
-        displayName: 🕵️ Validate FIPS
-        target: golang
-
       - task: PublishTestResults@2
         displayName: 📊 Publish tests results
         inputs:

Dockerfile.aro-e2e

@@ -9,7 +9,7 @@ RUN mkdir -p /app
 WORKDIR /app
 
 COPY . /app
-RUN make aro RELEASE=${IS_OFFICIAL_RELEASE} -o generate && make e2e.test e2etools
+RUN make aro RELEASE=${IS_OFFICIAL_RELEASE} -o generate && make validate-fips && make e2e.test e2etools
 
 FROM ${REGISTRY}/ubi8/ubi-minimal
 RUN microdnf update && microdnf clean all

Dockerfile.aro-multistage

@@ -9,7 +9,7 @@ RUN mkdir -p /app
 WORKDIR /app
 
 COPY . /app
-RUN make aro RELEASE=${IS_OFFICIAL_RELEASE} -o generate && make e2e.test
+RUN make aro RELEASE=${IS_OFFICIAL_RELEASE} -o generate && make validate-fips && make e2e.test
 
 FROM ${REGISTRY}/ubi8/ubi-minimal
 RUN microdnf update && microdnf clean all

Makefile

@@ -210,7 +210,7 @@ validate-go-action:
 	@sha256sum --quiet -c .sha256sum || (echo error: client library is stale, please run make client; exit 1)
 
 validate-fips:
-	hack/fips/validate-fips.sh
+	hack/fips/validate-fips.sh ./aro
 
 unit-test-go:
 	go run gotest.tools/[email protected] --format pkgname --junitfile report.xml -- -coverprofile=cover.out ./...

go.mod

@@ -210,7 +210,7 @@ require (
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b // indirect
-	github.com/opencontainers/runc v1.1.6 // indirect
+	github.com/opencontainers/runc v1.1.12 // indirect
 	github.com/opencontainers/runtime-tools v0.9.1-0.20221014010322-58c91d646d86 // indirect
 	github.com/opencontainers/selinux v1.10.2 // indirect
 	github.com/openshift/custom-resource-status v1.1.3-0.20220503160415-f2fdb4999d87 // indirect

go.sum

@@ -556,8 +556,8 @@ github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3I
 github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b h1:YWuSjZCQAPM8UUBLkYUk1e+rZcvWHJmFb6i6rM44Xs8=
 github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ=
-github.com/opencontainers/runc v1.1.6 h1:XbhB8IfG/EsnhNvZtNdLB0GBw92GYEFvKlhaJk9jUgA=
-github.com/opencontainers/runc v1.1.6/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50=
+github.com/opencontainers/runc v1.1.12 h1:BOIssBaW1La0/qbNZHXOOa71dZfZEQOzW7dqQf3phss=
+github.com/opencontainers/runc v1.1.12/go.mod h1:S+lQwSfncpBha7XTy/5lBwWgm5+y5Ma/O44Ekby9FK8=
 github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb h1:1xSVPOd7/UA+39/hXEGnBJ13p6JFB0E1EvQFlrRDOXI=

hack/fips/validate-fips.sh

@@ -1,24 +1,22 @@
 #!/bin/bash
 
-# The small go program below will validate that a 
-# FIPS validated crypto lib
-cat > ./hack/fips/main.go << 'EOF'
-package main
+set -xe
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the Apache License 2.0.
+# check if we can build and have built a valid FIPS-compatible binary
+res=$(go run github.com/acardace/[email protected] ${1} -j)
 
-import (
-	_ "crypto/tls/fipsonly"
+binary=$(echo $res | go run ./hack/jq -r '.goBinaryFips.value')
+lib=$(echo $res | go run ./hack/jq -r '.cryptoLibFips.value')
 
-	utillog "github.com/Azure/ARO-RP/pkg/util/log"
-)
+if [[ $binary == "false" ]]; then
+	echo "binary is not FIPS compatible"
+	exit 1
+fi
 
-func main() {
-	log := utillog.GetLogger()
-	log.Println("FIPS mode enabled")
-}
-EOF
-trap "rm ./hack/fips/main.go" EXIT
-echo "Attempting to run program that requires FIPS crypto"
-go run ./hack/fips/main.go
+if [[ $lib == "false" ]]; then
+	echo "lib is not FIPS compatible"
+	exit 1
+fi
+
+tool=$(go tool nm ${1} | grep FIPS)
+echo $tool

pkg/backend/openshiftcluster.go

@@ -6,6 +6,7 @@ package backend
 import (
 	"context"
 	"fmt"
+	"net/http"
 	"strings"
 	"sync/atomic"
 	"time"
@@ -339,6 +340,11 @@ func (ocb *openShiftClusterBackend) asyncOperationResultLog(log *logrus.Entry, i
 		return
 	}
 
+	if strings.Contains(strings.ToLower(backendErr.Error()), "one of the claims 'puid' or 'altsecid' or 'oid' should be present") {
+		backendErr = api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidServicePrincipalClaims,
+			"properties.servicePrincipalProfile", "The Azure Red Hat Openshift resource provider service principal has been removed from your tenant. To restore, please unregister and then re-register the Azure Red Hat OpenShift resource provider.")
+	}
+
 	_, ok := backendErr.(*api.CloudError)
 	if ok {
 		log = log.WithField("resultType", utillog.UserErrorResultType)

pkg/cluster/adminupdate_test.go

@@ -306,7 +306,7 @@ func TestAdminUpdateSteps(t *testing.T) {
 				doc := baseClusterDoc()
 				doc.OpenShiftCluster.Properties.ProvisioningState = api.ProvisioningStateAdminUpdating
 				doc.OpenShiftCluster.Properties.MaintenanceTask = api.MaintenanceTaskEverything
-				doc.OpenShiftCluster.Properties.HiveProfile.Namespace = "some_namespace"
+				doc.OpenShiftCluster.Properties.HiveProfile.Namespace = "aro-00000000-0000-0000-0000-000000000000"
 				doc.OpenShiftCluster.Properties.HiveProfile.CreatedByHive = true
 				return doc, true
 			},

pkg/cluster/hive.go

@@ -17,7 +17,7 @@ func (m *manager) hiveCreateNamespace(ctx context.Context) error {
 		return nil
 	}
 
-	namespace, err := m.hiveClusterManager.CreateNamespace(ctx)
+	namespace, err := m.hiveClusterManager.CreateNamespace(ctx, m.doc.ID)
 	if err != nil {
 		return err
 	}

pkg/cluster/hive_test.go

@@ -21,8 +21,7 @@ import (
 )
 
 func TestHiveClusterDeploymentReady(t *testing.T) {
-	fakeNamespace := "fake-namespace"
-
+	fakeNamespace := "aro-00000000-0000-0000-0000-000000000000"
 	for _, tt := range []struct {
 		name       string
 		mocks      func(hiveMock *mock_hive.MockClusterManager, doc *api.OpenShiftClusterDocument)
@@ -75,7 +74,7 @@ func TestHiveClusterDeploymentReady(t *testing.T) {
 }
 
 func TestHiveResetCorrelationData(t *testing.T) {
-	fakeNamespace := "fake-namespace"
+	fakeNamespace := "aro-00000000-0000-0000-0000-000000000000"
 
 	for _, tt := range []struct {
 		name  string
@@ -115,6 +114,8 @@ func TestHiveResetCorrelationData(t *testing.T) {
 }
 
 func TestHiveCreateNamespace(t *testing.T) {
+	fakeNamespace := "aro-00000000-0000-0000-0000-000000000000"
+	fakeNewNamespace := "aro-11111111-1111-1111-1111-111111111111"
 	for _, tt := range []struct {
 		testName              string
 		existingNamespaceName string
@@ -126,36 +127,36 @@ func TestHiveCreateNamespace(t *testing.T) {
 		{
 			testName:              "creates namespace if it doesn't exist",
 			existingNamespaceName: "",
-			newNamespaceName:      "new-namespace",
+			newNamespaceName:      fakeNamespace,
 			clusterManagerMock: func(mockCtrl *gomock.Controller, namespaceName string) *mock_hive.MockClusterManager {
 				namespaceToReturn := &corev1.Namespace{}
 				namespaceToReturn.Name = namespaceName
 				mockClusterManager := mock_hive.NewMockClusterManager(mockCtrl)
-				mockClusterManager.EXPECT().CreateNamespace(gomock.Any()).Return(namespaceToReturn, nil)
+				mockClusterManager.EXPECT().CreateNamespace(gomock.Any(), gomock.Any()).Return(namespaceToReturn, nil)
 				return mockClusterManager
 			},
-			expectedNamespaceName: "new-namespace",
+			expectedNamespaceName: fakeNamespace,
 			wantErr:               "",
 		},
 		{
 			testName:              "doesn't create namespace if it already exists",
-			existingNamespaceName: "existing-namespace",
-			newNamespaceName:      "new-namespace",
-			expectedNamespaceName: "existing-namespace",
+			existingNamespaceName: fakeNamespace,
+			newNamespaceName:      fakeNewNamespace,
+			expectedNamespaceName: fakeNamespace,
 			clusterManagerMock: func(mockCtrl *gomock.Controller, namespaceName string) *mock_hive.MockClusterManager {
 				mockClusterManager := mock_hive.NewMockClusterManager(mockCtrl)
-				mockClusterManager.EXPECT().CreateNamespace(gomock.Any()).Times(0)
+				mockClusterManager.EXPECT().CreateNamespace(gomock.Any(), gomock.Any()).Times(0)
 				return mockClusterManager
 			},
 		},
 		{
 			testName:              "returns error if cluster manager returns error",
 			existingNamespaceName: "",
-			newNamespaceName:      "new-namespace",
+			newNamespaceName:      fakeNamespace,
 			expectedNamespaceName: "",
 			clusterManagerMock: func(mockCtrl *gomock.Controller, namespaceName string) *mock_hive.MockClusterManager {
 				mockClusterManager := mock_hive.NewMockClusterManager(mockCtrl)
-				mockClusterManager.EXPECT().CreateNamespace(gomock.Any()).Return(nil, fmt.Errorf("cluster manager error"))
+				mockClusterManager.EXPECT().CreateNamespace(gomock.Any(), gomock.Any()).Return(nil, fmt.Errorf("cluster manager error"))
 				return mockClusterManager
 			},
 			wantErr: "cluster manager error",

pkg/hive/manager.go

@@ -24,11 +24,10 @@ import (
 	"github.com/Azure/ARO-RP/pkg/hive/failure"
 	"github.com/Azure/ARO-RP/pkg/util/dynamichelper"
 	utillog "github.com/Azure/ARO-RP/pkg/util/log"
-	"github.com/Azure/ARO-RP/pkg/util/uuid"
 )
 
 type ClusterManager interface {
-	CreateNamespace(ctx context.Context) (*corev1.Namespace, error)
+	CreateNamespace(ctx context.Context, docID string) (*corev1.Namespace, error)
 
 	// CreateOrUpdate reconciles the ClusterDocument and related secrets for an
 	// existing cluster. This may adopt the cluster (Create) or amend the
@@ -110,11 +109,11 @@ func NewFromConfig(log *logrus.Entry, _env env.Core, restConfig *rest.Config) (C
 	}, nil
 }
 
-func (hr *clusterManager) CreateNamespace(ctx context.Context) (*corev1.Namespace, error) {
+func (hr *clusterManager) CreateNamespace(ctx context.Context, docID string) (*corev1.Namespace, error) {
 	var namespaceName string
 	var namespace *corev1.Namespace
 	err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
-		namespaceName = "aro-" + uuid.DefaultGenerator.Generate()
+		namespaceName = "aro-" + docID
 		namespace = &corev1.Namespace{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: namespaceName,

pkg/hive/manager_test.go

@@ -26,7 +26,7 @@ import (
 )
 
 func TestIsClusterDeploymentReady(t *testing.T) {
-	fakeNamespace := "fake-namespace"
+	fakeNamespace := "aro-00000000-0000-0000-0000-000000000000"
 	doc := &api.OpenShiftClusterDocument{
 		OpenShiftCluster: &api.OpenShiftCluster{
 			Properties: api.OpenShiftClusterProperties{
@@ -170,7 +170,7 @@ func TestIsClusterDeploymentReady(t *testing.T) {
 }
 
 func TestIsClusterInstallationComplete(t *testing.T) {
-	fakeNamespace := "fake-namespace"
+	fakeNamespace := "aro-00000000-0000-0000-0000-000000000000"
 	doc := &api.OpenShiftClusterDocument{
 		OpenShiftCluster: &api.OpenShiftCluster{
 			Properties: api.OpenShiftClusterProperties{
@@ -413,7 +413,7 @@ func TestIsClusterInstallationComplete(t *testing.T) {
 }
 
 func TestResetCorrelationData(t *testing.T) {
-	fakeNamespace := "fake-namespace"
+	fakeNamespace := "aro-00000000-0000-0000-0000-000000000000"
 	doc := &api.OpenShiftClusterDocument{
 		OpenShiftCluster: &api.OpenShiftCluster{
 			Properties: api.OpenShiftClusterProperties{
@@ -478,6 +478,7 @@ func TestResetCorrelationData(t *testing.T) {
 }
 
 func TestCreateNamespace(t *testing.T) {
+	const docID = "00000000-0000-0000-0000-000000000000"
 	for _, tc := range []struct {
 		name             string
 		nsNames          []string
@@ -519,7 +520,7 @@ func TestCreateNamespace(t *testing.T) {
 				uuid.DefaultGenerator = uuidfake.NewGenerator(tc.nsNames)
 			}
 
-			ns, err := c.CreateNamespace(context.Background())
+			ns, err := c.CreateNamespace(context.Background(), docID)
 			if err != nil && !tc.shouldFail {
 				t.Error(err)
 			}
@@ -538,7 +539,7 @@ func TestCreateNamespace(t *testing.T) {
 }
 
 func TestGetClusterDeployment(t *testing.T) {
-	fakeNamespace := "fake-namespace"
+	fakeNamespace := "aro-00000000-0000-0000-0000-000000000000"
 	doc := &api.OpenShiftClusterDocument{
 		OpenShiftCluster: &api.OpenShiftCluster{
 			Properties: api.OpenShiftClusterProperties{

pkg/monitor/azure/nsg/nsg.go

@@ -113,15 +113,23 @@ func (n *NSGMonitor) toSubnetConfig(ctx context.Context, subnetID string) (subne
 func (n *NSGMonitor) Monitor(ctx context.Context) []error {
 	defer n.wg.Done()
 
+	errors := []error{}
+
+	// to make sure each NSG is processed only once
+	nsgSet := map[string]*armnetwork.SecurityGroup{}
+
 	masterSubnet, err := n.toSubnetConfig(ctx, n.oc.Properties.MasterProfile.SubnetID)
 	if err != nil {
 		// FP has no access to the subnet
-		return []error{err}
+		errors = append(errors, err)
+	} else {
+		if masterSubnet.nsg != nil && masterSubnet.nsg.ID != nil {
+			nsgSet[*masterSubnet.nsg.ID] = masterSubnet.nsg
+		}
 	}
 
 	// need this to get the right workerProfiles
 	workerProfiles, _ := api.GetEnrichedWorkerProfiles(n.oc.Properties)
-	workerSubnets := make([]subnetNSGConfig, 0, len(workerProfiles))
 	workerPrefixes := make([]netip.Prefix, 0, len(workerProfiles))
 	// To minimize the possibility of NRP throttling, we only retrieve a subnet's info only once.
 	subnetsToMonitor := map[string]struct{}{}
@@ -139,20 +147,12 @@ func (n *NSGMonitor) Monitor(ctx context.Context) []error {
 		s, err := n.toSubnetConfig(ctx, subnetID)
 		if err != nil {
 			// FP has no access to the subnet
-			return []error{err}
-		}
-		workerSubnets = append(workerSubnets, s)
-		workerPrefixes = append(workerPrefixes, s.prefix...)
-	}
-
-	// to make sure each NSG is processed only once
-	nsgSet := map[string]*armnetwork.SecurityGroup{}
-	if masterSubnet.nsg != nil && masterSubnet.nsg.ID != nil {
-		nsgSet[*masterSubnet.nsg.ID] = masterSubnet.nsg
-	}
-	for _, w := range workerSubnets {
-		if w.nsg != nil && w.nsg.ID != nil {
-			nsgSet[*w.nsg.ID] = w.nsg
+			errors = append(errors, err)
+		} else {
+			workerPrefixes = append(workerPrefixes, s.prefix...)
+			if s.nsg != nil && s.nsg.ID != nil {
+				nsgSet[*s.nsg.ID] = s.nsg
+			}
 		}
 	}
 
@@ -166,6 +166,7 @@ func (n *NSGMonitor) Monitor(ctx context.Context) []error {
 			nsgResource, err := arm.ParseResourceID(nsgID)
 			if err != nil {
 				n.log.Errorf("Unable to parse NSG resource ID: %s. %s", nsgID, err)
+				errors = append(errors, err)
 				continue
 			}
 
@@ -185,5 +186,5 @@ func (n *NSGMonitor) Monitor(ctx context.Context) []error {
 			}
 		}
 	}
-	return []error{}
+	return errors
 }

pkg/operator/controllers/genevalogging/genevalogging.go

@@ -22,6 +22,12 @@ import (
 	"github.com/Azure/ARO-RP/pkg/util/version"
 )
 
+var privilegedNamespaceLabels = map[string]string{
+	"pod-security.kubernetes.io/enforce": "privileged",
+	"pod-security.kubernetes.io/audit":   "privileged",
+	"pod-security.kubernetes.io/warn":    "privileged",
+}
+
 func (r *Reconciler) securityContextConstraints(ctx context.Context, name, serviceAccountName string) (*securityv1.SecurityContextConstraints, error) {
 	scc := &securityv1.SecurityContextConstraints{}
 	err := r.Client.Get(ctx, types.NamespacedName{Name: "privileged"}, scc)
@@ -284,6 +290,7 @@ func (r *Reconciler) resources(ctx context.Context, cluster *arov1alpha1.Cluster
 			ObjectMeta: metav1.ObjectMeta{
 				Name:        kubeNamespace,
 				Annotations: map[string]string{projectv1.ProjectNodeSelector: ""},
+				Labels:      privilegedNamespaceLabels,
 			},
 		},
 		&corev1.Secret{