MGMT-17771: Adds enhancement for FIPS with multiple RHEL installer versions

[carbonin]

In order for an OpenShift cluster to be considered FIPS compliant the installer must be run on a system with FIPS compliant openssl libraries. This means using a dynamically linked openshift-install binary against the openssl libraries present on our container image. Today this is not a problem because all openshift-install binaries in use have been expecting to link to RHEL 8 based openssl libraries, but now OpenShift 4.16 will ship and installer that requires RHEL 9 libraries.

This will require assisted-service to maintain a way to run the openshift-install binary in a compatible environment for multiple openssl versions.

List all the issues related to this PR

https://issues.redhat.com/browse/MGMT-17771

• [ ] New Feature
• [ ] Enhancement
• [ ] Bug fix
• [ ] Tests
• [x] Documentation
• [ ] CI/CD

What environments does this code impact?

• [ ] Automation (CI, tools, etc)
• [ ] Cloud
• [ ] Operator Managed Deployments
• [x] None

How was this code tested?

• [ ] assisted-test-infra environment
• [ ] dev-scripts environment
• [ ] Reviewer's test appreciated
• [ ] Waiting for CI to do a full test run
• [ ] Manual (Elaborate on how it was tested)
• [x] No tests needed

Checklist

• [x] Title and description added to both, commit and PR.
• [x] Relevant issues have been associated (see [CONTRIBUTING] guide)
• [x] This change does not require a documentation update (docstring, docs, README, etc)
• [ ] Does this change include unit-tests (note that code changes require unit-tests)

Reviewers Checklist

• Are the title and description (in both PR and commit) meaningful and clear?
• Is there a bug required (and linked) for this change?
• Should this PR be backported?

[openshift-ci-robot]

@carbonin: This pull request references MGMT-17771 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.16.0" version, but no target version was set.

In response to this:

In order for an OpenShift cluster to be considered FIPS compliant the installer must be run on a system with FIPS compliant openssl libraries. This means using a dynamically linked openshift-install binary against the openssl libraries present on our container image. Today this is not a problem because all openshift-install binaries in use have been expecting to link to RHEL 8 based openssl libraries, but now OpenShift 4.16 will ship and installer that requires RHEL 9 libraries.

This will require assisted-service to maintain a way to run the openshift-install binary in a compatible environment for multiple openssl versions.

List all the issues related to this PR

https://issues.redhat.com/browse/MGMT-17771

• [ ] New Feature
• [ ] Enhancement
• [ ] Bug fix
• [ ] Tests
• [x] Documentation
• [ ] CI/CD

What environments does this code impact?

• [ ] Automation (CI, tools, etc)
• [ ] Cloud
• [ ] Operator Managed Deployments
• [x] None

How was this code tested?

• [ ] assisted-test-infra environment
• [ ] dev-scripts environment
• [ ] Reviewer's test appreciated
• [ ] Waiting for CI to do a full test run
• [ ] Manual (Elaborate on how it was tested)
• [x] No tests needed

Checklist

• [x] Title and description added to both, commit and PR.
• [x] Relevant issues have been associated (see [CONTRIBUTING] guide)
• [x] This change does not require a documentation update (docstring, docs, README, etc)
• [ ] Does this change include unit-tests (note that code changes require unit-tests)

Reviewers Checklist

• Are the title and description (in both PR and commit) meaningful and clear?
• Is there a bug required (and linked) for this change?
• Should this PR be backported?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci[bot]]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: carbonin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• ~~OWNERS~~ [carbonin]

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

[romfreiman]

What about ABI? Wont it be affected by this change?

[carbonin]

What about ABI? Wont it be affected by this change?

ABI doesn't actually have this problem since they build assisted-service on the base image that corresponds with the installer, but making this change might affect them if we don't also continue to support the current way we run the installer (in the assisted-service container).

Also it depends on what you mean by "affect". If, after this change, they also deploy assisted as described in the enhancement (with the sidecar containers) then things should just work for them, but this will affect them in that they will likely need to update the deployment code for their assisted-service instance.

cc @bfournie @pawanpinjarkar @zaneb

[openshift-ci[bot]]

@carbonin: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/edge-e2e-metal-assisted-cnv-4-16	e87cd02f6519cdaef0f47c4b1658ffdad475c27d	link	true	/test edge-e2e-metal-assisted-cnv-4-16
ci/prow/edge-e2e-metal-assisted-odf-4-16	e87cd02f6519cdaef0f47c4b1658ffdad475c27d	link	true	/test edge-e2e-metal-assisted-odf-4-16
ci/prow/edge-e2e-metal-assisted-mtv-4-17	e87cd02f6519cdaef0f47c4b1658ffdad475c27d	link	true	/test edge-e2e-metal-assisted-mtv-4-17

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.