fix: when in fips mode and in a disconnected environment, remove the non fips openshift-install

prb112 · prb112 · commit fab0c61ff321 · 2025-09-17T05:29:57.000-04:00
Signed-off-by: Paul Bastide &lt;pbastide@us.ibm.com&gt;
diff --git a/playbooks/roles/ocp-config/tasks/extract.yaml b/playbooks/roles/ocp-config/tasks/extract.yaml
@@ -31,6 +31,13 @@
   args:
     chdir: "{{ tools_dir }}"
 
+- name: Extract OCP4 tools from release image ( local-registry )
+  when: enable_local_registry
+  shell: |
+    oc adm release extract --tools {{ release_image_override }} --registry-config='{{ ansible_env.HOME }}/.openshift/pull-secret-updated'
+  args:
+    chdir: "{{ tools_dir }}"
+
 - name: Create pull-secret file
   when: not enable_local_registry
   copy:
@@ -57,6 +64,35 @@
     remote_src: yes
   with_items: "{{ find_result.files }}"
 
+
+- name: Check if FIPS is enabled
+  ansible.builtin.command: grep -q 1 /proc/sys/crypto/fips_enabled
+  register: fips_check
+  changed_when: false
+  failed_when: false
+
+- name: Check if openshift-install binary exists
+  ansible.builtin.stat:
+    path: "/usr/local/bin/openshift-install"
+  register: binary_check
+  
+- name: Remove openshift-install binary when FIPS is enabled
+  ansible.builtin.file:
+    path: "/usr/local/bin/openshift-install"
+    state: absent
+  when: 
+    - fips_check.rc == 0  # FIPS is enabled (returns 1 when enabled)
+    - binary_check.stat.exists
+
+- name: Link openshift-install-fips to openshift-install
+  file:
+    src: "/usr/local/bin/openshift-install-fips"
+    dest: "/usr/local/bin/openshift-install"
+    state: link
+  when: 
+    - fips_check.rc == 0  # FIPS is enabled (returns 1 when enabled)
+    - binary_check.stat.exists
+
 - name: Remove tools directory
   file:
     path: "{{ tools_dir }}"
