OCPBUGS-15845: Fail if host incompatible with target cluster

zaneb · cgwalters · zaneb · commit b261deb2aec7 · 2024-04-05T16:36:25.000+13:00
Co-Authored-By: Colin Walters &lt;walters@verbum.org&gt;
diff --git a/pkg/types/validation/installconfig.go b/pkg/types/validation/installconfig.go
@@ -51,6 +51,9 @@ import (
 	"github.com/openshift/installer/pkg/validate"
 )
 
+// hostCryptBypassedAnnotation is set if the host crypt check was bypassed via environment variable.
+const hostCryptBypassedAnnotation = "install.openshift.io/hostcrypt-check-bypassed"
+
 // list of known plugins that require hostPrefix to be set
 var pluginsUsingHostPrefix = sets.NewString(string(operv1.NetworkTypeOVNKubernetes))
 
@@ -1171,7 +1174,15 @@ func validateFIPSconfig(c *types.InstallConfig) field.ErrorList {
 	}
 
 	if err := hostcrypt.VerifyHostTargetState(c.FIPS); err != nil {
-		logrus.Warnf("%v", err)
+		if skip, ok := os.LookupEnv("OPENSHIFT_INSTALL_SKIP_HOSTCRYPT_VALIDATION"); ok && skip != "" {
+			logrus.Warnf("%v", err)
+			if c.Annotations == nil {
+				c.Annotations = make(map[string]string)
+			}
+			c.Annotations[hostCryptBypassedAnnotation] = "true"
+		} else {
+			allErrs = append(allErrs, field.Forbidden(field.NewPath("fips"), err.Error()))
+		}
 	}
 	return allErrs
 }

Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,9 @@ import (`
`51`	`51`	`"github.com/openshift/installer/pkg/validate"`
`52`	`52`	`)`
`53`	`53`
	`54`	`+// hostCryptBypassedAnnotation is set if the host crypt check was bypassed via environment variable.`
	`55`	`+const hostCryptBypassedAnnotation = "install.openshift.io/hostcrypt-check-bypassed"`
	`56`	`+`
`54`	`57`	`// list of known plugins that require hostPrefix to be set`
`55`	`58`	`var pluginsUsingHostPrefix = sets.NewString(string(operv1.NetworkTypeOVNKubernetes))`
`56`	`59`
`@@ -1171,7 +1174,15 @@ func validateFIPSconfig(c *types.InstallConfig) field.ErrorList {`
`1171`	`1174`	`}`
`1172`	`1175`
`1173`	`1176`	`if err := hostcrypt.VerifyHostTargetState(c.FIPS); err != nil {`
`1174`		`- logrus.Warnf("%v", err)`
	`1177`	`+ if skip, ok := os.LookupEnv("OPENSHIFT_INSTALL_SKIP_HOSTCRYPT_VALIDATION"); ok && skip != "" {`
	`1178`	`+ logrus.Warnf("%v", err)`
	`1179`	`+ if c.Annotations == nil {`
	`1180`	`+ c.Annotations = make(map[string]string)`
	`1181`	`+ }`
	`1182`	`+ c.Annotations[hostCryptBypassedAnnotation] = "true"`
	`1183`	`+ } else {`
	`1184`	`+ allErrs = append(allErrs, field.Forbidden(field.NewPath("fips"), err.Error()))`
	`1185`	`+ }`
`1175`	`1186`	`}`
`1176`	`1187`	`return allErrs`
`1177`	`1188`	`}`