  1. Red Hat Advanced Cluster Management
  2. ACM-12095

Document installing FIPS clusters


      Create an informative issue (See each section, incomplete templates/issues won't be triaged)

      Using the current documentation as a model, please complete the issue template. 

      Note: Doc team updates the current version and the two previous versions (n-2). For earlier versions, we will address only high-priority, customer-reported issues for releases in support.

      Prerequisite: Start with what we have

      There is no current documentation dealing specifically with installing FIPS enabled clusters.

      Describe the changes in the doc and link to your dev story

      Provide info for the following steps:

      1. [x] Mandatory Add the required version to the Fix version/s field.

      2. [x] Mandatory Choose the type of documentation change.

            - [x] New topic in an existing section or new section
            - [ ] Update to an existing topic

      3. [x] Mandatory for GA content:
                  
             - [x] Add steps and/or other important conceptual information here: 

      When using the infrastructure operator to install a cluster in FIPS mode, additional steps must be taken to ensure a successful installation.

      1. As noted in the OpenShift documentation, installing a cluster in FIPS mode requires both a specific version of RHEL and that the host running the installer also be running in FIPS mode. This means that installing a FIPS mode managed cluster requires the managed cluster to also be running in FIPS mode.

      2. When installing in FIPS mode, the installer must be run on a specific RHEL version.

      • For installing OCP versions 4.15 and earlier the installer must be run on a RHEL8 host.
      • If a user wants to use the infrastructure operator to install FIPS-enabled OCP clusters of version 4.15 or earlier, they must annotate the AgentServiceConfig resource with `agent-install.openshift.io/service-image-base: el8`.
      • If a user wants to use the infrastructure operator to install FIPS-enabled OCP clusters of version 4.16 or greater, no annotation is required.

      3. To install a FIPS-enabled cluster using the assisted installer an annotation is required on the AgentClusterInstall resource:

      • `agent-install.openshift.io/install-config-overrides: "{\"fips\":true}"`
                    
               - [x] Add Required access level for the user to complete the task here: The user must be able to edit both the AgentServiceConfig and AgentClusterInstall resources.
               

             - [x] Add verification at the end of the task, how does the user verify success (a command to run or a result to see?)

      A cluster marked with the FIPS annotation will install correctly.
           
             - [x] Add link to dev story here: https://issues.redhat.com/browse/MGMT-17894

      4. - [ ] Mandatory for bugs: What is the diff? Clearly define what the problem is, what the change is, and link to the current documentation:
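
The annotation steps above as a script, added here as an illustration and not taken from the issue or the product documentation: it prints the `oc annotate` commands for a given OCP version rather than running them. The cluster name and namespace are placeholders, and it assumes the AgentServiceConfig is the cluster-scoped resource named `agent`.

```shell
#!/bin/sh
# Added example: prints (does not execute) the oc commands for the steps above.
# example-cluster / example-ns are placeholders, not values from the issue.

BASE_ANNOTATION='agent-install.openshift.io/service-image-base=el8'
FIPS_ANNOTATION='agent-install.openshift.io/install-config-overrides={"fips":true}'

# needs_el8_base VERSION
# Returns 0 for OCP 4.15 and earlier, 1 for 4.16 and later, 2 if unparsable.
needs_el8_base() {
    major=${1%%.*}              # "4.15.12" -> "4"
    rest=${1#*.}                # "4.15.12" -> "15.12"
    minor=${rest%%[!0-9]*}      # "15.12"   -> "15"
    case "$1" in *.*) ;; *) minor= ;; esac            # a minor version is required
    case "$major" in ''|*[!0-9]*) minor= ;; esac      # major must be numeric
    if [ -z "$minor" ]; then
        echo "unrecognised OCP version: $1" >&2
        return 2
    fi
    [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -le 15 ]; }
}

# fips_commands VERSION CLUSTER NAMESPACE
# Prints the annotate commands needed before a FIPS install of that version.
fips_commands() {
    needs_el8_base "$1" && rc=0 || rc=$?
    [ "$rc" -le 1 ] || return "$rc"
    if [ "$rc" -eq 0 ]; then
        # 4.15 and earlier: the installer has to run from the RHEL 8 based image.
        printf "oc annotate agentserviceconfig agent --overwrite '%s'\n" \
            "$BASE_ANNOTATION"
    fi
    # Every FIPS install: pass fips=true through the install-config overrides.
    printf "oc annotate agentclusterinstall %s -n %s --overwrite '%s'\n" \
        "$2" "$3" "$FIPS_ANNOTATION"
}

# Sample run with placeholder names.
fips_commands 4.15.12 example-cluster example-ns
```

Review the printed commands and run them as a user who can edit both resources; a 4.16 or later version prints only the AgentClusterInstall command.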

              mdockery@redhat.com Mikela Jackson
              ncarboni@redhat.com Nick Carboni
              Chad Crum Chad Crum