OpenShift Bugs / OCPBUGS-35808

[TP][OLMv1] "olm" degraded due to error "FIPS mode is enabled, but the required OpenSSL backend is unavailable" from openshift-rukpak pods in the FIPS enabled cluster


    • Important
    • Yes
    • 2
    • OSDOCS Sprint 256, OSDOCS Sprint 257
    • 2
    • Rejected
    • False
    • Release Note Not Required
    • Done

      Description of problem:

      The cluster operator "olm" degraded due to error "FIPS mode is enabled, but the required OpenSSL backend is unavailable" from openshift-rukpak pods

      Version-Release number of selected component (if applicable):

      4.16.0-0.nightly-2024-06-14-130320

      How reproducible:

      Always

      Steps to Reproduce:

      1. Create an OCP cluster with FIPS enabled, like below:
      
      jiazha-mac:~ jiazha$ oc debug node/qitang-vsgtm-master-0.us-central1-a.c.openshift-qe.internal
      
      Warning: metadata.name: this is used in the Pod's hostname, which can result in surprising behavior; a DNS label is recommended: [must be no more than 63 characters]
      
      Starting pod/qitang-vsgtm-master-0us-central1-acopenshift-qeinternal-debug-2hnqs ...
      
      To use host binaries, run `chroot /host`
      
      Pod IP: 10.0.0.4
      
      If you don't see a command prompt, try pressing enter.
      
      sh-5.1# sh-5.1# chroot /host
      
      sh-5.1# fips-mode-setup --check
      
      FIPS mode is enabled.
      
      sh-5.1# sh-5.1# update-crypto-policies --show
      
      FIPS
      
      2. Enable TP:
      
      $ oc patch featuregate cluster -p '{"spec": {"featureSet": "TechPreviewNoUpgrade"}}' --type=merge 

      Actual results:

      The cluster operator "olm" degraded due to "RukpakDeploymentCoreAvailable: Waiting for Deployment...", and the core and helm-provisioner pods in namespace openshift-rukpak report the error below:
      
      FIPS mode is enabled, but the required OpenSSL backend is unavailable
      
      jiazha-mac:~ jiazha$ oc project openshift-rukpak
      
       Now using project "openshift-rukpak" on server "https://api.qitang.qe.gcp.devcluster.openshift.com:6443".
      
      jiazha-mac:~ jiazha$ oc get pods
      NAME                               READY   STATUS             RESTARTS       AGE
      core-64dd55cb47-k2lt5              0/2     CrashLoopBackOff   12 (53s ago)   8m51s
      helm-provisioner-8bbd58b5-xnqcx    0/2     CrashLoopBackOff   12 (68s ago)   8m53s
      rukpak-webhooks-7d4dbc655c-cnpx5   1/1     Running            0              13m
      
      jiazha-mac:~ jiazha$ oc logs core-64dd55cb47-k2lt5
      
      FIPS mode is enabled, but the required OpenSSL backend is unavailable
      
      jiazha-mac:~ jiazha$ oc logs helm-provisioner-8bbd58b5-xnqcx 
      
      FIPS mode is enabled, but the required OpenSSL backend is unavailable

      Expected results:

      All cluster operators should be available.

      Additional info:

      FYI, the problem CAPI installations where FIPS is enabled:
      
      https://qe-private-deck-ci.apps.ci.l2s4.p1.openshiftapps.com/view/gs/qe-private-deck/pr-logs/pull/openshift_release/52816/rehearse-52816-periodic-ci-openshift-verification-tests-master-installer-rehearse-4.16-installer-rehearse-debug/1802989952468783104
      
      https://qe-private-deck-ci.apps.ci.l2s4.p1.openshiftapps.com/view/gs/qe-private-deck/pr-logs/pull/openshift_release/52816/rehearse-52816-periodic-ci-openshift-verification-tests-master-installer-rehearse-4.16-installer-rehearse-debug/1802887872160731136
      
      Note: GCP CAPI installation requires "featureSet: TechPreviewNoUpgrade" in install-config.yaml.

              rhn-support-mipeter Michael Peter
              rhn-support-jiwei Jianli Wei
              Jian Zhang Jian Zhang
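
A triage helper for the symptom reported above, added here as an example and not part of the original report or of any OpenShift tooling: it lists the pods in a namespace that are unready and whose logs contain the FIPS backend error, separating them from pods that crash-loop for other reasons. The function names, the OC variable, the sample_oc stub and the pod other-7c9f-abcde are assumptions of this example; the other sample rows are copied from the report.

```shell
#!/bin/sh
# Added triage helper; not part of the original report.
FIPS_ERR='FIPS mode is enabled, but the required OpenSSL backend is unavailable'

# Read an `oc get pods` table on stdin and print pods that are crash-looping
# or have fewer ready containers than total (READY column is "ready/total").
unready_pods() {
  awk 'NR > 1 { split($2, r, "/")
                if (r[1] != r[2] || $3 == "CrashLoopBackOff") print $1 }'
}

# Print the unready pods in namespace $1 whose logs contain FIPS_ERR.
# $OC (default: oc) is the client command, so a stub can replace a live cluster.
fips_backend_pods() {
  ns=$1
  ${OC:-oc} get pods -n "$ns" | unready_pods | while read -r pod; do
    if ${OC:-oc} logs -n "$ns" "$pod" --all-containers 2>&1 < /dev/null |
         grep -qF "$FIPS_ERR"; then
      echo "$pod"
    fi
  done
}

# Constructed stand-in for `oc`: the pod table from the report plus one
# hypothetical pod (other-7c9f-abcde) that crash-loops for an unrelated reason.
sample_oc() {
  case "$1" in
    get) cat <<'EOF'
NAME                               READY   STATUS             RESTARTS       AGE
core-64dd55cb47-k2lt5              0/2     CrashLoopBackOff   12 (53s ago)   8m51s
helm-provisioner-8bbd58b5-xnqcx    0/2     CrashLoopBackOff   12 (68s ago)   8m53s
rukpak-webhooks-7d4dbc655c-cnpx5   1/1     Running            0              13m
other-7c9f-abcde                   0/1     CrashLoopBackOff   3 (10s ago)    2m
EOF
      ;;
    logs) case "$4" in
            core-*|helm-provisioner-*) echo "$FIPS_ERR" ;;
            *) echo "constructed: unrelated startup failure" ;;
          esac ;;
  esac
}

# Offline (constructed data): OC=sample_oc; fips_backend_pods openshift-rukpak
# Live cluster:               fips_backend_pods openshift-rukpak
```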