-
Story
-
Resolution: Won't Do
-
Blocker
-
None
-
None
On greenfield deployments that use the openstack baremetal operator the image used to provision edpm nodes need to depend on fthe FIPS mode of the OCP cluster.
Currently it uses an image and a QCOW2 name inside it for non FIPS, but if FIPS is enabled on OCP it needs to use a different image and a different QCOW2 name.
When deploying in FIPS mode iscsid needs to be configured to not allow MD5:
IscsidCHAPAlgorithms: 'SHA3-256,SHA256,SHA1'
in /etc/iscsi/icscisd.conf. But this configuration should not happen when FIPS is not enabled, as it would break some Cinder storage backends that only support MD5.
Checking the OCP FIPS mode can be done with the new lib-common method.