• Type: Story
    • Resolution: Unresolved
    • Priority: Major

      FIPS is currently blocking on installs only via install-analysis-all.  The job itself is pretty stable, about 100% pass rate over the last two weeks.

      Given the importance of keeping FIPS working, we'd like to make it fully blocking.  

      Some options:

      • Take the existing job itself as blocking
      • Add an upgrade job for FIPS and make it blocking
      • Possibly swap out one of the 2 AWS aggregated jobs and make it fips (like we did for GCP RT)

      We discussed this in an office hours session for TRT and we think the third option may be the most viable, as we'd be able to detect when FIPS gets worse, not just when it starts permafailing.

       

            [TRT-1776] Improve FIPS CI coverage

            Luke Meyer added a comment - Running successfully so far

            Luke Meyer added a comment -

            The job is created and should be running on 4.19 nightlies as aws-ovn-upgrade-micro-fips

            Observe for a sprint and see if it's stable enough to replace the current aggregated job.

            Luke Meyer added a comment -

            I don't think variants will be a problem, there's no fips variant and AFAIK no effect on variants of turning FIPS on.

            The approach we agreed on here is to add an informing job that does what aggregated-aws-ovn-upgrade-4.19-micro (and thus periodic-ci-openshift-release-master-ci-4.19-e2e-aws-ovn-upgrade) does now, but with FIPS enabled. Once we have enough history and comfort with that job, we can then replace the existing aggregated job with one running the new job.

            Ken Zhang added a comment -

            If we are to replace one of the AWS upgrade with fips enabled, need to confirm that CR is dealing with those are still properly categorized as existing variants.

              lmeyer@redhat.com Luke Meyer
              stbenjam Stephen Benjamin