Bug 1774318

Marking low priority - this is only an issue for FIPS environments and does not impact specific functionality.

xiyuan - do you know already, or could quickly see, if the rails-postgresql-example template is OK in a FIPS env ?

Extract latest oc from 4.3.0-0.nightly-2019-11-27-011055,
It's built in 201910250623
./oc version 
Client Version: openshift-clients-4.3.0-201910250623-68-g9d412f42
Server Version: 4.3.0-0.nightly-2019-11-26-171052
Kubernetes Versio
n: v1.16.2

And oc client install from rpm openshift-clients.x86_64.0.4.3.0-201911261917.git.1.133e54c.el7
It's built in "2019-11-25T21:16:09Z"

I1127 11:18:04.656634   25254 request.go:968] Response Body: {
  "major": "1",
  "minor": "16+",
  "gitVersion": "v1.16.2",
  "gitCommit": "dad97c3",
  "gitTreeState": "clean",
  "buildDate": "2019-11-25T21:16:09Z",
  "goVersion": "go1.12.12",
  "compiler": "gc",
  "platform": "linux/amd64"
}

Both client don't update the example in the fips enabled cluster(Server Version: 4.3.0-0.nightly-2019-11-26-171052).

$oc new-project test1
Now using project "test1" on server "https://api.xiuwang-fips27.qe.azure.devcluster.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app django-psql-example

to build a new example application in Python. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=gcr.io/hello-minikube-zero-install/hello-node

An OC built on 201910250623 is not recent enough ... that is Oct 25

I just looked at https://openshift-release.svc.ci.openshift.org/releasestream/4.3.0-0.nightly/release/4.3.0-0.nightly-2019-11-29-051144

and openshift-client-linux-4.3.0-0.nightly-2019-11-29-051144.tar.gz 

has an `oc` whose `oc version` reports:

gmontero ~/QE_bzs/oc-new-app-msg $ ./oc version
Client Version: 4.3.0-0.nightly-2019-11-29-051144
Kubernetes Version: v1.11.0+d4cacc0


Please try that level or later @XiuJuan

So weird, I download same version package, but the oc version is different. I will keep an eye untill a new oc version built out
[wxj@console 4.3]$ ll
total 215932
-rwxr-xr-x. 2 wxj docker 83381912 Nov 27 08:45 kubectl
-rwxr-xr-x. 2 wxj docker 83381912 Nov 27 08:45 oc
-rw-r--r--. 1 wxj docker 27171236 Nov 27 08:45 openshift-client-linux-4.3.0-0.nightly-2019-11-29-051144.tar.gz
-rw-r--r--. 1 wxj docker 27171236 Nov 27 08:45 openshift-client-linux-4.3.0-0.nightly-2019-11-29-130430.tar.gz

[wxj@console 4.3]$ ./oc version 
Client Version: openshift-clients-4.3.0-201910250623-70-g0ed83003
Server Version: 4.3.0-0.nightly-2019-11-29-013902
Kubernetes Version: v1.16.

Latest 4.3.0-0.nightly-2019-12-04-214544 didn't included the fix yet.
$oc version 
Client Version: openshift-clients-4.3.0-201910250623-77-gdf8483a7
Server Version: 4.3.0-0.nightly-2019-12-04-214544
Kubernetes Version: v1.16.2

$oc version --loglevel=8 | grep buildDate
  "buildDate": "2019-12-03T23:50:46Z",

$oc new-project  xiuwang
Now using project "xiuwang" on server "https://api.reliab431205eua.qe.azure.devcluster.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app django-psql-example

to build a new example application in Python. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=gcr.io/hello-minikube-zero-install/hello-node


This cluster have enabled fips.

$oc debug node/reliab431205eua-6hcxr-worker-eastus1-9md99
sh-4.4# chroot /host
# cat /proc/sys/crypto/fips_enabled 
1

Do I need wait a newer oc binary built out?

I figured it out ... the PR https://github.com/openshift/oc/pull/170 did not merge until after the 4.3 / 4.4 split

So we have to use a 4.4 nightly.

Given the priority of this, I am not initiating the backport to 4.3 ... and am retargeting this to 4.4

Sorry for the confusion, try a 4.4 nightly @XiuJuan

 $./oc new-project test
Now using project "test" on server "https://api.qe-xiuwang-44.qe.devcluster.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app ruby~https://github.com/sclorg/ruby-ex.git

to build a new example application in Python. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=gcr.io/hello-minikube-zero-install/hello-node

$ ./oc version 
Client Version: openshift-clients-4.3.0-201910250623-91-gc994341a
Server Version: 4.4.0-0.nightly-2019-12-05-203858
Kubernetes Version: v1.16.2

Verified with 4.4.0-0.nightly-2019-12-05-203858 payload.

will you commit it to 4.3? I think it is mandatory for 4.3. Thanks.

On principle we don't backport low severity bugs.
This bug does not impact the ability of a customer to deploy OpenShift in FIPS mode, or even deploy an application on a FIPS-compliant cluster.

This bug may impact the onboarding experience of users who are completely new to OpenShift and are using the new-app examples to test or demonstrate capabilities.
If this impact warrants a higher severity rating, then we can reconsider.

CC-ing Neelesh (FIPS initiative owner).

*** Bug 1780438 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581