Bug 1787745

Summary: Meteringconfig failed during ansible setup to generate RSA private key with OpenShift having FIPS enabled.
Product: OpenShift Container Platform
Reporter: Peter Ruan <pruan>
Component: Metering Operator
Assignee: tflannag
Status: CLOSED ERRATA
QA Contact: Peter Ruan <pruan>
Severity: unspecified
Priority: unspecified
Version: 4.3.0
CC: cvogel, scuppett, sd-operator-metering
Target Release: 4.4.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
When attempting to run Metering on a FIPS-enabled cluster, we fail role execution while generating user TLS certificates calling the 'openssl_privatekey' module. This module utilizes the module_utils/crypto.py helper library. This library iterates over a list of hashlib "FIPS-compliant" algorithms but the 'md5' algorithm was present in that list. We "vendored" this python helper library in the metering-ansible-operator's role module_utils directory, removing the 'md5' algorithm from the list of available algorithms. This allowed role execution to progress past the TLS-related tasks.
Clone Of:
: 1788208
Last Closed: 2020-05-04 11:22:02 UTC
Type: Bug
Bug Blocks: 1788208

Description Peter Ruan 2020-01-04 22:50:19 UTC
Description of problem:
Meteringconfig failed during ansible setup with OpenShift having FIPS enabled. This is related to https://bugzilla.redhat.com/show_bug.cgi?id=1782104

Version-Release number of selected component (if applicable):
4.3.x

How reproducible:

always

Steps to Reproduce:
1. Install OpenShift on OpenStack with FIPS enabled
2. Run ./hack/openshift-install.sh

Actual results:
TASK [meteringconfig : Generate a RSA private key for the CA] ******************
task path: /opt/ansible/roles/meteringconfig/tasks/configure_root_ca.yml:45
Saturday 04 January 2020  22:45:22 +0000 (0:00:00.367)       0:00:18.541 ******
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/.ansible-/tmp/ansible-tmp-1578177923.0-157257680349580/AnsiballZ_openssl_privatekey.py\", line 114, in <module>\n    _ansiballz_main()\n  File \"/tmp/.ansible-/tmp/ansible-tmp-1578177923.0-157257680349580/AnsiballZ_openssl_privatekey.py\", line 106, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/tmp/.ansible-/tmp/ansible-tmp-1578177923.0-157257680349580/AnsiballZ_openssl_privatekey.py\", line 49, in invoke_module\n    imp.load_module('__main__', mod, module, MOD_DESC)\n  File \"/tmp/ansible_openssl_privatekey_payload_8broM6/__main__.py\", line 703, in <module>\n  File \"/tmp/ansible_openssl_privatekey_payload_8broM6/__main__.py\", line 687, in main\n  File \"/tmp/ansible_openssl_privatekey_payload_8broM6/__main__.py\", line 318, in generate\n  File \"/tmp/ansible_openssl_privatekey_payload_8broM6/__main__.py\", line 559, in _get_fingerprint\n  File \"/tmp/ansible_openssl_privatekey_payload_8broM6/ansible_openssl_privatekey_payload.zip/ansible/module_utils/crypto.py\", line 86, in get_fingerprint_of_bytes\nValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}



Comment 4 Peter Ruan 2020-01-30 18:30:01 UTC
Verified with imageID: quay.io/openshift/origin-metering-ansible-operator@sha256:d8eb8c604066c5fd1b398456f274217cc2907cedd6fddeda72691945979d1196

I can install successfully and get report data back.

Comment 6 errata-xmlrpc 2020-05-04 11:22:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581
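
Added example, not the operator's or Ansible's own code: a fingerprint helper shaped like the `get_fingerprint_of_bytes` call in the traceback above. It shows the fix described in the Doc Text (dropping `md5` from the candidate list) together with a guard that skips any digest the crypto backend refuses. The names `fingerprint_of_bytes`, `EXCLUDED` and `fips_like_new` are hypothetical; `fips_like_new` is a constructed stand-in that reproduces the FIPS error on a non-FIPS host.

```python
import hashlib

# The fix described in the Doc Text: md5 is dropped from the candidate list.
EXCLUDED = frozenset({"md5"})


def fips_like_new(name, data):
    """Constructed stand-in for a FIPS-mode backend: refuses md5 as in the traceback."""
    if name == "md5":
        raise ValueError("error:060800A3:digital envelope routines:"
                         "EVP_DigestInit_ex:disabled for fips")
    return hashlib.new(name, data)


def fingerprint_of_bytes(source, new=hashlib.new, excluded=EXCLUDED):
    """Return (fingerprints, skipped) for every usable guaranteed hashlib algorithm."""
    fingerprints, skipped = {}, []
    for algo in sorted(hashlib.algorithms_guaranteed):
        if algo in excluded:
            skipped.append(algo)
            continue
        try:
            h = new(algo, source)
        except ValueError:
            # Digest disabled by the crypto backend (for example md5 under FIPS).
            skipped.append(algo)
            continue
        try:
            digest = h.hexdigest()
        except TypeError:
            digest = h.hexdigest(32)  # SHAKE digests need an explicit length
        fingerprints[algo] = ":".join(
            digest[i:i + 2] for i in range(0, len(digest), 2))
    return fingerprints, skipped


if __name__ == "__main__":
    key_bytes = b"constructed sample key material"  # constructed input
    # Empty exclusion list: only the ValueError guard stands between md5 and a crash.
    fp, skipped = fingerprint_of_bytes(key_bytes, new=fips_like_new, excluded=frozenset())
    print("skipped:", skipped)
    print("sha256:", fp["sha256"])
```

With the exclusion list emptied and the guard removed, the `md5` iteration would raise the same `ValueError` shown in the task output.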