Skip to content

[rhcos-4.14] kola/tests: Add failing test for FIPS & LUKS #4262

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: rhcos-4.14
Choose a base branch
from
Open

[rhcos-4.14] kola/tests: Add failing test for FIPS & LUKS #4262

wants to merge 1 commit into from

Conversation

openshift-cherrypick-robot
Copy link

This is an automated cherry-pick of #4181

/assign aaradhak

@travier
kola/tests: Add failing test for FIPS & LUKS
29292fa 
Ensure that setting up a LUKS device with FIPS incompatible algorithms
will fail when FIPS mode is enabled.

Only run this on QEMU as it should behave the same way on all platforms.
@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Aug 14, 2025
Merged
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Aug 14, 2025

Hi @openshift-cherrypick-robot. Thanks for your PR.

I'm waiting for a coreos member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Aug 14, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request adds a new test case to verify that cryptsetup fails with non-FIPS-compliant algorithms when FIPS mode is enabled. The overall test logic is sound and covers the intended scenario. I have provided a few suggestions to improve code clarity and maintainability by addressing variable shadowing and simplifying error handling logic.

mantle/kola/tests/fips/failure.go
Comment on lines +134 to +152
resultingError := inst.WaitAll(ctx)
if resultingError == nil {
resultingError = fmt.Errorf("ignition unexpectedly succeeded")
} else if resultingError == platform.ErrInitramfsEmergency {
// Expected initramfs failure, checking the console file to ensure
// that it failed the expected way
found, err := fileContainsPattern(builder.ConsoleFile, searchPattern)
if err != nil {
resultingError = errors.Wrapf(err, "looking for pattern '%s' in file '%s' failed", searchPattern, builder.ConsoleFile)
} else if !found {
resultingError = fmt.Errorf("pattern '%s' in file '%s' not found", searchPattern, builder.ConsoleFile)
} else {
// The expected case
resultingError = nil
}
} else {
resultingError = errors.Wrapf(resultingError, "expected initramfs emergency.target error")
}
errchan <- resultingError
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The error handling logic in this goroutine is a bit complex due to multiple reassignments of resultingError. Using a switch statement on the error from inst.WaitAll(ctx) would make the logic clearer and easier to maintain.

Suggested change
resultingError := inst.WaitAll(ctx)
if resultingError == nil {
resultingError = fmt.Errorf("ignition unexpectedly succeeded")
} else if resultingError == platform.ErrInitramfsEmergency {
// Expected initramfs failure, checking the console file to ensure
// that it failed the expected way
found, err := fileContainsPattern(builder.ConsoleFile, searchPattern)
if err != nil {
resultingError = errors.Wrapf(err, "looking for pattern '%s' in file '%s' failed", searchPattern, builder.ConsoleFile)
} else if !found {
resultingError = fmt.Errorf("pattern '%s' in file '%s' not found", searchPattern, builder.ConsoleFile)
} else {
// The expected case
resultingError = nil
}
} else {
resultingError = errors.Wrapf(resultingError, "expected initramfs emergency.target error")
}
errchan <- resultingError
err := inst.WaitAll(ctx)
switch err {
case nil:
errchan <- fmt.Errorf("ignition unexpectedly succeeded")
case platform.ErrInitramfsEmergency:
// Expected initramfs failure, checking the console file to ensure
// that it failed the expected way
found, patternErr := fileContainsPattern(builder.ConsoleFile, searchPattern)
if patternErr != nil {
errchan <- errors.Wrapf(patternErr, "looking for pattern '%s' in file '%s' failed", searchPattern, builder.ConsoleFile)
} else if !found {
errchan <- fmt.Errorf("pattern '%s' in file '%s' not found", searchPattern, builder.ConsoleFile)
} else {
// The expected case
errchan <- nil
}
default:
errchan <- errors.Wrap(err, "expected initramfs emergency.target error")
}

mantle/kola/tests/fips/failure.go
defer builder.Close()

// Prepare Ingnition config
failConfig, err := failConfig.Render(conf.FailWarnings)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The local variable failConfig shadows the global package-level variable of the same name. This can be confusing and lead to bugs. It's better to use a different name for the local variable, for example renderedConfig.

Suggested change
failConfig, err := failConfig.Render(conf.FailWarnings)
renderedConfig, err := failConfig.Render(conf.FailWarnings)

mantle/kola/tests/fips/failure.go

// Instruct builder to use it
builder.ConsoleFile = consoleFile.Name()
builder.SetConfig(failConfig)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

To fix the variable shadowing issue from line 174, this should use the newly named renderedConfig variable.

Suggested change
builder.SetConfig(failConfig)
builder.SetConfig(renderedConfig)

@aaradhak
Copy link
Member

/retest

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Aug 15, 2025

@openshift-cherrypick-robot: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/images 29292fa link true /test images
ci/prow/rhcos 29292fa link true /test rhcos

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@dustymabe
Copy link
Member

dustymabe commented Aug 19, 2025
edited
Loading

The lint failures here look like they would be legitimate build failures.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@aaradhak aaradhak

Labels
ok-to-test
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@openshift-cherrypick-robot @aaradhak @dustymabe @travier