Closed
Description
Bug Report
What did you do?
I have an Ansible operator image based on quay.io/operator-framework/ansible-operator:v1.19.1 which adds the kubernetes.core:2.3.0 and operator_sdk.util:0.4.0 collections in requirements.yaml. One of the playbook tasks sets the status of a CR like so:
    - name: Set status to {{ status }} for {{ ansible_operator_meta.name }} in {{ ansible_operator_meta.namespace }}
      k8s_status:
        api_version: "acme.com/v1beta1"
        kind: AcmeThing
        name: "{{ ansible_operator_meta.name }}"
        namespace: "{{ ansible_operator_meta.namespace }}"
        status:
          acmeStatus: "{{ status }}"
          acmeVersion: "{{ version | default(omit) }}"
      register: set_cr_status
      retries: 3
      delay: 5
      until: set_cr_status is not failed
This works just fine on my FIPS-enabled OCP 4.8 cluster.
What did you expect to see?
When I change the base image to ansible-operator:v1.20.0, it continues to work.
What did you see instead? Under which circumstances?
When I change the base image to ansible-operator:v1.20.0, task k8s_status fails:
fatal: [localhost]: FAILED! => {"attempts": 3, "changed": false, "error": "[digital envelope routines: EVP_DigestInit_ex] disabled for FIPS", "msg": "Failed to get client due to %s"}
Environment
Operator type:
/language ansible
Kubernetes cluster type:
OpenShift 4.8.39
$ operator-sdk version
operator-sdk version: "v1.20.0", commit: "deb3531ae20a5805b7ee30b71f13792b80bd49b1", kubernetes version: "1.23", go version: "go1.17.9", GOOS: "linux", GOARCH: "amd64"
$ go version
(if language is Go)
$ kubectl version
$ oc version
Client Version: 4.8.36
Server Version: 4.8.39
Kubernetes Version: v1.21.8+ed4d8fd
Possible Solution
The problem seems to be related to using MD5 hashes which are restricted in FIPS mode, compare s3tools/s3cmd#1005 (comment).
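The following is an added example, not part of the original report and not code from operator-sdk or kubernetes.core. It shows how to check from inside an image whether Python's `hashlib` refuses a plain MD5 call, and a digest helper for non-security uses that tolerates that refusal. The names `probe_md5`, `nonsecurity_digest` and `strict_fips_md5` are hypothetical, and `strict_fips_md5` is a constructed stand-in that reproduces the error text from the report.

```python
import hashlib

# Error text copied from the report; raised here by a constructed stand-in.
FIPS_ERROR = "[digital envelope routines: EVP_DigestInit_ex] disabled for FIPS"


def strict_fips_md5(data=b"", **kwargs):
    """Constructed stand-in for hashlib.md5 on a host where MD5 is always refused."""
    raise ValueError(FIPS_ERROR)


def probe_md5(constructor=hashlib.md5):
    """Return (allowed, detail) for a plain MD5 call, the way a library would make it."""
    try:
        constructor(b"probe")
        return True, ""
    except ValueError as exc:  # OpenSSL refusals surface as ValueError in hashlib
        return False, str(exc)


def nonsecurity_digest(data, constructor=hashlib.md5):
    """Hex digest for non-security use (cache keys, change detection).

    Tries MD5 flagged as not used for security (Python 3.9+), and falls back
    to SHA-256 when the keyword is unsupported or the digest is still refused.
    """
    try:
        return constructor(data, usedforsecurity=False).hexdigest()
    except (TypeError, ValueError):
        return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    allowed, detail = probe_md5()
    print("plain hashlib.md5 allowed:", allowed, detail)
    print("simulated FIPS host:", probe_md5(strict_fips_md5))
    print("digest on this host:", nonsecurity_digest(b"abc"))
    print("digest when MD5 is refused:", nonsecurity_digest(b"abc", strict_fips_md5))
```

Running the script in both the v1.19.1-based and v1.20.0-based images shows whether the Python/OpenSSL pairing in each one permits plain MD5.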