Open fbladilo opened 2 years ago
@fbladilo Thanks for reporting this issue. Could you please provide the output for -vvv
so that we can see the full stack trace without which it is difficult to debug the issue?
@Akasurde I added the ansible debug output as requested to the "actual results" issue section. I was able to trigger easily with a playbook like this:

```
sh-4.4$ cat test.yml
- hosts: localhost
  tasks:
    - name: "Load cluster API groups"
      set_fact:
        api_groups: "{{ lookup('k8s', cluster_info='api_groups') }}"
    - debug:
        var: api_groups
```
@fbladilo Sorry for the delay. Could you try using the fully qualified collection name for the lookup plugin? So:
```yaml
api_groups: "{{ lookup('kubernetes.core.k8s', cluster_info='api_groups') }}"
```
I ran into this issue today.
The module is using an md5 hash which is not FIPS 140-2

```python
'osrcp-{0}.json'.format(hashlib.md5(default_cache_id).hexdigest())
```
```
The full traceback is:
  File "/tmp/ansible_kubernetes.core.k8s_payload_5cdslgzl/ansible_kubernetes.core.k8s_payload.zip/ansible_collections/kubernetes/core/plugins/module_utils/common.py", line 294, in get_api_client
    return DynamicClient(kubernetes.client.ApiClient(configuration))
  File "/home/user/.local/lib/python3.6/site-packages/openshift/dynamic/client.py", line 40, in __init__
    K8sDynamicClient.__init__(self, client, cache_file=cache_file, discoverer=discoverer)
  File "/home/user/.local/lib/python3.6/site-packages/kubernetes/dynamic/client.py", line 84, in __init__
    self.__discoverer = discoverer(self, cache_file)
  File "/home/user/.local/lib/python3.6/site-packages/kubernetes/dynamic/discovery.py", line 224, in __init__
    Discoverer.__init__(self, client, cache_file)
  File "/home/user/.local/lib/python3.6/site-packages/kubernetes/dynamic/discovery.py", line 48, in __init__
    default_cachefile_name = 'osrcp-{0}.json'.format(hashlib.md5(default_cache_id).hexdigest())
fatal: [ip-10-1-2-3.us-east-1.compute.internal]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "api_key": null,
            "api_version": "v1",
            "append_hash": false,
            "apply": false,
            "ca_cert": null,
            "client_cert": null,
            "client_key": null,
            "context": null,
            "delete_options": null,
            "force": false,
            "host": null,
            "kind": "Namespace",
            "kubeconfig": null,
            "merge_type": null,
            "name": "bigbang",
            "namespace": null,
            "password": null,
            "persist_config": null,
            "proxy": null,
            "resource_definition": null,
            "src": null,
            "state": "present",
            "template": null,
            "username": null,
            "validate": null,
            "validate_certs": null,
            "wait": false,
Failed to get client due to [digital envelope routines: EVP_DigestInit_ex] disabled for fips())
```
Per FIPS 140-2 Annex A, Approved Security Functions for FIPS PUB 140-2, the following Secure Hash Standard (SHS) functions (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256) are compliant.
@ozekidesu The kubernetes.core collection has used SHA 256 since version 2.0. You don't specify what version of Ansible or what version of the collection you are using, but I would suggest upgrading and making sure you are using the fully qualified collection name.
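The failure in this thread comes down to a single `hashlib.md5` call in a dependency. As an added example (not part of the thread, and not code from the collection or the kubernetes client), the script below finds such calls in Python source with `ast`, probes whether the local interpreter blocks MD5, and builds the same cache-file name with SHA-256. The function names, the sample source and the cache id are constructed, and keeping the `osrcp-{0}.json` name format is an assumption.

```python
import ast
import hashlib


def find_md5_calls(source, filename="<constructed>"):
    """Return (line, snippet) for each hashlib.md5(...) or hashlib.new('md5', ...) call."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        func = node.func
        if not (isinstance(func.value, ast.Name) and func.value.id == "hashlib"):
            continue
        is_md5 = func.attr == "md5"
        if func.attr == "new" and node.args and isinstance(node.args[0], ast.Constant):
            is_md5 = str(node.args[0].value).lower() == "md5"
        if is_md5:
            hits.append((node.lineno, ast.get_source_segment(source, node)))
    return sorted(hits)


def cache_file_name(cache_id):
    """SHA-256 variant of the cache-file name built in the traceback (format assumed unchanged)."""
    return "osrcp-{0}.json".format(hashlib.sha256(cache_id).hexdigest())


def md5_blocked():
    """True when this interpreter's crypto backend refuses MD5, as on the FIPS host above."""
    try:
        hashlib.md5(b"probe")
    except ValueError:
        return True
    return False


# Constructed sample: line 2 is the statement shown in the traceback.
SAMPLE = '''import hashlib
default_cachefile_name = 'osrcp-{0}.json'.format(hashlib.md5(default_cache_id).hexdigest())
other = hashlib.new("MD5", b"x").hexdigest()
safe = hashlib.sha256(b"x").hexdigest()
'''

if __name__ == "__main__":
    for line, snippet in find_md5_calls(SAMPLE):
        print("line {0}: {1}".format(line, snippet))
    print("MD5 blocked on this host:", md5_blocked())
    # Constructed cache id, for illustration only.
    print(cache_file_name(b"https://api.example.invalid:6443"))
```

Pointing `find_md5_calls` at the contents of an installed `discovery.py` shows whether the client library on a host still carries the MD5 call before a playbook is run there.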
SUMMARY
Attempting to run k8s ansible module in a FIPS enabled OpenShift cluster fails with:
An unhandled exception occurred while running the lookup plugin 'k8s'. Error was a <class 'ValueError'>, original message: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS
We are using the k8s module extensively with Operator SDK ansible, currently requirements.yml in Operator SDK detailing versions of collections:
ISSUE TYPE
COMPONENT NAME
k8s
ANSIBLE VERSION
COLLECTION VERSION
CONFIGURATION
OS / ENVIRONMENT
Operator SDK image used (RHEL8.6 based): quay.io/operator-framework/ansible-operator:v1.22.0
OpenShift Version: 4.10
STEPS TO REPRODUCE
Alternatively, you can just run the playbook pasted below on a FIPS enabled system.
EXPECTED RESULTS
Run k8s successfully in FIPS enabled systems
ACTUAL RESULTS