
api_server_encryption_provider_cipher rule.yml has bad jsonpath

Open prb112 opened this issue 2 years ago • 7 comments

Description:

  • api_server_encryption_provider_cipher rule.yml has bad jsonpath

Rationale:

  • The jsonpath returns nothing; with the update, it processes the write results.

Review Hints:

as-is

❯ oc get openshiftapiserver -o=jsonpath='{range.items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'

with fix:

❯ oc get openshiftapiserver -o=jsonpath='{range .items[0]}{.status.conditions[?(@.type=="Encrypted")].status}{"\n"}{end}'
False

@rhmdnd This might be you or @Vincent056 to review.

prb112 avatar Sep 08 '23 17:09 prb112

Hi @prb112. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci[bot] avatar Sep 08 '23 17:09 openshift-ci[bot]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment Open in Gitpod

Oracle Linux 8 Environment Open in Gitpod

github-actions[bot] avatar Sep 08 '23 18:09 github-actions[bot]

Code Climate has analyzed commit a4c04205 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.5%.

View more on Code Climate.

qlty-cloud-legacy[bot] avatar Dec 05 '23 15:12 qlty-cloud-legacy[bot]

/hold for test

BhargaviGudi avatar Dec 28 '23 08:12 BhargaviGudi

Verification passed with 4.14.7 + compliance-operator from ComplianceAsCode

$ oc get rules upstream-ocp4-api-server-encryption-provider-cipher -ojsonpath={.instructions}
OpenShift supports encryption of data at rest of etcd datastore, but it is up to the
customer to configure. The asecbc cipher is used. No other ciphers are supported. Keys
are stored on the filesystem of the master and automatically rotated.
Run the following command to review the Encrypted status condition for the OpenShift
API server to verify that its resources were successfully encrypted:

# encrypt the etcd datastore
$ oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.status}{"\n"}{.reason}{"\n"}{.message}{"\n"}{end}'

The output shows EncryptionCompleted upon successful encryption.
If the output shows EncryptionInProgress this means that encryption is still in
progress. Wait a few minutes and try again.
To display the encryption configured, run the following command:
$ oc get --raw /apis/config.openshift.io/v1/apiservers/cluster | jq [.spec.encryption.type] 
If the output does not list aescbc, the encryption is not configured correctly.
$ oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.status}{"\n"}{.reason}{"\n"}{.message}{"\n"}{end}'
False


$ oc get --raw /apis/config.openshift.io/v1/apiservers/cluster | jq [.spec.encryption.type] 
[
  null
]

BhargaviGudi avatar Dec 28 '23 08:12 BhargaviGudi
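
The two checks quoted in the verification comment above, evaluated together over JSON output, as an added example that is not part of the PR or of ComplianceAsCode. The function names, the verdict labels and the sample documents are assumptions made for illustration; the sample data is constructed to match the `False` / `null` results shown in the comment.

```python
import json

# Constructed sample documents (not captured from a cluster), shaped like the output of
# `oc get openshiftapiserver -o json` and
# `oc get --raw /apis/config.openshift.io/v1/apiservers/cluster`.
SAMPLE_OPENSHIFTAPISERVER = json.dumps({"items": [{"status": {"conditions": [
    {"type": "Available", "status": "True", "reason": "AsExpected"},
    {"type": "Encrypted", "status": "False", "reason": "EncryptionDisabled",
     "message": "Encryption is not enabled"},
]}}]})
SAMPLE_APISERVER = json.dumps({"spec": {"audit": {"profile": "Default"}}})


def encrypted_condition(openshiftapiserver_json):
    """Return the Encrypted condition of the first item, or None if absent."""
    items = json.loads(openshiftapiserver_json).get("items") or []
    if not items:
        return None
    conditions = (items[0].get("status") or {}).get("conditions") or []
    return next((c for c in conditions if c.get("type") == "Encrypted"), None)


def encryption_type(apiserver_json):
    """Return .spec.encryption.type, or None when encryption is not configured."""
    spec = json.loads(apiserver_json).get("spec") or {}
    return (spec.get("encryption") or {}).get("type")


def evaluate(openshiftapiserver_json, apiserver_json):
    """Map both results to (verdict, detail); verdict names are this example's own."""
    cond = encrypted_condition(openshiftapiserver_json)
    if cond is None:
        # An empty result (as the old jsonpath produced) must not read as a pass.
        return ("ERROR", "no Encrypted condition found")
    etype = encryption_type(apiserver_json)
    if etype != "aescbc":
        return ("FAIL", f"spec.encryption.type is {etype!r}, expected 'aescbc'")
    status, reason = cond.get("status"), cond.get("reason")
    if reason == "EncryptionInProgress":
        return ("PENDING", "encryption still in progress, check again later")
    if status == "True" and reason == "EncryptionCompleted":
        return ("PASS", "aescbc configured and encryption completed")
    return ("FAIL", f"Encrypted status={status} reason={reason}")


if __name__ == "__main__":
    print(evaluate(SAMPLE_OPENSHIFTAPISERVER, SAMPLE_APISERVER))
```
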

/unhold

BhargaviGudi avatar Dec 28 '23 08:12 BhargaviGudi

label /qe-approved

BhargaviGudi avatar Dec 28 '23 08:12 BhargaviGudi

Thanks @rhmdnd. I re-ran the failing testing-farm test and this time it passed. Merging.

yuumasato avatar Mar 12 '24 10:03 yuumasato