From c499192d2e2dd63715ac4dcc498f66529f429e9b Mon Sep 17 00:00:00 2001 From: James Nesbitt Date: Wed, 3 Jun 2026 17:17:05 +0300 Subject: [PATCH 1/6] fix(windows): let install.ps1 resolve MCR version from channel index MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit DOCKER_VERSION was hardcoded to "latest" in the InstallMCR command. For FIPS channels, install.ps1 appends +fips to produce "latest+fips", but docker-latest+fips.zip is never published — only versioned artifacts (docker-29.2.1+fips.zip) exist. Without DOCKER_VERSION set, install.ps1 fetches the channel's index.json and calls getNumericallyHigherVersion, which returns the correct pinned version. This works for all channel types: versioned FIPS (stable-29.2.1/fips), rolling FIPS (stable/fips), and non-FIPS channels alike. Fixes PRODENG-3471 --- pkg/configurer/windows.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pkg/configurer/windows.go b/pkg/configurer/windows.go index f961d2a7..01f7b941 100644 --- a/pkg/configurer/windows.go +++ b/pkg/configurer/windows.go @@ -60,7 +60,6 @@ func (c WindowsConfigurer) InstallMCRLicense(h os.Host, lic string) error { // InstallMCR install MCR on Windows. func (c WindowsConfigurer) InstallMCR(h os.Host, engineConfig commonconfig.MCRConfig) error { - version := "latest" installerPath, getInstallerErr := GetInstaller(engineConfig.InstallURLWindows) if getInstallerErr != nil { 
@@ -79,7 +78,7 @@ func (c WindowsConfigurer) InstallMCR(h os.Host, engineConfig commonconfig.MCRCo } }() - installCommand := fmt.Sprintf("set DOWNLOAD_URL=%s && set DOCKER_VERSION=%s && set CHANNEL=%s && powershell -ExecutionPolicy Bypass -NoProfile -NonInteractive -File %s -Verbose", engineConfig.RepoURL, version, engineConfig.Channel, ps.DoubleQuote(installer)) + installCommand := fmt.Sprintf("set DOWNLOAD_URL=%s && set CHANNEL=%s && powershell -ExecutionPolicy Bypass -NoProfile -NonInteractive -File %s -Verbose", engineConfig.RepoURL, engineConfig.Channel, ps.DoubleQuote(installer)) log.Infof("%s: running installer", h) From 1eba2b91175d4c68f1dd746f0fb084c4ab6c6085 Mon Sep 17 00:00:00 2001 From: James Nesbitt Date: Wed, 3 Jun 2026 17:26:21 +0300 Subject: [PATCH 2/6] test(smoke): add TestWindowsFIPSCluster for PRODENG-3471 Exercises a ubuntu24 manager + windows_2022 worker cluster with MCR channel stable-29.2.1/fips. Both Linux (APT component ubuntu/dists/noble/stable-29.2.1/fips/) and Windows (win/static/stable-29.2.1/fips/index.json) have published artifacts for this channel. The test directly covers the regression: without the fix, the Windows installer would attempt docker-latest+fips.zip (which does not exist); with the fix it resolves docker-29.2.1.1+fips.zip from the channel index. --- test/smoke/smoke_test.go | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/test/smoke/smoke_test.go b/test/smoke/smoke_test.go index b396432c..83d62bb3 100644 --- a/test/smoke/smoke_test.go +++ b/test/smoke/smoke_test.go 
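Review bot: The rewritten `installCommand` in `InstallMCR` (pkg/configurer/windows.go) still formats `engineConfig.RepoURL` and `engineConfig.Channel` unquoted into what looks like a cmd.exe line, so a value containing `&`, `|` or `%` would be parsed as shell syntax rather than data, and `set CHANNEL=%s &&` normally stores the space before `&&` as part of the value. Both fields appear to come from the cluster configuration, so validate them before formatting (for example, reject a channel that does not match an allow-list such as `^[A-Za-z0-9._/-]+$`) and use the quoted form `set "CHANNEL=%s"`, likewise for DOWNLOAD_URL. With DOCKER_VERSION no longer set, the installed engine version is whatever the index.json under DOWNLOAD_URL reports, so a check that `RepoURL` uses https would also fit here. The function body starts and ends outside this hunk.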
@@ -225,3 +225,21 @@ func TestWindowsCluster(t *testing.T) { }) } +// TestWindowsFIPSCluster exercises ubuntu24 manager and a windows_2022 worker +// with MCR stable-29.2.1/fips and MKE 3.9.2. Validates that the Windows +// installer correctly resolves a versioned FIPS artifact from the channel +// index rather than attempting the non-existent docker-latest+fips.zip. +// Uses RSA keypair (required for Windows password retrieval). +func TestWindowsFIPSCluster(t *testing.T) { + runSmokeTest(t, smokeConfig{ + Name: "windows-fips", + MCRChannel: "stable-29.2.1/fips", + MKEVersion: "3.9.2", + MSRVersion: "3.1.18", + SSHKeyAlgorithm: "rsa", + Nodegroups: map[string]interface{}{ + "MngrUbuntu24": test.Platforms["Ubuntu24"].GetManager(), + "WrkWin2022": test.Platforms["Windows2022"].GetWorker(), + }, + }) +} From 878829141aa092edb93410f01d7d1930ee37b176 Mon Sep 17 00:00:00 2001 From: James Nesbitt Date: Wed, 3 Jun 2026 17:32:36 +0300 Subject: [PATCH 3/6] ci: add smoke-windows-fips make target and GitHub Actions job Triggered by the 'smoke-windows-fips' PR label (or 'smoke-test' to run all suites, or on push to main). --- .github/workflows/smoke-tests.yaml | 17 +++++++++++++++++ Makefile | 3 +++ 2 files changed, 20 insertions(+) diff --git a/.github/workflows/smoke-tests.yaml b/.github/workflows/smoke-tests.yaml index 74515196..4633a745 100644 --- a/.github/workflows/smoke-tests.yaml +++ b/.github/workflows/smoke-tests.yaml 
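Review bot: The doc comment on `TestWindowsFIPSCluster` says the test validates that a versioned FIPS artifact is resolved, but the hunk only hands a `smokeConfig` to `runSmokeTest`, and nothing visible asserts which engine build ends up on the Windows worker. The regression itself is presumably caught because the install fails when the artifact is missing, but if `runSmokeTest` (outside this hunk) only checks that the cluster comes up, the test gives no evidence that the worker runs the FIPS build. Either add a post-install assertion on the worker's reported engine version or FIPS state, or narrow the comment to something like `// Exercises the Windows install path for a versioned FIPS channel; it does not itself verify the installed build.`. The same applies to the renamed `TestFIPSCluster` in the later patches.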
@@ -69,6 +69,23 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} run: make smoke-windows + smoke-windows-fips: + runs-on: ubuntu-latest + if: | + github.event_name == 'push' || + contains(github.event.pull_request.labels.*.name, 'smoke-test') || + contains(github.event.pull_request.labels.*.name, 'smoke-windows-fips') + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + - name: Run windows FIPS smoke test + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + run: make smoke-windows-fips + smoke-upgrade: runs-on: ubuntu-latest if: | diff --git a/Makefile b/Makefile index 8eb84ba7..dee0a06a 100644 --- a/Makefile +++ b/Makefile @@ -63,6 +63,9 @@ smoke-legacy: .PHONY: smoke-windows smoke-windows: go test -count=1 -v ./test/smoke/... -run TestWindowsCluster -timeout 60m +.PHONY: smoke-windows-fips +smoke-windows-fips: + go test -count=1 -v ./test/smoke/... -run TestWindowsFIPSCluster -timeout 60m .PHONY: smoke-upgrade smoke-upgrade: go test -count=1 -v ./test/smoke/... -run TestUpgrade -timeout 90m From 7caa87c23f345ebe7a298a0d5dee7faa4f7f05de Mon Sep 17 00:00:00 2001 From: James Nesbitt Date: Wed, 3 Jun 2026 17:34:31 +0300 Subject: [PATCH 4/6] refactor(smoke): rename windows-fips -> fips across test, make, and CI --- .github/workflows/smoke-tests.yaml | 8 ++++---- Makefile | 6 +++--- test/smoke/smoke_test.go | 6 +++--- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/smoke-tests.yaml b/.github/workflows/smoke-tests.yaml index 4633a745..de49b364 100644 --- a/.github/workflows/smoke-tests.yaml +++ b/.github/workflows/smoke-tests.yaml 
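Review bot: The new `smoke-windows-fips` job runs `make` with the long-lived `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` secrets after two actions referenced by mutable tags, `actions/checkout@v4` and `hashicorp/setup-terraform@v3`; the second one installs the terraform binary that the credentialed step then executes. Pinning both to a full commit SHA, `uses: actions/checkout@<full-commit-sha> # v4`, keeps a retagged release from reaching the step that holds the keys. The job also declares no `permissions:`, and checkout leaves its token in the workspace by default, so `permissions: contents: read` on the job and `persist-credentials: false` on the checkout step would narrow what the test code can reach; whether the workflow already sets permissions at top level is outside this hunk. The later rename to `smoke-fips` carries the same steps.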
@@ -69,22 +69,22 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} run: make smoke-windows - smoke-windows-fips: + smoke-fips: runs-on: ubuntu-latest if: | github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'smoke-test') || - contains(github.event.pull_request.labels.*.name, 'smoke-windows-fips') + contains(github.event.pull_request.labels.*.name, 'smoke-fips') steps: - name: Checkout code uses: actions/checkout@v4 - name: Setup Terraform uses: hashicorp/setup-terraform@v3 - - name: Run windows FIPS smoke test + - name: Run FIPS smoke test env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: make smoke-windows-fips + run: make smoke-fips smoke-upgrade: runs-on: ubuntu-latest diff --git a/Makefile b/Makefile index dee0a06a..1df000fb 100644 --- a/Makefile +++ b/Makefile @@ -63,9 +63,9 @@ smoke-legacy: .PHONY: smoke-windows smoke-windows: go test -count=1 -v ./test/smoke/... -run TestWindowsCluster -timeout 60m -.PHONY: smoke-windows-fips -smoke-windows-fips: - go test -count=1 -v ./test/smoke/... -run TestWindowsFIPSCluster -timeout 60m +.PHONY: smoke-fips +smoke-fips: + go test -count=1 -v ./test/smoke/... -run TestFIPSCluster -timeout 60m .PHONY: smoke-upgrade smoke-upgrade: go test -count=1 -v ./test/smoke/... -run TestUpgrade -timeout 90m diff --git a/test/smoke/smoke_test.go b/test/smoke/smoke_test.go index 83d62bb3..3cc6c6cb 100644 --- a/test/smoke/smoke_test.go +++ b/test/smoke/smoke_test.go 
@@ -225,14 +225,14 @@ func TestWindowsCluster(t *testing.T) { }) } -// TestWindowsFIPSCluster exercises ubuntu24 manager and a windows_2022 worker +// TestFIPSCluster exercises ubuntu24 manager and a windows_2022 worker // with MCR stable-29.2.1/fips and MKE 3.9.2. Validates that the Windows // installer correctly resolves a versioned FIPS artifact from the channel // index rather than attempting the non-existent docker-latest+fips.zip. // Uses RSA keypair (required for Windows password retrieval). -func TestWindowsFIPSCluster(t *testing.T) { +func TestFIPSCluster(t *testing.T) { runSmokeTest(t, smokeConfig{ - Name: "windows-fips", + Name: "fips", MCRChannel: "stable-29.2.1/fips", MKEVersion: "3.9.2", MSRVersion: "3.1.18", From 1bbb6c82cbf91b52e516548bbd7504789be5ca99 Mon Sep 17 00:00:00 2001 From: James Nesbitt Date: Thu, 4 Jun 2026 14:10:33 +0300 Subject: [PATCH 5/6] fix(smoke): hardcode ubuntu_22.04_fips AMI locally until registry picks up v0.1.6 The terraform-mirantis-modules/provision-aws module gained ubuntu_22.04_fips in v0.1.6 but the Terraform Registry has not yet indexed that release. Add it to lib_local_platform_definitions in examples/terraform/aws-simple/platform.tf as a temporary override with a TODO to remove once the module source is bumped to >= v0.1.6. Also wire Ubuntu22FIPS into test/platforms.go and update TestFIPSCluster to use it as the manager node. --- examples/terraform/aws-simple/platform.tf | 11 +++++++++++ test/platforms.go | 8 ++++++++ test/smoke/smoke_test.go | 4 ++-- 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/examples/terraform/aws-simple/platform.tf b/examples/terraform/aws-simple/platform.tf index 9f1f6e7c..f910ae64 100644 --- a/examples/terraform/aws-simple/platform.tf +++ b/examples/terraform/aws-simple/platform.tf 
@@ -18,6 +18,17 @@ locals { ssh_user = "ubuntu" ssh_port = 22 } + // TODO: remove once terraform-mirantis-modules/terraform-mirantis-provision-aws v0.1.6 + // is picked up by the Terraform Registry and the module source is updated to >= v0.1.6. + // ubuntu_22.04_fips was added upstream in PR #21 (released in v0.1.6). + "ubuntu_22.04_fips" = { + ami_name = "ubuntu-pro-fips-updates-server/images/hvm-ssd/ubuntu-jammy-22.04-amd64-pro-fips-updates-server-*" + owner = "099720109477" + interface = "ens5" + connection = "ssh" + ssh_user = "ubuntu" + ssh_port = 22 + } "windows_2025" = { ami_name = "Windows_Server-2025-English-Core-Base-*" owner = "801119661308" diff --git a/test/platforms.go b/test/platforms.go index 19eee0cd..a33ce350 100644 --- a/test/platforms.go +++ b/test/platforms.go @@ -145,4 +145,12 @@ var Platforms = map[string]Platform{ Public: true, UserData: "", }, + "Ubuntu22FIPS": { + Name: "ubuntu_22.04_fips", + Count: 1, + VolumeSize: "100", + Public: true, + UserData: "sudo ufw allow 2377,7946,10250/tcp; sudo ufw allow 7946,4789/udp", + }, } + diff --git a/test/smoke/smoke_test.go b/test/smoke/smoke_test.go index 3cc6c6cb..32f2913d 100644 --- a/test/smoke/smoke_test.go +++ b/test/smoke/smoke_test.go @@ -225,7 +225,7 @@ func TestWindowsCluster(t *testing.T) { }) } -// TestFIPSCluster exercises ubuntu24 manager and a windows_2022 worker +// TestFIPSCluster exercises an ubuntu_22.04_fips manager and a windows_2022 worker // with MCR stable-29.2.1/fips and MKE 3.9.2. Validates that the Windows // installer correctly resolves a versioned FIPS artifact from the channel // index rather than attempting the non-existent docker-latest+fips.zip. @@ -238,7 +238,7 @@ func TestFIPSCluster(t *testing.T) { MSRVersion: "3.1.18", SSHKeyAlgorithm: "rsa", Nodegroups: map[string]interface{}{ - "MngrUbuntu24": test.Platforms["Ubuntu24"].GetManager(), + "MngrUbuntu22FIPS": test.Platforms["Ubuntu22FIPS"].GetManager(), "WrkWin2022": test.Platforms["Windows2022"].GetWorker(), }, }) 
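Review bot: The new `Ubuntu22FIPS` entry in test/platforms.go sets `Public: true` together with a `UserData` that opens 2377, 7946 and 10250/tcp plus 7946 and 4789/udp in ufw for any source address. If the security group created by the Terraform module (not visible in this diff) does not already limit those ports to the cluster, the swarm management, gossip and kubelet ports are reachable on a public address for the lifetime of the test. Scoping the rule to the cluster network, `sudo ufw allow from <VPC_CIDR> to any port 2377,7946,10250 proto tcp` and the matching udp rule, keeps the host firewall useful as a second layer; `<VPC_CIDR>` is a placeholder for the test VPC range. Other platform entries may use the same string outside this hunk, in which case they deserve the same change.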
From 4f2d6300baf7cf112eb7f7b6ce71d0e2a01e6b09 Mon Sep 17 00:00:00 2001 From: James Nesbitt Date: Thu, 4 Jun 2026 17:17:41 +0300 Subject: [PATCH 6/6] test(smoke): use windows_2025 worker in TestFIPSCluster windows_2022 consistently fails to open port 5986 (WinRM HTTPS) within the retry window. Switching to windows_2025 to determine if the issue is AMI-specific.
---
 test/smoke/smoke_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/smoke/smoke_test.go b/test/smoke/smoke_test.go
index 32f2913d..d47d3ef9 100644
--- a/test/smoke/smoke_test.go
+++ b/test/smoke/smoke_test.go
@@ -239,7 +239,7 @@ func TestFIPSCluster(t *testing.T) {
 SSHKeyAlgorithm: "rsa",
 Nodegroups: map[string]interface{}{
 "MngrUbuntu22FIPS": test.Platforms["Ubuntu22FIPS"].GetManager(),
- "WrkWin2022": test.Platforms["Windows2022"].GetWorker(),
+ "WrkWin2025": test.Platforms["Windows2025"].GetWorker(),
 },
 })
 }
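Review bot: The doc comment on `TestFIPSCluster` is stale after this change: the previous patch left it reading `an ubuntu_22.04_fips manager and a windows_2022 worker`, and this hunk, which starts below the comment, switches the worker to `Windows2025` without touching it. Update the first comment line to `// TestFIPSCluster exercises an ubuntu_22.04_fips manager and a windows_2025 worker`. The commit message describes the swap as a probe for a WinRM failure on port 5986 that may be AMI-specific, so a short `// TODO` noting that windows_2022 coverage should return once that is understood would keep the gap visible.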