CMP-3230: Test CO PCI-DSS profiles on ARM

[rhmdnd]

Testing on ARM is necessary to support this profile by default. Adding
these jobs will make it easier for us to suss out any issues with how
rules behave on that architecture.

[openshift-ci-robot]

@rhmdnd: This pull request references CMP-3230 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

Details

In response to this:

Testing on ARM is necessary to support this profile by default. Adding
these jobs will make it easier for us to suss out any issues with how
rules behave on that architecture.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[rhmdnd]

cc: @Anna-Koudelkova @yuumasato @Vincent056 this should get PCI DSS profiles running on ARM clusters.

[rhmdnd]

/pj-rehearse

[openshift-ci-robot]

@rhmdnd: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[rhmdnd]

We might not need to wait for ComplianceAsCode/content#13833 to land since we're using Dockerfiles/ocp4_content here, which is building for ARM64 already.

[Vincent056]

/lgtm

[rhmdnd]

FIO, SPO, and CSO remediations failed because those operators aren't supported on ARM, yet.

[rhmdnd]

E2E-FAILURE: The expected remediated result for the e2e-pci-dss-audit-log-forwarding-enabled rule didn't match.
E2E-FAILURE: The expected remediated result for the e2e-pci-dss-security-profiles-operator-exists rule didn't match.
E2E-Error: e2e-pci-dss-ingress-controller-tls-cipher-suites: rule assertion missing

[rhmdnd]

ComplianceAsCode/content#13837 updates the assertions so this rehearsal passes.

[yuumasato]

E2E-FAILURE: The expected remediated result for the e2e-pci-dss-audit-log-forwarding-enabled rule didn't match. E2E-FAILURE: The expected remediated result for the e2e-pci-dss-security-profiles-operator-exists rule didn't match. E2E-Error: e2e-pci-dss-ingress-controller-tls-cipher-suites: rule assertion missing

I guess it makes sense to set those rules as not applicable for ARM?
Do we expect these rules to pass if customer manages to install them on ARM from upstream?

[rhmdnd]

E2E-FAILURE: The expected remediated result for the e2e-pci-dss-audit-log-forwarding-enabled rule didn't match. E2E-FAILURE: The expected remediated result for the e2e-pci-dss-security-profiles-operator-exists rule didn't match. E2E-Error: e2e-pci-dss-ingress-controller-tls-cipher-suites: rule assertion missing

I guess it makes sense to set those rules as not applicable for ARM? Do we expect these rules to pass if customer manages to install them on ARM from upstream?

I'm not sure I've hit a case where users have done that, so I expect it would be rare? In that case, I think it would be ok to exclude the rule if they decide to install from upstream.

[rhmdnd]

/pj-rehearse

[openshift-ci-robot]

@rhmdnd: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[rhmdnd]

Clean run on the new rehearsals so I'm going to ack it since the last update was just a rebase.

/pj-rehearse ack

[openshift-ci-robot]

@rhmdnd: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[yuumasato]

/pj-rehearse

[openshift-ci-robot]

@yuumasato: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[yuumasato]

/lgtm

Looks like it needs a rebase though

[yuumasato]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhmdnd, Vincent056, yuumasato

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

New changes are detected. LGTM label has been removed.

[openshift-ci-robot]

[REHEARSALNOTIFIER]
@rhmdnd: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-ComplianceAsCode-content-master-e2e-aws-ocp4-pci-dss-arm	ComplianceAsCode/content	presubmit	Presubmit changed
pull-ci-ComplianceAsCode-content-master-e2e-aws-ocp4-pci-dss-node-arm	ComplianceAsCode/content	presubmit	Presubmit changed
pull-ci-ComplianceAsCode-content-master-e2e-aws-ocp4-pci-dss-node	ComplianceAsCode/content	presubmit	Ci-operator config changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[xiaojiey]

/pj-rehearse

[openshift-ci-robot]

@xiaojiey: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@rhmdnd: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/ComplianceAsCode/content/master/e2e-aws-ocp4-pci-dss-node	56dac0b	link	unknown	/pj-rehearse pull-ci-ComplianceAsCode-content-master-e2e-aws-ocp4-pci-dss-node
ci/rehearse/ComplianceAsCode/content/master/e2e-aws-ocp4-pci-dss-arm	56dac0b	link	unknown	/pj-rehearse pull-ci-ComplianceAsCode-content-master-e2e-aws-ocp4-pci-dss-arm
ci/rehearse/ComplianceAsCode/content/master/e2e-aws-ocp4-pci-dss-node-arm	56dac0b	link	unknown	/pj-rehearse pull-ci-ComplianceAsCode-content-master-e2e-aws-ocp4-pci-dss-node-arm

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-bot]

Issues in openshift/release go stale after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 15d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[openshift-merge-robot]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-bot]

Stale issue in openshift/release rot after 15d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 15d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

[openshift-bot]

Rotten issues in openshift/release close after 15d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

[openshift-ci]

@openshift-bot: Closed this PR.

Details

In response to this:

Rotten issues in openshift/release close after 15d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.