- Bug
- Resolution: Not a Bug
- Minor
- None
- 4.16
- None
- 3
- MCO Sprint 269
- 1
- False

Description of problem:
A customer installed a cluster with the ABI method, enabling FIPS and setting the disk encryption to TPM v2. When the customer checked whether the disks were encrypted, the encryption had not worked. After installation, the customer tried to create an mc to enable TPM v2, but the mcp degraded.
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. Install an ocp 4.16.28 cluster with fips enabled.
2. Create an mc with the following information:
---
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: luks-worker
spec:
  config:
    ignition:
      version: 3.4.0
    storage:
      filesystems:
        - device: /dev/mapper/root
          format: xfs
          label: root
          wipeFilesystem: true
      luks:
        - clevis:
            tpm2: true
          device: /dev/disk/by-partlabel/root
          label: luks-root
          name: root
          wipeVolume: true
---
3. mcp's attempt to reconcile is degraded:
---
$ oc get mcp worker -o json |jq .status.conditions
...
{
  "lastTransitionTime": "2025-03-19T21:25:42Z",
  "message": "Failed to render configuration for pool worker: could not generate rendered MachineConfig: new machineconfig \"rendered-worker-cab81f8fed5c4d381c1932f0c826cf1d\" is not reconcilable against \"rendered-worker-cf7276d648a1da6da78c59cc5a95dec8\": ignition filesystems section contains changes\nnew machineconfig \"rendered-worker-cab81f8fed5c4d381c1932f0c826cf1d\" is not reconcilable against \"00-worker\": detected change to FIPS flag; refusing to modify FIPS on a running cluster",
  "reason": "",
  "status": "True",
  "type": "RenderDegraded"
},
---
Actual results:
MCP degraded
Expected results:
Additional info:
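
Added example, not part of the original report and not MCO code: the RenderDegraded message in step 3 packs two separate rejections into one newline-separated string, and this sketch splits them so each refused change (the filesystems section and the FIPS flag) is reported on its own. The function name render_rejections and the sample wrapper are assumptions; the message text is the one quoted in the report.

```python
import json
import re

# Constructed sample: the condition quoted in step 3, wrapped in the shape
# printed by `oc get mcp worker -o json`. The "Updated" entry is constructed.
NEW = "rendered-worker-cab81f8fed5c4d381c1932f0c826cf1d"
OLD = "rendered-worker-cf7276d648a1da6da78c59cc5a95dec8"
SAMPLE_MCP = json.dumps({
    "status": {"conditions": [
        {"type": "Updated", "status": "False", "message": ""},
        {
            "type": "RenderDegraded",
            "status": "True",
            "message": (
                "Failed to render configuration for pool worker: could not "
                "generate rendered MachineConfig: "
                f'new machineconfig "{NEW}" is not reconcilable against '
                f'"{OLD}": ignition filesystems section contains changes\n'
                f'new machineconfig "{NEW}" is not reconcilable against '
                '"00-worker": detected change to FIPS flag; refusing to '
                "modify FIPS on a running cluster"
            ),
        },
    ]}
})

# One rejection per line: new config, the config it was compared to, the reason.
REJECTION = re.compile(
    r'new machineconfig "(?P<new>[^"]+)" is not reconcilable against '
    r'"(?P<against>[^"]+)": (?P<reason>.+)$'
)

def render_rejections(mcp_json):
    """Return one dict per non-reconcilable change in a render-degraded pool."""
    pool = json.loads(mcp_json)
    findings = []
    for cond in pool.get("status", {}).get("conditions", []):
        if cond.get("type") != "RenderDegraded" or cond.get("status") != "True":
            continue  # only an active RenderDegraded condition is of interest
        for line in cond.get("message", "").splitlines():
            match = REJECTION.search(line)
            if match:
                findings.append(match.groupdict())
    return findings

if __name__ == "__main__":
    for f in render_rejections(SAMPLE_MCP):
        print(f"{f['against']}: {f['reason']}")
```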