Fix SHC appframework bundle-push loop in FIPS mode

[dpericaxon]

Description

This PR fixes a retry storm / “app update loop” seen when Splunk Operator (v3.0.0) manages an SHC with App Framework enabled and Splunk is running in FIPS mode. In this scenario, the SHC bundle push status file can contain benign FIPS/TLS banner output (and sometimes ConfDeploymentException: ... already running) which was previously treated as a hard failure. The operator would reset the bundle push state back to Pending and immediately re-trigger the bundle push, causing collisions and preventing SHC app updates from completing.

This change makes the status parsing more robust by treating known-benign output as “still in progress” rather than a failure.

Key Changes

• pkg/splunk/enterprise/afwscheduler.go

  • Use normalized status output (strip benign FIPS banner + TLS hostname warning) when determining completion.
  • Treat banner-only output as in-progress (do not reset bundle state to Pending).
  • Treat ConfDeploymentException: Can't start deployment job as one is already running! as in-progress (do not reset bundle state to Pending / do not re-trigger).
  • Preserve existing behavior for true errors (non-empty output that is not success and not the known benign cases).

• pkg/splunk/enterprise/afwscheduler_test.go

  • Add unit test coverage for:
    • FIPS banner-only status output ⇒ remains BundlePushInProgress
    • FIPS banner + “already running” ⇒ remains BundlePushInProgress

Testing and Verification

• Unit tests:
  • go test ./pkg/splunk/enterprise -run '^TestSHCRunPlaybook$' -v
• Behavioral verification (manual):
  • Verified the operator no longer resets bundle push state to Pending when the status output contains only the FIPS/TLS banner or the “already running” ConfDeploymentException.
  • Verified SHC bundle push progresses without a re-trigger storm and SHC app updates can complete.

Related Issues

• GitHub: splunk/splunk-operator issue App Framework: #1611 (FIPS / SHC bundle push loop)

PR Checklist

• Code changes adhere to the project's coding standards.
• Relevant unit and integration tests are included.
• Documentation has been updated accordingly.
• All tests pass locally.
• The PR description follows the project's guidelines.

[rlieberman-splunk]

Is there a list of benign banners somewhere that we can add to the checks here? I'm worried if we merge this it will only cover a specific scenario with hard coded values.

[kasiakoziol]

If we don't find out, then as of now, we can just make a list of such banners (as of now 1-element), use this list in the code to validate the output and once we learn more, we can expand the list with new banners.

[dpericaxon]

@rlieberman-splunk @kasiakoziol is this an action item on your side to dig into this? For now I Implemented a benignLinePrefixes list in normalizeSHCBundlePushStatusOutput() (currently includes the known FIPS banner and the TLS hostname validation warning). This keeps the logic extensible and we can expand the list as additional benign lines are identified.Implemented a benignLinePrefixes list in normalizeSHCBundlePushStatusOutput() (currently includes the known FIPS banner and the TLS hostname validation warning). This keeps the logic extensible and we can expand the list as additional benign lines are identified.

[kasiakoziol]

Please update the comment for consistency - stdOut to normalizedOut

[dpericaxon]

Done! Updated the comment to reference normalizedOut for consistency with the normalized parsing logic.

[kasiakoziol]

Did you perform manual tests with the fix on both FIPS and non-FIPS enabled clusters?

[github-actions]

CLA Assistant Lite bot CLA Assistant Lite bot All contributors have signed the COC ✍️ ✅

[dpericaxon]

I have read the Code of Conduct and I hereby accept the Terms

[dpericaxon]

recheck

[dpericaxon]

I have read the CLA Document and I hereby sign the CLA

[kubabuczak]

I have read the CLA Document and I hereby accept the Terms

@dpericaxon you need to post comment with "I have read the CLA Document and I hereby sign the CLA" - you hae slightly different wording

[dpericaxon]

Did you perform manual tests with the fix on both FIPS and non-FIPS enabled clusters?

I did it for FIPs clusters. Do you perhaps have a non-fips cluster to test in quickly? If not I can see what I can come up with.

[dpericaxon]

Hey @kubabuczak and @gabrielm-splunk I noticed that a new release got cut but the change above didn't make it in. Isn't this effecting other customers running on fips pods?

[kubabuczak]

Calling @rlieberman-splunk , as she is working on FIPS certification for this release

[rlieberman-splunk]

Hi @dpericaxon , I have opened a PR with similar changes and tested them on our FIPS enabled environment. These changes will be included in the next release.