Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Build the operator for FIPS enabled environments #456

Merged
merged 1 commit into from
Oct 26, 2023

Conversation

rhmdnd
Copy link

@rhmdnd rhmdnd commented Oct 24, 2023

This commit does a few things to make sure the Compliance Operator is built
so that it can run in FIPS-enabled clusters.

  • Uses ubi8-minimal for openssl for container image builds
  • Set CGO_ENABLE=1
  • Use a boilerplate base image for building the operator container image
  • Set the appropriate flags so that go builds with FIPS enabled and
    links dynamically to the necessary openssl libraries
  • Includes a FIPS-enabled go source file that implements a "FIPS or Die"
    feature

The ubi9-micro image we were using was ideal for minimal dependencies,
but it doesn't include openssl, which we need to support FIPS. This
commit changes the operator container image to fix this.

Set CGO_ENABLE=1 so that go can link dynamically to the openssl library.

Use an image from app-sre/boilerplate to build the operator binary. This
is needed so that golang links the necessary libraries.

Set the appropriate golang experimental flags at build time so the
complier knows to build for FIPS-enabled clusters. The other part of
this change is a golang file we need to keep in-tree. If we're missing
either, the build won't produce container images for FIPS-enabled
environments.

This commit is a smattering of openshift/boilerplate code that enables
FIPS for operator builds. Eventually, we should reconsider maintaining
our hand-rolled Makefiles for boilerplate, which contains handy tools
and scripts for maintaining common operator components.

@openshift-ci openshift-ci bot requested review from jhrozek and Vincent056 October 24, 2023 15:48
@rhmdnd rhmdnd requested review from yuumasato and xiaojiey and removed request for jhrozek October 24, 2023 15:48
This commit includes a file that allows strict usage of algorithms for
FIPS.

This was copied for openshift/boilerplate, which includes some scripts
for enabling FIPS-compliant container image builds. Since we're not
using boilerplate, this just copies the file over, but
ultimately does the same thing as what boilerplate is doing.

To build with strict FIPS runtimes, enable CGO and use the
`strictfipsruntime` Go experimenal variable with a compiler that
supports it.
Copy link

@Vincent056 Vincent056 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci
Copy link

openshift-ci bot commented Oct 26, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhmdnd, Vincent056

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot merged commit dae8105 into ComplianceAsCode:master Oct 26, 2023
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants