Uploaded image for project: 'Red Hat Advanced Cluster Management'
  1. Red Hat Advanced Cluster Management
  2. ACM-30139

Enable CGO for managed-serviceaccount and separate clusterprofile plugin

XMLWordPrintable

    • Icon: Story Story
    • Resolution: Unresolved
    • Icon: Major Major
    • MCE 2.17.0
    • MCE 2.17.0
    • Server Foundation
    • None
    • Product / Portfolio Work
    • False
    • Hide

      None

      Show
      None
    • False
    • Hide

      Provide the required acceptance criteria using this template.

      • ...
      Show
      Provide the required acceptance criteria using this template. ...
    • Not Selected
    • Moderate
    • None

      Value Statement

      Currently, the managed-serviceaccount addon
      (https://github.com/open-cluster-management-io/managed-serviceaccount)
      is built with CGO disabled (CGO_ENABLED=0).

      The reason CGO was disabled is because the clusterprofile credentials provider plugin was introduced directly into the managed-serviceaccount addon via PR #259:
      https://github.com/open-cluster-management-io/managed-serviceaccount/pull/259

      The plugin needs to be statically linked so that it can run in arbitrary environments without external runtime dependencies. To achieve static linking, the build was configured with CGO_ENABLED=0.

      However, disabling CGO may not align with FIPS compliance requirements for managed-serviceaccount, as FIPS-
      enabled builds typically require CGO to be enabled to properly link against validated cryptographic libraries.

      Definition of Done for Engineering Story Owner (Checklist)

      • managed-serviceaccount is built with CGO_ENABLED=1
      • FIPS build validation passes
      • clusterprofile credentials provider plugin is packaged as a separate image
      • managed-serviceaccount image no longer directly embeds the clusterprofile credentials provider plugin
      •  Existing functionality remains unaffected

      Development Complete

      • The code is complete.
      • Functionality is working.
      • Any required downstream Docker file changes are made.

      Tests Automated

      • [ ] Unit/function tests have been automated and incorporated into the
        build.
      • [ ] 100% automated unit/function test coverage for new or changed APIs.

      Secure Design

      • [ ] Security has been assessed and incorporated into your threat model.

      Multidisciplinary Teams Readiness

      • [ ] Create an informative documentation issue using the Customer

      Portal Doc template that you can access from [The Playbook](

      https://docs.google.com/document/d/1YTqpZRH54Bnn4WJ2nZmjaCoiRtqmrc2w6DdQxe_yLZ8/edit#heading=h.9fvyr2rdriby),

      and ensure doc acceptance criteria is met.

      • Call out this sentence as it's own action:
      • [ ] Link the development issue to the doc issue.

      Support Readiness

      • [ ] The must-gather script has been updated.

              lcao@redhat.com Longlong Cao
              lcao@redhat.com Longlong Cao
              Hui Chen Hui Chen
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated: