Epic Goal

Enable compliant deployment of Builds on a FIPS-enabled OpenShift Ensure Builds for OpenShift meets the prerequisite checks for FIPS 140 ("Designed for FIPS") compliance.

More details:

• FIPS 140 support for OpenShift bundled products and operators
• FIPS Workshop
• KONFLUX-4158

Note: Builds for OpenShift cannot claim FIPS support until OpenShift Pipelines can support FIPS environments

Why is this important?

By Jan 31, 2025 all OpenShift layered products should be FIPS compliant and comply for consumption within FedRamp

Acceptance Criteria (Mandatory)

• Builds on OpenShift is FIPS compliant meets prerequisites for FIPS compliance:
  • Konflux static checks verify container image compliance
  • Ideally, Konflux-driven CI verifies builds function correctly on FIPS-enabled clusters. Manual testing on FIPS clusters acceptable.
• Release Technical Enablement - Provide necessary release enablement details and documents.

Dependencies (internal and external)

• s2i: FIPS support BUILD-1166
• buildah: FIPS support (based on issues like RHELPLAN-37190)
• Go toolset support for FIPS
• UBI 9 support for FIPS

Previous Work (Optional):

NA

Open questions::

None

Done Checklist

• Acceptance criteria are met
• Non-functional properties of the Feature have been validated (such as performance, resource, UX, security or privacy aspects)
• User Journey automation is delivered
• Support and SRE teams are provided with enough skills to support the feature in production environment