Story
Resolution: Done
Critical
s2i-1.4
With this update, source-to-image can run in FIPS-enabled environments.
Enhancement
Proposed
Builds Sprint #18, Builds Sprint #19, Builds Sprint #20
Story (Required)
As a developer trying to build containers in FIPS 140 regulated environments, I want s2i to support FIPS 140.
Background (Required)
The FIPS standard requires specific Go compilation modes; otherwise the binary may fail to execute on FIPS-enabled clusters.
Out of scope
- Produce UBI9 based image
- Audit of x/crypto use
Approach (Required)
- Set CGO_ENABLED=1 in all Dockerfiles/Containerfiles.
- Ensure the no_openssl build tag is not set.
- Ensure dynamic linking is enabled (do not pass static-linking flags such as -ldflags "-static" or -extldflags "-static").
- The UBI major versions of the go-toolset "builder" image and the ubi "runtime" image must match, e.g. ubi9/go-toolset -> ubi9/ubi-minimal.
- Add the "check payload" FIPS test to the Konflux build pipeline.
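An added Containerfile sketch that applies the settings above (this is not the s2i project's own build file). The image tags, the cmd/s2i path, the working directory and the ubi8 major version are assumptions; the point is the builder/runtime pairing, CGO_ENABLED=1, no static-linking flags, and a verification step that fails the build if the binary is statically linked or was built without cgo:

```dockerfile
# Added example, not the s2i project's own Containerfile.
# Builder and runtime must share one UBI major version (ubi8 assumed here).
FROM registry.access.redhat.com/ubi8/go-toolset:1.21 AS builder

# cgo must be on so the Red Hat Go toolchain can route crypto through the system OpenSSL.
ENV CGO_ENABLED=1

# Assumed: the toolset image's default working directory.
WORKDIR /opt/app-root/src
COPY . .

# Plain build: no "no_openssl" tag and no -ldflags "-static" / -extldflags "-static",
# so the result is dynamically linked against the system libraries.
RUN go build -o /tmp/s2i ./cmd/s2i

# Fail the build early if the binary is not dynamically linked
# or does not record CGO_ENABLED=1 in its embedded build settings.
RUN ldd /tmp/s2i | grep -q 'libc.so' \
 && go version -m /tmp/s2i | grep -q 'CGO_ENABLED=1'

# Runtime image from the same UBI major version as the builder.
FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
COPY --from=builder /tmp/s2i /usr/local/bin/s2i
ENTRYPOINT ["/usr/local/bin/s2i"]
```

The two grep checks mirror what the "check payload" task looks for, but they are not a replacement for running that task in the Konflux pipeline.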
Dependencies
- "check payload" test for FIPS mode. This is a task that is available in the set of Konflux vetted/approved tasks.
Out of Scope
- e2e test on FIPS cluster: will be done as part of BUILD-1200.
Acceptance Criteria (Mandatory)
- The s2i container image can run in a FIPS-enabled environment.
- The container image passes the Konflux FIPS checks ("check payload" test).
INVEST Checklist
Dependencies identified
Blockers noted and expected delivery timelines set
Design is implementable
Acceptance criteria agreed upon
Story estimated
Done Checklist
- Code is completed, reviewed, documented and checked in
- Unit and integration test automation has been delivered and runs cleanly in the continuous integration/staging/canary environment
- Continuous Delivery pipeline(s) is able to proceed with new code included
- Customer facing documentation, API docs etc. are produced/updated, reviewed and published
- Acceptance criteria are met
- Is depended on by: BUILD-1203 Test with FIPS cluster (Waiting)