Uploaded image for project: 'OpenShift Builds'
  1. OpenShift Builds
  2. BUILD-1190

s2i: FIPS support

XMLWordPrintable

    • Icon: Story Story
    • Resolution: Unresolved
    • Icon: Critical Critical
    • None
    • s2i-1.4
    • source-to-image
    • None
    • False
    • None
    • False

      Story (Required)

      As a developer trying to build containers in FIPS 140 regulated environments I want s2i to support FIPS 140.

      <Describes high level purpose and goal for this story. Answers the questions: Who is impacted, what is it and why do we need it? How does it improve the customer’s experience?>

      Background (Required)

      <Describes the context or background related to this story>

      FIPS standard requires specific golang compilation modes - otherwise it may fail to execute on FIPS-enabled clusters.

      Out of scope

      <Defines what is not included in this story>

      • Produce UBI9 based image
      • Audit of x/crypto use

      Approach (Required)

      <Description of the general technical path on how to achieve the goal of the story. Include details like json schema, class definitions>

      • Set CGO_ENABLED=1 in all Dockerfiles/Containerfiles
      • Ensure no_openssl build tag is not set.
      • Ensure dynamic linking is enabled (cannot set -ldflags "-static", -extldflags "-static")
      • UBI major versions of the go-toolset "builder" and ubi "runtime" image must match. Ex: ubi9/go-toolset -> ubi9/ubi-minimal

      Dependencies

      <Describes what this story depends on. Dependent Stories and EPICs should be linked to the story.>

      Acceptance Criteria (Mandatory)

      <Describe edge cases to consider when implementing the story and defining tests>

      <Provides a required and minimum list of acceptance tests for this story. More is expected as the engineer implements this story>

      INVEST Checklist

      Dependencies identified

      Blockers noted and expected delivery timelines set

      Design is implementable

      Acceptance criteria agreed upon

      Story estimated

      Legend

      Unknown

      Verified

      Unsatisfied

      Done Checklist

      • Code is completed, reviewed, documented and checked in
      • Unit and integration test automation have been delivered and running cleanly in continuous integration/staging/canary environment
      • Continuous Delivery pipeline(s) is able to proceed with new code included
      • Customer facing documentation, API docs etc. are produced/updated, reviewed and published
      • Acceptance criteria are met

              Unassigned Unassigned
              adkaplan@redhat.com Adam Kaplan
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated: