OpenShift Builds / BUILD-1191

Compile all images without static linking

    • Enhancement

      Story (Required)

      As a trying to support Builds for OpenShift in FIPS environments, I want all container images compiled in a manner that is FIPS compliant.

      <Describes high level purpose and goal for this story. Answers the questions: Who is impacted, what is it and why do we need it? How does it improve the customer’s experience?>

      Background (Required)

      <Describes the context or background related to this story>

      FIPS compliance for Go applications: FIPS Workshop (Red Hat internal).

      Out of scope

      <Defines what is not included in this story>

      • FIPS compliance for images that are not built directly for this operator (s2i, buildah, kube-rbac-proxy, csi-node-registrar)
      • Auditing of the Go x/crypto libraries and their use.

      Approach (Required)

      <Description of the general technical path on how to achieve the goal of the story. Include details like json schema, class definitions>

      • Set CGO_ENABLED=1 in all Dockerfiles/Containerfiles built directly in the product.
      • Ensure the no_openssl build tag is not set.
      • Ensure dynamic linking is enabled (do not pass -ldflags "-static" or -extldflags "-static").
      • The UBI major versions of the go-toolset "builder" image and the UBI "runtime" image must match, e.g. ubi9/go-toolset -> ubi9/ubi-minimal.
      • Enable "FIPS or Die" compile mode:
        • Export the GOEXPERIMENT=strictfipsruntime environment variable before the build.
        • Add -tags strictfipsruntime to the go build invocation.
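The Approach items above, put together in a multi-stage Containerfile. This is an added example written for this story, not a file from the OpenShift Builds operator repository; the module layout (a main package under ./cmd/operator producing a binary named operator), the :latest image tags and the non-root UID are assumptions for illustration. The security-relevant lines are CGO_ENABLED=1, GOEXPERIMENT=strictfipsruntime, -tags strictfipsruntime, the absence of any -static linker flag or no_openssl tag, and the matching ubi9 major version in both stages.

```dockerfile
# Added example Containerfile for a FIPS-compliant Go build (assumption: module root is
# the build context, main package lives in ./cmd/operator). Pin image tags in real use.
FROM registry.access.redhat.com/ubi9/go-toolset:latest AS builder
WORKDIR /opt/app-root/src

# Resolve dependencies first so this layer is cached across source changes.
COPY go.mod go.sum ./
RUN go mod download
COPY . .

# cgo must stay enabled: the Red Hat Go toolchain routes crypto through the
# system OpenSSL, which only works when the binary is dynamically linked.
ENV CGO_ENABLED=1
# "FIPS or Die": the binary refuses to start if it cannot enter FIPS mode.
ENV GOEXPERIMENT=strictfipsruntime

# Note what is deliberately NOT here: no -ldflags "-static", no
# -extldflags "-static", and no -tags no_openssl; any of those would
# silently fall back to the pure-Go crypto and fail the FIPS check.
RUN go build -tags strictfipsruntime -o /tmp/operator ./cmd/operator

# Runtime stage: same UBI major version as the builder (ubi9 -> ubi9) so the
# OpenSSL shared library the binary was linked against is the one present here.
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
COPY --from=builder /tmp/operator /usr/bin/operator
# Assumed non-root UID; pick whatever the operator's SCC expects.
USER 65532:65532
ENTRYPOINT ["/usr/bin/operator"]
```

After `podman build -t operator:fips .`, `go version -m` on the extracted binary should list `CGO_ENABLED=1` and `-tags=strictfipsruntime` among its build settings and show no `-static` in `-ldflags`; the check-payload tool named in the acceptance criteria performs the authoritative scan.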

      Dependencies

      <Describes what this story depends on. Dependent Stories and EPICs should be linked to the story.>

      Acceptance Criteria (Mandatory)

      <Describe edge cases to consider when implementing the story and defining tests>

      <Provides a required and minimum list of acceptance tests for this story. More is expected as the engineer implements this story>

      • Builds of all Go container images that are part of the product (operator, main operands) pass the FIPS compliance checks of the check-payload script.

      INVEST Checklist

      • Dependencies identified
      • Blockers noted and expected delivery timelines set
      • Design is implementable
      • Acceptance criteria agreed upon
      • Story estimated

      Done Checklist

      • Code is completed, reviewed, documented and checked in
      • Unit and integration test automation have been delivered and are running cleanly in the continuous integration/staging/canary environment
      • Continuous delivery pipeline(s) are able to proceed with the new code included
      • Customer facing documentation, API docs etc. are produced/updated, reviewed and published
      • Acceptance criteria are met

      Assignee: Unassigned
      Reporter: Adam Kaplan (adkaplan@redhat.com)