-
Task
-
Resolution: Done
A cursory investigation into FIPS compliance around the operator:
Start the builder image as root:
$ docker run --user root -it --entrypoint sh registry.access.redhat.com/ubi8/go-toolset:1.20.10-10
Then compile the binary:
sh-4.4# yum -y update && yum clean all
sh-4.4# git clone https://github.com/project-koku/koku-metrics-operator.git
sh-4.4# cd koku-metrics-operator/
sh-4.4# GIT_COMMIT=$(git rev-list -1 HEAD)
sh-4.4# CGO_ENABLED=0 GOFLAGS=-mod=vendor go build -ldflags "-X github.com/project-koku/koku-metrics-operator/controllers.GitCommit=$GIT_COMMIT" -a -o manager cmd/main.go
(do not include the -w -s ldflags here)
sh-4.4# go tool nm manager | grep _Cfunc
sh-4.4#
The lack of output from {{go tool nm manager | grep _Cfunc}} suggests that we are not currently FIPS compliant. If we set {{CGO_ENABLED=1}} during the build, the output changes to:
sh-4.4# CGO_ENABLED=1 GOFLAGS=-mod=vendor go build -ldflags "-X github.com/project-koku/koku-metrics-operator/controllers.GitCommit=$GIT_COMMIT" -a -o manager cmd/main.go
sh-4.4# go tool nm manager | grep _Cfunc
16c9248 T _cgo_0edd79296193_Cfunc__Cmalloc
16c9a48 T _cgo_0edd79296193_Cfunc__goboringcrypto_BN_bn2binpad
16cb648 T _cgo_0edd79296193_Cfunc__goboringcrypto_BN_bn2lebinpad
16c9ad8 T _cgo_0edd79296193_Cfunc__goboringcrypto_BN_free
16cb6d8 T _cgo_0edd79296193_Cfunc__goboringcrypto_BN_lebin2bn
16ca1b0 T _cgo_0edd79296193_Cfunc__goboringcrypto_BN_new
16cb770 T _cgo_0edd79296193_Cfunc__goboringcrypto_BN_num_bytes
....
To compile a FIPS compliant operator, we may just need to flip the CGO_ENABLED flag, but more investigation is necessary to determine if that is sufficient...
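One way to script the symbol check above so it can run in CI, as an added example that is not part of the original ticket or the project's code. The function names, result labels and the two sample listings are assumptions made for this example; the first two cgo sample lines are taken from the output above and the rest are constructed. The result is only an indicator of how the binary was linked, not a compliance verdict.

```shell
#!/bin/sh
# Added example: classify a `go tool nm` listing read from stdin.
# Labels are chosen for this example only.
classify_nm() {
    awk '
        NF >= 2                   { syms++ }    # any symbol line at all
        /_Cfunc_/                 { cgo++ }     # cgo call stubs
        /_Cfunc__goboringcrypto_/ { boring++ }  # stubs like those shown in the ticket
        END {
            # An empty listing (for example a binary built with -s -w)
            # cannot be told apart from "no cgo" by grep alone.
            if (!syms)        print "inconclusive-no-symbols"
            else if (!cgo)    print "no-cgo"
            else if (!boring) print "cgo-without-goboringcrypto"
            else              print "goboringcrypto-linked"
        }'
}

# Run the check against a built binary (requires the Go toolchain).
check_binary() {
    go tool nm "$1" 2>/dev/null | classify_nm
}

# Sample listing for a CGO_ENABLED=1 build: first two lines from the ticket,
# last line constructed.
sample_cgo_on() {
    cat <<'EOF'
 16c9248 T _cgo_0edd79296193_Cfunc__Cmalloc
 16c9a48 T _cgo_0edd79296193_Cfunc__goboringcrypto_BN_bn2binpad
  45a000 T runtime.main
EOF
}

# Constructed sample listing for a CGO_ENABLED=0 build.
sample_cgo_off() {
    cat <<'EOF'
  401000 T main.main
  45a000 T runtime.main
EOF
}
```

In a pipeline, `[ "$(check_binary manager)" = "goboringcrypto-linked" ] || exit 1` fails the build when the stubs are missing or the listing is empty.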
- relates to: COST-4617 Cost Operator Install on FIPS enabled cluster should work (Closed)