Red Hat OpenShift Dev Spaces (formerly CodeReady Workspaces)
CRW-6246

git-lfs binary used in DevWorkspace Operator Project Clone container is not FIPS compliant


      Description of problem:

      Operator FIPS Static Check CVP test results for DWO are reporting that the git-lfs binary used in the project clone container is not FIPS compliant:

      image: registry.redhat.io/devworkspace/devworkspace-project-clone-rhel8@sha256:c960e8343dfb9df0e92906ca9b413b4851f87385fce8da184629627b7b923a61
      build: devworkspace-project-clone-container-0.27-3
      check-payload warnings:
      * /usr/bin/git-lfs: go binary does not contain required tag(s): strictfipsruntime

      This warning will become gating (i.e. we can't ship unless the git-lfs binary is FIPS compliant) at the end of CY24 Q2.

      I'm not sure yet what the best approach is here: in an ideal world, I'd contribute to git-lfs upstream (https://github.com/git-lfs/git-lfs) to make it FIPS compliant. Then we'd consume the fixed version in DevWorkspace Operator's project clone container.

      However:

      • We'd be at the mercy of the community and maintainers of git-lfs whether that hypothetical change would be accepted
      • If the change is accepted, we'd have to wait for it to make its way into a new release of git-lfs
      • Both of these conditions might not occur in time before the end of Q2 2024, but are long-term solutions that should be considered

      In the short term, I might have to compile git-lfs from source so that it is FIPS compliant. This might bring its own set of challenges, but gives us the most control in this situation (rather than being dependent on the git-lfs community's timing and decisions).

      Prerequisites (if any, like setup, operators/versions):

      Steps to Reproduce:

      Build DevWorkspace Operator downstream and have the CVP tests run

      Actual results:

      The operator-fips-static-check-bundle-image test reports a warning that the git-lfs binary is not compliant

      Expected results:

      The operator-fips-static-check-bundle-image test reports no warnings

      Additional info (Such as Logs, Screenshots, etc):

      Link to the operator-fips-static-check-bundle-image test results for DWO 0.27.0: http://external-ci-coldstorage.datahub.redhat.com/cvp/cvp-redhat-operator-bundle-image-validation-test/devworkspace-operator-bundle-container-0.27-5/5ab4642a-76ad-4d94-9415-46a109b04669/operator-fips-static-check-bundle-image-output.txt

      Link to the cvp-fips-check-payload-report.json: http://external-ci-coldstorage.datahub.redhat.com/cvp/cvp-redhat-operator-bundle-image-validation-test/devworkspace-operator-bundle-container-0.27-5/5ab4642a-76ad-4d94-9415-46a109b04669/cvp-fips-check-payload-report.json
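The warning quoted in the description and the short-term plan of compiling git-lfs from source both turn on the build settings a Go binary records, which check-payload reads back with `go version -m`. The script below is an added example, not code from this issue or from the DevWorkspace Operator or git-lfs projects: it parses those recorded settings for the `strictfipsruntime` build tag (the one the warning names) and for `CGO_ENABLED=1`, which the Red Hat Go toolset needs in order to reach OpenSSL, and it shows the build invocation that produces a binary carrying those markers. It assumes the Red Hat Go toolset (upstream Go rejects `GOEXPERIMENT=strictfipsruntime`), assumes git-lfs's `main` package sits at the repository root, and the two `go version -m` outputs embedded in it are constructed samples, not captures from the real devworkspace-project-clone image. The function names `fips_missing`, `check_binary` and `build_git_lfs` are mine.

```shell
#!/bin/sh
# Added example, not code from the issue or from the DevWorkspace Operator
# project. Checks a Go binary's recorded build settings for the FIPS markers
# check-payload looks for, and builds git-lfs so that they are present.

# fips_missing SETTINGS
#   SETTINGS is the text printed by `go version -m BINARY`. Prints each missing
#   requirement on its own line; returns 0 when nothing is missing, 1 otherwise.
fips_missing() {
    settings=$1
    rc=0
    # Build settings are tab-separated lines of the form "<tab>build<tab>KEY=VALUE";
    # -tags holds a comma-separated list when several tags were given.
    tags=$(printf '%s\n' "$settings" |
        awk -F '\t' '$2 == "build" && $3 ~ /^-tags=/ { sub(/^-tags=/, "", $3); print $3 }')
    case ",$tags," in
        *,strictfipsruntime,*) ;;
        *) echo "strictfipsruntime build tag"; rc=1 ;;
    esac
    cgo=$(printf '%s\n' "$settings" |
        awk -F '\t' '$2 == "build" && $3 ~ /^CGO_ENABLED=/ { sub(/^CGO_ENABLED=/, "", $3); print $3 }')
    [ "$cgo" = "1" ] || { echo "CGO_ENABLED=1"; rc=1; }
    return $rc
}

# check_binary PATH
#   Runs the check against a real binary (needs a Go toolchain on PATH).
check_binary() {
    fips_missing "$(go version -m "$1")"
}

# build_git_lfs SRCDIR OUT
#   Builds git-lfs with the FIPS markers. Assumes the Red Hat Go toolset
#   (upstream Go rejects GOEXPERIMENT=strictfipsruntime) and assumes that the
#   git-lfs main package is the repository root.
build_git_lfs() {
    (cd "$1" && CGO_ENABLED=1 GOEXPERIMENT=strictfipsruntime \
        go build -tags strictfipsruntime -o "$2" .)
}

# Constructed `go version -m` outputs for illustration (not captured from the
# real devworkspace-project-clone image). The first resembles what the
# warning describes: no strictfipsruntime tag and cgo disabled.
SAMPLE_NONCOMPLIANT=$(printf '/usr/bin/git-lfs: go1.21\n\tpath\tgithub.com/git-lfs/git-lfs/v3\n\tbuild\t-compiler=gc\n\tbuild\tCGO_ENABLED=0\n\tbuild\tGOOS=linux\n')
SAMPLE_COMPLIANT=$(printf '/usr/bin/git-lfs: go1.21\n\tpath\tgithub.com/git-lfs/git-lfs/v3\n\tbuild\t-compiler=gc\n\tbuild\t-tags=strictfipsruntime\n\tbuild\tCGO_ENABLED=1\n\tbuild\tGOEXPERIMENT=strictfipsruntime\n')

# Usage: ./fipscheck.sh /usr/bin/git-lfs
if [ "$#" -eq 1 ]; then
    if check_binary "$1"; then
        echo "$1: FIPS build markers present"
    fi
fi
```

Running `fips_missing` over the non-compliant sample prints both missing items and exits 1, which mirrors the check-payload warning; over the compliant sample it prints nothing. `go version -m` reads the build-info blob, so the check works on a binary copied out of an image without running it, but it only confirms the markers, not that the OpenSSL backend actually loaded at runtime.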

aobuchow Andrew Obuchowicz