  2. GITOPS-7000

FIPS enablement : Enable FIPS compliant build for Argo CD Plugin Server


    • In Progress
    • SECFLOWOTL-108 - FIPS Support - GitOps
    • 0% To Do, 33% In Progress, 67% Done
      Breaking Change:
      Prior to this release, the argocd-cmp-server binary was statically linked.
      For FIPS compliance, the binary is now dynamically linked to use the OpenSSL implementation for cryptographic operations. This change introduces a hard dependency on glibc, meaning the binary can only run on container images that include glibc support. Minimal images such as BusyBox or Alpine (without glibc) do not provide it, and running the binary in such environments will result in a crash.

      Before upgrading, ensure that your CMP sidecar container image includes glibc.
      If it does not, either:
        - Switch to an image that includes glibc (for example, UBI, Fedora), or
        - Use the default Argo CD base image, which is guaranteed to work and is the recommended approach for such scenarios.

      You can switch to using the default Argo CD image by simply removing the `image` field from your sidecar container configuration under
      `.spec.repo.sidecarContainers` in the ArgoCD CR.
      The operator will automatically add the default image during reconciliation.
    • Feature
    • Proposed

      Epic Goal

      Make the Argo CD Plugin server binary (argocd-cmp-server) in the container image for RHEL 8 and RHEL 9, built from the CPaaS and Konflux CI systems, FIPS compliant.


      Technical Work

      • Enable CGO builds by setting the environment variable CGO_ENABLED=1.
      • Enable strict FIPS compliance by setting the environment variable GOEXPERIMENT=strictfipsruntime.
      • Set build tags to include strictfipsruntime when building the binaries with go build.
        • For example: go build -tags strictfipsruntime cmd/main.go
      • Ensure that the base image for the go build phase uses the latest golang 1.22 based images, which have the go-toolset required for FIPS compliance.
      • Ensure that the flags for static linking are not present in the go build command (e.g. -ldflags '-extldflags "-static"').

      Binaries to build for FIPS compliance.

      • argocd-cmp-server

      NOTE: If some of the upstream projects do not provide the required overrides for enabling these compiler options, make the required changes upstream and use those overrides when building the binaries in the downstream Dockerfile.

      Acceptance Criteria

      • Use the new check tool to scan images:
        https://github.com/openshift/check-payload : checks for CGO_ENABLED=1, presence of openssl, the strictfipsruntime tag, the no_openssl tag, and dynamic linking.
      • All existing acceptance tests should pass when run against an OCP cluster with FIPS enabled.
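      As an added example (not from this ticket or the operator's own Dockerfile), the POSIX shell script below runs the build described under Technical Work and then checks a binary's recorded build settings for the same properties check-payload looks for (CGO_ENABLED=1, the strictfipsruntime tag, no static linking). It assumes a Go 1.22 toolset that supports the strictfipsruntime experiment and the cmd/main.go package path used above; the `go version -m` samples are constructed.

```shell
#!/bin/sh
# Added example, not code from GITOPS-7000 or the gitops-operator repo.
# Assumes a Go 1.22 toolset with the strictfipsruntime experiment.

# Build with CGO enabled and the strict FIPS runtime, and WITHOUT
# -extldflags "-static", so the binary links glibc/OpenSSL dynamically.
fips_build() {
  out="${1:-argocd-cmp-server}"
  pkg="${2:-./cmd/main.go}"
  CGO_ENABLED=1 GOEXPERIMENT=strictfipsruntime \
    go build -tags strictfipsruntime -o "$out" "$pkg"
}

# Read `go version -m <binary>` output on stdin; succeed only when the
# settings check-payload requires are present and static linking is absent.
check_build_settings() {
  s=$(cat)
  printf '%s\n' "$s" | grep -q 'build[[:space:]]CGO_ENABLED=1' \
    || { echo "CGO_ENABLED=1 missing"; return 1; }
  printf '%s\n' "$s" | grep -q 'build[[:space:]]-tags=.*strictfipsruntime' \
    || { echo "strictfipsruntime build tag missing"; return 1; }
  printf '%s\n' "$s" | grep -q 'no_openssl' \
    && { echo "no_openssl build tag present"; return 1; }
  printf '%s\n' "$s" | grep -q -- '-static' \
    && { echo "static linking flag present"; return 1; }
  return 0
}

# Inspect a built binary: recorded build settings plus an ldd check, since a
# static binary makes ldd fail with "not a dynamic executable".
verify_binary() {
  bin="$1"
  go version -m "$bin" | check_build_settings || return 1
  ldd "$bin" >/dev/null 2>&1 || { echo "$bin is not dynamically linked"; return 1; }
  ldd "$bin" | grep -q 'libc\.so' || { echo "$bin does not link glibc"; return 1; }
}

# Constructed sample of `go version -m` output for a compliant build.
GOOD_SETTINGS="$(printf 'argocd-cmp-server: go1.22.5\n\tbuild\t-compiler=gc\n\tbuild\t-tags=strictfipsruntime\n\tbuild\tCGO_ENABLED=1\n\tbuild\tGOEXPERIMENT=strictfipsruntime\n')"
# Constructed sample for the old statically linked build (the "before").
BAD_SETTINGS="$(printf 'argocd-cmp-server: go1.22.5\n\tbuild\t-compiler=gc\n\tbuild\tCGO_ENABLED=0\n\tbuild\t-ldflags=-extldflags "-static"\n')"
```

      Run `fips_build && verify_binary ./argocd-cmp-server` inside the build stage to fail the image build early, before check-payload scans the published image.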

              rh-ee-sghadi Siddhesh Ghadi
              rh-ee-anjoseph Anand Francis Joseph