Uploaded image for project: 'OpenShift GitOps'
  1. OpenShift GitOps
  2. GITOPS-7000

FIPS enablement : Enable FIPS compliant build for Argo CD Plugin Server

XMLWordPrintable

    • FIPS enablement : Enable FIPS compliant build for Argo CD Plugin Server
    • 3
    • S
    • False
    • Hide

      None

      Show
      None
    • False
    • In Progress
    • SECFLOWOTL-108 - FIPS Support - GitOps
    • 100% To Do, 0% In Progress, 0% Done
    • Hide
      FIPS readiness
      Red Hat OpenShift GitOps is designed for FIPS. When running on Red Hat OpenShift Container Platform in FIPS mode, OpenShift Container Platform uses the Red Hat Enterprise Linux cryptographic libraries submitted to NIST for FIPS Validation on only the architectures that are supported by OpenShift Container Platform. For more information about the NIST validation program, see Cryptographic Module Validation Program. For the latest NIST status for the individual versions of the RHEL cryptographic libraries submitted for validation, see Compliance Activities and Government Standards.

      Breaking Change:
      prior to the release the argocd-cmp-plugin-server binary was statically linked and for FIPS compliance, the binary is now dynamically linked to use openssl implementation for cryptographic library. This creates a hard dependency on glibc and the binary can run only on images with glibc support. Images like busybox does not contain glibc and in such container images, this binary will crash. Using the default image of argocd is guarenteed to work and recommended for such scenarios.
      Show
      FIPS readiness Red Hat OpenShift GitOps is designed for FIPS. When running on Red Hat OpenShift Container Platform in FIPS mode, OpenShift Container Platform uses the Red Hat Enterprise Linux cryptographic libraries submitted to NIST for FIPS Validation on only the architectures that are supported by OpenShift Container Platform. For more information about the NIST validation program, see Cryptographic Module Validation Program. For the latest NIST status for the individual versions of the RHEL cryptographic libraries submitted for validation, see Compliance Activities and Government Standards. Breaking Change: prior to the release the argocd-cmp-plugin-server binary was statically linked and for FIPS compliance, the binary is now dynamically linked to use openssl implementation for cryptographic library. This creates a hard dependency on glibc and the binary can run only on images with glibc support. Images like busybox does not contain glibc and in such container images, this binary will crash. Using the default image of argocd is guarenteed to work and recommended for such scenarios.
    • Feature
    • Proposed

      Epic Goal

      Make the Argo CD Plugin server binary (argocd-cmp-server) in the container image for RHEL 8 and RHEL 9, from CPaaS and Konflux CI systems, FIPS compliant

       

      Technical Work

      • Enable CGO builds by setting environment variable CGO_ENABLED=1
      • Enable Strict FIPS compliance by setting environment variable GO_EXPERIMENT=strictfipsruntime.
      • Set build tags to include strictfipsruntime when building the binaries using go build
        • For eg:  go build -tags strictfipstruntime cmd/main.go
      • Ensure that the base image for go build phase use the latest golang 1.22 based images which has the required go-toolset for ensuring FIPS compliance.
      • Ensure that the flags for static linking is not present in the go build command (e.g. -ldflags '-extldflags "-static"')

      Binaries to build for FIPS compliance.

      • argocd-cmp-server

      NOTE: If some of the upstream projects does not the required overrides for enabling these compiler options, make the required changes upstream and use those overrides for building the binaries in the downstream Dockerfile.

      Acceptance Criteria

      • Use the new check tool to scan images
        https://github.com/openshift/check-payload : Checks CGO_ENABLED=1 , presence of openssl, strictfipsruntime tag, no_openssl tag, dynamic linking
      • All existing acceptance tests should pass when run against an OCP cluster with FIPS enabled.
      • All existing acceptance tests should pass when run against an OCP cluster with FIPS enabled.

              rh-ee-sghadi Siddhesh Ghadi
              rh-ee-anjoseph Anand Francis Joseph
              Crimson
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated: