GITOPS-8798

FIPS Support - GitOps


    • Type: Feature
    • Resolution: Unresolved
    • Priority: Critical
    • Progress: 0% To Do, 0% In Progress, 100% Done

      Goals

      OpenShift GitOps is able to run in OpenShift’s FIPS mode and claim compliance.

      Requirements

      • go binaries must be compiled with CGO_ENABLED=1
        Notes: this has to be done for all binaries compiled for OpenShift GitOps
        Is MVP: Yes
      • go binaries must be compiled with strictfipsruntime enabled
        Notes: set GOEXPERIMENT=strictfipsruntime and use -tags strictfipsruntime in the go build command
        Is MVP: Yes
      • make targets in upstream Makefiles should support passing build tags and setting the CGO_ENABLED flag
        Notes: ensure that it is possible to set these flags in the upstream build process
        Is MVP: Yes
      • git-lfs binary must be built from source
        Notes: currently it is installed via the dnf package manager
        Is MVP: Yes
      • Add linting to the CI process
        Notes: the check-payload binary should be called for every build, and if it fails with a warning or error, the CI process should fail as well
        Is MVP: Yes
      • OpenShift GitOps to use FIPS compliant base images for RHEL 8 and RHEL 9
        Notes: this image isn't minimal, so we'll either need to wait for a minimal version to become available or trim down the existing base image to just what we require
        Is MVP: Yes
      • The infrastructure annotation for FIPS is set to `true`
        Notes: the features.operators.openshift.io/fips-compliant: "true" annotation should be set in the CSV manifest
        Is MVP: Yes
      • Remove any static compilation flags
        Notes: the ldflags value '-extldflags "-static"', if present in the go build command, needs to be removed
        Is MVP: Yes
      • Changes need to be done in both CPaaS and Konflux
        Is MVP: Yes

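      As an added example that is not part of this issue or of the GitOps project's own Makefiles, the following fragment applies the build requirements above: CGO_ENABLED and the strictfipsruntime experiment and tag are overridable variables, no -static is passed to the linker, and a lint target fails the build when the result is statically linked, lacks the tag, or does not pass check-payload. The binary and package paths are placeholders, and the exact check-payload command line is an assumption to be adjusted to the tool version in use.

```makefile
# Added example, not the GitOps project's Makefile. BIN and PKG are placeholders.
BIN           ?= bin/gitops-example
PKG           ?= ./cmd/gitops-example
VERSION       ?= dev

# FIPS build defaults. Each can be overridden from the command line, e.g.
#   make build CGO_ENABLED=0 GOEXPERIMENT= GO_BUILD_TAGS=
CGO_ENABLED   ?= 1
GOEXPERIMENT  ?= strictfipsruntime
GO_BUILD_TAGS ?= strictfipsruntime

# Deliberately no -extldflags "-static": the binary must link dynamically
# against the FIPS-validated OpenSSL shipped in the UBI base image.
GO_LDFLAGS    ?= -X main.version=$(VERSION)

# Assumed invocation; check the installed check-payload's own help output.
CHECK_PAYLOAD ?= check-payload

.PHONY: build fips-lint

build:
	CGO_ENABLED=$(CGO_ENABLED) GOEXPERIMENT=$(GOEXPERIMENT) \
	go build -tags '$(GO_BUILD_TAGS)' -ldflags '$(GO_LDFLAGS)' -o $(BIN) $(PKG)

# CI gate: a statically linked binary makes ldd exit non-zero, and
# "go version -m" lists the -tags= used at build time.
fips-lint: build
	@ldd $(BIN) >/dev/null 2>&1 || { echo "$(BIN) is statically linked"; exit 1; }
	@go version -m $(BIN) | grep -q -- '-tags=.*strictfipsruntime' \
		|| { echo "$(BIN) was built without the strictfipsruntime tag"; exit 1; }
	$(CHECK_PAYLOAD) scan local --path $(dir $(BIN))
```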

      (Optional) Use Cases

      • Customers using OCP 4.14+ with FIPS-enabled clusters in disconnected environments need to be able to use OpenShift GitOps as a bundled product.

      Out of scope

      • This feature is only about making the go binaries FIPS compliant by using CGO and dynamic linking to use the FIPS compliant OpenSSL cryptographic library.
      • This is required only for container images built for OpenShift GitOps; no changes are needed for client side binaries built using RPMs.

      Dependencies

      • The Go shim tool needs to be available in the go builder base container image, for RHEL 8 and the go toolset for 1.22.
      • The UBI 8 base container image, which has the FIPS certified OpenSSL RPM installed, should be used as the base image.

      Background, and strategic fit

      < What does the person writing code, testing, documenting need to know? >

      Assumptions

      • The Go shim tool needs to be available in the go builder base container image, for RHEL 8 and the go toolset for 1.22.
      • The UBI 8 base container image, which has the FIPS certified OpenSSL RPM installed, should be used as the base image.

      Customer Considerations

      • Customers using OCP 4.14+ with FIPS-enabled clusters in disconnected environments need to be able to use OpenShift GitOps as a bundled product.

      Documentation Considerations

      FIPS 140 for OpenShift bundled products
      NIST FIPS
      What is FIPS

      What does success look like?

      Doc Impact: New Content, Release Notes.

      QE Contact

      • The build changes for FIPS compliance must not break existing features in non-FIPS-enabled clusters.
      • All features working in a non-FIPS-enabled server should work the same way in a FIPS-enabled server as well; FIPS compliance must not introduce any feature disparity between the two.
      • FIPS compliance has to be validated in a FIPS-enabled OCP cluster with a disconnected setup.

      Impact

      < If the feature is ordered with other work, state the impact of this feature on the other work>

      Related Architecture/Technical Documents

      FIPS Workshop slide deck
      FIPS Workshop recording
      FIPS 140 for OpenShift bundled products

      Done Checklist

      • Acceptance criteria are met
      • Non-functional properties of the Feature have been validated (such as performance, resource, UX, security or privacy aspects)
      • User Journey automation is delivered
      • Support and SRE teams are provided with enough skills to support the feature in production environment

              rh-ee-anjoseph Anand Francis Joseph
              halawren@redhat.com Harriet Lawrence (Inactive)