Epic
Resolution: Unresolved
CincinnatorFIPS
Product / Portfolio Work
67% To Do, 0% In Progress, 33% Done
Epic Goal*
What is our purpose in implementing this? What new capability will be available to customers?
Cincinnati Operator (Cincinnator) can claim FIPS support and run on a FIPS-enabled OpenShift cluster.
For now, we work only on the operator. The operands (cincinnati and cincinnati-graph-data) are out of scope for this Epic because they are implemented in Rust, for which there is no clear FIPS-compliance solution at the moment.
We may still use "features.operators.openshift.io/fips-compliant" (see the docs about it) on the operator bundle at the end of the epic. The security team is aware of it. In the FIPS workshop, there is a slide about Rust and a comment about using the crypto module https://github.com/tofay/rustls-openssl. We may follow that up after this epic.
Why is this important? (mandatory)
What are the benefits to the customer or Red Hat? Does it improve security, performance, supportability, etc.? Why is this work a priority?
FIPS support is important to Red Hat products.
Scenarios (mandatory)
Provide details for user scenarios including actions to be performed, platform specifications, and user personas.
- Many customers require it (see the linked doc above).
Dependencies (internal and external) (mandatory)
What items must be delivered by other teams/groups to enable delivery of this epic.
n/a
Contributing Teams (and contacts) (mandatory)
Our expectation is that teams would modify the list below to fit the epic. Some epics may not need all the default groups but what is included here should accurately reflect who will be involved in delivering the epic.
- Development - OTA
- Documentation - N/A
- QE - OTA-QE
- PX -
- Others - In the end, we might need the security team to confirm before we claim FIPS support.
Acceptance Criteria (optional)
Provide some (testable) examples of how we will know if we have achieved the epic goal.
- Claim FIPS support for the new release of the OSUS operator.
Done - Checklist (mandatory)
The following points apply to all epics and are what the OpenShift team believes are the minimum set of criteria that epics should meet for us to consider them potentially shippable. We request that epic owners modify this list to reflect the work to be completed in order to produce something that is potentially shippable.
- CI Testing
- e2e tests run with FIPS enabled
- Jobs to scan upstream/downstream built images to ensure no regression of FIPS support for the future release.
- Documentation - N/A.
- QE - Cincinnator has no regression after the work of the epic.
- Technical Enablement - N/A.
- Other - N/A.