Project Quay / PROJQUAY-1546

Quay and Clair become FIPS 140-3 compliant


    • Type: Epic
    • Resolution: Unresolved
    • Priority: Major
    • Component: quay
    • Epic Name: Quay uses FIPS 140-3 validated crypto modules
    • Status: To Do

      Epic Goal

      • Red Hat Quay can be adopted by government agency customers who are bound by regulatory compliance rules that require FIPS 140-3
      • Red Hat Quay should be able to claim that it uses only "FIPS-validated crypto modules" when configured to run in FIPS mode

      Why is this important?

      • Many NAPS customers require this. Although it may technically be acceptable without it, since Quay does not store PII or national security data, the lack of a FIPS claim is becoming an early showstopper in sales conversations

      Scenarios

      1. Quay relies solely on the FIPS-validated crypto modules provided by RHEL
      2. The Quay configuration allows FIPS mode to be enabled, which enforces use of the above-mentioned crypto modules
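The enforcement side of scenario 2 needs a fail-closed startup check: if the operator asks for FIPS mode but the runtime shows no evidence that OpenSSL is actually enforcing it, the service should refuse to start rather than silently fall back to non-validated crypto. The following is an added example (not Quay or Clair code) of such a check for a Python service on RHEL. It assumes a config key named FIPS_MODE, reads the kernel flag at /proc/sys/crypto/fips_enabled, and probes whether the linked OpenSSL rejects MD5 for security use, which RHEL's hashlib surfaces as a ValueError in FIPS mode; the function and variable names are this example's own.

```python
# Added example, not Quay/Clair code: fail-closed FIPS-mode startup check.
# Assumed config key: FIPS_MODE. Assumed platform: RHEL with OpenSSL-backed hashlib.
import hashlib
import ssl
from pathlib import Path

# RHEL exposes the kernel FIPS state here; "1" means the node booted with fips=1.
KERNEL_FIPS_FLAG = "/proc/sys/crypto/fips_enabled"


def parse_fips_flag(text):
    """Interpret the contents of /proc/sys/crypto/fips_enabled ("0" or "1")."""
    return text.strip() == "1"


def read_kernel_fips_flag(path=KERNEL_FIPS_FLAG):
    """Return True only if the kernel flag exists and reads "1".

    A missing flag (non-Linux host, or a kernel without FIPS support) is
    treated as not-FIPS, never as FIPS.
    """
    try:
        return parse_fips_flag(Path(path).read_text())
    except OSError:
        return False


def md5_blocked_for_security():
    """Probe the linked OpenSSL: in FIPS mode a non-approved digest requested
    for security use is refused, which hashlib reports as ValueError."""
    try:
        hashlib.md5(b"probe", usedforsecurity=True)
    except ValueError:
        return True
    return False


def fips_self_check(fips_mode_requested, kernel_fips, md5_blocked):
    """Decide whether the service may start; returns (ok, findings).

    Policy is fail-closed: FIPS_MODE requested without runtime evidence of an
    enforcing crypto module is a startup failure, not a warning.
    """
    findings = []
    if not fips_mode_requested:
        findings.append("FIPS_MODE not requested; no enforcement")
        return True, findings
    if not kernel_fips:
        findings.append("FIPS_MODE requested but kernel is not in FIPS mode")
    if not md5_blocked:
        findings.append("FIPS_MODE requested but OpenSSL still allows MD5 for security use")
    return not findings, findings


def main():
    # In a real service FIPS_MODE would come from the configuration file;
    # here it is hard-coded to True so the check is exercised.
    ok, findings = fips_self_check(
        fips_mode_requested=True,
        kernel_fips=read_kernel_fips_flag(),
        md5_blocked=md5_blocked_for_security(),
    )
    print("linked OpenSSL:", ssl.OPENSSL_VERSION)
    for finding in findings:
        print("-", finding)
    raise SystemExit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

The two probes are deliberately independent: the kernel flag says what the node was booted with, while the MD5 probe says what the process's own OpenSSL is doing, and only the second one proves that the service's crypto calls are actually being constrained.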

      Acceptance Criteria

      • All crypto library usage in Quay is consolidated on the python-cryptography package shipped with RHEL
      • All crypto library usage in Clair is consolidated on the Red Hat-authored Go runtime shipped with RHEL
      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • ...

      Dependencies (internal and external)

      1. RHEL 8 crypto libraries being FIPS 140-3 validated

      Previous Work (Optional):

      1. PROJQUAY-1340 - Quay runs fine on top of RHEL / OCP nodes in FIPS mode

      Open questions:

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

            Assignee: Unassigned
            Reporter: Daniel Messer
            Votes: 1
            Watchers: 5