Build fips-ready #362

Closed
jiridanek opened this issue Jul 1, 2024 · 1 comment · Fixed by #406
Labels
kind/feature New feature

Comments

@jiridanek
Member

/kind feature

Why you need this feature:

Apparently, to build for FIPS, it's necessary to do

RUN CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -tags strictfipsruntime -a -o manager main.go

(from xxx://data-hub/rhods-cpaas-midstream/-/commit/d7be5e82b3f7dfdda0458dbc89d40b430ae2ef1f by @sutaakar)

https://developers.redhat.com/articles/2022/05/31/your-go-application-fips-compliant

@openshift-ci openshift-ci bot added the kind/feature New feature label Jul 1, 2024
@jiridanek
Member Author

This is actually timely, see https://redhat-internal.slack.com/archives/C05NXTEHLGY/p1712136020868139 (if you have perms), otherwise just know that the bosses want to get this soon-ish.

jiridanek added a commit to jiridanek/kubeflow that referenced this issue Oct 2, 2024
This takes inspiration from:

* The Notebooks 2.0 Dockerfile, which comes from a default recent Kubebuilder template, at
https://github.com/kubeflow/notebooks/blob/notebooks-v2/workspaces/controller/Dockerfile

* The Red Hat build Dockerfile (that's the Cachito part) in an internal repository.

This change brings multiple improvements:

1. Dockerfiles are brought closer together, especially to the Red Hat build; previously, sourcing things in a stand-alone RUN command had no effect
2. The openssl fips-compatible library is linked into the manager binaries, to proactively address fips concerns
openshift-merge-bot bot added a commit that referenced this issue Nov 13, 2024
RHOAISTRAT-214: Issue #362: feat(nbcs): build containers to be fips-ready
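
A check that could be run on the resulting `manager` binary, as an added example that is not part of the issue or the project's code: it reads the build settings that `go version -m` prints and confirms the `CGO_ENABLED=1` and `-tags strictfipsruntime` settings from the build command in the issue. The sample outputs are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not project code). Real use, assuming ./manager is the binary:
#   go version -m ./manager | check_fips_build

# Reads `go version -m` output on stdin, prints one line per finding, and
# returns 0 only when cgo was enabled and the strictfipsruntime tag was set.
check_fips_build() {
    awk -F '\t' '
        # Build settings are printed as: <TAB>build<TAB>key=value
        $2 == "build" && $3 ~ /^CGO_ENABLED=/ { cgo = substr($3, 13) }
        $2 == "build" && $3 ~ /^-tags=/ {
            # -tags holds a comma-separated list; match the tag exactly.
            n = split(substr($3, 7), tags, ",")
            for (i = 1; i <= n; i++)
                if (tags[i] == "strictfipsruntime") tag = 1
        }
        END {
            if (cgo != "1") { print "FAIL: CGO_ENABLED is not 1"; bad = 1 }
            if (!tag) { print "FAIL: -tags lacks strictfipsruntime"; bad = 1 }
            if (!bad) print "OK: cgo build with strictfipsruntime"
            exit (bad ? 1 : 0)
        }'
}

# Constructed samples of `go version -m` output (not from a real build).
sample_fips() {
    printf 'manager: go1.22.0\n\tpath\tcommand-line-arguments\n'
    printf '\tbuild\t-tags=strictfipsruntime\n\tbuild\tCGO_ENABLED=1\n'
    printf '\tbuild\tGOARCH=amd64\n\tbuild\tGOOS=linux\n'
}
sample_static() {
    printf 'manager: go1.22.0\n\tpath\tcommand-line-arguments\n'
    printf '\tbuild\tCGO_ENABLED=0\n'
    printf '\tbuild\tGOARCH=amd64\n\tbuild\tGOOS=linux\n'
}

# Demo: the first sample passes, the second reports both problems.
for s in sample_fips sample_static; do
    printf '%s:\n' "$s"
    "$s" | check_fips_build || true
done
```

The recorded settings show only how the binary was compiled; they say nothing about which Go toolchain produced it or which OpenSSL library it loads at run time.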