Describe the problem you need a feature to resolve.
Our internal operators use the quay.io/operator-framework/ansible-operator:latest image for our builds. One concern we have around using the current image is FIPS compliance. My understanding is that the Debian-based image on Dockerhub is not compliant, though it does appear to be operational. This would prevent our operators from being used by users that list FIPS as a hard requirement.
Describe the solution you'd like.
I commented in the previous issue (#6397 (comment)) but I'd like to propose spinning off a new image, similar to the ansible-operator-2.11-preview image, that will use the registry.redhat.io/rhel8/go-toolset image as the base instead of golang to ensure FIPS compliance going forward.
I chose registry.redhat.io/rhel8/go-toolset since the ubi8.7 image is used in the base image. Same minor version is supported, though the go-toolset image is one patch version ahead of the golang image:
❯ docker run --rm -it --entrypoint go registry.redhat.io/rhel8/go-toolset:1.19 version
go version go1.19.9 linux/amd64
❯ docker run --rm -it --entrypoint go golang:1.19 version
go version go1.19.8 linux/amd64
I have started looking at this for my team specifically but wanted to open the request here to get your thoughts. If it makes sense, I don't mind owning the issue and creating a draft PR with what I have to get started.
/language ansible
Hi @pit1sIBM thanks for creating this issue. I don't think it would make sense to support another ansible version in this project, as that seems like a lot of overhead to maintain. I might be mistaken, but I think the downstream version of operator-sdk provided by Red Hat for OpenShift already has a FIPS-compliant ansible image, please check here
Info from the above running in a cluster
Starting pod/test-ansible-fips-6697479759-wd6jp-debug ...
If you don't see a command prompt, try pressing enter.
sh-4.4$ openssl version
OpenSSL 1.1.1k FIPS 25 Mar 2021
Thank you for the response @acornett21 I was also a little concerned with just adding a new image but wasn't sure how to proceed. Have seen your comment and am discussing with our team. I think this can be closed since it seems like there are alternatives.
@acornett21 @pit1sIBM Closing this issue, as discussed in the previous threads. Please feel free to reopen if your concerns have not been resolved. Thank you!
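An added example, not part of the thread or of the operator-sdk project: a shell check to run inside an image or debug pod that combines the `openssl version` string shown above with the kernel's FIPS flag, since the version string only shows how the library was built. It assumes an OpenSSL 1.x build that marks FIPS in its version string and the Linux flag file /proc/sys/crypto/fips_enabled; the function names and result labels are hypothetical.

```shell
#!/bin/sh
# Added example: report FIPS posture from inside a container or debug pod.
# Assumption: OpenSSL 1.x builds that are FIPS-capable say so in their
# version string (as in the "OpenSSL 1.1.1k FIPS" output quoted in the thread).

# classify_fips VERSION_STRING KERNEL_FLAG
#   VERSION_STRING: output of `openssl version`
#   KERNEL_FLAG:    contents of /proc/sys/crypto/fips_enabled ("1", "0" or "")
# Prints one of four hypothetical labels describing the combination.
classify_fips() {
    version=$1
    flag=$2
    case "$version" in
        *FIPS*|*fips*) capable=yes ;;
        *)             capable=no ;;
    esac
    if [ "$capable" = yes ] && [ "$flag" = 1 ]; then
        echo "fips-enabled"
    elif [ "$capable" = yes ]; then
        # Library could run in FIPS mode, but the kernel flag is off or unreadable.
        echo "fips-capable-not-enabled"
    elif [ "$flag" = 1 ]; then
        # Kernel is in FIPS mode, but this image's OpenSSL does not advertise FIPS.
        echo "kernel-fips-library-not-capable"
    else
        echo "not-fips"
    fi
}

# fips_report [FLAG_FILE]
#   Gathers both inputs from the running environment and classifies them.
fips_report() {
    flag_file=${1:-/proc/sys/crypto/fips_enabled}
    version=$(openssl version 2>/dev/null || echo "openssl not found")
    flag=""
    if [ -r "$flag_file" ]; then
        flag=$(cat "$flag_file")
    fi
    classify_fips "$version" "$flag"
}

fips_report
```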