Skip to content

Make FIPS image locally buildable #4832

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 20 commits into from
May 5, 2025
Merged

Make FIPS image locally buildable #4832

merged 20 commits into from
May 5, 2025

Conversation

andriisoldatenko
Copy link
Contributor

@andriisoldatenko andriisoldatenko commented Apr 29, 2025
edited
Loading

Description

resolves https://dt-rnd.atlassian.net/browse/DAQ-6756

Also this change is based on what we had before for CGO=1 builds.

!Note: Warning
By default it will build FIPS images using local platform, bc cross-compile takes long and useless for local debug.

Locally, you can build fips image via:

# this will build correct image name with `-fips` suffix for tag
OPERATOR_DEV_BUILD_PLATFORM="linux/arm64" make image/build/fips

# and will deploy this image to your cluster
make deploy/fips

first time it will be slow, and then when podman will cache layer, we are good and quick.

NOTE: It took 1h:05mins or my machine to build and image without cache by removing all cache
using podman system prune --all

How can this be tested?

build/deploy and run some standard tests, for example test/e2e/standard

also you can exec to operator pod and check envs:

bash-5.1$ env | grep -i fips
GOFIPS=1
LIBGCRYPT_FORCE_FIPS_MODE=1
bash-5.1$

@andriisoldatenko andriisoldatenko marked this pull request as ready for review April 29, 2025 13:02
@andriisoldatenko andriisoldatenko requested a review from a team as a code owner April 29, 2025 13:02
@andriisoldatenko andriisoldatenko requested a review from 0sewa0 May 2, 2025 12:21
0sewa0
0sewa0 requested changes May 2, 2025
View reviewed changes
@0sewa0 0sewa0 changed the title local build fips arm Make FIPS image locally buildable May 2, 2025
andriisoldatenko and others added 2 commits May 2, 2025 16:12
@andriisoldatenko @0sewa0
Update fips.Dockerfile
3576a35 
Co-authored-by: Marcell Sevcsik <31651557+0sewa0@users.noreply.github.com>
@andriisoldatenko
Merge branch 'main' into local-build-fips-arm
f5c6938
@andriisoldatenko andriisoldatenko requested a review from 0sewa0 May 2, 2025 14:37
0sewa0
0sewa0 requested changes May 5, 2025
View reviewed changes
Copy link
Contributor

@0sewa0 0sewa0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tried it, it works but wouldn't it make sense to:

  • have a make target for it, like make images/build/fips or something
  • As cross-compiling takes an AGE (1h), I don't see anyone actually using it like that. So I would make the default platfrom the same as the system when building FIPS locally

andriisoldatenko
andriisoldatenko commented May 5, 2025
View reviewed changes
@andriisoldatenko andriisoldatenko requested a review from 0sewa0 May 5, 2025 08:30
@andriisoldatenko
Copy link
Contributor Author

Tried it, it works but wouldn't it make sense to:

  • have a make target for it, like make images/build/fips or something

  • As cross-compiling takes an AGE (1h), I don't see anyone actually using it like that. So I would make the default platfrom the same as the system when building FIPS locally

@0sewa0 tried to fix in 251d2da

0sewa0
0sewa0 reviewed May 5, 2025
View reviewed changes
@andriisoldatenko andriisoldatenko requested a review from 0sewa0 May 5, 2025 09:36
andriisoldatenko
andriisoldatenko commented May 5, 2025
View reviewed changes
0sewa0
0sewa0 previously approved these changes May 5, 2025
View reviewed changes
Copy link
Contributor

@0sewa0 0sewa0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ran OPERATOR_DEV_BUILD_PLATFORM="linux/arm64" make images/build/fips
worked

@andriisoldatenko
update comment
ef2f6c3 
# Conflicts:
#	hack/make/images.mk
@andriisoldatenko andriisoldatenko requested a review from 0sewa0 May 5, 2025 10:52
@andriisoldatenko andriisoldatenko enabled auto-merge (squash) May 5, 2025 10:52
@andriisoldatenko andriisoldatenko merged commit 9ea2286 into main May 5, 2025
14 checks passed
@andriisoldatenko andriisoldatenko deleted the local-build-fips-arm branch May 5, 2025 10:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@0sewa0 0sewa0 0sewa0 approved these changes

@Incredible-O Incredible-O Awaiting requested review from Incredible-O Incredible-O is a code owner automatically assigned from Dynatrace/kubernetes-operator

@gkrenn gkrenn Awaiting requested review from gkrenn gkrenn is a code owner automatically assigned from Dynatrace/kubernetes-operator

@chrismuellner chrismuellner Awaiting requested review from chrismuellner chrismuellner is a code owner automatically assigned from Dynatrace/kubernetes-operator

@waodim waodim Awaiting requested review from waodim waodim is a code owner automatically assigned from Dynatrace/kubernetes-operator

@StefanHauth StefanHauth Awaiting requested review from StefanHauth StefanHauth is a code owner automatically assigned from Dynatrace/kubernetes-operator

@aorcholski aorcholski Awaiting requested review from aorcholski aorcholski is a code owner automatically assigned from Dynatrace/kubernetes-operator

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@andriisoldatenko @0sewa0