feat: enable FIPS compliance by switching to ubi9 minimal and install…

…ing openssl; add Infrastructure Feature Test annotations (RHIDP-294) (#141) * feat: enable FIPS compliance by switching to ubi9 minimal and installing openssl; add Infrastructure Feature Test annotations (RHIDP-294) Signed-off-by: RHDH Build (rhdh-bot) <rhdh-bot@redhat.com> * fix sonarcube complaint and use latest 9.3-1475 ubi9 minimal Signed-off-by: RHDH Build (rhdh-bot) <rhdh-bot@redhat.com> --------- Signed-off-by: RHDH Build (rhdh-bot) <rhdh-bot@redhat.com> Co-authored-by: RHDH Build (rhdh-bot) <rhdh-bot@redhat.com>
janus-idp · Jan 12, 2024 · 910d71e · 910d71e
1 parent a187eba
commit 910d71e
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 7 deletions.
diff --git a/.rhdh/bundle/manifests/rhdh-operator.csv.yaml b/.rhdh/bundle/manifests/rhdh-operator.csv.yaml
@@ -28,8 +28,19 @@ metadata:
     operatorframework.io/suggested-namespace: openshift-operators
     operators.openshift.io/valid-subscription: '["OpenShift Container Platform", "OpenShift
       Platform Plus"]'
-    operators.operatorframework.io/builder: operator-sdk-v1.32.0
+    operators.operatorframework.io/builder: operator-sdk-v1.33.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
+    # Infrastructure Feature Test annotations - see https://issues.redhat.com/browse/RHIDP-294
+    features.operators.openshift.io/disconnected: true
+    features.operators.openshift.io/fips-compliant: true
+    features.operators.openshift.io/proxy-aware: false
+    features.operators.openshift.io/cnf: false
+    features.operators.openshift.io/cni: false
+    features.operators.openshift.io/csi: false
+    features.operators.openshift.io/tls-profiles: false
+    features.operators.openshift.io/token-auth-aws: false
+    features.operators.openshift.io/token-auth-azure: false
+    features.operators.openshift.io/token-auth-gcp: false
     repository: https://gitlab.cee.redhat.com/rhidp/rhdh/
     support: Red Hat
   name: rhdh-operator.v1.0.0

diff --git a/.rhdh/docker/Dockerfile b/.rhdh/docker/Dockerfile
@@ -52,9 +52,11 @@ RUN source ./cachito.env && rm -f ./cachito.env && mkdir -p /workspace
 RUN export ARCH="$(uname -m)" && if [[ ${ARCH} == "x86_64" ]]; then export ARCH="amd64"; elif [[ ${ARCH} == "aarch64" ]]; then export ARCH="arm64"; fi && \
     CGO_ENABLED=1 GOOS=linux GOARCH=${ARCH} go build -a -o manager main.go
 
-# NOTE: ubi-micro will not be FIPS compliant, if openssl is not installed
-#@follow_tag(registry.redhat.io/ubi9/ubi-micro:latest)
-FROM registry.access.redhat.com/ubi9/ubi-micro:9.3-9
+# Install openssl for FIPS support
+#@follow_tag(registry.redhat.io/ubi9/ubi-minimal:latest)
+FROM registry.access.redhat.com/ubi9-minimal:9.3-1475 AS runtime
+RUN microdnf install -y openssl; microdnf clean -y all
+
 # Upstream sources
 # Downstream comment
 # ENV CONTAINER_SOURCE=/workspace

diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -52,9 +52,11 @@ RUN go mod download
 RUN export ARCH="$(uname -m)" && if [[ ${ARCH} == "x86_64" ]]; then export ARCH="amd64"; elif [[ ${ARCH} == "aarch64" ]]; then export ARCH="arm64"; fi && \
     CGO_ENABLED=1 GOOS=linux GOARCH=${ARCH} go build -a -o manager main.go
 
-# NOTE: ubi-micro will not be FIPS compliant, if openssl is not installed
-#@follow_tag(registry.redhat.io/ubi9/ubi-micro:latest)
-FROM registry.access.redhat.com/ubi9/ubi-micro:9.3-9
+# Install openssl for FIPS support
+#@follow_tag(registry.redhat.io/ubi9/ubi-minimal:latest)
+FROM registry.access.redhat.com/ubi9-minimal:9.3-1475 AS runtime
+RUN microdnf install -y openssl; microdnf clean -y all
+
 # Upstream sources
 # Downstream comment
 ENV CONTAINER_SOURCE=/workspace