diff --git a/boilerplate/openshift/golang-osd-operator/Dockerfile.olm-registry b/boilerplate/openshift/golang-osd-operator/Dockerfile.olm-registry
index ca69fece..b0f46f3f 100644
--- a/boilerplate/openshift/golang-osd-operator/Dockerfile.olm-registry
+++ b/boilerplate/openshift/golang-osd-operator/Dockerfile.olm-registry
@@ -3,8 +3,7 @@ ARG SAAS_OPERATOR_DIR
 COPY ${SAAS_OPERATOR_DIR} manifests
 RUN initializer --permissive
-# ubi-micro does not work for clusters with fips enabled unless we make OpenSSL available
-FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
+FROM registry.access.redhat.com/ubi9/ubi-micro:latest
 COPY --from=builder /bin/registry-server /bin/registry-server
 COPY --from=builder /bin/grpc_health_probe /bin/grpc_health_probe
diff --git a/boilerplate/openshift/golang-osd-operator/README.md b/boilerplate/openshift/golang-osd-operator/README.md
index 0f415ee0..86784e29 100644
--- a/boilerplate/openshift/golang-osd-operator/README.md
+++ b/boilerplate/openshift/golang-osd-operator/README.md
@@ -121,9 +121,7 @@ Checks consist of:
 ## FIPS (Federal Information Processing Standards)
-To enable FIPS in your build there is a `make ensure-fips` target.
-
-Add `FIPS_ENABLED=true` to your repos Makefile. Please ensure that this variable is added **before** including boilerplate Makefiles.
+To enable FIPS in your build, add `FIPS_ENABLED=true` to your repo's Makefile. Please ensure that this variable is added **before** including boilerplate Makefiles.
 e.g.
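Review bot: The removed comment was the only record of why ubi-minimal was preferred over ubi-micro on FIPS-enabled clusters, and the new FROM line carries no replacement, so a future reader cannot tell whether the OpenSSL concern was resolved or simply dropped. The rest of this diff moves the Go build to CGO_ENABLED=0 with a native fips140 setting, which presumably removes the runtime OpenSSL dependency, but that reasoning belongs next to the FROM line: `# ubi-micro ships no OpenSSL; binaries are static (CGO_ENABLED=0) and use Go's native FIPS 140-3 module, so no system crypto library is required`. Whether grpc_health_probe copied from the builder stage is also a static, FIPS-capable binary is not visible here and is worth confirming before this image lands on FIPS-enabled clusters.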
@@ -133,11 +131,7 @@ FIPS_ENABLED=true
 include boilerplate/generated-includes.mk
 ```
-`ensure-fips` will add a [fips.go](./fips.go) file in the same directory as the `main.go` file. (Please commit this file as normal)
-
-`fips.go` will import the necessary packages to restrict all TLS configuration to FIPS-approved settings.
-
-With `FIPS_ENABLED=true`, `ensure-fips` is always run before `make go-build`
+FIPS is enabled via the `fips140=on` GODEBUG option. See https://go.dev/blog/fips140 for more details.
 ## Additional deployment support
@@ -145,7 +139,7 @@ With `FIPS_ENABLED=true`, `ensure-fips` is always run before `make go-build`
 - If an additional deployment image has to be built and appended to the CSV as part of the build process, then the consumer needs to:
 - Specify `SupplementaryImage` which is the deployment name in the consuming repository's `config/config.go`.
 - Define the image to be built as `ADDITIONAL_IMAGE_SPECS` in the consuming repository's Makefile, Boilerplate later parses this image as part of the build process; [ref](https://github.com/openshift/boilerplate/blob/master/boilerplate/openshift/golang-osd-operator/standard.mk#L56).
-
+
 e.g.
 ```.mk
diff --git a/boilerplate/openshift/golang-osd-operator/configure-fips.sh b/boilerplate/openshift/golang-osd-operator/configure-fips.sh
deleted file mode 100755
index d0092551..00000000
--- a/boilerplate/openshift/golang-osd-operator/configure-fips.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-REPO_ROOT=$(git rev-parse --show-toplevel)
-CONVENTION_DIR="$REPO_ROOT/boilerplate/openshift/golang-osd-operator"
-PRE_V1_SDK_MANAGER_DIR="$REPO_ROOT/cmd/manager"
-
-if [[ -d "$PRE_V1_SDK_MANAGER_DIR" ]]
-then
-MAIN_DIR=$PRE_V1_SDK_MANAGER_DIR
-else
-MAIN_DIR=$REPO_ROOT
-fi
-
-echo "Writing fips file at $MAIN_DIR/fips.go"
-
-cp $CONVENTION_DIR/fips.go.tmplt "$MAIN_DIR/fips.go"
diff --git a/boilerplate/openshift/golang-osd-operator/fips.go.tmplt b/boilerplate/openshift/golang-osd-operator/fips.go.tmplt
deleted file mode 100644
index d4b108ee..00000000
--- a/boilerplate/openshift/golang-osd-operator/fips.go.tmplt
+++ /dev/null
@@ -1,16 +0,0 @@
-//go:build fips_enabled
-// +build fips_enabled
-
-// BOILERPLATE GENERATED -- DO NOT EDIT
-// Run 'make ensure-fips' to regenerate
-
-package main
-
-import (
- _ "crypto/tls/fipsonly"
- "fmt"
-)
-
-func init() {
- fmt.Println("***** Starting with FIPS crypto enabled *****")
-}
diff --git a/boilerplate/openshift/golang-osd-operator/standard.mk b/boilerplate/openshift/golang-osd-operator/standard.mk
index a77c9e87..af2d780c 100644
--- a/boilerplate/openshift/golang-osd-operator/standard.mk
+++ b/boilerplate/openshift/golang-osd-operator/standard.mk
@@ -98,14 +98,11 @@ GOBIN?=$(shell go env GOBIN)
 unexport GOFLAGS
 GOFLAGS_MOD ?=
-GOENV+=GOOS=${GOOS} GOARCH=${GOARCH} CGO_ENABLED=1 GOFLAGS="${GOFLAGS_MOD}"
+GOENV+=GOOS=${GOOS} GOARCH=${GOARCH} CGO_ENABLED=0 GOFLAGS="${GOFLAGS_MOD}"
 GOBUILDFLAGS=-gcflags="all=-trimpath=${GOPATH}" -asmflags="all=-trimpath=${GOPATH}"
 ifeq (${FIPS_ENABLED}, true)
-GOFLAGS_MOD+=-tags=fips_enabled
-GOFLAGS_MOD:=$(strip ${GOFLAGS_MOD})
-$(warning Setting GOEXPERIMENT=boringcrypto - this generally causes builds to fail unless building inside the provided Dockerfile. If building locally consider calling 'go build .')
-GOENV+=GOEXPERIMENT=boringcrypto
+GOENV+=GODEBUG=fips140=on
 GOENV:=$(strip ${GOENV})
 endif
@@ -237,10 +234,6 @@ endif
 .PHONY: generate
 generate: op-generate go-generate openapi-generate manifests
-ifeq (${FIPS_ENABLED}, true)
-go-build: ensure-fips
-endif
-
 .PHONY: go-build
 go-build: ## Build binary
 ${GOENV} go build ${GOBUILDFLAGS} -o build/_output/bin/$(OPERATOR_NAME) .
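Review bot: `GOENV+=GODEBUG=fips140=on` only puts the variable in the environment of the `go build` process; as far as I can tell a GODEBUG value present at build time is not embedded as the binary's default, so the resulting operator would still start with fips140=off unless the runtime container also exports `GODEBUG=fips140=on` or the main package carries a `//go:debug fips140=on` directive. The build-time knob that both selects the validated Go Cryptographic Module and makes fips140=on the binary's default is GOFIPS140, so I would replace the added line with `GOENV+=GOFIPS140=latest` (or a pinned module version) and document it: `# GOFIPS140 selects Go's native FIPS 140-3 module and defaults the binary to fips140=on; no boringcrypto/OpenSSL, hence CGO_ENABLED=0 above`. Either form needs Go 1.24 or newer, and nothing under this `ifeq` guards against an older toolchain silently producing a non-FIPS binary, so an `$(error ...)` on the `go version` output is worth adding alongside it. The README edit in this same change should then name the mechanism actually used rather than only the GODEBUG option.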
@@ -342,10 +335,6 @@ opm-build-push: python-venv docker-push
 OLM_CHANNEL="${OLM_CHANNEL}" \
 ${CONVENTION_DIR}/build-opm-catalog.sh
-.PHONY: ensure-fips
-ensure-fips:
- ${CONVENTION_DIR}/configure-fips.sh
-
 # You will need to export the forked/cloned operator repository directory as OLD_SDK_REPO_DIR to make this work.
 # Example: export OLD_SDK_REPO_DIR=~/Projects/My-Operator-Fork
 .PHONY: migrate-to-osdk1
diff --git a/boilerplate/openshift/golang-osd-operator/update b/boilerplate/openshift/golang-osd-operator/update
index 7f2c702f..8e1f6570 100755
--- a/boilerplate/openshift/golang-osd-operator/update
+++ b/boilerplate/openshift/golang-osd-operator/update
@@ -92,10 +92,10 @@ for file in $DOCKERFILES; do
 ${SED?} -i "1s,.*,FROM $IMAGE_PULL_PATH AS builder," $file
 fi
-# Update any UBI images to use a versioned tag of ubi9/ubi-minimal that is compatible with dependabot.
+# Update any UBI images to use a versioned tag of ubi9/ubi-micro that is compatible with dependabot.
 # WARNING: The ubi version _must_ match the one that Boilerplate's image is built with. Update this if you change the
 # base ubi version.
-UBI_IMAGE_NAME="registry.access.redhat.com/ubi9/ubi-minimal"
+UBI_IMAGE_NAME="registry.access.redhat.com/ubi9/ubi-micro"
 for ubi_latest in $(grep -oE 'registry.access.redhat.com/ubi[7-9]/ubi.*?:.*' ${file}); do
 replacement_image=$(skopeo inspect --override-os linux --override-arch amd64 docker://${UBI_IMAGE_NAME} --format "{{.Name}}:{{.Labels.version}}-{{.Labels.release}}")
 echo "Overwriting ${file}'s ${ubi_latest} image to ${replacement_image}"
diff --git a/test/projects/file-generate/build/Dockerfile b/test/projects/file-generate/build/Dockerfile
index 710523f5..e299de4b 100644
--- a/test/projects/file-generate/build/Dockerfile
+++ b/test/projects/file-generate/build/Dockerfile
@@ -1,4 +1,4 @@
-FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
+FROM registry.access.redhat.com/ubi9/ubi-micro:latest
 ENV OPERATOR=/usr/local/bin/file-generate \
 USER_UID=1001 \
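Review bot: The grep in the `update` hunk still matches any `ubi[7-9]/ubi*` reference while `UBI_IMAGE_NAME` now hardcodes ubi-micro, so a consumer Dockerfile that deliberately stays on ubi-minimal (for example because it still runs microdnf or needs a shell) is silently rewritten to a different base image on its next boilerplate update, not merely re-pinned to a versioned tag. I would derive the flavor from the match rather than fixing it: `ubi_flavor=${ubi_latest%%:*}; ubi_flavor=${ubi_flavor##*/}` before the skopeo call and `docker://registry.access.redhat.com/ubi9/${ubi_flavor}` in it, with a comment `# keep the consumer's UBI flavor; only the tag is pinned`. If forcing every consumer onto ubi-micro is the intent, the first added comment line should say so explicitly instead of describing it as a tag update. The loop's closing `done` lies outside this hunk.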