
UPSTREAM <carry>: OCPBUGS-24653: Ensure FIPS compliance for controller image #21


Merged
merged 1 commit into from
Apr 3, 2024

Conversation

alebedev87

@alebedev87 alebedev87 commented Apr 3, 2024

  • Replaced the base image with a non-UBI variant.
  • Added the 'strictfipsruntime' tag to the controller binary.

check-payload scan:

$ git log -1
commit b84e919edb49f66ee1b3f538490f3d756c5edc42 (HEAD -> fips-compliance, origin/fips-compliance)
Author: Andrey Lebedev <[email protected]>
Date:   Wed Apr 3 12:12:41 2024 +0200

    UPSTREAM <carry>: OCPBUGS-24653: Ensure FIPS compliance for controller image
    
    - Replaced the base image with a non-UBI variant.
    - Added the 'strictfipsruntime' tag to the controller binary.

$ podman build -t quay.io/alebedev/aws-load-balancer-controller:b84e919ed -f Dockerfile.openshift .
...
Successfully tagged quay.io/alebedev/aws-load-balancer-controller:b84e919ed
Successfully tagged quay.io/alebedev/aws-load-balancer-controller:3.4.1140
015b97227b263e93e08c9265b0cc9007c30d8c569591c0437e16df3069c894f7

$ podman push quay.io/alebedev/aws-load-balancer-controller:b84e919ed
Getting image source signatures
Copying blob 013e3dbc52ff skipped: already exists  
Copying blob fc72b3d90f88 skipped: already exists  
Copying config 015b97227b done  
Writing manifest to image destination

$ podman run --privileged registry.ci.openshift.org/ci/check-payload:latest scan operator --spec quay.io/alebedev/aws-load-balancer-controller:b84e919ed
I0403 10:32:34.093944       1 main.go:302] using embedded config
I0403 10:32:34.094271       1 types_config.go:12] using config ...
I0403 10:32:34.094342       1 main.go:102] "scan" version="0.3.1-91-ga0d1e0d3-dirty"
---- Successful run
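A build-time check to go alongside the check-payload scan, added here as an example and not code from the PR or the project: it parses the output of `go version -m <binary>` and flags a binary that was not built with the strictfipsruntime tag. The CGO_ENABLED=1 requirement (the Red Hat Go toolchain reaches OpenSSL through cgo) and the sample outputs are assumptions of this example.

```python
"""Check the embedded build settings of a Go binary for strictfipsruntime.

Example code, not the project's own. Parses `go version -m <binary>`
output; the samples below are constructed so the check runs offline.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class BuildInfo:
    go_version: str = ""
    tags: List[str] = field(default_factory=list)
    cgo_enabled: Optional[bool] = None  # None when the setting is absent


def parse_go_version_m(text: str) -> BuildInfo:
    """Parse `go version -m` output: a "<path>: goX.Y" header, then tab-separated settings."""
    info = BuildInfo()
    for line in text.splitlines():
        if not line.startswith("\t") and ": go" in line:
            info.go_version = line.split(": ", 1)[1].strip()
            continue
        parts = line.strip().split("\t")
        if len(parts) >= 2 and parts[0] == "build":
            setting = parts[1]
            if setting.startswith("-tags="):
                info.tags = [t for t in setting[len("-tags="):].split(",") if t]
            elif setting.startswith("CGO_ENABLED="):
                info.cgo_enabled = setting.split("=", 1)[1] == "1"
    return info


def fips_build_problems(info: BuildInfo) -> List[str]:
    """Return the FIPS build-setting problems found; an empty list means the binary passes."""
    problems = []
    if "strictfipsruntime" not in info.tags:
        problems.append("missing strictfipsruntime build tag")
    if info.cgo_enabled is not True:  # assumption: OpenSSL backend needs cgo
        problems.append("CGO_ENABLED is not 1")
    return problems


def check_binary(path: str) -> List[str]:
    """Run `go version -m` on a real binary and report problems (needs a Go toolchain)."""
    out = subprocess.run(["go", "version", "-m", path], check=True,
                         capture_output=True, text=True).stdout
    return fips_build_problems(parse_go_version_m(out))


# Constructed samples: a compliant build and one missing the tag and cgo.
SAMPLE_OK = ("/usr/bin/controller: go1.21.9\n\tpath\texample.com/controller\n"
             "\tbuild\t-tags=strictfipsruntime\n\tbuild\tCGO_ENABLED=1\n\tbuild\tGOARCH=amd64\n")
SAMPLE_BAD = ("/usr/bin/controller: go1.21.9\n\tpath\texample.com/controller\n"
              "\tbuild\t-buildmode=exe\n\tbuild\tCGO_ENABLED=0\n\tbuild\tGOARCH=amd64\n")
```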

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Apr 3, 2024
@openshift-ci-robot

@alebedev87: This pull request references Jira Issue OCPBUGS-24653, which is invalid:

  • expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from frobware and Miciah April 3, 2024 10:18
@alebedev87
Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Apr 3, 2024
@openshift-ci-robot

@alebedev87: This pull request references Jira Issue OCPBUGS-24653, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.16.0) matches configured target version for branch (4.16.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lihongan


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from lihongan April 3, 2024 10:19

openshift-ci bot commented Apr 3, 2024

@alebedev87: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-ci-robot openshift-ci-robot removed the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Apr 3, 2024
@openshift-ci-robot

@alebedev87: This pull request references Jira Issue OCPBUGS-24653, which is invalid:

  • expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Apr 3, 2024
@alebedev87
Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Apr 3, 2024
@openshift-ci-robot

@alebedev87: This pull request references Jira Issue OCPBUGS-24653, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.16.0) matches configured target version for branch (4.16.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lihongan


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Apr 3, 2024
@lihongan

lihongan commented Apr 3, 2024

/label qe-approved

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Apr 3, 2024
@Miciah

Miciah commented Apr 3, 2024

Thanks!
/approve
/lgtm
/hold
in case @gcs278 wants to review.

At some point, would it make sense to squash all the "UPSTREAM" commits that update Dockerfile.openshift, in order to make rebases easier?

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 3, 2024
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Apr 3, 2024

openshift-ci bot commented Apr 3, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Miciah

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 3, 2024
@alebedev87
Author

At some point, would it make sense to squash all the "UPSTREAM" commits that update Dockerfile.openshift, in order to make rebases easier?

Good point. I think this should be done - yes.

@Miciah

Miciah commented Apr 3, 2024

At some point, would it make sense to squash all the "UPSTREAM" commits that update Dockerfile.openshift, in order to make rebases easier?

Good point. I think this should be done - yes.

To be clear, I'm not saying you need to do this now. Maybe next time we rebase on a new upstream release.

@gcs278

gcs278 commented Apr 3, 2024

Thanks!
/lgtm
/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 3, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit 105552e into openshift:main Apr 3, 2024
@openshift-ci-robot

@alebedev87: Jira Issue OCPBUGS-24653: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-24653 has been moved to the MODIFIED state.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
