This change adds requirements for FIPS #306
Conversation
|
Skipping CI for Draft Pull Request. |
Dockerfile
Outdated
| @@ -1,5 +1,5 @@ | |||
| # Build the manager binary | |||
| ARG GOLANG_BUILDER=golang:1.19 | |||
| ARG GOLANG_BUILDER=quay.io/projectquay/golang:1.20 | |||
| ARG OPERATOR_BASE_IMAGE=gcr.io/distroless/static:nonroot | |||
There was a problem hiding this comment.
This might need to switch to distroless/base. Try building this image locally and running a container with it. The manager should actually run (and error out).
With ironic-operator I got the following until I changed the base image:
exec container process (missing dynamic library?) '/manager': No such file or directory
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bshephar, rebtoor The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
- Changed the build image to ubi9/go-toolkit - Changed the base image to ubi9/minimal - Added the default GO_BUILD_EXTRA_ARGS="-tags strictfipsruntime" - Added the GO_BUILD_EXTRA_ENV_ARGS build argument to allow custom build arguments at build time. It defaults to "CGO_ENABLED=1 GO111MODULE=on" - Those default parameters have been added to enable FIPS compliance - Fixed indentation - Removed TARGETOS and TARGETARCH env vars. - Added DOCKER_BUILD_ARGS variable in Makefile to pass custom parameters during podman build - Added export FAIL_FIPS_CHECK=true in .prow_ci.env file Signed-off-by: Brendan Shephard <[email protected]>
|
/lgtm |
openshift-merge-bot
bot
merged commit 244c345
into
openstack-k8s-operators:main
This change ensures the heat-operator is built with FIPS compliance.