POC improvements: CRD fixes, FIPS 140-3 migration, schema hardening

ciaranRoche · claude · ciaranRoche · commit 52e3a1043fe8 · 2026-03-04T11:20:09.000Z
- Add "Unknown" to condition status enum in all CRDs per K8s metav1.ConditionStatus
- Add ClusterRoleBinding for admin ClusterRole
- Migrate Makefile from BoringCrypto/GOEXPERIMENT to Go 1.25 native FIPS 140-3 (GOFIPS140/GODEBUG)
- Add BearerAuth security requirement to buildCreateStatusOperation
- Fix silent constraint drops in CRD-to-OpenAPI schema conversion (handle []interface{}, float64, additionalProperties as object)
- Bump generation in Replace when spec changes
- Remove redundant value-type presenter registrations
- Fix getOwnerPlural fallback to use lowercase

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/Makefile b/Makefile
@@ -3,9 +3,12 @@
 # Include bingo-managed tool variables
 include .bingo/Variables.mk
 
-# CGO_ENABLED=0 is not FIPS compliant. large commercial vendors and FedRAMP require FIPS compliant crypto
-# Use ?= to allow Dockerfile to override (CGO_ENABLED=0 for Alpine-based dev images)
-CGO_ENABLED ?= 1
+# Go 1.25+ uses native FIPS 140-3 support (GOFIPS140) instead of BoringCrypto/GOEXPERIMENT.
+# CGO is no longer required for FIPS compliance. Set GOFIPS140=latest at build time and
+# GODEBUG=fips140=on at runtime to enable FIPS 140-3 mode.
+# Use ?= to allow Dockerfile to override
+CGO_ENABLED ?= 0
+GOFIPS140 ?= latest
 
 # Enable users to override the golang used to accomodate custom installations
 GO ?= go
@@ -69,7 +72,7 @@ help:
 .PHONY: help
 
 # Encourage consistent tool versions
-GO_VERSION:=go1.24.
+GO_VERSION:=go1.25.
 
 ### Constants:
 version:=$(shell date +%s)
@@ -135,12 +138,12 @@ lint: $(GOLANGCI_LINT)
 build: check-gopath generate-mocks
 	@mkdir -p bin
 	echo "Building version: ${build_version}"
-	CGO_ENABLED=$(CGO_ENABLED) GOEXPERIMENT=boringcrypto ${GO} build -ldflags="$(ldflags)" -o bin/hyperfleet-api ./cmd/hyperfleet-api
+	CGO_ENABLED=$(CGO_ENABLED) GOFIPS140=$(GOFIPS140) ${GO} build -ldflags="$(ldflags)" -o bin/hyperfleet-api ./cmd/hyperfleet-api
 .PHONY: build
 
 # Install
 install: check-gopath generate-mocks
-	CGO_ENABLED=$(CGO_ENABLED) GOEXPERIMENT=boringcrypto ${GO} install -ldflags="$(ldflags)" ./cmd/hyperfleet-api
+	CGO_ENABLED=$(CGO_ENABLED) GOFIPS140=$(GOFIPS140) ${GO} install -ldflags="$(ldflags)" ./cmd/hyperfleet-api
 	@ ${GO} version | grep -q "$(GO_VERSION)" || \
 		( \
 			printf '\033[41m\033[97m\n'; \
@@ -173,7 +176,7 @@ secrets:
 # Examples:
 #   make test TESTFLAGS="-run TestSomething"
 test: install secrets $(GOTESTSUM)
-	OCM_ENV=unit_testing $(GOTESTSUM) --format $(TEST_SUMMARY_FORMAT) -- -p 1 -v $(TESTFLAGS) \
+	GODEBUG=fips140=on OCM_ENV=unit_testing $(GOTESTSUM) --format $(TEST_SUMMARY_FORMAT) -- -p 1 -v $(TESTFLAGS) \
 		./pkg/... \
 		./cmd/...
 .PHONY: test
@@ -186,7 +189,7 @@ test: install secrets $(GOTESTSUM)
 # Examples:
 #   make test-unit-json TESTFLAGS="-run TestSomething"
 ci-test-unit: install secrets $(GOTESTSUM)
-	OCM_ENV=unit_testing $(GOTESTSUM) --jsonfile-timing-events=$(unit_test_json_output) --format $(TEST_SUMMARY_FORMAT) -- -p 1 -v $(TESTFLAGS) \
+	GODEBUG=fips140=on OCM_ENV=unit_testing $(GOTESTSUM) --jsonfile-timing-events=$(unit_test_json_output) --format $(TEST_SUMMARY_FORMAT) -- -p 1 -v $(TESTFLAGS) \
 		./pkg/... \
 		./cmd/...
 .PHONY: ci-test-unit
@@ -202,7 +205,7 @@ ci-test-unit: install secrets $(GOTESTSUM)
 #   make test-integration TESTFLAGS="-run TestAccountsGet"  runs TestAccountsGet
 #   make test-integration TESTFLAGS="-short"                skips long-run tests
 ci-test-integration: install secrets $(GOTESTSUM)
-	TESTCONTAINERS_RYUK_DISABLED=true OCM_ENV=integration_testing $(GOTESTSUM) --jsonfile-timing-events=$(integration_test_json_output) --format $(TEST_SUMMARY_FORMAT) -- -p 1 -ldflags -s -v -timeout 1h $(TESTFLAGS) \
+	GODEBUG=fips140=on TESTCONTAINERS_RYUK_DISABLED=true OCM_ENV=integration_testing $(GOTESTSUM) --jsonfile-timing-events=$(integration_test_json_output) --format $(TEST_SUMMARY_FORMAT) -- -p 1 -ldflags -s -v -timeout 1h $(TESTFLAGS) \
 			./test/integration
 .PHONY: ci-test-integration
 
@@ -217,7 +220,7 @@ ci-test-integration: install secrets $(GOTESTSUM)
 #   make test-integration TESTFLAGS="-run TestAccountsGet"  runs TestAccountsGet
 #   make test-integration TESTFLAGS="-short"                skips long-run tests
 test-integration: install secrets $(GOTESTSUM)
-	TESTCONTAINERS_RYUK_DISABLED=true OCM_ENV=integration_testing $(GOTESTSUM) --format $(TEST_SUMMARY_FORMAT) -- -p 1 -ldflags -s -v -timeout 1h $(TESTFLAGS) \
+	GODEBUG=fips140=on TESTCONTAINERS_RYUK_DISABLED=true OCM_ENV=integration_testing $(GOTESTSUM) --format $(TEST_SUMMARY_FORMAT) -- -p 1 -ldflags -s -v -timeout 1h $(TESTFLAGS) \
 			./test/integration
 .PHONY: test-integration
 
@@ -233,13 +236,13 @@ generate-all: generate-mocks
 .PHONY: generate-all
 
 run: build
-	./bin/hyperfleet-api migrate
-	CRD_PATH=$(PWD)/charts/crds ./bin/hyperfleet-api serve
+	GODEBUG=fips140=on ./bin/hyperfleet-api migrate
+	GODEBUG=fips140=on CRD_PATH=$(PWD)/charts/crds ./bin/hyperfleet-api serve
 .PHONY: run
 
 run-no-auth: build
-	./bin/hyperfleet-api migrate
-	CRD_PATH=$(PWD)/charts/crds ./bin/hyperfleet-api serve --enable-authz=false --enable-jwt=false
+	GODEBUG=fips140=on ./bin/hyperfleet-api migrate
+	GODEBUG=fips140=on CRD_PATH=$(PWD)/charts/crds ./bin/hyperfleet-api serve --enable-authz=false --enable-jwt=false
 .PHONY: run-no-auth
 
 # Run Swagger and host the api docs
@@ -261,7 +264,7 @@ clean:
 cmds:
 	@mkdir -p bin
 	for cmd in $$(ls cmd); do \
-		CGO_ENABLED=$(CGO_ENABLED) ${GO} build \
+		CGO_ENABLED=$(CGO_ENABLED) GOFIPS140=$(GOFIPS140) ${GO} build \
 			-ldflags="$(ldflags)" \
 			-o "bin/$${cmd}" \
 			"./cmd/$${cmd}" \
diff --git a/charts/crds/cluster-crd.yaml b/charts/crds/cluster-crd.yaml
@@ -62,6 +62,7 @@ spec:
                         enum:
                           - "True"
                           - "False"
+                          - "Unknown"
                       reason:
                         type: string
                         description: Machine-readable reason for the condition's last transition
diff --git a/charts/crds/idp-crd.yaml b/charts/crds/idp-crd.yaml
@@ -78,6 +78,7 @@ spec:
                         enum:
                           - "True"
                           - "False"
+                          - "Unknown"
                       reason:
                         type: string
                         description: Machine-readable reason for the condition's last transition
diff --git a/charts/crds/nodepool-crd.yaml b/charts/crds/nodepool-crd.yaml
@@ -68,6 +68,7 @@ spec:
                         enum:
                           - "True"
                           - "False"
+                          - "Unknown"
                       reason:
                         type: string
                         description: Machine-readable reason for the condition's last transition
diff --git a/charts/templates/rbac/clusterrolebinding-admin.yaml b/charts/templates/rbac/clusterrolebinding-admin.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "hyperfleet-api.fullname" . }}-admin
+  labels:
+    {{- include "hyperfleet-api.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "hyperfleet-api.fullname" . }}-admin
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "hyperfleet-api.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/pkg/openapi/paths.go b/pkg/openapi/paths.go
@@ -337,6 +337,7 @@ func buildCreateStatusOperation(def *api.ResourceDefinition, ownerDef *api.Resou
 			},
 		},
 		Responses: buildStatusCreateResponses(),
+		Security:  &openapi3.SecurityRequirements{{"BearerAuth": {}}},
 	}
 }
 
diff --git a/pkg/openapi/schemas.go b/pkg/openapi/schemas.go
@@ -278,18 +278,13 @@ func applySchemaProperties(schema *openapi3.Schema, crdSchema map[string]interfa
 		}
 	}
 
-	if required, ok := crdSchema["required"].([]string); ok {
-		schema.Required = required
-	}
+	schema.Required = toStringSlice(crdSchema["required"])
 
 	if desc, ok := crdSchema["description"].(string); ok {
 		schema.Description = desc
 	}
 
-	// Handle additionalProperties
-	if addProps, ok := crdSchema["additionalProperties"].(bool); ok && addProps {
-		schema.AdditionalProperties = openapi3.AdditionalProperties{Has: boolPtr(true)}
-	}
+	applyAdditionalProperties(schema, crdSchema)
 }
 
 // convertCRDSchemaToOpenAPI converts a CRD schema map to an OpenAPI SchemaRef.
@@ -320,13 +315,12 @@ func convertCRDSchemaToOpenAPI(crdSchema map[string]interface{}) *openapi3.Schem
 		schema.Max = &max
 	}
 
-	if minLen, ok := crdSchema["minLength"].(int64); ok {
-		schema.MinLength = uint64(minLen)
+	if v, ok := toUint64(crdSchema["minLength"]); ok {
+		schema.MinLength = v
 	}
 
-	if maxLen, ok := crdSchema["maxLength"].(int64); ok {
-		uval := uint64(maxLen)
-		schema.MaxLength = &uval
+	if v, ok := toUint64(crdSchema["maxLength"]); ok {
+		schema.MaxLength = &v
 	}
 
 	if pattern, ok := crdSchema["pattern"].(string); ok {
@@ -346,15 +340,58 @@ func convertCRDSchemaToOpenAPI(crdSchema map[string]interface{}) *openapi3.Schem
 		schema.Items = convertCRDSchemaToOpenAPI(items)
 	}
 
-	if required, ok := crdSchema["required"].([]string); ok {
-		schema.Required = required
+	schema.Required = toStringSlice(crdSchema["required"])
+
+	applyAdditionalProperties(schema, crdSchema)
+
+	return &openapi3.SchemaRef{Value: schema}
+}
+
+// toStringSlice converts an interface{} (typically []interface{} from JSON/YAML unmarshal) to []string.
+// Returns nil if the value is nil or not convertible.
+func toStringSlice(v interface{}) []string {
+	switch val := v.(type) {
+	case []string:
+		return val
+	case []interface{}:
+		result := make([]string, 0, len(val))
+		for _, item := range val {
+			if s, ok := item.(string); ok {
+				result = append(result, s)
+			}
+		}
+		return result
 	}
+	return nil
+}
 
-	if addProps, ok := crdSchema["additionalProperties"].(bool); ok && addProps {
-		schema.AdditionalProperties = openapi3.AdditionalProperties{Has: boolPtr(true)}
+// toUint64 converts an interface{} (typically float64 or int from JSON/YAML unmarshal) to uint64.
+func toUint64(v interface{}) (uint64, bool) {
+	switch val := v.(type) {
+	case float64:
+		return uint64(val), true
+	case int:
+		return uint64(val), true
+	case int64:
+		return uint64(val), true
 	}
+	return 0, false
+}
 
-	return &openapi3.SchemaRef{Value: schema}
+// applyAdditionalProperties handles the additionalProperties field which can be a bool or an object.
+func applyAdditionalProperties(schema *openapi3.Schema, crdSchema map[string]interface{}) {
+	ap := crdSchema["additionalProperties"]
+	if ap == nil {
+		return
+	}
+	switch val := ap.(type) {
+	case bool:
+		schema.AdditionalProperties = openapi3.AdditionalProperties{Has: boolPtr(val)}
+	case map[string]interface{}:
+		schema.AdditionalProperties = openapi3.AdditionalProperties{
+			Schema: convertCRDSchemaToOpenAPI(val),
+		}
+	}
 }
 
 // uint64Ptr returns a pointer to a uint64 value.
diff --git a/pkg/services/resource.go b/pkg/services/resource.go
@@ -1,6 +1,7 @@
 package services
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	stderrors "errors"
@@ -109,7 +110,16 @@ func (s *sqlResourceService) Create(ctx context.Context, resource *api.Resource,
 }
 
 func (s *sqlResourceService) Replace(ctx context.Context, resource *api.Resource) (*api.Resource, *errors.ServiceError) {
-	resource, err := s.resourceDao.Replace(ctx, resource)
+	existing, err := s.resourceDao.GetByKindAndID(ctx, resource.Kind, resource.ID)
+	if err != nil {
+		return nil, handleGetError(resource.Kind, "id", resource.ID, err)
+	}
+
+	if !bytes.Equal(existing.Spec, resource.Spec) {
+		resource.Generation = existing.Generation + 1
+	}
+
+	resource, err = s.resourceDao.Replace(ctx, resource)
 	if err != nil {
 		return nil, handleUpdateError(resource.Kind, err)
 	}
diff --git a/plugins/resources/plugin.go b/plugins/resources/plugin.go
@@ -6,6 +6,7 @@ import (
 	"context"
 	"net/http"
 	"os"
+	"strings"
 
 	"github.com/gorilla/mux"
 	"github.com/openshift-hyperfleet/hyperfleet-api/cmd/hyperfleet-api/environments"
@@ -99,10 +100,8 @@ func init() {
 		}
 	})
 
-	// Presenter registration for Resource type
-	presenters.RegisterPath(api.Resource{}, "resources")
+	// Presenter registration for Resource type (pointer only)
 	presenters.RegisterPath(&api.Resource{}, "resources")
-	presenters.RegisterKind(api.Resource{}, "Resource")
 	presenters.RegisterKind(&api.Resource{}, "Resource")
 }
 
@@ -161,5 +160,5 @@ func getOwnerPlural(kind string) string {
 		return def.Plural
 	}
 	// Fallback: lowercase + "s"
-	return kind + "s"
+	return strings.ToLower(kind) + "s"
 }

Original file line number	Diff line number	Diff line change
`@@ -337,6 +337,7 @@ func buildCreateStatusOperation(def api.ResourceDefinition, ownerDef api.Resou`
`337`	`337`	`},`
`338`	`338`	`},`
`339`	`339`	`Responses: buildStatusCreateResponses(),`
	`340`	`+ Security: &openapi3.SecurityRequirements{{"BearerAuth": {}}},`
`340`	`341`	`}`
`341`	`342`	`}`
`342`	`343`
Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ import (`
`6`	`6`	`"context"`
`7`	`7`	`"net/http"`
`8`	`8`	`"os"`
	`9`	`+ "strings"`
`9`	`10`
`10`	`11`	`"github.com/gorilla/mux"`
`11`	`12`	`"github.com/openshift-hyperfleet/hyperfleet-api/cmd/hyperfleet-api/environments"`
`@@ -99,10 +100,8 @@ func init() {`
`99`	`100`	`}`
`100`	`101`	`})`
`101`	`102`
`102`		`- // Presenter registration for Resource type`
`103`		`- presenters.RegisterPath(api.Resource{}, "resources")`
	`103`	`+ // Presenter registration for Resource type (pointer only)`
`104`	`104`	`presenters.RegisterPath(&api.Resource{}, "resources")`
`105`		`- presenters.RegisterKind(api.Resource{}, "Resource")`
`106`	`105`	`presenters.RegisterKind(&api.Resource{}, "Resource")`
`107`	`106`	`}`
`108`	`107`
`@@ -161,5 +160,5 @@ func getOwnerPlural(kind string) string {`
`161`	`160`	`return def.Plural`
`162`	`161`	`}`
`163`	`162`	`// Fallback: lowercase + "s"`
`164`		`- return kind + "s"`
	`163`	`+ return strings.ToLower(kind) + "s"`
`165`	`164`	`}`