OCPSTRAT-3113: Set DEFAULT:PQ crypto-policies to RHEL9 base image #230
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,16 @@ | ||
| # Builder stage: Configure crypto-policies with post-quantum support | ||
| FROM registry.ci.openshift.org/ocp/4.22:base-rhel9 AS builder | ||
|
|
||
| RUN dnf install -y --nodocs crypto-policies-scripts && \ | ||
| update-crypto-policies --set DEFAULT:PQ && \ | ||
|
There was a problem hiding this comment. So for RHEL 9 crypto-policies, the DEFAULT:PQ policy and FIPS mode are currently mutually exclusive, right? So are binaries built with this image shunted away from FIPS enabled cluster usage somehow?
Member
Author
There was a problem hiding this comment. I don't believe they are mutually exclusive in implementation only in audit policy. There was a problem hiding this comment. Okay so reading here: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#post_quantum_cryptography I think I understand that PQ is a subpolicy and in FIPS cluster, we'd likely see double (hybrid) encryption where the PQ crypto is wrapped by the compliant crypto, for now. |
||
| dnf clean all && rm -rf /var/cache/* | ||
|
|
||
| # Final stage: Base RHEL9 image with PQ crypto-policies | ||
|
There was a problem hiding this comment. Not quite as good as building in CI, but I built locally, I'll check coredns and CIO, CDO too There was a problem hiding this comment. I was running CIO's e2e on a dev cluster with the PQ build router, I saw: so we have at least one e2e test to fix with this... There was a problem hiding this comment. Results for coredns and running cluster-dns-operator e2e: we can build with PQ image and e2e tests all run, except for one non-TLS related flake. I think we don't hard code a cipher suite test in the same way so this won't be a problem |
||
| FROM registry.ci.openshift.org/ocp/4.22:base-rhel9 | ||
|
|
||
| # Copy crypto-policies configuration from builder stage | ||
| COPY --from=builder /etc/crypto-policies/ /etc/crypto-policies/ | ||
|
sdodson marked this conversation as resolved.
|
||
|
|
||
| # A ubi9 image will expose python3 as /usr/bin/python. It does not contain | ||
| # python2. Subsequent layers should install if it needed. | ||
| # | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will this affect 4.22 images? I thought this was planned for 5.0?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, that will only affect the inputs to the build, not the output. ART just hasn't done the image synchronization stuff that they normally do, I assume they'll update this in the near future. Since 4.22 and 5.0 both use UBI9 as the base this shouldn't affect any outcomes.