Enable FIPS compliancy in Makefile #6071
Conversation
.ci/pipelines/build.Jenkinsfile
Outdated
| @@ -38,6 +38,7 @@ pipeline { | |||
| steps { | |||
| sh '.ci/setenvconfig build' | |||
| sh 'make -C .ci license.key TARGET=ci-release ci' | |||
| sh 'make -C .ci license.key TARGET=build-operator-multiarch-image ci ENABLE_FIPS=true' | |||
There was a problem hiding this comment.
Would it make sense to do a whole other step here, with a different target in setenvconfig? It seems overkill when looking at this, but setenvconfig is used to set all env variables in all other steps, but since the build case block is split between nightly and release already, it seemed adding a 3rd would be ugly.
There was a problem hiding this comment.
I'm good with this approach to call again the build in FIPS mode using an environment variable. I don't think we should rely on setenvconfig for this. Also I wonder if we should not make this builds in parallel with the old one.
stage('build') {
failFast true
parallel {
stage("build operator image") {
steps {
sh '.ci/setenvconfig build'
sh 'make -C .ci license.key TARGET=ci-release ci'
}
}
stage("build operator image in FIPS mode") {
steps {
sh '.ci/setenvconfig build'
sh 'make -C .ci license.key TARGET=ci-release ci ENABLE_FIPS=true'
}
}
}
}There was a problem hiding this comment.
I think the parallel build makes perfect sense. I've updated this PR with this new parallel build phase.
This potential change will enable FIPS compliancy for the operator build by making the changes:
ENABLE_FIPSenvironment variable which will add a build flaggoexperiment.boringcryptoto the existingGO_TAGSvariable which we use duringgo buildanddocker buildoperations.-fipsto all container build names that we push to existing registries.ENABLE_FIPS=trueenvironment variable set.This change does not1. Add any Jenkins/Buildkite changes that would allow FIPS these changes to be triggered in our current/future CI system.