The MCE hypershift container needs changes to the exceptions in place#339
The MCE hypershift container needs changes to the exceptions in place#339yiraeChristineKim wants to merge 1 commit into
Conversation
The FIPS scans are failing in our konflux builds due to problems with the hypershift "extra" binaries. The current exceptions for these binaries is not correctly preventing the scanner from erroring on these binaries. Tested with the latest image from our MCE 2.18.3 release Refs: - https://issues.redhat.com/browse/ACM-24281 Signed-off-by: Gus Parvin <gparvin@redhat.com> Signed-off-by: yiraeChristineKim <yikim@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: yiraeChristineKim The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
There was a problem hiding this comment.
A few questions:
- Why can't the -no-cgo and hypershift-no-cgo binaries be removed from the production image? They're documented as QE-only.
- Why is the primary /usr/bin/hcp binary now non-CGO/non-FIPS? Is there a plan to fix this upstream rather than permanently excepting it?
- If exceptions are truly necessary (e.g., short-term while upstream fixes land), they need justification comments, bug links, and ideally a time-boxed plan to remove them.
Wondering if this is due to a split here between konflux and ART? Modifying here means that when ART runs this against the release payload, the exceptions trickle up.
If this is purely at some level with konflux then is there a way to have some override at the konflux level?
Does ART actually strip /usr/bin/hcp, /usr/bin/hcp-no-cgo, and /usr/bin/hypershift-no-cgo from the final image?
Right, QE is requiring these files be included.
When we move to ART, we can just not include the binaries at all. It's not clear exactly when this will be, but I expect it will not be more than a few months for all streams to move over.
The QE team doesn't have a plan to move away from using these binaries, but we should be able to include them in ACM builds that don't scan for FIPS and not include them in ART builds -- when we move to ART. For now, our ACM dev pipeline and production pipelines use the same dockerfile so the binaries are included.
I'm not sure, I was thinking our ART dockerfile could not include the binaries at all. I'll suggest this to the hypershift team to see if it would work. |
|
@gparvin Thank you for answering those questions. Let me know if further clarifications are needed. |
|
@smith-xyz Can we merge this? It’s been pending for a long time. |
|
@yiraeChristineKim @gparvin Thanks, this helps, but it reinforces why I’m hesitant to merge as-is. Release configs ≠ Konflux workaround. dist/releases/*/config.toml is used when scanning the OCP release payload. If ART omits these binaries, we shouldn’t need exceptions here. If ACM Konflux needs a pass, that belongs in the Konflux pipeline / scan invocation, not in release-wide exceptions. Same Dockerfile for ACM dev and prod means QE-only binaries are shipping to ACM customers today. Widening exceptions doesn’t address that; splitting the Dockerfile (or a build arg to omit -no-cgo / non-FIPS hcp from prod) does. /usr/bin/hcp is the production binary. Excepting it for ErrGoNotCgoEnabled / missing symbols / static link is accepting non-FIPS crypto for the main tool. “We’ll drop it in ART later” isn’t a substitute for either fixing the build or not shipping it now. Before merge: confirm what com.redhat.component is on Konflux vs ART images; confirm whether these paths exist in the composed OCP payload; add justification comments + ACM-24281 in the TOML; scope exceptions to releases that actually ship this image. Happy to re-review if the approach is “fix Dockerfile / omit binaries from prod” or a Konflux-specific config path — less happy to merge broad release exceptions for binaries you plan to stop shipping. |
|
just thinking of a few cleaner paths we can take in case this can help - I'm not sure what is possible relative to konflux here but just to see if we can move this along:
|
|
@smith-xyz Currently we are trying to release hypershift hcp cli to Developer portal, then If we omit binaries from prod, then we cannot publish to developer portal .... right? |
|
@yiraeChristineKim: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
4 participants
The FIPS scans are failing in our konflux builds due to problems with the hypershift "extra" binaries. The current exceptions for these binaries is not correctly preventing the scanner from erroring on these binaries. Tested with the latest image from our MCE 2.18.3 release
from #282
Refs: