Merge pull request #76748 from bscott-rh/OSDOCS-10725

bscott-rh · web-flow · commit 1f986764c495 · 2024-06-19T18:12:16.000-04:00
OSDOCS#10725 documenting RHEL 9 FIPS requirement
diff --git a/installing/installing-fips.adoc b/installing/installing-fips.adoc
@@ -14,19 +14,28 @@ For more information about the NIST validation program, see link:https://csrc.ni
 
 [IMPORTANT]
 ====
-To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base} 8 computer that is configured to operate in FIPS mode. Running {op-system-base} 9 with FIPS mode enabled to install an {product-title} cluster is not possible.
+To enable FIPS mode for your cluster, you must run the installation program from a {op-system-base} 9 computer that is configured to operate in FIPS mode, and you must use a FIPS-capable version of the installation program. See the section titled _Obtaining a FIPS-capable installation program using `oc adm extract`_.
 
-For more information about configuring FIPS mode on {op-system-base}, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/assembly_installing-a-rhel-8-system-with-fips-mode-enabled_security-hardening[Installing the system in FIPS mode].
+For more information about configuring FIPS mode on {op-system-base}, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode].
 ====
 
 For the {op-system-first} machines in your cluster, this change is applied when the machines are deployed based on the status of an option in the `install-config.yaml` file, which governs the cluster options that a user can change during cluster deployment. With {op-system-base-full} machines, you must enable FIPS mode when you install the operating system on the machines that you plan to use as worker machines.
 
 Because FIPS must be enabled before the operating system that your cluster uses boots for the first time, you cannot enable FIPS after you deploy a cluster.
 
+include::modules/installation-obtaining-fips-installer-oc.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../installing/installing_bare_metal_ipi/ipi-install-installation-workflow.adoc#retrieving-the-openshift-installer_ipi-install-installation-workflow[Extracting the OpenShift Container Platform installation program]
+
+include::modules/installation-obtaining-fips-installer-mirror.adoc[leveloffset=+1]
+
 [id="installation-about-fips-validation_{context}"]
 == FIPS validation in {product-title}
 
-{product-title} uses certain FIPS validated or Modules In Process modules within {op-system-base} and {op-system} for the operating system components that it uses. See link:https://access.redhat.com/articles/3655361[RHEL8 core crypto components]. For example, when users use SSH to connect to {product-title} clusters and containers, those connections are properly encrypted.
+{product-title} uses certain FIPS validated or Modules In Process modules within {op-system-base} and {op-system} for the operating system components that it uses. See link:https://access.redhat.com/articles/3655361[RHEL core crypto components]. For example, when users use SSH to connect to {product-title} clusters and containers, those connections are properly encrypted.
 
 {product-title} components are written in Go and built with Red Hat's golang compiler. When you enable FIPS mode for your cluster, all {product-title} components that require cryptographic signing call {op-system-base} and {op-system} cryptographic libraries.
 
@@ -37,14 +46,12 @@ Because FIPS must be enabled before the operating system that your cluster uses
 |Attributes
 |Limitations
 
-|FIPS support in {op-system-base} 8 and {op-system} operating systems.
-.3+|The FIPS implementation does not offer a single function that both computes hash functions and validates the keys that are based on that hash. This limitation will continue to be evaluated and improved in future {product-title} releases.
+|FIPS support in {op-system-base} 9 and {op-system} operating systems.
+.4+|The FIPS implementation does not use a function that performs hash computation and signature generation or validation in a single step. This limitation will continue to be evaluated and improved in future {product-title} releases.
 
 |FIPS support in CRI-O runtimes.
 |FIPS support in {product-title} services.
-
-|FIPS validated or Modules In Process cryptographic module and algorithms that are obtained from {op-system-base} 8 and {op-system} binaries and images.
-|
+|FIPS validated or Modules In Process cryptographic module and algorithms that are obtained from {op-system-base} 9 and {op-system} binaries and images.
 
 |Use of FIPS compatible golang compiler.
 |TLS FIPS support is not complete but is planned for future {product-title} releases.
@@ -104,4 +111,4 @@ If you are using Azure File storage, you cannot enable FIPS mode.
 
 To apply `AES CBC` encryption to your etcd data store, follow the xref:../security/encrypting-etcd.adoc#encrypting-etcd[Encrypting etcd data] process after you install your cluster.
 
-If you add {op-system-base} nodes to your cluster, ensure that you enable FIPS mode on the machines before their initial boot. See xref:../machine_management/adding-rhel-compute.adoc#adding-rhel-compute[Adding RHEL compute machines to an {product-title} cluster] and link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#enabling-fips-mode-in-a-container_using-the-system-wide-cryptographic-policies[Enabling FIPS Mode] in the {op-system-base} 8 documentation.
+If you add {op-system-base} nodes to your cluster, ensure that you enable FIPS mode on the machines before their initial boot. See xref:../machine_management/adding-rhel-compute.adoc#adding-rhel-compute[Adding RHEL compute machines to an {product-title} cluster] and link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening[Installing the system in FIPS mode].
diff --git a/modules/installation-obtaining-fips-installer-mirror.adoc b/modules/installation-obtaining-fips-installer-mirror.adoc
@@ -0,0 +1,24 @@
+// Module included in the following assembly:
+// installing/installing-fips.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="installation-obtaining-fips-installer-mirror_{context}"]
+= Obtaining a FIPS-capable installation program using the public OpenShift mirror
+
+{product-title} requires the use of a FIPS-capable installation binary to install a cluster in FIPS mode. You can obtain this binary by downloading it from the public OpenShift mirror. After you have obtained the binary, proceed with the cluster installation, replacing all instances of the `openshift-install` binary with `openshift-install-fips`.
+
+.Prerequisites
+
+* You have access to the internet.
+
+.Procedure
+
+. Download the installation program from https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest-4.16/openshift-install-rhel9-amd64.tar.gz.
+. Extract the installation program. For example, on a computer that uses a Linux operating system, run the following command:
++
+[source,terminal]
+----
+$ tar -xvf openshift-install-rhel9-amd64.tar.gz
+----
++
+. Proceed with cluster installation, replacing all instances of the `openshift-install` command with `openshift-install-fips`.
diff --git a/modules/installation-obtaining-fips-installer-oc.adoc b/modules/installation-obtaining-fips-installer-oc.adoc
@@ -0,0 +1,30 @@
+// Module included in the following assembly:
+// installing/installing-fips.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="installation-obtaining-fips-installer-oc_{context}"]
+= Obtaining a FIPS-capable installation program using `oc adm extract`
+
+{product-title} requires the use of a FIPS-capable installation binary to install a cluster in FIPS mode. You can obtain this binary by extracting it from the release image by using the {oc-first}. After you have obtained the binary, you proceed with the cluster installation, replacing all instances of the `openshift-install` command with `openshift-install-fips`.
+
+.Prerequisites
+
+* You have installed the {oc-first} with version 4.16 or newer.
+
+.Procedure
+
+. Extract the FIPS-capable binary from the installation program by running the following command:
++
+[source,terminal]
+----
+$ oc adm release extract --registry-config "${pullsecret_file}" --command=openshift-install-fips --to "${extract_dir}" ${RELEASE_IMAGE}
+----
++
+where:
++
+--
+`<pullsecret_file>`:: Specifies the name of a file that contains your pull secret.
+`<extract_dir>`:: Specifies the directory where you want to extract the binary.
+`<RELEASE_IMAGE>`:: Specifies the Quay.io URL of the {product-title} release you are using. For more information on finding the release image, see _Extracting the {product-title} installation program_.
+--
+. Proceed with cluster installation, replacing all instances of the `openshift-install` command with `openshift-install-fips`.
