FIPS mode changes and docs (#761)

thegridman · web-flow · commit 3b386ab8e900 · 2025-06-13T19:00:14.000+03:00
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -147,6 +147,13 @@ jobs:
         make uninstall-crds
         make e2e-helm-test
 
+    - name: FIPS Tests
+      shell: bash
+      run: |
+        make undeploy
+        make uninstall-crds
+        make fips-test
+
     - name: Upload Manifests
       uses: actions/upload-artifact@v4
       if: success()
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -81,6 +81,7 @@ jobs:
     - name: Image Scan
       shell: bash
       run:  |
+        make build-operator
         sh ./hack/golang/govulncheck.sh
         echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
         export TRIVY_CACHE=$GITHUB_WORKSPACE/.cache/trivy
diff --git a/.go-version b/.go-version
@@ -1 +1 @@
-1.24.3
+1.24.4
diff --git a/Makefile b/Makefile
@@ -1888,6 +1888,16 @@ else
 	$(KUSTOMIZE) build $(BUILD_DEPLOY)/overlays/ci | $(KUBECTL_CMD) apply -f -
 endif
 
+.PHONY: just-deploy-fips
+just-deploy-fips: ensure-pull-secret ## Deploy the Coherence Operator in FIPS mode without rebuilding anything
+	$(call prepare_deploy,$(OPERATOR_IMAGE),$(OPERATOR_NAMESPACE))
+	$(KUSTOMIZE) build $(BUILD_DEPLOY)/overlays/fips | $(KUBECTL_CMD) apply -f -
+
+.PHONY: fips-test
+fips-test: just-deploy-fips wait-for-deploy
+	chmod +x $(SCRIPTS_DIR)/fips/fips-test.sh
+	$(SCRIPTS_DIR)/fips/fips-test.sh
+
 
 .PHONY: ensure-pull-secret
 ensure-pull-secret:
diff --git a/config/components/fips/fips-env.yaml b/config/components/fips/fips-env.yaml
@@ -0,0 +1,8 @@
+#
+# This patch will configure the Operator to run in FIPS mode.
+#
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: GODEBUG
+    value: "fips140=on"
diff --git a/config/components/fips/kustomization.yaml b/config/components/fips/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+patches:
+  - path: fips-env.yaml
+    target:
+      kind: Deployment
+      name: controller-manager
diff --git a/config/overlays/fips/kustomization.yaml b/config/overlays/fips/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../default
+
+components:
+  - ../../components/fips
diff --git a/docs/installation/100_fips.adoc b/docs/installation/100_fips.adoc
@@ -24,11 +24,14 @@ How the `GODEBUG` environment variable is set depends on how the operator is ins
 [NOTE]
 ====
 Although the Coherence Operator image can easily be installed in a FIPS compliant mode, none of the default
-Oracle Coherence images used by the operator are FIPS complaint.
+Oracle Coherence images used by the operator are FIPS compliant.
+
 The Oracle Coherence team does not currently publish FIPS compliant Coherence images.
-Coherence is FIPS compatible and correctly configured applications running in an image that has a FIPS
-compliant JDK and FIPS compliant base O/S will be FIPS complaint.
 Customers must build their own FIPS complaint Java and Coherence images, which the operator will then manage.
+
+Coherence is FIPS _compatible_ so a correctly configured application running in an image that has a FIPS
+compliant JDK and FIPS compliant base O/S will be FIPS complaint. To be fully FIPS compliant these images must then
+be run in a container runtime on a FIPS compliant host.
 ====
 
 === Install Using Yaml Manifests
@@ -61,6 +64,21 @@ then add the required `GODEBUG` value, for example
           value: fips140=on
 ----
 
+
+=== Install Using Kustomize
+
+If <<docs/installation/013_install_kustomize.adoc,installing the operator using Kustomize>> (or using `kubectl -k`)
+the Coherence manifest yaml files contain a FIPS overlay that adds the `GODEBUG` environment variable
+to the Operator container.
+
+The following command will generate a yaml manifest that installs the operator with FIPS enabled:
+
+[source,bash]
+----
+kustomize build manifests/overlays/fips
+----
+
+
 === Install Using Helm
 
 If <<docs/installation/012_install_helm.adoc,installing the operator using Helm>>
diff --git a/go.mod b/go.mod
@@ -8,7 +8,7 @@ module github.com/oracle/coherence-operator
 // See ./.go-version for the go compiler version used when building binaries
 //
 // https://go.dev/doc/modules/gomod-ref#go
-go 1.24.3
+go 1.24.4
 
 require (
 	github.com/distribution/reference v0.6.0
diff --git a/hack/fips/fips-test.sh b/hack/fips/fips-test.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2020, 2025, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at
+# http://oss.oracle.com/licenses/upl.
+#
+set -o errexit
+
+PODS=$(kubectl -n operator-test get pod -l control-plane=coherence -o name)
+
+for POD in ${PODS}
+do
+  echo "Checking Operator Pod ${POD} is running in FIPS mode"
+  kubectl -n operator-test logs ${POD} | grep "Operator is running with FIPS 140 Enabled"
+  if [[ $? == 1 ]]
+  then
+    echo "Failed - did not find FIPS log message for Pod ${POD}"
+    exit 1
+  fi
+done
+
diff --git a/hack/golang/govulncheck.sh b/hack/golang/govulncheck.sh
@@ -12,6 +12,8 @@ TOOLS_BIN=${ROOT_DIR}/build/tools/bin
 test -s ${TOOLS_BIN}/govulncheck || GOBIN=${TOOLS_BIN} go install golang.org/x/vuln/cmd/govulncheck@latest
 chmod +x ${TOOLS_BIN}/govulncheck
 
+go version
+
 make build-operator-images
 
 echo "INFO: govulncheck - Checking x84_64 runner"
diff --git a/runner/main.go b/runner/main.go
@@ -7,6 +7,7 @@
 package main
 
 import (
+	"crypto/fips140"
 	"fmt"
 	"github.com/oracle/coherence-operator/pkg/operator"
 	"github.com/oracle/coherence-operator/pkg/runner"
@@ -51,4 +52,7 @@ func printVersion() {
 	log.Info(fmt.Sprintf("Operator Git Commit: %s (%s)", Commit, Branch))
 	log.Info(fmt.Sprintf("Go Version: %s", runtime.Version()))
 	log.Info(fmt.Sprintf("Go OS/Arch: %s/%s", runtime.GOOS, runtime.GOARCH))
+	if fips140.Enabled() {
+		log.Info("Operator is running with FIPS 140 Enabled")
+	}
 }
