OCPSTRAT-3113: Set DEFAULT:PQ crypto-policies to RHEL9 base image#230
OCPSTRAT-3113: Set DEFAULT:PQ crypto-policies to RHEL9 base image#230sdodson wants to merge 1 commit intoopenshift:masterfrom
Conversation
WalkthroughAdded a multi-stage build in Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sdodson The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
Bot
added
the
approved
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@base/Dockerfile.rhel9`:
- Around line 11-12: The crypto-policies copy (the COPY --from=builder
/etc/crypto-policies/ /etc/crypto-policies/ step) is placed before later dnf
package transactions which can rebuild policy state; move that COPY so it occurs
after all package installation and dnf transaction steps to ensure the final
DEFAULT:PQ policy is deterministic and not overwritten by subsequent package
operations. Locate the COPY in base/Dockerfile.rhel9 and reorder it to follow
the block that performs dnf installs/transactions (the package installation
commands) so the copied /etc/crypto-policies/ is the last change to that path.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 1b3e24d5-04d8-4563-a315-087010e8d4db
📒 Files selected for processing (1)
base/Dockerfile.rhel9
openshift-ci
Bot
added
the
do-not-merge/work-in-progress
Convert base/Dockerfile.rhel9 to multi-stage build to configure crypto-policies with DEFAULT:PQ policy. This adds post-quantum cryptography support for future-proofing against quantum threats. The builder stage installs crypto-policies and runs update-crypto-policies --set DEFAULT:PQ, then the final stage copies /etc/crypto-policies/ from the builder to include the configured policies in the base image. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
sdodson
force-pushed
the
pq-crypto-policies
branch
from
fe502ea to
fd63ad8
Compare
|
/test images |
sdodson
changed the title
sdodson
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@sdodson: This pull request references OCPSTRAT-3113 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the initiative to target only the "4.22.0" version, but multiple target versions were set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
sdodson
changed the title
openshift-ci
Bot
removed
the
do-not-merge/work-in-progress
|
/hold |
openshift-ci
Bot
added
the
do-not-merge/hold
There was a problem hiding this comment.
🧹 Nitpick comments (1)
base/Dockerfile.rhel9 (1)
11-12: Add a build-time guard to prevent silent crypto-policy regressions.Consider asserting the copied policy in the final stage so future base/package changes can’t silently drift away from
DEFAULT:PQ.Suggested diff
# Copy crypto-policies configuration from builder stage COPY --from=builder /etc/crypto-policies/ /etc/crypto-policies/ + +# Fail build if policy is not what we expect +RUN test "$(cat /etc/crypto-policies/config)" = "DEFAULT:PQ"As per coding guidelines, "-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@base/Dockerfile.rhel9` around lines 11 - 12, Add a build-time assertion in the final Docker stage to verify the copied crypto-policies did not regress from the expected DEFAULT:PQ; after the existing COPY --from=builder /etc/crypto-policies/ /etc/crypto-policies/ add a RUN that inspects the relevant policy file under /etc/crypto-policies/ (e.g., the config or DEFAULT file) and fails the build if it does not contain "DEFAULT:PQ" so any future base/package changes break the build rather than silently drifting.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In `@base/Dockerfile.rhel9`:
- Around line 11-12: Add a build-time assertion in the final Docker stage to
verify the copied crypto-policies did not regress from the expected DEFAULT:PQ;
after the existing COPY --from=builder /etc/crypto-policies/
/etc/crypto-policies/ add a RUN that inspects the relevant policy file under
/etc/crypto-policies/ (e.g., the config or DEFAULT file) and fails the build if
it does not contain "DEFAULT:PQ" so any future base/package changes break the
build rather than silently drifting.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: f003135e-d91b-4ab9-872d-b73bfed4adae
📒 Files selected for processing (1)
base/Dockerfile.rhel9
|
@sdodson: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
@sdodson: This pull request references OCPSTRAT-3113 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the initiative to target only the "5.0.0" version, but multiple target versions were set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/hold cancel |
openshift-ci
Bot
removed
the
do-not-merge/hold
|
/verified by @sdodson |
openshift-ci-robot
added
the
verified
|
@sdodson: This PR has been marked as verified by DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
| update-crypto-policies --set DEFAULT:PQ && \ | ||
| dnf clean all && rm -rf /var/cache/* | ||
|
|
||
| # Final stage: Base RHEL9 image with PQ crypto-policies |
There was a problem hiding this comment.
Not quite as good as building in CI, but I built locally, router with the PQ policy and it didn't die on start:
podman run --platform linux/amd64 --rm --entrypoint /usr/sbin/haproxy localhost/router:test-pq -c -f /var/lib/haproxy/conf/haproxy.config │
Configuration file has no error but will not start (no listener) => exit(2)
I'll check coredns and CIO, CDO too
There was a problem hiding this comment.
I was running CIO's e2e on a dev cluster with the PQ build router, I saw:
=== NAME TestAll/parallel/TestTLSSecurityProfile
operator_test.go:1916: ingresscontroller status has unexpected security profile spec.
expected:
ciphers:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-CHACHA20-POLY1305
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
mintlsversion: VersionTLS12
got:
ciphers:
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-CHACHA20-POLY1305
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
mintlsversion: VersionTLS12
so we have at least one e2e test to fix with this...
There was a problem hiding this comment.
Results for coredns and running cluster-dns-operator e2e: we can build with PQ image and e2e tests all run, except for one non-TLS related flake. I think we don't hard code a cipher suite test in the same way so this won't be a problem
| FROM registry.ci.openshift.org/ocp/4.22:base-rhel9 AS builder | ||
|
|
||
| RUN dnf install -y --nodocs crypto-policies-scripts && \ | ||
| update-crypto-policies --set DEFAULT:PQ && \ |
There was a problem hiding this comment.
So for RHEL 9 crypto-policies, the DEFAULT:PQ policy and FIPS mode are currently mutually exclusive, right? So are binaries built with this image shunted away from FIPS enabled cluster usage somehow?
There was a problem hiding this comment.
I don't believe they are mutually exclusive in implementation only in audit policy.
There was a problem hiding this comment.
Okay so reading here: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#post_quantum_cryptography
I think I understand that PQ is a subpolicy and in FIPS cluster, we'd likely see double (hybrid) encryption where the PQ crypto is wrapped by the compliant crypto, for now.
| @@ -1,5 +1,16 @@ | |||
| # Builder stage: Configure crypto-policies with post-quantum support | |||
| FROM registry.ci.openshift.org/ocp/4.22:base-rhel9 AS builder | |||
There was a problem hiding this comment.
Will this affect 4.22 images? I thought this was planned for 5.0?
There was a problem hiding this comment.
No, that will only affect the inputs to the build, not the output. ART just hasn't done the image synchronization stuff that they normally do, I assume they'll update this in the near future. Since 4.22 and 5.0 both use UBI9 as the base this shouldn't affect any outcomes.
4 participants
Summary
Technical Details
The DEFAULT:PQ policy is additive - it adds post-quantum algorithms while maintaining existing algorithms for backward compatibility.
Test plan
docker build -f base/Dockerfile.rhel9 .docker run --rm <image> update-crypto-policies --show(should output: DEFAULT:PQ)docker run --rm <image> ls -la /etc/crypto-policies/🤖 Generated with Claude Code