openshift · openshift-cherrypick-robot · Sep 23, 2025
diff --git a/...blueprints-bootc/layer1-base/group3/rhel96-bootc-brew-ec-with-optional-fips.containerfile b/...blueprints-bootc/layer1-base/group3/rhel96-bootc-brew-ec-with-optional-fips.containerfile
@@ -0,0 +1,16 @@
+# {{- if env.Getenv "BREW_EC_RELEASE_VERSION" "" -}}
+# Note: This comment makes templating add a new line before the code
+FROM localhost/rhel96-bootc-brew-ec-with-optional:latest
+
+# Add fips=1 kernel argument
+# See https://containers.github.io/bootc/building/kernel-arguments.html
+RUN cat > /usr/lib/bootc/kargs.d/01-fips.toml <<'EOF'
+kargs = ["fips=1"]
+match-architectures = ["x86_64"]
+EOF
+
+# Enable the FIPS crypto policy
+RUN dnf install -y crypto-policies-scripts && \
+    update-crypto-policies --no-reload --set FIPS && \
+    dnf clean all
+# {{- end -}}
diff --git a/...blueprints-bootc/layer1-base/group3/rhel96-bootc-brew-rc-with-optional-fips.containerfile b/...blueprints-bootc/layer1-base/group3/rhel96-bootc-brew-rc-with-optional-fips.containerfile
@@ -0,0 +1,16 @@
+# {{- if env.Getenv "BREW_RC_RELEASE_VERSION" "" -}}
+# Note: This comment makes templating add a new line before the code
+FROM localhost/rhel96-bootc-brew-rc-with-optional:latest
+
+# Add fips=1 kernel argument
+# See https://containers.github.io/bootc/building/kernel-arguments.html
+RUN cat > /usr/lib/bootc/kargs.d/01-fips.toml <<'EOF'
+kargs = ["fips=1"]
+match-architectures = ["x86_64"]
+EOF
+
+# Enable the FIPS crypto policy
+RUN dnf install -y crypto-policies-scripts && \
+    update-crypto-policies --no-reload --set FIPS && \
+    dnf clean all
+# {{- end -}}
diff --git a/...rints-bootc/layer1-base/group3/rhel96-bootc-brew-zstream-with-optional-fips.containerfile b/...rints-bootc/layer1-base/group3/rhel96-bootc-brew-zstream-with-optional-fips.containerfile
@@ -0,0 +1,16 @@
+# {{- if env.Getenv "BREW_Y0_RELEASE_VERSION" "" -}}
+# Note: This comment makes templating add a new line before the code
+FROM localhost/rhel96-bootc-brew-zstream-with-optional:latest
+
+# Add fips=1 kernel argument
+# See https://containers.github.io/bootc/building/kernel-arguments.html
+RUN cat > /usr/lib/bootc/kargs.d/01-fips.toml <<'EOF'
+kargs = ["fips=1"]
+match-architectures = ["x86_64"]
+EOF
+
+# Enable the FIPS crypto policy
+RUN dnf install -y crypto-policies-scripts && \
+    update-crypto-policies --no-reload --set FIPS && \
+    dnf clean all
+# {{- end -}}
diff --git a/test/image-blueprints/layer1-base/group5/rhel96-brew-ec-with-optionals-fips.toml b/test/image-blueprints/layer1-base/group5/rhel96-brew-ec-with-optionals-fips.toml
@@ -0,0 +1,32 @@
+{{- if and (env.Getenv "BREW_EC_RELEASE_VERSION" "") (env.Getenv "BREW_Y1_RELEASE_VERSION" "") -}}
+{{- /*
+
+  We wrap this template in a test so that the body of the output is
+  empty when there is no "current" version release. The output file
+  must end up completely empty, so we need to remove whitespace from
+  around the first and last template instructions.
+
+*/ -}}
+
+name = "rhel-9.6-microshift-brew-optionals-4.{{ .Env.MINOR_VERSION}}-ec-fips"
+description = "FIPS-enabled version of rhel-9.6-microshift-brew-optionals-4.{{ .Env.MINOR_VERSION}}-ec"
+version = "0.0.1"
+modules = []
+groups = []
+distro = "rhel-96"
+
+# Use the base brewery blueprint as parent
+parent = "rhel-9.6-microshift-brew-optionals-4.{{ .Env.MINOR_VERSION}}-ec"
+
+# Add only FIPS-specific configuration
+[[packages]]
+name = "crypto-policies-scripts"
+version = "*"
+
+[customizations.kernel]
+append = "fips=1"
+
+[[customizations.files]]
+path = "/etc/crypto-policies/config"
+data = "FIPS"
+{{- end -}}
diff --git a/test/image-blueprints/layer1-base/group5/rhel96-brew-rc-with-optionals-fips.toml b/test/image-blueprints/layer1-base/group5/rhel96-brew-rc-with-optionals-fips.toml
@@ -0,0 +1,32 @@
+{{- if and (env.Getenv "BREW_RC_RELEASE_VERSION" "") (env.Getenv "BREW_Y1_RELEASE_VERSION" "") -}}
+{{- /*
+
+  We wrap this template in a test so that the body of the output is
+  empty when there is no "current" version release. The output file
+  must end up completely empty, so we need to remove whitespace from
+  around the first and last template instructions.
+
+*/ -}}
+
+name = "rhel-9.6-microshift-brew-optionals-4.{{ .Env.MINOR_VERSION}}-rc-fips"
+description = "FIPS-enabled version of rhel-9.6-microshift-brew-optionals-4.{{ .Env.MINOR_VERSION}}-rc"
+version = "0.0.1"
+modules = []
+groups = []
+distro = "rhel-96"
+
+# Use the base brewery blueprint as parent
+parent = "rhel-9.6-microshift-brew-optionals-4.{{ .Env.MINOR_VERSION}}-rc"
+
+# Add only FIPS-specific configuration
+[[packages]]
+name = "crypto-policies-scripts"
+version = "*"
+
+[customizations.kernel]
+append = "fips=1"
+
+[[customizations.files]]
+path = "/etc/crypto-policies/config"
+data = "FIPS"
+{{- end -}}
diff --git a/test/image-blueprints/layer1-base/group5/rhel96-brew-zstream-with-optionals-fips.toml b/test/image-blueprints/layer1-base/group5/rhel96-brew-zstream-with-optionals-fips.toml
@@ -0,0 +1,32 @@
+{{- if and (env.Getenv "BREW_Y0_RELEASE_VERSION" "") (env.Getenv "BREW_Y1_RELEASE_VERSION" "") -}}
+{{- /*
+
+  We wrap this template in a test so that the body of the output is
+  empty when there is no "current" version release. The output file
+  must end up completely empty, so we need to remove whitespace from
+  around the first and last template instructions.
+
+*/ -}}
+
+name = "rhel-9.6-microshift-brew-optionals-4.{{ .Env.MINOR_VERSION }}-zstream-fips"
+description = "FIPS-enabled version of rhel-9.6-microshift-brew-optionals-4.{{ .Env.MINOR_VERSION }}-zstream"
+version = "0.0.1"
+modules = []
+groups = []
+distro = "rhel-96"
+
+# Use the base brewery blueprint as parent
+parent = "rhel-9.6-microshift-brew-optionals-4.{{ .Env.MINOR_VERSION }}-zstream"
+
+# Add only FIPS-specific configuration
+[[packages]]
+name = "crypto-policies-scripts"
+version = "*"
+
+[customizations.kernel]
+append = "fips=1"
+
+[[customizations.files]]
+path = "/etc/crypto-policies/config"
+data = "FIPS"
+{{- end -}}
diff --git a/test/scenarios-bootc/releases/el96-lrel@fips.sh.disabled b/test/scenarios-bootc/releases/el96-lrel@fips.sh.disabled
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Sourced from scenario.sh and uses functions defined there.
+
+start_image="rhel96-bootc-brew-${LATEST_RELEASE_TYPE}-with-optional-fips"
+
+check_platform() {
+    if [[ "${UNAME_M}" =~ aarch64 ]] ; then
+        record_junit "setup" "scenario_create_vms" "SKIPPED"
+        exit 0
+    fi
+}
+
+scenario_create_vms() {
+    if ! does_commit_exist "${start_image}"; then
+        echo "Image '${start_image}' not found - skipping test"
+        return 0
+    fi
+
+    check_platform
+
+    prepare_kickstart host1 kickstart-bootc.ks.template "${start_image}"
+    launch_vm --boot_blueprint rhel96-bootc --fips
+}
+
+scenario_remove_vms() {
+    check_platform
+
+    remove_vm host1
+}
+
+scenario_run_tests() {
+    check_platform
+
+    run_tests host1 suites/fips/
+}
+
diff --git a/test/scenarios/releases/el96-lrel@fips.sh.disabled b/test/scenarios/releases/el96-lrel@fips.sh.disabled
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Sourced from scenario.sh and uses functions defined there.
+
+start_image="rhel-9.6-microshift-brew-optionals-4.${MINOR_VERSION}-${LATEST_RELEASE_TYPE}-fips"
+
+check_platform() {
+    if [[ "${UNAME_M}" =~ aarch64 ]] ; then
+        record_junit "setup" "scenario_create_vms" "SKIPPED"
+        exit 0
+    fi
+}
+
+scenario_create_vms() {
+    if ! does_commit_exist "${start_image}"; then
+        echo "Image '${start_image}' not found - skipping test"
+        return 0
+    fi
+
+    check_platform
+
+    prepare_kickstart host1 kickstart.ks.template "${start_image}"
+    launch_vm --fips
+}
+
+scenario_remove_vms() {
+    check_platform
+
+    remove_vm host1
+}
+
+scenario_run_tests() {
+    check_platform
+
+    run_tests host1 suites/fips/
+}
+