
Conversation

@JasonPowr
Member

@JasonPowr JasonPowr commented Nov 3, 2025

Summary by Sourcery

Enable FIPS checks in CI pipelines and mark the operator as FIPS-compliant

Enhancements:

  • Add fips-check parameter set to true across operator and bundle Tekton pipeline definitions for pull-request and push workflows
  • Update bundle Dockerfile and ClusterServiceVersion manifest to label the operator as FIPS-compliant

@sourcery-ai

sourcery-ai bot commented Nov 3, 2025


Reviewer's Guide

This PR enables FIPS compliance by introducing a FIPS_CHECK parameter to the Tekton CI pipelines for both pull request and push workflows and updating bundle and operator CSV metadata labels to mark them as FIPS-compliant.

Entity relationship diagram for updated FIPS-compliant metadata labels

```mermaid
erDiagram
  OPERATOR_BUNDLE {
    string name
    string fips-compliant
  }
  CLUSTERSERVICEVERSION {
    string name
    string fips-compliant
  }
  OPERATOR_BUNDLE ||--|| CLUSTERSERVICEVERSION : contains
  OPERATOR_BUNDLE ||--|| CLUSTERSERVICEVERSION : mirrors fips-compliant
```

File-Level Changes

| Change | Details | Files |
|---|---|---|
| Enable FIPS check in CI pipelines | Add a fips-check parameter with value "true" to the pull-request bundle pipeline, the push bundle pipeline, the pull-request operator pipeline and the push operator pipeline | .tekton/rhtas-operator-bundle-pull-request.yaml, .tekton/rhtas-operator-bundle-push.yaml, .tekton/rhtas-operator-pull-request.yaml, .tekton/rhtas-operator-push.yaml |
| Mark bundle as FIPS-compliant | Change the features.operators.openshift.io/fips-compliant label to "true" | bundle.Dockerfile |
| Mark operator CSV as FIPS-compliant | Update the clusterserviceversion annotation features.operators.openshift.io/fips-compliant to "true" | config/manifests/bases/rhtas-operator.clusterserviceversion.yaml |


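The reviewer's guide notes that the bundle Dockerfile LABEL and the CSV annotation are meant to mirror each other. As an added check (not code from this PR or the operator repository), the POSIX shell script below extracts `features.operators.openshift.io/fips-compliant` from both files and fails unless they agree and both read "true"; the file names mirror the PR, their contents are constructed fixtures, and the sed patterns are this example's own assumption about the line shapes.

```shell
#!/bin/sh
# Added example, not code from the PR or the operator repository: verify that
# the bundle Dockerfile LABEL and the CSV annotation for
# features.operators.openshift.io/fips-compliant are both present and agree.
# File names mirror the PR; their contents are constructed fixtures.
set -eu

FIPS_KEY='features.operators.openshift.io/fips-compliant'

# Print the LABEL value from a bundle Dockerfile (empty if the label is absent).
# Matches "LABEL <key>=true" and "LABEL <key>="true"".
dockerfile_fips_value() {
    sed -n "s|^LABEL[[:space:]]*${FIPS_KEY}=\"\{0,1\}\([A-Za-z]*\)\"\{0,1\}.*|\1|p" "$1" | head -n 1
}

# Print the annotation value from a ClusterServiceVersion manifest (empty if absent).
csv_fips_value() {
    sed -n "s|^[[:space:]]*${FIPS_KEY}:[[:space:]]*\"\{0,1\}\([A-Za-z]*\)\"\{0,1\}.*|\1|p" "$1" | head -n 1
}

# Compare both sources. Prints "ok" only when both say "true"; otherwise a
# one-line reason suitable for failing a CI step.
check_fips_labels() {
    d=$(dockerfile_fips_value "$1")
    c=$(csv_fips_value "$2")
    if [ -z "$d" ] || [ -z "$c" ]; then
        echo "missing: dockerfile='${d}' csv='${c}'"
    elif [ "$d" != "$c" ]; then
        echo "mismatch: dockerfile='${d}' csv='${c}'"
    elif [ "$d" != "true" ]; then
        echo "not-compliant: ${d}"
    else
        echo ok
    fi
}

# Constructed fixtures: the "after" state of the PR plus a stale CSV still
# annotated "false", to show the mismatch path.
make_fixtures() {
    mkdir -p "$1"
    printf 'FROM scratch\nLABEL %s=true\n' "$FIPS_KEY" > "$1/bundle.Dockerfile"
    printf 'metadata:\n  annotations:\n    %s: "true"\n' "$FIPS_KEY" > "$1/csv.yaml"
    printf 'metadata:\n  annotations:\n    %s: "false"\n' "$FIPS_KEY" > "$1/csv-old.yaml"
}

# Stand-alone usage:
#   make_fixtures /tmp/fips-demo
#   check_fips_labels /tmp/fips-demo/bundle.Dockerfile /tmp/fips-demo/csv.yaml   # prints ok
```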
@JasonPowr JasonPowr changed the title ci: enable fips checks Enable fips checks Nov 3, 2025
@JasonPowr JasonPowr force-pushed the fips-compliance-test branch 4 times, most recently from 7d00a47 to 450dd5a Compare November 6, 2025 13:49
@osmman osmman added the test label Nov 6, 2025
@JasonPowr JasonPowr force-pushed the fips-compliance-test branch 2 times, most recently from 1afcdf3 to 9ffd5ae Compare November 10, 2025 14:52
@JasonPowr
Member Author

/retest

@JasonPowr JasonPowr force-pushed the fips-compliance-test branch 3 times, most recently from de2a51a to 216c389 Compare November 14, 2025 12:04
@JasonPowr JasonPowr force-pushed the fips-compliance-test branch from 216c389 to 64e4be2 Compare November 14, 2025 14:02
@JasonPowr JasonPowr force-pushed the fips-compliance-test branch from 64e4be2 to 7cdf9bd Compare November 14, 2025 15:22
@qodo-merge-pro

CI Feedback 🧐

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: Test upgrade operator

Failed stage: Run tests [❌]

Failed test name: Operator upgrade [It] Verify deployment was upgraded

Failure summary:

The action failed because the E2E test for operator upgrade timed out waiting for the Trillian components to become ready:
- Pod trillian-db-6d4b48dd9d-qk95t failed to start because its container was "waiting to start: trying and failing to pull image" (image pull failure).
- As a result, deployment trillian-db was not available, causing the test's Eventually assertion to time out after 300s.
- Failure reported at /home/runner/work/secure-sign-operator/secure-sign-operator/test/e2e/support/tas/trillian/trillian.go:27.
- Additional pods (trillian-logserver, trillian-logsigner) were still PodInitializing, indicating the stack couldn't fully start.

Relevant error logs:

```text
REGISTRY: ghcr.io
CONTAINER_TOOL: podman
IMG: ghcr.io/securesign/secure-sign-operator:dev-bae6c17b3bc524a90b22393a97bde55856b268d5
BUNDLE_IMG: ghcr.io/securesign/secure-sign-operator-bundle:dev-bae6c17b3bc524a90b22393a97bde55856b268d5
CATALOG_IMG: ghcr.io/securesign/secure-sign-operator-fbc:dev-bae6c17b3bc524a90b22393a97bde55856b268d5
NEW_OLM_CHANNEL: rhtas-operator.v1.4.0
OCP_VERSION: v4.19
REGISTRY_AUTH_FILE: /tmp/config.json
TEST_BASE_CATALOG: registry.redhat.io/redhat/redhat-operator-index:v4.19
TEST_TARGET_CATALOG: ghcr.io/securesign/secure-sign-operator-fbc:dev-bae6c17b3bc524a90b22393a97bde55856b268d5
##[endgroup]
Running Suite: Trusted Artifact Signer E2E Suite - /home/runner/work/secure-sign-operator/secure-sign-operator/test/e2e
=======================================================================================================================
Random Seed: 1763134393
Will run 9 of 9 specs
•••••2025/11/14 15:44:49 failed to open log stream for pod "trillian-db-6d4b48dd9d-qk95t": container "trillian-db" in pod "trillian-db-6d4b48dd9d-qk95t" is waiting to start: trying and failing to pull image
2025/11/14 15:44:49 failed to open log stream for pod "trillian-logserver-94885b449-nblm8": container "trillian-logserver" in pod "trillian-logserver-94885b449-nblm8" is waiting to start: PodInitializing
2025/11/14 15:44:49 failed to open log stream for pod "trillian-logsigner-79656b44f9-92g2k": container "trillian-logsigner" in pod "trillian-logsigner-79656b44f9-92g2k" is waiting to start: PodInitializing
------------------------------
• [FAILED] [317.794 seconds]
Operator upgrade [It] Verify deployment was upgraded
/home/runner/work/secure-sign-operator/secure-sign-operator/test/e2e/upgrade_test.go:217
Timeline >>
[FAILED] in [It] - /home/runner/work/secure-sign-operator/secure-sign-operator/test/e2e/support/tas/trillian/trillian.go:27 @ 11/14/25 15:44:49.297
----------------------- Dumping operator resources -----------------------
ClusterServiceVersions:
rhtas-operator.v1.4.0 1.4.0 Succeeded
CatalogSources:
test-catalog ghcr.io/securesign/secure-sign-operator-fbc:dev-bae6c17b3bc524a90b22393a97bde55856b268d5 READY
----------------------- Dumping namespace upgrade-test-ttfvz -----------------------
<< Timeline
[FAILED] Timed out after 300.000s.
The function passed to Eventually returned the following error:
<*fmt.wrapErrors | 0xc000640660>: 
deployment not ready(trillian-db): not available
{
msg: "deployment not ready(trillian-db): not available",
errs: [
<*errors.errorString | 0x242d730>{
s: "deployment not ready",
},
<*errors.errorString | 0x242d750>{s: "not available"},
],
}
In [It] at: /home/runner/work/secure-sign-operator/secure-sign-operator/test/e2e/support/tas/trillian/trillian.go:27 @ 11/14/25 15:44:49.297
------------------------------
SSS
Summarizing 1 Failure:
[FAIL] Operator upgrade [It] Verify deployment was upgraded
/home/runner/work/secure-sign-operator/secure-sign-operator/test/e2e/support/tas/trillian/trillian.go:27
Ran 6 of 9 Specs in 695.768 seconds
FAIL! -- 5 Passed | 1 Failed | 0 Pending | 3 Skipped
--- FAIL: TestE2e (695.77s)
FAIL
...
ok  	github.com/securesign/operator/test/e2e/high_avalability	0.005s
?   	github.com/securesign/operator/test/e2e/support	[no test files]
?   	github.com/securesign/operator/test/e2e/support/condition	[no test files]
?   	github.com/securesign/operator/test/e2e/support/kubernetes	[no test files]
?   	github.com/securesign/operator/test/e2e/support/steps	[no test files]
?   	github.com/securesign/operator/test/e2e/support/tas	[no test files]
?   	github.com/securesign/operator/test/e2e/support/tas/cli	[no test files]
?   	github.com/securesign/operator/test/e2e/support/tas/ctlog	[no test files]
?   	github.com/securesign/operator/test/e2e/support/tas/fulcio	[no test files]
?   	github.com/securesign/operator/test/e2e/support/tas/rekor	[no test files]
?   	github.com/securesign/operator/test/e2e/support/tas/securesign	[no test files]
?   	github.com/securesign/operator/test/e2e/support/tas/trillian	[no test files]
?   	github.com/securesign/operator/test/e2e/support/tas/tsa	[no test files]
?   	github.com/securesign/operator/test/e2e/support/tas/tuf	[no test files]
FAIL
##[error]Process completed with exit code 1.
##[group]Run actions/upload-artifact@v4
```

@JasonPowr JasonPowr force-pushed the fips-compliance-test branch from 7cdf9bd to 3624996 Compare November 18, 2025 16:10