diff --git a/samples/security/pqc/Dockerfile b/samples/security/pqc/Dockerfile
new file mode 100644
index 0000000000..e2d1ab230a
--- /dev/null
+++ b/samples/security/pqc/Dockerfile
@@ -0,0 +1,48 @@
+FROM docker.io/redhat/ubi9:9.6 AS builder
+
+ARG LIBOQS_TAG=0.12.0
+ARG OQSPROVIDER_TAG=0.8.0
+ARG INSTALLDIR_OPENSSL=/usr/lib64
+ARG INSTALLDIR_LIBOQS=/opt/liboqs
+
+RUN dnf install -y git make cmake ninja-build
+RUN dnf install -y openssl-devel
+RUN dnf install -y gcc gcc-c++
+
+WORKDIR /optbuild
+RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs
+
+WORKDIR /optbuild/liboqs/build
+RUN cmake -G "Ninja" .. \
+ -DOPENSSL_ROOT_DIR=${INSTALLDIR_OPENSSL} \
+ -DCMAKE_INSTALL_PREFIX=${INSTALLDIR_LIBOQS} && \
+ ninja install
+
+WORKDIR /optbuild
+RUN git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git
+
+WORKDIR /optbuild/oqs-provider
+RUN liboqs_DIR=${INSTALLDIR_LIBOQS} cmake \
+ -DOPENSSL_ROOT_DIR=${INSTALLDIR_OPENSSL} \
+ -DCMAKE_BUILD_TYPE=Release \
+ -DCMAKE_PREFIX_PATH=${INSTALLDIR_OPENSSL} \
+ -S . -B _build && \
+ cmake --build _build && \
+ cmake --install _build && \
+ cp _build/lib/oqsprovider.so ${INSTALLDIR_OPENSSL}/ossl-modules
+
+FROM registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9:1.26.2 AS final
+
+ARG INSTALLDIR_OPENSSL=/usr/lib64
+ARG INSTALLDIR_LIBOQS=/opt/liboqs
+
+COPY --from=builder ${INSTALLDIR_LIBOQS} ${INSTALLDIR_LIBOQS}
+COPY --from=builder ${INSTALLDIR_OPENSSL}/ossl-modules ${INSTALLDIR_OPENSSL}/ossl-modules
+
+USER root
+RUN sed '/^default = default_sect$/a oqsprovider = oqsprovider_sect' /etc/pki/tls/openssl.cnf > /tmp/openssl.cnf && \
+ printf "\n[oqsprovider_sect]\n" >> /tmp/openssl.cnf && \
+ echo "module = /usr/lib64/ossl-modules/oqsprovider.so" >> /tmp/openssl.cnf && \
+ echo "activate = 1" >> /tmp/openssl.cnf && \
+ cp /tmp/openssl.cnf /etc/pki/tls/openssl.cnf
+USER 1000
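Review bot: The final-stage `RUN` (the `sed … /a oqsprovider = oqsprovider_sect` line) silently produces a config that never activates the provider if the base image's `/etc/pki/tls/openssl.cnf` has no `default = default_sect` line: the `[oqsprovider_sect]` block is still appended, the build succeeds, and the gap only surfaces at runtime. Prepend a loud check such as `grep -q '^default = default_sect$' /etc/pki/tls/openssl.cnf && \`, and use `${INSTALLDIR_OPENSSL}/ossl-modules/oqsprovider.so` in the `module =` line instead of the hard-coded path so the ARG declarations stay the single source of truth. The two `git clone --branch ${LIBOQS_TAG}` / `--branch ${OQSPROVIDER_TAG}` lines pin to mutable tags with no commit or checksum verification, so the crypto provider baked into the proxy is whatever those tags resolve to at build time; pin a commit SHA (e.g. `git checkout <LIBOQS_COMMIT_SHA>` after the clone, placeholder) or fetch a release archive with `ADD --checksum=sha256:<EXPECTED_SHA256>`. `COPY --from=builder ${INSTALLDIR_OPENSSL}/ossl-modules …` also replaces the final image's entire `ossl-modules` directory with the UBI 9.6 builder's providers, which may not match the OpenSSL the istio-proxy image ships; copying only `oqsprovider.so` limits the change, and since the provider is linked against the builder's `openssl-devel`, a build-time version check against the runtime OpenSSL is worth adding.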
diff --git a/samples/security/pqc/README.md b/samples/security/pqc/README.md
new file mode 100644
index 0000000000..df23e70a18
--- /dev/null
+++ b/samples/security/pqc/README.md
@@ -0,0 +1,196 @@
+# Quantum-Safe Gateway
+
+## Prerequisites
+
+1. Install OpenShift Service Mesh Operator 3.1+.
+1. Install Gateway API CRDs (not required on OCP 4.19+).
+
+ ```shell
+ oc apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/standard-install.yaml
+ ```
+
+## Customize istio-proxy image
+
+OpenShift Service Mesh 3.1 does not deliver istio-proxy image with built-in support for PQC.
+Enabling post-quantum safe algorithms requires configuring [OQS provider](https://github.com/open-quantum-safe/oqs-provider) in the proxy container.
+
+1. Get pull secret from OCP and build the proxy image with OQS provider:
+
+ ```shell
+ oc get secret pull-secret -n openshift-config -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d > /tmp/config.json
+ podman --config /tmp build -t localhost:5000/istio-system/istio-proxyv2-rhel9-oqs:1.26.2 .
+ ```
+
+1. Configure permissions for pushing images to OCP image registry:
+
+ ```shell
+ oc new-project istio-system
+ oc policy add-role-to-user system:image-pusher -z default -n istio-system
+ TOKEN=$(oc create token default -n istio-system)
+ ```
+
+1. Create an image stream for custom istio-proxy and expose the registry:
+
+ ```shell
+ oc patch configs.imageregistry.operator.openshift.io/cluster --type=merge -p '{"spec":{"defaultRoute":true}}'
+ oc create imagestream istio-proxyv2-rhel9-oqs -n istio-system
+ ```
+
+1. Push the local image:
+
+ ```shell
+ HOST=$(oc get route default-route -n openshift-image-registry -o jsonpath='{.spec.host}')
+ podman login --tls-verify=false -u default -p $TOKEN $HOST
+ podman push --tls-verify=false istio-proxyv2-rhel9-oqs:1.26.2 $HOST/istio-system/istio-proxyv2-rhel9-oqs:1.26.2
+ ```
+
+## Install Service Mesh
+
+1. Install CNI:
+
+ ```shell
+ oc new-project istio-cni
+ oc apply -f - <