From f3d4e604cf1600d79ab0468cf69ade608324e62e Mon Sep 17 00:00:00 2001
From: Scott Stroud <sstroud@confluent.io>
Date: Mon, 6 Jan 2025 22:46:09 +0000
Subject: [PATCH 1/3] Adding back Java Options

---
 Dockerfile | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 2a5138d..811f9f0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,6 +12,12 @@ FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 # We want UTF-8 and this is the only locale in the base image that supports it
 ENV LANG="C.UTF-8"
 
+# openjdk11 (base image) does not expose all the fips ciphers, like HmacSHA256, when fips enabled
+# This causes issues with keytool & connect, so disable it for ONLY those java processes (not other processes, the OS, or K8S host)
+ARG JAVA_OPTS="-Dsecurity.useSystemPropertiesFile=false -Dcom.redhat.fips=false"
+ENV JDK_JAVA_OPTIONS=$JAVA_OPTS
+ENV JAVA_TOOL_OPTIONS=$JAVA_OPTS
+
 # Set the classpath for JARs required by `cub`
 ENV CUB_CLASSPATH='"/usr/share/java/cp-base-new/*"'
 
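Review bot: The comment on the added lines says FIPS is disabled for only the keytool and connect processes, but `ENV JDK_JAVA_OPTIONS` and `ENV JAVA_TOOL_OPTIONS` are image-wide, so every JVM started in this image, and in any image built on it, inherits `-Dcom.redhat.fips=false`. The second hunk of this patch also removes `RUN update-crypto-policies --set FIPS`, so the "not the OS" part of the comment no longer holds for this image either. I would reword the comment to state the real scope, e.g. `# Disables Red Hat OpenJDK FIPS mode for ALL JVMs in this image and its child images; the image no longer sets the FIPS crypto policy`, and correct `openjdk11`, since hardening_manifest.yaml in this series names an openjdk17 base. If the narrow scope is what is intended, the flags belong on the commands that launch keytool and connect (not visible in this hunk) rather than in `ENV`. It is also worth confirming that `-Dsecurity.useSystemPropertiesFile=false` has any effect, because that name looks like a java.security property rather than a system property.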
@@ -57,9 +63,6 @@ RUN echo "===> dnf installs" \
         && chown appuser:appuser -R /usr/logs \
     && dnfupdate 
     
-# enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
-RUN update-crypto-policies --set FIPS 
-
 # Disable setuid/setgid bits
 RUN find / -perm /6000 -type f -exec chmod a-s {} \; || true
 RUN find / -perm /6000 -type f -exec chmod g-s {} \; || true
-- 
GitLab


From 4d1316cf973602bd9d2745df4dd41c9f00f5ba0d Mon Sep 17 00:00:00 2001
From: Scott Stroud <sstroud@confluent.io>
Date: Mon, 6 Jan 2025 22:47:21 +0000
Subject: [PATCH 2/3] new tag for update

---
 hardening_manifest.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 1f55499..4ff18c7 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -8,8 +8,9 @@ name: "confluentinc/cp-base-new"
 # on ironbank.dso.mil
 tags:
   - "Q4_2024_jdk17"
-  - "2024-12-11"
+  - "2025-01-06"
   - "7.7.2"
+  - "7.8.0"
   - "latest-ubi8.amd64"
   - "latest.amd64"
   - "latest_jdk17"
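Review bot: The new `7.8.0` tag is added while `CP_BASE_NEW_TAG` in the args block just below stays at `"7.7.2"` and the existing `7.7.2` tag is kept, so one build would be published under both version tags. If that arg selects the packaged version (its use is not visible in this patch), consumers pinning `7.8.0` would receive 7.7.2 content. Either bump the arg to `"7.8.0"` and drop the old tag, or add a comment above the tag such as `# 7.8.0 is an alias of the 7.7.2 build` so the mismatch is explicit to anyone auditing the manifest.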
@@ -19,7 +20,7 @@ tags:
 args:
   CP_BASE_NEW_IMAGE: "confluentinc/cp-base-new"
   CP_BASE_NEW_TAG: "7.7.2"
-  BASE_IMAGE: "redhat/openjdk/openjdk17"
+  BASE_IMAGE: "ironbank/redhat/openjdk/openjdk17"
   BASE_TAG: "1.17"
 
 # Docker image labels
-- 
GitLab


From f5de40f6ecdc95575ce8392203484adc268aa409 Mon Sep 17 00:00:00 2001
From: Scott Stroud <sstroud@confluent.io>
Date: Mon, 6 Jan 2025 23:17:47 +0000
Subject: [PATCH 3/3] undo url

---
 hardening_manifest.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 4ff18c7..08327c3 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -20,7 +20,7 @@ tags:
 args:
   CP_BASE_NEW_IMAGE: "confluentinc/cp-base-new"
   CP_BASE_NEW_TAG: "7.7.2"
-  BASE_IMAGE: "ironbank/redhat/openjdk/openjdk17"
+  BASE_IMAGE: "redhat/openjdk/openjdk17"
   BASE_TAG: "1.17"
 
 # Docker image labels
-- 
GitLab