Deal with crypto policies

[ekohl]

In a non-containerized world you can use crypto-policies (on EL) to configure the TLS protocols & ciphers. Foreman has been moving to that to secure communications in an easy way.

crypto-policies are a user space implementation and containers have their own isolated user space. This means we need a way to manage this at scale.

On a related note, for #219 it means we need to configure each container based on EL9 to use the DEFAULT:PQ policy when the user opts into it.

[ehelms]

A few things I learned:

• Bind mount of crypto policy can break between rhel versions. Therefore, we should not rely on this.
• When system is run in FIPS mode, the container has to use an option / bind-mount for each container but can detect this from the host.
• Crypto policy container update command has to be run as part of the entrypoint / command or special images with crypto policy set would need to be provided per configuration. The latter feels not scaleable. We should continue to pursue what are the best practices in this space.

[ekohl]

Crypto policy container update command has to be run as part of the entrypoint / command or special images with crypto policy set would need to be provided per configuration. The latter feels not scaleable. We should continue to pursue what are the best practices in this space.

Will this work if the container itself runs rootless? We currently don't do that, but it's a best practice.