Switch to use Go 1.24+ runtime FIPS support.

packages/kubernetes-1.29/kubernetes-1.29.spec

@@ -160,11 +160,6 @@ export KUBE_CGO_OVERRIDES="kube-proxy"
 make WHAT="cmd/kubelet"
 make WHAT="cmd/kube-proxy"
 
-export KUBE_OUTPUT_SUBPATH="_fips_output/local"
-export GOEXPERIMENT="boringcrypto"
-make WHAT="cmd/kubelet"
-make WHAT="cmd/kube-proxy"
-
 # build the pause container
 cd build/pause/linux/
 
@@ -188,10 +183,9 @@ install -d %{buildroot}%{_cross_bindir}
 install -p -m 0755 ${output}/kubelet %{buildroot}%{_cross_bindir}
 install -p -m 0755 ${output}/kube-proxy %{buildroot}%{_cross_bindir}
 
-fips_output="./_fips_output/local/bin/linux/%{_cross_go_arch}"
 install -d %{buildroot}%{_cross_fips_bindir}
-install -p -m 0755 ${fips_output}/kubelet %{buildroot}%{_cross_fips_bindir}
-install -p -m 0755 ${fips_output}/kube-proxy %{buildroot}%{_cross_fips_bindir}
+install -p -m 0755 ${output}/kubelet %{buildroot}%{_cross_fips_bindir}
+install -p -m 0755 ${output}/kube-proxy %{buildroot}%{_cross_fips_bindir}
 
 install -d %{buildroot}%{_cross_unitdir}
 install -p -m 0644 %{S:1} %{S:10} %{S:13} %{buildroot}%{_cross_unitdir}

packages/kubernetes-1.30/kubernetes-1.30.spec

@@ -161,11 +161,6 @@ export KUBE_CGO_OVERRIDES="kube-proxy"
 make WHAT="cmd/kubelet"
 make WHAT="cmd/kube-proxy"
 
-export KUBE_OUTPUT_SUBPATH="_fips_output/local"
-export GOEXPERIMENT="boringcrypto"
-make WHAT="cmd/kubelet"
-make WHAT="cmd/kube-proxy"
-
 # build the pause container
 cd build/pause/linux/
 
@@ -189,10 +184,9 @@ install -d %{buildroot}%{_cross_bindir}
 install -p -m 0755 ${output}/kubelet %{buildroot}%{_cross_bindir}
 install -p -m 0755 ${output}/kube-proxy %{buildroot}%{_cross_bindir}
 
-fips_output="./_fips_output/local/bin/linux/%{_cross_go_arch}"
 install -d %{buildroot}%{_cross_fips_bindir}
-install -p -m 0755 ${fips_output}/kubelet %{buildroot}%{_cross_fips_bindir}
-install -p -m 0755 ${fips_output}/kube-proxy %{buildroot}%{_cross_fips_bindir}
+install -p -m 0755 ${output}/kubelet %{buildroot}%{_cross_fips_bindir}
+install -p -m 0755 ${output}/kube-proxy %{buildroot}%{_cross_fips_bindir}
 
 install -d %{buildroot}%{_cross_unitdir}
 install -p -m 0644 %{S:1} %{S:10} %{S:13} %{buildroot}%{_cross_unitdir}

packages/kubernetes-1.31/kubernetes-1.31.spec

@@ -161,11 +161,6 @@ export KUBE_CGO_OVERRIDES="kube-proxy"
 make WHAT="cmd/kubelet"
 make WHAT="cmd/kube-proxy"
 
-export KUBE_OUTPUT_SUBPATH="_fips_output/local"
-export GOEXPERIMENT="boringcrypto"
-make WHAT="cmd/kubelet"
-make WHAT="cmd/kube-proxy"
-
 # build the pause container
 cd build/pause/linux/
 
@@ -189,10 +184,9 @@ install -d %{buildroot}%{_cross_bindir}
 install -p -m 0755 ${output}/kubelet %{buildroot}%{_cross_bindir}
 install -p -m 0755 ${output}/kube-proxy %{buildroot}%{_cross_bindir}
 
-fips_output="./_fips_output/local/bin/linux/%{_cross_go_arch}"
 install -d %{buildroot}%{_cross_fips_bindir}
-install -p -m 0755 ${fips_output}/kubelet %{buildroot}%{_cross_fips_bindir}
-install -p -m 0755 ${fips_output}/kube-proxy %{buildroot}%{_cross_fips_bindir}
+install -p -m 0755 ${output}/kubelet %{buildroot}%{_cross_fips_bindir}
+install -p -m 0755 ${output}/kube-proxy %{buildroot}%{_cross_fips_bindir}
 
 install -d %{buildroot}%{_cross_unitdir}
 install -p -m 0644 %{S:1} %{S:10} %{S:13} %{buildroot}%{_cross_unitdir}

packages/kubernetes-1.32/kubernetes-1.32.spec

@@ -160,11 +160,6 @@ export KUBE_CGO_OVERRIDES="kube-proxy"
 make WHAT="cmd/kubelet"
 make WHAT="cmd/kube-proxy"
 
-export KUBE_OUTPUT_SUBPATH="_fips_output/local"
-export GOEXPERIMENT="boringcrypto"
-make WHAT="cmd/kubelet"
-make WHAT="cmd/kube-proxy"
-
 # build the pause container
 cd build/pause/linux/
 
@@ -188,10 +183,9 @@ install -d %{buildroot}%{_cross_bindir}
 install -p -m 0755 ${output}/kubelet %{buildroot}%{_cross_bindir}
 install -p -m 0755 ${output}/kube-proxy %{buildroot}%{_cross_bindir}
 
-fips_output="./_fips_output/local/bin/linux/%{_cross_go_arch}"
 install -d %{buildroot}%{_cross_fips_bindir}
-install -p -m 0755 ${fips_output}/kubelet %{buildroot}%{_cross_fips_bindir}
-install -p -m 0755 ${fips_output}/kube-proxy %{buildroot}%{_cross_fips_bindir}
+install -p -m 0755 ${output}/kubelet %{buildroot}%{_cross_fips_bindir}
+install -p -m 0755 ${output}/kube-proxy %{buildroot}%{_cross_fips_bindir}
 
 install -d %{buildroot}%{_cross_unitdir}
 install -p -m 0644 %{S:1} %{S:10} %{S:13} %{buildroot}%{_cross_unitdir}

packages/kubernetes-1.33/kubernetes-1.33.spec

@@ -162,11 +162,6 @@ export KUBE_CGO_OVERRIDES="kube-proxy"
 make WHAT="cmd/kubelet"
 make WHAT="cmd/kube-proxy"
 
-export KUBE_OUTPUT_SUBPATH="_fips_output/local"
-export GOEXPERIMENT="boringcrypto"
-make WHAT="cmd/kubelet"
-make WHAT="cmd/kube-proxy"
-
 # build the pause container
 cd build/pause/linux/
 
@@ -190,10 +185,9 @@ install -d %{buildroot}%{_cross_bindir}
 install -p -m 0755 ${output}/kubelet %{buildroot}%{_cross_bindir}
 install -p -m 0755 ${output}/kube-proxy %{buildroot}%{_cross_bindir}
 
-fips_output="./_fips_output/local/bin/linux/%{_cross_go_arch}"
 install -d %{buildroot}%{_cross_fips_bindir}
-install -p -m 0755 ${fips_output}/kubelet %{buildroot}%{_cross_fips_bindir}
-install -p -m 0755 ${fips_output}/kube-proxy %{buildroot}%{_cross_fips_bindir}
+install -p -m 0755 ${output}/kubelet %{buildroot}%{_cross_fips_bindir}
+install -p -m 0755 ${output}/kube-proxy %{buildroot}%{_cross_fips_bindir}
 
 install -d %{buildroot}%{_cross_unitdir}
 install -p -m 0644 %{S:1} %{S:10} %{S:13} %{buildroot}%{_cross_unitdir}

packages/kubernetes-1.34/kubernetes-1.34.spec

@@ -162,11 +162,6 @@ export KUBE_CGO_OVERRIDES="kube-proxy"
 make WHAT="cmd/kubelet"
 make WHAT="cmd/kube-proxy"
 
-export KUBE_OUTPUT_SUBPATH="_fips_output/local"
-export GOEXPERIMENT="boringcrypto"
-make WHAT="cmd/kubelet"
-make WHAT="cmd/kube-proxy"
-
 # build the pause container
 cd build/pause/linux/
 
@@ -190,10 +185,9 @@ install -d %{buildroot}%{_cross_bindir}
 install -p -m 0755 ${output}/kubelet %{buildroot}%{_cross_bindir}
 install -p -m 0755 ${output}/kube-proxy %{buildroot}%{_cross_bindir}
 
-fips_output="./_fips_output/local/bin/linux/%{_cross_go_arch}"
 install -d %{buildroot}%{_cross_fips_bindir}
-install -p -m 0755 ${fips_output}/kubelet %{buildroot}%{_cross_fips_bindir}
-install -p -m 0755 ${fips_output}/kube-proxy %{buildroot}%{_cross_fips_bindir}
+install -p -m 0755 ${output}/kubelet %{buildroot}%{_cross_fips_bindir}
+install -p -m 0755 ${output}/kube-proxy %{buildroot}%{_cross_fips_bindir}
 
 install -d %{buildroot}%{_cross_unitdir}
 install -p -m 0644 %{S:1} %{S:10} %{S:13} %{buildroot}%{_cross_unitdir}

packages/kubernetes-1.35/kubernetes-1.35.spec

@@ -162,11 +162,6 @@ export KUBE_CGO_OVERRIDES="kube-proxy"
 make WHAT="cmd/kubelet"
 make WHAT="cmd/kube-proxy"
 
-export KUBE_OUTPUT_SUBPATH="_fips_output/local"
-export GOEXPERIMENT="boringcrypto"
-make WHAT="cmd/kubelet"
-make WHAT="cmd/kube-proxy"
-
 # build the pause container
 cd build/pause/linux/
 
@@ -190,10 +185,9 @@ install -d %{buildroot}%{_cross_bindir}
 install -p -m 0755 ${output}/kubelet %{buildroot}%{_cross_bindir}
 install -p -m 0755 ${output}/kube-proxy %{buildroot}%{_cross_bindir}
 
-fips_output="./_fips_output/local/bin/linux/%{_cross_go_arch}"
 install -d %{buildroot}%{_cross_fips_bindir}
-install -p -m 0755 ${fips_output}/kubelet %{buildroot}%{_cross_fips_bindir}
-install -p -m 0755 ${fips_output}/kube-proxy %{buildroot}%{_cross_fips_bindir}
+install -p -m 0755 ${output}/kubelet %{buildroot}%{_cross_fips_bindir}
+install -p -m 0755 ${output}/kube-proxy %{buildroot}%{_cross_fips_bindir}
 
 install -d %{buildroot}%{_cross_unitdir}
 install -p -m 0644 %{S:1} %{S:10} %{S:13} %{buildroot}%{_cross_unitdir}

packages/release/fips-go.conf

@@ -0,0 +1,4 @@
+[Service]
+# Enable Go FIPS 140-3 mode for all services. This restricts Go's crypto
+# packages to use only FIPS-approved algorithms.
+Environment=GODEBUG=fips140=only

packages/release/release.spec

@@ -110,6 +110,7 @@ Source1108: systemd-sysusers-selinux.conf
 Source1109: modprobe-no-exit.conf
 Source1110: tmp-mount-noexec.conf
 Source1111: network-pre-target-dbus-dep.conf
+Source1112: fips-go.conf
 
 # network link rules
 Source1200: 80-release.link
@@ -231,6 +232,9 @@ install -p -m 0644 %{S:81} %{buildroot}%{_cross_sysctldir}/81-release-swap.conf
 install -d %{buildroot}%{_cross_unitdir}/service.d
 install -p -m 0644 %{S:1104} %{buildroot}%{_cross_unitdir}/service.d/00-aws-config.conf
 
+install -d %{buildroot}%{_cross_unitdir}/service.d
+install -p -m 0644 %{S:1112} %{buildroot}%{_cross_unitdir}/service.d/00-fips-go.conf
+
 install -d %{buildroot}%{_cross_libdir}/systemd/system.conf.d
 install -p -m 0644 %{S:98} %{buildroot}%{_cross_libdir}/systemd/system.conf.d/80-release.conf
 
@@ -467,6 +471,7 @@ ln -s preconfigured.target %{buildroot}%{_cross_unitdir}/default.target
 %files fips
 %{_cross_bootconfigdir}/10-fips.conf
 %{_cross_tmpfilesdir}/release-fips.conf
+%{_cross_unitdir}/service.d/00-fips-go.conf
 %{_cross_unitdir}/*-bin.mount
 %{_cross_unitdir}/*-libexec.mount
 %{_cross_unitdir}/fipscheck.target