Enforce TLS in fips mode for cns-csi admission handler (#3506)

chethanv28 · web-flow · commit f6416fdab531 · 2025-08-29T09:00:52.000-07:00
* Add approved TLS 1.3 cipher suites
* Enfore TLS in fips mode for cns-csi admission handler
diff --git a/Makefile b/Makefile
@@ -13,6 +13,9 @@ export BIN_OUT ?= $(BUILD_OUT)/bin
 # DIST_OUT is the directory containting the distribution packages
 export DIST_OUT ?= $(BUILD_OUT)/dist
 
+# Compile Go with boringcrypto. This is required to import crypto/tls/fipsonly package.
+export GOEXPERIMENT=boringcrypto
+
 
 ################################################################################
 ##                             VERIFY GO VERSION                              ##
@@ -103,11 +106,11 @@ CSI_BIN_SRCS += $(addsuffix /*.go,$(shell go list -f '{{ join .Deps "\n" }}' ./c
 export CSI_BIN_SRCS
 endif
 $(CSI_BIN): $(CSI_BIN_SRCS)
-	CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) go build -ldflags '$(LDFLAGS_CSI)' -o $(CSI_BIN_LINUX) $<
+	CGO_ENABLED=1 GOOS=$(GOOS) GOARCH=$(GOARCH) go build -ldflags '$(LDFLAGS_CSI)' -o $(CSI_BIN_LINUX) $<
 	@touch $@
 
 $(CSI_BIN_WINDOWS): $(CSI_BIN_SRCS)
-	CGO_ENABLED=0 GOOS=windows GOARCH=$(GOARCH) go build -ldflags '$(LDFLAGS_CSI)' -o $(CSI_BIN_WINDOWS) $<
+	CGO_ENABLED=1 GOOS=windows GOARCH=$(GOARCH) go build -ldflags '$(LDFLAGS_CSI)' -o $(CSI_BIN_WINDOWS) $<
 	@touch $@
 
 
@@ -141,7 +144,7 @@ CONTROLLER_GEN=$(shell which controller-gen)
 endif
 
 $(SYNCER_BIN): $(SYNCER_BIN_SRCS) syncer_manifest
-	CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) go build -ldflags '$(LDFLAGS_SYNCER)' -o $(abspath $@) $<
+	CGO_ENABLED=1 GOOS=$(GOOS) GOARCH=$(GOARCH) go build -ldflags '$(LDFLAGS_SYNCER)' -o $(abspath $@) $<
 	@touch $@
 
 # The default build target.
diff --git a/hack/check-staticcheck.sh b/hack/check-staticcheck.sh
@@ -31,4 +31,4 @@ GOOS=linux "$(go env GOPATH)"/bin/staticcheck --version
 
 # shellcheck disable=SC2046
 # shellcheck disable=SC1083
-GOOS=linux "$(go env GOPATH)"/bin/staticcheck $(go list ./... | grep -v /vendor/)
+GOOS=linux "$(go env GOPATH)"/bin/staticcheck $(go list ./...)
diff --git a/images/ci/Dockerfile b/images/ci/Dockerfile
@@ -50,7 +50,7 @@ COPY cmd ./cmd/
 ARG GOOS
 ARG GOARCH
 ARG GOPROXY
-ENV CGO_ENABLED=0 GOOS=${GOOS:-linux} GOARCH=${GOARCH:-amd64}
+ENV CGO_ENABLED=1 GOOS=${GOOS:-linux} GOARCH=${GOARCH:-amd64}
 ENV GOPROXY ${GOPROXY:-https://proxy.golang.org}
 RUN LDFLAGS=$(cat ldflags.txt) && \
     go build -ldflags "${LDFLAGS}" ./cmd/vsphere-csi
diff --git a/images/driver/Dockerfile b/images/driver/Dockerfile
@@ -38,7 +38,9 @@ WORKDIR /build
 COPY go.mod go.sum ./
 COPY pkg/    pkg/
 COPY cmd/    cmd/
-ENV CGO_ENABLED=0
+ENV CGO_ENABLED=1
+ENV GOFIPS=1
+ENV GOEXPERIMENT="boringcrypto"
 ENV GOPROXY ${GOPROXY:-https://proxy.golang.org}
 RUN go build -a -ldflags="-w -s -extldflags=static -X sigs.k8s.io/vsphere-csi-driver/v3/pkg/csi/service.Version=${VERSION}" -o vsphere-csi ./cmd/vsphere-csi
 
diff --git a/images/syncer/Dockerfile b/images/syncer/Dockerfile
@@ -37,10 +37,14 @@ COPY pkg/    pkg/
 
 COPY cmd/    cmd/
 
-ENV CGO_ENABLED=0
+ENV CGO_ENABLED=1
 
 ENV GOPROXY ${GOPROXY:-https://proxy.golang.org}
 
+ENV GOFIPS=1
+
+ENV GOEXPERIMENT="boringcrypto"
+
 RUN go build -a -ldflags="-w -s -extldflags=static -X sigs.k8s.io/vsphere-csi-driver/v3/pkg/syncer.Version=${VERSION}" -o vsphere-syncer ./cmd/syncer
 
 ################################################################################
diff --git a/images/windows/driver/Dockerfile b/images/windows/driver/Dockerfile
@@ -37,7 +37,9 @@ WORKDIR /build
 COPY go.mod go.sum ./
 COPY pkg/    pkg/
 COPY cmd/    cmd/
-ENV CGO_ENABLED=0
+ENV CGO_ENABLED=1
+ENV GOFIPS=1
+ENV GOEXPERIMENT="boringcrypto"
 ENV GOPROXY ${GOPROXY:-https://proxy.golang.org}
 RUN GOOS=windows GOARCH=amd64 go build -a -ldflags="-w -s -extldflags=static -X sigs.k8s.io/vsphere-csi-driver/v3/pkg/csi/service.Version=${VERSION}" -o ./bin/vsphere-csi.windows_amd64 cmd/vsphere-csi/main.go
 
diff --git a/pkg/syncer/admissionhandler/cnscsi_admissionhandler.go b/pkg/syncer/admissionhandler/cnscsi_admissionhandler.go
@@ -3,6 +3,7 @@ package admissionhandler
 import (
 	"context"
 	"crypto/tls"
+	_ "crypto/tls/fipsonly"
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
@@ -85,7 +86,9 @@ func startCNSCSIWebhookManager(ctx context.Context, enableWebhookClientCertVerif
 		func(t *tls.Config) {
 			// CipherSuites allows us to specify TLS 1.2 cipher suites that have been recommended by the Security team
 			t.CipherSuites = []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}
+				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_AES_128_GCM_SHA256,
+				tls.TLS_AES_256_GCM_SHA384}
 			t.MinVersion = tls.VersionTLS12
 		},
 	}
