chore: build fips compliant binaries

On-behalf-of: SAP <[email protected]>
Signed-off-by: Simon Bein <[email protected]>

Author: SimonTheLeg

charts/control-plane-operator/templates/deployment.yaml

@@ -80,6 +80,10 @@ spec:
                 fieldRef:
                   fieldPath: metadata.namespace
             {{- end }}
+            {{- if .Values.fips.enabled }}
+            - name: GODEBUG
+              value: "fips140=only"
+            {{- end }}
           {{- with .Values.init.env }}
             {{- toYaml . | nindent 12 }}
           {{- end }}

charts/control-plane-operator/values.yaml

@@ -148,6 +148,9 @@ rbac:
   role:
     rules: []
 
+fips:
+  enabled: true # controls whether controller is started with GODEBUG=fips140=only option
+
 nodeSelector: {}
 
 tolerations: []

cmd/main.go

@@ -17,6 +17,7 @@ limitations under the License.
 package main
 
 import (
+	"crypto/fips140"
 	"embed"
 	"flag"
 	"os"
@@ -129,6 +130,13 @@ func main() {
 
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
+	// needs to be run after ctrl.Logger has been called, so we can log
+	if fips140.Enabled() {
+		setupLog.Info("Running in FIPS 140-3 compliant mode")
+	} else {
+		setupLog.Info("Running in non-compliant FIPS mode")
+	}
+
 	setupContext := context.Background()
 
 	setupClient, err := client.New(ctrl.GetConfigOrDie(), client.Options{Scheme: schemes.Local})

hack/common/build-binary.sh

@@ -12,7 +12,7 @@ echo "> Building binaries ..."
       echo "> Building binary for component '$comp' ($pf) ..." | indent 1
       os=${pf%/*}
       arch=${pf#*/}
-      CGO_ENABLED=0 GOOS=$os GOARCH=$arch go build -a -o bin/${comp}-${os}.${arch} cmd/main.go | indent 2
+      CGO_ENABLED=0 GOFIPS140=latest GOOS=$os GOARCH=$arch go build -a -o bin/${comp}-${os}.${arch} cmd/main.go | indent 2
     done
   done
 )