chore: build fips compliant binaries

SimonTheLeg · SimonTheLeg · commit c29e60ca9799 · 2025-04-14T15:39:20.000+02:00
On-behalf-of: SAP &lt;simon.bein@sap.com&gt;
Signed-off-by: Simon Bein &lt;simontheleg@gmail.com&gt;
diff --git a/cmd/main.go b/cmd/main.go
@@ -17,6 +17,7 @@ limitations under the License.
 package main
 
 import (
+	"crypto/fips140"
 	"embed"
 	"flag"
 	"os"
@@ -129,6 +130,14 @@ func main() {
 
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
+	// needs to be run after ctrl.Logger has been called, so we can log
+	if fips140.Enabled() {
+		setupLog.Info("Running in FIPS 140-3 compliant mode")
+	} else {
+		setupLog.Error(nil, "Running in non-compliant FIPS mode. Exiting now")
+		os.Exit(1)
+	}
+
 	setupContext := context.Background()
 
 	setupClient, err := client.New(ctrl.GetConfigOrDie(), client.Options{Scheme: schemes.Local})
diff --git a/hack/common/build-binary.sh b/hack/common/build-binary.sh
@@ -12,7 +12,7 @@ echo "> Building binaries ..."
       echo "> Building binary for component '$comp' ($pf) ..." | indent 1
       os=${pf%/*}
       arch=${pf#*/}
-      CGO_ENABLED=0 GOOS=$os GOARCH=$arch go build -a -o bin/${comp}-${os}.${arch} cmd/main.go | indent 2
+      CGO_ENABLED=0 GODEBUG=fips140=only GOOS=$os GOARCH=$arch go build -a -o bin/${comp}-${os}.${arch} cmd/main.go | indent 2
     done
   done
 )

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ echo "> Building binaries ..."`
`12`	`12`	`echo "> Building binary for component '$comp' ($pf) ..." \| indent 1`
`13`	`13`	`os=${pf%/*}`
`14`	`14`	`arch=${pf#*/}`
`15`		`- CGO_ENABLED=0 GOOS=$os GOARCH=$arch go build -a -o bin/${comp}-${os}.${arch} cmd/main.go \| indent 2`
	`15`	`+ CGO_ENABLED=0 GODEBUG=fips140=only GOOS=$os GOARCH=$arch go build -a -o bin/${comp}-${os}.${arch} cmd/main.go \| indent 2`
`16`	`16`	`done`
`17`	`17`	`done`
`18`	`18`	`)`