[1.18] Add FIPS compliance config

savitaashture · savitaashture · commit 82cc522a6972 · 2025-02-11T22:59:24.000+05:30
Add tag strictfipsruntime
Fix openssl issue for nop container

Signed-off-by: savitaashture &lt;sashture@redhat.com&gt;
diff --git a/.konflux/dockerfiles/controller.Dockerfile b/.konflux/dockerfiles/controller.Dockerfile
@@ -8,8 +8,9 @@ COPY upstream .
 COPY .konflux/patches patches/
 RUN set -e; for f in patches/*.patch; do echo ${f}; [[ -f ${f} ]] || continue; git apply ${f}; done
 COPY head HEAD
+ENV GOEXPERIMENT=strictfipsruntime
 ENV GODEBUG="http2server=0"
-RUN go build -ldflags="-X 'knative.dev/pkg/changeset.rev=$(cat HEAD)'" -mod=vendor -tags disable_gcp -v -o /tmp/controller \
+RUN go build -ldflags="-X 'knative.dev/pkg/changeset.rev=$(cat HEAD)'" -mod=vendor -tags disable_gcp -tags strictfipsruntime -v -o /tmp/controller \
     ./cmd/controller
 
 FROM $RUNTIME
diff --git a/.konflux/dockerfiles/events.Dockerfile b/.konflux/dockerfiles/events.Dockerfile
@@ -9,7 +9,8 @@ COPY .konflux/patches patches/
 RUN set -e; for f in patches/*.patch; do echo ${f}; [[ -f ${f} ]] || continue; git apply ${f}; done
 COPY head HEAD
 ENV GODEBUG="http2server=0"
-RUN go build -ldflags="-X 'knative.dev/pkg/changeset.rev=$(cat HEAD)'" -mod=vendor -tags disable_gcp -v -o /tmp/events \
+ENV GOEXPERIMENT=strictfipsruntime
+RUN go build -ldflags="-X 'knative.dev/pkg/changeset.rev=$(cat HEAD)'" -mod=vendor -tags disable_gcp -tags strictfipsruntime -v -o /tmp/events \
     ./cmd/events
 
 FROM $RUNTIME
diff --git a/.konflux/dockerfiles/nop.Dockerfile b/.konflux/dockerfiles/nop.Dockerfile
@@ -1,4 +1,5 @@
 ARG GO_BUILDER=brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.23
+ARG MID_RUNTIME=registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:66b99214cb9733e77c4a12cc3e3cbbe76769a213f4e2767f170a4f0fdf9db490
 ARG RUNTIME=scratch
 
 FROM $GO_BUILDER AS builder
@@ -9,12 +10,17 @@ COPY .konflux/patches patches/
 RUN set -e; for f in patches/*.patch; do echo ${f}; [[ -f ${f} ]] || continue; git apply ${f}; done
 COPY head HEAD
 ENV GODEBUG="http2server=0"
-RUN go build -ldflags="-X 'knative.dev/pkg/changeset.rev=$(cat HEAD)'" -mod=vendor -tags disable_gcp -v -o /tmp/nop \
+ENV GOEXPERIMENT=strictfipsruntime
+RUN go build -ldflags="-X 'knative.dev/pkg/changeset.rev=$(cat HEAD)'" -mod=vendor -tags disable_gcp -tags strictfipsruntime -v -o /tmp/nop \
     ./cmd/nop
 
+FROM $MID_RUNTIME AS tmp
+
 FROM $RUNTIME
 ARG VERSION=pipeline-1.18
 
+COPY --from=tmp /usr/lib64/libcrypto.so.* /usr/lib64/
+
 ENV NOP=/usr/local/bin/nop \
     KO_APP=/ko-app \
     KO_DATA_PATH=/kodata
diff --git a/.konflux/dockerfiles/resolvers.Dockerfile b/.konflux/dockerfiles/resolvers.Dockerfile
@@ -9,7 +9,8 @@ COPY .konflux/patches patches/
 RUN set -e; for f in patches/*.patch; do echo ${f}; [[ -f ${f} ]] || continue; git apply ${f}; done
 COPY head HEAD
 ENV GODEBUG="http2server=0"
-RUN go build -ldflags="-X 'knative.dev/pkg/changeset.rev=$(cat HEAD)'" -mod=vendor -tags disable_gcp -v -o /tmp/resolvers \
+ENV GOEXPERIMENT=strictfipsruntime
+RUN go build -ldflags="-X 'knative.dev/pkg/changeset.rev=$(cat HEAD)'" -mod=vendor -tags disable_gcp -tags strictfipsruntime -v -o /tmp/resolvers \
     ./cmd/resolvers
 
 FROM $RUNTIME
diff --git a/.konflux/dockerfiles/sidecarlogresults.Dockerfile b/.konflux/dockerfiles/sidecarlogresults.Dockerfile
@@ -9,7 +9,8 @@ COPY .konflux/patches patches/
 RUN set -e; for f in patches/*.patch; do echo ${f}; [[ -f ${f} ]] || continue; git apply ${f}; done
 COPY head HEAD
 ENV GODEBUG="http2server=0"
-RUN go build -ldflags="-X 'knative.dev/pkg/changeset.rev=$(cat HEAD)'" -mod=vendor -tags disable_gcp -v -o /tmp/sidecarlogresults \
+ENV GOEXPERIMENT=strictfipsruntime
+RUN go build -ldflags="-X 'knative.dev/pkg/changeset.rev=$(cat HEAD)'" -mod=vendor -tags disable_gcp -tags strictfipsruntime -v -o /tmp/sidecarlogresults \
     ./cmd/sidecarlogresults
 
 FROM $RUNTIME
diff --git a/.konflux/dockerfiles/webhook.Dockerfile b/.konflux/dockerfiles/webhook.Dockerfile
@@ -9,7 +9,8 @@ COPY .konflux/patches patches/
 RUN set -e; for f in patches/*.patch; do echo ${f}; [[ -f ${f} ]] || continue; git apply ${f}; done
 COPY head HEAD
 ENV GODEBUG="http2server=0"
-RUN go build -ldflags="-X 'knative.dev/pkg/changeset.rev=$(cat HEAD)'" -mod=vendor -tags disable_gcp -v -o /tmp/webhook \
+ENV GOEXPERIMENT=strictfipsruntime
+RUN go build -ldflags="-X 'knative.dev/pkg/changeset.rev=$(cat HEAD)'" -mod=vendor -tags disable_gcp -tags strictfipsruntime -v -o /tmp/webhook \
     ./cmd/webhook
 
 FROM $RUNTIME
diff --git a/.konflux/dockerfiles/workingdirinit.Dockerfile b/.konflux/dockerfiles/workingdirinit.Dockerfile
@@ -9,7 +9,8 @@ COPY .konflux/patches patches/
 RUN set -e; for f in patches/*.patch; do echo ${f}; [[ -f ${f} ]] || continue; git apply ${f}; done
 COPY head HEAD
 ENV GODEBUG="http2server=0"
-RUN go build -ldflags="-X 'knative.dev/pkg/changeset.rev=$(cat HEAD)'" -mod=vendor -tags disable_gcp -v -o /tmp/workingdirinit \
+ENV GOEXPERIMENT=strictfipsruntime
+RUN go build -ldflags="-X 'knative.dev/pkg/changeset.rev=$(cat HEAD)'" -mod=vendor -tags disable_gcp -tags strictfipsruntime -v -o /tmp/workingdirinit \
     ./cmd/workingdirinit
 
 FROM $RUNTIME
