COO-1739: build: enable strictfipsruntime and CGO for COO Go images #2875
Open
danielmellado wants to merge 1 commit into rhobs:release-1.4 from
07a85e6 to afa223c
Align Konflux Docker builds with Red Hat FIPS-oriented Go (OpenSSL-backed crypto): set GOTOOLCHAIN=local, CGO_ENABLED=1, and GOEXPERIMENT=strictfipsruntime on alertmanager, observability-operator, prometheus, and thanos builder stages.

Admission webhook: build via explicit go build with CGO enabled instead of the upstream Makefile recipe (CGO_ENABLED=0), so binaries pass openshift/check-payload validation. Fix webhook binary COPY path.

Thanos: correct go build flags (-mod=mod -tags=netgo).

hack/analyze-xcrypto-fips.sh: inventory golang.org/x/crypto reachability for all git submodule roots with go.mod (OCPSTRAT-1882 helper).

Tekton (get-submodule-commit-labels): the get-submodule-sha step used buildah-task:2296080, which does not ship git, so CI failed with "git: command not found" after the Konflux image bump (rhobs#2846). Run that step on digest-pinned ubi9-minimal and install git-core before querying submodule HEAD.

Signed-off-by: Daniel Mellado <dmellado@fedoraproject.org>
afa223c to 5e6819e
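One way to check a Containerfile for the build settings the commit message lists, including an inline `CGO_ENABLED=0` on the build line (an added example, not code from this PR or the repository). The function names, the sample Containerfile, its image names and its paths are constructed for illustration.

```shell
# Added example, not code from the PR. Reports each `go build` whose stage lacks the commit
# message's three settings. ARG is ignored; VAR=value words on a RUN line count as overrides.
check_fips_build_env() {
  awk '
    function report(msg) { printf "stage %s: %s\n", stage, msg; bad = 1 }
    { line = pending $0; pending = "" }    # join backslash-continued lines
    line ~ /\\[ \t]*$/ { sub(/\\[ \t]*$/, " ", line); pending = line; next }
    { gsub(/"/, "", line); n = split(line, w, /[ \t]+/)
      i0 = (w[1] == "") ? 2 : 1; kw = toupper(w[i0]) }  # i0 skips leading blanks
    kw == "FROM" {                         # new stage: earlier ENV lines are dropped
      stage = w[i0 + 1]; split("", env)
      for (i = i0 + 1; i < n; i++) if (toupper(w[i]) == "AS") stage = w[i + 1]
    }
    kw == "ENV" {
      if (index(w[i0 + 1], "=") == 0) env[w[i0 + 1]] = w[i0 + 2]  # ENV KEY VALUE
      else for (i = i0 + 1; i <= n; i++) {
        eq = index(w[i], "=")
        if (eq > 1) env[substr(w[i], 1, eq - 1)] = substr(w[i], eq + 1)
      }
    }
    kw == "RUN" && line ~ /go build/ {
      split("", cur); for (k in env) cur[k] = env[k]
      for (i = i0 + 1; i <= n; i++) {      # inline VAR=value overrides ENV
        eq = index(w[i], "=")
        if (eq > 1) cur[substr(w[i], 1, eq - 1)] = substr(w[i], eq + 1)
      }
      if (cur["GOTOOLCHAIN"] != "local") report("GOTOOLCHAIN is not local")
      if (cur["CGO_ENABLED"] != "1") report("CGO_ENABLED is not 1")
      if (("," cur["GOEXPERIMENT"] ",") !~ /,strictfipsruntime,/)
        report("GOEXPERIMENT lacks strictfipsruntime")
    }
    END { exit bad + 0 }
  ' "$1"
}
# Constructed sample: the "webhook" stage disables CGO inline on its build line.
demo() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
FROM example.invalid/builder AS fips
ENV GOTOOLCHAIN=local CGO_ENABLED=1 \
    GOEXPERIMENT=strictfipsruntime
RUN go build -mod=mod -tags=netgo -o /out/app .
FROM example.invalid/builder AS webhook
ENV GOTOOLCHAIN=local GOEXPERIMENT=strictfipsruntime
RUN CGO_ENABLED=0 go build -o /out/webhook .
EOF
  rc=0; check_fips_build_env "$f" || rc=$?; rm -f "$f"; return "$rc"
}
demo || true
```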