chore: build fips compliant binaries

SimonTheLeg · SimonTheLeg · commit 89973d409e4e · 2025-04-29T12:41:28.000+02:00
On-behalf-of: SAP &lt;simon.bein@sap.com&gt;
Signed-off-by: Simon Bein &lt;simontheleg@gmail.com&gt;
diff --git a/charts/control-plane-operator/templates/deployment.yaml b/charts/control-plane-operator/templates/deployment.yaml
@@ -80,6 +80,8 @@ spec:
                 fieldRef:
                   fieldPath: metadata.namespace
             {{- end }}
+            - name: GODEBUG
+              value: "fips140={{ .Values.fips.mode }}"
           {{- with .Values.init.env }}
             {{- toYaml . | nindent 12 }}
           {{- end }}
@@ -177,6 +179,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.serviceAccountName
+            - name: GODEBUG
+              value: "fips140={{ .Values.fips.mode }}"
           {{- with .Values.manager.env }}
             {{- toYaml . | nindent 12 }}
           {{- end }}
diff --git a/charts/control-plane-operator/values.yaml b/charts/control-plane-operator/values.yaml
@@ -148,6 +148,9 @@ rbac:
   role:
     rules: []
 
+fips:
+  mode: off # controls GODEBUG=fips140 setting. Set to either off, on, or only (refer to https://go.dev/doc/security/fips140#fips-140-3-mode)
+
 nodeSelector: {}
 
 tolerations: []
diff --git a/cmd/main.go b/cmd/main.go
@@ -17,6 +17,7 @@ limitations under the License.
 package main
 
 import (
+	"crypto/fips140"
 	"embed"
 	"flag"
 	"os"
@@ -129,6 +130,13 @@ func main() {
 
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
+	// needs to be run after ctrl.SetLogger has been called, so we can log
+	if fips140.Enabled() {
+		setupLog.Info("Running in FIPS 140-3 compliant mode")
+	} else {
+		setupLog.Info("Running in non-FIPS-compliant mode")
+	}
+
 	setupContext := context.Background()
 
 	setupClient, err := client.New(ctrl.GetConfigOrDie(), client.Options{Scheme: schemes.Local})
diff --git a/hack/common/build-binary.sh b/hack/common/build-binary.sh
@@ -12,7 +12,7 @@ echo "> Building binaries ..."
       echo "> Building binary for component '$comp' ($pf) ..." | indent 1
       os=${pf%/*}
       arch=${pf#*/}
-      CGO_ENABLED=0 GOOS=$os GOARCH=$arch go build -a -o bin/${comp}-${os}.${arch} cmd/main.go | indent 2
+      CGO_ENABLED=0 GOFIPS140=v1.0.0 GOOS=$os GOARCH=$arch go build -a -o bin/${comp}-${os}.${arch} cmd/main.go | indent 2
     done
   done
 )

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ echo "> Building binaries ..."`
`12`	`12`	`echo "> Building binary for component '$comp' ($pf) ..." \| indent 1`
`13`	`13`	`os=${pf%/*}`
`14`	`14`	`arch=${pf#*/}`
`15`		`- CGO_ENABLED=0 GOOS=$os GOARCH=$arch go build -a -o bin/${comp}-${os}.${arch} cmd/main.go \| indent 2`
	`15`	`+ CGO_ENABLED=0 GOFIPS140=v1.0.0 GOOS=$os GOARCH=$arch go build -a -o bin/${comp}-${os}.${arch} cmd/main.go \| indent 2`
`16`	`16`	`done`
`17`	`17`	`done`
`18`	`18`	`)`