diff --git a/.github/actions/build-push-image/action.yaml b/.github/actions/build-push-image/action.yaml index e375832c87..ad92d61f33 100644 --- a/.github/actions/build-push-image/action.yaml +++ b/.github/actions/build-push-image/action.yaml @@ -17,6 +17,10 @@ inputs: suffix: description: Suffix appended to image tags required: false + fips: + description: Whether to build the image with FIPS enabled + default: 'false' + required: false outputs: digest: description: The digest of the built image @@ -88,6 +92,8 @@ runs: build-args: | GO_LINKER_ARGS=${{ steps.prep.outputs.go_linker_args }} GO_BUILD_TAGS=${{ steps.prep.outputs.go_build_tags }} + GOFIPS140=${{ inputs.fips == 'true' && 'v1.0.0' || 'off' }} + GODEBUG_ARG=${{ inputs.fips == 'true' && 'fips140=only,tlsmlkem=0' || '' }} context: . file: ${{ inputs.dockerfile }} provenance: false diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 9116fd6ced..c38e115daf 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -37,7 +37,6 @@ regexManagers: [ { fileMatch: [ - "(^|/|\\.)fips.Dockerfile$", "(^|/|\\.)Dockerfile$", "(^|/|\\.)prerequisites.mk$", "(^|/|\\.)third-party-licenses.sh$", diff --git a/.github/workflows/fips-ci.yaml b/.github/workflows/fips-ci.yaml index 5b9b34a942..2a98c14658 100644 --- a/.github/workflows/fips-ci.yaml +++ b/.github/workflows/fips-ci.yaml @@ -65,7 +65,7 @@ jobs: id: dockerfile with: files: | - fips.Dockerfile + Dockerfile base_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }} - name: List Changed Files run: | @@ -119,8 +119,8 @@ jobs: platforms: ${{ matrix.platform }} images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }} suffix: ${{ matrix.image-postfix }} - dockerfile: ./fips.Dockerfile - + dockerfile: ./Dockerfile + fips: 'true' index: name: Create image-index needs: [detect-changes, prepare, build-images] 
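Review bot: The new `fips` input is a string that downstream steps compare with `== 'true'`, but its description does not say so, so a value such as `yes` or `True` silently produces a non-FIPS image. Suggest `description: Build the image with Go FIPS 140-3 mode enabled; only the string 'true' enables it (default 'false')` so callers of the action learn the contract from the input itself.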
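Review bot: The value assigned to `GODEBUG_ARG` on the second added build-arg line is never used as written: the Dockerfile in this PR expands it as `${GODEBUG_ARG:+fips140=only,tlsmlkem=0}`, so only non-emptiness matters and the same `fips140=only,tlsmlkem=0` string now lives in two files that can drift apart. Either let the Dockerfile use the arg's value directly or make the arg an explicit flag, e.g. `GODEBUG_ARG=${{ inputs.fips == 'true' && 'fips' || '' }}` with the comment `# any non-empty value turns on fips140=only in the runtime image`. The module version `v1.0.0` on the first added line is likewise duplicated in `hack/make/images.mk`; a single default both read would keep CI and local FIPS builds aligned.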
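Review bot: In the `@@ -119,8 +119,8 @@` hunk the blank line separating the build step's `with:` block from the `index:` job is dropped (the removed line is empty and is not re-added), while the same edit in fips-release.yaml keeps it. Restore the blank line after `fips: 'true'` so the two FIPS workflows stay formatted alike.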
diff --git a/.github/workflows/fips-release.yaml b/.github/workflows/fips-release.yaml index 3ad425acc4..0bd9ae72fe 100644 --- a/.github/workflows/fips-release.yaml +++ b/.github/workflows/fips-release.yaml @@ -67,7 +67,8 @@ jobs: platforms: ${{ matrix.platform }} images: ${{ env.DOCKER_IMAGE }},${{ env.ECR_IMAGE }} suffix: ${{ matrix.image-postfix }} - dockerfile: ./fips.Dockerfile + dockerfile: ./Dockerfile + fips: 'true' index: name: Create image-index diff --git a/Dockerfile b/Dockerfile index 38d2ea78da..88e67aac6b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # check=skip=RedundantTargetPlatform # setup build image -FROM --platform=$BUILDPLATFORM golang:1.25.5@sha256:20b91eda7a9627c127c0225b0d4e8ec927b476fa4130c6760928b849d769c149 AS operator-build +FROM --platform=$BUILDPLATFORM golang:tip-20251206 as operator-build WORKDIR /app @@ -19,11 +19,11 @@ ARG GO_LINKER_ARGS ARG GO_BUILD_TAGS ARG TARGETARCH ARG TARGETOS - +ARG GOFIPS140=off RUN --mount=type=cache,target="/root/.cache/go-build" \ --mount=type=cache,target="/go/pkg" \ - CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH \ + CGO_ENABLED=0 GOFIPS140="${GOFIPS140}" GOOS=$TARGETOS GOARCH=$TARGETARCH \ go build -tags "${GO_BUILD_TAGS}" -trimpath -ldflags="${GO_LINKER_ARGS}" \ -o ./build/_output/bin/dynatrace-operator ./cmd/ @@ -79,9 +79,12 @@ LABEL name="Dynatrace Operator" \ vcs-type="git" \ changelog-url="https://github.com/Dynatrace/dynatrace-operator/releases" +ARG GODEBUG_ARG + ENV OPERATOR=dynatrace-operator \ USER_UID=1001 \ - USER_NAME=dynatrace-operator + USER_NAME=dynatrace-operator \ + GODEBUG=${GODEBUG_ARG:+fips140=only,tlsmlkem=0} RUN /usr/local/bin/user_setup diff --git a/hack/build/build_image.sh b/hack/build/build_image.sh index de0aff6ea9..318748317e 100755 --- a/hack/build/build_image.sh +++ b/hack/build/build_image.sh 
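Review bot: The build stage now starts from `golang:tip-20251206`, a development-snapshot tag with no digest, replacing the digest-pinned release `golang:1.25.5@sha256:…`; since fips.Dockerfile is removed, every operator image (FIPS and non-FIPS) is now built by an unreleased toolchain whose content can change under the tag, and the build input is no longer reproducible or verifiable. If a tip build is genuinely required for the FIPS module version or the `tlsmlkem` setting, pin it by digest and record why, e.g. `FROM --platform=$BUILDPLATFORM golang:tip-20251206@sha256:<DIGEST-PLACEHOLDER> AS operator-build` preceded by `# TODO: return to a golang release once <REASON-PLACEHOLDER> ships`; the renovate regex manager touched in this PR presumably will not update an undigested tip tag, so confirm that too. The keyword casing also changed from `AS` to `as`, which BuildKit's FromAsCasing check warns about given the uppercase `FROM`; keep `AS`.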
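Review bot: In the `@@ -19,11 +19,11 @@` hunk `ARG GOFIPS140=off` has no comment and takes the place of the blank line that separated the ARG block from the RUN step, so the meaning of the value (Go Cryptographic Module version selector; `off` builds standard crypto) is only discoverable from action.yaml and images.mk. Suggest `# Go Cryptographic Module version for FIPS 140-3 builds; "off" = standard crypto (set by CI action and hack/make/images.mk)` above it and a blank line before `RUN`.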
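Review bot: In the `@@ -79,9 +79,12 @@` hunk the runtime mode `GODEBUG=${GODEBUG_ARG:+fips140=only,tlsmlkem=0}` is switched independently of the `GOFIPS140` build arg from the earlier hunk, so nothing prevents an image built with `GOFIPS140=off` from running with `fips140=only`, or the reverse (a FIPS-module binary without `only`), which is what `hack/build/build_image.sh` produces in this PR since it forwards only `GOFIPS140`. At minimum document the coupling above the ARG: `# GODEBUG_ARG is a flag: any non-empty value enables fips140=only and tlsmlkem=0 (presumably because the ML-KEM hybrid TLS key exchange is outside the validated module — confirm); must be paired with GOFIPS140 != off in the build stage`. Note also that in the non-FIPS case this leaves an empty `GODEBUG=` in the image, and that `GODEBUG` is an ordinary environment variable, so a pod spec that sets `GODEBUG` overrides the FIPS enforcement; `pkg/version/version.go` in this PR logs `fips140.Enabled()`, which gives operators a way to verify the effective mode at startup.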
@@ -14,6 +14,7 @@ tag=${2} debug=${3:-false} dockerfile=${4:-Dockerfile} platform=${5:-linux/amd64} +gofips140=${6:-off} commit=$(git rev-parse HEAD) go_linker_args=$(hack/build/create_go_linker_args.sh "${tag}" "${commit}" "${debug}") @@ -22,7 +23,7 @@ go_build_tags=$(hack/build/create_go_build_tags.sh false) out_image="${image}:${tag}" # directory required by docker copy command -mkdir -p third_party_licenses +mkdir -p third_party_licenses if ! command -v docker 2>/dev/null; then CONTAINER_CMD=podman @@ -34,6 +35,7 @@ ${CONTAINER_CMD} build "--platform=${platform}" . -f "${dockerfile}" -t "${out_i --build-arg "GO_LINKER_ARGS=${go_linker_args}" \ --build-arg "GO_BUILD_TAGS=${go_build_tags}" \ --build-arg "DEBUG_TOOLS=${debug}" \ + --build-arg "GOFIPS140=${gofips140}" \ --label "quay.expires-after=14d" rm -rf third_party_licenses diff --git a/hack/make/images.mk b/hack/make/images.mk index 0f381af8fa..f2228989c3 100644 --- a/hack/make/images.mk +++ b/hack/make/images.mk @@ -13,6 +13,7 @@ else endif FIPS_TAG ?= ${TAG}-fips +GOFIPS140 ?= v1.0.0 #use the digest if digest is set ifeq ($(DIGEST),) @@ -46,7 +47,7 @@ images/build/push: images/build images/push # because cross-compile takes ~1h, we want to build fips locally only for local architecture # so that's why the recommended way to run it (assuming local platfrom is arm64) is `OPERATOR_DEV_BUILD_PLATFORM="linux/arm64" make images/build/fips images/build/fips: ensure-tag-not-snapshot - $(BUILD_IMAGE_SH) "${IMAGE}" "${FIPS_TAG}" "${DEBUG}" "fips.Dockerfile" "${OPERATOR_BUILD_PLATFORM}" + $(BUILD_IMAGE_SH) "${IMAGE}" "${FIPS_TAG}" "${DEBUG}" "Dockerfile" "${OPERATOR_BUILD_PLATFORM}" "${GOFIPS140}" images/push/fips: ensure-tag-not-snapshot $(PUSH_IMAGE_SH) "${IMAGE}" "${FIPS_TAG}-${OPERATOR_BUILD_ARCH}" diff --git a/pkg/version/version.go b/pkg/version/version.go index 3a0281e627..7b061528d7 100644 --- a/pkg/version/version.go +++ b/pkg/version/version.go 
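Review bot: In the `@@ -34,6 +35,7 @@` hunk the script forwards the new `GOFIPS140` build arg but not `GODEBUG_ARG`, so a local `make images/build/fips` yields a binary built with the FIPS module whose runtime image lacks the `GODEBUG=fips140=only,tlsmlkem=0` that the CI action sets — local and CI FIPS images run in different modes. Derive the flag from the same switch, e.g. `godebug_arg=$([ "${gofips140}" = "off" ] || echo fips)` after the `gofips140=${6:-off}` line of the first hunk and `--build-arg "GODEBUG_ARG=${godebug_arg}" \` next to the new build-arg. The script's usage text, which starts outside these hunks, should also document positional argument 6.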
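Review bot: In the `@@ -13,6 +13,7 @@` hunk of images.mk, `GOFIPS140 ?= v1.0.0` hard-codes the Go Cryptographic Module version a second time (action.yaml in this PR pins the same `v1.0.0` for CI) with no comment on what it selects or when to bump it. Add `# Go Cryptographic Module version used for FIPS builds; keep in sync with .github/actions/build-push-image/action.yaml` above it so the two pins do not drift unnoticed.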
@@ -1,6 +1,7 @@ package version import ( + "crypto/fips140" "fmt" "runtime" "runtime/debug" @@ -37,6 +38,7 @@ func LogVersionToLogger(log logd.Logger) { "buildDate", BuildDate, "goVersion", runtime.Version(), "platform", fmt.Sprintf("%s/%s", runtime.GOOS, runtime.GOARCH), + "fips140", fmt.Sprintf("FIPS 140-3 Mode Enabled: %v", fips140.Enabled()), ) // SetMemoryLimit returns the previously set memory limit. A negative input does not adjust the limit, and allows for retrieval of the currently set memory limit.
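Review bot: The added log field wraps a boolean in a sentence, `"fips140", fmt.Sprintf("FIPS 140-3 Mode Enabled: %v", fips140.Enabled())`, which breaks the key/value form of the neighbouring fields and leaves the value unusable as a boolean in log queries or detection rules. Log it directly: `"fips140Enabled", fips140.Enabled(),`. Note that `fips140.Enabled()` reports whether FIPS 140-3 mode is active, not whether the stricter `only` setting is in effect, so a consumer of this field cannot distinguish the two; LogVersionToLogger begins outside the hunk.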