From 38ba065df9054c4ace68772cf0c75c40d9e7bb6c Mon Sep 17 00:00:00 2001 From: Andrii Soldatenko Date: Thu, 27 Nov 2025 13:33:47 +0100 Subject: [PATCH 01/23] add fips enabled to logs --- pkg/version/version.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkg/version/version.go b/pkg/version/version.go index 3a0281e627..6bd5a94214 100644 --- a/pkg/version/version.go +++ b/pkg/version/version.go @@ -1,6 +1,7 @@ package version import ( + "crypto/fips140" "fmt" "runtime" "runtime/debug" @@ -37,6 +38,7 @@ func LogVersionToLogger(log logd.Logger) { "buildDate", BuildDate, "goVersion", runtime.Version(), "platform", fmt.Sprintf("%s/%s", runtime.GOOS, runtime.GOARCH), + "fips140", fmt.Sprintf("FIPS 140-2 Mode Enabled: %v", fips140.Enabled()), ) // SetMemoryLimit returns the previously set memory limit. A negative input does not adjust the limit, and allows for retrieval of the currently set memory limit. From 34b2d38f0b956e47d69999572dafd24c286e3a17 Mon Sep 17 00:00:00 2001 From: Andrii Soldatenko Date: Thu, 27 Nov 2025 13:36:11 +0100 Subject: [PATCH 02/23] update Dockerfile --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 38d2ea78da..0333f6f437 100644 --- a/Dockerfile +++ b/Dockerfile @@ -19,11 +19,12 @@ ARG GO_LINKER_ARGS ARG GO_BUILD_TAGS ARG TARGETARCH ARG TARGETOS +ARG GOFIPS140=v1.0.0 RUN --mount=type=cache,target="/root/.cache/go-build" \ --mount=type=cache,target="/go/pkg" \ - CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH \ + CGO_ENABLED=0 GOFIPS140="${GOFIPS140}" GOOS=$TARGETOS GOARCH=$TARGETARCH \ go build -tags "${GO_BUILD_TAGS}" -trimpath -ldflags="${GO_LINKER_ARGS}" \ -o ./build/_output/bin/dynatrace-operator ./cmd/ From 756c20fcd4e775bf8292e3bb07a9420ab6f8dc2c Mon Sep 17 00:00:00 2001 
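Review bot: The new `"fips140"` key/value pair wraps a boolean in a pre-formatted string, so the structured field carries `FIPS 140-2 Mode Enabled: true` rather than a plain value that log consumers can filter or alert on. Emit the bool directly and let the key carry the meaning, e.g. `"fips140Enabled", fips140.Enabled(),`. The body of LogVersionToLogger continues outside the hunk.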
From: Andrii Soldatenko Date: Thu, 27 Nov 2025 14:39:50 +0100 Subject: [PATCH 03/23] remove fips.Dockerfile and use single source of truth # Conflicts: # .github/workflows/fips-ci.yaml --- .github/actions/build-push-image/action.yaml | 5 +++++ .github/renovate.json5 | 1 - .github/workflows/fips-release.yaml | 3 ++- Dockerfile | 2 +- hack/build/build_image.sh | 4 +++- hack/make/images.mk | 3 ++- 6 files changed, 13 insertions(+), 5 deletions(-) diff --git a/.github/actions/build-push-image/action.yaml b/.github/actions/build-push-image/action.yaml index e375832c87..67542e953c 100644 --- a/.github/actions/build-push-image/action.yaml +++ b/.github/actions/build-push-image/action.yaml @@ -17,6 +17,10 @@ inputs: suffix: description: Suffix appended to image tags required: false + fips: + description: Whether to build the image with FIPS enabled + default: "false" + required: false outputs: digest: description: The digest of the built image @@ -88,6 +92,7 @@ runs: build-args: | GO_LINKER_ARGS=${{ steps.prep.outputs.go_linker_args }} GO_BUILD_TAGS=${{ steps.prep.outputs.go_build_tags }} + GOFIPS=${{ inputs.fips == 'true' && 'v1.0.0' || 'off' }} context: . file: ${{ inputs.dockerfile }} provenance: false diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 9116fd6ced..c38e115daf 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -37,7 +37,6 @@ regexManagers: [ { fileMatch: [ - "(^|/|\\.)fips.Dockerfile$", "(^|/|\\.)Dockerfile$", "(^|/|\\.)prerequisites.mk$", "(^|/|\\.)third-party-licenses.sh$", diff --git a/.github/workflows/fips-release.yaml b/.github/workflows/fips-release.yaml index 3ad425acc4..0bd9ae72fe 100644 --- a/.github/workflows/fips-release.yaml +++ b/.github/workflows/fips-release.yaml 
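Review bot: The FIPS module version `v1.0.0` is hard-coded in the new `GOFIPS=...` build-arg line here and again as `GOFIPS140 ?= v1.0.0` in `hack/make/images.mk` in this same commit, so the CI and local build paths can drift despite the commit's "single source of truth" aim. Consider holding the version in one place (for example a Dockerfile `ARG` default that callers only toggle, or one shared variable both the workflow and the Makefile read). If the renovate regex manager touched in this commit is what keeps toolchain versions current, note that neither of those two files is in its `fileMatch` list, so the pinned module version would not be tracked there either.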
@@ -67,7 +67,8 @@ jobs: platforms: ${{ matrix.platform }} images: ${{ env.DOCKER_IMAGE }},${{ env.ECR_IMAGE }} suffix: ${{ matrix.image-postfix }} - dockerfile: ./fips.Dockerfile + dockerfile: ./Dockerfile + fips: 'true' index: name: Create image-index diff --git a/Dockerfile b/Dockerfile index 0333f6f437..3659924a0f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -19,7 +19,7 @@ ARG GO_LINKER_ARGS ARG GO_BUILD_TAGS ARG TARGETARCH ARG TARGETOS -ARG GOFIPS140=v1.0.0 +ARG GOFIPS140=off RUN --mount=type=cache,target="/root/.cache/go-build" \ diff --git a/hack/build/build_image.sh b/hack/build/build_image.sh index de0aff6ea9..614dafb359 100755 --- a/hack/build/build_image.sh +++ b/hack/build/build_image.sh @@ -14,6 +14,7 @@ tag=${2} debug=${3:-false} dockerfile=${4:-Dockerfile} platform=${5:-linux/amd64} +gofips140=${6:-off} commit=$(git rev-parse HEAD) go_linker_args=$(hack/build/create_go_linker_args.sh "${tag}" "${commit}" "${debug}") @@ -22,7 +23,7 @@ go_build_tags=$(hack/build/create_go_build_tags.sh false) out_image="${image}:${tag}" # directory required by docker copy command -mkdir -p third_party_licenses +mkdir -p third_party_licenses if ! command -v docker 2>/dev/null; then CONTAINER_CMD=podman @@ -34,6 +35,7 @@ ${CONTAINER_CMD} build "--platform=${platform}" . -f "${dockerfile}" -t "${out_i --build-arg "GO_LINKER_ARGS=${go_linker_args}" \ --build-arg "GO_BUILD_TAGS=${go_build_tags}" \ --build-arg "DEBUG_TOOLS=${debug}" \ + --build-arg "GOFIPS140=${gofips140:-off}" \ --label "quay.expires-after=14d" rm -rf third_party_licenses diff --git a/hack/make/images.mk b/hack/make/images.mk index 0f381af8fa..f2228989c3 100644 --- a/hack/make/images.mk +++ b/hack/make/images.mk @@ -13,6 +13,7 @@ else endif FIPS_TAG ?= ${TAG}-fips +GOFIPS140 ?= v1.0.0 #use the digest if digest is set ifeq ($(DIGEST),) 
@@ -46,7 +47,7 @@ images/build/push: images/build images/push # because cross-compile takes ~1h, we want to build fips locally only for local architecture # so that's why the recommended way to run it (assuming local platfrom is arm64) is `OPERATOR_DEV_BUILD_PLATFORM="linux/arm64" make images/build/fips images/build/fips: ensure-tag-not-snapshot - $(BUILD_IMAGE_SH) "${IMAGE}" "${FIPS_TAG}" "${DEBUG}" "fips.Dockerfile" "${OPERATOR_BUILD_PLATFORM}" + $(BUILD_IMAGE_SH) "${IMAGE}" "${FIPS_TAG}" "${DEBUG}" "Dockerfile" "${OPERATOR_BUILD_PLATFORM}" "${GOFIPS140}" images/push/fips: ensure-tag-not-snapshot $(PUSH_IMAGE_SH) "${IMAGE}" "${FIPS_TAG}-${OPERATOR_BUILD_ARCH}" From 25829d4c98a859c36947f6f7231b441336a268be Mon Sep 17 00:00:00 2001 From: Andrii Soldatenko Date: Thu, 27 Nov 2025 15:15:37 +0100 Subject: [PATCH 04/23] Update hack/build/build_image.sh Co-authored-by: aorcholski <84514340+aorcholski@users.noreply.github.com> --- hack/build/build_image.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hack/build/build_image.sh b/hack/build/build_image.sh index 614dafb359..318748317e 100755 --- a/hack/build/build_image.sh +++ b/hack/build/build_image.sh @@ -35,7 +35,7 @@ ${CONTAINER_CMD} build "--platform=${platform}" . -f "${dockerfile}" -t "${out_i --build-arg "GO_LINKER_ARGS=${go_linker_args}" \ --build-arg "GO_BUILD_TAGS=${go_build_tags}" \ --build-arg "DEBUG_TOOLS=${debug}" \ - --build-arg "GOFIPS140=${gofips140:-off}" \ + --build-arg "GOFIPS140=${gofips140}" \ --label "quay.expires-after=14d" rm -rf third_party_licenses From 3e148ec75842f22801f05cc6733946edbb870435 Mon Sep 17 00:00:00 2001 From: Andrii Soldatenko Date: Thu, 27 Nov 2025 17:52:58 +0100 Subject: [PATCH 05/23] fixup quotes --- .github/actions/build-push-image/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/build-push-image/action.yaml b/.github/actions/build-push-image/action.yaml index 67542e953c..1e5b03d6b2 100644 
--- a/.github/actions/build-push-image/action.yaml +++ b/.github/actions/build-push-image/action.yaml @@ -19,7 +19,7 @@ inputs: required: false fips: description: Whether to build the image with FIPS enabled - default: "false" + default: 'false' required: false outputs: digest: From bf60082455ec674262dd70a6032bdd6a0373576f Mon Sep 17 00:00:00 2001 From: Andrii Soldatenko Date: Thu, 27 Nov 2025 18:02:10 +0100 Subject: [PATCH 06/23] fixup typo --- .github/actions/build-push-image/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/build-push-image/action.yaml b/.github/actions/build-push-image/action.yaml index 1e5b03d6b2..23dc613c34 100644 --- a/.github/actions/build-push-image/action.yaml +++ b/.github/actions/build-push-image/action.yaml @@ -92,7 +92,7 @@ runs: build-args: | GO_LINKER_ARGS=${{ steps.prep.outputs.go_linker_args }} GO_BUILD_TAGS=${{ steps.prep.outputs.go_build_tags }} - GOFIPS=${{ inputs.fips == 'true' && 'v1.0.0' || 'off' }} + GOFIPS140=${{ inputs.fips == 'true' && 'v1.0.0' || 'off' }} context: . file: ${{ inputs.dockerfile }} provenance: false From d78c04c44b9e9c618150847cea074b7dd38bc7e1 Mon Sep 17 00:00:00 2001 From: Andrii Soldatenko Date: Fri, 28 Nov 2025 09:33:03 +0100 Subject: [PATCH 07/23] Update pkg/version/version.go Co-authored-by: Mario Valderrama --- pkg/version/version.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/version/version.go b/pkg/version/version.go index 6bd5a94214..7b061528d7 100644 --- a/pkg/version/version.go +++ b/pkg/version/version.go 
@@ -38,7 +38,7 @@ func LogVersionToLogger(log logd.Logger) { "buildDate", BuildDate, "goVersion", runtime.Version(), "platform", fmt.Sprintf("%s/%s", runtime.GOOS, runtime.GOARCH), - "fips140", fmt.Sprintf("FIPS 140-2 Mode Enabled: %v", fips140.Enabled()), + "fips140", fmt.Sprintf("FIPS 140-3 Mode Enabled: %v", fips140.Enabled()), ) // SetMemoryLimit returns the previously set memory limit. A negative input does not adjust the limit, and allows for retrieval of the currently set memory limit. From f285b549ed6f92a1c959be57fad5918c31c64b02 Mon Sep 17 00:00:00 2001 From: Andrii Soldatenko Date: Tue, 9 Dec 2025 11:08:12 +0100 Subject: [PATCH 08/23] add test --- .../default/templates/Common/operator/deployment-operator.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/helm/chart/default/templates/Common/operator/deployment-operator.yaml b/config/helm/chart/default/templates/Common/operator/deployment-operator.yaml index 34b1212105..df492ddce2 100644 --- a/config/helm/chart/default/templates/Common/operator/deployment-operator.yaml +++ b/config/helm/chart/default/templates/Common/operator/deployment-operator.yaml @@ -71,6 +71,8 @@ spec: value: {{ include "dynatrace-operator.image" . }} - name: DT_HOST_AVAILABILITY_DETECTION value: "{{ .Values.operator.hostAvailabilityDetection }}" + - name: GODEBUG + value: fips140=only {{- if .Values.debugLogs }} - name: LOG_LEVEL value: "debug" From c62b61046fa20b6a3ad3920e9da2bb2f6b9379ae Mon Sep 17 00:00:00 2001 From: Andrii Soldatenko Date: Tue, 9 Dec 2025 11:16:55 +0100 Subject: [PATCH 09/23] build image --- Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Dockerfile b/Dockerfile index 3659924a0f..11ac7f2e23 100644 --- a/Dockerfile +++ b/Dockerfile @@ -88,4 +88,6 @@ RUN /usr/local/bin/user_setup ENTRYPOINT ["/usr/local/bin/entrypoint"] +RUN echo 1 + USER ${USER_UID}:${USER_UID} From 1575891ace73297ddb7e817220fa1e0f8318ff09 Mon Sep 17 00:00:00 2001 
From: Andrii Soldatenko Date: Tue, 9 Dec 2025 13:19:25 +0100 Subject: [PATCH 10/23] undo some changes --- Dockerfile | 2 -- 1 file changed, 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 11ac7f2e23..3659924a0f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -88,6 +88,4 @@ RUN /usr/local/bin/user_setup ENTRYPOINT ["/usr/local/bin/entrypoint"] -RUN echo 1 - USER ${USER_UID}:${USER_UID} From 3f60da57c600a55a8b39733a3e7d020bd5a7474f Mon Sep 17 00:00:00 2001 From: Andrii Soldatenko Date: Wed, 10 Dec 2025 08:48:50 +0100 Subject: [PATCH 11/23] try go 1.26 fix https://github.com/golang/go/issues/74630 --- Dockerfile | 2 +- .../default/templates/Common/operator/deployment-operator.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 3659924a0f..1ba2ae7f0f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # check=skip=RedundantTargetPlatform # setup build image -FROM --platform=$BUILDPLATFORM golang:1.25.5@sha256:20b91eda7a9627c127c0225b0d4e8ec927b476fa4130c6760928b849d769c149 AS operator-build +FROM --platform=$BUILDPLATFORM golang:tip-20251206 WORKDIR /app diff --git a/config/helm/chart/default/templates/Common/operator/deployment-operator.yaml b/config/helm/chart/default/templates/Common/operator/deployment-operator.yaml index df492ddce2..2e8a922f3a 100644 --- a/config/helm/chart/default/templates/Common/operator/deployment-operator.yaml +++ b/config/helm/chart/default/templates/Common/operator/deployment-operator.yaml @@ -72,7 +72,7 @@ spec: - name: DT_HOST_AVAILABILITY_DETECTION value: "{{ .Values.operator.hostAvailabilityDetection }}" - name: GODEBUG - value: fips140=only + value: fips140=only,tlsmlkem=0 {{- if .Values.debugLogs }} - name: LOG_LEVEL value: "debug" From 6cf7448e7bc45f930e3e9f3636c35fb76fd72517 Mon Sep 17 00:00:00 2001 From: Andrii Soldatenko Date: Wed, 10 Dec 2025 10:52:54 +0100 Subject: [PATCH 12/23] fixup --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
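Review bot: The new `FROM` line replaces a release image pinned by digest (`golang:1.25.5@sha256:…`) with the mutable, unpinned development tag `golang:tip-20251206`, so the build stage that produces the FIPS image is no longer reproducible or integrity-checked and runs on a pre-release toolchain. The subject presents this as a trial for golang/go#74630; if a tip snapshot is unavoidable in the interim, pin it by digest as the previous line was and mark the intent, e.g. `# temporary: tip toolchain for golang/go#74630 — return to a digest-pinned release tag once fixed`. It is also worth confirming that the compliance claim for images built from a snapshot toolchain still holds, since only the module selected by `GOFIPS140` is the validated component.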
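Review bot: The GODEBUG value gains `tlsmlkem=0`, which turns off the hybrid post-quantum TLS key exchange, and nothing in the template records why; the only trace is this commit's subject pointing at golang/go#74630. Add a comment next to the value so the setting is not carried forward after the upstream fix lands, e.g. `# tlsmlkem=0: workaround for golang/go#74630, remove once fixed`.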
diff --git a/Dockerfile b/Dockerfile index 1ba2ae7f0f..fba7a2da40 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # check=skip=RedundantTargetPlatform # setup build image -FROM --platform=$BUILDPLATFORM golang:tip-20251206 +FROM --platform=$BUILDPLATFORM golang:tip-20251206 as operator-build WORKDIR /app From 64440b6daf70aa2f7a3cb248361e18bb465d3f11 Mon Sep 17 00:00:00 2001 From: Andrii Soldatenko Date: Wed, 10 Dec 2025 12:09:10 +0100 Subject: [PATCH 13/23] empty commit From e6e77dbf40bdb8bdabdaef2d713fe724e0764a0d Mon Sep 17 00:00:00 2001 From: Andrii Soldatenko Date: Wed, 10 Dec 2025 12:26:18 +0100 Subject: [PATCH 14/23] fixup Dockerfile --- .github/workflows/fips-ci.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/fips-ci.yaml b/.github/workflows/fips-ci.yaml index 5b9b34a942..9218d0b82d 100644 --- a/.github/workflows/fips-ci.yaml +++ b/.github/workflows/fips-ci.yaml @@ -65,7 +65,7 @@ jobs: id: dockerfile with: files: | - fips.Dockerfile + Dockerfile base_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }} - name: List Changed Files run: | @@ -119,7 +119,7 @@ jobs: platforms: ${{ matrix.platform }} images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }} suffix: ${{ matrix.image-postfix }} - dockerfile: ./fips.Dockerfile + dockerfile: ./Dockerfile index: name: Create image-index From a408845d4ab751336a2b544b5c3f2e265a02d70f Mon Sep 17 00:00:00 2001 From: Andrii Soldatenko Date: Wed, 10 Dec 2025 12:29:32 +0100 Subject: [PATCH 15/23] fixup Dockerfile --- .github/workflows/fips-ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/fips-ci.yaml b/.github/workflows/fips-ci.yaml index 9218d0b82d..2a98c14658 100644 --- a/.github/workflows/fips-ci.yaml +++ b/.github/workflows/fips-ci.yaml 
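Review bot: The stage name is restored with lowercase `as` while the rest of the file uses uppercase instructions (`FROM`, `WORKDIR`), which BuildKit's `FromAsCasing` lint flags. Use `FROM --platform=$BUILDPLATFORM golang:tip-20251206 AS operator-build`, matching the casing of the line this series replaced.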
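Review bot: The change-detection filter under `id: dockerfile` now lists only `Dockerfile`, but after this series the FIPS-specific inputs live elsewhere: the module version in `.github/actions/build-push-image/action.yaml` and the build-arg plumbing in `hack/build/build_image.sh`. If this filter is what gates the FIPS image job (the step consuming it is outside the hunk), a change to those files would not trigger a FIPS build; consider adding them to `files:`.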
@@ -120,7 +120,7 @@ jobs: images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }} suffix: ${{ matrix.image-postfix }} dockerfile: ./Dockerfile - + fips: 'true' index: name: Create image-index needs: [detect-changes, prepare, build-images] From 5a1d463a9798ff8a47c990fbb4f4a59cf7af31dc Mon Sep 17 00:00:00 2001 From: Andrii Soldatenko Date: Fri, 12 Dec 2025 08:41:31 +0100 Subject: [PATCH 16/23] add GODEBUG to Dockerfile --- Dockerfile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Dockerfile b/Dockerfile index fba7a2da40..2348b024b4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -19,8 +19,13 @@ ARG GO_LINKER_ARGS ARG GO_BUILD_TAGS ARG TARGETARCH ARG TARGETOS +ARG GODEBUG ARG GOFIPS140=off +# ${variable:+word} indicates that if variable is set then word +# will be the result, otherwise the result is the empty string. +ENV GODEBUG=${GODEBUG:+fips140=only,tlsmlkem=0} + RUN --mount=type=cache,target="/root/.cache/go-build" \ --mount=type=cache,target="/go/pkg" \ From 61fa8bcbe60a5d71eea03beb13831e4a12941ee1 Mon Sep 17 00:00:00 2001 From: Andrii Soldatenko Date: Fri, 12 Dec 2025 08:52:22 +0100 Subject: [PATCH 17/23] refactor --- .github/actions/build-push-image/action.yaml | 1 + .../default/templates/Common/operator/deployment-operator.yaml | 2 -- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/actions/build-push-image/action.yaml b/.github/actions/build-push-image/action.yaml index 23dc613c34..89401c66e4 100644 --- a/.github/actions/build-push-image/action.yaml +++ b/.github/actions/build-push-image/action.yaml @@ -93,6 +93,7 @@ runs: GO_LINKER_ARGS=${{ steps.prep.outputs.go_linker_args }} GO_BUILD_TAGS=${{ steps.prep.outputs.go_build_tags }} GOFIPS140=${{ inputs.fips == 'true' && 'v1.0.0' || 'off' }} + GODEBUG=${{ inputs.fips }} context: . file: ${{ inputs.dockerfile }} provenance: false 
diff --git a/config/helm/chart/default/templates/Common/operator/deployment-operator.yaml b/config/helm/chart/default/templates/Common/operator/deployment-operator.yaml index 2e8a922f3a..34b1212105 100644 --- a/config/helm/chart/default/templates/Common/operator/deployment-operator.yaml +++ b/config/helm/chart/default/templates/Common/operator/deployment-operator.yaml @@ -71,8 +71,6 @@ spec: value: {{ include "dynatrace-operator.image" . }} - name: DT_HOST_AVAILABILITY_DETECTION value: "{{ .Values.operator.hostAvailabilityDetection }}" - - name: GODEBUG - value: fips140=only,tlsmlkem=0 {{- if .Values.debugLogs }} - name: LOG_LEVEL value: "debug" From 4011029057acf22e3440e9eb70b95e118dc1ee15 Mon Sep 17 00:00:00 2001 From: Andrii Soldatenko Date: Fri, 12 Dec 2025 09:11:59 +0100 Subject: [PATCH 18/23] refactor --- .github/actions/build-push-image/action.yaml | 2 +- Dockerfile | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/actions/build-push-image/action.yaml b/.github/actions/build-push-image/action.yaml index 89401c66e4..9e8c015774 100644 --- a/.github/actions/build-push-image/action.yaml +++ b/.github/actions/build-push-image/action.yaml @@ -93,7 +93,7 @@ runs: GO_LINKER_ARGS=${{ steps.prep.outputs.go_linker_args }} GO_BUILD_TAGS=${{ steps.prep.outputs.go_build_tags }} GOFIPS140=${{ inputs.fips == 'true' && 'v1.0.0' || 'off' }} - GODEBUG=${{ inputs.fips }} + GODEBUG=${{ inputs.fips == 'true' && 'fips140=only,tlsmlkem=0' || '' }} context: . file: ${{ inputs.dockerfile }} provenance: false diff --git a/Dockerfile b/Dockerfile index 2348b024b4..19c066b3d5 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -24,12 +24,12 @@ ARG GOFIPS140=off # ${variable:+word} indicates that if variable is set then word # will be the result, otherwise the result is the empty string. -ENV GODEBUG=${GODEBUG:+fips140=only,tlsmlkem=0} +#ENV GODEBUG=${GODEBUG:+fips140=only,tlsmlkem=0} RUN --mount=type=cache,target="/root/.cache/go-build" \ --mount=type=cache,target="/go/pkg" \ - CGO_ENABLED=0 GOFIPS140="${GOFIPS140}" GOOS=$TARGETOS GOARCH=$TARGETARCH \ + CGO_ENABLED=0 GOFIPS140="${GOFIPS140}" GODEBUG="${GODEBUG}" GOOS=$TARGETOS GOARCH=$TARGETARCH \ go build -tags "${GO_BUILD_TAGS}" -trimpath -ldflags="${GO_LINKER_ARGS}" \ -o ./build/_output/bin/dynatrace-operator ./cmd/ From 938c52a22083bce8ee4f9e68e7f2a8d3f834bace Mon Sep 17 00:00:00 2001 From: Andrii Soldatenko Date: Fri, 12 Dec 2025 09:17:05 +0100 Subject: [PATCH 19/23] refactor --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 19c066b3d5..2177368b0f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -29,7 +29,7 @@ ARG GOFIPS140=off RUN --mount=type=cache,target="/root/.cache/go-build" \ --mount=type=cache,target="/go/pkg" \ - CGO_ENABLED=0 GOFIPS140="${GOFIPS140}" GODEBUG="${GODEBUG}" GOOS=$TARGETOS GOARCH=$TARGETARCH \ + CGO_ENABLED=0 GOFIPS140="${GOFIPS140}" GOOS=$TARGETOS GOARCH=$TARGETARCH \ go build -tags "${GO_BUILD_TAGS}" -trimpath -ldflags="${GO_LINKER_ARGS}" \ -o ./build/_output/bin/dynatrace-operator ./cmd/ From fefb464ba648a854375d966cfcb8200edeb7f88f Mon Sep 17 00:00:00 2001 From: Andrii Soldatenko Date: Fri, 12 Dec 2025 09:24:47 +0100 Subject: [PATCH 20/23] refactor --- .github/actions/build-push-image/action.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/actions/build-push-image/action.yaml b/.github/actions/build-push-image/action.yaml index 9e8c015774..23dc613c34 100644 --- a/.github/actions/build-push-image/action.yaml +++ b/.github/actions/build-push-image/action.yaml 
@@ -93,7 +93,6 @@ runs: GO_LINKER_ARGS=${{ steps.prep.outputs.go_linker_args }} GO_BUILD_TAGS=${{ steps.prep.outputs.go_build_tags }} GOFIPS140=${{ inputs.fips == 'true' && 'v1.0.0' || 'off' }} - GODEBUG=${{ inputs.fips == 'true' && 'fips140=only,tlsmlkem=0' || '' }} context: . file: ${{ inputs.dockerfile }} provenance: false From ab5f66bf9ba55d1f528c6d97ad5588f8250a5ed6 Mon Sep 17 00:00:00 2001 From: Andrii Soldatenko Date: Fri, 12 Dec 2025 09:56:35 +0100 Subject: [PATCH 21/23] move env var GODEBUG to the end --- .github/actions/build-push-image/action.yaml | 1 + Dockerfile | 8 ++------ 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/actions/build-push-image/action.yaml b/.github/actions/build-push-image/action.yaml index 23dc613c34..9e8c015774 100644 --- a/.github/actions/build-push-image/action.yaml +++ b/.github/actions/build-push-image/action.yaml @@ -93,6 +93,7 @@ runs: GO_LINKER_ARGS=${{ steps.prep.outputs.go_linker_args }} GO_BUILD_TAGS=${{ steps.prep.outputs.go_build_tags }} GOFIPS140=${{ inputs.fips == 'true' && 'v1.0.0' || 'off' }} + GODEBUG=${{ inputs.fips == 'true' && 'fips140=only,tlsmlkem=0' || '' }} context: . file: ${{ inputs.dockerfile }} provenance: false diff --git a/Dockerfile b/Dockerfile index 2177368b0f..e0acf74900 100644 --- a/Dockerfile +++ b/Dockerfile @@ -22,11 +22,6 @@ ARG TARGETOS ARG GODEBUG ARG GOFIPS140=off -# ${variable:+word} indicates that if variable is set then word -# will be the result, otherwise the result is the empty string. -#ENV GODEBUG=${GODEBUG:+fips140=only,tlsmlkem=0} - - RUN --mount=type=cache,target="/root/.cache/go-build" \ --mount=type=cache,target="/go/pkg" \ CGO_ENABLED=0 GOFIPS140="${GOFIPS140}" GOOS=$TARGETOS GOARCH=$TARGETARCH \ @@ -87,7 +82,8 @@ LABEL name="Dynatrace Operator" \ ENV OPERATOR=dynatrace-operator \ USER_UID=1001 \ - USER_NAME=dynatrace-operator + USER_NAME=dynatrace-operator \ + GODEBUG=${GODEBUG:+fips140=only,tlsmlkem=0} RUN /usr/local/bin/user_setup 
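Review bot: `GODEBUG=${GODEBUG:+fips140=only,tlsmlkem=0}` is only populated by the GitHub action's build-arg; the local path (`hack/build/build_image.sh`, invoked by `images/build/fips` in `hack/make/images.mk`) passes `GOFIPS140` but no `GODEBUG` arg, so a locally built FIPS image ends up with an empty `GODEBUG` and, presumably, FIPS mode on by default from `GOFIPS140` but without the `only` enforcement CI images get. Either pass the same arg from the script (a `--build-arg "GODEBUG=..."` fed from a new script input) or derive the value in the Dockerfile from `GOFIPS140` alone so both paths agree. Note also that any pod-level `GODEBUG` env set later for unrelated debugging replaces this image default wholesale and silently drops `fips140=only`; a comment on this line saying so is warranted, and if the toolchain accepts it, a `//go:debug fips140=only` directive in the main package would make the default independent of the environment. The same default appears under the renamed `GODEBUG_ARG` in the following commit.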
From d7f129842bec63d18c1867ebd4ade613538ce1b7 Mon Sep 17 00:00:00 2001 From: Andrii Soldatenko Date: Fri, 12 Dec 2025 10:05:50 +0100 Subject: [PATCH 22/23] rename GODEBUG to GODEBUG_ARG --- .github/actions/build-push-image/action.yaml | 2 +- Dockerfile | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/actions/build-push-image/action.yaml b/.github/actions/build-push-image/action.yaml index 9e8c015774..ad92d61f33 100644 --- a/.github/actions/build-push-image/action.yaml +++ b/.github/actions/build-push-image/action.yaml @@ -93,7 +93,7 @@ runs: GO_LINKER_ARGS=${{ steps.prep.outputs.go_linker_args }} GO_BUILD_TAGS=${{ steps.prep.outputs.go_build_tags }} GOFIPS140=${{ inputs.fips == 'true' && 'v1.0.0' || 'off' }} - GODEBUG=${{ inputs.fips == 'true' && 'fips140=only,tlsmlkem=0' || '' }} + GODEBUG_ARG=${{ inputs.fips == 'true' && 'fips140=only,tlsmlkem=0' || '' }} context: . file: ${{ inputs.dockerfile }} provenance: false diff --git a/Dockerfile b/Dockerfile index e0acf74900..db7d06096b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -19,7 +19,7 @@ ARG GO_LINKER_ARGS ARG GO_BUILD_TAGS ARG TARGETARCH ARG TARGETOS -ARG GODEBUG +ARG GODEBUG_ARG ARG GOFIPS140=off RUN --mount=type=cache,target="/root/.cache/go-build" \ @@ -83,7 +83,7 @@ LABEL name="Dynatrace Operator" \ ENV OPERATOR=dynatrace-operator \ USER_UID=1001 \ USER_NAME=dynatrace-operator \ - GODEBUG=${GODEBUG:+fips140=only,tlsmlkem=0} + GODEBUG=${GODEBUG_ARG:+fips140=only,tlsmlkem=0} RUN /usr/local/bin/user_setup From 91a19d16a1efa706f00bbb8e998a942cf697c2b5 Mon Sep 17 00:00:00 2001 From: Andrii Soldatenko Date: Fri, 12 Dec 2025 10:56:56 +0100 Subject: [PATCH 23/23] move arg GODEBUG_ARG to correct stage --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index db7d06096b..88e67aac6b 100644 --- a/Dockerfile +++ b/Dockerfile 
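Review bot: The renamed `GODEBUG_ARG` carries the full string `fips140=only,tlsmlkem=0` from action.yaml, yet `${GODEBUG_ARG:+fips140=only,tlsmlkem=0}` discards that value and substitutes a second hard-coded copy, so the two can drift (the action switching to `fips140=on` would still yield `only` here). Either use the value as passed, `GODEBUG=${GODEBUG_ARG}`, or make the arg a plain switch and keep the settings string only in the Dockerfile.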
@@ -19,7 +19,6 @@ ARG GO_LINKER_ARGS ARG GO_BUILD_TAGS ARG TARGETARCH ARG TARGETOS -ARG GODEBUG_ARG ARG GOFIPS140=off RUN --mount=type=cache,target="/root/.cache/go-build" \ @@ -80,6 +79,8 @@ LABEL name="Dynatrace Operator" \ vcs-type="git" \ changelog-url="https://github.com/Dynatrace/dynatrace-operator/releases" +ARG GODEBUG_ARG + ENV OPERATOR=dynatrace-operator \ USER_UID=1001 \ USER_NAME=dynatrace-operator \