Dynatrace · andriisoldatenko · Nov 27, 2025 · Nov 27, 2025 · Nov 27, 2025 · Nov 27, 2025
@@ -17,6 +17,10 @@ inputs:
   suffix:
     description: Suffix appended to image tags
     required: false
+  fips:
+    description: Whether to build the image with FIPS enabled
+    default: 'false'
+    required: false
 outputs:
   digest:
     description: The digest of the built image
@@ -88,6 +92,8 @@ runs:
         build-args: |
           GO_LINKER_ARGS=${{ steps.prep.outputs.go_linker_args }}
           GO_BUILD_TAGS=${{ steps.prep.outputs.go_build_tags }}
+          GOFIPS140=${{ inputs.fips == 'true' && 'v1.0.0' || 'off' }}
+          GODEBUG_ARG=${{ inputs.fips == 'true' && 'fips140=only,tlsmlkem=0' || '' }}
         context: .
         file: ${{ inputs.dockerfile }}
         provenance: false

@@ -37,7 +37,6 @@
   regexManagers: [
     {
       fileMatch: [
-        "(^|/|\\.)fips.Dockerfile$",
         "(^|/|\\.)Dockerfile$",
         "(^|/|\\.)prerequisites.mk$",
         "(^|/|\\.)third-party-licenses.sh$",

@@ -65,7 +65,7 @@ jobs:
         id: dockerfile
         with:
           files: |
-            fips.Dockerfile
+            Dockerfile
           base_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }}
       - name: List Changed Files
         run: |
@@ -119,8 +119,8 @@ jobs:
           platforms: ${{ matrix.platform }}
           images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REPOSITORY }}
           suffix: ${{ matrix.image-postfix }}
-          dockerfile: ./fips.Dockerfile
-
+          dockerfile: ./Dockerfile
+          fips: 'true'
   index:
     name: Create image-index
     needs: [detect-changes, prepare, build-images]

@@ -67,7 +67,8 @@ jobs:
           platforms: ${{ matrix.platform }}
           images: ${{ env.DOCKER_IMAGE }},${{ env.ECR_IMAGE }}
           suffix: ${{ matrix.image-postfix }}
-          dockerfile: ./fips.Dockerfile
+          dockerfile: ./Dockerfile
+          fips: 'true'
 
   index:
     name: Create image-index

@@ -1,6 +1,6 @@
 # check=skip=RedundantTargetPlatform
 # setup build image
-FROM --platform=$BUILDPLATFORM golang:1.25.5@sha256:20b91eda7a9627c127c0225b0d4e8ec927b476fa4130c6760928b849d769c149 AS operator-build
+FROM --platform=$BUILDPLATFORM golang:tip-20251206 as operator-build
 
 WORKDIR /app
 
@@ -19,11 +19,11 @@
 ARG GO_BUILD_TAGS
 ARG TARGETARCH
 ARG TARGETOS
-
+ARG GOFIPS140=off
 
 RUN --mount=type=cache,target="/root/.cache/go-build" \
     --mount=type=cache,target="/go/pkg" \
-    CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH \
+    CGO_ENABLED=0 GOFIPS140="${GOFIPS140}" GOOS=$TARGETOS GOARCH=$TARGETARCH \
     go build -tags "${GO_BUILD_TAGS}" -trimpath -ldflags="${GO_LINKER_ARGS}" \
     -o ./build/_output/bin/dynatrace-operator ./cmd/
 
@@ -79,9 +79,12 @@
       vcs-type="git" \
       changelog-url="https://github.com/Dynatrace/dynatrace-operator/releases"
 
+ARG GODEBUG_ARG
+
 ENV OPERATOR=dynatrace-operator \
     USER_UID=1001 \
-    USER_NAME=dynatrace-operator
+    USER_NAME=dynatrace-operator \
+    GODEBUG=${GODEBUG_ARG:+fips140=only,tlsmlkem=0}
 
 RUN /usr/local/bin/user_setup
 

@@ -14,6 +14,7 @@ tag=${2}
 debug=${3:-false}
 dockerfile=${4:-Dockerfile}
 platform=${5:-linux/amd64}
+gofips140=${6:-off}
 
 commit=$(git rev-parse HEAD)
 go_linker_args=$(hack/build/create_go_linker_args.sh "${tag}" "${commit}" "${debug}")
@@ -22,7 +23,7 @@ go_build_tags=$(hack/build/create_go_build_tags.sh false)
 out_image="${image}:${tag}"
 
 # directory required by docker copy command
-mkdir -p third_party_licenses 
+mkdir -p third_party_licenses
 
 if ! command -v docker 2>/dev/null; then
   CONTAINER_CMD=podman
@@ -34,6 +35,7 @@ ${CONTAINER_CMD} build "--platform=${platform}" . -f "${dockerfile}" -t "${out_i
   --build-arg "GO_LINKER_ARGS=${go_linker_args}" \
   --build-arg "GO_BUILD_TAGS=${go_build_tags}" \
   --build-arg "DEBUG_TOOLS=${debug}" \
+  --build-arg "GOFIPS140=${gofips140}" \
   --label "quay.expires-after=14d"
 
 rm -rf third_party_licenses
@@ -13,6 +13,7 @@ else
 endif
 
 FIPS_TAG ?= ${TAG}-fips
+GOFIPS140 ?= v1.0.0
 
 #use the digest if digest is set
 ifeq ($(DIGEST),)
@@ -46,7 +47,7 @@ images/build/push: images/build images/push
 # because cross-compile takes ~1h, we want to build fips locally only for local architecture
 # so that's why the recommended way to run it (assuming local platfrom is arm64) is `OPERATOR_DEV_BUILD_PLATFORM="linux/arm64" make images/build/fips
 images/build/fips: ensure-tag-not-snapshot
-	$(BUILD_IMAGE_SH) "${IMAGE}" "${FIPS_TAG}" "${DEBUG}" "fips.Dockerfile" "${OPERATOR_BUILD_PLATFORM}"
+	$(BUILD_IMAGE_SH) "${IMAGE}" "${FIPS_TAG}" "${DEBUG}" "Dockerfile" "${OPERATOR_BUILD_PLATFORM}" "${GOFIPS140}"
 
 images/push/fips: ensure-tag-not-snapshot
 	$(PUSH_IMAGE_SH) "${IMAGE}" "${FIPS_TAG}-${OPERATOR_BUILD_ARCH}"

@@ -1,6 +1,7 @@
 package version
 
 import (
+	"crypto/fips140"
 	"fmt"
 	"runtime"
 	"runtime/debug"
@@ -37,6 +38,7 @@ func LogVersionToLogger(log logd.Logger) {
 		"buildDate", BuildDate,
 		"goVersion", runtime.Version(),
 		"platform", fmt.Sprintf("%s/%s", runtime.GOOS, runtime.GOARCH),
+		"fips140", fmt.Sprintf("FIPS 140-3 Mode Enabled: %v", fips140.Enabled()),
 	)
 
 	// SetMemoryLimit returns the previously set memory limit. A negative input does not adjust the limit, and allows for retrieval of the currently set memory limit.