diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index e2b43c2f4..05733889c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -16,6 +16,7 @@ variables:
 TEST_INFRA_DEFINITIONS_BUILDIMAGES: f61405297d57
 PUSH_IMAGES_TO_STAGING:
 description: "Set PUSH_IMAGE_TO_STAGING to 'true' if you want to push the operator to internal staging registry."
+ FIPS_ENABLED: false
 cache: &global_cache
 key: ${CI_COMMIT_REF_SLUG}
@@ -144,9 +145,16 @@ build_operator_image_amd64:
 # DockerHub login for build to limit rate limit when pulling base images
 - DOCKER_REGISTRY_LOGIN=$(aws ssm get-parameter --region us-east-1 --name ci.datadog-operator.$DOCKER_REGISTRY_LOGIN_SSM_KEY --with-decryption --query "Parameter.Value" --out text)
 - aws ssm get-parameter --region us-east-1 --name ci.datadog-operator.$DOCKER_REGISTRY_PWD_SSM_KEY --with-decryption --query "Parameter.Value" --out text | docker login --username "$DOCKER_REGISTRY_LOGIN" --password-stdin "$DOCKER_REGISTRY_URL"
- - IMG=$TARGET_IMAGE make docker-build-push-ci
+ - IMG=$TARGET_IMAGE FIPS_ENABLED=$FIPS_ENABLED make docker-build-push-ci
 - if [ -n "$CI_COMMIT_TAG" ]; then docker buildx imagetools create $TARGET_IMAGE --tag $RELEASE_IMAGE; fi
+build_operator_image_fips_amd64:
+ extends: build_operator_image_amd64
+ variables:
+ TARGET_IMAGE: $BUILD_DOCKER_REGISTRY/$PROJECTNAME:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-fips-amd64
+ RELEASE_IMAGE: $BUILD_DOCKER_REGISTRY/$PROJECTNAME:$CI_COMMIT_TAG-fips-amd64
+ FIPS_ENABLED: "true"
+
 build_operator_image_arm64:
 stage: image
 rules: !reference [.on_build_images]
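Review bot: The new `FIPS_ENABLED: false` entry in the top-level `variables:` block is the only one there without a `description:`, and it is a bare YAML boolean while the per-job override later in this file is the quoted string `"true"`; GitLab hands every variable to jobs as a string anyway, so the bare boolean works, but it hides that the Dockerfile ends up comparing the value against the exact text `true`. I would give it the same shape as its neighbour `PUSH_IMAGES_TO_STAGING`: `FIPS_ENABLED:` / `value: "false"` / `description: "Set to 'true' to build the operator with Go's BoringCrypto-backed FIPS mode (see Dockerfile); any other value builds the default binary."`.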
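Review bot: The only things separating `build_operator_image_fips_amd64` from the regular build are `FIPS_ENABLED: "true"` and the `-fips-amd64` suffix in `TARGET_IMAGE`, and nothing after `make docker-build-push-ci` confirms the pushed image is in fact the FIPS variant, so a mistyped value or a broken build arg would publish a pure-Go binary under a FIPS tag without any job failing. A cheap guard is to have the Dockerfile set a marker only in its FIPS branch (for example `LABEL fips=true`) and have this job fail when the pushed `$TARGET_IMAGE` lacks it. Note also that `RELEASE_IMAGE` tags tagged builds as `$CI_COMMIT_TAG-fips-amd64`, yet this diff only adds a `main-fips` publish job, so tagged FIPS images appear to stay in the internal registry unless a publish step exists elsewhere. The `build_operator_image_amd64` job's `stage` and `rules` lie outside this hunk.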
@@ -161,9 +169,16 @@ build_operator_image_arm64:
 # DockerHub login for build to limit rate limit when pulling base images
 - DOCKER_REGISTRY_LOGIN=$(aws ssm get-parameter --region us-east-1 --name ci.datadog-operator.$DOCKER_REGISTRY_LOGIN_SSM_KEY --with-decryption --query "Parameter.Value" --out text)
 - aws ssm get-parameter --region us-east-1 --name ci.datadog-operator.$DOCKER_REGISTRY_PWD_SSM_KEY --with-decryption --query "Parameter.Value" --out text | docker login --username "$DOCKER_REGISTRY_LOGIN" --password-stdin "$DOCKER_REGISTRY_URL"
- - IMG=$TARGET_IMAGE make docker-build-push-ci
+ - IMG=$TARGET_IMAGE FIPS_ENABLED=$FIPS_ENABLED make docker-build-push-ci
 - if [ -n "$CI_COMMIT_TAG" ]; then docker buildx imagetools create $TARGET_IMAGE --tag $RELEASE_IMAGE; fi
+build_operator_image_fips_arm64:
+ extends: build_operator_image_arm64
+ variables:
+ TARGET_IMAGE: $BUILD_DOCKER_REGISTRY/$PROJECTNAME:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-fips-arm64
+ RELEASE_IMAGE: $BUILD_DOCKER_REGISTRY/$PROJECTNAME:$CI_COMMIT_TAG-fips-arm64
+ FIPS_ENABLED: "true"
+
 build_operator_check_image_amd64:
 stage: image
 rules: !reference [.on_build_images]
@@ -227,6 +242,12 @@ publish_public_main:
 IMG_DESTINATIONS: operator:main
 IMG_SIGNING: "false"
+publish_public_main_fips:
+ extends: publish_public_main
+ variables:
+ IMG_SOURCES: $BUILD_DOCKER_REGISTRY/$PROJECTNAME:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-fips-amd64,$BUILD_DOCKER_REGISTRY/$PROJECTNAME:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-fips-arm64
+ IMG_DESTINATIONS: operator:main-fips
+
 publish_public_tag:
 stage: release
 rules:
diff --git a/Dockerfile b/Dockerfile
index c78c5e2f5..ca893db79 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,6 @@
+#
+ARG FIPS_ENABLED=false
+
 # Build the manager binary
 FROM golang:1.23.6 AS builder
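Review bot: `publish_public_main_fips` inherits `IMG_SIGNING: "false"` from `publish_public_main` (visible in the context two lines above the new job), so the first public FIPS image of the operator is pushed to `operator:main-fips` unsigned; the audience for a FIPS variant is precisely the compliance-driven consumers who will want to verify provenance before deploying. If leaving `main` builds unsigned is deliberate, make that visible on the new job instead of inheriting it silently, e.g. `IMG_SIGNING: "false"  # main-fips is intentionally unsigned, same policy as main`, or set `IMG_SIGNING: "true"` here if the signing step supports it. The `stage` and `rules` of `publish_public_main` are outside this hunk, so I cannot tell whether tag publishes are signed.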
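Review bot: The added `#` line is an empty comment above the global `ARG FIPS_ENABLED=false`, and this argument is the switch between two quite different builds (a static pure-Go binary versus cgo plus BoringCrypto), which is exactly what a reader of the first line of the Dockerfile needs to know. I would replace it with `# FIPS_ENABLED=true builds the manager with GOEXPERIMENT=boringcrypto and the fips build tag (see the build stage); any other value builds the default pure-Go binary.` Because an `ARG` declared before the first `FROM` is only visible inside a stage once it is redeclared there, the bare `ARG FIPS_ENABLED` in the later hunk is what carries this default into the builder stage; it is worth saying so here so nobody removes one without the other.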
@@ -32,7 +35,14 @@ COPY cmd/helpers/ cmd/helpers/
 # Build
 ARG LDFLAGS
 ARG GOARCH
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=${GOARCH} GO111MODULE=on go build -a -ldflags "${LDFLAGS}" -o manager cmd/main.go
+ARG FIPS_ENABLED
+RUN echo "FIPS_ENABLED is: $FIPS_ENABLED"
+RUN if [ "$FIPS_ENABLED" = "true" ]; then \
+ CGO_ENABLED=1 GOEXPERIMENT=boringcrypto GOOS=linux GOARCH=${GOARCH} GO111MODULE=on go build -tags fips -a -ldflags "${LDFLAGS}" -o manager cmd/main.go; \
+ else \
+ CGO_ENABLED=0 GOOS=linux GOARCH=${GOARCH} GO111MODULE=on go build -a -ldflags "${LDFLAGS}" -o manager cmd/main.go; \
+ fi
+
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=${GOARCH} GO111MODULE=on go build -a -ldflags "${LDFLAGS}" -o helpers cmd/helpers/main.go
 FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
diff --git a/Makefile b/Makefile
index c70d247a9..52bd7a788 100644
--- a/Makefile
+++ b/Makefile
@@ -14,13 +14,14 @@ IMG_VERSION?=$(if $(VERSION),$(VERSION),latest)
 VERSION?=$(if $(GIT_TAG),$(GIT_TAG),$(TAG_HASH))
 GIT_COMMIT?=$(shell git rev-parse HEAD)
 DATE=$(shell date +%Y-%m-%d/%H:%M:%S )
-LDFLAGS=-w -s -X ${BUILDINFOPKG}.Commit=${GIT_COMMIT} -X ${BUILDINFOPKG}.Version=${VERSION} -X ${BUILDINFOPKG}.BuildTime=${DATE}
+LDFLAGS=-X ${BUILDINFOPKG}.Commit=${GIT_COMMIT} -X ${BUILDINFOPKG}.Version=${VERSION} -X ${BUILDINFOPKG}.BuildTime=${DATE}
 CHANNELS=stable
 DEFAULT_CHANNEL=stable
 GOARCH?=
 PLATFORM=$(shell uname -s | tr '[:upper:]' '[:lower:]')-$(shell uname -m)
 ROOT=$(dir $(abspath $(firstword $(MAKEFILE_LIST))))
 KUSTOMIZE_CONFIG?=config/default
+FIPS_ENABLED?=false
 # Default bundle image tag
 BUNDLE_IMG ?= controller-bundle:$(VERSION)
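Review bot: Nothing after the conditional `go build` verifies that `manager` actually came out with BoringCrypto: the branch is chosen by a string compare on a build arg, so a value such as `True` or `1` silently takes the `else` path and produces a pure-Go binary that the pipeline then tags `-fips`. A binary built with `GOEXPERIMENT=boringcrypto` should report `X:boringcrypto` from `go version`, so a guard in the builder stage turns that into a build failure: `RUN if [ "$FIPS_ENABLED" = "true" ]; then go version ./manager | grep -q 'X:boringcrypto'; fi`. The `helpers` binary on the following context line is still built with `CGO_ENABLED=0` and the standard crypto in both cases, so if it opens any TLS connection it runs outside the FIPS boundary inside the FIPS image; either build it under the same condition or document that only `manager` is FIPS. The `RUN echo "FIPS_ENABLED is: $FIPS_ENABLED"` layer reads like a debugging leftover and can be dropped.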
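Review bot: Removing `-w -s` from `LDFLAGS` is unconditional, so the non-FIPS image also stops being stripped and now ships DWARF and the symbol table, and there is no comment saying why. If stripping turned out to be incompatible with the BoringCrypto build, gate it on the new variable instead, placed after `FIPS_ENABLED?=false` so the parse-time conditional sees it: `ifneq ($(FIPS_ENABLED),true)` / `LDFLAGS+=-w -s` / `endif`; if it was only removed while debugging, restore it. Either way a one-line comment above `LDFLAGS` recording the reason would stop the next person from re-adding the flags blindly.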
@@ -157,7 +158,7 @@ docker-build: generate docker-build-ci docker-build-check-ci
 # For local use
 .PHONY: docker-build-ci
 docker-build-ci:
- docker build . -t ${IMG} --build-arg LDFLAGS="${LDFLAGS}" --build-arg GOARCH="${GOARCH}"
+ docker build . -t ${IMG} --build-arg FIPS_ENABLED="${FIPS_ENABLED}" --build-arg LDFLAGS="${LDFLAGS}" --build-arg GOARCH="${GOARCH}"
 # For local use
 .PHONY: docker-build-check-ci
@@ -168,7 +169,7 @@ docker-build-check-ci:
 # For Gitlab use
 .PHONY: docker-build-push-ci
 docker-build-push-ci:
- docker buildx build . -t ${IMG} --build-arg LDFLAGS="${LDFLAGS}" --build-arg GOARCH="${GOARCH}" --platform=linux/${GOARCH} --provenance=false --push
+ docker buildx build . -t ${IMG} --build-arg FIPS_ENABLED="${FIPS_ENABLED}" --build-arg LDFLAGS="${LDFLAGS}" --build-arg GOARCH="${GOARCH}" --platform=linux/${GOARCH} --provenance=false --push
 # For Gitlab use
 .PHONY: docker-build-push-check-ci
diff --git a/internal/controller/fipsonly.go b/internal/controller/fipsonly.go
new file mode 100644
index 000000000..4a0701d46
--- /dev/null
+++ b/internal/controller/fipsonly.go
@@ -0,0 +1,10 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build fips
+
+package controller
+
+import _ "crypto/tls/fipsonly"
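Review bot: `docker-build-push-ci` forwards `${FIPS_ENABLED}` verbatim and the Dockerfile treats every value other than the exact string `true` as the standard build, so a mistyped `FIPS_ENABLED=True` or `=1` from CI pushes a non-FIPS image under whatever `IMG` the caller chose, with no error anywhere. A parse-time check next to the `FIPS_ENABLED?=false` definition makes that a hard failure for this target and `docker-build-ci` alike: `ifeq ($(filter true false,$(FIPS_ENABLED)),)` / `$(error FIPS_ENABLED must be "true" or "false", got "$(FIPS_ENABLED)")` / `endif`. Note that `--provenance=false` on this line also means the pushed image carries no build attestation recording its build args, so whether an image was built as FIPS is not recoverable from registry metadata after the fact; a label set in the Dockerfile's FIPS branch would fill that gap.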
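Review bot: The side-effect import has no comment, and its effect is process-wide and easy to miss: per its package documentation, `crypto/tls/fipsonly` restricts every TLS configuration in the program to FIPS-approved settings as soon as it is imported anywhere, and the package only exists when Go is built with `GOEXPERIMENT=boringcrypto`, which is why the `fips` tag must never be set without that experiment. A doc comment above the import would spare the next reader a trip to the Go docs: `// Importing crypto/tls/fipsonly restricts all TLS in this binary to FIPS-approved versions and cipher suites. The package only exists under GOEXPERIMENT=boringcrypto, so the fips tag is set together with it in the Dockerfile.` Because the file lives in `internal/controller`, the restriction applies to whichever binaries import that package, presumably `manager` alone; stating that explicitly would avoid the assumption that `helpers` is covered too.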