From 23f6dd44a0887b9f29fcb017d70310eb90bd0b4a Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Wed, 18 Jan 2023 16:00:16 -0800
Subject: [PATCH] Use Go 1.19 for fips builds

Co-authored-by: Ryan Richard
Co-authored-by: Joshua Casey
---
 hack/Dockerfile_fips | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/hack/Dockerfile_fips b/hack/Dockerfile_fips
index cee3e42b..acf63042 100644
--- a/hack/Dockerfile_fips
+++ b/hack/Dockerfile_fips
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
-# Copyright 2022 the Pinniped contributors. All Rights Reserved.
+# Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 # this dockerfile is used to produce a binary of Pinniped that uses
@@ -11,8 +11,11 @@
 # using this dockerfile. Using this dockerfile does not convey
 # any type of fips certification.
-# use go-boringcrypto rather than main go
-FROM us-docker.pkg.dev/google.com/api-project-999119582588/go-boringcrypto/golang:1.18.10b7 as build-env
+# Starting in 1.19, go-boringcrypto has been added to the main Go toolchain,
+# hidden behind a `GOEXPERIMENT=boringcrypto` env var.
+# See https://go.googlesource.com/go/+/dev.boringcrypto/README.boringcrypto.md
+# and https://kupczynski.info/posts/fips-golang/ for details.
+FROM golang:1.19.5 as build-env
 WORKDIR /work
 COPY . .
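Review bot: `FROM golang:1.19.5 as build-env` selects the toolchain by mutable tag only, so the exact compiler (and therefore the exact BoringCrypto module) that produced a given FIPS binary is not recorded by the build and can change underneath a rebuild of the same Dockerfile; pinning the digest, `FROM golang:1.19.5@sha256:<DIGEST-OF-GOLANG-1.19.5> AS build-env`, keeps the toolchain reproducible and auditable, which matters more in this file than in an ordinary build because the whole purpose of the image is which crypto implementation gets linked. The previous google-hosted image was also tag-pinned, so this is a pre-existing gap rather than a regression, but the move to the Docker Hub image is a good moment to close it. As a style point, the stage keyword should match the casing of `FROM` (`AS`, not `as`); BuildKit's FromAsCasing build check flags the mismatch.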
@@ -46,7 +49,7 @@ ARG GOPROXY
 # since we would not be able to ship windows and macOS binaries.
 RUN \
 mkdir out && \
- export CGO_ENABLED=1 GOOS=linux GOARCH=amd64 && \
+ export CGO_ENABLED=1 GOOS=linux GOARCH=amd64 GOEXPERIMENT=boringcrypto && \
 go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
 go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
 ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \
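Review bot: The FIPS property of the output now rests entirely on the added `GOEXPERIMENT=boringcrypto` in the `export` line being honoured, but nothing in the RUN verifies that the two binaries actually link BoringCrypto; with the mainline toolchain a misspelled experiment name, or a toolchain image that ignores it, still yields a working non-FIPS binary that passes the build. Adding a check after the two `go build` lines, such as `go tool nm /usr/local/bin/pinniped-server | grep -q _Cfunc__goboringcrypto_ && \` and the same for `/usr/local/bin/pinniped-concierge-kube-cert-agent`, would fail the build in that case; the post linked in the new FROM comment describes this check. A short why-comment on the `export` line would also help the next reader, e.g. `# GOEXPERIMENT=boringcrypto makes crypto/* use BoringCrypto in Go 1.19+; replaces the old go-boringcrypto fork`. The RUN instruction continues past the end of the hunk.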