Use tag boringcrypto instead of fips_strict

2023-02-02 19:32:21 -06:00 · 2023-02-02 19:32:21 -06:00 · a5d622179e
commit a5d622179e
parent 003416ffd1
13 changed files with 30 additions and 30 deletions
--- a/cmd/pinniped-concierge-kube-cert-agent/main.go
+++ b/cmd/pinniped-concierge-kube-cert-agent/main.go
@ -13,7 +13,7 @@ import (
 	"os"
 	"time"
-	// This side effect import ensures that we use fipsonly crypto during TLS in fips_strict mode.
+	// This side effect import ensures that we use fipsonly crypto during TLS in boringcrypto mode.
 	//
 	// Commenting this out because it causes the runtime memory consumption of this binary to increase
 	// from ~1 MB to ~8 MB (as measured when running the sleep subcommand). This binary does not use TLS,
@ -25,8 +25,8 @@ import (
 	//nolint:godot // This is not sentence, it is a commented out line of import code.
 	// _ "go.pinniped.dev/internal/crypto/ptls"
-	// This side effect imports cgo so that runtime/cgo gets linked, when in fips_strict mode.
+	// This side effect imports cgo so that runtime/cgo gets linked, when in boringcrypto mode.
-	// Without this line, the binary will exit 133 upon startup in fips_strict mode.
+	// Without this line, the binary will exit 133 upon startup in boringcrypto mode.
 	// It also enables fipsonly tls mode, just to be absolutely sure that the fips code is enabled,
 	// even though it shouldn't be used currently by this binary.
 	_ "go.pinniped.dev/internal/crypto/fips"
--- a/cmd/pinniped-server/main.go
+++ b/cmd/pinniped-server/main.go
@ -15,7 +15,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	concierge "go.pinniped.dev/internal/concierge/server"
-	// this side effect import ensures that we use fipsonly crypto in fips_strict mode.
+	// this side effect import ensures that we use fipsonly crypto in boringcrypto mode.
 	_ "go.pinniped.dev/internal/crypto/ptls"
 	lua "go.pinniped.dev/internal/localuserauthenticator"
 	"go.pinniped.dev/internal/plog"
--- a/cmd/pinniped/main.go
+++ b/cmd/pinniped/main.go
@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package main
@ -9,7 +9,7 @@ import (
 	"github.com/pkg/browser"
 	"go.pinniped.dev/cmd/pinniped/cmd"
-	// this side effect import ensures that we use fipsonly crypto in fips_strict mode.
+	// this side effect import ensures that we use fipsonly crypto in boringcrypto mode.
 	_ "go.pinniped.dev/internal/crypto/ptls"
 )
--- a/hack/Dockerfile_fips
+++ b/hack/Dockerfile_fips
@ -34,8 +34,8 @@ RUN \
  export GOOS=linux && \
  export GOARCH=amd64 &&  \
  export GOEXPERIMENT=boringcrypto && \
-  go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
+  go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
-  go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
+  go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
  ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \
  ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-supervisor && \
  ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator
--- a/internal/crypto/fips/doc.go
+++ b/internal/crypto/fips/doc.go
@ -1,6 +1,6 @@
 // Copyright 2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-// Package fips can be imported to enable fipsonly tls mode when compiling with fips_strict.
+// Package fips can be imported to enable fipsonly tls mode when compiling with boringcrypto.
-// It will also cause cgo to be explicitly imported when compiling with fips_strict.
+// It will also cause cgo to be explicitly imported when compiling with boringcrypto.
 package fips
--- a/internal/crypto/fips/fips_strict.go
+++ b/internal/crypto/fips/fips_strict.go
@ -1,8 +1,8 @@
 // Copyright 2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-//go:build fips_strict
+//go:build boringcrypto
-// +build fips_strict
+// +build boringcrypto
 package fips
--- a/internal/crypto/ptls/default.go
+++ b/internal/crypto/ptls/default.go
@ -1,8 +1,8 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-//go:build !fips_strict
+//go:build !boringcrypto
-// +build !fips_strict
+// +build !boringcrypto
 package ptls
--- a/internal/crypto/ptls/fips_strict.go
+++ b/internal/crypto/ptls/fips_strict.go
@ -4,8 +4,8 @@
 // The configurations here override the usual ptls.Secure, ptls.Default, and ptls.DefaultLDAP
 // configs when Pinniped is built in fips-only mode.
 // All of these are the same because FIPs is already so limited.
-//go:build fips_strict
+//go:build boringcrypto
-// +build fips_strict
+// +build boringcrypto
 package ptls
--- a/internal/crypto/ptls/secure.go
+++ b/internal/crypto/ptls/secure.go
@ -1,8 +1,8 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-//go:build !fips_strict
+//go:build !boringcrypto
-// +build !fips_strict
+// +build !boringcrypto
 package ptls
--- a/site/content/docs/reference/fips.md
+++ b/site/content/docs/reference/fips.md
@ -11,7 +11,7 @@ menu:
 ---
 By default, the Pinniped supervisor and concierge use ciphers that are not supported by FIPS 140-2.
 If you are deploying Pinniped in an environment with FIPS compliance requirements, you will have to build
-the binaries yourself using the `fips_strict` build tag and Golang's `go-boringcrypto` fork.
+the binaries yourself using `GOEXPERIMENT=boringcrypto`.
 The Pinniped team provides an [example Dockerfile](https://github.com/vmware-tanzu/pinniped/blob/main/hack/Dockerfile_fips)
 demonstrating how you can build Pinniped images in a FIPS compatible way.
--- a/test/integration/securetls_fips_test.go
+++ b/test/integration/securetls_fips_test.go
@ -1,8 +1,8 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-//go:build fips_strict
+//go:build boringcrypto
-// +build fips_strict
+// +build boringcrypto
 package integration
--- a/test/testlib/securetls_preference_fips.go
+++ b/test/testlib/securetls_preference_fips.go
@ -1,8 +1,8 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-//go:build fips_strict
+//go:build boringcrypto
-// +build fips_strict
+// +build boringcrypto
 package testlib
--- a/test/testlib/securetls_preference_nonfips.go
+++ b/test/testlib/securetls_preference_nonfips.go
@ -1,8 +1,8 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-//go:build !fips_strict
+//go:build !boringcrypto
-// +build !fips_strict
+// +build !boringcrypto
 package testlib