diff --git a/Dockerfile b/Dockerfile index 797f9445..c57e27c0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,11 @@ RUN \ --mount=type=cache,target=/cache/gocache \ --mount=type=cache,target=/cache/gomodcache \ mkdir out && \ - export GOCACHE=/cache/gocache GOMODCACHE=/cache/gomodcache CGO_ENABLED=0 GOOS=linux GOARCH=amd64 && \ + export GOCACHE=/cache/gocache && \ + export GOMODCACHE=/cache/gomodcache && \ + export CGO_ENABLED=0 && \ + export GOOS=linux && \ + export GOARCH=amd64 && \ go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \ go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \ ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \ diff --git a/cmd/pinniped-concierge-kube-cert-agent/main.go b/cmd/pinniped-concierge-kube-cert-agent/main.go index 8a4e23a8..0a2472d1 100644 --- a/cmd/pinniped-concierge-kube-cert-agent/main.go +++ b/cmd/pinniped-concierge-kube-cert-agent/main.go @@ -13,8 +13,7 @@ import ( "os" "time" - // This side effect import ensures that we use fipsonly crypto during TLS in fips_strict mode. - // + // This side effect import ensures that we use fipsonly crypto in boringcrypto mode. // Commenting this out because it causes the runtime memory consumption of this binary to increase // from ~1 MB to ~8 MB (as measured when running the sleep subcommand). This binary does not use TLS, // so it should not be needed. If this binary is ever changed to make use of TLS client and/or server @@ -23,13 +22,7 @@ import ( // decided by the kube cert agent controller in the Concierge). // //nolint:godot // This is not sentence, it is a commented out line of import code. - // _ "go.pinniped.dev/internal/crypto/ptls" - - // This side effect imports cgo so that runtime/cgo gets linked, when in fips_strict mode. - // Without this line, the binary will exit 133 upon startup in fips_strict mode. - // It also enables fipsonly tls mode, just to be absolutely sure that the fips code is enabled, - // even though it shouldn't be used currently by this binary. - _ "go.pinniped.dev/internal/crypto/fips" + //_ "go.pinniped.dev/internal/crypto/ptls" // This side effect ensures building with at least go1.19 _ "go.pinniped.dev/internal/build" diff --git a/cmd/pinniped/main.go b/cmd/pinniped/main.go index 1b9da6e6..6333b879 100644 --- a/cmd/pinniped/main.go +++ b/cmd/pinniped/main.go @@ -9,7 +9,7 @@ import ( "github.com/pkg/browser" "go.pinniped.dev/cmd/pinniped/cmd" - // this side effect import ensures that we use fipsonly crypto in fips_strict mode. + // this side effect import ensures that we use fipsonly crypto in boringcrypto mode. _ "go.pinniped.dev/internal/crypto/ptls" // This side effect ensures building with at least go1.19 diff --git a/hack/Dockerfile_fips b/hack/Dockerfile_fips index 798c89a8..743ed5e3 100644 --- a/hack/Dockerfile_fips +++ b/hack/Dockerfile_fips @@ -49,9 +49,12 @@ ARG GOPROXY # since we would not be able to ship windows and macOS binaries. RUN \ mkdir out && \ - export CGO_ENABLED=1 GOOS=linux GOARCH=amd64 GOEXPERIMENT=boringcrypto && \ - go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \ - go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \ + export CGO_ENABLED=0 && \ + export GOOS=linux && \ + export GOARCH=amd64 && \ + export GOEXPERIMENT=boringcrypto && \ + go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \ + go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \ ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \ ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-supervisor && \ ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator diff --git a/internal/crypto/fips/doc.go b/internal/crypto/fips/doc.go deleted file mode 100644 index e265bb85..00000000 --- a/internal/crypto/fips/doc.go +++ /dev/null @@ -1,6 +0,0 @@ -// Copyright 2023 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -// Package fips can be imported to enable fipsonly tls mode when compiling with fips_strict. -// It will also cause cgo to be explicitly imported when compiling with fips_strict. -package fips diff --git a/internal/crypto/fips/fips_strict.go b/internal/crypto/fips/fips_strict.go deleted file mode 100644 index b0679c30..00000000 --- a/internal/crypto/fips/fips_strict.go +++ /dev/null @@ -1,12 +0,0 @@ -// Copyright 2023 the Pinniped contributors. All Rights Reserved. -// SPDX-License-Identifier: Apache-2.0 - -//go:build fips_strict -// +build fips_strict - -package fips - -import ( - "C" // explicitly import cgo so that runtime/cgo gets linked into the kube-cert-agent - _ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings. -) diff --git a/internal/crypto/ptls/default.go b/internal/crypto/ptls/default.go index d929a4eb..a1aa006a 100644 --- a/internal/crypto/ptls/default.go +++ b/internal/crypto/ptls/default.go @@ -1,8 +1,7 @@ -// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -//go:build !fips_strict -// +build !fips_strict +//go:build !boringcrypto package ptls diff --git a/internal/crypto/ptls/fips_strict.go b/internal/crypto/ptls/fips_strict.go index 2db12fcf..ed87ec66 100644 --- a/internal/crypto/ptls/fips_strict.go +++ b/internal/crypto/ptls/fips_strict.go @@ -4,8 +4,7 @@ // The configurations here override the usual ptls.Secure, ptls.Default, and ptls.DefaultLDAP // configs when Pinniped is built in fips-only mode. // All of these are the same because FIPs is already so limited. -//go:build fips_strict -// +build fips_strict +//go:build boringcrypto package ptls @@ -18,8 +17,6 @@ import ( "k8s.io/apiserver/pkg/server/options" - // Cause fipsonly tls mode with this side effect import. - _ "go.pinniped.dev/internal/crypto/fips" "go.pinniped.dev/internal/plog" ) diff --git a/internal/crypto/ptls/secure.go b/internal/crypto/ptls/secure.go index ddea0816..84d3ea17 100644 --- a/internal/crypto/ptls/secure.go +++ b/internal/crypto/ptls/secure.go @@ -1,8 +1,7 @@ -// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -//go:build !fips_strict -// +build !fips_strict +//go:build !boringcrypto package ptls diff --git a/site/content/docs/reference/fips.md b/site/content/docs/reference/fips.md index 2e012c81..eba33e51 100644 --- a/site/content/docs/reference/fips.md +++ b/site/content/docs/reference/fips.md @@ -12,8 +12,7 @@ menu: By default, the Pinniped supervisor and concierge use ciphers that are not supported by FIPS 140-2. If you are deploying Pinniped in an environment with FIPS compliance requirements, you will have to build -the binaries yourself using the `fips_strict` build tag and Golang's -`go-boringcrypto` fork. +the binaries yourself using Golang 1.19 and the `GOEXPERIMENT=boringcrypto` build tag. The Pinniped team provides an [example Dockerfile](https://github.com/vmware-tanzu/pinniped/blob/main/hack/Dockerfile_fips) demonstrating how you can build Pinniped images in a FIPS compatible way. diff --git a/test/integration/securetls_fips_test.go b/test/integration/securetls_fips_test.go index 19cfea78..521784c5 100644 --- a/test/integration/securetls_fips_test.go +++ b/test/integration/securetls_fips_test.go @@ -1,8 +1,7 @@ -// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -//go:build fips_strict -// +build fips_strict +//go:build boringcrypto package integration diff --git a/test/testlib/securetls_preference_fips.go b/test/testlib/securetls_preference_fips.go index e61fc205..303eb435 100644 --- a/test/testlib/securetls_preference_fips.go +++ b/test/testlib/securetls_preference_fips.go @@ -1,8 +1,7 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -//go:build fips_strict -// +build fips_strict +//go:build boringcrypto package testlib diff --git a/test/testlib/securetls_preference_nonfips.go b/test/testlib/securetls_preference_nonfips.go index 002d329d..d1f74400 100644 --- a/test/testlib/securetls_preference_nonfips.go +++ b/test/testlib/securetls_preference_nonfips.go @@ -1,8 +1,7 @@ -// Copyright 2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -//go:build !fips_strict -// +build !fips_strict +//go:build !boringcrypto package testlib