Use tag 'boringcrypto' instead of 'fips_strict'

Joshua Casey 2023-03-08 23:26:34 -06:00
parent 60c7613c7d
commit bd85ad8d9c
13 changed files with 26 additions and 53 deletions


@ -16,7 +16,11 @@ RUN \
--mount=type=cache,target=/cache/gocache \ --mount=type=cache,target=/cache/gocache \
--mount=type=cache,target=/cache/gomodcache \ --mount=type=cache,target=/cache/gomodcache \
mkdir out && \ mkdir out && \
export GOCACHE=/cache/gocache GOMODCACHE=/cache/gomodcache CGO_ENABLED=0 GOOS=linux GOARCH=amd64 && \ export GOCACHE=/cache/gocache && \
export GOMODCACHE=/cache/gomodcache && \
export CGO_ENABLED=0 && \
export GOOS=linux && \
export GOARCH=amd64 && \
go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \ go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \ go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \ ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \


@ -13,8 +13,7 @@ import (
"os" "os"
"time" "time"
// This side effect import ensures that we use fipsonly crypto during TLS in fips_strict mode. // This side effect import ensures that we use fipsonly crypto in boringcrypto mode.
//
// Commenting this out because it causes the runtime memory consumption of this binary to increase // Commenting this out because it causes the runtime memory consumption of this binary to increase
// from ~1 MB to ~8 MB (as measured when running the sleep subcommand). This binary does not use TLS, // from ~1 MB to ~8 MB (as measured when running the sleep subcommand). This binary does not use TLS,
// so it should not be needed. If this binary is ever changed to make use of TLS client and/or server // so it should not be needed. If this binary is ever changed to make use of TLS client and/or server
@ -23,13 +22,7 @@ import (
// decided by the kube cert agent controller in the Concierge). // decided by the kube cert agent controller in the Concierge).
// //
//nolint:godot // This is not sentence, it is a commented out line of import code. //nolint:godot // This is not sentence, it is a commented out line of import code.
// _ "go.pinniped.dev/internal/crypto/ptls" //_ "go.pinniped.dev/internal/crypto/ptls"
// This side effect imports cgo so that runtime/cgo gets linked, when in fips_strict mode.
// Without this line, the binary will exit 133 upon startup in fips_strict mode.
// It also enables fipsonly tls mode, just to be absolutely sure that the fips code is enabled,
// even though it shouldn't be used currently by this binary.
_ "go.pinniped.dev/internal/crypto/fips"
// This side effect ensures building with at least go1.19 // This side effect ensures building with at least go1.19
_ "go.pinniped.dev/internal/build" _ "go.pinniped.dev/internal/build"


@ -9,7 +9,7 @@ import (
"github.com/pkg/browser" "github.com/pkg/browser"
"go.pinniped.dev/cmd/pinniped/cmd" "go.pinniped.dev/cmd/pinniped/cmd"
// this side effect import ensures that we use fipsonly crypto in fips_strict mode. // this side effect import ensures that we use fipsonly crypto in boringcrypto mode.
_ "go.pinniped.dev/internal/crypto/ptls" _ "go.pinniped.dev/internal/crypto/ptls"
// This side effect ensures building with at least go1.19 // This side effect ensures building with at least go1.19


@ -49,9 +49,12 @@ ARG GOPROXY
# since we would not be able to ship windows and macOS binaries. # since we would not be able to ship windows and macOS binaries.
RUN \ RUN \
mkdir out && \ mkdir out && \
export CGO_ENABLED=1 GOOS=linux GOARCH=amd64 GOEXPERIMENT=boringcrypto && \ export CGO_ENABLED=0 && \
go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \ export GOOS=linux && \
go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \ export GOARCH=amd64 && \
export GOEXPERIMENT=boringcrypto && \
go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \ ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \
ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-supervisor && \ ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-supervisor && \
ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator
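Review bot: `export CGO_ENABLED=0` next to `export GOEXPERIMENT=boringcrypto` very likely does not yield a FIPS binary: as far as I know Go's BoringCrypto integration (crypto/internal/boring) is only compiled when cgo is enabled, so with cgo off the `boringcrypto` build tag is still set and the ptls fips profiles compile, but the actual crypto silently falls back to the pure-Go implementations. The removed lines kept `CGO_ENABLED=1` together with `-linkmode=external -extldflags -static` and the `osusergo,netgo` tags precisely so the cgo-linked binary stays static, and I would restore them. I would also make the image build fail when BoringCrypto is absent rather than trust the flags, by checking the built binary for BoringCrypto symbols.
```dockerfile
RUN \
  mkdir out && \
  # … unchanged: GOOS/GOARCH exports …
  export CGO_ENABLED=1 && \
  export GOEXPERIMENT=boringcrypto && \
  go build -tags osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
  go build -tags osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
  # fail the build if the BoringCrypto module was not linked in
  go tool nm /usr/local/bin/pinniped-server | grep -q _goboringcrypto_ && \
  # … unchanged: ln -s symlinks …
```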


@ -1,6 +0,0 @@
// Copyright 2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Package fips can be imported to enable fipsonly tls mode when compiling with fips_strict.
// It will also cause cgo to be explicitly imported when compiling with fips_strict.
package fips


@ -1,12 +0,0 @@
// Copyright 2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
//go:build fips_strict
// +build fips_strict
package fips
import (
"C" // explicitly import cgo so that runtime/cgo gets linked into the kube-cert-agent
_ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings.
)


@ -1,8 +1,7 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
//go:build !fips_strict //go:build !boringcrypto
// +build !fips_strict
package ptls package ptls


@ -4,8 +4,7 @@
// The configurations here override the usual ptls.Secure, ptls.Default, and ptls.DefaultLDAP // The configurations here override the usual ptls.Secure, ptls.Default, and ptls.DefaultLDAP
// configs when Pinniped is built in fips-only mode. // configs when Pinniped is built in fips-only mode.
// All of these are the same because FIPs is already so limited. // All of these are the same because FIPs is already so limited.
//go:build fips_strict //go:build boringcrypto
// +build fips_strict
package ptls package ptls
@ -18,8 +17,6 @@ import (
"k8s.io/apiserver/pkg/server/options" "k8s.io/apiserver/pkg/server/options"
// Cause fipsonly tls mode with this side effect import.
_ "go.pinniped.dev/internal/crypto/fips"
"go.pinniped.dev/internal/plog" "go.pinniped.dev/internal/plog"
) )
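Review bot: After this hunk nothing visible in the boringcrypto build of ptls imports `crypto/tls/fipsonly`: the deleted `go.pinniped.dev/internal/crypto/fips` package was where that import lived (its deleted file shows `_ "crypto/tls/fipsonly"`), and this hunk removes the import of that package without adding a replacement. Unless the import already sits in the part of the import block above this hunk, the boringcrypto build now relies solely on the hand-written ptls profiles to stay FIPS-compliant, and any tls.Config built elsewhere without ptls is no longer forced to FIPS-approved settings. I would add `_ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings` to the standard-library import group of this file. The opening of the import block is outside this hunk.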


@ -1,8 +1,7 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
//go:build !fips_strict //go:build !boringcrypto
// +build !fips_strict
package ptls package ptls


@ -12,8 +12,7 @@ menu:
By default, the Pinniped supervisor and concierge use ciphers that By default, the Pinniped supervisor and concierge use ciphers that
are not supported by FIPS 140-2. If you are deploying Pinniped in an are not supported by FIPS 140-2. If you are deploying Pinniped in an
environment with FIPS compliance requirements, you will have to build environment with FIPS compliance requirements, you will have to build
the binaries yourself using the `fips_strict` build tag and Golang's the binaries yourself using Golang 1.19 and the `GOEXPERIMENT=boringcrypto` build tag.
`go-boringcrypto` fork.
The Pinniped team provides an [example Dockerfile](https://github.com/vmware-tanzu/pinniped/blob/main/hack/Dockerfile_fips) The Pinniped team provides an [example Dockerfile](https://github.com/vmware-tanzu/pinniped/blob/main/hack/Dockerfile_fips)
demonstrating how you can build Pinniped images in a FIPS compatible way. demonstrating how you can build Pinniped images in a FIPS compatible way.


@ -1,8 +1,7 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
//go:build fips_strict //go:build boringcrypto
// +build fips_strict
package integration package integration


@ -1,8 +1,7 @@
// Copyright 2022 the Pinniped contributors. All Rights Reserved. // Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
//go:build fips_strict //go:build boringcrypto
// +build fips_strict
package testlib package testlib


@ -1,8 +1,7 @@
// Copyright 2022 the Pinniped contributors. All Rights Reserved. // Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
//go:build !fips_strict //go:build !boringcrypto
// +build !fips_strict
package testlib package testlib