Use tag 'boringcrypto' instead of 'fips_strict'

Dockerfile

@@ -16,7 +16,11 @@ RUN \
   --mount=type=cache,target=/cache/gocache \
   --mount=type=cache,target=/cache/gomodcache \
   mkdir out && \
-  export GOCACHE=/cache/gocache GOMODCACHE=/cache/gomodcache CGO_ENABLED=0 GOOS=linux GOARCH=amd64 && \
+  export GOCACHE=/cache/gocache && \
+  export GOMODCACHE=/cache/gomodcache && \
+  export CGO_ENABLED=0 && \
+  export GOOS=linux && \
+  export GOARCH=amd64 && \
   go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
   go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
   ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \

cmd/pinniped-concierge-kube-cert-agent/main.go

@@ -13,8 +13,7 @@ import (
 	"os"
 	"time"
 
-	// This side effect import ensures that we use fipsonly crypto during TLS in fips_strict mode.
-	//
+	// This side effect import ensures that we use fipsonly crypto in boringcrypto mode.
 	// Commenting this out because it causes the runtime memory consumption of this binary to increase
 	// from ~1 MB to ~8 MB (as measured when running the sleep subcommand). This binary does not use TLS,
 	// so it should not be needed. If this binary is ever changed to make use of TLS client and/or server
@@ -25,12 +24,6 @@ import (
 	//nolint:godot // This is not sentence, it is a commented out line of import code.
 	//_ "go.pinniped.dev/internal/crypto/ptls"
 
-	// This side effect imports cgo so that runtime/cgo gets linked, when in fips_strict mode.
-	// Without this line, the binary will exit 133 upon startup in fips_strict mode.
-	// It also enables fipsonly tls mode, just to be absolutely sure that the fips code is enabled,
-	// even though it shouldn't be used currently by this binary.
-	_ "go.pinniped.dev/internal/crypto/fips"
-
 	// This side effect ensures building with at least go1.19
 	_ "go.pinniped.dev/internal/build"
 )

cmd/pinniped/main.go

@@ -9,7 +9,7 @@ import (
 	"github.com/pkg/browser"
 
 	"go.pinniped.dev/cmd/pinniped/cmd"
-	// this side effect import ensures that we use fipsonly crypto in fips_strict mode.
+	// this side effect import ensures that we use fipsonly crypto in boringcrypto mode.
 	_ "go.pinniped.dev/internal/crypto/ptls"
 
 	// This side effect ensures building with at least go1.19

hack/Dockerfile_fips

@@ -49,9 +49,12 @@ ARG GOPROXY
 # since we would not be able to ship windows and macOS binaries.
 RUN \
   mkdir out && \
-  export CGO_ENABLED=1 GOOS=linux GOARCH=amd64 GOEXPERIMENT=boringcrypto && \
-  go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
-  go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
+  export CGO_ENABLED=0 && \
+  export GOOS=linux && \
+  export GOARCH=amd64 && \
+  export GOEXPERIMENT=boringcrypto && \
+  go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
+  go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
   ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \
   ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-supervisor && \
   ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator

internal/crypto/fips/doc.go

@@ -1,6 +0,0 @@
-// Copyright 2023 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-// Package fips can be imported to enable fipsonly tls mode when compiling with fips_strict.
-// It will also cause cgo to be explicitly imported when compiling with fips_strict.
-package fips

internal/crypto/fips/fips_strict.go

@@ -1,12 +0,0 @@
-// Copyright 2023 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-//go:build fips_strict
-// +build fips_strict
-
-package fips
-
-import (
-	"C"                     // explicitly import cgo so that runtime/cgo gets linked into the kube-cert-agent
-	_ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings.
-)

internal/crypto/ptls/default.go

@@ -1,8 +1,7 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-//go:build !fips_strict
-// +build !fips_strict
+//go:build !boringcrypto
 
 package ptls
 

internal/crypto/ptls/fips_strict.go

@@ -4,8 +4,7 @@
 // The configurations here override the usual ptls.Secure, ptls.Default, and ptls.DefaultLDAP
 // configs when Pinniped is built in fips-only mode.
 // All of these are the same because FIPs is already so limited.
-//go:build fips_strict
-// +build fips_strict
+//go:build boringcrypto
 
 package ptls
 
@@ -18,8 +17,6 @@ import (
 
 	"k8s.io/apiserver/pkg/server/options"
 
-	// Cause fipsonly tls mode with this side effect import.
-	_ "go.pinniped.dev/internal/crypto/fips"
 	"go.pinniped.dev/internal/plog"
 )
 

internal/crypto/ptls/secure.go

@@ -1,8 +1,7 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-//go:build !fips_strict
-// +build !fips_strict
+//go:build !boringcrypto
 
 package ptls
 

site/content/docs/reference/fips.md

@@ -12,8 +12,7 @@ menu:
 By default, the Pinniped supervisor and concierge use ciphers that
 are not supported by FIPS 140-2. If you are deploying Pinniped in an
 environment with FIPS compliance requirements, you will have to build
-the binaries yourself using the `fips_strict` build tag and Golang's
-`go-boringcrypto` fork.
+the binaries yourself using Golang 1.19 and the `GOEXPERIMENT=boringcrypto` build tag.
 
 The Pinniped team provides an [example Dockerfile](https://github.com/vmware-tanzu/pinniped/blob/main/hack/Dockerfile_fips)
 demonstrating how you can build Pinniped images in a FIPS compatible way.

test/integration/securetls_fips_test.go

@@ -1,8 +1,7 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-//go:build fips_strict
-// +build fips_strict
+//go:build boringcrypto
 
 package integration
 

test/testlib/securetls_preference_fips.go

@@ -1,8 +1,7 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-//go:build fips_strict
-// +build fips_strict
+//go:build boringcrypto
 
 package testlib
 

test/testlib/securetls_preference_nonfips.go

@@ -1,8 +1,7 @@
-// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-//go:build !fips_strict
-// +build !fips_strict
+//go:build !boringcrypto
 
 package testlib