[fips] - Enable boringcrypto in the build image.

nyodas · nyodas · commit 5b87fe31572e · 2025-10-06T10:52:18.000+02:00
This should allow build to have fips crypto enabled when we build with CGO_ENABLED=1

Modify the github build to do so.

datadog:patch

[fips] - Enable fips on select component

This would enable *fipsonly* on the following component:
- kubelet
- kubectl
- kube-controller-manager
- kube-scheduler

The apiserver is currently being held back because not all client is going to be fips.
Especially in non govcloud environment.

datadog:patch
diff --git a/.github/workflows/dd-build.yml b/.github/workflows/dd-build.yml
@@ -20,7 +20,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: 1.22
+        go-version: 1.24
     - name: Set env
       run: echo SANITIZED_TARGET_PLATFORM=${KUBE_BUILD_PLATFORM/\//-} >> $GITHUB_ENV
       env:
@@ -34,9 +34,10 @@ jobs:
         sudo rm -rf /usr/local/.ghcup
     - name: Build
       env:
+        GOFLAGS: "-tags=fips"
         KUBE_BUILD_PLATFORMS: ${{ matrix.platform }}
         KUBE_RELEASE_RUN_TESTS: n
-      run: make quick-release KUBE_BUILD_PLATFORMS=$KUBE_BUILD_PLATFORMS
+      run: make quick-release CGO_ENABLED=1 KUBE_CGO_OVERRIDES="kube-apiserver kube-controller-manager kube-scheduler kubelet" KUBE_BUILD_PLATFORMS=$KUBE_BUILD_PLATFORMS GOFLAGS=$GOFLAGS
     - name: Calculate checksums
       id: calculate_checksums
       shell: bash
diff --git a/build/build-image/Dockerfile b/build/build-image/Dockerfile
@@ -55,3 +55,8 @@ ADD rsyncd.password /
 RUN chmod a+r /rsyncd.password
 ADD rsyncd.sh /
 RUN chmod a+rx /rsyncd.sh
+
+# Enable fips build
+ENV GOEXPERIMENT=boringcrypto
+# Enable debug to keep symbols around, allowing us to do go tool nm
+ENV DBG=1
diff --git a/cmd/kube-apiserver/fips.go b/cmd/kube-apiserver/fips.go
@@ -0,0 +1,6 @@
+//go:build fips
+
+package main
+
+// enforce fips compliance if boringcrypto is enabled
+import _ "crypto/tls/fipsonly"
diff --git a/cmd/kube-controller-manager/fips.go b/cmd/kube-controller-manager/fips.go
@@ -0,0 +1,6 @@
+//go:build fips
+
+package main
+
+// enforce fips compliance if boringcrypto is enabled
+import _ "crypto/tls/fipsonly"
diff --git a/cmd/kube-scheduler/fips.go b/cmd/kube-scheduler/fips.go
@@ -0,0 +1,6 @@
+//go:build fips
+
+package main
+
+// enforce fips compliance if boringcrypto is enabled
+import _ "crypto/tls/fipsonly"
diff --git a/cmd/kubectl/fips.go b/cmd/kubectl/fips.go
@@ -0,0 +1,6 @@
+//go:build fips
+
+package main
+
+// enforce fips compliance if boringcrypto is enabled
+import _ "crypto/tls/fipsonly"
diff --git a/cmd/kubelet/fips.go b/cmd/kubelet/fips.go
@@ -0,0 +1,6 @@
+//go:build fips
+
+package main
+
+// enforce fips compliance if boringcrypto is enabled
+import _ "crypto/tls/fipsonly"
