
@omer-vishlitzky
Contributor

@omer-vishlitzky omer-vishlitzky commented Jan 14, 2026

Add GOFIPS140=latest to go build commands to enable Go 1.24+ native FIPS 140-3 cryptographic module. This ensures the application uses FIPS-validated crypto when deployed on FIPS-enabled clusters.

see here: https://go.dev/doc/security/fips140

https://issues.redhat.com/browse/MGMT-21756

Add GOFIPS140=latest to go build commands to enable Go 1.24+ native
FIPS 140-3 cryptographic module. This ensures the application uses
FIPS-validated crypto when deployed on FIPS-enabled clusters.

See https://go.dev/doc/security/fips140
@openshift-ci-robot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 14, 2026
@openshift-ci-robot

openshift-ci-robot commented Jan 14, 2026

@omer-vishlitzky: This pull request references MGMT-21756 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Add GOFIPS140=latest to go build commands to enable Go 1.24+ native FIPS 140-3 cryptographic module. This ensures the application uses FIPS-validated crypto when deployed on FIPS-enabled clusters.

Evidence: https://go.dev/doc/security/fips140

Jira: https://issues.redhat.com/browse/MGMT-21756

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot

openshift-ci-robot commented Jan 14, 2026

@omer-vishlitzky: This pull request references MGMT-21756 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Add GOFIPS140=latest to go build commands to enable Go 1.24+ native FIPS 140-3 cryptographic module. This ensures the application uses FIPS-validated crypto when deployed on FIPS-enabled clusters.

see here: https://go.dev/doc/security/fips140

https://issues.redhat.com/browse/MGMT-21756

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jan 14, 2026
@openshift-ci

openshift-ci bot commented Jan 14, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: omer-vishlitzky

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 14, 2026
@openshift-ci

openshift-ci bot commented Jan 14, 2026

@omer-vishlitzky: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@codecov

codecov bot commented Jan 14, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.02%. Comparing base (ba7c26e) to head (0a0f11d).


@@           Coverage Diff           @@
##             main     #650   +/-   ##
=======================================
  Coverage   59.02%   59.02%           
=======================================
  Files          27       27           
  Lines        1674     1674           
=======================================
  Hits          988      988           
  Misses        524      524           
  Partials      162      162           

@omer-vishlitzky
Contributor Author

/retest

@omer-vishlitzky
Contributor Author

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 14, 2026
ADD . /app
WORKDIR /app
RUN CGO_ENABLED=1 GOFLAGS="" GO111MODULE=on go build -o /assisted-image-service main.go
RUN CGO_ENABLED=1 GOFIPS140=latest GOFLAGS="" GO111MODULE=on go build -o /assisted-image-service main.go
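
Review bot: On the added `RUN` line, `GOFIPS140=latest` is unpinned: it selects whatever version of the Go cryptographic module ships with the toolchain in the builder image, so the module version shifts with every Go upgrade, while the commit message states the goal as FIPS-validated crypto. Consider pinning a frozen module version in place of `latest`, and adding a Dockerfile comment that this setting needs Go 1.24 or newer, since the builder image's Go version is not visible in this hunk. The MCE-specific build quoted in the thread still uses `-tags strictfipsruntime` and is not touched here, so the two images would enable FIPS through different mechanisms unless both are changed.
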
Member


What's the difference between this and what we do for the mce-specific build?

RUN GO111MODULE=on GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -tags strictfipsruntime -o assisted-image-service main.go

Should we change both?
