From 5bb384cb5d8c581bc1701a272da2f06c5094de12 Mon Sep 17 00:00:00 2001
From: Brad Lugo
Date: Fri, 4 Oct 2024 14:37:35 -0700
Subject: [PATCH] chore: enable strictfipsruntime in Konflux builds

---
 image/rhel/konflux.Dockerfile | 4 +++-
 image/roxctl/konflux.Dockerfile | 4 +++-
 make/env.mk | 6 ++++--
 operator/konflux.Dockerfile | 4 +++-
 scanner/image/scanner/konflux.Dockerfile | 4 +++-
 5 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/image/rhel/konflux.Dockerfile b/image/rhel/konflux.Dockerfile
index 30104cb797143..1415813be9ba7 100644
--- a/image/rhel/konflux.Dockerfile
+++ b/image/rhel/konflux.Dockerfile
@@ -42,7 +42,9 @@ ENV BUILD_TAG="$BUILD_TAG"
 ENV GOFLAGS=""
 ENV CGO_ENABLED=1
 # TODO(ROX-20240): enable non-release development builds.
-ENV GOTAGS="release"
+# TODO(ROX-27054): Remove the redundant strictfipsruntime option if one is found to be so.
+ENV GOTAGS="release,strictfipsruntime"
+ENV GOEXPERIMENT=strictfipsruntime
 ENV CI=1
 RUN # TODO(ROX-13200): make sure roxctl cli is built without running go mod tidy. \
diff --git a/image/roxctl/konflux.Dockerfile b/image/roxctl/konflux.Dockerfile
index 17a6aea4b5baa..e13011e278cd1 100644
--- a/image/roxctl/konflux.Dockerfile
+++ b/image/roxctl/konflux.Dockerfile
@@ -20,7 +20,9 @@ ENV BUILD_TAG="$BUILD_TAG"
 ENV CI=1 GOFLAGS=""
 # TODO(ROX-20240): enable non-release development builds.
-ENV GOTAGS="release"
+# TODO(ROX-27054): Remove the redundant strictfipsruntime option if one is found to be so.
+ENV GOTAGS="release,strictfipsruntime"
+ENV GOEXPERIMENT=strictfipsruntime
 RUN RACE=0 CGO_ENABLED=1 GOOS=linux GOARCH=$(go env GOARCH) scripts/go-build.sh ./roxctl && \
 cp bin/linux_$(go env GOARCH)/roxctl image/bin/roxctl
diff --git a/make/env.mk b/make/env.mk
index c162c5ef3e2f0..6af59e81b151d 100644
--- a/make/env.mk
+++ b/make/env.mk
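Review bot: `ENV GOEXPERIMENT=strictfipsruntime` ties this build stage to a toolchain that knows that experiment (the Red Hat go-toolset does; an upstream Go toolchain rejects an unknown GOEXPERIMENT value and `go build` fails), and the strict runtime is only meaningful with the cgo-backed crypto that this hunk enables via `ENV CGO_ENABLED=1`, yet neither constraint is recorded in the file. Suggest a comment above the new lines, e.g. `# strictfipsruntime (GOEXPERIMENT + build tag) requires the Red Hat go-toolset and CGO_ENABLED=1; as far as I know the binary then fails closed at startup when the host is in FIPS mode but the FIPS crypto backend is unavailable.` The same three-line change with the same duplicated TODO(ROX-27054) text appears in image/roxctl/konflux.Dockerfile, operator/konflux.Dockerfile and scanner/image/scanner/konflux.Dockerfile; consider keeping the explanation in one place and a one-line pointer in each Dockerfile. The RUN that begins on the last hunk line continues outside the hunk.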
@@ -3,6 +3,7 @@ SHELL := /bin/bash
 colon := :
+comma := ,
 # GOPATH might actually be a colon-separated list of paths. For the purposes of this makefile,
 # work with the first element only.
@@ -40,10 +41,11 @@ endif
 TAG := # make sure tag is never injectable as an env var
 RELEASE_GOTAGS := release
-# Use a release go -tag when CI is targetting a tag
+# Use a release go -tag when CI is targeting a tag
 ifdef CI
 ifneq ($(BUILD_TAG),)
-GOTAGS := $(RELEASE_GOTAGS)
+# Preserve existing GOTAGS and append release tags
+GOTAGS := $(if $(GOTAGS),$(GOTAGS)$(comma))$(RELEASE_GOTAGS)
 endif
 endif
diff --git a/operator/konflux.Dockerfile b/operator/konflux.Dockerfile
index 9f5a4f567b983..7f02b56ef25ad 100644
--- a/operator/konflux.Dockerfile
+++ b/operator/konflux.Dockerfile
@@ -11,7 +11,9 @@ RUN if [[ "$BUILD_TAG" == "" ]]; then >&2 echo "error: required BUILD_TAG arg is
 ENV BUILD_TAG="$BUILD_TAG"
 # TODO(ROX-20240): enable non-release development builds.
-ENV GOTAGS="release"
+# TODO(ROX-27054): Remove the redundant strictfipsruntime option if one is found to be so.
+ENV GOTAGS="release,strictfipsruntime"
+ENV GOEXPERIMENT=strictfipsruntime
 ENV CI=1 GOFLAGS="" CGO_ENABLED=1
 RUN GOOS=linux GOARCH=$(go env GOARCH) scripts/go-build-file.sh operator/cmd/main.go image/bin/operator
diff --git a/scanner/image/scanner/konflux.Dockerfile b/scanner/image/scanner/konflux.Dockerfile
index fd57f2def94e1..375d3909026ec 100644
--- a/scanner/image/scanner/konflux.Dockerfile
+++ b/scanner/image/scanner/konflux.Dockerfile
@@ -14,7 +14,9 @@ ENV BUILD_TAG="$BUILD_TAG"
 ENV GOFLAGS=""
 # TODO(ROX-20240): enable non-release development builds.
-ENV GOTAGS="release"
+# TODO(ROX-27054): Remove the redundant strictfipsruntime option if one is found to be so.
+ENV GOTAGS="release,strictfipsruntime"
+ENV GOEXPERIMENT=strictfipsruntime
 ENV CI=1
 COPY . /src
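Review bot: The new `GOTAGS :=` line in the second make/env.mk hunk appends `$(RELEASE_GOTAGS)` unconditionally, so when the environment already carries `release` — which is exactly what the four Konflux Dockerfiles in this patch export via `ENV GOTAGS="release,strictfipsruntime"` — CI builds end up with `-tags release,strictfipsruntime,release`; as far as I know `go build` tolerates a repeated tag, so this is cosmetic, but it is cheap to avoid by wrapping the assignment in `ifeq ($(filter $(RELEASE_GOTAGS),$(subst $(comma), ,$(GOTAGS))),)` … `endif`. Note also that this change makes GOTAGS honoured from the environment in CI release builds, whereas the `TAG :=` reset a few lines up deliberately prevents exactly that for TAG; if that is intended, the new comment should say so, e.g. `# GOTAGS is intentionally taken from the environment so image builds can add tags (e.g. strictfipsruntime) on top of the release tag`.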
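Review bot: In the scanner/image/scanner/konflux.Dockerfile hunk, `ENV GOEXPERIMENT=strictfipsruntime` is enabled without any `CGO_ENABLED=1` in sight, unlike the rhel and operator hunks (ENV) and the roxctl hunk (RUN prefix); the strict FIPS runtime relies on the cgo crypto backend, so if cgo is off for the scanner build the build is likely to fail, or the binary may abort at startup on FIPS-mode hosts. The value may well be set in a part of the file outside this hunk or in the build script the later RUN calls, so please confirm; if it is, consider adding `ENV CGO_ENABLED=1` next to the new lines so the requirement is visible where the experiment is switched on.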