Enable FIPS compliancy in Makefile (#6071)

* Allow building of fips images during release process.
elastic · Oct 31, 2022 · dcd4f32 · dcd4f32
1 parent d11f532
commit dcd4f32
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 4 deletions.
diff --git a/.ci/pipelines/build.Jenkinsfile b/.ci/pipelines/build.Jenkinsfile
@@ -34,10 +34,21 @@ pipeline {
                         sh 'make -C .ci TARGET=ci ci'
                     }
                 }
-                stage('Build and push Docker image') {
-                    steps {
-                        sh '.ci/setenvconfig build'
-                        sh 'make -C .ci license.key TARGET=ci-release ci'
+                stage('build') {
+                    failFast true
+                    parallel {
+                        stage("build and push operator image") {
+                            steps {
+                                sh '.ci/setenvconfig build'
+                                sh 'make -C .ci license.key TARGET=ci-release ci'
+                            }
+                        }
+                        stage("build and push operator image in FIPS mode") {
+                            steps {
+                                sh '.ci/setenvconfig build'
+                                sh 'make -C .ci license.key TARGET=ci-release ci ENABLE_FIPS=true'
+                            }
+                        }
                     }
                 }
                 stage('Upload YAML manifest to S3') {

diff --git a/Makefile b/Makefile
@@ -18,6 +18,9 @@ KUBECTL_CLUSTER := $(shell kubectl config current-context 2> /dev/null)
 # Default to debug logging
 LOG_VERBOSITY ?= 1
 
+# Allow FIPS compliance by means of BoringCrypto build tag.
+ENABLE_FIPS ?= false
+
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 GOBIN := $(or $(shell go env GOBIN 2>/dev/null), $(shell go env GOPATH 2>/dev/null)/bin)
 
@@ -51,6 +54,20 @@ OPERATOR_IMAGE_UBI           ?= $(BASE_IMG)-ubi8:$(IMG_VERSION)
 OPERATOR_DOCKERHUB_IMAGE     ?= docker.io/elastic/$(IMG_NAME):$(IMG_VERSION)
 OPERATOR_DOCKERHUB_IMAGE_UBI ?= docker.io/elastic/$(IMG_NAME)-ubi8:$(IMG_VERSION)
 
+# From https://github.com/golang/go/blob/master/src/internal/goexperiment/flags.go#L17-L18
+#
+# Experiments are exposed to the build in the following ways:
+# - Build tag goexperiment.x is set if experiment x (lower case) is enabled.
+#
+# Also, if fips is enabled, push fips versions of all builds to container registrys.
+ifeq ($(ENABLE_FIPS),true)
+	GO_TAGS += goexperiment.boringcrypto
+	OPERATOR_IMAGE               ?= $(BASE_IMG)-fips:$(IMG_VERSION)
+	OPERATOR_IMAGE_UBI           ?= $(BASE_IMG)-ubi8-fips:$(IMG_VERSION)
+	OPERATOR_DOCKERHUB_IMAGE     ?= docker.io/elastic/$(IMG_NAME)-fips:$(IMG_VERSION)
+	OPERATOR_DOCKERHUB_IMAGE_UBI ?= docker.io/elastic/$(IMG_NAME)-ubi8-fips:$(IMG_VERSION)	
+endif
+
 print-operator-image:
 	@ echo $(OPERATOR_IMAGE)