POC of replacing boringcrypto with Go's native FIPS-140-3 module

boilerplate/openshift/golang-osd-operator/Dockerfile.olm-registry

@@ -3,8 +3,7 @@ ARG SAAS_OPERATOR_DIR
 COPY ${SAAS_OPERATOR_DIR} manifests
 RUN initializer --permissive
 
-# ubi-micro does not work for clusters with fips enabled unless we make OpenSSL available
-FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
+FROM registry.access.redhat.com/ubi9/ubi-micro:latest
 
 COPY --from=builder /bin/registry-server /bin/registry-server
 COPY --from=builder /bin/grpc_health_probe /bin/grpc_health_probe

boilerplate/openshift/golang-osd-operator/README.md

@@ -121,9 +121,7 @@ Checks consist of:
 
 ## FIPS (Federal Information Processing Standards)
 
-To enable FIPS in your build there is a `make ensure-fips` target.
-
-Add `FIPS_ENABLED=true` to your repos Makefile. Please ensure that this variable is added **before** including boilerplate Makefiles.
+To enable FIPS in your build, add `FIPS_ENABLED=true` to your repo's Makefile. Please ensure that this variable is added **before** including boilerplate Makefiles.
 
 e.g.
 
@@ -133,19 +131,15 @@ FIPS_ENABLED=true
 include boilerplate/generated-includes.mk
 ```
 
-`ensure-fips` will add a [fips.go](./fips.go) file in the same directory as the `main.go` file. (Please commit this file as normal)
-
-`fips.go` will import the necessary packages to restrict all TLS configuration to FIPS-approved settings.
-
-With `FIPS_ENABLED=true`, `ensure-fips` is always run before `make go-build`
+FIPS is enabled via the `fips140=on` GODEBUG option. See https://go.dev/blog/fips140 for more details.
 
 ## Additional deployment support
 
 - The convention currently supports a maximum of two deployments. i.e. The operator deployment itself plus an optional additional deployment.
 - If an additional deployment image has to be built and appended to the CSV as part of the build process, then the consumer needs to:
   - Specify `SupplementaryImage` which is the deployment name in the consuming repository's `config/config.go`.
   - Define the image to be built as `ADDITIONAL_IMAGE_SPECS` in the consuming repository's Makefile, Boilerplate later parses this image as part of the build process; [ref](https://github.com/openshift/boilerplate/blob/master/boilerplate/openshift/golang-osd-operator/standard.mk#L56).
-  
+
   e.g.
 
     ```.mk

boilerplate/openshift/golang-osd-operator/standard.mk

@@ -98,14 +98,11 @@ GOBIN?=$(shell go env GOBIN)
 unexport GOFLAGS
 GOFLAGS_MOD ?=
 
-GOENV+=GOOS=${GOOS} GOARCH=${GOARCH} CGO_ENABLED=1 GOFLAGS="${GOFLAGS_MOD}"
+GOENV+=GOOS=${GOOS} GOARCH=${GOARCH} CGO_ENABLED=0 GOFLAGS="${GOFLAGS_MOD}"
 GOBUILDFLAGS=-gcflags="all=-trimpath=${GOPATH}" -asmflags="all=-trimpath=${GOPATH}"
 
 ifeq (${FIPS_ENABLED}, true)
-GOFLAGS_MOD+=-tags=fips_enabled
-GOFLAGS_MOD:=$(strip ${GOFLAGS_MOD})
-$(warning Setting GOEXPERIMENT=boringcrypto - this generally causes builds to fail unless building inside the provided Dockerfile. If building locally consider calling 'go build .')
-GOENV+=GOEXPERIMENT=boringcrypto
+GOENV+=GODEBUG=fips140=on
 GOENV:=$(strip ${GOENV})
 endif
 
@@ -237,10 +234,6 @@ endif
 .PHONY: generate
 generate: op-generate go-generate openapi-generate manifests
 
-ifeq (${FIPS_ENABLED}, true)
-go-build: ensure-fips
-endif
-
 .PHONY: go-build
 go-build: ## Build binary
 	${GOENV} go build ${GOBUILDFLAGS} -o build/_output/bin/$(OPERATOR_NAME) .
@@ -342,10 +335,6 @@ opm-build-push: python-venv docker-push
 	OLM_CHANNEL="${OLM_CHANNEL}" \
 	${CONVENTION_DIR}/build-opm-catalog.sh
 
-.PHONY: ensure-fips
-ensure-fips:
-	${CONVENTION_DIR}/configure-fips.sh
-
 # You will need to export the forked/cloned operator repository directory as OLD_SDK_REPO_DIR to make this work.
 # Example: export OLD_SDK_REPO_DIR=~/Projects/My-Operator-Fork
 .PHONY: migrate-to-osdk1

boilerplate/openshift/golang-osd-operator/update

@@ -92,10 +92,10 @@ for file in $DOCKERFILES; do
     ${SED?} -i "1s,.*,FROM $IMAGE_PULL_PATH AS builder," $file
   fi
 
-  # Update any UBI images to use a versioned tag of ubi9/ubi-minimal that is compatible with dependabot.
+  # Update any UBI images to use a versioned tag of ubi9/ubi-micro that is compatible with dependabot.
   # WARNING: The ubi version _must_ match the one that Boilerplate's image is built with. Update this if you change the
   # base ubi version.
-  UBI_IMAGE_NAME="registry.access.redhat.com/ubi9/ubi-minimal"
+  UBI_IMAGE_NAME="registry.access.redhat.com/ubi9/ubi-micro"
   for ubi_latest in $(grep -oE 'registry.access.redhat.com/ubi[7-9]/ubi.*?:.*' ${file}); do
       replacement_image=$(skopeo inspect --override-os linux --override-arch amd64 docker://${UBI_IMAGE_NAME} --format "{{.Name}}:{{.Labels.version}}-{{.Labels.release}}")
       echo "Overwriting ${file}'s ${ubi_latest} image to ${replacement_image}"

test/projects/file-generate/build/Dockerfile

@@ -1,4 +1,4 @@
-FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
+FROM registry.access.redhat.com/ubi9/ubi-micro:latest
 
 ENV OPERATOR=/usr/local/bin/file-generate \
     USER_UID=1001 \