Build the operator for FIPS enabled environments

This commit does a few things to make the Compliance Operator is built
so that it can run in FIPS-enabled clusters.

- Uses ubi8-minimal for openssl for container image builds
- Set CGO_ENABLE=1
- Use a boilerplate base image for building the operator container image
- Set the appropriate flags so that go builds with FIPS enabled and
  links dynamically to the necessary openssl libraries
- Includes a FIPS-enabled go source file that implements a "FIPS or Die"
  feature

The ubi9-micro image we were using was ideal for minimal dependencies,
but it doesn't include openssl, which  we need to support FIPS. This
commit changes the operator container image to fix this.

Set CGO_ENABLE=1 so that go can link dynamically to the openssl library.

Use an image from app-sre/boilerplate to build the operator binary. This
is needed so that golang links the necessary libraries.

Set the appropriate golang experimental flags at build time so the
complier knows to build for FIPS-enabled clusters. The other part of
this change is a golang file we need to keep in-tree. If we're missing
either, the build won't produce container images for FIPS-enabled
environments.

This commit is a smattering of openshift/boilerplate code that enables
FIPS for operator builds. Eventually, we should reconsider maintaining
our hand-rolled Makefiles for boilerplate, which contains handy tools
and scripts for maintaining common operator components.

Dockerfile.ci

@@ -9,8 +9,10 @@ COPY . .
 
 RUN make manager
 
-# Step two: containerize compliance-operator
-FROM registry.access.redhat.com/ubi8/ubi-micro:latest
+# Step two: containerize compliance-operator. We need to use the ubi-minimal
+# image because it contains openssl, which we need to ensure we're using the
+# right algorithms for FIPS.
+FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
 
 ENV OPERATOR=/usr/local/bin/compliance-operator \
     USER_UID=1001 \

Dockerfile.ocp

@@ -9,8 +9,10 @@ COPY . .
 
 RUN make manager
 
-# Step two: containerize compliance-operator
-FROM registry.access.redhat.com/ubi8/ubi-micro:latest
+# Step two: containerize compliance-operator. We need to use the ubi-minimal
+# image because it contains openssl, which we need to ensure we're using the
+# right algorithms for FIPS.
+FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
 
 ENV OPERATOR=/usr/local/bin/compliance-operator \
     USER_UID=1001 \

Makefile

@@ -419,7 +419,7 @@ images-extra: openscap-image e2e-content-images  ## Build the openscap and test
 
 .PHONY: build
 build: generate fmt vet test-unit ## Build the operator binary.
-	$(GO) build \
+	CGO_ENABLED=1 GOEXPERIMENT=boringcrypto,strictfipsruntime $(GO) build \
 		-trimpath \
 		-ldflags=-buildid= \
 		-o $(TARGET_OPERATOR) $(MAIN_PKG)

build/Dockerfile

@@ -1,5 +1,5 @@
 # Step one: build compliance-operator
-FROM golang:1.21 AS builder
+FROM quay.io/app-sre/boilerplate:image-v3.0.6 AS builder
 
 WORKDIR /go/src/github.com/openshift/compliance-operator
 
@@ -8,8 +8,10 @@ ENV GOFLAGS=-mod=vendor
 COPY . . 
 RUN make manager
 
-# Step two: containerize compliance-operator
-FROM registry.access.redhat.com/ubi9/ubi-micro:latest
+# Step two: containerize compliance-operator. We need to use the ubi-minimal
+# image because it contains openssl, which we need to ensure we're using the
+# right algorithms for FIPS.
+FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
 
 ENV OPERATOR=/usr/local/bin/compliance-operator \
     USER_UID=1001 \

cmd/manager/fips.go

@@ -0,0 +1,21 @@
+//go:build fips_enabled
+// +build fips_enabled
+
+// FIXME(rhmdnd): This was copied from openshift/boilerplate. We should
+// consider migrating our `make` targets to using boilerplate, which include
+// handy approaches and tools to enabling things consistently across
+// operators.
+
+// BOILERPLATE GENERATED -- DO NOT EDIT
+// Run 'make ensure-fips' to regenerate
+
+package manager
+
+import (
+	_ "crypto/tls/fipsonly"
+	"fmt"
+)
+
+func init() {
+	fmt.Println("***** Starting with FIPS crypto enabled *****")
+}