Fix go-fips build image

* Install go "manually" from tarball in ci go-fips container. We need go 1.19 to install go-fips 1.19, and the image only has 1.18. * Specify `GOEXPERIMENT=boringcrypto` when building the fips version of runner. As @stanhu mentions, this is necessary because of https://github.com/golang/go/blob/dev.boringcrypto/README.boringcrypto.md See: * golang/go#51940 * golang-fips/go#59
gitlabhq · Mar 3, 2023 · ba4c482 · ba4c482
1 parent 12eca5e
commit ba4c482
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 5 deletions.
diff --git a/Makefile.build.mk b/Makefile.build.mk
@@ -9,7 +9,7 @@ runner-bin-fips: export GOOS ?= linux
 runner-bin-fips: export GOARCH ?= amd64
 runner-bin-fips:
 	# Building $(NAME) in version $(VERSION) for FIPS $(GOOS) $(GOARCH)
-	GOOS=$(GOOS) GOARCH=$(GOARCH) CGO_ENABLED=1 go build \
+	GOOS=$(GOOS) GOARCH=$(GOARCH) CGO_ENABLED=1 GOEXPERIMENT=boringcrypto go build \
 		   -tags fips \
 		   -ldflags "$(GO_LDFLAGS)" \
 		   -o="out/binaries/$(NAME)-$(GOOS)-$(GOARCH)-fips" \

diff --git a/Makefile.runner_helper.mk b/Makefile.runner_helper.mk
@@ -104,7 +104,7 @@ ${BASE_BINARY_PATH}-fips: export GOOS ?= linux
 ${BASE_BINARY_PATH}-fips: export GOARCH ?= amd64
 ${BASE_BINARY_PATH}-fips: APP_NAME := "gitlab-runner-helper"
 ${BASE_BINARY_PATH}-fips: $(HELPER_GO_FILES)
-	GOOS=$(GOOS) GOARCH=$(GOARCH) CGO_ENABLED=1 go build \
+	GOOS=$(GOOS) GOARCH=$(GOARCH) CGO_ENABLED=1 GOEXPERIMENT=boringcrypto go build \
     		   -tags fips \
     		   -ldflags "$(GO_LDFLAGS)" \
     		   -o="${BASE_BINARY_PATH}.$(GO_ARCH_NAME_$(GOARCH))-fips" \

diff --git a/dockerfiles/ci/go.fips.Dockerfile b/dockerfiles/ci/go.fips.Dockerfile
@@ -2,22 +2,37 @@ ARG UBI_VERSION
 
 FROM redhat/ubi8:${UBI_VERSION}
 
-RUN INSTALL_PKGS="openssl-devel glibc-devel gcc git golang" &&  \
+RUN INSTALL_PKGS="openssl-devel glibc-devel gcc git wget" &&  \
     dnf update -y && \
     dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
     dnf clean all -y
 
 ARG GO_VERSION=1.19
+ARG GO_FULL_VERSION=${GO_VERSION}.6
+
+RUN wget https://go.dev/dl/go${GO_FULL_VERSION}.linux-amd64.tar.gz && \
+    tar -C /usr/ -xzf go${GO_FULL_VERSION}.linux-amd64.tar.gz
+
+ENV PATH="$PATH:/usr/go/bin"
 
 RUN git clone \
     https://github.com/golang-fips/go \
     --branch go${GO_VERSION}-fips-release \
     --single-branch \
     --depth 1 \
-    /usr/local/go
+    /tmp/go
+
+RUN cd /tmp/go && \
+    chmod +x scripts/* && \
+    git config --global user.email "you@example.com" && \
+    git config --global user.name "Your Name" && \
+    scripts/full-initialize-repo.sh && \
+    pushd go/src && \
+    CGO_ENABLED=1 ./make.bash && \
+    popd && \
+    mv go /usr/local/
 
 RUN cd /usr/local/go/src && \
-    CGO_ENABLED=1 ./make.bash && \
     rm -rf \
         /usr/local/go/pkg/*/cmd \
         /usr/local/go/pkg/bootstrap \