Enable FIPS-140 builds

scripts/build.sh

@@ -138,6 +138,15 @@ ${GOX:?command not found} \
     -output "pkg/{{.OS}}_{{.Arch}}/packer" \
     .
 
+CGO_ENABLED=1 GOEXPERIMENT=boringcrypto ${GOX:?command not found} \
+    -os="${XC_OS:-$ALL_XC_OS}" \
+    -arch="${XC_ARCH:-$ALL_XC_ARCH}" \
+    -osarch="${SKIPPED_OSARCH}" \
+    -ldflags "${GOLDFLAGS}" \
+    -tags="fips" \
+    -output "pkg/{{.OS}}_{{.Arch}}_fips/packer" \
+    .
+
 # trim GOPATH to first element
 IFS="${PATHSEP}"
 # FIXME: How do you know that the first path of GOPATH is the main GOPATH? Or is the main GOPATH meant to be the first path in GOPATH?

version/fips_bulld.go

@@ -0,0 +1,27 @@
+//go:build fips
+
+package version
+
+// This validates during compilation that we are being built with a FIPS enabled go toolchain
+import (
+	_ "crypto/tls/fipsonly"
+	"runtime"
+	"strings"
+)
+
+// IsFIPS returns true if consul-k8s is operating in FIPS-140-2 mode.
+func IsFIPS() bool {
+	return true
+}
+
+func GetFIPSInfo() string {
+	str := "Enabled"
+	// Try to get the crypto module name
+	gover := strings.Split(runtime.Version(), "X:")
+	if len(gover) >= 2 {
+		gover_last := gover[len(gover)-1]
+		// Able to find crypto module name; add that to status string.
+		str = "FIPS 140-2 Enabled, crypto module " + gover_last
+	}
+	return str
+}

version/non_fips_build.go

@@ -0,0 +1,12 @@
+//go:build !fips
+
+package version
+
+// IsFIPS returns true if consul-k8s is operating in FIPS-140-2 mode.
+func IsFIPS() bool {
+	return false
+}
+
+func GetFIPSInfo() string {
+	return ""
+}

version/version.go

@@ -45,6 +45,10 @@ func FormattedVersion() string {
 var SemVer *version.Version
 
 func init() {
+	if IsFIPS() {
+		Version += "+fips1402"
+	}
+
 	PackerVersion = pluginVersion.InitializePluginVersion(Version, VersionPrerelease)
 	SemVer = PackerVersion.SemVer()
 }