chore: CRW-4582 enable FIPS... (#258)

* chore: CRW-4582 enable FIPS (CGO_ENABLED=1) Change-Id: Ib3192b59ac6cfe993c952398b11be83db52219b9 Signed-off-by: Nick Boldt <nboldt@redhat.com> * resolve missing gcc Change-Id: I73f35d1b0121ba7b2f816b27beba1bc1071b9d39 Signed-off-by: Nick Boldt <nboldt@redhat.com> --------- Signed-off-by: Nick Boldt <nboldt@redhat.com>
eclipse-che · Jul 11, 2023 · bb7a93f · bb7a93f
1 parent 3cc8889
commit bb7a93f
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 6 deletions.
diff --git a/build/dockerfiles/Dockerfile b/build/dockerfiles/Dockerfile
@@ -31,12 +31,18 @@ RUN addgroup --gid "$GID" "$USER" \
       --uid "$UID" \
       "$USER"
 # initialize CA certificates to propagate them into scratch image
-RUN apk update && apk add --no-cache git && update-ca-certificates
+RUN apk --update --no-cache add \
+    build-base \
+    gcc \
+    git \
+  && rm -rf /tmp/* /var/cache/apk/* && update-ca-certificates
 
 # compile machine exec binary file
 WORKDIR /che-machine-exec/
 COPY . .
-RUN CGO_ENABLED=0 GOOS=linux go build -mod=vendor -a -ldflags '-w -s' -a -installsuffix cgo -o /go/bin/che-machine-exec .
+# to test FIPS compliance, run https://github.com/openshift/check-payload#scan-a-container-or-operator-image against a built image
+ENV CGO_ENABLED=1
+RUN GOOS=linux go build -mod=vendor -a -ldflags '-w -s' -a -installsuffix cgo -o /go/bin/che-machine-exec .
 
 # NOTE: could not compile with node:18-alpine, so for now stick with node:16-alpine
 FROM docker.io/node:16-alpine as cloud_shell_builder

diff --git a/build/dockerfiles/brew.Dockerfile b/build/dockerfiles/brew.Dockerfile
@@ -11,12 +11,15 @@
 
 # https://registry.access.redhat.com/rhel8/go-toolset
 FROM rhel8/go-toolset:1.19.10-3 as builder
-ENV GOPATH=/go/
+ENV GOPATH=/go/ \
+    CGO_ENABLED=1
+
 USER root
 WORKDIR /che-machine-exec/
 COPY . .
+# to test FIPS compliance, run https://github.com/openshift/check-payload#scan-a-container-or-operator-image against a built image
 RUN adduser unprivilegeduser && \
-    CGO_ENABLED=0 GOOS=linux go build -mod=vendor -a -ldflags '-w -s' -a -installsuffix cgo -o che-machine-exec . && \
+    GOOS=linux go build -mod=vendor -a -ldflags '-w -s' -a -installsuffix cgo -o che-machine-exec . && \
     mkdir -p /rootfs/tmp /rootfs/etc /rootfs/go/bin && \
     # In the `scratch` you can't use Dockerfile#RUN, because there is no shell and no standard commands (mkdir and so on).
     # That's why prepare absent `/tmp` folder for scratch image

diff --git a/build/dockerfiles/rhel.Dockerfile b/build/dockerfiles/rhel.Dockerfile
@@ -11,12 +11,14 @@
 
 # https://registry.access.redhat.com/ubi8/go-toolset
 FROM registry.access.redhat.com/ubi8/go-toolset:1.19.10-3 as builder
-ENV GOPATH=/go/
+ENV GOPATH=/go/ \
+    CGO_ENABLED=1
 USER root
 WORKDIR /che-machine-exec/
 COPY . .
+# to test FIPS compliance, run https://github.com/openshift/check-payload#scan-a-container-or-operator-image against a built image
 RUN adduser unprivilegeduser && \
-    CGO_ENABLED=0 GOOS=linux go build -mod=vendor -a -ldflags '-w -s' -a -installsuffix cgo -o che-machine-exec . && \
+    GOOS=linux go build -mod=vendor -a -ldflags '-w -s' -a -installsuffix cgo -o che-machine-exec . && \
     mkdir -p /rootfs/tmp /rootfs/etc /rootfs/go/bin && \
     # In the `scratch` you can't use Dockerfile#RUN, because there is no shell and no standard commands (mkdir and so on).
     # That's why prepare absent `/tmp` folder for scratch image