[SECCOMP-31582] - FIPS support

alxbxbx · web-flow · commit e71e0ec19120 · 2024-12-16T09:59:23.000+01:00
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -37,6 +37,8 @@ jobs:
     environment:
       DATA_SOURCE_NAME: 'postgresql://postgres:test@localhost:5432/circle_test?sslmode=disable'
       GOOPTS: '-v -tags integration'
+      CGO_ENABLED: 1
+      GOEXPERIMENT: boringcrypto
 
     steps:
     - checkout
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -21,6 +21,9 @@ jobs:
         docker: ['scratch','ubi']
     # The type of runner that the job will run on
     runs-on: ubuntu-latest
+    env:
+      CGO_ENABLED: 1
+      GOEXPERIMENT: boringcrypto
     name: ${{ matrix.docker }}
     steps:
     - name: Login to Quay.io
@@ -38,4 +41,4 @@ jobs:
         sysdig_secure_token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
         tag_name: dev
         target: ${{ matrix.docker }}
-        repository: us-docker.pkg.dev
+        repository: us-docker.pkg.dev
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -16,6 +16,9 @@ jobs:
   golangci:
     name: lint
     runs-on: ubuntu-latest
+    env:
+      CGO_ENABLED: 1
+      GOEXPERIMENT: boringcrypto
     steps:
       - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
diff --git a/.promu.yml b/.promu.yml
@@ -1,6 +1,7 @@
 go:
     # This must match .circle/config.yml.
     version: 1.21
+    cgo: true
 repository:
     path: github.com/prometheus-community/postgres_exporter
 build:
diff --git a/Dockerfile b/Dockerfile
@@ -8,6 +8,10 @@ WORKDIR /go/src/github.com/prometheus-community/postgres_exporter
 
 FROM base AS builder
 COPY . .
+
+ENV CGO_ENABLED=1
+ENV GOEXPERIMENT=boringcrypto
+
 RUN go mod tidy
 RUN make build
 RUN cp postgres_exporter /bin/postgres_exporter
@@ -22,4 +26,4 @@ FROM quay.io/sysdig/sysdig-stig-mini-ubi9:1.2.0 AS ubi
 COPY --from=builder /bin/postgres_exporter /bin/postgres_exporter
 EXPOSE     9187
 USER       59000:59000
-ENTRYPOINT [ "/bin/postgres_exporter" ]
+ENTRYPOINT [ "/bin/postgres_exporter" ]
diff --git a/Makefile.common b/Makefile.common
@@ -36,6 +36,9 @@ GO_VERSION        ?= $(shell $(GO) version)
 GO_VERSION_NUMBER ?= $(word 3, $(GO_VERSION))
 PRE_GO_111        ?= $(shell echo $(GO_VERSION_NUMBER) | grep -E 'go1\.(10|[0-9])\.')
 
+export CGO_ENABLED := 1
+export GOEXPERIMENT := boringcrypto
+
 PROMU        := $(FIRST_GOPATH)/bin/promu
 pkgs          = ./...
 
diff --git a/build/Jenkinsfile b/build/Jenkinsfile
@@ -11,19 +11,21 @@ pipeline {
     environment {
         registryCredential = 'jenkins-artifactory'
         ARTIFACTORY_URL = 'docker.internal.sysdig.com'
+        CGO_ENABLED = '1'
+        GOEXPERIMENT = 'boringcrypto'
     }
 
     parameters {
         booleanParam(name: 'DRY_RUN', defaultValue: true, description: 'Perform a dry run (does not push images)')
         string(name: 'EXPORTER', defaultValue: "exporter", description: 'Exporter name')
     }
-    
+
     stages {
         stage('Pull image from artifactory') {
             agent any
             steps {
                 script {
-                    docker.withRegistry("https://${env.ARTIFACTORY_URL}",  registryCredential) {        
+                    docker.withRegistry("https://${env.ARTIFACTORY_URL}",  registryCredential) {
                         sh """docker pull ${env.ARTIFACTORY_URL}/${env.EXPORTER}:latest"""
                         env.VERSION = sh(script:"""docker inspect --format '{{ index .Config.Labels "release" }}' ${env.ARTIFACTORY_URL}/${env.EXPORTER}:latest""", returnStdout: true).trim()
                         echo "VERSION = ${env.VERSION}"
@@ -53,4 +55,4 @@ pipeline {
             }
         }
     } //stages
-}
+}
diff --git a/cmd/postgres_exporter/main.go b/cmd/postgres_exporter/main.go
@@ -19,6 +19,8 @@ import (
 	"os"
 	"strings"
 
+	_ "crypto/tls/fipsonly"
+
 	"github.com/alecthomas/kingpin/v2"
 	"github.com/go-kit/log"
 	"github.com/go-kit/log/level"
