RHCLOUD-37203: updates build and code to add FIPS support #293

Open: wants to merge 1 commit into base: main

@tonytheleg (Contributor) commented Jan 15, 2025

PR Template:

Describe your changes

Adds fips.go:

  • new package to restrict all TLS configuration to FIPS-approved settings (See fipsonly.go)

Rolls back go version:

  • go-toolset currently installs go 1.22.9, so go.mod has been updated to ensure a supported version of Go is used for builds to work

Updates to Dockerfile:

  • adds the go-toolset package to both the builder container and the final container versus installing Go from upstream
    • the version of Go from go-toolset contains modifications made for RHEL which replaces BoringSSL with OpenSSL. OpenSSL is approved and validated for FedRAMP and FIPS, BoringSSL is not
    • making go tool available on the final image will also aid in proving FIPS compliance for audits
  • installs fips-detect to simplify proving FIPS validation during audits as well (More on fips-detect)

Updates to Makefile:

  • adds a FIPS_ENABLED var that defaults to true
  • adds some GO env vars to be more explicit for builds, including setting GOBUILDFLAGS to remove paths with compiler and assembler (cleaner errors for things like panics by stripping full paths to packages)
  • adds conditional to enforce FIPS during build if FIPS_ENABLED=true
  • updates build command to use new buildflags and account for FIPS or not
  • adds local-build target since building with FIPS_ENABLED will fail locally and wanted to make it easier to build locally without having to set FIPS_ENABLED=false

Updates to README:

  • adds info on building locally
  • adds notes on testing the API in stage and how to test creating/deleting notifications-integrations which work in stage
  • adds info on how to validate FIPS for audits/any other reason

Some notes/useful links:

  • many of the FIPS changes to build flags, fips.go, etc. are well tested in SREP for ensuring all operators deployed for managed openshift are FIPS compliant as they run in FedRAMP. Some info on those changes is available HERE and can also be found in the Makefile in the same repo path
  • Is your Go Application FIPS Compliant?
  • long term we probably don't want to install go onto the running image, or install fips-detect at all, but for the purpose of the FedRAMP build out and SCR I've added them now to simplify testing. We can remove them at a later date and come up with a better validation proof method

Ticket reference (if applicable)

For RHCLOUD-37203

Checklist

  • Are the agreed upon acceptance criteria fulfilled?

  • Was the 4-eye-principle applied? (async PR review, pairing, ensembling)

  • Do your changes have passing automated tests and sufficient observability?

  • Are the work steps you introduced repeatable by others, either through automation or documentation?

    • If automation is possible but not done due to other constraints, a ticket to the tech debt sprint is added
    • An SOP (Standard Operating Procedure) was created
  • The Changes were automatically built, tested, and - if needed, behind a feature flag - deployed to our production environment. (Please check this when the new deployment is done and you could verify it.)

  • Are the agreed upon coding/architectural practices applied?

  • Are security needs fulfilled? (e.g. no internal URL)

  • Is the corresponding Ticket in the right state? (should be on "review" now, put to done when this change made it to production)

  • For changes to the public API / code dependencies: Was the whole team (or a sufficient amount of ppl) able to review?

@tylercreller (Contributor)

Looks reasonable to me, I do have concerns that downgrading go might back us into a corner in the future but we can deal with that if it comes.

@tonytheleg (Contributor Author) commented Jan 15, 2025

> Looks reasonable to me, I do have concerns that downgrading go might back us into a corner in the future but we can deal with that if it comes.

Same here, hopefully we won't hit that issue often if at all but we'll cross that bridge when it comes. I haven't been able to find a release cadence for go toolset yet, if we know how far behind it is from go (go 1.23 released in August and looks like a 6 month cycle) it may not be a huge deal.

UPDATE: some findings -- currently 1.23 is scheduled for RHEL 9.6, which is tentatively in May 2025 some time

@tonytheleg (Contributor Author)

There also appears to be a go-toolset base image if ever needed, but I imagine the release cycle will be the same.

@tonytheleg force-pushed the RHCLOUD-37203-fips-w-openssl branch from bf85ff6 to d902060 on January 16, 2025 17:34

@tonytheleg (Contributor Author) commented Jan 16, 2025

One minor final tweak that moves the fips.go file under the cmd package to ensure it gets called on any commands. I did not see the expected init function print out in logs, now I do which ensures the fipsonly is getting set

$ oc logs kessel-inventory-api-55d879c4f4-lbxqp | head
Defaulted container "kessel-inventory-api" out of: kessel-inventory-api, caddy-tls, migration-init (init)
***** Starting with FIPS crypto enabled *****  <--- fips.go init function output
INFO msg=Using config file: /inventory/inventory-api-config.yaml
Log Level is set to: info
Log Level is set to: info
INFO ts=2025-01-16T17:30:15Z caller=log/log.go:30 service.name=inventory-api service.version=0.1.0 trace.id= span.id= subsystem=storage msg=Persistence disabled: true
INFO ts=2025-01-16T17:30:15Z caller=log/log.go:30 service.name=inventory-api service.version=0.1.0 trace.id= span.id= subsystem=storage msg=Persistence disabled, skipping database connection...

Full validation of non-fedramp and fedramp cluster testing available in Jira card
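
An added example, not the PR's fips.go or the toolchain's fipsonly.go: a plain-Go audit of a `tls.Config` against an allow-list, with the weak configuration beside its hardened copy. The names `AuditTLS`, `Harden` and `allowedSuites` are hypothetical, and the allow-list (TLS 1.2, ECDHE with AES-GCM) is an assumption for illustration, not the project's or the RHEL toolchain's actual FIPS policy.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Allow-list assumed for illustration: TLS 1.2 ECDHE suites with AES-GCM.
var allowedSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
}

// AuditTLS returns one finding per setting outside the allow-list; an unset
// suite list counts as a finding, since the library defaults would apply.
func AuditTLS(cfg *tls.Config) []string {
	var findings []string
	// CipherSuites does not govern TLS 1.3 suites in Go, so pin to TLS 1.2.
	if cfg.MinVersion != tls.VersionTLS12 || cfg.MaxVersion != tls.VersionTLS12 {
		findings = append(findings, "protocol version not pinned to TLS 1.2")
	}
	if len(cfg.CipherSuites) == 0 {
		findings = append(findings, "CipherSuites unset")
	}
	for _, id := range cfg.CipherSuites {
		ok := false
		for _, a := range allowedSuites {
			ok = ok || a == id
		}
		if !ok {
			findings = append(findings, "cipher suite not allowed: "+tls.CipherSuiteName(id))
		}
	}
	return findings
}

// Harden returns a copy of cfg pinned to the allow-list; cfg is not modified.
func Harden(cfg *tls.Config) *tls.Config {
	out := cfg.Clone()
	out.MinVersion, out.MaxVersion = tls.VersionTLS12, tls.VersionTLS12
	out.CipherSuites = append([]uint16(nil), allowedSuites...)
	return out
}

func main() {
	weak := &tls.Config{CipherSuites: []uint16{tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA}} // constructed
	fmt.Println(AuditTLS(weak), AuditTLS(Harden(weak)))
}
```

Curve preferences and signature algorithms are outside what this check covers.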
