[SECCOMP-31579] - FIPS support

sysdiglabs · Dec 13, 2024 · ffacb22 · ffacb22
1 parent 0be31e1
commit ffacb22
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -8,6 +8,10 @@ WORKDIR /go/src/github.com/prometheus-community/postgres_exporter
 
 FROM base AS builder
 COPY . .
+
+ENV CGO_ENABLED=1
+ENV GOEXPERIMENT=boringcrypto
+
 RUN go mod tidy
 RUN make build
 RUN cp postgres_exporter /bin/postgres_exporter
@@ -22,4 +26,4 @@ FROM quay.io/sysdig/sysdig-stig-mini-ubi9:1.2.0 AS ubi
 COPY --from=builder /bin/postgres_exporter /bin/postgres_exporter
 EXPOSE     9187
 USER       59000:59000
-ENTRYPOINT [ "/bin/postgres_exporter" ]
+ENTRYPOINT [ "/bin/postgres_exporter" ]
diff --git a/Makefile.common b/Makefile.common
@@ -25,6 +25,10 @@
 # Ensure GOBIN is not set during build so that promu is installed to the correct path
 unexport GOBIN
 
+# Export flags required for FIPS compliance
+export CGO_ENABLED=1
+export GOEXPERIMENT=boringcrypto
+
 GO           ?= go
 GOFMT        ?= $(GO)fmt
 FIRST_GOPATH := $(firstword $(subst :, ,$(shell $(GO) env GOPATH)))

diff --git a/cmd/postgres_exporter/main.go b/cmd/postgres_exporter/main.go
@@ -19,6 +19,8 @@ import (
 	"os"
 	"strings"
 
+	_ "crypto/tls/fipsonly"
+
 	"github.com/alecthomas/kingpin/v2"
 	"github.com/go-kit/log"
 	"github.com/go-kit/log/level"