  1. OpenShift GitOps
  2. GITOPS-5997

FIPS enablement : Argo Rollouts Container image - RHEL 8


      Epic Goal

      Make the Argo CD Rollouts image for RHEL 8, built by the CPaaS and Konflux CI systems, FIPS compliant.

      The golang.org/x/crypto library is used by argo-rollouts (https://github.com/argoproj/argo-rollouts/blob/master/go.mod), so it must be built for FIPS compliance.
       

      Technical Work

      • Enable CGO builds by setting environment variable CGO_ENABLED=1
      • Enable strict FIPS compliance by setting environment variable GOEXPERIMENT=strictfipsruntime.
      • Set build tags to include strictfipsruntime when building the binaries using go build
        • For example: go build -tags strictfipsruntime cmd/main.go
      • Ensure that the base image for the go build phase uses the latest golang 1.22 based image, which has the required go-toolset for ensuring FIPS compliance.
      • Ensure that there are no static flags in the build command (e.g. -ldflags '-extldflags "-static"')
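
      A pre-build check for the settings listed above, as an added example that is not part of this ticket or of any project's tooling: it lints one go build invocation and prints each setting that is missing. It assumes the environment assignments sit on the same line as the command; the function names are hypothetical, and the experiment variable is matched as GOEXPERIMENT, the name the Go toolchain reads.

```shell
#!/bin/sh
# Added example (not from the ticket): lint one "go build" invocation, written
# with its environment assignments on the same line, against the checklist.

# True when the comma-separated list $1 contains strictfipsruntime.
has_fips_item() {
    case ",$1," in *,strictfipsruntime,*) return 0 ;; esac
    return 1
}

# Prints one finding per line; returns 0 only when there are none.
fips_build_lint() (
    set -f                      # split into words without expanding globs
    cgo=no exp=no tag=no static=no prev=
    for tok in $(printf '%s' "$1" | tr -d "\"'"); do
        # Normalise "-tags X" to "-tags=X" so both spellings hit one branch.
        if [ "$prev" = -tags ]; then tok="-tags=$tok"; fi
        case $tok in
            CGO_ENABLED=1)  cgo=yes ;;
            # Assumption: the Go toolchain reads this variable as GOEXPERIMENT.
            GOEXPERIMENT=*) if has_fips_item "${tok#GOEXPERIMENT=}"; then exp=yes; fi ;;
            -tags=*)        if has_fips_item "${tok#-tags=}"; then tag=yes; fi ;;
            -static)        static=yes ;;   # e.g. -ldflags '-extldflags "-static"'
        esac
        prev=$tok
    done
    bad=0
    [ "$cgo" = yes ]   || { echo "CGO_ENABLED=1 is not set"; bad=1; }
    [ "$exp" = yes ]   || { echo "GOEXPERIMENT lacks strictfipsruntime"; bad=1; }
    [ "$tag" = yes ]   || { echo "-tags lacks strictfipsruntime"; bad=1; }
    [ "$static" = no ] || { echo "static linking requested (-static)"; bad=1; }
    [ "$bad" -eq 0 ]
)

# Constructed sample: CGO off, misspelled build tag, static link requested.
SAMPLE="CGO_ENABLED=0 go build -tags strictfipstruntime -ldflags '-extldflags \"-static\"' cmd/main.go"
fips_build_lint "$SAMPLE" || true
```

      A misspelled tag is accepted silently by go build, which is why the lint compares the tag list item by item instead of searching for a substring.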

      Binaries to build for FIPS compliance.

      • argo-rollouts

      NOTE: If some of the upstream projects do not have the required overrides for enabling these compiler options, make the required changes upstream and use those overrides for building the binaries in the downstream Dockerfile.

      Acceptance Criteria

      Use the new check tool to scan images
      https://github.com/openshift/check-payload: checks CGO_ENABLED=1, presence of openssl, strictfipsruntime tag, no_openssl tag, dynamic linking
      All existing acceptance tests should pass when run against an OCP cluster with FIPS enabled.

              rh-ee-anjoseph Anand Francis Joseph