- Story
- Resolution: Unresolved
- Major
- SECFLOWOTL-108 - FIPS Support - GitOps
Epic Goal
Make the Argo CD container image for RHEL 8 and RHEL 9, from CPaaS and Konflux CI systems, FIPS compliant
Technical Work
- Build git-lfs from source instead of installing pre-built RPM binaries from Red Hat registries, which are not FIPS compliant.
- Enable CGO builds by setting the environment variable CGO_ENABLED=1.
- Enable strict FIPS compliance by setting the environment variable GOEXPERIMENT=strictfipsruntime.
- Set build tags to include strictfipsruntime when building the binaries using go build.
  - For example: go build -tags strictfipsruntime cmd/main.go
- Ensure that the base image for the go build phase uses the latest golang 1.22 based images, which have the required go-toolset for ensuring FIPS compliance.
Binaries to build for FIPS compliance.
- argocd
- kustomize
- helm
- git-lfs
NOTE: If some of the upstream projects do not provide the required overrides for enabling these compiler options, make the required changes upstream and use those overrides for building the binaries in the downstream Dockerfile.
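
A post-build check for the settings listed under Technical Work, as an added example that is not part of this ticket or the project's build scripts. It assumes the toolchain records CGO_ENABLED, GOEXPERIMENT and -tags as `build` lines in `go version -m` output; the function name `check_fips_build` and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm a Go binary's recorded build settings match the
# FIPS build requirements (CGO on, strictfipsruntime experiment and tag).
# Against a real binary:  go version -m ./argocd | check_fips_build

check_fips_build() {
    # Reads `go version -m` output on stdin. Prints one "missing:" line per
    # absent setting and returns non-zero if any setting is absent.
    _info=$(cat)
    _missing=0
    if ! printf '%s\n' "$_info" |
        grep -Eq '^[[:space:]]*build[[:space:]]+CGO_ENABLED=1$'; then
        echo "missing: CGO_ENABLED=1"
        _missing=1
    fi
    # GOEXPERIMENT and -tags are comma-separated lists; match a whole entry
    # so a misspelled value such as "strictfipstruntime" is rejected.
    if ! printf '%s\n' "$_info" |
        grep -Eq '^[[:space:]]*build[[:space:]]+GOEXPERIMENT=([^,]+,)*strictfipsruntime(,.*)?$'; then
        echo "missing: GOEXPERIMENT=strictfipsruntime"
        _missing=1
    fi
    if ! printf '%s\n' "$_info" |
        grep -Eq '^[[:space:]]*build[[:space:]]+-tags=([^,]+,)*strictfipsruntime(,.*)?$'; then
        echo "missing: -tags strictfipsruntime"
        _missing=1
    fi
    return "$_missing"
}

# Constructed samples of `go version -m` output (not from real builds).
sample_good=$(printf 'argocd: go1.22.5\n\tbuild\t-tags=netgo,strictfipsruntime\n\tbuild\tCGO_ENABLED=1\n\tbuild\tGOEXPERIMENT=strictfipsruntime\n')
sample_bad=$(printf 'helm: go1.22.5\n\tbuild\tCGO_ENABLED=0\n')

for _name in sample_good sample_bad; do
    eval "_data=\$$_name"
    if printf '%s\n' "$_data" | check_fips_build; then
        echo "$_name: build settings OK"
    else
        echo "$_name: build settings incomplete"
    fi
done
```

The check only confirms how each binary was built; it does not validate the cryptographic module or the host's FIPS mode.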