
FIPS enablement : Enable FIPS compliant build for GitOps Components


    • SECFLOWOTL-108 - FIPS Support - GitOps
    • 6% To Do, 12% In Progress, 82% Done
      FIPS readiness

      Red Hat OpenShift GitOps is designed for FIPS. When running on Red Hat OpenShift Container Platform in FIPS mode, OpenShift Container Platform uses the Red Hat Enterprise Linux cryptographic libraries submitted to NIST for FIPS validation, on only the architectures that are supported by OpenShift Container Platform. For more information about the NIST validation program, see Cryptographic Module Validation Program. For the latest NIST status of the individual versions of the RHEL cryptographic libraries submitted for validation, see Compliance Activities and Government Standards.

      If you plan to manage clusters with FIPS enabled, you must install Red Hat OpenShift GitOps on an OpenShift Container Platform cluster configured to operate in FIPS mode.

      To enable FIPS mode on your managed clusters, set fips: true when you provision your OpenShift Container Platform managed cluster. You cannot enable FIPS after you provision your cluster. For more information, see the OpenShift Container Platform documentation: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html-single/installing/index#installing-preparing-security

      Epic Goal

      Make the Argo CD container image for RHEL 8 and RHEL 9, built by the CPaaS and Konflux CI systems, FIPS compliant.


      Technical Work

      • Build git-lfs from source instead of installing the pre-built RPM binaries from Red Hat registries, which are not FIPS compliant.
      • Enable CGO builds by setting the environment variable CGO_ENABLED=1.
      • Enable strict FIPS compliance by setting the environment variable GOEXPERIMENT=strictfipsruntime.
      • Include the strictfipsruntime build tag when building the binaries with go build.
        • For example: go build -tags strictfipsruntime cmd/main.go
      • Ensure that the base image for the go build phase uses the latest golang 1.22 based images, which carry the go-toolset required for FIPS compliance.
      • Ensure that no static linking flags are present in the go build command (e.g. -ldflags '-extldflags "-static"').

      Binaries to build for FIPS compliance.

      • argocd
      • kustomize
      • helm
      • git-lfs

      NOTE: If some of the upstream projects do not provide the required overrides for enabling these compiler options, make the required changes upstream and use those overrides when building the binaries in the downstream Dockerfile.

      Acceptance Criteria

      • Scan the images with the new check tool, https://github.com/openshift/check-payload, which checks for CGO_ENABLED=1, the presence of openssl, the strictfipsruntime tag, the no_openssl tag, and dynamic linking.
      • All existing acceptance tests should pass when run against an OCP cluster with FIPS enabled.
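      The build rules under Technical Work and the properties check-payload looks for, expressed as an added pre-flight lint script (not code from GITOPS-6365 or from the check-payload tool); the function name and the sample go build arguments are constructed:

```shell
#!/bin/sh
# Added example, not code from GITOPS-6365 or from check-payload: a pre-flight
# lint of the go build environment and arguments against the FIPS build rules
# listed under "Technical Work". The function name and the sample build
# commands below are constructed for illustration.

# fips_build_check CGO_ENABLED GOEXPERIMENT "<go build arguments>"
# Prints one line per violation; returns the number of violations (0 = compliant).
fips_build_check() {
    cgo="$1"; goexp="$2"; args="$3"; n=0
    if [ "$cgo" != "1" ]; then
        echo "CGO_ENABLED must be 1 (got '${cgo:-unset}')"; n=$((n + 1))
    fi
    case ",$goexp," in
        *,strictfipsruntime,*) ;;
        *) echo "GOEXPERIMENT must include strictfipsruntime (got '${goexp:-unset}')"; n=$((n + 1)) ;;
    esac
    # The tag list follows -tags, written either as "-tags a,b" or "-tags=a,b".
    tags=$(printf '%s\n' "$args" | sed -n 's/.*-tags[= ]\([^ ]*\).*/\1/p')
    case ",$tags," in
        *,strictfipsruntime,*) ;;
        *) echo "build tags must include strictfipsruntime (got '${tags:-none}')"; n=$((n + 1)) ;;
    esac
    case ",$tags," in
        *,no_openssl,*) echo "build tag no_openssl disables the OpenSSL-backed crypto"; n=$((n + 1)) ;;
    esac
    case "$args" in
        *-static*) echo "static linking flag present; the binary must be dynamically linked"; n=$((n + 1)) ;;
    esac
    return "$n"
}

# Constructed sample invocations: a compliant build and a non-compliant one.
compliant_cmd='build -tags strictfipsruntime -o /out/argocd ./cmd'
noncompliant_cmd="build -tags no_openssl -ldflags '-extldflags \"-static\"' -o /out/argocd ./cmd"
fips_build_check 1 strictfipsruntime "$compliant_cmd" && echo "compliant: go $compliant_cmd"
fips_build_check 0 "" "$noncompliant_cmd" || echo "non-compliant, $? violation(s): go $noncompliant_cmd"
```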

              rh-ee-anjoseph Anand Francis Joseph