[SECCOMP-31582] - FIPS support

[SECCOMP-31582] - FIPS support

.circleci/config.yml

@@ -37,6 +37,8 @@ jobs:
     environment:
       DATA_SOURCE_NAME: 'postgresql://postgres:test@localhost:5432/circle_test?sslmode=disable'
       GOOPTS: '-v -tags integration'
+      CGO_ENABLED: 1
+      GOEXPERIMENT: boringcrypto
 
     steps:
     - checkout

.github/workflows/build.yaml

@@ -21,6 +21,9 @@ jobs:
         docker: ['scratch','ubi']
     # The type of runner that the job will run on
     runs-on: ubuntu-latest
+    env:
+      CGO_ENABLED: 1
+      GOEXPERIMENT: boringcrypto
     name: ${{ matrix.docker }}
     steps:
     - name: Login to Quay.io
@@ -38,4 +41,4 @@ jobs:
         sysdig_secure_token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
         tag_name: dev
         target: ${{ matrix.docker }}
-        repository: us-docker.pkg.dev
+        repository: us-docker.pkg.dev

.github/workflows/golangci-lint.yml

@@ -16,6 +16,9 @@ jobs:
   golangci:
     name: lint
     runs-on: ubuntu-latest
+    env:
+      CGO_ENABLED: 1
+      GOEXPERIMENT: boringcrypto
     steps:
       - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

.promu.yml

@@ -1,6 +1,7 @@
 go:
     # This must match .circle/config.yml.
     version: 1.21
+    cgo: true
 repository:
     path: github.com/prometheus-community/postgres_exporter
 build:

Dockerfile

@@ -8,6 +8,10 @@ WORKDIR /go/src/github.com/prometheus-community/postgres_exporter
 
 FROM base AS builder
 COPY . .
+
+ENV CGO_ENABLED=1
+ENV GOEXPERIMENT=boringcrypto
+
 RUN go mod tidy
 RUN make build
 RUN cp postgres_exporter /bin/postgres_exporter
@@ -22,4 +26,4 @@ FROM quay.io/sysdig/sysdig-stig-mini-ubi9:1.2.0 AS ubi
 COPY --from=builder /bin/postgres_exporter /bin/postgres_exporter
 EXPOSE     9187
 USER       59000:59000
-ENTRYPOINT [ "/bin/postgres_exporter" ]
+ENTRYPOINT [ "/bin/postgres_exporter" ]

Makefile.common

@@ -36,6 +36,9 @@ GO_VERSION        ?= $(shell $(GO) version)
 GO_VERSION_NUMBER ?= $(word 3, $(GO_VERSION))
 PRE_GO_111        ?= $(shell echo $(GO_VERSION_NUMBER) | grep -E 'go1\.(10|[0-9])\.')
 
+export CGO_ENABLED := 1
+export GOEXPERIMENT := boringcrypto
+
 PROMU        := $(FIRST_GOPATH)/bin/promu
 pkgs          = ./...
 

build/Jenkinsfile

@@ -11,19 +11,21 @@ pipeline {
     environment {
         registryCredential = 'jenkins-artifactory'
         ARTIFACTORY_URL = 'docker.internal.sysdig.com'
+        CGO_ENABLED = '1'
+        GOEXPERIMENT = 'boringcrypto'
     }
 
     parameters {
         booleanParam(name: 'DRY_RUN', defaultValue: true, description: 'Perform a dry run (does not push images)')
         string(name: 'EXPORTER', defaultValue: "exporter", description: 'Exporter name')
     }
-    
+
     stages {
         stage('Pull image from artifactory') {
             agent any
             steps {
                 script {
-                    docker.withRegistry("https://${env.ARTIFACTORY_URL}",  registryCredential) {        
+                    docker.withRegistry("https://${env.ARTIFACTORY_URL}",  registryCredential) {
                         sh """docker pull ${env.ARTIFACTORY_URL}/${env.EXPORTER}:latest"""
                         env.VERSION = sh(script:"""docker inspect --format '{{ index .Config.Labels "release" }}' ${env.ARTIFACTORY_URL}/${env.EXPORTER}:latest""", returnStdout: true).trim()
                         echo "VERSION = ${env.VERSION}"
@@ -53,4 +55,4 @@ pipeline {
             }
         }
     } //stages
-}
+}

cmd/postgres_exporter/main.go

@@ -19,6 +19,8 @@ import (
 	"os"
 	"strings"
 
+	_ "crypto/tls/fipsonly"
+
 	"github.com/alecthomas/kingpin/v2"
 	"github.com/go-kit/log"
 	"github.com/go-kit/log/level"