Introduce FIPS compatibility

Signed-off-by: Margo Crawford <margaretc@vmware.com>

hack/Dockerfile_fips

@@ -0,0 +1,45 @@
+# syntax = docker/dockerfile:1.0-experimental
+
+# Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# this dockerfile is used to produce a binary of Pinniped that uses
+# only fips-allowable ciphers.
+
+# use go-boringcrypto rather than main go
+FROM us-docker.pkg.dev/google.com/api-project-999119582588/go-boringcrypto/golang:1.17.8b7 as build-env
+
+WORKDIR /work
+COPY . .
+ARG GOPROXY
+
+# Build the executable binary (CGO_ENABLED=1 is required for go boring)
+# Pass in GOCACHE (build cache) and GOMODCACHE (module cache) so they
+# can be re-used between image builds.
+RUN \
+  --mount=type=cache,target=/cache/gocache \
+  --mount=type=cache,target=/cache/gomodcache \
+  mkdir out && \
+  export CGO_ENABLED=1 GOOS=linux GOARCH=amd64 && \
+  go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
+  go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
+  ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \
+  ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-supervisor && \
+  ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator
+
+# Use a distroless runtime image with CA certificates, timezone data, and not much else.
+FROM gcr.io/distroless/static:nonroot@sha256:80c956fb0836a17a565c43a4026c9c80b2013c83bea09f74fa4da195a59b7a99
+
+# Copy the server binary from the build-env stage.
+COPY --from=build-env /usr/local/bin /usr/local/bin
+
+# Document the default server ports for the various server apps
+EXPOSE 8443 8444 10250
+
+# Run as non-root for security posture
+# Use the same non-root user as https://github.com/GoogleContainerTools/distroless/blob/fc3c4eaceb0518900f886aae90407c43be0a42d9/base/base.bzl#L9
+# This is a workaround for https://github.com/GoogleContainerTools/distroless/issues/718
+USER 65532:65532
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/local/bin/pinniped-server"]

hack/prepare-for-integration-tests.sh

@@ -49,6 +49,7 @@ help=no
 skip_build=no
 clean_kind=no
 api_group_suffix="pinniped.dev" # same default as in the values.yaml ytt file
+dockerfile_path=""
 skip_chromedriver_check=no
 get_active_directory_vars="" # specify a filename for a script to get AD related env variables
 alternate_deploy="undefined"
@@ -91,6 +92,16 @@ while (("$#")); do
     get_active_directory_vars=$1
     shift
     ;;
+  --dockerfile-path)
+    shift
+    # If there are no more command line arguments, or there is another command line argument but it starts with a dash, then error
+    if [[ "$#" == "0" || "$1" == -* ]]; then
+      log_error "--dockerfile-path requires a script name to be specified"
+      exit 1
+    fi
+    dockerfile_path=$1
+    shift
+    ;;
   --alternate-deploy)
     shift
     if [[ "$#" == "0" || "$1" == -* ]]; then
@@ -219,9 +230,14 @@ registry_repo_tag="${registry_repo}:${tag}"
 
 if [[ "$do_build" == "yes" ]]; then
   # Rebuild the code
-  log_note "Docker building the app..."
-  # DOCKER_BUILDKIT=1 is optional on MacOS but required on linux.
-  DOCKER_BUILDKIT=1 docker build . --tag "$registry_repo_tag"
+  if [[ "$dockerfile_path"  != "" ]]; then
+    log_note "Docker building the app with dockerfile $dockerfile_path..."
+    DOCKER_BUILDKIT=1 docker build . --tag "$registry_repo_tag" --file "$dockerfile_path"
+  else
+    log_note "Docker building the app..."
+    # DOCKER_BUILDKIT=1 is optional on MacOS but required on linux.
+    DOCKER_BUILDKIT=1 docker build . --tag "$registry_repo_tag"
+  fi
 fi
 
 # Load it into the cluster