From 51d387764cddc170dbfe7b638a2647a6ae1ab387 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 14 Feb 2025 04:02:35 +0000
Subject: [PATCH 1/2] core: bump oss/go/microsoft/golang

Bumps oss/go/microsoft/golang from 1.23-fips-bookworm to 1.24-fips-bookworm.

---
updated-dependencies:
- dependency-name: oss/go/microsoft/golang
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot]
---
 Dockerfile        | 2 +-
 ldap.Dockerfile   | 2 +-
 proxy.Dockerfile  | 2 +-
 rac.Dockerfile    | 2 +-
 radius.Dockerfile | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 3d1404af3545..666d01b985f5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -43,7 +43,7 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build
 
 # Stage 3: Build go proxy
-FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.24-fips-bookworm AS go-builder
 
 ARG TARGETOS
 ARG TARGETARCH
diff --git a/ldap.Dockerfile b/ldap.Dockerfile
index 088204382798..f37aa37c3ce9 100644
--- a/ldap.Dockerfile
+++ b/ldap.Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage 1: Build
-FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-bookworm AS builder
+FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.24-fips-bookworm AS builder
 
 ARG TARGETOS
 ARG TARGETARCH
diff --git a/proxy.Dockerfile b/proxy.Dockerfile
index 363d0729e80a..ca515f8a1424 100644
--- a/proxy.Dockerfile
+++ b/proxy.Dockerfile
@@ -17,7 +17,7 @@ COPY web .
 RUN npm run build-proxy
 
 # Stage 2: Build
-FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-bookworm AS builder
+FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.24-fips-bookworm AS builder
 
 ARG TARGETOS
 ARG TARGETARCH
diff --git a/rac.Dockerfile b/rac.Dockerfile
index 892d0a407d9b..e57ed09d7425 100644
--- a/rac.Dockerfile
+++ b/rac.Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage 1: Build
-FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-bookworm AS builder
+FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.24-fips-bookworm AS builder
 
 ARG TARGETOS
 ARG TARGETARCH
diff --git a/radius.Dockerfile b/radius.Dockerfile
index b488b3b6b3a3..394204625374 100644
--- a/radius.Dockerfile
+++ b/radius.Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage 1: Build
-FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-bookworm AS builder
+FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.24-fips-bookworm AS builder
 
 ARG TARGETOS
 ARG TARGETARCH

From 13122dda44a7323108b6a92c901c811c7812599e Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 19 Feb 2025 14:29:58 +0100
Subject: [PATCH 2/2] upstream docker image, use native fips

Signed-off-by: Jens Langhammer
---
 Dockerfile                               | 4 ++--
 internal/crypto/backend/fips_disabled.go | 5 -----
 internal/crypto/backend/fips_enabled.go  | 5 -----
 internal/outpost/ak/api.go               | 3 ++-
 ldap.Dockerfile                          | 4 ++--
 proxy.Dockerfile                         | 4 ++--
 rac.Dockerfile                           | 4 ++--
 radius.Dockerfile                        | 4 ++--
 8 files changed, 12 insertions(+), 21 deletions(-)
 delete mode 100644 internal/crypto/backend/fips_disabled.go
 delete mode 100644 internal/crypto/backend/fips_enabled.go

diff --git a/Dockerfile b/Dockerfile
index 666d01b985f5..e42892374dd0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -43,7 +43,7 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build
 
 # Stage 3: Build go proxy
-FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.24-fips-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder
 
 ARG TARGETOS
 ARG TARGETARCH
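Review bot: The new `FROM` line in the Dockerfile hunk references the builder image by a floating tag only (`docker.io/library/golang:1.24-bookworm`), so the toolchain that produces the FIPS-mode binaries is not reproducible and a retagged or compromised upstream image would be pulled silently; the previous line had the same weakness, but a registry switch is a good moment to fix it. Pinning by digest, e.g. `FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm@sha256:<DIGEST_PLACEHOLDER> AS go-builder`, keeps the tag readable while making the build fail closed on an unexpected image, and dependabot can keep the digest current. The same applies to the corresponding `FROM` hunks in ldap.Dockerfile, proxy.Dockerfile, rac.Dockerfile and radius.Dockerfile in this patch.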
@@ -76,7 +76,7 @@ COPY ./go.sum /go/src/goauthentik.io/go.sum
 RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
     if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
-    CGO_ENABLED=1 GOEXPERIMENT="systemcrypto" GOFLAGS="-tags=requirefips" GOARM="${TARGETVARIANT#v}" \
+    CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
     go build -o /go/authentik ./cmd/server
 
 # Stage 4: MaxMind GeoIP
diff --git a/internal/crypto/backend/fips_disabled.go b/internal/crypto/backend/fips_disabled.go
deleted file mode 100644
index 418cd1a144a1..000000000000
--- a/internal/crypto/backend/fips_disabled.go
+++ /dev/null
@@ -1,5 +0,0 @@
-//go:build requirefips
-
-package backend
-
-var FipsEnabled = true
diff --git a/internal/crypto/backend/fips_enabled.go b/internal/crypto/backend/fips_enabled.go
deleted file mode 100644
index 49a0c95bb456..000000000000
--- a/internal/crypto/backend/fips_enabled.go
+++ /dev/null
@@ -1,5 +0,0 @@
-//go:build !requirefips
-
-package backend
-
-var FipsEnabled = false
diff --git a/internal/outpost/ak/api.go b/internal/outpost/ak/api.go
index fd8050042a0d..11a69fba3019 100644
--- a/internal/outpost/ak/api.go
+++ b/internal/outpost/ak/api.go
@@ -2,6 +2,7 @@ package ak
 
 import (
 	"context"
+	"crypto/fips140"
 	"fmt"
 	"math/rand"
 	"net/http"
@@ -203,7 +204,7 @@ func (a *APIController) getWebsocketPingArgs() map[string]interface{} {
 		"golangVersion": runtime.Version(),
 		"opensslEnabled": cryptobackend.OpensslEnabled,
 		"opensslVersion": cryptobackend.OpensslVersion(),
-		"fipsEnabled": cryptobackend.FipsEnabled,
+		"fipsEnabled": fips140.Enabled(),
 	}
 	hostname, err := os.Hostname()
 	if err == nil {
diff --git a/ldap.Dockerfile b/ldap.Dockerfile
index f37aa37c3ce9..53df209ccefd 100644
--- a/ldap.Dockerfile
+++ b/ldap.Dockerfile
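Review bot: `GOFIPS140=latest` on the new `go build` line is weaker than the `-tags=requirefips` it replaces in two ways: `latest` selects whatever crypto module snapshot ships with the toolchain rather than a specific validated one, and it only sets the *default* of the `fips140` GODEBUG to `on`, which, as far as I read the Go 1.24 FIPS docs, can still be overridden to `off` through the `GODEBUG` environment at container start, whereas the old build tag failed closed. If a validated module is the goal, pin it, `CGO_ENABLED=1 GOFIPS140=v1.0.0 GOARM="${TARGETVARIANT#v}" \`, and if the former hard requirement is still wanted, have the `cmd/*` entry points (outside this hunk) refuse to start when `fips140.Enabled()` is false, or set `GODEBUG=fips140=only` in the runtime stage so non-approved algorithms error out rather than silently degrade. With the OpenSSL-backed `systemcrypto` experiment gone, `CGO_ENABLED=1` and the arm64 `CC` exports on the line above may only still be needed if some other dependency links C code; if nothing does, `CGO_ENABLED=0` would yield a static binary with less surface. The same `GOFIPS140=latest` line is repeated in the ldap.Dockerfile, proxy.Dockerfile, rac.Dockerfile and radius.Dockerfile hunks of this patch.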
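Review bot: In the `getWebsocketPingArgs` hunk the new `"fipsEnabled": fips140.Enabled()` correctly reports the runtime FIPS state, but the two lines above it still publish `cryptobackend.OpensslEnabled` and `cryptobackend.OpensslVersion()`, and this same commit drops `GOEXPERIMENT="systemcrypto"` from every Dockerfile, so those fields presumably now always report the OpenSSL backend as disabled while the build is in FIPS mode. An operator reading the ping payload to audit crypto posture would see a contradictory picture; either remove the OpenSSL fields alongside the deleted `FipsEnabled` variable or add a comment such as `// opensslEnabled/opensslVersion reflect the legacy systemcrypto backend; the FIPS state of this build is fips140.Enabled()` so the two are not read as one signal. Note also that `fips140.Enabled()` is true for both `on` and `only` modes, so the field cannot tell an auditor whether non-approved algorithms are rejected. The enclosing function starts and ends outside the hunk.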
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage 1: Build
-FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.24-fips-bookworm AS builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -27,7 +27,7 @@ COPY . .
 RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
     if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
-    CGO_ENABLED=1 GOEXPERIMENT="systemcrypto" GOFLAGS="-tags=requirefips" GOARM="${TARGETVARIANT#v}" \
+    CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
     go build -o /go/ldap ./cmd/ldap
 
 # Stage 2: Run
diff --git a/proxy.Dockerfile b/proxy.Dockerfile
index ca515f8a1424..95000c86b5b5 100644
--- a/proxy.Dockerfile
+++ b/proxy.Dockerfile
@@ -17,7 +17,7 @@ COPY web .
 RUN npm run build-proxy
 
 # Stage 2: Build
-FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.24-fips-bookworm AS builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -43,7 +43,7 @@ COPY . .
 RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
     if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
-    CGO_ENABLED=1 GOEXPERIMENT="systemcrypto" GOFLAGS="-tags=requirefips" GOARM="${TARGETVARIANT#v}" \
+    CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
     go build -o /go/proxy ./cmd/proxy
 
 # Stage 3: Run
diff --git a/rac.Dockerfile b/rac.Dockerfile
index e57ed09d7425..cede3972d0cf 100644
--- a/rac.Dockerfile
+++ b/rac.Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage 1: Build
-FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.24-fips-bookworm AS builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -27,7 +27,7 @@ COPY . .
 RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
     if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
-    CGO_ENABLED=1 GOEXPERIMENT="systemcrypto" GOFLAGS="-tags=requirefips" GOARM="${TARGETVARIANT#v}" \
+    CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
     go build -o /go/rac ./cmd/rac
 
 # Stage 2: Run
diff --git a/radius.Dockerfile b/radius.Dockerfile
index 394204625374..af7d246d8c01 100644
--- a/radius.Dockerfile
+++ b/radius.Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage 1: Build
-FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.24-fips-bookworm AS builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -27,7 +27,7 @@ COPY . .
 RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
     if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
-    CGO_ENABLED=1 GOEXPERIMENT="systemcrypto" GOFLAGS="-tags=requirefips" GOARM="${TARGETVARIANT#v}" \
+    CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
     go build -o /go/radius ./cmd/radius
 
 # Stage 2: Run