From 385ab14ec23886da0329752ad3e1b495e4eb0bf1 Mon Sep 17 00:00:00 2001
From: Aitor Perez <1515757+Zerpet@users.noreply.github.com>
Date: Tue, 27 May 2025 12:09:25 +0100
Subject: [PATCH] fips: log a message if fips is enabled

This helps to determine whether FIPS is enabled. It is not necssary to build the Operator in FIPS mode. The env variable GODEBUG allows to enable FIPS in Go 1.24+, like so: `GODEBUG=fips140=on`
---
 Dockerfile | 3 +++
 Makefile | 3 ++-
 main.go | 6 +++++-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index f7047fcd..96d33775 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,6 +22,9 @@ ARG TARGETARCH
 ENV GOOS=$TARGETOS
 ENV GOARCH=$TARGETARCH
+ARG FIPS_MODE=off
+ENV GOFIPS140=$FIPS_MODE
+
 # Build
 RUN CGO_ENABLED=0 GO111MODULE=on go build -a -tags timetzdata -o manager main.go
diff --git a/Makefile b/Makefile
index fb8eae7c..008112b3 100644
--- a/Makefile
+++ b/Makefile
@@ -192,10 +192,11 @@ generate-client-set:
 GIT_COMMIT=$(shell git rev-parse --short HEAD)-dev
 OPERATOR_IMAGE ?= rabbitmqoperator/messaging-topology-operator
+GOFIPS140 ?= off
 .PHONY: docker-build-dev
 docker-build-dev:
 $(call check_defined, DOCKER_REGISTRY_SERVER, URL of docker registry containing the Operator image (e.g. registry.my-company.com))
- $(BUILD_KIT) buildx build --build-arg=GIT_COMMIT=$(GIT_COMMIT) -t $(DOCKER_REGISTRY_SERVER)/$(OPERATOR_IMAGE):$(GIT_COMMIT) .
+ $(BUILD_KIT) buildx build --build-arg=FIPS_MODE=$(GOFIPS140) --build-arg=GIT_COMMIT=$(GIT_COMMIT) -t $(DOCKER_REGISTRY_SERVER)/$(OPERATOR_IMAGE):$(GIT_COMMIT) .
 $(BUILD_KIT) push $(DOCKER_REGISTRY_SERVER)/$(OPERATOR_IMAGE):$(GIT_COMMIT)
 # docker-build-local and deploy-local work in local Kubernetes installations where the Kubernetes API
diff --git a/main.go b/main.go
index 955660dc..83f4b9d2 100644
--- a/main.go
+++ b/main.go
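Review bot: The new `ARG FIPS_MODE=off` is copied straight into GOFIPS140 with no comment on what the toolchain accepts, and the name FIPS_MODE reads like an on/off switch; GOFIPS140 takes off, latest or a specific Go Cryptographic Module version such as v1.0.0, not on/true, so a caller is likely to pass a value the build rejects. Suggest a comment above the ARG: `# GOFIPS140 selects the Go Cryptographic Module at build time: off, latest, or a module version such as v1.0.0; any value other than off also makes fips140=on the GODEBUG default at runtime.` That last point is what ties this build arg to the runtime log line added in main.go, and is worth recording here. The setting needs a Go 1.24+ builder image; the base image line is outside the hunk, so I cannot confirm it from this patch.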
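Review bot: The new `GOFIPS140 ?= off` is wired only into docker-build-dev; the trailing context comment names docker-build-local, which lies outside the hunk, so I cannot tell whether that target passes the same --build-arg, and if it does not, local images would build with FIPS off regardless of the variable. As a point of style, the Makefile variable is called GOFIPS140 while the Dockerfile ARG is FIPS_MODE, so the two halves of the plumbing do not share a name; `--build-arg=GOFIPS140=$(GOFIPS140)` with a matching ARG would make it easier to follow. Because GOFIPS140 is also a Go toolchain environment variable, the `?=` assignment means an exported GOFIPS140 in the developer's shell silently changes the image's FIPS setting with nothing on the make command line, which deserves a one-line comment next to the assignment.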
@@ -10,6 +10,7 @@ This product may include a number of subcomponents with separate copyright notic
 package main
 import (
+ "crypto/fips140"
 "flag"
 "fmt"
 "os"
@@ -387,6 +388,7 @@ func main() {
 log.Error(err, "unable to create controller", "controller", controllers.SuperStreamControllerName)
 os.Exit(1)
 }
+ // +kubebuilder:scaffold:builder
 if os.Getenv(controllers.EnableWebhooksEnvVar) != "false" {
 if err = (&topology.Binding{}).SetupWebhookWithManager(mgr); err != nil {
@@ -443,7 +445,9 @@ func main() {
 }
 }
- // +kubebuilder:scaffold:builder
+ if fips140.Enabled() {
+ log.Info("FIPS 140-3 mode enabled")
+ }
 log.Info("starting manager")
 if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
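Review bot: The new block in the third hunk logs only when fips140.Enabled() returns true, so an operator reading the logs cannot tell "FIPS is off" apart from "this build predates the check"; logging the value unconditionally, `log.Info("FIPS 140-3 mode", "enabled", fips140.Enabled())`, gives a positive signal in both cases. Placing it just before the "starting manager" line is reasonable, since the mode is fixed for the life of the process (GOFIPS140 at build time or GODEBUG=fips140=on at run time) and is not going to change after mgr.Start. The crypto/fips140 import added in the first hunk requires Go 1.24+; go.mod is not part of this patch, so I cannot confirm the module's go directive here. main continues outside the hunk.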