
Making pipeline (and entrypoint) FIPS compliant #8531

Open · 4 tasks
vdemeester opened this issue Jan 27, 2025 · 5 comments · May be fixed by #8544
Labels: help wanted (Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.), kind/cleanup (Categorizes issue or PR as related to cleaning up code, process, or technical debt.)

Comments

@vdemeester (Member) commented Jan 27, 2025

Some users (customers of Red Hat and users of tektoncd/pipeline) may require their software to be FIPS compliant.

The Federal Information Processing Standards (FIPS) of the United States are a set of publicly announced standards that the National Institute of Standards and Technology (NIST) has developed for use in computer systems of non-military United States government agencies and contractors.[1] FIPS standards establish requirements for ensuring computer security and interoperability, and are intended for cases in which suitable industry standards do not already exist.

In short, to be FIPS compliant, you need to compile the project with a Go FIPS compliant compiler (see golang-fips) and use dynamic linking.

This works for most binaries in tektoncd/pipeline except the entrypoint, which is required to be built statically to be able to run in any environment (where libs would be at different places, different versions, …). To be able to mark a statically compiled binary as FIPS compliant, we need to ensure there are no crypto symbols in it (crypto/*, golang.org/x/crypto, …).

This issue aims to track the work that would help make the entrypoint FIPS compliant.

  • Add an option to disable SPIRE github.com/tektoncd/pipeline/pkg/spire and some metrics packages
    • This can be done by using a buildtag
  • Split pkg/credentials into 2 pieces:
    • one that is used in cmd/entrypoint and that doesn't import corev1 "k8s.io/api/core/v1". This is the Write part.
    • one that is used in the controller's code. This is the MatchingAnnotations part, that uses corev1 for Secrets.
  • Remove imports of the apis package for just constants
    • This implies refactoring packages a bit to not import a huge set of dependencies for just a few constants or very simple functions
  • Remove the use of go.uber.org/zap in entrypoint's dependent packages (can rely on log or log/slog if need be)
  • … There might be even more, let's update this as needed.

Some imports are effectively bringing a lot of dependencies, such as corev1 "k8s.io/api/core/v1".

Quick note on this work: it will also come with the benefit of reducing the size of the binary 👼🏼 so, imo, it's a net gain.

A patch exists showcasing some of these approaches, but in a very rough way.

cc @jkhelil @afrittoli
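The issue's acceptance criterion for the static entrypoint is that no crypto symbols end up linked into it. The check below is an added example, not code from the issue or from tektoncd/pipeline: it parses the output of `go tool nm` (columns: address, optional size, single-letter symbol type, symbol name) and reports which `crypto`, `crypto/*`, `golang.org/x/crypto` or std-vendored `x/crypto` packages contribute symbols. The sample `nm` output embedded in the block is constructed for the stand-alone run, not taken from a real build; the helper names (`FindCryptoSymbols`, `symbolPackage`, `isCryptoPackage`) are this example's own. A symbol-level scan is the right check here because `go version -m` only lists module dependencies and says nothing about what the linker actually kept.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"sort"
	"strings"
)

// isCryptoPackage reports whether a Go package path is one of the crypto
// packages the issue says must be absent from the statically linked
// entrypoint: the standard library's crypto and crypto/* tree,
// golang.org/x/crypto, and the std-vendored copy of x/crypto.
func isCryptoPackage(pkg string) bool {
	return pkg == "crypto" ||
		strings.HasPrefix(pkg, "crypto/") ||
		strings.HasPrefix(pkg, "golang.org/x/crypto") ||
		strings.HasPrefix(pkg, "vendor/golang.org/x/crypto")
}

// symbolPackage extracts the package path from a Go symbol name such as
// "crypto/sha256.(*digest).Write" (-> "crypto/sha256") or
// "go.uber.org/zap.(*Logger).Info" (-> "go.uber.org/zap"): the path is
// everything up to the first '.' after the last '/'.
func symbolPackage(sym string) string {
	slash := strings.LastIndex(sym, "/")
	dot := strings.Index(sym[slash+1:], ".")
	if dot < 0 {
		return sym
	}
	return sym[:slash+1+dot]
}

func isLetter(c byte) bool {
	return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
}

// FindCryptoSymbols parses `go tool nm` output and returns the sorted set of
// crypto package paths that contribute symbols to the binary. An empty result
// is the precondition for marking a static build FIPS compliant.
func FindCryptoSymbols(nmOutput string) []string {
	found := map[string]struct{}{}
	sc := bufio.NewScanner(strings.NewReader(nmOutput))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		// The symbol name starts right after the single-letter type column
		// (T, t, D, R, U, ...); it may itself contain spaces, e.g.
		// "type:.eq.[2]interface {}", so rejoin everything after that column.
		typeIdx := -1
		for i, f := range fields {
			if len(f) == 1 && isLetter(f[0]) {
				typeIdx = i
				break
			}
		}
		if typeIdx < 0 || typeIdx+1 >= len(fields) {
			continue
		}
		pkg := symbolPackage(strings.Join(fields[typeIdx+1:], " "))
		if isCryptoPackage(pkg) {
			found[pkg] = struct{}{}
		}
	}
	out := make([]string, 0, len(found))
	for pkg := range found {
		out = append(out, pkg)
	}
	sort.Strings(out)
	return out
}

// SampleNM is constructed `go tool nm` output used for the stand-alone run;
// it is not taken from a real tektoncd/pipeline build.
const SampleNM = `  4a2b40 T crypto/sha256.(*digest).Write
  4a2f00 T crypto/sha256.New
  4b1000 T golang.org/x/crypto/ssh.Dial
  401000 T main.main
  410000 T runtime.mallocgc
  500000 R type:.eq.[2]interface {}
  520000 T go.uber.org/zap.(*Logger).Info
`

// Usage: go tool nm ./entrypoint > syms.txt && go run check_crypto.go syms.txt
// Without an argument the constructed sample is scanned instead.
// Exit status 1 means crypto symbols were found, so this can gate a CI job.
func main() {
	input := SampleNM
	if len(os.Args) > 1 {
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		input = string(b)
	}
	pkgs := FindCryptoSymbols(input)
	if len(pkgs) == 0 {
		fmt.Println("no crypto symbols found")
		return
	}
	fmt.Println("crypto packages linked into the binary:")
	for _, p := range pkgs {
		fmt.Println("  " + p)
	}
	os.Exit(1)
}
```

Run against the constructed sample it reports `crypto/sha256` and `golang.org/x/crypto/ssh` and exits 1; the zap symbol is not flagged because the issue treats zap as a size/dependency concern, not a FIPS one. Note that a package that is only transitively imported, such as one of the corev1 dependencies the issue mentions, still shows up here if the linker kept any of its crypto-using code, which is exactly why the import-pruning items in the list above matter.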

vdemeester added the help wanted and kind/cleanup labels Jan 27, 2025

@waveywaves (Member)

/assign @PuneetPunamiya @waveywaves

@tekton-robot (Collaborator)

@waveywaves: GitHub didn't allow me to assign the following users: PuneetPunamiya.

Note that only tektoncd members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

> /assign @PuneetPunamiya @waveywaves

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@waveywaves (Member)

Created a PR #8542 which should cover checkbox 2, where the credentials package needs to be split between writer and matcher.

@vdemeester (Member, Author)

/assign @PuneetPunamiya

@tekton-robot (Collaborator)

@vdemeester: GitHub didn't allow me to assign the following users: PuneetPunamiya.

Note that only tektoncd members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

> /assign @PuneetPunamiya

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
