add cgo-enabled build to pass fips check (#296) (#327)

bcaton85 · Marcusk19 · web-flow · commit befca3dcd533 · 2025-11-04T09:35:07.000-05:00
Co-authored-by: Marcus Kok &lt;47163063+Marcusk19@users.noreply.github.com&gt;
diff --git a/.tekton/quay-builder-v3-15-pull-request.yaml b/.tekton/quay-builder-v3-15-pull-request.yaml
@@ -33,7 +33,7 @@ spec:
     - linux/ppc64le
     - linux/s390x
   - name: dockerfile
-    value: Dockerfile
+    value: Containerfile.quay-builder
   - name: build-source-image
     value: "true"
   - name: hermetic
diff --git a/.tekton/quay-builder-v3-15-push.yaml b/.tekton/quay-builder-v3-15-push.yaml
@@ -30,7 +30,7 @@ spec:
     - linux/ppc64le
     - linux/s390x
   - name: dockerfile
-    value: Dockerfile
+    value: Containerfile.quay-builder
   - name: build-source-image
     value: "true"
   - name: hermetic
diff --git a/Containerfile.quay-builder b/Containerfile.quay-builder
@@ -0,0 +1,41 @@
+# Strictly for fips build
+FROM registry.access.redhat.com/ubi8/go-toolset:1.23.6-2 as build
+USER root
+RUN dnf install -y --setopt=tsflags=nodocs git
+COPY . /go/src/
+
+RUN sed -i 's/CGO_ENABLED=0 /CGO_ENABLED=1 /;s/containers_image_openpgp/& strictfipsruntime/' /go/src/Makefile
+
+RUN cd /go/src/ && make build
+
+FROM registry.access.redhat.com/ubi8/podman
+LABEL maintainer "Quay devel<quay-devel@redhat.com>"
+
+
+RUN set -ex\
+	; dnf install -y --setopt=tsflags=nodocs --setopt=skip_missing_names_on_install=False git wget \
+	; dnf -y -q clean all
+
+COPY --from=build /go/src/bin/quay-builder /usr/local/bin
+COPY buildpack/ssh-git.sh /
+COPY entrypoint.sh /home/podman/entrypoint.sh
+
+# Rootless/unprivileged buildah configurations
+# https://github.com/containers/buildah/blob/main/docs/tutorials/05-openshift-rootless-build.md
+RUN touch /etc/subgid /etc/subuid && \
+    chmod g=u /etc/subgid /etc/subuid /etc/passwd && \
+    echo 'podman:100000:65536' > /etc/subuid && echo 'podman:100000:65536' > /etc/subgid && \
+	# Set driver to VFS, which doesn't require host modifications compared to overlay
+	# Set shortname aliasing to permissive - https://www.redhat.com/sysadmin/container-image-short-names
+	mkdir -p /home/podman/.config/containers && \
+    (echo '[storage]';echo 'driver = "vfs"') > /home/podman/.config/containers/storage.conf && \ 
+    sed -i 's/short-name-mode="enforcing"/short-name-mode="permissive"/g' /etc/containers/registries.conf && \
+	mkdir /certs /home/podman/.config/cni && chown podman:podman /certs /home/podman/.config/cni
+
+VOLUME [ "/certs" ]
+
+WORKDIR /home/podman
+
+USER podman
+
+ENTRYPOINT ["sh", "/home/podman/entrypoint.sh"]
