feat: create fips binary for deployment operator

Makefile

@@ -124,6 +124,20 @@ docker-run-harness: docker-build-harness-terraform docker-build-harness-ansible
 			--console-token=${PLURAL_DEPLOY_TOKEN} \
 			--stack-run-id=${PLURAL_STACK_RUN_ID}
 
+.PHONY: docker-build-go-fips
+docker-build-go-fips: ## build base docker go fips image
+	docker build \
+    	  	-t go-fips \
+    		-f dockerfiles/fips/go.Dockerfile \
+    		.
+
+.PHONY: docker-build-fips
+docker-build-fips: ## build docker fips agent image
+	docker build \
+    	  	-t deployment-agent-fips \
+    		-f dockerfiles/agent/fips.Dockerfile \
+    		.
+
 velero-crds:
 	@curl -L $(VELERO_CHART_URL) --output velero.tgz
 	@tar zxvf velero.tgz velero/crds

dockerfiles/agent/fips.Dockerfile

@@ -0,0 +1,53 @@
+ARG GO_FIPS_IMAGE_TAG=latest
+ARG GO_FIPS_IMAGE_REPO=go-fips
+ARG GO_FIPS_BASE_IMAGE=$GO_FIPS_IMAGE_REPO:$GO_FIPS_IMAGE_TAG
+
+FROM ${GO_FIPS_BASE_IMAGE} AS builder
+
+# Set environment variables for FIPS compliance
+ENV OPENSSL_FIPS=1
+ENV FIPS_MODE=true
+
+# Set up Go environment
+ENV CGO_ENABLED=1
+ENV CC=gcc
+
+ARG TARGETARCH
+
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+# Copy the go source
+COPY /cmd/agent cmd/agent
+COPY /pkg pkg/
+COPY /api api/
+COPY /internal internal/
+
+RUN go install github.com/acardace/fips-detect@latest
+
+# Build
+RUN GOOS=linux GOARCH=${TARGETARCH} GO111MODULE=on go build -a -o deployment-agent cmd/agent/*.go
+
+
+FROM registry.access.redhat.com/ubi8/ubi
+WORKDIR /workspace
+
+# Set environment variables for FIPS
+ENV OPENSSL_FIPS=1
+ENV FIPS_MODE=true
+
+# Install required packages, including openssl and fips-initramfs
+RUN yum install -y openssl podman && \
+    yum clean all
+
+# Enable FIPS mode
+RUN fips-mode-setup --enable
+RUN mkdir /.kube && chown 65532:65532 /.kube
+COPY --from=builder /workspace/deployment-agent .
+USER 65532:65532
+ENTRYPOINT ["/workspace/deployment-agent"]

dockerfiles/fips/go.Dockerfile

@@ -0,0 +1,60 @@
+# Use Red Hat UBI8 base image
+FROM registry.access.redhat.com/ubi8/ubi AS go
+
+ARG GO_VERSION=1.23.2
+ARG TARGETARCH
+ARG PLATFORM_ARCH=amd64
+WORKDIR /workspace
+
+# Install FIPS-compliant OpenSSL
+RUN yum install -y git openssl-devel glibc-devel tar gzip gcc make && yum clean all
+
+# Set environment variables for FIPS compliance
+ENV OPENSSL_FIPS=1
+ENV FIPS_MODE=true
+
+
+RUN curl -LO https://go.dev/dl/go${GO_VERSION}.linux-${PLATFORM_ARCH}.tar.gz && \
+    tar -C /usr/ -xzf go${GO_VERSION}.linux-${PLATFORM_ARCH}.tar.gz
+
+ENV PATH="$PATH:/usr/go/bin"
+
+ARG GO_RELEASE_VERSION=${GO_VERSION}-2
+RUN git clone \
+    https://github.com/golang-fips/go \
+    --branch go${GO_RELEASE_VERSION}-openssl-fips \
+    --single-branch \
+    --depth 1 \
+    /tmp/go
+
+RUN cd /tmp/go && \
+    chmod +x scripts/* && \
+    git config --global user.email "[email protected]" && \
+    git config --global user.name "Your Name" && \
+    scripts/full-initialize-repo.sh && \
+    pushd go/src && \
+    CGO_ENABLED=1 ./make.bash && \
+    popd && \
+    mv go /usr/local/
+
+RUN cd /usr/local/go/src && \
+    rm -rf \
+        /usr/local/go/pkg/*/cmd \
+        /usr/local/go/pkg/bootstrap \
+        /usr/local/go/pkg/obj \
+        /usr/local/go/pkg/tool/*/api \
+        /usr/local/go/pkg/tool/*/go_bootstrap \
+        /usr/local/go/src/cmd/dist/dist \
+        /usr/local/go/.git*
+
+FROM registry.access.redhat.com/ubi8/ubi
+
+RUN yum install -y openssl-devel glibc-devel tar gzip gcc make && yum clean all
+
+COPY --from=go /usr/local/go /usr/local/go
+ENV OPENSSL_FIPS=1
+ENV FIPS_MODE=true
+ENV GOPATH /go
+ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
+RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH" && go install std
+WORKDIR $GOPATH