
feat: Add FIPS 140-3 support using Microsoft Go and Azure Linux#237

Draft
kaovilai wants to merge 1 commit into openshift:oadp-1.5 from kaovilai:fips-docs-oadp-1.5

Conversation

@kaovilai (Member) commented Apr 6, 2026

Summary

Add FIPS 140-3 support to hypershift-oadp-plugin using Microsoft's Go fork and Azure Linux base images for OpenShift OADP 1.5, consistent with Velero and Azure plugin implementations.

Changes

  • Builder: Switch to mcr.microsoft.com/oss/go/microsoft/golang:1.25-azurelinux3.0
  • Runtime: Switch to mcr.microsoft.com/azurelinux/distroless/base:3.0
  • FIPS Config: Add CGO_ENABLED=1 GOFIPS140=latest at build time
  • Documentation: Add inline comments explaining Azure Linux FIPS configuration

Why Microsoft Go + Azure Linux?

  1. Consistency: Matches FIPS approach across all OADP components (Velero, Azure plugin)
  2. Azure Integration: Microsoft's Go fork is optimized for Azure environments
  3. FIPS 140-3 Compliance: Azure Linux 3.0 provides FIPS compliance via SCOSSL/SymCrypt
  4. Minimal Attack Surface: Distroless base contains only essential components
  5. Reference Architecture: Follows ARO-HCP pattern from https://github.com/Azure/ARO-HCP/blob/main/frontend/Dockerfile

FIPS Implementation Details

Uses Microsoft's Go fork with platform-dependent crypto:

  • ✅ Integrated FIPS support in Microsoft's Go
  • ✅ Azure Linux 3.0 FIPS 140-3 certified (SCOSSL/SymCrypt)
  • ✅ Plugin processes inherit GODEBUG=fips140=on from parent Velero
  • ✅ Distroless base minimizes security exposure

Why No Runtime GODEBUG?

Plugin processes are spawned by Velero and automatically inherit the parent's GODEBUG=fips140=on environment variable. No additional configuration needed in the plugin container.

Companion PRs

Testing

Build and verify:

# Build the image from the OADP Dockerfile
podman build -f Dockerfile.oadp -t hypershift-oadp-plugin:fips-test .
# Verify the plugin binary exists in the runtime image
podman run --rm hypershift-oadp-plugin:fips-test ls -lh /plugins/

Multi-arch build and push:

podman build -f Dockerfile.oadp . --platform linux/amd64,linux/arm64 --manifest quay.io/oadp-aro/hypershift-oadp-plugin:oadp-1.5-latest
podman manifest push quay.io/oadp-aro/hypershift-oadp-plugin:oadp-1.5-latest

Note

Responses generated with Claude

/cc @kaovilai
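The Testing section of the PR description only confirms that the plugin binary is present in the image. A practitioner will also want to confirm two things the description asserts but does not check: that the binary was built with GOFIPS140 and cgo enabled, and that FIPS mode is actually in effect at runtime with the GODEBUG the PR says the plugin inherits from Velero. The program below is an added example, not code from hypershift-oadp-plugin or from this PR. It reads its own embedded build info and the GODEBUG environment variable and reports the effective fips140 mode. It assumes upstream Go 1.24+ conventions: the GOFIPS140 and DefaultGODEBUG build settings recorded by the toolchain, and the fips140 GODEBUG key with values on/only; whether the Microsoft Go fork records the same build settings is an assumption, not something the PR states.

```go
// fipscheck: report whether this binary was built with GOFIPS140 and whether
// FIPS mode is in effect at runtime. Added example, not part of
// hypershift-oadp-plugin. Assumes upstream Go 1.24+ semantics for the
// GOFIPS140 build setting and the fips140 GODEBUG key; whether the Microsoft
// Go fork records the same build settings is an assumption.
package main

import (
	"fmt"
	"os"
	"runtime/debug"
	"strings"
)

// ParseGODEBUG splits a GODEBUG string ("a=1,b=2") into a map. A later
// entry for the same key wins, which matches how the runtime resolves
// duplicates.
func ParseGODEBUG(s string) map[string]string {
	out := map[string]string{}
	for _, kv := range strings.Split(s, ",") {
		kv = strings.TrimSpace(kv)
		if kv == "" {
			continue
		}
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			continue
		}
		out[k] = v
	}
	return out
}

// BuildSettingsMap flattens the key/value pairs from debug.BuildInfo.
func BuildSettingsMap(settings []debug.BuildSetting) map[string]string {
	m := make(map[string]string, len(settings))
	for _, s := range settings {
		m[s.Key] = s.Value
	}
	return m
}

// EffectiveFIPSMode resolves fips140 the way the runtime does: the process
// environment's GODEBUG overrides the DefaultGODEBUG baked in at build time
// (GOFIPS140=latest bakes in fips140=on); with neither present the mode is
// "off".
func EffectiveFIPSMode(buildSettings map[string]string, godebugEnv string) string {
	mode := "off"
	if v, ok := ParseGODEBUG(buildSettings["DefaultGODEBUG"])["fips140"]; ok {
		mode = v
	}
	if v, ok := ParseGODEBUG(godebugEnv)["fips140"]; ok {
		mode = v
	}
	return mode
}

// Report is the FIPS posture of one binary in one process environment.
type Report struct {
	GOFIPS140  string // build-time module selection: "", "latest", "v1.0.0", ...
	CGOEnabled string // "1" when the binary was built with cgo, as the PR's Dockerfile does
	Mode       string // effective fips140 mode: "off", "on" or "only"
}

// Inspect derives a Report from build settings and a GODEBUG string.
func Inspect(settings []debug.BuildSetting, godebugEnv string) Report {
	m := BuildSettingsMap(settings)
	return Report{
		GOFIPS140:  m["GOFIPS140"],
		CGOEnabled: m["CGO_ENABLED"],
		Mode:       EffectiveFIPSMode(m, godebugEnv),
	}
}

func main() {
	bi, ok := debug.ReadBuildInfo()
	if !ok {
		fmt.Fprintln(os.Stderr, "no build info embedded in this binary")
		os.Exit(2)
	}
	r := Inspect(bi.Settings, os.Getenv("GODEBUG"))
	fmt.Printf("GOFIPS140=%q CGO_ENABLED=%q fips140=%s\n", r.GOFIPS140, r.CGOEnabled, r.Mode)
	// Exit non-zero when FIPS mode is off so a CI step can fail on it.
	if r.Mode == "off" {
		os.Exit(1)
	}
}
```

Build it with the same toolchain and flags as the plugin (`GOFIPS140=latest CGO_ENABLED=1 go build`) and run it inside the runtime image, once without and once with `-e GODEBUG=fips140=on`, to see which of the build-time default and the inherited environment variable is actually supplying the mode. `go version -m /plugins/<binary>` prints the same build settings for the real plugin binary without executing it. On Go 1.24+ toolchains `crypto/fips140.Enabled()` is the authoritative runtime answer; the example avoids it only so that it compiles on older toolchains.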

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) Apr 6, 2026

@coderabbitai bot commented Apr 6, 2026

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Excluded labels (none allowed) (1)
  • do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ff396e08-8785-418f-918f-2535c03f6e6e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci bot commented Apr 6, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci bot commented Apr 6, 2026

@kaovilai: GitHub didn't allow me to request PR reviews from the following users: kaovilai.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

Summary

Add FIPS 140-3 support to hypershift-oadp-plugin using Go Cryptographic Module v1.26.0 for OpenShift OADP 1.5, consistent with Velero and Azure plugin implementations.

Changes

  • Add GOFIPS140=v1.26.0 environment variable for FIPS-capable build
  • Use CGO_ENABLED=1 for build (backward compatibility)
  • Add inline documentation explaining FIPS configuration
  • Switch from strictfipsruntime approach to native Go FIPS module

FIPS Implementation Details

Uses upstream Go's native FIPS 140-3 module:

  • ✅ Official FIPS 140-3 certified (module A6650)
  • ✅ Pure Go implementation (CGO not required but used for compatibility)
  • ✅ Plugin processes inherit GODEBUG=fips140=on from parent Velero
  • ✅ Cross-compilation supported natively

Why This Approach?

  • Consistency: Matches FIPS approach across OADP components
  • Pure Go: Unlike Microsoft Go approach in Velero/Azure plugin, this uses upstream Go
  • Plugin Model: Inherits GODEBUG from Velero parent process

Related

Note

Responses generated with Claude

/cc @kaovilai

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci bot added the needs-rebase label (Indicates a PR cannot be merged because it has merge conflicts with HEAD.) and the approved label (Indicates a PR has been approved by an approver from all required OWNERS files.) Apr 6, 2026
@kaovilai kaovilai force-pushed the fips-docs-oadp-1.5 branch 4 times, most recently from fe0adc3 to 309b82e, April 6, 2026 20:08
@kaovilai kaovilai changed the base branch from main to oadp-1.5, April 6, 2026 20:16
@kaovilai kaovilai changed the title from "feat: Add FIPS 140-3 support with GOFIPS140 v1.26.0" to "feat: Add FIPS 140-3 support using Microsoft Go and Azure Linux", Apr 6, 2026
@kaovilai kaovilai force-pushed the fips-docs-oadp-1.5 branch from 309b82e to 14f7432, April 6, 2026 20:41
@openshift-ci openshift-ci bot removed the needs-rebase label (Indicates a PR cannot be merged because it has merge conflicts with HEAD.) Apr 6, 2026

@openshift-ci bot commented Apr 6, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kaovilai kaovilai force-pushed the fips-docs-oadp-1.5 branch 2 times, most recently from 94f247f to 02c0b1a, April 6, 2026 21:07

Commit message:
Switch to Microsoft Go and Azure Linux for FIPS 140-3 compliance in
OpenShift OADP 1.5 HyperShift deployments.

Changes:
- Replace builder with mcr.microsoft.com/oss/go/microsoft/golang:1.25-azurelinux3.0
- Replace runtime with mcr.microsoft.com/azurelinux/distroless/base:3.0
- Add GOFIPS140=latest and CGO_ENABLED=1 for Microsoft's FIPS implementation
- Add documentation explaining Azure Linux FIPS configuration
- Switch from strictfipsruntime approach to Microsoft's FIPS module

Why Microsoft Go + Azure Linux distroless:
- Microsoft's Go fork provides integrated FIPS support for Azure environments
- Azure Linux 3.0 distroless base is FIPS 140-3 compliant with SCOSSL/SymCrypt
- Minimal attack surface with distroless
- Consistency with Velero and Azure plugin implementations
- Follows ARO-HCP reference architecture

Plugin processes inherit GODEBUG=fips140=on from the parent Velero
process, so no runtime environment variable configuration needed.

Reference implementation: https://github.com/Azure/ARO-HCP/blob/main/frontend/Dockerfile

Companion to: openshift/velero#492
Companion to: openshift/velero-plugin-for-microsoft-azure#125

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Signed-off-by: Tiger Kaovilai <passawit.kaovilai@gmail.com>
@kaovilai kaovilai force-pushed the fips-docs-oadp-1.5 branch from 02c0b1a to e46063a, April 6, 2026 21:07