fips: log a line when fips is enabled

Zerpet · Zerpet · commit c5d97ad8cfea · 2025-05-27T12:12:55.000+01:00
This helps to determine whether FIPS is enabled. It is not necssary to
build the Operator in FIPS mode. The env variable GODEBUG allows to
enable FIPS in Go 1.24+, like so: `GODEBUG=fips140=on`
diff --git a/Dockerfile b/Dockerfile
@@ -20,6 +20,11 @@ ARG TARGETOS
 ARG TARGETARCH
 ENV GOOS=$TARGETOS
 ENV GOARCH=$TARGETARCH
+
+# FIPS
+ARG FIPS_MODE=off
+ENV GOFIPS140=$FIPS_MODE
+
 RUN CGO_ENABLED=0 GO111MODULE=on go build -a -tags timetzdata -o manager main.go
 
 # ---------------------------------------
diff --git a/Makefile b/Makefile
@@ -49,6 +49,7 @@ $(KUBEBUILDER_ASSETS):
 
 .PHONY: kubebuilder-assets
 kubebuilder-assets: $(KUBEBUILDER_ASSETS)
+	@echo "export KUBEBUILDER_ASSETS=$(KUBEBUILDER_ASSETS)"
 
 .PHONY: kubebuilder-assets-rm
 kubebuilder-assets-rm:
diff --git a/main.go b/main.go
@@ -9,6 +9,7 @@
 package main
 
 import (
+	"crypto/fips140"
 	"flag"
 	"fmt"
 	"os"
@@ -192,7 +193,7 @@ func main() {
 
 	clusterConfig := config.GetConfigOrDie()
 
-	err = (&controllers.RabbitmqClusterReconciler{
+	if err = (&controllers.RabbitmqClusterReconciler{
 		Client:                  mgr.GetClient(),
 		APIReader:               mgr.GetAPIReader(),
 		Scheme:                  mgr.GetScheme(),
@@ -205,14 +206,16 @@ func main() {
 		DefaultUserUpdaterImage: defaultUserUpdaterImage,
 		DefaultImagePullSecrets: defaultImagePullSecrets,
 		ControlRabbitmqImage:    controlRabbitmqImage,
-	}).SetupWithManager(mgr)
-	if err != nil {
+	}).SetupWithManager(mgr); err != nil {
 		log.Error(err, "unable to create controller", controllerName)
 		os.Exit(1)
 	}
-	log.Info("started controller")
 	// +kubebuilder:scaffold:builder
 
+	if fips140.Enabled() {
+		log.Info("FIPS 140-3 mode enabled")
+	}
+
 	log.Info("starting manager")
 	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
 		log.Error(err, "problem running manager")
