From a2f06349948869ff106258bb7135916c6c7e92ba Mon Sep 17 00:00:00 2001
From: Alexander Greene <greene.al1991@gmail.com>
Date: Mon, 24 Jul 2023 11:39:26 -0700
Subject: [PATCH] Allow cpb to be statically compiled / exempt from FIPS
 compliance

To be FIPS compliant, all binaries shipped in OCP must be dynamically
linked against openssl unless they are specifically exempted
(e.g. they do not perform any cryptography). The golang builder images
made available for CI by ART will enforce this requirement
(overriding any attempt to statically link) unless the binary is
identified in this environment variable.

Signed-off-by: Alexander Greene <greene.al1991@gmail.com>
---
 Dockerfile | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 46d817b5d4..6bb60933e4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,6 +4,10 @@ ENV GO111MODULE auto
 ENV GOPATH /go
 ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
 
+# Permit the cpb binary to be compiled statically. The Red Hat compiler
+# provided by ART will otherwise force FIPS compliant dynamic compilation.
+ENV GO_COMPLIANCE_EXCLUDE="*util/cpb"
+
 WORKDIR /build
 
 # copy just enough of the git repo to parse HEAD, used to record version in OLM binaries