Feature request

Could you please add build tags so that the entrypoint can be compiled without SPIRE support? Or split SPIRE support into a secondary binary?
Use case
FIPS requires cryptographic functionality to use FIPS-validated implementations. One way to comply with this requirement is to do exactly that (for example, by compiling the entrypoint with the go-fips OpenSSL toolchain or the Microsoft/go toolchain). However, that puts additional runtime requirements on the shell image and the task image from which the entrypoint is executed.
An alternative way to comply is to not do any cryptography at all. As far as I can tell, prior to the introduction of SPIRE support the entrypoint did not do any cryptography.
It would help if one could use Go build tags to build the entrypoint without SPIRE support, or to have SPIRE support in a separate binary (i.e. entrypoint-spire) which the entrypoint re-execs into or calls out to, or even build it as a Go plugin.
Currently, as is, the shell image must be FIPS capable (i.e. cgd.dev/chainguard-private/busybox-fips instead of just busybox), and the task images too, even when SPIRE is not used and/or the tasks do not do any cryptography, since FIPS binaries initialise the crypto subsystem and perform self-tests before the main function is executed, even if later none of the SPIRE code paths are triggered.
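The build-tag approach asked for above, as an added example that is not part of the original issue or of the Tekton entrypoint code. It constructs a throwaway Go module in which the crypto-using code (a crypto/sha256 call standing in for the SPIRE client) lives in a file guarded by a hypothetical `spire` build tag, while a `!spire` file supplies a crypto-free fallback. It then builds the module with and without the tag and runs `go tool nm` on each binary to check whether any `crypto/` symbol was actually linked, which is the check a practitioner wants before claiming the untagged build does no cryptography. The module name, file names and tag name are all assumptions. Note the caveat from the issue itself: this only shows what a plain Go build links; a FIPS toolchain still runs its self-tests at startup regardless.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"runtime"
)

// Constructed sample module (not Tekton code). The SPIRE-specific code path,
// represented here by a crypto/sha256 call, is compiled only with the
// hypothetical "spire" tag; the "!spire" file provides a no-op fallback so the
// untagged build still links without pulling in any crypto/ package.
var sampleFiles = map[string]string{
	"go.mod": "module example.com/entrypoint\n\ngo 1.21\n",
	"main.go": `package main

import "fmt"

func main() { fmt.Println(attest([]byte("task payload"))) }
`,
	"attest_spire.go": `//go:build spire

package main

import (
	"crypto/sha256"
	"fmt"
)

// attest stands in for the SPIRE code path that needs cryptography.
func attest(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }
`,
	"attest_nospire.go": `//go:build !spire

package main

// attest is the crypto-free fallback compiled when the tag is absent.
func attest(b []byte) string { return "spire support not compiled in" }
`,
}

// goBinary locates the go tool, falling back to the GOROOT this program was built with.
func goBinary() string {
	if p, err := exec.LookPath("go"); err == nil {
		return p
	}
	return filepath.Join(runtime.GOROOT(), "bin", "go")
}

// runGo runs the go tool in dir with a private build cache so the example is
// self-contained and never triggers a toolchain download.
func runGo(dir string, args ...string) ([]byte, error) {
	cmd := exec.Command(goBinary(), args...)
	cmd.Dir = dir
	cmd.Env = append(os.Environ(),
		"GOCACHE="+filepath.Join(dir, ".gocache"),
		"GOFLAGS=",
		"GOTOOLCHAIN=local",
	)
	var stderr bytes.Buffer
	cmd.Stderr = &stderr
	out, err := cmd.Output()
	if err != nil {
		return nil, fmt.Errorf("go %v: %w: %s", args, err, stderr.String())
	}
	return out, nil
}

// BuildLinksCrypto writes the sample module to a temp dir, builds it with the
// given -tags value ("" for none), and reports whether any symbol from a
// crypto/ package is present in the resulting binary according to `go tool nm`.
func BuildLinksCrypto(tags string) (bool, error) {
	dir, err := os.MkdirTemp("", "entrypoint-tags-")
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(dir)
	for name, content := range sampleFiles {
		if err := os.WriteFile(filepath.Join(dir, name), []byte(content), 0o644); err != nil {
			return false, err
		}
	}
	args := []string{"build", "-o", "entrypoint"}
	if tags != "" {
		args = append(args, "-tags", tags)
	}
	if _, err := runGo(dir, append(args, ".")...); err != nil {
		return false, err
	}
	symbols, err := runGo(dir, "tool", "nm", filepath.Join(dir, "entrypoint"))
	if err != nil {
		return false, err
	}
	// nm prints one symbol per line as "<addr> <type> <name>"; package-qualified
	// names such as "crypto/sha256.Sum256" follow a space.
	return bytes.Contains(symbols, []byte(" crypto/")), nil
}

func main() {
	for _, tags := range []string{"", "spire"} {
		linked, err := BuildLinksCrypto(tags)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Printf("tags=%q crypto linked=%v\n", tags, linked)
	}
}
```

The same nm check applied to the real entrypoint binary after a tagged build is the quickest way to confirm that excluding the SPIRE package really drops the transitive crypto dependencies rather than just the call sites.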