feat: remove custom goreleaser image for fips and use upstream image instead

Part of https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/team/-/issues/1312

So it turns out that we need to use CGO with Golang 1.19 in order to use the "boringcrypto"
flag to build go apps in a fips compliant way. The upstream goreleaser image can't do this
as it's based off alpine, so binaries come out depending on musl as their libc.

However, goreleaser also provide a goreleaser image based off debian which we can use
for fips builds, and will allow us to build binaries linked against regular glibc instead,
allowing consumping in ubi images and other non-alpine images.

This means we can drop our own goreleaser image as the upstream one (provided you use
the right flags inside goreleaser) will give you what you need.

.gitlab-ci-other-versions.yml

 # This file is managed manually
 variables:
   GL_COMMON_CI_TASKS_DEFAULT_GITLEAKS_VERSION: "v8.15.2"  # datasource=github-releases depName=zricethezav/gitleaks
-  GL_COMMON_CI_TASKS_DEFAULT_UBI_IMAGE_VERSION: "8.6-990"  # datasource=docker depName=registry.access.redhat.com/ubi8/ubi versioning=docker
-  GL_COMMON_CI_TASKS_GOFIPS_VERSION: "go1.18.7-2-openssl-fips"  # datasource: github-releases depName: golang-fips/go

.gitlab-ci.yml

@@ -57,40 +57,3 @@ container_image_tagged:
     - .container_builds
   rules:
     - if: '$CI_COMMIT_TAG'
-
-##############################################################################
-# Builds an image for running a version of goreleaser with golang fips fork
-##############################################################################
-
-container_image_build_goreleaser_fips:
-  variables:
-    KANIKO_BUILD_FILE: Dockerfile.goreleaser-fips
-    KANIKO_DESTINATION: $CI_REGISTRY_IMAGE/goreleaser-fips:${CI_COMMIT_REF_SLUG}
-  extends:
-    - .container_builds
-  rules:
-    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-
-container_image_test_goreleaser_fips:
-  stage: validate
-  image:
-    name: $CI_REGISTRY_IMAGE/goreleaser-fips:${CI_COMMIT_REF_SLUG}
-    entrypoint: [""]
-  needs:
-    - container_image_build_goreleaser_fips
-  script:
-    - bash -x ./test/validate-goreleaser-fips-container-image.sh
-  rules:
-    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-
-# Tags use the git tag, not the slug
-container_image_tagged_goreleaser_fips:
-  variables:
-    KANIKO_BUILD_FILE: Dockerfile.goreleaser-fips
-    KANIKO_DESTINATION: $CI_REGISTRY_IMAGE/goreleaser-fips:${CI_COMMIT_TAG}
-  extends:
-    - .container_builds
-  rules:
-    - if: '$CI_COMMIT_TAG'

Dockerfile.goreleaser-fips

-ARG GL_ASDF_GORELEASER_VERSION
-
-FROM goreleaser/goreleaser:v$GL_ASDF_GORELEASER_VERSION as GORELEASER
-FROM registry.access.redhat.com/ubi8/ubi:$GL_COMMON_CI_TASKS_DEFAULT_UBI_IMAGE_VERSION
-
-ARG GL_ASDF_GORELEASER_VERSION
-ARG GL_COMMON_CI_TASKS_DEFAULT_UBI_IMAGE_VERSION
-ARG GL_COMMON_CI_TASKS_GOFIPS_VERSION
-
-RUN INSTALL_PKGS="openssl-devel glibc-devel gcc git golang" &&  \
-    dnf update -y && \
-    dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
-    dnf clean all -y
-
-RUN git clone \
-    https://github.com/golang-fips/go.git \
-    --branch $GL_COMMON_CI_TASKS_GOFIPS_VERSION \
-    --single-branch \
-    --depth 1 \
-    /assets/usr/local/go
-
-RUN cd /assets/usr/local/go/src && \
-    CGO_ENABLED=1 ./make.bash && \
-    rm -rf \
-        /assets/usr/local/go/pkg/*/cmd \
-        /assets/usr/local/go/pkg/bootstrap \
-        /assets/usr/local/go/pkg/obj \
-        /assets/usr/local/go/pkg/tool/*/api \
-        /assets/usr/local/go/pkg/tool/*/go_bootstrap \
-        /assets/usr/local/go/src/cmd/dist/dist \
-        /assets/usr/local/go/.git*
-
-RUN dnf remove -y golang
-
-ENV PATH=/assets/usr/local/go/bin:/root/go/bin:${PATH}
-
-RUN go install github.com/goreleaser/goreleaser@v$GL_ASDF_GORELEASER_VERSION
-
-COPY --from=GORELEASER /entrypoint.sh /entrypoint.sh
-
-ENTRYPOINT ["/entrypoint.sh"]
-CMD [ "-h" ]

goreleaser.md

@@ -93,7 +93,8 @@ Additional command line options for Goreleaser can be set using the `GORELEASER_
 If you wish to use `goreleaser` to build your project in a way that is fips compliant, you will need to specify the following variables when using the `goreleaser` tasks from this repository
 `FIPS_MODE`: This instructs the CI pipeline to use the gorelease job specifically for creating fips compliant releases
-`GL_COMMON_CI_TASKS_VERSION`: This is needed so the right version of the goreleaser image we build in `common-ci-tasks` is used. Typically set to the same ref as you use on the `include` stanza for `goreleaser.yml`
+`GL_ASDF_GORELEASER_VERSION`: The version of goreleaser to use, minimum 1.13.1
+`GL_ASDF_GOLANG_VERSION`: The version of golang to use to compile, minimum 1.19
 An example
@@ -104,8 +105,8 @@ stages:
 variables:
   GL_ASDF_GORELEASER_VERSION: ...
+  GGL_ASDF_GOLANG_VERSION: ...
   FIPS_MODE: 1
-  GL_COMMON_CI_TASKS_VERSION: v1.52.1 # datasource=gitlab-releases depName=gitlab-com/gl-infra/common-ci-tasks
 include:
   # build binary release artifacts with goreleaser

goreleaser.yml

@@ -94,7 +94,7 @@ goreleaser-fips:
       -e CI_SERVER_URL \
       -e GL_ASDF_GORELEASER_VERSION \
       ${GORELEASER_DOCKER_EXTRA_ARGS:-} \
-      registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks/goreleaser-fips:${GL_COMMON_CI_TASKS_VERSION} release --rm-dist ${GORELEASER_EXTRA_ARGS:-}
+      goreleaser/goreleaser-cross:v${GL_ASDF_GOLANG_VERSION}-v${GL_ASDF_GORELEASER_VERSION} release --rm-dist ${GORELEASER_EXTRA_ARGS:-}
   after_script: |
     cat <<-EOD
     ----------------------------------------------------------

test/validate-goreleaser-fips-container-image.sh

-#!/usr/bin/env bash
-
-set -euo pipefail
-IFS=$'\n\t'
-
-go version
-goreleaser -v