Merge branch 'goexperiment-fips-mode' into 'master'

Use goexperiment boringcrypto for golang 1.19 fips

See merge request https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/6813



Merged-by: Balasankar 'Balu' C <balasankar@gitlab.com>
Approved-by: Balasankar 'Balu' C <balasankar@gitlab.com>
Co-authored-by: DJ Mountney <dj@gitlab.com>

config/software/gitlab-pages.rb

@@ -35,7 +35,10 @@ build do
   # Pages compiles with CGO_ENABLED=0 by default, so we need to activate
   # FIPS mode explicitly.
-  env['FIPS_MODE'] = '1' if Build::Check.use_system_ssl?
+  if Build::Check.use_system_ssl?
+    env['FIPS_MODE'] = '1'
+    env['GOEXPERIMENT'] = 'boringcrypto' if Build::Check.boringcrypto_supported?
+  end
   make 'gitlab-pages', env: env

lib/gitlab/build/check.rb

@@ -21,6 +21,10 @@ module Build
         false
       end
+      def boringcrypto_supported?
+        system({ 'GOEXPERIMENT' => 'boringcrypto' }, *%w(go version))
+      end
+
       def use_system_ssl?
         # Once we implement the above TODO, we can get rid of this variable and
         # gate on `fips?` alone.

spec/lib/gitlab/build/check_spec.rb

@@ -322,4 +322,26 @@ RSpec.describe Build::Check do
       end
     end
   end
+
+  describe 'boringcrypto_supported?' do
+    context 'when using a golang with boringcrypto support' do
+      before do
+        allow(described_class).to receive(:system).with(hash_including('GOEXPERIMENT'), 'go', 'version').and_return(true)
+      end
+
+      it 'returns true' do
+        expect(described_class.boringcrypto_supported?).to be_truthy
+      end
+    end
+
+    context 'when using a golang withou boringcrypto support' do
+      before do
+        allow(described_class).to receive(:system).with(hash_including('GOEXPERIMENT'), 'go', 'version').and_return(false)
+      end
+
+      it 'returns true' do
+        expect(described_class.boringcrypto_supported?).to be_falsey
+      end
+    end
+  end
 end