WIP to jumpstart PR pipeline

Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-# Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 FROM golang:1.19.5 as build-env
@@ -16,7 +16,11 @@ RUN \
   --mount=type=cache,target=/cache/gocache \
   --mount=type=cache,target=/cache/gomodcache \
   mkdir out && \
-  export GOCACHE=/cache/gocache GOMODCACHE=/cache/gomodcache CGO_ENABLED=0 GOOS=linux GOARCH=amd64 && \
+  export GOCACHE=/cache/gocache && \
+  export GOMODCACHE=/cache/gomodcache && \
+  export CGO_ENABLED=0 && \
+  export GOOS=linux && \
+  export GOARCH=amd64 && \
   go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
   go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
   ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \

hack/Dockerfile_fips

@@ -3,13 +3,13 @@
 # Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-# this dockerfile is used to produce a binary of Pinniped that uses
-# only fips-allowable ciphers.  Note that this is provided only as
-# an example.  Pinniped has no official support for fips and using
+# This dockerfile is used to produce a binary of Pinniped that uses
+# only FIPS-allowable ciphers.  Note that this is provided only as
+# an example.  Pinniped has no official support for FIPS and using
 # a version built from this dockerfile may have unforseen consquences.
 # Please do not create issues in regards to problems encountered by
 # using this dockerfile.  Using this dockerfile does not convey
-# any type of fips certification.
+# any type of FIPS certification.
 
 # Starting in 1.19, go-boringcrypto has been added to the main Go toolchain,
 # hidden behind a `GOEXPERIMENT=boringcrypto` env var.
@@ -47,9 +47,19 @@ ARG GOPROXY
 # https://github.com/golang/go/blob/9d6ab825f6fe125f7ce630e103b887e580403802/misc/boring/README.md?plain=1#L95
 # Thus trying to compile the pinniped CLI with boring crypto is meaningless
 # since we would not be able to ship windows and macOS binaries.
+
+# Pass in GOCACHE (build cache) and GOMODCACHE (module cache) so they
+# can be re-used between image builds.
 RUN \
+  --mount=type=cache,target=/cache/gocache \
+  --mount=type=cache,target=/cache/gomodcache \
   mkdir out && \
-  export CGO_ENABLED=1 GOOS=linux GOARCH=amd64 GOEXPERIMENT=boringcrypto && \
+  export GOCACHE=/cache/gocache && \
+  export GOMODCACHE=/cache/gomodcache && \
+  export CGO_ENABLED=1 &&\
+  export GOOS=linux && \
+  export GOARCH=amd64 &&  \
+  export GOEXPERIMENT=boringcrypto && \
   go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
   go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
   ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \

site/content/docs/reference/fips.md

@@ -9,14 +9,13 @@ menu:
     weight: 30
     parent: reference
 ---
-By default, the Pinniped supervisor and concierge use ciphers that
-are not supported by FIPS 140-2. If you are deploying Pinniped in an
-environment with FIPS compliance requirements, you will have to build
-the binaries yourself using the `fips_strict` build tag and Golang's
-`go-boringcrypto` fork.
+By default, the Pinniped supervisor and concierge use ciphers that are not supported by FIPS 140-2.
+If you are deploying Pinniped in an environment with FIPS compliance requirements, you will have to build
+the binaries yourself using the `fips_strict` build tag and Golang's `go-boringcrypto` fork.
 
 The Pinniped team provides an [example Dockerfile](https://github.com/vmware-tanzu/pinniped/blob/main/hack/Dockerfile_fips)
 demonstrating how you can build Pinniped images in a FIPS compatible way.
+
 However, we do not provide official support for FIPS configuration, and we may not
 respond to GitHub issues opened related to FIPS support.
 We provide this for informational purposes only.