Conversation

@sgagniere
Member

@sgagniere sgagniere commented Dec 30, 2025

Release Notes

Breaking Changes

  • PLACEHOLDER

New Features

  • PLACEHOLDER

Bug Fixes

  • PLACEHOLDER

Checklist

  • I have successfully built and used a custom CLI binary, without linter issues from this PR.
  • I have clearly specified in the What section below whether this PR applies to Confluent Cloud, Confluent Platform, or both.
  • I have verified this PR in Confluent Cloud pre-prod or production environment, if applicable.
  • I have verified this PR in Confluent Platform on-premises environment, if applicable.
  • I have attached manual CLI verification results or screenshots in the Test & Review section below.
  • I have added appropriate CLI integration or unit tests for any new or updated commands and functionality.
  • I confirm that this PR introduces no breaking changes or backward compatibility issues.
  • I have indicated the potential customer impact if something goes wrong in the Blast Radius section below.
  • I have put checkmarks below confirming that the feature associated with this PR is enabled in:
    • Confluent Cloud prod
    • Confluent Cloud stag
    • Confluent Platform
    • Check this box if the feature is enabled for certain organizations only

What

The fipsonly package forces the use of FIPS configuration settings for TLS to prevent the binary from falling back to a non-FIPS-approved setting.

This PR only adds this import for builds that export GOEXPERIMENT=boringcrypto, because the package is empty otherwise (causing non-FIPS builds to fail to compile).

Blast Radius

Any impact would be limited to FIPS-enabled builds. The impact itself should be minimal since it should only restrict the set of allowed cipher suites, which we aren't setting anyway.

References

Test & Review

Manual testing: https://docs.google.com/document/d/18oTfJEL2X-uZxDGuHj3is6x2rMWOarj8nPAUmeHJm_I/edit?usp=sharing
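What "restricting the set of allowed cipher suites" means on the wire, as an added example that is not part of this PR or of the Confluent CLI: an in-memory TLS 1.2 handshake against a server pinned to an assumed FIPS suite allowlist (the four ECDHE AES-GCM suites that boringcrypto's fipsonly mode applied in the Go 1.21 series; the authoritative set is whatever the crypto/tls of the toolchain you build with enforces). A client using Go's defaults still negotiates an allowlisted suite, while a peer that only offers a non-FIPS suite fails the handshake, which is the interoperability risk to watch for in a FIPS build. fipsonly also pins the protocol version and curve preferences; only the suite restriction is shown here, and both sides are held at TLS 1.2 because Config.CipherSuites does not govern TLS 1.3 suites. The certificate is generated at runtime for this example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// FIPSCipherSuites is the TLS 1.2 suite allowlist that boringcrypto's fipsonly
// mode applied in the Go 1.21 series. It is assumed here for illustration; the
// authoritative set is whatever crypto/tls in your toolchain enforces.
var FIPSCipherSuites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
}

// IsFIPSSuite reports whether a cipher suite id is on the allowlist above.
func IsFIPSSuite(id uint16) bool {
	for _, s := range FIPSCipherSuites {
		if s == id {
			return true
		}
	}
	return false
}

// selfSignedCert builds a throwaway P-256 certificate for "localhost" and a
// pool that trusts it. Constructed for this in-memory example only.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Handshake runs an in-memory TLS 1.2 handshake between a server pinned to
// FIPSCipherSuites and a client offering clientSuites (nil means Go's defaults).
// It returns the negotiated suite id, or the handshake error.
func Handshake(clientSuites []uint16) (uint16, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12, // CipherSuites has no effect on TLS 1.3
		CipherSuites: FIPSCipherSuites,
	}
	clientCfg := &tls.Config{
		RootCAs:      pool,
		ServerName:   "localhost",
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
		CipherSuites: clientSuites,
	}
	cConn, sConn := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // never let a failed exchange hang
	_ = cConn.SetDeadline(deadline)
	_ = sConn.SetDeadline(deadline)
	defer sConn.Close()

	server := tls.Server(sConn, serverCfg)
	serverErr := make(chan error, 1)
	go func() { serverErr <- server.Handshake() }()

	client := tls.Client(cConn, clientCfg)
	if err := client.Handshake(); err != nil {
		cConn.Close() // unblock the server side, then collect its result
		<-serverErr
		return 0, err
	}
	defer cConn.Close()
	if err := <-serverErr; err != nil {
		return 0, err
	}
	return client.ConnectionState().CipherSuite, nil
}

func main() {
	for _, suites := range [][]uint16{nil, {tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305}} {
		id, err := Handshake(suites)
		if err != nil {
			fmt.Println("handshake failed:", err)
			continue
		}
		fmt.Printf("negotiated %s, FIPS allowlisted: %t\n", tls.CipherSuiteName(id), IsFIPSSuite(id))
	}
}
```

The server never sets a preference the PR's binary would set either; the point is that a fipsonly build imposes this allowlist on every tls.Config in the process, so any peer that only speaks non-FIPS suites starts failing with a handshake alert rather than a configuration error, which is where to look first if a FIPS build stops connecting.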

@confluent-cla-assistant

🎉 All Contributor License Agreements have been signed. Ready to merge.
Please push an empty commit if you would like to re-run the checks to verify CLA status for all contributors.

@sgagniere sgagniere marked this pull request as ready for review December 30, 2025 23:46
@sgagniere sgagniere requested a review from a team as a code owner December 30, 2025 23:46
Copilot AI review requested due to automatic review settings December 30, 2025 23:46

Copilot AI left a comment


Pull request overview

This PR adds FIPS-only TLS enforcement for builds that use BoringCrypto. The implementation uses Go build tags to conditionally import the crypto/tls/fipsonly package only when GOEXPERIMENT=boringcrypto is set, ensuring non-FIPS builds continue to compile successfully.

Key changes:

  • Created a new fips package with conditional build support
  • Added blank import of the fips package to enforce FIPS settings at runtime

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

  • pkg/fips/fips.go: Conditionally imports crypto/tls/fipsonly when building with boringcrypto to enforce FIPS-only TLS settings
  • pkg/fips/no_fips.go: Empty placeholder file to allow compilation when not building with boringcrypto
  • cmd/confluent/main.go: Adds blank import of the fips package to activate FIPS enforcement at application startup


Comment on lines +1 to +3
package fips

// This file exists to suppress build errors when not building with boringcrypto

Copilot AI Dec 30, 2025


Missing build tag constraint. This file should have //go:build !boringcrypto as the first line to ensure it's only compiled when the boringcrypto build tag is not set, preventing conflicts with fips.go.

Member Author


Unnecessary since there's no real code in this file anyway, so there are no conflicts when compiling both files.
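The build-constraint question above, as an added example that is not code from this PR or from the Confluent CLI: the standard library's go/build/constraint package evaluates //go:build lines, so the same file-selection logic the compiler applies can be run over constructed file contents that mirror the PR's layout (fips.go with a boringcrypto constraint and a blank import of crypto/tls/fipsonly, which is assumed to be its content; no_fips.go with no constraint, as quoted above; and a no_fips_tagged.go variant with Copilot's suggested negated tag). The example assumes, as the PR does, that GOEXPERIMENT=boringcrypto is what makes the boringcrypto tag active. A file with no constraint is included in every build, so under boringcrypto both fips.go and no_fips.go are compiled into the package; because no_fips.go declares nothing beyond its package clause, that is harmless, which is the author's point, while the negated tag would merely exclude it from the FIPS build.

```go
package main

import (
	"bufio"
	"fmt"
	"go/build/constraint"
	"sort"
	"strings"
)

// sampleFiles is constructed for this example to mirror the PR's package
// layout; fips.go's content is an assumption, no_fips.go is as quoted in the
// review thread, and no_fips_tagged.go is Copilot's suggested variant.
var sampleFiles = map[string]string{
	"fips.go":           "//go:build boringcrypto\n\npackage fips\n\nimport _ \"crypto/tls/fipsonly\"\n",
	"no_fips.go":        "package fips\n\n// This file exists to suppress build errors when not building with boringcrypto\n",
	"no_fips_tagged.go": "//go:build !boringcrypto\n\npackage fips\n",
}

// buildConstraint returns the file's //go:build expression, or nil when the
// file has none. Only lines before the package clause are inspected, which is
// where Go requires a build constraint to appear.
func buildConstraint(src string) (constraint.Expr, error) {
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "package ") {
			break
		}
		if constraint.IsGoBuild(line) {
			return constraint.Parse(line)
		}
	}
	return nil, nil
}

// SelectedFiles reports, in sorted order, which files the compiler would
// include in a build whose active tags are the given set. A file without a
// constraint is always included.
func SelectedFiles(files map[string]string, tags ...string) ([]string, error) {
	active := map[string]bool{}
	for _, t := range tags {
		active[t] = true
	}
	var out []string
	for name, src := range files {
		expr, err := buildConstraint(src)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		if expr == nil || expr.Eval(func(tag string) bool { return active[tag] }) {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	for _, tags := range [][]string{{}, {"boringcrypto"}} {
		files, err := SelectedFiles(sampleFiles, tags...)
		if err != nil {
			panic(err)
		}
		fmt.Printf("tags=%v -> %v\n", tags, files)
	}
}
```

The same selection can be confirmed against the real toolchain with `go list -f '{{.GoFiles}}' ./pkg/fips`, run once with and once without `GOEXPERIMENT=boringcrypto` exported; the FIPS build should list fips.go, and the non-FIPS build must still compile without it.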

@sonarqube-confluent


2 participants