[Dev-Build] support building with FIPS feature

[wuhuizuo]

Requirements

Support building binaries and images for these components:

• TiDB pingcap/tidb
• TiKV tikv/tikv
• PD tikv/pd
• TiCDC pingcap/tiflow
• BR pingcap/tidb
• Dashboard pingcap/tidb-dashboard
• Operator pingcap/tidb-operator
• Ng-monitoring pingcap/ng-monitoring

Required informations

Go version

go 1.19+ （v6.5.x: 1.19, trunk branches: 1.21)

How to build

• TiDB pingcap/tidb
• TiKV tikv/tikv
• PD tikv/pd
• TiCDC pingcap/tiflow
• BR pingcap/tidb
• Dashboard pingcap/tidb-dashboard
• Operator pingcap/tidb-operator
• Ng-monitoring pingcap/ng-monitoring

Which one is need to change the runtime base images?

• TiKV's base image: https://github.com/tikv/tikv/pull/15944/files#diff-ee3aa9f430cddf671a78d1a6c60b26067bfe2f1c4d6f5be04dd8731fd1474ea5

[overvenus]

To build such binary, we can add an env variable "ENABLE_FIPS=1".

E.g.,

PD: make build -> ENABLE_FIPS=1 make build
TiDB: make server -> ENABLE_FIPS=1 make server
TiKV: ROCKSDB_SYS_STATIC=1 make dist_release -> ENABLE_FIPS=1 ROCKSDB_SYS_STATIC=1 make dist_release

[jayl1e]

Is it enough, do we need to change buider image and product image?

[wuhuizuo]

Implementation of building logic:

• feat: support env and product dockerfile #2615

[overvenus]

We need to support one more project:

• https://github.com/pingcap/ng-monitoring, ENABLE_FIPS=1 make

[wuhuizuo]

After communicating with @csuzhangxc(the owner of tidb-operator), a consensus was reached. Considering the release frequency of the FIPS targets, tidb-operator does not need to be supported in nightly build. It can be supported in dev-build. When it is officially released, its product will be re-released with the official tag.

[wuhuizuo]

complete tidb-dashboard in #2721

[wuhuizuo]

tikv runtime dockerfile: https://github.com/PingCAP-QE/artifacts/blob/main/dockerfiles/products/tikv-fips.Dockerfile