acquia · theadarshsaxena · Nov 25, 2025 · Nov 25, 2025 · Nov 19, 2025 · Nov 26, 2025
diff --git a/.acquia/.cortex/cortex.yaml b/.acquia/.cortex/cortex.yaml
@@ -0,0 +1,19 @@
+openapi: 3.0.1
+info:
+  title: acquia/argo-rollouts
+  description: Fork of argo/argo-rollouts to manage Argo Rollouts CVEs, fips image
+  x-cortex-tag: acquia/argo-rollouts
+  x-cortex-git:
+    github:
+      repository: acquia/argo-rollouts
+  x-cortex-owners:
+    - type: GROUP
+      name: acquia/k8s-core-services
+      provider: GITHUB
+      description: Kubernetes Core Services
+    - type: SLACK
+      channel: cloud-eng-core-services
+      notificationsEnabled: true
+      description: Core services team public channel for cross team communication
+  x-cortex-groups:
+    - drupal-cloud
diff --git a/.acquia/Dockerfile.ci b/.acquia/Dockerfile.ci
@@ -0,0 +1,44 @@
+FROM jfrog.ais.acquia.io/devops-pipeline-prod/acquia/amazonlinux:2023 as fips-golang-builder
+
+# Update packages
+USER root
+RUN yum makecache \
+  && yum update -y \
+  && yum install -y tar gcc git \
+  && yum clean all \
+  && rm -rf /var/cache/yum
+
+ARG TARGETOS=linux
+ARG TARGETARCH=amd64
+
+# Install Go
+RUN GOLANG_VERSION=$(curl -s https://go.dev/VERSION?m=text | head -n 1 | sed 's/go//') && \
+    echo "Installing Go version ${GOLANG_VERSION}" && \
+    curl -LO "https://go.dev/dl/go${GOLANG_VERSION}.${TARGETOS}-${TARGETARCH}.tar.gz" && \
+    tar -C /usr/local -xzf "go${GOLANG_VERSION}.${TARGETOS}-${TARGETARCH}.tar.gz" && \
+    rm -f "go${GOLANG_VERSION}.${TARGETOS}-${TARGETARCH}.tar.gz" && \
+    ls -la /usr/local/go/bin && \
+    chmod +x /usr/local/go/bin/go
+
+# Set Golang environment variables
+ENV GOPATH="/go"
+ENV GOROOT="/usr/local/go"
+ENV GOBIN="${GOPATH}/bin"
+ENV GO111MODULE="on"
+ENV GOOS=${TARGETOS}
+ENV GOARCH=${TARGETARCH}
+ENV GOPRIVATE=github.com/acquia
+
+# FIPS
+ENV GOEXPERIMENT=boringcrypto
+ENV CGO_ENABLED=1
+
+# Add path to go binaries
+ENV PATH="${PATH}:${GOROOT}/bin:${GOBIN}"
+
+WORKDIR /argo-rollouts
+
+RUN git config --global --add safe.directory '*'
+
+# Perform the build
+COPY . .
diff --git a/.acquia/pipeline.yaml b/.acquia/pipeline.yaml
@@ -0,0 +1,42 @@
+type: default
+team: KCS
+group: platform
+service: argo-rollouts
+
+# Validate the formatting of the pipeline.yaml file.
+validate_config: true
+
+environment_image:
+  file: ".acquia/Dockerfile.ci"
+  context: "."
+  build_args:
+    - secrets:
+      - type: vault
+        key: SSH_KEY
+        value: GIT_SSH_KEY
+        path: secret/pipeline-default/GIT_SSH_KEY
+
+pre_build:
+  code_analysis:
+    required: false
+  check_fips:
+    - steps:
+      - cd /argo-rollouts
+      - make check-fips
+
+build:
+  service_image:
+    - name: argo-rollouts/rollouts-controller
+      file: "Dockerfile-FIPS"
+      context: "."
+      build_args:
+        - secrets:
+          - type: vault
+            key: SSH_KEY
+            value: GIT_SSH_KEY
+            path: secret/pipeline-default/GIT_SSH_KEY
+
+security_scan:
+  scanner: orca
+  ignore_failures: true
+  reason: This service is only used for building base FIPS complaint image
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -78,7 +78,7 @@ jobs:
   release-artifacts:
     permissions:
       contents: write # for softprops/action-gh-release to create GitHub release
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-4-cores
     outputs:
       hashes: ${{ steps.hash.outputs.hashes }}
 
@@ -154,7 +154,7 @@ jobs:
     permissions:
       contents: write # Needed for release uploads
       id-token: write # Needed for signing Sbom
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-4-cores
     steps:
       - name: Checkout code
         uses: actions/checkout@v5 # v3.3.0
@@ -227,7 +227,7 @@ jobs:
       - generate-sbom
     permissions:
       contents: write # Needed to push commit to update stable tag
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-4-cores
     steps:
       - name: Checkout code
         uses: actions/checkout@v5 # v3.3.0

diff --git a/Dockerfile-FIPS b/Dockerfile-FIPS
@@ -0,0 +1,55 @@
+FROM jfrog.ais.acquia.io/devops-pipeline-prod/acquia/amazonlinux:2023 as argo-rollouts-builder
+
+# Update packages
+USER root
+RUN yum makecache \
+  && yum update -y \
+  && yum install -y tar gcc git \
+  && yum clean all \
+  && rm -rf /var/cache/yum
+
+ARG TARGETOS=linux
+ARG TARGETARCH=amd64
+
+# Install Go
+RUN GOLANG_VERSION=$(curl -s https://go.dev/VERSION?m=text | head -n 1 | sed 's/go//') && \
+    echo "Installing Go version ${GOLANG_VERSION}" && \
+    curl -LO "https://go.dev/dl/go${GOLANG_VERSION}.${TARGETOS}-${TARGETARCH}.tar.gz" && \
+    tar -C /usr/local -xzf "go${GOLANG_VERSION}.${TARGETOS}-${TARGETARCH}.tar.gz" && \
+    rm -f "go${GOLANG_VERSION}.${TARGETOS}-${TARGETARCH}.tar.gz" && \
+    ls -la /usr/local/go/bin && \
+    chmod +x /usr/local/go/bin/go
+
+# Set Golang environment variables
+ENV GOPATH="/go"
+ENV GOROOT="/usr/local/go"
+ENV GOBIN="${GOPATH}/bin"
+ENV GO111MODULE="on"
+ENV GOOS=${TARGETOS}
+ENV GOARCH=${TARGETARCH}
+ENV GOPRIVATE=github.com/acquia
+
+# FIPS
+ENV GOEXPERIMENT=boringcrypto
+ENV CGO_ENABLED=1
+
+# Add path to go binaries
+ENV PATH="${PATH}:${GOROOT}/bin:${GOBIN}"
+
+WORKDIR /go/src/github.com/argoproj/argo-rollouts
+
+# Perform the build
+COPY . .
+
+ARG MAKE_TARGET="controller-fips"
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH make ${MAKE_TARGET}
+
+#####################################################################################################
+## Final image
+#####################################################################################################
+FROM jfrog.ais.acquia.io/devops-pipeline-prod/acquia/amazonlinux:2023
+COPY --from=argo-rollouts-builder /go/src/github.com/argoproj/argo-rollouts/dist/rollouts-controller /bin/
+
+USER 999
+
+ENTRYPOINT [ "/bin/rollouts-controller" ]
diff --git a/Makefile b/Makefile
@@ -349,3 +349,23 @@ checksums:
 
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
+
+###############################
+## Acquia specific make targets
+###############################
+
+IMAGE_TAG=fips-v1.8.0
+
+.PHONY: build-fips
+build-fips:
+	DOCKER_BUILDKIT=1 docker build --platform=linux/amd64 -t argo-rollouts:$(IMAGE_TAG) -f Dockerfile-FIPS .
+
+.PHONY: controller-fips
+controller-fips:
+	GOEXPERIMENT=boringcrypto CGO_ENABLED=1 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/rollouts-controller ./cmd/rollouts-controller
+
+# Note: This target might not work as expected on arm64 architecture.
+.PHONY: check-fips
+check-fips: controller-fips
+	go tool nm ${DIST_DIR}/rollouts-controller | grep "_Cfunc__goboringcrypto_" || (echo "CGO boringcrypto could not be detected in the go application binary" && exit 1)
diff --git a/experiments/analysisrun_test.go b/experiments/analysisrun_test.go
@@ -178,7 +178,7 @@ func TestClusterAnalysisTemplateNotExists(t *testing.T) {
 	e.Spec.Analyses = []v1alpha1.ExperimentAnalysisTemplateRef{
 		{
 			Name:         "success-rate",
-			ClusterScope: true,
+			ClusterScope: ptr.To(true),
 		},
 	}
 	rs := templateToRS(e, templates[0], 1)
@@ -236,7 +236,7 @@ func TestCreateAnalysisRunWithClusterTemplate(t *testing.T) {
 		{
 			Name:         "cluster-success-rate",
 			TemplateName: aTemplates[0].Name,
-			ClusterScope: true,
+			ClusterScope: ptr.To(true),
 			Args: []v1alpha1.Argument{{
 				Name:  "test",
 				Value: ptr.To[string]("sss"),
@@ -801,7 +801,7 @@ func TestCreateAnalysisRunWithMetadataAndDryRunWithClusterScope(t *testing.T) {
 		{
 			Name:         "success-rate",
 			TemplateName: aTemplates[0].Name,
-			ClusterScope: true,
+			ClusterScope: ptr.To(true),
 		},
 	}
 	e.Status.Phase = v1alpha1.AnalysisPhaseRunning

diff --git a/experiments/experiment.go b/experiments/experiment.go
@@ -437,7 +437,7 @@ func (ec *experimentContext) reconcileAnalysisRun(analysis v1alpha1.ExperimentAn
 
 	if ec.ex.Status.AvailableAt == nil {
 		// If we are not not available yet, don't start any runs
-		if analysis.ClusterScope {
+		if analysis.IsClusterScope() {
 			if err := ec.verifyClusterAnalysisTemplate(analysis); err != nil {
 				msg := fmt.Sprintf("ClusterAnalysisTemplate verification failed for analysis '%s': %v", analysis.Name, err.Error())
 				newStatus.Phase = v1alpha1.AnalysisPhaseError
@@ -642,7 +642,7 @@ func (ec *experimentContext) assessAnalysisRuns() (v1alpha1.AnalysisPhase, strin
 
 // newAnalysisRun generates an AnalysisRun from the experiment and template
 func (ec *experimentContext) newAnalysisRun(analysis v1alpha1.ExperimentAnalysisTemplateRef, args []v1alpha1.Argument, dryRunMetrics []v1alpha1.DryRun, measurementRetentionMetrics []v1alpha1.MeasurementRetention, analysisRunMetadata *v1alpha1.AnalysisRunMetadata) (*v1alpha1.AnalysisRun, error) {
-	if analysis.ClusterScope {
+	if analysis.IsClusterScope() {
 		analysisTemplates, clusterAnalysisTemplates, err := ec.getAnalysisTemplatesFromClusterAnalysis(analysis)
 		if err != nil {
 			return nil, err
@@ -749,7 +749,7 @@ func (ec *experimentContext) getAnalysisTemplatesFromRefs(templateRefs *[]v1alph
 	templates := make([]*v1alpha1.AnalysisTemplate, 0)
 	clusterTemplates := make([]*v1alpha1.ClusterAnalysisTemplate, 0)
 	for _, templateRef := range *templateRefs {
-		if templateRef.ClusterScope {
+		if templateRef.IsClusterScope() {
 			template, err := ec.clusterAnalysisTemplateLister.Get(templateRef.TemplateName)
 			if err != nil {
 				if k8serrors.IsNotFound(err) {

diff --git a/experiments/experiment_test.go b/experiments/experiment_test.go
@@ -623,12 +623,12 @@ func TestCreatenalysisRunWithClusterTemplatesAndTemplateAndInnerTemplates(t *tes
 		{
 			Name:         "exp-bar",
 			TemplateName: "bar",
-			ClusterScope: false,
+			ClusterScope: ptr.To(false),
 		},
 		{
 			Name:         "exp-bar-2",
 			TemplateName: "clusterbar4",
-			ClusterScope: true,
+			ClusterScope: ptr.To(true),
 		},
 	}
 
@@ -721,12 +721,12 @@ func TestCreatenalysisRunWithTemplatesAndNoMetricsAtRoot(t *testing.T) {
 		{
 			Name:         "exp-bar",
 			TemplateName: "bar",
-			ClusterScope: false,
+			ClusterScope: ptr.To(false),
 		},
 		{
 			Name:         "exp-bar-2",
 			TemplateName: "clusterbar4",
-			ClusterScope: true,
+			ClusterScope: ptr.To(true),
 		},
 	}
 
@@ -812,7 +812,7 @@ func TestAnalysisTemplateNotFoundShouldFailTheExperiment(t *testing.T) {
 		{
 			Name:         "exp-bar",
 			TemplateName: "bar",
-			ClusterScope: false,
+			ClusterScope: ptr.To(false),
 		},
 	}
 
@@ -829,7 +829,7 @@ func TestClusterAnalysisTemplateNotFoundShouldFailTheExperiment(t *testing.T) {
 		{
 			Name:         "exp-bar",
 			TemplateName: "cluster-bar",
-			ClusterScope: true,
+			ClusterScope: ptr.To(true),
 		},
 	}
 
@@ -848,7 +848,7 @@ func TestInnerAnalysisTemplateNotFoundShouldFailTheExperiment(t *testing.T) {
 		{
 			Name:         "exp-bar",
 			TemplateName: "bar",
-			ClusterScope: false,
+			ClusterScope: ptr.To(false),
 		},
 	}
 
@@ -868,7 +868,7 @@ func TestInnerClusterAnalysisTemplateNotFoundShouldFailTheExperiment(t *testing.
 		{
 			Name:         "exp-bar",
 			TemplateName: "clusterbar",
-			ClusterScope: true,
+			ClusterScope: ptr.To(true),
 		},
 	}
 	rs := templateToRS(e, templates[0], 0)
@@ -942,7 +942,7 @@ func analysisTemplateWithAnalysisRefs(name string, clusterScope bool, innerRefsN
 	for _, innerTplName := range innerRefsName {
 		templatesRefs = append(templatesRefs, v1alpha1.AnalysisTemplateRef{
 			TemplateName: innerTplName,
-			ClusterScope: clusterScope,
+			ClusterScope: ptr.To(clusterScope),
 		})
 	}
 	return &v1alpha1.AnalysisTemplate{
@@ -974,7 +974,7 @@ func analysisTemplateWithOnlyRefs(name string, clusterScope bool, innerRefsName
 	for _, innerTplName := range innerRefsName {
 		templatesRefs = append(templatesRefs, v1alpha1.AnalysisTemplateRef{
 			TemplateName: innerTplName,
-			ClusterScope: clusterScope,
+			ClusterScope: ptr.To(clusterScope),
 		})
 	}
 	return &v1alpha1.AnalysisTemplate{
@@ -1009,7 +1009,7 @@ func clusterAnalysisTemplateWithAnalysisRefs(name string, innerRefsName ...strin
 	for _, innerTplName := range innerRefsName {
 		templatesRefs = append(templatesRefs, v1alpha1.AnalysisTemplateRef{
 			TemplateName: innerTplName,
-			ClusterScope: true,
+			ClusterScope: ptr.To(true),
 		})
 	}
 	return &v1alpha1.ClusterAnalysisTemplate{

diff --git a/pkg/apis/rollouts/v1alpha1/experiment_types.go b/pkg/apis/rollouts/v1alpha1/experiment_types.go
@@ -225,7 +225,7 @@ type ExperimentAnalysisTemplateRef struct {
 	TemplateName string `json:"templateName" protobuf:"bytes,2,opt,name=templateName"`
 	// Whether to look for the templateName at cluster scope or namespace scope
 	// +optional
-	ClusterScope bool `json:"clusterScope,omitempty" protobuf:"varint,3,opt,name=clusterScope"`
+	ClusterScope *bool `json:"clusterScope,omitempty" protobuf:"varint,3,opt,name=clusterScope"`
 	// Args are the arguments that will be added to the AnalysisRuns
 	// +optional
 	// +patchMergeKey=name
@@ -235,6 +235,12 @@ type ExperimentAnalysisTemplateRef struct {
 	RequiredForCompletion bool `json:"requiredForCompletion,omitempty" protobuf:"varint,5,opt,name=requiredForCompletion"`
 }
 
+// IsClusterScope returns true if the template should be looked up at cluster scope.
+// Defaults to false (namespace scope) if ClusterScope is nil.
+func (ref *ExperimentAnalysisTemplateRef) IsClusterScope() bool {
+	return ref.ClusterScope != nil && *ref.ClusterScope
+}
+
 type ExperimentAnalysisRunStatus struct {
 	// Name is the name of the analysis
 	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`