
feat: enable native go FIPS, create FIPS safe builds #702

Open

JasonPowr wants to merge 2 commits into main from fips-work

feat: enable native go FIPS, create FIPS safe builds#702
JasonPowr wants to merge 2 commits into
mainfrom
fips-work

Conversation

JasonPowr (Member) commented May 21, 2026

Summary

  • Enables Go 1.26 native FIPS 140 support (GOFIPS140=v1.0.0 + godebug fips140=auto) across all Red Hat Dockerfiles, producing both a standard and a -fips binary per image that pass check-payload scanning
  • Adds build-tagged _fips.go file variants that restrict TLS CurvePreferences to FIPS-approved curves (P-256, P-384), activated only with -tags fips (Failing on strict mode)
  • Patches CI workflows to drop the godebug fips140=auto directive before compilation since upstream Go 1.26 does not support fips140=auto

Changes

  • go.mod: Bump to Go 1.26, add godebug fips140=auto for module-wide FIPS activation
  • Dockerfiles (.rh): Set GOFIPS140=v1.0.0 globally, build both regular (-tags no_openssl) and FIPS (-tags fips,no_openssl) binaries
  • Build-clis.mak: Add FIPS cross-platform targets
  • FIPS TLS files: New _fips.go variants for serverutil, rpcflags, k8s/provider, and mysql/provider restricting curves under -tags fips
  • CI workflows: Add go mod edit -dropgodebug=fips140 step before Go compilation in golangci-lint.yml, test_crdb.yaml, test_pgdb.yaml
  • fips-pair-check.yml: New workflow validating every cmd/ binary has a matching _fips.go variant

JasonPowr force-pushed the fips-work branch 3 times, most recently from 17bced1 to 90c8114 on May 21, 2026 13:55
JasonPowr marked this pull request as ready for review May 21, 2026 15:35

JasonPowr (Member, Author) commented:

EC can be ignored in this case; none of the failures are related to my changes.

osmman left a review comment on .tekton/createtree-push.yaml (outdated):

The _fips.go file duplication pattern (650+ lines across 4 files) is unnecessary.

This PR already correctly sets godebug fips140=auto in go.mod and GOFIPS140=v1.0.0 in Dockerfiles. That's all that's needed. When Go's native FIPS mode is active, crypto/tls automatically restricts all curve preferences, cipher suites, TLS versions, and signature algorithms to FIPS-approved values — no application code changes required.

From the official docs:

"the crypto/tls package will ignore and not negotiate any protocol version, cipher suite, signature algorithm, or key exchange mechanism that is not FIPS 140-3 approved."

The filtering is built into Go itself (crypto/tls/defaults_fips140.go). Duplicating application code to manually set CurvePreferences is redundant — Go does it for you. CockroachDB had the same manual workaround and removed it for this exact reason.

Remove: all _fips.go files, //go:build !fips/fips tags on existing files, fips-pair-check.yml, -tags fips from build commands.

Keep: go.mod changes, Dockerfile changes (GOFIPS140, CGO_ENABLED=0), CI dropgodebug steps. These are the correct, non-invasive way to enable FIPS.

JasonPowr (Member, Author) commented Jun 2, 2026

@osmman The auto-filtering in crypto/tls/defaults_fips140.go does exist, but it has a known bug in Go 1.26: it keeps X25519MLKEM768 in the allowed curve list, which internally uses X25519, and the FIPS runtime then rejects it at handshake time.

This is the error I hit when deploying the non-fips binary with fips140=only:

    transport: authentication handshake failed: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode

issue: golang/go#78178
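What the curve pinning in the PR's _fips.go variants (P-256 and P-384 only) changes at the wire level, shown as an added example that is not the PR's or the project's code. It assumes nothing about the repository: a self-signed ECDSA P-256 certificate and the two curve lists are constructed here, and the handshake runs over loopback TCP in-process, outside Go's FIPS runtime (so it shows the effect of the config restriction, not the GOFIPS140 filtering itself). A default client still negotiates P-256 with the restricted server (via HelloRetryRequest), while a client that can only offer X25519 is refused at the handshake, which is the failure mode the `fips140=only` deployment above ran into from the other side.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// fipsCurves is the curve list a -tags fips variant would pin: NIST curves only.
// X25519, and the X25519MLKEM768 hybrid that uses it internally, are excluded.
func fipsCurves() []tls.CurveID {
	return []tls.CurveID{tls.CurveP256, tls.CurveP384}
}

// newServerConfig builds the server tls.Config; with fips=true CurvePreferences is
// pinned, otherwise it stays nil and Go's defaults (X25519 first) apply.
func newServerConfig(cert tls.Certificate, fips bool) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	if fips {
		cfg.CurvePreferences = fipsCurves()
	}
	return cfg
}

// selfSignedCert generates throwaway (constructed) ECDSA P-256 test material for "localhost"
// and a pool that trusts it, so the client can verify the server normally.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// handshake runs one TLS handshake over a loopback TCP connection and returns the
// first error seen on either side (nil when both sides complete).
func handshake(server, client *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			serverErr <- err
			return
		}
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second)) // backstop against a stalled peer
		serverErr <- tls.Server(raw, server).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	clientErr := tls.Client(raw, client).Handshake()
	if sErr := <-serverErr; sErr != nil && clientErr == nil {
		return sErr
	}
	return clientErr
}

// run exercises both cases against the curve-restricted server: a default client
// (nil CurvePreferences, X25519 offered first) falls back to P-256 and succeeds,
// while a client that can only offer X25519 shares no group and is rejected.
func run() (defaultClientOK bool, x25519OnlyRejected bool, err error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return false, false, err
	}
	server := newServerConfig(cert, true)
	base := &tls.Config{ServerName: "localhost", RootCAs: pool}
	x25519Only := base.Clone()
	x25519Only.CurvePreferences = []tls.CurveID{tls.X25519}
	return handshake(server, base.Clone()) == nil, handshake(server, x25519Only) != nil, nil
}

func main() {
	ok, rejected, err := run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("default client vs P-256/P-384 server: ok=%v\n", ok)
	fmt.Printf("X25519-only client vs P-256/P-384 server: rejected=%v\n", rejected)
}
```

The server side of the failing case is the same "no common group" outcome a FIPS-only runtime produces when the allowed list still carries an X25519-based group: the handshake is refused before any application traffic, so a misconfigured binary shows up as connection errors rather than a weak but working session.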

JasonPowr (Member, Author) commented:
The failures in Red Hat Konflux / trillian-cli-stack-on-pull-request seem unrelated to my changes

JasonPowr requested a review from osmman on June 2, 2026 12:50