From aa928e4c1aa5bae9fbb632905699f20596a49e96 Mon Sep 17 00:00:00 2001
From: Lukasz Zajaczkowski
Date: Wed, 30 Oct 2024 10:16:11 +0100
Subject: [PATCH] improvments

---
 Makefile | 4 ++--
 dockerfiles/agent/fips.Dockerfile | 21 ++++++++-------------
 dockerfiles/fips/go.Dockerfile | 18 +++++++++++-------
 3 files changed, 21 insertions(+), 22 deletions(-)

diff --git a/Makefile b/Makefile
index 5e23c8e3..fe1aa534 100644
--- a/Makefile
+++ b/Makefile
@@ -131,8 +131,8 @@ docker-build-go-fips: ## build base docker go fips image
 -f dockerfiles/fips/go.Dockerfile \
 .
-.PHONY: docker-build-fips
-docker-build-fips: ## build docker fips agent image
+.PHONY: docker-build-agent-fips
+docker-build-agent-fips: ## build docker fips agent image
 docker build \
 -t deployment-agent-fips \
 -f dockerfiles/agent/fips.Dockerfile \
diff --git a/dockerfiles/agent/fips.Dockerfile b/dockerfiles/agent/fips.Dockerfile
index 52af340a..1567a960 100644
--- a/dockerfiles/agent/fips.Dockerfile
+++ b/dockerfiles/agent/fips.Dockerfile
@@ -1,3 +1,4 @@
+ARG UBI_MINIMAL_VERSION="latest"
 ARG GO_FIPS_IMAGE_TAG=latest
 ARG GO_FIPS_IMAGE_REPO=go-fips
 ARG GO_FIPS_BASE_IMAGE=$GO_FIPS_IMAGE_REPO:$GO_FIPS_IMAGE_TAG
@@ -7,7 +8,6 @@ FROM ${GO_FIPS_BASE_IMAGE} AS builder
 # Set environment variables for FIPS compliance
 ENV OPENSSL_FIPS=1
 ENV FIPS_MODE=true
-
 # Set up Go environment
 ENV CGO_ENABLED=1
 ENV CC=gcc
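Review bot: `ARG UBI_MINIMAL_VERSION="latest"` makes the runtime base of the FIPS agent image a floating tag by default, so two builds of the same commit can resolve to different ubi-minimal (and therefore different openssl) contents; the same default is added to dockerfiles/fips/go.Dockerfile in the `@@ -1,13 +1,16 @@` hunk. For an image whose whole purpose is FIPS compliance the base should be pinned, e.g. `ARG UBI_MINIMAL_VERSION="<pinned ubi8-minimal tag>"` (placeholder) and ideally a `@sha256:` digest on the FROM line, with the Makefile overriding it via `--build-arg` when a newer base is wanted. The visible part of the Makefile target does not pass `--build-arg UBI_MINIMAL_VERSION=...`, so unless it is set elsewhere this default is what every build will actually use.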
@@ -27,27 +27,22 @@ COPY /cmd/agent cmd/agent
 COPY /pkg pkg/
 COPY /api api/
 COPY /internal internal/
-
-RUN go install github.com/acardace/fips-detect@latest
-
 # Build
 RUN GOOS=linux GOARCH=${TARGETARCH} GO111MODULE=on go build -a -o deployment-agent cmd/agent/*.go
-
-FROM registry.access.redhat.com/ubi8/ubi
+# This the minimal UBI FIPS compliance image
+FROM registry.access.redhat.com/ubi8/ubi-minimal:$UBI_MINIMAL_VERSION
 WORKDIR /workspace
-
-# Set environment variables for FIPS
+# Set environment variables for FIPS compliance in the runtime
 ENV OPENSSL_FIPS=1
 ENV FIPS_MODE=true
-# Install required packages, including openssl and fips-initramfs
-RUN yum install -y openssl podman && \
- yum clean all
+RUN microdnf install -y openssl && \
+ microdnf clean all
-# Enable FIPS mode
-RUN fips-mode-setup --enable
 RUN mkdir /.kube && chown 65532:65532 /.kube
+
 COPY --from=builder /workspace/deployment-agent .
 USER 65532:65532
+
 ENTRYPOINT ["/workspace/deployment-agent"]
\ No newline at end of file
diff --git a/dockerfiles/fips/go.Dockerfile b/dockerfiles/fips/go.Dockerfile
index 1be16d1a..2b2e110c 100644
--- a/dockerfiles/fips/go.Dockerfile
+++ b/dockerfiles/fips/go.Dockerfile
@@ -1,13 +1,16 @@
-# Use Red Hat UBI8 base image
-FROM registry.access.redhat.com/ubi8/ubi AS go
+# This Dockerfile builds Go FIPS with OpenSSL
+ARG UBI_MINIMAL_VERSION="latest"
+FROM registry.access.redhat.com/ubi8/ubi-minimal:${UBI_MINIMAL_VERSION} AS go
 ARG GO_VERSION=1.23.2
 ARG TARGETARCH
 ARG PLATFORM_ARCH=amd64
+
 WORKDIR /workspace
 # Install FIPS-compliant OpenSSL
-RUN yum install -y git openssl-devel glibc-devel tar gzip gcc make && yum clean all
+RUN microdnf --nodocs install yum && yum --nodocs -q update -y
+RUN yum install --nodocs -y git openssl-devel glibc-devel tar gzip gcc make && yum clean all
 # Set environment variables for FIPS compliance
 ENV OPENSSL_FIPS=1
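Review bot: `RUN microdnf install -y openssl && microdnf clean all` installs an unpinned openssl into the runtime stage, and combined with the `latest` base tag it means the crypto library the agent loads at runtime is not reproducible from this Dockerfile; pin it (`openssl-<version from the UBI repo>`, placeholder) and add `--nodocs` as the go.Dockerfile RUN lines in this same patch do. The new comment `# This the minimal UBI FIPS compliance image` has a typo and overstates what the line does: a ubi-minimal base does not by itself put the process in FIPS mode — as far as I know that depends on the host kernel being in FIPS mode and on the system crypto policy, and the `ENV OPENSSL_FIPS=1` / `FIPS_MODE=true` lines below are plain environment variables — so something like `# Minimal UBI runtime base; FIPS enforcement comes from the FIPS-built Go binary and the host's FIPS mode` would be accurate. Removing the `fips-detect` install also takes away the only FIPS verification tooling visible in the build; if the produced binary was being checked with it, that check should come back in the builder stage or in CI rather than being dropped silently.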
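Review bot: `RUN microdnf --nodocs install yum && yum --nodocs -q update -y` installs a full yum stack into a ubi-minimal stage only to run a blanket `yum update`, which defeats the point of the minimal base, ties the image contents to whatever the repo serves at build time, and leaves the update's repo metadata in its own layer with no `clean all`; the same pair of lines is repeated for the final stage in the `@@ -47,9 +50,10 @@` hunk. Unless one of these packages is unavailable to microdnf, the two RUNs can be collapsed to `RUN microdnf install --nodocs -y git openssl-devel glibc-devel tar gzip gcc make && microdnf clean all` (and the final-stage equivalent without git), with base freshness handled by bumping `UBI_MINIMAL_VERSION` instead of updating in place. If yum really is required, at least append `&& yum clean all` to the update line so the metadata is removed in the layer that created it.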
@@ -29,8 +32,8 @@ RUN git clone \
 RUN cd /tmp/go && \
 chmod +x scripts/* && \
- git config --global user.email "you@example.com" && \
- git config --global user.name "Your Name" && \
+ git config --global user.email "plural@plural.sh" && \
+ git config --global user.name "plural" && \
 scripts/full-initialize-repo.sh && \
 pushd go/src && \
 CGO_ENABLED=1 ./make.bash && \
@@ -47,9 +50,10 @@ RUN cd /usr/local/go/src && \
 /usr/local/go/src/cmd/dist/dist \
 /usr/local/go/.git*
-FROM registry.access.redhat.com/ubi8/ubi
+FROM registry.access.redhat.com/ubi8/ubi-minimal:${UBI_MINIMAL_VERSION}
-RUN yum install -y openssl-devel glibc-devel tar gzip gcc make && yum clean all
+RUN microdnf --nodocs install yum && yum --nodocs -q update -y
+RUN yum install --nodocs -y openssl-devel glibc-devel tar gzip gcc make && yum clean all
 COPY --from=go /usr/local/go /usr/local/go
 ENV OPENSSL_FIPS=1