From 8430a214c3d7ddf40cfd842059a6ae73cfd41d40 Mon Sep 17 00:00:00 2001 From: Lukasz Zajaczkowski Date: Tue, 29 Oct 2024 15:54:04 +0100 Subject: [PATCH 01/16] create fips binary for deployment operator --- Makefile | 14 ++++++++ dockerfiles/agent/fips.Dockerfile | 53 +++++++++++++++++++++++++++ dockerfiles/fips/go.Dockerfile | 60 +++++++++++++++++++++++++++++++ 3 files changed, 127 insertions(+) create mode 100644 dockerfiles/agent/fips.Dockerfile create mode 100644 dockerfiles/fips/go.Dockerfile diff --git a/Makefile b/Makefile index 83725b69..5e23c8e3 100644 --- a/Makefile +++ b/Makefile @@ -124,6 +124,20 @@ docker-run-harness: docker-build-harness-terraform docker-build-harness-ansible --console-token=${PLURAL_DEPLOY_TOKEN} \ --stack-run-id=${PLURAL_STACK_RUN_ID} +.PHONY: docker-build-go-fips +docker-build-go-fips: ## build base docker go fips image + docker build \ + -t go-fips \ + -f dockerfiles/fips/go.Dockerfile \ + . + +.PHONY: docker-build-fips +docker-build-fips: ## build docker fips agent image + docker build \ + -t deployment-agent-fips \ + -f dockerfiles/agent/fips.Dockerfile \ + . + velero-crds: @curl -L $(VELERO_CHART_URL) --output velero.tgz @tar zxvf velero.tgz velero/crds diff --git a/dockerfiles/agent/fips.Dockerfile b/dockerfiles/agent/fips.Dockerfile new file mode 100644 index 00000000..52af340a --- /dev/null +++ b/dockerfiles/agent/fips.Dockerfile 
@@ -0,0 +1,53 @@
+ARG GO_FIPS_IMAGE_TAG=latest
+ARG GO_FIPS_IMAGE_REPO=go-fips
+ARG GO_FIPS_BASE_IMAGE=$GO_FIPS_IMAGE_REPO:$GO_FIPS_IMAGE_TAG
+
+FROM ${GO_FIPS_BASE_IMAGE} AS builder
+
+# Set environment variables for FIPS compliance
+ENV OPENSSL_FIPS=1
+ENV FIPS_MODE=true
+
+# Set up Go environment
+ENV CGO_ENABLED=1
+ENV CC=gcc
+
+ARG TARGETARCH
+
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+# Copy the go source
+COPY /cmd/agent cmd/agent
+COPY /pkg pkg/
+COPY /api api/
+COPY /internal internal/
+
+RUN go install github.com/acardace/fips-detect@latest
+
+# Build
+RUN GOOS=linux GOARCH=${TARGETARCH} GO111MODULE=on go build -a -o deployment-agent cmd/agent/*.go
+
+
+FROM registry.access.redhat.com/ubi8/ubi
+WORKDIR /workspace
+
+# Set environment variables for FIPS
+ENV OPENSSL_FIPS=1
+ENV FIPS_MODE=true
+
+# Install required packages, including openssl and fips-initramfs
+RUN yum install -y openssl podman && \
+ yum clean all
+
+# Enable FIPS mode
+RUN fips-mode-setup --enable
+RUN mkdir /.kube && chown 65532:65532 /.kube
+COPY --from=builder /workspace/deployment-agent .
+USER 65532:65532
+ENTRYPOINT ["/workspace/deployment-agent"]
\ No newline at end of file
diff --git a/dockerfiles/fips/go.Dockerfile b/dockerfiles/fips/go.Dockerfile
new file mode 100644
index 00000000..1be16d1a
--- /dev/null
+++ b/dockerfiles/fips/go.Dockerfile
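Review bot: `RUN go install github.com/acardace/fips-detect@latest` pulls an unpinned tool over the network during the build but never runs it, so the build gains a supply-chain dependency without actually checking that `deployment-agent` links the OpenSSL-backed crypto; either invoke it against the built binary in the same `RUN` or drop the line. The `ENV OPENSSL_FIPS=1` / `ENV FIPS_MODE=true` pairs in both stages are not read by anything visible in this file; as far as I know the golang-fips toolchains decide FIPS mode at runtime from the host kernel's `/proc/sys/crypto/fips_enabled` (or `GOLANG_FIPS=1`), so a comment on the runtime stage such as `# FIPS enforcement is inherited from the host kernel; this image only ships the OpenSSL libs` would tell operators what the image does and does not guarantee. `USER 65532:65532` has no passwd entry in `ubi8/ubi`, which is presumably why `/.kube` is pre-created at the filesystem root; `ENV HOME=/workspace` before `USER` would make that assumption explicit.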
@@ -0,0 +1,60 @@
+# Use Red Hat UBI8 base image
+FROM registry.access.redhat.com/ubi8/ubi AS go
+
+ARG GO_VERSION=1.23.2
+ARG TARGETARCH
+ARG PLATFORM_ARCH=amd64
+WORKDIR /workspace
+
+# Install FIPS-compliant OpenSSL
+RUN yum install -y git openssl-devel glibc-devel tar gzip gcc make && yum clean all
+
+# Set environment variables for FIPS compliance
+ENV OPENSSL_FIPS=1
+ENV FIPS_MODE=true
+
+
+RUN curl -LO https://go.dev/dl/go${GO_VERSION}.linux-${PLATFORM_ARCH}.tar.gz && \
+ tar -C /usr/ -xzf go${GO_VERSION}.linux-${PLATFORM_ARCH}.tar.gz
+
+ENV PATH="$PATH:/usr/go/bin"
+
+ARG GO_RELEASE_VERSION=${GO_VERSION}-2
+RUN git clone \
+ https://github.com/golang-fips/go \
+ --branch go${GO_RELEASE_VERSION}-openssl-fips \
+ --single-branch \
+ --depth 1 \
+ /tmp/go
+
+RUN cd /tmp/go && \
+ chmod +x scripts/* && \
+ git config --global user.email "you@example.com" && \
+ git config --global user.name "Your Name" && \
+ scripts/full-initialize-repo.sh && \
+ pushd go/src && \
+ CGO_ENABLED=1 ./make.bash && \
+ popd && \
+ mv go /usr/local/
+
+RUN cd /usr/local/go/src && \
+ rm -rf \
+ /usr/local/go/pkg/*/cmd \
+ /usr/local/go/pkg/bootstrap \
+ /usr/local/go/pkg/obj \
+ /usr/local/go/pkg/tool/*/api \
+ /usr/local/go/pkg/tool/*/go_bootstrap \
+ /usr/local/go/src/cmd/dist/dist \
+ /usr/local/go/.git*
+
+FROM registry.access.redhat.com/ubi8/ubi
+
+RUN yum install -y openssl-devel glibc-devel tar gzip gcc make && yum clean all
+
+COPY --from=go /usr/local/go /usr/local/go
+ENV OPENSSL_FIPS=1
+ENV FIPS_MODE=true
+ENV GOPATH /go
+ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
+RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH" && go install std
+WORKDIR $GOPATH
From aa928e4c1aa5bae9fbb632905699f20596a49e96 Mon Sep 17 00:00:00 2001
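Review bot: The bootstrap toolchain is fetched with `curl -LO https://go.dev/dl/go${GO_VERSION}.linux-${PLATFORM_ARCH}.tar.gz` and unpacked with no integrity check, so the compiler that produces every FIPS binary downstream is trusted on TLS alone; verify the archive against the published checksum before `tar -xzf` (`echo "<sha256-from-go.dev>  go${GO_VERSION}.linux-${PLATFORM_ARCH}.tar.gz" | sha256sum -c -`) or fetch it with `ADD --checksum=sha256:<digest>`. `PLATFORM_ARCH` is hard-coded to `amd64` while `ARG TARGETARCH` is declared and never used, so a `linux/arm64` build downloads an amd64 bootstrap Go that cannot run on that platform; `ARG PLATFORM_ARCH=${TARGETARCH}` after the `TARGETARCH` declaration fixes both. `chmod -R 777 "$GOPATH"` in the final stage leaves the module and bin tree world-writable in every image built on top of this one; `chown` it to the intended build user instead. `ENV GOPATH /go` and `ENV PATH $GOPATH/bin:...` use the legacy space-separated form; `ENV GOPATH=/go` is the current syntax.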
From: Lukasz Zajaczkowski Date: Wed, 30 Oct 2024 10:16:11 +0100 Subject: [PATCH 02/16] improvments --- Makefile | 4 ++-- dockerfiles/agent/fips.Dockerfile | 21 ++++++++------------- dockerfiles/fips/go.Dockerfile | 18 +++++++++++------- 3 files changed, 21 insertions(+), 22 deletions(-) diff --git a/Makefile b/Makefile index 5e23c8e3..fe1aa534 100644 --- a/Makefile +++ b/Makefile @@ -131,8 +131,8 @@ docker-build-go-fips: ## build base docker go fips image -f dockerfiles/fips/go.Dockerfile \ . -.PHONY: docker-build-fips -docker-build-fips: ## build docker fips agent image +.PHONY: docker-build-agent-fips +docker-build-agent-fips: ## build docker fips agent image docker build \ -t deployment-agent-fips \ -f dockerfiles/agent/fips.Dockerfile \ diff --git a/dockerfiles/agent/fips.Dockerfile b/dockerfiles/agent/fips.Dockerfile index 52af340a..1567a960 100644 --- a/dockerfiles/agent/fips.Dockerfile +++ b/dockerfiles/agent/fips.Dockerfile @@ -1,3 +1,4 @@ +ARG UBI_MINIMAL_VERSION="latest" ARG GO_FIPS_IMAGE_TAG=latest ARG GO_FIPS_IMAGE_REPO=go-fips ARG GO_FIPS_BASE_IMAGE=$GO_FIPS_IMAGE_REPO:$GO_FIPS_IMAGE_TAG @@ -7,7 +8,6 @@ FROM ${GO_FIPS_BASE_IMAGE} AS builder # Set environment variables for FIPS compliance ENV OPENSSL_FIPS=1 ENV FIPS_MODE=true - # Set up Go environment ENV CGO_ENABLED=1 ENV CC=gcc 
@@ -27,27 +27,22 @@ COPY /cmd/agent cmd/agent COPY /pkg pkg/ COPY /api api/ COPY /internal internal/ - -RUN go install github.com/acardace/fips-detect@latest - # Build RUN GOOS=linux GOARCH=${TARGETARCH} GO111MODULE=on go build -a -o deployment-agent cmd/agent/*.go - -FROM registry.access.redhat.com/ubi8/ubi +# This the minimal UBI FIPS compliance image +FROM registry.access.redhat.com/ubi8/ubi-minimal:$UBI_MINIMAL_VERSION WORKDIR /workspace - -# Set environment variables for FIPS +# Set environment variables for FIPS compliance in the runtime ENV OPENSSL_FIPS=1 ENV FIPS_MODE=true -# Install required packages, including openssl and fips-initramfs -RUN yum install -y openssl podman && \ - yum clean all +RUN microdnf install -y openssl && \ + microdnf clean all -# Enable FIPS mode -RUN fips-mode-setup --enable RUN mkdir /.kube && chown 65532:65532 /.kube + COPY --from=builder /workspace/deployment-agent . USER 65532:65532 + ENTRYPOINT ["/workspace/deployment-agent"] \ No newline at end of file diff --git a/dockerfiles/fips/go.Dockerfile b/dockerfiles/fips/go.Dockerfile index 1be16d1a..2b2e110c 100644 --- a/dockerfiles/fips/go.Dockerfile +++ b/dockerfiles/fips/go.Dockerfile @@ -1,13 +1,16 @@ -# Use Red Hat UBI8 base image -FROM registry.access.redhat.com/ubi8/ubi AS go +# This Dockerfile builds Go FIPS with OpenSSL +ARG UBI_MINIMAL_VERSION="latest" +FROM registry.access.redhat.com/ubi8/ubi-minimal:${UBI_MINIMAL_VERSION} AS go ARG GO_VERSION=1.23.2 ARG TARGETARCH ARG PLATFORM_ARCH=amd64 + WORKDIR /workspace # Install FIPS-compliant OpenSSL -RUN yum install -y git openssl-devel glibc-devel tar gzip gcc make && yum clean all +RUN microdnf --nodocs install yum && yum --nodocs -q update -y +RUN yum install --nodocs -y git openssl-devel glibc-devel tar gzip gcc make && yum clean all # Set environment variables for FIPS compliance ENV OPENSSL_FIPS=1 
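Review bot: The new runtime base `FROM registry.access.redhat.com/ubi8/ubi-minimal:$UBI_MINIMAL_VERSION` resolves to `latest` by default (`ARG UBI_MINIMAL_VERSION="latest"` in this file's first hunk), so the image that carries the compliance label is not reproducible and its `openssl` package is whatever the registry serves on the day of the build; pin a specific UBI tag, ideally with a digest, `ARG UBI_MINIMAL_VERSION=<pinned-tag>@sha256:<digest>`. The comment `# This the minimal UBI FIPS compliance image` is missing a verb and overstates what the base provides; `# Minimal UBI runtime: ships the OpenSSL libraries, FIPS mode itself is inherited from the host kernel` is closer to what the stage does. The same default-`latest` base applies to both stages of go.Dockerfile in this commit.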
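Review bot: `RUN microdnf --nodocs install yum && yum --nodocs -q update -y` installs a second package manager into `ubi-minimal` and then applies a blanket update, which undoes the point of the minimal base and makes the toolchain image's package set differ on every rebuild; install directly with `microdnf install -y --nodocs git openssl-devel glibc-devel tar gzip gcc make && microdnf clean all` and take security updates by bumping the pinned base tag. The second stage of this file (last hunk of this commit) repeats the same pair of lines and should change the same way.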
@@ -29,8 +32,8 @@ RUN git clone \ RUN cd /tmp/go && \ chmod +x scripts/* && \ - git config --global user.email "you@example.com" && \ - git config --global user.name "Your Name" && \ + git config --global user.email "plural@plural.sh" && \ + git config --global user.name "plural" && \ scripts/full-initialize-repo.sh && \ pushd go/src && \ CGO_ENABLED=1 ./make.bash && \ @@ -47,9 +50,10 @@ RUN cd /usr/local/go/src && \ /usr/local/go/src/cmd/dist/dist \ /usr/local/go/.git* -FROM registry.access.redhat.com/ubi8/ubi +FROM registry.access.redhat.com/ubi8/ubi-minimal:${UBI_MINIMAL_VERSION} -RUN yum install -y openssl-devel glibc-devel tar gzip gcc make && yum clean all +RUN microdnf --nodocs install yum && yum --nodocs -q update -y +RUN yum install --nodocs -y openssl-devel glibc-devel tar gzip gcc make && yum clean all COPY --from=go /usr/local/go /usr/local/go ENV OPENSSL_FIPS=1 From b0a93e158fe6013b2620d454ddc74962b2487d9b Mon Sep 17 00:00:00 2001 From: Lukasz Zajaczkowski Date: Wed, 30 Oct 2024 12:51:27 +0100 Subject: [PATCH 03/16] disable flags --- dockerfiles/agent/fips.Dockerfile | 3 --- 1 file changed, 3 deletions(-) diff --git a/dockerfiles/agent/fips.Dockerfile b/dockerfiles/agent/fips.Dockerfile index 1567a960..0ddc1373 100644 --- a/dockerfiles/agent/fips.Dockerfile +++ b/dockerfiles/agent/fips.Dockerfile @@ -33,9 +33,6 @@ RUN GOOS=linux GOARCH=${TARGETARCH} GO111MODULE=on go build -a -o deployment-age # This the minimal UBI FIPS compliance image FROM registry.access.redhat.com/ubi8/ubi-minimal:$UBI_MINIMAL_VERSION WORKDIR /workspace -# Set environment variables for FIPS compliance in the runtime -ENV OPENSSL_FIPS=1 -ENV FIPS_MODE=true RUN microdnf install -y openssl && \ microdnf clean all From bf44e8df537d7a2a516eff23c85e43abafc1371a Mon Sep 17 00:00:00 2001 
From: Lukasz Zajaczkowski Date: Wed, 30 Oct 2024 13:10:12 +0100 Subject: [PATCH 04/16] add github action --- .github/workflows/publish-fips.yaml | 120 ++++++++++++++++++++++++++++ 1 file changed, 120 insertions(+) create mode 100644 .github/workflows/publish-fips.yaml diff --git a/.github/workflows/publish-fips.yaml b/.github/workflows/publish-fips.yaml new file mode 100644 index 00000000..a8ef385c --- /dev/null +++ b/.github/workflows/publish-fips.yaml 
@@ -0,0 +1,120 @@ +name: Publish agent FIPS + +on: + pull_request: + branches: + - "main" + push: + tags: + - 'v*.*.*' + +env: + GOPATH: /home/runner/go/ + GOPROXY: "https://proxy.golang.org" + +jobs: + publish-go-fips: + name: Build and push go fips container + runs-on: ubuntu-20.04 + permissions: + contents: 'read' + id-token: 'write' + packages: 'write' + outputs: + version: ${{ steps.meta.outputs.version }} + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + # list of Docker images to use as base name for tags + images: | + ghcr.io/pluralsh/go-fips + docker.io/pluralsh/go-fips + tags: | + type=semver,pattern={{version}},priority=1000 + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Login to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Login to Docker + uses: docker/login-action@v3 + with: + username: mjgpluralsh + password: ${{ secrets.DOCKER_ACCESS_TOKEN }} + - name: Build and push + uses: docker/build-push-action@v5 + with: + context: "." 
+ file: "./dockerfiles/fips/go.Dockerfile" + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + platforms: linux/amd64,linux/arm64 + cache-from: type=gha + cache-to: type=gha,mode=max + build-args: | + VERSION=${{ steps.meta.outputs.version }} + + publish-agent-fips: + name: Build and push agent FIPS container + runs-on: ubuntu-20.04 + permissions: + contents: 'read' + id-token: 'write' + packages: 'write' + outputs: + version: ${{ steps.meta.outputs.version }} + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: | + ghcr.io/pluralsh/deployment-operator + docker.io/pluralsh/deployment-operator + tags: | + type=semver,pattern={{version}},suffix=-fips + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Login to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Login to Docker + uses: docker/login-action@v3 + with: + username: mjgpluralsh + password: ${{ secrets.DOCKER_ACCESS_TOKEN }} + - name: Build and push + uses: docker/build-push-action@v5 + with: + context: "." + file: "./dockerfiles/agent/fips.Dockerfile" + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + platforms: linux/amd64,linux/arm64 + cache-from: type=gha + cache-to: type=gha,mode=max + build-args: | + VERSION=${{ steps.meta.outputs.version }} + From b2d8ce5bd9cfb3a0bc81381ea1d96e5a5f8fc0f5 Mon Sep 17 00:00:00 2001 From: Lukasz Zajaczkowski Date: Wed, 30 Oct 2024 13:17:59 +0100 Subject: [PATCH 05/16] fix github action --- .github/workflows/publish-fips.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
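Review bot: Both jobs request `id-token: 'write'` but no step uses OIDC (both registry logins use stored secrets), so that permission should be dropped to keep the job token's scope minimal. Every action is pinned only by a mutable major tag (`actions/checkout@v4`, `docker/login-action@v3`, `docker/build-push-action@v5`), which for a workflow that publishes images advertised as FIPS builds means a moved tag upstream changes the publish path without any diff here; pin each `uses:` to a full commit SHA with the tag in a trailing comment. `runs-on: ubuntu-20.04` is a runner image on GitHub's deprecation track as far as I know; `ubuntu-22.04` avoids the job stopping later for an unrelated reason.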
diff --git a/.github/workflows/publish-fips.yaml b/.github/workflows/publish-fips.yaml index a8ef385c..fcfe0ef3 100644 --- a/.github/workflows/publish-fips.yaml +++ b/.github/workflows/publish-fips.yaml @@ -37,6 +37,8 @@ jobs: docker.io/pluralsh/go-fips tags: | type=semver,pattern={{version}},priority=1000 + type=sha,priority=800 + type=ref,event=pr,priority=600 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx @@ -88,7 +90,9 @@ jobs: ghcr.io/pluralsh/deployment-operator docker.io/pluralsh/deployment-operator tags: | - type=semver,pattern={{version}},suffix=-fips + type=semver,pattern={{version}},suffix=-fips,priority=1000 + type=sha,suffix=-fips,priority=800 + type=ref,event=pr,suffix=-fips,priority=600 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx From 63b1835fb4cd9a42276e29ca8c34cc3d25127b62 Mon Sep 17 00:00:00 2001 From: Lukasz Zajaczkowski Date: Wed, 30 Oct 2024 13:50:17 +0100 Subject: [PATCH 06/16] improve github action --- .github/workflows/publish-fips.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish-fips.yaml b/.github/workflows/publish-fips.yaml index fcfe0ef3..5171ba8c 100644 --- a/.github/workflows/publish-fips.yaml +++ b/.github/workflows/publish-fips.yaml @@ -66,7 +66,7 @@ jobs: cache-from: type=gha cache-to: type=gha,mode=max build-args: | - VERSION=${{ steps.meta.outputs.version }} + GO_VERSION=1.23.2 publish-agent-fips: name: Build and push agent FIPS container @@ -120,5 +120,6 @@ jobs: cache-from: type=gha cache-to: type=gha,mode=max build-args: | - VERSION=${{ steps.meta.outputs.version }} + GO_FIPS_IMAGE_REPO=ghcr.io/pluralsh/go-fips + GO_FIPS_IMAGE_TAG=${{ needs.publish-go-fips.outputs.version }} From e2b9c8d4b7c4fcc70b9ed0c550fc9de4d376e162 Mon Sep 17 00:00:00 2001 
From: Lukasz Zajaczkowski Date: Wed, 30 Oct 2024 13:53:59 +0100 Subject: [PATCH 07/16] fix github action --- .github/workflows/publish-fips.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/publish-fips.yaml b/.github/workflows/publish-fips.yaml index 5171ba8c..250eae6a 100644 --- a/.github/workflows/publish-fips.yaml +++ b/.github/workflows/publish-fips.yaml @@ -71,6 +71,7 @@ jobs: publish-agent-fips: name: Build and push agent FIPS container runs-on: ubuntu-20.04 + needs: [publish-go-fips] permissions: contents: 'read' id-token: 'write' From e17bb6953555118796b6be5ac9d4d915f87b4308 Mon Sep 17 00:00:00 2001 From: Lukasz Zajaczkowski Date: Wed, 30 Oct 2024 14:15:53 +0100 Subject: [PATCH 08/16] go-fips static version --- .github/workflows/publish-fips.yaml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/publish-fips.yaml b/.github/workflows/publish-fips.yaml index 250eae6a..e6e8585f 100644 --- a/.github/workflows/publish-fips.yaml +++ b/.github/workflows/publish-fips.yaml @@ -35,10 +35,6 @@ jobs: images: | ghcr.io/pluralsh/go-fips docker.io/pluralsh/go-fips - tags: | - type=semver,pattern={{version}},priority=1000 - type=sha,priority=800 - type=ref,event=pr,priority=600 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx @@ -60,7 +56,7 @@ jobs: context: "." file: "./dockerfiles/fips/go.Dockerfile" push: true - tags: ${{ steps.meta.outputs.tags }} + tags: 1.23.2 labels: ${{ steps.meta.outputs.labels }} platforms: linux/amd64,linux/arm64 cache-from: type=gha @@ -122,5 +118,5 @@ jobs: cache-to: type=gha,mode=max build-args: | GO_FIPS_IMAGE_REPO=ghcr.io/pluralsh/go-fips - GO_FIPS_IMAGE_TAG=${{ needs.publish-go-fips.outputs.version }} + GO_FIPS_IMAGE_TAG=1.23.2 From 873c7fa6b4b144e99f074cc49a1c5f5e8b3f3f55 Mon Sep 17 00:00:00 2001 
From: Lukasz Zajaczkowski Date: Wed, 30 Oct 2024 15:11:42 +0100 Subject: [PATCH 09/16] fix static version --- .github/workflows/publish-fips.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish-fips.yaml b/.github/workflows/publish-fips.yaml index e6e8585f..a3cdd3df 100644 --- a/.github/workflows/publish-fips.yaml +++ b/.github/workflows/publish-fips.yaml @@ -35,6 +35,8 @@ jobs: images: | ghcr.io/pluralsh/go-fips docker.io/pluralsh/go-fips + tags: | + type=raw,value=1.23.2 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx @@ -56,7 +58,7 @@ jobs: context: "." file: "./dockerfiles/fips/go.Dockerfile" push: true - tags: 1.23.2 + tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} platforms: linux/amd64,linux/arm64 cache-from: type=gha From 4e5a0e82662a316739a461ec7082af232fa33a4a Mon Sep 17 00:00:00 2001 From: Lukasz Zajaczkowski Date: Wed, 30 Oct 2024 16:03:04 +0100 Subject: [PATCH 10/16] on push tag --- .github/workflows/publish-fips.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/publish-fips.yaml b/.github/workflows/publish-fips.yaml index a3cdd3df..2bb3d013 100644 --- a/.github/workflows/publish-fips.yaml +++ b/.github/workflows/publish-fips.yaml @@ -1,9 +1,6 @@ name: Publish agent FIPS on: - pull_request: - branches: - - "main" push: tags: - 'v*.*.*' From 8dcffe2597401ff13c882da04145bf23b81887e9 Mon Sep 17 00:00:00 2001 From: Lukasz Zajaczkowski Date: Thu, 31 Oct 2024 10:07:47 +0100 Subject: [PATCH 11/16] move go-fips to another repo --- .github/workflows/publish-fips.yaml | 56 ------------------------- Makefile | 7 ---- dockerfiles/agent/fips.Dockerfile | 2 +- dockerfiles/fips/go.Dockerfile | 64 ----------------------------- 4 files changed, 1 insertion(+), 128 deletions(-) delete mode 100644 dockerfiles/fips/go.Dockerfile 
diff --git a/.github/workflows/publish-fips.yaml b/.github/workflows/publish-fips.yaml index 2bb3d013..f927cfe3 100644 --- a/.github/workflows/publish-fips.yaml +++ b/.github/workflows/publish-fips.yaml @@ -10,63 +10,9 @@ env: GOPROXY: "https://proxy.golang.org" jobs: - publish-go-fips: - name: Build and push go fips container - runs-on: ubuntu-20.04 - permissions: - contents: 'read' - id-token: 'write' - packages: 'write' - outputs: - version: ${{ steps.meta.outputs.version }} - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - # list of Docker images to use as base name for tags - images: | - ghcr.io/pluralsh/go-fips - docker.io/pluralsh/go-fips - tags: | - type=raw,value=1.23.2 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Login to GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Login to Docker - uses: docker/login-action@v3 - with: - username: mjgpluralsh - password: ${{ secrets.DOCKER_ACCESS_TOKEN }} - - name: Build and push - uses: docker/build-push-action@v5 - with: - context: "." - file: "./dockerfiles/fips/go.Dockerfile" - push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - platforms: linux/amd64,linux/arm64 - cache-from: type=gha - cache-to: type=gha,mode=max - build-args: | - GO_VERSION=1.23.2 - publish-agent-fips: name: Build and push agent FIPS container runs-on: ubuntu-20.04 - needs: [publish-go-fips] permissions: contents: 'read' id-token: 'write' 
@@ -87,8 +33,6 @@ jobs: docker.io/pluralsh/deployment-operator tags: | type=semver,pattern={{version}},suffix=-fips,priority=1000 - type=sha,suffix=-fips,priority=800 - type=ref,event=pr,suffix=-fips,priority=600 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx diff --git a/Makefile b/Makefile index fe1aa534..ed4360bb 100644 --- a/Makefile +++ b/Makefile @@ -124,13 +124,6 @@ docker-run-harness: docker-build-harness-terraform docker-build-harness-ansible --console-token=${PLURAL_DEPLOY_TOKEN} \ --stack-run-id=${PLURAL_STACK_RUN_ID} -.PHONY: docker-build-go-fips -docker-build-go-fips: ## build base docker go fips image - docker build \ - -t go-fips \ - -f dockerfiles/fips/go.Dockerfile \ - . - .PHONY: docker-build-agent-fips docker-build-agent-fips: ## build docker fips agent image docker build \ diff --git a/dockerfiles/agent/fips.Dockerfile b/dockerfiles/agent/fips.Dockerfile index 0ddc1373..27ab2709 100644 --- a/dockerfiles/agent/fips.Dockerfile +++ b/dockerfiles/agent/fips.Dockerfile @@ -1,6 +1,6 @@ ARG UBI_MINIMAL_VERSION="latest" ARG GO_FIPS_IMAGE_TAG=latest -ARG GO_FIPS_IMAGE_REPO=go-fips +ARG GO_FIPS_IMAGE_REPO=ghcr.io/pluralsh/go-fips ARG GO_FIPS_BASE_IMAGE=$GO_FIPS_IMAGE_REPO:$GO_FIPS_IMAGE_TAG FROM ${GO_FIPS_BASE_IMAGE} AS builder diff --git a/dockerfiles/fips/go.Dockerfile b/dockerfiles/fips/go.Dockerfile deleted file mode 100644 index 2b2e110c..00000000 --- a/dockerfiles/fips/go.Dockerfile +++ /dev/null 
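Review bot: The builder base now comes from an external registry, `ARG GO_FIPS_IMAGE_REPO=ghcr.io/pluralsh/go-fips`, while `ARG GO_FIPS_IMAGE_TAG=latest` stays the default, so the toolchain that implements the OpenSSL-backed crypto is resolved by a mutable tag at build time. Since the base is assembled as `$GO_FIPS_IMAGE_REPO:$GO_FIPS_IMAGE_TAG`, a digest can be pinned without changing the file's structure, `ARG GO_FIPS_IMAGE_TAG=<tag>@sha256:<digest>`, together with a comment on how the digest is refreshed. Pinning the tag to `1.23.2`, as a later patch in this series does, fixes the version but still leaves the image content mutable.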
@@ -1,64 +0,0 @@ -# This Dockerfile builds Go FIPS with OpenSSL - -ARG UBI_MINIMAL_VERSION="latest" -FROM registry.access.redhat.com/ubi8/ubi-minimal:${UBI_MINIMAL_VERSION} AS go -ARG GO_VERSION=1.23.2 -ARG TARGETARCH -ARG PLATFORM_ARCH=amd64 - -WORKDIR /workspace - -# Install FIPS-compliant OpenSSL -RUN microdnf --nodocs install yum && yum --nodocs -q update -y -RUN yum install --nodocs -y git openssl-devel glibc-devel tar gzip gcc make && yum clean all - -# Set environment variables for FIPS compliance -ENV OPENSSL_FIPS=1 -ENV FIPS_MODE=true - - -RUN curl -LO https://go.dev/dl/go${GO_VERSION}.linux-${PLATFORM_ARCH}.tar.gz && \ - tar -C /usr/ -xzf go${GO_VERSION}.linux-${PLATFORM_ARCH}.tar.gz - -ENV PATH="$PATH:/usr/go/bin" - -ARG GO_RELEASE_VERSION=${GO_VERSION}-2 -RUN git clone \ - https://github.com/golang-fips/go \ - --branch go${GO_RELEASE_VERSION}-openssl-fips \ - --single-branch \ - --depth 1 \ - /tmp/go - -RUN cd /tmp/go && \ - chmod +x scripts/* && \ - git config --global user.email "plural@plural.sh" && \ - git config --global user.name "plural" && \ - scripts/full-initialize-repo.sh && \ - pushd go/src && \ - CGO_ENABLED=1 ./make.bash && \ - popd && \ - mv go /usr/local/ - -RUN cd /usr/local/go/src && \ - rm -rf \ - /usr/local/go/pkg/*/cmd \ - /usr/local/go/pkg/bootstrap \ - /usr/local/go/pkg/obj \ - /usr/local/go/pkg/tool/*/api \ - /usr/local/go/pkg/tool/*/go_bootstrap \ - /usr/local/go/src/cmd/dist/dist \ - /usr/local/go/.git* - -FROM registry.access.redhat.com/ubi8/ubi-minimal:${UBI_MINIMAL_VERSION} - -RUN microdnf --nodocs install yum && yum --nodocs -q update -y -RUN yum install --nodocs -y openssl-devel glibc-devel tar gzip gcc make && yum clean all - -COPY --from=go /usr/local/go /usr/local/go -ENV OPENSSL_FIPS=1 -ENV FIPS_MODE=true -ENV GOPATH /go -ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH -RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH" && go install std -WORKDIR $GOPATH 
From 647005181984ebd3a04f23bf855a5c00b9780ccb Mon Sep 17 00:00:00 2001 From: Lukasz Zajaczkowski Date: Thu, 31 Oct 2024 14:03:17 +0100 Subject: [PATCH 12/16] add fips ansible --- Makefile | 18 +++++++ dockerfiles/agent/fips.Dockerfile | 2 +- dockerfiles/harness/fips.ansible.Dockerfile | 49 ++++++++++++++++++ dockerfiles/harness/fips.base.Dockerfile | 55 +++++++++++++++++++++ 4 files changed, 123 insertions(+), 1 deletion(-) create mode 100644 dockerfiles/harness/fips.ansible.Dockerfile create mode 100644 dockerfiles/harness/fips.base.Dockerfile diff --git a/Makefile b/Makefile index ed4360bb..fb3f7917 100644 --- a/Makefile +++ b/Makefile @@ -91,6 +91,24 @@ docker-build: ## build image docker-push: ## push image docker push ${IMG} +.PHONY: docker-build-harness-base-fips +docker-build-harness-base-fips: ## build fips base docker harness image + docker build \ + --no-cache \ + --build-arg=VERSION="0.0.0-dev" \ + -t harness-base-fips \ + -f dockerfiles/harness/fips.base.Dockerfile \ + . + +.PHONY: docker-build-harness-ansible-fips +docker-build-harness-ansible-fips: docker-build-harness-base-fips ## build fips ansible docker harness image + docker build \ + --no-cache \ + --build-arg=HARNESS_IMAGE_TAG="latest" \ + -t harness-fips \ + -f dockerfiles/harness/fips.ansible.Dockerfile \ + . + .PHONY: docker-build-harness-base docker-build-harness-base: ## build base docker harness image docker build \ diff --git a/dockerfiles/agent/fips.Dockerfile b/dockerfiles/agent/fips.Dockerfile index 27ab2709..81c244c4 100644 --- a/dockerfiles/agent/fips.Dockerfile +++ b/dockerfiles/agent/fips.Dockerfile @@ -1,5 +1,5 @@ ARG UBI_MINIMAL_VERSION="latest" -ARG GO_FIPS_IMAGE_TAG=latest +ARG GO_FIPS_IMAGE_TAG=1.23.2 ARG GO_FIPS_IMAGE_REPO=ghcr.io/pluralsh/go-fips ARG GO_FIPS_BASE_IMAGE=$GO_FIPS_IMAGE_REPO:$GO_FIPS_IMAGE_TAG diff --git a/dockerfiles/harness/fips.ansible.Dockerfile b/dockerfiles/harness/fips.ansible.Dockerfile new file mode 100644 index 00000000..769d85ce --- /dev/null 
+++ b/dockerfiles/harness/fips.ansible.Dockerfile
@@ -0,0 +1,49 @@
+ARG HARNESS_BASE_IMAGE_TAG=latest
+ARG HARNESS_BASE_IMAGE_REPO=harness-base-fips
+ARG HARNESS_BASE_IMAGE=$HARNESS_BASE_IMAGE_REPO:$HARNESS_BASE_IMAGE_TAG
+ARG PYTHON_VERSION=3.12
+
+
+# Use harness base image
+FROM ${HARNESS_BASE_IMAGE} as harness
+
+FROM deployment-agent-fips:latest as agent
+
+# Build Ansible from Python Image
+FROM registry.access.redhat.com/ubi8/ubi:latest as final
+
+# Set environment variables for FIPS compliance
+ENV OPENSSL_FIPS=1
+ENV FIPS_MODE=true
+
+# Copy Harness bin from the Harness Image
+COPY --from=harness /harness /usr/local/bin/harness
+# Change ownership of the harness binary to UID/GID 65532
+RUN chown -R 65532:65532 /usr/local/bin/harness
+
+# Install build dependencies, Ansible, and openssh-client
+ARG ANSIBLE_VERSION=9.0.0
+ARG PYTHON_VERSION=3.12
+
+# Install dependencies for building Python
+RUN INSTALL_PKGS="python${PYTHON_VERSION} python${PYTHON_VERSION}-devel python${PYTHON_VERSION}-setuptools python${PYTHON_VERSION}-pip nss_wrapper \
+ httpd httpd-devel mod_ssl mod_auth_gssapi mod_ldap \
+ mod_session atlas-devel gcc-gfortran libffi-devel libtool-ltdl \
+ enchant krb5-devel gcc openssl make" && \
+ yum -y module enable httpd:2.4 && \
+ yum -y --setopt=tsflags=nodocs install $INSTALL_PKGS && \
+ rpm -V $INSTALL_PKGS && \
+ # Remove redhat-logos-httpd (httpd dependency) to keep image size smaller.
+ rpm -e --nodeps redhat-logos-httpd && \
+ yum -y clean all --enablerepo='*'
+
+# Install Ansible via Pip.
+RUN pip3 install --upgrade pip \
+ && pip3 install setuptools-rust
+RUN pip3 install --no-cache-dir ansible==${ANSIBLE_VERSION}
+
+# Switch to the non-root user
+USER 65532:65532
+WORKDIR /plural
+
+ENTRYPOINT ["harness", "--working-dir=/plural"]
diff --git a/dockerfiles/harness/fips.base.Dockerfile b/dockerfiles/harness/fips.base.Dockerfile
new file mode 100644
index 00000000..28e9b3c5
--- /dev/null
+++ b/dockerfiles/harness/fips.base.Dockerfile
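Review bot: `FROM deployment-agent-fips:latest as agent` declares a stage that nothing references (`--from=agent` never appears), yet it makes the build depend on a locally tagged image that does not exist in a clean CI checkout, so the build fails anywhere but a developer machine; delete the line. The package list installed into `final` (`httpd httpd-devel mod_ssl mod_auth_gssapi mod_ldap mod_session atlas-devel gcc-gfortran ...`) together with `yum -y module enable httpd:2.4` looks inherited from an S2I Python builder image and ships a web server, Kerberos/LDAP modules and compilers inside an Ansible runner, which only widens its attack surface and CVE exposure; trim it to `python${PYTHON_VERSION}`, its `-pip`, `openssl` and what `ansible==${ANSIBLE_VERSION}` actually needs at runtime. `RUN chown -R 65532:65532 /usr/local/bin/harness` after the `COPY` duplicates the binary in a second layer; `COPY --from=harness --chown=65532:65532 /harness /usr/local/bin/harness` does it in one. `pip3 install --upgrade pip` and `pip3 install setuptools-rust` are unpinned and so not reproducible; pin them the way the `ansible==${ANSIBLE_VERSION}` line already does. `ARG PYTHON_VERSION=3.12` is declared twice, before the first `FROM` and again in `final`; only the in-stage one is used, so the first can go.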
@@ -0,0 +1,55 @@
+ARG GO_FIPS_IMAGE_TAG=1.23.2
+ARG GO_FIPS_IMAGE_REPO=ghcr.io/pluralsh/go-fips
+ARG GO_FIPS_BASE_IMAGE=$GO_FIPS_IMAGE_REPO:$GO_FIPS_IMAGE_TAG
+
+FROM $GO_FIPS_BASE_IMAGE AS builder
+
+# Set environment variables for FIPS compliance
+ENV OPENSSL_FIPS=1
+ENV FIPS_MODE=true
+# Set up Go environment
+ENV CGO_ENABLED=1
+ENV CC=gcc
+
+ARG TARGETARCH
+ARG TARGETOS
+ARG VERSION
+
+
+
+WORKDIR /workspace
+
+# Retrieve application dependencies.
+# This allows the container build to reuse cached dependencies.
+# Expecting to copy go.mod and if present go.sum.
+COPY go.mod go.mod
+COPY go.sum go.sum
+RUN go mod download
+
+COPY cmd/harness ./cmd/harness
+COPY pkg ./pkg
+COPY internal ./internal
+COPY api ./api
+
+
+RUN CGO_ENABLED=1 CC=gcc GOOS=linux GOARCH=${TARGETARCH} GO111MODULE=on go build -a \
+ -ldflags="-s -w -X github.com/pluralsh/deployment-operator/pkg/harness/environment.Version=${VERSION}" \
+ -o harness \
+ cmd/harness/*.go
+
+FROM registry.access.redhat.com/ubi8/ubi-minimal:latest AS final
+
+RUN microdnf install -y git openssl && \
+ microdnf clean all
+
+# Switch to the nonroot user
+USER 65532:65532
+
+# Set up the environment
+# 3. copy the harness binary
+# 4. copy the terraform binary
+COPY --from=builder /workspace/harness /harness
+
+WORKDIR /plural
+
+ENTRYPOINT ["/harness", "--working-dir=/plural"]
From 3233324ea01112121b2d7ea358fc8aef11a188b0 Mon Sep 17 00:00:00 2001
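Review bot: The comment block `# Set up the environment` / `# 3. copy the harness binary` / `# 4. copy the terraform binary` above `COPY --from=builder /workspace/harness /harness` describes steps this file does not contain (there is no step 1–2 and no terraform copy) and will mislead the next reader; replace it with `# Copy the harness binary produced by the builder stage`. `FROM registry.access.redhat.com/ubi8/ubi-minimal:latest AS final` is a mutable tag on the image that ships the OpenSSL libraries; pin a tag/digest, ideally through the same `UBI_MINIMAL_VERSION` argument the agent Dockerfile already exposes. `WORKDIR /plural` is created by the build after `USER 65532:65532`, and the `--working-dir=/plural` entrypoint flag suggests the harness writes there at runtime — confirm the directory ends up writable for uid 65532, otherwise create it with the right owner before the `USER` switch. `CGO_ENABLED=1 CC=gcc` on the `go build` line repeats the `ENV` values set earlier in the same stage; one or the other is enough. `ARG TARGETOS` is declared but `GOOS=linux` is hard-coded, so either use `${TARGETOS}` or drop the argument.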
From: Marcin Maciaszczyk Date: Thu, 31 Oct 2024 14:59:19 +0100 Subject: [PATCH 13/16] workflow for harness fips --- .github/workflows/publish-harness-fips.yaml | 152 ++++++++++++++++++ Makefile | 4 +- ...ble.Dockerfile => ansible.fips.Dockerfile} | 0 ...s.base.Dockerfile => base.fips.Dockerfile} | 0 4 files changed, 154 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/publish-harness-fips.yaml rename dockerfiles/harness/{fips.ansible.Dockerfile => ansible.fips.Dockerfile} (100%) rename dockerfiles/harness/{fips.base.Dockerfile => base.fips.Dockerfile} (100%) diff --git a/.github/workflows/publish-harness-fips.yaml b/.github/workflows/publish-harness-fips.yaml new file mode 100644 index 00000000..cda86ccb --- /dev/null +++ b/.github/workflows/publish-harness-fips.yaml 
@@ -0,0 +1,152 @@
+name: Publish Harness FIPS
+on:
+ pull_request:
+ branches:
+ - "main"
+ push:
+ tags:
+ - 'v*.*.*'
+env:
+ GOPATH: /home/runner/go/
+ GOPROXY: "https://proxy.golang.org"
+jobs:
+
+ publish-harness-base:
+ name: Build and push harness base FIPS container
+ runs-on: ubuntu-20.04
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+ packages: 'write'
+ outputs:
+ version: ${{ steps.meta.outputs.version }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ # list of Docker images to use as base name for tags
+ images: |
+ ghcr.io/pluralsh/stackrun-harness-base
+ docker.io/pluralsh/stackrun-harness-base
+ tags: |
+ type=semver,pattern={{version}},suffix=-fips,priority=1000
+ type=sha,suffix=-fips,priority=800
+ type=ref,event=pr,suffix=-fips,priority=600
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Login to GHCR
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Login to Docker
+ uses: docker/login-action@v3
+ with:
+ username: mjgpluralsh
+ password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
+ - name: Build and push
+ uses: docker/build-push-action@v5
+ with:
+ context: "."
+ file: "./dockerfiles/harness/base.fips.Dockerfile"
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ platforms: linux/amd64,linux/arm64
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ build-args: |
+ VERSION=${{ steps.meta.outputs.version }}
+ GO_FIPS_IMAGE_REPO=ghcr.io/pluralsh/go-fips
+ GO_FIPS_IMAGE_TAG=1.23.2
+
+ publish-harness-ansible:
+ name: Build and push harness ansible FIPS container
+ runs-on: ubuntu-20.04
+ needs: [publish-harness-base]
+ strategy:
+ matrix:
+ versions:
+ - ansible: '4.10.0'
+ python: '3.9'
+ tag: '4.10'
+ - ansible: '5.7.0'
+ python: '3.10'
+ tag: '5.7'
+ - ansible: '6.7.0'
+ python: '3.10'
+ tag: '6.7'
+ - ansible: '7.7.0'
+ python: '3.11'
+ tag: '7.7'
+ - ansible: '8.7.0'
+ python: '3.11'
+ tag: '8.7'
+ - ansible: '9.0.0'
+ python: '3.12'
+ tag: '9.0'
+ - ansible: '10.0.0'
+ python: '3.12'
+ tag: '10.0'
+ permissions:
+ contents: write
+ discussions: write
+ pull-requests: write
+ packages: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: |
+ ghcr.io/pluralsh/harness
+ docker.io/pluralsh/harness
+ tags: |
+ type=semver,pattern={{version}},suffix=-ansible-${{ matrix.versions.tag }}-fips,priority=1000
+ type=sha,suffix=-ansible-${{ matrix.versions.tag }}-fips,priority=800
+ type=ref,event=pr,suffix=-ansible-${{ matrix.versions.tag }}-fips,priority=600
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Login to GHCR
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Login to Docker
+ uses: docker/login-action@v3
+ with:
+ username: mjgpluralsh
+ password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
+ - name: Build and push
+ uses: docker/build-push-action@v5
+ with:
+ context: "."
+ file: "./dockerfiles/harness/ansible.fips.Dockerfile"
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ platforms: linux/amd64,linux/arm64
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ build-args: |
+ ANSIBLE_VERSION=${{ matrix.versions.ansible }}
+ PYTHON_VERSION=${{ matrix.versions.python }}
+ HARNESS_BASE_IMAGE_REPO=ghcr.io/pluralsh/stackrun-harness-base
+ HARNESS_BASE_IMAGE_TAG=${{ needs.publish-harness-base.outputs.version }}-fips
+ GO_FIPS_IMAGE_REPO=ghcr.io/pluralsh/go-fips
+ GO_FIPS_IMAGE_TAG=1.23.2
diff --git a/Makefile b/Makefile
index fb3f7917..0121b4cf 100644
--- a/Makefile
+++ b/Makefile
@@ -97,7 +97,7 @@ docker-build-harness-base-fips: ## build fips base docker harness image
 --no-cache \
 --build-arg=VERSION="0.0.0-dev" \
 -t harness-base-fips \
- -f dockerfiles/harness/fips.base.Dockerfile \
+ -f dockerfiles/harness/base.fips.Dockerfile \
 .
 .PHONY: docker-build-harness-ansible-fips
@@ -106,7 +106,7 @@ docker-build-harness-ansible-fips: docker-build-harness-base-fips ## build fips
 --no-cache \
 --build-arg=HARNESS_IMAGE_TAG="latest" \
 -t harness-fips \
- -f dockerfiles/harness/fips.ansible.Dockerfile \
+ -f dockerfiles/harness/ansible.fips.Dockerfile \
 .
 .PHONY: docker-build-harness-base
diff --git a/dockerfiles/harness/fips.ansible.Dockerfile b/dockerfiles/harness/ansible.fips.Dockerfile
similarity index 100%
rename from dockerfiles/harness/fips.ansible.Dockerfile
rename to dockerfiles/harness/ansible.fips.Dockerfile
diff --git a/dockerfiles/harness/fips.base.Dockerfile b/dockerfiles/harness/base.fips.Dockerfile
similarity index 100%
rename from dockerfiles/harness/fips.base.Dockerfile
rename to dockerfiles/harness/base.fips.Dockerfile
From 8d2d8574fb1a74116b07eeabb1d996b67cc8818c Mon Sep 17 00:00:00 2001
From: Lukasz Zajaczkowski
Date: Thu, 31 Oct 2024 15:39:20 +0100
Subject: [PATCH 14/16] fix ansible
---
 dockerfiles/harness/ansible.fips.Dockerfile | 2 --
 1 file changed, 2 deletions(-)
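Review bot: The `publish-harness-ansible` job requests `contents: write`, `discussions: write` and `pull-requests: write`, none of which its steps (checkout, metadata, QEMU/buildx setup, two registry logins, build-push) use; under least privilege this should be `permissions:` with `contents: read` and `packages: write` only, matching the base job. The base job's `id-token: write` is likewise unused—no OIDC login or image-signing step follows—so either drop it or add the signing it implies. Both jobs run with `push: true` under the `pull_request` trigger, which publishes PR-numbered `-fips` tags to ghcr.io and docker.io for every PR opened from a branch in the repo; unless that is intended, gate it with `push: ${{ github.event_name != 'pull_request' }}`. The Docker Hub login uses a hard-coded personal username `mjgpluralsh` rather than a service account, and every action is referenced by a floating major tag (`actions/checkout@v4`, `docker/build-push-action@v5`) instead of a commit SHA, which is the usual supply-chain hardening expected of a pipeline that publishes FIPS artifacts.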
diff --git a/dockerfiles/harness/ansible.fips.Dockerfile b/dockerfiles/harness/ansible.fips.Dockerfile
index 769d85ce..77a525a9 100644
--- a/dockerfiles/harness/ansible.fips.Dockerfile
+++ b/dockerfiles/harness/ansible.fips.Dockerfile
@@ -7,8 +7,6 @@ ARG PYTHON_VERSION=3.12
 # Use harness base image
 FROM ${HARNESS_BASE_IMAGE} as harness
-FROM deployment-agent-fips:latest as agent
-
 # Build Ansible from Python Image
 FROM registry.access.redhat.com/ubi8/ubi:latest as final
From 3ebff7c7e7527bdff5e40ba561c4533a36536b46 Mon Sep 17 00:00:00 2001
From: Lukasz Zajaczkowski
Date: Thu, 31 Oct 2024 16:32:27 +0100
Subject: [PATCH 15/16] fix tag
---
 .github/workflows/publish-harness-fips.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/publish-harness-fips.yaml b/.github/workflows/publish-harness-fips.yaml
index cda86ccb..726b6f0f 100644
--- a/.github/workflows/publish-harness-fips.yaml
+++ b/.github/workflows/publish-harness-fips.yaml
@@ -147,6 +147,6 @@ jobs:
 ANSIBLE_VERSION=${{ matrix.versions.ansible }}
 PYTHON_VERSION=${{ matrix.versions.python }}
 HARNESS_BASE_IMAGE_REPO=ghcr.io/pluralsh/stackrun-harness-base
- HARNESS_BASE_IMAGE_TAG=${{ needs.publish-harness-base.outputs.version }}-fips
+ HARNESS_BASE_IMAGE_TAG=${{ needs.publish-harness-base.outputs.version }}
 GO_FIPS_IMAGE_REPO=ghcr.io/pluralsh/go-fips
 GO_FIPS_IMAGE_TAG=1.23.2
From b1029fc8f1069517a323e6d3d314576ca14c6126 Mon Sep 17 00:00:00 2001
From: Lukasz Zajaczkowski
Date: Thu, 31 Oct 2024 17:02:18 +0100
Subject: [PATCH 16/16] add supported versions
---
 .github/workflows/publish-harness-fips.yaml | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/.github/workflows/publish-harness-fips.yaml b/.github/workflows/publish-harness-fips.yaml
index 726b6f0f..2e8f3629 100644
--- a/.github/workflows/publish-harness-fips.yaml
+++ b/.github/workflows/publish-harness-fips.yaml
@@ -75,15 +75,6 @@ jobs:
 strategy:
 matrix:
 versions:
- - ansible: '4.10.0'
- python: '3.9'
- tag: '4.10'
- - ansible: '5.7.0'
- python: '3.10'
- tag: '5.7'
- - ansible: '6.7.0'
- python: '3.10'
- tag: '6.7'
 - ansible: '7.7.0'
 python: '3.11'
 tag: '7.7'