feat: create fips binary for deployment operator #308

Merged
merged 18 commits into from
Nov 6, 2024
Merged
65 changes: 65 additions & 0 deletions .github/workflows/publish-fips.yaml
@@ -0,0 +1,65 @@
name: Publish agent FIPS

on:
push:
tags:
- 'v*.*.*'

env:
GOPATH: /home/runner/go/
GOPROXY: "https://proxy.golang.org"

jobs:
publish-agent-fips:
name: Build and push agent FIPS container
runs-on: ubuntu-20.04
permissions:
contents: 'read'
id-token: 'write'
packages: 'write'
outputs:
version: ${{ steps.meta.outputs.version }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
ghcr.io/pluralsh/deployment-operator
docker.io/pluralsh/deployment-operator
tags: |
type=semver,pattern={{version}},suffix=-fips,priority=1000
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to Docker
uses: docker/login-action@v3
with:
username: mjgpluralsh
password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v5
with:
context: "."
file: "./dockerfiles/agent/fips.Dockerfile"
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64,linux/arm64
cache-from: type=gha
cache-to: type=gha,mode=max
build-args: |
GO_FIPS_IMAGE_REPO=ghcr.io/pluralsh/go-fips
GO_FIPS_IMAGE_TAG=1.23.2
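Review bot: `id-token: 'write'` is granted but no step in this job uses OIDC (there is no cosign/keyless signing step and no cloud credential exchange), so under least privilege it should be dropped until a signing step actually needs it; the job otherwise only needs `contents: read` and `packages: write`. Three smaller points in the same hunk: the Docker Hub login hardcodes a personal username (`username: mjgpluralsh`) next to `DOCKER_ACCESS_TOKEN`, which ties the release pipeline to one person's account, where a service-account `${{ secrets.DOCKER_USERNAME }}` is easier to rotate; the builder image is selected by the mutable tag `GO_FIPS_IMAGE_TAG=1.23.2` and the actions are pinned only by major version (`@v4`, `@v5`), so for a FIPS artifact whose provenance matters, pinning the builder image by digest and the actions by commit SHA makes the build reproducible and tamper-evident; and `runs-on: ubuntu-20.04` is on GitHub's deprecation path, so `ubuntu-22.04` or later avoids a near-term breakage of the release job.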

7 changes: 7 additions & 0 deletions Makefile
@@ -124,6 +124,13 @@ docker-run-harness: docker-build-harness-terraform docker-build-harness-ansible
--console-token=${PLURAL_DEPLOY_TOKEN} \
--stack-run-id=${PLURAL_STACK_RUN_ID}

.PHONY: docker-build-agent-fips
docker-build-agent-fips: ## build docker fips agent image
docker build \
-t deployment-agent-fips \
-f dockerfiles/agent/fips.Dockerfile \
.

velero-crds:
@curl -L $(VELERO_CHART_URL) --output velero.tgz
@tar zxvf velero.tgz velero/crds
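Review bot: `docker-build-agent-fips` passes no `--build-arg`, so a local build falls back to the Dockerfile defaults (`GO_FIPS_IMAGE_TAG=latest`, `UBI_MINIMAL_VERSION=latest`) while the workflow pins `GO_FIPS_IMAGE_TAG=1.23.2`; local and CI images are therefore built against different toolchains, which defeats the point of a pinned FIPS builder. Consider a `GO_FIPS_IMAGE_TAG ?= 1.23.2` variable in the Makefile and `--build-arg GO_FIPS_IMAGE_TAG=$(GO_FIPS_IMAGE_TAG)` on the `docker build` line so both paths resolve the same builder image.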
45 changes: 45 additions & 0 deletions dockerfiles/agent/fips.Dockerfile
@@ -0,0 +1,45 @@
ARG UBI_MINIMAL_VERSION="latest"
Code scanning / Trivy notice: No HEALTHCHECK defined (Low)
Artifact: dockerfiles/agent/fips.Dockerfile, Type: dockerfile, Vulnerability DS026, Severity: LOW
Message: Add HEALTHCHECK instruction in your Dockerfile (Link: DS026)
ARG GO_FIPS_IMAGE_TAG=latest
ARG GO_FIPS_IMAGE_REPO=ghcr.io/pluralsh/go-fips
ARG GO_FIPS_BASE_IMAGE=$GO_FIPS_IMAGE_REPO:$GO_FIPS_IMAGE_TAG

FROM ${GO_FIPS_BASE_IMAGE} AS builder

# Set environment variables for FIPS compliance
ENV OPENSSL_FIPS=1
ENV FIPS_MODE=true
# Set up Go environment
ENV CGO_ENABLED=1
ENV CC=gcc

ARG TARGETARCH

WORKDIR /workspace
# Copy the Go Modules manifests
COPY go.mod go.mod
COPY go.sum go.sum
# cache deps before building and copying source so that we don't need to re-download as much
# and so that source changes don't invalidate our downloaded layer
RUN go mod download

# Copy the go source
COPY /cmd/agent cmd/agent
COPY /pkg pkg/
COPY /api api/
COPY /internal internal/
# Build
RUN GOOS=linux GOARCH=${TARGETARCH} GO111MODULE=on go build -a -o deployment-agent cmd/agent/*.go

# This the minimal UBI FIPS compliance image
FROM registry.access.redhat.com/ubi8/ubi-minimal:$UBI_MINIMAL_VERSION
WORKDIR /workspace

RUN microdnf install -y openssl && \
microdnf clean all

RUN mkdir /.kube && chown 65532:65532 /.kube

COPY --from=builder /workspace/deployment-agent .
USER 65532:65532

ENTRYPOINT ["/workspace/deployment-agent"]
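Review bot: `ENV OPENSSL_FIPS=1` and `ENV FIPS_MODE=true` are declared in the builder stage only, so they are absent from the final `ubi-minimal` image; if they are meant to switch the agent's crypto into FIPS mode at runtime they have to be set in the second stage (with a comment naming what consumes them), and if they only influence the build the comment should say so, because as written a reader cannot tell whether the shipped container actually runs FIPS-enabled. Related: with `CGO_ENABLED=1` the resulting binary depends on a system libcrypto at runtime, but the runtime stage installs whatever `openssl` the current `ubi8/ubi-minimal` ships, so the builder's and runtime's OpenSSL versions should be checked for compatibility, and both `UBI_MINIMAL_VERSION="latest"` and `GO_FIPS_IMAGE_TAG=latest` should default to a pinned tag or digest rather than a mutable `latest`. The Trivy DS026 notice on this file can be closed with a `HEALTHCHECK` instruction once the agent exposes a readiness endpoint; the non-root `USER 65532:65532` and the pre-created `/.kube` directory are fine as they are.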