
Commit 9ebef28

Razeen-Abdal-RahmanGromitilijabojanovic
authored
Add docker images built using FIPS binaries (#894)
* Auto generated from templates by gromit * add dist folder to gitignore for testing goreleaser * Auto generated from templates by gromit * Auto generated from templates by gromit * Auto generated from templates by gromit --------- Co-authored-by: Gromit <policy@gromit> Co-authored-by: Ilija Bojanovic <ilijabojanovic@gmail.com>
1 parent e90a695 commit 9ebef28

4 files changed

Lines changed: 167 additions & 6 deletions


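--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -49,6 +49,7 @@ jobs:
 rpmvers: 'el/7 el/8 el/9 amazon/2 amazon/2023'
 debvers: 'ubuntu/xenial ubuntu/bionic ubuntu/focal ubuntu/jammy ubuntu/noble debian/jessie debian/buster debian/bullseye debian/bookworm debian/trixie'
 outputs:
+fips_tags: ${{ steps.ci_metadata_fips.outputs.tags }}
 std_tags: ${{ steps.ci_metadata_std.outputs.tags }}
 commit_author: ${{ steps.set_outputs.outputs.commit_author}}
 steps:
@@ -130,6 +131,71 @@ jobs:
 if: ${{ matrix.golang_cross == '1.24-bookworm' }}
 with:
 mask-password: 'true'
+- name: Docker metadata for fips CI
+id: ci_metadata_fips
+if: ${{ matrix.golang_cross == '1.24-bookworm' }}
+uses: docker/metadata-action@v5
+with:
+images: |
+${{ steps.ecr.outputs.registry }}/tyk-pump-fips
+flavor: |
+latest=false
+tags: |
+type=ref,event=branch
+type=ref,event=pr
+type=sha,format=long
+type=semver,pattern={{major}},prefix=v
+type=semver,pattern={{major}}.{{minor}},prefix=v
+type=semver,pattern={{version}},prefix=v
+- name: push fips image to CI
+if: ${{ matrix.golang_cross == '1.24-bookworm' }}
+uses: docker/build-push-action@v6
+with:
+context: "dist"
+platforms: linux/amd64
+file: ci/Dockerfile.distroless
+provenance: mode=max
+sbom: true
+push: true
+cache-from: type=gha
+cache-to: type=gha,mode=max
+tags: ${{ steps.ci_metadata_fips.outputs.tags }}
+labels: ${{ steps.ci_metadata_fips.outputs.labels }}
+build-args: |
+BUILD_PACKAGE_NAME=tyk-pump-fips
+- name: Docker metadata for fips tag push
+id: tag_metadata_fips
+uses: docker/metadata-action@v5
+with:
+images: |
+tykio/tyk-pump-fips
+flavor: |
+latest=false
+prefix=v
+tags: |
+type=semver,pattern={{major}}.{{minor}}
+type=semver,pattern={{version}}
+labels: |
+org.opencontainers.image.title=Tyk Analytics Pump FIPS
+org.opencontainers.image.description=Tyk Analytics Pump to move analytics data from Redis to any supported back end (multiple back ends can be written to at once). This version is compiled with boringssl.
+org.opencontainers.image.vendor=tyk.io
+org.opencontainers.image.version=${{ github.ref_name }}
+- name: push fips image to prod
+if: ${{ matrix.golang_cross == '1.24-bookworm' }}
+uses: docker/build-push-action@v6
+with:
+context: "dist"
+platforms: linux/amd64
+file: ci/Dockerfile.distroless
+provenance: mode=max
+sbom: true
+cache-from: type=gha
+cache-to: type=gha,mode=max
+push: ${{ startsWith(github.ref, 'refs/tags') }}
+tags: ${{ steps.tag_metadata_fips.outputs.tags }}
+labels: ${{ steps.tag_metadata_fips.outputs.labels }}
+build-args: |
+BUILD_PACKAGE_NAME=tyk-pump-fips
 - name: Docker metadata for std CI
 id: ci_metadata_std
 if: ${{ matrix.golang_cross == '1.24-bookworm' }}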
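Review bot: The `Docker metadata for fips tag push` step (`id: tag_metadata_fips`) is the only one of the four new steps without an `if: ${{ matrix.golang_cross == '1.24-bookworm' }}` guard, so it runs on every matrix leg even though the `push fips image to prod` step that consumes its outputs only runs for `1.24-bookworm`; adding the same `if:` line keeps the four steps consistent and avoids a no-op step per extra leg. Both new `uses:` references (`docker/metadata-action@v5`, `docker/build-push-action@v6`) point at mutable major tags; if the repository's convention allows it, pinning to a full commit SHA with the version in a trailing comment gives the release job a reproducible action set, which matters more here because these steps emit the provenance and SBOM attestations for a FIPS image. The `dist` context and `ci/Dockerfile.distroless` are outside this diff, so whether the distroless build actually installs the `tyk-pump-fips` package selected by `BUILD_PACKAGE_NAME` cannot be confirmed from the hunk.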

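--- a/.gitignore
+++ b/.gitignore
@@ -21,3 +21,4 @@ migrate.js
 utils/release_rc.sh
 .terraform**
 .claude/settings.local.json
+dist/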

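--- a/ci/Dockerfile.std
+++ b/ci/Dockerfile.std
@@ -13,17 +13,17 @@ RUN apt-get update \
 RUN dpkg --purge --force-remove-essential curl ncurses-base || true
 RUN rm -fv /usr/bin/passwd /usr/sbin/adduser || true
 
+# Comment this to test in dev
+COPY dist/${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb /
+RUN dpkg -i /${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb && find / -maxdepth 1 -name "*.deb" -delete
+
 # Clean up caches, unwanted .a and .o files
 RUN rm -rf /root/.cache \
 && apt-get -y autoremove \
 && apt-get clean \
-&& rm -rf /usr/include/* /var/cache/apt/archives /var/lib/{apt,dpkg,cache,log} \
+&& rm -rf /usr/include/* /var/cache/apt/archives /var/lib/apt /var/lib/cache /var/log/* \
 && find /usr/lib -type f -name '*.a' -o -name '*.o' -delete
 
-# Comment this to test in dev
-COPY ${BUILD_PACKAGE_NAME}_*${TARGETARCH}.deb /
-RUN dpkg -i /${BUILD_PACKAGE_NAME}*${TARGETARCH}.deb && rm /*.deb
-
 ARG PORTS
 
 EXPOSE $PORTS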
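Review bot: The `find /usr/lib -type f -name '*.a' -o -name '*.o' -delete` line that closes the cleanup `RUN` this commit edits does not remove `.a` files: without grouping, `-delete` binds only to the `-name '*.o'` branch, so the static archives the comment above says are cleaned stay in the image. Grouping the name tests fixes it: `&& find /usr/lib -type f \( -name '*.a' -o -name '*.o' \) -delete`. The rewritten `rm -rf` line now leaves `/var/lib/dpkg` in place, presumably on purpose since the package is installed with `dpkg -i` just above and image scanners read `/var/lib/dpkg/status` to inventory packages; a comment such as `# /var/lib/dpkg is kept so the package database stays visible to SBOM and vulnerability scanners` would record that intent for the next editor. The old `/var/lib/{apt,dpkg,cache,log}` depended on brace expansion, which the `/bin/sh` used by `RUN` on Debian-based images generally does not perform, so spelling the paths out is the right direction and worth a one-line comment as well.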

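--- a/ci/goreleaser/goreleaser.yml
+++ b/ci/goreleaser/goreleaser.yml
@@ -11,7 +11,7 @@ builds:
 - -tags=fips,boringcrypto
 env:
 - NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
-- $env
+- GOEXPERIMENT=boringcrypto
 ldflags:
 - -X github.com/TykTechnologies/tyk-pump/pumps.Version={{.Version}}
 - -X github.com/TykTechnologies/tyk-pump/pumps.Commit={{.FullCommit}}
@@ -157,6 +157,100 @@ publishers:
 env:
 - PACKAGECLOUD_TOKEN={{ .Env.PACKAGECLOUD_TOKEN }}
 cmd: packagecloud publish --debvers "{{ .Env.DEBVERS }}" --rpmvers "{{ .Env.RPMVERS }}" tyk/tyk-pump-unstable {{ .ArtifactPath }}
+dockers:
+# Build tykio/tyk-pump-fips fips (amd64)
+- ids:
+- fips-amd64
+image_templates:
+- "tykio/tyk-pump-fips:{{.Tag}}-fips-amd64"
+build_flag_templates:
+- "--build-arg=PORTS=80"
+- "--build-arg=BUILD_PACKAGE_NAME=tyk-pump-fips"
+- "--platform=linux/amd64"
+- "--label=org.opencontainers.image.created={{.Date}}"
+- "--label=org.opencontainers.image.title={{.ProjectName}} FIPS"
+- "--label=org.opencontainers.image.revision={{.FullCommit}}"
+- "--label=org.opencontainers.image.version={{.Version}}"
+use: buildx
+goarch: amd64
+goos: linux
+dockerfile: ci/Dockerfile.std
+extra_files:
+- "ci/install/"
+- "README.md"
+- "dist/"
+- "LICENSE.md"
+- "pump.example.conf"
+# Build tykio/tyk-pump-docker-pub std (amd64)
+- ids:
+- std-amd64
+image_templates:
+- "tykio/tyk-pump-docker-pub:{{.Tag}}-std-amd64"
+build_flag_templates:
+- "--build-arg=PORTS=80"
+- "--build-arg=BUILD_PACKAGE_NAME=tyk-pump"
+- "--platform=linux/amd64"
+- "--label=org.opencontainers.image.created={{.Date}}"
+- "--label=org.opencontainers.image.title={{.ProjectName}}"
+- "--label=org.opencontainers.image.revision={{.FullCommit}}"
+- "--label=org.opencontainers.image.version={{.Version}}"
+use: buildx
+goarch: amd64
+goos: linux
+dockerfile: ci/Dockerfile.std
+extra_files:
+- "ci/install/"
+- "README.md"
+- "dist/"
+- "LICENSE.md"
+- "pump.example.conf"
+# Build tykio/tyk-pump-docker-pub std (arm64)
+- ids:
+- std-arm64
+image_templates:
+- "tykio/tyk-pump-docker-pub:{{.Tag}}-std-arm64"
+build_flag_templates:
+- "--build-arg=PORTS=80"
+- "--build-arg=BUILD_PACKAGE_NAME=tyk-pump"
+- "--platform=linux/arm64"
+- "--label=org.opencontainers.image.created={{.Date}}"
+- "--label=org.opencontainers.image.title={{.ProjectName}}"
+- "--label=org.opencontainers.image.revision={{.FullCommit}}"
+- "--label=org.opencontainers.image.version={{.Version}}"
+use: buildx
+goarch: arm64
+goos: linux
+dockerfile: ci/Dockerfile.std
+extra_files:
+- "ci/install/"
+- "README.md"
+- "dist/"
+- "LICENSE.md"
+- "pump.example.conf"
+docker_manifests:
+# Single-arch manifest for tykio/tyk-pump-fips fips
+- name_template: tykio/tyk-pump-fips:{{ .Tag }}-fips
+image_templates:
+- tykio/tyk-pump-fips:{{`{{ .Tag }}`}}-fips-amd64
+- name_template: tykio/tyk-pump-fips:v{{ .Major }}.{{ .Minor }}{{.Prerelease}}-fips
+image_templates:
+- tykio/tyk-pump-fips:{{`{{ .Tag }}`}}-fips-amd64
+- name_template: tykio/tyk-pump-fips:v{{ .Major }}{{.Prerelease}}-fips
+image_templates:
+- tykio/tyk-pump-fips:{{`{{ .Tag }}`}}-fips-amd64
+# Multi-arch manifest for tykio/tyk-pump-docker-pub std
+- name_template: tykio/tyk-pump-docker-pub:{{ .Tag }}
+image_templates:
+- tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-amd64
+- tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-arm64
+- name_template: tykio/tyk-pump-docker-pub:v{{ .Major }}.{{ .Minor }}{{.Prerelease}}
+image_templates:
+- tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-amd64
+- tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-arm64
+- name_template: tykio/tyk-pump-docker-pub:v{{ .Major }}{{.Prerelease}}
+image_templates:
+- tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-amd64
+- tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-arm64
 # This disables archives
 archives:
 - formats: ['binary']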
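Review bot: The goreleaser `dockers` entry for `tykio/tyk-pump-fips` builds from `dockerfile: ci/Dockerfile.std`, while the `push fips image to prod` step in `.github/workflows/release.yml` pushes to the same `tykio/tyk-pump-fips` repository from `ci/Dockerfile.distroless`, so one repository receives two differently-based FIPS images (a Debian image with a dpkg database versus a distroless one) distinguished only by the `-fips` suffix on the goreleaser tags, which makes the SBOM and base-image story of a given FIPS tag hard to reason about. Either point both paths at the same Dockerfile or record the split above the entry, e.g. `# Debian-based FIPS image; the distroless variant of this repository is pushed by release.yml`. The manifest `image_templates` use `{{`{{ .Tag }}`}}`, which under plain Go templating renders to the literal text `{{ .Tag }}`; unless goreleaser evaluates it a second time, the manifest would reference a tag that the `dockers` entry (`{{.Tag}}-fips-amd64`) never pushes, so this is worth confirming with a dry-run release before relying on the `-fips` manifests. `extra_files` lists the whole `dist/`, so each image's build context also carries the other package variant and any other release artefacts in that directory, which is harmless for the tightened `COPY` glob but enlarges every context sent to buildx.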
