Add docker images built using FIPS binaries (#894)

* Auto generated from templates by gromit

* add dist folder to gitignore for testing goreleaser

* Auto generated from templates by gromit

* Auto generated from templates by gromit

* Auto generated from templates by gromit

---------

Co-authored-by: Gromit <policy@gromit>
Co-authored-by: Ilija Bojanovic <ilijabojanovic@gmail.com>

Author: 3 people

.github/workflows/release.yml

@@ -49,6 +49,7 @@ jobs:
             rpmvers: 'el/7 el/8 el/9 amazon/2 amazon/2023'
             debvers: 'ubuntu/xenial ubuntu/bionic ubuntu/focal ubuntu/jammy ubuntu/noble debian/jessie debian/buster debian/bullseye debian/bookworm debian/trixie'
     outputs:
+      fips_tags: ${{ steps.ci_metadata_fips.outputs.tags }}
       std_tags: ${{ steps.ci_metadata_std.outputs.tags }}
       commit_author: ${{ steps.set_outputs.outputs.commit_author}}
     steps:
@@ -130,6 +131,71 @@ jobs:
         if: ${{ matrix.golang_cross == '1.24-bookworm' }}
         with:
           mask-password: 'true'
+      - name: Docker metadata for fips CI
+        id: ci_metadata_fips
+        if: ${{ matrix.golang_cross == '1.24-bookworm' }}
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ steps.ecr.outputs.registry }}/tyk-pump-fips
+          flavor: |
+            latest=false
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=sha,format=long
+            type=semver,pattern={{major}},prefix=v
+            type=semver,pattern={{major}}.{{minor}},prefix=v
+            type=semver,pattern={{version}},prefix=v
+      - name: push fips image to CI
+        if: ${{ matrix.golang_cross == '1.24-bookworm' }}
+        uses: docker/build-push-action@v6
+        with:
+          context: "dist"
+          platforms: linux/amd64
+          file: ci/Dockerfile.distroless
+          provenance: mode=max
+          sbom: true
+          push: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          tags: ${{ steps.ci_metadata_fips.outputs.tags }}
+          labels: ${{ steps.ci_metadata_fips.outputs.labels }}
+          build-args: |
+            BUILD_PACKAGE_NAME=tyk-pump-fips
+      - name: Docker metadata for fips tag push
+        id: tag_metadata_fips
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            tykio/tyk-pump-fips
+          flavor: |
+            latest=false
+            prefix=v
+          tags: |
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{version}}
+          labels: |
+            org.opencontainers.image.title=Tyk Analytics Pump FIPS
+            org.opencontainers.image.description=Tyk Analytics Pump to move analytics data from Redis to any supported back end (multiple back ends can be written to at once). This version is compiled with boringssl.
+            org.opencontainers.image.vendor=tyk.io
+            org.opencontainers.image.version=${{ github.ref_name }}
+      - name: push fips image to prod
+        if: ${{ matrix.golang_cross == '1.24-bookworm' }}
+        uses: docker/build-push-action@v6
+        with:
+          context: "dist"
+          platforms: linux/amd64
+          file: ci/Dockerfile.distroless
+          provenance: mode=max
+          sbom: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          push: ${{ startsWith(github.ref, 'refs/tags') }}
+          tags: ${{ steps.tag_metadata_fips.outputs.tags }}
+          labels: ${{ steps.tag_metadata_fips.outputs.labels }}
+          build-args: |
+            BUILD_PACKAGE_NAME=tyk-pump-fips
       - name: Docker metadata for std CI
         id: ci_metadata_std
         if: ${{ matrix.golang_cross == '1.24-bookworm' }}

.gitignore

@@ -21,3 +21,4 @@ migrate.js
 utils/release_rc.sh
 .terraform**
 .claude/settings.local.json
+dist/

ci/Dockerfile.std

@@ -13,17 +13,17 @@ RUN apt-get update \
 RUN dpkg --purge --force-remove-essential curl ncurses-base || true
 RUN rm -fv /usr/bin/passwd /usr/sbin/adduser || true
 
+# Comment this to test in dev
+COPY dist/${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb /
+RUN dpkg -i /${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb && find / -maxdepth 1 -name "*.deb" -delete
+
 # Clean up caches, unwanted .a and .o files
 RUN rm -rf /root/.cache \
     && apt-get -y autoremove \
     && apt-get clean \
-    && rm -rf /usr/include/* /var/cache/apt/archives /var/lib/{apt,dpkg,cache,log} \
+    && rm -rf /usr/include/* /var/cache/apt/archives /var/lib/apt /var/lib/cache /var/log/* \
     && find /usr/lib -type f -name '*.a' -o -name '*.o' -delete
 
-# Comment this to test in dev
-COPY ${BUILD_PACKAGE_NAME}_*${TARGETARCH}.deb /
-RUN dpkg -i /${BUILD_PACKAGE_NAME}*${TARGETARCH}.deb && rm /*.deb
-
 ARG PORTS
 
 EXPOSE $PORTS

ci/goreleaser/goreleaser.yml

@@ -11,7 +11,7 @@ builds:
       - -tags=fips,boringcrypto
     env:
       - NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
-      - $env
+      - GOEXPERIMENT=boringcrypto
     ldflags:
       - -X github.com/TykTechnologies/tyk-pump/pumps.Version={{.Version}}
       - -X github.com/TykTechnologies/tyk-pump/pumps.Commit={{.FullCommit}}
@@ -157,6 +157,100 @@ publishers:
     env:
       - PACKAGECLOUD_TOKEN={{ .Env.PACKAGECLOUD_TOKEN }}
     cmd: packagecloud publish --debvers "{{ .Env.DEBVERS }}" --rpmvers "{{ .Env.RPMVERS }}" tyk/tyk-pump-unstable {{ .ArtifactPath }}
+dockers:
+  # Build tykio/tyk-pump-fips fips (amd64)
+  - ids:
+      - fips-amd64
+    image_templates:
+      - "tykio/tyk-pump-fips:{{.Tag}}-fips-amd64"
+    build_flag_templates:
+      - "--build-arg=PORTS=80"
+      - "--build-arg=BUILD_PACKAGE_NAME=tyk-pump-fips"
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}} FIPS"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+    use: buildx
+    goarch: amd64
+    goos: linux
+    dockerfile: ci/Dockerfile.std
+    extra_files:
+      - "ci/install/"
+      - "README.md"
+      - "dist/"
+      - "LICENSE.md"
+      - "pump.example.conf"
+  # Build tykio/tyk-pump-docker-pub std (amd64)
+  - ids:
+      - std-amd64
+    image_templates:
+      - "tykio/tyk-pump-docker-pub:{{.Tag}}-std-amd64"
+    build_flag_templates:
+      - "--build-arg=PORTS=80"
+      - "--build-arg=BUILD_PACKAGE_NAME=tyk-pump"
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+    use: buildx
+    goarch: amd64
+    goos: linux
+    dockerfile: ci/Dockerfile.std
+    extra_files:
+      - "ci/install/"
+      - "README.md"
+      - "dist/"
+      - "LICENSE.md"
+      - "pump.example.conf"
+  # Build tykio/tyk-pump-docker-pub std (arm64)
+  - ids:
+      - std-arm64
+    image_templates:
+      - "tykio/tyk-pump-docker-pub:{{.Tag}}-std-arm64"
+    build_flag_templates:
+      - "--build-arg=PORTS=80"
+      - "--build-arg=BUILD_PACKAGE_NAME=tyk-pump"
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+    use: buildx
+    goarch: arm64
+    goos: linux
+    dockerfile: ci/Dockerfile.std
+    extra_files:
+      - "ci/install/"
+      - "README.md"
+      - "dist/"
+      - "LICENSE.md"
+      - "pump.example.conf"
+docker_manifests:
+  # Single-arch manifest for tykio/tyk-pump-fips fips
+  - name_template: tykio/tyk-pump-fips:{{ .Tag }}-fips
+    image_templates:
+      - tykio/tyk-pump-fips:{{`{{ .Tag }}`}}-fips-amd64
+  - name_template: tykio/tyk-pump-fips:v{{ .Major }}.{{ .Minor }}{{.Prerelease}}-fips
+    image_templates:
+      - tykio/tyk-pump-fips:{{`{{ .Tag }}`}}-fips-amd64
+  - name_template: tykio/tyk-pump-fips:v{{ .Major }}{{.Prerelease}}-fips
+    image_templates:
+      - tykio/tyk-pump-fips:{{`{{ .Tag }}`}}-fips-amd64
+  # Multi-arch manifest for tykio/tyk-pump-docker-pub std
+  - name_template: tykio/tyk-pump-docker-pub:{{ .Tag }}
+    image_templates:
+      - tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-amd64
+      - tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-arm64
+  - name_template: tykio/tyk-pump-docker-pub:v{{ .Major }}.{{ .Minor }}{{.Prerelease}}
+    image_templates:
+      - tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-amd64
+      - tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-arm64
+  - name_template: tykio/tyk-pump-docker-pub:v{{ .Major }}{{.Prerelease}}
+    image_templates:
+      - tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-amd64
+      - tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-arm64
 # This disables archives
 archives:
   - formats: ['binary']