Merge branch 'master' into TT-15334/docker-fips

571a7c4
Merged

Add docker images built using FIPS binaries #894

probelabs / Visor: overview succeeded Sep 23, 2025 in 4m 31s

✅ Check Passed

overview check completed successfully with no issues found.

📊 Summary

  • Total Issues: 1

🐛 Issues by Category

📚 Documentation (1)

  • ℹ️ AI_RESPONSE:1 - An analysis of the pull request is provided below, based on the submitted changes.

1. Change Impact Analysis

What this PR accomplishes

This pull request introduces the capability to build and release FIPS-compliant Docker images for Tyk Pump. This is a new feature driven by a customer requirement for environments that need FIPS compliance. The key outcome is a new Docker image, tykio/tyk-pump-fips, which is built using a FIPS-compliant Go binary.

Key technical changes introduced

  1. FIPS-Compliant Go Build: The GoReleaser configuration (ci/goreleaser/goreleaser.yml) is updated to use the GOEXPERIMENT=boringcrypto flag when building the fips-amd64 binary. This flag enables Go's integration with BoringCrypto, which provides FIPS 140-2 validated cryptographic modules.

  2. New Docker Image for FIPS: The GoReleaser configuration now defines a new Docker image build process for tykio/tyk-pump-fips. This image is specifically for the amd64 architecture.

  3. CI/CD Workflow Updates: The GitHub Actions release workflow (.github/workflows/release.yml) has been significantly extended. It now includes steps to:

    • Generate metadata (tags and labels) for the FIPS Docker image.
    • Build and push the FIPS image to both a CI registry (ECR) and the production registry (tykio/tyk-pump-fips) upon a tag event.
    • The build process uses a distroless base image for a smaller footprint, as specified by file: ci/Dockerfile.distroless.

  4. Configuration Refactoring:

    • The ci/Dockerfile.std has been slightly modified to be more generic. It now uses a BUILD_PACKAGE_NAME argument to locate the correct .deb package, allowing the same Dockerfile to be used for both standard and FIPS builds.
    • The .gitignore file is updated to exclude the dist/ directory, which is where GoReleaser places build artifacts.
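A release-gate check for the FIPS build described in item 1, added here as an example and not part of the Tyk Pump PR or project: it reads the build metadata the Go toolchain stamps into a candidate binary and rejects it unless BoringCrypto was compiled in (the `X:boringcrypto` version suffix, or a recorded `GOEXPERIMENT` setting), cgo was enabled, and the target is linux/amd64 as the PR specifies. The `CheckFIPSBuild` function, the `fipscheck` name and the expected-settings list are assumptions of this example.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"log"
	"os"
	"runtime/debug"
	"strings"
)

// Build settings the FIPS image must carry: linux/amd64 plus cgo-linked
// BoringCrypto, as in the PR (assumed gate policy, not project config).
var expectedSettings = []struct{ key, want string }{
	{"GOOS", "linux"},
	{"GOARCH", "amd64"},
	{"CGO_ENABLED", "1"}, // BoringCrypto is linked through cgo
}
// CheckFIPSBuild returns why a binary must NOT ship as the FIPS image; empty means all checks passed.
func CheckFIPSBuild(info *debug.BuildInfo) []string {
	var problems []string
	settings := make(map[string]string, len(info.Settings))
	for _, s := range info.Settings {
		settings[s.Key] = s.Value
	}
	// A boringcrypto toolchain stamps "X:boringcrypto" into the version string; newer ones also record GOEXPERIMENT.
	if !strings.Contains(info.GoVersion, "X:boringcrypto") &&
		!strings.Contains(settings["GOEXPERIMENT"], "boringcrypto") {
		problems = append(problems, "binary was not built with GOEXPERIMENT=boringcrypto")
	}
	for _, e := range expectedSettings {
		if got := settings[e.key]; got != e.want {
			problems = append(problems, fmt.Sprintf("%s=%q, want %q", e.key, got, e.want))
		}
	}
	return problems
}
func main() {
	if len(os.Args) != 2 {
		log.Fatal("usage: fipscheck <path-to-binary>")
	}
	info, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		log.Fatalln("cannot read Go build info:", err)
	}
	if problems := CheckFIPSBuild(info); len(problems) > 0 {
		log.Fatalln("FAIL:", strings.Join(problems, "; "))
	}
	fmt.Println("OK: FIPS build metadata verified")
}
```

Run it against the tyk-pump executable copied out of the candidate image; build metadata proves which toolchain produced the binary, not that every code path uses validated algorithms, so pair it with a runtime check of `crypto/boring.Enabled()` inside the image.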

Affected system components

  • Build & Release Pipeline: The primary impact is on the project's CI/CD pipeline. The release process is now more complex, producing two distinct sets of Docker images (standard multi-arch and FIPS single-arch).
  • Docker Image Consumers: Users and customers now have the option to pull a FIPS-compliant image. This affects deployment scripts, documentation, and operational procedures for teams that require FIPS compliance.
  • GoReleaser Configuration: The goreleaser.yml file is now the central point for defining all Docker image builds and manifests, consolidating what might have been separate processes before.

2. Architecture Visualization

The following diagram illustrates the updated build and release process, highlighting the new FIPS image pipeline alongside the existing standard one.

```mermaid
graph TD
    subgraph "GitHub Actions: release.yml"
        A[Git Tag Push] --> B{Prepare Job};

        B --> C[Run GoReleaser];

        subgraph "GoReleaser Build"
            C --> D{Build Binaries};
            D -- GOEXPERIMENT=boringcrypto --> E[tyk-pump-fips amd64 binary];
            D -- Standard build --> F[tyk-pump std amd64/arm64 binaries];
        end

        subgraph "Docker Image Build & Push"
            C --> G{Build Docker Images};
            G -- Based on FIPS binary --> H(Build tyk-pump-fips Image);
            G -- Based on std binaries --> I(Build tyk-pump Images);

            H --> J[Push to tykio/tyk-pump-fips];
            I --> K[Push to tykio/tyk-pump-docker-pub];
        end

        subgraph "Docker Manifests"
            J --> L[Create Single-Arch FIPS Manifest];
            K --> M[Create Multi-Arch Standard Manifest];
        end
    end

    subgraph "Artifacts"
        L --> N[Image: tykio/tyk-pump-fips:vX.Y.Z-fips];
        M --> O[Image: tykio/tyk-pump-docker-pub:vX.Y.Z];
    end

    style E fill:#cce5ff,stroke:#333,stroke-width:2px
    style H fill:#cce5ff,stroke:#333,stroke-width:2px
    style J fill:#cce5ff,stroke:#333,stroke-width:2px
    style L fill:#cce5ff,stroke:#333,stroke-width:2px
    style N fill:#cce5ff,stroke:#333,stroke-width:2px
```

Diagram Explanation:

  1. The process starts when a new Git tag is pushed, triggering the release.yml workflow.
  2. The central GoReleaser step now has two parallel paths for building binaries: one for standard (std) and a new one for FIPS. The FIPS path is distinguished by the GOEXPERIMENT=boringcrypto flag.
  3. Based on these binaries, corresponding Docker images are built. The new tyk-pump-fips image is created from the FIPS binary.
  4. Finally, the images are pushed to Docker Hub (tykio), and manifests are created. The FIPS image gets a single-architecture manifest, while the standard image gets a multi-architecture manifest for amd64 and arm64.

Generated by Visor - AI-powered code review
