Merged
66 changes: 66 additions & 0 deletions .github/workflows/release.yml
@@ -48,7 +48,8 @@
cgo: 0
rpmvers: 'el/7 el/8 el/9 amazon/2 amazon/2023'
debvers: 'ubuntu/xenial ubuntu/bionic ubuntu/focal ubuntu/jammy ubuntu/noble debian/jessie debian/buster debian/bullseye debian/bookworm debian/trixie'
outputs:

Check notice on line 51 in .github/workflows/release.yml (probelabs / Visor: security, security Issue)

The GitHub Actions workflow does not define job-level permissions, causing it to run with default, potentially overly broad, permissions for the `GITHUB_TOKEN`. This violates the principle of least privilege.

Add a `permissions` block to the `release` job to scope the `GITHUB_TOKEN`'s access to the minimum required for its tasks. For example:
```yaml
permissions:
  contents: read
  id-token: write
  packages: write
```
fips_tags: ${{ steps.ci_metadata_fips.outputs.tags }}
std_tags: ${{ steps.ci_metadata_std.outputs.tags }}
commit_author: ${{ steps.set_outputs.outputs.commit_author}}
steps:
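Review bot: `fips_tags` is taken from `steps.ci_metadata_fips.outputs.tags`, but that step is guarded by `if: ${{ matrix.golang_cross == '1.24-bookworm' }}`, so on every other matrix leg this job output is an empty string; whatever consumes the output needs to tolerate that, or the output should be documented as populated only by the bookworm leg. Minor style point on the neighbouring line: `${{ steps.set_outputs.outputs.commit_author}}` lacks the space before `}}` that the other expressions in this block use.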
@@ -56,71 +57,71 @@
uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Set some outputs for later
id: set_outputs
shell: bash
env:
HEAD_REF: ${{github.head_ref}}
run: |
echo "commit_author=$(git show -s --format='%ae' HEAD)" >> $GITHUB_OUTPUT
echo "branch=${HEAD_REF##*/}" >> $GITHUB_OUTPUT
- uses: docker/setup-qemu-action@v3
- uses: docker/setup-buildx-action@v3
- name: Login to DockerHub
if: startsWith(github.ref, 'refs/tags')
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to Cloudsmith
if: startsWith(github.ref, 'refs/tags')
uses: docker/login-action@v3
with:
registry: docker.tyk.io
username: ${{ secrets.CLOUDSMITH_USERNAME }}
password: ${{ secrets.CLOUDSMITH_API_KEY }}
- uses: actions/cache@v4
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- name: Build
env:
NFPM_PASSPHRASE: ${{ secrets.SIGNING_KEY_PASSPHRASE }}
PKG_SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
run: |
echo '#!/bin/sh
ci/bin/unlock-agent.sh
git config --global url."https://${{ secrets.ORG_GH_TOKEN }}@github.com".insteadOf "https://github.com"
git config --global --add safe.directory /go/src/github.com/TykTechnologies/tyk-pump
goreleaser release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot --skip=sign' || '' }}' | tee /tmp/build.sh
chmod +x /tmp/build.sh
docker run --rm --privileged -e GITHUB_TOKEN=${{ github.token }} \
-e GOPRIVATE=github.com/TykTechnologies \
-e DEBVERS='${{ matrix.debvers }}' \
-e RPMVERS='${{ matrix.rpmvers }}' \
-e CGO_ENABLED=${{ matrix.cgo }} \
-e NFPM_PASSPHRASE="$NFPM_PASSPHRASE" \
-e GPG_FINGERPRINT=12B5D62C28F57592D1575BD51ED14C59E37DAC20 \
-e PKG_SIGNING_KEY="$PKG_SIGNING_KEY" \
-e PACKAGECLOUD_TOKEN=$PACKAGECLOUD_TOKEN \
-v ${{github.workspace}}:/go/src/github.com/TykTechnologies/tyk-pump \
-v /var/run/docker.sock:/var/run/docker.sock \
-v ~/.docker/config.json:/root/.docker/config.json \
-e GOCACHE=/cache/go-build \
-e GOMODCACHE=/go/pkg/mod \
-v ~/go/pkg/mod:/go/pkg/mod \
-v ~/.cache/go-build:/cache/go-build \
-v /tmp/build.sh:/tmp/build.sh \
-w /go/src/github.com/TykTechnologies/tyk-pump \
tykio/golang-cross:${{ matrix.golang_cross }} /tmp/build.sh
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk

Check notice on line 124 in .github/workflows/release.yml (probelabs / Visor: performance, performance Issue)

Adding steps to build and push FIPS-compliant Docker images will increase the overall execution time of the release workflow. This is an expected trade-off for supporting an additional build artifact.

The workflow correctly utilizes GitHub Actions caching (`cache-from: type=gha`, `cache-to: type=gha,mode=max`), which is a best practice that helps mitigate the increased build time by reusing cached layers from previous runs. No immediate action is required, but it's good to monitor the pipeline's duration.
role-session-name: cipush
aws-region: eu-central-1
# Don't mask to pass it across job boundaries
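Review bot: these lines are unchanged context, but the new FIPS artifact now flows through the same build script, so the way `${{ secrets.ORG_GH_TOKEN }}` is handled in the `Build` step deserves a look: the expression is substituted by the workflow engine before the shell runs, so the token lands in clear text inside the single-quoted `echo` body, is written to `/tmp/build.sh` on the runner by `tee`, and is then bind-mounted into the `--privileged` container; a `'` in the token would also terminate the quoted string and break the script. Passing it through `env:` like `NFPM_PASSPHRASE` and `PKG_SIGNING_KEY` and referencing `$ORG_GH_TOKEN` inside the script avoids both problems. While there, `-e PACKAGECLOUD_TOKEN=$PACKAGECLOUD_TOKEN` is the only unquoted `-e` expansion in the `docker run` invocation; quote it like the others.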
@@ -128,12 +129,77 @@
- uses: aws-actions/amazon-ecr-login@v2
id: ecr
if: ${{ matrix.golang_cross == '1.24-bookworm' }}
with:
mask-password: 'true'
- name: Docker metadata for fips CI
id: ci_metadata_fips
if: ${{ matrix.golang_cross == '1.24-bookworm' }}
uses: docker/metadata-action@v5
with:
images: |
${{ steps.ecr.outputs.registry }}/tyk-pump-fips
flavor: |
latest=false
tags: |
type=ref,event=branch
type=ref,event=pr
type=sha,format=long
type=semver,pattern={{major}},prefix=v
type=semver,pattern={{major}}.{{minor}},prefix=v
type=semver,pattern={{version}},prefix=v
- name: push fips image to CI
if: ${{ matrix.golang_cross == '1.24-bookworm' }}
uses: docker/build-push-action@v6
with:
context: "dist"
platforms: linux/amd64
file: ci/Dockerfile.distroless
provenance: mode=max
sbom: true
push: true
cache-from: type=gha
cache-to: type=gha,mode=max
tags: ${{ steps.ci_metadata_fips.outputs.tags }}
labels: ${{ steps.ci_metadata_fips.outputs.labels }}
build-args: |
BUILD_PACKAGE_NAME=tyk-pump-fips
- name: Docker metadata for fips tag push
id: tag_metadata_fips
uses: docker/metadata-action@v5
with:
images: |
tykio/tyk-pump-fips
flavor: |
latest=false
prefix=v
tags: |
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{version}}
labels: |
org.opencontainers.image.title=Tyk Analytics Pump FIPS
org.opencontainers.image.description=Tyk Analytics Pump to move analytics data from Redis to any supported back end (multiple back ends can be written to at once). This version is compiled with boringssl.
org.opencontainers.image.vendor=tyk.io
org.opencontainers.image.version=${{ github.ref_name }}
- name: push fips image to prod
if: ${{ matrix.golang_cross == '1.24-bookworm' }}
uses: docker/build-push-action@v6
with:
context: "dist"
platforms: linux/amd64
file: ci/Dockerfile.distroless
provenance: mode=max
sbom: true
cache-from: type=gha
cache-to: type=gha,mode=max
push: ${{ startsWith(github.ref, 'refs/tags') }}
tags: ${{ steps.tag_metadata_fips.outputs.tags }}
labels: ${{ steps.tag_metadata_fips.outputs.labels }}
build-args: |
BUILD_PACKAGE_NAME=tyk-pump-fips
- name: Docker metadata for std CI
id: ci_metadata_std
if: ${{ matrix.golang_cross == '1.24-bookworm' }}
uses: docker/metadata-action@v5

Check warning on line 202 in .github/workflows/release.yml (probelabs / Visor: quality, maintainability Issue)

The GitHub Actions workflow introduces a set of steps for building and pushing the FIPS Docker image that are nearly identical to the steps for the standard image. This includes metadata generation, building, and pushing for both CI and production releases. This duplication makes the workflow file longer and more difficult to maintain. A change in the build process (e.g., updating the build action version, changing labels, or modifying caching strategy) would need to be manually synchronized across both FIPS and standard build steps.

To make the workflow more maintainable and adhere to the DRY (Don't Repeat Yourself) principle, refactor the duplicated steps into a reusable workflow or a composite action. This would allow you to define the build-and-push logic once and invoke it with different parameters (e.g., image name, build arguments) for the FIPS and standard images.
with:
images: |
${{ steps.ecr.outputs.registry }}/tyk-pump
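Review bot: `Docker metadata for fips tag push` (id `tag_metadata_fips`) is the only FIPS step in this hunk without the `if: ${{ matrix.golang_cross == '1.24-bookworm' }}` guard that `ci_metadata_fips`, `push fips image to CI` and `push fips image to prod` all carry, so it runs on every matrix leg and computes tags that nothing consumes there; add the same condition for consistency. Good to see `provenance: mode=max` and `sbom: true` kept on both FIPS push steps, so the FIPS image gets the same attestations as the standard one. One thing to make explicit in the PR description: the CI push uses `push: true` unconditionally while the prod push is gated on `startsWith(github.ref, 'refs/tags')`, so every non-tag run of the bookworm leg publishes a `tyk-pump-fips` image to ECR.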
1 change: 1 addition & 0 deletions .gitignore
@@ -21,3 +21,4 @@ migrate.js
utils/release_rc.sh
.terraform**
.claude/settings.local.json
dist/
10 changes: 5 additions & 5 deletions ci/Dockerfile.std
@@ -13,17 +13,17 @@
RUN dpkg --purge --force-remove-essential curl ncurses-base || true
RUN rm -fv /usr/bin/passwd /usr/sbin/adduser || true

# Comment this to test in dev
COPY dist/${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb /
RUN dpkg -i /${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb && find / -maxdepth 1 -name "*.deb" -delete

# Clean up caches, unwanted .a and .o files
RUN rm -rf /root/.cache \
&& apt-get -y autoremove \
&& apt-get clean \
&& rm -rf /usr/include/* /var/cache/apt/archives /var/lib/{apt,dpkg,cache,log} \
&& rm -rf /usr/include/* /var/cache/apt/archives /var/lib/apt /var/lib/cache /var/log/* \

Check notice on line 24 in ci/Dockerfile.std (probelabs / Visor: security, security Issue)

The Dockerfile does not create or switch to a non-root user. Running containers as the root user is a security risk, as it reduces the defense-in-depth against container breakout vulnerabilities.

Modify the Dockerfile to create a non-privileged user and switch to it before setting the `ENTRYPOINT` or `CMD`. This hardening step should be applied to the `ci/Dockerfile.distroless` used in the final release build. Example:
```dockerfile
RUN groupadd --system nonroot && useradd --system --gid nonroot nonroot
USER nonroot
```
&& find /usr/lib -type f -name '*.a' -o -name '*.o' -delete

# Comment this to test in dev
COPY ${BUILD_PACKAGE_NAME}_*${TARGETARCH}.deb /
RUN dpkg -i /${BUILD_PACKAGE_NAME}*${TARGETARCH}.deb && rm /*.deb

ARG PORTS

EXPOSE $PORTS
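Review bot: the change from `/var/lib/{apt,dpkg,cache,log}` to explicit paths is more than cosmetic and the commit message should say so: shell-form `RUN` executes under `/bin/sh -c`, which on this Debian-based image is dash and performs no brace expansion, so the old line only ever tried to remove the literal path `/var/lib/{apt,dpkg,cache,log}` and the apt state was never cleaned. The new list deliberately omits `/var/lib/dpkg`, so the package database survives the cleanup; worth a one-line comment, since someone "completing" the list later would break `dpkg` in the image. Two further points on the same `RUN`: `find /usr/lib -type f -name '*.a' -o -name '*.o' -delete` binds `-delete` only to the `-name '*.o'` branch (`-a` has higher precedence than `-o`), so `*.a` files are matched but never removed; group the names as `\( -name '*.a' -o -name '*.o' \) -delete`. And moving the `COPY`/`dpkg -i` block above the cleanup is the right order now that `dpkg -i` needs the apt state present and the cleanup removes it afterwards, but the `dpkg -i /${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb` glob is also tighter than the old `/${BUILD_PACKAGE_NAME}*${TARGETARCH}.deb`, which is worth keeping now that `dist/` holds both `tyk-pump` and `tyk-pump-fips` packages.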
96 changes: 95 additions & 1 deletion ci/goreleaser/goreleaser.yml
@@ -11,8 +11,8 @@
- -tags=fips,boringcrypto
env:
- NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
- $env
- GOEXPERIMENT=boringcrypto
ldflags:

Check notice on line 15 in ci/goreleaser/goreleaser.yml (probelabs / Visor: performance, performance Issue)

The introduction of `GOEXPERIMENT=boringcrypto` and the `fips,boringcrypto` build tags switches the underlying cryptographic implementation to BoringSSL for the FIPS build. This will alter the performance characteristics of cryptographic functions compared to the standard Go crypto library. While this is necessary for FIPS compliance, it's important to be aware of the potential performance shift.

If cryptographic performance is a critical aspect of the service, consider benchmarking the FIPS-enabled binary against the standard version to quantify any differences and ensure they are within acceptable limits.
- -X github.com/TykTechnologies/tyk-pump/pumps.Version={{.Version}}
- -X github.com/TykTechnologies/tyk-pump/pumps.Commit={{.FullCommit}}
- -X github.com/TykTechnologies/tyk-pump/pumps.BuildDate={{.Date}}
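Review bot: `GOEXPERIMENT=boringcrypto` together with `-tags=fips,boringcrypto` swaps the crypto backend, but it does not by itself restrict TLS to FIPS-approved cipher suites and curves; that needs `crypto/tls/fipsonly` to be imported somewhere in the binary (or an equivalent runtime restriction). Please confirm in the PR how the `fips` build tag enforces this in tyk-pump, or label the image as a BoringCrypto build rather than a FIPS-only one. Also, the `NOP=nop` comment has a typo (`jsut`), and the `$env` entry under `env:` is not valid goreleaser syntax, which only makes sense if this file is rendered by an outer template pass first; a comment at the top of the file saying so would save the next reader the guesswork.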
@@ -157,8 +157,102 @@
env:
- PACKAGECLOUD_TOKEN={{ .Env.PACKAGECLOUD_TOKEN }}
cmd: packagecloud publish --debvers "{{ .Env.DEBVERS }}" --rpmvers "{{ .Env.RPMVERS }}" tyk/tyk-pump-unstable {{ .ArtifactPath }}
dockers:
# Build tykio/tyk-pump-fips fips (amd64)
- ids:
- fips-amd64
image_templates:
- "tykio/tyk-pump-fips:{{.Tag}}-fips-amd64"
build_flag_templates:
- "--build-arg=PORTS=80"
- "--build-arg=BUILD_PACKAGE_NAME=tyk-pump-fips"
- "--platform=linux/amd64"
- "--label=org.opencontainers.image.created={{.Date}}"
- "--label=org.opencontainers.image.title={{.ProjectName}} FIPS"
- "--label=org.opencontainers.image.revision={{.FullCommit}}"
- "--label=org.opencontainers.image.version={{.Version}}"
use: buildx
goarch: amd64
goos: linux
dockerfile: ci/Dockerfile.std
extra_files:
- "ci/install/"
- "README.md"
- "dist/"
- "LICENSE.md"
- "pump.example.conf"
# Build tykio/tyk-pump-docker-pub std (amd64)
- ids:
- std-amd64
image_templates:
- "tykio/tyk-pump-docker-pub:{{.Tag}}-std-amd64"
build_flag_templates:
- "--build-arg=PORTS=80"
- "--build-arg=BUILD_PACKAGE_NAME=tyk-pump"
- "--platform=linux/amd64"
- "--label=org.opencontainers.image.created={{.Date}}"
- "--label=org.opencontainers.image.title={{.ProjectName}}"
- "--label=org.opencontainers.image.revision={{.FullCommit}}"
- "--label=org.opencontainers.image.version={{.Version}}"
use: buildx
goarch: amd64
goos: linux
dockerfile: ci/Dockerfile.std
extra_files:
- "ci/install/"
- "README.md"
- "dist/"
- "LICENSE.md"
- "pump.example.conf"
# Build tykio/tyk-pump-docker-pub std (arm64)
- ids:
- std-arm64
image_templates:
- "tykio/tyk-pump-docker-pub:{{.Tag}}-std-arm64"
build_flag_templates:
- "--build-arg=PORTS=80"
- "--build-arg=BUILD_PACKAGE_NAME=tyk-pump"
- "--platform=linux/arm64"
- "--label=org.opencontainers.image.created={{.Date}}"
- "--label=org.opencontainers.image.title={{.ProjectName}}"
- "--label=org.opencontainers.image.revision={{.FullCommit}}"
- "--label=org.opencontainers.image.version={{.Version}}"
use: buildx
goarch: arm64
goos: linux
dockerfile: ci/Dockerfile.std
extra_files:
- "ci/install/"
- "README.md"
- "dist/"
- "LICENSE.md"
- "pump.example.conf"
docker_manifests:
# Single-arch manifest for tykio/tyk-pump-fips fips
- name_template: tykio/tyk-pump-fips:{{ .Tag }}-fips
image_templates:
- tykio/tyk-pump-fips:{{`{{ .Tag }}`}}-fips-amd64
- name_template: tykio/tyk-pump-fips:v{{ .Major }}.{{ .Minor }}{{.Prerelease}}-fips
image_templates:
- tykio/tyk-pump-fips:{{`{{ .Tag }}`}}-fips-amd64
- name_template: tykio/tyk-pump-fips:v{{ .Major }}{{.Prerelease}}-fips
image_templates:
- tykio/tyk-pump-fips:{{`{{ .Tag }}`}}-fips-amd64
# Multi-arch manifest for tykio/tyk-pump-docker-pub std
- name_template: tykio/tyk-pump-docker-pub:{{ .Tag }}
image_templates:
- tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-amd64
- tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-arm64
- name_template: tykio/tyk-pump-docker-pub:v{{ .Major }}.{{ .Minor }}{{.Prerelease}}
image_templates:
- tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-amd64
- tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-arm64
- name_template: tykio/tyk-pump-docker-pub:v{{ .Major }}{{.Prerelease}}
image_templates:
- tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-amd64
- tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-arm64
# This disables archives
archives:

Check warning on line 255 in ci/goreleaser/goreleaser.yml (probelabs / Visor: quality, maintainability Issue)

The `dockers` and `docker_manifests` configurations contain significant duplication. The definitions for `fips-amd64`, `std-amd64`, and `std-arm64` share many common properties like `use`, `goos`, `dockerfile`, and `extra_files`. Similarly, the `docker_manifests` for different tags are repetitive. This duplication makes the configuration harder to maintain, as changes may need to be applied in multiple places, increasing the risk of inconsistencies.

To improve maintainability and reduce redundancy, consider using YAML anchors and aliases. You can define a base template for the docker build and manifest configurations and then extend it for each specific variant (fips, std, amd64, arm64). This would centralize the common configuration and make future updates simpler.
- formats: ['binary']
allow_different_binary_count: true
checksum:
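Review bot: template escaping is inconsistent within this hunk: every `dockers[].image_templates` entry and every `name_template` use `{{.Tag}}` / `{{ .Tag }}` directly, while every `docker_manifests[].image_templates` entry uses the raw-string form `{{`{{ .Tag }}`}}`. Unless the layer that renders this file (the `$env` entry and the `NOP=nop` comment above suggest an outer template pass before goreleaser) leaves unknown fields untouched, the two forms cannot both resolve to the tag value: either the manifests will reference images named with a literal `{{ .Tag }}`, or the unescaped templates will be consumed by the outer pass. Please paste the rendered `dockers` / `docker_manifests` section into the PR so we can see both sides produce the same `tykio/tyk-pump-fips:<tag>-fips-amd64` reference. Separately, this `fips-amd64` entry builds `tykio/tyk-pump-fips` from `ci/Dockerfile.std`, while the `push fips image to prod` step in `.github/workflows/release.yml` pushes the same repository from `ci/Dockerfile.distroless`; the tags differ only by the `-fips` suffix, so one repository will carry two different base images for the same release, which should be documented or unified.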