Auto generated from templates by gromit

Add docker images built using FIPS binaries #897

probelabs / Visor: overview succeeded Oct 1, 2025 in 4m 32s

✅ Check Passed

overview check completed successfully with no issues found.

Details

📊 Summary

  • Total Issues: 1

🐛 Issues by Category

📚 Documentation (1)

  • ℹ️ AI_RESPONSE:1

### **1. Change Impact Analysis**

#### **What this PR accomplishes**

This pull request introduces the capability to build and release FIPS-compliant, multi-architecture Docker images for tyk-pump. Responding to a customer request, it extends FIPS support beyond the existing amd64 architecture to include arm64 and s390x. This is achieved by using Go's boringcrypto library to compile FIPS-compliant binaries for each architecture and then packaging them into separate Docker images. Finally, these images are grouped under a single multi-architecture manifest, simplifying distribution and usage for consumers on different platforms. The PR also adds s390x support for the standard (non-FIPS) Docker image.

#### **Key Technical Changes**

The core of the changes lies in the CI/CD configuration files:

1.  **GoReleaser Configuration (`ci/goreleaser/goreleaser.yml`):**
    *   **New Build Definitions:** Two new build IDs, `fips-arm64` and `fips-s390x`, are added. These builds are configured with the `fips,boringcrypto` tags and the `GOEXPERIMENT=boringcrypto` environment variable, which instructs the Go compiler to use the FIPS 140-2 validated BoringCrypto module.
    *   **Multi-Arch Docker Builds:** The `dockers` section is expanded to create architecture-specific Docker images for `fips-arm64` and `fips-s390x`.
    *   **Multi-Arch Manifests:** The `docker_manifests` section is updated to group the newly created `arm64` and `s390x` images with the existing `amd64` image. This allows users to pull a tag like `tykio/tyk-pump-fips:vX.Y.Z-fips` and have the container runtime automatically select the correct image for their machine's architecture.

2.  **GitHub Actions Workflow (`.github/workflows/release.yml`):**
    *   The `docker/build-push-action` steps are modified to build for multiple platforms simultaneously by changing `platforms: linux/amd64` to `platforms: linux/amd64,linux/arm64,linux/s390x`. This enables the workflow to produce the multi-architecture images required by the GoReleaser configuration.

#### **Affected System Components**

*   **CI/CD Release Pipeline:** The primary impact is on the release process. The pipeline will now execute additional build steps for the new architectures, create corresponding Docker images, and publish multi-arch manifests to the container registry.
*   **Release Artifacts:** The set of release artifacts is expanded to include:
    *   FIPS-compliant binaries for `linux/arm64` and `linux/s390x`.
    *   Multi-architecture Docker images for both FIPS (`tykio/tyk-pump-fips`) and standard (`tykio/tyk-pump-docker-pub`) builds.

### **2. Architecture Visualization**

The following diagram illustrates the updated build and release process for FIPS-compliant Docker images.

```mermaid
flowchart TD
    subgraph "GoReleaser Build Process"
        A[Trigger Release] --> B{Build Binaries};
        B --> C1[Build fips-amd64];
        B --> C2[Build fips-arm64];
        B --> C3[Build fips-s390x];
    end

    subgraph "Docker Image Creation (via buildx)"
        C1 --> D1[Create tyk-pump-fips:tag-fips-amd64 Image];
        C2 --> D2[Create tyk-pump-fips:tag-fips-arm64 Image];
        C3 --> D3[Create tyk-pump-fips:tag-fips-s390x Image];
    end

    subgraph "Docker Manifest Publication"
        D1 --> E{Combine into Multi-Arch Manifest};
        D2 --> E;
        D3 --> E;
        E -- "tykio/tyk-pump-fips:tag-fips" --> F[Push to Container Registry];
    end

    subgraph "End User"
        G[User on amd64] -- "docker pull" --> F;
        H[User on arm64] -- "docker pull" --> F;
        I[User on s390x] -- "docker pull" --> F;
    end

    style F fill:#cde4ff,stroke:#333,stroke-width:2px
```

This diagram shows how GoReleaser now builds binaries for three different architectures in parallel. Each binary is then used to create a platform-specific Docker image. Finally, these individual images are linked together by a single multi-architecture manifest, which is pushed to the container registry. This allows users on any of the supported platforms to pull the correct image using a single, consistent tag.


Generated by Visor - AI-powered code review
