6 changes: 3 additions & 3 deletions .github/workflows/release.yml
@@ -137,7 +137,7 @@
uses: docker/metadata-action@v5
with:
images: |
${{ steps.ecr.outputs.registry }}/tyk-pump-fips
${{ steps.ecr.outputs.registry }}/tyk-pump
flavor: |
latest=false
tags: |
@@ -151,8 +151,8 @@
if: ${{ matrix.golang_cross == '1.24-bookworm' }}
uses: docker/build-push-action@v6
with:
context: "dist"

Check notice on line 154 in .github/workflows/release.yml

probelabs / Visor: performance

performance Issue

Building Docker images for multiple platforms (`linux/amd64`, `linux/arm64`, `linux/s390x`) in a single step will increase the duration of the 'build-push-action'. This change is also present on line 187.
Raw output
This is an expected consequence of supporting multi-arch images. Ensure that Docker layer caching is effectively configured for the `build-push-action` to minimize rebuilds of unchanged layers, which can help mitigate the increase in build time.
platforms: linux/amd64
platforms: linux/amd64,linux/arm64,linux/s390x
file: ci/Dockerfile.distroless
provenance: mode=max
sbom: true
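Review bot: the expanded `platforms` list makes this single `build-push-action` step build for `linux/arm64` and `linux/s390x` on an amd64 runner, which only works if QEMU binfmt handlers (`docker/setup-qemu-action`) and a buildx builder with a multi-platform driver are set up earlier in the job; neither appears in this hunk, so confirm they are present or the non-native platforms will fail at build time. Because the build context is the prebuilt `dist` directory, `ci/Dockerfile.distroless` also has to pick the binary per `TARGETARCH` (or `TARGETPLATFORM`), otherwise every platform image receives the amd64 binary. With `provenance: mode=max` and `sbom: true` retained, verify after the push that the manifest list carries an attestation per platform, e.g. `docker buildx imagetools inspect <image>:<tag>`.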
@@ -185,7 +185,7 @@
uses: docker/build-push-action@v6
with:
context: "dist"
platforms: linux/amd64
platforms: linux/amd64,linux/arm64,linux/s390x
file: ci/Dockerfile.distroless
provenance: mode=max
sbom: true
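Review bot: this step now duplicates the `platforms`, `provenance` and `sbom` settings of the step at line 154, with the same dependency on QEMU/buildx setup and on `ci/Dockerfile.distroless` selecting the binary by `TARGETARCH`; hoisting the platform list into one workflow-level `env` value (or a matrix dimension) would keep the two steps from drifting when a platform is added or dropped later.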
114 changes: 113 additions & 1 deletion ci/goreleaser/goreleaser.yml
@@ -1,4 +1,4 @@
# Generated by: gromit policy

Check notice on line 1 in ci/goreleaser/goreleaser.yml

probelabs / Visor: security

documentation Issue

The term 'FIPS compliant' can be misinterpreted. While the binaries are built with FIPS-enabled cryptographic libraries, the resulting Docker images are not officially FIPS 140-2/3 validated. This distinction is important for users in regulated environments.
Raw output
Ensure that all public-facing documentation, release notes, and image descriptions clearly state that the images are 'built with FIPS-compliant binaries' but are not themselves 'FIPS validated'. This manages user expectations and prevents potential compliance issues on their end.

# Check the documentation at http://goreleaser.com
# This project needs CGO_ENABLED=1 and the cross-compiler toolchains for
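Review bot: the file still opens with `# Generated by: gromit policy`, so the hand-written multi-arch blocks added below will be lost the next time the policy regenerates this file; the change belongs in the gromit policy templates (the `NOP=nop # ... avoid a complex conditional in the templates` lines show the file is template-driven), or the header should be removed and generation switched off for this file.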
@@ -21,166 +21,246 @@
- linux
goarch:
- amd64
binary: tyk-pump
- id: fips-arm64
flags:
- -tags=fips,boringcrypto
env:
- NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
- GOEXPERIMENT=boringcrypto
ldflags:
- -X github.com/TykTechnologies/tyk-pump/pumps.Version={{.Version}}
- -X github.com/TykTechnologies/tyk-pump/pumps.Commit={{.FullCommit}}
- -X github.com/TykTechnologies/tyk-pump/pumps.BuildDate={{.Date}}
- -X github.com/TykTechnologies/tyk-pump/pumps.BuiltBy=goreleaser
goos:
- linux
goarch:
- arm64
binary: tyk-pump
- id: fips-s390x
flags:
- -tags=fips,boringcrypto
env:
- NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
- GOEXPERIMENT=boringcrypto
ldflags:
- -X github.com/TykTechnologies/tyk-pump/pumps.Version={{.Version}}
- -X github.com/TykTechnologies/tyk-pump/pumps.Commit={{.FullCommit}}
- -X github.com/TykTechnologies/tyk-pump/pumps.BuildDate={{.Date}}
- -X github.com/TykTechnologies/tyk-pump/pumps.BuiltBy=goreleaser
goos:
- linux
goarch:
- s390x
binary: tyk-pump
- id: std-amd64
env:
- NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
ldflags:

Check notice on line 60 in ci/goreleaser/goreleaser.yml

probelabs / Visor: performance

performance Issue

The addition of `fips-arm64` and `fips-s390x` builds, along with corresponding Docker image creation and manifest updates, will increase the overall CI pipeline execution time and resource consumption. While necessary for multi-architecture support, this can slow down the release process.
Raw output
Monitor the execution time of the release workflow. If it becomes excessively long, consider optimizing the build process. This could involve using more powerful self-hosted runners, optimizing Docker layer caching across workflow runs, or investigating if `goreleaser` can parallelize more of the build steps.
- -X github.com/TykTechnologies/tyk-pump/pumps.Version={{.Version}}
- -X github.com/TykTechnologies/tyk-pump/pumps.Commit={{.FullCommit}}
- -X github.com/TykTechnologies/tyk-pump/pumps.BuildDate={{.Date}}
- -X github.com/TykTechnologies/tyk-pump/pumps.BuiltBy=goreleaser
goos:
- linux
goarch:
- amd64
binary: tyk-pump
- id: std-arm64
env:
- NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
ldflags:
- -X github.com/TykTechnologies/tyk-pump/pumps.Version={{.Version}}
- -X github.com/TykTechnologies/tyk-pump/pumps.Commit={{.FullCommit}}
- -X github.com/TykTechnologies/tyk-pump/pumps.BuildDate={{.Date}}
- -X github.com/TykTechnologies/tyk-pump/pumps.BuiltBy=goreleaser
goos:
- linux
goarch:
- arm64
binary: tyk-pump
- id: std-s390x
env:
- NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
ldflags:
- -X github.com/TykTechnologies/tyk-pump/pumps.Version={{.Version}}
- -X github.com/TykTechnologies/tyk-pump/pumps.Commit={{.FullCommit}}
- -X github.com/TykTechnologies/tyk-pump/pumps.BuildDate={{.Date}}
- -X github.com/TykTechnologies/tyk-pump/pumps.BuiltBy=goreleaser
goos:
- linux
goarch:
- s390x
binary: tyk-pump
nfpms:
- id: fips
vendor: "Tyk Technologies Ltd"
homepage: "https://tyk.io"
maintainer: "Tyk <info@tyk.io>"
description: Tyk Analytics Pump to move analytics data from Redis to any supported back end (multiple back ends can be written to at once). This version is compiled with boringssl.
package_name: tyk-pump-fips
file_name_template: "{{ .ConventionalFileName }}"
ids:
- fips-amd64
- fips-arm64
- fips-s390x
formats:
- deb
- rpm
contents:
- src: "README.md"
dst: "/opt/share/docs/tyk-pump/README.md"
- src: "ci/install/*"
dst: "/opt/tyk-pump/install"
- src: ci/install/inits/systemd/system/tyk-pump.service
dst: /lib/systemd/system/tyk-pump.service
- src: ci/install/inits/sysv/init.d/tyk-pump
dst: /etc/init.d/tyk-pump
- src: "LICENSE.md"
dst: "/opt/share/docs/tyk-pump/LICENSE.md"
- src: pump.example.conf
dst: /opt/tyk-pump/pump.conf
type: "config|noreplace"
scripts:
preinstall: "ci/install/before_install.sh"
postinstall: "ci/install/post_install.sh"
postremove: "ci/install/post_remove.sh"
bindir: "/opt/tyk-pump"
rpm:
scripts:
posttrans: ci/install/post_trans.sh
signature:
key_file: tyk.io.signing.key
deb:
signature:
key_file: tyk.io.signing.key
type: origin
- id: std
vendor: "Tyk Technologies Ltd"
homepage: "https://tyk.io"
maintainer: "Tyk <info@tyk.io>"
description: Tyk Analytics Pump to move analytics data from Redis to any supported back end (multiple back ends can be written to at once).
package_name: tyk-pump
file_name_template: "{{ .ConventionalFileName }}"
ids:
- std-amd64
- std-arm64
- std-s390x
formats:
- deb
- rpm
contents:
- src: "README.md"
dst: "/opt/share/docs/tyk-pump/README.md"
- src: "ci/install/*"
dst: "/opt/tyk-pump/install"
- src: ci/install/inits/systemd/system/tyk-pump.service
dst: /lib/systemd/system/tyk-pump.service
- src: ci/install/inits/sysv/init.d/tyk-pump
dst: /etc/init.d/tyk-pump
- src: "LICENSE.md"
dst: "/opt/share/docs/tyk-pump/LICENSE.md"
- src: pump.example.conf
dst: /opt/tyk-pump/pump.conf
type: "config|noreplace"
scripts:
preinstall: "ci/install/before_install.sh"
postinstall: "ci/install/post_install.sh"
postremove: "ci/install/post_remove.sh"
bindir: "/opt/tyk-pump"
rpm:
scripts:
posttrans: ci/install/post_trans.sh
signature:
key_file: tyk.io.signing.key
deb:
signature:
key_file: tyk.io.signing.key
type: origin
publishers:
- name: fips
ids:
- fips
env:
- PACKAGECLOUD_TOKEN={{ .Env.PACKAGECLOUD_TOKEN }}
cmd: packagecloud publish --debvers "{{ .Env.DEBVERS }}" --rpmvers "{{ .Env.RPMVERS }}" tyk/tyk-ee-unstable {{ .ArtifactPath }}
- name: std
ids:
- std
env:
- PACKAGECLOUD_TOKEN={{ .Env.PACKAGECLOUD_TOKEN }}
cmd: packagecloud publish --debvers "{{ .Env.DEBVERS }}" --rpmvers "{{ .Env.RPMVERS }}" tyk/tyk-pump-unstable {{ .ArtifactPath }}
dockers:
# Build tykio/tyk-pump-fips fips (amd64)
- ids:
- fips-amd64
image_templates:
- "tykio/tyk-pump-fips:{{.Tag}}-fips-amd64"
build_flag_templates:
- "--build-arg=PORTS=80"
- "--build-arg=BUILD_PACKAGE_NAME=tyk-pump-fips"
- "--platform=linux/amd64"
- "--label=org.opencontainers.image.created={{.Date}}"
- "--label=org.opencontainers.image.title={{.ProjectName}} FIPS"
- "--label=org.opencontainers.image.revision={{.FullCommit}}"
- "--label=org.opencontainers.image.version={{.Version}}"
use: buildx
goarch: amd64
goos: linux
dockerfile: ci/Dockerfile.std
extra_files:
- "ci/install/"
- "README.md"
- "dist/"
- "LICENSE.md"
- "pump.example.conf"
# Build tykio/tyk-pump-fips fips (arm64)
- ids:
- fips-arm64
image_templates:
- "tykio/tyk-pump-fips:{{.Tag}}-fips-arm64"
build_flag_templates:
- "--build-arg=PORTS=80"
- "--build-arg=BUILD_PACKAGE_NAME=tyk-pump-fips"
- "--platform=linux/arm64"
- "--label=org.opencontainers.image.created={{.Date}}"
- "--label=org.opencontainers.image.title={{.ProjectName}} FIPS"
- "--label=org.opencontainers.image.revision={{.FullCommit}}"
- "--label=org.opencontainers.image.version={{.Version}}"
use: buildx
goarch: arm64

Check warning on line 232 in ci/goreleaser/goreleaser.yml

probelabs / Visor: style

architecture Issue

The configuration for `arm64` and `s390x` architectures in the `builds` and `dockers` sections is heavily duplicated from the existing `amd64` configuration. This copy-paste approach increases maintenance overhead, as any future changes to build flags, labels, or file lists must be manually replicated across all architecture-specific blocks. This makes the configuration file verbose, error-prone, and difficult to manage.
Raw output
To improve maintainability and reduce redundancy, refactor the `builds` and `dockers` configurations to use GoReleaser's `matrix` feature. A matrix allows you to define a single configuration block that generates multiple builds and Docker images based on a set of variables, such as the target architecture. This will significantly simplify the file and ensure consistency across all builds.

**Example for `builds`:**
```yaml
builds:
  - id: fips
    matrix:
      goarch:
        - amd64
        - arm64
        - s390x
    flags:
      - -tags=fips,boringcrypto
    env:
      - GOEXPERIMENT=boringcrypto
    ldflags:
      - -X github.com/TykTechnologies/tyk-pump/pumps.Version={{.Version}}
      - -X github.com/TykTechnologies/tyk-pump/pumps.Commit={{.FullCommit}}
      - -X github.com/TykTechnologies/tyk-pump/pumps.BuildDate={{.Date}}
      - -X github.com/TykTechnologies/tyk-pump/pumps.BuiltBy=goreleaser
    goos:
      - linux
    binary: tyk-pump
```

**Example for `dockers`:**
```yaml
dockers:
  - matrix:
      goarch:
        - amd64
        - arm64
        - s390x
    ids:
      - fips
    image_templates:
      - "tykio/tyk-pump-fips:{{.Tag}}-fips-{{.Arch}}"
    build_flag_templates:
      - "--platform=linux/{{.Arch}}"
      # ... other flags
    use: buildx
    goos: linux
    dockerfile: ci/Dockerfile.std
    extra_files:
      - "ci/install/"
      - "README.md"
      - "dist/"
      - "LICENSE.md"
      - "pump.example.conf"
```
goos: linux
dockerfile: ci/Dockerfile.std
extra_files:
- "ci/install/"
- "README.md"
- "dist/"
- "LICENSE.md"
- "pump.example.conf"
# Build tykio/tyk-pump-fips fips (s390x)
- ids:
- fips-s390x
image_templates:
- "tykio/tyk-pump-fips:{{.Tag}}-fips-s390x"
build_flag_templates:
- "--build-arg=PORTS=80"
- "--build-arg=BUILD_PACKAGE_NAME=tyk-pump-fips"
- "--platform=linux/s390x"
- "--label=org.opencontainers.image.created={{.Date}}"
- "--label=org.opencontainers.image.title={{.ProjectName}} FIPS"
- "--label=org.opencontainers.image.revision={{.FullCommit}}"
- "--label=org.opencontainers.image.version={{.Version}}"
use: buildx
goarch: s390x
goos: linux
dockerfile: ci/Dockerfile.std
extra_files:
- "ci/install/"
- "README.md"

Check warning on line 260 in ci/goreleaser/goreleaser.yml

probelabs / Visor: quality

architecture Issue

The `goreleaser.yml` configuration contains significant duplication across the `builds` and `dockers` sections for different architectures (amd64, arm64, s390x). Common properties like `ldflags`, `env`, `build_flag_templates`, and `extra_files` are repeated for each architecture.
Raw output
To improve maintainability and reduce redundancy, use YAML anchors and aliases. Define common configuration blocks once and reference them where needed. This will make the file shorter, easier to read, and less error-prone when making future changes.
- "dist/"
- "LICENSE.md"
- "pump.example.conf"
# Build tykio/tyk-pump-docker-pub std (amd64)
- ids:
- std-amd64
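Review bot: `fips-s390x` sets `GOEXPERIMENT=boringcrypto` and `-tags=fips,boringcrypto`, but Go's BoringCrypto module is only shipped for linux/amd64 and linux/arm64; on linux/s390x the toolchain silently builds with the stock Go crypto packages (`crypto/internal/boring.Enabled` is false), so the `tyk-pump-fips` s390x .deb/.rpm and the `tykio/tyk-pump-fips:{{.Tag}}-fips-s390x` image, both described as "compiled with boringssl", would not use BoringCrypto at all. Either drop `fips-s390x` from `builds`, from the `fips` nfpm `ids` and from the `dockers` list, or add a release-gate check that each FIPS binary actually links BoringCrypto (for example `go tool nm tyk-pump | grep -c _goboringcrypto_` must be non-zero) before the package and image are published.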
@@ -227,30 +307,62 @@
- "dist/"
- "LICENSE.md"
- "pump.example.conf"
# Build tykio/tyk-pump-docker-pub std (s390x)
- ids:
- std-s390x
image_templates:
- "tykio/tyk-pump-docker-pub:{{.Tag}}-std-s390x"
build_flag_templates:
- "--build-arg=PORTS=80"
- "--build-arg=BUILD_PACKAGE_NAME=tyk-pump"
- "--platform=linux/s390x"
- "--label=org.opencontainers.image.created={{.Date}}"
- "--label=org.opencontainers.image.title={{.ProjectName}}"
- "--label=org.opencontainers.image.revision={{.FullCommit}}"
- "--label=org.opencontainers.image.version={{.Version}}"
use: buildx
goarch: s390x
goos: linux
dockerfile: ci/Dockerfile.std
extra_files:
- "ci/install/"
- "README.md"
- "dist/"
- "LICENSE.md"
- "pump.example.conf"
docker_manifests:
# Single-arch manifest for tykio/tyk-pump-fips fips
# Multi-arch manifest for tykio/tyk-pump-fips fips
- name_template: tykio/tyk-pump-fips:{{ .Tag }}-fips
image_templates:
- tykio/tyk-pump-fips:{{`{{ .Tag }}`}}-fips-amd64
- tykio/tyk-pump-fips:{{`{{ .Tag }}`}}-fips-arm64
- tykio/tyk-pump-fips:{{`{{ .Tag }}`}}-fips-s390x
- name_template: tykio/tyk-pump-fips:v{{ .Major }}.{{ .Minor }}{{.Prerelease}}-fips
image_templates:
- tykio/tyk-pump-fips:{{`{{ .Tag }}`}}-fips-amd64
- tykio/tyk-pump-fips:{{`{{ .Tag }}`}}-fips-arm64
- tykio/tyk-pump-fips:{{`{{ .Tag }}`}}-fips-s390x
- name_template: tykio/tyk-pump-fips:v{{ .Major }}{{.Prerelease}}-fips
image_templates:
- tykio/tyk-pump-fips:{{`{{ .Tag }}`}}-fips-amd64
- tykio/tyk-pump-fips:{{`{{ .Tag }}`}}-fips-arm64
- tykio/tyk-pump-fips:{{`{{ .Tag }}`}}-fips-s390x
# Multi-arch manifest for tykio/tyk-pump-docker-pub std
- name_template: tykio/tyk-pump-docker-pub:{{ .Tag }}
image_templates:
- tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-amd64
- tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-arm64
- tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-s390x
- name_template: tykio/tyk-pump-docker-pub:v{{ .Major }}.{{ .Minor }}{{.Prerelease}}
image_templates:
- tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-amd64
- tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-arm64
- tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-s390x
- name_template: tykio/tyk-pump-docker-pub:v{{ .Major }}{{.Prerelease}}
image_templates:
- tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-amd64
- tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-arm64
- tykio/tyk-pump-docker-pub:{{`{{ .Tag }}`}}-std-s390x
# This disables archives
archives:
- formats: ['binary']
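Review bot: the fips manifests now list `-fips-s390x` alongside amd64/arm64, so a consumer pulling `tykio/tyk-pump-fips:{{ .Tag }}-fips` on s390x receives an image whose binary cannot have been built with BoringCrypto (Go only ships it for linux/amd64 and linux/arm64) under the same FIPS tag as the other platforms; keep s390x out of the three fips `docker_manifests` entries unless the build is verified to link BoringCrypto. Note also that the manifest lists assembled here carry no `sbom`/`provenance` attestations, unlike the `build-push-action` steps in `release.yml`, so per-platform SBOMs exist only for the distroless images.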