Merge branch 'master' into feat/zombie-on-policy-fail

Author: edsonmichaque

.github/workflows/release.yml

@@ -76,7 +76,6 @@ main
 /coprocess/*.pb.go-e
 ci/tests/specs/tmp
 ci/tests/specs/node_modules
-ci/tests/specs/package-lock.json
 ci/tests/specs/gateway.collection.postman.json
 ci/tests/specs/.env
 ci/tests/specs/apps

.gitignore

@@ -1,5 +1,7 @@
 # Generated by: gromit policy
 
+ARG BASE_IMAGE=gcr.io/distroless/base-debian13:nonroot
+
 FROM debian:trixie-slim AS deb
 ARG TARGETARCH
 ARG BUILD_PACKAGE_NAME
@@ -10,7 +12,7 @@ ENV DEBIAN_FRONTEND=noninteractive
 COPY ${BUILD_PACKAGE_NAME}_*${TARGETARCH}.deb /
 RUN dpkg -i /${BUILD_PACKAGE_NAME}_*${TARGETARCH}.deb && rm /*.deb
 
-FROM gcr.io/distroless/base-debian12:latest
+FROM ${BASE_IMAGE}
 
 COPY --from=deb /opt/tyk-gateway /opt/tyk-gateway
 

ci/Dockerfile.distroless

@@ -57,6 +57,60 @@ builds:
     goarch:
       - s390x
     binary: tyk
+  - id: fips-amd64
+    flags:
+      - -tags=goplugin,ee,fips
+      - -trimpath
+    env:
+      - NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
+      - CC=gcc
+      - GOFIPS140=v1.0.0
+    ldflags:
+      - -X github.com/TykTechnologies/tyk/internal/build.Version={{.Version}}
+      - -X github.com/TykTechnologies/tyk/internal/build.Commit={{.FullCommit}}
+      - -X github.com/TykTechnologies/tyk/internal/build.BuildDate={{.Date}}
+      - -X github.com/TykTechnologies/tyk/internal/build.BuiltBy=goreleaser
+    goos:
+      - linux
+    goarch:
+      - amd64
+    binary: tyk
+  - id: fips-arm64
+    flags:
+      - -tags=goplugin,ee,fips
+      - -trimpath
+    env:
+      - NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
+      - CC=aarch64-linux-gnu-gcc
+      - GOFIPS140=v1.0.0
+    ldflags:
+      - -X github.com/TykTechnologies/tyk/internal/build.Version={{.Version}}
+      - -X github.com/TykTechnologies/tyk/internal/build.Commit={{.FullCommit}}
+      - -X github.com/TykTechnologies/tyk/internal/build.BuildDate={{.Date}}
+      - -X github.com/TykTechnologies/tyk/internal/build.BuiltBy=goreleaser
+    goos:
+      - linux
+    goarch:
+      - arm64
+    binary: tyk
+  - id: fips-s390x
+    flags:
+      - -tags=goplugin,ee,fips
+      - -trimpath
+    env:
+      - NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
+      - CC=s390x-linux-gnu-gcc
+      - GOFIPS140=v1.0.0
+    ldflags:
+      - -X github.com/TykTechnologies/tyk/internal/build.Version={{.Version}}
+      - -X github.com/TykTechnologies/tyk/internal/build.Commit={{.FullCommit}}
+      - -X github.com/TykTechnologies/tyk/internal/build.BuildDate={{.Date}}
+      - -X github.com/TykTechnologies/tyk/internal/build.BuiltBy=goreleaser
+    goos:
+      - linux
+    goarch:
+      - s390x
+    binary: tyk
   - id: std-amd64
     flags:
       - -tags=goplugin
@@ -168,6 +222,65 @@ nfpms:
       signature:
         key_file: tyk.io.signing.key
         type: origin
+  - id: fips
+    vendor: "Tyk Technologies Ltd"
+    homepage: "https://tyk.io"
+    maintainer: "Tyk <info@tyk.io>"
+    description: Tyk API Gateway Enterprise Edition written in Go, supporting REST, GraphQL, TCP and gRPC protocols Built with FIPS 140-3 compliant cryptography
+    package_name: tyk-gateway-fips
+    file_name_template: "{{ .ConventionalFileName }}"
+    ids:
+      - fips-amd64
+      - fips-arm64
+      - fips-s390x
+    formats:
+      - deb
+      - rpm
+    contents:
+      - src: "README.md"
+        dst: "/opt/share/docs/tyk-gateway/README.md"
+      - src: "ci/install/*"
+        dst: "/opt/tyk-gateway/install"
+      - src: ci/install/inits/systemd/system/tyk-gateway.service
+        dst: /lib/systemd/system/tyk-gateway.service
+      - src: ci/install/inits/sysv/init.d/tyk-gateway
+        dst: /etc/init.d/tyk-gateway
+      - src: /opt/tyk-gateway
+        dst: /opt/tyk
+        type: "symlink"
+      - src: "LICENSE.md"
+        dst: "/opt/share/docs/tyk-gateway/LICENSE.md"
+      - src: "apps/app_sample.*"
+        dst: "/opt/tyk-gateway/apps"
+      - src: "templates/*.json"
+        dst: "/opt/tyk-gateway/templates"
+      - src: "templates/playground/*"
+        dst: "/opt/tyk-gateway/templates/playground"
+      - src: "middleware/*.js"
+        dst: "/opt/tyk-gateway/middleware"
+      - src: "event_handlers/sample/*.js"
+        dst: "/opt/tyk-gateway/event_handlers/sample"
+      - src: "policies/*.json"
+        dst: "/opt/tyk-gateway/policies"
+      - src: "coprocess/*"
+        dst: "/opt/tyk-gateway/coprocess"
+      - src: tyk.conf.example
+        dst: /opt/tyk-gateway/tyk.conf
+        type: "config|noreplace"
+    scripts:
+      preinstall: "ci/install/before_install.sh"
+      postinstall: "ci/install/post_install.sh"
+      postremove: "ci/install/post_remove.sh"
+    bindir: "/opt/tyk-gateway"
+    rpm:
+      scripts:
+        posttrans: ci/install/post_trans.sh
+      signature:
+        key_file: tyk.io.signing.key
+    deb:
+      signature:
+        key_file: tyk.io.signing.key
+        type: origin
   - id: std
     vendor: "Tyk Technologies Ltd"
     homepage: "https://tyk.io"
@@ -234,6 +347,12 @@ publishers:
     env:
       - PACKAGECLOUD_TOKEN={{ .Env.PACKAGECLOUD_TOKEN }}
     cmd: packagecloud publish --debvers "{{ .Env.DEBVERS }}" --rpmvers "{{ .Env.RPMVERS }}" tyk/tyk-ee-unstable {{ .ArtifactPath }}
+  - name: fips
+    ids:
+      - fips
+    env:
+      - PACKAGECLOUD_TOKEN={{ .Env.PACKAGECLOUD_TOKEN }}
+    cmd: packagecloud publish --debvers "{{ .Env.DEBVERS }}" --rpmvers "{{ .Env.RPMVERS }}" tyk/tyk-ee-unstable {{ .ArtifactPath }}
   - name: std
     ids:
       - std

ci/goreleaser/goreleaser.yml

@@ -13,7 +13,7 @@ tasks:
     desc: "Run the OpenAPI specification tests"
     cmds:
       - venom run testdata/populate_gateway_test_data.yaml --var bearerToken=$PORTMAN_API_Key  --stop-on-failure && rm venom*.log
-      - npm install
+      - npm ci
       - npm start
 
   build: