diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4314b179641..2c88c205d5f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -50,6 +50,7 @@ jobs: debvers: 'ubuntu/xenial ubuntu/bionic ubuntu/focal ubuntu/jammy ubuntu/noble debian/jessie debian/buster debian/bullseye debian/bookworm debian/trixie' outputs: ee_tags: ${{ steps.ci_metadata_ee.outputs.tags }} + fips_tags: ${{ steps.ci_metadata_fips.outputs.tags }} std_tags: ${{ steps.ci_metadata_std.outputs.tags }} commit_author: ${{ steps.set_outputs.outputs.commit_author}} steps: @@ -98,7 +99,7 @@ jobs: ci/bin/unlock-agent.sh git config --global url."https://${{ secrets.ORG_GH_TOKEN }}@github.com".insteadOf "https://github.com" git config --global --add safe.directory /go/src/github.com/TykTechnologies/tyk - goreleaser release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot --skip=sign' || '' }}' | tee /tmp/build.sh + goreleaser release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot --skip=sign,docker' || '--skip=docker' }}' | tee /tmp/build.sh chmod +x /tmp/build.sh docker run --rm --privileged -e GITHUB_TOKEN=${{ github.token }} \ -e GOPRIVATE=github.com/TykTechnologies \ 
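Review bot: With `--skip=docker` now passed on every run (both branches of the conditional), goreleaser no longer builds or signs any container image, so image signing is whatever the `docker/build-push-action` steps provide; in this diff those steps carry `provenance: mode=max` and `sbom: true` but no signature step. If `ci/goreleaser/goreleaser.yml` defined `docker_signs` (not visible here, so inferred) that signing is silently lost on tag builds, while package signing is unaffected because `--skip=sign` is still only added on the snapshot branch. A comment on the changed line would record the new split of responsibilities: `# goreleaser builds and signs packages only; images are built/pushed by the build-push steps below`.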
@@ -197,6 +198,71 @@ jobs: labels: ${{ steps.tag_metadata_ee.outputs.labels }} build-args: | BUILD_PACKAGE_NAME=tyk-gateway-ee + - name: Docker metadata for fips CI + id: ci_metadata_fips + if: ${{ matrix.golang_cross == '1.24-bullseye' }} + uses: docker/metadata-action@v5 + with: + images: | + ${{ steps.ecr.outputs.registry }}/tyk + flavor: | + latest=false + tags: | + type=ref,event=branch + type=ref,event=pr + type=sha,format=long + type=semver,pattern={{major}},prefix=v + type=semver,pattern={{major}}.{{minor}},prefix=v + type=semver,pattern={{version}},prefix=v + - name: push fips image to CI + if: ${{ matrix.golang_cross == '1.24-bullseye' }} + uses: docker/build-push-action@v6 + with: + context: "dist" + platforms: linux/amd64 + file: ci/Dockerfile.distroless + provenance: mode=max + sbom: true + push: true + cache-from: type=gha + cache-to: type=gha,mode=max + tags: ${{ steps.ci_metadata_fips.outputs.tags }} + labels: ${{ steps.ci_metadata_fips.outputs.labels }} + build-args: | + BUILD_PACKAGE_NAME=tyk-gateway-fips + - name: Docker metadata for fips tag push + id: tag_metadata_fips + uses: docker/metadata-action@v5 + with: + images: | + tykio/tyk-gateway-fips + flavor: | + latest=false + prefix=v + tags: | + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{version}} + labels: | + org.opencontainers.image.title=Tyk Gateway FIPS + org.opencontainers.image.description=Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols Built with boringssl + org.opencontainers.image.vendor=tyk.io + org.opencontainers.image.version=${{ github.ref_name }} + - name: push fips image to prod + if: ${{ matrix.golang_cross == '1.24-bullseye' }} + uses: docker/build-push-action@v6 + with: + context: "dist" + platforms: linux/amd64 + file: ci/Dockerfile.distroless + provenance: mode=max + sbom: true + cache-from: type=gha + cache-to: type=gha,mode=max + push: ${{ startsWith(github.ref, 'refs/tags') }} + tags: ${{ 
steps.tag_metadata_fips.outputs.tags }} + labels: ${{ steps.tag_metadata_fips.outputs.labels }} + build-args: | + BUILD_PACKAGE_NAME=tyk-gateway-fips - name: Docker metadata for std CI id: ci_metadata_std if: ${{ matrix.golang_cross == '1.24-bullseye' }} @@ -421,7 +487,8 @@ jobs: ARG TARGETARCH COPY tyk-gateway*_${TARGETARCH}.deb /tyk-gateway.deb RUN apt-get update && apt-get install -y curl - RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-gateway/script.deb.sh | bash && apt-get install -y tyk-gateway=3.0.8 + RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-gateway/script.deb.sh | bash || echo "Repository setup failed, but continuing" + RUN apt-get install -y tyk-gateway=3.0.8 || echo "Previous version not found, testing fresh install" RUN dpkg -i /tyk-gateway.deb RUN /opt/tyk-gateway/install/setup.sh --listenport=8080 --redishost=localhost --redisport=6379 --domain="" @@ -479,7 +546,8 @@ jobs: COPY tyk-gateway*.${RHELARCH}.rpm /tyk-gateway.rpm RUN command -v curl || yum install -y curl RUN command -v useradd || yum install -y shadow-utils - RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-gateway/script.rpm.sh | bash && yum install -y tyk-gateway-3.0.8-1 + RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-gateway/script.rpm.sh | bash || echo "Repository setup failed, but continuing" + RUN yum install -y tyk-gateway-3.0.8-1 || echo "Previous version not found, testing fresh install" RUN curl https://keyserver.tyk.io/tyk.io.rpm.signing.key.2020 -o tyk-gateway.key && rpm --import tyk-gateway.key RUN rpm --checksig /tyk-gateway.rpm RUN rpm -Uvh --force /tyk-gateway.rpm diff --git a/ci/Dockerfile.std b/ci/Dockerfile.std index 544d4296e7c..1ec88aff09e 100644 --- a/ci/Dockerfile.std +++ b/ci/Dockerfile.std 
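Review bot: The `ci_metadata_fips` step tags its image as `${{ steps.ecr.outputs.registry }}/tyk` with `type=sha,format=long`, branch and pr rules and nothing in `flavor:` that distinguishes it; if `ci_metadata_std` and `ci_metadata_ee` (their `images:` lines are outside this hunk) target the same repository with the same rules, the FIPS and std pushes overwrite each other's `sha-…` tag and whichever runs last wins, so a consumer pulling the CI image by commit cannot tell which build it received. A `suffix=-fips` line under `flavor:`, or a dedicated repository as the prod step already does with `tykio/tyk-gateway-fips`, keeps them apart. Separately, `tag_metadata_fips` is the only one of the four new steps without `if: ${{ matrix.golang_cross == '1.24-bullseye' }}`, so it runs on every matrix leg, and the prod push condition uses `startsWith(github.ref, 'refs/tags')` where the rest of the file writes `'refs/tags/'`.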
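Review bot: The two new `|| echo …` fallbacks turn any failure of the upgrade path into a successful build, so this upgrade test no longer demonstrates that 3.0.8 can be upgraded: a broken repository bootstrap, a removed 3.0.8 package or a failed `apt-get install` all print a line and fall through to what is effectively a fresh-install test, and the job stays green. The same pattern is repeated in the yum/rpm hunk at `@@ -479,7 +546,8 @@`. If the fresh-install fallback is intended, make it observable rather than silent, e.g. `RUN apt-get install -y tyk-gateway=3.0.8 || { echo "Previous version not found, testing fresh install"; touch /tmp/fresh-install; }` and have the job inspect that marker (fail, or at least surface it in the step summary) so a regression in the upgrade path cannot hide behind the fallback. The curl-to-bash repository setup is pre-existing, but now that its exit status is masked a partially executed script is also invisible.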
@@ -13,17 +13,17 @@ RUN apt-get update \ RUN dpkg --purge --force-remove-essential curl ncurses-base || true RUN rm -fv /usr/bin/passwd /usr/sbin/adduser || true +# Comment this to test in dev +COPY dist/${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb / +RUN dpkg -i /${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb && find / -maxdepth 1 -name "*.deb" -delete + # Clean up caches, unwanted .a and .o files RUN rm -rf /root/.cache \ && apt-get -y autoremove \ && apt-get clean \ - && rm -rf /usr/include/* /var/cache/apt/archives /var/lib/{apt,dpkg,cache,log} \ + && rm -rf /usr/include/* /var/cache/apt/archives /var/lib/apt /var/lib/cache /var/log/* \ && find /usr/lib -type f -name '*.a' -o -name '*.o' -delete -# Comment this to test in dev -COPY ${BUILD_PACKAGE_NAME}_*${TARGETARCH}.deb / -RUN dpkg -i /${BUILD_PACKAGE_NAME}*${TARGETARCH}.deb && rm /*.deb - ARG PORTS EXPOSE $PORTS diff --git a/ci/goreleaser/goreleaser.yml b/ci/goreleaser/goreleaser.yml index 025154eceac..63fe5629eb2 100644 --- a/ci/goreleaser/goreleaser.yml +++ b/ci/goreleaser/goreleaser.yml @@ -63,7 +63,7 @@ builds: env: - NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates - CC=gcc - - $env + - GOEXPERIMENT=boringcrypto ldflags: - -X github.com/TykTechnologies/tyk/internal/build.Version={{.Version}} - -X github.com/TykTechnologies/tyk/internal/build.Commit={{.FullCommit}} diff --git a/ci/install/post_install.sh b/ci/install/post_install.sh index e2a8b4ae03e..2343b418981 100755 --- a/ci/install/post_install.sh +++ b/ci/install/post_install.sh @@ -18,9 +18,9 @@ fi cleanup() { # After installing, remove files that were not needed on this platform / system if [ "${use_systemctl}" = "True" ]; then - rm -f /lib/systemd/system/tyk-gateway.service - else rm -f /etc/init.d/tyk-gateway + else + rm -f /lib/systemd/system/tyk-gateway.service fi } 
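Review bot: The moved `COPY dist/${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb /` now expects the package under `dist/`, so the build context for this Dockerfile must be the repository root; the FIPS steps in release.yml use `context: "dist"` with `ci/Dockerfile.distroless`, and the std push step is not in this diff, so confirm its `context:` agrees with the new path, and that a `.dockerignore` keeps the rest of the tree out of the build context. Replacing the brace-expansion list with explicit paths is a genuine fix, since `RUN` executes under `/bin/sh` where `/var/lib/{apt,dpkg,cache,log}` never expanded, and leaving `/var/lib/dpkg` in place is what lets the `sbom: true` build see the installed package database. The adjacent context line `&& find /usr/lib -type f -name '*.a' -o -name '*.o' -delete` binds `-delete` only to the `*.o` branch, so `.a` files are never removed despite the comment; `&& find /usr/lib -type f \( -name '*.a' -o -name '*.o' \) -delete` does what the comment says.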
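Review bot: `GOEXPERIMENT=boringcrypto` replaces the templated `$env` entry, so this build entry is now unconditionally a BoringCrypto build; if this goreleaser.yml is the template behind the std and ee builds as well (the `NOP=nop` comment about template conditionals suggests it), every variant would be built this way rather than only the `tyk-gateway-fips` package the workflow introduces, so confirm the build id above this hunk is the FIPS one. BoringCrypto is documented to take effect only with cgo enabled on linux/amd64 and linux/arm64 and to fall back to standard Go crypto elsewhere, so a clean compile is not evidence the module is linked; a post-build check such as `go tool nm <binary> | grep -q _Cfunc__goboringcrypto_` (binary path is a placeholder) would turn a silent fallback into a build failure. A comment on the line, `# BoringCrypto module: requires CGO_ENABLED=1; only linux/amd64 and linux/arm64`, records the constraint next to `CC=gcc`.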
@@ -39,8 +39,8 @@ restoreServices() { setupOwnership() { printf "\033[32m Post Install of the install directory ownership and permissions\033[0m\n" [ "${change_ownership}" = "True" ] && chown -R tyk:tyk /opt/tyk-gateway - # Config file should never be world-readable - chmod 660 /opt/tyk-gateway/tyk.conf + # Config file should never be world-readable (only if it exists) + [ -f /opt/tyk-gateway/tyk.conf ] && chmod 660 /opt/tyk-gateway/tyk.conf } cleanInstall() {
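Review bot: The guarded `chmod` is now the last command of `setupOwnership`, so when `/opt/tyk-gateway/tyk.conf` is absent the `[ -f … ] &&` list leaves the function with a non-zero status; whether the script runs under `set -e` is not visible in this hunk, but if it does, a bare `setupOwnership` call aborts the post-install in exactly the case this change was meant to tolerate. `if [ -f /opt/tyk-gateway/tyk.conf ]; then chmod 660 /opt/tyk-gateway/tyk.conf; fi` has the intended meaning and returns 0 either way. The ownership line above only runs when `change_ownership` is True, so a config file that stays root-owned with mode 660 is unreadable by a service running as `tyk`; that is pre-existing, but the comment could record it: `# 660: owner and group only; ownership is adjusted only when change_ownership=True`.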