Merged
74 changes: 71 additions & 3 deletions .github/workflows/release.yml
@@ -50,6 +50,7 @@
debvers: 'ubuntu/xenial ubuntu/bionic ubuntu/focal ubuntu/jammy ubuntu/noble debian/jessie debian/buster debian/bullseye debian/bookworm debian/trixie'
outputs:
ee_tags: ${{ steps.ci_metadata_ee.outputs.tags }}
fips_tags: ${{ steps.ci_metadata_fips.outputs.tags }}
std_tags: ${{ steps.ci_metadata_std.outputs.tags }}
commit_author: ${{ steps.set_outputs.outputs.commit_author}}
steps:
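Review bot: the new `fips_tags` output reads `steps.ci_metadata_fips.outputs.tags`, and that step is guarded by `if: ${{ matrix.golang_cross == '1.24-bullseye' }}` later in this file, so on every other matrix row the output resolves to an empty string (the same holds for `std_tags`, whose step carries the same guard). Because job outputs from a matrix are set by whichever row finishes last, any consumer of `needs.<job>.outputs.fips_tags` should treat an empty value as "no FIPS image was published" rather than as a tag list.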
@@ -98,7 +99,7 @@
ci/bin/unlock-agent.sh
git config --global url."https://${{ secrets.ORG_GH_TOKEN }}@github.com".insteadOf "https://github.com"
git config --global --add safe.directory /go/src/github.com/TykTechnologies/tyk
goreleaser release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot --skip=sign' || '' }}' | tee /tmp/build.sh
goreleaser release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot --skip=sign,docker' || '--skip=docker' }}' | tee /tmp/build.sh
chmod +x /tmp/build.sh
docker run --rm --privileged -e GITHUB_TOKEN=${{ github.token }} \
-e GOPRIVATE=github.com/TykTechnologies \
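Review bot: `--skip=docker` is now set on the release path as well, not only for snapshots, so goreleaser no longer builds, pushes or signs any image; publishing and attestation of images now rest entirely on the `docker/build-push-action` steps (`provenance: mode=max`, `sbom: true`) further down in this file, and the PR description should say that the goreleaser-side image artifacts are gone. Minor: the truthy branch keeps a leading space (`' --snapshot --skip=sign,docker'`) while the new falsy branch (`'--skip=docker'`) has none; it works either way in the generated `/tmp/build.sh`, but making the two consistent avoids a later "why is there a space" question.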
@@ -196,8 +197,73 @@
tags: ${{ steps.tag_metadata_ee.outputs.tags }}
labels: ${{ steps.tag_metadata_ee.outputs.labels }}
build-args: |
BUILD_PACKAGE_NAME=tyk-gateway-ee
- name: Docker metadata for fips CI
id: ci_metadata_fips
if: ${{ matrix.golang_cross == '1.24-bullseye' }}
uses: docker/metadata-action@v5
with:
images: |
${{ steps.ecr.outputs.registry }}/tyk
flavor: |
latest=false
tags: |
type=ref,event=branch
type=ref,event=pr
type=sha,format=long
type=semver,pattern={{major}},prefix=v
type=semver,pattern={{major}}.{{minor}},prefix=v
type=semver,pattern={{version}},prefix=v
- name: push fips image to CI
if: ${{ matrix.golang_cross == '1.24-bullseye' }}
uses: docker/build-push-action@v6
with:
context: "dist"
platforms: linux/amd64
file: ci/Dockerfile.distroless
provenance: mode=max
sbom: true
push: true
cache-from: type=gha
cache-to: type=gha,mode=max
tags: ${{ steps.ci_metadata_fips.outputs.tags }}
labels: ${{ steps.ci_metadata_fips.outputs.labels }}
build-args: |
BUILD_PACKAGE_NAME=tyk-gateway-fips
- name: Docker metadata for fips tag push
id: tag_metadata_fips
uses: docker/metadata-action@v5
with:
images: |
tykio/tyk-gateway-fips
flavor: |
latest=false
prefix=v
tags: |
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{version}}
labels: |
org.opencontainers.image.title=Tyk Gateway FIPS
org.opencontainers.image.description=Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols Built with boringssl
org.opencontainers.image.vendor=tyk.io
org.opencontainers.image.version=${{ github.ref_name }}
- name: push fips image to prod
if: ${{ matrix.golang_cross == '1.24-bullseye' }}
uses: docker/build-push-action@v6
with:
context: "dist"
platforms: linux/amd64
file: ci/Dockerfile.distroless
provenance: mode=max
sbom: true
cache-from: type=gha
cache-to: type=gha,mode=max
push: ${{ startsWith(github.ref, 'refs/tags') }}
tags: ${{ steps.tag_metadata_fips.outputs.tags }}
labels: ${{ steps.tag_metadata_fips.outputs.labels }}
build-args: |
BUILD_PACKAGE_NAME=tyk-gateway-fips

Check warning on line 265 in .github/workflows/release.yml (probelabs / Visor: architecture Issue)

The newly added steps for building and pushing the FIPS Docker image are a near-exact copy of the existing steps for the `ee` (lines 131-197) and `std` (lines 268-334) images. This introduces significant code duplication into the CI/CD pipeline, making it harder to maintain and increasing the risk of inconsistencies. A change in the build process would need to be replicated in three places.

Raw output: To adhere to the DRY (Don't Repeat Yourself) principle, refactor the common Docker build-and-push logic into a reusable GitHub Actions workflow (`workflow_call`) or a composite action. This reusable component can then be called three times with different parameters for each image variant (`ee`, `fips`, `std`), such as the image name, build arguments, and labels. This will simplify the main workflow and centralize the build logic.
- name: Docker metadata for std CI

Check warning on line 266 in .github/workflows/release.yml (probelabs / Visor: dependency, architecture Issue)

The introduction of the `tyk-gateway-fips` Docker image creates a new deployment variant that requires corresponding updates in downstream deployment tools. The `tyk-charts` and `tyk-operator` repositories must be updated to allow users to select and configure this FIPS-compliant image. This PR is not linked to any changes in those repositories, which could leave the new feature undeployable through standard methods.

Raw output: Ensure that corresponding pull requests or tickets are created and linked for `tyk-charts` and `tyk-operator` to add support for deploying the `tyk-gateway-fips` image. This typically involves adding new values to the Helm chart and updating the operator's logic to handle the new image variant.
id: ci_metadata_std
if: ${{ matrix.golang_cross == '1.24-bullseye' }}
uses: docker/metadata-action@v5
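Review bot: the `org.opencontainers.image.description` label on the FIPS image ends with "gRPC protocols Built with boringssl" (two sentences run together), and it names BoringSSL while the build in ci/goreleaser/goreleaser.yml actually enables `GOEXPERIMENT=boringcrypto`; suggest `... TCP and gRPC protocols. Built with Go BoringCrypto` so the label on the published artifact matches what is inside it. Two smaller points: `Docker metadata for fips tag push` has no `if:` guard while both fips push steps are guarded on `matrix.golang_cross == '1.24-bullseye'` (harmless, it just runs on every row), and `platforms: linux/amd64` is the right restriction here since BoringCrypto only takes effect on Linux amd64/arm64 builds with cgo, so a multi-arch list would silently ship non-FIPS variants.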
@@ -421,7 +487,8 @@
ARG TARGETARCH
COPY tyk-gateway*_${TARGETARCH}.deb /tyk-gateway.deb
RUN apt-get update && apt-get install -y curl
RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-gateway/script.deb.sh | bash && apt-get install -y tyk-gateway=3.0.8
RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-gateway/script.deb.sh | bash || echo "Repository setup failed, but continuing"
RUN apt-get install -y tyk-gateway=3.0.8 || echo "Previous version not found, testing fresh install"

Check warning on line 491 in .github/workflows/release.yml (probelabs / Visor: security Issue)

Error suppression in the Debian upgrade test pipeline using `|| echo` can mask legitimate installation failures. This may cause upgrade tests to be skipped silently, preventing the detection of regressions in the upgrade process, which could have security implications. The current implementation hides errors from `curl`, `bash`, and `apt-get`.

Raw output: Fail the CI job on unexpected errors. If the goal is to handle cases where a previous version is not found, explicitly check for the 'package not found' error from `apt-get` and only then proceed. Other errors (e.g., from `curl` or repository setup) should cause the job to fail to ensure pipeline integrity.
RUN dpkg -i /tyk-gateway.deb

RUN /opt/tyk-gateway/install/setup.sh --listenport=8080 --redishost=localhost --redisport=6379 --domain=""
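Review bot: `|| echo ...` on both the repository-setup line and the `apt-get install` line turns every failure into a no-op, so a broken packagecloud script, a network error or a genuinely unpublished 3.0.8 package all yield a green "upgrade" test that is really a fresh install; the Visor security warning above is right. Note too that `curl ... | bash` under the Dockerfile default `/bin/sh -c` has no pipefail, so a curl failure was already masked before this change. Suggested shape: fetch the script to a file so its exit status counts, then branch only on the case the fallback is meant to cover:
`RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-gateway/script.deb.sh -o /tmp/repo.sh && bash /tmp/repo.sh`
`RUN if apt-cache madison tyk-gateway | grep -q '3.0.8'; then apt-get install -y tyk-gateway=3.0.8; else echo "3.0.8 not published for this suite, testing fresh install"; fi`
With that form an install failure of a version that is listed still fails the build.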
@@ -479,7 +546,8 @@
COPY tyk-gateway*.${RHELARCH}.rpm /tyk-gateway.rpm
RUN command -v curl || yum install -y curl
RUN command -v useradd || yum install -y shadow-utils
RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-gateway/script.rpm.sh | bash && yum install -y tyk-gateway-3.0.8-1
RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-gateway/script.rpm.sh | bash || echo "Repository setup failed, but continuing"
RUN yum install -y tyk-gateway-3.0.8-1 || echo "Previous version not found, testing fresh install"

Check warning on line 550 in .github/workflows/release.yml (probelabs / Visor: security Issue)

Error suppression in the RPM upgrade test pipeline using `|| echo` can mask legitimate installation failures. This may cause upgrade tests to be skipped silently, preventing the detection of regressions in the upgrade process, which could have security implications. The current implementation hides errors from `curl`, `bash`, and `yum`.

Raw output: Fail the CI job on unexpected errors. If the goal is to handle cases where a previous version is not found, explicitly check for the 'package not found' error from `yum` and only then proceed. Other errors (e.g., from `curl` or repository setup) should cause the job to fail to ensure pipeline integrity.
RUN curl https://keyserver.tyk.io/tyk.io.rpm.signing.key.2020 -o tyk-gateway.key && rpm --import tyk-gateway.key
RUN rpm --checksig /tyk-gateway.rpm
RUN rpm -Uvh --force /tyk-gateway.rpm
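Review bot: same masking problem as the Debian hunk: `|| echo` on the repository script and on `yum install` means the test passes whether or not an upgrade actually happened, and the `curl | bash` pipe already hid curl's own exit status. Suggested shape: `RUN curl -fsSL .../script.rpm.sh -o /tmp/repo.sh && bash /tmp/repo.sh`, then `RUN if yum list available 'tyk-gateway-3.0.8*' >/dev/null 2>&1; then yum install -y tyk-gateway-3.0.8-1; else echo "Previous version not found, testing fresh install"; fi`, so only the "not published" case falls through while a failed install of a listed package still fails the job. The unchanged `rpm --checksig /tyk-gateway.rpm` before `rpm -Uvh --force` is the part of this stage that actually protects the upgrade path; keep it ahead of the install as it is now, and consider `-fsSL` on the signing-key download too so an HTTP error body is never handed to `rpm --import`.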
10 changes: 5 additions & 5 deletions ci/Dockerfile.std
@@ -13,17 +13,17 @@ RUN apt-get update \
RUN dpkg --purge --force-remove-essential curl ncurses-base || true
RUN rm -fv /usr/bin/passwd /usr/sbin/adduser || true

# Comment this to test in dev
COPY dist/${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb /
RUN dpkg -i /${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb && find / -maxdepth 1 -name "*.deb" -delete

# Clean up caches, unwanted .a and .o files
RUN rm -rf /root/.cache \
&& apt-get -y autoremove \
&& apt-get clean \
&& rm -rf /usr/include/* /var/cache/apt/archives /var/lib/{apt,dpkg,cache,log} \
&& rm -rf /usr/include/* /var/cache/apt/archives /var/lib/apt /var/lib/cache /var/log/* \
&& find /usr/lib -type f -name '*.a' -o -name '*.o' -delete

# Comment this to test in dev
COPY ${BUILD_PACKAGE_NAME}_*${TARGETARCH}.deb /
RUN dpkg -i /${BUILD_PACKAGE_NAME}*${TARGETARCH}.deb && rm /*.deb

ARG PORTS

EXPOSE $PORTS
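Review bot: replacing `/var/lib/{apt,dpkg,cache,log}` with explicit paths is the right fix, because `RUN` executes under `/bin/sh -c` where brace expansion does not exist, so the old line removed nothing and the image kept its apt caches. Note the new list deliberately no longer touches `/var/lib/dpkg`, which is required now that `dpkg -i` runs after the cleanup; a one-line comment saying so would stop someone "restoring" it later. The new `COPY ${BUILD_PACKAGE_NAME}_*${TARGETARCH}.deb /` without the `dist/` prefix relies on `context: "dist"` in release.yml, so the two files must move together. Unrelated but sitting in the context lines: `find /usr/lib -type f -name '*.a' -o -name '*.o' -delete` binds as `(-type f -name '*.a') -o (-name '*.o' -delete)`, so `.a` files are never deleted; `find /usr/lib -type f \( -name '*.a' -o -name '*.o' \) -delete` does what the comment says.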
2 changes: 1 addition & 1 deletion ci/goreleaser/goreleaser.yml
@@ -63,10 +63,10 @@
env:
- NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
- CC=gcc
- $env
- GOEXPERIMENT=boringcrypto
ldflags:
- -X github.com/TykTechnologies/tyk/internal/build.Version={{.Version}}
- -X github.com/TykTechnologies/tyk/internal/build.Commit={{.FullCommit}}

Check warning on line 69 in ci/goreleaser/goreleaser.yml (probelabs / Visor: performance Issue)

The build process now enables `GOEXPERIMENT=boringcrypto`, which substitutes the standard Go cryptographic libraries with the FIPS-compliant BoringCrypto library. This change can alter the performance characteristics of cryptographic operations, such as TLS termination, JWT validation, and request signing, potentially leading to performance regressions in CPU-bound workloads.

Raw output: It is recommended to conduct performance benchmarks on critical paths involving cryptographic functions to quantify the impact of this change. This will validate that the switch to BoringCrypto does not introduce unacceptable performance degradation for the gateway's typical workload.
- -X github.com/TykTechnologies/tyk/internal/build.BuildDate={{.Date}}
- -X github.com/TykTechnologies/tyk/internal/build.BuiltBy=goreleaser
goos:
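Review bot: `GOEXPERIMENT=boringcrypto` only changes the crypto backend for Linux amd64/arm64 builds with cgo enabled; on any other `goos`/`goarch` pair in this build block, or with `CGO_ENABLED=0`, Go silently compiles the standard pure-Go crypto and the "FIPS" binary is not FIPS at all. `CC=gcc` is in the env list, so cgo is presumably on, but the release should assert it rather than assume it: a post-build check such as `go tool nm <binary> | grep -q goboringcrypto` (non-empty output means the BoringCrypto symbols are linked in) fails the build if the experiment did not take effect. Also confirm nothing else in the templates still expects the `$env` entry that this hunk drops.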
8 changes: 4 additions & 4 deletions ci/install/post_install.sh
@@ -18,9 +18,9 @@ fi
cleanup() {
# After installing, remove files that were not needed on this platform / system
if [ "${use_systemctl}" = "True" ]; then
rm -f /lib/systemd/system/tyk-gateway.service
else
rm -f /etc/init.d/tyk-gateway
else
rm -f /lib/systemd/system/tyk-gateway.service
fi
}
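Review bot: the swap is a genuine bug fix: before this change the branch removed the systemd unit on systemd hosts and the init script on SysV hosts, i.e. exactly the file the platform needed. Since the condition reads naturally either way, a short comment on the `if` (for example "# drop the init-system file we are NOT using") would stop the next reader from "correcting" it back. Worth adding an assertion to the Debian/RPM upgrade test images in release.yml that the expected unit file still exists after `dpkg -i` / `rpm -Uvh`, so this cannot regress silently.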

@@ -39,8 +39,8 @@ restoreServices() {
setupOwnership() {
printf "\033[32m Post Install of the install directory ownership and permissions\033[0m\n"
[ "${change_ownership}" = "True" ] && chown -R tyk:tyk /opt/tyk-gateway
# Config file should never be world-readable
chmod 660 /opt/tyk-gateway/tyk.conf
# Config file should never be world-readable (only if it exists)
[ -f /opt/tyk-gateway/tyk.conf ] && chmod 660 /opt/tyk-gateway/tyk.conf
}
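Review bot: `[ -f /opt/tyk-gateway/tyk.conf ] && chmod 660 ...` is the last statement in `setupOwnership`, so when the file is absent the function returns 1; that is ignored today, but if the script (or a packaging hook that sources it) ever runs with `set -e`, a bare `setupOwnership` call would abort the post-install on a fresh machine. `if [ -f /opt/tyk-gateway/tyk.conf ]; then chmod 660 /opt/tyk-gateway/tyk.conf; fi` keeps the guard and always returns 0. Since the point of the chmod is that the config must never be world-readable, whichever step creates `tyk.conf` when it is missing should apply the same mode, otherwise the guard only protects upgrades and not first installs.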

cleanInstall() {