Merged
33 changes: 33 additions & 0 deletions .github/workflows/plugin-compiler-build.yml
Expand Up @@ -112,3 +112,36 @@
GITHUB_SHA=${{ github.sha }}
GITHUB_TAG=${{ github.ref_name }}
BUILD_TAG=ee

- name: Set docker metadata FIPS
id: set-metadata-fips
uses: docker/metadata-action@v4
with:
images: |
tykio/tyk-plugin-compiler-fips,enable=${{ startsWith(github.ref, 'refs/tags') }}
${{ steps.login-ecr.outputs.registry }}/tyk-plugin-compiler-fips
labels: |
org.opencontainers.image.title=tyk-plugin-compiler-fips
org.opencontainers.image.description=Plugin compiler for the Tyk API Gateway FIPS Edition
tags: |
type=ref,event=pr
type=semver,pattern=v{{version}}
type=semver,pattern=v{{major}}.{{minor}}
type=semver,pattern={{raw}}
type=sha,format=long

- name: Build and push to dockerhub/ECR FIPS
uses: docker/build-push-action@v4
with:
context: .
file: ci/images/plugin-compiler/Dockerfile
platforms: linux/amd64
push: true
labels: ${{ steps.set-metadata-fips.outputs.labels }}
tags: ${{ steps.set-metadata-fips.outputs.tags }}
build-args: |
BASE_IMAGE=tykio/golang-cross:${{ env.GOLANG_CROSS }}
GITHUB_SHA=${{ github.sha }}
GITHUB_TAG=${{ github.ref_name }}
BUILD_TAG=ee,fips
GOFIPS140=v1.0.0
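Review bot: every build of this job is published, PR builds included, because `push: true` is unconditional and the tag list contains `type=ref,event=pr`; only the Docker Hub image name is gated by `enable=${{ startsWith(github.ref, 'refs/tags') }}`, so a PR-built `tyk-plugin-compiler-fips` image lands in ECR under the PR ref. If that mirrors the EE job it is at least consistent, but an unreviewed build carrying the FIPS name and the `org.opencontainers.image.description=... FIPS Edition` label is worth a deliberate decision rather than a copy. Two smaller points: `docker/metadata-action@v4` and `docker/build-push-action@v4` are mutable tags; pin both to a commit SHA (keeping the tag in a comment) so the job that produces a FIPS-labelled image cannot change underneath it. And `GOFIPS140=v1.0.0` is only honoured by a Go 1.24 or newer toolchain; on an older one the variable is ignored and the image builds without FIPS mode, so `tykio/golang-cross:${{ env.GOLANG_CROSS }}` must resolve to at least 1.24 (the Taskfile in this PR moves to 1.24, but `GOLANG_CROSS` itself is not shown here) and the build should fail rather than proceed if it does not.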

Check warning on line 147 in .github/workflows/plugin-compiler-build.yml

probelabs / Visor: architecture

architecture Issue

The new FIPS build job is largely a copy of the existing EE build job, leading to code duplication in the CI workflow. This approach increases maintenance overhead, as any changes to the build process will need to be replicated across all similar jobs. A more scalable and maintainable solution would be to use a matrix strategy.
Raw output
Refactor the workflow to use a `strategy.matrix` to define the different build variants (e.g., standard, EE, FIPS). This would allow you to have a single, parameterized job definition that runs for each variant, eliminating code duplication and making it easier to add new variants in the future. Each matrix entry could define variables for the image name, description, build tags, and GOFIPS140 setting.

Check warning on line 147 in .github/workflows/plugin-compiler-build.yml

probelabs / Visor: quality

architecture Issue

The new FIPS build job is almost a complete copy of the existing build jobs for other variants. This introduces significant code duplication in the CI pipeline, making it harder to maintain and more prone to errors. Future changes to the build process will need to be replicated across all jobs.
Raw output
To improve maintainability, refactor the workflow to use a matrix strategy. This would allow you to define the different build variants (e.g., standard, EE, FIPS) as matrix parameters and use a single, templatized job definition to handle all builds. This approach centralizes the build logic, eliminates duplication, and makes the workflow easier to manage.
4 changes: 2 additions & 2 deletions Taskfile.yml
Expand Up @@ -76,9 +76,9 @@ tasks:
test:plugin-compiler:
desc: "Plugin compiler local build/test"
cmds:
- docker build --build-arg GO_VERSION=1.22 --build-arg BASE_IMAGE=tykio/golang-cross:1.22-bullseye --build-arg GITHUB_TAG=v5.1.0-alpha18 --build-arg GITHUB_SHA=$(git rev-parse HEAD) --platform=linux/amd64 --rm -t internal/plugin-compiler -f ci/images/plugin-compiler/Dockerfile .
- docker build --build-arg GO_VERSION=1.24 --build-arg BASE_IMAGE=tykio/golang-cross:1.24-bullseye --build-arg GITHUB_TAG=v5.1.0-alpha18 --build-arg GITHUB_SHA=$(git rev-parse HEAD) --platform=linux/amd64 --rm -t internal/plugin-compiler -f ci/images/plugin-compiler/Dockerfile .
- docker run -it -e GOARCH=arm64 -e GOOS=linux --rm -v $(readlink -f .)/ci/images/plugin-compiler/data/basic-plugin:/plugin-source internal/plugin-compiler basic-plugin.so
- docker run -it --rm -v $PWD:/go/src/github.com/TykTechnologies/tyk -w /go/src/github.com/TykTechnologies/tyk tykio/golang-cross:1.22-bullseye go build -trimpath -tags=goplugin .
- docker run -it --rm -v $PWD:/go/src/github.com/TykTechnologies/tyk -w /go/src/github.com/TykTechnologies/tyk tykio/golang-cross:1.24-bullseye go build -trimpath -tags=goplugin .
- ./tyk plugin load -f ./ci/images/plugin-compiler/data/basic-plugin/basic-plugin*.so -s MyPluginPre
- docker rmi internal/plugin-compiler
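Review bot: the bump to 1.24 is what `GOFIPS140` needs (it was introduced with Go 1.24), but the local task still only exercises the non-FIPS path: no `BUILD_TAG` or `GOFIPS140` build args are passed, so the `./tyk plugin load` step never checks that a FIPS-built gateway binary loads a FIPS-built plugin. Consider a second `docker build` with `--build-arg BUILD_TAG=ee,fips --build-arg GOFIPS140=v1.0.0` (or a separate `test:plugin-compiler:fips` task), since tag and FIPS mismatches between gateway and plugin only surface at load time. Also, `GO_VERSION=1.24` and `BASE_IMAGE=tykio/golang-cross:1.24-bullseye` are now two places that must agree on the version; deriving one from the other avoids drift, and `GITHUB_TAG=v5.1.0-alpha18` is a hardcoded value that `$(git describe --tags)` would keep current.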

13 changes: 8 additions & 5 deletions ci/images/plugin-compiler/Dockerfile
Expand Up @@ -26,11 +26,6 @@

ADD . $TYK_GW_PATH

# Provide a gateway test binary for testing plugin loading.
RUN --mount=type=cache,mode=0755,target=/go/pkg/mod \
--mount=type=cache,mode=0755,target=/root/.cache/go-build \
GOBIN=/usr/local/bin go install -tags=goplugin -trimpath .

ARG GITHUB_SHA
ARG GITHUB_TAG
ENV GITHUB_SHA=${GITHUB_SHA}
Expand All @@ -39,6 +34,14 @@
ARG BUILD_TAG
ENV BUILD_TAG=${BUILD_TAG}

ARG GOFIPS140
ENV GOFIPS140=${GOFIPS140}

# Provide a gateway test binary for testing plugin loading.
RUN --mount=type=cache,mode=0755,target=/go/pkg/mod \
--mount=type=cache,mode=0755,target=/root/.cache/go-build \
GOBIN=/usr/local/bin go install -tags=goplugin${BUILD_TAG:+,$BUILD_TAG} -trimpath .

Check failure on line 44 in ci/images/plugin-compiler/Dockerfile

probelabs / Visor: security

security Issue

The `BUILD_TAG` build argument is used unquoted in the `go install` command, leading to a potential command injection vulnerability. A malicious value for `BUILD_TAG` (e.g., `foo; rm -rf /`) could allow arbitrary code execution during the Docker image build process. This could compromise the build environment and the source code added to the image.
Raw output
Enclose the `-tags` argument in double quotes to prevent the shell from interpreting special characters in the `BUILD_TAG` variable.
COPY ci/images/plugin-compiler/data/build.sh /build.sh
RUN chmod +x /build.sh
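Review bot: moving the `go install` of the gateway test binary below `ARG BUILD_TAG` and `ARG GOFIPS140` is the substantive change here and deserves a comment in the Dockerfile: Go refuses to load a plugin whose shared packages were built with a different toolchain or build settings than the host binary, so the test gateway has to see the same `goplugin,ee,fips` tag list and the same `GOFIPS140` value that `build.sh` will use for the plugin, whereas before it was built with `-tags=goplugin` only. On the Visor finding: the shell does not re-parse expanded text for `;`, so `BUILD_TAG='foo; rm -rf /'` is not command injection; it is field-split into extra arguments to `go install` (`-tags=goplugin,foo;`, `rm`, `-rf`, `/`), which fails the build rather than running `rm`. Whitespace in the value can still smuggle extra `go` flags onto the command line, so quoting as `-tags="goplugin${BUILD_TAG:+,$BUILD_TAG}"` is worthwhile hygiene, but the real control is a value check: `BUILD_TAG` should be a comma-separated list of build tags and anything else should fail the build. Finally, `ENV GOFIPS140=${GOFIPS140}` bakes an empty variable into non-FIPS images and exports it to `docker run` users, so `-e GOFIPS140=off` at run time would make the compiled plugin diverge from the gateway binary already baked into the image.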

6 changes: 1 addition & 5 deletions ci/images/plugin-compiler/data/build.sh
Expand Up @@ -145,14 +145,10 @@
git diff --cached
fi

if [ -n "$BUILD_TAG" ]; then
CC=$CC CGO_ENABLED=1 GOOS=$GOOS GOARCH=$GOARCH go build -buildmode=plugin -trimpath -tags=$BUILD_TAG -o $plugin_name
else
CC=$CC CGO_ENABLED=1 GOOS=$GOOS GOARCH=$GOARCH go build -buildmode=plugin -trimpath -o $plugin_name
fi
CC=$CC CGO_ENABLED=1 GOOS=$GOOS GOARCH=$GOARCH go build -buildmode=plugin -trimpath -tags=goplugin${BUILD_TAG:+,$BUILD_TAG} -o $plugin_name

set +x

Check failure on line 151 in ci/images/plugin-compiler/data/build.sh

probelabs / Visor: security

security Issue

The `BUILD_TAG` environment variable is used unquoted in the `go build` command, leading to a potential command injection vulnerability. A user of the plugin compiler image could set a malicious `BUILD_TAG` environment variable (e.g., `foo; rm -rf /`) to execute arbitrary code inside the container. This could be used to compromise the plugin source code or other sensitive data in the container's environment.
Raw output
Enclose the `-tags` argument in double quotes to prevent the shell from interpreting special characters in the `BUILD_TAG` variable.
mv *.so $PLUGIN_SOURCE_PATH

# Clean up workspace
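Review bot: this changes behaviour for every plugin build, not only FIPS ones: an empty `BUILD_TAG` previously built the plugin with no tags at all, and now always yields `-tags=goplugin`. That matches the gateway binary in the Dockerfile, so it is the right direction, but it should be stated in the PR description or changelog. `GOFIPS140` is consumed only implicitly through the environment, so echoing `go env GOFIPS140` together with the effective tag list under the existing `set -x` would make a load failure from a tag or FIPS mismatch diagnosable from the build log. On the quoting: `${BUILD_TAG:+,$BUILD_TAG}` is never parsed for `;`, so the scenario Visor describes is argument splitting rather than command execution, and whoever sets the variable already controls the container and the plugin source it compiles; still, quote the expansion and reject values that are not a comma-separated tag list, and the unquoted `-o $plugin_name` and `mv *.so $PLUGIN_SOURCE_PATH` have the same whitespace-splitting problem.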
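To make the two Visor security findings concrete, the following is an added example, not code from the Tyk repository or from the bot: it shows what the unquoted `${BUILD_TAG:+,$BUILD_TAG}` expansion actually hands to `go` (extra argv words, not a second command), what double-quoting changes, and a validation helper that rejects any `BUILD_TAG` that is not a comma-separated list of Go build tags. The function names and the sample `BUILD_TAG` values are constructed for this example.

```shell
#!/bin/sh
# Added example, not Tyk project code. Demonstrates the expansion used in
# build.sh and the Dockerfile, and a value check for BUILD_TAG.

# Count the argv words the unquoted form (as in build.sh) produces.
# The expansion result is field-split on whitespace but never re-parsed,
# so ';' stays inside a word and nothing after it runs as a command.
unquoted_word_count() {
    _tag=$1
    set -- -tags=goplugin${_tag:+,$_tag}
    echo $#
}

# Same expansion inside double quotes: one word regardless of content.
quoted_word_count() {
    _tag=$1
    set -- "-tags=goplugin${_tag:+,$_tag}"
    echo $#
}

# Validate BUILD_TAG as a comma-separated list of Go build tags
# (letters, digits, '_' and '.') and print the final -tags flag.
# Returns 1 and prints nothing on stdout for anything else.
build_tags_flag() {
    _tag=$1
    case $_tag in
        '') ;;                          # no extra tags is fine
        *[!A-Za-z0-9_.,]*) return 1 ;;  # whitespace, ';', '-', '=', '/' ...
        ,*|*,|*,,*) return 1 ;;         # empty list element
    esac
    printf '%s\n' "-tags=goplugin${_tag:+,$_tag}"
}

# Example invocations with constructed values:
unquoted_word_count 'ee; rm -rf /'   # 4 words: -tags=goplugin,ee; rm -rf /
quoted_word_count   'ee; rm -rf /'   # 1 word
build_tags_flag ee,fips              # -tags=goplugin,ee,fips
build_tags_flag 'ee -toolexec=/x' || echo "rejected BUILD_TAG" >&2
```

Quoting alone only stops the splitting; the value check is what keeps a stray flag such as `-toolexec` out of the `go build` argv, and it is cheap to run at the top of `build.sh` before `set -x`.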