Publish boringcrypto image

Signed-off-by: Tiger Kaovilai <[email protected]>
vmware-tanzu · Nov 18, 2024 · 13d4d58 · 13d4d58
1 parent dacd5ef
commit 13d4d58
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 1 deletion.
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -69,6 +69,7 @@ jobs:
           # Build and push Velero image to docker registry
           docker login -u ${{ secrets.DOCKER_USER }} -p ${{ secrets.DOCKER_PASSWORD }}
           VERSION=$(./hack/docker-push.sh | grep 'VERSION:' | awk -F: '{print $2}' | xargs)
+          GOEXPERIMENT=boringcrypto SUFFIX=boringcrypto ./hack/docker-push.sh && echo published boringcrypto image
 
           # Upload Velero image package to GCS
           source hack/ci/build_util.sh

diff --git a/Dockerfile b/Dockerfile
@@ -25,13 +25,15 @@ ARG GIT_TREE_STATE
 ARG TARGETOS
 ARG TARGETARCH
 ARG TARGETVARIANT
+ARG GOEXPERIMENT
 
 ENV CGO_ENABLED=0 \
     GO111MODULE=on \
     GOPROXY=${GOPROXY} \
     GOOS=${TARGETOS} \
     GOARCH=${TARGETARCH} \
     GOARM=${TARGETVARIANT} \
+    GOEXPERIMENT=${GOEXPERIMENT} \
     LDFLAGS="-X ${PKG}/pkg/buildinfo.Version=${VERSION} -X ${PKG}/pkg/buildinfo.GitSHA=${GIT_SHA} -X ${PKG}/pkg/buildinfo.GitTreeState=${GIT_TREE_STATE} -X ${PKG}/pkg/buildinfo.ImageRegistry=${REGISTRY}"
 
 WORKDIR /go/src/github.com/vmware-tanzu/velero
@@ -55,13 +57,15 @@ ARG TARGETOS
 ARG TARGETARCH
 ARG TARGETVARIANT
 ARG RESTIC_VERSION
+ARG GOEXPERIMENT
 
 ENV CGO_ENABLED=0 \
     GO111MODULE=on \
     GOPROXY=${GOPROXY} \
     GOOS=${TARGETOS} \
     GOARCH=${TARGETARCH} \
-    GOARM=${TARGETVARIANT}
+    GOARM=${TARGETVARIANT} \
+    GOEXPERIMENT=${GOEXPERIMENT}
 
 COPY . /go/src/github.com/vmware-tanzu/velero
 
@@ -70,6 +74,18 @@ RUN mkdir -p /output/usr/bin && \
     /go/src/github.com/vmware-tanzu/velero/hack/build-restic.sh && \
     go clean -modcache -cache
 
+# validate that FIPS is enabled in the binaries
+FROM --platform=$BUILDPLATFORM golang:1.22-bookworm AS fips-validator
+ARG GOEXPERIMENT
+ARG BIN
+COPY --from=velero-builder /output /
+COPY --from=restic-builder /output /
+RUN if [ "${GOEXPERIMENT}" = "boringcrypto" ]; then \
+        go tool nm ${BIN} | grep FIPS && \
+        go tool nm velero-helper | grep FIPS && \
+        go tool nm restic | grep FIPS; \
+    fi
+
 # Velero image packing section
 FROM paketobuildpacks/run-jammy-tiny:latest
 

diff --git a/Makefile b/Makefile
@@ -159,6 +159,7 @@ _output/bin/$(GOOS)/$(GOARCH)/$(BIN): build-dirs
 	$(MAKE) shell CMD="-c '\
 		GOOS=$(GOOS) \
 		GOARCH=$(GOARCH) \
+		GOEXPERIMENT=${GOEXPERIMENT} \
 		GOBIN=$(GOBIN) \
 		VERSION=$(VERSION) \
 		REGISTRY=$(REGISTRY) \
@@ -204,6 +205,7 @@ endif
 	$(addprefix -t , $(IMAGE_TAGS)) \
 	$(addprefix -t , $(GCR_IMAGE_TAGS)) \
 	--build-arg=GOPROXY=$(GOPROXY) \
+	--build-arg=GOEXPERIMENT=$(GOEXPERIMENT) \
 	--build-arg=PKG=$(PKG) \
 	--build-arg=BIN=$(BIN) \
 	--build-arg=VERSION=$(VERSION) \

diff --git a/hack/build.sh b/hack/build.sh
@@ -86,3 +86,13 @@ go build \
     -installsuffix "static" \
     -ldflags "${LDFLAGS}" \
     ${PKG}/cmd/${BIN}
+
+# verify fips
+if [[ -z "${GOEXPERIMENT:-}" ]]; then
+    GOEXPERIMENT=""
+fi
+if [[ ${GOEXPERIMENT} = "boringcrypto" ]]; then
+    echo "Verifying fips"
+    go tool nm ${OUTPUT} | grep FIPS || (echo "FIPS not found in binary" && exit 1)
+    echo "FIPS verified"
+fi
diff --git a/hack/docker-push.sh b/hack/docker-push.sh
@@ -92,6 +92,11 @@ if [[ -z "$BUILDX_PLATFORMS" ]]; then
     BUILDX_PLATFORMS="linux/amd64,linux/arm64"
 fi
 
+# if SUFFIX is set, append it to the version
+if [[ -n "$SUFFIX" ]]; then
+    VERSION="$VERSION-$SUFFIX"
+fi
+
 # Debugging info
 echo "Highest tag found: $HIGHEST"
 echo "BRANCH: $BRANCH"