From 13d4d5848e9ec549a5e6878ef2d4b1780d4bb59f Mon Sep 17 00:00:00 2001
From: Tiger Kaovilai
Date: Mon, 18 Nov 2024 00:22:55 -0500
Subject: [PATCH] Publish boringcrypto image

Signed-off-by: Tiger Kaovilai
---
 .github/workflows/push.yml | 1 +
 Dockerfile | 18 +++++++++++++++++-
 Makefile | 2 ++
 hack/build.sh | 10 ++++++++++
 hack/docker-push.sh | 5 +++++
 5 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index a4d2371734b..871e14bc214 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -69,6 +69,7 @@ jobs:
 # Build and push Velero image to docker registry
 docker login -u ${{ secrets.DOCKER_USER }} -p ${{ secrets.DOCKER_PASSWORD }}
 VERSION=$(./hack/docker-push.sh | grep 'VERSION:' | awk -F: '{print $2}' | xargs)
+ GOEXPERIMENT=boringcrypto SUFFIX=boringcrypto ./hack/docker-push.sh && echo published boringcrypto image
 # Upload Velero image package to GCS
 source hack/ci/build_util.sh
diff --git a/Dockerfile b/Dockerfile
index 25b314a1115..fdf87710a37 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -25,6 +25,7 @@ ARG GIT_TREE_STATE
 ARG TARGETOS
 ARG TARGETARCH
 ARG TARGETVARIANT
+ARG GOEXPERIMENT
 ENV CGO_ENABLED=0 \
 GO111MODULE=on \
@@ -32,6 +33,7 @@ ENV CGO_ENABLED=0 \
 GOOS=${TARGETOS} \
 GOARCH=${TARGETARCH} \
 GOARM=${TARGETVARIANT} \
+ GOEXPERIMENT=${GOEXPERIMENT} \
 LDFLAGS="-X ${PKG}/pkg/buildinfo.Version=${VERSION} -X ${PKG}/pkg/buildinfo.GitSHA=${GIT_SHA} -X ${PKG}/pkg/buildinfo.GitTreeState=${GIT_TREE_STATE} -X ${PKG}/pkg/buildinfo.ImageRegistry=${REGISTRY}"
 WORKDIR /go/src/github.com/vmware-tanzu/velero
@@ -55,13 +57,15 @@ ARG TARGETOS
 ARG TARGETARCH
 ARG TARGETVARIANT
 ARG RESTIC_VERSION
+ARG GOEXPERIMENT
 ENV CGO_ENABLED=0 \
 GO111MODULE=on \
 GOPROXY=${GOPROXY} \
 GOOS=${TARGETOS} \
 GOARCH=${TARGETARCH} \
- GOARM=${TARGETVARIANT}
+ GOARM=${TARGETVARIANT} \
+ GOEXPERIMENT=${GOEXPERIMENT}
 COPY . /go/src/github.com/vmware-tanzu/velero
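Review bot: The added `GOEXPERIMENT=boringcrypto SUFFIX=boringcrypto ./hack/docker-push.sh && echo published boringcrypto image` cannot fail the step: under bash's `-e` (the default for a `run:` block with no `shell:` key) a non-final command in an `&&` list is exempt from errexit, so a failed boringcrypto build or push is swallowed and the job carries on to the GCS upload. Put the echo on its own line after the push, or end the list with `|| exit 1`, so the step reports the failure. The `run:` block continues outside the hunk, so I cannot see whether it sets its own error handling.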
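Review bot: `GOEXPERIMENT=${GOEXPERIMENT}` is added to an ENV block that keeps `CGO_ENABLED=0`; as far as I recall Go's BoringCrypto backend (`crypto/internal/boring`) is gated on the `cgo` build constraint, so with cgo disabled the experiment silently falls back to standard Go crypto and the binaries would not be using the FIPS module at all — please confirm against the toolchain in use. If that holds, the builder stages need `CGO_ENABLED=1` whenever GOEXPERIMENT is `boringcrypto` (e.g. make it a second build-arg instead of hard-coding 0 here), for the restic build in this stage as well. A comment on the ENV line such as `# GOEXPERIMENT=boringcrypto only takes effect with cgo enabled` would spare the next reader the same investigation. The rest of this stage is outside the hunk.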
@@ -70,6 +74,18 @@ RUN mkdir -p /output/usr/bin && \
 /go/src/github.com/vmware-tanzu/velero/hack/build-restic.sh && \
 go clean -modcache -cache
+# validate that FIPS is enabled in the binaries
+FROM --platform=$BUILDPLATFORM golang:1.22-bookworm AS fips-validator
+ARG GOEXPERIMENT
+ARG BIN
+COPY --from=velero-builder /output /
+COPY --from=restic-builder /output /
+RUN if [ "${GOEXPERIMENT}" = "boringcrypto" ]; then \
+ go tool nm ${BIN} | grep FIPS && \
+ go tool nm velero-helper | grep FIPS && \
+ go tool nm restic | grep FIPS; \
+ fi
+
 # Velero image packing section
 FROM paketobuildpacks/run-jammy-tiny:latest
diff --git a/Makefile b/Makefile
index 98fd436eb41..46ec9fd7a8d 100644
--- a/Makefile
+++ b/Makefile
@@ -159,6 +159,7 @@ _output/bin/$(GOOS)/$(GOARCH)/$(BIN): build-dirs
 $(MAKE) shell CMD="-c '\
 GOOS=$(GOOS) \
 GOARCH=$(GOARCH) \
+ GOEXPERIMENT=${GOEXPERIMENT} \
 GOBIN=$(GOBIN) \
 VERSION=$(VERSION) \
 REGISTRY=$(REGISTRY) \
@@ -204,6 +205,7 @@ endif
 $(addprefix -t , $(IMAGE_TAGS)) \
 $(addprefix -t , $(GCR_IMAGE_TAGS)) \
 --build-arg=GOPROXY=$(GOPROXY) \
+ --build-arg=GOEXPERIMENT=$(GOEXPERIMENT) \
 --build-arg=PKG=$(PKG) \
 --build-arg=BIN=$(BIN) \
 --build-arg=VERSION=$(VERSION) \
diff --git a/hack/build.sh b/hack/build.sh
index 064b583ef4d..f8985fff3da 100755
--- a/hack/build.sh
+++ b/hack/build.sh
@@ -86,3 +86,13 @@ go build \
 -installsuffix "static" \
 -ldflags "${LDFLAGS}" \
 ${PKG}/cmd/${BIN}
+
+# verify fips
+if [[ -z "${GOEXPERIMENT:-}" ]]; then
+ GOEXPERIMENT=""
+fi
+if [[ ${GOEXPERIMENT} = "boringcrypto" ]]; then
+ echo "Verifying fips"
+ go tool nm ${OUTPUT} | grep FIPS || (echo "FIPS not found in binary" && exit 1)
+ echo "FIPS verified"
+fi
diff --git a/hack/docker-push.sh b/hack/docker-push.sh
index e503358c9f8..5372bbfc57f 100755
--- a/hack/docker-push.sh
+++ b/hack/docker-push.sh
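Review bot: The new `fips-validator` stage is not referenced by the final `paketobuildpacks/run-jammy-tiny` stage (this diff adds no `COPY --from=fips-validator`), and BuildKit — which `docker buildx` uses — only builds stages the target depends on, so this validation never runs in the multi-arch image build and a non-FIPS image would still be published. Make the final stage consume it, e.g. copy the binaries from the validator instead of the builders (`COPY --from=fips-validator /usr/bin/${BIN} /usr/bin/${BIN}` and likewise for the other two), so a failed check fails the build. Separately, `go tool nm ${BIN}`, `velero-helper` and `restic` are relative paths resolved against the golang image's WORKDIR, not PATH; the builder populates `/output/usr/bin` per the hunk context, so after `COPY ... /output /` the binaries presumably sit in `/usr/bin/` and should be addressed by absolute path. `grep FIPS` also accepts any symbol containing that string, so grep for a BoringCrypto-specific symbol to make the check meaningful.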
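Review bot: The new line uses make's brace form `${GOEXPERIMENT}` while every neighbouring assignment in this `CMD` string uses `$(...)`; the two are equivalent to make, but the odd one out reads as if it were meant to be a shell expansion inside the quoted command. For consistency write `GOEXPERIMENT=$(GOEXPERIMENT) \`. The recipe continues past the hunk.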
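Review bot: `(echo "FIPS not found in binary" && exit 1)` runs in a subshell, so the `exit 1` only ends that subshell; unless this script runs under `set -o errexit` (not visible in the hunk) the build continues, prints `FIPS verified` and ships a non-FIPS binary. Use a brace group or `if !` so the exit applies to the script itself, send the diagnostic to stderr, and quiet grep so the matched symbol list does not pollute build output. The preceding `if [[ -z ... ]]` defaulting block is redundant since `${GOEXPERIMENT:-}` in the comparison already covers the unset case. `grep FIPS` also matches any symbol name containing that string; grepping for a BoringCrypto-specific symbol would stop the check passing by accident.
```bash
# … unchanged: go build invocation …

# verify fips: a boringcrypto build must actually link the BoringCrypto module
if [[ "${GOEXPERIMENT:-}" = "boringcrypto" ]]; then
  echo "Verifying fips"
  if ! go tool nm "${OUTPUT}" | grep -q FIPS; then
    echo "FIPS not found in binary ${OUTPUT}" >&2
    exit 1
  fi
  echo "FIPS verified"
fi
```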
@@ -92,6 +92,11 @@ if [[ -z "$BUILDX_PLATFORMS" ]]; then
 BUILDX_PLATFORMS="linux/amd64,linux/arm64"
 fi
+# if SUFFIX is set, append it to the version
+if [[ -n "$SUFFIX" ]]; then
+ VERSION="$VERSION-$SUFFIX"
+fi
+
 # Debugging info
 echo "Highest tag found: $HIGHEST"
 echo "BRANCH: $BRANCH"
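Review bot: `[[ -n "$SUFFIX" ]]` dereferences SUFFIX unconditionally, and the CI caller runs this script once without SUFFIX set (the VERSION capture in push.yml); if the script enables `set -o nounset` (not visible in the hunk) that first run aborts with an unbound-variable error. Write it as `if [[ -n "${SUFFIX:-}" ]]; then` so the variable is optional regardless of shell options. The suffix is spliced straight into the image tag, so a short comment stating the contract, `# SUFFIX must be a valid image-tag fragment (e.g. boringcrypto)`, would help callers.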