

Publish boringcrypto image
Signed-off-by: Tiger Kaovilai <[email protected]>
kaovilai committed Nov 18, 2024
1 parent dacd5ef commit 9cbcfc4
Showing 6 changed files with 53 additions and 1 deletion.
15 changes: 15 additions & 0 deletions .github/workflows/e2e-test-kind.yaml
@@ -44,6 +44,21 @@ jobs:
run: |
IMAGE=velero VERSION=pr-test make container
docker save velero:pr-test -o ./velero.tar
# validate boringcrypto
# make local uses build.sh that verifies boringcrypto
build-boring:
runs-on: ubuntu-latest
steps:
- name: Check out the code
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
- name: Build Velero CLI
if: steps.cli-cache.outputs.cache-hit != 'true'
run: |
GOEXPERIMENT=boringcrypto make local
# Create json of k8s versions to test
# from guide: https://stackoverflow.com/a/65094398/4590470
setup-test-matrix:
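Review bot: The `if: steps.cli-cache.outputs.cache-hit != 'true'` guard on the Build Velero CLI step refers to a step id that the new build-boring job does not define (no `id: cli-cache` step is visible in it), so the expression resolves to an empty value and the step always runs; the condition looks copied from another job and should either be dropped or be accompanied by the cache step it names. With it dropped the step is just `run: GOEXPERIMENT=boringcrypto make local`. As the comment says, the job's verdict comes entirely from hack/build.sh, so it only validates anything if that script really exits non-zero when the symbol is missing (see the note on that file).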
1 change: 1 addition & 0 deletions .github/workflows/push.yml
@@ -69,6 +69,7 @@ jobs:
# Build and push Velero image to docker registry
docker login -u ${{ secrets.DOCKER_USER }} -p ${{ secrets.DOCKER_PASSWORD }}
VERSION=$(./hack/docker-push.sh | grep 'VERSION:' | awk -F: '{print $2}' | xargs)
GOEXPERIMENT=boringcrypto SUFFIX=boringcrypto ./hack/docker-push.sh && echo published boringcrypto image
# Upload Velero image package to GCS
source hack/ci/build_util.sh
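Review bot: A failure of the new `GOEXPERIMENT=boringcrypto SUFFIX=boringcrypto ./hack/docker-push.sh && echo ...` line does not fail the step: under GitHub's default `bash -e` shell a non-zero status from any command in an `&&` list other than the last one is exempt from errexit, and further commands (the GCS upload) follow, so a broken boringcrypto push would leave the job green. Put the push on its own line so errexit catches it, `GOEXPERIMENT=boringcrypto SUFFIX=boringcrypto ./hack/docker-push.sh` followed by `echo published boringcrypto image` on the next line, or append `|| exit 1` to the existing one. The enclosing run block continues past the hunk.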
18 changes: 17 additions & 1 deletion Dockerfile
@@ -25,13 +25,15 @@ ARG GIT_TREE_STATE
ARG TARGETOS
ARG TARGETARCH
ARG TARGETVARIANT
ARG GOEXPERIMENT

ENV CGO_ENABLED=0 \
GO111MODULE=on \
GOPROXY=${GOPROXY} \
GOOS=${TARGETOS} \
GOARCH=${TARGETARCH} \
GOARM=${TARGETVARIANT} \
GOEXPERIMENT=${GOEXPERIMENT} \
LDFLAGS="-X ${PKG}/pkg/buildinfo.Version=${VERSION} -X ${PKG}/pkg/buildinfo.GitSHA=${GIT_SHA} -X ${PKG}/pkg/buildinfo.GitTreeState=${GIT_TREE_STATE} -X ${PKG}/pkg/buildinfo.ImageRegistry=${REGISTRY}"

WORKDIR /go/src/github.com/vmware-tanzu/velero
@@ -55,13 +57,15 @@ ARG TARGETOS
ARG TARGETARCH
ARG TARGETVARIANT
ARG RESTIC_VERSION
ARG GOEXPERIMENT

ENV CGO_ENABLED=0 \
GO111MODULE=on \
GOPROXY=${GOPROXY} \
GOOS=${TARGETOS} \
GOARCH=${TARGETARCH} \
GOARM=${TARGETVARIANT}
GOARM=${TARGETVARIANT} \
GOEXPERIMENT=${GOEXPERIMENT}

COPY . /go/src/github.com/vmware-tanzu/velero

@@ -70,6 +74,18 @@ RUN mkdir -p /output/usr/bin && \
/go/src/github.com/vmware-tanzu/velero/hack/build-restic.sh && \
go clean -modcache -cache

# validate that FIPS is enabled in the binaries
FROM --platform=$BUILDPLATFORM golang:1.22-bookworm AS fips-validator
ARG GOEXPERIMENT
ARG BIN
COPY --from=velero-builder /output /
COPY --from=restic-builder /output /
RUN if [ "${GOEXPERIMENT}" = "boringcrypto" ]; then \
go tool nm ${BIN} | grep -q crypto/internal/boring/fipstls.required && \
go tool nm velero-helper | grep -q crypto/internal/boring/fipstls.required && \
go tool nm restic | grep -q crypto/internal/boring/fipstls.required; \
fi

# Velero image packing section
FROM paketobuildpacks/run-jammy-tiny:latest

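Review bot: The new fips-validator stage is not on the dependency path of the final `FROM paketobuildpacks/run-jammy-tiny:latest` stage: nothing copies from it, and BuildKit (used through buildx per hack/docker-push.sh) builds only the stages the target depends on, so the `go tool nm` check at the end of the third hunk never executes during the image build. Make the final stage take its binaries from it, e.g. `COPY --from=fips-validator /usr/bin/velero /usr/bin/velero` in place of the `--from=velero-builder` / `--from=restic-builder` copies (those lines sit outside the hunk), so the check gates the published image. Separately, both builder stages keep `CGO_ENABLED=0` (first and second hunk) while, as far as I recall, Go's crypto/internal/boring is built only under the cgo constraint, whereas `crypto/internal/boring/fipstls.required` is present in any GOEXPERIMENT=boringcrypto build; a check that the module is actually linked would grep for a BoringCrypto symbol such as `_Cfunc__goboringcrypto_`, and the boringcrypto build would need `CGO_ENABLED=1` (and a C toolchain for the target arch). Also `${BIN}`, `velero-helper` and `restic` are bare names resolved against the stage's working directory rather than PATH, so if the builders place them under /output/usr/bin as the `mkdir -p /output/usr/bin` context line suggests, the RUN should use `/usr/bin/${BIN}` etc.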
3 changes: 3 additions & 0 deletions Makefile
@@ -143,6 +143,7 @@ local: build-dirs
GOOS=$(GOOS) \
GOARCH=$(GOARCH) \
GOBIN=$(GOBIN) \
GOEXPERIMENT=${GOEXPERIMENT} \
VERSION=$(VERSION) \
REGISTRY=$(REGISTRY) \
PKG=$(PKG) \
@@ -159,6 +160,7 @@ _output/bin/$(GOOS)/$(GOARCH)/$(BIN): build-dirs
$(MAKE) shell CMD="-c '\
GOOS=$(GOOS) \
GOARCH=$(GOARCH) \
GOEXPERIMENT=${GOEXPERIMENT} \
GOBIN=$(GOBIN) \
VERSION=$(VERSION) \
REGISTRY=$(REGISTRY) \
@@ -204,6 +206,7 @@ endif
$(addprefix -t , $(IMAGE_TAGS)) \
$(addprefix -t , $(GCR_IMAGE_TAGS)) \
--build-arg=GOPROXY=$(GOPROXY) \
--build-arg=GOEXPERIMENT=$(GOEXPERIMENT) \
--build-arg=PKG=$(PKG) \
--build-arg=BIN=$(BIN) \
--build-arg=VERSION=$(VERSION) \
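Review bot: The three added lines mix Make variable syntaxes: the first two hunks write `GOEXPERIMENT=${GOEXPERIMENT}` while every neighbouring variable and the third hunk use the `$(...)` form; write `GOEXPERIMENT=$(GOEXPERIMENT) \` in all three places (the forms are equivalent in Make, so this is cosmetic). If GOEXPERIMENT has no `?=` default at the top of the Makefile (not visible here), the unset case expands to an empty `GOEXPERIMENT=` assignment, which Go treats as no experiments, so nothing breaks, but a documented default would make the knob discoverable next to GOPROXY and friends.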
12 changes: 12 additions & 0 deletions hack/build.sh
@@ -86,3 +86,15 @@ go build \
-installsuffix "static" \
-ldflags "${LDFLAGS}" \
${PKG}/cmd/${BIN}

# verify fips
if [[ -z "${GOEXPERIMENT:-}" ]]; then
GOEXPERIMENT=""
fi
if [[ ${GOEXPERIMENT} = "boringcrypto" ]]; then
# workaround for broken pipe
tempfile=$(mktemp)
go tool nm ${OUTPUT} > ${tempfile}
(cat ${tempfile} | grep -q crypto/internal/boring/fipstls.required && rm ${tempfile} && echo "FIPS verified for ${OUTPUT}") || (echo "FIPS not found in ${OUTPUT}" && rm ${tempfile} && exit 1)

fi
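Review bot: The `exit 1` at the end of the `|| ( ... )` group only leaves the parenthesised subshell, not hack/build.sh, so unless the script runs with errexit (its `set` options are outside the hunk) a missing symbol prints "FIPS not found" and the build still succeeds; the build-boring job added in e2e-test-kind.yaml depends on this exit status. The `if [[ -z ... ]]; then GOEXPERIMENT=""; fi` block is redundant once `${GOEXPERIMENT:-}` is used in the comparison, and `cat file | grep -q` can be `grep -q pattern file`, which keeps the check pipe-free as the broken-pipe comment intends. A rewritten check is below; the Dockerfile note on what the `fipstls.required` symbol does and does not prove applies to this script as well.
```shell
# verify fips
if [[ "${GOEXPERIMENT:-}" = "boringcrypto" ]]; then
  # nm output goes to a file first so that grep closing the pipe early
  # cannot fail the build under pipefail
  tempfile=$(mktemp)
  go tool nm "${OUTPUT}" > "${tempfile}"
  if grep -q crypto/internal/boring/fipstls.required "${tempfile}"; then
    rm -f "${tempfile}"
    echo "FIPS verified for ${OUTPUT}"
  else
    rm -f "${tempfile}"
    echo "FIPS not found in ${OUTPUT}"
    exit 1
  fi
fi
```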
5 changes: 5 additions & 0 deletions hack/docker-push.sh
@@ -92,6 +92,11 @@ if [[ -z "$BUILDX_PLATFORMS" ]]; then
BUILDX_PLATFORMS="linux/amd64,linux/arm64"
fi

# if SUFFIX is set, append it to the version
if [[ -n "$SUFFIX" ]]; then
VERSION="$VERSION-$SUFFIX"
fi

# Debugging info
echo "Highest tag found: $HIGHEST"
echo "BRANCH: $BRANCH"
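Review bot: `[[ -n "$SUFFIX" ]]` reads SUFFIX unguarded; if hack/docker-push.sh runs with `set -u` (its `set` options are outside the hunk) the ordinary no-suffix invocation in push.yml aborts with an unbound-variable error before reaching this check. Use `if [[ -n "${SUFFIX:-}" ]]; then` so an unset suffix behaves like an empty one. Echoing the final VERSION next to the other debugging lines below would also make the suffixed tag visible in CI logs.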
