diff --git a/.github/workflows/e2e-test-kind.yaml b/.github/workflows/e2e-test-kind.yaml
index 6df789f894..5228e2a5f4 100644
--- a/.github/workflows/e2e-test-kind.yaml
+++ b/.github/workflows/e2e-test-kind.yaml
@@ -44,6 +44,21 @@ jobs:
 run: |
 IMAGE=velero VERSION=pr-test make container
 docker save velero:pr-test -o ./velero.tar
+ # validate boringcrypto
+ # make local uses build.sh that verifies boringcrypto
+ build-boring:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out the code
+ uses: actions/checkout@v4
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version-file: 'go.mod'
+ - name: Build Velero CLI
+ if: steps.cli-cache.outputs.cache-hit != 'true'
+ run: |
+ GOEXPERIMENT=boringcrypto make local
 # Create json of k8s versions to test
 # from guide: https://stackoverflow.com/a/65094398/4590470
 setup-test-matrix:
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index a4d2371734..871e14bc21 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -69,6 +69,7 @@ jobs:
 # Build and push Velero image to docker registry
 docker login -u ${{ secrets.DOCKER_USER }} -p ${{ secrets.DOCKER_PASSWORD }}
 VERSION=$(./hack/docker-push.sh | grep 'VERSION:' | awk -F: '{print $2}' | xargs)
+ GOEXPERIMENT=boringcrypto SUFFIX=boringcrypto ./hack/docker-push.sh && echo published boringcrypto image
 # Upload Velero image package to GCS
 source hack/ci/build_util.sh
diff --git a/Dockerfile b/Dockerfile
index 25b314a111..42de1de1ad 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -25,6 +25,7 @@ ARG GIT_TREE_STATE
 ARG TARGETOS
 ARG TARGETARCH
 ARG TARGETVARIANT
+ARG GOEXPERIMENT
 ENV CGO_ENABLED=0 \
 GO111MODULE=on \
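Review bot: `if: steps.cli-cache.outputs.cache-hit != 'true'` on the Build Velero CLI step refers to a step id `cli-cache` that none of the steps in the new build-boring job declares. An output of an undeclared step expands to the empty string, so the condition is always true and the guard is dead; either drop the `if:` line or add the cache step with `id: cli-cache` that the condition appears to have been copied from. The two leading comment lines would also read better as one sentence on the job, e.g. `# validate boringcrypto: make local runs hack/build.sh, which fails if the CLI was not linked against BoringCrypto`.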
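Review bot: The added `./hack/docker-push.sh && echo published boringcrypto image` line can hide a failed boringcrypto push: under bash errexit only the last command of an `&&` list is checked, the failing push is not the last one, and the step continues with the GCS upload below, so a FIPS image that was never published still leaves the job green. Put the echo on its own line, `GOEXPERIMENT=boringcrypto SUFFIX=boringcrypto ./hack/docker-push.sh` followed by `echo published boringcrypto image`, so the script aborts on the push's non-zero exit (this assumes the default `bash -e` shell for `run:` steps, which the surrounding lines appear to rely on as well).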
@@ -32,6 +33,7 @@ ENV CGO_ENABLED=0 \
 GOOS=${TARGETOS} \
 GOARCH=${TARGETARCH} \
 GOARM=${TARGETVARIANT} \
+ GOEXPERIMENT=${GOEXPERIMENT} \
 LDFLAGS="-X ${PKG}/pkg/buildinfo.Version=${VERSION} -X ${PKG}/pkg/buildinfo.GitSHA=${GIT_SHA} -X ${PKG}/pkg/buildinfo.GitTreeState=${GIT_TREE_STATE} -X ${PKG}/pkg/buildinfo.ImageRegistry=${REGISTRY}"
 WORKDIR /go/src/github.com/vmware-tanzu/velero
@@ -55,13 +57,15 @@ ARG TARGETOS
 ARG TARGETARCH
 ARG TARGETVARIANT
 ARG RESTIC_VERSION
+ARG GOEXPERIMENT
 ENV CGO_ENABLED=0 \
 GO111MODULE=on \
 GOPROXY=${GOPROXY} \
 GOOS=${TARGETOS} \
 GOARCH=${TARGETARCH} \
- GOARM=${TARGETVARIANT}
+ GOARM=${TARGETVARIANT} \
+ GOEXPERIMENT=${GOEXPERIMENT}
 COPY . /go/src/github.com/vmware-tanzu/velero
@@ -70,6 +74,18 @@ RUN mkdir -p /output/usr/bin && \
 /go/src/github.com/vmware-tanzu/velero/hack/build-restic.sh && \
 go clean -modcache -cache
+# validate that FIPS is enabled in the binaries
+FROM --platform=$BUILDPLATFORM golang:1.22-bookworm AS fips-validator
+ARG GOEXPERIMENT
+ARG BIN
+COPY --from=velero-builder /output /
+COPY --from=restic-builder /output /
+RUN if [ "${GOEXPERIMENT}" = "boringcrypto" ]; then \
+ go tool nm ${BIN} | grep -q crypto/internal/boring/fipstls.required && \
+ go tool nm velero-helper | grep -q crypto/internal/boring/fipstls.required && \
+ go tool nm restic | grep -q crypto/internal/boring/fipstls.required; \
+ fi
+
 # Velero image packing section
 FROM paketobuildpacks/run-jammy-tiny:latest
diff --git a/Makefile b/Makefile
index 98fd436eb4..b21f353367 100644
--- a/Makefile
+++ b/Makefile
@@ -143,6 +143,7 @@ local: build-dirs
 GOOS=$(GOOS) \
 GOARCH=$(GOARCH) \
 GOBIN=$(GOBIN) \
+ GOEXPERIMENT=${GOEXPERIMENT} \
 VERSION=$(VERSION) \
 REGISTRY=$(REGISTRY) \
 PKG=$(PKG) \
@@ -159,6 +160,7 @@ _output/bin/$(GOOS)/$(GOARCH)/$(BIN): build-dirs
 $(MAKE) shell CMD="-c '\
 GOOS=$(GOOS) \
 GOARCH=$(GOARCH) \
+ GOEXPERIMENT=${GOEXPERIMENT} \
 GOBIN=$(GOBIN) \
 VERSION=$(VERSION) \
 REGISTRY=$(REGISTRY) \
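Review bot: Nothing visible in the hunk references the new fips-validator stage, and BuildKit builds only the stages the requested target depends on, so unless the final image stage copies from it (the `COPY --from` lines of the paketo stage are outside the hunk) the check is skipped silently and an unverified image is published. Make the final stage depend on it, for example by taking the binaries `--from=fips-validator` instead of directly from the builder stages, or run it explicitly in CI with `--target fips-validator`. The stage also passes `velero-helper`, `restic` and `${BIN}` to `go tool nm` as relative paths resolved from the golang image's working directory; the `mkdir -p /output/usr/bin` context suggests the builders collect output under `/output/usr/bin`, which lands in `/usr/bin` after `COPY --from=... /output /`, so the check would likely fail once the stage actually executes. Use absolute paths such as `go tool nm /usr/bin/${BIN}` and escape the dot in the pattern (`fipstls\.required`) so grep matches it literally.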
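Review bot: `GOEXPERIMENT=${GOEXPERIMENT} \` uses the `${...}` form while every neighbouring line of this recipe, the same addition in the `_output/bin/$(GOOS)/$(GOARCH)/$(BIN)` rule below, and the `--build-arg` line in the container rule use `$(...)`; the two are equivalent to make, but mixing them makes the new variable look like a shell expansion the recipe meant to defer. Write it as `GOEXPERIMENT=$(GOEXPERIMENT) \` in both hunks. The `local` recipe starts before this hunk.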
@@ -204,6 +206,7 @@ endif
 $(addprefix -t , $(IMAGE_TAGS)) \
 $(addprefix -t , $(GCR_IMAGE_TAGS)) \
 --build-arg=GOPROXY=$(GOPROXY) \
+ --build-arg=GOEXPERIMENT=$(GOEXPERIMENT) \
 --build-arg=PKG=$(PKG) \
 --build-arg=BIN=$(BIN) \
 --build-arg=VERSION=$(VERSION) \
diff --git a/hack/build.sh b/hack/build.sh
index 064b583ef4..f12b67f381 100755
--- a/hack/build.sh
+++ b/hack/build.sh
@@ -86,3 +86,12 @@ go build \
 -installsuffix "static" \
 -ldflags "${LDFLAGS}" \
 ${PKG}/cmd/${BIN}
+
+# verify fips
+if [[ -z "${GOEXPERIMENT:-}" ]]; then
+ GOEXPERIMENT=""
+fi
+if [[ ${GOEXPERIMENT} = "boringcrypto" ]]; then
+ (go tool nm ${OUTPUT} | grep -q crypto/internal/boring/fipstls.required && echo "FIPS verified for ${OUTPUT}") || (echo "FIPS not found in ${OUTPUT}" && exit 1)
+
+fi
diff --git a/hack/docker-push.sh b/hack/docker-push.sh
index e503358c9f..5372bbfc57 100755
--- a/hack/docker-push.sh
+++ b/hack/docker-push.sh
@@ -92,6 +92,11 @@ if [[ -z "$BUILDX_PLATFORMS" ]]; then
 BUILDX_PLATFORMS="linux/amd64,linux/arm64"
 fi
+# if SUFFIX is set, append it to the version
+if [[ -n "$SUFFIX" ]]; then
+ VERSION="$VERSION-$SUFFIX"
+fi
+
 # Debugging info
 echo "Highest tag found: $HIGHEST"
 echo "BRANCH: $BRANCH"
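Review bot: `--build-arg=GOEXPERIMENT=$(GOEXPERIMENT)` changes what is compiled into the image, but nothing in this rule changes how the image is tagged, so `GOEXPERIMENT=boringcrypto make container` appears to produce an image carrying the same `$(IMAGE_TAGS)` as the non-FIPS build; only hack/docker-push.sh appends a suffix, and only when SUFFIX is set. Either derive a tag suffix in the Makefile when GOEXPERIMENT is boringcrypto, or at least document the split with a comment on the rule such as `# GOEXPERIMENT=boringcrypto builds FIPS binaries; tags are not changed here, hack/docker-push.sh appends SUFFIX`, so a locally built FIPS image cannot be mistaken for the regular one. The recipe starts before this hunk, so the tag variables are not visible here.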
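Review bot: In the new verification block `exit 1` runs inside a `( ... )` subshell and so terminates only that subshell; whether build.sh itself stops then depends on an errexit option set earlier in the script, outside the hunk, and without it a binary lacking BoringCrypto is reported and the script still exits 0. The preceding `if [[ -z "${GOEXPERIMENT:-}" ]]` block is redundant because the `:-` default already yields an empty string, `${OUTPUT}` is unquoted, and the unescaped dot in the grep pattern matches any character. Replace the block with an explicit if/else that exits the script directly:
```shell
# verify fips: a boringcrypto build must have linked the BoringCrypto module
if [[ "${GOEXPERIMENT:-}" = "boringcrypto" ]]; then
  if go tool nm "${OUTPUT}" | grep -q 'crypto/internal/boring/fipstls\.required'; then
    echo "FIPS verified for ${OUTPUT}"
  else
    echo "FIPS not found in ${OUTPUT}" >&2
    exit 1
  fi
fi
```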
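Review bot: `if [[ -n "$SUFFIX" ]]` reads SUFFIX unguarded; if the script enables `nounset` (its header is outside the hunk) an ordinary push without SUFFIX aborts here, so write `if [[ -n "${SUFFIX:-}" ]]`. Since the suffix becomes part of the published tag it should also appear in the debugging block that follows, e.g. `echo "SUFFIX: ${SUFFIX:-}"`, so the log shows which variant was pushed. Nothing ties SUFFIX to GOEXPERIMENT, so a caller that sets only one of them can publish a `-boringcrypto` tag built without BoringCrypto or overwrite the regular tag with a FIPS build; a comment stating that the two must be set together, or a check that refuses the mismatch, would close that gap.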