Publish boringcrypto image

Signed-off-by: Tiger Kaovilai <[email protected]>
vmware-tanzu · Nov 18, 2024 · faa74a8 · faa74a8
1 parent dacd5ef
commit faa74a8
Show file tree

Hide file tree

Showing 9 changed files with 84 additions and 5 deletions.
diff --git a/.github/workflows/e2e-test-kind.yaml b/.github/workflows/e2e-test-kind.yaml
@@ -44,6 +44,21 @@ jobs:
         run: |
           IMAGE=velero VERSION=pr-test make container
           docker save velero:pr-test -o ./velero.tar
+  # validate boringcrypto
+  # make local uses build.sh that verifies boringcrypto
+  build-boring:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the code
+        uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+      - name: Build Velero CLI
+        if: steps.cli-cache.outputs.cache-hit != 'true'
+        run: |
+          GOEXPERIMENT=boringcrypto make local
   # Create json of k8s versions to test
   # from guide: https://stackoverflow.com/a/65094398/4590470
   setup-test-matrix:

diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -69,6 +69,7 @@ jobs:
           # Build and push Velero image to docker registry
           docker login -u ${{ secrets.DOCKER_USER }} -p ${{ secrets.DOCKER_PASSWORD }}
           VERSION=$(./hack/docker-push.sh | grep 'VERSION:' | awk -F: '{print $2}' | xargs)
+          GOEXPERIMENT=boringcrypto SUFFIX=boringcrypto ./hack/docker-push.sh && echo published boringcrypto image
 
           # Upload Velero image package to GCS
           source hack/ci/build_util.sh

diff --git a/Dockerfile b/Dockerfile
@@ -25,19 +25,24 @@ ARG GIT_TREE_STATE
 ARG TARGETOS
 ARG TARGETARCH
 ARG TARGETVARIANT
+ARG GOEXPERIMENT
 
 ENV CGO_ENABLED=0 \
     GO111MODULE=on \
     GOPROXY=${GOPROXY} \
     GOOS=${TARGETOS} \
     GOARCH=${TARGETARCH} \
     GOARM=${TARGETVARIANT} \
+    GOEXPERIMENT=${GOEXPERIMENT} \
     LDFLAGS="-X ${PKG}/pkg/buildinfo.Version=${VERSION} -X ${PKG}/pkg/buildinfo.GitSHA=${GIT_SHA} -X ${PKG}/pkg/buildinfo.GitTreeState=${GIT_TREE_STATE} -X ${PKG}/pkg/buildinfo.ImageRegistry=${REGISTRY}"
 
 WORKDIR /go/src/github.com/vmware-tanzu/velero
+# verifies go cli has boring
+RUN if [ "${GOEXPERIMENT}" = "boringcrypto" ]; then \
+        go tool nm $(which go) | grep sig.BoringCrypto \
+    fi
 
 COPY . /go/src/github.com/vmware-tanzu/velero
-
 RUN mkdir -p /output/usr/bin && \
     export GOARM=$( echo "${GOARM}" | cut -c2-) && \
     go build -o /output/${BIN} \
@@ -55,13 +60,19 @@ ARG TARGETOS
 ARG TARGETARCH
 ARG TARGETVARIANT
 ARG RESTIC_VERSION
+ARG GOEXPERIMENT
 
 ENV CGO_ENABLED=0 \
     GO111MODULE=on \
     GOPROXY=${GOPROXY} \
     GOOS=${TARGETOS} \
     GOARCH=${TARGETARCH} \
-    GOARM=${TARGETVARIANT}
+    GOARM=${TARGETVARIANT} \
+    GOEXPERIMENT=${GOEXPERIMENT}
+# verifies go cli has boring
+RUN if [ "${GOEXPERIMENT}" = "boringcrypto" ]; then \
+        go tool nm $(which go) | grep sig.BoringCrypto \
+    fi
 
 COPY . /go/src/github.com/vmware-tanzu/velero
 
@@ -70,6 +81,21 @@ RUN mkdir -p /output/usr/bin && \
     /go/src/github.com/vmware-tanzu/velero/hack/build-restic.sh && \
     go clean -modcache -cache
 
+# validate that FIPS is enabled in the binaries
+FROM --platform=$BUILDPLATFORM golang:1.22-bookworm AS fips-validator
+ARG GOEXPERIMENT
+ARG BIN
+COPY --from=velero-builder /output /
+COPY --from=restic-builder /output /
+RUN if [ "${GOEXPERIMENT}" = "boringcrypto" ]; then \
+        go tool nm ${BIN} > ${BIN}nm && \
+        go tool nm velero-helper > velero-helpernm && \
+        go tool nm restic > resticnm && \
+        grep ${BIN}nm -qe sig.BoringCrypto && \
+        grep velero-helpernm -qe sig.BoringCrypto && \
+        grep resticnm -qe sig.BoringCrypto && \
+    fi
+
 # Velero image packing section
 FROM paketobuildpacks/run-jammy-tiny:latest
 

diff --git a/Makefile b/Makefile
@@ -121,7 +121,10 @@ GOOS = $(word 1, $(platform_temp))
 GOARCH = $(word 2, $(platform_temp))
 GOPROXY ?= https://proxy.golang.org
 GOBIN=$$(pwd)/.go/bin
-
+ifeq ($(GOEXPERIMENT), boringcrypto)
+	EE=$(shell echo hi)
+# $(shell (go tool nm $(shell which go) | grep "crypto/internal/boring/sig.BoringCrypto") || echo "go installed cannot use boringcrypto")
+endif
 # If you want to build all binaries, see the 'all-build' rule.
 # If you want to build all containers, see the 'all-containers' rule.
 all:
@@ -143,6 +146,7 @@ local: build-dirs
 	GOOS=$(GOOS) \
 	GOARCH=$(GOARCH) \
 	GOBIN=$(GOBIN) \
+	GOEXPERIMENT=${GOEXPERIMENT} \
 	VERSION=$(VERSION) \
 	REGISTRY=$(REGISTRY) \
 	PKG=$(PKG) \
@@ -159,6 +163,7 @@ _output/bin/$(GOOS)/$(GOARCH)/$(BIN): build-dirs
 	$(MAKE) shell CMD="-c '\
 		GOOS=$(GOOS) \
 		GOARCH=$(GOARCH) \
+		GOEXPERIMENT=${GOEXPERIMENT} \
 		GOBIN=$(GOBIN) \
 		VERSION=$(VERSION) \
 		REGISTRY=$(REGISTRY) \
@@ -204,6 +209,7 @@ endif
 	$(addprefix -t , $(IMAGE_TAGS)) \
 	$(addprefix -t , $(GCR_IMAGE_TAGS)) \
 	--build-arg=GOPROXY=$(GOPROXY) \
+	--build-arg=GOEXPERIMENT=$(GOEXPERIMENT) \
 	--build-arg=PKG=$(PKG) \
 	--build-arg=BIN=$(BIN) \
 	--build-arg=VERSION=$(VERSION) \

diff --git a/changelogs/unreleased/8412-kaovilai b/changelogs/unreleased/8412-kaovilai
@@ -0,0 +1 @@
+Make creating boringcrypto image/bin possible
diff --git a/hack/build.sh b/hack/build.sh
@@ -59,7 +59,10 @@ if [[ -z "${GIT_TREE_STATE}" ]]; then
     echo "GIT_TREE_STATE must be set"
     exit 1
 fi
-
+# verifies go cli has boring
+if [[ "${GOEXPERIMENT}" = "boringcrypto" ]]; then \
+    (go tool nm $(which go) | grep sig.BoringCrypto) || (echo "go CLI is not boringcrypto enabled"; exit 1)
+fi
 GCFLAGS=""
 if [[ ${DEBUG:-} = "1" ]]; then
     GCFLAGS="all=-N -l"
@@ -86,3 +89,13 @@ go build \
     -installsuffix "static" \
     -ldflags "${LDFLAGS}" \
     ${PKG}/cmd/${BIN}
+
+# verify fips
+if [[ -z "${GOEXPERIMENT:-}" ]]; then
+    GOEXPERIMENT=""
+fi
+if [[ ${GOEXPERIMENT} = "boringcrypto" ]]; then
+    # workaround for broken pipe is to write to file and grep file
+    tempfile=$(mktemp)
+    (go tool nm ${OUTPUT} > ${tempfile} && grep ${tempfile} -qe sig.BoringCrypto && rm ${tempfile} && echo "FIPS verified for ${OUTPUT}") || (echo "FIPS not found in ${OUTPUT}" && rm ${tempfile} && exit 1)
+fi
diff --git a/hack/docker-push.sh b/hack/docker-push.sh
@@ -92,6 +92,11 @@ if [[ -z "$BUILDX_PLATFORMS" ]]; then
     BUILDX_PLATFORMS="linux/amd64,linux/arm64"
 fi
 
+# if SUFFIX is set, append it to the version
+if [[ -n "$SUFFIX" ]]; then
+    VERSION="$VERSION-$SUFFIX"
+fi
+
 # Debugging info
 echo "Highest tag found: $HIGHEST"
 echo "BRANCH: $BRANCH"

diff --git a/pkg/cmd/cli/version/fips.go b/pkg/cmd/cli/version/fips.go
@@ -0,0 +1,9 @@
+//go:build goexperiment.boringcrypto
+
+package version
+
+import "crypto/boring"
+
+func init() {
+	fipsEnabled = boring.Enabled()
+}
diff --git a/pkg/cmd/cli/version/version.go b/pkg/cmd/cli/version/version.go
@@ -64,11 +64,14 @@ func NewCommand(f client.Factory) *cobra.Command {
 
 	return c
 }
+// to support buildtag added funcs
+var fipsEnabled = false
 
 func printVersion(w io.Writer, clientOnly bool, kbClient kbclient.Client, serverStatusGetter serverstatus.Getter) {
 	fmt.Fprintln(w, "Client:")
 	fmt.Fprintf(w, "\tVersion: %s\n", buildinfo.Version)
 	fmt.Fprintf(w, "\tGit commit: %s\n", buildinfo.FormattedGitSHA())
+	fmt.Fprintf(w, "\tBoring: %v\n", fipsEnabled)
 
 	if clientOnly {
 		return
@@ -93,4 +96,4 @@ func printVersion(w io.Writer, clientOnly bool, kbClient kbclient.Client, server
 		}
 		fmt.Fprintf(w, "# WARNING: the client version does not match the server version. Please update %s\n", upgrade)
 	}
-}
+}