From faa74a82499aaaeeb726aaa2dc58bea3a545e406 Mon Sep 17 00:00:00 2001 From: Tiger Kaovilai Date: Mon, 18 Nov 2024 00:22:55 -0500 Subject: [PATCH] Publish boringcrypto image Signed-off-by: Tiger Kaovilai --- .github/workflows/e2e-test-kind.yaml | 15 ++++++++++++++ .github/workflows/push.yml | 1 + Dockerfile | 30 ++++++++++++++++++++++++++-- Makefile | 8 +++++++- changelogs/unreleased/8412-kaovilai | 1 + hack/build.sh | 15 +++++++++++++- hack/docker-push.sh | 5 +++++ pkg/cmd/cli/version/fips.go | 9 +++++++++ pkg/cmd/cli/version/version.go | 5 ++++- 9 files changed, 84 insertions(+), 5 deletions(-) create mode 100644 changelogs/unreleased/8412-kaovilai create mode 100644 pkg/cmd/cli/version/fips.go diff --git a/.github/workflows/e2e-test-kind.yaml b/.github/workflows/e2e-test-kind.yaml index 6df789f894..5228e2a5f4 100644 --- a/.github/workflows/e2e-test-kind.yaml +++ b/.github/workflows/e2e-test-kind.yaml @@ -44,6 +44,21 @@ jobs: run: | IMAGE=velero VERSION=pr-test make container docker save velero:pr-test -o ./velero.tar + # validate boringcrypto + # make local uses build.sh that verifies boringcrypto + build-boring: + runs-on: ubuntu-latest + steps: + - name: Check out the code + uses: actions/checkout@v4 + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version-file: 'go.mod' + - name: Build Velero CLI + if: steps.cli-cache.outputs.cache-hit != 'true' + run: | + GOEXPERIMENT=boringcrypto make local # Create json of k8s versions to test # from guide: https://stackoverflow.com/a/65094398/4590470 setup-test-matrix: diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index a4d2371734..871e14bc21 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml 
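Review bot: The `Build Velero CLI` step of the new build-boring job is conditioned on `steps.cli-cache.outputs.cache-hit != 'true'`, but no step with id `cli-cache` exists in this job; the expression evaluates against an empty output, so the step always runs and the condition is misleading copy-paste. Drop the `if:` line, or add the cache step it was copied along with. It would also help to say in the job comment what a failure means, e.g. `# fails if the setup-go toolchain cannot produce boringcrypto binaries (checked by hack/build.sh)`.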
@@ -69,6 +69,7 @@ jobs: # Build and push Velero image to docker registry docker login -u ${{ secrets.DOCKER_USER }} -p ${{ secrets.DOCKER_PASSWORD }} VERSION=$(./hack/docker-push.sh | grep 'VERSION:' | awk -F: '{print $2}' | xargs) + GOEXPERIMENT=boringcrypto SUFFIX=boringcrypto ./hack/docker-push.sh && echo published boringcrypto image # Upload Velero image package to GCS source hack/ci/build_util.sh diff --git a/Dockerfile b/Dockerfile index 25b314a111..f9fa3c4d1d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -25,6 +25,7 @@ ARG GIT_TREE_STATE ARG TARGETOS ARG TARGETARCH ARG TARGETVARIANT +ARG GOEXPERIMENT ENV CGO_ENABLED=0 \ GO111MODULE=on \ @@ -32,12 +33,16 @@ ENV CGO_ENABLED=0 \ GOOS=${TARGETOS} \ GOARCH=${TARGETARCH} \ GOARM=${TARGETVARIANT} \ + GOEXPERIMENT=${GOEXPERIMENT} \ LDFLAGS="-X ${PKG}/pkg/buildinfo.Version=${VERSION} -X ${PKG}/pkg/buildinfo.GitSHA=${GIT_SHA} -X ${PKG}/pkg/buildinfo.GitTreeState=${GIT_TREE_STATE} -X ${PKG}/pkg/buildinfo.ImageRegistry=${REGISTRY}" WORKDIR /go/src/github.com/vmware-tanzu/velero +# verifies go cli has boring +RUN if [ "${GOEXPERIMENT}" = "boringcrypto" ]; then \ + go tool nm $(which go) | grep sig.BoringCrypto \ + fi COPY . /go/src/github.com/vmware-tanzu/velero - RUN mkdir -p /output/usr/bin && \ export GOARM=$( echo "${GOARM}" | cut -c2-) && \ go build -o /output/${BIN} \ @@ -55,13 +60,19 @@ ARG TARGETOS ARG TARGETARCH ARG TARGETVARIANT ARG RESTIC_VERSION +ARG GOEXPERIMENT ENV CGO_ENABLED=0 \ GO111MODULE=on \ GOPROXY=${GOPROXY} \ GOOS=${TARGETOS} \ GOARCH=${TARGETARCH} \ - GOARM=${TARGETVARIANT} + GOARM=${TARGETVARIANT} \ + GOEXPERIMENT=${GOEXPERIMENT} +# verifies go cli has boring +RUN if [ "${GOEXPERIMENT}" = "boringcrypto" ]; then \ + go tool nm $(which go) | grep sig.BoringCrypto \ + fi COPY . /go/src/github.com/vmware-tanzu/velero 
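Review bot: The boringcrypto push is appended as `./hack/docker-push.sh && echo published boringcrypto image` in the middle of the `run:` script, and under the default `bash -e` shell a failing command that is part of an `&&` list does not trigger errexit; because more commands follow (`source hack/ci/build_util.sh`), a failed boringcrypto push would be ignored and the step would still succeed. Put the push on its own line, `GOEXPERIMENT=boringcrypto SUFFIX=boringcrypto ./hack/docker-push.sh`, with the `echo` on the following line, so the failure propagates to the job.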
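Review bot: The RUN added after WORKDIR never terminates its `if`: the line continuation after `grep sig.BoringCrypto \` splices `fi` onto the grep command as a filename argument, so `sh -c` reaches end of input with the `if` still open and the step fails with a syntax error whether or not GOEXPERIMENT is set; write `go tool nm $(which go) | grep -q sig.BoringCrypto; \` before `fi`. The same missing terminator is in the @@ -55 hunk and in the fips-validator RUN of the @@ -70 hunk, where `grep resticnm -qe sig.BoringCrypto && \` is followed directly by `fi`. Separately, both builder stages keep `CGO_ENABLED=0` next to the new `GOEXPERIMENT=${GOEXPERIMENT}`; as far as I recall the BoringCrypto implementation in the standard library is gated on the `cgo` build tag and silently falls back to standard Go crypto without it, which would leave a `-boringcrypto` tag on an image that is not actually FIPS-backed — worth confirming before publishing. Finally, `go tool nm $(which go)` inspects the go command's own binary rather than what the toolchain emits under GOEXPERIMENT, so it is not obvious this check can pass on a stock golang image; the nm check on the built binary is the one that carries evidence.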
@@ -70,6 +81,21 @@ RUN mkdir -p /output/usr/bin && \ /go/src/github.com/vmware-tanzu/velero/hack/build-restic.sh && \ go clean -modcache -cache +# validate that FIPS is enabled in the binaries +FROM --platform=$BUILDPLATFORM golang:1.22-bookworm AS fips-validator +ARG GOEXPERIMENT +ARG BIN +COPY --from=velero-builder /output / +COPY --from=restic-builder /output / +RUN if [ "${GOEXPERIMENT}" = "boringcrypto" ]; then \ + go tool nm ${BIN} > ${BIN}nm && \ + go tool nm velero-helper > velero-helpernm && \ + go tool nm restic > resticnm && \ + grep ${BIN}nm -qe sig.BoringCrypto && \ + grep velero-helpernm -qe sig.BoringCrypto && \ + grep resticnm -qe sig.BoringCrypto && \ + fi + # Velero image packing section FROM paketobuildpacks/run-jammy-tiny:latest diff --git a/Makefile b/Makefile index 98fd436eb4..0668142479 100644 --- a/Makefile +++ b/Makefile @@ -121,7 +121,10 @@ GOOS = $(word 1, $(platform_temp)) GOARCH = $(word 2, $(platform_temp)) GOPROXY ?= https://proxy.golang.org GOBIN=$$(pwd)/.go/bin - +ifeq ($(GOEXPERIMENT), boringcrypto) + EE=$(shell echo hi) +# $(shell (go tool nm $(shell which go) | grep "crypto/internal/boring/sig.BoringCrypto") || echo "go installed cannot use boringcrypto") +endif # If you want to build all binaries, see the 'all-build' rule. # If you want to build all containers, see the 'all-containers' rule. all: @@ -143,6 +146,7 @@ local: build-dirs GOOS=$(GOOS) \ GOARCH=$(GOARCH) \ GOBIN=$(GOBIN) \ + GOEXPERIMENT=${GOEXPERIMENT} \ VERSION=$(VERSION) \ REGISTRY=$(REGISTRY) \ PKG=$(PKG) \ @@ -159,6 +163,7 @@ _output/bin/$(GOOS)/$(GOARCH)/$(BIN): build-dirs $(MAKE) shell CMD="-c '\ GOOS=$(GOOS) \ GOARCH=$(GOARCH) \ + GOEXPERIMENT=${GOEXPERIMENT} \ GOBIN=$(GOBIN) \ VERSION=$(VERSION) \ REGISTRY=$(REGISTRY) \ 
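Review bot: The new fips-validator stage does not appear to be on the build graph of the final image: as far as this hunk shows nothing does `COPY --from=fips-validator`, and the Makefile hunk passes no `--target`, so BuildKit (which the buildx-based push uses) prunes the stage and the grep checks never execute. Route the final stage's binary copies through fips-validator, or run a separate `--target fips-validator` build in CI, so a non-boring binary fails the build instead of being published. The commands also use relative paths `${BIN}`, `velero-helper` and `restic` after copying `/output` to `/`; if the golang base image's WORKDIR is `/go`, as I believe it is, those paths will not resolve — confirm, or use absolute `/${BIN}` etc. The `&& \` immediately before `fi` is a shell syntax error as well.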
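Review bot: The new `ifeq ($(GOEXPERIMENT), boringcrypto)` block at the top of the Makefile hunk is leftover scaffolding: `EE=$(shell echo hi)` is a debug variable nothing reads, and the actual toolchain check is commented out, so the conditional has no effect. Either delete the three lines — build.sh already performs this verification — or make it real with `$(error go toolchain is not boringcrypto-enabled)` inside the conditional. In the @@ -143 and @@ -159 hunks `GOEXPERIMENT=${GOEXPERIMENT}` uses brace syntax while every neighbouring variable (and the @@ -204 hunk) uses `$(...)`; GNU make accepts both, but `$(GOEXPERIMENT)` keeps the file consistent.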
@@ -204,6 +209,7 @@ endif $(addprefix -t , $(IMAGE_TAGS)) \ $(addprefix -t , $(GCR_IMAGE_TAGS)) \ --build-arg=GOPROXY=$(GOPROXY) \ + --build-arg=GOEXPERIMENT=$(GOEXPERIMENT) \ --build-arg=PKG=$(PKG) \ --build-arg=BIN=$(BIN) \ --build-arg=VERSION=$(VERSION) \ diff --git a/changelogs/unreleased/8412-kaovilai b/changelogs/unreleased/8412-kaovilai new file mode 100644 index 0000000000..49f98703c8 --- /dev/null +++ b/changelogs/unreleased/8412-kaovilai @@ -0,0 +1 @@ +Make creating boringcrypto image/bin possible diff --git a/hack/build.sh b/hack/build.sh index 064b583ef4..21a056863e 100755 --- a/hack/build.sh +++ b/hack/build.sh @@ -59,7 +59,10 @@ if [[ -z "${GIT_TREE_STATE}" ]]; then echo "GIT_TREE_STATE must be set" exit 1 fi - +# verifies go cli has boring +if [[ "${GOEXPERIMENT}" = "boringcrypto" ]]; then \ + (go tool nm $(which go) | grep sig.BoringCrypto) || (echo "go CLI is not boringcrypto enabled"; exit 1) +fi GCFLAGS="" if [[ ${DEBUG:-} = "1" ]]; then GCFLAGS="all=-N -l" @@ -86,3 +89,13 @@ go build \ -installsuffix "static" \ -ldflags "${LDFLAGS}" \ ${PKG}/cmd/${BIN} + +# verify fips +if [[ -z "${GOEXPERIMENT:-}" ]]; then + GOEXPERIMENT="" +fi +if [[ ${GOEXPERIMENT} = "boringcrypto" ]]; then + # workaround for broken pipe is to write to file and grep file + tempfile=$(mktemp) + (go tool nm ${OUTPUT} > ${tempfile} && grep ${tempfile} -qe sig.BoringCrypto && rm ${tempfile} && echo "FIPS verified for ${OUTPUT}") || (echo "FIPS not found in ${OUTPUT}" && rm ${tempfile} && exit 1) +fi diff --git a/hack/docker-push.sh b/hack/docker-push.sh index e503358c9f..5372bbfc57 100755 --- a/hack/docker-push.sh +++ b/hack/docker-push.sh @@ -92,6 +92,11 @@ if [[ -z "$BUILDX_PLATFORMS" ]]; then BUILDX_PLATFORMS="linux/amd64,linux/arm64" fi +# if SUFFIX is set, append it to the version +if [[ -n "$SUFFIX" ]]; then + VERSION="$VERSION-$SUFFIX" +fi + # Debugging info echo "Highest tag found: $HIGHEST" echo "BRANCH: $BRANCH" 
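Review bot: `if [[ "${GOEXPERIMENT}" = "boringcrypto" ]]` dereferences the variable without a default; the script guards `${DEBUG:-}` a few lines down, which suggests it runs under `set -u`, in which case every non-boring build would now abort here with an unbound-variable error (the @@ -86 hunk does use `:-`). The trailing `\` after `then` is stray, and the check prints the matching symbol line rather than just testing for it. Suggested: `if [[ "${GOEXPERIMENT:-}" = "boringcrypto" ]]; then` followed by `go tool nm "$(which go)" | grep -q sig.BoringCrypto || { echo "go CLI is not boringcrypto enabled"; exit 1; }` — braces rather than a subshell so the `exit 1` ends the script even without errexit.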
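Review bot: The `if [[ -z "${GOEXPERIMENT:-}" ]]; then GOEXPERIMENT=""; fi` block is redundant once the following test reads `${GOEXPERIMENT:-}`, and the two `rm ${tempfile}` calls can be replaced by `trap 'rm -f "$tempfile"' EXIT` right after `mktemp` so the temp file is removed on every exit path. Quoting `"${OUTPUT}"` and `"${tempfile}"` would also keep paths with spaces from breaking the check. The comment explaining the file-based grep as a workaround for a broken pipe is useful and should stay.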
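Review bot: `if [[ -n "$SUFFIX" ]]` reads SUFFIX without a default; I cannot see the script's `set` options from here, but if it runs under `set -u` the first, un-suffixed invocation in push.yml (`./hack/docker-push.sh | grep 'VERSION:'`) would abort before pushing anything. `if [[ -n "${SUFFIX:-}" ]]; then` is safe either way. Since SUFFIX is now part of the script's interface, its usage header (outside this hunk) should list it alongside the other environment variables it honours.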
diff --git a/pkg/cmd/cli/version/fips.go b/pkg/cmd/cli/version/fips.go
new file mode 100644
index 0000000000..a44cc8fee1
--- /dev/null
+++ b/pkg/cmd/cli/version/fips.go
@@ -0,0 +1,9 @@
+//go:build goexperiment.boringcrypto
+
+package version
+
+import "crypto/boring"
+
+func init() {
+ fipsEnabled = boring.Enabled()
+}
\ No newline at end of file
diff --git a/pkg/cmd/cli/version/version.go b/pkg/cmd/cli/version/version.go
index f8d2611161..0d60b6f25e 100644
--- a/pkg/cmd/cli/version/version.go
+++ b/pkg/cmd/cli/version/version.go
@@ -64,11 +64,14 @@ func NewCommand(f client.Factory) *cobra.Command {
 return c
 }
+// to support buildtag added funcs
+var fipsEnabled = false
 func printVersion(w io.Writer, clientOnly bool, kbClient kbclient.Client, serverStatusGetter serverstatus.Getter) {
 fmt.Fprintln(w, "Client:")
 fmt.Fprintf(w, "\tVersion: %s\n", buildinfo.Version)
 fmt.Fprintf(w, "\tGit commit: %s\n", buildinfo.FormattedGitSHA())
+ fmt.Fprintf(w, "\tBoring: %v\n", fipsEnabled)
 if clientOnly {
 return
@@ -93,4 +96,4 @@ func printVersion(w io.Writer, clientOnly bool, kbClient kbclient.Client, server
 }
 fmt.Fprintf(w, "# WARNING: the client version does not match the server version. Please update %s\n", upgrade)
 }
-}
+}
\ No newline at end of file
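Review bot: fips.go is committed without a trailing newline (`\ No newline at end of file`), which gofmt will rewrite on the next touch; the @@ -93 hunk of version.go does the same to that file's final `}` and should be dropped. `init` also needs a comment stating why it exists, e.g. `// init records whether BoringCrypto is active. This file is compiled only under GOEXPERIMENT=boringcrypto, so fipsEnabled keeps its false default in standard builds.`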
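Review bot: The comment `// to support buildtag added funcs` on `fipsEnabled` does not say what the variable means or where a true value comes from; a doc comment such as `// fipsEnabled reports whether BoringCrypto is active in this binary. It is set from boring.Enabled() by the init in fips.go, which is built only with GOEXPERIMENT=boringcrypto, and stays false otherwise.` would make the new line in the version output auditable. Labelling that line `BoringCrypto:` rather than `Boring:` would also match what the value reports. printVersion continues past the end of this hunk.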