Merge pull request #28 from tetrateio/fips

Build and test fips images
zhaohuabing · May 8, 2024 · 43f292b · 43f292b
2 parents 2f6e3d2 + 39cfd26
commit 43f292b
Show file tree

Hide file tree

Showing 3 changed files with 240 additions and 4 deletions.
diff --git a/.github/workflows/release-fips.yaml b/.github/workflows/release-fips.yaml
@@ -0,0 +1,173 @@
+name: "FIPS Release"
+
+on:
+  push:
+    # Sequence of patterns matched against refs/tags
+    tags:
+      - "v*.*.*"
+
+permissions:
+  contents: read
+
+env:
+  PLATFORMS: "linux_amd64"
+  IMAGE_PLATFORMS: "linux/amd64"
+
+jobs:
+  lint:
+    runs-on: [self-hosted, linux, x64]
+    steps:
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f  # v4.1.3
+      - uses: ./tools/github-actions/setup-deps
+      - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814  # v4.2.0
+        with:
+          version: v3.5.0
+      # Generate the install manifests first so it can checked
+      # for errors while running `make -k lint`
+      - run: make generate-manifests
+      - run: make lint-deps
+      - run: make -k lint
+
+  gen-check:
+    runs-on: [self-hosted, linux, x64]
+    steps:
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f  # v4.1.3
+      - uses: ./tools/github-actions/setup-deps
+      - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814  # v4.2.0
+        with:
+          version: v3.5.0
+      - run: make -k gen-check
+
+  license-check:
+    runs-on: [self-hosted, linux, x64]
+    steps:
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f  # v4.1.3
+      - uses: ./tools/github-actions/setup-deps
+      - run: make -k licensecheck
+
+  coverage-test:
+    runs-on: [self-hosted, linux, x64]
+    steps:
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f  # v4.1.3
+      - uses: ./tools/github-actions/setup-deps
+
+      # test
+      - name: Run Coverage Tests
+        run: make go.test.coverage
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@4fe8c5f003fae66aa5ebb77cfd3e7bfbbda0b6b0  # v3.1.5
+        with:
+          fail_ci_if_error: false
+          files: ./coverage.xml
+          name: codecov-envoy-gateway
+          verbose: true
+
+  build:
+    runs-on: [self-hosted, linux, x64]
+    needs: [lint, gen-check, license-check, coverage-test]
+    steps:
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f  # v4.1.3
+      - uses: ./tools/github-actions/setup-deps
+
+      - name: Build EG Multiarch Binaries
+        run: make build-multiarch PLATFORMS=${{ env.PLATFORMS }}
+
+      - name: Upload EG Binaries
+        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba  # v4.3.2
+        with:
+          name: envoy-gateway
+          path: bin/
+
+  # Enable once https://github.com/tetrateio/gateway/issues/15 is completed
+  conformance-test:
+    runs-on: [self-hosted, linux, x64]
+    needs: [build]
+    strategy:
+      matrix:
+        version: [ v1.26.14, v1.27.11, v1.28.7, v1.29.2 ]
+    steps:
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f  # v4.1.3
+      - uses: ./tools/github-actions/setup-deps
+      - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814  # v4.2.0
+        with:
+          version: v3.5.0
+      - name: Download EG Binaries
+        uses: actions/download-artifact@8caf195ad4b1dee92908e23f56eeb0696f1dd42d  # v4.1.5
+        with:
+          name: envoy-gateway
+          path: bin/
+      - name: Give Privileges To EG Binaries
+        run: chmod +x bin/linux/amd64/envoy-gateway
+
+      # conformance
+      #    - name: Run Standard Conformance Tests
+      #      env:
+      #        KIND_NODE_TAG: ${{ matrix.version }}
+      #        IMAGE_PULL_POLICY: IfNotPresent
+      #      run: make conformance
+
+  e2e-test:
+    runs-on: [self-hosted, linux, x64]
+    needs: [build]
+    strategy:
+      matrix:
+        version: [ v1.26.14, v1.27.11, v1.28.7, v1.29.2 ]
+    steps:
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f  # v4.1.3
+      - uses: ./tools/github-actions/setup-deps
+      - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814  # v4.2.0
+        with:
+          version: v3.5.0
+      - name: Download EG Binaries
+        uses: actions/download-artifact@8caf195ad4b1dee92908e23f56eeb0696f1dd42d  # v4.1.5
+        with:
+          name: envoy-gateway
+          path: bin/
+      - name: Give Privileges To EG Binaries
+        run: chmod +x bin/linux/amd64/envoy-gateway
+
+      # E2E
+      #    - name: Run E2E Tests
+      #      env:
+      #        KIND_NODE_TAG: ${{ matrix.version }}
+      #        IMAGE_PULL_POLICY: IfNotPresent
+      #      run: make e2e
+
+  publish:
+    runs-on: [self-hosted, linux, x64]
+    needs: [conformance-test, e2e-test]
+    steps:
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f  # v4.1.3
+      - uses: ./tools/github-actions/setup-deps
+
+      - name: Download EG Binaries
+        uses: actions/download-artifact@8caf195ad4b1dee92908e23f56eeb0696f1dd42d  # v4.1.5
+        with:
+          name: envoy-gateway
+          path: bin/
+
+      - name: Give Privileges To EG Binaries
+        run: chmod +x bin/linux/amd64/envoy-gateway
+
+      - name: Setup Multiarch Environment
+        if: github.event_name == 'push'
+        run: make image.multiarch.setup
+
+      - name: Extract Release Tag
+        id: vars
+        shell: bash
+        run: echo "release_tag=$(echo ${GITHUB_REF##*/})" >> $GITHUB_ENV
+
+      # build and push image
+      - name: Login to Cloudsmith Registry
+        if: github.event_name == 'push'
+        uses: docker/login-action@v2
+        with:
+          registry: docker.cloudsmith.io
+          username: ${{ secrets.CLOUDSMITH_USERNAME }}
+          password: ${{ secrets.CLOUDSMITH_SECRET }}
+
+      - name: Build and Push TEG Commit Image to Cloudsmith Registry
+        if: github.event_name == 'push'
+        # tag is set to the short SHA of the commit
+        run: make image.push.multiarch TAG=${{ env.release_tag }} PLATFORMS=${{ env.PLATFORMS }} IMAGE_PLATFORMS=${{ env.IMAGE_PLATFORMS }} IMAGE=fips-containers.teg.tetratelabs.com/gateway
diff --git a/tools/hack/verify_fips.sh b/tools/hack/verify_fips.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+binary=$1
+
+echo "Checking whether compiled binaries have BoringSSL enabled ..."
+echo "* checking ${binary} ..."
+
+echo "  * checking 'go version' ..."
+if ! go version "${binary}" | grep 'X:boringcrypto' ; then
+    echo "  ! 'go version <binary>' returned value without 'X:boringcrypto': $(go version "${binary}")"
+    exit 2
+fi
+
+echo "  * checking 'strings' ..."
+if ! strings "${binary}" | grep --quiet '_Cfunc__goboringcrypto_' ; then
+    echo "  ! 'strings <binary>' did not return expected BoringSSL symbol names"
+    exit 2
+fi
+
+echo "  + BoringSSL is enabled in ${binary}"
diff --git a/tools/make/golang.mk b/tools/make/golang.mk
@@ -4,7 +4,7 @@
 
 VERSION_PACKAGE := github.com/envoyproxy/gateway/internal/cmd/version
 
-GO_LDFLAGS += -X $(VERSION_PACKAGE).envoyGatewayVersion=$(shell cat VERSION) \
+GO_LD_FLAGS += -X $(VERSION_PACKAGE).envoyGatewayVersion=$(shell cat VERSION) \
 	-X $(VERSION_PACKAGE).shutdownManagerVersion=$(TAG) \
 	-X $(VERSION_PACKAGE).gitCommitID=$(GIT_COMMIT)
 
@@ -17,9 +17,18 @@ endif
 
 GO_VERSION = $(shell grep -oE "^go [[:digit:]]*\.[[:digit:]]*" go.mod | cut -d' ' -f2)
 
+DEBUG ?= false
+
+# as per https://projectcontour.io/docs/1.24/guides/fips/
+FIPS_BUILD_FLAGS = CGO_ENABLED=1 GOEXPERIMENT=boringcrypto VERIFY_FIPS=true
+FIPS_LD_FLAGS = GO_LD_FLAGS
+ifneq ($(DEBUG),true)
+  FIPS_LD_FLAGS += -extldflags -static -s -w -linkmode=external
+endif
+
 # Build the target binary in target platform.
 # The pattern of build.% is `build.{Platform}.{Command}`.
-# If we want to build envoy-gateway in linux amd64 platform, 
+# If we want to build envoy-gateway in linux amd64 platform,
 # just execute make go.build.linux_amd64.envoy-gateway.
 .PHONY: go.build.%
 go.build.%:
@@ -29,17 +38,43 @@ go.build.%:
 	$(eval OS := $(word 1,$(subst _, ,$(PLATFORM))))
 	$(eval ARCH := $(word 2,$(subst _, ,$(PLATFORM))))
 	@$(call log, "Building binary $(COMMAND) with commit $(REV) for $(OS) $(ARCH)")
-	CGO_ENABLED=0 GOOS=$(OS) GOARCH=$(ARCH) go build -o $(OUTPUT_DIR)/$(OS)/$(ARCH)/$(COMMAND) -ldflags "$(GO_LDFLAGS)" $(ROOT_PACKAGE)/cmd/$(COMMAND)
+	CGO_ENABLED=0 GOOS=$(OS) GOARCH=$(ARCH) go build -o $(OUTPUT_DIR)/$(OS)/$(ARCH)/$(COMMAND) -ldflags "$(GO_LD_FLAGS)" $(ROOT_PACKAGE)/cmd/$(COMMAND)
+
+.PHONY: go.fips.build.%
+go.fips.build.%:
+	@$(LOG_TARGET)
+	$(eval COMMAND := $(word 2,$(subst ., ,$*)))
+	$(eval PLATFORM := $(word 1,$(subst ., ,$*)))
+	$(eval OS := $(word 1,$(subst _, ,$(PLATFORM))))
+	$(eval ARCH := $(word 2,$(subst _, ,$(PLATFORM))))
+	@$(call log, "Building binary $(COMMAND) with commit $(REV) for $(OS) $(ARCH)")
+	CGO_ENABLED=0 GOOS=$(OS) GOARCH=$(ARCH) $(FIPS_BUILD_FLAGS) go build -o $(OUTPUT_DIR)/$(OS)/$(ARCH)/$(COMMAND) -ldflags "$(FIPS_LD_FLAGS)" $(ROOT_PACKAGE)/cmd/$(COMMAND)
+
+go.fips.verify.%:
+	@$(LOG_TARGET)
+	$(eval COMMAND := $(word 2,$(subst ., ,$*)))
+	$(eval PLATFORM := $(word 1,$(subst ., ,$*)))
+	$(eval OS := $(word 1,$(subst _, ,$(PLATFORM))))
+	$(eval ARCH := $(word 2,$(subst _, ,$(PLATFORM))))
+	@$(call log, "Verifying binary $(COMMAND)")
+	tools/hack/verify_fips.sh $(OUTPUT_DIR)/$(OS)/$(ARCH)/$(COMMAND)
 
 # Build the envoy-gateway binaries in the hosted platforms.
 .PHONY: go.build
 go.build: $(addprefix go.build., $(addprefix $(PLATFORM)., $(BINS)))
 
+# Build the FIPS envoy-gateway binaries in the hosted platforms.
+.PHONY: go.fips.build
+go.fips.build: $(addprefix go.fips.build., $(addprefix $(PLATFORM)., $(BINS))) $(addprefix go.fips.verify., $(addprefix $(PLATFORM)., $(BINS)))
+
 # Build the envoy-gateway binaries in multi platforms
 # It will build the linux/amd64, linux/arm64, darwin/amd64, darwin/arm64 binaries out.
 .PHONY: go.build.multiarch
 go.build.multiarch: $(foreach p,$(PLATFORMS),$(addprefix go.build., $(addprefix $(p)., $(BINS))))
 
+# Build the FIPS envoy-gateway binaries in multi platforms.
+.PHONY: go.fips.build.multiarch
+go.fips.build.multiarch: $(foreach p,$(PLATFORMS),$(addprefix go.fips.build., $(addprefix $(p)., $(BINS)))) $(foreach p,$(PLATFORMS),$(addprefix go.fips.verify., $(addprefix $(p)., $(BINS))))
 
 .PHONY: go.test.unit
 go.test.unit: ## Run go unit tests
@@ -101,10 +136,18 @@ go.generate: ## Generate code from templates
 build: ## Build envoy-gateway for host platform. See Option PLATFORM and BINS.
 build: go.build
 
+.PHONY: fips.build
+fips.build: ## Build FIPS envoy-gateway for host platform. See Option PLATFORM and BINS.
+fips.build: go.fips.build
+
 .PHONY: build-multiarch
 build-multiarch: ## Build envoy-gateway for multiple platforms. See Option PLATFORMS and IMAGES.
 build-multiarch: go.build.multiarch
 
+.PHONY: fips.build-multiarch
+fips.build-multiarch: ## Build FIPS envoy-gateway for multiple platforms. See Option PLATFORMS and IMAGES.
+fips.build-multiarch: go.fips.build.multiarch
+
 .PHONY: test
 test: ## Run all Go test of code sources.
 test: go.test.unit
@@ -119,4 +162,4 @@ clean: go.clean
 
 .PHONY: testdata
 testdata: ## Override the testdata with new configurations.
-testdata: go.testdata.complete
+testdata: go.testdata.complete