
Commit 946f7f4

Generate fips image compiled with Go boringcrypto (#1731) (#1737)
* checkpoint: builds both with cli arg * fips image for main build * add jobs for generating fips image and publishing main-fips tag * fix main fips job references * fix param naming
1 parent 0716a4a commit 946f7f4


4 files changed

+48
-6
lines changed


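--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -16,6 +16,7 @@ variables:
 TEST_INFRA_DEFINITIONS_BUILDIMAGES: f61405297d57
 PUSH_IMAGES_TO_STAGING:
 description: "Set PUSH_IMAGE_TO_STAGING to 'true' if you want to push the operator to internal staging registry."
+FIPS_ENABLED: false
 
 cache: &global_cache
 key: ${CI_COMMIT_REF_SLUG}
@@ -144,9 +145,16 @@ build_operator_image_amd64:
 # DockerHub login for build to limit rate limit when pulling base images
 - DOCKER_REGISTRY_LOGIN=$(aws ssm get-parameter --region us-east-1 --name ci.datadog-operator.$DOCKER_REGISTRY_LOGIN_SSM_KEY --with-decryption --query "Parameter.Value" --out text)
 - aws ssm get-parameter --region us-east-1 --name ci.datadog-operator.$DOCKER_REGISTRY_PWD_SSM_KEY --with-decryption --query "Parameter.Value" --out text | docker login --username "$DOCKER_REGISTRY_LOGIN" --password-stdin "$DOCKER_REGISTRY_URL"
-- IMG=$TARGET_IMAGE make docker-build-push-ci
+- IMG=$TARGET_IMAGE FIPS_ENABLED=$FIPS_ENABLED make docker-build-push-ci
 - if [ -n "$CI_COMMIT_TAG" ]; then docker buildx imagetools create $TARGET_IMAGE --tag $RELEASE_IMAGE; fi
 
+build_operator_image_fips_amd64:
+extends: build_operator_image_amd64
+variables:
+TARGET_IMAGE: $BUILD_DOCKER_REGISTRY/$PROJECTNAME:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-fips-amd64
+RELEASE_IMAGE: $BUILD_DOCKER_REGISTRY/$PROJECTNAME:$CI_COMMIT_TAG-fips-amd64
+FIPS_ENABLED: "true"
+
 build_operator_image_arm64:
 stage: image
 rules: !reference [.on_build_images]
@@ -161,9 +169,16 @@ build_operator_image_arm64:
 # DockerHub login for build to limit rate limit when pulling base images
 - DOCKER_REGISTRY_LOGIN=$(aws ssm get-parameter --region us-east-1 --name ci.datadog-operator.$DOCKER_REGISTRY_LOGIN_SSM_KEY --with-decryption --query "Parameter.Value" --out text)
 - aws ssm get-parameter --region us-east-1 --name ci.datadog-operator.$DOCKER_REGISTRY_PWD_SSM_KEY --with-decryption --query "Parameter.Value" --out text | docker login --username "$DOCKER_REGISTRY_LOGIN" --password-stdin "$DOCKER_REGISTRY_URL"
-- IMG=$TARGET_IMAGE make docker-build-push-ci
+- IMG=$TARGET_IMAGE FIPS_ENABLED=$FIPS_ENABLED make docker-build-push-ci
 - if [ -n "$CI_COMMIT_TAG" ]; then docker buildx imagetools create $TARGET_IMAGE --tag $RELEASE_IMAGE; fi
 
+build_operator_image_fips_arm64:
+extends: build_operator_image_arm64
+variables:
+TARGET_IMAGE: $BUILD_DOCKER_REGISTRY/$PROJECTNAME:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-fips-arm64
+RELEASE_IMAGE: $BUILD_DOCKER_REGISTRY/$PROJECTNAME:$CI_COMMIT_TAG-fips-arm64
+FIPS_ENABLED: "true"
+
 build_operator_check_image_amd64:
 stage: image
 rules: !reference [.on_build_images]
@@ -227,6 +242,12 @@ publish_public_main:
 IMG_DESTINATIONS: operator:main
 IMG_SIGNING: "false"
 
+publish_public_main_fips:
+extends: publish_public_main
+variables:
+IMG_SOURCES: $BUILD_DOCKER_REGISTRY/$PROJECTNAME:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-fips-amd64,$BUILD_DOCKER_REGISTRY/$PROJECTNAME:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-fips-arm64
+IMG_DESTINATIONS: operator:main-fips
+
 publish_public_tag:
 stage: release
 rules: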
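Review bot: The global default `FIPS_ENABLED: false` added in the first hunk is an unquoted YAML boolean, while the new fips jobs set `FIPS_ENABLED: "true"` as a string; the value is forwarded as `FIPS_ENABLED=$FIPS_ENABLED` into the shell (same line in the amd64 and arm64 hunks) and compared as the string `"true"` downstream, so it works today, but writing it as `FIPS_ENABLED: "false"` keeps the two consistent and avoids depending on how the runner stringifies booleans. `publish_public_main_fips` inherits `IMG_SIGNING: "false"` from `publish_public_main`, so the `operator:main-fips` image is published unsigned exactly like `main`; worth confirming that is intended for an image whose purpose is a compliance claim, and a one-line comment on the job stating either way would save the next reader the question.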

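--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,6 @@
+#
+ARG FIPS_ENABLED=false
+
 # Build the manager binary
 FROM golang:1.23.6 AS builder
 
@@ -32,7 +35,14 @@ COPY cmd/helpers/ cmd/helpers/
 # Build
 ARG LDFLAGS
 ARG GOARCH
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=${GOARCH} GO111MODULE=on go build -a -ldflags "${LDFLAGS}" -o manager cmd/main.go
+ARG FIPS_ENABLED
+RUN echo "FIPS_ENABLED is: $FIPS_ENABLED"
+RUN if [ "$FIPS_ENABLED" = "true" ]; then \
+CGO_ENABLED=1 GOEXPERIMENT=boringcrypto GOOS=linux GOARCH=${GOARCH} GO111MODULE=on go build -tags fips -a -ldflags "${LDFLAGS}" -o manager cmd/main.go; \
+else \
+CGO_ENABLED=0 GOOS=linux GOARCH=${GOARCH} GO111MODULE=on go build -a -ldflags "${LDFLAGS}" -o manager cmd/main.go; \
+fi
+
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=${GOARCH} GO111MODULE=on go build -a -ldflags "${LDFLAGS}" -o helpers cmd/helpers/main.go
 
 FROM registry.access.redhat.com/ubi9/ubi-minimal:latest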
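Review bot: Only `manager` is switched to boringcrypto in the second hunk; the `helpers` binary built on the unchanged line right after `fi` still uses `CGO_ENABLED=0` with no `-tags fips`, so the image tagged `-fips` ships a second Go binary on the default crypto stack. Whether helpers does any TLS or hashing cannot be told from this diff; if it does it needs the same conditional, and either way a comment above that line should state the decision. `RUN echo "FIPS_ENABLED is: $FIPS_ENABLED"` reads like a checkpoint leftover that only adds a layer; a post-build check inside the `then` branch that the binary really links boringcrypto (e.g. `go tool nm manager | grep -q _goboringcrypto_`) would turn that debug output into a build-time guarantee, which is what a `-fips` tag needs. Note also that with `CGO_ENABLED=1` the FIPS `manager` is dynamically linked against the builder image's libc while the runtime is `ubi-minimal`, and the local `docker-build-ci` path with a `GOARCH` that differs from the host would need a C cross-compiler; both are worth a sentence in the Dockerfile header next to `ARG FIPS_ENABLED=false`, which currently sits under an empty `#` line.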

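--- a/Makefile
+++ b/Makefile
@@ -14,13 +14,14 @@ IMG_VERSION?=$(if $(VERSION),$(VERSION),latest)
 VERSION?=$(if $(GIT_TAG),$(GIT_TAG),$(TAG_HASH))
 GIT_COMMIT?=$(shell git rev-parse HEAD)
 DATE=$(shell date +%Y-%m-%d/%H:%M:%S )
-LDFLAGS=-w -s -X ${BUILDINFOPKG}.Commit=${GIT_COMMIT} -X ${BUILDINFOPKG}.Version=${VERSION} -X ${BUILDINFOPKG}.BuildTime=${DATE}
+LDFLAGS=-X ${BUILDINFOPKG}.Commit=${GIT_COMMIT} -X ${BUILDINFOPKG}.Version=${VERSION} -X ${BUILDINFOPKG}.BuildTime=${DATE}
 CHANNELS=stable
 DEFAULT_CHANNEL=stable
 GOARCH?=
 PLATFORM=$(shell uname -s | tr '[:upper:]' '[:lower:]')-$(shell uname -m)
 ROOT=$(dir $(abspath $(firstword $(MAKEFILE_LIST))))
 KUSTOMIZE_CONFIG?=config/default
+FIPS_ENABLED?=false
 
 # Default bundle image tag
 BUNDLE_IMG ?= controller-bundle:$(VERSION)
@@ -157,7 +158,7 @@ docker-build: generate docker-build-ci docker-build-check-ci
 # For local use
 .PHONY: docker-build-ci
 docker-build-ci:
-docker build . -t ${IMG} --build-arg LDFLAGS="${LDFLAGS}" --build-arg GOARCH="${GOARCH}"
+docker build . -t ${IMG} --build-arg FIPS_ENABLED="${FIPS_ENABLED}" --build-arg LDFLAGS="${LDFLAGS}" --build-arg GOARCH="${GOARCH}"
 
 # For local use
 .PHONY: docker-build-check-ci
@@ -168,7 +169,7 @@ docker-build-check-ci:
 # For Gitlab use
 .PHONY: docker-build-push-ci
 docker-build-push-ci:
-docker buildx build . -t ${IMG} --build-arg LDFLAGS="${LDFLAGS}" --build-arg GOARCH="${GOARCH}" --platform=linux/${GOARCH} --provenance=false --push
+docker buildx build . -t ${IMG} --build-arg FIPS_ENABLED="${FIPS_ENABLED}" --build-arg LDFLAGS="${LDFLAGS}" --build-arg GOARCH="${GOARCH}" --platform=linux/${GOARCH} --provenance=false --push
 
 # For Gitlab use
 .PHONY: docker-build-push-check-ci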
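Review bot: The first hunk drops `-w -s` from `LDFLAGS` for every build, not only the FIPS one, so the regular `manager` and `helpers` binaries now ship with DWARF and symbol tables and grow accordingly, and the commit message does not say why. If the motive is to keep the boringcrypto symbols inspectable (a stripped binary cannot be checked with `go tool nm`), that deserves a comment on the assignment, e.g. `# no -w -s: keep symbols so a FIPS build can be verified post-build`, and the stripping could be kept for the non-FIPS case with `LDFLAGS=$(if $(filter true,$(FIPS_ENABLED)),,-w -s) -X ${BUILDINFOPKG}.Commit=${GIT_COMMIT} ...` (with `FIPS_ENABLED?=false` moved above it, since `=` binds late but readers expect the knob first). `FIPS_ENABLED?=false` itself is the right shape for a command-line-overridable knob, and the `docker-build-ci` and `docker-build-push-ci` hunks forward it correctly.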

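--- a/internal/controller/fipsonly.go
+++ b/internal/controller/fipsonly.go
@@ -0,0 +1,10 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+//go:build fips
+
+package controller
+
+import _ "crypto/tls/fipsonly"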
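Review bot: The new file carries no comment explaining the blank import, and a reader of `internal/controller` would not guess that `crypto/tls/fipsonly` globally restricts `crypto/tls` to FIPS-approved TLS versions and cipher suites at init time, for every TLS client and server in the process rather than just this package. A comment above the import such as `// Importing crypto/tls/fipsonly forces crypto/tls into FIPS-only mode process-wide. Built only with -tags fips (see Dockerfile).` would make that visible. On the Go 1.23 toolchain used in the Dockerfile the package is build-constrained to boringcrypto, so the `fips` tag also acts as a compile-time guard that `GOEXPERIMENT=boringcrypto` was set; if that is relied on, state it in the same comment, as it is the only thing in this change that stops a `-fips` image from silently containing a standard-crypto build.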
