TT-12103 Adding FIPS Support (#831)

* chore: Update Dockerfile.std for fips-linux build * feat: Update binary name for fips-linux build to tyk-pump-fips * feat: Update binary name for fips-linux build to tyk-pump-fips * Update binary name for fips-linux build to tyk-pump-fips * Update Dockerfile.std and build configuration for fips-linux build * Update Dockerfile.std and build configuration for fips-linux build * Update Dockerfile.std and build configuration for fips-linux build * removing duplicated jobs * Update Dockerfile.std and build configuration for fips-linux build * Update Dockerfile.distroless for standard package installation * Update Dockerfile.distroless for standard package installation * Update Dockerfile.distroless for standard package installation * Update Dockerfile.distroless for standard package installation * Update binary name for fips-linux build to tyk-pump-fips * Update Dockerfile.distroless for standard package installation * adding dockerfile to locally build a pips compliant option * fixing CI * uncommenting fips related * removing unused dockerfile * restoring release.yml
TykTechnologies · Jun 6, 2024 · 206c1d0 · 206c1d0
1 parent db9e582
commit 206c1d0
Show file tree

Hide file tree

Showing 5 changed files with 129 additions and 8 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -496,4 +496,4 @@ jobs:
     secrets:
       DEPDASH_URL: ${{ secrets.DEPDASH_URL }}
       DEPDASH_KEY: ${{ secrets.DEPDASH_KEY }}
-      ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }}
+      ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }}
diff --git a/bin/ci-test.sh b/bin/ci-test.sh
@@ -56,4 +56,7 @@ do
         coveragefile=`echo "$pkg" | awk -F/ '{print $NF}'`
         show go test -timeout ${TEST_TIMEOUT} ${race} --coverprofile=${coveragefile}.cov -v ${pkg}
     fi
+    echo "Running tests with GOEXPERIMENT=boringcrypto"
+    export GOEXPERIMENT=boringcrypto
+    show go test -tags=boringcrypto -timeout ${TEST_TIMEOUT} ${race} --coverprofile=${coveragefile}.cov -v ${pkg}
 done
diff --git a/ci/Dockerfile.distroless b/ci/Dockerfile.distroless
@@ -5,8 +5,8 @@ ARG TARGETARCH
 
 ENV DEBIAN_FRONTEND=noninteractive
 
-COPY *${TARGETARCH}.deb /
-RUN dpkg -i /tyk-pump*${TARGETARCH}.deb && rm /*.deb
+COPY tyk-pump*${TARGETARCH}.deb /tyk-pump.deb
+RUN dpkg -i /tyk-pump.deb && rm /tyk-pump.deb
 
 FROM gcr.io/distroless/static-debian12:nonroot
 
@@ -17,4 +17,4 @@ EXPOSE $PORTS
 
 WORKDIR /opt/tyk-pump/
 ENTRYPOINT ["/opt/tyk-pump/tyk-pump" ]
-CMD [ "--conf=/opt/tyk-pump/pump.conf" ]
+CMD [ "--conf=/opt/tyk-pump/pump.conf" ]
diff --git a/ci/goreleaser/goreleaser.yml b/ci/goreleaser/goreleaser.yml
@@ -18,6 +18,24 @@ builds:
       - arm64
       - s390x
     binary: tyk-pump
+
+  - id: fips-linux
+    flags:
+      - -tags=boringcrypto
+    ldflags:
+      - -X github.com/TykTechnologies/tyk-pump/pumps.Version={{.Version}}
+      - -X github.com/TykTechnologies/tyk-pump/pumps.Commit={{.FullCommit}}
+      - -X github.com/TykTechnologies/tyk-pump/pumps.BuildDate={{.Date}}
+      - -X github.com/TykTechnologies/tyk-pump/pumps.BuiltBy=goreleaser
+    env:
+      - GOEXPERIMENT=boringcrypto
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+    binary: tyk-pump-fips
+
 dockers:
   # Build tykio/tyk-pump-docker-pub, docker.tyk.io/tyk-pump/tyk-pump (amd64)
   - ids:
@@ -41,6 +59,27 @@ dockers:
       - "README.md"
       - "LICENSE.md"
       - "pump.example.conf"
+  - ids:
+      - std
+    image_templates:
+      - "tykio/tyk-pump-docker-pub:{{.Tag}}-fips-amd64"
+      - "docker.tyk.io/tyk-pump/tyk-pump:{{.Tag}}-fips-amd64"
+    build_flag_templates:
+      - "--build-arg=PORTS=80"
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+    use: buildx
+    goarch: amd64
+    goos: linux
+    dockerfile: ci/Dockerfile.std
+    extra_files:
+      - "ci/install/"
+      - "README.md"
+      - "LICENSE.md"
+      - "pump.example.conf"
   # Build tykio/tyk-pump-docker-pub, docker.tyk.io/tyk-pump/tyk-pump (arm64)
   - ids:
       - std
@@ -63,29 +102,60 @@ dockers:
       - "README.md"
       - "LICENSE.md"
       - "pump.example.conf"
+  - ids:
+      - std
+    image_templates:
+      - "tykio/tyk-pump-docker-pub:{{.Tag}}-fips-arm64"
+      - "docker.tyk.io/tyk-pump/tyk-pump:{{.Tag}}-fips-arm64"
+    build_flag_templates:
+      - "--build-arg=PORTS=80"
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+    use: buildx
+    goarch: arm64
+    goos: linux
+    dockerfile: ci/Dockerfile.std
+    extra_files:
+      - "ci/install/"
+      - "README.md"
+      - "LICENSE.md"
+      - "pump.example.conf"
+
 docker_manifests:
   - name_template: tykio/tyk-pump-docker-pub:{{ .Tag }}
     image_templates:
       - tykio/tyk-pump-docker-pub:{{ .Tag }}-amd64
+      - tykio/tyk-pump-docker-pub:{{ .Tag }}-fips-amd64
       - tykio/tyk-pump-docker-pub:{{ .Tag }}-arm64
+      - tykio/tyk-pump-docker-pub:{{ .Tag }}-fips-arm64
   - name_template: tykio/tyk-pump-docker-pub:v{{ .Major }}.{{ .Minor }}{{.Prerelease}}
     image_templates:
       - tykio/tyk-pump-docker-pub:{{ .Tag }}-amd64
+      - tykio/tyk-pump-docker-pub:{{ .Tag }}-fips-amd64
       - tykio/tyk-pump-docker-pub:{{ .Tag }}-arm64
+      - tykio/tyk-pump-docker-pub:{{ .Tag }}-fips-arm64
   - name_template: tykio/tyk-pump-docker-pub:v{{ .Major }}{{.Prerelease}}
     image_templates:
       - tykio/tyk-pump-docker-pub:{{ .Tag }}-amd64
+      - tykio/tyk-pump-docker-pub:{{ .Tag }}-fips-amd64
       - tykio/tyk-pump-docker-pub:{{ .Tag }}-arm64
+      - tykio/tyk-pump-docker-pub:{{ .Tag }}-fips-arm64
   - name_template: docker.tyk.io/tyk-pump/tyk-pump:{{ .Tag }}
     image_templates:
       - docker.tyk.io/tyk-pump/tyk-pump:{{ .Tag }}-amd64
+      - docker.tyk.io/tyk-pump/tyk-pump:{{ .Tag }}-fips-amd64
       - docker.tyk.io/tyk-pump/tyk-pump:{{ .Tag }}-arm64
+      - docker.tyk.io/tyk-pump/tyk-pump:{{ .Tag }}-fips-arm64
+
 nfpms:
   - id: std
     vendor: "Tyk Technologies Ltd"
     homepage: "https://tyk.io"
     maintainer: "Tyk <info@tyk.io>"
-    description: Tyk Analytics Pump to move analytics data from Redis to any supported back end (multiple back ends can be written to at once).
+    description: Tyk Analytics Pump to move analytics data from Redis to any supported backend (multiple backends can be written to at once).
     package_name: tyk-pump
     file_name_template: "{{ .ConventionalFileName }}"
     builds:
@@ -99,13 +169,13 @@ nfpms:
       - src: "ci/install/*"
         dst: "/opt/tyk-pump/install"
       - src: ci/install/inits/systemd/system/tyk-pump.service
-        dst: /lib/systemd/system/tyk-pump.service
+        dst: "/lib/systemd/system/tyk-pump.service"
       - src: ci/install/inits/sysv/init.d/tyk-pump
-        dst: /etc/init.d/tyk-pump
+        dst: "/etc/init.d/tyk-pump"
       - src: "LICENSE.md"
         dst: "/opt/share/docs/tyk-pump/LICENSE.md"
       - src: pump.example.conf
-        dst: /opt/tyk-pump/pump.conf
+        dst: "/opt/tyk-pump/pump.conf"
         type: "config|noreplace"
     scripts:
       preinstall: "ci/install/before_install.sh"
@@ -121,11 +191,53 @@ nfpms:
       signature:
         key_file: tyk.io.signing.key
         type: origin
+
+  - id: fips
+    vendor: "Tyk Technologies Ltd"
+    homepage: "https://tyk.io"
+    maintainer: "Tyk <info@tyk.io>"
+    description: Tyk Analytics Pump to move analytics data from Redis to any supported backend (multiple backends can be written to at once).
+    package_name: tyk-pump-fips
+    file_name_template: "{{ .ConventionalFileName }}"
+    builds:
+      - fips-linux
+    formats:
+      - deb
+      - rpm
+    contents:
+      - src: "README.md"
+        dst: "/opt/share/docs/tyk-pump-fips/README.md"
+      - src: "ci/install/*"
+        dst: "/opt/tyk-pump-fips/install"
+      - src: ci/install/inits/systemd/system/tyk-pump.service
+        dst: "/lib/systemd/system/tyk-pump.service"
+      - src: ci/install/inits/sysv/init.d/tyk-pump
+        dst: "/etc/init.d/tyk-pump"
+      - src: "LICENSE.md"
+        dst: "/opt/share/docs/tyk-pump-fips/LICENSE.md"
+      - src: pump.example.conf
+        dst: "/opt/tyk-pump/pump.conf"
+    scripts:
+      preinstall: "ci/install/before_install.sh"
+      postinstall: "ci/install/post_install.sh"
+      postremove: "ci/install/post_remove.sh"
+    bindir: "/opt/tyk-pump/fips"
+    rpm:
+      scripts:
+        posttrans: ci/install/post_trans.sh
+      signature:
+        key_file: tyk.io.signing.key
+    deb:
+      signature:
+        key_file: tyk.io.signing.key
+        type: origin
+
 publishers:
   - name: tyk-pump-unstable
     env:
       - PACKAGECLOUD_TOKEN={{ .Env.PACKAGECLOUD_TOKEN }}
     cmd: packagecloud publish --debvers "{{ .Env.DEBVERS }}" --rpmvers "{{ .Env.RPMVERS }}" tyk/tyk-pump-unstable {{ .ArtifactPath }}
+
 # This disables archives
 archives:
   - format: binary

diff --git a/pumps/fips.go b/pumps/fips.go
@@ -0,0 +1,6 @@
+//go:build boringcrypto
+// +build boringcrypto
+
+package pumps
+
+import _ "crypto/tls/fipsonly"