Create new docker FIPS images (#1982)

Author: alvarocabanas

.github/workflows/component_docker_packaging.yml

@@ -19,6 +19,10 @@ on:
       TAG:
         required: true
         type: string
+      FIPS:
+        required: false
+        type: boolean
+        default: false
 
 env:
   GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
@@ -29,6 +33,7 @@ env:
   DOCKER_HUB_ID: ${{ secrets.DOCKER_HUB_ID }}
   DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   DOCKER_PUBLISH: true
+  FIPS: ${{ inputs.FIPS == true && '-fips' || '' }}
 
 jobs:
   packaging:
@@ -47,7 +52,7 @@ jobs:
           password: ${{ env.DOCKER_HUB_PASSWORD }}
 
       - name: Compiling binaries for linux amd64, arm, arm64
-        run: make ci/prerelease/linux-for-docker
+        run: make ci/prerelease/linux-for-docker${{env.FIPS}}
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
@@ -58,10 +63,10 @@ jobs:
           version: v0.9.1
 
       - name: Build and publish Release Candidate (RC) of base Docker image
-        run: AGENT_VERSION=${{env.TAG}} make -C build/container/ clean publish/multi-arch-base-rc
+        run: AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} make -C build/container/ clean publish/multi-arch-base-rc
 
       - name: Build and publish Release Candidate (RC) of forwarder Docker image
-        run: AGENT_VERSION=${{env.TAG}} make -C build/container/ clean publish/multi-arch-forwarder-rc
+        run: AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} make -C build/container/ clean publish/multi-arch-forwarder-rc
 
       - name: Build and publish Release Candidate (RC) of k8s-events-forwarders Docker image
-        run: AGENT_VERSION=${{env.TAG}} make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-rc
+        run: AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-rc

.github/workflows/component_docker_publish.yml

@@ -53,4 +53,22 @@ jobs:
         run: make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-tag AGENT_VERSION=${{env.TAG}}
 
       - name: Publish latest of k8s-events-forwarders Docker image
-        run: make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-latest AGENT_VERSION=${{env.TAG}}
+        run: make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-latest AGENT_VERSION=${{env.TAG}}
+
+      - name: Publish tag of base Docker image FIPS
+        run: make -C build/container/ clean publish/multi-arch-base-tag AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}}
+
+      - name: Publish latest of base Docker image FIPS
+        run: make -C build/container/ clean publish/multi-arch-base-latest AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}}
+
+      - name: Publish tag of forwarder Docker image FIPS
+        run: make -C build/container/ clean publish/multi-arch-forwarder-tag AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}}
+
+      - name: Publish latest of forwarder Docker image FIPS
+        run: make -C build/container/ clean publish/multi-arch-forwarder-latest AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}}
+
+      - name: Publish tag of k8s-events-forwarders Docker image FIPS
+        run: make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-tag AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}}
+
+      - name: Publish latest of k8s-events-forwarders Docker image FIPS
+        run: make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-latest AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}}

.github/workflows/component_trivy.yml

@@ -12,6 +12,13 @@ on:
       severity:
         required: true
         type: string
+      FIPS:
+        required: false
+        type: boolean
+        default: false
+
+env:
+  FIPS: ${{ inputs.FIPS == true && '-fips' || '' }}
 
 jobs:
   trivy_scanner:
@@ -22,7 +29,7 @@ jobs:
       - name: newrelic/infrastructure
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "docker.io/newrelic/infrastructure:${{ inputs.tag }}"
+          image-ref: "docker.io/newrelic/infrastructure${{ env.FIPS }}:${{ inputs.tag }}"
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
@@ -35,7 +42,7 @@ jobs:
       - name: newrelic/k8s-events-forwarder
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "docker.io/newrelic/k8s-events-forwarder:${{ inputs.tag }}"
+          image-ref: "docker.io/newrelic/k8s-events-forwarder${{ env.FIPS }}:${{ inputs.tag }}"
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
@@ -48,7 +55,7 @@ jobs:
       - name: newrelic/nri-forwarder
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "docker.io/newrelic/nri-forwarder:${{ inputs.tag }}"
+          image-ref: "docker.io/newrelic/nri-forwarder${{ env.FIPS }}:${{ inputs.tag }}"
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
@@ -69,7 +76,7 @@ jobs:
       - name: Sarif newrelic/infrastructure
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "docker.io/newrelic/infrastructure:${{ inputs.tag }}"
+          image-ref: "docker.io/newrelic/infrastructure${{ env.FIPS }}:${{ inputs.tag }}"
           format: 'sarif'
           output: 'trivy-results.sarif'
           vuln-type: 'os,library'

.github/workflows/prerelease_linux.yml

@@ -124,6 +124,28 @@ jobs:
       tag: "${{ github.event.release.tag_name }}-rc"
       severity: "CRITICAL"
 
+  packaging-docker-fips:
+    needs: [unit-test, proxy-tests]
+    uses: ./.github/workflows/component_docker_packaging.yml
+    secrets:
+      DOCKER_HUB_ID: ${{secrets.OHAI_DOCKER_HUB_ID}}
+      DOCKER_HUB_PASSWORD: ${{secrets.OHAI_DOCKER_HUB_PASSWORD}}
+      GPG_MAIL: '[email protected]'
+      GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }}
+      GPG_PRIVATE_KEY_BASE64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    with:
+      TAG:  ${{ github.event.release.tag_name }}
+      FIPS: true
+
+  docker-fips-trivy-critical:
+    needs: [packaging-docker-fips]
+    uses: ./.github/workflows/component_trivy.yml
+    with:
+      tag: "${{ github.event.release.tag_name }}-rc"
+      severity: "CRITICAL"
+      FIPS: true
+
   publishing-to-s3:
     # point to staging after tests
     name: Publish linux artifacts into s3 staging bucket

build/ci.mk

@@ -84,6 +84,10 @@ ci/prerelease/linux-legacy:
 ci/prerelease/linux-for-docker:
 	TARGET_OS=linux-for-docker $(MAKE) ci/prerelease
 
+.PHONY : ci/prerelease/linux-for-docker-fips
+ci/prerelease/linux-for-docker-fips:
+	TARGET_OS=linux-for-docker-fips $(MAKE) ci/prerelease
+
 
 .PHONY : ci/prerelease/macos
 ci/prerelease/macos:

build/container/Dockerfile

@@ -36,8 +36,12 @@ RUN apk add --no-cache --upgrade \
     #   libpthread.so.0 => /lib64/ld-linux-x86-64.so.2 (0x7f2bbbd0f000)
     #   libc.so.6 => /lib64/ld-linux-x86-64.so.2 (0x7f2bbbd0f000)
     # As musl and glibc are compatible, this symlink fixes the missing dependency
+    # The simlink is added both for amd64 and arm64 architectures
     && mkdir /lib64 \
     && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2 \
+    && ln -s /lib/libc.musl-aarch64.so.1 /lib64/ld-linux-aarch64.so.1 \
+    # libresolv.so.2 is needed when CGO is enabled so we add the glibc compatibility for Alpine
+    && apk add --no-cache gcompat \
     && apk add --no-cache tini
 
 # Tini is now available at /sbin/tini

build/container/Makefile

@@ -16,6 +16,7 @@ DOCKER_BUILD_TAG_PREFIX	?= build
 DOCKER_TAG_LATEST	?= latest
 USE_BUILDX			?= false
 DOCKER_PUBLISH		?= false
+FIPS                ?=
 
 AGENT_ARCH ?= $(DOCKER_ARCH)
 
@@ -50,12 +51,12 @@ AGENT_VERSION                  ?= 0.0.0
 IMAGE_VERSION                  ?= $(AGENT_VERSION)
 
 NS                             ?= newrelic
-REPO                           ?= infrastructure
+REPO                           ?= infrastructure${FIPS}
 IMAGE_NAME                     ?= ${NS}/${REPO}
 CORE_IMAGE_NAME                ?= ${IMAGE_NAME}-core
 BASE_IMAGE_NAME                ?= ${IMAGE_NAME}
-K8S_FWD_IMAGE_NAME			   ?= ${NS}/k8s-events-forwarder
-FWD_IMAGE_NAME			   	   ?= ${NS}/nri-forwarder
+K8S_FWD_IMAGE_NAME			   ?= ${NS}/k8s-events-forwarder${FIPS}
+FWD_IMAGE_NAME			   	   ?= ${NS}/nri-forwarder${FIPS}
 DOCKER_IMAGE_NAME			   ?= ${BASE_IMAGE_NAME}
 
 AGENT_BIN                      ?= newrelic-infra
@@ -265,19 +266,29 @@ publish/multi-arch-base-manifest :
 	@printf 'Target: publish/base-manifest\n'
 	@printf 'Image: $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION)'
 	@printf '\n================================================================\n'
+ifeq ($(FIPS),)
 	@(docker manifest create \
     $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) \
     	$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm64 \
     	$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm \
     	$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-amd64)
+else
+	@(docker manifest create \
+    $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) \
+    	$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm64 \
+    	$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-amd64)
+endif
 	@docker manifest push $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION)
 
+
 # [RC] Shortcut to build all supported multi arch bases and publish as RC
 .PHONY : publish/multi-arch-base-rc
 publish/multi-arch-base-rc : export IMAGE_VERSION=$(AGENT_VERSION)-rc
 publish/multi-arch-base-rc : export DOCKER_BUILD_TAG_PREFIX=$(IMAGE_VERSION)
 publish/multi-arch-base-rc : build/base-arm64
+ifeq ($(FIPS),)
 publish/multi-arch-base-rc : build/base-arm
+endif
 publish/multi-arch-base-rc : build/base-amd64
 publish/multi-arch-base-rc : publish/multi-arch-base-manifest
 
@@ -301,19 +312,28 @@ publish/multi-arch-k8s-events-forwarder-manifest :
 	@printf 'Target: publish/k8s-events-forwarder-manifest\n'
 	@printf 'Image: $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION)'
 	@printf '\n================================================================\n'
+ifeq ($(FIPS),)
 	@(docker manifest create \
     $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) \
     	$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm64 \
     	$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm \
     	$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-amd64)
+else
+	@(docker manifest create \
+    $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) \
+    	$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm64 \
+    	$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-amd64)
+endif
 	@docker manifest push $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION)
 
 # [RC] Shortcut to build all supported multi arch k8s-events-forwarders and publish as RC
 .PHONY : publish/multi-arch-k8s-events-forwarder-rc
 publish/multi-arch-k8s-events-forwarder-rc : export IMAGE_VERSION=$(AGENT_VERSION)-rc
 publish/multi-arch-k8s-events-forwarder-rc : export DOCKER_BUILD_TAG_PREFIX=$(IMAGE_VERSION)
 publish/multi-arch-k8s-events-forwarder-rc : build/k8s-events-forwarder-arm64
+ifeq ($(FIPS),)
 publish/multi-arch-k8s-events-forwarder-rc : build/k8s-events-forwarder-arm
+endif
 publish/multi-arch-k8s-events-forwarder-rc : build/k8s-events-forwarder-amd64
 publish/multi-arch-k8s-events-forwarder-rc : publish/multi-arch-k8s-events-forwarder-manifest
 
@@ -337,11 +357,18 @@ publish/multi-arch-forwarder-manifest :
 	@printf 'Target: publish/forwarder-manifest\n'
 	@printf 'Image: $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION)'
 	@printf '\n================================================================\n'
+ifeq ($(FIPS),)
 	@(docker manifest create \
     $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) \
     	$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm64 \
     	$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm \
     	$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-amd64)
+else
+	@(docker manifest create \
+    $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) \
+    	$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm64 \
+    	$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-amd64)
+endif
 	@docker manifest push $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION)
 
 
@@ -350,7 +377,9 @@ publish/multi-arch-forwarder-manifest :
 publish/multi-arch-forwarder-rc : export IMAGE_VERSION=$(AGENT_VERSION)-rc
 publish/multi-arch-forwarder-rc : export DOCKER_BUILD_TAG_PREFIX=$(IMAGE_VERSION)
 publish/multi-arch-forwarder-rc : build/forwarder-arm64
+ifeq ($(FIPS),)
 publish/multi-arch-forwarder-rc : build/forwarder-arm
+endif
 publish/multi-arch-forwarder-rc : build/forwarder-amd64
 publish/multi-arch-forwarder-rc : publish/multi-arch-forwarder-manifest
 

build/release.mk

@@ -110,6 +110,11 @@ release/pkg-linux-for-docker: release/deps release/clean generate-goreleaser-for
 	@echo "=== [release/pkg-linux-for-docker] PRE-RELEASE compiling all binaries"
 	$(GORELEASER_BIN) release --config $(GORELEASER_CONFIG_LINUX) $(PKG_FLAGS)
 
+.PHONY : release/pkg-linux-for-docker-fips
+release/pkg-linux-for-docker-fips: release/deps release/clean generate-goreleaser-for-docker-fips
+	@echo "=== [release/pkg-linux-for-docker-fips] PRE-RELEASE compiling all binaries"
+	$(GORELEASER_BIN) release --config $(GORELEASER_CONFIG_LINUX) $(PKG_FLAGS)
+
 .PHONY : release/pkg-macos
 release/pkg-macos: release/deps release/clean
 #release/pkg-macos: release/get-integrations-amd64-macos NO ASSETS AVAILABLE FOR NOW
@@ -169,6 +174,10 @@ release-linux-arm64: release/pkg-linux-arm64 release/fix-tarballs-linux release/
 release-linux-for-docker: release/pkg-linux-for-docker
 	@echo "=== [release-linux-for-docker] compiling assets for docker"
 
+.PHONY : release-linux-for-docker-fips
+release-linux-for-docker-fips: release/pkg-linux-for-docker-fips
+	@echo "=== [release-linux-for-docker-fips] compiling assets for docker - FIPS"
+
 .PHONY : release-macos
 release-macos: release/pkg-macos release/fix-tarballs-macos
 	@echo "=== [release-macos] full pre-release cycle complete for macOS"
@@ -371,6 +380,13 @@ generate-goreleaser-for-docker:
 		$(CURDIR)/build/goreleaser/linux/build_arm64.yml\
   		 > $(GORELEASER_CONFIG_LINUX)
 
+.PHONY : generate-goreleaser-for-docker-fips
+generate-goreleaser-for-docker-fips:
+	cat $(CURDIR)/build/goreleaser/linux/header.yml\
+		$(CURDIR)/build/goreleaser/linux/build_amd64_fips.yml\
+		$(CURDIR)/build/goreleaser/linux/build_arm64_fips.yml\
+  		 > $(GORELEASER_CONFIG_LINUX)
+
 ifndef SNAPSHOT
 	$(error SNAPSHOT is undefined)
 endif