Create new docker FIPS images (#1982)
alvarocabanas committed Jan 13, 2025
1 parent 46c2f65 commit b8c4968
Showing 8 changed files with 117 additions and 12 deletions.
13 changes: 9 additions & 4 deletions .github/workflows/component_docker_packaging.yml
Expand Up @@ -19,6 +19,10 @@ on:
TAG:
required: true
type: string
FIPS:
required: false
type: boolean
default: false

env:
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
Expand All @@ -29,6 +33,7 @@ env:
DOCKER_HUB_ID: ${{ secrets.DOCKER_HUB_ID }}
DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
DOCKER_PUBLISH: true
FIPS: ${{ inputs.FIPS == true && '-fips' || '' }}

jobs:
packaging:
Expand All @@ -47,7 +52,7 @@ jobs:
password: ${{ env.DOCKER_HUB_PASSWORD }}

- name: Compiling binaries for linux amd64, arm, arm64
run: make ci/prerelease/linux-for-docker
run: make ci/prerelease/linux-for-docker${{env.FIPS}}

- name: Set up QEMU
uses: docker/setup-qemu-action@v1
Expand All @@ -58,10 +63,10 @@ jobs:
version: v0.9.1

- name: Build and publish Release Candidate (RC) of base Docker image
run: AGENT_VERSION=${{env.TAG}} make -C build/container/ clean publish/multi-arch-base-rc
run: AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} make -C build/container/ clean publish/multi-arch-base-rc

- name: Build and publish Release Candidate (RC) of forwarder Docker image
run: AGENT_VERSION=${{env.TAG}} make -C build/container/ clean publish/multi-arch-forwarder-rc
run: AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} make -C build/container/ clean publish/multi-arch-forwarder-rc

- name: Build and publish Release Candidate (RC) of k8s-events-forwarders Docker image
run: AGENT_VERSION=${{env.TAG}} make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-rc
run: AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-rc
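Review bot: The compile step and the three RC publish steps now splice `${{env.FIPS}}` straight into shell text; the expression on the `FIPS:` env line constrains the value to `-fips` or the empty string, so there is no injection here, but the exported variable can be read as `$FIPS` instead (e.g. `run: make ci/prerelease/linux-for-docker$FIPS`), which keeps this workflow free of the expression-in-run pattern that actionlint and similar scanners flag and that tends to get copied to places where the value is not constrained. Separately, the step still named `Compiling binaries for linux amd64, arm, arm64` is now also used for the FIPS variant, which — judging from the build/container/Makefile hunk in this commit that skips the arm targets when `FIPS` is set — does not produce an arm binary; a comment such as `# arm is not built for FIPS images` on that step, or a variant-neutral name, would stop the log from promising an artifact that is not there.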
20 changes: 19 additions & 1 deletion .github/workflows/component_docker_publish.yml
Expand Up @@ -53,4 +53,22 @@ jobs:
run: make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-tag AGENT_VERSION=${{env.TAG}}

- name: Publish latest of k8s-events-forwarders Docker image
run: make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-latest AGENT_VERSION=${{env.TAG}}
run: make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-latest AGENT_VERSION=${{env.TAG}}

- name: Publish tag of base Docker image FIPS
run: make -C build/container/ clean publish/multi-arch-base-tag AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}}

- name: Publish latest of base Docker image FIPS
run: make -C build/container/ clean publish/multi-arch-base-latest AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}}

- name: Publish tag of forwarder Docker image FIPS
run: make -C build/container/ clean publish/multi-arch-forwarder-tag AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}}

- name: Publish latest of forwarder Docker image FIPS
run: make -C build/container/ clean publish/multi-arch-forwarder-latest AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}}

- name: Publish tag of k8s-events-forwarders Docker image FIPS
run: make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-tag AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}}

- name: Publish latest of k8s-events-forwarders Docker image FIPS
run: make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-latest AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}}
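Review bot: Every new `… FIPS` step passes `FIPS=${{env.FIPS}}`, but this file's change adds no `FIPS` input and no `env.FIPS` mapping (all 19 additions are in the step list), unlike component_docker_packaging.yml and component_trivy.yml in the same commit. Unless `env.FIPS` is already defined higher in this workflow, which the diff does not show, the expression expands to the empty string, so the six FIPS steps re-publish the plain `infrastructure`, `nri-forwarder` and `k8s-events-forwarder` tags a second time while the `-fips` images are never pushed. Mirror the other two workflows: add a boolean `FIPS:` input (`required: false`, `default: false`) under `on.workflow_call.inputs` and `FIPS: ${{ inputs.FIPS == true && '-fips' || '' }}` under `env:`. Then either guard the new steps with `if: ${{ inputs.FIPS }}` and the existing ones with its negation, or have the caller invoke this workflow once per variant, so a single run never publishes both variants from one `FIPS` value.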
15 changes: 11 additions & 4 deletions .github/workflows/component_trivy.yml
Expand Up @@ -12,6 +12,13 @@ on:
severity:
required: true
type: string
FIPS:
required: false
type: boolean
default: false

env:
FIPS: ${{ inputs.FIPS == true && '-fips' || '' }}

jobs:
trivy_scanner:
Expand All @@ -22,7 +29,7 @@ jobs:
- name: newrelic/infrastructure
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/newrelic/infrastructure:${{ inputs.tag }}"
image-ref: "docker.io/newrelic/infrastructure${{ env.FIPS }}:${{ inputs.tag }}"
format: 'table'
exit-code: '1'
ignore-unfixed: true
Expand All @@ -35,7 +42,7 @@ jobs:
- name: newrelic/k8s-events-forwarder
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/newrelic/k8s-events-forwarder:${{ inputs.tag }}"
image-ref: "docker.io/newrelic/k8s-events-forwarder${{ env.FIPS }}:${{ inputs.tag }}"
format: 'table'
exit-code: '1'
ignore-unfixed: true
Expand All @@ -48,7 +55,7 @@ jobs:
- name: newrelic/nri-forwarder
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/newrelic/nri-forwarder:${{ inputs.tag }}"
image-ref: "docker.io/newrelic/nri-forwarder${{ env.FIPS }}:${{ inputs.tag }}"
format: 'table'
exit-code: '1'
ignore-unfixed: true
Expand All @@ -69,7 +76,7 @@ jobs:
- name: Sarif newrelic/infrastructure
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/newrelic/infrastructure:${{ inputs.tag }}"
image-ref: "docker.io/newrelic/infrastructure${{ env.FIPS }}:${{ inputs.tag }}"
format: 'sarif'
output: 'trivy-results.sarif'
vuln-type: 'os,library'
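Review bot: The `Sarif newrelic/infrastructure` step writes `trivy-results.sarif` for whichever variant `env.FIPS` selects, and prerelease_linux.yml in this commit now calls this workflow twice with the same tag; if the upload step below the hunk (not visible here) does not set a distinct `category` per variant, the second SARIF upload replaces the first in code scanning and FIPS findings become indistinguishable from non-FIPS ones. Deriving it from the variant, e.g. `category: "trivy${{ env.FIPS }}"`, and naming any uploaded artifact the same way keeps the two result sets apart. The new `env.FIPS` line is a name suffix rather than a flag, which a comment like `# '' or '-fips'; appended to the image repository name` should say, since the same expression is duplicated across three workflows. All four scan steps also resolve `aquasecurity/trivy-action@master`, a mutable ref; that predates this change, but now that the scan's `exit-code: '1'` gates the FIPS release candidate, pinning it to a release tag or commit SHA is worth doing in the same pass.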
22 changes: 22 additions & 0 deletions .github/workflows/prerelease_linux.yml
Expand Up @@ -124,6 +124,28 @@ jobs:
tag: "${{ github.event.release.tag_name }}-rc"
severity: "CRITICAL"

packaging-docker-fips:
needs: [unit-test, proxy-tests]
uses: ./.github/workflows/component_docker_packaging.yml
secrets:
DOCKER_HUB_ID: ${{secrets.OHAI_DOCKER_HUB_ID}}
DOCKER_HUB_PASSWORD: ${{secrets.OHAI_DOCKER_HUB_PASSWORD}}
GPG_MAIL: '[email protected]'
GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }}
GPG_PRIVATE_KEY_BASE64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
TAG: ${{ github.event.release.tag_name }}
FIPS: true

docker-fips-trivy-critical:
needs: [packaging-docker-fips]
uses: ./.github/workflows/component_trivy.yml
with:
tag: "${{ github.event.release.tag_name }}-rc"
severity: "CRITICAL"
FIPS: true

publishing-to-s3:
# point to staging after tests
name: Publish linux artifacts into s3 staging bucket
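Review bot: `docker-fips-trivy-critical` is added with `needs: [packaging-docker-fips]` only, and the `publishing-to-s3` job that follows is not touched, so unless its `needs:` list (outside the hunk) already names the new job, a CRITICAL finding in the FIPS images fails this job without blocking the downstream publish. If the intent is the same gate the non-FIPS scan presumably provides, add it, e.g. `needs: [..., docker-fips-trivy-critical]` on `publishing-to-s3`; if the FIPS scan is meant to be advisory for now, say so in a comment on the job. The `secrets:` block appears to be a verbatim copy of the non-FIPS packaging job above the hunk; reusable workflows make that hard to avoid, but a comment such as `# identical to the non-FIPS packaging job; only FIPS differs` tells the next reader which lines to diff.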
4 changes: 4 additions & 0 deletions build/ci.mk
Expand Up @@ -84,6 +84,10 @@ ci/prerelease/linux-legacy:
ci/prerelease/linux-for-docker:
TARGET_OS=linux-for-docker $(MAKE) ci/prerelease

.PHONY : ci/prerelease/linux-for-docker-fips
ci/prerelease/linux-for-docker-fips:
TARGET_OS=linux-for-docker-fips $(MAKE) ci/prerelease


.PHONY : ci/prerelease/macos
ci/prerelease/macos:
4 changes: 4 additions & 0 deletions build/container/Dockerfile
Expand Up @@ -36,8 +36,12 @@ RUN apk add --no-cache --upgrade \
# libpthread.so.0 => /lib64/ld-linux-x86-64.so.2 (0x7f2bbbd0f000)
# libc.so.6 => /lib64/ld-linux-x86-64.so.2 (0x7f2bbbd0f000)
# As musl and glibc are compatible, this symlink fixes the missing dependency
# The simlink is added both for amd64 and arm64 architectures
&& mkdir /lib64 \
&& ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2 \
&& ln -s /lib/libc.musl-aarch64.so.1 /lib64/ld-linux-aarch64.so.1 \
# libresolv.so.2 is needed when CGO is enabled so we add the glibc compatibility for Alpine
&& apk add --no-cache gcompat \
&& apk add --no-cache tini

# Tini is now available at /sbin/tini
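Review bot: The new aarch64 link is created under `/lib64`, but the glibc loader path on aarch64 is conventionally `/lib/ld-linux-aarch64.so.1` (only x86-64 uses `/lib64`), so the arm64 symlink may never be consulted; if the arm64 image works, it is presumably because `gcompat`, added two lines later, ships its own loader at the `/lib` path. Check the interpreter actually embedded in the arm64 binary (`readelf -l` on the FIPS build) and keep only the mechanism it uses, since a hand-made link and the package can both claim the same loader path. `gcompat` is installed unconditionally, so the non-FIPS image also gains the glibc compatibility shim although the comment ties it to CGO; if only the FIPS binary is CGO-linked, gating the install on a build argument (`ARG FIPS=""` and `if [ -n "$FIPS" ]; then apk add --no-cache gcompat; fi`) keeps the default image's footprint unchanged. The new comment also misspells `symlink` as `simlink`.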
35 changes: 32 additions & 3 deletions build/container/Makefile
Expand Up @@ -16,6 +16,7 @@ DOCKER_BUILD_TAG_PREFIX ?= build
DOCKER_TAG_LATEST ?= latest
USE_BUILDX ?= false
DOCKER_PUBLISH ?= false
FIPS ?=

AGENT_ARCH ?= $(DOCKER_ARCH)

Expand Down Expand Up @@ -50,12 +51,12 @@ AGENT_VERSION ?= 0.0.0
IMAGE_VERSION ?= $(AGENT_VERSION)

NS ?= newrelic
REPO ?= infrastructure
REPO ?= infrastructure${FIPS}
IMAGE_NAME ?= ${NS}/${REPO}
CORE_IMAGE_NAME ?= ${IMAGE_NAME}-core
BASE_IMAGE_NAME ?= ${IMAGE_NAME}
K8S_FWD_IMAGE_NAME ?= ${NS}/k8s-events-forwarder
FWD_IMAGE_NAME ?= ${NS}/nri-forwarder
K8S_FWD_IMAGE_NAME ?= ${NS}/k8s-events-forwarder${FIPS}
FWD_IMAGE_NAME ?= ${NS}/nri-forwarder${FIPS}
DOCKER_IMAGE_NAME ?= ${BASE_IMAGE_NAME}

AGENT_BIN ?= newrelic-infra
Expand Down Expand Up @@ -265,19 +266,29 @@ publish/multi-arch-base-manifest :
@printf 'Target: publish/base-manifest\n'
@printf 'Image: $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION)'
@printf '\n================================================================\n'
ifeq ($(FIPS),)
@(docker manifest create \
$(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) \
$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm64 \
$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm \
$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-amd64)
else
@(docker manifest create \
$(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) \
$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm64 \
$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-amd64)
endif
@docker manifest push $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION)


# [RC] Shortcut to build all supported multi arch bases and publish as RC
.PHONY : publish/multi-arch-base-rc
publish/multi-arch-base-rc : export IMAGE_VERSION=$(AGENT_VERSION)-rc
publish/multi-arch-base-rc : export DOCKER_BUILD_TAG_PREFIX=$(IMAGE_VERSION)
publish/multi-arch-base-rc : build/base-arm64
ifeq ($(FIPS),)
publish/multi-arch-base-rc : build/base-arm
endif
publish/multi-arch-base-rc : build/base-amd64
publish/multi-arch-base-rc : publish/multi-arch-base-manifest

Expand All @@ -301,19 +312,28 @@ publish/multi-arch-k8s-events-forwarder-manifest :
@printf 'Target: publish/k8s-events-forwarder-manifest\n'
@printf 'Image: $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION)'
@printf '\n================================================================\n'
ifeq ($(FIPS),)
@(docker manifest create \
$(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) \
$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm64 \
$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm \
$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-amd64)
else
@(docker manifest create \
$(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) \
$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm64 \
$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-amd64)
endif
@docker manifest push $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION)

# [RC] Shortcut to build all supported multi arch k8s-events-forwarders and publish as RC
.PHONY : publish/multi-arch-k8s-events-forwarder-rc
publish/multi-arch-k8s-events-forwarder-rc : export IMAGE_VERSION=$(AGENT_VERSION)-rc
publish/multi-arch-k8s-events-forwarder-rc : export DOCKER_BUILD_TAG_PREFIX=$(IMAGE_VERSION)
publish/multi-arch-k8s-events-forwarder-rc : build/k8s-events-forwarder-arm64
ifeq ($(FIPS),)
publish/multi-arch-k8s-events-forwarder-rc : build/k8s-events-forwarder-arm
endif
publish/multi-arch-k8s-events-forwarder-rc : build/k8s-events-forwarder-amd64
publish/multi-arch-k8s-events-forwarder-rc : publish/multi-arch-k8s-events-forwarder-manifest

Expand All @@ -337,11 +357,18 @@ publish/multi-arch-forwarder-manifest :
@printf 'Target: publish/forwarder-manifest\n'
@printf 'Image: $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION)'
@printf '\n================================================================\n'
ifeq ($(FIPS),)
@(docker manifest create \
$(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) \
$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm64 \
$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm \
$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-amd64)
else
@(docker manifest create \
$(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) \
$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm64 \
$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-amd64)
endif
@docker manifest push $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION)


Expand All @@ -350,7 +377,9 @@ publish/multi-arch-forwarder-manifest :
publish/multi-arch-forwarder-rc : export IMAGE_VERSION=$(AGENT_VERSION)-rc
publish/multi-arch-forwarder-rc : export DOCKER_BUILD_TAG_PREFIX=$(IMAGE_VERSION)
publish/multi-arch-forwarder-rc : build/forwarder-arm64
ifeq ($(FIPS),)
publish/multi-arch-forwarder-rc : build/forwarder-arm
endif
publish/multi-arch-forwarder-rc : build/forwarder-amd64
publish/multi-arch-forwarder-rc : publish/multi-arch-forwarder-manifest

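Review bot: `FIPS` is consumed as a raw image-name suffix (`REPO ?= infrastructure${FIPS}` and the two forwarder names), so a caller that passes a flag-like value such as `FIPS=true` or `FIPS=1` silently builds and publishes `newrelic/infrastructuretrue`, and the new `ifeq ($(FIPS),)` checks treat that as FIPS mode. The variable should fail fast on anything other than the empty string or `-fips`, with a comment next to `FIPS ?=` saying it is a suffix, not a boolean. The `ifeq ($(FIPS),)`/`else` pairs around the three `docker manifest create` calls and the three `-rc` dependency lists encode the arm exclusion six times; a single arch list with a `$(foreach …)` expresses the policy once and keeps the three manifest targets from drifting. The recipe of `publish/multi-arch-base-manifest` begins above the hunk; the rewritten lines below show the variable block and one manifest target, the other two follow the same shape.

```makefile
FIPS ?=
# FIPS is an image-name suffix ('' or '-fips'), not a boolean flag.
ifneq ($(filter-out -fips,$(FIPS)),)
$(error FIPS must be empty or "-fips", got "$(FIPS)")
endif
# arm images are not built for the FIPS variant.
MANIFEST_ARCHES := arm64 arm amd64
ifneq ($(FIPS),)
MANIFEST_ARCHES := arm64 amd64
endif
# … unchanged: image name variables …
publish/multi-arch-base-manifest :
# … unchanged: banner printf lines …
	@(docker manifest create \
		$(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) \
		$(foreach a,$(MANIFEST_ARCHES),$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-$(a)))
	@docker manifest push $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION)
# … unchanged: -rc export lines …
publish/multi-arch-base-rc : $(foreach a,$(MANIFEST_ARCHES),build/base-$(a))
publish/multi-arch-base-rc : publish/multi-arch-base-manifest
```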
16 changes: 16 additions & 0 deletions build/release.mk
Expand Up @@ -110,6 +110,11 @@ release/pkg-linux-for-docker: release/deps release/clean generate-goreleaser-for
@echo "=== [release/pkg-linux-for-docker] PRE-RELEASE compiling all binaries"
$(GORELEASER_BIN) release --config $(GORELEASER_CONFIG_LINUX) $(PKG_FLAGS)

.PHONY : release/pkg-linux-for-docker-fips
release/pkg-linux-for-docker-fips: release/deps release/clean generate-goreleaser-for-docker-fips
@echo "=== [release/pkg-linux-for-docker-fips] PRE-RELEASE compiling all binaries"
$(GORELEASER_BIN) release --config $(GORELEASER_CONFIG_LINUX) $(PKG_FLAGS)

.PHONY : release/pkg-macos
release/pkg-macos: release/deps release/clean
#release/pkg-macos: release/get-integrations-amd64-macos NO ASSETS AVAILABLE FOR NOW
Expand Down Expand Up @@ -169,6 +174,10 @@ release-linux-arm64: release/pkg-linux-arm64 release/fix-tarballs-linux release/
release-linux-for-docker: release/pkg-linux-for-docker
@echo "=== [release-linux-for-docker] compiling assets for docker"

.PHONY : release-linux-for-docker-fips
release-linux-for-docker-fips: release/pkg-linux-for-docker-fips
@echo "=== [release-linux-for-docker-fips] compiling assets for docker - FIPS"

.PHONY : release-macos
release-macos: release/pkg-macos release/fix-tarballs-macos
@echo "=== [release-macos] full pre-release cycle complete for macOS"
Expand Down Expand Up @@ -371,6 +380,13 @@ generate-goreleaser-for-docker:
$(CURDIR)/build/goreleaser/linux/build_arm64.yml\
> $(GORELEASER_CONFIG_LINUX)

.PHONY : generate-goreleaser-for-docker-fips
generate-goreleaser-for-docker-fips:
cat $(CURDIR)/build/goreleaser/linux/header.yml\
$(CURDIR)/build/goreleaser/linux/build_amd64_fips.yml\
$(CURDIR)/build/goreleaser/linux/build_arm64_fips.yml\
> $(GORELEASER_CONFIG_LINUX)

ifndef SNAPSHOT
$(error SNAPSHOT is undefined)
endif
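Review bot: `generate-goreleaser-for-docker-fips` writes to the same `$(GORELEASER_CONFIG_LINUX)` that `generate-goreleaser-for-docker` writes, and `release/pkg-linux-for-docker-fips` then runs goreleaser with the same `$(PKG_FLAGS)`; in CI the two variants run on separate runners, but a local `make release-linux-for-docker release-linux-for-docker-fips` in one tree has the second generator overwrite the first config and both goreleaser runs share one output layout. A comment on the new generator, `# overwrites $(GORELEASER_CONFIG_LINUX); do not run in the same tree as generate-goreleaser-for-docker`, or a variant-specific config path, makes that constraint explicit. `build_amd64_fips.yml` and `build_arm64_fips.yml` are not among the eight files in this commit; if they were not added earlier, the `cat` fails and the FIPS prerelease job stops at this target, so it is worth confirming they exist before this lands. The echo text `compiling assets for docker - FIPS` is the only place the variant is described; a one-line comment above `release-linux-for-docker-fips` naming what differs from the non-FIPS target (the goreleaser build files) would save a reader the comparison.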
