From b8c4968be7fdc93a9b4b4c64fb54ac15933edd43 Mon Sep 17 00:00:00 2001 From: Alvaro Cabanas Date: Wed, 8 Jan 2025 12:28:03 +0100 Subject: [PATCH] Create new docker FIPS images (#1982) --- .../workflows/component_docker_packaging.yml | 13 ++++--- .../workflows/component_docker_publish.yml | 20 ++++++++++- .github/workflows/component_trivy.yml | 15 +++++--- .github/workflows/prerelease_linux.yml | 22 ++++++++++++ build/ci.mk | 4 +++ build/container/Dockerfile | 4 +++ build/container/Makefile | 35 +++++++++++++++++-- build/release.mk | 16 +++++++++ 8 files changed, 117 insertions(+), 12 deletions(-) diff --git a/.github/workflows/component_docker_packaging.yml b/.github/workflows/component_docker_packaging.yml index 0cde9fa44..31ab715b1 100644 --- a/.github/workflows/component_docker_packaging.yml +++ b/.github/workflows/component_docker_packaging.yml @@ -19,6 +19,10 @@ on: TAG: required: true type: string + FIPS: + required: false + type: boolean + default: false env: GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} @@ -29,6 +33,7 @@ env: DOCKER_HUB_ID: ${{ secrets.DOCKER_HUB_ID }} DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }} DOCKER_PUBLISH: true + FIPS: ${{ inputs.FIPS == true && '-fips' || '' }} jobs: packaging: @@ -47,7 +52,7 @@ jobs: password: ${{ env.DOCKER_HUB_PASSWORD }} - name: Compiling binaries for linux amd64, arm, arm64 - run: make ci/prerelease/linux-for-docker + run: make ci/prerelease/linux-for-docker${{env.FIPS}} - name: Set up QEMU uses: docker/setup-qemu-action@v1 
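Review bot: Nothing after `run: make ci/prerelease/linux-for-docker${{env.FIPS}}` verifies that the binaries compiled for the FIPS variant actually contain a FIPS crypto module, so the only thing distinguishing the `-fips` image from the regular one is the repository name. The goreleaser FIPS configs are outside this diff, so I can't tell which mechanism they enable (boringcrypto, fips140 or similar), but a cheap guard would be a step that, when `env.FIPS` is non-empty, inspects each produced binary and fails the job if the expected marker is absent — for instance grepping `go tool nm` output for the boringcrypto/fips140 symbols, adapted to whatever the configs use. Without it a regression in the build config silently publishes a non-FIPS build under the FIPS tag, which is a compliance problem rather than a build failure.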
@@ -58,10 +63,10 @@ jobs: version: v0.9.1 - name: Build and publish Release Candidate (RC) of base Docker image - run: AGENT_VERSION=${{env.TAG}} make -C build/container/ clean publish/multi-arch-base-rc + run: AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} make -C build/container/ clean publish/multi-arch-base-rc - name: Build and publish Release Candidate (RC) of forwarder Docker image - run: AGENT_VERSION=${{env.TAG}} make -C build/container/ clean publish/multi-arch-forwarder-rc + run: AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} make -C build/container/ clean publish/multi-arch-forwarder-rc - name: Build and publish Release Candidate (RC) of k8s-events-forwarders Docker image - run: AGENT_VERSION=${{env.TAG}} make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-rc \ No newline at end of file + run: AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-rc diff --git a/.github/workflows/component_docker_publish.yml b/.github/workflows/component_docker_publish.yml index 7e49fca41..1de55a1ab 100644 --- a/.github/workflows/component_docker_publish.yml +++ b/.github/workflows/component_docker_publish.yml 
@@ -53,4 +53,22 @@ jobs: run: make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-tag AGENT_VERSION=${{env.TAG}} - name: Publish latest of k8s-events-forwarders Docker image - run: make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-latest AGENT_VERSION=${{env.TAG}} \ No newline at end of file + run: make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-latest AGENT_VERSION=${{env.TAG}} + + - name: Publish tag of base Docker image FIPS + run: make -C build/container/ clean publish/multi-arch-base-tag AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} + + - name: Publish latest of base Docker image FIPS + run: make -C build/container/ clean publish/multi-arch-base-latest AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} + + - name: Publish tag of forwarder Docker image FIPS + run: make -C build/container/ clean publish/multi-arch-forwarder-tag AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} + + - name: Publish latest of forwarder Docker image FIPS + run: make -C build/container/ clean publish/multi-arch-forwarder-latest AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} + + - name: Publish tag of k8s-events-forwarders Docker image FIPS + run: make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-tag AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} + + - name: Publish latest of k8s-events-forwarders Docker image FIPS + run: make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-latest AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} diff --git a/.github/workflows/component_trivy.yml b/.github/workflows/component_trivy.yml index 0420f2aae..5a4daea8d 100644 --- a/.github/workflows/component_trivy.yml +++ b/.github/workflows/component_trivy.yml @@ -12,6 +12,13 @@ on: severity: required: true type: string + FIPS: + required: false + type: boolean + default: false + +env: + FIPS: ${{ inputs.FIPS == true && '-fips' || '' }} jobs: trivy_scanner: 
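Review bot: The six new FIPS publish steps reference `${{env.FIPS}}`, but as far as this hunk shows nothing in component_docker_publish.yml defines `env.FIPS` — the packaging and trivy workflows got an explicit `env: FIPS: ...` block, while this file's changes are confined to this hunk per the diffstat. An undefined expression expands to the empty string, so `FIPS=` is passed to make, `REPO` stays `infrastructure`, and these steps would simply re-push the non-FIPS `tag`/`latest` images while the `-fips` repositories never receive a release tag. Since this workflow is meant to publish both variants, the value can be literal here, e.g. `run: make -C build/container/ clean publish/multi-arch-base-tag AGENT_VERSION=${{env.TAG}} FIPS=-fips`, applied to all six steps; alternatively add a job-level `env: FIPS: '-fips'` if that is preferred.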
@@ -22,7 +29,7 @@ jobs: - name: newrelic/infrastructure uses: aquasecurity/trivy-action@master with: - image-ref: "docker.io/newrelic/infrastructure:${{ inputs.tag }}" + image-ref: "docker.io/newrelic/infrastructure${{ env.FIPS }}:${{ inputs.tag }}" format: 'table' exit-code: '1' ignore-unfixed: true @@ -35,7 +42,7 @@ jobs: - name: newrelic/k8s-events-forwarder uses: aquasecurity/trivy-action@master with: - image-ref: "docker.io/newrelic/k8s-events-forwarder:${{ inputs.tag }}" + image-ref: "docker.io/newrelic/k8s-events-forwarder${{ env.FIPS }}:${{ inputs.tag }}" format: 'table' exit-code: '1' ignore-unfixed: true @@ -48,7 +55,7 @@ jobs: - name: newrelic/nri-forwarder uses: aquasecurity/trivy-action@master with: - image-ref: "docker.io/newrelic/nri-forwarder:${{ inputs.tag }}" + image-ref: "docker.io/newrelic/nri-forwarder${{ env.FIPS }}:${{ inputs.tag }}" format: 'table' exit-code: '1' ignore-unfixed: true @@ -69,7 +76,7 @@ jobs: - name: Sarif newrelic/infrastructure uses: aquasecurity/trivy-action@master with: - image-ref: "docker.io/newrelic/infrastructure:${{ inputs.tag }}" + image-ref: "docker.io/newrelic/infrastructure${{ env.FIPS }}:${{ inputs.tag }}" format: 'sarif' output: 'trivy-results.sarif' vuln-type: 'os,library' diff --git a/.github/workflows/prerelease_linux.yml b/.github/workflows/prerelease_linux.yml index d7ce2192d..3ce0a6b35 100644 --- a/.github/workflows/prerelease_linux.yml +++ b/.github/workflows/prerelease_linux.yml 
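Review bot: Each new `image-ref` line now points the scan at the `-fips` repositories, yet the step doing the scanning is still `uses: aquasecurity/trivy-action@master`, a mutable branch reference, so the vulnerability gate for a compliance-labelled image runs whatever code is on that branch at the moment of the run. That is pre-existing rather than introduced here, but since these steps are being reworked it is the moment to pin them to an immutable commit SHA with the version recorded in a trailing comment, rather than a branch. The same applies to the sarif step in the last hunk of this file.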
@@ -124,6 +124,28 @@ jobs: tag: "${{ github.event.release.tag_name }}-rc" severity: "CRITICAL" + packaging-docker-fips: + needs: [unit-test, proxy-tests] + uses: ./.github/workflows/component_docker_packaging.yml + secrets: + DOCKER_HUB_ID: ${{secrets.OHAI_DOCKER_HUB_ID}} + DOCKER_HUB_PASSWORD: ${{secrets.OHAI_DOCKER_HUB_PASSWORD}} + GPG_MAIL: 'infrastructure-eng@newrelic.com' + GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }} + GPG_PRIVATE_KEY_BASE64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + TAG: ${{ github.event.release.tag_name }} + FIPS: true + + docker-fips-trivy-critical: + needs: [packaging-docker-fips] + uses: ./.github/workflows/component_trivy.yml + with: + tag: "${{ github.event.release.tag_name }}-rc" + severity: "CRITICAL" + FIPS: true + publishing-to-s3: # point to staging after tests name: Publish linux artifacts into s3 staging bucket diff --git a/build/ci.mk b/build/ci.mk index eeb8cd6d2..1c55b58b9 100644 --- a/build/ci.mk +++ b/build/ci.mk @@ -84,6 +84,10 @@ ci/prerelease/linux-legacy: ci/prerelease/linux-for-docker: TARGET_OS=linux-for-docker $(MAKE) ci/prerelease +.PHONY : ci/prerelease/linux-for-docker-fips +ci/prerelease/linux-for-docker-fips: + TARGET_OS=linux-for-docker-fips $(MAKE) ci/prerelease + .PHONY : ci/prerelease/macos ci/prerelease/macos: diff --git a/build/container/Dockerfile b/build/container/Dockerfile index 85e979e8c..d5ef608fa 100644 --- a/build/container/Dockerfile +++ b/build/container/Dockerfile 
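Review bot: The new `docker-fips-trivy-critical` job is not, within this hunk, required by anything downstream, so a CRITICAL finding in the FIPS images would fail that job without blocking the release; `publishing-to-s3` starts right after it and its `needs` list is outside this hunk, so I can't confirm whether it (or whichever job gates promotion) was updated. If the existing trivy job above gates publishing, `docker-fips-trivy-critical` should be added alongside it in that `needs` list. Separately, `packaging-docker-fips` is handed the GPG passphrase and private key; if the docker packaging workflow does not sign anything on the image path, dropping those two secrets from this caller keeps the FIPS job at least privilege — worth confirming against the reusable workflow's secret declarations, which are not visible here.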
@@ -36,8 +36,12 @@ RUN apk add --no-cache --upgrade \ # libpthread.so.0 => /lib64/ld-linux-x86-64.so.2 (0x7f2bbbd0f000) # libc.so.6 => /lib64/ld-linux-x86-64.so.2 (0x7f2bbbd0f000) # As musl and glibc are compatible, this symlink fixes the missing dependency + # The simlink is added both for amd64 and arm64 architectures && mkdir /lib64 \ && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2 \ + && ln -s /lib/libc.musl-aarch64.so.1 /lib64/ld-linux-aarch64.so.1 \ + # libresolv.so.2 is needed when CGO is enabled so we add the glibc compatibility for Alpine + && apk add --no-cache gcompat \ && apk add --no-cache tini # Tini is now available at /sbin/tini diff --git a/build/container/Makefile b/build/container/Makefile index 33a2b89b6..d4f60295e 100644 --- a/build/container/Makefile +++ b/build/container/Makefile @@ -16,6 +16,7 @@ DOCKER_BUILD_TAG_PREFIX ?= build DOCKER_TAG_LATEST ?= latest USE_BUILDX ?= false DOCKER_PUBLISH ?= false +FIPS ?= AGENT_ARCH ?= $(DOCKER_ARCH) @@ -50,12 +51,12 @@ AGENT_VERSION ?= 0.0.0 IMAGE_VERSION ?= $(AGENT_VERSION) NS ?= newrelic -REPO ?= infrastructure +REPO ?= infrastructure${FIPS} IMAGE_NAME ?= ${NS}/${REPO} CORE_IMAGE_NAME ?= ${IMAGE_NAME}-core BASE_IMAGE_NAME ?= ${IMAGE_NAME} -K8S_FWD_IMAGE_NAME ?= ${NS}/k8s-events-forwarder -FWD_IMAGE_NAME ?= ${NS}/nri-forwarder +K8S_FWD_IMAGE_NAME ?= ${NS}/k8s-events-forwarder${FIPS} +FWD_IMAGE_NAME ?= ${NS}/nri-forwarder${FIPS} DOCKER_IMAGE_NAME ?= ${BASE_IMAGE_NAME} AGENT_BIN ?= newrelic-infra 
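Review bot: `apk add --no-cache gcompat` is unconditional, so every image built from this Dockerfile gains a glibc compatibility layer even though the comment above ties the need for `libresolv.so.2` to CGO being enabled; if the non-FIPS binary does not need it, that is extra packages and CVE surface in images that were previously musl-only. No build arg is passed in the Makefile hunks of this patch, so gating it would mean `ARG FIPS=""` near the top, `&& if [ -n "$FIPS" ]; then apk add --no-cache gcompat; fi \` in place of the unconditional line, and `--build-arg FIPS=$(FIPS)` on the docker build side. Also worth checking that gcompat does not itself ship a file at `/lib64/ld-linux-x86-64.so.2`, which would collide with the manual `mkdir /lib64 && ln -s` right above. Two smaller points: both `ld-linux-*` symlinks are created on every architecture, leaving a dangling link for the other arch in each image, and the new comment has a typo, `simlink` → `symlink`.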
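Review bot: `FIPS ?=` is spliced verbatim into `REPO`, `K8S_FWD_IMAGE_NAME` and `FWD_IMAGE_NAME`, so any value other than the empty string or `-fips` (say `FIPS=true` or `FIPS=1` from a developer's shell) silently builds and pushes to a repository name such as `infrastructuretrue`, while the `ifeq ($(FIPS),)` branches still treat it as a FIPS build. Since the workflow deliberately maps the boolean input to `-fips`, the Makefile should fail fast on anything else, e.g. right after the default: `ifneq ($(filter $(FIPS),-fips),$(FIPS))` / `$(error FIPS must be empty or "-fips", got "$(FIPS)")` / `endif`. A one-line comment on the variable saying it is a repository-name suffix, not a boolean, would also help.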
@@ -265,19 +266,29 @@ publish/multi-arch-base-manifest : @printf 'Target: publish/base-manifest\n' @printf 'Image: $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION)' @printf '\n================================================================\n' +ifeq ($(FIPS),) @(docker manifest create \ $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) \ $(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm64 \ $(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm \ $(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-amd64) +else + @(docker manifest create \ + $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) \ + $(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm64 \ + $(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-amd64) +endif @docker manifest push $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) + # [RC] Shortcut to build all supported multi arch bases and publish as RC .PHONY : publish/multi-arch-base-rc publish/multi-arch-base-rc : export IMAGE_VERSION=$(AGENT_VERSION)-rc publish/multi-arch-base-rc : export DOCKER_BUILD_TAG_PREFIX=$(IMAGE_VERSION) publish/multi-arch-base-rc : build/base-arm64 +ifeq ($(FIPS),) publish/multi-arch-base-rc : build/base-arm +endif publish/multi-arch-base-rc : build/base-amd64 publish/multi-arch-base-rc : publish/multi-arch-base-manifest 
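Review bot: The `ifeq ($(FIPS),)` / `else` split in `publish/multi-arch-base-manifest` duplicates the whole `docker manifest create` invocation to drop one architecture, and the same pair plus the conditional `build/base-arm` prerequisite is about to exist for each image; the two copies will drift the next time a tag or flag is touched. Deriving the architecture list once and expanding it with `$(foreach ...)` keeps a single manifest command and a single prerequisite line per image, as below, and makes the "FIPS has no arm image" decision visible in one place rather than inferred from which branch lacks `-arm`. The rc target's exports and the banner `printf` lines are unchanged.
```make
# Architectures that get a per-arch image and a manifest entry.
# FIPS binaries are only produced for arm64/amd64, so arm (32-bit) is dropped there.
MANIFEST_ARCHS := arm64 amd64
ifeq ($(FIPS),)
MANIFEST_ARCHS += arm
endif

publish/multi-arch-base-manifest :
	# … unchanged: banner printf lines …
	@(docker manifest create \
	    $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) \
	    $(foreach a,$(MANIFEST_ARCHS),$(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-$(a)))
	@docker manifest push $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION)

# … unchanged: rc target exports …
publish/multi-arch-base-rc : $(foreach a,$(MANIFEST_ARCHS),build/base-$(a))
publish/multi-arch-base-rc : publish/multi-arch-base-manifest
```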
@@ -301,11 +312,18 @@ publish/multi-arch-k8s-events-forwarder-manifest : @printf 'Target: publish/k8s-events-forwarder-manifest\n' @printf 'Image: $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION)' @printf '\n================================================================\n' +ifeq ($(FIPS),) @(docker manifest create \ $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) \ $(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm64 \ $(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm \ $(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-amd64) +else + @(docker manifest create \ + $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) \ + $(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm64 \ + $(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-amd64) +endif @docker manifest push $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) # [RC] Shortcut to build all supported multi arch k8s-events-forwarders and publish as RC @@ -313,7 +331,9 @@ publish/multi-arch-k8s-events-forwarder-manifest : publish/multi-arch-k8s-events-forwarder-rc : export IMAGE_VERSION=$(AGENT_VERSION)-rc publish/multi-arch-k8s-events-forwarder-rc : export DOCKER_BUILD_TAG_PREFIX=$(IMAGE_VERSION) publish/multi-arch-k8s-events-forwarder-rc : build/k8s-events-forwarder-arm64 +ifeq ($(FIPS),) publish/multi-arch-k8s-events-forwarder-rc : build/k8s-events-forwarder-arm +endif publish/multi-arch-k8s-events-forwarder-rc : build/k8s-events-forwarder-amd64 publish/multi-arch-k8s-events-forwarder-rc : publish/multi-arch-k8s-events-forwarder-manifest 
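Review bot: The `else` branch of `publish/multi-arch-k8s-events-forwarder-manifest` and the `ifeq ($(FIPS),)` guard on `build/k8s-events-forwarder-arm` drop the 32-bit arm image from FIPS builds without saying why, so a reader has to cross-reference build/release.mk (where only `build_amd64_fips.yml` and `build_arm64_fips.yml` are assembled) to learn that no arm FIPS binary exists. A one-line comment above the guard would record that, e.g. `# No arm (32-bit) FIPS binary is produced (see generate-goreleaser-for-docker-fips in build/release.mk), so FIPS manifests carry arm64/amd64 only.` Users pulling the `-fips` repositories on arm/v7 nodes will presumably get a "no matching manifest" error rather than an image, which is worth stating in the image documentation as well.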
@@ -337,11 +357,18 @@ publish/multi-arch-forwarder-manifest : @printf 'Target: publish/forwarder-manifest\n' @printf 'Image: $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION)' @printf '\n================================================================\n' +ifeq ($(FIPS),) @(docker manifest create \ $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) \ $(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm64 \ $(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm \ $(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-amd64) +else + @(docker manifest create \ + $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) \ + $(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-arm64 \ + $(DOCKER_IMAGE_NAME):$(DOCKER_BUILD_TAG_PREFIX)-amd64) +endif @docker manifest push $(DOCKER_IMAGE_NAME):$(IMAGE_VERSION) @@ -350,7 +377,9 @@ publish/multi-arch-forwarder-manifest : publish/multi-arch-forwarder-rc : export IMAGE_VERSION=$(AGENT_VERSION)-rc publish/multi-arch-forwarder-rc : export DOCKER_BUILD_TAG_PREFIX=$(IMAGE_VERSION) publish/multi-arch-forwarder-rc : build/forwarder-arm64 +ifeq ($(FIPS),) publish/multi-arch-forwarder-rc : build/forwarder-arm +endif publish/multi-arch-forwarder-rc : build/forwarder-amd64 publish/multi-arch-forwarder-rc : publish/multi-arch-forwarder-manifest diff --git a/build/release.mk b/build/release.mk index c0fed2057..e1ff64a0b 100644 --- a/build/release.mk +++ b/build/release.mk 
@@ -110,6 +110,11 @@ release/pkg-linux-for-docker: release/deps release/clean generate-goreleaser-for @echo "=== [release/pkg-linux-for-docker] PRE-RELEASE compiling all binaries" $(GORELEASER_BIN) release --config $(GORELEASER_CONFIG_LINUX) $(PKG_FLAGS) +.PHONY : release/pkg-linux-for-docker-fips +release/pkg-linux-for-docker-fips: release/deps release/clean generate-goreleaser-for-docker-fips + @echo "=== [release/pkg-linux-for-docker-fips] PRE-RELEASE compiling all binaries" + $(GORELEASER_BIN) release --config $(GORELEASER_CONFIG_LINUX) $(PKG_FLAGS) + .PHONY : release/pkg-macos release/pkg-macos: release/deps release/clean #release/pkg-macos: release/get-integrations-amd64-macos NO ASSETS AVAILABLE FOR NOW @@ -169,6 +174,10 @@ release-linux-arm64: release/pkg-linux-arm64 release/fix-tarballs-linux release/ release-linux-for-docker: release/pkg-linux-for-docker @echo "=== [release-linux-for-docker] compiling assets for docker" +.PHONY : release-linux-for-docker-fips +release-linux-for-docker-fips: release/pkg-linux-for-docker-fips + @echo "=== [release-linux-for-docker-fips] compiling assets for docker - FIPS" + .PHONY : release-macos release-macos: release/pkg-macos release/fix-tarballs-macos @echo "=== [release-macos] full pre-release cycle complete for macOS" @@ -371,6 +380,13 @@ generate-goreleaser-for-docker: $(CURDIR)/build/goreleaser/linux/build_arm64.yml\ > $(GORELEASER_CONFIG_LINUX) +.PHONY : generate-goreleaser-for-docker-fips +generate-goreleaser-for-docker-fips: + cat $(CURDIR)/build/goreleaser/linux/header.yml\ + $(CURDIR)/build/goreleaser/linux/build_amd64_fips.yml\ + $(CURDIR)/build/goreleaser/linux/build_arm64_fips.yml\ + > $(GORELEASER_CONFIG_LINUX) + ifndef SNAPSHOT $(error SNAPSHOT is undefined) endif
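Review bot: `generate-goreleaser-for-docker-fips` concatenates `build_amd64_fips.yml` and `build_arm64_fips.yml`, but neither file is in this patch's diffstat, so unless they already exist in the tree the `cat` fails and `release-linux-for-docker-fips` never builds — worth confirming they are committed. It also writes to the same `$(GORELEASER_CONFIG_LINUX)` path as `generate-goreleaser-for-docker`, so running the FIPS and non-FIPS docker targets in one invocation (`make release-linux-for-docker release-linux-for-docker-fips`, or under `-j`) lets the second generator overwrite the first's config before goreleaser reads it. A target-specific path for the FIPS pair avoids that, e.g. `release/pkg-linux-for-docker-fips generate-goreleaser-for-docker-fips: GORELEASER_CONFIG_LINUX := $(GORELEASER_CONFIG_LINUX:.yml=-fips.yml)`, assuming that variable holds a plain `.yml` path (its definition is outside this diff).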