FIPs compliant builds
- Changed the build image to ubi9/go-toolset
- Changed the base image to ubi9/minimal
- Added the default GO_BUILD_EXTRA_ARGS="-tags strictfipsruntime"
- Added the GO_BUILD_EXTRA_ENV_ARGS build argument to allow custom build arguments at build time. It defaults to "CGO_ENABLED=1 GO111MODULE=on"
- Those default parameters have been added to enable FIPS compliance
- Fixed indentation
- Removed TARGETOS and TARGETARCH env vars.
- Added DOCKER_BUILD_ARGS variable in Makefile to pass custom parameters during podman build
- Added export FAIL_FIPS_CHECK=true in .prow_ci.env file

Signed-off-by: Brendan Shephard <[email protected]>
bshephar committed Feb 19, 2024
1 parent 2bce701 commit abe7136
Showing 5 changed files with 22 additions and 7 deletions.
1 change: 1 addition & 0 deletions .prow_ci.env
@@ -1,2 +1,3 @@
export USE_IMAGE_DIGESTS=true
export BUNDLE_DOCKERFILE=custom-bundle.Dockerfile
export FAIL_FIPS_CHECK=true
11 changes: 6 additions & 5 deletions Dockerfile
@@ -1,6 +1,5 @@
ARG GOLANG_BUILDER=docker.io/library/golang:1.20
ARG OPERATOR_BASE_IMAGE=gcr.io/distroless/static:nonroot

ARG GOLANG_BUILDER=registry.access.redhat.com/ubi9/go-toolset:1.20
ARG OPERATOR_BASE_IMAGE=registry.access.redhat.com/ubi9/ubi-minimal:latest
# Build the manager binary
FROM $GOLANG_BUILDER AS builder

Expand All @@ -12,19 +11,21 @@ ARG REMOTE_SOURCE_DIR=/remote-source
ARG REMOTE_SOURCE_SUBDIR=
ARG DEST_ROOT=/dest-root

ARG GO_BUILD_EXTRA_ARGS=
ARG GO_BUILD_EXTRA_ARGS="-tags strictfipsruntime"
ARG GO_BUILD_EXTRA_ENV_ARGS="CGO_ENABLED=1 GO111MODULE=on"

COPY $REMOTE_SOURCE $REMOTE_SOURCE_DIR
WORKDIR $REMOTE_SOURCE_DIR/$REMOTE_SOURCE_SUBDIR

USER root
RUN mkdir -p ${DEST_ROOT}/usr/local/bin/

# cache deps before building and copying source so that we don't need to re-download as much
# and so that source changes don't invalidate our downloaded layer
RUN if [ ! -f $CACHITO_ENV_FILE ]; then go mod download ; fi

# Build manager
RUN if [ -f $CACHITO_ENV_FILE ] ; then source $CACHITO_ENV_FILE ; fi ; CGO_ENABLED=0 GO111MODULE=on go build ${GO_BUILD_EXTRA_ARGS} -a -o ${DEST_ROOT}/manager main.go
RUN if [ -f $CACHITO_ENV_FILE ] ; then source $CACHITO_ENV_FILE ; fi ; env ${GO_BUILD_EXTRA_ENV_ARGS} go build ${GO_BUILD_EXTRA_ARGS} -a -o ${DEST_ROOT}/manager main.go

# Use distroless as minimal base image to package the manager binary
# Refer to https://github.com/GoogleContainerTools/distroless for more details
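Review bot: `OPERATOR_BASE_IMAGE` now defaults to `ubi9/ubi-minimal:latest` (first hunk), which makes the runtime image non-reproducible and works against the FIPS goal of this commit, because the OpenSSL the `strictfipsruntime` binary links against is whatever `latest` resolves to on build day; pin a version tag and ideally a digest, e.g. `ARG OPERATOR_BASE_IMAGE=registry.access.redhat.com/ubi9/ubi-minimal:<pinned-tag>@sha256:<digest>` (placeholders). The previous base `distroless/static:nonroot` ran unprivileged by default, whereas ubi-minimal defaults to root, so the final stage (below this hunk, not visible here) needs an explicit numeric `USER` if it does not already set one. Switching to `CGO_ENABLED=1` also means the manager is now dynamically linked, so the runtime image must ship the matching glibc/OpenSSL — ubi-minimal does, but a future swap to a static/scratch base would silently break. The comment at the end of the hunk still reads `Use distroless as minimal base image` and links to the distroless project; it should now say `# Use ubi-minimal as the base image to package the manager binary` with the distroless link removed.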
5 changes: 4 additions & 1 deletion Makefile
Expand Up @@ -70,6 +70,9 @@ endif
SHELL = /usr/bin/env bash -o pipefail
.SHELLFLAGS = -ec

# Extra vars which will be passed to the Docker-build
DOCKER_BUILD_ARGS ?=

.PHONY: all
all: build

Expand Down Expand Up @@ -152,7 +155,7 @@ run: manifests generate fmt vet ## Run a controller from your host.

.PHONY: docker-build
docker-build: test ## Build docker image with the manager.
podman build -t ${IMG} .
podman build -t ${IMG} . ${DOCKER_BUILD_ARGS}

.PHONY: docker-push
docker-push: ## Push docker image with the manager.
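Review bot: In the `docker-build` recipe the new `${DOCKER_BUILD_ARGS}` is appended after the build context `.`; podman accepts interspersed flags, but the conventional and more robust order is options before the context, `podman build ${DOCKER_BUILD_ARGS} -t ${IMG} .`, so a value ending in a positional-looking token cannot be read as a second context if the recipe is ever run under a stricter CLI. The comment in the first hunk says "Docker-build" while the recipe invokes podman; `# Extra args (e.g. --build-arg KEY=VALUE) appended to the podman build in docker-build` would document both the purpose and the expected form. Because this variable is the route for `--build-arg` overrides such as `GO_BUILD_EXTRA_ENV_ARGS`, it is worth stating in that comment that build args are recorded in the history of the stage that consumes them, so nothing sensitive should be passed this way.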
Expand Up @@ -5,6 +5,7 @@ metadata:
alm-examples: '[]'
capabilities: Basic Install
features.operators.openshift.io/disconnected: "true"
features.operators.openshift.io/fips-compliant: "true"
operatorframework.io/suggested-namespace: openstack-operators
operators.openshift.io/infrastructure-features: '["disconnected"]'
operators.operatorframework.io/builder: operator-sdk-v1.26.0
11 changes: 10 additions & 1 deletion custom-bundle.Dockerfile
@@ -1,4 +1,4 @@
ARG GOLANG_CTX=golang:1.20
ARG GOLANG_CTX=registry.access.redhat.com/ubi9/go-toolset:1.20

FROM $GOLANG_CTX as builder

Expand All @@ -14,16 +14,20 @@ COPY apis/ apis/
RUN go mod download

# Copy the go source
USER root
COPY cmd/csv-merger/csv-merger.go csv-merger.go
COPY pkg/ pkg/

# Build the csv-merger
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o csv-merger csv-merger.go

USER $USER_ID

FROM $GOLANG_CTX as merger
WORKDIR /workspace
COPY --from=builder /workspace/csv-merger .

USER root
# local operator manifests
COPY bundle/manifests /manifests/
COPY bundle_extra_data /bundle_extra_data
Expand All @@ -40,6 +44,8 @@ RUN /workspace/csv-merger \
# remove all individual operator CSV's
RUN rm /manifests/*clusterserviceversion.yaml

USER $USER_ID

### Put everything together
FROM scratch

Expand All @@ -58,6 +64,7 @@ LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1
LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/

# Copy files to locations specified by labels.
USER root
COPY bundle/metadata /metadata/
COPY bundle/tests/scorecard /tests/scorecard/

Expand All @@ -67,3 +74,5 @@ COPY --from=merger /manifests/* /manifests/

# overwrite with the final merged CSV
COPY --from=merger /openstack-operator.clusterserviceversion.yaml.new /manifests/openstack-operator.clusterserviceversion.yaml

USER $USER_ID
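Review bot: `USER root` at the top of the `FROM scratch` stage (fourth hunk) has no effect on the `COPY` instructions that follow — `COPY` is executed by the builder, not as the stage's user, and ownership changes only with `--chown` — so the line is dead, and the closing `USER $USER_ID` here leaves an image config whose user must resolve without an `/etc/passwd`, which scratch does not have. A bundle image is only read by OLM and never run, so this is cosmetic, but `USER_ID` should be a numeric UID and is presumably declared in the elided lines 5–13 (outside the hunk); if it is unset the instruction fails with an empty argument. In the `builder` and `merger` stages the `USER root` / `USER $USER_ID` pairs do matter because the go-toolset image does not run as root by default; a one-line comment above the first switch, `# go-toolset defaults to a non-root user; escalate only for writes outside its home`, would tell the next reader why they exist.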
