test fips enable (#39)

nirmata · Feb 11, 2025 · ab98c3e · ab98c3e
1 parent 67f9f81
commit ab98c3e
Show file tree

Hide file tree

Showing 15 changed files with 1,678 additions and 248 deletions.
diff --git a/.github/actions/failure-logs/action.yaml b/.github/actions/failure-logs/action.yaml
@@ -5,14 +5,16 @@ description: Show pods logs
 runs:
   using: composite
   steps:
-    - shell: bash
-      run: |
-        kubectl get apiservices v1alpha2.wgpolicyk8s.io v1.reports.kyverno.io
-        kubectl -n reports-server get pod
-        kubectl -n reports-server describe pod | grep -i events -A10
-    - shell: bash
-      run: |
-        kubectl -n reports-server logs deploy/reports-server --all-containers -p || true
-    - shell: bash
-      run: |
-        kubectl -n reports-server logs deploy/reports-server --all-containers
+  - shell: bash
+    run: |
+      kubectl get apiservices v1alpha2.wgpolicyk8s.io v1.reports.kyverno.io
+      kubectl -n reports-server get pod
+      kubectl -n reports-server describe pod | grep -i events -A10
+  - shell: bash
+    run: |
+      kubectl -n reports-server logs deploy/reports-server --all-containers -p || true
+  - shell: bash
+    run: |
+      kubectl -n reports-server logs deploy/reports-server --all-containers
+      kubectl -n reports-server logs statefulset/etcd --all-containers
+      kubectl -n reports-server logs job/reports-server-post-install-install-api-services
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -7,9 +7,24 @@ permissions: {}
 on:
   push:
     tags:
-      - 'v*'
+    - 'v*'
 
 jobs:
+  release-reports-server:
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    uses: ./.github/workflows/reuse.yaml
+    with:
+      publish_command: docker-publish-reports-server-fips
+      digest_command: docker-get-reports-server-digest
+      image_name: reports-server-fips
+      tag: release
+      main: ./
+    secrets:
+      registry_username: ${{ github.actor }}
+      registry_password: ${{ secrets.GITHUB_TOKEN }}
   goreleaser:
     permissions:
       contents: write

diff --git a/.github/workflows/reuse.yaml b/.github/workflows/reuse.yaml
@@ -0,0 +1,244 @@
+name: Create Publish and Sign Docker Image for FIPS Compliance
+on:
+  workflow_call:
+    inputs:
+      publish_command:
+        required: true
+        type: string
+      digest_command:
+        required: true
+        type: string
+      image_name:
+        required: true
+        type: string
+      tag:
+        required: true
+        type: string
+      main:
+        type: string
+    secrets:
+      registry_username:
+        required: true
+      registry_password:
+        required: true
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    steps:
+    - name: Detect Runner Architecture
+      run: |
+        ARCH=$(uname -m)
+        echo "Detected architecture: $ARCH"
+        echo "ARCH=$ARCH" >> $GITHUB_ENV
+
+    - name: Print Disk & Memory Usage (Before Cleanup)
+      run: |
+        echo "==== Disk Usage Before Cleanup ($ARCH) ===="
+        df -h
+        echo "==== Memory Usage Before Cleanup ($ARCH) ===="
+        free -h
+        echo "==== Docker Disk Usage Before Cleanup ($ARCH) ===="
+        docker system df
+
+    - name: Cleanup Space on Runner
+      run: |
+        echo "Running cleanup for $ARCH..."
+
+        # Remove unnecessary packages
+        sudo apt-get autoremove -y
+        sudo apt-get clean
+
+        # Remove dangling Docker images & containers
+        # docker system prune -af --volumes
+
+        # Remove cached Go modules
+        go clean -modcache
+
+        # Remove unnecessary system logs
+        sudo journalctl --vacuum-time=1s
+
+        # Remove npm cache (if applicable)
+        rm -rf ~/.npm
+        rm -rf ~/.cache
+
+        # Extra cleanup for ARM64 (if needed)
+        if [[ "$ARCH" == "aarch64" ]]; then
+          echo "Applying additional cleanup for ARM64..."
+          # Add ARM64-specific cleanup commands here if needed
+        fi
+
+    - name: Print Disk & Memory Usage (After Cleanup)
+      run: |
+        echo "==== Disk Usage After Cleanup ($ARCH) ===="
+        df -h
+        echo "==== Memory Usage After Cleanup ($ARCH) ===="
+        free -h
+        echo "==== Docker Disk Usage After Cleanup ($ARCH) ===="
+        docker system df
+
+    - name: Checkout release
+      if: ${{ inputs.tag == 'release'}}
+      uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+      with:
+        fetch-depth: 0
+
+    - name: Checkout image
+      if: ${{ inputs.tag == 'image'}}
+      uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+
+    - name: Unshallow
+      if: ${{ inputs.tag == 'image'}}
+      run: git fetch --prune --unshallow --tags
+
+    - name: Set up Go
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+      with:
+        go-version: ~1.23.5
+
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+
+    - name: Cache Go modules
+      uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+      with:
+        path: ~/go/pkg/mod
+        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+        restore-keys: |
+          ${{ runner.os }}-go-
+
+    - name: Log into ghcr.io
+      uses: docker/#-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    # - name: Set up QEMU
+    #   # if: runner.arch != 'X64' # Only set up QEMU on non-x86_64 architectures
+    #   uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 #v3.8.0
+      id: buildx
+      with:
+        install: true
+
+    - name: Run Trivy vulnerability scanner in repo mode
+      if: ${{inputs.tag == 'release'}}
+      uses: aquasecurity/trivy-action@40c4ca9e7421287d0c5576712fdff370978f9c3c
+      with:
+        scan-type: 'fs'
+        ignore-unfixed: true
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+        severity: 'CRITICAL,HIGH'
+
+    - name: Set Version
+      if: ${{ inputs.tag == 'release'}}
+      run: |
+        echo "REPORTS_SERVER_VERSION=$(git describe --match "v[0-9]*" --tags $(git rev-list --tags --max-count=1))" >> $GITHUB_ENV
+    - name: Generate SBOM JSON
+      if: ${{inputs.tag == 'release'}}
+      uses: CycloneDX/gh-gomod-generate-sbom@c18e41a4e3defe6dbf69b594e4d831a89db82ead # v1.0.0
+      with:
+        version: v1
+        args: app -licenses -json -output ${{inputs.image_name}}-${{ env.REPORTS_SERVER_VERSION }}-bom.cdx.json -main ${{inputs.main}}
+
+    - name: Upload SBOM JSON
+      if: ${{inputs.tag == 'release'}}
+      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+      with:
+        name: ${{inputs.image_name}}-bom-cdx
+        path: ${{inputs.image_name}}-v*-bom.cdx.json
+
+    - name: Extract branch name
+      if: ${{inputs.tag == 'image'}}
+      shell: bash
+      run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+      id: extract_branch
+
+    - name: Check branch
+      if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch != 'main'}}
+      id: check-branch
+      run: |
+        if [[ ${{ steps.extract_branch.outputs.branch }} =~ ^release-[0-9]+\.[0-9]$ ]]; then
+            echo ::set-output name=match::true
+        fi
+    - name: Debug Inputs
+      run: |
+        echo "Tag: ${{ inputs.tag }}"
+        echo "publish_command : ${{ inputs.publish_command}}"
+        echo "Digest Command: ${{ inputs.digest_command }}"
+        echo "Image Name: ${{ inputs.image_name }}"
+        echo "Repository: ${{ github.repository }}"
+        echo "Workflow: ${{ github.workflow }}"
+        echo "SHA: ${{ github.sha }}"
+        echo "secrets.GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}"
+        echo "github.actor: ${{ github.actor }}"
+        echo "Branch: ${{ steps.extract_branch.outputs.branch }}"
+    - name: Docker images publish
+      if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
+      run: make ${{inputs.publish_command}} FIPS_ENABLED=1
+
+    - name: get image digest
+      if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
+      id: get-step-image
+      run: |
+        digest=$(make ${{inputs.digest_command}} FIPS_ENABLED=1) 
+        echo "digest=${digest}" >> $GITHUB_ENV
+    - name: Docker release-images publish
+      if: ${{inputs.tag == 'release' || inputs.tag == 'image' }}
+      run: make ${{inputs.publish_command}} FIPS_ENABLED=1
+
+    - name: Clear Sigstore TUF Cache
+      run: |
+        rm -rf ~/.sigstore
+    - name: Get release-image digest
+      if: ${{ inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true') }}
+      id: get-step
+      run: |
+        digest=$(make ${{inputs.digest_command}} FIPS_ENABLED=1  2>/dev/null || true)
+        if [[ -z "$digest" ]]; then
+          echo "Error: Unable to generate digest. Ensure the repository exists and credentials are valid." >&2
+          exit 1
+        fi
+        echo "digest=$digest" >> $GITHUB_ENV
+        echo "Digest: $digest"
+    - name: Debug Digest
+      run: |
+        echo "Digest: ${{ env.digest }}"
+        if [[ -z "${{ env.digest }}" || "${{ env.digest }}" == "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" ]]; then
+          echo "Error: Digest is empty or invalid." >&2
+          exit 1
+        fi
+    - name: Sign image
+      if: ${{ inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main' }}
+      env:
+        COSIGN_EXPERIMENTAL: "true"
+        COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/${{ github.repository }}/signatures"
+      run: |
+        cosign sign --yes \
+          -a "repo=${{ github.repository }}" \
+          -a "workflow=${{ github.workflow }}" \
+          -a "ref=${{ github.sha }}" \
+          ghcr.io/${{ github.repository_owner }}/${{ inputs.image_name }}@sha256:${digest}
+    - name: Sign release-image
+      if: ${{ inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true') }}
+      env:
+        COSIGN_EXPERIMENTAL: "true"
+        COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/${{ github.repository }}/signatures"
+        digest: ${{ env.digest }}
+      run: |
+        echo "Signing with digest: $digest"
+        cosign sign --yes \
+          -a "repo=${{ github.repository }}" \
+          -a "workflow=${{ github.workflow }}" \
+          -a "ref=${{ github.sha }}" \
+          ghcr.io/${{ github.repository_owner }}/${{ inputs.image_name }}@sha256:$digest
+    - name: Attach SBOM
+      if: ${{inputs.tag == 'release'}}
+      env:
+        COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/${{ github.repository }}/sbom"
+      run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx  ghcr.io/${{ github.repository_owner }}/${{inputs.image_name}}@sha256:${{ env.digest }}
diff --git a/Dockerfile.fips b/Dockerfile.fips
@@ -0,0 +1,44 @@
+FROM mcr.microsoft.com/oss/go/microsoft/golang:1.23.4-fips-cbl-mariner2.0 AS builder
+
+ENV GOPATH=/go \
+    PATH=/usr/local/go/bin:/go/bin:/usr/local/bin:/usr/bin:$PATH \
+    CGO_ENABLED=1 \
+    FIPS_ENABLED=1
+
+RUN mkdir -p /go && \
+    tdnf install -y \
+        ca-certificates \
+        build-essential \
+        openssl-devel \
+        gcc \
+        shadow-utils && \
+    tdnf clean all
+
+WORKDIR /app
+COPY . .
+
+ARG LD_FLAGS
+
+ARG TARGETARCH
+RUN GOOS=linux GOARCH=$TARGETARCH \
+    BUILD_TAGS=fips GOEXPERIMENT=systemcrypto \
+    CGO_ENABLED=1 FIPS_ENABLED=1 \
+    go build -p 1  -ldflags="-s -w" -o /app/reports-server ./
+
+RUN groupadd --system appgroup && \
+    useradd --system --uid 1001 --gid appgroup --home-dir /nonexistent --shell /usr/sbin/nologin appuser && \
+    chown appuser:appgroup /app/reports-server
+
+FROM mcr.microsoft.com/cbl-mariner/distroless/base:2.0-nonroot
+
+COPY --from=builder /etc/passwd /etc/passwd
+
+COPY --from=builder /etc/group /etc/group
+
+COPY --from=builder /app/reports-server /reports-server
+
+COPY --from=builder /etc/ssl/certs /etc/ssl/certs
+
+USER 1001
+
+ENTRYPOINT ["/reports-server"]
diff --git a/Makefile b/Makefile
@@ -289,3 +289,46 @@ ko-login: $(KO)
 ko-publish-reports-server: ko-login ## Build and publish reports-server image (with ko)
 	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_REPORTS_SERVER) \
 		$(KO) build . --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS)
+
+
+##################################
+# FIPS VARIABLES
+##################################
+FIPS_ENABLED := 0 # Default to FIPS disabled
+
+ifeq ($(FIPS_ENABLED), 1)
+IMAGE_TAG    := $(shell git describe --tags --abbrev=0)
+LD_FLAGS     :="-s -w"
+endif
+
+REPORTS_SERVER_FIPS     := reports-server-fips
+REPO_REPORTS_SERVER_FIPS := $(REGISTRY)/$(ORG)/$(REPORTS_SERVER_FIPS)
+
+##################################
+# REPORTS-SERVER FIPS CONTAINER
+##################################
+
+.PHONY: docker-build-and-push-reports-server-fips
+docker-buildx-builder:
+	if ! docker buildx ls | grep -q reports-server-fips; then \
+		docker buildx create --name reports-server-fips --use; \
+	else \
+		docker buildx use reports-server-fips; \
+	fi
+
+reports-server-fips: fmt vet
+	GOOS=linux GOARCH=amd64 CGO_ENABLED=$(CGO_ENABLED) go build ./ -o $(PWD)/$(REPO_REPORTS_SERVER_FIPS) -tags "$(BUILD_TAGS)" -ldflags="$(LD_FLAGS)" $(PWD)/
+
+docker-publish-reports-server-fips: docker-buildx-builder docker-build-and-push-reports-server-fips
+
+docker-build-and-push-reports-server-fips: docker-buildx-builder
+	@docker buildx build --file $(PWD)/Dockerfile.fips \
+		--progress plain \
+		--platform linux/amd64,linux/arm64 \
+		--tag $(REPO_REPORTS_SERVER_FIPS):$(IMAGE_TAG) \
+		. \
+		--build-arg LD_FLAGS=$(LD_FLAGS) \
+		--push
+
+docker-get-reports-server-digest:
+	@docker buildx imagetools inspect --raw $(REPO_REPORTS_SERVER_FIPS):$(IMAGE_TAG) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'