Create new docker FIPS images

newrelic · Jan 2, 2025 · 0b3a6a1 · 0b3a6a1
1 parent 191d5b1
commit 0b3a6a1
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 9 deletions.
diff --git a/.github/workflows/component_docker_packaging.yml b/.github/workflows/component_docker_packaging.yml
@@ -19,6 +19,10 @@ on:
       TAG:
         required: true
         type: string
+      FIPS:
+        required: false
+        type: boolean
+        default: false
 
 env:
   GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
@@ -29,6 +33,7 @@ env:
   DOCKER_HUB_ID: ${{ secrets.DOCKER_HUB_ID }}
   DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   DOCKER_PUBLISH: true
+  FIPS: ${{ inputs.FIPS == true && '-fips' || '' }}
 
 jobs:
   packaging:
@@ -47,7 +52,7 @@ jobs:
           password: ${{ env.DOCKER_HUB_PASSWORD }}
 
       - name: Compiling binaries for linux amd64, arm, arm64
-        run: make ci/prerelease/linux-for-docker
+        run: make ci/prerelease/linux-for-docker${{env.FIPS}}
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
@@ -58,10 +63,10 @@ jobs:
           version: v0.9.1
 
       - name: Build and publish Release Candidate (RC) of base Docker image
-        run: AGENT_VERSION=${{env.TAG}} make -C build/container/ clean publish/multi-arch-base-rc
+        run: AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} make -C build/container/ clean publish/multi-arch-base-rc
 
       - name: Build and publish Release Candidate (RC) of forwarder Docker image
-        run: AGENT_VERSION=${{env.TAG}} make -C build/container/ clean publish/multi-arch-forwarder-rc
+        run: AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} make -C build/container/ clean publish/multi-arch-forwarder-rc
 
       - name: Build and publish Release Candidate (RC) of k8s-events-forwarders Docker image
-        run: AGENT_VERSION=${{env.TAG}} make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-rc
+        run: AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-rc
diff --git a/.github/workflows/component_trivy.yml b/.github/workflows/component_trivy.yml
@@ -12,6 +12,13 @@ on:
       severity:
         required: true
         type: string
+      FIPS:
+        required: false
+        type: boolean
+        default: false
+
+env:
+  FIPS: ${{ inputs.FIPS == true && '-fips' || '' }}
 
 jobs:
   trivy_scanner:
@@ -22,7 +29,7 @@ jobs:
       - name: newrelic/infrastructure
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "docker.io/newrelic/infrastructure:${{ inputs.tag }}"
+          image-ref: "docker.io/newrelic/infrastructure${{ env.FIPS }}:${{ inputs.tag }}"
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
@@ -35,7 +42,7 @@ jobs:
       - name: newrelic/k8s-events-forwarder
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "docker.io/newrelic/k8s-events-forwarder:${{ inputs.tag }}"
+          image-ref: "docker.io/newrelic/k8s-events-forwarder${{ env.FIPS }}:${{ inputs.tag }}"
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
@@ -48,7 +55,7 @@ jobs:
       - name: newrelic/nri-forwarder
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "docker.io/newrelic/nri-forwarder:${{ inputs.tag }}"
+          image-ref: "docker.io/newrelic/nri-forwarder${{ env.FIPS }}:${{ inputs.tag }}"
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
@@ -69,7 +76,7 @@ jobs:
       - name: Sarif newrelic/infrastructure
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "docker.io/newrelic/infrastructure:${{ inputs.tag }}"
+          image-ref: "docker.io/newrelic/infrastructure${{ env.FIPS }}:${{ inputs.tag }}"
           format: 'sarif'
           output: 'trivy-results.sarif'
           vuln-type: 'os,library'

diff --git a/.github/workflows/prerelease_linux.yml b/.github/workflows/prerelease_linux.yml
@@ -124,6 +124,28 @@ jobs:
       tag: "${{ github.event.release.tag_name }}-rc"
       severity: "CRITICAL"
 
+  packaging-docker-fips:
+    needs: [unit-test, proxy-tests]
+    uses: ./.github/workflows/component_docker_packaging.yml
+    secrets:
+      DOCKER_HUB_ID: ${{secrets.OHAI_DOCKER_HUB_ID}}
+      DOCKER_HUB_PASSWORD: ${{secrets.OHAI_DOCKER_HUB_PASSWORD}}
+      GPG_MAIL: '[email protected]'
+      GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }}
+      GPG_PRIVATE_KEY_BASE64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    with:
+      TAG:  ${{ github.event.release.tag_name }}
+      FIPS: true
+
+  docker-fips-trivy-critical:
+    needs: [packaging-docker-fips]
+    uses: ./.github/workflows/component_trivy.yml
+    with:
+      tag: "${{ github.event.release.tag_name }}-rc"
+      severity: "CRITICAL"
+      FIPS: true
+
   publishing-to-s3:
     # point to staging after tests
     name: Publish linux artifacts into s3 staging bucket

diff --git a/build/ci.mk b/build/ci.mk
@@ -84,6 +84,10 @@ ci/prerelease/linux-legacy:
 ci/prerelease/linux-for-docker:
 	TARGET_OS=linux-for-docker $(MAKE) ci/prerelease
 
+.PHONY : ci/prerelease/linux-for-docker-fips
+ci/prerelease/linux-for-docker:
+	TARGET_OS=linux-for-docker-fips $(MAKE) ci/prerelease
+
 
 .PHONY : ci/prerelease/macos
 ci/prerelease/macos:

diff --git a/build/container/Makefile b/build/container/Makefile
@@ -16,6 +16,7 @@ DOCKER_BUILD_TAG_PREFIX	?= build
 DOCKER_TAG_LATEST	?= latest
 USE_BUILDX			?= false
 DOCKER_PUBLISH		?= false
+FIPS                ?=
 
 AGENT_ARCH ?= $(DOCKER_ARCH)
 
@@ -50,7 +51,7 @@ AGENT_VERSION                  ?= 0.0.0
 IMAGE_VERSION                  ?= $(AGENT_VERSION)
 
 NS                             ?= newrelic
-REPO                           ?= infrastructure
+REPO                           ?= infrastructure${FIPS}
 IMAGE_NAME                     ?= ${NS}/${REPO}
 CORE_IMAGE_NAME                ?= ${IMAGE_NAME}-core
 BASE_IMAGE_NAME                ?= ${IMAGE_NAME}
@@ -126,6 +127,7 @@ base/get-integrations : ${NRI_PKG_DIR}
 base/get-integrations : NRI_DOCKER_ARCH=$(DOCKER_ARCH)
 base/get-integrations : NRI_PROMETHEUS_ARCH=$(DOCKER_ARCH)
 base/get-integrations : NRI_FLEX_ARCH=$(DOCKER_ARCH)
+base/get-integrations : FIPS=$(FIPS)
 base/get-integrations : get-integrations
 base/get-integrations : embed-integrations
 

diff --git a/build/release.mk b/build/release.mk
@@ -110,6 +110,11 @@ release/pkg-linux-for-docker: release/deps release/clean generate-goreleaser-for
 	@echo "=== [release/pkg-linux-for-docker] PRE-RELEASE compiling all binaries"
 	$(GORELEASER_BIN) release --config $(GORELEASER_CONFIG_LINUX) $(PKG_FLAGS)
 
+.PHONY : release/pkg-linux-for-docker-fips
+release/pkg-linux-for-docker-fips: release/deps release/clean generate-goreleaser-for-docker-fips
+	@echo "=== [release/pkg-linux-for-docker-fips] PRE-RELEASE compiling all binaries"
+	$(GORELEASER_BIN) release --config $(GORELEASER_CONFIG_LINUX) $(PKG_FLAGS)
+
 .PHONY : release/pkg-macos
 release/pkg-macos: release/deps release/clean
 #release/pkg-macos: release/get-integrations-amd64-macos NO ASSETS AVAILABLE FOR NOW
@@ -371,6 +376,13 @@ generate-goreleaser-for-docker:
 		$(CURDIR)/build/goreleaser/linux/build_arm64.yml\
   		 > $(GORELEASER_CONFIG_LINUX)
 
+.PHONY : generate-goreleaser-for-docker-fips
+generate-goreleaser-for-docker-fips:
+	cat $(CURDIR)/build/goreleaser/linux/header.yml\
+		$(CURDIR)/build/goreleaser/linux/build_amd64_fips.yml\
+		$(CURDIR)/build/goreleaser/linux/build_arm64_fips.yml\
+  		 > $(GORELEASER_CONFIG_LINUX)
+
 ifndef SNAPSHOT
 	$(error SNAPSHOT is undefined)
 endif