diff --git a/.github/workflows/component_docker_packaging.yml b/.github/workflows/component_docker_packaging.yml
index 0cde9fa44..4d6eab43d 100644
--- a/.github/workflows/component_docker_packaging.yml
+++ b/.github/workflows/component_docker_packaging.yml
@@ -19,6 +19,10 @@ on: TAG: required: true type: string + FIPS: + required: false + type: boolean + default: false env: GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
@@ -29,6 +33,7 @@ env: DOCKER_HUB_ID: ${{ secrets.DOCKER_HUB_ID }} DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }} DOCKER_PUBLISH: true + FIPS: ${{ inputs.FIPS == true && '-fips' || '' }} jobs: packaging:
@@ -47,7 +52,7 @@ jobs: password: ${{ env.DOCKER_HUB_PASSWORD }} - name: Compiling binaries for linux amd64, arm, arm64 - run: make ci/prerelease/linux-for-docker + run: make ci/prerelease/linux-for-docker${{env.FIPS}} - name: Set up QEMU uses: docker/setup-qemu-action@v1
@@ -58,10 +63,10 @@ jobs: version: v0.9.1 - name: Build and publish Release Candidate (RC) of base Docker image - run: AGENT_VERSION=${{env.TAG}} make -C build/container/ clean publish/multi-arch-base-rc + run: AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} make -C build/container/ clean publish/multi-arch-base-rc - name: Build and publish Release Candidate (RC) of forwarder Docker image - run: AGENT_VERSION=${{env.TAG}} make -C build/container/ clean publish/multi-arch-forwarder-rc + run: AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} make -C build/container/ clean publish/multi-arch-forwarder-rc - name: Build and publish Release Candidate (RC) of k8s-events-forwarders Docker image - run: AGENT_VERSION=${{env.TAG}} make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-rc \ No newline at end of file + run: AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-rc \ No newline at end of file
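Review bot: The new `FIPS` input carries no `description:`, so a caller of this reusable workflow can only learn what it changes by reading the `run:` lines further down and build/container/Makefile. Add `description: 'Build and publish the -fips image variants (appends -fips to the linux-for-docker make target and to the Docker repository name)'` under the input. The `FIPS` input added to component_trivy.yml in this same diff has the same gap.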
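Review bot: The workflow-level `FIPS` env holds the string `-fips` or an empty string, while the `FIPS` input it is derived from is a boolean; reusing one name for two types makes the later `FIPS=${{env.FIPS}}` lines read as if a boolean were being forwarded to make. Naming the derived value `FIPS_SUFFIX` and updating the `run:` lines in the two hunks below would keep the distinction visible; the identical `env:` entry added to component_trivy.yml would want the same rename. A comment such as `# image-name suffix derived from the boolean input; must match REPO in build/container/Makefile` would document the coupling either way.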
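Review bot: `make ci/prerelease/linux-for-docker-fips`, which this step runs when the input is true, has no matching rule: the build/ci.mk hunk later in this diff declares `ci/prerelease/linux-for-docker-fips` as `.PHONY` but names the new rule `ci/prerelease/linux-for-docker:` a second time, so the FIPS step has no recipe to run and compiles nothing. Worse, the duplicated rule replaces the existing non-FIPS recipe with `TARGET_OS=linux-for-docker-fips $(MAKE) ci/prerelease` (make only warns about an overridden recipe), so the regular `newrelic/infrastructure` images would be built from FIPS binaries while the `-fips` images are built from whatever binaries the later steps happen to find. The fix belongs in build/ci.mk: change the second rule line to `ci/prerelease/linux-for-docker-fips:`.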
diff --git a/.github/workflows/component_trivy.yml b/.github/workflows/component_trivy.yml
index 0420f2aae..5a4daea8d 100644
--- a/.github/workflows/component_trivy.yml
+++ b/.github/workflows/component_trivy.yml
@@ -12,6 +12,13 @@ on: severity: required: true type: string + FIPS: + required: false + type: boolean + default: false + +env: + FIPS: ${{ inputs.FIPS == true && '-fips' || '' }} jobs: trivy_scanner:
@@ -22,7 +29,7 @@ jobs: - name: newrelic/infrastructure uses: aquasecurity/trivy-action@master with: - image-ref: "docker.io/newrelic/infrastructure:${{ inputs.tag }}" + image-ref: "docker.io/newrelic/infrastructure${{ env.FIPS }}:${{ inputs.tag }}" format: 'table' exit-code: '1' ignore-unfixed: true
@@ -35,7 +42,7 @@ jobs: - name: newrelic/k8s-events-forwarder uses: aquasecurity/trivy-action@master with: - image-ref: "docker.io/newrelic/k8s-events-forwarder:${{ inputs.tag }}" + image-ref: "docker.io/newrelic/k8s-events-forwarder${{ env.FIPS }}:${{ inputs.tag }}" format: 'table' exit-code: '1' ignore-unfixed: true
@@ -48,7 +55,7 @@ jobs: - name: newrelic/nri-forwarder uses: aquasecurity/trivy-action@master with: - image-ref: "docker.io/newrelic/nri-forwarder:${{ inputs.tag }}" + image-ref: "docker.io/newrelic/nri-forwarder${{ env.FIPS }}:${{ inputs.tag }}" format: 'table' exit-code: '1' ignore-unfixed: true
@@ -69,7 +76,7 @@ jobs: - name: Sarif newrelic/infrastructure uses: aquasecurity/trivy-action@master with: - image-ref: "docker.io/newrelic/infrastructure:${{ inputs.tag }}" + image-ref: "docker.io/newrelic/infrastructure${{ env.FIPS }}:${{ inputs.tag }}" format: 'sarif' output: 'trivy-results.sarif' vuln-type: 'os,library'
diff --git a/.github/workflows/prerelease_linux.yml b/.github/workflows/prerelease_linux.yml
index d7ce2192d..3ce0a6b35 100644
--- a/.github/workflows/prerelease_linux.yml
+++ b/.github/workflows/prerelease_linux.yml
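Review bot: The `-fips` suffix computed in the new `env:` block is a second copy of the mapping in component_docker_packaging.yml, and both must agree with `REPO ?= infrastructure${FIPS}` in build/container/Makefile for the four `image-ref` values below to name images that were actually published. If any of the three drifts, the scan job fails at image pull rather than scanning the released FIPS image, and nothing in this file states that dependency. Add `# must produce the same suffix that build/container/Makefile appends to REPO` above the `FIPS:` entry so the coupling is visible to whoever next edits either side.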
@@ -124,6 +124,28 @@ jobs: tag: "${{ github.event.release.tag_name }}-rc" severity: "CRITICAL" + packaging-docker-fips: + needs: [unit-test, proxy-tests] + uses: ./.github/workflows/component_docker_packaging.yml + secrets: + DOCKER_HUB_ID: ${{secrets.OHAI_DOCKER_HUB_ID}} + DOCKER_HUB_PASSWORD: ${{secrets.OHAI_DOCKER_HUB_PASSWORD}} + GPG_MAIL: 'infrastructure-eng@newrelic.com' + GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }} + GPG_PRIVATE_KEY_BASE64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + TAG: ${{ github.event.release.tag_name }} + FIPS: true + + docker-fips-trivy-critical: + needs: [packaging-docker-fips] + uses: ./.github/workflows/component_trivy.yml + with: + tag: "${{ github.event.release.tag_name }}-rc" + severity: "CRITICAL" + FIPS: true + publishing-to-s3: # point to staging after tests name: Publish linux artifacts into s3 staging bucket
diff --git a/build/ci.mk b/build/ci.mk
index eeb8cd6d2..d2e610ac0 100644
--- a/build/ci.mk
+++ b/build/ci.mk
@@ -84,6 +84,10 @@ ci/prerelease/linux-legacy: ci/prerelease/linux-for-docker: TARGET_OS=linux-for-docker $(MAKE) ci/prerelease +.PHONY : ci/prerelease/linux-for-docker-fips +ci/prerelease/linux-for-docker: + TARGET_OS=linux-for-docker-fips $(MAKE) ci/prerelease + .PHONY : ci/prerelease/macos ci/prerelease/macos:
diff --git a/build/container/Makefile b/build/container/Makefile
index 33a2b89b6..5aad61426 100644
--- a/build/container/Makefile
+++ b/build/container/Makefile
@@ -16,6 +16,7 @@ DOCKER_BUILD_TAG_PREFIX ?= build DOCKER_TAG_LATEST ?= latest USE_BUILDX ?= false DOCKER_PUBLISH ?= false +FIPS ?= AGENT_ARCH ?= $(DOCKER_ARCH)
@@ -50,7 +51,7 @@ AGENT_VERSION ?= 0.0.0 IMAGE_VERSION ?= $(AGENT_VERSION) NS ?= newrelic -REPO ?= infrastructure +REPO ?= infrastructure${FIPS} IMAGE_NAME ?= ${NS}/${REPO} CORE_IMAGE_NAME ?= ${IMAGE_NAME}-core BASE_IMAGE_NAME ?= ${IMAGE_NAME}
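Review bot: `packaging-docker-fips` and `docker-fips-trivy-critical` repeat the complete `secrets:` and `with:` wiring of the existing Docker packaging and Trivy jobs, differing only in `FIPS: true` (the originals sit above this hunk, so this is inferred from the `tag`/`severity` context lines). If the existing jobs share the same `needs:` and secrets, one job with `strategy: matrix: fips: [false, true]` and `FIPS: ${{ matrix.fips }}` would keep the secret hand-off in a single place so the two variants cannot drift, and the Trivy job could be parameterised the same way. Failing that, a comment such as `# Builds and publishes the -fips image variants; gated by docker-fips-trivy-critical below` on the new job would tell a reader why the block is duplicated.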
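Review bot: `REPO ?= infrastructure${FIPS}` splices whatever `FIPS` holds straight into the image name, and the variable name reads as a boolean: a developer running `make FIPS=true` locally publishes or tags `newrelic/infrastructuretrue`, and CI only works because the workflow pre-computes the `-fips` suffix before calling make. Normalising next to the new `FIPS ?=` line keeps both spellings safe: `ifeq ($(FIPS),true)`, `override FIPS := -fips`, `endif`. The resulting repository name is also what component_trivy.yml expects to scan (`infrastructure${{ env.FIPS }}`), so a comment on `FIPS ?=` stating that it is an image-name suffix (empty or `-fips`) shared with the workflows is worth adding.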
@@ -126,6 +127,7 @@ base/get-integrations : ${NRI_PKG_DIR} base/get-integrations : NRI_DOCKER_ARCH=$(DOCKER_ARCH) base/get-integrations : NRI_PROMETHEUS_ARCH=$(DOCKER_ARCH) base/get-integrations : NRI_FLEX_ARCH=$(DOCKER_ARCH) +base/get-integrations : FIPS=$(FIPS) base/get-integrations : get-integrations base/get-integrations : embed-integrations
diff --git a/build/release.mk b/build/release.mk
index c0fed2057..beb43646d 100644
--- a/build/release.mk
+++ b/build/release.mk
@@ -110,6 +110,11 @@ release/pkg-linux-for-docker: release/deps release/clean generate-goreleaser-for @echo "=== [release/pkg-linux-for-docker] PRE-RELEASE compiling all binaries" $(GORELEASER_BIN) release --config $(GORELEASER_CONFIG_LINUX) $(PKG_FLAGS) +.PHONY : release/pkg-linux-for-docker-fips +release/pkg-linux-for-docker-fips: release/deps release/clean generate-goreleaser-for-docker-fips + @echo "=== [release/pkg-linux-for-docker-fips] PRE-RELEASE compiling all binaries" + $(GORELEASER_BIN) release --config $(GORELEASER_CONFIG_LINUX) $(PKG_FLAGS) + .PHONY : release/pkg-macos release/pkg-macos: release/deps release/clean #release/pkg-macos: release/get-integrations-amd64-macos NO ASSETS AVAILABLE FOR NOW
@@ -371,6 +376,13 @@ generate-goreleaser-for-docker: $(CURDIR)/build/goreleaser/linux/build_arm64.yml\ > $(GORELEASER_CONFIG_LINUX) +.PHONY : generate-goreleaser-for-docker-fips +generate-goreleaser-for-docker-fips: + cat $(CURDIR)/build/goreleaser/linux/header.yml\ + $(CURDIR)/build/goreleaser/linux/build_amd64_fips.yml\ + $(CURDIR)/build/goreleaser/linux/build_arm64_fips.yml\ + > $(GORELEASER_CONFIG_LINUX) + ifndef SNAPSHOT $(error SNAPSHOT is undefined) endif
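Review bot: `base/get-integrations : FIPS=$(FIPS)` is a target-specific variable assigned its own global value, which unlike the neighbouring `NRI_*_ARCH=$(DOCKER_ARCH)` lines renames nothing and so changes nothing for a recipe that reads `$(FIPS)`. If the intent is for the `get-integrations` recipe (outside this diff) to see `FIPS` in its shell environment, this line does not achieve that either: make only exports variables that came from the environment or the command line, so it works in CI, where the workflow sets `FIPS=` in the environment, but not for a value set inside the Makefile. Either drop the line with a comment that `get-integrations` reads the global `$(FIPS)`, or replace it with `export FIPS` next to `FIPS ?=` if the recipe needs it as an environment variable.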
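Review bot: `generate-goreleaser-for-docker-fips` concatenates `build_amd64_fips.yml` and `build_arm64_fips.yml`, neither of which appears in this diff; if they are not added alongside it, `cat` fails only after the redirection has already truncated `$(GORELEASER_CONFIG_LINUX)`, leaving a partial config behind for the next target that trusts the file. Everything that distinguishes a FIPS build from the regular one lives in those two fragments, so they are the part of this change that most needs review, and the Makefile gives no pointer to them; a comment such as `# FIPS variants of build_amd64.yml/build_arm64.yml; the toolchain differences live in those fragments` on the new target would help. Both generators write the same `$(GORELEASER_CONFIG_LINUX)` path, which is fine for one target per runner as the workflows use it, but means `release/pkg-linux-for-docker` and `release/pkg-linux-for-docker-fips` cannot safely share one parallel make invocation.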