add fips compliant package builds

rajrohanyadav · rajrohanyadav · commit ad6d65d7cada · 2024-11-12T13:09:34.000+05:30
diff --git a/.github/renovate.json5 b/.github/renovate.json5
@@ -9,6 +9,28 @@
         "ubuntu"
       ],
       "enabled": false
+    },
+    {
+      // Skip updating package builder image
+      "matchDatasources": ["docker"],
+      "matchPackageNames": ["ubuntu"],
+      "enabled": false,
+    },
+    {
+      "matchDatasources": [
+        "dockerfile",
+        "gomod"
+      ],
+      "matchPackageNames": [
+        "golang",
+        "*"
+      ],
+      "matchPaths": [
+        "build/Dockerfile",
+        "go.mod"
+      ],
+      "extractVersion": "^ARG GO_VERSION=(?<version>.*)$",
+      "groupName": "go-updates"
     }
   ]
 }
diff --git a/build/.goreleaser.yml b/build/.goreleaser.yml
@@ -1,3 +1,5 @@
+---
+project_name: nri-flex
 builds:
   - id: nri-nix
     main: ./src
@@ -13,7 +15,25 @@ builds:
       - amd64
       - arm
       - arm64
-
+  - id: nri-nix-fips
+    main: ./src
+    binary: nri-docker
+    ldflags:
+      - -s -w -X main.integrationVersion={{.Version}} -X main.gitCommit={{.Commit}} -X main.buildDate={{.Date}}
+    env:
+      - CGO_ENABLED=1
+      - GOEXPERIMENT=boringcrypto
+      - >-
+        {{- if eq .Arch "arm64" -}}
+        CC=aarch64-linux-gnu-gcc
+        {{- end }}
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+    tags:
+      - fips
 archives:
   - id: nri-nix
     builds:
@@ -23,6 +43,14 @@ archives:
       - docker-config.yml
       - docker-definition.yml
     format: tar.gz
+  - id: nri-nix-fips
+    builds:
+      - nri-nix-fips
+    name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Version }}_{{ .Arch }}_fips_dirty"
+    files:
+      - docker-config.yml
+      - docker-definition.yml
+    format: tar.gz
 
 # we use custom publisher for fixing archives and signing them
 release:
diff --git a/build/Dockerfile b/build/Dockerfile
@@ -1,15 +1,46 @@
-FROM golang:1.23.2-bookworm
+# Use Ubuntu 16.04 as the base image
+FROM ubuntu:16.04
 
-ARG GH_VERSION='2.23.0'
+# Define Go version
+ARG GO_VERSION=1.23.2
+ARG ARCH='amd64'
+ARG GH_VERSION='2.61.0'
 
-RUN apt-get update \
-    && apt-get -y install \
-        rpm \
-        gnupg2 \
-        gpg-agent \
-        debsigs \
-        unzip \
-        zip
+# Install dependencies
+RUN apt-get update && apt-get install -y \
+    gnupg-agent \
+    unzip \
+    zip \
+    curl \
+    wget \
+    expect \
+    git \
+    tar \
+    gcc \
+    jq \
+    g++ \
+    gnupg2 \
+    gnupg-agent \
+    debsigs \
+    rpm \
+    build-essential \
+    software-properties-common \
+    python-software-properties \
+    gcc-arm-linux-gnueabi \
+    dpkg-sig \
+    gcc-aarch64-linux-gnu
+
+# Install Go
+RUN curl -sSL https://golang.org/dl/go${GO_VERSION}.linux-${ARCH}.tar.gz -o go${GO_VERSION}.linux-${ARCH}.tar.gz && \
+    tar -C /usr/local -xzf go${GO_VERSION}.linux-${ARCH}.tar.gz && \
+    rm go${GO_VERSION}.linux-${ARCH}.tar.gz
+
+# Set Go environment variables
+ENV PATH="/usr/local/go/bin:${PATH}"
+ENV GOPATH="/go"
+
+# Optional: Set Go environment flags
+ENV GOFLAGS="-buildvcs=false"
 
 # Since the user does not match the owners of the repo "git rev-parse --is-inside-work-tree" fails and goreleaser does not populate projectName
 # https://stackoverflow.com/questions/72978485/git-submodule-update-failed-with-fatal-detected-dubious-ownership-in-repositor
diff --git a/build/release.mk b/build/release.mk
@@ -1,5 +1,5 @@
 BUILD_DIR    := ./bin/
-GORELEASER_VERSION := v0.172.1
+GORELEASER_VERSION := v2.4.4
 GORELEASER_BIN ?= bin/goreleaser
 
 bin:
@@ -27,10 +27,10 @@ release/deps: $(GORELEASER_BIN)
 release/build: release/deps release/clean
 ifeq ($(PRERELEASE), true)
 	@echo "===> $(INTEGRATION) === [release/build] PRE-RELEASE compiling all binaries, creating packages, archives"
-	@$(GORELEASER_BIN) release --config $(CURDIR)/build/.goreleaser.yml --rm-dist
+	@$(GORELEASER_BIN) release --config $(CURDIR)/build/.goreleaser.yml --clean
 else
 	@echo "===> $(INTEGRATION) === [release/build] build compiling all binaries"
-	@$(GORELEASER_BIN) build --config $(CURDIR)/build/.goreleaser.yml --snapshot --rm-dist
+	@$(GORELEASER_BIN) build --config $(CURDIR)/build/.goreleaser.yml --snapshot --clean
 endif
 
 .PHONY : release/fix-archive
diff --git a/build/s3-publish-schema.yml b/build/s3-publish-schema.yml
@@ -11,3 +11,11 @@
     - 386
     - arm
     - arm64
+
+- src: "{app_name}_linux_{version}_{arch}_fips.tar.gz"
+  uploads:
+    - type: file
+      dest: "{dest_prefix}binaries/linux/{arch}/{src}"
+  arch:
+    - amd64
+    - arm64
diff --git a/src/fips.go b/src/fips.go
@@ -0,0 +1,11 @@
+// Copyright 2024 New Relic Corporation. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build fips
+// +build fips
+
+package main
+
+import (
+	_ "crypto/tls/fipsonly"
+)
