
Build kanister-tools Go binaries in fipsonly mode #2492

Merged (3 commits), Jan 10, 2024

Conversation

sukhil-suresh (Contributor) commented Nov 22, 2023

Change Overview

The kanister-tools image is shipped with 3 binaries - restic, kopia and kando. They are already built to use the
goboring library. This PR makes changes to restrict all TLS configurations to FIPS-approved settings for these binaries.

  • Modified docker/tools/Dockerfile for building restic and kopia in fipsonly mode
  • Added cmd/kando/fipsonly.go and updated .goreleaser.yaml for building kando in fipsonly mode

Pull request type

  • 🌈 Refactoring (no functional changes, no api changes)
  • 🐹 Trivial/Minor

Test Plan

  • 💪 Manual

Manually verified that the kanister-tools binaries were built in fipsonly mode using the goversion tool.

  • Built kando in a Linux container:
    $ goreleaser build --id kando --rm-dist --debug --snapshot
    
  • Copied newly built kando and LICENSE (from root folder) to docker/tools folder
  • Built fipsonly kanister-tools image:
    $ docker build -t kanister-tools docker/tools
    
  • Copied binaries over from kanister-tools container:
    $ docker create --name debug kanister-tools
    
    $ docker cp debug:/usr/local/bin/restic .
    $ docker cp debug:/usr/local/bin/kopia .
    $ docker cp debug:/usr/local/bin/kando .
    
  • Verified binaries were in fipsonly mode:
    $ goversion --crypto restic | grep fips
    restic go1.21.4 X:boringcrypto (standard crypto) +crypto/tls/fipsonly

    $ goversion --crypto kando | grep fips
    kando go1.21.3 X:boringcrypto (boring crypto) +crypto/tls/fipsonly

    $ goversion --crypto kopia | grep fips
    kopia go1.21.4 X:boringcrypto (boring crypto) +crypto/tls/fipsonly

    The goversion tool was installed from the master branch of https://github.com/rsc/goversion.
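A companion check, added here and not part of the PR or the Kanister code base: on a boringcrypto toolchain the crypto/tls/fipsonly import rejects non-FIPS TLS settings at handshake time, so this Go snippet encodes the same policy as I understand it for Go 1.21 (TLS 1.2 only, AES-GCM suites, NIST P-curves; the exact lists are an assumption) and audits a tls.Config on an ordinary toolchain, before a fipsonly build turns a loose setting into a runtime failure.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Policy that crypto/tls/fipsonly is assumed to pin on Go 1.21 boringcrypto builds.
var (
	fipsMinVersion uint16 = tls.VersionTLS12
	fipsMaxVersion uint16 = tls.VersionTLS12
	fipsCipherSuites       = map[uint16]bool{
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: true, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: true,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: true, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: true,
		tls.TLS_RSA_WITH_AES_128_GCM_SHA256: true, tls.TLS_RSA_WITH_AES_256_GCM_SHA384: true,
	}
	fipsCurves = map[tls.CurveID]bool{tls.CurveP256: true, tls.CurveP384: true, tls.CurveP521: true}
)

// FIPSConfig returns a tls.Config explicitly restricted to the policy above,
// i.e. what a fipsonly build would enforce regardless of caller settings.
func FIPSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: fipsMinVersion,
		MaxVersion: fipsMaxVersion,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
		CurvePreferences: []tls.CurveID{tls.CurveP256, tls.CurveP384, tls.CurveP521},
	}
}

// CheckFIPS lists every way c is looser than the policy; an empty result means
// the config would pass unchanged through a fipsonly build. Unset fields are
// flagged because Go's defaults include TLS 1.3, ChaCha20-Poly1305 and X25519.
func CheckFIPS(c *tls.Config) []string {
	var problems []string
	if c.MinVersion != fipsMinVersion {
		problems = append(problems, fmt.Sprintf("MinVersion 0x%04x is not pinned to TLS 1.2", c.MinVersion))
	}
	if c.MaxVersion != fipsMaxVersion {
		problems = append(problems, fmt.Sprintf("MaxVersion 0x%04x permits versions other than TLS 1.2", c.MaxVersion))
	}
	if len(c.CipherSuites) == 0 {
		problems = append(problems, "CipherSuites unset: Go defaults include non-FIPS suites")
	}
	for _, s := range c.CipherSuites {
		if !fipsCipherSuites[s] {
			problems = append(problems, fmt.Sprintf("cipher suite %s is not FIPS-approved", tls.CipherSuiteName(s)))
		}
	}
	if len(c.CurvePreferences) == 0 {
		problems = append(problems, "CurvePreferences unset: Go defaults include X25519")
	}
	for _, id := range c.CurvePreferences {
		if !fipsCurves[id] {
			problems = append(problems, fmt.Sprintf("curve %v is not a NIST P-curve", id))
		}
	}
	return problems
}

func main() {
	fmt.Println("empty tls.Config:", CheckFIPS(&tls.Config{}))
	fmt.Println("FIPSConfig():", CheckFIPS(FIPSConfig()))
}
```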

@sukhil-suresh sukhil-suresh marked this pull request as ready for review November 23, 2023 20:43
@pavannd1 pavannd1 requested a review from bathina2 November 28, 2023 02:07
sukhil-suresh (Contributor, Author) commented:

@pavannd1 this PR never got merged.

@pavannd1 pavannd1 added the kueue label Jan 9, 2024
@pavannd1 pavannd1 enabled auto-merge (squash) January 9, 2024 23:31
pavannd1 (Contributor) commented Jan 9, 2024

@Mergifyio update

mergify bot (Contributor) commented Jan 9, 2024

update

❌ Pull request can't be updated with latest base branch changes

Mergify needs the author permission to update the base branch of the pull request.
@sukhil-suresh needs to authorize modification on its head branch.

@pavannd1 pavannd1 disabled auto-merge January 9, 2024 23:35
sukhil-suresh (Contributor, Author) commented:

@pavannd1 I enabled the Allow edits by maintainers. Can you try again, please?

[Screenshot 2024-01-09 at 6 38 29 PM]

@sukhil-suresh sukhil-suresh force-pushed the fipsonly-kanister-tools branch from e541fad to 103fce0 Compare January 9, 2024 23:46
@mergify mergify bot merged commit 1d9e89b into kanisterio:master Jan 10, 2024
14 checks passed