Merge pull request #9 from spectrocloud/fips-cicd

Spectro FIPS and CICD
spectrocloud · Jun 14, 2023 · d826237 · d826237
2 parents 268d905 + 2e6f6ed
commit d826237
Show file tree

Hide file tree

Showing 3 changed files with 87 additions and 6 deletions.
diff --git a/.github/workflows/spectro-release.yaml b/.github/workflows/spectro-release.yaml
@@ -0,0 +1,67 @@
+name: Spectro Release
+run-name: Release for Kube-VIP ${{ github.event.inputs.release_version }}
+on:
+  workflow_dispatch:
+    inputs:
+      release_version:
+        description: 'Version to Build'
+        required: true
+        default: '0.0.0'
+jobs:
+  builder:
+    # edge-runner machine group is a bunch of machines in US Datacenter
+    runs-on: ubuntu-latest
+    # Initialize all secrets required for the job
+    # Ensure that the credentials are provided as encrypted secrets
+    env:
+      SPECTRO_VERSION: ${{ github.event.inputs.release_version }}
+    steps:
+      -
+        uses: mukunku/[email protected]
+        id: checkTag
+        with:
+          tag: spectro-v${{ github.event.inputs.release_version }}
+      -
+        if: ${{ steps.checkTag.outputs.exists == 'true' }}
+        run: |
+          echo "Tag already exists for spectro-v${{ github.event.inputs.release_version }}..."
+          exit 1
+      -
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      -
+        name: Login to private registry
+        uses: docker/login-action@v1
+        with:
+          registry: ${{ secrets.REGISTRY_URL }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+      -
+        name: Build Image
+        env:
+          REGISTRY: gcr.io/spectro-images-public/release/kube-vip
+        run: |
+          make docker
+      -
+        name: Build Image - FIPS Mode
+        env:
+          FIPS_ENABLE: yes
+          REGISTRY: gcr.io/spectro-images-public/release-fips/kube-vip
+        run: |
+          make docker
+      -
+        name: Create Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: spectro-v${{ github.event.inputs.release_version }}
+          release_name: Release spectro-v${{ github.event.inputs.release_version }}
+          body: |
+            Release version ${{ github.event.inputs.release_version }}
+          draft: false
+          prerelease: false
+
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,10 @@
 # syntax=docker/dockerfile:experimental
 
 FROM golang:1.19.8-alpine3.17 as dev
+# FIPS
+ARG CRYPTO_LIB
+ENV GOEXPERIMENT=${CRYPTO_LIB:+boringcrypto}
+
 RUN apk add --no-cache git ca-certificates make
 RUN adduser -D appuser
 COPY . /src/
@@ -16,4 +20,4 @@ FROM scratch
 COPY --from=dev /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 # Add kube-vip binary
 COPY --from=dev /src/kube-vip /
-ENTRYPOINT ["/kube-vip"]
+ENTRYPOINT ["/kube-vip"]
diff --git a/Makefile b/Makefile
@@ -4,8 +4,18 @@ SHELL := /bin/sh
 TARGET := kube-vip
 .DEFAULT_GOAL: $(TARGET)
 
+# Fips Flags
+FIPS_ENABLE ?= ""
+
+RELEASE_LOC := release
+ifeq ($(FIPS_ENABLE),yes)
+  CGO_ENABLED := 1
+  RELEASE_LOC := release-fips
+endif
+
 # These will be provided to the target
 VERSION := v0.4.0
+SPECTRO_VERSION ?= 4.0.0-dev
 BUILD := `git rev-parse HEAD`
 
 # Operating System Default (LINUX)
@@ -17,9 +27,9 @@ DOCKERTAG ?= $(VERSION)
 REPOSITORY = plndr
 
 IMAGE_NAME := kube-vip
-IMG_URL ?= gcr.io/spectro-dev-public/release
-IMG_TAG ?= spectro-v0.4.0-v1beta1-20230502
-IMG ?= ${IMG_URL}/${IMAGE_NAME}:${IMG_TAG}
+REGISTRY ?= gcr.io/spectro-dev-public/$(USER)/${RELEASE_LOC}
+IMG_TAG ?= v0.4.0-spectro-${SPECTRO_VERSION}
+IMG ?= ${REGISTRY}/${IMAGE_NAME}:${IMG_TAG}
 
 RELEASE_REGISTRY := gcr.io/spectro-images-public/release/kube-vip
 RELEASE_CONTROLLER_IMG := $(RELEASE_REGISTRY)/$(IMAGE_NAME)
@@ -49,7 +59,7 @@ fmt:
 
 demo:
 	@cd demo
-	@docker buildx build  --platform linux/amd64,linux/arm64,linux/arm/v7,linux/ppc64le --push -t $(REPOSITORY)/$(TARGET):$(DOCKERTAG) .
+	@docker buildx build  --platform linux/amd64,linux/arm64,linux/arm/v7,linux/ppc64le --push -t ${IMG} .
 	@echo New Multi Architecture Docker image created
 	@cd ..
 
@@ -73,7 +83,7 @@ release-dockerx86:
 
 docker:
 	@-rm ./kube-vip
-	@docker buildx build  --platform linux/amd64,linux/arm64,linux/arm/v7,linux/ppc64le --push -t $(REPOSITORY)/$(TARGET):$(DOCKERTAG) .
+	@docker buildx build --build-arg CRYPTO_LIB=${FIPS_ENABLE}  --platform linux/amd64 --push -t ${IMG} .
 	@echo New Multi Architecture Docker image created
 
 ## Local (docker load of images)