feat: generate fips compliant container image for Harvest (NetApp#3113)

* feat: generate fips compliant container image for Harvest * feat: generate fips compliant container image for Harvest * feat: remove zig from asup build
embusalacchi · Aug 21, 2024 · 7753ca6 · 7753ca6
1 parent 43e984b
commit 7753ca6
Show file tree

Hide file tree

Showing 6 changed files with 231 additions and 120 deletions.
diff --git a/Makefile b/Makefile
@@ -4,7 +4,7 @@
 .PHONY: help deps clean build test fmt lint package asup dev fetch-asup ci
 
 SHELL := /bin/bash
-REQUIRED_GO_VERSION := 1.22
+REQUIRED_GO_VERSION := 1.23
 GOLANGCI_LINT_VERSION := latest
 GOVULNCHECK_VERSION := latest
 ifneq (, $(shell which go))
@@ -40,6 +40,9 @@ ifneq (,$(wildcard $(HARVEST_ENV)))
 	export $(shell sed '/^\#/d; s/=.*//' $(HARVEST_ENV))
 endif
 
+# FIPS flag
+FIPS ?= 0
+
 help:  ## Display this help
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m\033[0m\n\nTargets:\n"} /^[a-zA-Z_-]+:.*?##/ { printf "  \033[36m%-11s\033[0m %s\n", $$1, $$2 }' $(MAKEFILE_LIST)
 
@@ -100,9 +103,13 @@ all: package ## Build, Test, Package
 harvest: deps
 	@mkdir -p bin
 	@# Build the harvest and poller cli
+ifeq ($(FIPS), 1)
+	@echo "Building with BoringCrypto (FIPS compliance)"
+	GOEXPERIMENT=boringcrypto GOOS=$(GOOS) GOARCH=$(GOARCH) CGO_ENABLED=1 go build -trimpath -tags boringcrypto -o bin -ldflags=$(LD_FLAGS) ./cmd/harvest ./cmd/poller
+else
 	@echo "Building"
 	@GOOS=$(GOOS) GOARCH=$(GOARCH) CGO_ENABLED=$(CGO_ENABLED) go build -trimpath -o bin -ldflags=$(LD_FLAGS) ./cmd/harvest ./cmd/poller
-
+endif
 	@cp service/contrib/grafana bin; chmod +x bin/grafana
 
 ###############################################################################
@@ -131,7 +138,7 @@ asup:
 	else\
 		git clone -b ${BRANCH} https://${GIT_TOKEN}@github.com/NetApp/harvest-private.git ${ASUP_TMP};\
 	fi
-	@cd ${ASUP_TMP}/harvest-asup && CGO_ENABLED=0 make ${ASUP_MAKE_TARGET} VERSION=${VERSION} RELEASE=${RELEASE}
+	@cd ${ASUP_TMP}/harvest-asup && make ${ASUP_MAKE_TARGET} VERSION=${VERSION} RELEASE=${RELEASE} FIPS=${FIPS}
 	@mkdir -p ${CURRENT_DIR}/autosupport
 	@cp ${ASUP_TMP}/harvest-asup/bin/asup ${CURRENT_DIR}/autosupport
 

diff --git a/cmd/harvest/fips.go b/cmd/harvest/fips.go
@@ -0,0 +1,7 @@
+//go:build boringcrypto
+
+package main
+
+import (
+	_ "crypto/tls/fipsonly"
+)
diff --git a/cmd/poller/fips.go b/cmd/poller/fips.go
@@ -0,0 +1,7 @@
+//go:build boringcrypto
+
+package main
+
+import (
+	_ "crypto/tls/fipsonly"
+)
diff --git a/container/onePollerPerContainer/Dockerfile b/container/onePollerPerContainer/Dockerfile
@@ -9,6 +9,7 @@ ARG BUILD_DIR=/opt/home
 ARG VERSION=2.0
 ARG RELEASE=nightly
 ARG ASUP_MAKE_TARGET=build
+ARG FIPS=0
 
 # Set the Current Working Directory inside the container
 WORKDIR $BUILD_DIR
@@ -19,25 +20,35 @@ COPY . .
 
 RUN --mount=type=secret,id=git_token \
     if [[ -n "$ASUP_MAKE_TARGET" && -f "/run/secrets/git_token" ]]; then \
-    GIT_TOKEN=$(cat /run/secrets/git_token) && \
-    make build asup VERSION=$VERSION RELEASE=$RELEASE ASUP_MAKE_TARGET=$ASUP_MAKE_TARGET GIT_TOKEN=$GIT_TOKEN ; \
+    make build asup VERSION=$VERSION RELEASE=$RELEASE ASUP_MAKE_TARGET=$ASUP_MAKE_TARGET GIT_TOKEN=$(cat /run/secrets/git_token) FIPS=$FIPS ; \
     else \
-    make build VERSION=$VERSION RELEASE=$RELEASE BIN_PLATFORM=linux ;\
+    make build VERSION=$VERSION RELEASE=$RELEASE BIN_PLATFORM=linux FIPS=$FIPS ;\
     fi
 
-RUN cp -a $BUILD_DIR/harvest.yml $INSTALL_DIR/harvest.yml.example
-
-RUN cp -aR bin $BUILD_DIR/conf $BUILD_DIR/grafana $BUILD_DIR/autosupport $BUILD_DIR/prom-stack.tmpl $INSTALL_DIR
-
-RUN cp -a $BUILD_DIR/container/onePollerPerContainer/docker-compose.tmpl $INSTALL_DIR/container/onePollerPerContainer
-
-RUN cp -aR $BUILD_DIR/container/prometheus $INSTALL_DIR/container/
+RUN cp -a $BUILD_DIR/harvest.yml $INSTALL_DIR/harvest.yml.example \
+    && cp -aR bin $BUILD_DIR/conf $BUILD_DIR/grafana $BUILD_DIR/autosupport $BUILD_DIR/prom-stack.tmpl $INSTALL_DIR \
+    && cp -a $BUILD_DIR/container/onePollerPerContainer/docker-compose.tmpl $INSTALL_DIR/container/onePollerPerContainer \
+    && cp -aR $BUILD_DIR/container/prometheus $INSTALL_DIR/container/
+
+# Create directories and conditionally copy .so files if FIPS is enabled
+RUN mkdir -p /temp_libs/x86_64-linux-gnu /temp_libs/lib64 && \
+    if [ "$FIPS" -eq "1" ]; then \
+    cp /lib/x86_64-linux-gnu/libresolv.so.2 /temp_libs/x86_64-linux-gnu/ && \
+    cp /lib/x86_64-linux-gnu/libpthread.so.0 /temp_libs/x86_64-linux-gnu/ && \
+    cp /lib/x86_64-linux-gnu/libc.so.6 /temp_libs/x86_64-linux-gnu/ && \
+    cp /lib64/ld-linux-x86-64.so.2 /temp_libs/lib64/; \
+    fi
 
 FROM gcr.io/distroless/static-debian12:debug
 
 ARG INSTALL_DIR=/opt/harvest
 ENV HARVEST_DOCKER=yes
 COPY --from=builder $INSTALL_DIR $INSTALL_DIR
+
+# Conditionally copy .so files from builder stage if they exist
+COPY --from=builder /temp_libs/x86_64-linux-gnu/ /lib/x86_64-linux-gnu/
+COPY --from=builder /temp_libs/lib64/ /lib64/
+
 WORKDIR $INSTALL_DIR
 
 ENTRYPOINT ["bin/poller"]
diff --git a/integration/Jenkinsfile b/integration/Jenkinsfile
@@ -12,14 +12,15 @@ pipeline {
         string(name: 'VERSION', defaultValue: '', description: 'Version')
         string(name: 'BRANCH',  defaultValue: 'main', description: '[Optional] Branch name to clone. Default (main) ')
         string(name: 'DOCKER',  defaultValue: '', description: 'http url of docker tar build or docker image')
+        string(name: 'DOCKER_FIPS',  defaultValue: '', description: 'http url of fips complaint docker tar build or docker image')
         string(name: 'RPM',     defaultValue: '', description: 'http url of rpm file')
         string(name: 'NATIVE',  defaultValue: '', description: 'http url of native tar file')
     }
     environment {
         BUILD_ID="dontKillMe"
         JENKINS_NODE_COOKIE="dontKillMe"
     }
-    
+
     stages {
         stage('Setup') {
             agent {
@@ -150,7 +151,7 @@ pipeline {
                     agent {
                         label "docker"
                     }
-                    stages('Test on docker Pkg') {
+                    stages('Test on Docker Pkg') {
                         stage('Setup') {
                             steps {
                                 printNodeInfo()
@@ -162,7 +163,7 @@ pipeline {
                         stage('Install Docker') {
                             steps {
                                 sh '''
-                                echo "Installing"
+                                echo "Installing Docker"
                                 curl -O $DOCKER && docker load -i docker_harvest.tar
                                 rm -rf $WORKSPACE/docker
                                 mkdir $WORKSPACE/docker
@@ -172,9 +173,10 @@ pipeline {
                                   --entrypoint "bin/harvest" \
                                   --volume "$(pwd):/opt/temp" \
                                   --volume "$(pwd)/harvest.yml:/opt/harvest/harvest.yml" \
-                                  ghcr.io/netapp/harvest \
+                                  ghcr.io/netapp/harvest:latest \
                                   generate docker full \
-                                  --output harvest-compose.yml
+                                  --output harvest-compose.yml \
+                                  --image ghcr.io/netapp/harvest:latest
                                 docker compose -f prom-stack.yml -f harvest-compose.yml up -d --remove-orphans
                                 sleep 1m
                                 INSTALL_DOCKER=1 bash $WORKSPACE/harvest/integration/test/test.sh
@@ -205,6 +207,66 @@ pipeline {
                         }
                     }
                 }
+                stage('DOCKER_FIPS') {
+                    agent {
+                        label "docker"
+                    }
+                    stages('Test on Docker FIPS Pkg') {
+                        stage('Setup') {
+                            steps {
+                                printNodeInfo()
+                                cleanWs()
+                                stopAndRemoveDockers()
+                                setupWorkspace()
+                            }
+                        }
+                        stage('Install Docker FIPS') {
+                            steps {
+                                sh '''
+                                echo "Installing Docker FIPS"
+                                curl -O $DOCKER_FIPS && docker load -i docker_harvest_fips.tar
+                                rm -rf $WORKSPACE/docker
+                                mkdir $WORKSPACE/docker
+                                cd $WORKSPACE/docker
+                                cp -rf $WORKSPACE/harvest/integration/test/harvest.yml .
+                                docker run --rm \
+                                  --entrypoint "bin/harvest" \
+                                  --volume "$(pwd):/opt/temp" \
+                                  --volume "$(pwd)/harvest.yml:/opt/harvest/harvest.yml" \
+                                  ghcr.io/netapp/harvest:latest-fips \
+                                  generate docker full \
+                                  --output harvest-compose.yml \
+                                  --image ghcr.io/netapp/harvest:latest-fips
+                                docker compose -f prom-stack.yml -f harvest-compose.yml up -d --remove-orphans
+                                sleep 1m
+                                INSTALL_DOCKER=1 bash $WORKSPACE/harvest/integration/test/test.sh
+                                '''
+                            }
+                        }
+                        stage('Running Test') {
+                            steps {
+                                sh """
+                                export VERSION=$VERSION
+                                REGRESSION=1 bash $WORKSPACE/harvest/integration/test/test.sh
+                                """
+
+                            }
+                            post {
+                                always {
+                                    sh """
+                                        COPY_DOCKER_LOGS=1 bash $WORKSPACE/harvest/integration/test/test.sh
+                                        rm -f docker_fips_logs.zip
+                                        zip -r docker_fips_logs.zip /var/log/harvest
+                                        cd $WORKSPACE/docker
+                                        ANALYZE_DOCKER_LOGS=1 bash $WORKSPACE/harvest/integration/test/test.sh
+                                        docker ps -q | xargs docker stop | xargs docker rm --force
+                                    """
+                                    archiveArtifacts artifacts: "docker_fips_logs.zip", fingerprint: true
+                                }
+                            }
+                        }
+                    }
+                }
             }
         }
     }
@@ -238,4 +300,4 @@ def void printNodeInfo() {
         socket.connect(InetAddress.getByName("8.8.8.8"), 10002);
         nodeIp = socket.getLocalAddress().getHostAddress();
         println("The Node IP Address is: ${nodeIp}")
-}
+}