From 08dbe2f9fde2d82206290e16309adbffcfd3dcb8 Mon Sep 17 00:00:00 2001
From: Devendra Turkar
Date: Thu, 1 Feb 2024 17:24:16 +0530
Subject: [PATCH] chore: add alpine based fips image (#1381)
* chore: update go version to 1.21 update go version in go mod and in build pipeline
* chore: add alpine based fips image - add alpine based fips image - fix ubi9 build image
---
 .goreleaser.yaml | 80 +++++++++++++++++++
 build/starboard-operator/Dockerfile.fips | 11 +++
 build/starboard-operator/Dockerfile.fips.ubi8 | 2 +-
 build/starboard-operator/Dockerfile.fips.ubi9 | 2 +-
 build/starboard-operator/Dockerfile.ubi8 | 2 +-
 build/starboard-operator/Dockerfile.ubi9 | 2 +-
 6 files changed, 95 insertions(+), 4 deletions(-)
 create mode 100644 build/starboard-operator/Dockerfile.fips
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index ae1723773..d6640d6c2 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -45,6 +45,8 @@ builds:
 binary: starboard-operator-fips
 flags:
 - -tags=fipsonly
+ env:
+ - GOEXPERIMENT=boringcrypto
 goos:
 - linux
 goarch:
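Review bot: `GOEXPERIMENT=boringcrypto` on its own does not guarantee that the BoringCrypto module ends up in the binary: the Go toolchain links it only on linux/amd64 and linux/arm64 with cgo enabled, and on any other target the build still succeeds with the standard Go crypto implementations. The `goarch` values and any `CGO_ENABLED` setting are outside this hunk, but the later `dockers` and `docker_manifests` hunks publish `-fips-s390x` and `-fips-ppc64le` images, which would then carry a FIPS tag without the module. I would add `- CGO_ENABLED=1` next to the new entry unless it is already set globally, restrict the FIPS images to `amd64` and `arm64`, and leave a comment such as `# boringcrypto is linked only on linux/amd64 and linux/arm64 with cgo`. A release step that inspects the built binary for BoringCrypto symbols would catch a silent fallback.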
@@ -592,6 +594,78 @@ dockers:
 - "--platform=linux/ppc64le"
 extra_files:
 - LICENSE
+ - image_templates:
+ - "docker.io/aquasec/starboard-operator:{{ .Version }}-fips-amd64"
+ use: buildx
+ goos: linux
+ dockerfile: build/starboard-operator/Dockerfile.fips
+ goarch: amd64
+ ids:
+ - starboard-operator
+ build_flag_templates:
+ - "--label=org.opencontainers.image.title=starboard-operator"
+ - "--label=org.opencontainers.image.description=Keeps Starboard resources updated"
+ - "--label=org.opencontainers.image.vendor=Aqua Security"
+ - "--label=org.opencontainers.image.version={{ .Version }}"
+ - "--label=org.opencontainers.image.created={{ .Date }}"
+ - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/starboard"
+ - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+ - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/starboard/v{{ .Version }}/"
+ - "--platform=linux/amd64"
+ - image_templates:
+ - "docker.io/aquasec/starboard-operator:{{ .Version }}-fips-arm64"
+ use: buildx
+ goos: linux
+ dockerfile: build/starboard-operator/Dockerfile.fips
+ goarch: arm64
+ ids:
+ - starboard-operator
+ build_flag_templates:
+ - "--label=org.opencontainers.image.title=starboard-operator"
+ - "--label=org.opencontainers.image.description=Keeps Starboard resources updated"
+ - "--label=org.opencontainers.image.vendor=Aqua Security"
+ - "--label=org.opencontainers.image.version={{ .Version }}"
+ - "--label=org.opencontainers.image.created={{ .Date }}"
+ - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/starboard"
+ - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+ - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/starboard/v{{ .Version }}/"
+ - "--platform=linux/arm64"
+ - image_templates:
+ - "docker.io/aquasec/starboard-operator:{{ .Version }}-fips-s390x"
+ use: buildx
+ goos: linux
+ dockerfile: build/starboard-operator/Dockerfile.fips
+ goarch: s390x
+ ids:
+ - starboard-operator
+ build_flag_templates:
+ - "--label=org.opencontainers.image.title=starboard-operator"
+ - "--label=org.opencontainers.image.description=Keeps Starboard resources updated"
+ - "--label=org.opencontainers.image.vendor=Aqua Security"
+ - "--label=org.opencontainers.image.version={{ .Version }}"
+ - "--label=org.opencontainers.image.created={{ .Date }}"
+ - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/starboard"
+ - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+ - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/starboard/v{{ .Version }}/"
+ - "--platform=linux/s390x"
+ - image_templates:
+ - "docker.io/aquasec/starboard-operator:{{ .Version }}-fips-ppc64le"
+ use: buildx
+ goos: linux
+ dockerfile: build/starboard-operator/Dockerfile.fips
+ goarch: ppc64le
+ ids:
+ - starboard-operator
+ build_flag_templates:
+ - "--label=org.opencontainers.image.title=starboard-operator"
+ - "--label=org.opencontainers.image.description=Keeps Starboard resources updated"
+ - "--label=org.opencontainers.image.vendor=Aqua Security"
+ - "--label=org.opencontainers.image.version={{ .Version }}"
+ - "--label=org.opencontainers.image.created={{ .Date }}"
+ - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/starboard"
+ - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+ - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/starboard/v{{ .Version }}/"
+ - "--platform=linux/ppc64le"
 docker_manifests:
 - name_template: "aquasec/starboard:{{ .Version }}"
 image_templates:
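Review bot: All four new `dockers` entries select `ids: - starboard-operator`, while `Dockerfile.fips` copies a file named `starboard-operator-fips`, which is the `binary` of the build touched in the first hunk. That build's `id` is not visible in this patch; if it is anything other than `starboard-operator`, the docker build context will hold the non-FIPS artifact and the `COPY` in `Dockerfile.fips` will not find the FIPS binary. Each of the four entries should list the FIPS build's id under `ids:`, i.e. `- <id of the FIPS build>`, so that the image tagged `-fips-*` can only be assembled from the binary built with `-tags=fipsonly`.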
@@ -604,6 +678,12 @@ docker_manifests:
 - "aquasec/starboard-operator:{{ .Version }}-arm64"
 - "aquasec/starboard-operator:{{ .Version }}-s390x"
 - "aquasec/starboard-operator:{{ .Version }}-ppc64le"
+ - name_template: "aquasec/starboard-operator:{{ .Version }}-fips"
+ image_templates:
+ - "aquasec/starboard-operator:{{ .Version }}-fips-amd64"
+ - "aquasec/starboard-operator:{{ .Version }}-fips-arm64"
+ - "aquasec/starboard-operator:{{ .Version }}-fips-s390x"
+ - "aquasec/starboard-operator:{{ .Version }}-fips-ppc64le"
 - name_template: "aquasec/starboard-operator:{{ .Version }}-ubi8"
 image_templates:
 - "aquasec/starboard-operator:{{ .Version }}-ubi8-amd64"
diff --git a/build/starboard-operator/Dockerfile.fips b/build/starboard-operator/Dockerfile.fips
new file mode 100644
index 000000000..434a70104
--- /dev/null
+++ b/build/starboard-operator/Dockerfile.fips
@@ -0,0 +1,11 @@
+FROM alpine:3.17
+
+RUN apk update && apk upgrade
+
+RUN adduser -u 10000 -D -g '' starboard starboard
+
+COPY starboard-operator-fips /usr/local/bin/starboard-operator
+
+USER starboard
+
+ENTRYPOINT ["starboard-operator"]
diff --git a/build/starboard-operator/Dockerfile.fips.ubi8 b/build/starboard-operator/Dockerfile.fips.ubi8
index cda96d729..d68077304 100644
--- a/build/starboard-operator/Dockerfile.fips.ubi8
+++ b/build/starboard-operator/Dockerfile.fips.ubi8
@@ -5,7 +5,7 @@ LABEL name="Starboard" \
 version="v0.15.19" \
 summary="Starboard Operator."
-RUN microdnf install shadow-utils
+RUN microdnf install -y shadow-utils
 RUN useradd -u 10000 starboard
 WORKDIR /opt/bin/
 COPY starboard-operator-fips /usr/local/bin/starboard-operator
diff --git a/build/starboard-operator/Dockerfile.fips.ubi9 b/build/starboard-operator/Dockerfile.fips.ubi9
index 3bf4648bd..6f877de04 100644
--- a/build/starboard-operator/Dockerfile.fips.ubi9
+++ b/build/starboard-operator/Dockerfile.fips.ubi9
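Review bot: Nothing in `Dockerfile.fips` establishes that the copied binary can run on Alpine: a BoringCrypto build needs cgo, and a cgo binary linked on a glibc host is dynamically linked against glibc unless it is linked statically, which musl-based `alpine:3.17` cannot load. The link flags live in `.goreleaser.yaml` outside this diff, so this may already be handled; if it is not, the container fails at start. Separately, `RUN apk update && apk upgrade` leaves the package index in the layer and ties the image contents to the build date; `RUN apk upgrade --no-cache` drops the leftover index, and pinning the base as `FROM alpine:3.17@sha256:<digest>` keeps the FIPS image reproducible. A header comment such as `# FIPS variant: expects a statically linked starboard-operator-fips built with GOEXPERIMENT=boringcrypto` would document the contract.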
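Review bot: The install layer in `Dockerfile.fips.ubi8` still keeps the microdnf cache and repository metadata, because the changed line only adds `-y`; `RUN microdnf install -y shadow-utils && microdnf clean all` removes them in the same layer. The same line appears in the `Dockerfile.fips.ubi9`, `Dockerfile.ubi8` and `Dockerfile.ubi9` hunks. The rest of each Dockerfile, including its `FROM` line, is outside the hunks, so whether the base image is pinned cannot be checked from here.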
@@ -5,7 +5,7 @@ LABEL name="Starboard" \
 version="v0.15.19" \
 summary="Starboard Operator."
-RUN microdnf install shadow-utils
+RUN microdnf install -y shadow-utils
 RUN useradd -u 10000 starboard
 WORKDIR /opt/bin/
 COPY starboard-operator-fips /usr/local/bin/starboard-operator
diff --git a/build/starboard-operator/Dockerfile.ubi8 b/build/starboard-operator/Dockerfile.ubi8
index 0395c7a31..739d975f6 100644
--- a/build/starboard-operator/Dockerfile.ubi8
+++ b/build/starboard-operator/Dockerfile.ubi8
@@ -5,7 +5,7 @@ LABEL name="Starboard" \
 version="v0.15.19" \
 summary="Starboard Operator."
-RUN microdnf install shadow-utils
+RUN microdnf install -y shadow-utils
 RUN useradd -u 10000 starboard
 WORKDIR /opt/bin/
 COPY starboard-operator /usr/local/bin/starboard-operator
diff --git a/build/starboard-operator/Dockerfile.ubi9 b/build/starboard-operator/Dockerfile.ubi9
index 3395f8ed4..6c618dda3 100644
--- a/build/starboard-operator/Dockerfile.ubi9
+++ b/build/starboard-operator/Dockerfile.ubi9
@@ -5,7 +5,7 @@ LABEL name="Starboard" \
 version="v0.15.19" \
 summary="Starboard Operator."
-RUN microdnf install shadow-utils
+RUN microdnf install -y shadow-utils
 RUN useradd -u 10000 starboard
 WORKDIR /opt/bin/
 COPY starboard-operator /usr/local/bin/starboard-operator