Build a GOLANG-FIPS telegraf binary

The build is done inside a docker container using Redhat’s continer image for golang-fips. The same commands (`build.sh <arch> build`) as before should yield a telegraf binary for the different architectures (arm64, mips, amd64 etc.). The legacy behavior of building the code using the host’s go is now available as `build.sh <arch> host`. Depending on the golang toolchain this might/might not yield a binary that uses OpenSSL for crypto. The telegraf binary will run in FIPS mode if: - The kernel is in FIPS mode (i.e. /proc/sys/crypto/fips_enabled) - The environment varilable GOLANGS_FIPS=1 is set
extremenetworks · Dec 30, 2024 · 6839847 · 6839847
1 parent 723569d
commit 6839847
Show file tree

Hide file tree

Showing 3 changed files with 84 additions and 21 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,36 @@
+FROM registry.access.redhat.com/ubi8/go-toolset:latest as golang
+    WORKDIR /root/go/src/github.com/extremenetworks/telegraf
+
+    COPY .git               .git
+    COPY agent              agent
+    COPY cmd                cmd
+    COPY config             config
+    COPY filter             filter
+    COPY internal           internal
+    COPY logger             logger
+    COPY metric             metric
+    COPY models             models
+    COPY plugins            plugins
+    COPY selfstat           selfstat
+    COPY *.go go.*          ./
+    COPY build_version.txt  ./
+    COPY Makefile           ./
+
+
+FROM golang as builder
+    ARG OPTS
+
+    RUN \
+        git config --global user.email "[email protected]" && git config --global user.name "Dev Extreme" \
+        && \
+        git config --global --add safe.directory /root/go/src/github.com/extremenetworks/telegraf \
+        && \
+        make ${OPTS} all go-install
+
+
+FROM scratch as extract
+    COPY --from=builder /opt/app-root/src/go/bin/telegraf /telegraf
+
+
+FROM registry.access.redhat.com/ubi8/ubi-micro:latest as final
+    COPY --from=extract /telegraf /usr/bin/telegraf
diff --git a/build.sh b/build.sh
@@ -17,26 +17,49 @@ arm_type=5
 
 usage()
 {
-    echo "usage: $0 arch {build | upload}"
+    echo "usage: $0 arch {host | docker | upload}"
     echo " . arch  : valid architectures: arm, arm64, x86_64, mips"
-    echo " . build : build and tar utility for specified architecture"
+    echo " . host  : build on the host and tar utility for specified architecture"
+    echo " . build : build using docker and tar utility for specified architecture"
     echo " . upload: upload specified architecture's tar to Artifactory"
 }
 
-build()
+__build()
 {
+    local opts="GOOS=linux GOARCH=${bld_arch} GOARM=${arm_type} GOPROXY=https://proxy.golang.org,direct GOSUMDB=sum.golang.org"
+
     make clean
     rm -f ${target}
-    make CGO_ENABLED=0 GOOS=linux GOARCH=${bld_arch} GOARM=${arm_type} GOPROXY=https://proxy.golang.org,direct GOSUMDB=sum.golang.org
+
+    if [ ${use_docker} -eq 1 ]; then
+        docker buildx build --build-arg OPTS="CGO_ENABLED=1 ${opts}" -f Dockerfile --target extract --tag "telegraf/extract:latest" .
+        docker image save "telegraf/extract:latest" | tar -xOf - --wildcards "*layer.tar" | tar -xf - telegraf
+        docker image rm "telegraf/extract:latest"
+    else
+        make CGO_ENABLED=0 ${opts}
+    fi
+
     tar -cf ${target} telegraf MIT generic_MIT
     rm -f telegraf
 }
 
-upload()
+build_in_docker()
+{
+    use_docker=1
+    __build
+}
+
+build_on_host()
+{
+    use_docker=0
+    __build
+}
+
+jfrog_upload()
 {
     if [ ! -f ${target} ]; then
         echo "info: ${target} not found; building first..."
-        build
+        build_in_docker
         if [ ! -f ${target} ]; then
             echo "error: could not find or build '${target}' tarball"
             exit 1
@@ -81,21 +104,25 @@ else
 fi
 target=telegraf_${arch}_${telegraf_version}.${extr_version}.tar
 
-# check action argument
-case $2 in
-    build | upload)
-        action=$2
-        ;;
-    *)
-        echo "error: invalid action '$2'"
-        usage
-        exit 1
-esac
-
-# perform action
-case $1 in
+# check arch
+case $arch in
     arm64 | mips | x86_64 | arm)
-        $action
+        # check and perform action argument
+        case $2 in
+            host)
+                build_on_host
+                ;;
+            build)
+                build_in_docker
+                ;;
+            upload)
+                jfrog_upload
+                ;;
+            *)
+                echo "error: invalid action '$2'"
+                usage
+                exit 1
+        esac
         ;;
     *)
         echo "error: invalid architecture '$1'"

diff --git a/extr_version.txt b/extr_version.txt
@@ -1 +1 @@
-12
+13