From ce1117d094ee8d8bf63b0e3669e4157d0421fa14 Mon Sep 17 00:00:00 2001
From: Joshua Casey
Date: Mon, 30 Jan 2023 11:10:58 -0600
Subject: [PATCH] WIP to jumpstart PR pipeline

---
 Dockerfile | 8 ++++++--
 hack/Dockerfile_fips | 20 +++++++++++++++-----
 site/content/docs/reference/fips.md | 9 ++++-----
 3 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 6faa3f2429..75b49918b4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
-# Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 FROM golang:1.19.5 as build-env
@@ -16,7 +16,11 @@ RUN \
 --mount=type=cache,target=/cache/gocache \
 --mount=type=cache,target=/cache/gomodcache \
 mkdir out && \
- export GOCACHE=/cache/gocache GOMODCACHE=/cache/gomodcache CGO_ENABLED=0 GOOS=linux GOARCH=amd64 && \
+ export GOCACHE=/cache/gocache && \
+ export GOMODCACHE=/cache/gomodcache && \
+ export CGO_ENABLED=0 && \
+ export GOOS=linux && \
+ export GOARCH=amd64 && \
 go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
 go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
 ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \
diff --git a/hack/Dockerfile_fips b/hack/Dockerfile_fips
index acf63042fc..9560377a5e 100644
--- a/hack/Dockerfile_fips
+++ b/hack/Dockerfile_fips
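Review bot: The five `export … && \` lines added to the build-env RUN step chain shell builtins that cannot fail when given a literal, so the `&&` after each one adds no error detection, and the settings stay scoped to that one RUN while being hard-coded to linux/amd64. Since these are build-stage configuration, declaring them once with Dockerfile instructions before the RUN reads cleaner and keeps both `go build` invocations on the same settings: `ENV CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GOCACHE=/cache/gocache GOMODCACHE=/cache/gomodcache`. If multi-arch images are wanted later, the same spot can take `ARG TARGETOS TARGETARCH` and `GOOS=$TARGETOS GOARCH=$TARGETARCH`, which BuildKit (selected by the `# syntax=docker/dockerfile:1` line) populates from `--platform`; that changes the default output on non-amd64 hosts, so it is a separate decision. The RUN instruction continues past the end of the hunk after the `ln -s` line.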
@@ -3,13 +3,13 @@
 # Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
-# this dockerfile is used to produce a binary of Pinniped that uses
-# only fips-allowable ciphers. Note that this is provided only as
-# an example. Pinniped has no official support for fips and using
+# This dockerfile is used to produce a binary of Pinniped that uses
+# only FIPS-allowable ciphers. Note that this is provided only as
+# an example. Pinniped has no official support for FIPS and using
 # a version built from this dockerfile may have unforseen consquences.
 # Please do not create issues in regards to problems encountered by
 # using this dockerfile. Using this dockerfile does not convey
-# any type of fips certification.
+# any type of FIPS certification.
 # Starting in 1.19, go-boringcrypto has been added to the main Go toolchain,
 # hidden behind a `GOEXPERIMENT=boringcrypto` env var.
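Review bot: The comment block this hunk recapitalizes still misspells two words on the context line right after the rewritten sentences: `# a version built from this dockerfile may have unforseen consquences.` should read `# a version built from this dockerfile may have unforeseen consequences.`. Since the hunk already touches the neighbouring lines of the same paragraph, it is the natural place to fix them rather than leaving the warning text half-corrected.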
@@ -47,9 +47,19 @@ ARG GOPROXY
 # https://github.com/golang/go/blob/9d6ab825f6fe125f7ce630e103b887e580403802/misc/boring/README.md?plain=1#L95
 # Thus trying to compile the pinniped CLI with boring crypto is meaningless
 # since we would not be able to ship windows and macOS binaries.
+
+# Pass in GOCACHE (build cache) and GOMODCACHE (module cache) so they
+# can be re-used between image builds.
 RUN \
+ --mount=type=cache,target=/cache/gocache \
+ --mount=type=cache,target=/cache/gomodcache \
 mkdir out && \
- export CGO_ENABLED=1 GOOS=linux GOARCH=amd64 GOEXPERIMENT=boringcrypto && \
+ export GOCACHE=/cache/gocache && \
+ export GOMODCACHE=/cache/gomodcache && \
+ export CGO_ENABLED=1 &&\
+ export GOOS=linux && \
+ export GOARCH=amd64 && \
+ export GOEXPERIMENT=boringcrypto && \
 go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
 go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
 ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \
diff --git a/site/content/docs/reference/fips.md b/site/content/docs/reference/fips.md
index 2e012c8120..b9eab7e89d 100644
--- a/site/content/docs/reference/fips.md
+++ b/site/content/docs/reference/fips.md
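Review bot: The rebuilt FIPS RUN step never verifies that the binaries it produces actually link BoringCrypto, so if `GOEXPERIMENT=boringcrypto` is not honoured (as far as I can tell the toolchain falls back to standard Go crypto silently on unsupported targets rather than failing) the build still succeeds and ships a binary that is indistinguishable by name from a FIPS one, which is exactly the failure this Dockerfile exists to prevent. The Go boringcrypto README linked in the context comment documents the check; adding it after each build, e.g. `go tool nm /usr/local/bin/pinniped-server | grep -q '_Cfunc__goboringcrypto_' && \`, turns that silent fallback into an image build failure. A smaller style point: the added `export CGO_ENABLED=1 &&\` is missing the space before the backslash that every sibling line has, so it should be `export CGO_ENABLED=1 && \`. The RUN instruction continues past the end of the hunk after the `ln -s` line.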
@@ -9,14 +9,13 @@ menu:
 weight: 30
 parent: reference
 ---
-By default, the Pinniped supervisor and concierge use ciphers that
-are not supported by FIPS 140-2. If you are deploying Pinniped in an
-environment with FIPS compliance requirements, you will have to build
-the binaries yourself using the `fips_strict` build tag and Golang's
-`go-boringcrypto` fork.
+By default, the Pinniped supervisor and concierge use ciphers that are not supported by FIPS 140-2.
+If you are deploying Pinniped in an environment with FIPS compliance requirements, you will have to build
+the binaries yourself using the `fips_strict` build tag and Golang's `go-boringcrypto` fork.
 The Pinniped team provides an [example Dockerfile](https://github.com/vmware-tanzu/pinniped/blob/main/hack/Dockerfile_fips)
 demonstrating how you can build Pinniped images in a FIPS compatible way.
+
 However, we do not provide official support for FIPS configuration, and we may not respond to GitHub issues
 opened related to FIPS support. We provide this for informational purposes only.