From 764524d390cbc316369773a546dca8b674203b98 Mon Sep 17 00:00:00 2001 From: Amit Tiwari Date: Fri, 24 Jan 2025 18:51:04 +0530 Subject: [PATCH] retry build --- .github/workflows/ah-lint.yaml | 29 ---- .github/workflows/check-actions.yaml | 31 ---- .github/workflows/codegen.yaml | 30 ---- .github/workflows/codeql.yaml | 48 ------ .github/workflows/conformance-tests.yaml | 111 ------------- .github/workflows/ct-lint.yaml | 40 ----- .github/workflows/helm-install.yaml | 34 ---- .github/workflows/helm-release.yaml | 94 ----------- .github/workflows/lint.yaml | 32 ---- .github/workflows/migration-tests.yaml | 125 --------------- .github/workflows/publish-images.yaml | 75 --------- .github/workflows/release.yaml | 130 ++------------- .github/workflows/reuse.yaml | 191 +++++++++++++++++++++++ .github/workflows/tests.yaml | 51 ------ Dockerfile.fips | 42 +++++ Makefile | 36 +++++ fips.go | 20 +++ 17 files changed, 305 insertions(+), 814 deletions(-) delete mode 100644 .github/workflows/ah-lint.yaml delete mode 100644 .github/workflows/check-actions.yaml delete mode 100644 .github/workflows/codegen.yaml delete mode 100644 .github/workflows/codeql.yaml delete mode 100644 .github/workflows/conformance-tests.yaml delete mode 100644 .github/workflows/ct-lint.yaml delete mode 100644 .github/workflows/helm-install.yaml delete mode 100644 .github/workflows/helm-release.yaml delete mode 100644 .github/workflows/lint.yaml delete mode 100644 .github/workflows/migration-tests.yaml delete mode 100644 .github/workflows/publish-images.yaml create mode 100644 .github/workflows/reuse.yaml delete mode 100644 .github/workflows/tests.yaml create mode 100644 Dockerfile.fips create mode 100644 fips.go diff --git a/.github/workflows/ah-lint.yaml b/.github/workflows/ah-lint.yaml deleted file mode 100644 index b4401b25..00000000 --- a/.github/workflows/ah-lint.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: ArtifactHub Lint - -permissions: {} - -on: - pull_request: - branches: - - '*' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - required: - runs-on: ubuntu-latest - container: - image: artifacthub/ah - options: --user root - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Run ah lint - working-directory: ./charts/ - run: | - set -e - ah lint diff --git a/.github/workflows/check-actions.yaml b/.github/workflows/check-actions.yaml deleted file mode 100644 index cd4a19cd..00000000 --- a/.github/workflows/check-actions.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: Check actions - -permissions: {} - -on: - pull_request: - branches: - - main - push: - branches: - - main - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - required: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Ensure SHA pinned actions - uses: zgosalvez/github-actions-ensure-sha-pinned-actions@ba37328d4ea95eaf8b3bd6c6cef308f709a5f2ec # v3.0.3 - with: - # slsa-github-generator requires using a semver tag for reusable workflows. - # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators - allowlist: | - slsa-framework/slsa-github-generator diff --git a/.github/workflows/codegen.yaml b/.github/workflows/codegen.yaml deleted file mode 100644 index 162f19aa..00000000 --- a/.github/workflows/codegen.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: Verify codegen - -permissions: {} - -on: - pull_request: - branches: - - 'main' - - 'release*' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - required: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version-file: go.mod - cache-dependency-path: go.sum - - name: Verify codegen - run: | - set -e - make verify-codegen diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml deleted file mode 100644 index cfaff7d2..00000000 --- a/.github/workflows/codeql.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: CodeQL - -permissions: {} - -on: - pull_request: - branches: - - main - push: - branches: - - main - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - required: - runs-on: ubuntu-latest - permissions: - security-events: write - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - fetch-depth: 0 - - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 - with: - scan-type: fs - ignore-unfixed: false - format: sarif - output: trivy-results.sarif - severity: CRITICAL,HIGH,MEDIUM - scanners: vuln,secret - exit-code: '0' - vuln-type: os,library - env: - # Trivy is returning TOOMANYREQUESTS - # See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577 - TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2' - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4 - with: - sarif_file: trivy-results.sarif - category: code diff --git a/.github/workflows/conformance-tests.yaml b/.github/workflows/conformance-tests.yaml deleted file mode 100644 index 726bd9b0..00000000 --- a/.github/workflows/conformance-tests.yaml +++ /dev/null 
@@ -1,111 +0,0 @@ -name: E2E Tests - -permissions: {} - -on: - workflow_dispatch: {} - pull_request: - branches: - - "main" - - push: - branches: - - main - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - required: - strategy: - fail-fast: false - matrix: - k8s-version: - - name: v1.25 - version: v1.25.16 - - name: v1.26 - version: v1.26.13 - - name: v1.27 - version: v1.27.10 - - name: v1.28 - version: v1.28.6 - - name: v1.29 - version: v1.29.1 - - name: v1.30 - version: v1.30.0 - tests: - - ^reports$ - runs-on: ubuntu-latest - name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }} - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Checkout kyverno/kyverno - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - repository: kyverno/kyverno - path: kyverno - - name: Setup Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ~1.22.2 - - name: Install helm - id: helm - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - name: Install Tools - run: | - set -e - curl -LO "https://dl.k8s.io/release/${{ matrix.k8s-version.version }}/bin/linux/amd64/kubectl" - sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl - - name: Install kind - shell: bash - run: | - set -e - # For AMD64 / x86_64 - [ $(uname -m) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64 - # For ARM64 - [ $(uname -m) = aarch64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-arm64 - chmod +x ./kind - sudo mv ./kind /usr/local/bin/kind - - name: Create kind cluster - run: | - set -e - kind create cluster --image kindest/node:${{ matrix.k8s-version.version }} --config ./.github/kind.yml - - name: Install report server testing - run: | - set -e - export HELM=${{ 
steps.helm.outputs.helm-path }} - make kind-install - - name: Wait for report server ready - run: | - set -e - kubectl wait --namespace reports-server --for=condition=ready pod --selector '!job-name' --timeout=120s - - name: Install latest kyverno - run: | - set -e - set -e - export HELM=${{ steps.helm.outputs.helm-path }} - curl https://raw.githubusercontent.com/kyverno/kyverno/refs/heads/main/scripts/config/standard/kyverno.yaml > values.yaml - helm install kyverno -n kyverno --create-namespace ./kyverno/charts/kyverno --wait --values values.yaml - - name: Wait for kyverno ready - run: | - set -e - kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=120s - - name: API Service status - run: | - set -e - kubectl get apiservices v1alpha2.wgpolicyk8s.io v1.reports.kyverno.io - - name: Install Chainsaw - uses: kyverno/action-install-chainsaw@d311eacde764f806c9658574ff64c9c3b21f8397 # v0.2.11 - - name: Test with Chainsaw - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - set -e - cd ./kyverno/test/conformance/chainsaw/reports && chainsaw test --config ./../../../../../.chainsaw.yaml --exclude-test-regex '^chainsaw$/^admission$/^label' - - name: Debug failure - if: failure() - uses: ./.github/actions/failure-logs diff --git a/.github/workflows/ct-lint.yaml b/.github/workflows/ct-lint.yaml deleted file mode 100644 index 03f59ea5..00000000 --- a/.github/workflows/ct-lint.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: CT Lint - -permissions: {} - -on: - pull_request: - branches: - - '*' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - required: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - fetch-depth: 0 - - name: Set up Helm - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 - - name: Setup python - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 - with: - python-version: 3.8 - - name: Set up chart-testing - uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - - name: Add missing Helm repositories - run: | - set -e - helm repo add cloudnative-pg https://cloudnative-pg.github.io/charts - helm repo update - - name: Run chart-testing (lint) - run: | - set -e - ct lint --target-branch=main --check-version-increment=false diff --git a/.github/workflows/helm-install.yaml b/.github/workflows/helm-install.yaml deleted file mode 100644 index 43dbddd3..00000000 --- a/.github/workflows/helm-install.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: Helm install - -permissions: {} - -on: - pull_request: - branches: - - '*' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - required: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Set up Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version-file: go.mod - cache-dependency-path: go.sum - - name: Create cluster - run: | - set -e - make kind-create - - name: Install chart - run: | - set -e - make kind-install 
diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml
deleted file mode 100644
index 570273d3..00000000
--- a/.github/workflows/helm-release.yaml
+++ /dev/null
@@ -1,94 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: helm-release - -permissions: {} - -on: - push: - tags: - - 'reports-server-chart-*' - -jobs: - helm-tests: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - fetch-depth: 0 - - name: Set up Helm - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 - - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 - with: - python-version: 3.8 - - name: Set up chart-testing - uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - - name: Run chart-testing (lint) - run: | - set -e - ct lint --target-branch=main --check-version-increment=false - - linter-artifacthub: - runs-on: ubuntu-latest - container: - image: artifacthub/ah - options: --user root - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Run ah lint - working-directory: ./charts/ - run: ah lint - - create-release: - runs-on: ubuntu-latest - needs: helm-tests - permissions: - contents: write - packages: write - id-token: write - pages: write - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: Install Helm - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 - with: - version: v3.10.3 - - - name: Install Cosign - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 - - - name: Set version - run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV - - - name: Create charts tmp directory - run: | - mkdir charts-tmp - if [[ "$RELEASE_VERSION" = "reports-server-chart-"* ]]; then - cp -a charts/reports-server charts-tmp/reports-server - fi - - - name: Run chart-releaser - uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 #v1.7.0 - with: - token: "${{ 
secrets.GITHUB_TOKEN }}" - linting: off - charts_dir: charts-tmp - - - name: Login to GitHub Container Registry - run: | - helm registry login --username ${GITHUB_ACTOR} --password ${{ secrets.GITHUB_TOKEN }} ghcr.io - - - name: Publish OCI Charts - run: | - for dir in `find charts-tmp -maxdepth 1 -mindepth 1 -type d -print`; do - chart=${dir##*/} - echo "Found chart: ${chart}" - helm package charts-tmp/${chart} --destination .dist - helm push .dist/${chart}-*.tgz oci://ghcr.io/${{ github.repository_owner }}/charts |& tee .digest - cosign login --username ${GITHUB_ACTOR} --password ${{ secrets.GITHUB_TOKEN }} ghcr.io - cosign sign --yes ghcr.io/${{ github.repository_owner }}/charts/${chart}@$(cat .digest | awk -F "[, ]+" '/Digest/{print $NF}') - done diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml deleted file mode 100644 index f3dcea49..00000000 --- a/.github/workflows/lint.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: Lint - -permissions: {} - -on: - pull_request: - branches: - - main - push: - branches: - - main - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - required: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version-file: go.mod - cache-dependency-path: go.sum - - name: golangci-lint - uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0 - with: - skip-cache: true \ No newline at end of file diff --git a/.github/workflows/migration-tests.yaml b/.github/workflows/migration-tests.yaml deleted file mode 100644 index 665d791b..00000000 --- a/.github/workflows/migration-tests.yaml +++ /dev/null 
@@ -1,125 +0,0 @@ -name: Migration Tests - -permissions: {} - -on: - workflow_dispatch: {} - pull_request: - branches: - - "main" - - push: - branches: - - main - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - required: - strategy: - fail-fast: false - matrix: - k8s-version: - - name: v1.25 - version: v1.25.16 - - name: v1.26 - version: v1.26.13 - - name: v1.27 - version: v1.27.10 - - name: v1.28 - version: v1.28.6 - - name: v1.29 - version: v1.29.1 - - name: v1.30 - version: v1.30.0 - tests: - - ^reports$ - runs-on: ubuntu-latest - name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }} - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Checkout kyverno/kyverno - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - repository: kyverno/kyverno - path: kyverno - - name: Setup Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ~1.22.2 - - name: Install helm - id: helm - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - name: Install Tools - run: | - set -e - curl -LO "https://dl.k8s.io/release/${{ matrix.k8s-version.version }}/bin/linux/amd64/kubectl" - sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl - - name: Install kind - shell: bash - run: | - set -e - # For AMD64 / x86_64 - [ $(uname -m) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64 - # For ARM64 - [ $(uname -m) = aarch64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-arm64 - chmod +x ./kind - sudo mv ./kind /usr/local/bin/kind - - name: Create kind cluster - run: | - set -e - kind create cluster --image kindest/node:${{ matrix.k8s-version.version }} --config ./.github/kind.yml - - name: Install kyverno - run: | - set -e - export HELM=${{ steps.helm.outputs.helm-path }} - 
curl https://raw.githubusercontent.com/kyverno/kyverno/refs/heads/main/scripts/config/standard/kyverno.yaml > values.yaml - helm install kyverno -n kyverno --create-namespace ./kyverno/charts/kyverno --wait --values values.yaml - - name: Wait for kyverno ready - run: | - set -e - kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=120s - # - name: Install PSS policies - # run: | - # set -e - # export HELM=${{ steps.helm.outputs.helm-path }} - # make install-pss-policies - - name: API Service status before migation - run: | - set -e - kubectl get apiservices v1alpha2.wgpolicyk8s.io v1.reports.kyverno.io - - name: Install report server - run: | - set -e - kubectl create ns reports-server - export HELM=${{ steps.helm.outputs.helm-path }} - make kind-install - - name: Wait for report server ready - run: | - set -e - kubectl wait --namespace reports-server --for=condition=ready pod --selector '!job-name' --timeout=120s - kubectl wait --for condition="available" apiservices v1alpha2.wgpolicyk8s.io v1.reports.kyverno.io --timeout=120s - - name: Wait for kyverno to pick up the change - run: | - set -e - sleep 600 - - name: API Service status post migration - run: | - set -e - kubectl get apiservices v1alpha2.wgpolicyk8s.io v1.reports.kyverno.io - - name: Install Chainsaw - uses: kyverno/action-install-chainsaw@d311eacde764f806c9658574ff64c9c3b21f8397 # v0.2.11 - - name: Test with Chainsaw - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - set -e - cd ./kyverno/test/conformance/chainsaw/reports && chainsaw test --config ./../../../../../.chainsaw.yaml --exclude-test-regex '^chainsaw$/^admission$/^label' - - name: Debug failure - if: failure() - uses: ./.github/actions/failure-logs diff --git a/.github/workflows/publish-images.yaml b/.github/workflows/publish-images.yaml deleted file mode 100644 index db3100a5..00000000 --- a/.github/workflows/publish-images.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: Publish images - -permissions: {} - -on: - push: - branches: - - 'main' - - 'release*' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - publish-images: - runs-on: ubuntu-latest - permissions: - packages: write - id-token: write - outputs: - reports-server-digest: ${{ steps.publish-reports-server.outputs.digest }} - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Setup caches - uses: ./.github/actions/setup-caches - timeout-minutes: 5 - continue-on-error: true - with: - build-cache-key: publish-images - - name: Setup build env - uses: ./.github/actions/setup-build-env - timeout-minutes: 30 - - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1 - with: - scan-type: 'fs' - ignore-unfixed: true - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' - - name: Install Cosign - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 - - name: Publish reports server - id: publish-reports-server - uses: ./.github/actions/publish-image - with: - makefile-target: ko-publish-reports-server - registry: ghcr.io - registry-username: ${{ github.actor }} - registry-password: ${{ secrets.GITHUB_TOKEN }} - repository: reports-server - version: ${{ github.ref_name }} - sign-image: true - sbom-name: reports-server - sbom-repository: ghcr.io/${{ github.repository_owner }}/reports-server/sbom - signature-repository: ghcr.io/${{ github.repository_owner }}/reports-server/signatures - main-path: . - generate-reports-server-provenance: - needs: publish-images - permissions: - id-token: write # To sign the provenance. - packages: write # To upload assets to release. - actions: read # To read the workflow path. 
- # NOTE: The container generator workflow is not officially released as GA. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 - with: - image: ghcr.io/${{ github.repository_owner }}/reports-server - digest: "${{ needs.publish-images.outputs.reports-server-digest }}" - registry-username: ${{ github.actor }} - secrets: - registry-password: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index f04868ed..156b2185 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -1,123 +1,25 @@ # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - name: Release - permissions: {} - on: push: tags: - - 'v*' - + - 'v*' + branches: + - fips-support jobs: - goreleaser: + release-reports-server: permissions: - contents: write - id-token: write + contents: read packages: write - pull-requests: write - outputs: - hashes: ${{ steps.hash.outputs.hashes }} - image: ${{ steps.digest.outputs.image }} - digest: ${{ steps.digest.outputs.digest }} - runs-on: ubuntu-latest - steps: - - name: Free disk space - uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1 - with: - tool-cache: true - android: true - dotnet: true - haskell: true - large-packages: false - docker-images: true - swap-storage: false - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - fetch-depth: 0 - - name: Fetch all tags - run: | - set -e - git fetch --force --tags - - name: Set up Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version-file: go.mod - cache-dependency-path: go.sum - - name: Install Cosign - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 - - name: Install Syft - uses: anchore/sbom-action/download-syft@b6a39da80722a2cb0ef5d197531764a89b5d48c3 # v0.15.8 - - name: Install Ko - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 - - name: Run GoReleaser - id: goreleaser - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 - with: - distribution: goreleaser - version: latest - args: release --clean --timeout 90m - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Upload artifacts.json - uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # 2.9.0 - with: - repo_token: ${{ secrets.GITHUB_TOKEN }} - file: dist/artifacts.json - asset_name: artifacts.json - tag: ${{ github.ref }} - - name: Upload 
metadata.json - uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # 2.9.0 - with: - repo_token: ${{ secrets.GITHUB_TOKEN }} - file: dist/metadata.json - asset_name: metadata.json - tag: ${{ github.ref }} - - name: Generate subject - id: hash - env: - ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}" - run: | - set -euo pipefail - checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') - hashes=$(cat $checksum_file | base64 -w0) - echo "hashes=$hashes" >> $GITHUB_OUTPUT - - name: Image digest - id: digest - env: - ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}" - run: | - set -euo pipefail - image_and_digest=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Docker Manifest") | .path') - image=$(echo "${image_and_digest}" | cut -d'@' -f1 | cut -d':' -f1) - digest=$(echo "${image_and_digest}" | cut -d'@' -f2) - echo "image=$image" >> "$GITHUB_OUTPUT" - echo "digest=$digest" >> "$GITHUB_OUTPUT" - - # provenance: - # needs: - # - goreleaser - # permissions: - # actions: read - # id-token: write - # contents: write - # uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 - # with: - # base64-subjects: "${{ needs.goreleaser.outputs.hashes }}" - # upload-assets: true - - # image-provenance: - # needs: - # - goreleaser - # permissions: - # actions: read - # id-token: write - # packages: write - # uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0 - # with: - # image: ${{ needs.goreleaser.outputs.image }} - # digest: ${{ needs.goreleaser.outputs.digest }} - # registry-username: ${{ github.actor }} - # secrets: - # registry-password: ${{ secrets.GITHUB_TOKEN }} + id-token: write + uses: ./.github/workflows/reuse.yaml + with: + publish_command: docker-publish-reports-server-fips + digest_command: docker-get-reports-server-digest + image_name: reports-server-fips + tag: release + main: ./ + secrets: + 
registry_username: ${{ github.actor }} + registry_password: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/reuse.yaml b/.github/workflows/reuse.yaml new file mode 100644 index 00000000..951e090f --- /dev/null +++ b/.github/workflows/reuse.yaml 
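Review bot: The `push` trigger now also fires on `branches: - fips-support`, so every commit to that branch runs the publish-and-sign path with `tag: release`; in the called workflow the `Set Version` step derives `KYVERNO_VERSION` from the newest tag found by `git rev-list --tags`, not from the commit being built, so a branch push would be published and signed under a version it does not correspond to. This reads as a temporary hook for the "retry build" iteration and should be removed before the change lands, leaving `tags: - 'v*'` as the only release trigger. The removed `goreleaser` job also produced the GoReleaser checksums and the `artifacts.json`/`metadata.json` release assets; the new path does not appear to publish equivalents, which is worth stating in the commit description if intentional.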
@@ -0,0 +1,191 @@ +name: Create Publish and Sign Docker Image for FIPS Compliance +on: + workflow_call: + inputs: + publish_command: + required: true + type: string + digest_command: + required: true + type: string + image_name: + required: true + type: string + tag: + required: true + type: string + main: + type: string + secrets: + registry_username: + required: true + registry_password: + required: true +jobs: + build: + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write + steps: + - name: Checkout release + if: ${{ inputs.tag == 'release'}} + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + with: + fetch-depth: 0 + + - name: Checkout image + if: ${{ inputs.tag == 'image'}} + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + + - name: Unshallow + if: ${{ inputs.tag == 'image'}} + run: git fetch --prune --unshallow --tags + + - name: Set up Go + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version: ~1.23.1 + + - name: Install Cosign + uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 + + - name: Cache Go modules + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 + with: + path: ~/go/pkg/mod + key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-go- + - name: Log into ghcr.io + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Set up QEMU + uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # v1.2.0 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 #v3.7.1 + id: buildx + with: + install: true + + - name: Run Trivy vulnerability scanner in repo mode + if: ${{inputs.tag == 'release'}} + uses: 
aquasecurity/trivy-action@40c4ca9e7421287d0c5576712fdff370978f9c3c + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + + - name: Set Version + if: ${{ inputs.tag == 'release'}} + run: | + echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*" --tags $(git rev-list --tags --max-count=1))" >> $GITHUB_ENV + - name: Generate SBOM JSON + if: ${{inputs.tag == 'release'}} + uses: CycloneDX/gh-gomod-generate-sbom@c18e41a4e3defe6dbf69b594e4d831a89db82ead # v1.0.0 + with: + version: v1 + args: app -licenses -json -output ${{inputs.image_name}}-${{ env.KYVERNO_VERSION }}-bom.cdx.json -main ${{inputs.main}} + + - name: Upload SBOM JSON + if: ${{inputs.tag == 'release'}} + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + with: + name: ${{inputs.image_name}}-bom-cdx + path: ${{inputs.image_name}}-v*-bom.cdx.json + + - name: Extract branch name + if: ${{inputs.tag == 'image'}} + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + + - name: Check branch + if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch != 'main'}} + id: check-branch + run: | + if [[ ${{ steps.extract_branch.outputs.branch }} =~ ^release-[0-9]+\.[0-9]$ ]]; then + echo ::set-output name=match::true + fi + - name: Debug Inputs + run: | + echo "Tag: ${{ inputs.tag }}" + echo "publish_command : ${{ inputs.publish_command}}" + echo "Digest Command: ${{ inputs.digest_command }}" + echo "Image Name: ${{ inputs.image_name }}" + echo "Repository: ${{ github.repository }}" + echo "Workflow: ${{ github.workflow }}" + echo "SHA: ${{ github.sha }}" + echo "secrets.GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}" + echo "github.actor: ${{ github.actor }}" + echo "Branch: ${{ steps.extract_branch.outputs.branch }}" + - name: Docker images publish + if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}} + run: make 
${{inputs.publish_command}} FIPS_ENABLED=1 + + - name: get image digest + if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}} + id: get-step-image + run: | + digest=$(make ${{inputs.digest_command}} FIPS_ENABLED=1) + echo "digest=${digest}" >> $GITHUB_ENV + - name: Docker release-images publish + if: ${{inputs.tag == 'release' || inputs.tag == 'image' }} + run: make ${{inputs.publish_command}} FIPS_ENABLED=1 + + - name: Clear Sigstore TUF Cache + run: | + rm -rf ~/.sigstore + - name: Get release-image digest + if: ${{ inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true') }} + id: get-step + run: | + digest=$(make ${{inputs.digest_command}} FIPS_ENABLED=1 2>/dev/null || true) + if [[ -z "$digest" ]]; then + echo "Error: Unable to generate digest. Ensure the repository exists and credentials are valid." >&2 + exit 1 + fi + echo "digest=$digest" >> $GITHUB_ENV + echo "Digest: $digest" + - name: Debug Digest + run: | + echo "Digest: ${{ env.digest }}" + if [[ -z "${{ env.digest }}" || "${{ env.digest }}" == "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" ]]; then + echo "Error: Digest is empty or invalid." 
>&2 + exit 1 + fi + - name: Sign image + if: ${{ inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main' }} + env: + COSIGN_EXPERIMENTAL: "true" + COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/${{ github.repository }}/signatures" + run: | + cosign sign --yes \ + -a "repo=${{ github.repository }}" \ + -a "workflow=${{ github.workflow }}" \ + -a "ref=${{ github.sha }}" \ + ghcr.io/${{ github.repository_owner }}/${{ inputs.image_name }}@sha256:${digest} + - name: Sign release-image + if: ${{ inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true') }} + env: + COSIGN_EXPERIMENTAL: "true" + COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/${{ github.repository }}/signatures" + digest: ${{ env.digest }} + run: | + echo "Signing with digest: $digest" + cosign sign --yes \ + -a "repo=${{ github.repository }}" \ + -a "workflow=${{ github.workflow }}" \ + -a "ref=${{ github.sha }}" \ + ghcr.io/${{ github.repository_owner }}/${{ inputs.image_name }}@sha256:$digest + - name: Attach SBOM + if: ${{inputs.tag == 'release'}} + env: + COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom" + run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx ghcr.io/${{ github.repository_owner }}/${{ github.repository }}/${{inputs.image_name}}@sha256:${{ env.digest }} diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml deleted file mode 100644 index 805f85eb..00000000 --- a/.github/workflows/tests.yaml +++ /dev/null 
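Review bot: The `Debug Inputs` step prints `secrets.GITHUB_TOKEN` to the job log; GitHub's log masking is best-effort and a credential should never be handed to `echo` at all, so drop the line `echo "secrets.GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}"`. The `registry_username`/`registry_password` secrets declared as required under `workflow_call` are never consumed — the `Log into ghcr.io` step uses `github.actor` and `secrets.GITHUB_TOKEN` directly — so either wire them into `docker/login-action` or remove the declarations. The `Attach SBOM` step and both `COSIGN_REPOSITORY` values build the image path as `ghcr.io/${{ github.repository_owner }}/${{ github.repository }}/...`, which expands to `ghcr.io/OWNER/OWNER/REPO/...`, while the two sign steps target `ghcr.io/${{ github.repository_owner }}/${{ inputs.image_name }}`; one of these two forms looks wrong and the signature and SBOM would then be attached to a different reference than the image that was pushed. The `Extract branch name` and `Check branch` steps still use the deprecated `::set-output` command, which should be replaced by writes to `$GITHUB_OUTPUT`.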
@@ -1,51 +0,0 @@
-# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
-
-name: Tests
-
-permissions: {}
-
-on:
- pull_request:
- branches:
- - main
- push:
- branches:
- - main
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: true
-
-jobs:
- unit-tests:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
- with:
- go-version-file: go.mod
- cache-dependency-path: go.sum
- # - name: Create test cluster
- # run: |
- # set -e
- # make kind-cluster
- - name: Run tests
- run: |
- set -e
- make tests
- - name: Upload Report to Codecov
- uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
- with:
- files: ./coverage.out
- fail_ci_if_error: true
- verbose: true
- env:
- CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-
- required:
- needs:
- - unit-tests
- runs-on: ubuntu-latest
- steps:
- - run: echo "Required jobs success!"
\ No newline at end of file
diff --git a/Dockerfile.fips b/Dockerfile.fips
new file mode 100644
index 00000000..1fb49a61
--- /dev/null
+++ b/Dockerfile.fips
@@ -0,0 +1,42 @@
+FROM mcr.microsoft.com/oss/go/microsoft/golang:1.23.5-fips-cbl-mariner2.0 AS builder
+
+ENV GOPATH=/go \
+ PATH=/usr/local/go/bin:/go/bin:/usr/local/bin:/usr/bin:$PATH \
+ CGO_ENABLED=1 \
+ FIPS_ENABLED=1
+
+RUN mkdir -p /go && \
+ tdnf install -y \
+ ca-certificates \
+ build-essential \
+ shadow-utils && \
+ tdnf clean all
+
+WORKDIR /app
+COPY . .
+
+ARG LD_FLAGS
+
+ARG TARGETARCH
+RUN GOOS=linux GOARCH=$TARGETARCH \
+ BUILD_TAGS=fips GOEXPERIMENT=systemcrypto \
+ CGO_ENABLED=1 FIPS_ENABLED=1 \
+ go build -ldflags="-s -w" -o /app/reports-server ./
+
+RUN groupadd --system appgroup && \
+ useradd --system --uid 1001 --gid appgroup --home-dir /nonexistent --shell /usr/sbin/nologin appuser && \
+ chown appuser:appgroup /app/reports-server
+
+FROM mcr.microsoft.com/cbl-mariner/distroless/base:2.0-nonroot
+
+COPY --from=builder /etc/passwd /etc/passwd
+
+COPY --from=builder /etc/group /etc/group
+
+COPY --from=builder /app/reports-server /reports-server
+
+COPY --from=builder /etc/ssl/certs /etc/ssl/certs
+
+USER 1001
+
+ENTRYPOINT ["/reports-server"]
diff --git a/Makefile b/Makefile
index 31ff2ca2..8f7a9b3b 100644
--- a/Makefile
+++ b/Makefile
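Review bot: The `fips` build tag is never actually applied in the `RUN ... go build` step: `BUILD_TAGS=fips` is only an environment variable that `go build` does not read, so `fips.go` (guarded by `//go:build fips`) and its `crypto/tls/fipsonly` import are left out of the image, and the declared `ARG LD_FLAGS` is likewise never used, so whatever ldflags the Makefile passes via `--build-arg` are dropped. Change the build line to `go build -tags fips -ldflags="-s -w $LD_FLAGS" -o /app/reports-server ./`. With `GOEXPERIMENT=systemcrypto` and `CGO_ENABLED=1` the binary is presumably expected to use the system OpenSSL at runtime, yet the distroless stage copies only the binary, passwd/group and CA certs; confirm the FIPS provider library is present in the final image (or that a missing provider fails closed, e.g. via `GOFIPS=1`) rather than silently falling back to non-FIPS crypto. Pinning both base images by digest instead of tag would also make the FIPS build reproducible.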
@@ -289,3 +289,39 @@ ko-login: $(KO)
 ko-publish-reports-server: ko-login ## Build and publish reports-server image (with ko)
 @LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_REPORTS_SERVER) \
 $(KO) build . --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS)
+
+
+##################################
+# FIPS VARIABLES
+##################################
+FIPS_ENABLED := 0 # Default to FIPS disabled
+
+ifeq ($(FIPS_ENABLED), 1)
+# IMAGE_TAG := $(shell git describe --tags --abbrev=0 2>/dev/null || echo "latest")
+IMAGE_TAG := $(shell git describe --tags --abbrev=0)
+IMAGE_TAG := "amit-fips"
+endif
+
+##################################
+# KYVERNO FIPS CONTAINER
+##################################
+.PHONY: docker-build-and-push-reports-server-fips
+docker-buildx-builder:
+ if ! docker buildx ls | grep -q reports-server-fips; then \
+ docker buildx create --name reports-server-fips --use; \
+ else \
+ docker buildx use reports-server-fips; \
+ fi
+
+docker-publish-reports-server-fips: docker-buildx-builder docker-build-and-push-reports-server-fips
+docker-build-and-push-reports-server-fips: docker-buildx-builder
+ @docker buildx build --file $(PWD)/Dockerfile.fips \
+ --progress plain \
+ --platform linux/amd64,linux/arm64 \
+ --tag $(REPO_REPORTS_SERVER_FIPS)$(IMAGE_TAG) \
+ . \
+ --build-arg LD_FLAGS=$(LD_FLAGS) \
+ --push
+
+docker-get-reports-server-digest:
+ @docker buildx imagetools inspect --raw $(REPO_REPORTS_SERVER_FIPS):$(IMAGE_TAG) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
diff --git a/fips.go b/fips.go
new file mode 100644
index 00000000..e52db27e
--- /dev/null
+++ b/fips.go
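Review bot: The image reference that is pushed and the one inspected for the digest differ: `--tag $(REPO_REPORTS_SERVER_FIPS)$(IMAGE_TAG)` has no `:` between repository and tag, while `docker-get-reports-server-digest` reads `$(REPO_REPORTS_SERVER_FIPS):$(IMAGE_TAG)`, so unless the repo variable already ends in a separator the push and the digest lookup (and therefore the cosign signature the workflow attaches to that digest) point at different images. Change the build line to `--tag $(REPO_REPORTS_SERVER_FIPS):$(IMAGE_TAG) \`. The `IMAGE_TAG := "amit-fips"` line immediately overrides the `git describe` result with a personal tag whose literal double quotes become part of the reference; it reads as leftover debugging and should be removed before merge. `.PHONY` also lists only one of the four new targets; add `docker-buildx-builder`, `docker-publish-reports-server-fips` and `docker-get-reports-server-digest` so a stray file of that name cannot short-circuit the build.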
@@ -0,0 +1,20 @@
+//go:build fips
+// +build fips
+
+package main
+
+/*
+This file will only be compiled when BUILD_TAGS=fips.
+
+Package fipsonly enforces FIPS settings via init() function which
+ 1. Forces the application to use FIPS-compliant TLS configurations.
+ 2. Restricts cryptographic operations to those allowed under FIPS standards.
+
+This package is available when Go is compiled with GOEXPERIMENT=systemcrypto for Go version 1.21 and above.
+
+Refer Link: https://go.dev/src/crypto/tls/fipsonly/fipsonly.go
+*/
+
+import (
+ _ "crypto/tls/fipsonly"
+) //nolint:golint,unused
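Review bot: The header comment says this file is compiled "when BUILD_TAGS=fips", but the Go toolchain only honours the `-tags fips` command-line flag (a `BUILD_TAGS` environment variable does nothing on its own), so it should read `This file is only compiled when building with: go build -tags fips` — otherwise a reader of Dockerfile.fips, which exports BUILD_TAGS=fips but never passes `-tags`, will assume the fipsonly import is active when it is not. Point 2 of the comment also overstates what the import does: per the package it links to, `crypto/tls/fipsonly` restricts TLS configuration (protocol versions, cipher suites, curves) to FIPS-approved settings and does not constrain other uses of the crypto packages, so reword it to `2. Limits TLS to FIPS-approved versions, cipher suites and curves; other crypto usage is unaffected.` Since the comment itself ties the package to GOEXPERIMENT=systemcrypto, a compile failure on a stock toolchain is presumably the intended fail-closed behaviour and deserves one sentence saying so. The `// +build fips` line is redundant with `//go:build` on Go 1.17+ and can be dropped.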