Fips v1.5.1

.acquia/Dockerfile.ci

@@ -0,0 +1,43 @@
+FROM jfrog.ais.acquia.io/devops-pipeline/acq-aws:2 as fips-golang-builder
+
+# Update packages
+USER root
+RUN yum makecache \
+  && yum update -y \
+  && yum install -y tar gcc git curl \
+  && yum clean all \
+  && rm -rf /var/cache/yum
+
+ARG TARGETOS=linux
+ARG TARGETARCH=amd64
+
+# Install Go
+ARG GOLANG_VERSION=1.20
+RUN curl -LO "https://go.dev/dl/go${GOLANG_VERSION}.${TARGETOS}-${TARGETARCH}.tar.gz" && \
+  tar -C /usr/local -xzf "go${GOLANG_VERSION}.${TARGETOS}-${TARGETARCH}.tar.gz" && \
+  rm -f "go${GOLANG_VERSION}.${TARGETOS}-${TARGETARCH}.tar.gz" && \
+  ls -la /usr/local/go/bin && \
+  chmod +x /usr/local/go/bin/go
+
+# Set Golang environment variables
+ENV GOPATH="/go"
+ENV GOROOT="/usr/local/go"
+ENV GOBIN="${GOPATH}/bin"
+ENV GO111MODULE="on"
+ENV GOOS=${TARGETOS}
+ENV GOARCH=${TARGETARCH}
+ENV GOPRIVATE=github.com/acquia
+
+# FIPS
+ENV GOEXPERIMENT=boringcrypto
+ENV CGO_ENABLED=1
+
+# Add path to go binaries
+ENV PATH="${PATH}:${GOROOT}/bin:${GOBIN}"
+
+WORKDIR /argo-rollouts
+
+RUN git config --global --add safe.directory '*'
+
+# Perform the build
+COPY . .

.acquia/pipeline.yaml

@@ -0,0 +1,42 @@
+type: default
+team: KCS
+group: platform
+service: argo-rollouts
+
+# Validate the formatting of the pipeline.yaml file.
+validate_config: true
+
+environment_image:
+  file: ".acquia/Dockerfile.ci"
+  context: "."
+  build_args:
+    - secrets:
+      - type: vault
+        key: SSH_KEY
+        value: GIT_SSH_KEY
+        path: secret/pipeline-default/GIT_SSH_KEY
+
+pre_build:
+  code_analysis:
+    required: false
+  check_fips:
+    - steps:
+      - cd /argo-rollouts
+      - make check-fips
+
+build:
+  service_image:
+    - name: argo-rollouts/rollouts-controller
+      file: "Dockerfile-FIPS"
+      context: "."
+      build_args:
+        - secrets:
+          - type: vault
+            key: SSH_KEY
+            value: GIT_SSH_KEY
+            path: secret/pipeline-default/GIT_SSH_KEY
+
+security_scan:
+  scanner: orca
+  ignore_failures: true
+  reason: This service is only used for building base FIPS complaint image

.github/workflows/docker-publish.yml

@@ -9,66 +9,42 @@ on:
   # Run tests for any PRs.
   pull_request:
 
-permissions:
-  contents: read
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
 
 jobs:
-  docker:
+  set-vars:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
+    outputs:
+      controller-meta-tags: ${{ steps.controller-meta.outputs.tags }}
+      plugin-meta-tags: ${{ steps.plugin-meta.outputs.tags }}
+      platforms: ${{ steps.platform-matrix.outputs.platform-matrix }}
 
     steps:
-      - name: Checkout
-        uses: actions/[email protected]
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-        with:
-          config-inline: |
-            [worker.oci]
-            gc = false
-
       - name: Docker meta (controller)
         id: controller-meta
         uses: docker/metadata-action@v4
         with:
           images: |
             quay.io/argoproj/argo-rollouts
-          # ghcr.io/argoproj/argo-rollouts
           tags: |
-            type=ref,event=branch
-          flavor: |
-            latest=${{ github.ref == 'refs/heads/master' }}
+            type=ref,event=branch,enable=${{ github.ref != 'refs/heads/master'}}
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
 
       - name: Docker meta (plugin)
         id: plugin-meta
         uses: docker/metadata-action@v4
         with:
           images: |
             quay.io/argoproj/kubectl-argo-rollouts
-          # ghcr.io/argoproj/kubectl-argo-rollouts
           tags: |
-            type=ref,event=branch
-          flavor: |
-            latest=${{ github.ref == 'refs/heads/master' }}
-
-      # - name: Login to GitHub Container Registry
-      #   if: github.event_name != 'pull_request'
-      #   uses: docker/login-action@v2 
-      #   with:
-      #     registry: ghcr.io
-      #     username: ${{ github.repository_owner }}
-      #     password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Login to Quay.io
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v2
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_USERNAME }}
-          password: ${{ secrets.QUAY_ROBOT_TOKEN }}
+            type=ref,event=branch,enable=${{ github.ref != 'refs/heads/master'}}
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
 
       # avoid building linux/arm64 for PRs since it takes so long
       - name: Set Platform Matrix
@@ -79,73 +55,39 @@ jobs:
           then
             PLATFORM_MATRIX=$PLATFORM_MATRIX,linux/arm64
           fi
-          echo "::set-output name=platform-matrix::$PLATFORM_MATRIX"
-
-      - name: Build and push (controller-image)
-        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
-        with:
-          platforms: ${{ steps.platform-matrix.outputs.platform-matrix }}
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.controller-meta.outputs.tags }}
-          provenance: false
-          sbom: false
-
-      - name: Build and push (plugin-image)
-        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
-        with:
-          target: kubectl-argo-rollouts
-          platforms: ${{ steps.platform-matrix.outputs.platform-matrix }}
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.plugin-meta.outputs.tags }}
-          provenance: false
-          sbom: false
-
-      - name: Install cosign
-        uses: sigstore/cosign-installer@main
-        with:
-          cosign-release: 'v1.13.1'
-
-      - name: Install crane to get digest of image
-        uses: imjasonh/[email protected]
-
-      - name: Get digest of controller-image
-        run: |
-          if [[ "${{ github.ref == 'refs/heads/master' }}" ]]
-          then
-            echo "CONTROLLER_DIGEST=$(crane digest quay.io/argoproj/argo-rollouts:latest)" >> $GITHUB_ENV
-          fi
-          if [[ "${{ github.ref != 'refs/heads/master' }}" ]]
-          then
-            echo "CONTROLLER_DIGEST=$(crane digest ${{ steps.controller-meta.outputs.tags }})" >> $GITHUB_ENV
-          fi
-        if: github.event_name != 'pull_request'
-
-      - name: Get digest of plugin-image
-        run: |
-          if [[ "${{ github.ref == 'refs/heads/master' }}" ]]
-          then
-            echo "PLUGIN_DIGEST=$(crane digest quay.io/argoproj/kubectl-argo-rollouts:latest)" >> $GITHUB_ENV
-          fi
-          if [[ "${{ github.ref != 'refs/heads/master' }}" ]]
-          then
-            echo "PLUGIN_DIGEST=$(crane digest ${{ steps.plugin-meta.outputs.tags }})" >> $GITHUB_ENV
-          fi
-        if: github.event_name != 'pull_request'
-
-      - name: Sign Argo Rollouts Images
-        run: |
-          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argo-rollouts@${{ env.CONTROLLER_DIGEST }}
-          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/kubectl-argo-rollouts@${{ env.PLUGIN_DIGEST }}
-        env:
-          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
-          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
-        if: ${{ github.event_name == 'push' }}
-
-      - name: Display the public key to share.
-        run: |
-          # Displays the public key to share
-          cosign public-key --key env://COSIGN_PRIVATE_KEY
-        env:
-          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
-          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
-        if: ${{ github.event_name == 'push' }}
+          echo "platform-matrix=$PLATFORM_MATRIX" >> $GITHUB_OUTPUT
+
+  build-and-push-controller-image:
+    needs: [set-vars]
+    permissions:
+      contents: read
+      packages: write  # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
+      id-token: write # for creating OIDC tokens for signing.
+    uses: ./.github/workflows/image-reuse.yaml
+    with:
+      quay_image_name: ${{ needs.set-vars.outputs.controller-meta-tags }}
+      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
+      go-version: 1.19
+      platforms: ${{ needs.set-vars.outputs.platforms }}
+      push: ${{ github.event_name != 'pull_request' }}
+    secrets:
+      quay_username: ${{ secrets.QUAY_USERNAME }}
+      quay_password: ${{ secrets.QUAY_ROBOT_TOKEN }}
+
+  build-and-push-plugin-image:
+    needs: [set-vars]
+    permissions:
+      contents: read
+      packages: write  # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
+      id-token: write # for creating OIDC tokens for signing.
+    uses: ./.github/workflows/image-reuse.yaml
+    with:
+      quay_image_name: ${{ needs.set-vars.outputs.plugin-meta-tags }}
+      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
+      go-version: 1.19
+      platforms: ${{ needs.set-vars.outputs.platforms }}
+      push: ${{ github.event_name != 'pull_request' }}
+      target: kubectl-argo-rollouts
+    secrets:
+      quay_username: ${{ secrets.QUAY_USERNAME }}
+      quay_password: ${{ secrets.QUAY_ROBOT_TOKEN }}