update docker images & minor fixes in Makefile

.github/workflows/ci.yml

@@ -54,7 +54,8 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        mode: [synchronizer, proxy]
+        app: [synchronizer, proxy]
+        fips-mode: [enabled, disabled]
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
@@ -63,25 +64,27 @@ jobs:
         uses: docker/build-push-action@v4
         with:
           context: .
-          file: docker/Dockerfile.${{ matrix.mode }}
+          file: docker/Dockerfile.${{ matrix.app }}
           push: false
-          tags: splitio-docker.jfrog.io/split-${{ matrix.mode }}:latest
+          tags: splitio-docker.jfrog.io/split-${{ matrix.app }}:latest
+          build-args: |
+            FIPS_MODE=${{ fips-mode }}
 
       - name: Scan container using Lacework
         uses: lacework/[email protected]
         with:
           LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
           LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN }}
-          IMAGE_NAME: splitio-docker.jfrog.io/split-${{ matrix.mode }}
+          IMAGE_NAME: splitio-docker.jfrog.io/split-${{ matrix.app }}
           IMAGE_TAG: latest
           SAVE_RESULTS_IN_LACEWORK: true
           SAVE_BUILD_REPORT: true
-          BUILD_REPORT_FILE_NAME: split-${{ matrix.mode }}.html
+          BUILD_REPORT_FILE_NAME: split-${{ matrix.app }}.html
 
       - name: Save vulnerability report
         if: always()
         uses: actions/upload-artifact@v3
         with:
           name: vulnerability_report
-          path: split-${{ matrix.mode }}.html
+          path: split-${{ matrix.app }}.html
           retention-days: 7

.gitignore

@@ -1,7 +1,8 @@
 #Project files
-split-synchronizer
 split-sync
 split-proxy
+split-sync-fips
+split-proxy-fips
 proxy-opts.md
 sync-opts.md
 

CHANGES.txt

@@ -1,3 +1,6 @@
+5.6.0 (TD)
+ - Add support for FIPS-compliant binaries & docker images
+
 5.5.0 (Dec 12, 2023)
  - Added support for Flag Sets on Split Proxy and Synchronizer, which enables SDKs to interacting with the flag sets features (more details in our documentation):
     - Updated Proxy endpoints used by SDKs to fetch flags have been updated to handle any SDKs downloading flags in certain flag sets.

Makefile

@@ -17,8 +17,8 @@ PLATFORM ?=
 EXTRA_BUILD_ARGS ?=
 
 # don't depend on commit version, to avoid rebuilding unnecessarily
-sources			:= $(shell find . -name *.go -not -name "commitversion.go")
-version			:= $(shell cat splitio/version.go | grep 'const Version' | sed 's/const Version = //' | tr -d '"')
+sources				:= $(shell find . -name *.go -not -name "commitversion.go")
+version				:= $(shell cat splitio/version.go | grep 'const Version' | sed 's/const Version = //' | tr -d '"')
 commit_version		:= $(shell git rev-parse --short HEAD)
 installer_tpl		:= ./release/install_script_template
 installer_tpl_lines	:= $(shell echo $$(( $$(wc -l $(installer_tpl) | awk '{print $$1}') +1 )))
@@ -56,6 +56,14 @@ split-sync: $(sources) go.sum
 split-proxy: $(sources) go.sum
 	$(GO) build $(EXTRA_BUILD_ARGS) -o $@ cmd/proxy/main.go
 
+## Build the split-sync executable
+split-sync-fips: $(sources) go.sum
+	GOEXPERIMENT=boringcrypto $(GO) build $(EXTRA_BUILD_ARGS) -o $@ $(ENFORCE_FIPS) cmd/synchronizer/main.go
+
+## Build the split-proxy executable
+split-proxy-fips: $(sources) go.sum
+	GOEXPERIMENT=boringcrypto $(GO) build $(EXTRA_BUILD_ARGS) -o $@ $(ENFORCE_FIPS) cmd/proxy/main.go
+
 ## Run the unit tests
 test: $(sources) go.sum
 	$(GO) test ./... -count=1 -race $(ARGS)
@@ -97,13 +105,29 @@ entrypoints: entrypoint.synchronizer.sh entrypoint.proxy.sh
 
 ## Build release-ready docker images with proper tags and output push commands in stdout
 images_release: # entrypoints
-	$(DOCKER) build $(platform_str) -t splitsoftware/split-synchronizer:latest -t splitsoftware/split-synchronizer:$(version) -f docker/Dockerfile.synchronizer .
-	$(DOCKER) build $(platform_str) -t splitsoftware/split-proxy:latest -t splitsoftware/split-proxy:$(version) -f docker/Dockerfile.proxy .
+	$(DOCKER) build $(platform_str) \
+		-t splitsoftware/split-synchronizer:latest -t splitsoftware/split-synchronizer:$(version) \
+		-f docker/Dockerfile.synchronizer .
+	$(DOCKER) build $(platform_str) \
+		-t splitsoftware/split-proxy:latest -t splitsoftware/split-proxy:$(version) \
+		-f docker/Dockerfile.proxy .
+	$(DOCKER) build $(platform_str) \
+		-t splitsoftware/split-synchronizer-fips:latest -t splitsoftware/split-synchronizer-fips:$(version) \
+		--build-arg FIPS_MODE=1 \
+		-f docker/Dockerfile.synchronizer .
+	$(DOCKER) build $(platform_str) \
+		-t splitsoftware/split-proxy-fips:latest -t splitsoftware/split-proxy-fips:$(version) \
+		--build-arg FIPS_MODE=1 \
+		-f docker/Dockerfile.proxy .
 	@echo "Images created. Make sure everything works ok, and then run the following commands to push them."
 	@echo "$(DOCKER) push splitsoftware/split-synchronizer:$(version)"
 	@echo "$(DOCKER) push splitsoftware/split-synchronizer:latest"
 	@echo "$(DOCKER) push splitsoftware/split-proxy:$(version)"
 	@echo "$(DOCKER) push splitsoftware/split-proxy:latest"
+	@echo "$(DOCKER) push splitsoftware/split-synchronizer-fips:$(version)"
+	@echo "$(DOCKER) push splitsoftware/split-synchronizer-fips:latest"
+	@echo "$(DOCKER) push splitsoftware/split-proxy-fips:$(version)"
+	@echo "$(DOCKER) push splitsoftware/split-proxy-fips:latest"
 
 # --------------------------------------------------------------------------
 #
@@ -242,11 +266,11 @@ to_uppercase		= $(shell echo '$1' | tr a-z A-Z)
 remove_ext_path		= $(basename $(notdir $1))
 normalize_os		= $(if $(subst osx,,$1),$1,darwin)
 parse_os			= $(call normalize_os,$(word 3,$(subst _, ,$(call remove_ext_path,$1))))
-mkexec 				= $(if $(findstring windows,$1),$1.exe,$1)
-installed_from_zip 	= $(if $(findstring split_sync,$1),split-sync,split-proxy)
+mkexec				= $(if $(findstring windows,$1),$1.exe,$1)
+installed_from_zip	= $(if $(findstring split_sync,$1),split-sync,split-proxy)
 apptitle_from_zip	= $(if $(findstring split_sync,$1),Synchronizer,Proxy)
 cmdfolder_from_bin	= $(if $(findstring split_sync,$1),synchronizer,proxy)
-platform_str = $(if $(PLATFORM),--platform=$(PLATFORM),)
+platform_str		= $(if $(PLATFORM),--platform=$(PLATFORM),)
 
 # "constants"
 null  :=

docker/Dockerfile.proxy

@@ -2,6 +2,7 @@
 FROM golang:1.21.3-alpine3.18 AS builder
 
 ARG EXTRA_BUILD_ARGS
+ARG FIPS_MODE
 
 RUN apk add \
     bash \
@@ -13,7 +14,10 @@ WORKDIR /code
 
 COPY . .
 
-RUN make clean split-proxy entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"
+RUN if [[ "${FIPS_MODE}" = "enabled" ]]; \
+    then echo "building in standard mode"; make clean split-proxy entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; \
+    else echo "building in fips mode"; make clean split-proxy-fips entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; mv split-proxy-fips split-proxy; \
+    fi
 
 # Runner stage
 FROM alpine:3.18.4 AS runner

docker/Dockerfile.synchronizer

@@ -2,6 +2,7 @@
 FROM golang:1.21.3-alpine3.18 AS builder
 
 ARG EXTRA_BUILD_ARGS
+ARG FIPS_MODE
 
 RUN apk add \
     bash \
@@ -13,7 +14,10 @@ WORKDIR /code
 
 COPY . .
 
-RUN make clean split-sync entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"
+RUN if [[ "${FIPS_MODE}" = "enabled" ]]; \
+    then echo "building in standard mode"; make clean split-sync entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; \
+    else echo "building in fips mode"; make clean split-sync-fips entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; mv split-sync-fips split-sync; \
+    fi
 
 # Runner stage
 FROM alpine:3.18.4 AS runner

splitio/commitversion.go

@@ -5,4 +5,4 @@ This file is created automatically, please do not edit
 */
 
 // CommitVersion is the version of the last commit previous to release
-const CommitVersion = "779ab29"
+const CommitVersion = "fe6882b"