diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ccffde93..1291d35c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -54,7 +54,8 @@ jobs:
 runs-on: ubuntu-latest
 strategy:
 matrix:
- mode: [synchronizer, proxy]
+ app: [synchronizer, proxy]
+ fips-mode: [enabled, disabled]
 steps:
 - name: Checkout code
 uses: actions/checkout@v3
@@ -63,25 +64,27 @@ jobs:
 uses: docker/build-push-action@v4
 with:
 context: .
- file: docker/Dockerfile.${{ matrix.mode }}
+ file: docker/Dockerfile.${{ matrix.app }}
 push: false
- tags: splitio-docker.jfrog.io/split-${{ matrix.mode }}:latest
+ tags: splitio-docker.jfrog.io/split-${{ matrix.app }}:latest
+ build-args: |
+ FIPS_MODE=${{ fips-mode }}
 - name: Scan container using Lacework
 uses: lacework/lw-scanner-action@v1.3.2
 with:
 LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
 LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN }}
- IMAGE_NAME: splitio-docker.jfrog.io/split-${{ matrix.mode }}
+ IMAGE_NAME: splitio-docker.jfrog.io/split-${{ matrix.app }}
 IMAGE_TAG: latest
 SAVE_RESULTS_IN_LACEWORK: true
 SAVE_BUILD_REPORT: true
- BUILD_REPORT_FILE_NAME: split-${{ matrix.mode }}.html
+ BUILD_REPORT_FILE_NAME: split-${{ matrix.app }}.html
 - name: Save vulnerability report
 if: always()
 uses: actions/upload-artifact@v3
 with:
 name: vulnerability_report
- path: split-${{ matrix.mode }}.html
+ path: split-${{ matrix.app }}.html
 retention-days: 7
diff --git a/.gitignore b/.gitignore
index a70fc78e..7b269831 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,8 @@
 #Project files
-split-synchronizer
 split-sync
 split-proxy
+split-sync-fips
+split-proxy-fips
 proxy-opts.md
 sync-opts.md
diff --git a/CHANGES.txt b/CHANGES.txt
index f483093f..aeebdc33 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
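Review bot: `FIPS_MODE=${{ fips-mode }}` in the new `build-args` block references a bare `fips-mode` instead of the matrix value; GitHub's expression language has no such named context, so the workflow should be rejected at parse time, and if it ever evaluated to an empty string the Dockerfiles in this diff would take their `else` branch for it. Change it to `FIPS_MODE=${{ matrix.fips-mode }}`. Separately, both values of the new `fips-mode` axis produce the same image tag `split-${{ matrix.app }}:latest` and the same report file `split-${{ matrix.app }}.html` uploaded under the single artifact name `vulnerability_report`, so the Lacework report of one FIPS variant overwrites the other and one scan result is lost. Include the axis in both names, e.g. `BUILD_REPORT_FILE_NAME: split-${{ matrix.app }}-${{ matrix.fips-mode }}.html` and the matching `path:`, and tag the image with `:${{ matrix.fips-mode }}` so the scanner sees the right build. The job and step definitions begin before this hunk.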
@@ -1,3 +1,6 @@
+5.6.0 (TD)
+ - Add support for FIPS-compliant binaries & docker images
+
 5.5.0 (Dec 12, 2023)
 - Added support for Flag Sets on Split Proxy and Synchronizer, which enables SDKs to interacting with the flag sets features (more details in our documentation):
 - Updated Proxy endpoints used by SDKs to fetch flags have been updated to handle any SDKs downloading flags in certain flag sets.
diff --git a/Makefile b/Makefile
index b6f13abd..4a09221f 100644
--- a/Makefile
+++ b/Makefile
@@ -17,8 +17,8 @@ PLATFORM ?=
 EXTRA_BUILD_ARGS ?=
 # don't depend on commit version, to avoid rebuilding unnecessarily
-sources := $(shell find . -name *.go -not -name "commitversion.go")
-version := $(shell cat splitio/version.go | grep 'const Version' | sed 's/const Version = //' | tr -d '"')
+sources := $(shell find . -name *.go -not -name "commitversion.go")
+version := $(shell cat splitio/version.go | grep 'const Version' | sed 's/const Version = //' | tr -d '"')
 commit_version := $(shell git rev-parse --short HEAD)
 installer_tpl := ./release/install_script_template
 installer_tpl_lines := $(shell echo $$(( $$(wc -l $(installer_tpl) | awk '{print $$1}') +1 )))
@@ -56,6 +56,14 @@ split-sync: $(sources) go.sum
 split-proxy: $(sources) go.sum
 $(GO) build $(EXTRA_BUILD_ARGS) -o $@ cmd/proxy/main.go
+## Build the split-sync executable
+split-sync-fips: $(sources) go.sum
+ GOEXPERIMENT=boringcrypto $(GO) build $(EXTRA_BUILD_ARGS) -o $@ $(ENFORCE_FIPS) cmd/synchronizer/main.go
+
+## Build the split-proxy executable
+split-proxy-fips: $(sources) go.sum
+ GOEXPERIMENT=boringcrypto $(GO) build $(EXTRA_BUILD_ARGS) -o $@ $(ENFORCE_FIPS) cmd/proxy/main.go
+
 ## Run the unit tests
 test: $(sources) go.sum
 $(GO) test ./... -count=1 -race $(ARGS)
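Review bot: The new `split-sync-fips` and `split-proxy-fips` targets rely on `GOEXPERIMENT=boringcrypto` alone, but the Go toolchain silently falls back to its standard crypto when cgo is disabled or the target is not linux/amd64 or linux/arm64, so a binary named `-fips` can be produced without BoringCrypto and nothing in these recipes would notice. `$(ENFORCE_FIPS)` is not defined anywhere in this diff; if it is not set elsewhere it expands to nothing, which means the build also does nothing to reject non-FIPS algorithms at runtime. Consider pinning the recipe with `CGO_ENABLED=1 GOEXPERIMENT=boringcrypto $(GO) build ...` and following it with a post-build assertion along the lines of `go version $@ | grep -q boringcrypto || (rm -f $@; exit 1)` so a fallback build fails loudly, and make sure `ENFORCE_FIPS` (or the program itself) pulls in `crypto/tls/fipsonly`. The two `##` comments above the new targets are copied from the non-FIPS targets verbatim and should read `## Build the split-sync executable with BoringCrypto (FIPS mode)` and the proxy equivalent.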
@@ -97,13 +105,29 @@ entrypoints: entrypoint.synchronizer.sh entrypoint.proxy.sh
 ## Build release-ready docker images with proper tags and output push commands in stdout
 images_release: # entrypoints
- $(DOCKER) build $(platform_str) -t splitsoftware/split-synchronizer:latest -t splitsoftware/split-synchronizer:$(version) -f docker/Dockerfile.synchronizer .
- $(DOCKER) build $(platform_str) -t splitsoftware/split-proxy:latest -t splitsoftware/split-proxy:$(version) -f docker/Dockerfile.proxy .
+ $(DOCKER) build $(platform_str) \
+ -t splitsoftware/split-synchronizer:latest -t splitsoftware/split-synchronizer:$(version) \
+ -f docker/Dockerfile.synchronizer .
+ $(DOCKER) build $(platform_str) \
+ -t splitsoftware/split-proxy:latest -t splitsoftware/split-proxy:$(version) \
+ -f docker/Dockerfile.proxy .
+ $(DOCKER) build $(platform_str) \
+ -t splitsoftware/split-synchronizer-fips:latest -t splitsoftware/split-synchronizer-fips:$(version) \
+ --build-arg FIPS_MODE=1 \
+ -f docker/Dockerfile.synchronizer .
+ $(DOCKER) build $(platform_str) \
+ -t splitsoftware/split-proxy-fips:latest -t splitsoftware/split-proxy-fips:$(version) \
+ --build-arg FIPS_MODE=1 \
+ -f docker/Dockerfile.proxy .
 @echo "Images created. Make sure everything works ok, and then run the following commands to push them."
 @echo "$(DOCKER) push splitsoftware/split-synchronizer:$(version)"
 @echo "$(DOCKER) push splitsoftware/split-synchronizer:latest"
 @echo "$(DOCKER) push splitsoftware/split-proxy:$(version)"
 @echo "$(DOCKER) push splitsoftware/split-proxy:latest"
+ @echo "$(DOCKER) push splitsoftware/split-synchronizer-fips:$(version)"
+ @echo "$(DOCKER) push splitsoftware/split-synchronizer-fips:latest"
+ @echo "$(DOCKER) push splitsoftware/split-proxy-fips:$(version)"
+ @echo "$(DOCKER) push splitsoftware/split-proxy-fips:latest"
 # -------------------------------------------------------------------------- #
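Review bot: The two `-fips` images are built with `--build-arg FIPS_MODE=1`, but the Dockerfiles changed in this same diff compare `FIPS_MODE` against the literal string `enabled` and the CI matrix passes `enabled`/`disabled`, so the release recipe and the Dockerfiles disagree on the contract and `1` simply lands in whichever branch the Dockerfile treats as the fallback. Use one spelling everywhere, e.g. `--build-arg FIPS_MODE=enabled \` on both FIPS builds here, and document the accepted values next to the `ARG FIPS_MODE` declaration. The two non-FIPS builds pass no `FIPS_MODE` at all and therefore depend on the Dockerfile's default; passing `--build-arg FIPS_MODE=disabled \` explicitly would make the recipe self-describing and keep a future default change from silently flipping the published images.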
@@ -242,11 +266,11 @@ to_uppercase = $(shell echo '$1' | tr a-z A-Z)
 remove_ext_path = $(basename $(notdir $1))
 normalize_os = $(if $(subst osx,,$1),$1,darwin)
 parse_os = $(call normalize_os,$(word 3,$(subst _, ,$(call remove_ext_path,$1))))
-mkexec = $(if $(findstring windows,$1),$1.exe,$1)
-installed_from_zip = $(if $(findstring split_sync,$1),split-sync,split-proxy)
+mkexec = $(if $(findstring windows,$1),$1.exe,$1)
+installed_from_zip = $(if $(findstring split_sync,$1),split-sync,split-proxy)
 apptitle_from_zip = $(if $(findstring split_sync,$1),Synchronizer,Proxy)
 cmdfolder_from_bin = $(if $(findstring split_sync,$1),synchronizer,proxy)
-platform_str = $(if $(PLATFORM),--platform=$(PLATFORM),)
+platform_str = $(if $(PLATFORM),--platform=$(PLATFORM),)
 # "constants"
 null :=
diff --git a/docker/Dockerfile.proxy b/docker/Dockerfile.proxy
index 0c7e9131..bed2b99f 100644
--- a/docker/Dockerfile.proxy
+++ b/docker/Dockerfile.proxy
@@ -2,6 +2,7 @@ FROM golang:1.21.3-alpine3.18 AS builder
 ARG EXTRA_BUILD_ARGS
+ARG FIPS_MODE
 RUN apk add \
 bash \
@@ -13,7 +14,10 @@ WORKDIR /code
 COPY . .
-RUN make clean split-proxy entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"
+RUN if [[ "${FIPS_MODE}" = "enabled" ]]; \
+ then echo "building in standard mode"; make clean split-proxy entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; \
+ else echo "building in fips mode"; make clean split-proxy-fips entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; mv split-proxy-fips split-proxy; \
+ fi
 # Runner stage
 FROM alpine:3.18.4 AS runner
diff --git a/docker/Dockerfile.synchronizer b/docker/Dockerfile.synchronizer
index b0854347..8c710b2c 100644
--- a/docker/Dockerfile.synchronizer
+++ b/docker/Dockerfile.synchronizer
@@ -2,6 +2,7 @@ FROM golang:1.21.3-alpine3.18 AS builder
 ARG EXTRA_BUILD_ARGS
+ARG FIPS_MODE
 RUN apk add \
 bash \
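Review bot: The branch selection in the new `RUN if [[ "${FIPS_MODE}" = "enabled" ]]` is inverted: when `FIPS_MODE` equals `enabled` the `then` branch builds the standard `split-proxy`, while every other value (unset, the empty string, and the `1` the Makefile's `images_release` passes) takes the `else` branch and builds the BoringCrypto binary, so the image tagged `-fips` ships the non-FIPS binary and the default image ships the FIPS one. Flip the test to `if [[ "${FIPS_MODE}" != "enabled" ]]; \` (or swap the two branches) and give the argument an explicit default, `ARG FIPS_MODE=disabled`, in the earlier hunk so an unset value can never select a mode by accident. `[[` is a bash construct but `RUN` executes under `/bin/sh` unless a `SHELL` directive is set; Alpine's ash may accept it, but `[ "${FIPS_MODE}" != "enabled" ]` is portable and removes that dependency. The same inverted condition appears in the `docker/Dockerfile.synchronizer` hunk below and needs the identical fix.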
@@ -13,7 +14,10 @@ WORKDIR /code
 COPY . .
-RUN make clean split-sync entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"
+RUN if [[ "${FIPS_MODE}" = "enabled" ]]; \
+ then echo "building in standard mode"; make clean split-sync entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; \
+ else echo "building in fips mode"; make clean split-sync-fips entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; mv split-sync-fips split-sync; \
+ fi
 # Runner stage
 FROM alpine:3.18.4 AS runner
diff --git a/splitio/commitversion.go b/splitio/commitversion.go
index 0463666a..63576ae5 100644
--- a/splitio/commitversion.go
+++ b/splitio/commitversion.go
@@ -5,4 +5,4 @@ This file is created automatically, please do not edit
 */
 // CommitVersion is the version of the last commit previous to release
-const CommitVersion = "779ab29"
+const CommitVersion = "fe6882b"