Simplify buildtags and Dockerfiles

This commit is contained in:
Joshua Casey 2023-03-08 22:32:03 -06:00
parent bed9a74b58
commit 8ec22b9a73
20 changed files with 114 additions and 104 deletions

View File

@ -19,7 +19,11 @@ RUN \
--mount=type=cache,target=/cache/gocache \
--mount=type=cache,target=/cache/gomodcache \
mkdir out && \
export GOCACHE=/cache/gocache GOMODCACHE=/cache/gomodcache CGO_ENABLED=0 GOOS=linux GOARCH=amd64 && \
export GOCACHE=/cache/gocache && \
export GOMODCACHE=/cache/gomodcache && \
export CGO_ENABLED=0 && \
export GOOS=linux && \
export GOARCH=amd64 && \
go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \

View File

@ -13,7 +13,7 @@ import (
"os"
"time"
// This side effect import ensures that we use fipsonly crypto during TLS in fips_strict mode.
// This side effect import ensures that we use fipsonly crypto in boringcrypto mode.
//
// Commenting this out because it causes the runtime memory consumption of this binary to increase
// from ~1 MB to ~8 MB (as measured when running the sleep subcommand). This binary does not use TLS,
@ -25,11 +25,8 @@ import (
//nolint:godot // This is not sentence, it is a commented out line of import code.
// _ "go.pinniped.dev/internal/crypto/ptls"
// This side effect imports cgo so that runtime/cgo gets linked, when in fips_strict mode.
// Without this line, the binary will exit 133 upon startup in fips_strict mode.
// It also enables fipsonly tls mode, just to be absolutely sure that the fips code is enabled,
// even though it shouldn't be used currently by this binary.
_ "go.pinniped.dev/internal/crypto/fips"
// This side effect ensures building with at least go1.19.
_ "go.pinniped.dev/internal/build"
)
//nolint:gochecknoglobals // these are swapped during unit tests.

View File

@ -15,11 +15,15 @@ import (
"k8s.io/apimachinery/pkg/util/sets"
concierge "go.pinniped.dev/internal/concierge/server"
// this side effect import ensures that we use fipsonly crypto in fips_strict mode.
_ "go.pinniped.dev/internal/crypto/ptls"
lua "go.pinniped.dev/internal/localuserauthenticator"
"go.pinniped.dev/internal/plog"
supervisor "go.pinniped.dev/internal/supervisor/server"
// this side effect import ensures that we use fipsonly crypto in boringcrypto mode.
_ "go.pinniped.dev/internal/crypto/ptls"
// This side effect ensures building with at least go1.19.
_ "go.pinniped.dev/internal/build"
)
//nolint:gochecknoglobals // these are swapped during unit tests.

View File

@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package main
@ -9,8 +9,11 @@ import (
"github.com/pkg/browser"
"go.pinniped.dev/cmd/pinniped/cmd"
// this side effect import ensures that we use fipsonly crypto in fips_strict mode.
// this side effect import ensures that we use fipsonly crypto in boringcrypto mode.
_ "go.pinniped.dev/internal/crypto/ptls"
// This side effect ensures building with at least go1.19.
_ "go.pinniped.dev/internal/build"
)
//nolint:gochecknoinits

View File

@ -3,13 +3,13 @@
# Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
# this dockerfile is used to produce a binary of Pinniped that uses
# only fips-allowable ciphers. Note that this is provided only as
# an example. Pinniped has no official support for fips and using
# This dockerfile is used to produce a binary of Pinniped that uses
# only FIPS-allowable ciphers. Note that this is provided only as
# an example. Pinniped has no official support for FIPS and using
# a version built from this dockerfile may have unforseen consquences.
# Please do not create issues in regards to problems encountered by
# using this dockerfile. Using this dockerfile does not convey
# any type of fips certification.
# any type of FIPS certification.
# Starting in 1.19, go-boringcrypto has been added to the main Go toolchain,
# hidden behind a `GOEXPERIMENT=boringcrypto` env var.
@ -21,37 +21,15 @@ WORKDIR /work
COPY . .
ARG GOPROXY
# Build the executable binary (CGO_ENABLED=1 is required for go boring).
# Even though we need cgo to call the boring crypto C functions, these
# functions are statically linked into the binary. We also want to statically
# link any libc bits hence we pass "-linkmode=external -extldflags -static"
# to the ldflags directive. We do not pass "-s" to ldflags because we do
# not want to strip symbols - those are used to verify if we compiled correctly.
# We do not pass in GOCACHE (build cache) and GOMODCACHE (module cache)
# because there have been bugs in the Go compiler caching when using cgo
# (it will sometimes use cached artifiacts when it should not). Since we
# use gcc as the C compiler, the following warning is emitted:
# /boring/boringssl/build/../crypto/bio/socket_helper.c:55: warning:
# Using 'getaddrinfo' in statically linked applications requires at
# runtime the shared libraries from the glibc version used for linking
# This is referring to the code in
# https://github.com/google/boringssl/blob/af34f6460f0bf99dc267818f02b2936f60a30de7/crypto/bio/socket_helper.c#L55
# which calls the getaddrinfo function. This function, even when statically linked,
# uses dlopen to dynamically fetch networking config. It is safe for us to ignore
# this warning because the go boring cypto code does not create netowrking connections:
# https://github.com/golang/go/blob/9d6ab825f6fe125f7ce630e103b887e580403802/src/crypto/internal/boring/goboringcrypto.h
# The osusergo and netgo tags are used to make sure that the Go implementations of these
# standard library packages are used instead of the libc based versions.
# We want to have no reliance on any C code other than the boring crypto bits.
# Setting GOOS=linux GOARCH=amd64 is a hard requirment for boring crypto:
# https://github.com/golang/go/blob/9d6ab825f6fe125f7ce630e103b887e580403802/misc/boring/README.md?plain=1#L95
# Thus trying to compile the pinniped CLI with boring crypto is meaningless
# since we would not be able to ship windows and macOS binaries.
# GOEXPERIMENT=boringcrypto will tell both Pinniped source code and Golang to use boringcrypto
RUN \
mkdir out && \
export CGO_ENABLED=1 GOOS=linux GOARCH=amd64 GOEXPERIMENT=boringcrypto && \
go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
export CGO_ENABLED=1 && \
export GOOS=linux && \
export GOARCH=amd64 && \
export GOEXPERIMENT=boringcrypto && \
go build -tags osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
go build -tags osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \
ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-supervisor && \
ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator

View File

@ -24,6 +24,6 @@ if [[ "${#missing_copyright_files[@]}" -gt "0" ]]; then
for f in "${missing_copyright_files[@]}"; do
echo " $f"
done
echo "Try using hack/update-copyright-year.sh to update the copyright automatically in staged files."
echo "Try using ./hack/update-copyright-year.sh to update the copyright automatically in staged files."
exit 1
fi

View File

@ -0,0 +1,4 @@
// Copyright 2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package build

View File

@ -0,0 +1,11 @@
// Copyright 2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
//go:build !go1.19
package build
func init() {
// fail unless compiling with 1.19+
"requires go1.19 or greater"
}

View File

@ -1,6 +0,0 @@
// Copyright 2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Package fips can be imported to enable fipsonly tls mode when compiling with fips_strict.
// It will also cause cgo to be explicitly imported when compiling with fips_strict.
package fips

View File

@ -1,11 +0,0 @@
// Copyright 2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
//go:build fips_strict
package fips
import (
"C" // explicitly import cgo so that runtime/cgo gets linked into the kube-cert-agent
_ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings.
)

View File

@ -0,0 +1,28 @@
// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
//go:build boringcrypto
package ptls
import (
"C" // explicitly import cgo
_ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings.
"os"
"path/filepath"
"runtime"
"go.pinniped.dev/internal/plog"
)
func init() {
switch filepath.Base(os.Args[0]) {
case "pinniped-server", "pinniped-supervisor", "pinniped-concierge", "pinniped-concierge-kube-cert-agent":
default:
return // do not print FIPS logs if we cannot confirm that we are running a server binary
}
// this init runs before we have parsed our config to determine our log level
// thus we must use a log statement that will always print instead of conditionally print
plog.Always("using boring crypto in fips only mode", "go version", runtime.Version())
}

View File

@ -1,7 +1,7 @@
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
//go:build !fips_strict
//go:build !boringcrypto
package ptls

View File

@ -1,10 +1,7 @@
// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// The configurations here override the usual ptls.Secure, ptls.Default, and ptls.DefaultLDAP
// configs when Pinniped is built in fips-only mode.
// All of these are the same because FIPs is already so limited.
//go:build fips_strict
//go:build boringcrypto
package ptls
@ -15,17 +12,9 @@ import (
"path/filepath"
"runtime"
"k8s.io/apiserver/pkg/server/options"
// Cause fipsonly tls mode with this side effect import.
_ "go.pinniped.dev/internal/crypto/fips"
"go.pinniped.dev/internal/plog"
)
// Always use TLS 1.2 for FIPs
const secureServingOptionsMinTLSVersion = "VersionTLS12"
const SecureTLSConfigMinTLSVersion = tls.VersionTLS12
func init() {
switch filepath.Base(os.Args[0]) {
case "pinniped-server", "pinniped-supervisor", "pinniped-concierge", "pinniped-concierge-kube-cert-agent":
@ -52,7 +41,7 @@ func Default(rootCAs *x509.CertPool) *tls.Config {
// optional root CAs, nil means use the host's root CA set
RootCAs: rootCAs,
// This is all of the fips-approved ciphers.
// This is all the fips-approved ciphers.
// The list is hard-coded for convenience of testing.
// This is kept in sync with the boring crypto compiler via TestFIPSCipherSuites.
CipherSuites: []uint16{
@ -66,14 +55,6 @@ func Default(rootCAs *x509.CertPool) *tls.Config {
}
}
func Secure(rootCAs *x509.CertPool) *tls.Config {
return Default(rootCAs)
}
func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config {
return Default(rootCAs)
}
func secureServing(opts *options.SecureServingOptionsWithLoopback) {
defaultServing(opts)
}

View File

@ -1,14 +0,0 @@
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
//go:build !go1.19
package ptls
func init() {
// cause compile time failure if an older version of Go is used
`Pinniped's TLS configuration makes assumptions about how the Go standard library implementation of TLS works.
It particular, we rely on the server controlling cipher suite selection. For these assumptions to hold, Pinniped
must be compiled with Go 1.19+. If you are seeing this error message, your attempt to compile Pinniped with an
older Go compiler was explicitly failed to prevent an unsafe configuration.`
}

View File

@ -1,7 +1,7 @@
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
//go:build !fips_strict
//go:build !boringcrypto
package ptls

View File

@ -0,0 +1,32 @@
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
//go:build boringcrypto
package ptls
import (
"crypto/tls"
"crypto/x509"
"k8s.io/apiserver/pkg/server/options"
)
// secureServingOptionsMinTLSVersion is the minimum tls version in the format
// expected by SecureServingOptions.MinTLSVersion from
// k8s.io/apiserver/pkg/server/options.
//
// Always use TLS 1.2 for FIPs.
const secureServingOptionsMinTLSVersion = "VersionTLS12"
// SecureTLSConfigMinTLSVersion is the minimum tls version in the format expected
// by tls.Config.
const SecureTLSConfigMinTLSVersion = tls.VersionTLS12
func Secure(rootCAs *x509.CertPool) *tls.Config {
return Default(rootCAs)
}
func secureServing(opts *options.SecureServingOptionsWithLoopback) {
defaultServing(opts)
}

View File

@ -12,8 +12,7 @@ menu:
By default, the Pinniped supervisor and concierge use ciphers that
are not supported by FIPS 140-2. If you are deploying Pinniped in an
environment with FIPS compliance requirements, you will have to build
the binaries yourself using the `fips_strict` build tag and Golang's
`go-boringcrypto` fork.
the binaries yourself using Golang 1.19 and the `GOEXPERIMENT=boringcrypto` build tag.
The Pinniped team provides an [example Dockerfile](https://github.com/vmware-tanzu/pinniped/blob/main/hack/Dockerfile_fips)
demonstrating how you can build Pinniped images in a FIPS compatible way.

View File

@ -1,7 +1,7 @@
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
//go:build fips_strict
//go:build boringcrypto
package integration

View File

@ -1,7 +1,7 @@
// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
//go:build fips_strict
//go:build boringcrypto
package testlib

View File

@ -1,7 +1,7 @@
// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
//go:build !fips_strict
//go:build !boringcrypto
package testlib