ContainerImage.Pinniped/hack/Dockerfile_fips
2023-10-16 08:28:13 -05:00

84 lines
4.8 KiB
Docker

# syntax=docker/dockerfile:1
# Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
# this dockerfile is used to produce a binary of Pinniped that uses
# only fips-allowable ciphers. Note that this is provided only as
# an example. Pinniped has no official support for fips and using
# a version built from this dockerfile may have unforseen consquences.
# Please do not create issues in regards to problems encountered by
# using this dockerfile. Using this dockerfile does not convey
# any type of fips certification.
# Starting in 1.19, go-boringcrypto has been added to the main Go toolchain,
# hidden behind a `GOEXPERIMENT=boringcrypto` env var.
# See https://go.googlesource.com/go/+/dev.boringcrypto/README.boringcrypto.md
# and https://kupczynski.info/posts/fips-golang/ for details.
# This is not currently using --platform to prepare to cross-compile because we use gcc below to build
# platform-specific GCO code. This makes multi-arch builds slow due to target platform emulation.
FROM golang:1.21.3 as build-env
WORKDIR /work
ARG GOPROXY
ARG KUBE_GIT_VERSION
ENV KUBE_GIT_VERSION=$KUBE_GIT_VERSION
# These will be set by buildkit automatically, e.g. TARGETOS set to "linux" and TARGETARCH set to "amd64" or "arm64".
# Useful for building multi-arch container images.
ARG TARGETOS
ARG TARGETARCH
# Build the executable binary (CGO_ENABLED=1 is required for go boring).
# Even though we need cgo to call the boring crypto C functions, these
# functions are statically linked into the binary. We also want to statically
# link any libc bits hence we pass "-linkmode=external -extldflags -static"
# to the ldflags directive. We do not pass "-s" to ldflags because we do
# not want to strip symbols - those are used to verify if we compiled correctly.
# Since we use gcc as the C compiler, the following warning is emitted:
# /boring/boringssl/build/../crypto/bio/socket_helper.c:55: warning:
# Using 'getaddrinfo' in statically linked applications requires at
# runtime the shared libraries from the glibc version used for linking
# This is referring to the code in
# https://github.com/google/boringssl/blob/af34f6460f0bf99dc267818f02b2936f60a30de7/crypto/bio/socket_helper.c#L55
# which calls the getaddrinfo function. This function, even when statically linked,
# uses dlopen to dynamically fetch networking config. It is safe for us to ignore
# this warning because the go boring cypto code does not create netowrking connections:
# https://github.com/golang/go/blob/9d6ab825f6fe125f7ce630e103b887e580403802/src/crypto/internal/boring/goboringcrypto.h
# The osusergo and netgo tags are used to make sure that the Go implementations of these
# standard library packages are used instead of the libc based versions.
# We want to have no reliance on any C code other than the boring crypto bits.
RUN \
--mount=target=. \
--mount=type=cache,target=/cache/gocache \
--mount=type=cache,target=/cache/gomodcache \
export GOCACHE=/cache/gocache GOMODCACHE=/cache/gomodcache CGO_ENABLED=1 GOOS=$TARGETOS GOARCH=$TARGETARCH GOEXPERIMENT=boringcrypto && \
go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \
ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-supervisor && \
ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator
# Use a distroless runtime image with CA certificates, timezone data, and not much else.
# Note that we are not using --platform here, so it will choose the base image for the target platform, not the build platform.
# By using "distroless/static" instead of "distroless/static-debianXX" we can float on the latest stable version of debian.
# See https://github.com/GoogleContainerTools/distroless#base-operating-system
FROM gcr.io/distroless/static:nonroot@sha256:2a9e2b4fa771d31fe3346a873be845bfc2159695b9f90ca08e950497006ccc2e
# Copy the server binary from the build-env stage.
COPY --from=build-env /usr/local/bin /usr/local/bin
# Document the default server ports for the various server apps
EXPOSE 8443 8444 10250
# Run as non-root for security posture
# Use the same non-root user as https://github.com/GoogleContainerTools/distroless/blob/fc3c4eaceb0518900f886aae90407c43be0a42d9/base/base.bzl#L9
# This is a workaround for https://github.com/GoogleContainerTools/distroless/issues/718
USER 65532:65532
# Set the entrypoint
ENTRYPOINT ["/usr/local/bin/pinniped-server"]