From 310a3dacf6b702d664da3f241304f895cfa9879d Mon Sep 17 00:00:00 2001
From: Felipe Vianna
Date: Tue, 23 Jun 2026 16:51:34 -0300
Subject: [PATCH] ci: add distroless-fips image variant built with --config=aws-lc-fips

Adds a new `distroless-fips-v{X}.{Y}.{Z}` Docker image published alongside each standard release, built with `--config=aws-lc-fips`.

Changes:
- ci/do_ci.sh: add `release.server_only.fips` target that appends --config=aws-lc-fips to BAZEL_RELEASE_OPTIONS and outputs the binary as release.fips.tar.zst
- distribution/docker/Dockerfile-envoy: add ENVOY_RELEASE_TARBALL build arg (default: release.tar.zst) to allow the FIPS build to supply an alternative tarball
- distribution/docker/build.sh: add -distroless-fips to BUILD_TYPES; update build_args to strip -fips when deriving the Docker target and pass --build-arg ENVOY_RELEASE_TARBALL=release.fips.tar.zst for FIPS builds
- .github/workflows/_publish_build.yml: add binary-fips and docker-fips jobs mirroring the existing binary/docker jobs
- .github/workflows/_publish_release_container.yml: add distroless-fips-dev and distroless-fips-v{X}.{Y}.{Z} manifest entries

Closes #45812

Signed-off-by: Felipe Vianna
---
 .github/workflows/_publish_build.yml | 58 +++++++++++++++++++
 .../workflows/_publish_release_container.yml | 18 ++++++
 ci/do_ci.sh | 11 +++-
 distribution/docker/Dockerfile-envoy | 3 +-
 distribution/docker/build.sh | 7 ++-
 5 files changed, 93 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/_publish_build.yml b/.github/workflows/_publish_build.yml
index 8976aa87d6583..079bad7599bc4 100644
--- a/.github/workflows/_publish_build.yml
+++ b/.github/workflows/_publish_build.yml
@@ -60,6 +60,33 @@ jobs:
 upload-name: release.${{ inputs.arch }}
 upload-path: container/envoy/${{ inputs.arch }}/bin/
+ binary-fips:
+ secrets:
+ dockerhub-token: ${{ secrets.dockerhub-token }}
+ permissions:
+ actions: read
+ contents: read
+ packages: read
+ name: Binary (FIPS)
+ uses: ./.github/workflows/_run.yml
+ with:
+ arch: ${{ inputs.arch }}
+ bazel-cache: true
+ bazel-extra: >-
+ --config=rbe
+ target: release.server_only.fips
+ target-suffix: ${{ inputs.arch }}-fips
+ cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }}
+ cache-build-image-key-suffix: ${{ inputs.arch == 'arm64' && '-arm64' || '' }}
+ concurrency-suffix: -${{ inputs.arch }}-fips
+ rbe: true
+ request: ${{ inputs.request }}
+ runs-on: ${{ inputs.arch == 'arm64' && (vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm') || null }}
+ timeout-minutes: 180
+ trusted: ${{ inputs.trusted }}
+ upload-name: release-fips.${{ inputs.arch }}
+ upload-path: container/envoy/${{ inputs.arch }}/bin/
+
 docker:
 secrets:
 dockerhub-token: ${{ secrets.dockerhub-token }}
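Review bot: `binary-fips` repeats the `binary` job above it almost line for line — only `target`, the `-fips` suffixes and `upload-name` differ — and `docker-fips` in the next hunk repeats `docker` the same way. Since both call the reusable `_run.yml` workflow, a `strategy.matrix` over the two variants on the existing jobs would stop the FIPS copy from silently falling behind when an input such as `timeout-minutes` or `bazel-extra` is later tuned on the non-FIPS job only. Failing that, a comment above `binary-fips:` such as `# Mirrors the binary job; keep inputs in sync. The FIPS config itself is applied by ci/do_ci.sh for release.server_only.fips.` should mark the coupling. The enclosing jobs map continues outside the hunk.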
@@ -91,6 +118,37 @@ jobs:
 upload-path: container/envoy/${{ inputs.arch }}/build_images
 runs-on: ${{ inputs.arch == 'arm64' && (vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm') || null }}
+ docker-fips:
+ secrets:
+ dockerhub-token: ${{ secrets.dockerhub-token }}
+ permissions:
+ actions: read
+ contents: read
+ packages: read
+ name: Docker OCI (FIPS)
+ needs:
+ - binary-fips
+ uses: ./.github/workflows/_run.yml
+ with:
+ arch: ${{ inputs.arch }}
+ target: docker
+ target-suffix: ${{ inputs.arch }}-fips
+ cache-build-image: ${{ fromJSON(inputs.request).request.build-image.default }}
+ cache-build-image-key-suffix: ${{ inputs.arch == 'arm64' && '-arm64' || '' }}
+ concurrency-suffix: -${{ inputs.arch }}-fips
+ downloads: |
+ release-fips.${{ inputs.arch }}: container/envoy/${{ inputs.arch }}/bin/
+ request: ${{ inputs.request }}
+ source: |
+ export NO_BUILD_SETUP=1
+ export ENVOY_DOCKER_IN_DOCKER=1
+ export ENVOY_DOCKER_SAVE_IMAGE=true
+ export ENVOY_OCI_DIR=build_images_fips
+ trusted: ${{ inputs.trusted }}
+ upload-name: oci-fips.${{ inputs.arch }}
+ upload-path: container/envoy/${{ inputs.arch }}/build_images_fips
+ runs-on: ${{ inputs.arch == 'arm64' && (vars.ENVOY_ARM_VM || 'ubuntu-24.04-arm') || null }}
+
 distribution:
 secrets:
 dockerhub-token: ${{ secrets.dockerhub-token }}
diff --git a/.github/workflows/_publish_release_container.yml b/.github/workflows/_publish_release_container.yml
index 5a23c59651593..5388d5a8c4d52 100644
--- a/.github/workflows/_publish_release_container.yml
+++ b/.github/workflows/_publish_release_container.yml
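Review bot: `docker-fips` downloads only the `release-fips.${{ inputs.arch }}` artifact into the bin directory, yet it runs the same `target: docker` as the `docker` job, and `BUILD_TYPES` in distribution/docker/build.sh (changed in this same commit) now lists every variant, FIPS and non-FIPS alike. Unless build.sh filters `BUILD_TYPES` through an input that sits outside these hunks, this job will try to build the non-FIPS images without `release.tar.zst` present, and the existing `docker` job will in turn try to build `-distroless-fips` without `release.fips.tar.zst`; at best each job rebuilds the other's images and the `oci-fips` upload ends up carrying non-FIPS tarballs under `build_images_fips`. A variant selector exported through `source:` and honoured by build.sh (restricting it to `-distroless-fips` here and excluding that entry in the `docker` job) would make each job build only what its artifact can back, which also keeps the FIPS-tagged artifact set honest. The jobs map continues past the hunk.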
@@ -118,6 +118,15 @@ jobs:
 artifact-pattern: envoy-distroless.{arch}.tar
 additional-tags:
 - distroless-dev-${{ github.sha }}
+ - name: ${{ inputs.dockerhub-repo }}
+ tag: distroless-fips-dev
+ registry: docker.io/envoyproxy
+ architectures:
+ - amd64
+ - arm64
+ artifact-pattern: envoy-distroless-fips.{arch}.tar
+ additional-tags:
+ - distroless-fips-dev-${{ github.sha }}
 - name: ${{ inputs.dockerhub-repo }}
 tag: google-vrp-dev
 registry: docker.io/envoyproxy
@@ -208,6 +217,15 @@ jobs:
 artifact-pattern: envoy-distroless.{arch}.tar
 additional-tags:
 - distroless-v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest
+ - name: ${{ inputs.dockerhub-repo }}
+ tag: distroless-fips-v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }}
+ registry: docker.io/envoyproxy
+ architectures:
+ - amd64
+ - arm64
+ artifact-pattern: envoy-distroless-fips.{arch}.tar
+ additional-tags:
+ - distroless-fips-v${{ inputs.version-major }}.${{ inputs.version-minor }}-latest
 - name: ${{ inputs.dockerhub-repo }}
 tag: google-vrp-v${{ inputs.version-major }}.${{ inputs.version-minor }}.${{ inputs.version-patch }}
 registry: docker.io/envoyproxy
diff --git a/ci/do_ci.sh b/ci/do_ci.sh
index 06c5a80f7c307..eb08085c966a7 100755
--- a/ci/do_ci.sh
+++ b/ci/do_ci.sh
@@ -854,7 +854,7 @@ case $CI_TARGET in
 "${PUBLISH_ARGS[@]}"
 ;;
- release|release.server_only|release.test_only)
+ release|release.server_only|release.server_only.fips|release.test_only)
 if [[ "$CI_TARGET" == "release" || "$CI_TARGET" == "release.test_only" ]]; then
 # When testing memory consumption, we want to test against exact byte-counts
 # where possible. As these differ between platforms and compile options, we
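Review bot: The two new manifest entries (this hunk and the -208 one) are the only place the `envoy-distroless-fips.{arch}.tar` artifact name is tied to a published tag, and nothing in this file says where that artifact comes from or what makes the tag different from `distroless`. A comment above the first entry, e.g. `# Built from the release.server_only.fips binary (--config=aws-lc-fips) by the docker-fips job in _publish_build.yml`, would let a reader follow the chain without opening the other workflow. Because a `-fips` tag is a compliance-relevant promise that consumers will look for, any place the repository documents its published image variants should be updated in the same change, if such a list exists. The manifest list continues outside the hunk.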
@@ -873,6 +873,9 @@ case $CI_TARGET in
 BAZEL_RELEASE_OPTIONS=(
 --stripopt=--strip-all
 -c opt)
+ if [[ "$CI_TARGET" == "release.server_only.fips" ]]; then
+ BAZEL_RELEASE_OPTIONS+=(--config=aws-lc-fips)
+ fi
 if [[ "$CI_TARGET" == "release" || "$CI_TARGET" == "release.test_only" ]]; then
 # Run release tests
 echo "Testing with:"
@@ -909,9 +912,13 @@ case $CI_TARGET in
 --remote_download_outputs=toplevel \
 //distribution/binary:release
 # Copy release binaries to binary export directory
+ RELEASE_TARBALL_NAME="release.tar.zst"
+ if [[ "$CI_TARGET" == "release.server_only.fips" ]]; then
+ RELEASE_TARBALL_NAME="release.fips.tar.zst"
+ fi
 cp -a \
 "bazel-bin/distribution/binary/release.tar.zst" \
- "${ENVOY_BINARY_DIR}/release.tar.zst"
+ "${ENVOY_BINARY_DIR}/${RELEASE_TARBALL_NAME}"
 # Grab the schema_validator_tool
 # TODO(phlax): bundle this with the release when #26390 is resolved
 bazel build "${BAZEL_BUILD_OPTIONS[@]}" "${BAZEL_RELEASE_OPTIONS[@]}" \
diff --git a/distribution/docker/Dockerfile-envoy b/distribution/docker/Dockerfile-envoy
index 6b20482ee9edd..0b4aeb7e87f7e 100644
--- a/distribution/docker/Dockerfile-envoy
+++ b/distribution/docker/Dockerfile-envoy
@@ -10,7 +10,8 @@ ADD configs/envoyproxy_io_proxy.yaml /etc/envoy/envoy.yaml
 # See https://github.com/docker/buildx/issues/510 for why this _must_ be this way
 ARG TARGETPLATFORM
 ENV TARGETPLATFORM="${TARGETPLATFORM:-linux/amd64}"
-ADD "${TARGETPLATFORM}/release.tar.zst" /usr/local/bin/
+ARG ENVOY_RELEASE_TARBALL=release.tar.zst
+ADD "${TARGETPLATFORM}/${ENVOY_RELEASE_TARBALL}" /usr/local/bin/
 # STAGE: envoy-base
diff --git a/distribution/docker/build.sh b/distribution/docker/build.sh
index a5d10d617d57d..e2d2a78cc654e 100755
--- a/distribution/docker/build.sh
+++ b/distribution/docker/build.sh
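Review bot: The FIPS binary is built and published without any test run under `--config=aws-lc-fips`: the -873 hunk appends the config only for `release.server_only.fips`, and the test block directly below it stays gated on `release`/`release.test_only`, so the crypto module the FIPS image ships with is never exercised by the suite in this pipeline (unless a separate FIPS test job exists outside this patch). A `release.test_only.fips` target, or applying the config whenever `$CI_TARGET` ends in `.fips`, would close that gap; at minimum the copy step in the -909 hunk could check that the freshly built binary actually reports the FIPS crypto backend, if its version banner exposes it, before the artifact is renamed to `release.fips.tar.zst`, since that filename is the only thing that later distinguishes the FIPS image. The FIPS-or-not decision is also spelled as three separate string comparisons across the -854, -873 and -909 hunks; deriving one flag once, e.g. `if [[ "$CI_TARGET" == *.fips ]]; then ENVOY_FIPS_BUILD=1; fi`, and testing that keeps them from drifting. The case arm continues outside the hunks.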
@@ -64,7 +64,7 @@ config_env() {
 docker buildx create --use --name envoy-builder --platform "${DOCKER_PLATFORM}" --driver-opt "image=moby/buildkit:${BUILDKIT_VERSION}"
 }
-BUILD_TYPES=("" "-debug" "-contrib" "-contrib-debug" "-contrib-distroless" "-distroless" "-tools")
+BUILD_TYPES=("" "-debug" "-contrib" "-contrib-debug" "-contrib-distroless" "-distroless" "-distroless-fips" "-tools")
 if [[ "$DOCKER_PLATFORM" == "linux/amd64" ]]; then
 BUILD_TYPES+=("-google-vrp")
@@ -97,6 +97,7 @@ build_args() {
 target="${build_type/-debug/}"
 target="${target/-contrib/}"
+ target="${target/-fips/}"
 printf ' -f distribution/docker/Dockerfile-envoy --target %s' "envoy${target}"
 if [[ "${build_type}" == *-contrib* ]]; then
@@ -106,6 +107,10 @@ build_args() {
 if [[ "${build_type}" == *-debug ]]; then
 printf ' --build-arg ENVOY_BINARY_PREFIX=dbg/'
 fi
+
+ if [[ "${build_type}" == *-fips* ]]; then
+ printf ' --build-arg ENVOY_RELEASE_TARBALL=release.fips.tar.zst'
+ fi
 }
 use_builder() {
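Review bot: The `release.fips.tar.zst` literal in the new `*-fips*` branch of build_args is spelled independently of the `RELEASE_TARBALL_NAME` assignment in ci/do_ci.sh that produces the file, and nothing ties the two together but the string, so a rename on either side breaks the FIPS image at `ADD` time rather than at review time. A comment on the new branch, `# Must match RELEASE_TARBALL_NAME for release.server_only.fips in ci/do_ci.sh`, or reading the name from one variable exported by the CI job, would keep them in step. build_args continues outside the hunks.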