From 990717d9893578684cc024f70b86f288dc4b6aed Mon Sep 17 00:00:00 2001
From: Walt
Date: Tue, 20 Jun 2023 17:21:19 +0200
Subject: [PATCH] Remove further unused fips infrastructure (#27900)
* Remove Dockerfile-arm-fips We don't build fips for arm, as documented in https://github.com/gravitational/teleport/issues/10581.
* Stop building buildbox-fips We do not use this buildbox for anything. This step is failing because the supporting infrastructure for buildbox-fips was removed in https://github.com/gravitational/teleport/pull/26859.
* Fix fips buildbox BUILDBOX_FIPS was removed, replaced by BUILDBOX_CENTOS7_FIPS. Unfortunately I missed updating this target in #26859. This subsequently broke e CI.
(cherry picked from commit 6ef118636ff481d598e8ad53c48b89c4b5d42f57)
---
 .drone.yml | 23 -----------------------
 build.assets/Dockerfile-arm-fips | 6 ------
 build.assets/Makefile | 5 ++---
 dronegen/buildbox.go | 4 ++--
 4 files changed, 4 insertions(+), 34 deletions(-)
 delete mode 100644 build.assets/Dockerfile-arm-fips
diff --git a/.drone.yml b/.drone.yml
index ac5ca95911a45..43cc029e5853c 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -6098,29 +6098,6 @@ steps: path: /var/run - name: dockerconfig path: /root/.docker -- name: Build and push buildbox-fips - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make aws-cli - - chown -R $UID:$GID /go - - aws ecr get-login-password --profile staging --region=us-west-2 | docker login - -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - - make -C build.assets buildbox-fips - - docker tag public.ecr.aws/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - aws ecr-public get-login-password --profile production --region=us-east-1 | docker - login -u="AWS" --password-stdin public.ecr.aws - - docker push public.ecr.aws/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker - name: Build and push buildbox-arm image: docker pull: if-not-exists
diff --git a/build.assets/Dockerfile-arm-fips b/build.assets/Dockerfile-arm-fips
deleted file mode 100644
index 3096fc5bf0634..0000000000000
--- a/build.assets/Dockerfile-arm-fips
+++ /dev/null
@@ -1,6 +0,0 @@
-ARG BUILDBOX_VERSION
-FROM public.ecr.aws/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION
-
-RUN apt-get -y update && \
- apt-get -y install gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu && \
- apt-get -y autoclean && apt-get -y clean
diff --git a/build.assets/Makefile b/build.assets/Makefile
index e9e39dea692b6..4f1ed58691218 100644
--- a/build.assets/Makefile
+++ b/build.assets/Makefile
@@ -40,7 +40,6 @@ include grpcbox.mk # Requires images.mk
 # target. The other solution was to remove the 'buildbox' dependency from the 'release' target, but this would
 # make it harder to run `make -C build.assets release` locally as the buildbox would not automatically be built.
 BUILDBOX_NAME=$(BUILDBOX)
-BUILDBOX_FIPS_NAME=$(BUILDBOX_FIPS)
 DOCSBOX=ghcr.io/gravitational/docs
@@ -466,9 +465,9 @@ release-enterprise:
 # CI should not use this target, it should use named Makefile targets like release-amd64-fips.
 #
 .PHONY:release-fips
-release-fips: buildbox-fips webassets
+release-fips: buildbox-centos7-fips webassets
 @if [ -z ${VERSION} ]; then echo "VERSION is not set"; exit 1; fi
- docker run $(DOCKERFLAGS) -i $(NOROOT) $(BUILDBOX_FIPS_NAME) \
+ docker run $(DOCKERFLAGS) -i $(NOROOT) $(BUILDBOX_CENTOS7_FIPS) \
 /usr/bin/make -C e release -e ADDFLAGS="$(ADDFLAGS)" OS=$(OS) ARCH=$(ARCH) RUNTIME=$(GOLANG_VERSION) FIPS=yes VERSION=$(VERSION) GITTAG=v$(VERSION) REPRODUCIBLE=yes
 #
diff --git a/dronegen/buildbox.go b/dronegen/buildbox.go
index b4a696ca03feb..293ab96f7d449 100644
--- a/dronegen/buildbox.go
+++ b/dronegen/buildbox.go
@@ -52,8 +52,8 @@ func buildboxPipelineSteps() []step {
 for _, name := range []string{"buildbox", "buildbox-arm", "buildbox-centos7"} {
 for _, fips := range []bool{false, true} {
- // FIPS is unsupported on ARM/ARM64
- if name == "buildbox-arm" && fips {
+ // FIPS is only supported on centos7
+ if fips && name != "buildbox-centos7" {
 continue
 }
 steps = append(steps, buildboxPipelineStep(name, fips))
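Review bot: The `docker run` line of `release-fips` (Makefile hunk at -466) expands `$(BUILDBOX_CENTOS7_FIPS)` with nothing checking that the variable is set. The commit message says this target broke when `BUILDBOX_FIPS` was removed, so the old `BUILDBOX_FIPS_NAME` presumably expanded to nothing, and the same thing can happen again. With an empty expansion docker would take the next word, `/usr/bin/make`, as the image reference, so the FIPS release fails with an error that does not point at the real cause. A guard beside the existing VERSION check would fail early and name the problem: `@if [ -z "$(BUILDBOX_CENTOS7_FIPS)" ]; then echo "BUILDBOX_CENTOS7_FIPS is not set"; exit 1; fi`. The variable is defined outside this hunk (presumably in images.mk), so confirm the name there.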
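Review bot: The FIPS allow-list in `buildboxPipelineSteps` (dronegen/buildbox.go) is a bare string compare, `name != "buildbox-centos7"`, against a literal that is repeated in the slice two lines above. If either copy is renamed or mistyped, the only FIPS buildbox step drops out of the generated pipeline without any error. A shared constant would tie the two together, for example `const fipsBuildbox = "buildbox-centos7"` used in the slice and in `if fips && name != fipsBuildbox {`. The comment could also state the consequence, e.g. `// Only the centos7 buildbox has a FIPS variant; skip fips for every other image.`. The function body starts and ends outside the hunk.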