[v13] Remove unused FIPS infrastructure

.drone.yml

@@ -6100,29 +6100,6 @@ steps:
     path: /var/run
   - name: dockerconfig
     path: /root/.docker
-- name: Build and push buildbox-fips
-  image: docker
-  pull: if-not-exists
-  commands:
-  - apk add --no-cache make aws-cli
-  - chown -R $UID:$GID /go
-  - aws ecr get-login-password --profile staging --region=us-west-2 | docker login
-    -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com
-  - make -C build.assets buildbox-fips
-  - docker tag public.ecr.aws/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION
-    146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA
-  - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA
-  - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com
-  - aws ecr-public get-login-password --profile production --region=us-east-1 | docker
-    login -u="AWS" --password-stdin public.ecr.aws
-  - docker push public.ecr.aws/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION
-  volumes:
-  - name: awsconfig
-    path: /root/.aws
-  - name: dockersock
-    path: /var/run
-  - name: dockerconfig
-    path: /root/.docker
 - name: Build and push buildbox-arm
   image: docker
   pull: if-not-exists
@@ -17166,6 +17143,6 @@ image_pull_secrets:
 - DOCKERHUB_CREDENTIALS
 ---
 kind: signature
-hmac: a3a67d99406db9b0bc8012209e4dd7c3ba76984ce1a2b3d5b487b310a0c4f0cd
+hmac: 5c2bc182fb858e4e9d8ee897d13604c9e6841e0c874c5b9cfc1ff971fafe55d3
 
 ...

build.assets/Makefile

@@ -40,7 +40,6 @@ include grpcbox.mk # Requires images.mk
 # target. The other solution was to remove the 'buildbox' dependency from the 'release' target, but this would
 # make it harder to run `make -C build.assets release` locally as the buildbox would not automatically be built.
 BUILDBOX_NAME=$(BUILDBOX)
-BUILDBOX_FIPS_NAME=$(BUILDBOX_FIPS)
 
 DOCSBOX=ghcr.io/gravitational/docs
 
@@ -143,20 +142,7 @@ buildbox:
 # Builds a Docker buildbox for FIPS
 #
 .PHONY:buildbox-fips
-buildbox-fips:
-	if [[ "$(BUILDBOX_FIPS_NAME)" == "$(BUILDBOX_FIPS)" ]]; then \
-		if [[ $${DRONE} == "true" ]] && ! docker inspect --type=image $(BUILDBOX_FIPS) 2>&1 >/dev/null; then docker pull $(BUILDBOX_FIPS) || true; fi; \
-		docker build \
-			--build-arg UID=$(UID) \
-			--build-arg GID=$(GID) \
-			--build-arg BUILDARCH=$(RUNTIME_ARCH) \
-			--build-arg GOLANG_VERSION=$(GOLANG_VERSION) \
-			--build-arg NODE_VERSION=$(NODE_VERSION) \
-			--build-arg RUST_VERSION=$(RUST_VERSION) \
-			--build-arg LIBBPF_VERSION=$(LIBBPF_VERSION) \
-			--cache-from $(BUILDBOX_FIPS) \
-			--tag $(BUILDBOX_FIPS) -f Dockerfile-fips . ; \
-	fi
+buildbox-fips: buildbox-centos7-fips
 
 #
 # Builds a Docker buildbox for CentOS 7 builds
@@ -206,20 +192,6 @@ buildbox-arm: buildbox
 		--cache-from $(BUILDBOX_ARM) \
 		--tag $(BUILDBOX_ARM) -f Dockerfile-arm .
 
-#
-# Builds a Docker buildbox for ARMv7/ARM64 FIPS builds
-# ARM buildboxes use a regular Teleport buildbox as a base which already has a user
-# with the correct UID and GID created, so those arguments are not needed here.
-#
-.PHONY:buildbox-arm-fips
-buildbox-arm-fips: buildbox-fips
-	@if [[ $${DRONE} == "true" ]] && ! docker inspect --type=image $(BUILDBOX_ARM_FIPS) 2>&1 >/dev/null; then docker pull $(BUILDBOX_ARM_FIPS) || true; fi;
-	docker build \
-		--build-arg BUILDBOX_VERSION=$(BUILDBOX_VERSION) \
-		--cache-from $(BUILDBOX_FIPS) \
-		--cache-from $(BUILDBOX_ARM_FIPS) \
-		--tag $(BUILDBOX_ARM_FIPS) -f Dockerfile-arm-fips .
-
 CONNECT_VERSION ?= $(VERSION)
 ifeq ($(CONNECT_VERSION),)
 CONNECT_VERSION := $(BUILDBOX_VERSION)-dev
@@ -408,8 +380,7 @@ release-amd64:
 	$(MAKE) release ARCH=amd64 FIDO2=yes
 
 .PHONY: release-amd64-fips
-release-amd64-fips:
-	$(MAKE) release-fips ARCH=amd64 FIPS=yes BUILDBOX_FIPS_NAME=$(BUILDBOX_FIPS)
+release-amd64-fips: release-amd64-centos7-fips
 
 .PHONY: release-386
 release-386:
@@ -494,9 +465,9 @@ release-enterprise:
 # CI should not use this target, it should use named Makefile targets like release-amd64-fips.
 #
 .PHONY:release-fips
-release-fips: buildbox-fips webassets
+release-fips: buildbox-centos7-fips webassets
 	@if [ -z ${VERSION} ]; then echo "VERSION is not set"; exit 1; fi
-	docker run $(DOCKERFLAGS) -i $(NOROOT) $(BUILDBOX_FIPS_NAME) \
+	docker run $(DOCKERFLAGS) -i $(NOROOT) $(BUILDBOX_CENTOS7_FIPS) \
 		/usr/bin/make -C e release -e ADDFLAGS="$(ADDFLAGS)" OS=$(OS) ARCH=$(ARCH) RUNTIME=$(GOLANG_VERSION) FIPS=yes VERSION=$(VERSION) GITTAG=v$(VERSION) REPRODUCIBLE=yes
 
 #

build.assets/images.mk

@@ -6,11 +6,9 @@ BUILDBOX_VERSION ?= teleport13
 BUILDBOX_BASE_NAME ?= public.ecr.aws/gravitational/teleport-buildbox
 
 BUILDBOX=$(BUILDBOX_BASE_NAME):$(BUILDBOX_VERSION)
-BUILDBOX_FIPS=$(BUILDBOX_BASE_NAME)-fips:$(BUILDBOX_VERSION)
 BUILDBOX_CENTOS7=$(BUILDBOX_BASE_NAME)-centos7:$(BUILDBOX_VERSION)
 BUILDBOX_CENTOS7_FIPS=$(BUILDBOX_BASE_NAME)-centos7-fips:$(BUILDBOX_VERSION)
 BUILDBOX_ARM=$(BUILDBOX_BASE_NAME)-arm:$(BUILDBOX_VERSION)
-BUILDBOX_ARM_FIPS=$(BUILDBOX_BASE_NAME)-arm-fips:$(BUILDBOX_VERSION)
 BUILDBOX_UI=$(BUILDBOX_BASE_NAME)-ui:$(BUILDBOX_VERSION)
 BUILDBOX_CONNECT=$(BUILDBOX_BASE_NAME)-connect:$(BUILDBOX_VERSION)
 BUILDBOX_CENTOS7_ASSETS=$(BUILDBOX_BASE_NAME)-centos7-assets:$(BUILDBOX_VERSION)

dronegen/buildbox.go

@@ -52,8 +52,8 @@ func buildboxPipelineSteps() []step {
 
 	for _, name := range []string{"buildbox", "buildbox-arm", "buildbox-centos7"} {
 		for _, fips := range []bool{false, true} {
-			// FIPS is unsupported on ARM/ARM64
-			if name == "buildbox-arm" && fips {
+			// FIPS is only supported on centos7
+			if fips && name != "buildbox-centos7" {
 				continue
 			}
 			steps = append(steps, buildboxPipelineStep(name, fips))