diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8974768..94c2fb2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -19,12 +19,14 @@ jobs:
 DOCKER_IMAGE: smallstep/step-kms-plugin
 CLOUD_TAG: cloud
 DEBIAN_TAG: bullseye
+ WOLFI_TAG: wolfi
 outputs:
 version: ${{ steps.extract-tag.outputs.VERSION }}
 is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
 docker_tags: ${{ env.DOCKER_TAGS }}
 docker_tags_cloud: ${{ env.DOCKER_TAGS_CLOUD }}
 docker_tags_debian: ${{ env.DOCKER_TAGS_DEBIAN }}
+ docker_tags_wolfi: ${{ env.DOCKER_TAGS_WOLFI }}
 steps:
 - name: Is Pre-release
 id: is_prerelease
@@ -43,6 +45,7 @@ jobs:
 echo "DOCKER_TAGS=${{ env.DOCKER_IMAGE }}:${VERSION}" >> "${GITHUB_ENV}"
 echo "DOCKER_TAGS_CLOUD=${{ env.DOCKER_IMAGE }}:${VERSION}-${CLOUD_TAG}" >> "${GITHUB_ENV}"
 echo "DOCKER_TAGS_DEBIAN=${{ env.DOCKER_IMAGE }}:${VERSION}-${DEBIAN_TAG}" >> "${GITHUB_ENV}"
+ echo "DOCKER_TAGS_WOLFI=${{ env.DOCKER_IMAGE }}:${VERSION}-${WOLFI_TAG}" >> "${GITHUB_ENV}"
 - name: Add Latest Tag
 if: steps.is_prerelease.outputs.IS_PRERELEASE == 'false'
 run: |
@@ -50,6 +53,7 @@ jobs:
 echo "DOCKER_TAGS=${{ env.DOCKER_TAGS }},${{ env.DOCKER_IMAGE }}:latest" >> "${GITHUB_ENV}"
 echo "DOCKER_TAGS_CLOUD=${{ env.DOCKER_IMAGE }}:${CLOUD_TAG}" >> "${GITHUB_ENV}"
 echo "DOCKER_TAGS_DEBIAN=${{ env.DOCKER_IMAGE }}:${DEBIAN_TAG}" >> "${GITHUB_ENV}"
+ echo "DOCKER_TAGS_WOLFI=${{ env.DOCKER_IMAGE }}:${WOLFI_TAG}" >> "${GITHUB_ENV}"
 - name: Create Release
 id: create_release
 uses: actions/create-release@v1
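Review bot: In the Add Latest Tag step, the new `DOCKER_TAGS_WOLFI=` line replaces the `${VERSION}-wolfi` tag computed in the previous step with the bare `wolfi` tag, so a non-prerelease run pushes the wolfi image without any version-pinned tag, whereas the `DOCKER_TAGS` line above keeps the versioned tag and appends `:latest`. This mirrors the existing cloud and debian lines, so it may be intended, but for an image whose purpose is a FIPS build a version-pinned reference is what consumers will want to pull and audit against. If the versioned tag should survive, `echo "DOCKER_TAGS_WOLFI=${{ env.DOCKER_TAGS_WOLFI }},${{ env.DOCKER_IMAGE }}:${WOLFI_TAG}" >> "${GITHUB_ENV}"` follows the pattern the `DOCKER_TAGS` line already uses. The enclosing `run: |` block starts outside this hunk.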
@@ -117,3 +121,17 @@ jobs:
 docker_image: smallstep/step-kms-plugin
 docker_file: docker/Dockerfile.cloud
 secrets: inherit
+
+ build_upload_docker_wolfi:
+ name: Build & Upload Wolfi Docker Image
+ needs: create_release
+ permissions:
+ id-token: write
+ contents: write
+ uses: smallstep/workflows/.github/workflows/docker-buildx-push.yml@main
+ with:
+ platforms: linux/amd64
+ tags: ${{ needs.create_release.outputs.docker_tags_wolfi }}
+ docker_image: smallstep/step-kms-plugin
+ docker_file: docker/Dockerfile.wolfi
+ secrets: inherit
diff --git a/Makefile b/Makefile
index 41ab91f..4e6ed1c 100644
--- a/Makefile
+++ b/Makefile
@@ -62,7 +62,11 @@ build:
 $Q go build -v -o $(PREFIX)bin/$(BINNAME) $(LDFLAGS) $(PKG)
 @echo "Build Complete!"
 
-.PHONY: build
+build-fips:
+ $Q GOEXPERIMENT="boringcrypto" go build -v -tags fips,noyubikey -o $(PREFIX)bin/$(BINNAME) $(LDFLAGS) $(PKG)
+ @echo "Build Complete!"
+
+.PHONY: build build-fips
 
 #########################################
 # Go generate
diff --git a/cmd/fips.go b/cmd/fips.go
new file mode 100644
index 0000000..b13de5e
--- /dev/null
+++ b/cmd/fips.go
@@ -0,0 +1,20 @@
+// Copyright 2022 Smallstep Labs, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build fips
+// +build fips
+
+package cmd
+
+import _ "crypto/tls/fipsonly"
diff --git a/docker/Dockerfile.wolfi b/docker/Dockerfile.wolfi
new file mode 100644
index 0000000..599c55b
--- /dev/null
+++ b/docker/Dockerfile.wolfi
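Review bot: The new `build_upload_docker_wolfi` job calls the reusable workflow at the mutable `@main` ref while granting `id-token: write`, `contents: write` and `secrets: inherit`, so the FIPS image release runs whatever that branch holds at run time with access to every repository secret. The sibling jobs above presumably use the same ref (their `uses:` lines are outside the hunk), so this is consistent with the file, but a release job is where pinning `smallstep/workflows/.github/workflows/docker-buildx-push.yml` to a tag or commit SHA pays off most, since it makes the build reproducible and the workflow change reviewable. `platforms: linux/amd64` is also narrower than the other image jobs appear to be and deserves a one-line reason, e.g. `# amd64 only: build-fips relies on GOEXPERIMENT=boringcrypto`, so the next reader does not widen it without checking.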
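Review bot: `build-fips` sets `GOEXPERIMENT="boringcrypto"` but not `CGO_ENABLED=1`; as far as I recall the BoringCrypto backend is only compiled in when cgo is enabled on linux/amd64 or linux/arm64, and otherwise the build silently falls back to the pure-Go crypto while still being shipped as the FIPS build. Making the requirement explicit, `$Q CGO_ENABLED=1 GOEXPERIMENT="boringcrypto" go build -v -tags fips,noyubikey -o $(PREFIX)bin/$(BINNAME) $(LDFLAGS) $(PKG)`, makes the build fail when no C toolchain is present instead of producing a non-FIPS binary under the FIPS name. The target also writes to the same `$(PREFIX)bin/$(BINNAME)` as `build`, so running both overwrites the earlier result; a comment above the target such as `# build-fips: BoringCrypto-backed build (linux/amd64 or arm64, cgo required); writes the same output path as build` would record both constraints. The recipe lines were collapsed in this view, so confirm they are tab-indented.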
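Review bot: The blank import of `crypto/tls/fipsonly` has no comment saying what it does or what it depends on: it restricts TLS to FIPS-approved settings only when the binary is built with `GOEXPERIMENT=boringcrypto`, and as far as I recall that package is itself guarded by the `boringcrypto` build constraint, so `-tags fips` without the experiment fails to compile rather than degrading silently. A short comment above `package cmd`, e.g. `// Built only with -tags fips (see make build-fips). Forces TLS into FIPS-only mode; requires GOEXPERIMENT=boringcrypto, otherwise this file does not compile.`, would record that coupling for whoever next touches the Makefile or the Dockerfile. The `// +build fips` line is only needed while the module still supports Go versions before 1.17; if it does not, the `//go:build` line alone suffices.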
@@ -0,0 +1,18 @@
+FROM cgr.dev/chainguard/wolfi-base:latest AS builder
+
+WORKDIR /src
+COPY . .
+
+RUN apk update
+RUN apk add git make pkgconf gcc go
+RUN make V=1 build-fips
+
+FROM cgr.dev/chainguard/wolfi-base:latest
+
+COPY --from=builder /src/bin/step-kms-plugin /usr/bin/step-kms-plugin
+
+USER root
+RUN apk update
+RUN apk add p11-kit
+
+CMD ["/bin/sh"]
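Review bot: Both stages pull `cgr.dev/chainguard/wolfi-base:latest` and install unpinned `apk` packages, so the FIPS release image is built with whatever `go` toolchain and base exist on the day the workflow runs, which makes rebuilds non-reproducible and leaves no record of which toolchain produced the binary; pin the builder and runtime `FROM` lines by digest (`cgr.dev/chainguard/wolfi-base@sha256:<digest>`, value to be filled in) and consider pinning the `go` package version as well. The final stage explicitly sets `USER root` and never switches away, so `step-kms-plugin` runs as root inside the container; installing `p11-kit` as root and then switching to an unprivileged user is the usual shape. `COPY . .` also copies the entire build context into the builder stage, so anything untracked in the checkout ends up in that layer unless a `.dockerignore` excludes it.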