sspaeth-r7 · February 21, 2024 21:04 · sspaeth-r7 · Feb 21, 2024
diff --git a/istio-fips-build.sh b/istio-fips-build.sh
 #!/bin/bash -xeu
 # -e used in shebang and pipefail because if there's
 # a failure somewhere mid-pipe chain WE NEED TO KNOW
 # -u throws an error when using undefined variables
 set -o pipefail

 git clone https://github.com/istio/tools.git --depth 1
 pushd tools/docker/build-tools
 git fetch --tags
 git checkout "${ISTIO_VERSION}"

 # Patch tools so a newer Ubuntu is used, fixes missing libtinfo.so.6 error
 sed -i'' \
  -e 's/^FROM ubuntu:xenial AS clang_context_amd64$/FROM ubuntu:focal AS clang_context_amd64/g' \
  -e 's/^FROM ubuntu:xenial AS build_env_proxy_amd64$/FROM ubuntu:focal AS build_env_proxy_amd64/g' \
  -e 's/^FROM ubuntu:xenial AS bazel_context_amd64$/FROM ubuntu:focal AS bazel_context_amd64/g' \
  -e 's/^ENV UBUNTU_RELEASE_CODE_NAME=xenial$/ENV UBUNTU_RELEASE_CODE_NAME=focal/g' \
  -e 's/^ENV UBUNTU_RELEASE_CODE_NAME=bionic$/ENV UBUNTU_RELEASE_CODE_NAME=focal/g' \
  -e 's/^FROM ubuntu:bionic AS clang_context_arm64$/FROM ubuntu:focal AS clang_context_arm64/g' \
  -e 's/^FROM ubuntu:bionic AS bazel_context_arm64$/FROM ubuntu:focal AS bazel_context_arm64/g' \
  -e 's/^FROM ubuntu:bionic AS build_env_proxy_arm64$/FROM ubuntu:focal AS build_env_proxy_arm64/g' \
  -e 's/^FROM ubuntu:18.04 AS clang_context_amd64$/FROM ubuntu:20.04 AS clang_context_amd64/g' \
  -e 's/^FROM ubuntu:18.04 AS build_env_proxy_amd64$/FROM ubuntu:20.04 AS build_env_proxy_amd64/g' \
  -e 's/^ENV UBUNTU_RELEASE_VERSION=18.04$/ENV UBUNTU_RELEASE_VERSION=20.04/g' \
  -e 's/^ENV DOCKER_VERSION=5:20.10.7~3-0~ubuntu/ENV DOCKER_VERSION=5:20.10.14~3-0~ubuntu/' \
  -e 's/^ENV CONTAINERD_VERSION=1.4.6-1/ENV CONTAINERD_VERSION=1.6.12-1/' \
  -e 's/python \\\\/#python \\\\/' \
  Dockerfile

 # Build tools
 DRY_RUN=true ./build-and-push.sh
 popd

 git clone https://github.com/istio/proxy.git --depth 1
 pushd proxy
 git fetch --tags
 git checkout "${ISTIO_VERSION}"
 export GOOS=linux

 # Compile envoy with FIPS: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2
 echo "build --define boringssl=fips" >> .bazelrc

 # Make the targets using the build tools image built above which is now in local registry
 IMG=gcr.io/istio-testing/build-tools-proxy:release-${MAJOR_ISTIO_VERSION}-latest-amd64 BAZEL_BUILD_ARGS=--config=release VERSION="${TAG}" BUILD_WITH_CONTAINER=1 TARGET_OS=linux make build build_envoy exportcache

 popd

 git clone https://github.com/istio/istio.git --depth 1
 pushd istio
 git fetch --tags
 git checkout "${ISTIO_VERSION}"

 # Pre-built binaries need to copied with SHA in name, otherwise build process will download it from gc bucket
 # https://github.com/istio/istio/blob/1.18.1/bin/init.sh#L106

 # Populate the git version for istio/proxy (i.e. Envoy)
 PROXY_REPO_SHA=$(jq -r '.[] | select(.name == "PROXY_REPO_SHA").lastStableSHA' istio.deps)

 # Copy locally built binaries
 mkdir -p out/linux_amd64/release
 cp -f ../proxy/out/linux_amd64/envoy out/linux_amd64/release/envoy-${PROXY_REPO_SHA}
 cp -f out/linux_amd64/release/envoy-${PROXY_REPO_SHA} out/linux_amd64/release/envoy

 # Patch Makefile to use BoringCrypto: https://github.com/tetratelabs/istio/blob/tetrate-workflow/tetrateci/docs/fips.md
 sed -i'' -e 's%GOOS=linux%CGO_ENABLED=1 GOEXPERIMENT=boringcrypto GOOS=linux%' Makefile.core.mk

 # Envoy built with BoringSSL requires libc++ installed in the docker image, patch Dockerfile to install libc++
 # Both dockerfiles are also patched to remove extra junk when building, giving us minified images
 for FILE in "Dockerfile.proxyv2" "Dockerfile.pilot"; do
  PATCH="$WORKSPACE/$SCRIPT_DIR/patches/$FILE.patch"
  [[ -f "$PATCH" ]] || { echo "Patch file '$PATCH' not found. Failing..."; exit 1; }
  sed -i'' "/FROM \\${BASE_DISTRIBUTION/r $PATCH" pilot/docker/$FILE
 done

 # Build pilot and proxy (need to tag here to correctly report when doing istioctl version)
 DOCKER_SOCKET_MOUNT='-v /docker-socket/docker.sock:/docker-socket/docker.sock' BAZEL_BUILD_ARGS=--config=release VERSION="${TAG}" BUILD_WITH_CONTAINER=1 TARGET_OS=linux make docker.pilot docker.proxyv2

 # Prove to anyone inspecting build output that images were built with FIPS-compliant libraries
 docker run --rm --entrypoint="" localhost:5000/proxyv2:$TAG envoy --version
 docker run --rm --entrypoint="" localhost:5000/proxyv2:$TAG pilot-agent version
 docker run --rm --entrypoint="" localhost:5000/pilot:$TAG pilot-discovery version
diff --git a/z-Dockerfile.pilot.patch b/z-Dockerfile.pilot.patch
 RUN apt-get update \
  && apt remove -y curl libkrb5-3 netcat-openbsd netcat procps tcpdump xz-utils || true \
  && apt-get upgrade -y \
  && apt-get autoremove -y \
  && apt-get clean \
  && rm -rf /tmp/* /var/tmp/* \
  && rm -rf /var/lib/apt/lists/*
diff --git a/z-Dockerfile.proxyv2.patch b/z-Dockerfile.proxyv2.patch
 RUN apt-get update \
  && apt remove -y curl libkrb5-3 netcat-openbsd netcat procps tcpdump xz-utils || true \
  && apt-get upgrade -y \
  && apt-get install -y libc++1 \
  && apt-get autoremove -y \
  && apt-get clean \
  && rm -rf /tmp/* /var/tmp/* \
  && rm -rf /var/lib/apt/lists/*
	#!/bin/bash -xeu
	# -e used in shebang and pipefail because if there's
	# a failure somewhere mid-pipe chain WE NEED TO KNOW
	# -u throws an error when using undefined variables
	set -o pipefail

	git clone https://github.com/istio/tools.git --depth 1
	pushd tools/docker/build-tools
	git fetch --tags
	git checkout "${ISTIO_VERSION}"

	# Patch tools so a newer Ubuntu is used, fixes missing libtinfo.so.6 error
	sed -i'' \
	-e 's/^FROM ubuntu:xenial AS clang_context_amd64$/FROM ubuntu:focal AS clang_context_amd64/g' \
	-e 's/^FROM ubuntu:xenial AS build_env_proxy_amd64$/FROM ubuntu:focal AS build_env_proxy_amd64/g' \
	-e 's/^FROM ubuntu:xenial AS bazel_context_amd64$/FROM ubuntu:focal AS bazel_context_amd64/g' \
	-e 's/^ENV UBUNTU_RELEASE_CODE_NAME=xenial$/ENV UBUNTU_RELEASE_CODE_NAME=focal/g' \
	-e 's/^ENV UBUNTU_RELEASE_CODE_NAME=bionic$/ENV UBUNTU_RELEASE_CODE_NAME=focal/g' \
	-e 's/^FROM ubuntu:bionic AS clang_context_arm64$/FROM ubuntu:focal AS clang_context_arm64/g' \
	-e 's/^FROM ubuntu:bionic AS bazel_context_arm64$/FROM ubuntu:focal AS bazel_context_arm64/g' \
	-e 's/^FROM ubuntu:bionic AS build_env_proxy_arm64$/FROM ubuntu:focal AS build_env_proxy_arm64/g' \
	-e 's/^FROM ubuntu:18.04 AS clang_context_amd64$/FROM ubuntu:20.04 AS clang_context_amd64/g' \
	-e 's/^FROM ubuntu:18.04 AS build_env_proxy_amd64$/FROM ubuntu:20.04 AS build_env_proxy_amd64/g' \
	-e 's/^ENV UBUNTU_RELEASE_VERSION=18.04$/ENV UBUNTU_RELEASE_VERSION=20.04/g' \
	-e 's/^ENV DOCKER_VERSION=5:20.10.7~3-0~ubuntu/ENV DOCKER_VERSION=5:20.10.14~3-0~ubuntu/' \
	-e 's/^ENV CONTAINERD_VERSION=1.4.6-1/ENV CONTAINERD_VERSION=1.6.12-1/' \
	-e 's/python \\\\/#python \\\\/' \
	Dockerfile

	# Build tools
	DRY_RUN=true ./build-and-push.sh
	popd

	git clone https://github.com/istio/proxy.git --depth 1
	pushd proxy
	git fetch --tags
	git checkout "${ISTIO_VERSION}"
	export GOOS=linux

	# Compile envoy with FIPS: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2
	echo "build --define boringssl=fips" >> .bazelrc

	# Make the targets using the build tools image built above which is now in local registry
	IMG=gcr.io/istio-testing/build-tools-proxy:release-${MAJOR_ISTIO_VERSION}-latest-amd64 BAZEL_BUILD_ARGS=--config=release VERSION="${TAG}" BUILD_WITH_CONTAINER=1 TARGET_OS=linux make build build_envoy exportcache

	popd

	git clone https://github.com/istio/istio.git --depth 1
	pushd istio
	git fetch --tags
	git checkout "${ISTIO_VERSION}"

	# Pre-built binaries need to copied with SHA in name, otherwise build process will download it from gc bucket
	# https://github.com/istio/istio/blob/1.18.1/bin/init.sh#L106

	# Populate the git version for istio/proxy (i.e. Envoy)
	PROXY_REPO_SHA=$(jq -r '.[] \| select(.name == "PROXY_REPO_SHA").lastStableSHA' istio.deps)

	# Copy locally built binaries
	mkdir -p out/linux_amd64/release
	cp -f ../proxy/out/linux_amd64/envoy out/linux_amd64/release/envoy-${PROXY_REPO_SHA}
	cp -f out/linux_amd64/release/envoy-${PROXY_REPO_SHA} out/linux_amd64/release/envoy

	# Patch Makefile to use BoringCrypto: https://github.com/tetratelabs/istio/blob/tetrate-workflow/tetrateci/docs/fips.md
	sed -i'' -e 's%GOOS=linux%CGO_ENABLED=1 GOEXPERIMENT=boringcrypto GOOS=linux%' Makefile.core.mk

	# Envoy built with BoringSSL requires libc++ installed in the docker image, patch Dockerfile to install libc++
	# Both dockerfiles are also patched to remove extra junk when building, giving us minified images
	for FILE in "Dockerfile.proxyv2" "Dockerfile.pilot"; do
	PATCH="$WORKSPACE/$SCRIPT_DIR/patches/$FILE.patch"
	[[ -f "$PATCH" ]] \|\| { echo "Patch file '$PATCH' not found. Failing..."; exit 1; }
	sed -i'' "/FROM \\${BASE_DISTRIBUTION/r $PATCH" pilot/docker/$FILE
	done

	# Build pilot and proxy (need to tag here to correctly report when doing istioctl version)
	DOCKER_SOCKET_MOUNT='-v /docker-socket/docker.sock:/docker-socket/docker.sock' BAZEL_BUILD_ARGS=--config=release VERSION="${TAG}" BUILD_WITH_CONTAINER=1 TARGET_OS=linux make docker.pilot docker.proxyv2

	# Prove to anyone inspecting build output that images were built with FIPS-compliant libraries
	docker run --rm --entrypoint="" localhost:5000/proxyv2:$TAG envoy --version
	docker run --rm --entrypoint="" localhost:5000/proxyv2:$TAG pilot-agent version
	docker run --rm --entrypoint="" localhost:5000/pilot:$TAG pilot-discovery version
	RUN apt-get update \
	&& apt remove -y curl libkrb5-3 netcat-openbsd netcat procps tcpdump xz-utils \|\| true \
	&& apt-get upgrade -y \
	&& apt-get autoremove -y \
	&& apt-get clean \
	&& rm -rf /tmp/* /var/tmp/* \
	&& rm -rf /var/lib/apt/lists/*