TykTechnologies · andrei-tyk · May 30, 2024 · May 30, 2024 · May 30, 2024 · Jun 3, 2024
@@ -31,6 +31,7 @@ jobs:
         redis-version: [5, 7]
         python-version: ["3.11"]
         go-version: [1.21.x]
+        fips: [1]
 
     steps:
       - name: Checkout Tyk
@@ -43,6 +44,11 @@ jobs:
         with:
           go-version: ${{ matrix.go-version }}
 
+      - name: Setup Golang FIPS
+        if: ${{ contains(matrix.fips, '1') }}
+        run: |
+          echo "GOEXPERIMENT=boringcrypto" >> $GITHUB_ENV
+
       - name: Setup Python
         uses: actions/setup-python@v4
         with:

diff --git a/.github/workflows/plugin-compiler-build.yml b/.github/workflows/plugin-compiler-build.yml
@@ -65,7 +65,9 @@ jobs:
           platforms: linux/amd64
           push: true
           labels: ${{ steps.set-metadata.outputs.labels }}
-          tags: ${{ steps.set-metadata.outputs.tags }}
+          tags: |
+            ${{ steps.set-metadata.outputs.tags }}
+            ${{ steps.login-ecr.outputs.registry }}/tyk-plugin-compiler:sha-${{ github.sha }}-fips-amd64
           build-args: |
             BASE-IMAGE=tykio/golang-cross:${{ env.GOLANG_CROSS }}
             GITHUB_SHA=${{ github.sha }}

@@ -28,9 +28,11 @@ jobs:
         run: task opentelemetry
 
   ci-tests:
-    name: CI Tests
+    name: 'CI Tests with fips: ${{ matrix.fips }}'
     runs-on: ubuntu-latest
-
+    strategy:
+      matrix:
+        fips: [1]
     steps:
       - uses: actions/checkout@v4
         with:
@@ -39,12 +41,18 @@ jobs:
       - id: ecr-login
         uses: ./.github/actions/ecr-login
 
+      - name: Setup Golang FIPS
+        if: ${{ contains(matrix.fips, '1') }}
+        run: |
+          echo "GOEXPERIMENT=boringcrypto" >> $GITHUB_ENV
+
       - name: Run /ci/tests
         shell: bash
         env:
           GITHUB_TAG: ${{ github.ref }}
-          GATEWAY_IMAGE: ${{ steps.ecr-login.outputs.registry }}/tyk:sha-${{ github.sha }}
-          PLUGIN_COMPILER_IMAGE: ${{ steps.ecr-login.outputs.registry }}/tyk-plugin-compiler:sha-${{ github.sha }}
+          GATEWAY_IMAGE: ${{ steps.ecr-login.outputs.registry }}/tyk:sha-${{ github.sha }}-fips-amd64
+          PLUGIN_COMPILER_IMAGE: ${{ steps.ecr-login.outputs.registry }}/tyk-plugin-compiler:sha-${{ github.sha }}-fips-amd64
+          GOEXPERIMENT: ${{ env.GOEXPERIMENT }}
         run: |
           set -eaxo pipefail
           for d in ci/tests/*/

@@ -143,7 +143,11 @@ jobs:
              for arch in amd64 arm64; do
                  docker tag tykio/tyk-gateway:${build_tag}-${arch} ${tag}-${arch} && docker push ${tag}-${arch}
              done
+             for arch in amd64; do
+                 docker tag tykio/tyk-gateway:${build_tag}-fips-${arch} ${tag}-fips-${arch} && docker push ${tag}-fips-${arch}
+              done
              docker manifest create ${tag} ${tag}-amd64 ${tag}-arm64 && docker manifest push ${tag}
+             docker manifest create ${tag}-fips ${tag}-fips-amd64 && docker manifest push ${tag}-fips
           done
       - uses: actions/upload-artifact@v4
         if: ${{ matrix.golang_cross == '1.21-bullseye' }}

diff --git a/bin/ci-tests.sh b/bin/ci-tests.sh
@@ -17,12 +17,16 @@ set -e
 
 # set tags for the CI tests run / plugin builds
 
-tags="goplugin dev"
+tags="goplugin"
+
+if [[ "$GOEXPERIMENT" == "boringcrypto" ]]; then
+    tags+=" boringcrypto"
+fi
 
 # build Go-plugin used in tests
 echo "Building go plugin"
-go build -tags "${tags}" -buildmode=plugin       -o ./test/goplugins/goplugins.so      ./test/goplugins
-go build -tags "${tags}" -buildmode=plugin -race -o ./test/goplugins/goplugins_race.so ./test/goplugins
+GOEXPERIMENT=boringcrypto go build -tags "${tags}" -buildmode=plugin       -o ./test/goplugins/goplugins.so      ./test/goplugins
+GOEXPERIMENT=boringcrypto go build -tags "${tags}" -buildmode=plugin -race -o ./test/goplugins/goplugins_race.so ./test/goplugins
 
 for pkg in ${PKGS}; do
     coveragefile=`echo "$pkg" | awk -F/ '{print $NF}'`

@@ -51,8 +51,50 @@ builds:
     goarch:
       - s390x
     binary: tyk
+  - id: fips-std-linux
+    flags:
+      - -tags=goplugin,boringcrypto
+    ldflags:
+      - -X github.com/TykTechnologies/tyk/internal/build.Version={{.Version}}
+      - -X github.com/TykTechnologies/tyk/internal/build.Commit={{.FullCommit}}
+      - -X github.com/TykTechnologies/tyk/internal/build.BuildDate={{.Date}}
+      - -X github.com/TykTechnologies/tyk/internal/build.BuiltBy=goreleaser
+    env:
+      - GOEXPERIMENT=boringcrypto
+    goos:
+      - linux
+    goarch:
+      - amd64
+    binary: tyk
 dockers:
   # Build tykio/tyk-gateway, docker.tyk.io/tyk-gateway/tyk-gateway (amd64)
+  - ids:
+      - fips
+    image_templates:
+        - "tykio/tyk-gateway:{{.Tag}}-fips-amd64"
+        - "docker.tyk.io/tyk-gateway/tyk-gateway:{{.Tag}}-fips-amd64"
+    build_flag_templates:
+      - "--build-arg=PORTS=8080"
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+    use: buildx
+    goarch: amd64
+    goos: linux
+    dockerfile: ci/Dockerfile.std
+    extra_files:
+      - "ci/install/"
+      - "README.md"
+      - "LICENSE.md"
+      - "apps/app_sample.json"
+      - "templates"
+      - "middleware"
+      - "event_handlers/sample"
+      - "policies"
+      - "coprocess"
+      - "tyk.conf.example"
   - ids:
       - std
     image_templates:
@@ -150,22 +192,27 @@ docker_manifests:
   - name_template: tykio/tyk-gateway:{{ .Tag }}
     image_templates:
       - tykio/tyk-gateway:{{ .Tag }}-amd64
+      - tykio/tyk-gateway:{{ .Tag }}-fips-amd64
       - tykio/tyk-gateway:{{ .Tag }}-arm64
   - name_template: tykio/tyk-gateway:v{{ .Major }}.{{ .Minor }}{{.Prerelease}}
     image_templates:
       - tykio/tyk-gateway:{{ .Tag }}-amd64
+      - tykio/tyk-gateway:{{ .Tag }}-fips-amd64
       - tykio/tyk-gateway:{{ .Tag }}-arm64
   - name_template: tykio/tyk-gateway:v{{ .Major }}{{.Prerelease}}
     image_templates:
       - tykio/tyk-gateway:{{ .Tag }}-amd64
+      - tykio/tyk-gateway:{{ .Tag }}-fips-amd64
       - tykio/tyk-gateway:{{ .Tag }}-arm64
   - name_template: tykio/tyk-hybrid-docker:{{ .Tag }}
     image_templates:
       - tykio/tyk-hybrid-docker:{{ .Tag }}-amd64
+        tykio/tyk-hybrid-docker:{{ .Tag }}-fips-amd64
       - tykio/tyk-hybrid-docker:{{ .Tag }}-arm64
   - name_template: docker.tyk.io/tyk-gateway/tyk-gateway:{{ .Tag }}
     image_templates:
       - docker.tyk.io/tyk-gateway/tyk-gateway:{{ .Tag }}-amd64
+      - docker.tyk.io/tyk-gateway/tyk-gateway:{{ .Tag }}-fips-amd64
       - docker.tyk.io/tyk-gateway/tyk-gateway:{{ .Tag }}-arm64
 nfpms:
   - id: std
@@ -227,6 +274,63 @@ nfpms:
       signature:
         key_file: tyk.io.signing.key
         type: origin
+  - id: fips
+    vendor: "Tyk Technologies Ltd"
+    homepage: "https://tyk.io"
+    maintainer: "Tyk <[email protected]>"
+    description: Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols
+    package_name: tyk-gateway
+    file_name_template: "{{ .ConventionalFileName }}"
+    builds:
+      - fips-std-linux
+    formats:
+      - deb
+      - rpm
+    contents:
+      - src: "README.md"
+        dst: "/opt/share/docs/tyk-gateway/README.md"
+      - src: "ci/install/*"
+        dst: "/opt/tyk-gateway/install"
+      - src: ci/install/inits/systemd/system/tyk-gateway.service
+        dst: /lib/systemd/system/tyk-gateway.service
+      - src: ci/install/inits/sysv/init.d/tyk-gateway
+        dst: /etc/init.d/tyk-gateway
+      - src: /opt/tyk-gateway
+        dst: /opt/tyk
+        type: "symlink"
+      - src: "LICENSE.md"
+        dst: "/opt/share/docs/tyk-gateway/LICENSE.md"
+      - src: "apps/app_sample.*"
+        dst: "/opt/tyk-gateway/apps"
+      - src: "templates/*.json"
+        dst: "/opt/tyk-gateway/templates"
+      - src: "templates/playground/*"
+        dst: "/opt/tyk-gateway/templates/playground"
+      - src: "middleware/*.js"
+        dst: "/opt/tyk-gateway/middleware"
+      - src: "event_handlers/sample/*.js"
+        dst: "/opt/tyk-gateway/event_handlers/sample"
+      - src: "policies/*.json"
+        dst: "/opt/tyk-gateway/policies"
+      - src: "coprocess/*"
+        dst: "/opt/tyk-gateway/coprocess"
+      - src: tyk.conf.example
+        dst: /opt/tyk-gateway/tyk.conf
+        type: "config|noreplace"
+    scripts:
+      preinstall: "ci/install/before_install.sh"
+      postinstall: "ci/install/post_install.sh"
+      postremove: "ci/install/post_remove.sh"
+    bindir: "/opt/tyk-gateway"
+    rpm:
+      scripts:
+        posttrans: ci/install/post_trans.sh
+      signature:
+        key_file: tyk.io.signing.key
+    deb:
+      signature:
+        key_file: tyk.io.signing.key
+        type: origin
 publishers:
   - name: tyk-gateway-unstable
     env:

@@ -25,12 +25,15 @@ RUN --mount=type=cache,mode=0755,target=/go/pkg/mod go mod download
 ADD . $TYK_GW_PATH
 
 # Provide a gateway test binary for testing plugin loading.
-RUN --mount=type=cache,mode=0755,target=/go/pkg/mod GOBIN=/usr/local/bin go install -tags=goplugin -trimpath .
+RUN --mount=type=cache,mode=0755,target=/go/pkg/mod GOBIN=/usr/local/bin go install -tags=goplugin,boringcrypto -trimpath .
 
 ARG GITHUB_SHA
 ARG GITHUB_TAG
 ENV GITHUB_SHA ${GITHUB_SHA}
 ENV GITHUB_TAG ${GITHUB_TAG}
+ENV GOEXPERIMENT ${GOEXPERIMENT}
+
+RUN echo "GOEXPERIMENT: $GOEXPERIMENT"
 
 COPY ci/images/plugin-compiler/data/build.sh /build.sh
 RUN chmod +x /build.sh

@@ -145,7 +145,15 @@ if [[ "$DEBUG" == "1" ]] ; then
 	git diff --cached
 fi
 
-CC=$CC CGO_ENABLED=1 GOOS=$GOOS GOARCH=$GOARCH go build -buildmode=plugin -trimpath -o $plugin_name
+tags="goplugin"
+
+#if [[ "$GOEXPERIMENT" == "boringcrypto" ]]; then
+tags+=" boringcrypto"
+#fi
+
+echo "Tags: $tags"
+
+CC=$CC GOEXPERIMENT=boringcrypto CGO_ENABLED=1 GOOS=$GOOS GOARCH=$GOARCH go build -buildmode=plugin -tags=goplugin,boringcrypto -trimpath -o $plugin_name
 
 set +x
 

@@ -0,0 +1,6 @@
+//go:build boringcrypto
+// +build boringcrypto
+
+package main
+
+import _ "crypto/tls/fipsonly"
@@ -1,5 +1,3 @@
 module github.com/TykTechnologies/tyk/smoke-tests/plugin-compiler/foobar-plugin
 
 go 1.21
-
-require github.com/kr/pretty v0.3.1 // indirect
@@ -0,0 +1,6 @@
+//go:build boringcrypto
+// +build boringcrypto
+
+package main
+
+import _ "crypto/tls/fipsonly"
@@ -1,5 +1,5 @@
 module github.com/TykTechnologies/tyk/smoke-tests/plugin-compiler/helloworld-plugin
 
-go 1.21
+go 1.21.0
 
-require github.com/kr/pretty v0.3.1 // indirect
+toolchain go1.21.4
@@ -19,7 +19,7 @@ trap "docker compose down --remove-orphans" EXIT
 # Clean up loose .so files, rebuild plugin and normalize plugin name.
 PLUGIN_SOURCE_PATH=$PWD/testdata/test-plugin
 rm -fv $PLUGIN_SOURCE_PATH/*.so || true
-docker run --rm -v $PLUGIN_SOURCE_PATH:/plugin-source $PLUGIN_COMPILER_IMAGE plugin.so
+docker run --rm -v $PLUGIN_SOURCE_PATH:/plugin-source -e GOEXPERIMENT='boringcrypto' $PLUGIN_COMPILER_IMAGE plugin.so
 cp $PLUGIN_SOURCE_PATH/*.so $PLUGIN_SOURCE_PATH/plugin.so 
 
 docker compose up -d --wait --force-recreate || { docker compose logs gw; exit 1; }

@@ -0,0 +1,6 @@
+//go:build boringcrypto
+// +build boringcrypto
+
+package main
+
+import _ "crypto/tls/fipsonly"
@@ -1,3 +1,5 @@
 module example.com/basic-plugin
 
-go 1.21
+go 1.21.0
+
+toolchain go1.21.4
@@ -0,0 +1,6 @@
+//go:build boringcrypto
+// +build boringcrypto
+
+package main
+
+import _ "crypto/tls/fipsonly"
@@ -1,3 +1,6 @@
 module example.com/basic-plugin
 
-go 1.19
+go 1.21.0
+
+toolchain go1.21.4
+
@@ -0,0 +1,6 @@
+//go:build boringcrypto
+// +build boringcrypto
+
+package main
+
+import _ "crypto/tls/fipsonly"
@@ -0,0 +1,6 @@
+//go:build boringcrypto
+// +build boringcrypto
+
+package main
+
+import _ "crypto/tls/fipsonly"
@@ -8,4 +8,4 @@ require (
 	github.com/kr/pretty v0.2.1
 )
 
-replace github.com/jensneuse/graphql-go-tools => github.com/TykTechnologies/graphql-go-tools v1.6.2-0.20210609111804-af8c15678972
+replace github.com/jensneuse/graphql-go-tools => github.com/TykTechnologies/graphql-go-tools v1.6.2-0.20210609111804-af8c15678972