From a5ecec4feb14e3905550d6c77548f438236ac07c Mon Sep 17 00:00:00 2001 From: Matias Melograno Date: Fri, 26 Jan 2024 14:44:28 -0300 Subject: [PATCH 1/8] added entrypoint for flagsets --- infra/entrypoint.sh | 15 +++++++++++++++ infra/sidecar.Dockerfile | 4 ++-- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/infra/entrypoint.sh b/infra/entrypoint.sh index ecaa72e..f01517d 100755 --- a/infra/entrypoint.sh +++ b/infra/entrypoint.sh @@ -9,6 +9,16 @@ TPL_FILE="${TPL_FILE:-${SCRIPT_DIR}/splitd.yaml.tpl}" SPLITD_CFG_OUTPUT="${SPLITD_CFG_OUTPUT:-/etc/splitd.yaml}" SPLITD_EXEC="${SPLITD_EXEC:-/opt/splitd/splitd}" +function prepare_sets() { + local RES="[" + local IFS=',' + read -ra SETS <<< "${1}" + for SET in "${SETS[@]}"; do + RES="${RES}\"${SET}\"," + done + echo "${RES/%,}]" +} + # Validate mandatory arguments and initialize the template with those values [ -z ${SPLITD_APIKEY+x} ] && echo "SPLITD_APIKEY env var is mandatory." && exit 1 [ -z ${SPLITD_LINK_ADDRESS+x} ] && echo "SPLITD_LINK_ADDRESS env var is mandatory." && exit 1 @@ -45,6 +55,11 @@ accum=$(yq '.sdk.apikey = env(SPLITD_APIKEY) | .link.address = env(SPLITD_LINK_A [ ! -z ${SPLITD_EVENTS_REFRESH_SECS+x} ] && accum=$(echo "${accum}" | yq '.sdk.events.refreshRateSeconds = env(SPLITD_EVENTS_REFRESH_SECS)') [ ! -z ${SPLITD_EVENTS_QUEUE_SIZE+x} ] && accum=$(echo "${accum}" | yq '.sdk.events.queueSize = env(SPLITD_EVENTS_QUEUE_SIZE)') +if [ ! -z ${SPLITD_FLAG_SETS_FILTER+x} ]; then + export PARSED_FLAGSETS=$(prepare_sets "${SPLITD_FLAG_SETS_FILTER}") + accum=$(echo "${accum}" | yq '.sdk.flagSetsFilter += env(PARSED_FLAGSETS)') +fi + # link configs [ ! -z ${SPLITD_LINK_TYPE+x} ] && accum=$(echo "${accum}" | yq '.link.type = env(SPLITD_LINK_TYPE)') [ ! -z ${SPLITD_LINK_SERIALIZATION+x} ] && accum=$(echo "${accum}" | yq '.link.serialization = env(SPLITD_LINK_SERIALIZATION)') diff --git a/infra/sidecar.Dockerfile b/infra/sidecar.Dockerfile index a3450a9..53d7e40 100644 --- a/infra/sidecar.Dockerfile 
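Review bot: `prepare_sets` builds the JSON array by interpolating each comma-separated value unescaped (`RES="${RES}\"${SET}\","`), so a set name containing `"` or `\` yields a malformed document that `env(PARSED_FLAGSETS)` then hands to yq as YAML, and a value like `a","b` is silently split into two sets instead of being rejected. The value is operator-supplied configuration, so this is robustness more than exposure, but yq can do the split itself on the raw string: `accum=$(echo "${accum}" | yq '.sdk.flagSetsFilter += (strenv(SPLITD_FLAG_SETS_FILTER) | split(","))')`, which makes `prepare_sets` and the exported `PARSED_FLAGSETS` unnecessary and removes the quoting problem. `export PARSED_FLAGSETS=$(...)` also discards the substitution's exit status. If `+=` (append) rather than the `=` used by every other option in this file is deliberate, a one-line comment saying so would help.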
+++ b/infra/sidecar.Dockerfile @@ -1,5 +1,5 @@ # ----- Builder image -FROM golang:1.20.7-alpine3.18 AS builder +FROM golang:1.21.6-alpine3.19 AS builder RUN apk add git build-base bash @@ -8,7 +8,7 @@ COPY . . RUN make clean splitd splitd.yaml.tpl # ----- Runner image -FROM alpine:3.18 AS runner +FROM alpine:3.19.0 AS runner RUN apk add gettext yq bash RUN mkdir -p /opt/splitd From b49c4cfcd5dc6567a55c55a91bcbd514414ade31 Mon Sep 17 00:00:00 2001 From: Martin Redolatti Date: Mon, 5 Feb 2024 18:43:23 -0300 Subject: [PATCH 2/8] fips compliant binaries --- .dockerignore | 4 ++++ .github/workflows/ci.yml | 1 + .github/workflows/docker.yml | 8 +++++++- .gitignore | 1 + Makefile | 22 +++++++++++++++++++--- go.mod | 2 +- go.sum | 2 ++ infra/sidecar.Dockerfile | 26 +++++++++++++++++++++----- splitio/enforce_fips.go | 8 ++++++++ 9 files changed, 64 insertions(+), 10 deletions(-) create mode 100644 splitio/enforce_fips.go diff --git a/.dockerignore b/.dockerignore index c8e58da..beae83b 100644 --- a/.dockerignore +++ b/.dockerignore @@ -3,10 +3,14 @@ .gitignore .netrc splitd +splitd-fips splitcli shared testcfg TODO +splitio/commitsha.go + splitd.linux.* splitd.darwin.* + diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 71b0cd4..00e0580 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -81,6 +81,7 @@ jobs: tag_name: v${{ env.VERSION }} files: | splitd-darwin-amd64-${{ env.VERSION }}.bin + splitd-darwin-amd64-fips-${{ env.VERSION }}.bin splitd-darwin-arm-${{ env.VERSION }}.bin splitd-linux-amd64-${{ env.VERSION }}.bin splitd-linux-arm-${{ env.VERSION }}.bin diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 76ccd05..e309e27 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml 
@@ -9,6 +9,9 @@ jobs: build-docker-image: name: Build and push Docker image runs-on: ubuntu-latest + strategy: + matrix: + fips-mode: [enabled, disabled] steps: - name: Login to Artifactory uses: docker/login-action@v2 @@ -29,4 +32,7 @@ jobs: context: . file: "infra/sidecar.Dockerfile" push: true - tags: splitio-docker.jfrog.io/splitd/sidecar:latest,splitio-docker.jfrog.io/splitd/sidecar:${{ env.VERSION }} + tags: splitio-docker.jfrog.io/splitd/sidecar${{ matrix.fips-mode == "enabled" && "-fips" || ""}}:${{ env.VERSION }} + build-args: | + FIPS_MODE=${{ matrix.fips-mode }} +, diff --git a/.gitignore b/.gitignore index 45f25e5..3965a63 100644 --- a/.gitignore +++ b/.gitignore @@ -15,6 +15,7 @@ # vendor/ /splitd +/splitd-fips /splitcli /sdhelper /splitd.yaml diff --git a/Makefile b/Makefile index 98cb2a5..35346f1 100644 --- a/Makefile +++ b/Makefile @@ -10,10 +10,11 @@ PLATFORM ?= PLATFORM_STR := $(if $(PLATFORM),--platform=$(PLATFORM),) VERSION := $(shell cat splitio/version.go | grep 'const Version' | sed 's/const Version = //' | tr -d '"') -COMMIT_SHA := $(shell bash -c '[ ! -z $${GITHUB_SHA} ] && echo $${GITHUB_SHA:0:7} || git rev-parse --short=7 HEAD') +COMMIT_SHA := $(shell bash -c '[[ ! -z $${GITHUB_SHA} ]] && echo $${GITHUB_SHA:0:7} || git rev-parse --short=7 HEAD') COMMIT_SHA_FILE := splitio/commitsha.go GO_FILES := $(shell find . -name "*.go" -not -name "$(COMMIT_SHA_FILE)") go.sum +ENFORCE_FIPS := -tags enforce_fips CONFIG_TEMPLATE ?= splitd.yaml.tpl COVERAGE_FILE ?= coverage.out 
@@ -58,9 +59,13 @@ entrypoint-test: splitd # requires splitd binary to generate a config and valida bash infra/test/test_entrypoint.sh ## build splitd for local machine -splitd: $(GO_FILES) +splitd: $(GO_FILES) $(COMMIT_SHA_FILE) go build -o splitd cmd/splitd/main.go +## build splitd for local machine +splitd-fips: $(GO_FILES) $(COMMIT_SHA_FILE) + GOEXPERIMENT=boringcrypto go build -o $@ $(ENFORCE_FIPS) cmd/splitd/main.go + ## build splitcli for local machine splitcli: $(GO_FILES) go build -o splitcli cmd/splitcli/main.go @@ -74,10 +79,18 @@ sdhelper: $(GO_FILES) ## build docker images for sidecar images_release: # entrypoints - $(DOCKER) build $(PLATFORM_STR) -t splitsoftware/splitd-sidecar:latest -t splitsoftware/splitd-sidecar:$(VERSION) -f infra/sidecar.Dockerfile . + $(DOCKER) build $(PLATFORM_STR) \ + -t splitsoftware/splitd-sidecar:latest -t splitsoftware/splitd-sidecar:$(VERSION) \ + --build-arg COMMIT_SHA=$(COMMIT_SHA) \ + -f infra/sidecar.Dockerfile . + $(DOCKER) build $(PLATFORM_STR) -t splitsoftware/splitd-sidecar-fips:latest -t splitsoftware/splitd-sidecar-fips:$(VERSION) \ + --build-arg FIPS_MODE=1 --build-arg COMMIT_SHA=$(COMMIT_SHA) \ + -f infra/sidecar.Dockerfile . @echo "Image created. Make sure everything works ok, and then run the following commands to push them." @echo "$(DOCKER) push splitsoftware/splitd-sidecar:latest" @echo "$(DOCKER) push splitsoftware/splitd-sidecar:$(VERSION)" + @echo "$(DOCKER) push splitsoftware/splitd-sidecar-fips:latest" + @echo "$(DOCKER) push splitsoftware/splitd-sidecar-fips:$(VERSION)" ## build release for binaires binaries_release: splitd-linux-amd64-$(VERSION).bin splitd-darwin-amd64-$(VERSION).bin splitd-linux-arm-$(VERSION).bin splitd-darwin-arm-$(VERSION).bin 
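Review bot: The `##` help line above `splitd-fips` is copied verbatim from `splitd` ('build splitd for local machine') and does not say how the target differs; suggest `## build splitd with BoringCrypto (GOEXPERIMENT=boringcrypto) and the enforce_fips tag, for local machine`. Go's BoringCrypto integration is cgo-based, so prefixing the recipe with `CGO_ENABLED=1` (`CGO_ENABLED=1 GOEXPERIMENT=boringcrypto go build -o $@ $(ENFORCE_FIPS) cmd/splitd/main.go`) makes a build without a working C toolchain fail instead of quietly producing a binary backed by the standard Go crypto.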
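Review bot: `--build-arg FIPS_MODE=1` does not match what the Dockerfile added in this same patch tests for (`[[ "${FIPS_MODE}" = "enabled" ]]`), so `make images_release` tags a standard build as `splitsoftware/splitd-sidecar-fips` — a mislabelled image that compliance-minded consumers would trust. Use `--build-arg FIPS_MODE=enabled`, matching the `enabled`/`disabled` values the docker workflow passes, and consider having the Dockerfile fail on any other value rather than falling through to the standard build. `images_release` is a command rather than a file; if it is not already in a `.PHONY` list outside this hunk it should be.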
@@ -92,6 +105,9 @@ $(COMMIT_SHA_FILE): splitd-linux-amd64-$(VERSION).bin: $(GO_FILES) GOARCH=amd64 GOOS=linux $(GO) build -o $@ cmd/splitd/main.go +splitd-linux-amd64-fips-$(VERSION).bin: $(GO_FILES) + GOEXPERIMENT=boringcrypto GOARCH=amd64 GOOS=linux $(GO) build -o $@ $(ENFORCE_FIPS) cmd/splitd/main.go + splitd-darwin-amd64-$(VERSION).bin: $(GO_FILES) GOARCH=amd64 GOOS=darwin $(GO) build -o $@ cmd/splitd/main.go diff --git a/go.mod b/go.mod index e6e8160..c789d2f 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/splitio/splitd -go 1.20 +go 1.21 require ( github.com/splitio/go-split-commons/v5 v5.1.0 diff --git a/go.sum b/go.sum index 0f681e8..2b0fcce 100644 --- a/go.sum +++ b/go.sum @@ -1,5 +1,7 @@ github.com/bits-and-blooms/bitset v1.3.1 h1:y+qrlmq3XsWi+xZqSaueaE8ry8Y127iMxlMfqcK8p0g= +github.com/bits-and-blooms/bitset v1.3.1/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA= github.com/bits-and-blooms/bloom/v3 v3.3.1 h1:K2+A19bXT8gJR5mU7y+1yW6hsKfNCjcP2uNfLFKncjQ= +github.com/bits-and-blooms/bloom/v3 v3.3.1/go.mod h1:bhUUknWd5khVbTe4UgMCSiOOVJzr3tMoijSK3WwvW90= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= diff --git a/infra/sidecar.Dockerfile b/infra/sidecar.Dockerfile index a3450a9..7c8d193 100644 --- a/infra/sidecar.Dockerfile +++ b/infra/sidecar.Dockerfile 
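Review bot: `splitd-linux-amd64-fips-$(VERSION).bin` pins GOOS/GOARCH but not CGO_ENABLED; when the host is not linux/amd64 the Go toolchain defaults to CGO_ENABLED=0 for cross-builds, and since BoringCrypto is cgo-based while `crypto/tls/fipsonly` (pulled in by `$(ENFORCE_FIPS)`) is gated only on the boringcrypto tag, the artifact would compile and enforce FIPS TLS settings yet use the standard Go crypto. Add `CGO_ENABLED=1` so such a build fails instead: `CGO_ENABLED=1 GOEXPERIMENT=boringcrypto GOARCH=amd64 GOOS=linux $(GO) build -o $@ $(ENFORCE_FIPS) cmd/splitd/main.go`. A post-build assertion that the binary really links BoringCrypto (e.g. `go tool nm $@ | grep -q goboringcrypto`) would catch regressions in CI.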
@@ -1,16 +1,32 @@ # ----- Builder image -FROM golang:1.20.7-alpine3.18 AS builder +FROM golang:1.21.6-bookworm AS builder -RUN apk add git build-base bash +ARG FIPS_MODE +ARG COMMIT_SHA + +RUN apt update -y +RUN apt install -y build-essential ca-certificates python3 git WORKDIR /splitd COPY . . -RUN make clean splitd splitd.yaml.tpl + +RUN export GITHUB_SHA="${COMMIT_SHA}" && \ + if [[ "${FIPS_MODE}" = "enabled" ]]; \ + then echo "building in fips mode"; make clean splitd-fips splitd.yaml.tpl EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; mv split-sync-fips split-sync; \ + else echo "building in standard mode"; make clean splitd splitd.yaml.tpl EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; \ + fi # ----- Runner image -FROM alpine:3.18 AS runner -RUN apk add gettext yq bash +FROM debian:12.4 AS runner + +RUN apt update -y +RUN apt install -y bash ca-certificates wget + +RUN wget https://github.com/mikefarah/yq/releases/download/v4.40.5/yq_linux_amd64 +RUN chmod +x yq_linux_amd64 +RUN mv yq_linux_amd64 /usr/local/bin/yq + RUN mkdir -p /opt/splitd COPY --from=builder /splitd/splitd /opt/splitd COPY --from=builder /splitd/splitd.yaml.tpl /opt/splitd diff --git a/splitio/enforce_fips.go b/splitio/enforce_fips.go new file mode 100644 index 0000000..7e288b3 --- /dev/null +++ b/splitio/enforce_fips.go @@ -0,0 +1,8 @@ +//go:build enforce_fips +// +build enforce_fips + +package splitio + +import ( + _ "crypto/tls/fipsonly" +) From 247fb2b4826630df407569640d273599cf2ec5e1 Mon Sep 17 00:00:00 2001 From: Martin Redolatti Date: Mon, 5 Feb 2024 19:02:23 -0300 Subject: [PATCH 3/8] bump version --- splitio/version.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/splitio/version.go b/splitio/version.go index 92af151..0e6815e 100644 --- a/splitio/version.go +++ b/splitio/version.go @@ -1,3 +1,3 @@ package splitio -const Version = "1.2.0" +const Version = "1.3.0-rc1" From a0e4d4a77618548cda0ad55ae85bd47b3cecb927 Mon Sep 17 00:00:00 2001 
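Review bot: The FIPS branch cannot produce a FIPS image: `if [[ "${FIPS_MODE}" = "enabled" ]]` runs under the image's default `/bin/sh` (dash on Debian, where `[[` is not a builtin), so the test fails and the `else` branch quietly builds the standard `splitd` into the image tagged `-fips`; and even with a bash shell the branch then runs `mv split-sync-fips split-sync` although the target it just built is `splitd-fips` and the runner copies `/splitd/splitd`, so it should read `mv splitd-fips splitd`. Separately, yq is downloaded with `wget` from a GitHub release and installed without any integrity check, putting an unverified third-party binary on the config-generation path of every sidecar; pin the SHA-256 from the release's published checksums and verify before installing, as below. The hard-coded `yq_linux_amd64` also ignores the `$(PLATFORM)` that `images_release` can pass. `EXTRA_BUILD_ARGS` is referenced in both branches but defined nowhere in this patch, so it is always empty.
```dockerfile
RUN export GITHUB_SHA="${COMMIT_SHA}" && \
    if [ "${FIPS_MODE}" = "enabled" ]; \
    then echo "building in fips mode"; make clean splitd-fips splitd.yaml.tpl; mv splitd-fips splitd; \
    else echo "building in standard mode"; make clean splitd splitd.yaml.tpl; \
    fi
# … unchanged: runner FROM debian / apt install …
# Pin the yq release and the yq_linux_amd64 digest from its published checksums file;
# sha256sum -c fails the build if the download does not match.
ARG YQ_VERSION=v4.40.5
ARG YQ_SHA256
RUN wget -q "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" && \
    echo "${YQ_SHA256}  yq_linux_amd64" | sha256sum -c - && \
    chmod +x yq_linux_amd64 && \
    mv yq_linux_amd64 /usr/local/bin/yq
```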
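Review bot: The new file carries no package or import comment, so a reader cannot tell what the blank import does or why the `enforce_fips` tag and `GOEXPERIMENT=boringcrypto` are always set together in the Makefile. Suggest, above the import: `// Blank-import crypto/tls/fipsonly so that a binary built with -tags enforce_fips restricts TLS to FIPS-approved settings. The package itself only exists under GOEXPERIMENT=boringcrypto, so the tag without the experiment fails to compile rather than producing a non-FIPS binary that claims otherwise.` The `// +build` line has been redundant alongside `//go:build` since Go 1.17 and can be dropped for a `go 1.21` module.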
From: Martin Redolatti Date: Wed, 21 Feb 2024 22:39:31 -0300 Subject: [PATCH 4/8] gha --- .github/workflows/docker.yml | 7 +++---- .github/workflows/unstable.yml | 5 ++++- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index e309e27..09bfdf3 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - fips-mode: [enabled, disabled] + fips_mode: [enabled, disabled] steps: - name: Login to Artifactory uses: docker/login-action@v2 @@ -32,7 +32,6 @@ jobs: context: . file: "infra/sidecar.Dockerfile" push: true - tags: splitio-docker.jfrog.io/splitd/sidecar${{ matrix.fips-mode == "enabled" && "-fips" || ""}}:${{ env.VERSION }} + tags: splitio-docker.jfrog.io/splitd/sidecar${{ matrix.fips_mode == 'enabled' && '-fips' || ''}}:${{ env.VERSION }} build-args: | - FIPS_MODE=${{ matrix.fips-mode }} -, + FIPS_MODE=${{ matrix.fips_mode }} diff --git a/.github/workflows/unstable.yml b/.github/workflows/unstable.yml index f0c0c7d..76cd7c0 100644 --- a/.github/workflows/unstable.yml +++ b/.github/workflows/unstable.yml @@ -8,6 +8,9 @@ jobs: push-docker-image: name: Build and Push Docker Image runs-on: ubuntu-latest + strategy: + matrix: + fips_mode: [enabled, disabled] steps: - name: Login to Artifactory uses: docker/login-action@v2 @@ -28,4 +31,4 @@ jobs: context: . file: "infra/sidecar.Dockerfile" push: true - tags: splitio-docker-dev.jfrog.io/splitd/sidecar:${{ env.SHORT_SHA }} + tags: splitio-docker-dev.jfrog.io/splitd/sidecar${{ matrix.fips_mode == 'enabled' && '-fips' || '' }}:${{ env.SHORT_SHA }} From 3f5eb7e21725a4a869f5ed6815c878f99ca992b2 Mon Sep 17 00:00:00 2001 From: Martin Redolatti Date: Wed, 21 Feb 2024 22:46:33 -0300 Subject: [PATCH 5/8] use bash --- infra/sidecar.Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
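Review bot: The matrix now publishes a `sidecar-fips:${SHORT_SHA}` tag, but unlike docker.yml in this series the unstable job never passes `FIPS_MODE` to the build, so the Dockerfile's `[[ "${FIPS_MODE}" = "enabled" ]]` is false in both legs and the image labelled `-fips` is a standard build. Add to the build-push step (which begins outside this hunk): `build-args: |` followed by `FIPS_MODE=${{ matrix.fips_mode }}`. Until then the dev FIPS tag is misleading rather than merely untested.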
diff --git a/infra/sidecar.Dockerfile b/infra/sidecar.Dockerfile index 7c8d193..f4169d1 100644 --- a/infra/sidecar.Dockerfile +++ b/infra/sidecar.Dockerfile @@ -10,11 +10,11 @@ RUN apt install -y build-essential ca-certificates python3 git WORKDIR /splitd COPY . . -RUN export GITHUB_SHA="${COMMIT_SHA}" && \ +RUN export GITHUB_SHA="${COMMIT_SHA}" && bash -c '\ if [[ "${FIPS_MODE}" = "enabled" ]]; \ then echo "building in fips mode"; make clean splitd-fips splitd.yaml.tpl EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; mv split-sync-fips split-sync; \ else echo "building in standard mode"; make clean splitd splitd.yaml.tpl EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; \ - fi + fi' # ----- Runner image From a1366323a53a4c02d3a865da8a8e568ebe4cb9be Mon Sep 17 00:00:00 2001 From: Martin Redolatti Date: Thu, 22 Feb 2024 18:44:02 -0300 Subject: [PATCH 6/8] prepare for release --- .github/workflows/ci.yml | 2 +- CHANGES | 3 +++ Makefile | 9 +++++++-- splitio/commitsha.go | 2 +- splitio/version.go | 2 +- 5 files changed, 13 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 00e0580..d146814 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -81,7 +81,7 @@ jobs: tag_name: v${{ env.VERSION }} files: | splitd-darwin-amd64-${{ env.VERSION }}.bin - splitd-darwin-amd64-fips-${{ env.VERSION }}.bin splitd-darwin-arm-${{ env.VERSION }}.bin splitd-linux-amd64-${{ env.VERSION }}.bin + splitd-linux-amd64-fips-${{ env.VERSION }}.bin splitd-linux-arm-${{ env.VERSION }}.bin diff --git a/CHANGES b/CHANGES index 5b7c582..348977e 100644 --- a/CHANGES +++ b/CHANGES 
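Review bot: Wrapping the whole conditional in `bash -c '…'` to get `[[ ]]` works but nests two quoting layers inside one RUN; the conventional form is `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` at the top of the builder stage, or simply the POSIX test `[ "${FIPS_MODE}" = "enabled" ]` that dash already accepts, keeping the script flat. `export GITHUB_SHA="${COMMIT_SHA}"` stays outside the inner bash, which is correct since exported variables reach the child shell, but a comment that the Makefile's `COMMIT_SHA` detection reads `GITHUB_SHA` would make the indirection clear. Note that `mv split-sync-fips split-sync`, unchanged here, still names binaries no target in this Makefile produces; the built artifact is `splitd-fips` and the runner copies `/splitd/splitd`.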
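Review bot: The release step now uploads `splitd-linux-amd64-fips-${{ env.VERSION }}.bin` alongside the other binaries, yet nothing in this hunk adds a checksum or signature asset, so consumers of a binary whose whole purpose is compliance have no way to verify that what they downloaded is what CI built. Consider a preceding step `sha256sum splitd-*-${{ env.VERSION }}.bin > SHA256SUMS` and adding `SHA256SUMS` to `files:`; signing the assets with the workflow's OIDC identity would be the stronger follow-up. The release step and its job begin outside this hunk, so an existing checksum step elsewhere would make this moot.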
@@ -1,3 +1,6 @@ +1.3.4 (Feb 22, 2024): +- Add FIPS-compliant build for amd64/linux + 1.2.0 (Jan 25, 2024): - Added support for Flag Sets on the SDK, which enables grouping feature flags and interacting with the group rather than individually (more details in our documentation): - Added new variations of the get treatment methods to support evaluating flags in given flag set/s. diff --git a/Makefile b/Makefile index 35346f1..e58bec3 100644 --- a/Makefile +++ b/Makefile @@ -33,7 +33,8 @@ clean: splitd-linux-amd64-$(VERSION).bin \ splitd-darwin-amd64-$(VERSION).bin \ splitd-linux-arm-$(VERSION).bin \ - splitd-darwin-arm-$(VERSION).bin + splitd-darwin-arm-$(VERSION).bin \ + splitd-linux-amd64-fips-$(VERSION).bin ## build binaries for this platform build: splitd splitcli sdhelper @@ -93,7 +94,11 @@ images_release: # entrypoints @echo "$(DOCKER) push splitsoftware/splitd-sidecar-fips:$(VERSION)" ## build release for binaires -binaries_release: splitd-linux-amd64-$(VERSION).bin splitd-darwin-amd64-$(VERSION).bin splitd-linux-arm-$(VERSION).bin splitd-darwin-arm-$(VERSION).bin +binaries_release: splitd-linux-amd64-$(VERSION).bin \ + splitd-darwin-amd64-$(VERSION).bin \ + splitd-linux-arm-$(VERSION).bin \ + splitd-darwin-arm-$(VERSION).bin \ + splitd-linux-amd64-fips-$(VERSION).bin $(COVERAGE_FILE): unit-tests diff --git a/splitio/commitsha.go b/splitio/commitsha.go index 2a9b130..9589ceb 100644 --- a/splitio/commitsha.go +++ b/splitio/commitsha.go @@ -1,3 +1,3 @@ package splitio -const CommitSHA = "15ef04f" +const CommitSHA = "3f5eb7e" diff --git a/splitio/version.go b/splitio/version.go index 0e6815e..e236846 100644 --- a/splitio/version.go +++ b/splitio/version.go @@ -1,3 +1,3 @@ package splitio -const Version = "1.3.0-rc1" +const Version = "1.3.0" From 3994d36b45563fdb9155abe200fc985686d6cfd8 Mon Sep 17 00:00:00 2001 
From: Martin Redolatti Date: Thu, 22 Feb 2024 19:11:18 -0300 Subject: [PATCH 7/8] include socat --- infra/sidecar.Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/sidecar.Dockerfile b/infra/sidecar.Dockerfile index f7c0ef2..5d2842a 100644 --- a/infra/sidecar.Dockerfile +++ b/infra/sidecar.Dockerfile @@ -5,7 +5,7 @@ ARG FIPS_MODE ARG COMMIT_SHA RUN apt update -y -RUN apt install -y build-essential ca-certificates python3 git +RUN apt install -y build-essential ca-certificates python3 git socat WORKDIR /splitd COPY . . From 68c62f737edf0782aeb79c5c7c5ec23c6b04db8b Mon Sep 17 00:00:00 2001 From: Martin Redolatti Date: Thu, 22 Feb 2024 20:10:55 -0300 Subject: [PATCH 8/8] update changelog --- CHANGES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 348977e..f4659f2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,5 @@ 1.3.4 (Feb 22, 2024): -- Add FIPS-compliant build for amd64/linux +- Add boringcrypto-based FIPS-compliant build for amd64/linux 1.2.0 (Jan 25, 2024): - Added support for Flag Sets on the SDK, which enables grouping feature flags and interacting with the group rather than individually (more details in our documentation):
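Review bot: `socat` is added to the builder stage's `apt install` (the line sits under `ARG FIPS_MODE`/`ARG COMMIT_SHA` in the `golang` image), so it never reaches the `runner` stage; if it is meant to be available in the shipped sidecar it must be added to the runner's `apt install -y bash ca-certificates wget` line instead, and if it is only for build-time testing it is dead weight in the build image. Either way a short comment naming what uses it would stop the next reader from guessing. If it does move to the runner, note that `wget` there is only needed to fetch yq and could be removed after the install to shrink the runtime attack surface.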