
Add docker images built using FIPS binaries #7392


Open: Razeen-Abdal-Rahman wants to merge 1 commit into release-5.8 from TT-15334/release-5.8

Conversation


@Razeen-Abdal-Rahman commented Sep 30, 2025 (edited by github-actions bot)

User description

Description

Auto generated changes by gromit to add fips compliant docker images to releases. These changes are in response to a customer request for fips compliant docker images. These are provided by using our existing fips binaries in a distroless image. THESE ARE NOT FIPS VALIDATED IMAGES. Tyk's FIPS documentation has been updated as a result of this request.

Related Issue

See this ticket. A PR has also been made against branch release-5.8 on tyk-analytics.

Motivation and Context

These images were requested to be included in regular releases by a client.

How This Has Been Tested

goreleaser was run locally; everything seems okay, a fips image is built using the fips binary. More end-to-end testing is needed with the other fips components.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Refactoring or add test (improvements in base code or adds test coverage to functionality)

Checklist

  • I ensured that the documentation is up to date
  • I explained why this PR updates go.mod in detail with reasoning why it's required
  • I would like a code coverage CI quality gate exception and have explained why

PR Type

Enhancement, Other


Description

  • Add FIPS Docker builds and manifests

  • Enable multi-arch FIPS packages (amd64/arm64/s390x)

  • CI workflow pushes FIPS images to CI/prod

  • Adjust std Dockerfile install and cleanup


Diagram Walkthrough

flowchart LR
  Goreleaser["Goreleaser config updates"]
  DockerfileStd["Dockerfile.std adjustments"]
  Workflow["GitHub Actions release workflow"]
  FIPSBuilds["FIPS builds: amd64/arm64/s390x"]
  Images["Docker images + manifests"]
  Goreleaser -- "add fips builds, images, manifests" --> FIPSBuilds
  Workflow -- "metadata + build-push fips" --> FIPSBuilds
  DockerfileStd -- "install from dist, cleanup" --> Images
  FIPSBuilds -- "publish CI/prod" --> Images

File Walkthrough

Relevant files

Configuration changes
  release.yml (.github/workflows/release.yml): CI pipeline to build and publish FIPS images (+66/-0)
    • Add FIPS CI metadata and tags output
    • Build/push FIPS images for CI and tags
    • Use distroless Dockerfile with build args
    • Set image labels and multi-arch platforms

Enhancement
  Dockerfile.std (ci/Dockerfile.std): Standard Dockerfile installs from dist and cleans (+5/-5)
    • Install .deb from dist path by arch
    • Adjust cleanup paths for logs/apt/cache
    • Reorder install before cleanup

  goreleaser.yml (ci/goreleaser/goreleaser.yml): Goreleaser: FIPS multi-arch builds and manifests (+348/-1)
    • Add GOEXPERIMENT=boringcrypto to FIPS builds
    • Add FIPS arm64 and s390x builds/packages
    • Define FIPS/EE/STD docker images per arch
    • Add multi-arch docker manifests for FIPS/EE/STD


API Changes

no api changes detected


PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
Recommended focus areas for review

CI Consistency

FIPS CI/prod builds use distroless Dockerfile and push multi-arch images, but image names/tags differ from std/ee; verify that downstream consumers and promotion rules expect 'tykio/tyk-gateway' with '-fips' suffix and that manifests are created only on tag pushes to avoid accidental CI pollution.

- name: Docker metadata for fips CI
  id: ci_metadata_fips
  if: ${{ matrix.golang_cross == '1.24-bullseye' }}
  uses: docker/metadata-action@v5
  with:
    images: |
      ${{ steps.ecr.outputs.registry }}/tyk
    flavor: |
      latest=false
    tags: |
      type=ref,event=branch
      type=ref,event=pr
      type=sha,format=long
      type=semver,pattern={{major}},prefix=v
      type=semver,pattern={{major}}.{{minor}},prefix=v
      type=semver,pattern={{version}},prefix=v
- name: push fips image to CI
  if: ${{ matrix.golang_cross == '1.24-bullseye' }}
  uses: docker/build-push-action@v6
  with:
    context: "dist"
    platforms: linux/amd64,linux/arm64,linux/s390x
    file: ci/Dockerfile.distroless
    provenance: mode=max
    sbom: true
    push: true
    cache-from: type=gha
    cache-to: type=gha,mode=max
    tags: ${{ steps.ci_metadata_fips.outputs.tags }}
    labels: ${{ steps.ci_metadata_fips.outputs.labels }}
    build-args: |
      BUILD_PACKAGE_NAME=tyk-gateway-fips
- name: Docker metadata for fips tag push
  id: tag_metadata_fips
  uses: docker/metadata-action@v5
  with:
    images: |
      tykio/tyk-gateway
    flavor: |
      latest=false
      prefix=v
    tags: |
      type=semver,pattern={{major}}.{{minor}}
      type=semver,pattern={{version}}
    labels: |
      org.opencontainers.image.title=Tyk Gateway FIPS
      org.opencontainers.image.description=Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols Built with boringssl
      org.opencontainers.image.vendor=tyk.io
      org.opencontainers.image.version=${{ github.ref_name }}
- name: push fips image to prod
  if: ${{ matrix.golang_cross == '1.24-bullseye' }}
  uses: docker/build-push-action@v6
  with:
    context: "dist"
    platforms: linux/amd64,linux/arm64,linux/s390x
    file: ci/Dockerfile.distroless
    provenance: mode=max
    sbom: true
    cache-from: type=gha
    cache-to: type=gha,mode=max
    push: ${{ startsWith(github.ref, 'refs/tags') }}
    tags: ${{ steps.tag_metadata_fips.outputs.tags }}
    labels: ${{ steps.tag_metadata_fips.outputs.labels }}
    build-args: |
      BUILD_PACKAGE_NAME=tyk-gateway-fips
- name: Docker metadata for std CI
Cleanup Change

The cleanup path removal now omits '/var/lib/dpkg' from deletion; confirm this is intentional and won't leave residual apt metadata increasing image size or CVE surface compared to previous state.

# Clean up caches, unwanted .a and .o files
RUN rm -rf /root/.cache \
    && apt-get -y autoremove \
    && apt-get clean \
    && rm -rf /usr/include/* /var/cache/apt/archives /var/lib/apt /var/lib/cache /var/log/* \
    && find /usr/lib -type f -name '*.a' -o -name '*.o' -delete
FIPS Build Flags

New FIPS builds add GOEXPERIMENT=boringcrypto and boringssl description; verify toolchain actually links boringcrypto for all arches (amd64/arm64/s390x) and that cross-compilers CC=... exist in the build env to avoid mismatched crypto backends.

    - s390x
  binary: tyk
- id: fips-amd64
  flags:
    - -tags=goplugin,fips,boringcrypto
  env:
    - NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
    - CC=gcc
    - GOEXPERIMENT=boringcrypto
  ldflags:
    - -X github.com/TykTechnologies/tyk/internal/build.Version={{.Version}}
    - -X github.com/TykTechnologies/tyk/internal/build.Commit={{.FullCommit}}
    - -X github.com/TykTechnologies/tyk/internal/build.BuildDate={{.Date}}
    - -X github.com/TykTechnologies/tyk/internal/build.BuiltBy=goreleaser
  goos:
    - linux
  goarch:
    - amd64
  binary: tyk
- id: fips-arm64
  flags:
    - -tags=goplugin,fips,boringcrypto
  env:
    - NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
    - CC=aarch64-linux-gnu-gcc
    - GOEXPERIMENT=boringcrypto
  ldflags:
    - -X github.com/TykTechnologies/tyk/internal/build.Version={{.Version}}
    - -X github.com/TykTechnologies/tyk/internal/build.Commit={{.FullCommit}}
    - -X github.com/TykTechnologies/tyk/internal/build.BuildDate={{.Date}}
    - -X github.com/TykTechnologies/tyk/internal/build.BuiltBy=goreleaser
  goos:
    - linux
  goarch:
    - arm64
  binary: tyk
- id: fips-s390x
  flags:
    - -tags=goplugin,fips,boringcrypto
  env:
    - NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
    - CC=s390x-linux-gnu-gcc
    - GOEXPERIMENT=boringcrypto
  ldflags:
    - -X github.com/TykTechnologies/tyk/internal/build.Version={{.Version}}
    - -X github.com/TykTechnologies/tyk/internal/build.Commit={{.FullCommit}}
    - -X github.com/TykTechnologies/tyk/internal/build.BuildDate={{.Date}}
    - -X github.com/TykTechnologies/tyk/internal/build.BuiltBy=goreleaser
  goos:
    - linux
  goarch:
    - s390x
  binary: tyk
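A post-build check for the "verify toolchain actually links boringcrypto" item above, as an added example that is not code from the Tyk PR or repository. It assumes the Go toolchain is on PATH and that the artifact path passed to `verify_fips_binary` is a placeholder; the two nm listings at the bottom are constructed samples that follow cgo's `_Cfunc_` symbol naming.

```shell
#!/bin/sh
# Added example (not from the Tyk PR): confirm that a binary built with
# GOEXPERIMENT=boringcrypto really links BoringCrypto. Assumes `go` is on PATH.
set -eu

# Count BoringCrypto cgo symbols in a `go tool nm` listing read from stdin.
# When the experiment takes effect (cgo on linux/amd64 or linux/arm64) the
# binary carries symbols containing "goboringcrypto"; on a platform without
# BoringCrypto support, such as s390x, the build succeeds but carries none.
count_boring_symbols() {
  grep -c 'goboringcrypto' || true
}

# Exit 0 when the listing on stdin shows BoringCrypto linked in, 1 otherwise.
nm_has_boringcrypto() {
  n=$(count_boring_symbols)
  [ "$n" -gt 0 ]
}

# Run the real tool against a built artifact (placeholder path in the usage line):
#   verify_fips_binary dist/fips-amd64_linux_amd64_v1/tyk
verify_fips_binary() {
  bin="$1"
  if go tool nm "$bin" | nm_has_boringcrypto; then
    echo "$bin: BoringCrypto symbols present"
  else
    echo "$bin: no BoringCrypto symbols; crypto would fall back to Go native" >&2
    return 1
  fi
}

# Constructed sample listings (not real nm output from Tyk binaries).
SAMPLE_FIPS='  45f2a0 T crypto/internal/boring._Cfunc__goboringcrypto_SHA256_Init
  45f300 T crypto/internal/boring._Cfunc__goboringcrypto_EVP_aead_aes_128_gcm
  401000 T main.main'
SAMPLE_PLAIN='  401000 T main.main
  402000 T crypto/sha256.block'
```

Running `verify_fips_binary` once per goreleaser build id gives a per-architecture answer, which is the check the s390x build in particular needs before its output is published under a FIPS name.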


PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Possible issue
Suggestion: Gate CI push on tags

Ensure CI images don't push on non-tag branches to avoid publishing unversioned FIPS
images accidentally. Align with the EE job and use the same gated push condition.

.github/workflows/release.yml [217-233]

 - name: push fips image to CI
 if: ${{ matrix.golang_cross == '1.24-bullseye' }}
 uses: docker/build-push-action@v6
 with:
 context: "dist"
 platforms: linux/amd64,linux/arm64,linux/s390x
 file: ci/Dockerfile.distroless
 provenance: mode=max
 sbom: true
- push: true
+ push: ${{ startsWith(github.ref, 'refs/tags') }}
 cache-from: type=gha
 cache-to: type=gha,mode=max
 tags: ${{ steps.ci_metadata_fips.outputs.tags }}
 labels: ${{ steps.ci_metadata_fips.outputs.labels }}
 build-args: |
 BUILD_PACKAGE_NAME=tyk-gateway-fips
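Review bot: gating this push on tags makes the CI image disappear for every branch and PR build: the metadata step it consumes, `ci_metadata_fips`, emits `type=ref,event=branch`, `type=ref,event=pr` and `type=sha` tags that only exist on non-tag refs, and it targets the ECR CI registry (`${{ steps.ecr.outputs.registry }}/tyk`), not the public `tykio/tyk-gateway` repository, so an unconditional push here is the expected CI behaviour and no unversioned image reaches the release registry. The prod step already carries `push: ${{ startsWith(github.ref, 'refs/tags') }}`. If anything in this area needs attention it is the prod metadata step, whose `images: tykio/tyk-gateway` with only `latest=false` and `prefix=v` in `flavor` and no suffix would, as excerpted, produce the same `vX.Y.Z` tags as the standard gateway image; a FIPS-specific image name or tag suffix there is what prevents accidental overwrites.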
Suggestion importance[1-10]: 7


Why: Accurate match to the new CI FIPS push step and correctly proposes gating push by tags to avoid unintended image publication; impact is moderate as it reduces risk without changing build outputs.

Impact: Medium

Suggestion: Preserve apt state directories

Avoid deleting entire /var/lib/apt during the same layer as package operations; it
can break future apt or post-install scripts. Remove apt lists and archives instead.

ci/Dockerfile.std [21-25]

 RUN rm -rf /root/.cache \
 && apt-get -y autoremove \
 && apt-get clean \
- && rm -rf /usr/include/* /var/cache/apt/archives /var/lib/apt /var/lib/cache /var/log/* \
+ && rm -rf /usr/include/* /var/cache/apt/archives /var/lib/apt/lists/* /var/lib/cache /var/log/* \
 && find /usr/lib -type f -name '*.a' -o -name '*.o' -delete
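Review bot: the `find` on the unchanged last line has an operator-precedence defect that survives this hunk: `-type f -name '*.a' -o -name '*.o' -delete` parses as `( -type f -a -name '*.a' ) -o ( -name '*.o' -a -delete )`, so `.a` archives are never removed (that branch has no action) while `-delete` runs on anything named `*.o` regardless of type. Group the tests: `find /usr/lib -type f \( -name '*.a' -o -name '*.o' \) -delete`. Separately, `apt-get clean` two lines up already empties `/var/cache/apt/archives`, so listing it in `rm -rf` is redundant; the substantive change is narrowing `/var/lib/apt` to `/var/lib/apt/lists/*`, which drops the downloaded package indexes but keeps the directory apt expects to exist in later layers.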
Suggestion importance[1-10]: 6


Why: The snippet matches the new hunk and the change is reasonable to avoid breaking apt in later layers; impact is minor since this image is later stripped, but it improves maintainability.

Impact: Low

Category: General
Suggestion: Ensure amd64 baseline compatibility

Explicitly set GOAMD64=v1 for maximum compatibility when distributing FIPS binaries;
default higher levels can crash on older CPUs. This mitigates runtime illegal
instruction issues.

ci/goreleaser/goreleaser.yml [61-67]

 - id: fips-amd64
 flags:
 - -tags=goplugin,fips,boringcrypto
 env:
 - NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
 - CC=gcc
 - GOEXPERIMENT=boringcrypto
+ - GOAMD64=v1
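Review bot: `GOAMD64=v1` is already the Go toolchain default, so this line documents the baseline rather than changing it, and the rationale given above (that the default can crash older CPUs) is backwards: only an explicitly raised level (v2, v3, v4) emits instructions that fault on older hardware. Adding it is harmless and makes the intent explicit; if it goes in, apply it to the other amd64 builds in this file too, so the FIPS and regular binaries share one baseline. The more consequential issue in this env block is the one the reviewer guide flags: Go's BoringCrypto is only compiled in with cgo on linux/amd64 and linux/arm64, so the sibling `fips-s390x` build that copies these flags and `GOEXPERIMENT=boringcrypto` compiles without error but links Go's native crypto instead, and a per-architecture symbol check is needed before those binaries are published as FIPS.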
Suggestion importance[1-10]: 5


Why: Matches the fips-amd64 env block and adding GOAMD64=v1 can improve compatibility on older CPUs; however, relevance depends on project’s current baseline and may affect performance, so impact is moderate.

Impact: Low

sonarqubecloud bot commented Oct 1, 2025


Reviewers

@buger approved these changes

@lghiur approved these changes
