@jeesmon
Last active April 5, 2024 07:31
#!/bin/bash -ex
# yum install -y docker git patch jq
# systemctl start docker
# docker info
ISTIO_VERSION=${ISTIO_VERSION:-1.19.3}
MAJOR_ISTIO_VERSION=$(cut -f1-2 -d. <<< ${ISTIO_VERSION})
# Need a custom build-tools-proxy image for 1.18.3+
# https://istio.slack.com/archives/C6FCV6WN4/p1696463622534729
# https://github.com/istio/tools/pull/2566
git clone https://github.com/istio/tools.git --depth 1
cd tools
git fetch --tags
git checkout "${ISTIO_VERSION}"
# Patch tools
sed -i'' \
-e 's/FROM ubuntu:xenial AS clang_context_amd64/FROM ubuntu:jammy AS clang_context_amd64/' \
-e 's/FROM ubuntu:xenial AS build_env_proxy_amd64/FROM ubuntu:jammy AS build_env_proxy_amd64/' \
-e 's/ENV UBUNTU_RELEASE_CODE_NAME=xenial/ENV UBUNTU_RELEASE_CODE_NAME=jammy/' \
-e 's/ENV DOCKER_VERSION=5:20.10.7~3-0~ubuntu/ENV DOCKER_VERSION=5:20.10.14~3-0~ubuntu/' \
-e 's/ENV CONTAINERD_VERSION=1.4.6-1/ENV CONTAINERD_VERSION=1.6.12-1/' \
-e 's/python \\/#python \\/' \
docker/build-tools/Dockerfile
# Build tools
cd docker/build-tools/
DRY_RUN=true ./build-and-push.sh
cd ../../..
git clone https://github.com/istio/proxy.git --depth 1
pushd proxy
git fetch --tags
git checkout "${ISTIO_VERSION}"
export GOOS=linux
# Patch Makefile for BAZEL_BIN_PATH in 1.19.3
# https://github.com/istio/proxy/pull/5087
sed -i '/exportcache:/i \
exportcache: BAZEL_BIN_PATH ?= $(shell bazel info $(BAZEL_BUILD_ARGS) $(BAZEL_CONFIG_CURRENT) bazel-bin)' \
Makefile.core.mk
# Compile envoy with FIPS: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2
echo "build --define boringssl=fips" >> .bazelrc
IMG=gcr.io/istio-testing/build-tools-proxy:release-${MAJOR_ISTIO_VERSION}-latest-amd64 BUILD_WITH_CONTAINER=1 BAZEL_BUILD_ARGS=--config=release TARGET_OS=linux make build_wasm build build_envoy exportcache
popd
git clone https://github.com/istio/istio.git --depth 1
pushd istio
git fetch --tags
git checkout "${ISTIO_VERSION}"
# Pre-built binaries need to be copied with the SHA in their name, otherwise the build process downloads them from the GCS bucket
# https://github.com/istio/istio/blob/1.18.1/bin/init.sh#L106
# Populate the git version for istio/proxy (i.e. Envoy)
# PROXY_REPO_SHA="${PROXY_REPO_SHA:-$(grep PROXY_REPO_SHA istio.deps -A 4 | grep lastStableSHA | cut -f 4 -d '"')}"
PROXY_REPO_SHA=$(jq -r '.[] | select(.name == "PROXY_REPO_SHA").lastStableSHA' istio.deps)
# Copy locally built binaries
mkdir -p out/linux_amd64/release
cp -f ../proxy/out/linux_amd64/envoy out/linux_amd64/release/envoy-${PROXY_REPO_SHA}
cp -f out/linux_amd64/release/envoy-${PROXY_REPO_SHA} out/linux_amd64/release/envoy
# Patch Makefile to use BoringCrypto: https://github.com/tetratelabs/istio/blob/tetrate-workflow/tetrateci/docs/fips.md
sed -i'' -e 's%GOOS=linux%CGO_ENABLED=1 GOEXPERIMENT=boringcrypto GOOS=linux%' Makefile.core.mk
# Envoy built with BoringSSL requires libc++ installed in the docker image
# Patch pilot/docker/Dockerfile.proxyv2 to install libc++
cat > Dockerfile.patch << EOF
COPY --from=debug /lib/x86_64-linux-gnu/libm.so.6 /lib/x86_64-linux-gnu/libm.so.6
COPY --from=debug /lib/x86_64-linux-gnu/librt.so.1 /lib/x86_64-linux-gnu/librt.so.1
COPY --from=debug /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
COPY --from=debug /lib/x86_64-linux-gnu/libdl.so.2 /lib/x86_64-linux-gnu/libdl.so.2
COPY --from=debug /lib/x86_64-linux-gnu/libpthread.so.0 /lib/x86_64-linux-gnu/libpthread.so.0
COPY --from=debug /lib/x86_64-linux-gnu/libc.so.6 /lib/x86_64-linux-gnu/libc.so.6
EOF
cat Dockerfile.patch >> pilot/docker/Dockerfile.proxyv2
cat Dockerfile.patch >> pilot/docker/Dockerfile.pilot
rm Dockerfile.patch
# Build pilot and proxy
DOCKER_BUILD_VARIANTS="distroless" TARGET_OS=linux make docker.pilot docker.proxyv2
# Confirm version
docker run --rm --entrypoint="" localhost:5000/proxyv2:latest-distroless envoy --version
docker run --rm --entrypoint="" localhost:5000/proxyv2:latest-distroless pilot-agent version
docker run --rm --entrypoint="" localhost:5000/pilot:latest-distroless pilot-discovery version
# docker tag localhost:5000/proxyv2:latest-distroless quay.io/jeesmon/proxyv2:${ISTIO_VERSION}-distroless
# docker tag localhost:5000/pilot:latest-distroless quay.io/jeesmon/pilot:${ISTIO_VERSION}-distroless
# docker login quay.io
# docker push quay.io/jeesmon/proxyv2:${ISTIO_VERSION}-distroless
# docker push quay.io/jeesmon/pilot:${ISTIO_VERSION}-distroless
jeesmon commented Oct 25, 2023

Experimental, not well tested other than the version check

docker run --rm --entrypoint="" localhost:5000/proxyv2:latest-distroless envoy --version
envoy  version: a1ff538a63890e27dd2add4b2680ba8dc49293ca/1.27.1-dev/Modified/RELEASE/BoringSSL-FIPS

docker run --rm --entrypoint="" localhost:5000/proxyv2:latest-distroless pilot-agent version
version.BuildInfo{Version:"1.19-dev", GitRevision:"41218ffa66c12acf77ad08b3ef07d296218d0929-dirty", GolangVersion:"go1.21.3 X:boringcrypto", BuildStatus:"Modified", GitTag:"1.19.3"}

docker run --rm --entrypoint="" localhost:5000/pilot:latest-distroless pilot-discovery version
version.BuildInfo{Version:"1.19-dev", GitRevision:"41218ffa66c12acf77ad08b3ef07d296218d0929-dirty", GolangVersion:"go1.21.3 X:boringcrypto", BuildStatus:"Modified", GitTag:"1.19.3"}
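
As an added example (not part of the gist or the author's code), a shell gate that turns the "Confirm version" step into a pass/fail check: it parses the three version strings for the two FIPS markers visible in the output above (`BoringSSL-FIPS` for Envoy, `X:boringcrypto` in `GolangVersion` for the Go binaries) and compares `GitTag` with the expected Istio version. The `verify_images` wrapper assumes the `localhost:5000/...:latest-distroless` image names the gist uses; the sample lines are constructed from the reported output.

```shell
#!/bin/bash
# Added example, not part of the gist: gate the build on the two FIPS markers the
# gist's "Confirm version" step shows: "BoringSSL-FIPS" in `envoy --version`
# and "X:boringcrypto" in GolangVersion of the pilot binaries' version.BuildInfo.
# Image names follow the gist; the sample lines are constructed from the reported output.
SAMPLE_ENVOY='envoy  version: a1ff538a63890e27dd2add4b2680ba8dc49293ca/1.27.1-dev/Modified/RELEASE/BoringSSL-FIPS'
SAMPLE_GO='version.BuildInfo{Version:"1.19-dev", GitRevision:"41218ffa66c12acf77ad08b3ef07d296218d0929-dirty", GolangVersion:"go1.21.3 X:boringcrypto", BuildStatus:"Modified", GitTag:"1.19.3"}'

# envoy_is_fips LINE -> 0 when Envoy reports the FIPS BoringSSL build
envoy_is_fips() {
  case "$1" in
    *BoringSSL-FIPS*) return 0 ;;
    *) return 1 ;;
  esac
}

# go_is_boringcrypto LINE -> 0 when GolangVersion carries the boringcrypto experiment tag
go_is_boringcrypto() {
  case "$1" in
    *GolangVersion:\"*X:boringcrypto\"*) return 0 ;;
    *) return 1 ;;
  esac
}

# buildinfo_gittag LINE -> GitTag value, empty if the line has none
buildinfo_gittag() {
  case "$1" in
    *GitTag:\"*) local s=${1#*GitTag:\"}; printf '%s\n' "${s%%\"*}" ;;
    *) printf '\n' ;;
  esac
}

# check_build ENVOY_LINE AGENT_LINE DISCOVERY_LINE EXPECTED_TAG -> 0 only when every gate passes
check_build() {
  envoy_is_fips "$1"        || { echo "FAIL: envoy is not BoringSSL-FIPS" >&2; return 1; }
  go_is_boringcrypto "$2"   || { echo "FAIL: pilot-agent lacks boringcrypto" >&2; return 1; }
  go_is_boringcrypto "$3"   || { echo "FAIL: pilot-discovery lacks boringcrypto" >&2; return 1; }
  [ "$(buildinfo_gittag "$2")" = "$4" ] || { echo "FAIL: pilot-agent GitTag is not $4" >&2; return 1; }
  [ "$(buildinfo_gittag "$3")" = "$4" ] || { echo "FAIL: pilot-discovery GitTag is not $4" >&2; return 1; }
  echo "OK: FIPS markers present, GitTag $4"
}

# verify_images [TAG]: run the gist's three version commands against the local images and gate on them
verify_images() {
  local tag=${1:-${ISTIO_VERSION:-1.19.3}} run='docker run --rm --entrypoint='
  check_build "$($run localhost:5000/proxyv2:latest-distroless envoy --version)" \
              "$($run localhost:5000/proxyv2:latest-distroless pilot-agent version)" \
              "$($run localhost:5000/pilot:latest-distroless pilot-discovery version)" "$tag"
}
```

Run `verify_images "${ISTIO_VERSION}"` after the `make docker.pilot docker.proxyv2` step; a non-zero exit means one of the images was not built with FIPS crypto or does not match the expected tag.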

jeesmon commented Oct 25, 2023

You can try the pre-built images from

quay.io/jeesmon/proxyv2:1.19.3-distroless
quay.io/jeesmon/pilot:1.19.3-distroless
