@sspaeth-r7
Forked from jeesmon/istio-fips-build.sh
Last active February 21, 2024 21:04
Istio FIPS Build for Jenkins
#!/bin/bash -xeu
# -e used in shebang and pipefail because if there's
# a failure somewhere mid-pipe chain WE NEED TO KNOW
# -u throws an error when using undefined variables
# Expects ISTIO_VERSION, MAJOR_ISTIO_VERSION, TAG, WORKSPACE and SCRIPT_DIR to be
# set by the Jenkins job; with -u a missing one aborts the build instead of
# silently checking out or tagging something unintended
set -o pipefail
git clone https://github.com/istio/tools.git --depth 1
pushd tools/docker/build-tools
git fetch --tags
git checkout "${ISTIO_VERSION}"
# Patch tools so a newer Ubuntu is used, fixes missing libtinfo.so.6 error
sed -i'' \
-e 's/^FROM ubuntu:xenial AS clang_context_amd64$/FROM ubuntu:focal AS clang_context_amd64/g' \
-e 's/^FROM ubuntu:xenial AS build_env_proxy_amd64$/FROM ubuntu:focal AS build_env_proxy_amd64/g' \
-e 's/^FROM ubuntu:xenial AS bazel_context_amd64$/FROM ubuntu:focal AS bazel_context_amd64/g' \
-e 's/^ENV UBUNTU_RELEASE_CODE_NAME=xenial$/ENV UBUNTU_RELEASE_CODE_NAME=focal/g' \
-e 's/^ENV UBUNTU_RELEASE_CODE_NAME=bionic$/ENV UBUNTU_RELEASE_CODE_NAME=focal/g' \
-e 's/^FROM ubuntu:bionic AS clang_context_arm64$/FROM ubuntu:focal AS clang_context_arm64/g' \
-e 's/^FROM ubuntu:bionic AS bazel_context_arm64$/FROM ubuntu:focal AS bazel_context_arm64/g' \
-e 's/^FROM ubuntu:bionic AS build_env_proxy_arm64$/FROM ubuntu:focal AS build_env_proxy_arm64/g' \
-e 's/^FROM ubuntu:18.04 AS clang_context_amd64$/FROM ubuntu:20.04 AS clang_context_amd64/g' \
-e 's/^FROM ubuntu:18.04 AS build_env_proxy_amd64$/FROM ubuntu:20.04 AS build_env_proxy_amd64/g' \
-e 's/^ENV UBUNTU_RELEASE_VERSION=18.04$/ENV UBUNTU_RELEASE_VERSION=20.04/g' \
-e 's/^ENV DOCKER_VERSION=5:20.10.7~3-0~ubuntu/ENV DOCKER_VERSION=5:20.10.14~3-0~ubuntu/' \
-e 's/^ENV CONTAINERD_VERSION=1.4.6-1/ENV CONTAINERD_VERSION=1.6.12-1/' \
-e 's/python \\/#python \\/' \
Dockerfile
# Build tools
DRY_RUN=true ./build-and-push.sh
popd
git clone https://github.com/istio/proxy.git --depth 1
pushd proxy
git fetch --tags
git checkout "${ISTIO_VERSION}"
export GOOS=linux
# Compile envoy with FIPS: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2
echo "build --define boringssl=fips" >> .bazelrc
# Make the targets using the build tools image built above which is now in local registry
IMG=gcr.io/istio-testing/build-tools-proxy:release-${MAJOR_ISTIO_VERSION}-latest-amd64 BAZEL_BUILD_ARGS=--config=release VERSION="${TAG}" BUILD_WITH_CONTAINER=1 TARGET_OS=linux make build build_envoy exportcache
popd
git clone https://github.com/istio/istio.git --depth 1
pushd istio
git fetch --tags
git checkout "${ISTIO_VERSION}"
# Pre-built binaries need to be copied with the SHA in the name, otherwise the build process will download them from the GCS bucket
# https://github.com/istio/istio/blob/1.18.1/bin/init.sh#L106
# Populate the git version for istio/proxy (i.e. Envoy)
PROXY_REPO_SHA=$(jq -r '.[] | select(.name == "PROXY_REPO_SHA").lastStableSHA' istio.deps)
# Copy locally built binaries
mkdir -p out/linux_amd64/release
cp -f ../proxy/out/linux_amd64/envoy out/linux_amd64/release/envoy-${PROXY_REPO_SHA}
cp -f out/linux_amd64/release/envoy-${PROXY_REPO_SHA} out/linux_amd64/release/envoy
# Patch Makefile to use BoringCrypto: https://github.com/tetratelabs/istio/blob/tetrate-workflow/tetrateci/docs/fips.md
sed -i'' -e 's%GOOS=linux%CGO_ENABLED=1 GOEXPERIMENT=boringcrypto GOOS=linux%' Makefile.core.mk
# Envoy built with BoringSSL requires libc++ installed in the docker image, patch Dockerfile to install libc++
# Both dockerfiles are also patched to remove extra junk when building, giving us minified images
for FILE in "Dockerfile.proxyv2" "Dockerfile.pilot"; do
PATCH="$WORKSPACE/$SCRIPT_DIR/patches/$FILE.patch"
[[ -f "$PATCH" ]] || { echo "Patch file '$PATCH' not found. Failing..."; exit 1; }
# Insert the patch right after the "FROM ${BASE_DISTRIBUTION ..." line; \$ keeps bash from expanding it so sed gets the literal text
sed -i'' "/FROM \${BASE_DISTRIBUTION/r $PATCH" "pilot/docker/$FILE"
done
# Build pilot and proxy (need to tag here to correctly report when doing istioctl version)
DOCKER_SOCKET_MOUNT='-v /docker-socket/docker.sock:/docker-socket/docker.sock' BAZEL_BUILD_ARGS=--config=release VERSION="${TAG}" BUILD_WITH_CONTAINER=1 TARGET_OS=linux make docker.pilot docker.proxyv2
# Prove to anyone inspecting build output that images were built with FIPS-compliant libraries
docker run --rm --entrypoint="" localhost:5000/proxyv2:$TAG envoy --version
docker run --rm --entrypoint="" localhost:5000/proxyv2:$TAG pilot-agent version
docker run --rm --entrypoint="" localhost:5000/pilot:$TAG pilot-discovery version
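The three version commands above only print evidence for a human to read. As an added example (not part of the gist), the same commands turned into a gate that fails the Jenkins build when an image is not a FIPS build; the sample strings are constructed to mirror the real `envoy --version` and `pilot-agent version` output shapes, and `verify_fips_images` is a hypothetical helper name.

```shell
#!/bin/bash
# Added example (not part of the gist): turn the "prove it" step into a
# gate that fails the Jenkins build when an image is not a FIPS build.

# envoy --version ends in ".../<build-type>/<ssl-type>"; a FIPS build reports BoringSSL-FIPS.
check_envoy_fips() {
  case "$1" in
    *"/BoringSSL-FIPS"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Go binaries built with GOEXPERIMENT=boringcrypto carry the experiment in runtime.Version(),
# which pilot-agent/pilot-discovery print as GolangVersion ("go1.20.5 X:boringcrypto").
check_go_boringcrypto() {
  case "$1" in
    *"X:boringcrypto"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run the gist's three version commands against the freshly built images and
# fail on the first non-FIPS result. Usage: verify_fips_images localhost:5000 "$TAG"
verify_fips_images() {
  local registry="$1" tag="$2" out
  out=$(docker run --rm --entrypoint="" "$registry/proxyv2:$tag" envoy --version)
  check_envoy_fips "$out" || { echo "FAIL: envoy is not a FIPS build: $out" >&2; return 1; }
  out=$(docker run --rm --entrypoint="" "$registry/proxyv2:$tag" pilot-agent version)
  check_go_boringcrypto "$out" || { echo "FAIL: pilot-agent lacks boringcrypto: $out" >&2; return 1; }
  out=$(docker run --rm --entrypoint="" "$registry/pilot:$tag" pilot-discovery version)
  check_go_boringcrypto "$out" || { echo "FAIL: pilot-discovery lacks boringcrypto: $out" >&2; return 1; }
  echo "OK: all images report FIPS-mode crypto"
}

# Constructed sample outputs for offline use (shapes match real output, values are made up).
SAMPLE_ENVOY_FIPS='envoy  version: 0123456789abcdef0123456789abcdef01234567/1.18.1/Clean/RELEASE/BoringSSL-FIPS'
SAMPLE_ENVOY_PLAIN='envoy  version: 0123456789abcdef0123456789abcdef01234567/1.18.1/Clean/RELEASE/BoringSSL'
SAMPLE_PILOT_AGENT_FIPS='version.BuildInfo{Version:"1.18.1", GitRevision:"deadbeef", GolangVersion:"go1.20.5 X:boringcrypto", BuildStatus:"Clean", GitTag:"1.18.1"}'
SAMPLE_PILOT_AGENT_PLAIN='version.BuildInfo{Version:"1.18.1", GitRevision:"deadbeef", GolangVersion:"go1.20.5", BuildStatus:"Clean", GitTag:"1.18.1"}'
```

Call `verify_fips_images localhost:5000 "$TAG"` after the `make docker.pilot docker.proxyv2` step so a non-FIPS image never reaches the registry.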
# Patch for Dockerfile.pilot: inserted after the "FROM ${BASE_DISTRIBUTION ..." line by the loop in the script above.
# Removes tooling the runtime image does not need and cleans apt caches to keep the image small.
# The remove step is grouped so its "|| true" cannot mask a failed apt-get update.
RUN apt-get update \
&& { apt-get remove -y curl libkrb5-3 netcat-openbsd netcat procps tcpdump xz-utils || true; } \
&& apt-get upgrade -y \
&& apt-get autoremove -y \
&& apt-get clean \
&& rm -rf /tmp/* /var/tmp/* \
&& rm -rf /var/lib/apt/lists/*
# Patch for Dockerfile.proxyv2: same clean-up, plus libc++1, which the BoringSSL-built envoy needs at runtime.
RUN apt-get update \
&& { apt-get remove -y curl libkrb5-3 netcat-openbsd netcat procps tcpdump xz-utils || true; } \
&& apt-get upgrade -y \
&& apt-get install -y libc++1 \
&& apt-get autoremove -y \
&& apt-get clean \
&& rm -rf /tmp/* /var/tmp/* \
&& rm -rf /var/lib/apt/lists/*
@sspaeth-r7 (Author)
Updated to work in Jenkins.

@sspaeth-r7 (Author)
Since Gist forces you to use the first filename alphabetically, I'm prefixing the ones I don't want to be the name with z-.
