
Commit 242be9c

authored
Merge pull request #31 from splitio/fips_binaries
fips compliant binaries
2 parents 639a07b + 68c62f7 commit 242be9c


14 files changed

+93
-15
lines changed


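--- a/.dockerignore
+++ b/.dockerignore
@@ -3,10 +3,14 @@
 .gitignore
 .netrc
 splitd
+splitd-fips
 splitcli
 shared
 testcfg
 TODO
 
+splitio/commitsha.go
+
 splitd.linux.*
 splitd.darwin.*
+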

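--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -83,4 +83,5 @@ jobs:
 splitd-darwin-amd64-${{ env.VERSION }}.bin
 splitd-darwin-arm-${{ env.VERSION }}.bin
 splitd-linux-amd64-${{ env.VERSION }}.bin
+splitd-linux-amd64-fips-${{ env.VERSION }}.bin
 splitd-linux-arm-${{ env.VERSION }}.bin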

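--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -9,6 +9,9 @@ jobs:
 build-docker-image:
 name: Build and push Docker image
 runs-on: ubuntu-latest
+strategy:
+matrix:
+fips_mode: [enabled, disabled]
 steps:
 - name: Login to Artifactory
 uses: docker/login-action@v3
@@ -29,4 +32,6 @@ jobs:
 context: .
 file: "infra/sidecar.Dockerfile"
 push: true
-tags: splitio-docker.jfrog.io/splitd/sidecar:latest,splitio-docker.jfrog.io/splitd/sidecar:${{ env.VERSION }}
+tags: splitio-docker.jfrog.io/splitd/sidecar${{ matrix.fips_mode == 'enabled' && '-fips' || ''}}:${{ env.VERSION }}
+build-args: |
+FIPS_MODE=${{ matrix.fips_mode }}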
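Review bot: The build argument here is `FIPS_MODE=enabled` or `FIPS_MODE=disabled`, while the `images_release` target in this commit's Makefile passes `FIPS_MODE=1`; infra/sidecar.Dockerfile is not shown, so at least one of the two conventions may not select the build it claims to. If the Dockerfile tests for a non-empty value, the `disabled` leg would publish a FIPS build under the plain `sidecar` tag, and if it tests for `1`, the `-fips` tag would carry a standard build. Use a single convention in both places, for example `FIPS_MODE=${{ matrix.fips_mode == 'enabled' && '1' || '' }}`, and have the Dockerfile fail on any other value. The rewritten `tags:` line also stops publishing `sidecar:latest`; if that is intentional it deserves a mention in the commit description. The step's `with:` block starts above the hunk.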

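--- a/.github/workflows/unstable.yml
+++ b/.github/workflows/unstable.yml
@@ -8,6 +8,9 @@ jobs:
 push-docker-image:
 name: Build and Push Docker Image
 runs-on: ubuntu-latest
+strategy:
+matrix:
+fips_mode: [enabled, disabled]
 steps:
 - name: Login to Artifactory
 uses: docker/login-action@v3
@@ -28,4 +31,4 @@ jobs:
 context: .
 file: "infra/sidecar.Dockerfile"
 push: true
-tags: splitio-docker-dev.jfrog.io/splitd/sidecar:${{ env.SHORT_SHA }}
+tags: splitio-docker-dev.jfrog.io/splitd/sidecar${{ matrix.fips_mode == 'enabled' && '-fips' || '' }}:${{ env.SHORT_SHA }}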
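Review bot: The `-fips` suffix added to `tags:` is not matched by any `build-args:` entry in this file, so unless `FIPS_MODE` is set somewhere outside these hunks, both matrix legs build the same image and the dev registry receives a `sidecar-fips` tag that holds a non-FIPS binary. docker.yml in this commit adds `build-args: |` followed by `FIPS_MODE=${{ matrix.fips_mode }}` under the same step; the same two lines are needed here. The step's `with:` block begins above the hunk.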

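--- a/.gitignore
+++ b/.gitignore
@@ -15,6 +15,7 @@
 # vendor/
 
 /splitd
+/splitd-fips
 /splitcli
 /sdhelper
 /splitd.yaml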

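--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+1.3.4 (Feb 22, 2024):
+- Add boringcrypto-based FIPS-compliant build for amd64/linux
+
 1.2.0 (Jan 25, 2024):
 - Added support for Flag Sets on the SDK, which enables grouping feature flags and interacting with the group rather than individually (more details in our documentation):
 - Added new variations of the get treatment methods to support evaluating flags in given flag set/s.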

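--- a/Makefile
+++ b/Makefile
@@ -10,10 +10,11 @@ PLATFORM ?=
 PLATFORM_STR := $(if $(PLATFORM),--platform=$(PLATFORM),)
 
 VERSION := $(shell cat splitio/version.go | grep 'const Version' | sed 's/const Version = //' | tr -d '"')
-COMMIT_SHA := $(shell bash -c '[ ! -z $${GITHUB_SHA} ] && echo $${GITHUB_SHA:0:7} || git rev-parse --short=7 HEAD')
+COMMIT_SHA := $(shell bash -c '[[ ! -z $${GITHUB_SHA} ]] && echo $${GITHUB_SHA:0:7} || git rev-parse --short=7 HEAD')
 COMMIT_SHA_FILE := splitio/commitsha.go
 
 GO_FILES := $(shell find . -name "*.go" -not -name "$(COMMIT_SHA_FILE)") go.sum
+ENFORCE_FIPS := -tags enforce_fips
 
 CONFIG_TEMPLATE ?= splitd.yaml.tpl
 COVERAGE_FILE ?= coverage.out
@@ -32,7 +33,8 @@ clean:
 splitd-linux-amd64-$(VERSION).bin \
 splitd-darwin-amd64-$(VERSION).bin \
 splitd-linux-arm-$(VERSION).bin \
-splitd-darwin-arm-$(VERSION).bin
+splitd-darwin-arm-$(VERSION).bin \
+splitd-linux-amd64-fips-$(VERSION).bin
 
 ## build binaries for this platform
 build: splitd splitcli sdhelper
@@ -58,9 +60,13 @@ entrypoint-test: splitd # requires splitd binary to generate a config and valida
 bash infra/test/test_entrypoint.sh
 
 ## build splitd for local machine
-splitd: $(GO_FILES)
+splitd: $(GO_FILES) $(COMMIT_SHA_FILE)
 go build -o splitd cmd/splitd/main.go
 
+## build splitd for local machine
+splitd-fips: $(GO_FILES) $(COMMIT_SHA_FILE)
+GOEXPERIMENT=boringcrypto go build -o $@ $(ENFORCE_FIPS) cmd/splitd/main.go
+
 ## build splitcli for local machine
 splitcli: $(GO_FILES)
 go build -o splitcli cmd/splitcli/main.go
@@ -74,13 +80,25 @@ sdhelper: $(GO_FILES)
 
 ## build docker images for sidecar
 images_release: # entrypoints
-$(DOCKER) build $(PLATFORM_STR) -t splitsoftware/splitd-sidecar:latest -t splitsoftware/splitd-sidecar:$(VERSION) -f infra/sidecar.Dockerfile .
+$(DOCKER) build $(PLATFORM_STR) \
+-t splitsoftware/splitd-sidecar:latest -t splitsoftware/splitd-sidecar:$(VERSION) \
+--build-arg COMMIT_SHA=$(COMMIT_SHA) \
+-f infra/sidecar.Dockerfile .
+$(DOCKER) build $(PLATFORM_STR) -t splitsoftware/splitd-sidecar-fips:latest -t splitsoftware/splitd-sidecar-fips:$(VERSION) \
+--build-arg FIPS_MODE=1 --build-arg COMMIT_SHA=$(COMMIT_SHA) \
+-f infra/sidecar.Dockerfile .
 @echo "Image created. Make sure everything works ok, and then run the following commands to push them."
 @echo "$(DOCKER) push splitsoftware/splitd-sidecar:latest"
 @echo "$(DOCKER) push splitsoftware/splitd-sidecar:$(VERSION)"
+@echo "$(DOCKER) push splitsoftware/splitd-sidecar-fips:latest"
+@echo "$(DOCKER) push splitsoftware/splitd-sidecar-fips:$(VERSION)"
 
 ## build release for binaires
-binaries_release: splitd-linux-amd64-$(VERSION).bin splitd-darwin-amd64-$(VERSION).bin splitd-linux-arm-$(VERSION).bin splitd-darwin-arm-$(VERSION).bin
+binaries_release: splitd-linux-amd64-$(VERSION).bin \
+splitd-darwin-amd64-$(VERSION).bin \
+splitd-linux-arm-$(VERSION).bin \
+splitd-darwin-arm-$(VERSION).bin \
+splitd-linux-amd64-fips-$(VERSION).bin
 
 $(COVERAGE_FILE): unit-tests
 
@@ -92,6 +110,9 @@ $(COMMIT_SHA_FILE):
 splitd-linux-amd64-$(VERSION).bin: $(GO_FILES)
 GOARCH=amd64 GOOS=linux $(GO) build -o $@ cmd/splitd/main.go
 
+splitd-linux-amd64-fips-$(VERSION).bin: $(GO_FILES)
+GOEXPERIMENT=boringcrypto GOARCH=amd64 GOOS=linux $(GO) build -o $@ $(ENFORCE_FIPS) cmd/splitd/main.go
+
 splitd-darwin-amd64-$(VERSION).bin: $(GO_FILES)
 GOARCH=amd64 GOOS=darwin $(GO) build -o $@ cmd/splitd/main.go
 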
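Review bot: The new `splitd-linux-amd64-fips-$(VERSION).bin` and `splitd-fips` recipes set `GOEXPERIMENT=boringcrypto` but never pin `CGO_ENABLED=1`, and the Go toolchain only compiles the BoringCrypto backend in when cgo is active on a supported linux target. A cross-build from another host, a cgo-disabled environment, or `make splitd-fips` on a non-Linux machine can therefore yield a binary carrying the `fips` name that uses the standard Go crypto without the build failing, unless the `enforce_fips` tag (its code is not visible here) turns that into an error. Prefix both recipes with `CGO_ENABLED=1` and add a post-build check line such as `$(GO) tool nm $@ | grep -q _Cfunc__goboringcrypto_`, so an artefact without the BoringCrypto symbols cannot be released under the FIPS name. As a matter of style, `splitd-fips` calls bare `go` where the release rules use `$(GO)`, and its `## build splitd for local machine` comment is a copy of the one above it; `## build FIPS (boringcrypto) splitd for local machine` would tell the two apart.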

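--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/splitio/splitd
 
-go 1.20
+go 1.21
 
 require (
 github.com/splitio/go-split-commons/v5 v5.1.0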

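--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,7 @@
 github.com/bits-and-blooms/bitset v1.3.1 h1:y+qrlmq3XsWi+xZqSaueaE8ry8Y127iMxlMfqcK8p0g=
+github.com/bits-and-blooms/bitset v1.3.1/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
 github.com/bits-and-blooms/bloom/v3 v3.3.1 h1:K2+A19bXT8gJR5mU7y+1yW6hsKfNCjcP2uNfLFKncjQ=
+github.com/bits-and-blooms/bloom/v3 v3.3.1/go.mod h1:bhUUknWd5khVbTe4UgMCSiOOVJzr3tMoijSK3WwvW90=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=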

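--- a/infra/entrypoint.sh
+++ b/infra/entrypoint.sh
@@ -9,6 +9,16 @@ TPL_FILE="${TPL_FILE:-${SCRIPT_DIR}/splitd.yaml.tpl}"
 SPLITD_CFG_OUTPUT="${SPLITD_CFG_OUTPUT:-/etc/splitd.yaml}"
 SPLITD_EXEC="${SPLITD_EXEC:-/opt/splitd/splitd}"
 
+function prepare_sets() {
+local RES="["
+local IFS=','
+read -ra SETS <<< "${1}"
+for SET in "${SETS[@]}"; do
+RES="${RES}\"${SET}\","
+done
+echo "${RES/%,}]"
+}
+
 # Validate mandatory arguments and initialize the template with those values
 [ -z ${SPLITD_APIKEY+x} ] && echo "SPLITD_APIKEY env var is mandatory." && exit 1
 [ -z ${SPLITD_LINK_ADDRESS+x} ] && echo "SPLITD_LINK_ADDRESS env var is mandatory." && exit 1
@@ -45,6 +55,11 @@ accum=$(yq '.sdk.apikey = env(SPLITD_APIKEY) | .link.address = env(SPLITD_LINK_A
 [ ! -z ${SPLITD_EVENTS_REFRESH_SECS+x} ] && accum=$(echo "${accum}" | yq '.sdk.events.refreshRateSeconds = env(SPLITD_EVENTS_REFRESH_SECS)')
 [ ! -z ${SPLITD_EVENTS_QUEUE_SIZE+x} ] && accum=$(echo "${accum}" | yq '.sdk.events.queueSize = env(SPLITD_EVENTS_QUEUE_SIZE)')
 
+if [ ! -z ${SPLITD_FLAG_SETS_FILTER+x} ]; then
+export PARSED_FLAGSETS=$(prepare_sets "${SPLITD_FLAG_SETS_FILTER}")
+accum=$(echo "${accum}" | yq '.sdk.flagSetsFilter += env(PARSED_FLAGSETS)')
+fi
+
 # link configs
 [ ! -z ${SPLITD_LINK_TYPE+x} ] && accum=$(echo "${accum}" | yq '.link.type = env(SPLITD_LINK_TYPE)')
 [ ! -z ${SPLITD_LINK_SERIALIZATION+x} ] && accum=$(echo "${accum}" | yq '.link.serialization = env(SPLITD_LINK_SERIALIZATION)')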
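Review bot: `prepare_sets` in the first hunk pastes each comma-separated element of `SPLITD_FLAG_SETS_FILTER` between double quotes without validating or escaping it, and the second hunk hands the result to yq through `env(PARSED_FLAGSETS)`, which parses it as structured data. An element containing `"`, `\` or a newline therefore produces a malformed or differently shaped `.sdk.flagSetsFilter`, and surrounding spaces (`a, b`) become part of the set name. Reject anything outside the expected character set inside the loop, for example `[[ "${SET}" =~ ^[A-Za-z0-9_]+$ ]] || { echo "invalid flag set: ${SET}" >&2; return 1; }`, with the pattern adjusted to what the SDK accepts. `SETS` and `SET` should also be declared `local`, and `export PARSED_FLAGSETS=$(…)` discards the function's exit status, so assign first, check the status, then export.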
