You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Auto generated changes by gromit to add fips compliant docker images to releases. These changes are in response to a customer request for fips compliant docker images. These are provided by using our existing fips binaries in a distroless image. THESE ARE NOT FIPS VALIDATED IMAGES. Tyk's FIPS documentation has been updated as a result of this request.
Related Issue
see this ticket. A PR has also been made against branch release-5.8 on tyk-analytics
Motivation and Context
These images were request to be included in regular releases by a client.
How This Has Been Tested
goreleaser was run locally, everything seems okay a fips image is built using the fips binary. More end to end testing is needed with the other fips components.
Types of changes
Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality to change)
Refactoring or add test (improvements in base code or adds test coverage to functionality)
Checklist
I ensured that the documentation is up to date
I explained why this PR updates go.mod in detail with reasoning why it's required
I would like a code coverage CI quality gate exception and have explained why
PR Type
Enhancement, Other
Description
Add FIPS Docker builds and manifests
Enable multi-arch FIPS packages (amd64/arm64/s390x)
FIPS CI/prod builds use distroless Dockerfile and push multi-arch images, but image names/tags differ from std/ee; verify that downstream consumers and promotion rules expect 'tykio/tyk-gateway' with '-fips' suffix and that manifests are created only on tag pushes to avoid accidental CI pollution.
- name: Docker metadata for fips CIid: ci_metadata_fipsif: ${{ matrix.golang_cross == '1.24-bullseye' }}uses: docker/metadata-action@v5with:
images: | ${{ steps.ecr.outputs.registry }}/tykflavor: | latest=falsetags: | type=ref,event=branch type=ref,event=pr type=sha,format=long type=semver,pattern={{major}},prefix=v type=semver,pattern={{major}}.{{minor}},prefix=v type=semver,pattern={{version}},prefix=v
- name: push fips image to CIif: ${{ matrix.golang_cross == '1.24-bullseye' }}uses: docker/build-push-action@v6with:
context: "dist"platforms: linux/amd64,linux/arm64,linux/s390xfile: ci/Dockerfile.distrolessprovenance: mode=maxsbom: truepush: truecache-from: type=ghacache-to: type=gha,mode=maxtags: ${{ steps.ci_metadata_fips.outputs.tags }}labels: ${{ steps.ci_metadata_fips.outputs.labels }}build-args: | BUILD_PACKAGE_NAME=tyk-gateway-fips
- name: Docker metadata for fips tag pushid: tag_metadata_fipsuses: docker/metadata-action@v5with:
images: | tykio/tyk-gatewayflavor: | latest=false prefix=vtags: | type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{version}}labels: | org.opencontainers.image.title=Tyk Gateway FIPS org.opencontainers.image.description=Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols Built with boringssl org.opencontainers.image.vendor=tyk.io org.opencontainers.image.version=${{ github.ref_name }}
- name: push fips image to prodif: ${{ matrix.golang_cross == '1.24-bullseye' }}uses: docker/build-push-action@v6with:
context: "dist"platforms: linux/amd64,linux/arm64,linux/s390xfile: ci/Dockerfile.distrolessprovenance: mode=maxsbom: truecache-from: type=ghacache-to: type=gha,mode=maxpush: ${{ startsWith(github.ref, 'refs/tags') }}tags: ${{ steps.tag_metadata_fips.outputs.tags }}labels: ${{ steps.tag_metadata_fips.outputs.labels }}build-args: | BUILD_PACKAGE_NAME=tyk-gateway-fips
- name: Docker metadata for std CI
The cleanup path removal now omits '/var/lib/dpkg' from deletion; confirm this is intentional and won't leave residual apt metadata increasing image size or CVE surface compared to previous state.
New FIPS builds add GOEXPERIMENT=boringcrypto and boringssl description; verify toolchain actually links boringcrypto for all arches (amd64/arm64/s390x) and that cross-compilers CC=... exist in the build env to avoid mismatched crypto backends.
- s390xbinary: tyk
- id: fips-amd64flags:
- -tags=goplugin,fips,boringcryptoenv:
- NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
- CC=gcc
- GOEXPERIMENT=boringcryptoldflags:
- -X github.com/TykTechnologies/tyk/internal/build.Version={{.Version}}
- -X github.com/TykTechnologies/tyk/internal/build.Commit={{.FullCommit}}
- -X github.com/TykTechnologies/tyk/internal/build.BuildDate={{.Date}}
- -X github.com/TykTechnologies/tyk/internal/build.BuiltBy=goreleasergoos:
- linuxgoarch:
- amd64binary: tyk
- id: fips-arm64flags:
- -tags=goplugin,fips,boringcryptoenv:
- NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
- CC=aarch64-linux-gnu-gcc
- GOEXPERIMENT=boringcryptoldflags:
- -X github.com/TykTechnologies/tyk/internal/build.Version={{.Version}}
- -X github.com/TykTechnologies/tyk/internal/build.Commit={{.FullCommit}}
- -X github.com/TykTechnologies/tyk/internal/build.BuildDate={{.Date}}
- -X github.com/TykTechnologies/tyk/internal/build.BuiltBy=goreleasergoos:
- linuxgoarch:
- arm64binary: tyk
- id: fips-s390xflags:
- -tags=goplugin,fips,boringcryptoenv:
- NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
- CC=s390x-linux-gnu-gcc
- GOEXPERIMENT=boringcryptoldflags:
- -X github.com/TykTechnologies/tyk/internal/build.Version={{.Version}}
- -X github.com/TykTechnologies/tyk/internal/build.Commit={{.FullCommit}}
- -X github.com/TykTechnologies/tyk/internal/build.BuildDate={{.Date}}
- -X github.com/TykTechnologies/tyk/internal/build.BuiltBy=goreleasergoos:
- linuxgoarch:
- s390xbinary: tyk
Ensure CI images don't push on non-tag branches to avoid publishing unversioned FIPS images accidentally. Align with the EE job and use the same gated push condition.
Why: Accurate match to the new CI FIPS push step and correctly proposes gating push by tags to avoid unintended image publication; impact is moderate as it reduces risk without changing build outputs.
Medium
Preserve apt state directories
Avoid deleting entire /var/lib/apt during the same layer as package operations; it can break future apt or post-install scripts. Remove apt lists and archives instead.
Why: The snippet matches the new hunk and the change is reasonable to avoid breaking apt in later layers; impact is minor since this image is later stripped, but it improves maintainability.
Low
General
Ensure amd64 baseline compatibility
Explicitly set GOAMD64=v1 for maximum compatibility when distributing FIPS binaries; default higher levels can crash on older CPUs. This mitigates runtime illegal instruction issues.
- id: fips-amd64
flags:
- -tags=goplugin,fips,boringcrypto
env:
- NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
- CC=gcc
- GOEXPERIMENT=boringcrypto
+ - GOAMD64=v1
Suggestion importance[1-10]: 5
__
Why: Matches the fips-amd64 env block and adding GOAMD64=v1 can improve compatibility on older CPUs; however, relevance depends on project’s current baseline and may affect performance, so impact is moderate.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
User description
Description
Auto generated changes by gromit to add fips compliant docker images to releases. These changes are in response to a customer request for fips compliant docker images. These are provided by using our existing fips binaries in a distroless image. THESE ARE NOT FIPS VALIDATED IMAGES. Tyk's FIPS documentation has been updated as a result of this request.
Related Issue
see this ticket. A PR has also been made against branch
release-5.8ontyk-analyticsMotivation and Context
These images were request to be included in regular releases by a client.
How This Has Been Tested
goreleaser was run locally, everything seems okay a fips image is built using the fips binary. More end to end testing is needed with the other fips components.
Types of changes
Checklist
PR Type
Enhancement, Other
Description
Add FIPS Docker builds and manifests
Enable multi-arch FIPS packages (amd64/arm64/s390x)
CI workflow pushes FIPS images to CI/prod
Adjust std Dockerfile install and cleanup
Diagram Walkthrough
File Walkthrough
release.yml
CI pipeline to build and publish FIPS images.github/workflows/release.yml
Dockerfile.std
Standard Dockerfile installs from dist and cleansci/Dockerfile.std
goreleaser.yml
Goreleaser: FIPS multi-arch builds and manifestsci/goreleaser/goreleaser.yml