Add wolfi image with boringcrypto

This PR adds a new docker image using wolfi with step-kms-plugin
compiled with boringcrypto

Author: maraino

.github/workflows/release.yml

@@ -19,12 +19,14 @@ jobs:
       DOCKER_IMAGE: smallstep/step-kms-plugin
       CLOUD_TAG: cloud
       DEBIAN_TAG: bullseye
+      WOLFI_TAG: wolfi
     outputs:
       version: ${{ steps.extract-tag.outputs.VERSION }}
       is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
       docker_tags: ${{ env.DOCKER_TAGS }}
       docker_tags_cloud: ${{ env.DOCKER_TAGS_CLOUD }}
       docker_tags_debian: ${{ env.DOCKER_TAGS_DEBIAN }}
+      docker_tags_wolfi: ${{ env.DOCKER_TAGS_WOLFI }}
     steps:
       - name: Is Pre-release
         id: is_prerelease
@@ -43,13 +45,15 @@ jobs:
           echo "DOCKER_TAGS=${{ env.DOCKER_IMAGE }}:${VERSION}" >> "${GITHUB_ENV}"
           echo "DOCKER_TAGS_CLOUD=${{ env.DOCKER_IMAGE }}:${VERSION}-${CLOUD_TAG}" >> "${GITHUB_ENV}"
           echo "DOCKER_TAGS_DEBIAN=${{ env.DOCKER_IMAGE }}:${VERSION}-${DEBIAN_TAG}" >> "${GITHUB_ENV}"
+          echo "DOCKER_TAGS_WOLFI=${{ env.DOCKER_IMAGE }}:${VERSION}-${WOLFI_TAG}" >> "${GITHUB_ENV}"
       - name: Add Latest Tag
         if: steps.is_prerelease.outputs.IS_PRERELEASE == 'false'
         run: |
           # shellcheck disable=SC2129
           echo "DOCKER_TAGS=${{ env.DOCKER_TAGS }},${{ env.DOCKER_IMAGE }}:latest" >> "${GITHUB_ENV}"
           echo "DOCKER_TAGS_CLOUD=${{ env.DOCKER_IMAGE }}:${CLOUD_TAG}" >> "${GITHUB_ENV}"
           echo "DOCKER_TAGS_DEBIAN=${{ env.DOCKER_IMAGE }}:${DEBIAN_TAG}" >> "${GITHUB_ENV}"
+          echo "DOCKER_TAGS_WOLFI=${{ env.DOCKER_IMAGE }}:${WOLFI_TAG}" >> "${GITHUB_ENV}"
       - name: Create Release
         id: create_release
         uses: actions/create-release@v1
@@ -117,3 +121,17 @@ jobs:
       docker_image: smallstep/step-kms-plugin
       docker_file: docker/Dockerfile.cloud
     secrets: inherit
+
+  build_upload_docker_wolfi:
+    name: Build & Upload Wolfi Docker Image
+    needs: create_release
+    permissions:
+      id-token: write
+      contents: write
+    uses: smallstep/workflows/.github/workflows/docker-buildx-push.yml@main
+    with:
+      platforms: linux/amd64
+      tags: ${{ needs.create_release.outputs.docker_tags_wolfi }}
+      docker_image: smallstep/step-kms-plugin
+      docker_file: docker/Dockerfile.wolfi
+    secrets: inherit

Makefile

@@ -62,7 +62,11 @@ build:
 	$Q go build -v -o $(PREFIX)bin/$(BINNAME) $(LDFLAGS) $(PKG)
 	@echo "Build Complete!"
 
-.PHONY: build
+build-fips:
+	$Q GOEXPERIMENT="boringcrypto" go build -v -tags fips,noyubikey -o $(PREFIX)bin/$(BINNAME) $(LDFLAGS) $(PKG)
+	@echo "Build Complete!"
+
+.PHONY: build build-fips
 
 #########################################
 # Go generate

cmd/fips.go

@@ -0,0 +1,20 @@
+// Copyright 2022 Smallstep Labs, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build fips
+// +build fips
+
+package cmd
+
+import _ "crypto/tls/fipsonly"

docker/Dockerfile.wolfi

@@ -0,0 +1,18 @@
+FROM cgr.dev/chainguard/wolfi-base:latest AS builder
+
+WORKDIR /src
+COPY . .
+
+RUN apk update
+RUN apk add git make pkgconf gcc go
+RUN make V=1 build-fips
+
+FROM cgr.dev/chainguard/wolfi-base:latest
+
+COPY --from=builder /src/bin/step-kms-plugin /usr/bin/step-kms-plugin
+
+USER root
+RUN apk update
+RUN apk add p11-kit
+
+CMD ["/bin/sh"]