From 99277c713d5de1fbf5dd9b210d1427af5f6aa2bb Mon Sep 17 00:00:00 2001
From: Josh Drake
Date: Mon, 4 Dec 2023 10:11:13 -0600
Subject: [PATCH] Add FIPS build.
---
 Makefile | 7 +++++++
 docker/Dockerfile.fips | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 docker/Dockerfile.fips
diff --git a/Makefile b/Makefile
index 630b54b9..69d3fecb 100644
--- a/Makefile
+++ b/Makefile
@@ -85,10 +85,17 @@ download:
 build: $(PREFIX)bin/$(BINNAME)
 @echo "Build Complete!"
+build-fips: $(PREFIX)bin/$(BINNAME).fips
+ @echo "Build Complete!"
+
 $(PREFIX)bin/$(BINNAME): download $(call rwildcard,*.go)
 $Q mkdir -p $(@D)
 $Q $(GOOS_OVERRIDE) GOFLAGS="$(GOFLAGS)" $(GO_ENVS) go build -v -o $(PREFIX)bin/$(BINNAME) $(LDFLAGS) $(PKG)
+$(PREFIX)bin/$(BINNAME).fips: download $(call rwildcard,*.go)
+ $Q mkdir -p $(@D)
+ $Q $(GOOS_OVERRIDE) GOFLAGS="$(GOFLAGS)" $(GO_ENVS) GOEXPERIMENT="boringcrypto" go build -v -o $(PREFIX)bin/$(BINNAME).fips $(LDFLAGS) $(PKG)
+
 # Target to force a build of step-ca without running tests
 simple: build
diff --git a/docker/Dockerfile.fips b/docker/Dockerfile.fips
new file mode 100644
index 00000000..bd907985
--- /dev/null
+++ b/docker/Dockerfile.fips
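Review bot: The new `$(PREFIX)bin/$(BINNAME).fips` rule sets `GOEXPERIMENT="boringcrypto"` but never checks that BoringCrypto actually ended up in the binary, so a build where the experiment is ignored still prints "Build Complete!" and ships an ordinary Go-crypto binary under the `.fips` name. As far as I know the experiment only takes effect for cgo-enabled linux/amd64 and linux/arm64 builds and `go build` is silent otherwise; `$(GOOS_OVERRIDE)` and `$(GO_ENVS)` are defined outside this hunk, so I cannot tell from here whether they keep cgo on. I would add a post-build assertion as the last recipe line, e.g. `$Q go tool nm $@ | grep -q _goboringcrypto_ || { $(RM) $@; echo "BoringCrypto not linked into $@" >&2; exit 1; }`, and use `$@` in the `-o` argument instead of repeating `$(PREFIX)bin/$(BINNAME).fips`. The two rules now differ only in that one environment variable, so a single pattern rule with a target-specific variable would avoid keeping the two copies in sync by hand.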
@@ -0,0 +1,32 @@
+FROM golang:alpine AS builder
+
+WORKDIR /src
+COPY . .
+
+RUN apk add --no-cache curl git make libcap
+RUN make V=1 build-fips
+RUN setcap CAP_NET_BIND_SERVICE=+eip bin/step-ca.fips
+
+FROM smallstep/step-kms-plugin:fips AS kms
+
+FROM smallstep/step-cli:fips AS cli
+
+FROM smallstep/alpine-fips
+
+COPY --from=builder /src/bin/step-ca.fips /usr/local/bin/step-ca
+COPY --from=kms /usr/local/bin/step-kms-plugin /usr/local/bin/step-kms-plugin
+COPY --from=cli /usr/local/bin/step /usr/local/bin/step
+
+USER step
+
+ENV CONFIGPATH="/home/step/config/ca.json"
+ENV PWDPATH="/home/step/secrets/password"
+
+VOLUME ["/home/step"]
+STOPSIGNAL SIGTERM
+HEALTHCHECK CMD step ca health 2>/dev/null | grep "^ok" >/dev/null
+
+COPY docker/entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
+CMD exec /usr/local/bin/step-ca --password-file $PWDPATH $CONFIGPATH
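Review bot: The builder stage installs no C toolchain (`RUN apk add --no-cache curl git make libcap`) yet `RUN make V=1 build-fips` relies on `GOEXPERIMENT=boringcrypto`, which as far as I know is cgo-only; with a Go 1.20 or newer toolchain cgo is switched off automatically when no C compiler is found, so this stage is likely to produce an ordinary Go-crypto binary and then install it as the FIPS `/usr/local/bin/step-ca`. I would install the compiler and make cgo explicit, `RUN apk add --no-cache curl git make libcap gcc musl-dev` and `RUN CGO_ENABLED=1 make V=1 build-fips`, and fail the image build if the linked symbols do not show BoringCrypto, e.g. `RUN go tool nm bin/step-ca.fips | grep -q _goboringcrypto_`. For a compliance-relevant artifact, `golang:alpine` and the three `smallstep/*:fips` base images should also be pinned to an explicit version or digest so the toolchain that supplied BoringCrypto is reproducible.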