Build Windows image for FIPS use cases (#5725)

atoulme · web-flow · commit 3231ccd15af7 · 2024-12-17T22:59:23.000-08:00
* add windows fips image

* fix trigger

* trigger

* matrix

* more fixes

* ci changes

* path to windows executable

* build directory

* fix working directory

* wait for fips image to be ready

* missing hyphen

* fix the latest tag tagging

* more multiarch fixes

* remove the branch trigger

* add changelog
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -1069,16 +1069,161 @@ build-push-windows-image:
     paths:
       - tags_to_sign_${WIN_VERSION}
 
+build-push-windows-fips-image:
+  extends: .trigger-filter
+  stage: release
+  parallel:
+    matrix:
+      - WIN_VERSION: ["2019", "2022"]
+  dependencies:
+    - sign-exe
+  tags:
+    - splunk-otel-collector-windows${WIN_VERSION}
+  retry: 2
+  variables:
+    ErrorActionPreference: stop
+  before_script:
+    - New-Item -Type dir .\cmd\otelcol\fips\dist
+    - Copy-Item .\dist\signed\otelcol-fips_windows_amd64.exe .\cmd\otelcol\fips\dist\otelcol-fips_windows_amd64.exe
+    - &get-base-image |
+      if ($env:WIN_VERSION -eq "2019") {
+        $BASE_IMAGE = $env:WIN_2019_BASE_IMAGE
+      } else {
+        $BASE_IMAGE = $env:WIN_2022_BASE_IMAGE
+      }
+    - |
+      docker pull $BASE_IMAGE
+      if ($LASTEXITCODE -ne 0) { exit 1 }
+    - &delete-all-images-except-base |
+      # Delete all images except the base image
+      $base_id = $(docker images -q $BASE_IMAGE)
+      foreach ($id in $(docker images -a -q | Get-Unique)) {
+        if ($id -ne $base_id) {
+          docker rmi -f $id
+        }
+      }
+    - docker system prune --force
+  script:
+    - |
+      docker login -u $env:CIRCLECI_QUAY_USERNAME -p $env:CIRCLECI_QUAY_PASSWORD quay.io
+      if ($LASTEXITCODE -ne 0) { exit 1 }
+    - |
+      # Set env vars
+      if ($env:CI_COMMIT_TAG) {
+        $IMAGE_NAME = "quay.io/signalfx/splunk-otel-collector-fips"
+        $OLD_IMAGE_NAME = "quay.io/signalfx/splunk-otel-collector-fips-windows"
+        $tagNumber = $env:CI_COMMIT_TAG.TrimStart("v")
+        $IMAGE_TAG = "${tagNumber}-${env:WIN_VERSION}"
+      } else {
+        $IMAGE_NAME = "quay.io/signalfx/splunk-otel-collector-fips-dev"
+        $OLD_IMAGE_NAME = "quay.io/signalfx/splunk-otel-collector-fips-windows-dev"
+        $IMAGE_TAG = "${env:CI_COMMIT_SHA}-${env:WIN_VERSION}"
+      }
+      $LATEST_TAG = ""
+      if ($env:CI_COMMIT_BRANCH -eq "main" -or $env:CI_COMMIT_TAG -match '^v\d+\.\d+\.\d+$') {
+        # Only push latest tag for main and stable releases
+        $LATEST_TAG = "latest-${env:WIN_VERSION}"
+      }
+    - $JMX_METRIC_GATHERER_RELEASE = $(Get-Content packaging\jmx-metric-gatherer-release.txt)
+    - |
+      echo "Building ${IMAGE_NAME}:${IMAGE_TAG}"
+      docker build -t ${IMAGE_NAME}:${IMAGE_TAG} --build-arg BASE_IMAGE=${BASE_IMAGE} --build-arg JMX_METRIC_GATHERER_RELEASE=${JMX_METRIC_GATHERER_RELEASE} -f .\cmd\otelcol\fips\Dockerfile.windows .\cmd\otelcol\fips
+      if ($LASTEXITCODE -ne 0) { exit 1 }
+    - |
+      echo "Pushing ${IMAGE_NAME}:${IMAGE_TAG}"
+      docker push ${IMAGE_NAME}:${IMAGE_TAG}
+      if ($LASTEXITCODE -ne 0) { exit 1 }
+    - |
+      # DEPRECATED: Push image to the windows repo
+      echo "Tagging and pushing ${OLD_IMAGE_NAME}:${IMAGE_TAG}"
+      docker tag ${IMAGE_NAME}:${IMAGE_TAG} ${OLD_IMAGE_NAME}:${IMAGE_TAG}
+      if ($LASTEXITCODE -ne 0) { exit 1 }
+      docker push ${OLD_IMAGE_NAME}:${IMAGE_TAG}
+      if ($LASTEXITCODE -ne 0) { exit 1 }
+    - |
+      echo "Getting os.version from ${BASE_IMAGE}"
+      $os_version = (docker manifest inspect $BASE_IMAGE | ConvertFrom-Json).manifests[0].platform."os.version"
+      if ($LASTEXITCODE -ne 0) { exit 1 }
+      echo "$os_version"
+    - |
+      echo "Creating and pushing ${IMAGE_NAME}:${IMAGE_TAG} manifest"
+      docker manifest rm ${IMAGE_NAME}:${IMAGE_TAG}
+      docker manifest create ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${IMAGE_TAG}
+      if ($LASTEXITCODE -ne 0) { exit 1 }
+      docker manifest annotate --os "windows" --arch "amd64" --os-version ${os_version} ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${IMAGE_TAG}
+      if ($LASTEXITCODE -ne 0) { exit 1 }
+      docker manifest push ${IMAGE_NAME}:${IMAGE_TAG} --purge
+      if ($LASTEXITCODE -ne 0) { exit 1 }
+    - |
+      # DEPRECATED: Push manifest to the windows repo
+      echo "Creating and pushing ${OLD_IMAGE_NAME}:${IMAGE_TAG} manifest"
+      docker manifest rm ${OLD_IMAGE_NAME}:${IMAGE_TAG}
+      docker manifest create ${OLD_IMAGE_NAME}:${IMAGE_TAG} ${OLD_IMAGE_NAME}:${IMAGE_TAG}
+      if ($LASTEXITCODE -ne 0) { exit 1 }
+      docker manifest annotate --os "windows" --arch "amd64" --os-version ${os_version} ${OLD_IMAGE_NAME}:${IMAGE_TAG} ${OLD_IMAGE_NAME}:${IMAGE_TAG}
+      if ($LASTEXITCODE -ne 0) { exit 1 }
+      docker manifest push ${OLD_IMAGE_NAME}:${IMAGE_TAG} --purge
+      if ($LASTEXITCODE -ne 0) { exit 1 }
+    - |
+      if ($LATEST_TAG) {
+        echo "Tagging and pushing ${IMAGE_NAME}:${LATEST_TAG}"
+        docker tag ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${LATEST_TAG}
+        if ($LASTEXITCODE -ne 0) { exit 1 }
+        docker push ${IMAGE_NAME}:${LATEST_TAG}
+        if ($LASTEXITCODE -ne 0) { exit 1 }
+        echo "Creating and pushing ${IMAGE_NAME}:${LATEST_TAG} manifest"
+        docker manifest rm ${IMAGE_NAME}:${LATEST_TAG}
+        docker manifest create ${IMAGE_NAME}:${LATEST_TAG} ${IMAGE_NAME}:${LATEST_TAG}
+        if ($LASTEXITCODE -ne 0) { exit 1 }
+        docker manifest annotate --os "windows" --arch "amd64" --os-version ${os_version} ${IMAGE_NAME}:${LATEST_TAG} ${IMAGE_NAME}:${LATEST_TAG}
+        if ($LASTEXITCODE -ne 0) { exit 1 }
+        docker manifest push ${IMAGE_NAME}:${LATEST_TAG} --purge
+        if ($LASTEXITCODE -ne 0) { exit 1 }
+      }
+    - |
+      # DEPRECATED: Push latest tag to the windows repo
+      if ($LATEST_TAG) {
+        echo "Tagging and pushing ${OLD_IMAGE_NAME}:${LATEST_TAG}"
+        docker tag ${OLD_IMAGE_NAME}:${IMAGE_TAG} ${OLD_IMAGE_NAME}:${LATEST_TAG}
+        if ($LASTEXITCODE -ne 0) { exit 1 }
+        docker push ${OLD_IMAGE_NAME}:${LATEST_TAG}
+        if ($LASTEXITCODE -ne 0) { exit 1 }
+        echo "Creating and pushing ${OLD_IMAGE_NAME}:${LATEST_TAG} manifest"
+        docker manifest rm ${OLD_IMAGE_NAME}:${LATEST_TAG}
+        docker manifest create ${OLD_IMAGE_NAME}:${LATEST_TAG} ${OLD_IMAGE_NAME}:${LATEST_TAG}
+        if ($LASTEXITCODE -ne 0) { exit 1 }
+        docker manifest annotate --os "windows" --arch "amd64" --os-version ${os_version} ${OLD_IMAGE_NAME}:${LATEST_TAG} ${OLD_IMAGE_NAME}:${LATEST_TAG}
+        if ($LASTEXITCODE -ne 0) { exit 1 }
+        docker manifest push ${OLD_IMAGE_NAME}:${LATEST_TAG} --purge
+        if ($LASTEXITCODE -ne 0) { exit 1 }
+      }
+    - echo "${IMAGE_NAME}:${IMAGE_TAG}" > tags
+    - echo "${OLD_IMAGE_NAME}:${IMAGE_TAG}" >> tags
+    - (Get-Content -Raw -Path tags) -replace "`r`n", "`n"| Set-Content -NoNewline tags_to_sign_${env:WIN_VERSION}-fips
+  after_script:
+    - *get-base-image
+    - *delete-all-images-except-base
+    - docker system prune --force
+    - |
+      if (Test-Path -Path C:\Users\Administrator\Desktop\ops-scripts\docker-leak-check.exe) {
+        C:\Users\Administrator\Desktop\ops-scripts\docker-leak-check.exe -remove
+      }
+  artifacts:
+    paths:
+      - tags_to_sign_${WIN_VERSION}-fips
+
 sign-windows-image:
   extends: .sign-docker
   stage: release
   parallel:
     matrix:
       - WIN_VERSION: ["2019", "2022"]
+        FIPS: ["-fips", ""]
   needs:
     - build-push-windows-image
+    - build-push-windows-fips-image
   before_script:
-    - mv tags_to_sign_${WIN_VERSION} tags_to_sign
+    - mv tags_to_sign_${WIN_VERSION}${FIPS} tags_to_sign
 
 release-debs:
   extends:
@@ -1244,6 +1389,7 @@ push-multiarch-manifest:
   parallel:
     matrix:
       - MANIFEST: [multiarch, windows_multiarch]
+        FIPS: ["-fips",""]
   needs:
     - sign-linux-image
     - sign-windows-image
@@ -1256,12 +1402,12 @@ push-multiarch-manifest:
     - |
       # Set env vars
       if [[ -n "${CI_COMMIT_TAG:-}" ]]; then
-        MANIFEST_NAME="quay.io/signalfx/splunk-otel-collector"
-        WIN_MANIFEST_NAME="quay.io/signalfx/splunk-otel-collector-windows"
+        MANIFEST_NAME="quay.io/signalfx/splunk-otel-collector${FIPS}"
+        WIN_MANIFEST_NAME="quay.io/signalfx/splunk-otel-collector${FIPS}-windows"
         MANIFEST_TAG=${CI_COMMIT_TAG#v}
       else
-        MANIFEST_NAME="quay.io/signalfx/splunk-otel-collector-dev"
-        WIN_MANIFEST_NAME="quay.io/signalfx/splunk-otel-collector-windows-dev"
+        MANIFEST_NAME="quay.io/signalfx/splunk-otel-collector${FIPS}-dev"
+        WIN_MANIFEST_NAME="quay.io/signalfx/splunk-otel-collector${FIPS}-windows-dev"
         MANIFEST_TAG=${CI_COMMIT_SHA}
       fi
       LATEST_TAG=""
@@ -1303,14 +1449,19 @@ push-multiarch-manifest:
         echo "$json"
         # Check number of images in the manifest
         count=$( echo "$json" | jq -r ".manifests | length" )
-        if [[ "$MANIFEST" = "multiarch" && $count -ne 5 ]]; then
+        if [[ "$MANIFEST" = "multiarch" && "$FIPS" == "" && $count -ne 5 ]]; then
+          exit 1
+        elif [[ "$MANIFEST" = "multiarch" && "$FIPS" == "-fips" && $count -ne 4 ]]; then
           exit 1
         elif [[ "$MANIFEST" = "windows_multiarch" && $count -ne 2 ]]; then
           exit 1
         fi
         # Check the manifest for the linux images
         if [[ "$MANIFEST" != "windows_multiarch" ]]; then
           for arch in "amd64" "arm64" "ppc64le"; do
+            if [[ "$FIPS" != "" && "$arch" == "ppc64le" ]]; then
+              continue
+            fi
             found=$( echo "$json" | jq -r ".manifests[] | select(.platform.architecture == \"${arch}\" and .platform.os == \"linux\")" )
             if [[ -z "$found" ]]; then
               echo "linux/${arch} not found in ${MANIFEST_NAME}:${tag}"
@@ -1342,7 +1493,7 @@ push-multiarch-manifest:
       fi
     - mkdir -p dist
     - echo "[${MANIFEST_NAME}@${digest}]" | tee dist/${MANIFEST}_digest.txt
-    - echo "${MANIFEST_NAME}:${MANIFEST_TAG}" > tags_to_sign_${MANIFEST}
+    - echo "${MANIFEST_NAME}:${MANIFEST_TAG}" > tags_to_sign_${MANIFEST}${FIPS}
     - if [[ "$CI_COMMIT_BRANCH" != "main" || "$MANIFEST" != "multiarch" ]]; then exit 0; fi
     # Push the multiarch manifest for the main branch to the docker-test artifactory repo for xray scanning
     # TODO: Add new job to trigger xray scanning for the manifest whenever it is supported
@@ -1354,18 +1505,19 @@ push-multiarch-manifest:
   artifacts:
     paths:
       - dist/${MANIFEST}_digest.txt
-      - tags_to_sign_${MANIFEST}
+      - tags_to_sign_${MANIFEST}${FIPS}
 
 sign-multiarch-manifest:
   extends: .sign-docker
   stage: docker-manifest-release
   parallel:
     matrix:
       - MANIFEST: [multiarch, windows_multiarch]
+        FIPS: ["-fips",""]
   needs:
     - push-multiarch-manifest
   before_script:
-    - mv tags_to_sign_${MANIFEST} tags_to_sign
+    - mv tags_to_sign_${MANIFEST}${FIPS} tags_to_sign
 
 xray-scan-docker:
   only:
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -38,6 +38,7 @@
                   port: 8888
   ```
   This also removes a warning about deprecated `service::telemetry::metrics::address`.
+- (Splunk) Publish a FIPS-140 compliant Docker [images](https://quay.io/repository/signalfx/splunk-otel-collector-fips?tab=tags) and binaries for Linux and Windows. ([#5725](https://github.com/signalfx/splunk-otel-collector/pull/5725))
 - (Core) `exporterqueue`: Introduce a feature gate exporter.UsePullingBasedExporterQueueBatcher to use the new pulling model in exporter queue batching. ([#8122](https://github.com/open-telemetry/opentelemetry-collector/pull/8122), [#10368](https://github.com/open-telemetry/opentelemetry-collector/pull/10368))
   If both queuing and batching is enabled for exporter, we now use a pulling model instead of a
   pushing model. num_consumer in queue configuration is now used to specify the maximum number of
