TykTechnologies · mativm02 · May 14, 2024 · May 14, 2024 · May 14, 2024 · May 16, 2024
@@ -9,7 +9,7 @@
 
 name: Release
 on:
-  # Trigger release every monday at midnight for master CI images
+  # Trigger release every Monday at midnight for master CI images
   schedule:
     - cron: "0 0 * * 1"
   pull_request:
@@ -41,7 +41,7 @@ jobs:
             debvers: 'ubuntu/xenial ubuntu/bionic ubuntu/focal ubuntu/jammy debian/jessie debian/buster debian/bullseye debian/bookworm'
     outputs:
       tags: ${{ steps.ci_metadata.outputs.tags }}
-      commit_author: ${{ steps.fetch-author.outputs.commit_author}}
+      commit_author: ${{ steps.fetch-author.outputs.commit_author }}
     steps:
       - name: Checkout of tyk-pump
         uses: actions/checkout@v4
@@ -104,6 +104,40 @@ jobs:
           -v /tmp/build.sh:/tmp/build.sh                                         \
           -w /go/src/github.com/TykTechnologies/tyk-pump                      \
           tykio/golang-cross:${{ matrix.golang_cross }} /tmp/build.sh
+
+      - name: Build boringcrypto variant
+        env:
+          NFPM_STD_PASSPHRASE: ${{ secrets.SIGNING_KEY_PASSPHRASE }}
+          PKG_SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+          PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
+          GOEXPERIMENT: boringcrypto
+        run: |
+          echo '#!/bin/sh
+          ci/bin/unlock-agent.sh
+          git config --global url."https://${{ secrets.ORG_GH_TOKEN }}@github.com".insteadOf "https://github.com"
+          git config --global --add safe.directory /go/src/github.com/TykTechnologies/tyk-pump
+          goreleaser release --clean -f ci/goreleaser/goreleaser-boringcrypto.yml ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot --skip=sign' || '' }}' | tee /tmp/build-boringcrypto.sh
+          chmod +x /tmp/build-boringcrypto.sh
+          docker run --rm --privileged -e GITHUB_TOKEN=${{ github.token }} \
+          -e GOPRIVATE=github.com/TykTechnologies                                \
+          -e DEBVERS='${{ matrix.debvers }}'                               \
+          -e RPMVERS='${{ matrix.rpmvers }}'                               \
+          -e CGO_ENABLED=${{ matrix.cgo }}                                 \
+          -e NFPM_STD_PASSPHRASE="$NFPM_STD_PASSPHRASE"                          \
+          -e GPG_FINGERPRINT=12B5D62C28F57592D1575BD51ED14C59E37DAC20            \
+          -e PKG_SIGNING_KEY="$PKG_SIGNING_KEY"                                  \
+          -e PACKAGECLOUD_TOKEN=$PACKAGECLOUD_TOKEN                              \
+          -e GOEXPERIMENT=$GOEXPERIMENT                                          \
+          -v ${{github.workspace}}:/go/src/github.com/TykTechnologies/tyk-pump \
+          -v /var/run/docker.sock:/var/run/docker.sock                           \
+          -v ~/.docker/config.json:/root/.docker/config.json                     \
+          -e GOCACHE=/cache/go-build                                             \
+          -e GOMODCACHE=/go/pkg/mod                                              \
+          -v ~/go/pkg/mod:/go/pkg/mod                                            \
+          -v ~/.cache/go-build:/cache/go-build                                   \
+          -v /tmp/build-boringcrypto.sh:/tmp/build-boringcrypto.sh               \
+          -w /go/src/github.com/TykTechnologies/tyk-pump                      \
+          tykio/golang-cross:${{ matrix.golang_cross }} /tmp/build-boringcrypto.sh
       - uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk
@@ -143,7 +177,44 @@ jobs:
              for arch in amd64 arm64; do
                  docker tag tykio/tyk-pump-docker-pub:${build_tag}-${arch} ${tag}-${arch} && docker push ${tag}-${arch}
              done
-             docker manifest create ${tag} ${tag}-amd64 ${tag}-arm64 && docker manifest push ${tag}
+             if docker manifest inspect ${tag}; then
+                docker manifest create --amend ${tag} ${tag}-amd64 ${tag}-arm64
+             else
+                docker manifest create ${tag} ${tag}-amd64 ${tag}-arm64
+             fi
+             docker manifest push ${tag}
+          done
+      - name: Docker metadata for boringcrypto
+        id: boringcrypto_metadata
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ steps.ecr.outputs.registry }}/tyk-pump
+          flavor: |
+            latest=false
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=sha,format=long
+            type=semver,pattern=v{{major}}.{{minor}}-boringcrypto,prefix=v
+            type=semver,pattern=v{{version}}-boringcrypto,prefix=v
+      - name: Push boringcrypto image
+        shell: bash
+        env:
+          t: ${{ steps.boringcrypto_metadata.outputs.tags }}
+          build_tag: ${{ startswith(github.ref, 'refs/tags') && github.ref_name || 'v0.0.0' }}
+        run: |
+          set +e
+          IFS=$'\n' tags=($t)
+          for tag in "${tags[@]}"; do
+             for arch in amd64; do
+                 docker tag tykio/tyk-pump-docker-pub:${build_tag}-${arch} ${tag}-${arch} && docker push ${tag}-${arch}
+             done
+             if docker manifest inspect ${tag}; then
+                docker manifest create --amend ${tag} ${tag}-amd64
+             else
+                docker manifest create ${tag} ${tag}-amd64
+             fi
+             docker manifest push ${tag}
           done
       - uses: actions/upload-artifact@v4
         if: ${{ matrix.golang_cross == '1.21-bookworm' }}
@@ -161,6 +232,7 @@ jobs:
           path: |
             dist/*.rpm
             !dist/*PAYG*.rpm
+
   test-controller-api:
     needs: goreleaser
     runs-on: ubuntu-latest-m-2
@@ -353,6 +425,7 @@ jobs:
           SLACK_USERNAME: API INTEGRATION TESTS
           SLACK_MESSAGE: "*Test*: ${{ matrix.db }}-${{ matrix.conf }}, *Author*: ${{ steps.fetch_slack_user.outputs.slack-user-name }}"
           SLACK_FOOTER: "<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|SEE EXECUTION DETAILS HERE>"
+
   distroless:
     runs-on: ubuntu-latest
     needs: goreleaser
@@ -406,6 +479,7 @@ jobs:
           push: ${{ startsWith(github.ref, 'refs/tags') }}
           tags: ${{ steps.distroless_metadata.outputs.tags }}
           labels: ${{ steps.distroless_metadata.outputs.labels }}
+
   upgrade-deb:
     services:
       httpbin.org:
@@ -450,6 +524,7 @@ jobs:
           platforms: linux/${{ matrix.arch }}
           file: Dockerfile
           push: false
+
   upgrade-rpm:
     services:
       httpbin.org:
@@ -490,6 +565,7 @@ jobs:
           context: "."
           file: Dockerfile
           push: false
+
   sbom:
     needs: goreleaser
     uses: TykTechnologies/github-actions/.github/workflows/sbom.yaml@main

diff --git a/bin/ci-test.sh b/bin/ci-test.sh
@@ -49,11 +49,15 @@ do
         for mongo_driver in "${MONGO_DRIVERS[@]}"; do
             echo "Running tests with MONGO_DRIVER=$mongo_driver"
             export MONGO_DRIVER=$mongo_driver
-            coveragefile=`echo "$pkg" | awk -F/ '{print $NF}'`
+            coveragefile=$(echo "$pkg" | awk -F/ '{print $NF}')
             show go test -timeout ${TEST_TIMEOUT} ${race} --coverprofile=${coveragefile}.cov -v ${pkg}
         done
     else
-        coveragefile=`echo "$pkg" | awk -F/ '{print $NF}'`
+        coveragefile=$(echo "$pkg" | awk -F/ '{print $NF}')
         show go test -timeout ${TEST_TIMEOUT} ${race} --coverprofile=${coveragefile}.cov -v ${pkg}
     fi
+
+    echo "Running tests with GOEXPERIMENT=boringcrypto"
+    export GOEXPERIMENT=boringcrypto
+    show go test -tags=boringcrypto -timeout ${TEST_TIMEOUT} ${race} --coverprofile=${coveragefile}.cov -v ${pkg}
 done
@@ -1,9 +1,11 @@
-# Generated by: gromit policy
+# ci/Dockerfile.std
 
 FROM debian:bookworm-slim
 ARG TARGETARCH
+ARG GOEXPERIMENT
 
 ENV DEBIAN_FRONTEND=noninteractive
+ENV GOEXPERIMENT=${GOEXPERIMENT}
 
 RUN apt-get update \
     && apt-get dist-upgrade -y ca-certificates

@@ -0,0 +1,100 @@
+# ci/goreleaser/goreleaser-boringcrypto.yml
+# Similar to the existing goreleaser.yml but with boringcrypto tags
+builds:
+  - id: std
+    ldflags:
+      - -X github.com/TykTechnologies/tyk-pump/pumps.Version={{.Version}}
+      - -X github.com/TykTechnologies/tyk-pump/pumps.Commit={{.FullCommit}}
+      - -X github.com/TykTechnologies/tyk-pump/pumps.BuildDate={{.Date}}
+      - -X github.com/TykTechnologies/tyk-pump/pumps.BuiltBy=goreleaser
+    goos:
+      - linux
+    goarch:
+      - amd64
+    binary: tyk-pump
+    tags:
+      - boringcrypto
+dockers:
+  - ids:
+      - std
+    image_templates:
+      - "tykio/tyk-pump-docker-pub:{{.Tag}}-amd64-boringcrypto"
+    build_flag_templates:
+      - "--build-arg=PORTS=80"
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+    use: buildx
+    goarch: amd64
+    goos: linux
+    dockerfile: ci/Dockerfile.std
+    extra_files:
+      - "ci/install/"
+      - "README.md"
+      - "LICENSE.md"
+      - "pump.example.conf"
+docker_manifests:
+  - name_template: tykio/tyk-pump-docker-pub:{{ .Tag }}-boringcrypto
+    image_templates:
+      - tykio/tyk-pump-docker-pub:{{ .Tag }}-amd64-boringcrypto
+nfpms:
+  - id: std
+    vendor: "Tyk Technologies Ltd"
+    homepage: "https://tyk.io"
+    maintainer: "Tyk <info@tyk.io>"
+    description: Tyk Analytics Pump to move analytics data from Redis to any supported back end (multiple back ends can be written to at once).
+    package_name: tyk-pump
+    file_name_template: "{{ .ConventionalFileName }}"
+    builds:
+      - std
+    formats:
+      - deb
+      - rpm
+    contents:
+      - src: "README.md"
+        dst: "/opt/share/docs/tyk-pump/README.md"
+      - src: "ci/install/*"
+        dst: "/opt/tyk-pump/install"
+      - src: ci/install/inits/systemd/system/tyk-pump.service
+        dst: /lib/systemd/system/tyk-pump.service
+      - src: ci/install/inits/sysv/init.d/tyk-pump
+        dst: /etc/init.d/tyk-pump
+      - src: "LICENSE.md"
+        dst: "/opt/share/docs/tyk-pump/LICENSE.md"
+      - src: pump.example.conf
+        dst: /opt/tyk-pump/pump.conf
+        type: "config|noreplace"
+    scripts:
+      preinstall: "ci/install/before_install.sh"
+      postinstall: "ci/install/post_install.sh"
+      postremove: "ci/install/post_remove.sh"
+    bindir: "/opt/tyk-pump"
+    rpm:
+      scripts:
+        posttrans: ci/install/post_trans.sh
+      signature:
+        key_file: tyk.io.signing.key
+    deb:
+      signature:
+        key_file: tyk.io.signing.key
+        type: origin
+publishers:
+  - name: tyk-pump-unstable
+    env:
+      - PACKAGECLOUD_TOKEN={{ .Env.PACKAGECLOUD_TOKEN }}
+    cmd: packagecloud publish --debvers "{{ .Env.DEBVERS }}" --rpmvers "{{ .Env.RPMVERS }}" tyk/tyk-pump-unstable {{ .ArtifactPath }}
+archives:
+  - format: binary
+    allow_different_binary_count: true
+checksum:
+  disable: true
+release:
+  disable: true
+  github:
+    owner: TykTechnologies
+    name: tyk-pump
+  prerelease: auto
+  draft: true
+  name_template: "{{.ProjectName}}-v{{.Version}}"
@@ -139,4 +139,4 @@ release:
     name: tyk-pump
   prerelease: auto
   draft: true
-  name_template: "{{.ProjectName}}-v{{.Version}}"
+  name_template: "{{.ProjectName}}-v{{.Version}}"
diff --git a/pumps/fips.go b/pumps/fips.go
@@ -0,0 +1,6 @@
+//go:build boringcrypto
+// +build boringcrypto
+
+package pumps
+
+import _ "crypto/tls/fipsonly"