Link Kubernetes against BoringCrypto, release-1.20 edition

This commit includes support both for the dockerized make build flow as well as bazel, though bazel builds require the glibc-source package to be installed with apt. Key changes compared to upstream: * force all binaries to be dynamically linked * force fipsonly encryption on kubectl * include glibc source in kubernetes-src.tar.gz * include glibc, go stdlib, and boringSSL licenses in LICENSES This was cherry-picked from the release-1.19 branch. Original Change-Id: Ic6fdb03f3340e0b4548c2c586570ab2d35fc7ef3 - OSS changed a singular LICENSES file to a LICENSES directory tree in kubernetes#90575 This commit: * restores OSS changes in build/lib/release.sh and build/root/BUILD.root * rewrites the boringcrypto build additions to copy licenses into LICENSES/host/... subdirs This commit should be squashed into the BoringCrypto commit. Original Change-Id: I1346440f0be318e40bcdae74afe1b7dbc87f51ef - Rebase core images on an internal go-runner which contains glibc. GKE's boringcrypto-patched binaries require glibc at runtime. bug=167220504 bug=170986849 Original Change-Id: I1dbc0ca45379e80b746a1a334a214087408f716f Change-Id: I56c4148b1a0e665ce5c86a945bb35a98bd5ea581
jingxu97 · Feb 26, 2021 · e2b5809 · e2b5809
1 parent 345b02c
commit e2b5809
Show file tree

Hide file tree

Showing 24 changed files with 290 additions and 64 deletions.
diff --git a/build/build-image/Dockerfile b/build/build-image/Dockerfile
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # This file creates a standard build environment for building Kubernetes
-FROM k8s.gcr.io/build-image/kube-cross:KUBE_BUILD_IMAGE_CROSS_TAG
+FROM gcr.io/gke-release-staging/kube-cross:KUBE_BUILD_IMAGE_CROSS_TAG
 
 # Mark this as a kube-build container
 RUN touch /kube-build-image

diff --git a/build/build-image/cross/VERSION b/build/build-image/cross/VERSION
@@ -1 +1 @@
-v1.15.8-legacy-1
+v1.15.8b5-1
diff --git a/build/common.sh b/build/common.sh
@@ -94,13 +94,19 @@ readonly KUBE_CONTAINER_RSYNC_PORT=8730
 # $1 - server architecture
 kube::build::get_docker_wrapped_binaries() {
   local debian_iptables_version=buster-v1.3.0
-  local go_runner_version=buster-v2.3.1
+  local go_runner_version=20200918_1114_RC0
   ### If you change any of these lists, please also update DOCKERIZED_BINARIES
   ### in build/BUILD. And kube::golang::server_image_targets
   local targets=(
-    "kube-apiserver,${KUBE_BASE_IMAGE_REGISTRY}/go-runner:${go_runner_version}"
-    "kube-controller-manager,${KUBE_BASE_IMAGE_REGISTRY}/go-runner:${go_runner_version}"
-    "kube-scheduler,${KUBE_BASE_IMAGE_REGISTRY}/go-runner:${go_runner_version}"
+    # GKE's boringcrypto-patched binaries require glibc, which is not present
+    # in the OSS `go-runner` image. `go-runner-libc` is based on
+    # `gke-distroless/libc` image with a `go-runner` binary mirrored into google3 from
+    # https://github.com/kubernetes/release/blob/master/images/build/go-runner/go-runner.go
+    # For release history, see: http://rapid/gke_distroless
+    # For source, see: http://google3/cloud/kubernetes/distro/images/base/BUILD
+    "kube-apiserver,gke.gcr.io/gke-distroless/go-runner-libc:${go_runner_version}"
+    "kube-controller-manager,gke.gcr.io/gke-distroless/go-runner-libc:${go_runner_version}"
+    "kube-scheduler,gke.gcr.io/gke-distroless/go-runner-libc:${go_runner_version}"
     "kube-proxy,${KUBE_BASE_IMAGE_REGISTRY}/debian-iptables:${debian_iptables_version}"
   )
 
@@ -741,6 +747,7 @@ function kube::build::copy_output() {
     --filter='+ /vendor/' \
     --filter='+ /staging/***/Godeps/**' \
     --filter='+ /_output/dockerized/bin/**' \
+    --filter='+ /_output/dockerized/src/**' \
     --filter='+ zz_generated.*' \
     --filter='+ generated.proto' \
     --filter='+ *.pb.go' \

diff --git a/build/copy-host-source.sh b/build/copy-host-source.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Tars up host source dependences into the _output directory, and licenses into a _output/src/LICENSES/host directory.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+KUBE_ROOT=$(dirname "${BASH_SOURCE}")/..
+source "${KUBE_ROOT}/build/common.sh"
+
+mkdir -p "${KUBE_OUTPUT}/src"
+rm -f "${KUBE_OUTPUT}/src/*.tar"
+tar cf "${KUBE_OUTPUT}/src/glibc.tar" -C /usr/src glibc
+
+HOST_LICENSES_DIR="${KUBE_OUTPUT}/src/LICENSES/host"
+rm -fr "${HOST_LICENSES_DIR}"
+
+format_license() {
+  local -r host_licenses_dir=$1
+  local -r dep=$2
+  local -r src_license=$3
+  local dep_license_dir="${host_licenses_dir}/${dep}"
+  mkdir -p "${dep_license_dir}"
+  (
+    echo
+    echo "= ${dep} licensed under: ="
+    echo
+    cat "${src_license}"
+    echo
+  ) >"${dep_license_dir}/LICENSE"
+}
+
+# If you change this list, also be sure to change build/licenses.bzl.
+format_license "${HOST_LICENSES_DIR}" "glibc"    /usr/src/glibc/debian/copyright
+format_license "${HOST_LICENSES_DIR}" "go"       /usr/local/go/LICENSE
+format_license "${HOST_LICENSES_DIR}" "goboring" /usr/local/go/src/crypto/internal/boring/LICENSE
diff --git a/build/lib/release.sh b/build/lib/release.sh
@@ -105,21 +105,32 @@ function kube::release::package_tarballs() {
 
 # Package the source code we built, for compliance/licensing/audit/yadda.
 function kube::release::package_src_tarball() {
-  local -r src_tarball="${RELEASE_TARS}/kubernetes-src.tar.gz"
+  local -r src_tarball="${RELEASE_TARS}/kubernetes-src.tar"
   kube::log::status "Building tarball: src"
-  if [[ "${KUBE_GIT_TREE_STATE-}" = 'clean' ]]; then
-    git archive -o "${src_tarball}" HEAD
+  if [[ "${KUBE_GIT_TREE_STATE-}" == "clean" ]]; then
+    git archive -o "${src_tarball}" HEAD --prefix=kubernetes/
   else
-    find "${KUBE_ROOT}" -mindepth 1 -maxdepth 1 \
-      ! \( \
-        \( -path "${KUBE_ROOT}"/_\*       -o \
-           -path "${KUBE_ROOT}"/.git\*    -o \
-           -path "${KUBE_ROOT}"/.config\* -o \
-           -path "${KUBE_ROOT}"/.gsutil\*    \
-        \) -prune \
-      \) -print0 \
-    | "${TAR}" czf "${src_tarball}" --transform "s|${KUBE_ROOT#/*}|kubernetes|" --null -T -
+    local source_files=(
+      $(cd "${KUBE_ROOT}" && find . -mindepth 1 -maxdepth 1 \
+        -not \( \
+          \( -path ./_\*        -o \
+             -path ./.git\*     -o \
+             -path ./.config\* -o \
+             -path ./.gsutil\*    \
+          \) -prune \
+        \))
+    )
+    "${TAR}" cf "${src_tarball}" --transform "flags=r;s|^\./|kubernetes/|" \
+      -C "${KUBE_ROOT}" "${source_files[@]}"
   fi
+  # Include sources of host build dependencies for compliance.
+  # The tarballs in here were generated by running build/copy-host-source.sh
+  # inside the build container.
+  local dep_src_tar
+  for dep_src_tar in "${LOCAL_OUTPUT_SUBPATH}"/src/*.tar; do
+    "${TAR}" Af "${src_tarball}" "${dep_src_tar}"
+  done
+  gzip "${src_tarball}"
 }
 
 # Package up all of the cross compiled clients. Over time this should grow into
@@ -204,6 +215,7 @@ function kube::release::package_node_tarballs() {
       "${release_stage}/node/bin/"
 
     cp -R "${KUBE_ROOT}/LICENSES" "${release_stage}/"
+    cp -R "${LOCAL_OUTPUT_SUBPATH}/src/LICENSES/host" "${release_stage}/LICENSES/"
 
     cp "${RELEASE_TARS}/kubernetes-src.tar.gz" "${release_stage}/"
 
@@ -276,6 +288,7 @@ function kube::release::package_server_tarballs() {
       "${release_stage}/server/bin/"
 
     cp -R "${KUBE_ROOT}/LICENSES" "${release_stage}/"
+    cp -R "${LOCAL_OUTPUT_SUBPATH}/src/LICENSES/host" "${release_stage}/LICENSES/"
 
     cp "${RELEASE_TARS}/kubernetes-src.tar.gz" "${release_stage}/"
 
@@ -566,6 +579,7 @@ EOF
   cp -R "${KUBE_ROOT}/docs" "${release_stage}/"
   cp "${KUBE_ROOT}/README.md" "${release_stage}/"
   cp -R "${KUBE_ROOT}/LICENSES" "${release_stage}/"
+  cp -R "${LOCAL_OUTPUT_SUBPATH}/src/LICENSES/host" "${release_stage}/LICENSES/"
 
   echo "${KUBE_GIT_VERSION}" > "${release_stage}/version"
 

diff --git a/build/licenses.bzl b/build/licenses.bzl
@@ -0,0 +1,51 @@
+# Copyright 2018 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This is a rough transliteration of build/copy-host-source.sh, using the
+# Bazel workspace dependencies instead of the _output directory.
+
+_separator = "================================================================================"
+
+def _format_license(host_licenses_dir, pkg_name, read_cmd):
+    dep_license_dir = "%s/%s" % (host_licenses_dir, pkg_name)
+    dep_license_file = "%s/LICENSE" % (dep_license_dir)
+    return ";".join([
+      "mkdir -p %s" % (dep_license_dir),
+      "echo -e '= %s licensed under: =\n' >> %s" % (pkg_name, dep_license_file),
+      "%s > %s" % (read_cmd, dep_license_file),
+    ])
+
+# Creates a file named HOST_LICENSES.tar containing a LICENSES/host/... directory structure 
+# containing licenses of glibc, and the Go std library and BoringCrypto / BoringSSL.
+def gen_licenses(**kwargs):
+    srcs = [
+        "@glibc_src//:debian-copyright",
+        "@go_src//file",
+    ]
+
+    # If you change this list, also be sure to change build/copy-host-source.sh.
+    cmds = [
+        _format_license("LICENSES/host", "glibc",    "cat $(location @glibc_src//:debian-copyright)"),
+        _format_license("LICENSES/host", "go",       "tar -Oxf $(location @go_src//file) go/LICENSE"),
+        _format_license("LICENSES/host", "goboring", "tar -Oxf $(location @go_src//file) go/src/crypto/internal/boring/LICENSE"),
+        "tar -cf $@ --owner=0 --group=0 --numeric-owner LICENSES",
+    ]
+
+    native.genrule(
+        name = "gen_licenses",
+        srcs = srcs,
+        outs = ["HOST_LICENSES.tar"],
+        cmd = ";".join(cmds),
+        **kwargs
+    )
diff --git a/build/release-tars/BUILD b/build/release-tars/BUILD
@@ -12,6 +12,7 @@ load(
 load("@io_k8s_repo_infra//defs:build.bzl", "release_filegroup")
 load("@io_k8s_repo_infra//defs:pkg.bzl", "pkg_tar")
 load("//staging:repos_generated.bzl", "staging_repos")
+load("//build:licenses.bzl", "gen_licenses")
 
 # Bazel doesn't make the output filename
 # (such as kubernetes-server-{OS}-{ARCH}.tar.gz) configurable, so we instead
@@ -54,9 +55,8 @@ filegroup(
 )
 
 pkg_tar(
-    name = "kubernetes-src",
+    name = "_kubernetes-srcs",
     srcs = ["//:all-srcs"],
-    extension = "tar.gz",
     package_dir = "kubernetes",
     strip_prefix = "//",
     symlinks = {
@@ -67,8 +67,36 @@ pkg_tar(
         "manual",
         "no-cache",
     ],
+    visibility = ["//visibility:private"],
+)
+
+pkg_tar(
+    name = "_glibc-srcs",
+    srcs = ["@glibc_src//:srcs"],
+    package_dir = "glibc",
+    tags = [
+        "manual",
+        "no-cache",
+    ],
+    visibility = ["//visibility:private"],
 )
 
+pkg_tar(
+    name = "kubernetes-src",
+    extension = "tar.gz",
+    tags = [
+        "manual",
+        "no-cache",
+    ],
+    deps = [
+        ":_glibc-srcs",
+        ":_kubernetes-srcs",
+        "@go_src//file",
+    ],
+)
+
+gen_licenses()
+
 # Included in node and server tarballs.
 pkg_tar(
     name = "license-artifacts",

diff --git a/build/release.sh b/build/release.sh
@@ -34,6 +34,7 @@ KUBE_RELEASE_RUN_TESTS=${KUBE_RELEASE_RUN_TESTS-y}
 kube::build::verify_prereqs
 kube::build::build_image
 kube::build::run_build_command make cross
+kube::build::run_build_command build/copy-host-source.sh
 
 if [[ $KUBE_RELEASE_RUN_TESTS =~ ^[yY]$ ]]; then
   kube::build::run_build_command make test

diff --git a/build/root/BUILD.root b/build/root/BUILD.root
@@ -19,6 +19,7 @@ package(default_visibility = ["//visibility:public"])
 load("@io_k8s_repo_infra//defs:build.bzl", "gcs_upload")
 load("@io_k8s_repo_infra//defs:pkg.bzl", "pkg_tar")
 load("//build:platforms.bzl", "for_platforms")
+load("//build:licenses.bzl", "gen_licenses")
 
 filegroup(
     name = "_binary-artifacts-and-hashes",
@@ -126,13 +127,16 @@ platform(
     """,
 )
 
+gen_licenses()
+
 pkg_tar(
     name = "LICENSES",
     srcs = glob(
         ["LICENSES/**/LICENSE"],
         allow_empty = False,
         exclude_directories = 0,
     ),
+    deps = ["HOST_LICENSES.tar"],
     mode = "0755",
     strip_prefix = "//",
     tags = [

diff --git a/build/root/WORKSPACE b/build/root/WORKSPACE
@@ -18,15 +18,43 @@ repo_infra_repositories()
 
 load("@io_k8s_repo_infra//:repos.bzl", repo_infra_configure = "configure", repo_infra_go_repositories = "go_repositories")
 
-# IMPORTANT: Only one go version may be specified at a time
-#            'go_version':          used to specify a published upstream go version
-#            'override_go_version': used to specify an alternate go version provided
-#                                   by kubernetes/repo-infra
+load("@io_bazel_rules_go//go:deps.bzl", "go_download_sdk", "go_register_toolchains", "go_rules_dependencies")
+
+go_rules_dependencies()
+
+GOBORING_VERSION = "go1.15.8b5"
+
+go_download_sdk(
+    name = "go_sdk",
+    sdks = {
+        "linux_amd64": (
+            GOBORING_VERSION + ".linux-amd64.tar.gz",
+            "9d897bf42a962b064cfc9bed182c18ade0a3f5857d6a075d93b73ca8fe3b1f3a",
+        ),
+    },
+    urls = ["https://storage.googleapis.com/go-boringcrypto/{}"],
+)
+
+http_file(
+    name = "go_src",
+    downloaded_file_path = GOBORING_VERSION + ".src.tar.gz",
+    sha256 = "57964e7762ab03f0ad17bc787585b1709decccf095b7f7d2e9fca61a71e09010",
+    urls = ["https://storage.googleapis.com/go-boringcrypto/" + GOBORING_VERSION + ".src.tar.gz"],
+)
+
+go_register_toolchains()
+
 repo_infra_configure(
-    go_version = "1.15.8",
     minimum_bazel_version = "2.2.0",
 )
 
+# Install this dependency by running apt-get install glibc-source
+new_local_repository(
+    name = "glibc_src",
+    build_file = "third_party/glibc.BUILD",
+    path = "/usr/src/glibc",
+)
+
 repo_infra_go_repositories()
 
 # begin setup rules_docker
@@ -60,11 +88,11 @@ load(
 # end setup rules_docker
 
 container_pull(
-    name = "distroless_base",
-    digest = "sha256:7fa7445dfbebae4f4b7ab0e6ef99276e96075ae42584af6286ba080750d6dfe5",
-    registry = "gcr.io",
-    repository = "distroless/base",
-    tag = "latest",  # ignored when digest provided, but kept here for documentation.
+    name = "official_busybox_glibc",
+    digest = "sha256:6b438394f0ac955edd27aa2fc819ff8ee3371ca315ec83f53ed8541c502f71ca",
+    registry = "index.docker.io",
+    repository = "library/busybox",
+    tag = "glibc",  # ignored, but kept here for documentation
 )
 
 load("//build:workspace.bzl", "release_dependencies")