[ci] add FIPS image build

Author: efaure

.github/workflows/cd-publish-and-deploy.yml

@@ -8,12 +8,22 @@ on:
 jobs:
 
   wf-build-image:
-      name: Build and push image
+      name: Build and push alpine image
       uses: ./.github/workflows/ci-docker-build.yml
       with:
         image_tag: ${{ github.ref_name == 'master'  && 'rolling' || github.ref_name == 'release/current' && 'prerelease' || github.ref_name == 'issue/13571-build-images' && 'test-13571'  }}
-        client_python_local: true
-        publish_to_registry: true
+        is_client_python_local: true
+        is_publish_to_registry: true
+      secrets: inherit
+
+  wf-build-fips-image:
+      name: Build and push FIPS image
+      uses: ./.github/workflows/ci-docker-build.yml
+      with:
+        image_tag: ${{ github.ref_name == 'master'  && 'rolling' || github.ref_name == 'release/current' && 'prerelease' || github.ref_name == 'issue/13571-build-images' && 'test-13571'  }}
+        is_client_python_local: true
+        is_publish_to_registry: true
+        is_fips: true
       secrets: inherit
 
   wf-publish-package:

.github/workflows/ci-docker-build.yml

@@ -11,17 +11,22 @@ on:
         description: "Reference of the branch or commit sha"
         type: string
         default: ${{ github.sha }}
-      client_python_local:
+      dockerfile_target:
+        description: "Target to build in the multi stage docker file - testing or app"
+        type: string
+        required: false
+        default: app
+      is_client_python_local:
         description: "Use client python from the same commit"
         type: boolean
         required: false
         default: false
-      dockerfile_target:
-        description: "Target to build in the multi stage docker file - testing or app"
+      is_fips:
+        description: "Registry used to publish the image"
         type: string
         required: false
-        default: app
-      publish_to_registry:
+        default: false
+      is_publish_to_registry:
         description: "Publish image to registry. If false, will save the image as github artifact"
         type: string
         required: false
@@ -53,7 +58,7 @@ jobs:
         ref: ${{ inputs.checkout_ref }}
 
     - name: Use client-python in OpenCTI from same branch
-      if: ${{ inputs.client_python_local == true }}
+      if: ${{ inputs.is_client_python_local == true }}
       run: sed -i 's|^pycti==.*$|pycti @ git+https://github.com/OpenCTI-Platform/opencti@${{ inputs.checkout_ref }}#subdirectory=client-python|' -i ./opencti-platform/opencti-graphql/src/python/requirements.txt
 
     - name: Set up Docker Buildx
@@ -62,7 +67,7 @@ jobs:
         name: gha-builder-platform
 
     - name: Login to DockerHub
-      if: inputs.publish_to_registry == 'true'
+      if: inputs.is_publish_to_registry == 'true'
       uses: docker/login-action@v3
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -73,21 +78,23 @@ jobs:
       uses: docker/metadata-action@v5
       with:
         images: ${{ inputs.registry }}/platform
-        tags: type=raw,value=${{ inputs.image_tag }}
+        tags: type=raw,value=${{ inputs.image_tag }}${{ inputs.fips  && '-fips' }}
 
-    - name: Build and ${{ inputs.publish_to_registry  && 'push' || 'export as tar' }}
+    - name: Build and ${{ inputs.is_publish_to_registry  && 'push' || 'export as tar' }}
       uses: docker/build-push-action@v6
       with:
         context: opencti-platform
         file: opencti-platform/Dockerfile_featurebranch
         target: ${{ inputs.dockerfile_target }}
-        push: ${{ inputs.publish_to_registry == 'true' }}
-        outputs: ${{ inputs.publish_to_registry == 'false' && 'type=docker,dest=/tmp/opencti-platform.tar' }}
+        build-args: |
+          "BASE_TYPE= ${{ inputs.fips  && 'fips' || 'alpine' }}"
+        push: ${{ inputs.is_publish_to_registry == 'true' }}
+        outputs: ${{ inputs.is_publish_to_registry == 'false' && 'type=docker,dest=/tmp/opencti-platform.tar' }}
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
 
     - name: Upload opencti docker image artifact
-      if: ${{ inputs.publish_to_registry == 'false' }}
+      if: ${{ inputs.is_publish_to_registry == 'false' }}
       uses: actions/upload-artifact@v4
       with:
         name: docker-image-opencti-platform
@@ -107,7 +114,7 @@ jobs:
         ref: ${{ inputs.checkout_ref }}
 
     - name: Use client-python in worker from same branch
-      if: ${{ inputs.client_python_local == true }}
+      if: ${{ inputs.is_client_python_local == true }}
       run: sed -i 's|^pycti==.*$|pycti @ git+https://github.com/OpenCTI-Platform/opencti@${{ inputs.checkout_ref }}#subdirectory=client-python|' -i ./opencti-worker/src/requirements.txt
 
     - name: Set up Docker Buildx
@@ -116,7 +123,7 @@ jobs:
         name: gha-builder-worker
 
     - name: Login to DockerHub
-      if: inputs.publish_to_registry == 'true'
+      if: inputs.is_publish_to_registry == 'true'
       uses: docker/login-action@v3
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -127,15 +134,17 @@ jobs:
       uses: docker/metadata-action@v5
       with:
         images: ${{ inputs.registry }}/worker
-        tags: type=raw,value=${{ inputs.image_tag }}
+        tags: type=raw,value=${{ inputs.image_tag }}${{ inputs.fips  && '-fips' }}
 
-    - name: Build and ${{ inputs.publish_to_registry  && 'push' || 'export as tar' }}
+    - name: Build and ${{ inputs.is_publish_to_registry  && 'push' || 'export as tar' }}
       uses: docker/build-push-action@v6
       with:
         context: opencti-worker
         file: opencti-worker/Dockerfile
-        push: ${{ inputs.publish_to_registry == 'true' }}
-        outputs: ${{ inputs.publish_to_registry == 'false' && 'type=docker,dest=/tmp/opencti-worker.tar' }}
+        build-args: |
+          "BASE_TYPE= ${{ inputs.fips  && 'fips' || 'alpine' }}"
+        push: ${{ inputs.is_publish_to_registry == 'true' }}
+        outputs: ${{ inputs.is_publish_to_registry == 'false' && 'type=docker,dest=/tmp/opencti-worker.tar' }}
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
 

.github/workflows/ci-main.yml

@@ -12,7 +12,7 @@ jobs:
       with:
         checkout_ref: ${{ github.event_name == 'pull_request'  && format('refs/pull/{0}/merge', github.event.pull_request.number) || github.sha }}
         dockerfile_target: testing
-        client_python_local: true
+        is_client_python_local: true
       secrets: inherit
 
 ## Commenting test step for quicker testing of cd-publish-and-deploy.yml

.github/workflows/test-feature-branch.yml

@@ -24,7 +24,7 @@ jobs:
       uses: ./.github/workflows/ci-docker-build.yml
       with:
         image_tag: ${{ github.ref_name }}
-        publish_to_registry: true
+        is_publish_to_registry: true
       secrets: inherit
 
   deploy:

opencti-platform/Dockerfile_featurebranch

@@ -1,5 +1,20 @@
-FROM node:22-alpine AS base
+##############################
+### Create base image fips or alpine
+##############################
+
+ARG BASE_TYPE=alpine
+ARG BASE_IMAGE_ALPINE=node:22-alpine
+ARG BASE_IMAGE_FIPS=filigran/python-nodejs-fips:latest
+
+FROM ${BASE_IMAGE_ALPINE} AS base-alpine
+ENV EXTRA_NODE_OPTIONS=""
+ENV EXTRA_PACKAGES="python3 python3-dev g++"
 
+FROM ${BASE_IMAGE_FIPS} AS base-fips
+ENV EXTRA_NODE_OPTIONS="--force-fips "
+ENV EXTRA_PACKAGES="gettext-dev"
+
+FROM base-${BASE_TYPE} AS base
 
 ##############################
 ### Build builder
@@ -9,7 +24,7 @@ FROM base AS builder
 
 # For layer optimisation, start by installing resources not dependant from source code
 RUN set -eux; \
-    apk add --no-cache g++ make python3 python3-dev; \
+    apk add --no-cache g++ make ${EXTRA_PACKAGES} ; \
     npm install -g node-gyp; \
     npm install -g corepack
 
@@ -103,12 +118,12 @@ FROM base AS app
 
 COPY opencti-graphql/src/python/requirements.txt /opt/opencti/src/python/requirements.txt
 
-RUN apk add --no-cache tini python3 python3-dev
+RUN apk add --no-cache tini ${EXTRA_PACKAGES}
 RUN set -eux; \
     apk add --no-cache gcc git; \
     rm -f /usr/lib/python3.12/EXTERNALLY-MANAGED; \
     python3 -m ensurepip; \
-    rm -rv /usr/lib/python*/ensurepip; \
+    rm -rfv /usr/lib/python*/ensurepip; \
     pip3 install --no-cache-dir --upgrade pip setuptools wheel; \
     ln -sf python3 /usr/bin/python; \
     pip3 install --no-cache-dir --requirement /opt/opencti/src/python/requirements.txt ; \
@@ -123,7 +138,7 @@ COPY opencti-graphql/src/python/ ./src/python/
 COPY opencti-graphql/config/ ./config/
 
 ENV PYTHONUNBUFFERED="1"
-ENV NODE_OPTIONS="--max_old_space_size=12288"
+ENV NODE_OPTIONS="${EXTRA_NODE_OPTIONS}--max_old_space_size=12288"
 ENV NODE_ENV="production"
 
 RUN set -eux; \

opencti-worker/Dockerfile

@@ -1,4 +1,16 @@
-FROM python:3-alpine
+##############################
+### Create base image fips or alpine
+##############################
+
+ARG BASE_TYPE=alpine
+ARG BASE_IMAGE_ALPINE=python:3-alpine
+ARG BASE_IMAGE_FIPS=filigran/python-nodejs-fips:latest
+
+FROM ${BASE_IMAGE_ALPINE} AS base-alpine
+
+FROM ${BASE_IMAGE_FIPS} AS base-fips
+
+FROM base-${BASE_TYPE}
 
 COPY src /opt/opencti-worker