coder · ericpaulsen · Feb 7, 2023 · Jan 31, 2023 · Jan 31, 2023 · Jan 31, 2023
diff --git a/ironbank/.gitignore b/ironbank/.gitignore
@@ -0,0 +1,3 @@
+coder.tar.gz
+terraform.zip
+terraform-provider-coder.zip
diff --git a/ironbank/Dockerfile b/ironbank/Dockerfile
@@ -0,0 +1,93 @@
+ARG BASE_REGISTRY=registry1.dso.mil
+ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8-minimal
+ARG BASE_TAG=8.7
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+SHELL ["/bin/bash", "-c"]
+
+ENV LANG=en_US.UTF-8
+
+RUN microdnf update --assumeyes && \
+    microdnf install --assumeyes \
+      ca-certificates \
+      git \
+      gzip \
+      shadow-utils \
+      tar \
+      unzip && \
+    microdnf clean all
+
+# Configure the cryptography policy manually. These policies likely
+# have no impact, since Go doesn't link against these libraries.
+#
+# Normally, one uses the update-crypto-policies script to create these
+# links, which is included in the crypto-policies-scripts package, but
+# that pulls in Python, so we create the links manually here. This
+# list of links comes from running strace on the update-crypto-policies
+# script (strace update-crypto-policies --set FIPS) in Fedora, since
+# RHEL and UBI do not provide an strace package by default.
+RUN echo "FIPS" >/etc/crypto-policies/config && \
+    cp --force /usr/share/crypto-policies/policies/FIPS.pol /etc/crypto-policies/state/CURRENT.pol && \
+    echo "FIPS" >/etc/crypto-policies/state/current && \
+    ln --symbolic --force /usr/share/crypto-policies/FIPS/bind.txt /etc/crypto-policies/back-ends/bind.config && \
+    ln --symbolic --force /usr/share/crypto-policies/FIPS/gnutls.txt /etc/crypto-policies/back-ends/gnutls.config && \
+    ln --symbolic --force /usr/share/crypto-policies/FIPS/java.txt /etc/crypto-policies/back-ends/java.config && \
+    ln --symbolic --force /usr/share/crypto-policies/FIPS/krb5.txt /etc/crypto-policies/back-ends/krb5.config && \
+    ln --symbolic --force /usr/share/crypto-policies/FIPS/libreswan.txt /etc/crypto-policies/back-ends/libreswan.config && \
+    ln --symbolic --force /usr/share/crypto-policies/FIPS/libssh.txt /etc/crypto-policies/back-ends/libssh.config && \
+    ln --symbolic --force /usr/share/crypto-policies/FIPS/nss.txt /etc/crypto-policies/back-ends/nss.config && \
+    ln --symbolic --force /usr/share/crypto-policies/FIPS/openssh.txt /etc/crypto-policies/back-ends/openssh.config && \
+    ln --symbolic --force /usr/share/crypto-policies/FIPS/opensshserver.txt /etc/crypto-policies/back-ends/opensshserver.config && \
+    ln --symbolic --force /usr/share/crypto-policies/FIPS/openssl.txt /etc/crypto-policies/back-ends/openssl.config && \
+    ln --symbolic --force /usr/share/crypto-policies/FIPS/opensslcnf.txt /etc/crypto-policies/back-ends/opensslcnf.config
+
+# Copy and extract Coder binary from tar file.
+ARG CODER_BIN=/opt/coder
+RUN mkdir -p /opt
+ARG CODER_BIN_TAR_GZ=coder.tar.gz
+COPY "$CODER_BIN_TAR_GZ" /tmp/coder.tar.gz
+RUN tar -xzvf /tmp/coder.tar.gz --directory /opt --strip-components=1 ./coder && \
+    rm /tmp/coder.tar.gz
+
+# Copy and extract Terraform binary from zip file.
+ARG TERRAFORM_BIN_DIR=/opt/terraform
+RUN mkdir -p "$TERRAFORM_BIN_DIR"
+ARG TERRAFORM_BIN_ZIP=terraform.zip
+COPY "$TERRAFORM_BIN_ZIP" /tmp/terraform.zip
+RUN unzip /tmp/terraform.zip -d "$CODER_BIN_DIR" && \
+	  rm /tmp/terraform.zip
+ENV PATH="${TERRAFORM_BIN_DIR}:${PATH}"
+
+# Install the Coder Terraform provider to a well-known location.
+ARG TERRAFORM_PLUGINS_DIR=/opt/terraform/plugins
+ARG TERRAFORM_CODER_PROVIDER_VERSION
+ARG TERRAFORM_CODER_PROVIDER_ZIP=terraform-provider-coder.zip
+COPY "$TERRAFORM_CODER_PROVIDER_ZIP" "${TERRAFORM_PLUGINS_DIR}/registry.terraform.io/coder/coder/terraform-provider-coder_${TERRAFORM_CODER_PROVIDER_VERSION}_linux_amd64.zip"
+
+# Configure Terraform to use plugins from this dir.
+COPY terraform-filesystem-mirror.tfrc /opt/terraform/config.tfrc
+ENV TF_CLI_CONFIG_FILE=/opt/terraform/config.tfrc
+
+# Uninstall the build dependencies.
+RUN microdnf remove --assumeyes \
+      tar \
+      unzip && \
+    microdnf clean all
+
+# Transfer ownership of the binaries to the 'coder' user.
+RUN useradd coder \
+      --create-home \
+      --shell=/bin/bash \
+      --uid=1000 \
+      --user-group && \
+    chown --recursive --quiet coder:coder "$CODER_BIN" && \
+    chown --recursive --quiet coder:coder "$TERRAFORM_BIN_DIR" && \
+    chown --recursive --quiet coder:coder "$TERRAFORM_PLUGINS_DIR" && \
+    chmod 0755 /home/coder
+
+USER 1000
+ENV HOME /home/coder
+ENV USER=coder
+
+ENTRYPOINT [ "/opt/coder", "server" ]
diff --git a/ironbank/hardening_manifest.yaml b/ironbank/hardening_manifest.yaml
@@ -0,0 +1,64 @@
+apiVersion: v1
+
+# The repository name in registry1, excluding /ironbank/
+name: "coder/coder-enterprise/coder-service-2"
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dso.mil
+tags:
+- "0.15.3"
+- "latest"
+
+# Build args passed to Dockerfile ARGs
+args:
+  BASE_IMAGE: "redhat/ubi/ubi8"
+  BASE_TAG: "8.7"
+  # Needs to be kept in sync with the resource below.
+  TERRAFORM_CODER_PROVIDER_VERSION: "0.6.9"
+
+# Docker image labels
+labels:
+  org.opencontainers.image.title: "coder-service-v2"
+  # Human-readable description of the software packaged in the image
+  org.opencontainers.image.description: "Coder server binary, includes REST API, Terraform, and dashboard"
+  # License(s) under which contained software is distributed
+  org.opencontainers.image.licenses: "APGL"
+  # URL to find more information on the image
+  org.opencontainers.image.url: "https://coder.com/docs"
+  # Name of the distributing entity, organization or individual
+  org.opencontainers.image.vendor: "Coder Technologies"
+  org.opencontainers.image.version: "0.15.3"
+  # Keywords to help with search (ex. "cicd,gitops,golang")
+  mil.dso.ironbank.image.keywords: "remote, workspaces"
+
+# List of resources to make available to the offline build context
+resources:
+# Coder binary
+- url: "https://github.com/coder/coder/releases/download/v0.15.3/coder_0.15.3_linux_amd64.tar.gz"
+  filename: "coder.tar.gz"
+  validation:
+    type: sha256
+    value: 2c88555777f1d9cc77a8f049093f4002472dc43d52b026e6784ef477bdced4a2
+# Terraform binary, bundled inside of Coder to support air-gapped installs.
+- url: https://releases.hashicorp.com/terraform/1.3.7/terraform_1.3.7_linux_amd64.zip
+  filename: "terraform.zip"
+  validation:
+    type: sha256
+    value: b8cf184dee15dfa89713fe56085313ab23db22e17284a9a27c0999c67ce3021e
+# Coder Terraform provider, bundled inside of Coder to support air-gapped
+# installs.
+- url: https://github.com/coder/terraform-provider-coder/releases/download/v0.6.9/terraform-provider-coder_0.6.9_linux_amd64.zip
+  filename: "terraform-provider-coder.zip"
+  validation:
+    type: sha256
+    value: de6db7814d4995938dcfa46a6d5b28bf9efb095fecf737285f52cfd4c85948c5
+
+# List of project maintainers
+maintainers:
+- email: "[email protected]"
+  name: "Eric Paulsen"
+  username: "ericpaulsen"
+- email: "[email protected]"
+  name: "Dean Sheather"
+  username: "cdrdean"