Fips kcrypt packages (#267)

2025-09-13 05:49:47 +00:00 · 2023-06-05 13:18:03 +00:00
parent 818d2dfd48
commit 42965de3d9
8 changed files with 122 additions and 60 deletions
--- a/packages/system/immucore/build.yaml
+++ b/packages/system/immucore/build.yaml
@@ -1,26 +1,32 @@
-image: golang:1.20
+requires:
+  - name: "toolchain-go-ubuntu"
+    category: "development"
+    version: ">=0"

 prelude:
+{{if eq .Values.category "fips" }}
+  - apt-get update && apt-get install gcc
+{{end}}
  - mkdir go/src/github.com/${GITHUB_ORG}/ -p
  - cd go/src/github.com/${GITHUB_ORG}/ && git clone https://github.com/${GITHUB_ORG}/{{ .Values.name }}.git
 env:
  - GOPATH=/luetbuild/go/
  - GITHUB_ORG={{ ( index .Values.labels "github.owner" ) }}
-  {{if eq .Values.category "fips" }}
+{{if eq .Values.category "fips" }}
  - CGO_ENABLED=1
  - GOEXPERIMENT=boringcrypto
  - LDFLAGS="-w -X github.com/kairos-io/immucore/internal/version.version=v${PACKAGE_VERSION}"
-  {{else}}
+{{else}}
  - CGO_ENABLED=0
  - LDFLAGS="-s -w -X github.com/kairos-io/immucore/internal/version.version=v${PACKAGE_VERSION}"
-  {{end}}
+{{end}}
 steps:
  - |
    PACKAGE_VERSION=${PACKAGE_VERSION%\+*} && \
    cd go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/ && git checkout v"${PACKAGE_VERSION}" -b build && go build -o {{ .Values.name }} -ldflags="${LDFLAGS}" && mv {{.Values.name}} /usr/bin/
  - chmod +x /usr/bin/{{.Values.name}}
-  {{if eq .Values.category "fips" }}
+{{if eq .Values.category "fips" }}
  - go tool nm /usr/bin/{{.Values.name}} | grep -i "FIPS_mode"
-  {{end}}
+{{end}}
 includes:
  - /usr/bin/{{.Values.name}}
--- a/packages/system/kairos-agent/build.yaml
+++ b/packages/system/kairos-agent/build.yaml
@@ -1,16 +1,20 @@
-image: golang:1.20
+requires:
+  - name: "toolchain-go-ubuntu"
+    category: "development"
+    version: ">=0"
+
 env:
  - GITHUB_ORG={{ ( index .Values.labels "github.owner" ) }}
  - HUGO_VERSION=0.110.0
-  {{if eq .Values.category "fips" }}
+{{if eq .Values.category "fips" }}
  - CGO_ENABLED=1
  - GOEXPERIMENT=boringcrypto
  # Because we don't track the compiled-with version on the agent we need to keep the symbols in order to checks FIPS compliance
  - LDFLAGS="-w -X github.com/kairos-io/kairos/v2/internal/common.VERSION=v${PACKAGE_VERSION}"
-  {{else}}
+{{else}}
  - CGO_ENABLED=0
  - LDFLAGS="-s -w -X github.com/kairos-io/kairos/v2/internal/common.VERSION=v${PACKAGE_VERSION}"
-  {{end}}
+{{end}}
 copy:
  - package:
      category: "static"
@@ -19,7 +23,7 @@ copy:
    source: "/usr/share/doc/kairos"
    destination: "/kairos-docs/"
 prelude:
-  - apt-get update && apt-get install -y npm
+  - apt-get update && apt-get install -y npm gcc
  - mkdir /go/src/github.com/${GITHUB_ORG}/ -p
  - cd /go/src/github.com/${GITHUB_ORG}/ && git clone --branch v${PACKAGE_VERSION} https://github.com/${GITHUB_ORG}/{{ .Values.name }}.git
 steps:
@@ -34,8 +38,8 @@ steps:
    cd /go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/ && \
    go build -o /usr/bin/{{ .Values.name }} -ldflags="${LDFLAGS}"
  - chmod +x /usr/bin/{{.Values.name}}
-  {{if eq .Values.category "fips" }}
+{{if eq .Values.category "fips" }}
  - go tool nm /usr/bin/{{.Values.name}} | grep -i "FIPS_mode"
-  {{end}}
+{{end}}
 includes:
  - /usr/bin/{{.Values.name}}
--- a/packages/system/kcrypt-challenger/build.yaml
+++ b/packages/system/kcrypt-challenger/build.yaml
@@ -3,22 +3,34 @@ requires:
  category: "development"
  version: ">=0"
 prelude:
- mkdir go/src/github.com/${GITHUB_ORG}/ -p
- apt-get update && apt-get install -y gcc libssl-dev
- cd go/src/github.com/${GITHUB_ORG}/ && git clone https://github.com/${GITHUB_ORG}/{{ .Values.name }}.git
+{{if eq .Values.category "fips" }}
+  - apt-get update && apt-get install -y gcc
+{{end}}
+  - mkdir go/src/github.com/${GITHUB_ORG}/ -p
+  - apt-get update && apt-get install -y gcc libssl-dev
+  - cd go/src/github.com/${GITHUB_ORG}/ && git clone https://github.com/${GITHUB_ORG}/{{ .Values.name }}.git
 {{ if ne .Values.live "yes" }}
- cd go/src/github.com/${GITHUB_ORG}/ && git checkout v"${PACKAGE_VERSION}" -b build
+  - cd go/src/github.com/${GITHUB_ORG}/ && git checkout v"${PACKAGE_VERSION}" -b build
 {{ end }}
 env:
- GOPATH=/luetbuild/go/
- DEBIAN_FRONTEND=noninteractive
- GITHUB_ORG={{ ( index .Values.labels "github.owner" ) }}
- CGO_ENABLED=0
+  - GOPATH=/luetbuild/go/
+  - DEBIAN_FRONTEND=noninteractive
+  - GITHUB_ORG={{ ( index .Values.labels "github.owner" ) }}
+{{if eq .Values.category "fips" }}
+  - CGO_ENABLED=1
+  - GOEXPERIMENT=boringcrypto
+{{else}}
+  - CGO_ENABLED=0
+{{end}}
+
 steps:
- |
-  PACKAGE_VERSION=${PACKAGE_VERSION%\-*} && \
-  mkdir -p /system/discovery && \
-  cd go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/  && go build -o kcrypt-discovery-challenger ./cmd/discovery/main.go && mv kcrypt-discovery-challenger /system/discovery
- chmod +x /system/discovery/kcrypt-discovery-challenger
+  - |
+    PACKAGE_VERSION=${PACKAGE_VERSION%\-*} && \
+    mkdir -p /system/discovery && \
+    cd go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/ && go build -o {{ .Values.binary_name }} ./cmd/discovery/main.go && mv {{ .Values.binary_name }} /system/discovery
+  - chmod +x /system/discovery/{{ .Values.binary_name }}
+{{if eq .Values.category "fips" }}
+  - go tool nm /system/discovery/{{ .Values.binary_name }} | grep -i "FIPS_mode"
+{{end}}
 includes:
- /system/discovery/kcrypt-discovery-challenger
+  - /system/discovery/{{ .Values.binary_name }}
--- a/packages/system/kcrypt-challenger/collection.yaml
+++ b/packages/system/kcrypt-challenger/collection.yaml
@@ -0,0 +1,26 @@
+packages:
+  - name: kcrypt-challenger
+    binary_name: kcrypt-discovery-challenger
+    category: system
+    live: "yes"
+    version: "0.4.0"
+    labels:
+      github.repo: "kcrypt-challenger"
+      github.owner: "kairos-io"
+    uri:
+      - https://github.com/kairos-io/kcrypt-challenger
+    license: "Apache License v2"
+    description: "Cloud native guardian for persistent data in the edge"
+  - name: kcrypt-challenger
+    binary_name: kcrypt-discovery-challenger
+    category: fips
+    live: "yes"
+    version: "0.4.0"
+    labels:
+      github.repo: "kcrypt-challenger"
+      github.owner: "kairos-io"
+    uri:
+      - https://github.com/kairos-io/kcrypt-challenger
+    license: "Apache License v2"
+    description: "Cloud native guardian for persistent data in the edge"
+
--- a/packages/system/kcrypt-challenger/definition.yaml
+++ b/packages/system/kcrypt-challenger/definition.yaml
@@ -1,11 +0,0 @@
-name: kcrypt-challenger
-category: system
-live: "yes"
-version: "0.4.0"
-labels:
-  github.repo: "kcrypt-challenger"
-  github.owner: "kairos-io"
-uri:
-  - https://github.com/kairos-io/kcrypt-challenger
-license: "Apache License v2"
-description: "Cloud native guardian for persistent data in the edge"
--- a/packages/system/kcrypt/build.yaml
+++ b/packages/system/kcrypt/build.yaml
@@ -1,18 +1,31 @@
 requires:
- name: "toolchain-go"
+- name: "toolchain-go-ubuntu"
  category: "development"
  version: ">=0"
 prelude:
- mkdir go/src/github.com/${GITHUB_ORG}/ -p
- cd go/src/github.com/${GITHUB_ORG}/ && git clone https://github.com/${GITHUB_ORG}/{{ .Values.name }}.git
+{{if eq .Values.category "fips" }}
+  - apt-get update && apt-get install -y gcc
+{{end}}
+  - mkdir go/src/github.com/${GITHUB_ORG}/ -p
+  - cd go/src/github.com/${GITHUB_ORG}/ && git clone https://github.com/${GITHUB_ORG}/{{ .Values.name }}.git
 env:
- GOPATH=/luetbuild/go/
- GITHUB_ORG={{ ( index .Values.labels "github.owner" ) }}
- CGO_ENABLED=0
+  - GOPATH=/luetbuild/go/
+  - GITHUB_ORG={{ ( index .Values.labels "github.owner" ) }}
+{{if eq .Values.category "fips" }}
+  - CGO_ENABLED=1
+  - GOEXPERIMENT=boringcrypto
+  - LDFLAGS="-w"
+{{else}}
+  - CGO_ENABLED=0
+  - LDFLAGS="-s -w"
+{{end}}
 steps:
- |
-  PACKAGE_VERSION=${PACKAGE_VERSION%\+*} && \
-  cd go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/  && git checkout v"${PACKAGE_VERSION}" -b build && go build -ldflags="-w -s" && mv {{.Values.name}} /usr/bin/
- chmod +x /usr/bin/{{.Values.name}}
+  - |
+    PACKAGE_VERSION=${PACKAGE_VERSION%\+*} && \
+    cd go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/ && git checkout v"${PACKAGE_VERSION}" -b build && go build -ldflags="${LDFLAGS}" && mv {{.Values.name}} /usr/bin/
+  - chmod +x /usr/bin/{{.Values.name}}
+{{if eq .Values.category "fips" }}
+  - go tool nm /usr/bin/{{.Values.name}} | grep -i "FIPS_mode"
+{{end}}
 includes:
- /usr/bin/{{.Values.name}}
+  - /usr/bin/{{.Values.name}}
--- a/packages/system/kcrypt/collection.yaml
+++ b/packages/system/kcrypt/collection.yaml
@@ -0,0 +1,23 @@
+packages:
+  - name: kcrypt
+    category: system
+    version: "0.6.0"
+    labels:
+      github.repo: "kcrypt"
+      autobump.revdeps: "true"
+      github.owner: "kairos-io"
+    uri:
+      - https://github.com/kairos-io/kcrypt
+    license: "Apache License v2"
+    description: "Cloud native guardian for persistent data in the edge"
+  - name: kcrypt
+    category: fips
+    version: "0.6.0"
+    labels:
+      github.repo: "kcrypt"
+      autobump.revdeps: "true"
+      github.owner: "kairos-io"
+    uri:
+      - https://github.com/kairos-io/kcrypt
+    license: "Apache License v2"
+    description: "Cloud native guardian for persistent data in the edge"
--- a/packages/system/kcrypt/definition.yaml
+++ b/packages/system/kcrypt/definition.yaml
@@ -1,11 +0,0 @@
-name: kcrypt
-category: system
-version: "0.6.0-rc2"
-labels:
-  github.repo: "kcrypt"
-  autobump.revdeps: "true"
-  github.owner: "kairos-io"
-uri:
-  - https://github.com/kairos-io/kcrypt
-license: "Apache License v2"
-description: "Cloud native guardian for persistent data in the edge"