Immucore+kairos-agent FIPS version (#266)

2025-09-16 07:18:36 +00:00 · 2023-06-05 12:26:36 +00:00
parent c7cd283c40
commit 96b17b625d
6 changed files with 82 additions and 48 deletions
--- a/packages/system/immucore/build.yaml
+++ b/packages/system/immucore/build.yaml
@@ -1,19 +1,26 @@
-requires:
-  - name: "toolchain-go"
-    category: "development"
-    version: ">=0"
+image: golang:1.20
+
 prelude:
  - mkdir go/src/github.com/${GITHUB_ORG}/ -p
  - cd go/src/github.com/${GITHUB_ORG}/ && git clone https://github.com/${GITHUB_ORG}/{{ .Values.name }}.git
 env:
  - GOPATH=/luetbuild/go/
  - GITHUB_ORG={{ ( index .Values.labels "github.owner" ) }}
+  {{if eq .Values.category "fips" }}
+  - CGO_ENABLED=1
+  - GOEXPERIMENT=boringcrypto
+  - LDFLAGS="-w -X github.com/kairos-io/immucore/internal/version.version=v${PACKAGE_VERSION}"
+  {{else}}
  - CGO_ENABLED=0
  - LDFLAGS="-s -w -X github.com/kairos-io/immucore/internal/version.version=v${PACKAGE_VERSION}"
+  {{end}}
 steps:
  - |
    PACKAGE_VERSION=${PACKAGE_VERSION%\+*} && \
-    cd go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/  && git checkout v"${PACKAGE_VERSION}" -b build && go build -o {{ .Values.name }} -ldflags="${LDFLAGS}" && mv {{.Values.name}} /usr/bin/
+    cd go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/ && git checkout v"${PACKAGE_VERSION}" -b build && go build -o {{ .Values.name }} -ldflags="${LDFLAGS}" && mv {{.Values.name}} /usr/bin/
  - chmod +x /usr/bin/{{.Values.name}}
+  {{if eq .Values.category "fips" }}
+  - go tool nm /usr/bin/{{.Values.name}} | grep -i "FIPS_mode"
+  {{end}}
 includes:
  - /usr/bin/{{.Values.name}}
--- a/packages/system/immucore/collection.yaml
+++ b/packages/system/immucore/collection.yaml
@@ -0,0 +1,23 @@
+packages:
+  - name: "immucore"
+    category: "system"
+    version: "0.1.1-rc1"
+    labels:
+      github.repo: "immucore"
+      autobump.revdeps: "true"
+      github.owner: "kairos-io"
+    uri:
+      - https://github.com/kairos-io/immucore
+    license: "Apache License v2"
+    description: "The Kairos immutability management interface"
+  - name: "immucore"
+    category: "fips"
+    version: "0.1.1-rc1"
+    labels:
+      github.repo: "immucore"
+      autobump.revdeps: "true"
+      github.owner: "kairos-io"
+    uri:
+      - https://github.com/kairos-io/immucore
+    license: "Apache License v2"
+    description: "The Kairos immutability management interface"
--- a/packages/system/immucore/definition.yaml
+++ b/packages/system/immucore/definition.yaml
@@ -1,11 +0,0 @@
-name: "immucore"
-category: "system"
-version: "0.1.1-rc1"
-labels:
-  github.repo: "immucore"
-  autobump.revdeps: "true"
-  github.owner: "kairos-io"
-uri:
-  - https://github.com/kairos-io/immucore
-license: "Apache License v2"
-description: "The Kairos immutability management interface"
--- a/packages/system/kairos-agent/build.yaml
+++ b/packages/system/kairos-agent/build.yaml
@@ -1,33 +1,32 @@
-image: opensuse/tumbleweed
+image: golang:1.20
 env:
  - GITHUB_ORG={{ ( index .Values.labels "github.owner" ) }}
+  - HUGO_VERSION=0.110.0
+  {{if eq .Values.category "fips" }}
+  - CGO_ENABLED=1
+  - GOEXPERIMENT=boringcrypto
+  # Because we don't track the compiled-with version on the agent we need to keep the symbols in order to checks FIPS compliance
+  - LDFLAGS="-w -X github.com/kairos-io/kairos/v2/internal/common.VERSION=v${PACKAGE_VERSION}"
+  {{else}}
  - CGO_ENABLED=0
  - LDFLAGS="-s -w -X github.com/kairos-io/kairos/v2/internal/common.VERSION=v${PACKAGE_VERSION}"
-  - HUGO_VERSION=0.110.0
+  {{end}}
+copy:
+  - package:
+      category: "static"
+      name: "kairos-docs"
+      version: ">=0"
+    source: "/usr/share/doc/kairos"
+    destination: "/kairos-docs/"
 prelude:
-  - zypper removerepo repo-openh264 || true 
-  - zypper ref && zypper in -y git wget tar nodejs-default gzip npm go
+  - apt-get update && apt-get install -y npm
  - mkdir /go/src/github.com/${GITHUB_ORG}/ -p
  - cd /go/src/github.com/${GITHUB_ORG}/ && git clone --branch v${PACKAGE_VERSION} https://github.com/${GITHUB_ORG}/{{ .Values.name }}.git
-  - cd /go/src/github.com/${GITHUB_ORG}/ && git clone https://github.com/${GITHUB_ORG}/kairos-docs.git
 steps:
-  # Docs for webui
-  # TODO: build this as a package and use requires
+  # Docs for webui, copy them from the package
  - mkdir -p /go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/internal/webui/public/local
-  - |
-    wget "https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-{{ .Values.arch }}.tar.gz" && \
-    tar xzf hugo_extended_${HUGO_VERSION}_linux-{{ .Values.arch }}.tar.gz && \
-    rm -r hugo_extended_${HUGO_VERSION}_linux-{{ .Values.arch }}.tar.gz && \
-    chmod +x hugo && \
-    mv hugo /usr/bin && \
-    cd /go/src/github.com/${GITHUB_ORG}/kairos-docs && \
-    npm install postcss-cli && \
-    npm run prepare && \
-    HUGO_ENV="production" /usr/bin/hugo --gc -b "/local/" -d "public/"
-
-  - cp -r /go/src/github.com/${GITHUB_ORG}/kairos-docs/public/* /go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/internal/webui/public/local
+  - cp -r /kairos-docs/* /go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/internal/webui/public/local/
  # Deps for webui
-  # TODO: If we use requires we cannot run this unless we package nodejs...
  - cd /go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/internal/webui/public && npm install
  # Now for the real binary with everything bundled!
  - |
@@ -35,5 +34,8 @@ steps:
    cd /go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/ && \
    go build -o /usr/bin/{{ .Values.name }} -ldflags="${LDFLAGS}"
  - chmod +x /usr/bin/{{.Values.name}}
+  {{if eq .Values.category "fips" }}
+  - go tool nm /usr/bin/{{.Values.name}} | grep -i "FIPS_mode"
+  {{end}}
 includes:
  - /usr/bin/{{.Values.name}}
--- a/packages/system/kairos-agent/collection.yaml
+++ b/packages/system/kairos-agent/collection.yaml
@@ -0,0 +1,25 @@
+packages:
+  - name: "kairos-agent"
+    category: "system"
+    version: "2.1.0-rc5"
+    arch: "amd64"
+    labels:
+      github.repo: "kairos-agent"
+      autobump.revdeps: "true"
+      github.owner: "kairos-io"
+    uri:
+      - https://github.com/kairos-io/kairos-agent
+    license: "Apache License v2"
+    description: "Lyfecycle agent for kairos"
+  - name: "kairos-agent"
+    category: "fips"
+    version: "2.1.0-rc5"
+    arch: "amd64"
+    labels:
+      github.repo: "kairos-agent"
+      autobump.revdeps: "true"
+      github.owner: "kairos-io"
+    uri:
+      - https://github.com/kairos-io/kairos-agent
+    license: "Apache License v2"
+    description: "Lyfecycle agent for kairos"
--- a/packages/system/kairos-agent/definition.yaml
+++ b/packages/system/kairos-agent/definition.yaml
@@ -1,12 +0,0 @@
-name: "kairos-agent"
-category: "system"
-version: "2.1.0-rc5"
-arch: "amd64"
-labels:
-  github.repo: "kairos-agent"
-  autobump.revdeps: "true"
-  github.owner: "kairos-io"
-uri:
-  - https://github.com/kairos-io/kairos-agent
-license: "Apache License v2"
-description: "Lyfecycle agent for kairos"