From f9ea91100ac288024c64e18bb40527c2b8529aa7 Mon Sep 17 00:00:00 2001
From: Ettore Di Giacinto
Date: Thu, 6 Jul 2023 11:57:04 +0200
Subject: [PATCH] Add fips-static version of kairos packages (#324)
* Add fips-static version of kairos packages
So we can use them in all the flavors
Signed-off-by: mudler
* Add ldl flags
Signed-off-by: mudler
---------
Signed-off-by: mudler
---
 packages/system/immucore/build.yaml | 12 ++++++------
 packages/system/immucore/collection.yaml | 12 ++++++++++++
 packages/system/kairos-agent/build.yaml | 12 ++++++------
 packages/system/kairos-agent/collection.yaml | 12 ++++++++++++
 packages/system/kcrypt-challenger/build.yaml | 11 ++++++-----
 packages/system/kcrypt-challenger/collection.yaml | 14 +++++++++++++-
 packages/system/kcrypt/build.yaml | 12 ++++++------
 packages/system/kcrypt/collection.yaml | 12 ++++++++++++
 8 files changed, 73 insertions(+), 24 deletions(-)
diff --git a/packages/system/immucore/build.yaml b/packages/system/immucore/build.yaml
index 951e490..9dd6993 100644
--- a/packages/system/immucore/build.yaml
+++ b/packages/system/immucore/build.yaml
@@ -1,4 +1,4 @@
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
 requires:
 - name: "toolchain-go-ubuntu"
 category: "fips"
@@ -10,7 +10,7 @@ requires:
 version: ">=0"
 {{end}}
 prelude:
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
 - apt-get update && apt-get install gcc
 {{end}}
 - mkdir go/src/github.com/${GITHUB_ORG}/ -p
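Review bot: The category test `or (eq .Values.category "fips") (eq .Values.category "fips-static")` is duplicated at every guard in this file rather than computed once, and the same literal is repeated in the kairos-agent, kcrypt-challenger and kcrypt build.yaml hunks below. If these templates are rendered with Go text/template (not visible here), a single top-of-file variable such as `{{- $fips := or (eq .Values.category "fips") (eq .Values.category "fips-static") -}}` followed by `{{if $fips}}` at each guard keeps the category list in one place, so a future category cannot be added to some guards and missed in others. The template guards opened in this hunk close outside it.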
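Review bot: The prelude in the second hunk runs `apt-get update && apt-get install gcc` without `-y`, while the equivalent line in the kcrypt-challenger and kcrypt build.yaml hunks uses `apt-get install -y gcc`; this line is now reached by the new `fips-static` variant as well. If gcc is not already present in the toolchain image, the confirmation prompt has no terminal to read from in a build container and the step aborts, so `- apt-get update && apt-get install -y gcc` is the safer and consistent form. Whether gcc is preinstalled in `toolchain-go-ubuntu` cannot be determined from this patch.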
@@ -18,20 +18,20 @@ prelude:
 env:
 - GOPATH=/luetbuild/go/
 - GITHUB_ORG={{ ( index .Values.labels "github.owner" ) }}
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
 - CGO_ENABLED=1
 - GOEXPERIMENT=boringcrypto
- - LDFLAGS="-w -X github.com/kairos-io/immucore/internal/version.version=v${PACKAGE_VERSION}"
+ - LDFLAGS="-w -X github.com/kairos-io/immucore/internal/version.version=v${PACKAGE_VERSION} {{with .Values.ldflags}}{{.}}{{end}}"
 {{else}}
 - CGO_ENABLED=0
- - LDFLAGS="-s -w -X github.com/kairos-io/immucore/internal/version.version=v${PACKAGE_VERSION}"
+ - LDFLAGS="-s -w -X github.com/kairos-io/immucore/internal/version.version=v${PACKAGE_VERSION} {{with .Values.ldflags}}{{.}}{{end}}"
 {{end}}
 steps:
 - |
 PACKAGE_VERSION=${PACKAGE_VERSION%\+*} && \
 cd go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/ && git checkout v"${PACKAGE_VERSION}" -b build && go build -o {{ .Values.name }} -ldflags="${LDFLAGS}" && mv {{.Values.name}} /usr/bin/
 - chmod +x /usr/bin/{{.Values.name}}
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
 - /usr/bin/{{.Values.name}} version 2>&1 >/dev/null | grep -i boringcrypto
 {{end}}
 includes:
diff --git a/packages/system/immucore/collection.yaml b/packages/system/immucore/collection.yaml
index 56a4427..d688f47 100644
--- a/packages/system/immucore/collection.yaml
+++ b/packages/system/immucore/collection.yaml
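Review bot: Nothing in the new `fips-static` path verifies that the produced binary is actually statically linked; the only post-build assertion in this hunk is `grep -i boringcrypto` on the version output, which passes just as well for a dynamically linked fips build. Since the whole contract of the new category is the `-linkmode external -extldflags -static` value spliced into `LDFLAGS`, a step guarded by `{{if eq .Values.category "fips-static"}}` such as `- ldd /usr/bin/{{.Values.name}} 2>&1 | grep -q "not a dynamic executable"` would fail the build if those flags are ever dropped or overridden (this assumes `ldd` exists in the builder image). The same gap is present in the kairos-agent, kcrypt-challenger and kcrypt build.yaml hunks below.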
@@ -21,3 +21,15 @@ packages:
 - https://github.com/kairos-io/immucore
 license: "Apache License v2"
 description: "The Kairos immutability management interface"
+ - name: "immucore"
+ category: "fips-static"
+ ldflags: "-linkmode external -extldflags -static"
+ version: "0.1.2"
+ labels:
+ github.repo: "immucore"
+ autobump.revdeps: "true"
+ github.owner: "kairos-io"
+ uri:
+ - https://github.com/kairos-io/immucore
+ license: "Apache License v2"
+ description: "The Kairos immutability management interface"
\ No newline at end of file
diff --git a/packages/system/kairos-agent/build.yaml b/packages/system/kairos-agent/build.yaml
index 18ec2e9..dd730a8 100644
--- a/packages/system/kairos-agent/build.yaml
+++ b/packages/system/kairos-agent/build.yaml
@@ -1,4 +1,4 @@
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
 requires:
 - name: "toolchain-go-ubuntu"
 category: "fips"
@@ -16,14 +16,14 @@ prelude:
 env:
 - GITHUB_ORG={{ ( index .Values.labels "github.owner" ) }}
 - HUGO_VERSION=0.110.0
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
 - CGO_ENABLED=1
 - GOEXPERIMENT=boringcrypto
 # Because we don't track the compiled-with version on the agent we need to keep the symbols in order to checks FIPS compliance
- - LDFLAGS="-w -X github.com/kairos-io/kairos/v2/internal/common.VERSION=v${PACKAGE_VERSION}"
+ - LDFLAGS="-w -X github.com/kairos-io/kairos/v2/internal/common.VERSION=v${PACKAGE_VERSION} {{with .Values.ldflags}}{{.}}{{end}}"
 {{else}}
 - CGO_ENABLED=0
- - LDFLAGS="-s -w -X github.com/kairos-io/kairos/v2/internal/common.VERSION=v${PACKAGE_VERSION}"
+ - LDFLAGS="-s -w -X github.com/kairos-io/kairos/v2/internal/common.VERSION=v${PACKAGE_VERSION} {{with .Values.ldflags}}{{.}}{{end}}"
 {{end}}
 copy:
 - package:
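Review bot: The new `fips-static` entry in the immucore collection hunk is appended without a trailing newline (`\ No newline at end of file`), so the next entry added to this file will show up as a change to this `description:` line and most YAML linters flag it; the kcrypt-challenger and kcrypt collection.yaml hunks below have the same problem, while the kairos-agent one keeps its newline. The entry also appears to be a copy of the existing fips entry with only `ldflags` added, which leaves `version: "0.1.2"` in two places that must be bumped together; a comment above it such as `# keep version in sync with the fips entry above` would make that explicit if autobump does not already cover both (not visible here). The `ldflags` value is spliced verbatim into a shell-quoted `LDFLAGS=` line in build.yaml, so it should be treated as build code rather than free-form data when edited.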
@@ -42,9 +42,9 @@ steps:
 - |
 PACKAGE_VERSION=${PACKAGE_VERSION%\+*} && \
 cd /go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/ && \
- go build -o /usr/bin/{{ .Values.name }} -ldflags="${LDFLAGS}"
+ go build -ldflags="${LDFLAGS}" -o /usr/bin/{{ .Values.name }}
 - chmod +x /usr/bin/{{.Values.name}}
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
 {{ if .Values.arch }}
 {{ if eq .Values.arch "amd64" }}
 - go tool nm /usr/bin/{{.Values.name}} | grep -i "FIPS_mode"
diff --git a/packages/system/kairos-agent/collection.yaml b/packages/system/kairos-agent/collection.yaml
index 1b6e5d0..7e56aae 100644
--- a/packages/system/kairos-agent/collection.yaml
+++ b/packages/system/kairos-agent/collection.yaml
@@ -21,3 +21,15 @@ packages:
 - https://github.com/kairos-io/kairos-agent
 license: "Apache License v2"
 description: "Lyfecycle agent for kairos"
+ - name: "kairos-agent"
+ category: "fips-static"
+ ldflags: "-linkmode external -extldflags -static"
+ version: "2.1.8"
+ labels:
+ github.repo: "kairos-agent"
+ autobump.revdeps: "true"
+ github.owner: "kairos-io"
+ uri:
+ - https://github.com/kairos-io/kairos-agent
+ license: "Apache License v2"
+ description: "Lyfecycle agent for kairos"
diff --git a/packages/system/kcrypt-challenger/build.yaml b/packages/system/kcrypt-challenger/build.yaml
index 1af28e7..5f5b636 100644
--- a/packages/system/kcrypt-challenger/build.yaml
+++ b/packages/system/kcrypt-challenger/build.yaml
@@ -1,4 +1,4 @@
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
 requires:
 - name: "toolchain-go-ubuntu"
 category: "fips"
@@ -10,7 +10,7 @@ requires:
 version: ">=0"
 {{end}}
 prelude:
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
 - apt-get update && apt-get install -y gcc
 {{end}}
 - mkdir go/src/github.com/${GITHUB_ORG}/ -p
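Review bot: The `FIPS_mode` symbol check that the kairos-agent build hunk now extends to `fips-static` stays nested under `{{ if .Values.arch }}` and `{{ if eq .Values.arch "amd64" }}`, and none of the `fips-static` collection entries in this patch sets `arch`. Unless the build pipeline injects `arch` into the values (not visible here), the `go tool nm /usr/bin/{{.Values.name}} | grep -i "FIPS_mode"` step is silently skipped for the new variants and the build succeeds without ever confirming the boringcrypto link. Either document where `arch` comes from in a comment above the guard, or add an unconditional check in the style immucore's build.yaml uses, `/usr/bin/{{.Values.name}} version 2>&1 >/dev/null | grep -i boringcrypto`, so a missing value fails loudly. The same gating appears in the kcrypt-challenger and kcrypt build.yaml hunks below; the `{{ if }}` blocks opened here close outside the hunk.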
@@ -22,8 +22,9 @@ prelude:
 env:
 - GOPATH=/luetbuild/go/
 - DEBIAN_FRONTEND=noninteractive
+ - CGO_LDFLAGS="-ldl"
 - GITHUB_ORG={{ ( index .Values.labels "github.owner" ) }}
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
 - CGO_ENABLED=1
 - GOEXPERIMENT=boringcrypto
 {{else}}
@@ -34,9 +35,9 @@ steps:
 - |
 PACKAGE_VERSION=${PACKAGE_VERSION%\+*} && \
 mkdir -p /system/discovery && \
- cd go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/ && go build -o {{ .Values.binary_name }} ./cmd/discovery/main.go && mv {{ .Values.binary_name }} /system/discovery
+ cd go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/ && go build -ldflags="{{with .Values.ldflags}}{{.}}{{end}}" -o {{ .Values.binary_name }} ./cmd/discovery/main.go && mv {{ .Values.binary_name }} /system/discovery
 - chmod +x /system/discovery/{{ .Values.binary_name }}
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
 {{ if .Values.arch }}
 {{ if eq .Values.arch "amd64" }}
 - go tool nm /system/discovery/{{ .Values.binary_name }} | grep -i "FIPS_mode"
diff --git a/packages/system/kcrypt-challenger/collection.yaml b/packages/system/kcrypt-challenger/collection.yaml
index bcc84cc..9c401c4 100644
--- a/packages/system/kcrypt-challenger/collection.yaml
+++ b/packages/system/kcrypt-challenger/collection.yaml
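Review bot: `CGO_LDFLAGS="-ldl"` in the first hunk is added to `env:` unconditionally, so it also lands on the non-fips variant where the `{{else}}` branch sets `CGO_ENABLED=0` and the flag does nothing; if it exists only to satisfy the external static link, moving it under the fips/fips-static branch with a comment such as `# -ldl: required by the external linker for -extldflags -static` records why it is there. If whatever pulls in `-ldl` actually calls `dlopen` at runtime, a glibc binary linked with `-static` still needs the matching shared glibc on the target and the linker warns about it, so the static challenger build deserves a runtime smoke test in addition to the symbol grep. The second hunk also passes `-ldflags="{{with .Values.ldflags}}{{.}}{{end}}"` inline on the `go build` line, whereas the other three packages route the value through an `LDFLAGS` env entry; either works, but one convention makes the four build files easier to audit together.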
@@ -23,4 +23,16 @@ packages:
 - https://github.com/kairos-io/kcrypt-challenger
 license: "Apache License v2"
 description: "Cloud native guardian for persistent data in the edge"
-
+ - name: kcrypt-challenger
+ binary_name: kcrypt-discovery-challenger
+ ldflags: "-linkmode external -extldflags -static"
+ category: fips-static
+ live: "yes"
+ version: "0.5.0"
+ labels:
+ github.repo: "kcrypt-challenger"
+ github.owner: "kairos-io"
+ uri:
+ - https://github.com/kairos-io/kcrypt-challenger
+ license: "Apache License v2"
+ description: "Cloud native guardian for persistent data in the edge"
\ No newline at end of file
diff --git a/packages/system/kcrypt/build.yaml b/packages/system/kcrypt/build.yaml
index 3e98de1..1b918d0 100644
--- a/packages/system/kcrypt/build.yaml
+++ b/packages/system/kcrypt/build.yaml
@@ -1,4 +1,4 @@
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
 requires:
 - name: "toolchain-go-ubuntu"
 category: "fips"
@@ -10,7 +10,7 @@ requires:
 version: ">=0"
 {{end}}
 prelude:
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
 - apt-get update && apt-get install -y gcc
 {{end}}
 - mkdir go/src/github.com/${GITHUB_ORG}/ -p
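Review bot: The new kcrypt-challenger entry mixes plain and quoted scalars: `name: kcrypt-challenger`, `binary_name: kcrypt-discovery-challenger` and `category: fips-static` are unquoted while every other field in the entry, and the whole immucore and kairos-agent entries in this patch, quote their strings; quoting them (`name: "kcrypt-challenger"`, `category: "fips-static"`) keeps the style uniform and protects against a future value that happens to look like a number or boolean. This entry is also the only new `fips-static` entry without an `autobump.revdeps` label; if that is deliberate because the existing challenger entries lack it too (not visible here), a one-line comment saying so would keep the next reader from "fixing" it. The same unquoted `name`/`category` style appears in the kcrypt collection.yaml hunk below.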
@@ -18,20 +18,20 @@ prelude:
 env:
 - GOPATH=/luetbuild/go/
 - GITHUB_ORG={{ ( index .Values.labels "github.owner" ) }}
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
 - CGO_ENABLED=1
 - GOEXPERIMENT=boringcrypto
- - LDFLAGS="-w"
+ - LDFLAGS="-w {{with .Values.ldflags}}{{.}}{{end}}"
 {{else}}
 - CGO_ENABLED=0
- - LDFLAGS="-s -w"
+ - LDFLAGS="-s -w {{with .Values.ldflags}}{{.}}{{end}}"
 {{end}}
 steps:
 - |
 PACKAGE_VERSION=${PACKAGE_VERSION%\+*} && \
 cd go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/ && git checkout v"${PACKAGE_VERSION}" -b build && go build -ldflags="${LDFLAGS}" && mv {{.Values.name}} /usr/bin/
 - chmod +x /usr/bin/{{.Values.name}}
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
 {{ if .Values.arch }}
 {{ if eq .Values.arch "amd64" }}
 - go tool nm /usr/bin/{{.Values.name}} | grep -i "FIPS_mode"
diff --git a/packages/system/kcrypt/collection.yaml b/packages/system/kcrypt/collection.yaml
index 20ac36f..d4d3098 100644
--- a/packages/system/kcrypt/collection.yaml
+++ b/packages/system/kcrypt/collection.yaml
@@ -21,3 +21,15 @@ packages:
 - https://github.com/kairos-io/kcrypt
 license: "Apache License v2"
 description: "Cloud native guardian for persistent data in the edge"
+ - name: kcrypt
+ ldflags: "-linkmode external -extldflags -static"
+ category: fips-static
+ version: "0.7.0"
+ labels:
+ github.repo: "kcrypt"
+ autobump.revdeps: "true"
+ github.owner: "kairos-io"
+ uri:
+ - https://github.com/kairos-io/kcrypt
+ license: "Apache License v2"
+ description: "Cloud native guardian for persistent data in the edge"
\ No newline at end of file