Add fips-static version of kairos packages (#324)

* Add fips-static version of kairos packages

So we can use them in all the flavors

Signed-off-by: mudler <mudler@kairos.io>

* Add ldl flags

Signed-off-by: mudler <mudler@kairos.io>

---------

Signed-off-by: mudler <mudler@kairos.io>

packages/system/immucore/build.yaml

@@ -1,4 +1,4 @@
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
 requires:
   - name: "toolchain-go-ubuntu"
     category: "fips"
@@ -10,7 +10,7 @@ requires:
     version: ">=0"
 {{end}}
 prelude:
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
   - apt-get update && apt-get install gcc
 {{end}}
   - mkdir go/src/github.com/${GITHUB_ORG}/ -p
@@ -18,20 +18,20 @@ prelude:
 env:
   - GOPATH=/luetbuild/go/
   - GITHUB_ORG={{ ( index .Values.labels "github.owner" ) }}
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
   - CGO_ENABLED=1
   - GOEXPERIMENT=boringcrypto
-  - LDFLAGS="-w -X github.com/kairos-io/immucore/internal/version.version=v${PACKAGE_VERSION}"
+  - LDFLAGS="-w -X github.com/kairos-io/immucore/internal/version.version=v${PACKAGE_VERSION} {{with .Values.ldflags}}{{.}}{{end}}"
 {{else}}
   - CGO_ENABLED=0
-  - LDFLAGS="-s -w -X github.com/kairos-io/immucore/internal/version.version=v${PACKAGE_VERSION}"
+  - LDFLAGS="-s -w -X github.com/kairos-io/immucore/internal/version.version=v${PACKAGE_VERSION} {{with .Values.ldflags}}{{.}}{{end}}"
 {{end}}
 steps:
   - |
     PACKAGE_VERSION=${PACKAGE_VERSION%\+*} && \
     cd go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/ && git checkout v"${PACKAGE_VERSION}" -b build && go build -o {{ .Values.name }} -ldflags="${LDFLAGS}" && mv {{.Values.name}} /usr/bin/
   - chmod +x /usr/bin/{{.Values.name}}
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
   - /usr/bin/{{.Values.name}} version 2>&1 >/dev/null | grep -i boringcrypto
 {{end}}
 includes:

packages/system/immucore/collection.yaml

@@ -21,3 +21,15 @@ packages:
       - https://github.com/kairos-io/immucore
     license: "Apache License v2"
     description: "The Kairos immutability management interface"
+  - name: "immucore"
+    category: "fips-static"
+    ldflags: "-linkmode external -extldflags -static"
+    version: "0.1.2"
+    labels:
+      github.repo: "immucore"
+      autobump.revdeps: "true"
+      github.owner: "kairos-io"
+    uri:
+      - https://github.com/kairos-io/immucore
+    license: "Apache License v2"
+    description: "The Kairos immutability management interface"

packages/system/kairos-agent/build.yaml

@@ -1,4 +1,4 @@
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
 requires:
   - name: "toolchain-go-ubuntu"
     category: "fips"
@@ -16,14 +16,14 @@ prelude:
 env:
   - GITHUB_ORG={{ ( index .Values.labels "github.owner" ) }}
   - HUGO_VERSION=0.110.0
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
   - CGO_ENABLED=1
   - GOEXPERIMENT=boringcrypto
   # Because we don't track the compiled-with version on the agent we need to keep the symbols in order to checks FIPS compliance
-  - LDFLAGS="-w -X github.com/kairos-io/kairos/v2/internal/common.VERSION=v${PACKAGE_VERSION}"
+  - LDFLAGS="-w -X github.com/kairos-io/kairos/v2/internal/common.VERSION=v${PACKAGE_VERSION} {{with .Values.ldflags}}{{.}}{{end}}"
 {{else}}
   - CGO_ENABLED=0
-  - LDFLAGS="-s -w -X github.com/kairos-io/kairos/v2/internal/common.VERSION=v${PACKAGE_VERSION}"
+  - LDFLAGS="-s -w -X github.com/kairos-io/kairos/v2/internal/common.VERSION=v${PACKAGE_VERSION} {{with .Values.ldflags}}{{.}}{{end}}"
 {{end}}
 copy:
   - package:
@@ -42,9 +42,9 @@ steps:
   - |
     PACKAGE_VERSION=${PACKAGE_VERSION%\+*} && \
     cd /go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/ && \
-    go build -o /usr/bin/{{ .Values.name }} -ldflags="${LDFLAGS}"
+    go build -ldflags="${LDFLAGS}" -o /usr/bin/{{ .Values.name }}
   - chmod +x /usr/bin/{{.Values.name}}
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
   {{ if .Values.arch }}
     {{ if eq .Values.arch "amd64" }}
   - go tool nm /usr/bin/{{.Values.name}} | grep -i "FIPS_mode"

packages/system/kairos-agent/collection.yaml

@@ -21,3 +21,15 @@ packages:
       - https://github.com/kairos-io/kairos-agent
     license: "Apache License v2"
     description: "Lyfecycle agent for kairos"
+  - name: "kairos-agent"
+    category: "fips-static"
+    ldflags: "-linkmode external -extldflags -static"
+    version: "2.1.8"
+    labels:
+      github.repo: "kairos-agent"
+      autobump.revdeps: "true"
+      github.owner: "kairos-io"
+    uri:
+      - https://github.com/kairos-io/kairos-agent
+    license: "Apache License v2"
+    description: "Lyfecycle agent for kairos"

packages/system/kcrypt-challenger/build.yaml

@@ -1,4 +1,4 @@
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
 requires:
   - name: "toolchain-go-ubuntu"
     category: "fips"
@@ -10,7 +10,7 @@ requires:
     version: ">=0"
 {{end}}
 prelude:
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
   - apt-get update && apt-get install -y gcc
 {{end}}
   - mkdir go/src/github.com/${GITHUB_ORG}/ -p
@@ -22,8 +22,9 @@ prelude:
 env:
   - GOPATH=/luetbuild/go/
   - DEBIAN_FRONTEND=noninteractive
+  - CGO_LDFLAGS="-ldl"
   - GITHUB_ORG={{ ( index .Values.labels "github.owner" ) }}
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
   - CGO_ENABLED=1
   - GOEXPERIMENT=boringcrypto
 {{else}}
@@ -34,9 +35,9 @@ steps:
   - |
     PACKAGE_VERSION=${PACKAGE_VERSION%\+*} && \
     mkdir -p /system/discovery && \
-    cd go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/ && go build -o {{ .Values.binary_name }} ./cmd/discovery/main.go && mv {{ .Values.binary_name }} /system/discovery
+    cd go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/ && go build -ldflags="{{with .Values.ldflags}}{{.}}{{end}}" -o {{ .Values.binary_name }}  ./cmd/discovery/main.go && mv {{ .Values.binary_name }} /system/discovery
   - chmod +x /system/discovery/{{ .Values.binary_name }}
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
   {{ if .Values.arch }}
     {{ if eq .Values.arch "amd64" }}
   - go tool nm /system/discovery/{{ .Values.binary_name }} | grep -i "FIPS_mode"

packages/system/kcrypt-challenger/collection.yaml

@@ -23,4 +23,16 @@ packages:
       - https://github.com/kairos-io/kcrypt-challenger
     license: "Apache License v2"
     description: "Cloud native guardian for persistent data in the edge"
-
+  - name: kcrypt-challenger
+    binary_name: kcrypt-discovery-challenger
+    ldflags: "-linkmode external -extldflags -static"
+    category: fips-static
+    live: "yes"
+    version: "0.5.0"
+    labels:
+      github.repo: "kcrypt-challenger"
+      github.owner: "kairos-io"
+    uri:
+      - https://github.com/kairos-io/kcrypt-challenger
+    license: "Apache License v2"
+    description: "Cloud native guardian for persistent data in the edge"

packages/system/kcrypt/build.yaml

@@ -1,4 +1,4 @@
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
 requires:
   - name: "toolchain-go-ubuntu"
     category: "fips"
@@ -10,7 +10,7 @@ requires:
     version: ">=0"
 {{end}}
 prelude:
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
   - apt-get update && apt-get install -y gcc
 {{end}}
   - mkdir go/src/github.com/${GITHUB_ORG}/ -p
@@ -18,20 +18,20 @@ prelude:
 env:
   - GOPATH=/luetbuild/go/
   - GITHUB_ORG={{ ( index .Values.labels "github.owner" ) }}
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
   - CGO_ENABLED=1
   - GOEXPERIMENT=boringcrypto
-  - LDFLAGS="-w"
+  - LDFLAGS="-w {{with .Values.ldflags}}{{.}}{{end}}"
 {{else}}
   - CGO_ENABLED=0
-  - LDFLAGS="-s -w"
+  - LDFLAGS="-s -w {{with .Values.ldflags}}{{.}}{{end}}"
 {{end}}
 steps:
   - |
     PACKAGE_VERSION=${PACKAGE_VERSION%\+*} && \
     cd go/src/github.com/${GITHUB_ORG}/{{ .Values.name }}/ && git checkout v"${PACKAGE_VERSION}" -b build && go build -ldflags="${LDFLAGS}" && mv {{.Values.name}} /usr/bin/
   - chmod +x /usr/bin/{{.Values.name}}
-{{if eq .Values.category "fips" }}
+{{if or (eq .Values.category "fips") (eq .Values.category "fips-static")}}
   {{ if .Values.arch }}
     {{ if eq .Values.arch "amd64" }}
   - go tool nm /usr/bin/{{.Values.name}} | grep -i "FIPS_mode"

packages/system/kcrypt/collection.yaml

@@ -21,3 +21,15 @@ packages:
       - https://github.com/kairos-io/kcrypt
     license: "Apache License v2"
     description: "Cloud native guardian for persistent data in the edge"
+  - name: kcrypt
+    ldflags: "-linkmode external -extldflags -static"
+    category: fips-static
+    version: "0.7.0"
+    labels:
+      github.repo: "kcrypt"
+      autobump.revdeps: "true"
+      github.owner: "kairos-io"
+    uri:
+      - https://github.com/kairos-io/kcrypt
+    license: "Apache License v2"
+    description: "Cloud native guardian for persistent data in the edge"