From a55910917fd43aff113abf2f7cb2b5844389c41b Mon Sep 17 00:00:00 2001
From: Angelos Kolaitis
Date: Fri, 27 Oct 2023 19:31:53 +0300
Subject: [PATCH] FIPS

---
 .../components/cluster-agent/build.sh | 5 ++-
 build-scripts/components/etcd/build.sh | 3 +-
 build-scripts/components/flanneld/build.sh | 3 +-
 .../patches/default/0002-enable-cgo.patch | 33 +++++++++++++++++++
 build-scripts/components/k8s-dqlite/build.sh | 12 ++++---
 build-scripts/components/kubernetes/build.sh | 2 +-
 microk8s-resources/default-args/fips-env | 16 +++++++++
 .../wrappers/microk8s-helm.wrapper | 6 ++++
 .../wrappers/microk8s-helm3.wrapper | 6 ++++
 .../wrappers/microk8s-kubectl.wrapper | 6 ++++
 microk8s-resources/wrappers/openssl.wrapper | 16 ++++++---
 .../wrappers/run-apiserver-proxy-with-args | 6 ++++
 .../wrappers/run-cluster-agent-with-args | 6 ++++
 .../wrappers/run-etcd-with-args | 6 ++++
 .../wrappers/run-flanneld-with-args | 6 ++++
 .../wrappers/run-k8s-dqlite-with-args | 4 +++
 .../wrappers/run-kubelite-with-args | 6 ++++
 snap/hooks/install | 6 ++++
 snap/snapcraft.yaml | 10 ++++--
 19 files changed, 143 insertions(+), 15 deletions(-)
 create mode 100644 build-scripts/components/helm/patches/default/0002-enable-cgo.patch
 create mode 100644 microk8s-resources/default-args/fips-env

diff --git a/build-scripts/components/cluster-agent/build.sh b/build-scripts/components/cluster-agent/build.sh
index 86282e7f67..149a5f47a8 100755
--- a/build-scripts/components/cluster-agent/build.sh
+++ b/build-scripts/components/cluster-agent/build.sh
@@ -3,5 +3,8 @@
 export INSTALL="${1}/bin"
 mkdir -p "${INSTALL}"
 
-make cluster-agent
+export GOEXPERIMENT=opensslcrypto
+export CGO_ENABLED=1
+go build -ldflags '-s -w' -o cluster-agent ./main.go
+
 cp cluster-agent "${INSTALL}"
diff --git a/build-scripts/components/etcd/build.sh b/build-scripts/components/etcd/build.sh
index 3eaaa9df3b..a58ed1cf3c 100755
--- a/build-scripts/components/etcd/build.sh
+++ b/build-scripts/components/etcd/build.sh
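Review bot: `go build -ldflags '-s -w' -o cluster-agent ./main.go` names a single file rather than the package, so any other file in that `package main` directory is left out of the binary, and whatever the replaced `make cluster-agent` target did beyond `go build` (version `-X` ldflags, for instance) is lost here — the Makefile is not in this patch, so that part is an inference to check. Build the package instead: `go build -ldflags '-s -w' -o cluster-agent .`. A short comment above the two exports, e.g. `# cgo + opensslcrypto: crypto is delegated to the host libcrypto so the binary can run in FIPS mode`, would also tell the next reader why a previously pure-Go build now needs a C toolchain.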
@@ -3,7 +3,8 @@
 export INSTALL="${1}"
 mkdir -p "${INSTALL}"
 
-GO_LDFLAGS="-s -w" GO_BUILD_FLAGS="-v" ./build.sh
+sed -i 's/CGO_ENABLED=0/CGO_ENABLED=1/' build.sh
+GOEXPERIMENT=opensslcrypto GO_LDFLAGS="-s -w" GO_BUILD_FLAGS="-v" ./build.sh
 
 for bin in etcd etcdctl; do
 cp "bin/${bin}" "${INSTALL}/${bin}"
diff --git a/build-scripts/components/flanneld/build.sh b/build-scripts/components/flanneld/build.sh
index c2904a77b5..ee0e5f4fb0 100755
--- a/build-scripts/components/flanneld/build.sh
+++ b/build-scripts/components/flanneld/build.sh
@@ -5,7 +5,8 @@ mkdir -p "${INSTALL}"
 
 VERSION="${2}"
 
-export CGO_ENABLED=0
+export CGO_ENABLED=1
+export GOEXPERIMENT=opensslcrypto
 go build -o dist/flanneld -ldflags "-s -w -X github.com/flannel-io/flannel/version.Version=${VERSION} -extldflags -static"
 
 cp dist/flanneld "${INSTALL}/flanneld"
diff --git a/build-scripts/components/helm/patches/default/0002-enable-cgo.patch b/build-scripts/components/helm/patches/default/0002-enable-cgo.patch
new file mode 100644
index 0000000000..9f8a4f90fe
--- /dev/null
+++ b/build-scripts/components/helm/patches/default/0002-enable-cgo.patch
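Review bot: `sed -i 's/CGO_ENABLED=0/CGO_ENABLED=1/' build.sh` has no check that the substitution matched, so if a future etcd release spells the assignment differently the build quietly produces a non-cgo etcd using Go's own crypto instead of the FIPS libcrypto, and nothing fails. Add a guard after the sed, e.g. `grep -q 'CGO_ENABLED=1' build.sh || { echo 'failed to enable cgo in etcd build.sh' >&2; exit 1; }`, and consider checking the result as well (`ldd bin/etcd` should now list libc, since the binary is no longer static). A comment on the sed line stating that upstream's build.sh hard-codes `CGO_ENABLED=0` and why it has to be flipped would let the intent survive the next etcd bump.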
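Review bot: `-extldflags -static` is kept on the go build line while `CGO_ENABLED=1` and `GOEXPERIMENT=opensslcrypto` are switched on; if the opensslcrypto backend loads the host libcrypto with dlopen at run time, which is what the host-library configuration elsewhere in this patch implies, a fully static glibc binary is a fragile combination (static dlopen needs the same glibc on the host and the linker warns about it), and it is inconsistent with the other components in this patch, which are built dynamically and marked `no-patchelf`. Either drop `-extldflags -static` from the ldflags here, or add a comment explaining why flanneld must remain static and verify a FIPS-mode start on a FIPS host. The other components' link mode is inferred from the snapcraft changes, not from this hunk.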
@@ -0,0 +1,33 @@
+From 76f154cf345ffc7f2b4b9c0e623551c744249d60 Mon Sep 17 00:00:00 2001
+From: Angelos Kolaitis
+Date: Fri, 27 Oct 2023 17:01:33 +0000
+Subject: [PATCH] enable cgo
+
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 0a7b326..39cee3f 100644
+--- a/Makefile
++++ b/Makefile
+@@ -77,7 +77,7 @@ all: build
+ build: $(BINDIR)/$(BINNAME)
+ 
+ $(BINDIR)/$(BINNAME): $(SRC)
+- GO111MODULE=on CGO_ENABLED=0 go build $(GOFLAGS) -trimpath -tags '$(TAGS)' -ldflags '$(LDFLAGS)' -o '$(BINDIR)'/$(BINNAME) ./cmd/helm
++ GO111MODULE=on CGO_ENABLED=1 go build $(GOFLAGS) -trimpath -tags '$(TAGS)' -ldflags '$(LDFLAGS)' -o '$(BINDIR)'/$(BINNAME) ./cmd/helm
+ 
+ # ------------------------------------------------------------------------------
+ # install
+@@ -165,7 +165,7 @@ $(GOIMPORTS):
+ .PHONY: build-cross
+ build-cross: LDFLAGS += -extldflags "-static"
+ build-cross: $(GOX)
+- GOFLAGS="-trimpath" GO111MODULE=on CGO_ENABLED=0 $(GOX) -parallel=3 -output="_dist/{{.OS}}-{{.Arch}}/$(BINNAME)" -osarch='$(TARGETS)' $(GOFLAGS) -tags '$(TAGS)' -ldflags '$(LDFLAGS)' ./cmd/helm
++ GOFLAGS="-trimpath" GO111MODULE=on CGO_ENABLED=1 $(GOX) -parallel=3 -output="_dist/{{.OS}}-{{.Arch}}/$(BINNAME)" -osarch='$(TARGETS)' $(GOFLAGS) -tags '$(TAGS)' -ldflags '$(LDFLAGS)' ./cmd/helm
+ 
+ .PHONY: dist
+ dist:
+-- 
+2.25.1
diff --git a/build-scripts/components/k8s-dqlite/build.sh b/build-scripts/components/k8s-dqlite/build.sh
index c9672777f9..e833afae67 100755
--- a/build-scripts/components/k8s-dqlite/build.sh
+++ b/build-scripts/components/k8s-dqlite/build.sh
@@ -1,9 +1,11 @@
 #!/bin/bash
 
-INSTALL="${1}/bin"
-mkdir -p "${INSTALL}"
+INSTALL="${1}"
+mkdir -p "${INSTALL}/bin" "${INSTALL}/usr/lib"
 
-make static -j
+export GOEXPERIMENT=opensslcrypto
+make dynamic -j
 
-cp bin/static/dqlite "${INSTALL}/dqlite"
-cp bin/static/k8s-dqlite "${INSTALL}/k8s-dqlite"
+cp bin/dynamic/dqlite "${INSTALL}/bin/dqlite"
+cp bin/dynamic/k8s-dqlite "${INSTALL}/bin/k8s-dqlite"
+cp bin/dynamic/lib/*so* "${INSTALL}/usr/lib"
diff --git a/build-scripts/components/kubernetes/build.sh b/build-scripts/components/kubernetes/build.sh
index 542ba9f64f..b8f30bc819 100755
--- a/build-scripts/components/kubernetes/build.sh
+++ b/build-scripts/components/kubernetes/build.sh
@@ -5,7 +5,7 @@ INSTALL="${1}"
 export KUBE_GIT_VERSION_FILE="${PWD}/.version.sh"
 
 for app in kubectl kubelite; do
- make WHAT="cmd/${app}" KUBE_STATIC_OVERRIDES=kubelite
+ make WHAT="cmd/${app}" KUBE_CGO_OVERRIDES="${app}"
 cp _output/bin/"${app}" "${INSTALL}/${app}"
 done
 
diff --git a/microk8s-resources/default-args/fips-env b/microk8s-resources/default-args/fips-env
new file mode 100644
index 0000000000..46e6877480
--- /dev/null
+++ b/microk8s-resources/default-args/fips-env
@@ -0,0 +1,16 @@
+# For FIPS-enabled hosts, i.e. when /proc/sys/crypto/fips_enabled is 1,
+# the following configuration is required to use the fips enabled crypto
+# libraries from the host.
+#
+# The paths below are for FIPS enabled Ubuntu 20.04, make sure to adjust
+# accordingly for other distributions.
+
+# Uncomment and specify the binary path and config file for openssl.
+# OPENSSL_EXECUTABLE="/usr/bin/openssl"
+# OPENSSL_CONF="/etc/ssl/openssl.cnf"
+
+# Uncomment and prepend the FIPS libcrypto location to the LD_LIBRARY_PATH
+# LD_LIBRARY_PATH="/usr/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH"
+
+# Set GOFIPS=1 so that Go binaries use the FIPS-enabled libcrypto
+GOFIPS=0
diff --git a/microk8s-resources/wrappers/microk8s-helm.wrapper b/microk8s-resources/wrappers/microk8s-helm.wrapper
index dee8fe5f9d..22c5b1fc76 100755
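Review bot: `cp bin/dynamic/lib/*so* "${INSTALL}/usr/lib"` bundles every shared object the dynamic build produced, while the fips-env template in this same patch tells operators to prepend the host `/usr/lib/x86_64-linux-gnu` to `LD_LIBRARY_PATH`; with the part marked `no-patchelf` there is no RUNPATH on the binary, so a host directory placed first in `LD_LIBRARY_PATH` would shadow the bundled libraries (a host libsqlite3, for example) and not only libcrypto — that consequence is inferred from the snapcraft change, not visible in this hunk. Copy the libraries by name rather than with `*so*` so the shipped set is explicit, and document the shadowing in the fips-env header. A comment on the `make dynamic -j` line, e.g. `# dynamic build so the Go openssl backend can pick up the host libcrypto at run time`, would explain the switch away from `make static`.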
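Review bot: The comment `# Set GOFIPS=1 so that Go binaries use the FIPS-enabled libcrypto` sits directly above `GOFIPS=0`, and because the install hook copies this file into `$SNAP_DATA/args` verbatim it is exactly what operators will read. Reword it to describe both the shipped default and the opt-in, for example `# GOFIPS=1 makes the Go binaries use the FIPS libcrypto (and, on toolchains that enforce it, refuse to start without it); the default of 0 leaves FIPS mode off. Set to 1 on FIPS hosts together with the settings above.` The header should also state whether an explicit `GOFIPS=0` overrides a host whose `/proc/sys/crypto/fips_enabled` is 1 — that depends on the 1.20-fips toolchain and is worth confirming, because an operator on a FIPS host who never edits this file could otherwise run non-FIPS crypto with no warning.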
--- a/microk8s-resources/wrappers/microk8s-helm.wrapper
+++ b/microk8s-resources/wrappers/microk8s-helm.wrapper
@@ -12,4 +12,10 @@ fi
 
 exit_if_stopped
 
+set -a
+if [ -e "${SNAP_DATA}/args/fips-env" ]; then
+ . "${SNAP_DATA}/args/fips-env"
+fi
+set +a
+
 "${SNAP}/bin/helm" --kubeconfig="${SNAP_DATA}"/credentials/client.config "$@"
diff --git a/microk8s-resources/wrappers/microk8s-helm3.wrapper b/microk8s-resources/wrappers/microk8s-helm3.wrapper
index dee8fe5f9d..22c5b1fc76 100755
--- a/microk8s-resources/wrappers/microk8s-helm3.wrapper
+++ b/microk8s-resources/wrappers/microk8s-helm3.wrapper
@@ -12,4 +12,10 @@ fi
 
 exit_if_stopped
 
+set -a
+if [ -e "${SNAP_DATA}/args/fips-env" ]; then
+ . "${SNAP_DATA}/args/fips-env"
+fi
+set +a
+
 "${SNAP}/bin/helm" --kubeconfig="${SNAP_DATA}"/credentials/client.config "$@"
diff --git a/microk8s-resources/wrappers/microk8s-kubectl.wrapper b/microk8s-resources/wrappers/microk8s-kubectl.wrapper
index ea15160297..2ead1fe9c4 100755
--- a/microk8s-resources/wrappers/microk8s-kubectl.wrapper
+++ b/microk8s-resources/wrappers/microk8s-kubectl.wrapper
@@ -28,6 +28,12 @@ then
 export EDITOR="${SNAP}/bin/nano"
 fi
 
+set -a
+if [ -e "${SNAP_DATA}/args/fips-env" ]; then
+ . "${SNAP_DATA}/args/fips-env"
+fi
+set +a
+
 declare -a args="($(cat $SNAP_DATA/args/kubectl))"
 if [ -n "${args[@]-}" ]
 then
diff --git a/microk8s-resources/wrappers/openssl.wrapper b/microk8s-resources/wrappers/openssl.wrapper
index 550029a668..528991c137 100755
--- a/microk8s-resources/wrappers/openssl.wrapper
+++ b/microk8s-resources/wrappers/openssl.wrapper
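Review bot: The five-line `set -a` / source fips-env / `set +a` block added here is the same text pasted into the helm and helm3 wrappers in this patch and into every `run-*-with-args` script, so a later change to how the file is validated or loaded has to be repeated in ten places. Put it in `$SNAP/actions/common/utils.sh` as a helper, e.g. `source_fips_env() { if [ -e "${SNAP_DATA}/args/fips-env" ]; then set -a; . "${SNAP_DATA}/args/fips-env"; set +a; fi; }`, and call `source_fips_env` here; the helm wrappers already call `exit_if_stopped` in their hunks, which suggests utils.sh is sourced by the client wrappers as well. A one-line comment above the call, e.g. `# optional host FIPS crypto settings (OPENSSL_*, LD_LIBRARY_PATH, GOFIPS)`, would tell readers what the file is for. The wrapper's beginning lies outside this hunk.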
@@ -4,8 +4,16 @@ set -eu
 
 source $SNAP/actions/common/utils.sh
 
-use_snap_env
+set -a
+if [ -e "${SNAP_DATA}/args/fips-env" ]; then
+ . "${SNAP_DATA}/args/fips-env"
+fi
+set +a
 
-export OPENSSL_CONF="${SNAP}/etc/ssl/openssl.cnf"
-
-"${SNAP}/usr/bin/openssl" "${@}"
+if [[ -v OPENSSL_EXECUTABLE ]]; then
+ exec "${OPENSSL_EXECUTABLE}" "${@}"
+else
+ use_snap_env
+ export OPENSSL_CONF="${SNAP}/etc/ssl/openssl.cnf"
+ ${SNAP}/usr/bin/openssl "$@"
+fi
diff --git a/microk8s-resources/wrappers/run-apiserver-proxy-with-args b/microk8s-resources/wrappers/run-apiserver-proxy-with-args
index 71edf93a60..91da9a7758 100755
--- a/microk8s-resources/wrappers/run-apiserver-proxy-with-args
+++ b/microk8s-resources/wrappers/run-apiserver-proxy-with-args
@@ -21,6 +21,12 @@ fi
 
 sed 's@${SNAP}@'"${SNAP}"'@g;s@${SNAP_DATA}@'"${SNAP_DATA}"'@g' $SNAP_DATA/args/traefik/traefik-template.yaml > $SNAP_DATA/args/traefik/traefik.yaml
 
+set -a
+if [ -e "${SNAP_DATA}/args/fips-env" ]; then
+ . "${SNAP_DATA}/args/fips-env"
+fi
+set +a
+
 # This is really the only way I could find to get the args passed in correctly.
 declare -a args="($(cat $SNAP_DATA/args/apiserver-proxy))"
 exec "$SNAP/bin/cluster-agent" apiserver-proxy "${args[@]}"
diff --git a/microk8s-resources/wrappers/run-cluster-agent-with-args b/microk8s-resources/wrappers/run-cluster-agent-with-args
index ac447438af..fe7b0fd810 100755
--- a/microk8s-resources/wrappers/run-cluster-agent-with-args
+++ b/microk8s-resources/wrappers/run-cluster-agent-with-args
@@ -12,6 +12,12 @@ set -eu
 
 use_snap_env
 
+set -a
+if [ -e "${SNAP_DATA}/args/fips-env" ]; then
+ . "${SNAP_DATA}/args/fips-env"
+fi
+set +a
+
 # This is really the only way I could find to get the args passed in correctly.
 declare -a args="($(cat $SNAP_DATA/args/cluster-agent))"
 
diff --git a/microk8s-resources/wrappers/run-etcd-with-args b/microk8s-resources/wrappers/run-etcd-with-args
index a17304cec6..38027cee96 100755
--- a/microk8s-resources/wrappers/run-etcd-with-args
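Review bot: `exec "${OPENSSL_EXECUTABLE}" "${@}"` hands control to whatever path fips-env names with no check that it exists or is executable (`[[ -v ... ]]` is also true for an empty value), and the fallback branch loses the quoting the removed line had — `${SNAP}/usr/bin/openssl "$@"` versus `"${SNAP}/usr/bin/openssl" "${@}"`. Add `[ -x "${OPENSSL_EXECUTABLE}" ] || { echo "OPENSSL_EXECUTABLE is not executable: ${OPENSSL_EXECUTABLE}" >&2; exit 1; }` before the exec and restore `"${SNAP}/usr/bin/openssl" "$@"` in the else branch. The FIPS branch also deliberately skips `use_snap_env` so the host openssl sees the caller's environment plus any `OPENSSL_CONF` from fips-env; a comment saying that is intentional would stop someone "fixing" it later.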
+++ b/microk8s-resources/wrappers/run-etcd-with-args
@@ -26,6 +26,12 @@ fi
 
 export DEFAULT_INTERFACE_IP_ADDR="$(get_default_ip)"
 
+set -a
+if [ -e "${SNAP_DATA}/args/fips-env" ]; then
+ . "${SNAP_DATA}/args/fips-env"
+fi
+set +a
+
 # This is really the only way I could find to get the args passed in correctly.
 declare -a args="($(cat $SNAP_DATA/args/etcd))"
 exec "$SNAP/etcd" "${args[@]}"
diff --git a/microk8s-resources/wrappers/run-flanneld-with-args b/microk8s-resources/wrappers/run-flanneld-with-args
index abbe79f6f4..21ce369800 100755
--- a/microk8s-resources/wrappers/run-flanneld-with-args
+++ b/microk8s-resources/wrappers/run-flanneld-with-args
@@ -32,6 +32,12 @@ export ETCDCTL_API=3
 # TODO get this from a file
 data="$(cat $SNAP_DATA/args/flannel-network-mgr-config)"
 
+set -a
+if [ -e "${SNAP_DATA}/args/fips-env" ]; then
+ . "${SNAP_DATA}/args/fips-env"
+fi
+set +a
+
 # Prepare etcd configuration for flannel, iff an etcd endpoint is set.
 # Skip this part if an alternate data store is used (e.g. Kubernetes).
 if [ ! -z "$etcd_endpoints" ]; then
diff --git a/microk8s-resources/wrappers/run-k8s-dqlite-with-args b/microk8s-resources/wrappers/run-k8s-dqlite-with-args
index 3314b89a94..e8c8050bf5 100755
--- a/microk8s-resources/wrappers/run-k8s-dqlite-with-args
+++ b/microk8s-resources/wrappers/run-k8s-dqlite-with-args
@@ -40,6 +40,10 @@ if [ -e "${SNAP_DATA}/args/${app}-env" ]
 then
 . "${SNAP_DATA}/args/${app}-env"
 fi
+
+if [ -e "${SNAP_DATA}/args/fips-env" ]; then
+ . "${SNAP_DATA}/args/fips-env"
+fi
 set +a
 
 declare -a args="($(cat $SNAP_DATA/args/$app))"
diff --git a/microk8s-resources/wrappers/run-kubelite-with-args b/microk8s-resources/wrappers/run-kubelite-with-args
index 16060143b0..0809c4d8ea 100755
--- a/microk8s-resources/wrappers/run-kubelite-with-args
+++ b/microk8s-resources/wrappers/run-kubelite-with-args
@@ -217,5 +217,11 @@ then
 echo "1" > /proc/sys/net/bridge/bridge-nf-call-iptables
 fi
 
+set -a
+if [ -e "${SNAP_DATA}/args/fips-env" ]; then
+ . "${SNAP_DATA}/args/fips-env"
+fi
+set +a
+
 declare -a args="($(cat $SNAP_DATA/args/$app))"
 exec "$SNAP/$app" "${args[@]}"
diff --git a/snap/hooks/install b/snap/hooks/install
index dbaeebb2e4..5d639d80a5 100755
--- a/snap/hooks/install
+++ b/snap/hooks/install
@@ -28,6 +28,12 @@ fi
 cp -r --preserve=mode ${SNAP}/default-args ${SNAP_DATA}/args
 mv ${SNAP_DATA}/args/certs.d/localhost__32000 ${SNAP_DATA}/args/certs.d/localhost:32000
 
+if -e "${SNAP_DATA}/args/fips-env"; then
+ set -a
+ . "${SNAP_DATA}/args/fips-env"
+ set +a
+fi
+
 SNAP_DATA_CURRENT=`echo "${SNAP_DATA}" | sed -e "s,${SNAP_REVISION},current,"`
 
 # Try to symlink /var/lib/kubelet so that most kubelet device plugins work out of the box.
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
index 03a5e910e1..b656ffddf0 100644
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@@ -22,8 +22,8 @@ parts:
 build-deps:
 plugin: nil
 override-build: |
- snap install go --classic --channel 1.20/stable
- snap refresh go --channel 1.20/stable
+ snap install go --classic --channel 1.20-fips/stable
+ snap refresh go --channel 1.20-fips/stable
 build-packages:
 - autoconf
 - automake
@@ -50,12 +50,14 @@ parts:
 
 k8s-dqlite:
 after: [build-deps]
+ build-attributes: [no-patchelf]
 source: build-scripts/components/k8s-dqlite
 plugin: nil
 override-build: $SNAPCRAFT_PROJECT_DIR/build-scripts/build-component.sh k8s-dqlite
 
 etcd:
 after: [build-deps]
+ build-attributes: [no-patchelf]
 plugin: nil
 source: build-scripts/components/etcd
 override-build: $SNAPCRAFT_PROJECT_DIR/build-scripts/build-component.sh etcd
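Review bot: `if -e "${SNAP_DATA}/args/fips-env"; then` has no test brackets, so the shell tries to execute a command named `-e`; a failing `if` condition does not trip `set -e`, so the branch is silently skipped and fips-env is never loaded during install. It should read `if [ -e "${SNAP_DATA}/args/fips-env" ]; then`, matching the wrappers. Note that the `cp -r --preserve=mode ${SNAP}/default-args ${SNAP_DATA}/args` two lines above always creates the file on a fresh install, so after the fix the guard only matters for a pre-existing args directory; a comment on why the hook needs these variables (presumably for openssl calls later in the hook, which are outside this hunk) would help. Whether the hook runs under `set -e` is not visible here.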
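Review bot: `snap install go --classic --channel 1.20-fips/stable` tracks a channel, not a revision, so two builds of the same commit may use different FIPS toolchains and the build leaves no record of which one produced the binaries — for a FIPS build that toolchain identity is the first thing an audit asks for. At minimum log it right after the install with `snap list go`, and consider pinning with `--revision` once a validated toolchain build is chosen; keeping the channel in one place would also stop the `install` and `refresh` lines from drifting apart. The `parts:` block continues well beyond this hunk.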
@@ -74,12 +76,14 @@ parts:
 
 flanneld:
 after: [build-deps]
+ build-attributes: [no-patchelf]
 plugin: nil
 source: build-scripts/components/flanneld
 override-build: $SNAPCRAFT_PROJECT_DIR/build-scripts/build-component.sh flanneld
 
 kubernetes:
 after: [build-deps]
+ build-attributes: [no-patchelf]
 plugin: nil
 source: build-scripts/components/kubernetes
 override-build: $SNAPCRAFT_PROJECT_DIR/build-scripts/build-component.sh kubernetes
@@ -91,6 +95,7 @@ parts:
 
 helm:
 after: [build-deps]
+ build-attributes: [no-patchelf]
 plugin: nil
 source: build-scripts/components/helm
 override-build: $SNAPCRAFT_PROJECT_DIR/build-scripts/build-component.sh helm
@@ -201,6 +206,7 @@ parts:
 
 cluster-agent:
 after: [build-deps]
+ build-attributes: [no-patchelf]
 plugin: nil
 source: build-scripts/components/cluster-agent
 override-build: $SNAPCRAFT_PROJECT_DIR/build-scripts/build-component.sh cluster-agent