FIPS

build-scripts/components/cluster-agent/build.sh

@@ -3,5 +3,8 @@
 export INSTALL="${1}/bin"
 mkdir -p "${INSTALL}"
 
-make cluster-agent
+export GOEXPERIMENT=opensslcrypto
+export CGO_ENABLED=1
+go build -ldflags '-s -w' -o cluster-agent ./main.go
+
 cp cluster-agent "${INSTALL}"

build-scripts/components/etcd/build.sh

@@ -3,7 +3,8 @@
 export INSTALL="${1}"
 mkdir -p "${INSTALL}"
 
-GO_LDFLAGS="-s -w" GO_BUILD_FLAGS="-v" ./build.sh
+sed -i 's/CGO_ENABLED=0/CGO_ENABLED=1/' build.sh
+GOEXPERIMENT=opensslcrypto GO_LDFLAGS="-s -w" GO_BUILD_FLAGS="-v" ./build.sh
 
 for bin in etcd etcdctl; do
   cp "bin/${bin}" "${INSTALL}/${bin}"

build-scripts/components/flanneld/build.sh

@@ -5,7 +5,8 @@ mkdir -p "${INSTALL}"
 
 VERSION="${2}"
 
-export CGO_ENABLED=0
+export CGO_ENABLED=1
+export GOEXPERIMENT=opensslcrypto
 go build -o dist/flanneld -ldflags "-s -w -X github.com/flannel-io/flannel/version.Version=${VERSION} -extldflags -static"
 
 cp dist/flanneld "${INSTALL}/flanneld"

build-scripts/components/helm/patches/v3.14.4/0002-enable-cgo.patch

@@ -0,0 +1,19 @@
+From 88e5f3826d2b8343609824d0224c313f8c929853 Mon Sep 17 00:00:00 2001
+From: louiseschmidtgen <[email protected]>
+Date: Fri, 10 Jan 2025 12:41:56 +0100
+Subject: [PATCH] enable cgo
+
+---
+diff --git a/Makefile b/Makefile
+index c8ced67..0a32341 100644
+--- a/Makefile
++++ b/Makefile
+@@ -24,7 +24,7 @@ TESTS       := .
+ TESTFLAGS   :=
+ LDFLAGS     := -w -s
+ GOFLAGS     :=
+-CGO_ENABLED ?= 0
++CGO_ENABLED := 1
+
+ # Rebuild the binary if any of these files change
+ SRC := $(shell find . -type f -name '*.go' -print) go.mod go.sum

build-scripts/components/helm/patches/v3.16.3/0001-disable-warnings-for-kubeconfig-permissions.patch

@@ -0,0 +1,24 @@
+From d08d2604a9f0f925b93b87d74ee0a2c26c785467 Mon Sep 17 00:00:00 2001
+From: Angelos Kolaitis <[email protected]>
+Date: Thu, 14 Jul 2022 18:18:09 +0300
+Subject: [PATCH] disable warnings for kubeconfig permissions
+
+---
+ cmd/helm/root.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cmd/helm/root.go b/cmd/helm/root.go
+index ef92fea9..512f823f 100644
+--- a/cmd/helm/root.go
++++ b/cmd/helm/root.go
+@@ -206,7 +206,7 @@ func newRootCmd(actionConfig *action.Configuration, out io.Writer, args []string
+ 	loadPlugins(cmd, out)
+
+ 	// Check permissions on critical files
+-	checkPerms()
++	// checkPerms()
+
+ 	// Check for expired repositories
+ 	checkForExpiredRepos(settings.RepositoryConfig)
+--
+2.25.1

build-scripts/components/helm/patches/v3.16.3/0002-enable-cgo.patch

@@ -0,0 +1,19 @@
+From 88e5f3826d2b8343609824d0224c313f8c929853 Mon Sep 17 00:00:00 2001
+From: louiseschmidtgen <[email protected]>
+Date: Fri, 10 Jan 2025 12:41:56 +0100
+Subject: [PATCH] enable cgo
+
+---
+diff --git a/Makefile b/Makefile
+index c8ced67..0a32341 100644
+--- a/Makefile
++++ b/Makefile
+@@ -24,7 +24,7 @@ TESTS       := .
+ TESTFLAGS   :=
+ LDFLAGS     := -w -s
+ GOFLAGS     :=
+-CGO_ENABLED ?= 0
++CGO_ENABLED := 1
+
+ # Rebuild the binary if any of these files change
+ SRC := $(shell find . -type f -name '*.go' -print) go.mod go.sum

build-scripts/components/helm/patches/v3.9.1/0001-disable-warnings-for-kubeconfig-permissions.patch

@@ -0,0 +1,24 @@
+From d08d2604a9f0f925b93b87d74ee0a2c26c785467 Mon Sep 17 00:00:00 2001
+From: Angelos Kolaitis <[email protected]>
+Date: Thu, 14 Jul 2022 18:18:09 +0300
+Subject: [PATCH] disable warnings for kubeconfig permissions
+
+---
+ cmd/helm/root.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cmd/helm/root.go b/cmd/helm/root.go
+index ef92fea9..512f823f 100644
+--- a/cmd/helm/root.go
++++ b/cmd/helm/root.go
+@@ -206,7 +206,7 @@ func newRootCmd(actionConfig *action.Configuration, out io.Writer, args []string
+ 	loadPlugins(cmd, out)
+
+ 	// Check permissions on critical files
+-	checkPerms()
++	// checkPerms()
+
+ 	// Check for expired repositories
+ 	checkForExpiredRepos(settings.RepositoryConfig)
+--
+2.25.1

build-scripts/components/helm/patches/v3.9.1/0002-enable-cgo.patch

@@ -0,0 +1,33 @@
+From 76f154cf345ffc7f2b4b9c0e623551c744249d60 Mon Sep 17 00:00:00 2001
+From: Angelos Kolaitis <[email protected]>
+Date: Fri, 27 Oct 2023 17:01:33 +0000
+Subject: [PATCH] enable cgo
+
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 0a7b326..39cee3f 100644
+--- a/Makefile
++++ b/Makefile
+@@ -77,7 +77,7 @@ all: build
+ build: $(BINDIR)/$(BINNAME)
+
+ $(BINDIR)/$(BINNAME): $(SRC)
+-	GO111MODULE=on CGO_ENABLED=0 go build $(GOFLAGS) -trimpath -tags '$(TAGS)' -ldflags '$(LDFLAGS)' -o '$(BINDIR)'/$(BINNAME) ./cmd/helm
++	GO111MODULE=on CGO_ENABLED=1 go build $(GOFLAGS) -trimpath -tags '$(TAGS)' -ldflags '$(LDFLAGS)' -o '$(BINDIR)'/$(BINNAME) ./cmd/helm
+
+ # ------------------------------------------------------------------------------
+ #  install
+@@ -165,7 +165,7 @@ $(GOIMPORTS):
+ .PHONY: build-cross
+ build-cross: LDFLAGS += -extldflags "-static"
+ build-cross: $(GOX)
+-	GOFLAGS="-trimpath" GO111MODULE=on CGO_ENABLED=0 $(GOX) -parallel=3 -output="_dist/{{.OS}}-{{.Arch}}/$(BINNAME)" -osarch='$(TARGETS)' $(GOFLAGS) -tags '$(TAGS)' -ldflags '$(LDFLAGS)' ./cmd/helm
++	GOFLAGS="-trimpath" GO111MODULE=on CGO_ENABLED=1 $(GOX) -parallel=3 -output="_dist/{{.OS}}-{{.Arch}}/$(BINNAME)" -osarch='$(TARGETS)' $(GOFLAGS) -tags '$(TAGS)' -ldflags '$(LDFLAGS)' ./cmd/helm
+
+ .PHONY: dist
+ dist:
+--
+2.25.1

build-scripts/components/k8s-dqlite/build.sh

@@ -1,9 +1,11 @@
 #!/bin/bash
 
-INSTALL="${1}/bin"
-mkdir -p "${INSTALL}"
+INSTALL="${1}"
+mkdir -p "${INSTALL}/bin" "${INSTALL}/usr/lib"
 
-make static -j
+export GOEXPERIMENT=opensslcrypto
+make dynamic -j
 
-cp bin/static/dqlite "${INSTALL}/dqlite"
-cp bin/static/k8s-dqlite "${INSTALL}/k8s-dqlite"
+cp bin/dynamic/dqlite "${INSTALL}/bin/dqlite"
+cp bin/dynamic/k8s-dqlite "${INSTALL}/bin/k8s-dqlite"
+cp bin/dynamic/lib/*so* "${INSTALL}/usr/lib"

build-scripts/components/kubernetes/build.sh

@@ -5,7 +5,7 @@ INSTALL="${1}"
 export KUBE_GIT_VERSION_FILE="${PWD}/.version.sh"
 
 for app in kubectl kubelite; do
-  make WHAT="cmd/${app}" KUBE_STATIC_OVERRIDES=kubelite
+  make WHAT="cmd/${app}" KUBE_CGO_OVERRIDES="${app}"
   cp _output/bin/"${app}" "${INSTALL}/${app}"
 done
 

microk8s-resources/default-args/fips-env

@@ -0,0 +1,16 @@
+# For FIPS-enabled hosts, i.e. when /proc/sys/crypto/fips_enabled is 1,
+# the following configuration is required to use the fips enabled crypto
+# libraries from the host.
+#
+# The paths below are for FIPS enabled Ubuntu 20.04, make sure to adjust
+# accordingly for other distributions.
+
+# Uncomment and specify the binary path and config file for openssl.
+# OPENSSL_EXECUTABLE="/usr/bin/openssl"
+# OPENSSL_CONF="/etc/ssl/openssl.cnf"
+
+# Uncomment and prepend the FIPS libcrypto location to the LD_LIBRARY_PATH
+# LD_LIBRARY_PATH="/usr/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH"
+
+# Set GOFIPS=1 so that Go binaries use the FIPS-enabled libcrypto
+GOFIPS=0

microk8s-resources/wrappers/microk8s-helm.wrapper

@@ -12,4 +12,10 @@ fi
 
 exit_if_stopped
 
+set -a
+if [ -e "${SNAP_DATA}/args/fips-env" ]; then
+  . "${SNAP_DATA}/args/fips-env"
+fi
+set +a
+
 "${SNAP}/bin/helm" --kubeconfig="${SNAP_DATA}"/credentials/client.config "$@"

microk8s-resources/wrappers/microk8s-helm3.wrapper

@@ -12,4 +12,10 @@ fi
 
 exit_if_stopped
 
+set -a
+if [ -e "${SNAP_DATA}/args/fips-env" ]; then
+  . "${SNAP_DATA}/args/fips-env"
+fi
+set +a
+
 "${SNAP}/bin/helm" --kubeconfig="${SNAP_DATA}"/credentials/client.config "$@"

microk8s-resources/wrappers/microk8s-kubectl.wrapper

@@ -28,6 +28,12 @@ then
   export EDITOR="${SNAP}/bin/nano"
 fi
 
+set -a
+if [ -e "${SNAP_DATA}/args/fips-env" ]; then
+  . "${SNAP_DATA}/args/fips-env"
+fi
+set +a
+
 declare -a args="($(cat $SNAP_DATA/args/kubectl))"
 if [ -n "${args[@]-}" ]
 then

microk8s-resources/wrappers/openssl.wrapper

@@ -4,8 +4,16 @@ set -eu
 
 source $SNAP/actions/common/utils.sh
 
-use_snap_env
+set -a
+if [ -e "${SNAP_DATA}/args/fips-env" ]; then
+  . "${SNAP_DATA}/args/fips-env"
+fi
+set +a
 
-export OPENSSL_CONF="${SNAP}/etc/ssl/openssl.cnf"
-
-"${SNAP}/usr/bin/openssl" "${@}"
+if [[ -v OPENSSL_EXECUTABLE ]]; then
+  exec "${OPENSSL_EXECUTABLE}" "${@}"
+else
+  use_snap_env
+  export OPENSSL_CONF="${SNAP}/etc/ssl/openssl.cnf"
+  ${SNAP}/usr/bin/openssl "$@"
+fi

microk8s-resources/wrappers/run-apiserver-proxy-with-args

@@ -21,6 +21,12 @@ fi
 
 sed 's@${SNAP}@'"${SNAP}"'@g;s@${SNAP_DATA}@'"${SNAP_DATA}"'@g' $SNAP_DATA/args/traefik/traefik-template.yaml > $SNAP_DATA/args/traefik/traefik.yaml
 
+set -a
+if [ -e "${SNAP_DATA}/args/fips-env" ]; then
+  . "${SNAP_DATA}/args/fips-env"
+fi
+set +a
+
 # This is really the only way I could find to get the args passed in correctly.
 declare -a args="($(cat $SNAP_DATA/args/apiserver-proxy))"
 exec "$SNAP/bin/cluster-agent" apiserver-proxy "${args[@]}"

microk8s-resources/wrappers/run-cluster-agent-with-args

@@ -12,6 +12,12 @@ set -eu
 
 use_snap_env
 
+set -a
+if [ -e "${SNAP_DATA}/args/fips-env" ]; then
+  . "${SNAP_DATA}/args/fips-env"
+fi
+set +a
+
 # This is really the only way I could find to get the args passed in correctly.
 declare -a args="($(cat $SNAP_DATA/args/cluster-agent))"
 

microk8s-resources/wrappers/run-etcd-with-args

@@ -26,6 +26,12 @@ fi
 
 export DEFAULT_INTERFACE_IP_ADDR="$(get_default_ip)"
 
+set -a
+if [ -e "${SNAP_DATA}/args/fips-env" ]; then
+  . "${SNAP_DATA}/args/fips-env"
+fi
+set +a
+
 # This is really the only way I could find to get the args passed in correctly.
 declare -a args="($(cat $SNAP_DATA/args/etcd))"
 exec "$SNAP/etcd" "${args[@]}"

microk8s-resources/wrappers/run-flanneld-with-args

@@ -32,6 +32,12 @@ export ETCDCTL_API=3
 # TODO get this from a file
 data="$(cat $SNAP_DATA/args/flannel-network-mgr-config)"
 
+set -a
+if [ -e "${SNAP_DATA}/args/fips-env" ]; then
+  . "${SNAP_DATA}/args/fips-env"
+fi
+set +a
+
 # Prepare etcd configuration for flannel, iff an etcd endpoint is set.
 # Skip this part if an alternate data store is used (e.g. Kubernetes).
 if [ ! -z "$etcd_endpoints" ]; then

microk8s-resources/wrappers/run-k8s-dqlite-with-args

@@ -40,6 +40,10 @@ if [ -e "${SNAP_DATA}/args/${app}-env" ]
 then
   . "${SNAP_DATA}/args/${app}-env"
 fi
+
+if [ -e "${SNAP_DATA}/args/fips-env" ]; then
+  . "${SNAP_DATA}/args/fips-env"
+fi
 set +a
 
 declare -a args="($(cat $SNAP_DATA/args/$app))"

microk8s-resources/wrappers/run-kubelite-with-args

@@ -217,5 +217,11 @@ then
   echo "1" > /proc/sys/net/bridge/bridge-nf-call-iptables
 fi
 
+set -a
+if [ -e "${SNAP_DATA}/args/fips-env" ]; then
+  . "${SNAP_DATA}/args/fips-env"
+fi
+set +a
+
 declare -a args="($(cat $SNAP_DATA/args/$app))"
 exec "$SNAP/$app" "${args[@]}"

snap/hooks/install

@@ -28,6 +28,12 @@ fi
 cp -r --preserve=mode ${SNAP}/default-args ${SNAP_DATA}/args
 mv ${SNAP_DATA}/args/certs.d/localhost__32000 ${SNAP_DATA}/args/certs.d/localhost:32000
 
+if -e "${SNAP_DATA}/args/fips-env"; then
+  set -a
+  . "${SNAP_DATA}/args/fips-env"
+  set +a
+fi
+
 SNAP_DATA_CURRENT=`echo "${SNAP_DATA}" | sed -e "s,${SNAP_REVISION},current,"`
 
 # Try to symlink /var/lib/kubelet so that most kubelet device plugins work out of the box.

snap/snapcraft.yaml

@@ -22,8 +22,8 @@ parts:
   build-deps:
     plugin: nil
     override-build: |
-      snap install go --classic --channel 1.20/stable
-      snap refresh go --channel 1.20/stable
+      snap install go --classic --channel 1.20-fips/stable
+      snap refresh go --channel 1.20-fips/stable
     build-packages:
       - autoconf
       - automake
@@ -50,12 +50,14 @@ parts:
 
   k8s-dqlite:
     after: [build-deps]
+    build-attributes: [no-patchelf]
     source: build-scripts/components/k8s-dqlite
     plugin: nil
     override-build: $SNAPCRAFT_PROJECT_DIR/build-scripts/build-component.sh k8s-dqlite
 
   etcd:
     after: [build-deps]
+    build-attributes: [no-patchelf]
     plugin: nil
     source: build-scripts/components/etcd
     override-build: $SNAPCRAFT_PROJECT_DIR/build-scripts/build-component.sh etcd
@@ -74,12 +76,14 @@ parts:
 
   flanneld:
     after: [build-deps]
+    build-attributes: [no-patchelf]
     plugin: nil
     source: build-scripts/components/flanneld
     override-build: $SNAPCRAFT_PROJECT_DIR/build-scripts/build-component.sh flanneld
 
   kubernetes:
     after: [build-deps]
+    build-attributes: [no-patchelf]
     plugin: nil
     source: build-scripts/components/kubernetes
     override-build: $SNAPCRAFT_PROJECT_DIR/build-scripts/build-component.sh kubernetes
@@ -91,6 +95,7 @@ parts:
 
   helm:
     after: [build-deps]
+    build-attributes: [no-patchelf]
     plugin: nil
     source: build-scripts/components/helm
     override-build: $SNAPCRAFT_PROJECT_DIR/build-scripts/build-component.sh helm
@@ -201,6 +206,7 @@ parts:
 
   cluster-agent:
     after: [build-deps]
+    build-attributes: [no-patchelf]
     plugin: nil
     source: build-scripts/components/cluster-agent
     override-build: $SNAPCRAFT_PROJECT_DIR/build-scripts/build-component.sh cluster-agent