Build ubuntu fips framework image

to allow users to build fips enabled ubuntu flavors from scratch https://kairos.io/docs/reference/build-from-scratch/ Signed-off-by: Dimitris Karakasilis <dimitris@spectrocloud.com>
kairos-io · Jun 22, 2023 · 6f26714 · 6f26714
1 parent dbacc56
commit 6f26714
Show file tree

Hide file tree

Showing 3 changed files with 77 additions and 12 deletions.
diff --git a/.github/flavors.json b/.github/flavors.json
@@ -1,16 +1,20 @@
 [
     {
-       "flavor": "opensuse-leap"
+        "flavor": "opensuse-leap"
     },
     {
-       "flavor": "opensuse-tumbleweed"
+        "flavor": "opensuse-tumbleweed"
     },
     {
         "flavor": "ubuntu"
     },
     {
         "flavor": "ubuntu-20-lts"
     },
+    {
+        "flavor": "ubuntu-20-lts-fips",
+        "frameworkonly": "true"
+    },
     {
         "flavor": "ubuntu-22-lts"
     },
@@ -32,4 +36,4 @@
     {
         "flavor": "almalinux"
     }
-]
+]
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -77,6 +77,7 @@ jobs:
 
   build:
     runs-on: ubuntu-latest
+    if: ${{ matrix.frameworkonly != "true" }}
     needs:
     - get-matrix
     permissions:

diff --git a/framework-profile.yaml b/framework-profile.yaml
@@ -1,69 +1,104 @@
-common:
-  - dracut/immucore
-  - static/grub-config
-  - system/kcrypt
-  - system/kcrypt-challenger
-  - system/suc-upgrade
-  - system/grub2-efi
-  - system/immucore
-  - system/kairos-agent
+# Additional common packages to be added to all the FLAVORS
+## common:
+##  - category/name@version
 flavors:
   debian:
+    - common-packages
+    - kairos-toolchain-nonfips
     - systemd-base
     - dracut-network-legacy
   ubuntu:
+    - common-packages
+    - kairos-toolchain-nonfips
     - systemd-base
     - dracut-network-legacy
   ubuntu-arm-rpi:
+    - common-packages
+    - kairos-toolchain-nonfips
     - systemd-base
     - dracut-network-legacy
   ubuntu-20-lts-arm-nvidia-jetson-agx-orin:
+    - common-packages
+    - kairos-toolchain-nonfips
     - systemd-base
     - dracut-network-legacy-compat
   ubuntu-20-lts-arm-rpi:
+    - common-packages
+    - kairos-toolchain-nonfips
     - systemd-base
     - dracut-network-legacy-compat
   ubuntu-22-lts-arm-rpi:
+    - common-packages
+    - kairos-toolchain-nonfips
     - systemd-base
     - dracut-network-legacy-compat
   ubuntu-22-lts:
+    - common-packages
+    - kairos-toolchain-nonfips
     - systemd-base
     - dracut-network-legacy-compat
   ubuntu-20-lts:
+    - common-packages
+    - kairos-toolchain-nonfips
+    - systemd-base
+    - dracut-network-legacy-compat
+  ubuntu-20-lts-fips:
+    - common-packages
+    - kairos-toolchain-fips
     - systemd-base
     - dracut-network-legacy-compat
   fedora:
+    - common-packages
+    - kairos-toolchain-nonfips
     - systemd-base
     - dracut-network-legacy-compat
   rockylinux:
+    - common-packages
+    - kairos-toolchain-nonfips
     - systemd-base
     - dracut-network-legacy-compat
   almalinux:
+    - common-packages
+    - kairos-toolchain-nonfips
     - systemd-base
     - dracut-network-legacy-compat
   opensuse-tumbleweed:
+    - common-packages
+    - kairos-toolchain-nonfips
     - systemd-base
     - systemd-latest
     - dracut-network-legacy
   opensuse-tumbleweed-arm-rpi:
+    - common-packages
+    - kairos-toolchain-nonfips
     - systemd-base
     - systemd-latest
     - dracut-network-legacy
   opensuse-leap:
+    - common-packages
+    - kairos-toolchain-nonfips
     - systemd-base
     - systemd-latest
     - dracut-network-legacy
   opensuse-leap-arm-rpi:
+    - common-packages
+    - kairos-toolchain-nonfips
     - systemd-base
     - systemd-latest
     - dracut-network-legacy
   alpine-arm-rpi:
+    - common-packages
+    - kairos-toolchain-nonfips
     - opensuse-leap-kernel
     - openrc
   alpine-opensuse-leap:
+    - common-packages
+    - kairos-toolchain-nonfips
     - openrc
     - opensuse-leap-kernel
   alpine-ubuntu:
+    - common-packages
+    - kairos-toolchain-nonfips
     - ubuntu-kernel
     - openrc
 # See https://github.com/kairos-io/packages/pull/67 for rationale
@@ -84,6 +119,31 @@ opensuse-leap-kernel:
   packages:
     - distro-kernels/opensuse-leap
     - distro-initrd/opensuse-leap
+
+## Packages (cat/name@version) that are added to ALL flavors
+## Static files, no binary
+common-packages:
+  packages:
+  - static/grub-config
+  - dracut/immucore
+  - system/suc-upgrade
+  - system/grub2-efi
+
+kairos-toolchain-fips:
+  packages:
+  - fips/kcrypt
+  - fips/kcrypt-challenger
+  - fips/immucore
+  - fips/kairos-agent
+
+kairos-toolchain-nonfips:
+  packages:
+  - system/kcrypt
+  - system/kcrypt-challenger
+  - system/suc-upgrade
+  - system/grub2-efi
+  - system/immucore
+  - system/kairos-agent
 ubuntu-kernel:
   packages:
     - distro-kernels/ubuntu