From 6f2671476ac9c560685e142aeaa26b2fc7292634 Mon Sep 17 00:00:00 2001 From: Ettore Di Giacinto Date: Thu, 22 Jun 2023 13:01:03 +0300 Subject: [PATCH 1/4] Build ubuntu fips framework image to allow users to build fips enabled ubuntu flavors from scratch https://kairos.io/docs/reference/build-from-scratch/ Signed-off-by: Dimitris Karakasilis --- .github/flavors.json | 10 +++-- .github/workflows/release.yaml | 1 + framework-profile.yaml | 78 ++++++++++++++++++++++++++++++---- 3 files changed, 77 insertions(+), 12 deletions(-) diff --git a/.github/flavors.json b/.github/flavors.json index 032dbebc4..493a1b683 100644 --- a/.github/flavors.json +++ b/.github/flavors.json @@ -1,9 +1,9 @@ [ { - "flavor": "opensuse-leap" + "flavor": "opensuse-leap" }, { - "flavor": "opensuse-tumbleweed" + "flavor": "opensuse-tumbleweed" }, { "flavor": "ubuntu" @@ -11,6 +11,10 @@ { "flavor": "ubuntu-20-lts" }, + { + "flavor": "ubuntu-20-lts-fips", + "frameworkonly": "true" + }, { "flavor": "ubuntu-22-lts" }, @@ -32,4 +36,4 @@ { "flavor": "almalinux" } -] \ No newline at end of file +] diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index c6521986c..049674b81 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -77,6 +77,7 @@ jobs: build: runs-on: ubuntu-latest + if: ${{ matrix.frameworkonly != "true" }} needs: - get-matrix permissions: diff --git a/framework-profile.yaml b/framework-profile.yaml index 25318a0f2..d339bdf82 100755 --- a/framework-profile.yaml +++ b/framework-profile.yaml 
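Review bot: The new flavors.json entry encodes a boolean as a string, `"frameworkonly": "true"`, and the workflow code that consumes it later in this series selects on an exact string match (`.frameworkonly != "true"`), so an entry written as JSON `true`, `"True"` or `"yes"` would silently land back in the ISO `build` matrix instead of being framework-only. Prefer a real boolean in the data file, `"frameworkonly": true`, with the consumers selecting on `.frameworkonly != true` (or `(.frameworkonly // false) == false`), so the JSON parser rather than string comparison enforces the type. The indentation-only changes to the first two entries in this hunk are unrelated noise and could be dropped from the commit.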
@@ -1,69 +1,104 @@ -common: - - dracut/immucore - - static/grub-config - - system/kcrypt - - system/kcrypt-challenger - - system/suc-upgrade - - system/grub2-efi - - system/immucore - - system/kairos-agent +# Additional common packages to be added to all the FLAVORS +## common: +## - category/name@version flavors: debian: + - common-packages + - kairos-toolchain-nonfips - systemd-base - dracut-network-legacy ubuntu: + - common-packages + - kairos-toolchain-nonfips - systemd-base - dracut-network-legacy ubuntu-arm-rpi: + - common-packages + - kairos-toolchain-nonfips - systemd-base - dracut-network-legacy ubuntu-20-lts-arm-nvidia-jetson-agx-orin: + - common-packages + - kairos-toolchain-nonfips - systemd-base - dracut-network-legacy-compat ubuntu-20-lts-arm-rpi: + - common-packages + - kairos-toolchain-nonfips - systemd-base - dracut-network-legacy-compat ubuntu-22-lts-arm-rpi: + - common-packages + - kairos-toolchain-nonfips - systemd-base - dracut-network-legacy-compat ubuntu-22-lts: + - common-packages + - kairos-toolchain-nonfips - systemd-base - dracut-network-legacy-compat ubuntu-20-lts: + - common-packages + - kairos-toolchain-nonfips + - systemd-base + - dracut-network-legacy-compat + ubuntu-20-lts-fips: + - common-packages + - kairos-toolchain-fips - systemd-base - dracut-network-legacy-compat fedora: + - common-packages + - kairos-toolchain-nonfips - systemd-base - dracut-network-legacy-compat rockylinux: + - common-packages + - kairos-toolchain-nonfips - systemd-base - dracut-network-legacy-compat almalinux: + - common-packages + - kairos-toolchain-nonfips - systemd-base - dracut-network-legacy-compat opensuse-tumbleweed: + - common-packages + - kairos-toolchain-nonfips - systemd-base - systemd-latest - dracut-network-legacy opensuse-tumbleweed-arm-rpi: + - common-packages + - kairos-toolchain-nonfips - systemd-base - systemd-latest - dracut-network-legacy opensuse-leap: + - common-packages + - kairos-toolchain-nonfips - systemd-base - systemd-latest - 
dracut-network-legacy opensuse-leap-arm-rpi: + - common-packages + - kairos-toolchain-nonfips - systemd-base - systemd-latest - dracut-network-legacy alpine-arm-rpi: + - common-packages + - kairos-toolchain-nonfips - opensuse-leap-kernel - openrc alpine-opensuse-leap: + - common-packages + - kairos-toolchain-nonfips - openrc - opensuse-leap-kernel alpine-ubuntu: + - common-packages + - kairos-toolchain-nonfips - ubuntu-kernel - openrc # See https://github.com/kairos-io/packages/pull/67 for rationale @@ -84,6 +119,31 @@ opensuse-leap-kernel: packages: - distro-kernels/opensuse-leap - distro-initrd/opensuse-leap + +## Packages (cat/name@version) that are added to ALL flavors +## Static files, no binary +common-packages: + packages: + - static/grub-config + - dracut/immucore + - system/suc-upgrade + - system/grub2-efi + +kairos-toolchain-fips: + packages: + - fips/kcrypt + - fips/kcrypt-challenger + - fips/immucore + - fips/kairos-agent + +kairos-toolchain-nonfips: + packages: + - system/kcrypt + - system/kcrypt-challenger + - system/suc-upgrade + - system/grub2-efi + - system/immucore + - system/kairos-agent ubuntu-kernel: packages: - distro-kernels/ubuntu From 69f8c9c5cd28fdfe2000a100720a51a1f792f8bd Mon Sep 17 00:00:00 2001 From: Dimitris Karakasilis Date: Thu, 22 Jun 2023 13:04:19 +0300 Subject: [PATCH 2/4] Build only framework images for fips since we don't need isos for them. Isos need to be built manually (from scratch) because to have a fips enabled flavor you need to have a fips enabled OS in general. Signed-off-by: Ettore Di Giacinto --- .github/workflows/image.yaml | 28 +++++++++++++++++++++++++--- .github/workflows/release.yaml | 28 +++++++++++++++++++++++----- framework-profile.yaml | 2 -- 3 files changed, 48 insertions(+), 10 deletions(-) diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml index da5d6f2a6..fae43b40c 100644 --- a/.github/workflows/image.yaml +++ b/.github/workflows/image.yaml 
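Review bot: The `## Static files, no binary` comment above `common-packages` does not describe the list under it: `system/grub2-efi` and `system/suc-upgrade` are the same `system/` builds the non-FIPS toolchain uses, and because `ubuntu-20-lts-fips` pulls `common-packages` it inherits them next to `kairos-toolchain-fips`. If either package contains compiled code (a grub EFI payload at least looks likely, though the profile alone does not show what they contain), the FIPS flavor ships a non-`fips/` binary and the comment will mislead whoever next audits the flavor's FIPS claim, so please confirm. Either move any binary-bearing package into the two `kairos-toolchain*` lists with a `fips/` counterpart, or reword the comment to `## Packages shared by all flavors (grub2-efi/suc-upgrade are not FIPS-specific builds)`. Separately, the old top-level `common:` list is now a commented-out `## common:` stub, so nothing is added to a flavor automatically any more and every new flavor must remember to list `common-packages` itself; a one-line note beside the stub, e.g. `## nothing is implicit: every flavor must list common-packages explicitly`, would stop a future flavor silently missing `grub-config`/`immucore`.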
@@ -23,9 +23,10 @@ jobs: - uses: actions/checkout@v3 - run: | git fetch --prune --unshallow + sudo apt update && sudo apt install -y jq - id: set-matrix run: | - content=`cat ./.github/flavors.json` + content=`cat .github/flavors.json | jq 'map(select(.frameworkonly != "true"))'` # the following lines are only required for multi line json # the following lines are only required for multi line json content="${content//'%'/'%25'}" @@ -34,6 +35,27 @@ jobs: # end of optional handling for multi line json # end of optional handling for multi line json echo "::set-output name=matrix::{\"include\": $content }" + + get-framework-matrix: + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.set-matrix.outputs.matrix }} + steps: + - uses: actions/checkout@v3 + - run: | + git fetch --prune --unshallow + - id: set-matrix + run: | + content=`cat .github/flavors.json` + # the following lines are only required for multi line json + # the following lines are only required for multi line json + content="${content//'%'/'%25'}" + content="${content//$'\n'/'%0A'}" + content="${content//$'\r'/'%0D'}" + # end of optional handling for multi line json + # end of optional handling for multi line json + echo "::set-output name=matrix::{\"include\": $content }" + build: runs-on: ubuntu-latest needs: @@ -128,13 +150,13 @@ jobs: build-framework: if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} needs: - - get-matrix + - get-framework-matrix runs-on: self-hosted permissions: id-token: write strategy: fail-fast: false - matrix: ${{fromJson(needs.get-matrix.outputs.matrix)}} + matrix: ${{fromJson(needs.get-framework-matrix.outputs.matrix)}} steps: - uses: actions/checkout@v3 - run: | diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 049674b81..3f9f6f35f 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
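Review bot: The new `get-framework-matrix` job copies the deprecated `::set-output` workflow command together with the `%25`/`%0A`/`%0D` escaping hack instead of writing to `$GITHUB_OUTPUT`, which GitHub has recommended since deprecating stdout-parsed commands (the same channel that needed the `set-env` injection fix, and one that will eventually stop working). Compacting the JSON with `jq -c` makes it a single line, so the escaping block disappears and `$GITHUB_OUTPUT` can be written directly; the same applies to the `get-matrix` step in the hunk above. Two smaller points in the same hunks: `jq` is preinstalled on `ubuntu-latest`, so `sudo apt update && sudo apt install -y jq` adds a network package install to every run for no gain, and the copied `actions/checkout@v3` plus `git fetch --prune --unshallow` in a job that only reads one JSON file could be a SHA-pinned checkout with no fetch at all. The `build-framework` job lines changed below only repoint `needs`/`matrix` and look correct.
```yaml
      - id: set-matrix
        run: |
          content=$(jq -c 'map(select(.frameworkonly != "true"))' .github/flavors.json)
          echo "matrix={\"include\": $content }" >> "$GITHUB_OUTPUT"
  # … unchanged: get-framework-matrix uses the same step with `jq -c .` and no filter …
```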
@@ -13,9 +13,28 @@ jobs: - uses: actions/checkout@v3 - run: | git fetch --prune --unshallow + sudo apt update && sudo apt install -y jq - id: set-matrix run: | - content=`cat ./.github/flavors.json` + content=`cat .github/flavors.json | jq 'map(select(.frameworkonly != "true"))'` + # the following lines are only required for multi line json + content="${content//'%'/'%25'}" + content="${content//$'\n'/'%0A'}" + content="${content//$'\r'/'%0D'}" + # end of optional handling for multi line json + echo "::set-output name=matrix::{\"include\": $content }" + + get-framework-matrix: + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.set-matrix.outputs.matrix }} + steps: + - uses: actions/checkout@v3 + - run: | + git fetch --prune --unshallow + - id: set-matrix + run: | + content=`cat .github/flavors.json` # the following lines are only required for multi line json content="${content//'%'/'%25'}" content="${content//$'\n'/'%0A'}" @@ -26,13 +45,13 @@ jobs: build-framework: runs-on: self-hosted needs: - - get-matrix + - get-framework-matrix permissions: id-token: write # OIDC support contents: write strategy: fail-fast: false - matrix: ${{fromJson(needs.get-matrix.outputs.matrix)}} + matrix: ${{fromJson(needs.get-framework-matrix.outputs.matrix)}} steps: - uses: actions/checkout@v3 - run: | @@ -77,7 +96,6 @@ jobs: build: runs-on: ubuntu-latest - if: ${{ matrix.frameworkonly != "true" }} needs: - get-matrix permissions: @@ -87,7 +105,7 @@ jobs: security-events: write strategy: fail-fast: false - matrix: ${{fromJson(needs.get-matrix.outputs.matrix)}} + matrix: ${{ fromJson(needs.get-matrix.outputs.matrix) }} steps: - uses: actions/checkout@v3 - run: | diff --git a/framework-profile.yaml b/framework-profile.yaml index d339bdf82..c834ed556 100755 --- a/framework-profile.yaml +++ b/framework-profile.yaml 
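Review bot: `get-matrix` and the new `get-framework-matrix` are two jobs that each check out the repository, run the same unshallow fetch and parse the same file, differing only in a `jq` filter; one job emitting two outputs is shorter, avoids the duplicated escaping boilerplate and removes the second place this logic has to be kept in sync. With `jq -c` producing single-line JSON, both values can be written straight to `$GITHUB_OUTPUT`, and `build-framework` then reads `needs.get-matrix.outputs.framework-matrix`. Dropping the job-level `if: ${{ matrix.frameworkonly != "true" }}` from `build` in favour of filtering before the matrix is the right call, since `matrix` is not available in a job-level `if`. One effect of the change worth stating in the PR: the FIPS entry now only ever reaches `build-framework`, which runs on `self-hosted` with `contents: write` and `id-token: write`, so the published FIPS framework image is only as trustworthy as that runner; presumably it is isolated/ephemeral, but that is not visible here.
```yaml
  get-matrix:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
      framework-matrix: ${{ steps.set-matrix.outputs.framework-matrix }}
    steps:
      - uses: actions/checkout@v3
      - id: set-matrix
        run: |
          all=$(jq -c . .github/flavors.json)
          iso=$(jq -c 'map(select(.frameworkonly != "true"))' .github/flavors.json)
          echo "framework-matrix={\"include\": $all }" >> "$GITHUB_OUTPUT"
          echo "matrix={\"include\": $iso }" >> "$GITHUB_OUTPUT"
  # … unchanged: build-framework, with needs: [get-matrix] and
  # matrix: ${{ fromJson(needs.get-matrix.outputs.framework-matrix) }} …
```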
@@ -140,8 +140,6 @@ kairos-toolchain-nonfips: packages: - system/kcrypt - system/kcrypt-challenger - - system/suc-upgrade - - system/grub2-efi - system/immucore - system/kairos-agent ubuntu-kernel: From 78c5f03e73efe4ced3253cf77c795ca7181082c6 Mon Sep 17 00:00:00 2001 From: Dimitris Karakasilis Date: Thu, 22 Jun 2023 17:57:24 +0300 Subject: [PATCH 3/4] Use a name that allows us to have other certifications in the future This was a PR suggestion Signed-off-by: Dimitris Karakasilis --- framework-profile.yaml | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/framework-profile.yaml b/framework-profile.yaml index c834ed556..4bdd2de0f 100755 --- a/framework-profile.yaml +++ b/framework-profile.yaml @@ -4,42 +4,42 @@ flavors: debian: - common-packages - - kairos-toolchain-nonfips + - kairos-toolchain - systemd-base - dracut-network-legacy ubuntu: - common-packages - - kairos-toolchain-nonfips + - kairos-toolchain - systemd-base - dracut-network-legacy ubuntu-arm-rpi: - common-packages - - kairos-toolchain-nonfips + - kairos-toolchain - systemd-base - dracut-network-legacy ubuntu-20-lts-arm-nvidia-jetson-agx-orin: - common-packages - - kairos-toolchain-nonfips + - kairos-toolchain - systemd-base - dracut-network-legacy-compat ubuntu-20-lts-arm-rpi: - common-packages - - kairos-toolchain-nonfips + - kairos-toolchain - systemd-base - dracut-network-legacy-compat ubuntu-22-lts-arm-rpi: - common-packages - - kairos-toolchain-nonfips + - kairos-toolchain - systemd-base - dracut-network-legacy-compat ubuntu-22-lts: - common-packages - - kairos-toolchain-nonfips + - kairos-toolchain - systemd-base - dracut-network-legacy-compat ubuntu-20-lts: - common-packages - - kairos-toolchain-nonfips + - kairos-toolchain - systemd-base - dracut-network-legacy-compat ubuntu-20-lts-fips: 
@@ -49,56 +49,56 @@ flavors: - dracut-network-legacy-compat fedora: - common-packages - - kairos-toolchain-nonfips + - kairos-toolchain - systemd-base - dracut-network-legacy-compat rockylinux: - common-packages - - kairos-toolchain-nonfips + - kairos-toolchain - systemd-base - dracut-network-legacy-compat almalinux: - common-packages - - kairos-toolchain-nonfips + - kairos-toolchain - systemd-base - dracut-network-legacy-compat opensuse-tumbleweed: - common-packages - - kairos-toolchain-nonfips + - kairos-toolchain - systemd-base - systemd-latest - dracut-network-legacy opensuse-tumbleweed-arm-rpi: - common-packages - - kairos-toolchain-nonfips + - kairos-toolchain - systemd-base - systemd-latest - dracut-network-legacy opensuse-leap: - common-packages - - kairos-toolchain-nonfips + - kairos-toolchain - systemd-base - systemd-latest - dracut-network-legacy opensuse-leap-arm-rpi: - common-packages - - kairos-toolchain-nonfips + - kairos-toolchain - systemd-base - systemd-latest - dracut-network-legacy alpine-arm-rpi: - common-packages - - kairos-toolchain-nonfips + - kairos-toolchain - opensuse-leap-kernel - openrc alpine-opensuse-leap: - common-packages - - kairos-toolchain-nonfips + - kairos-toolchain - openrc - opensuse-leap-kernel alpine-ubuntu: - common-packages - - kairos-toolchain-nonfips + - kairos-toolchain - ubuntu-kernel - openrc # See https://github.com/kairos-io/packages/pull/67 for rationale @@ -136,7 +136,7 @@ kairos-toolchain-fips: - fips/immucore - fips/kairos-agent -kairos-toolchain-nonfips: +kairos-toolchain: packages: - system/kcrypt - system/kcrypt-challenger From 8e65bf58e9048a925c76838e8e5e0b51bff5591a Mon Sep 17 00:00:00 2001 From: Dimitris Karakasilis Date: Thu, 22 Jun 2023 22:44:10 +0300 Subject: [PATCH 4/4] Don't use deprecated flag for upgrade Signed-off-by: Dimitris Karakasilis --- tests/upgrade_cli_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tests/upgrade_cli_test.go b/tests/upgrade_cli_test.go
index 04e63a2c2..79a3c1eec 100644
--- a/tests/upgrade_cli_test.go
+++ b/tests/upgrade_cli_test.go
@@ -60,7 +60,7 @@ var _ = Describe("k3s upgrade manual test", Label("upgrade-with-cli"), func() {
 Expect(currentVersion).To(ContainSubstring("v"))
 By(fmt.Sprintf("Upgrading to: %s", containerImage))
- out, err := vm.Sudo("kairos-agent --debug upgrade --force --image " + containerImage)
+ out, err := vm.Sudo("kairos-agent --debug upgrade --force --source " + containerImage)
 Expect(err).ToNot(HaveOccurred(), string(out))
 Expect(out).To(ContainSubstring("Upgrade completed"))
 Expect(out).To(ContainSubstring(containerImage))
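Review bot: The replacement flag may need a source-type prefix: in kairos-agent the `--source` flag takes a `type:address` value (`oci:`, `dir:` or `file:`), so passing the bare image reference that `--image` accepted could be rejected or misinterpreted by the agent; if that holds for the agent version this suite targets, the line should read `out, err := vm.Sudo("kairos-agent --debug upgrade --force --source oci:" + containerImage)`. I cannot confirm the agent's parsing from this file, so check it against `kairos-agent upgrade --help` rather than waiting for the integration run, where a parse failure would only surface through the `HaveOccurred` assertion on the next line. The enclosing `Describe`/`It` closures start and end outside the hunk.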