fips dqlite/k8s-dqlite

canonical · Feb 7, 2025 · ce1c2db · ce1c2db
1 parent 740c3e2
commit ce1c2db
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 9 deletions.
diff --git a/build-scripts/components/k8s-dqlite/build.sh b/build-scripts/components/k8s-dqlite/build.sh
@@ -3,13 +3,14 @@
 INSTALL="${1}/bin"
 
 ## Use built dqlite dependencies (if any)
-if [ -d "${SNAPCRAFT_STAGE}/static-dqlite-deps" ]; then
-  export DQLITE_BUILD_SCRIPTS_DIR="${SNAPCRAFT_STAGE}/static-dqlite-deps"
+if [ -d "${SNAPCRAFT_STAGE}/dynamic-dqlite-deps" ]; then
+  export DQLITE_BUILD_SCRIPTS_DIR="${SNAPCRAFT_STAGE}/dynamic-dqlite-deps"
 fi
 
-make static -j
+export GOEXPERIMENT=opensslcrypto
+make dynamic -j
 
 mkdir -p "${INSTALL}"
 for binary in k8s-dqlite dqlite; do
-  cp -P "bin/static/${binary}" "${INSTALL}/${binary}"
+  cp -P "bin/dynamic/${binary}" "${INSTALL}/${binary}"
 done
diff --git a/build-scripts/components/kubernetes/build.sh b/build-scripts/components/kubernetes/build.sh
@@ -6,7 +6,11 @@ mkdir -p "${INSTALL}"
 export KUBE_GIT_VERSION_FILE="${PWD}/.version.sh"
 
 for app in kubernetes; do
-  make GOEXPERIMENT=opensslcrypto WHAT="cmd/${app}" KUBE_CGO_OVERRIDES="${app}" GOFLAGS="-tags=providerless,goexperiment.systemcrypto,linux,cgo"
+  # We are setting allowcryptofallback here. Normally this is not recommended because the user could
+  # be led to think their system is compliant when the binaries have actually fallen back to non-FIPS compliant crypto.
+  # We do this because we want to have a single branch/track for FIPS and non-FIPS deployments. In this scenario,
+  # we don't have a choice to allow fallback.
+  make GOEXPERIMENT=opensslcrypto WHAT="cmd/${app}" KUBE_CGO_OVERRIDES="${app}" GOFLAGS="-tags=providerless,goexperiment.systemcrypto,linux,cgo,allowcryptofallback"
   cp _output/bin/"${app}" "${INSTALL}/${app}"
 done
 

diff --git a/k8s/lib.sh b/k8s/lib.sh
@@ -5,7 +5,7 @@
 # Configure execution environment, locales and XDG to use paths from SNAP
 # Example: 'k8s::common::setup_env'
 k8s::common::setup_env() {
-  GOFIPS=1
+  [ -f "${SNAP_COMMON}/fips-env" ] && source "${SNAP_COMMON}/fips-env"
 
   if [ -n "$_K8S_ENV_SETUP_ONCE" ]; then
     return 0

diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
@@ -52,31 +52,34 @@ parts:
     plugin: nil
     source: src/k8s/hack
     override-prime: ""
+    build-attributes: [no-patchelf]
     override-build: |
-      DQLITE_STAGING_DIR="${SNAPCRAFT_STAGE}/static-dqlite-deps"
+      DQLITE_STAGING_DIR="${SNAPCRAFT_STAGE}/dynamic-dqlite-deps"
       if [ -d "${DQLITE_STAGING_DIR}" ]; then
         rm -rf "${DQLITE_STAGING_DIR}"
       fi
       mkdir "${DQLITE_STAGING_DIR}"
       cp -rv * "${DQLITE_STAGING_DIR}"
 
       # Build dqlite libraries on the staging area
-      "${DQLITE_STAGING_DIR}/static-dqlite.sh"
+      "${DQLITE_STAGING_DIR}/dynamic-dqlite.sh"
 
   k8s-dqlite:
     after: [dqlite]
     plugin: nil
+    build-attributes: [no-patchelf]
     source: build-scripts/components/k8s-dqlite
     override-build: $SNAPCRAFT_PROJECT_DIR/build-scripts/build-component.sh k8s-dqlite
 
   k8s-binaries:
     after: [dqlite]
     source: src/k8s
+    build-attributes: [no-patchelf]
     plugin: nil
     override-build: |
       INSTALL="${SNAPCRAFT_PART_INSTALL}"
 
-      export DQLITE_BUILD_SCRIPTS_DIR="${SNAPCRAFT_STAGE}/static-dqlite-deps"
+      export DQLITE_BUILD_SCRIPTS_DIR="${SNAPCRAFT_STAGE}/dynamic-dqlite-deps"
       make static -j
 
       mkdir -p "${INSTALL}/bin"
@@ -172,6 +175,7 @@ parts:
       - libnss-resolve
       - libnss-myhostname
       - libnss-mymachines
+      - libuv1
       - members
       - nano
       - net-tools