From 1f84cbdde79111fe350c6b55e4c1f4b1aaddf652 Mon Sep 17 00:00:00 2001
From: Kasturi Narra
Date: Tue, 23 Sep 2025 17:26:46 +0530
Subject: [PATCH] Enable fips support for release scenarios
---
 ...c-brew-ec-with-optional-fips.containerfile | 16 ++++++++
 ...c-brew-rc-with-optional-fips.containerfile | 16 ++++++++
 ...w-zstream-with-optional-fips.containerfile | 16 ++++++++
 .../rhel96-brew-ec-with-optionals-fips.toml | 32 ++++++++++++++++
 .../rhel96-brew-rc-with-optionals-fips.toml | 32 ++++++++++++++++
 ...el96-brew-zstream-with-optionals-fips.toml | 32 ++++++++++++++++
 .../releases/el96-lrel@fips.sh.disabled | 37 +++++++++++++++++++
 .../releases/el96-lrel@fips.sh.disabled | 37 +++++++++++++++++++
 8 files changed, 218 insertions(+)
 create mode 100644 test/image-blueprints-bootc/layer1-base/group3/rhel96-bootc-brew-ec-with-optional-fips.containerfile
 create mode 100644 test/image-blueprints-bootc/layer1-base/group3/rhel96-bootc-brew-rc-with-optional-fips.containerfile
 create mode 100644 test/image-blueprints-bootc/layer1-base/group3/rhel96-bootc-brew-zstream-with-optional-fips.containerfile
 create mode 100644 test/image-blueprints/layer1-base/group5/rhel96-brew-ec-with-optionals-fips.toml
 create mode 100644 test/image-blueprints/layer1-base/group5/rhel96-brew-rc-with-optionals-fips.toml
 create mode 100644 test/image-blueprints/layer1-base/group5/rhel96-brew-zstream-with-optionals-fips.toml
 create mode 100644 test/scenarios-bootc/releases/el96-lrel@fips.sh.disabled
 create mode 100644 test/scenarios/releases/el96-lrel@fips.sh.disabled
diff --git a/test/image-blueprints-bootc/layer1-base/group3/rhel96-bootc-brew-ec-with-optional-fips.containerfile b/test/image-blueprints-bootc/layer1-base/group3/rhel96-bootc-brew-ec-with-optional-fips.containerfile
new file mode 100644
index 0000000000..ca75d6ce19
--- /dev/null
+++ b/test/image-blueprints-bootc/layer1-base/group3/rhel96-bootc-brew-ec-with-optional-fips.containerfile
@@ -0,0 +1,16 @@
+# {{- if env.Getenv "BREW_EC_RELEASE_VERSION" "" -}}
+# Note: This comment makes templating add a new line before the code
+FROM localhost/rhel96-bootc-brew-ec-with-optional:latest
+
+# Add fips=1 kernel argument
+# See https://containers.github.io/bootc/building/kernel-arguments.html
+RUN cat > /usr/lib/bootc/kargs.d/01-fips.toml <<'EOF'
+kargs = ["fips=1"]
+match-architectures = ["x86_64"]
+EOF
+
+# Enable the FIPS crypto policy
+RUN dnf install -y crypto-policies-scripts && \
+ update-crypto-policies --no-reload --set FIPS && \
+ dnf clean all
+# {{- end -}}
diff --git a/test/image-blueprints-bootc/layer1-base/group3/rhel96-bootc-brew-rc-with-optional-fips.containerfile b/test/image-blueprints-bootc/layer1-base/group3/rhel96-bootc-brew-rc-with-optional-fips.containerfile
new file mode 100644
index 0000000000..f6e4f43e4d
--- /dev/null
+++ b/test/image-blueprints-bootc/layer1-base/group3/rhel96-bootc-brew-rc-with-optional-fips.containerfile
@@ -0,0 +1,16 @@
+# {{- if env.Getenv "BREW_RC_RELEASE_VERSION" "" -}}
+# Note: This comment makes templating add a new line before the code
+FROM localhost/rhel96-bootc-brew-rc-with-optional:latest
+
+# Add fips=1 kernel argument
+# See https://containers.github.io/bootc/building/kernel-arguments.html
+RUN cat > /usr/lib/bootc/kargs.d/01-fips.toml <<'EOF'
+kargs = ["fips=1"]
+match-architectures = ["x86_64"]
+EOF
+
+# Enable the FIPS crypto policy
+RUN dnf install -y crypto-policies-scripts && \
+ update-crypto-policies --no-reload --set FIPS && \
+ dnf clean all
+# {{- end -}}
diff --git a/test/image-blueprints-bootc/layer1-base/group3/rhel96-bootc-brew-zstream-with-optional-fips.containerfile b/test/image-blueprints-bootc/layer1-base/group3/rhel96-bootc-brew-zstream-with-optional-fips.containerfile
new file mode 100644
index 0000000000..89607633a3
--- /dev/null
+++ b/test/image-blueprints-bootc/layer1-base/group3/rhel96-bootc-brew-zstream-with-optional-fips.containerfile
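Review bot: The kernel argument in the heredoc is limited to x86_64 by `match-architectures = ["x86_64"]`, while the following RUN sets the FIPS crypto policy unconditionally, so an aarch64 build of this image would carry the FIPS policy without `fips=1`, leaving the kernel outside FIPS mode while userspace configuration says it is enabled. Either drop the `match-architectures` line so both steps apply together, or state in the comment above the heredoc that the image is x86_64-only (the scenario files in this patch skip aarch64, which suggests the latter is intended). The `cat >` also assumes `/usr/lib/bootc/kargs.d/` already exists in the base image; `RUN mkdir -p /usr/lib/bootc/kargs.d && cat > /usr/lib/bootc/kargs.d/01-fips.toml <<'EOF'` would make the build independent of that. The rc and zstream containerfiles in this patch have the same two points.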
@@ -0,0 +1,16 @@
+# {{- if env.Getenv "BREW_Y0_RELEASE_VERSION" "" -}}
+# Note: This comment makes templating add a new line before the code
+FROM localhost/rhel96-bootc-brew-zstream-with-optional:latest
+
+# Add fips=1 kernel argument
+# See https://containers.github.io/bootc/building/kernel-arguments.html
+RUN cat > /usr/lib/bootc/kargs.d/01-fips.toml <<'EOF'
+kargs = ["fips=1"]
+match-architectures = ["x86_64"]
+EOF
+
+# Enable the FIPS crypto policy
+RUN dnf install -y crypto-policies-scripts && \
+ update-crypto-policies --no-reload --set FIPS && \
+ dnf clean all
+# {{- end -}}
diff --git a/test/image-blueprints/layer1-base/group5/rhel96-brew-ec-with-optionals-fips.toml b/test/image-blueprints/layer1-base/group5/rhel96-brew-ec-with-optionals-fips.toml
new file mode 100644
index 0000000000..2e3c223c2f
--- /dev/null
+++ b/test/image-blueprints/layer1-base/group5/rhel96-brew-ec-with-optionals-fips.toml
@@ -0,0 +1,32 @@
+{{- if and (env.Getenv "BREW_EC_RELEASE_VERSION" "") (env.Getenv "BREW_Y1_RELEASE_VERSION" "") -}}
+{{- /*
+
+ We wrap this template in a test so that the body of the output is
+ empty when there is no "current" version release. The output file
+ must end up completely empty, so we need to remove whitespace from
+ around the first and last template instructions.
+
+*/ -}}
+
+name = "rhel-9.6-microshift-brew-optionals-4.{{ .Env.MINOR_VERSION}}-ec-fips"
+description = "FIPS-enabled version of rhel-9.6-microshift-brew-optionals-4.{{ .Env.MINOR_VERSION}}-ec"
+version = "0.0.1"
+modules = []
+groups = []
+distro = "rhel-96"
+
+# Use the base brewery blueprint as parent
+parent = "rhel-9.6-microshift-brew-optionals-4.{{ .Env.MINOR_VERSION}}-ec"
+
+# Add only FIPS-specific configuration
+[[packages]]
+name = "crypto-policies-scripts"
+version = "*"
+
+[customizations.kernel]
+append = "fips=1"
+
+[[customizations.files]]
+path = "/etc/crypto-policies/config"
+data = "FIPS"
+{{- end -}}
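Review bot: The `[[customizations.files]]` entry at the end of the blueprint only writes the policy name into `/etc/crypto-policies/config`; unlike the bootc containerfiles in this patch, nothing here runs `update-crypto-policies --set FIPS`, and as far as I know the generated back-end files under `/etc/crypto-policies/back-ends/` are regenerated only by that command, so the image may boot with `fips=1` on the kernel command line while userspace still uses the DEFAULT policy. This is worth confirming on a built image with `update-crypto-policies --show` and `fips-mode-setup --check` before the scenario is enabled. If the composer version used here supports the blueprint-level `fips = true` customization, that is the supported way to get both the kernel argument and the policy; otherwise a comment above the `[[customizations.files]]` block should say why the config file is written directly and what regenerates the back-ends. The rc and zstream blueprints in this patch have the same issue.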
diff --git a/test/image-blueprints/layer1-base/group5/rhel96-brew-rc-with-optionals-fips.toml b/test/image-blueprints/layer1-base/group5/rhel96-brew-rc-with-optionals-fips.toml
new file mode 100644
index 0000000000..18fd441189
--- /dev/null
+++ b/test/image-blueprints/layer1-base/group5/rhel96-brew-rc-with-optionals-fips.toml
@@ -0,0 +1,32 @@
+{{- if and (env.Getenv "BREW_RC_RELEASE_VERSION" "") (env.Getenv "BREW_Y1_RELEASE_VERSION" "") -}}
+{{- /*
+
+ We wrap this template in a test so that the body of the output is
+ empty when there is no "current" version release. The output file
+ must end up completely empty, so we need to remove whitespace from
+ around the first and last template instructions.
+
+*/ -}}
+
+name = "rhel-9.6-microshift-brew-optionals-4.{{ .Env.MINOR_VERSION}}-rc-fips"
+description = "FIPS-enabled version of rhel-9.6-microshift-brew-optionals-4.{{ .Env.MINOR_VERSION}}-rc"
+version = "0.0.1"
+modules = []
+groups = []
+distro = "rhel-96"
+
+# Use the base brewery blueprint as parent
+parent = "rhel-9.6-microshift-brew-optionals-4.{{ .Env.MINOR_VERSION}}-rc"
+
+# Add only FIPS-specific configuration
+[[packages]]
+name = "crypto-policies-scripts"
+version = "*"
+
+[customizations.kernel]
+append = "fips=1"
+
+[[customizations.files]]
+path = "/etc/crypto-policies/config"
+data = "FIPS"
+{{- end -}}
diff --git a/test/image-blueprints/layer1-base/group5/rhel96-brew-zstream-with-optionals-fips.toml b/test/image-blueprints/layer1-base/group5/rhel96-brew-zstream-with-optionals-fips.toml
new file mode 100644
index 0000000000..8e40390bf3
--- /dev/null
+++ b/test/image-blueprints/layer1-base/group5/rhel96-brew-zstream-with-optionals-fips.toml
@@ -0,0 +1,32 @@
+{{- if and (env.Getenv "BREW_Y0_RELEASE_VERSION" "") (env.Getenv "BREW_Y1_RELEASE_VERSION" "") -}}
+{{- /*
+
+ We wrap this template in a test so that the body of the output is
+ empty when there is no "current" version release. The output file
+ must end up completely empty, so we need to remove whitespace from
+ around the first and last template instructions.
+
+*/ -}}
+
+name = "rhel-9.6-microshift-brew-optionals-4.{{ .Env.MINOR_VERSION }}-zstream-fips"
+description = "FIPS-enabled version of rhel-9.6-microshift-brew-optionals-4.{{ .Env.MINOR_VERSION }}-zstream"
+version = "0.0.1"
+modules = []
+groups = []
+distro = "rhel-96"
+
+# Use the base brewery blueprint as parent
+parent = "rhel-9.6-microshift-brew-optionals-4.{{ .Env.MINOR_VERSION }}-zstream"
+
+# Add only FIPS-specific configuration
+[[packages]]
+name = "crypto-policies-scripts"
+version = "*"
+
+[customizations.kernel]
+append = "fips=1"
+
+[[customizations.files]]
+path = "/etc/crypto-policies/config"
+data = "FIPS"
+{{- end -}}
diff --git a/test/scenarios-bootc/releases/el96-lrel@fips.sh.disabled b/test/scenarios-bootc/releases/el96-lrel@fips.sh.disabled
new file mode 100644
index 0000000000..a73d5b3756
--- /dev/null
+++ b/test/scenarios-bootc/releases/el96-lrel@fips.sh.disabled
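Review bot: The template actions in the `name`, `description` and `parent` lines are written `{{ .Env.MINOR_VERSION }}`, whereas the ec and rc blueprints added in this patch write `{{ .Env.MINOR_VERSION}}` without the closing space; the renderer treats both the same, but the three files are otherwise line-for-line parallel and a search for one spelling misses the other. Pick one spelling for all three.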
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Sourced from scenario.sh and uses functions defined there.
+
+start_image="rhel96-bootc-brew-${LATEST_RELEASE_TYPE}-with-optional-fips"
+
+check_platform() {
+ if [[ "${UNAME_M}" =~ aarch64 ]] ; then
+ record_junit "setup" "scenario_create_vms" "SKIPPED"
+ exit 0
+ fi
+}
+
+scenario_create_vms() {
+ if ! does_commit_exist "${start_image}"; then
+ echo "Image '${start_image}' not found - skipping test"
+ return 0
+ fi
+
+ check_platform
+
+ prepare_kickstart host1 kickstart-bootc.ks.template "${start_image}"
+ launch_vm --boot_blueprint rhel96-bootc --fips
+}
+
+scenario_remove_vms() {
+ check_platform
+
+ remove_vm host1
+}
+
+scenario_run_tests() {
+ check_platform
+
+ run_tests host1 suites/fips/
+}
+
diff --git a/test/scenarios/releases/el96-lrel@fips.sh.disabled b/test/scenarios/releases/el96-lrel@fips.sh.disabled
new file mode 100644
index 0000000000..6c20afe2ac
--- /dev/null
+++ b/test/scenarios/releases/el96-lrel@fips.sh.disabled
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Sourced from scenario.sh and uses functions defined there.
+
+start_image="rhel-9.6-microshift-brew-optionals-4.${MINOR_VERSION}-${LATEST_RELEASE_TYPE}-fips"
+
+check_platform() {
+ if [[ "${UNAME_M}" =~ aarch64 ]] ; then
+ record_junit "setup" "scenario_create_vms" "SKIPPED"
+ exit 0
+ fi
+}
+
+scenario_create_vms() {
+ if ! does_commit_exist "${start_image}"; then
+ echo "Image '${start_image}' not found - skipping test"
+ return 0
+ fi
+
+ check_platform
+
+ prepare_kickstart host1 kickstart.ks.template "${start_image}"
+ launch_vm --fips
+}
+
+scenario_remove_vms() {
+ check_platform
+
+ remove_vm host1
+}
+
+scenario_run_tests() {
+ check_platform
+
+ run_tests host1 suites/fips/
+}
+
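Review bot: `check_platform` records the skip under the fixed test name `"scenario_create_vms"`, but it is also called from `scenario_remove_vms` and `scenario_run_tests`, so an aarch64 skip during those phases is reported in junit against the wrong function; `record_junit "setup" "${FUNCNAME[1]}" "SKIPPED"` would name the actual caller. In `scenario_create_vms` the missing-image branch returns before `check_platform` and only echoes to stdout, so that skip leaves no junit record at all — if `record_junit` accepts it, recording a SKIPPED there too would keep the two skip paths consistent (its contract is not visible in this patch). `check_platform` also calls `exit 0` in a file whose header says it is sourced from scenario.sh, which ends the sourcing shell rather than just this scenario; presumably scenario.sh runs each scenario in its own process, but a one-line comment next to the `exit 0` saying so would stop the next reader from treating it as a bug. The same three points apply to `test/scenarios/releases/el96-lrel@fips.sh.disabled` in this patch.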