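--- a/ci-operator/step-registry/ipi/aws/pre/fips/OWNERS
+++ b/ci-operator/step-registry/ipi/aws/pre/fips/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+- taimurhafeez
+- Anna-Koudelkova
+- yuumasato
+reviewers:
+- taimurhafeez
+- Anna-Koudelkova
+- yuumasato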
@@ -0,0 +1,15 @@
{
"path": "ipi/aws/pre/fips/ipi-aws-pre-fips-chain.yaml",
"owners": {
"approvers": [
"taimurhafeez",
"Anna-Koudelkova",
"yuumasato"
],
"reviewers": [
"taimurhafeez",
"Anna-Koudelkova",
"yuumasato"
]
}
}
@@ -0,0 +1,12 @@
chain:
as: ipi-aws-pre-fips
steps:
- chain: ipi-conf-aws
- ref: ipi-conf-fips-sshkey
- chain: aws-provision-iam-user-minimal-permission
- ref: rhcos-conf-osstream
- chain: ipi-install
- ref: fips-check
documentation: |-
AWS IPI pre chain for FIPS clusters on profiles that ship ed25519 SSH keys.
Replaces the cluster-profile sshKey with ecdsa/rsa keys before installation.
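--- a/ci-operator/step-registry/ipi/conf/fips-sshkey/OWNERS
+++ b/ci-operator/step-registry/ipi/conf/fips-sshkey/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+- taimurhafeez
+- Anna-Koudelkova
+- yuumasato
+reviewers:
+- taimurhafeez
+- Anna-Koudelkova
+- yuumasato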
@@ -0,0 +1,57 @@
#!/bin/bash

set -o nounset
set -o errexit
set -o pipefail

# Ensure our UID, which is randomly generated, is in /etc/passwd. This is required
# to be able to SSH.
if ! whoami &> /dev/null; then
if [[ -w /etc/passwd ]]; then
echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
else
echo "/etc/passwd is not writeable, and user matching this uid is not found."
exit 1
fi
fi

if [[ -z "${SSH_KEY_TYPE_LIST}" ]]; then
echo "ERROR: not specify any ssh key types via ENV 'SSH_KEY_TYPE_LIST'!"
exit 1
fi

CONFIG="${SHARED_DIR}/install-config.yaml"
CONFIG_PATCH="/tmp/install-config-fips-sshkey.patch"

# Replace the cluster-profile sshKey with FIPS-compatible keys only. Ed25519 keys
# from the cluster profile are rejected by openshift-install when fips: true.
cat > "${CONFIG_PATCH}" << EOF
sshKey: |
EOF

for key_type in ${SSH_KEY_TYPE_LIST}; do
key_file="/tmp/key-${key_type}"
keygen_options=()
case "${key_type}" in
ecdsa)
keygen_options=(-b 521)
;;
rsa)
keygen_options=(-b 4096)
;;
*)
echo "ERROR: unsupported FIPS SSH key type '${key_type}'; use ecdsa or rsa"
exit 1
;;
esac
echo "Generating FIPS-compatible ssh key with type ${key_type}..."
ssh-keygen -t "${key_type}" "${keygen_options[@]}" -N '' -f "${key_file}"
cp "${key_file}" "${SHARED_DIR}/"
cat >> "${CONFIG_PATCH}" << EOF
$(<"${key_file}.pub")
EOF
done

yq-go m -x -i "${CONFIG}" "${CONFIG_PATCH}"

cat "${CONFIG_PATCH}"
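Review bot: The guard `if [[ -z "${SSH_KEY_TYPE_LIST}" ]]` never reaches its own error message when the variable is unset, because `set -o nounset` aborts the expansion first with bash's generic "unbound variable" diagnostic; it should read `if [[ -z "${SSH_KEY_TYPE_LIST:-}" ]]; then` so the unset and empty cases both produce the intended message. The ref in this PR declares a default of "ecdsa rsa", so in practice this only bites when the script is run outside that ref, but that is exactly when the friendly message is wanted. Separately, the `sshKey: |` block scalar in the patch file relies on each appended public-key line being indented under it; leading whitespace is not recoverable from this rendered view, so confirm the `$(<"${key_file}.pub")` heredoc line keeps its indentation, otherwise `yq-go m` would be handed malformed YAML. A small robustness point: `ssh-keygen -f "${key_file}"` prompts for overwrite if the file already exists, so a repeated type in `SSH_KEY_TYPE_LIST` (or a reused /tmp) would hang or fail without a clear error; an `rm -f -- "${key_file}" "${key_file}.pub"` before the keygen call, or a duplicate check in the loop, would make that explicit.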
@@ -0,0 +1,15 @@
{
"path": "ipi/conf/fips-sshkey/ipi-conf-fips-sshkey-ref.yaml",
"owners": {
"approvers": [
"taimurhafeez",
"Anna-Koudelkova",
"yuumasato"
],
"reviewers": [
"taimurhafeez",
"Anna-Koudelkova",
"yuumasato"
]
}
}
@@ -0,0 +1,15 @@
ref:
as: ipi-conf-fips-sshkey
from: upi-installer
commands: ipi-conf-fips-sshkey-commands.sh
resources:
requests:
cpu: 10m
memory: 100Mi
env:
- name: SSH_KEY_TYPE_LIST
default: "ecdsa rsa"
documentation: FIPS-compatible SSH key types to generate for the core user. Only ecdsa and rsa are accepted.
documentation: |-
Replace install-config sshKey with FIPS-compatible keys (ecdsa/rsa only),
omitting the cluster-profile ed25519 key.