PE-4024: Edge-forge changes to embed public-key in predefined path (#159

) * PE-4024: Edge-forge changes to embed public-key in predefined path
spectrocloud · Jun 18, 2024 · 3b8f6dd · 3b8f6dd
1 parent 99c40b5
commit 3b8f6dd
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 0 deletions.
diff --git a/.arg.template b/.arg.template
@@ -12,6 +12,7 @@ PROXY_CERT_PATH=
 UPDATE_KERNEL=false
 CLUSTERCONFIG=spc.tgz
 CIS_HARDENING=false
+EDGE_CUSTOM_CONFIG=.edge-custom-config.yaml
 
 # If you have Ubuntu Pro, use the UBUNTU_PRO_KEY variable to activate it as part of the image build
 # UBUNTU_PRO_KEY=your-key

diff --git a/.edge-custom-config.yaml.template b/.edge-custom-config.yaml.template
@@ -0,0 +1,5 @@
+content:
+ signing:
+  publicKey:
+   base64EncodedValue: ""
+   description: "This is a public key used for signing content and cluster-config"
diff --git a/Earthfile b/Earthfile
@@ -33,6 +33,7 @@ ARG ISO_NAME=installer
 ARG K8S_DISTRIBUTION
 ARG CUSTOM_TAG
 ARG CLUSTERCONFIG
+ARG EDGE_CUSTOM_CONFIG=.edge-custom-config.yaml
 ARG ARCH
 ARG DISABLE_SELINUX=true
 ARG CIS_HARDENING=true
@@ -274,6 +275,7 @@ uki-provider-image:
     COPY +kairos-agent/kairos-agent /usr/bin/kairos-agent
     COPY --platform=linux/${ARCH} +trust-boot-unpack/ /trusted-boot
     COPY --platform=linux/${ARCH} +install-k8s/ /k8s
+    COPY --if-exists "$EDGE_CUSTOM_CONFIG" /oem/.edge_custom_config.yaml
     SAVE IMAGE --push $IMAGE_PATH
 
 trust-boot-unpack:
@@ -343,6 +345,7 @@ build-uki-iso:
     COPY --platform=linux/${ARCH} +luet/luet /overlay/luet
 
     COPY --if-exists content-*/*.zst /overlay/opt/spectrocloud/content/
+    COPY --if-exists "$EDGE_CUSTOM_CONFIG" /overlay/.edge_custom_config.yaml
     RUN if [ -n "$(ls /overlay/opt/spectrocloud/content/*.zst 2>/dev/null)" ]; then \
         for file in /overlay/opt/spectrocloud/content/*.zst; do \
             split --bytes=3GB --numeric-suffixes "$file" /overlay/opt/spectrocloud/content/$(basename "$file")_part; \
@@ -396,6 +399,7 @@ build-iso:
     COPY overlay/files-iso/ /overlay/
     COPY --if-exists user-data /overlay/files-iso/config.yaml
     COPY --if-exists content-*/*.zst /overlay/opt/spectrocloud/content/
+    COPY --if-exists "$EDGE_CUSTOM_CONFIG" /overlay/.edge_custom_config.yaml
     RUN if [ -n "$(ls /overlay/opt/spectrocloud/content/*.zst 2>/dev/null)" ]; then \
         for file in /overlay/opt/spectrocloud/content/*.zst; do \
             split --bytes=3GB --numeric-suffixes "$file" /overlay/opt/spectrocloud/content/$(basename "$file")_part; \
@@ -557,6 +561,7 @@ provider-image:
     COPY +stylus-image/etc/kairos/branding /etc/kairos/branding
     COPY +stylus-image/oem/stylus_config.yaml /etc/kairos/branding/stylus_config.yaml
     COPY +stylus-image/etc/elemental/config.yaml /etc/elemental/config.yaml
+    COPY --if-exists "$EDGE_CUSTOM_CONFIG" /oem/.edge_custom_config.yaml
 
     IF [ "$IS_UKI" = "true" ]
         COPY +internal-slink/slink /usr/bin/slink

diff --git a/README.md b/README.md
@@ -138,6 +138,7 @@ cp .arg.template .arg
 | UKI_BRING_YOUR_OWN_KEYS     | Bring your own public/private key pairs if this is set to true. Otherwise, CanvOS will generate the key pair.                                                                                                                                                                                                                                  | boolean | `false`                  |
 | INCLUDE_MS_SECUREBOOT_KEYS  | Include Microsoft 3rd Party UEFI CA certificate in generated keys                                                                                                                                                                                                                                                                              | boolean | `true`                   |
 | AUTO_ENROLL_SECUREBOOT_KEYS | Auto enroll SecureBoot keys when device boots up and is in setup mode of secure boot                                                                                                                                                                                                                                                           | boolean | `true`                   |
+| EDGE_CUSTOM_CONFIG | Path to edge custom configuration file                                                                                                                                                                                                                                                            | string | `.edge-custom-config.yaml`                   |
 
 1. (Optional) If you are building the images behind a proxy server, you may need to modify your docker daemon settings to let it use your proxy server. You can refer this [tutorial](https://docs.docker.com/config/daemon/systemd/#httphttps-proxy).
 
@@ -322,3 +323,26 @@ cp spectro-luet-auth.yaml.template spectro-luet-auth.yaml
 ```shell
 earthly --push +build-all-images
 ```
+
+### Building Installer Image with public key for verifying signed content
+
+1. Copy the .edge.custom-config.yaml.template file to .edge.custom-config.yaml 
+
+```shell
+cp .edge.custom-config.yaml.template .edge.custom-config.yaml
+```
+
+2. Edit the property signing.publicKey in `.edge.custom-config.yaml`
+
+3. Include the following property in `.arg` file
+```
+...
+
+EDGE_CUSTOM_CONFIG=/path/to/.edge.custom-config.yaml
+```
+
+4. Build the image using earthly installed on the host
+
+```shell
+earthly --push +build-all-images
+```