From 6e1c16b171dc3670f3cd4e87b94f3354c829ba1c Mon Sep 17 00:00:00 2001 From: LochanRn Date: Thu, 11 Apr 2024 13:08:57 +0530 Subject: [PATCH 1/7] PE-4024: Edge-forge changes to embed public-key in predefined path --- Earthfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Earthfile b/Earthfile index f0d0ef5..48e32b8 100644 --- a/Earthfile +++ b/Earthfile @@ -335,6 +335,7 @@ build-uki-iso: ENV ISO_NAME=${ISO_NAME} COPY overlay/files-iso/ /overlay/ COPY --if-exists user-data /overlay/config.yaml + COPY --if-exists public-key /overlay/oem/.signing-public-key COPY --platform=linux/${ARCH} +stylus-image-pack/stylus-image.tar /overlay/stylus-image.tar COPY --platform=linux/${ARCH} +luet/luet /overlay/luet From 0d796b71bc0da6f44505b74fcf5cb92ea68dbfc7 Mon Sep 17 00:00:00 2001 From: Kiran Kilingar Nadumane Date: Tue, 28 May 2024 17:41:33 -0700 Subject: [PATCH 2/7] implment edge-custom-congi.yaml as arg --- Earthfile | 4 +++- edge_custom_config.yaml.template | 5 +++++ 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 edge_custom_config.yaml.template diff --git a/Earthfile b/Earthfile index 48e32b8..5c16977 100644 --- a/Earthfile +++ b/Earthfile @@ -33,6 +33,7 @@ ARG ISO_NAME=installer ARG K8S_DISTRIBUTION ARG CUSTOM_TAG ARG CLUSTERCONFIG +ARG EDGE_CUSTOM_CONFIG=edge_custom_config.yaml ARG ARCH ARG DISABLE_SELINUX=true ARG CIS_HARDENING=true 
@@ -335,11 +336,11 @@ build-uki-iso: ENV ISO_NAME=${ISO_NAME} COPY overlay/files-iso/ /overlay/ COPY --if-exists user-data /overlay/config.yaml - COPY --if-exists public-key /overlay/oem/.signing-public-key COPY --platform=linux/${ARCH} +stylus-image-pack/stylus-image.tar /overlay/stylus-image.tar COPY --platform=linux/${ARCH} +luet/luet /overlay/luet COPY --if-exists content-*/*.zst /overlay/opt/spectrocloud/content/ + COPY --if-exists "$EDGE_CUSTOM_CONFIG" /overlay/.edge_custom_config.yaml RUN if [ -n "$(ls /overlay/opt/spectrocloud/content/*.zst 2>/dev/null)" ]; then \ for file in /overlay/opt/spectrocloud/content/*.zst; do \ split --bytes=3GB --numeric-suffixes "$file" /overlay/opt/spectrocloud/content/$(basename "$file")_part; \ @@ -393,6 +394,7 @@ build-iso: COPY overlay/files-iso/ /overlay/ COPY --if-exists user-data /overlay/files-iso/config.yaml COPY --if-exists content-*/*.zst /overlay/opt/spectrocloud/content/ + COPY --if-exists "$EDGE_CUSTOM_CONFIG" /overlay/.edge_custom_config.yaml RUN if [ -n "$(ls /overlay/opt/spectrocloud/content/*.zst 2>/dev/null)" ]; then \ for file in /overlay/opt/spectrocloud/content/*.zst; do \ split --bytes=3GB --numeric-suffixes "$file" /overlay/opt/spectrocloud/content/$(basename "$file")_part; \ diff --git a/edge_custom_config.yaml.template b/edge_custom_config.yaml.template new file mode 100644 index 0000000..ece45ef --- /dev/null +++ b/edge_custom_config.yaml.template @@ -0,0 +1,5 @@ +content: + signing: + publicKey: + base64EncodedValue: "" + description: "This is a public key used for signing content and cluster-config" \ No newline at end of file From fa7bb2b0729952c2ff9537eb29d11a098a77dcad Mon Sep 17 00:00:00 2001 
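Review bot: The new `COPY --if-exists "$EDGE_CUSTOM_CONFIG" /overlay/.edge_custom_config.yaml` in build-uki-iso silently does nothing when the file is absent (including when `.arg` carries a mistyped path), so the ISO ships without the public key that later verifies signed content and the build log gives no hint of it. Since the file is meant to be optional, the safer middle ground is to make the omission visible rather than fatal, e.g. add after the COPY `RUN [ -f /overlay/.edge_custom_config.yaml ] || echo "WARNING: $EDGE_CUSTOM_CONFIG not found; no content-signing public key will be embedded"`. The same applies to the identical COPY added to build-iso in the `@@ -393,6 +394,7 @@` hunk of this commit and to the provider-image copies in the later commits of the series. Both build-uki-iso and build-iso continue past this hunk.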
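Review bot: The `description` in the new edge_custom_config.yaml.template says the public key is "used for signing", but a public key only verifies signatures (the private key signs); a reader filling in the template could misread it as a request for a private key. Suggest `description: "Public key used to verify signatures on content and cluster-config"`. The template also does not say what `base64EncodedValue` must contain (base64 of a PEM block, of DER, or of something else), which cannot be told from this patch; a one-line YAML comment above the field stating the expected encoding would remove the guesswork. The file is also committed without a trailing newline, as the `\ No newline at end of file` marker shows.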
From: Kiran Kilingar Nadumane Date: Mon, 3 Jun 2024 19:44:17 -0700 Subject: [PATCH 3/7] add readme --- ...plate => .edge-custom-config.yaml.template | 0 Earthfile | 2 +- README.md | 24 +++++++++++++++++++ 3 files changed, 25 insertions(+), 1 deletion(-) rename edge_custom_config.yaml.template => .edge-custom-config.yaml.template (100%) diff --git a/edge_custom_config.yaml.template b/.edge-custom-config.yaml.template similarity index 100% rename from edge_custom_config.yaml.template rename to .edge-custom-config.yaml.template diff --git a/Earthfile b/Earthfile index 5c16977..8d73df6 100644 --- a/Earthfile +++ b/Earthfile @@ -33,7 +33,7 @@ ARG ISO_NAME=installer ARG K8S_DISTRIBUTION ARG CUSTOM_TAG ARG CLUSTERCONFIG -ARG EDGE_CUSTOM_CONFIG=edge_custom_config.yaml +ARG EDGE_CUSTOM_CONFIG=.edge-custom-config.yaml ARG ARCH ARG DISABLE_SELINUX=true ARG CIS_HARDENING=true diff --git a/README.md b/README.md index 65dc5d2..f856648 100644 --- a/README.md +++ b/README.md @@ -138,6 +138,7 @@ cp .arg.template .arg | UKI_BRING_YOUR_OWN_KEYS | Bring your own public/private key pairs if this is set to true. Otherwise, CanvOS will generate the key pair. | boolean | `false` | | INCLUDE_MS_SECUREBOOT_KEYS | Include Microsoft 3rd Party UEFI CA certificate in generated keys | boolean | `true` | | AUTO_ENROLL_SECUREBOOT_KEYS | Auto enroll SecureBoot keys when device boots up and is in setup mode of secure boot | boolean | `true` | +| EDGE_CUSTOM_CONFIG | Path to edge custom configuration file | string | `.edge-custom-config.yaml` | 1. (Optional) If you are building the images behind a proxy server, you may need to modify your docker daemon settings to let it use your proxy server. You can refer this [tutorial](https://docs.docker.com/config/daemon/systemd/#httphttps-proxy). 
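Review bot: The new default `ARG EDGE_CUSTOM_CONFIG=.edge-custom-config.yaml` (hyphen) does not match the README added in the same commit, whose `@@ -322,3 +323,26 @@` hunk tells the user to `cp .edge.custom-config.yaml.template .edge.custom-config.yaml` and to edit `.edge.custom-config.yaml` (dot); that template name does not exist after this commit's rename, so a user following the README will end up with a file the build never copies, and because the COPY is `--if-exists` nothing will complain. The README should use `.edge-custom-config.yaml.template` and `.edge-custom-config.yaml` throughout, matching this default and the `.arg.template` entry added in the next commit. The `.edge.custom-config.yaml` wording in the README hunk also lists the property as `signing.publicKey`, whereas the template nests it under `content:`; that line should read `content.signing.publicKey`.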
@@ -322,3 +323,26 @@ cp spectro-luet-auth.yaml.template spectro-luet-auth.yaml ```shell earthly --push +build-all-images ``` + +### Building Installer Image with public key for verifying signed content + +1. Copy the .edge.custom-config.yaml.template file to .edge.custom-config.yaml + +```shell +cp .edge.custom-config.yaml.template .edge.custom-config.yaml +``` + +2. Edit the property signing.publicKey in `.edge.custom-config.yaml` + +3. Include the following property in `.arg` file +``` +... + +EDGE_CUSTOM_CONFIG=/path/to/.edge.custom-config.yaml +``` + +4. Build the image using earthly installed on the host + +```shell +earthly --push +build-all-images +``` From 457b2d75b18cdd0460731d42e3a910108cceb3ff Mon Sep 17 00:00:00 2001 From: Kiran Kilingar Nadumane Date: Mon, 3 Jun 2024 22:05:20 -0700 Subject: [PATCH 4/7] update arg template --- .arg.template | 1 + 1 file changed, 1 insertion(+) diff --git a/.arg.template b/.arg.template index 9839f94..da6e377 100644 --- a/.arg.template +++ b/.arg.template @@ -12,6 +12,7 @@ PROXY_CERT_PATH= UPDATE_KERNEL=false CLUSTERCONFIG=spc.tgz CIS_HARDENING=false +EDGE_CUSTOM_CONFIG=.edge-custom-config.yaml # If you have Ubuntu Pro, use the UBUNTU_PRO_KEY variable to activate it as part of the image build # UBUNTU_PRO_KEY=your-key From 57ad1bf42204c988e090b7b87e508fe1b4476f64 Mon Sep 17 00:00:00 2001 From: Kiran Kilingar Nadumane Date: Tue, 4 Jun 2024 10:42:54 -0700 Subject: [PATCH 5/7] support public key on provider image --- Earthfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Earthfile b/Earthfile index 8d73df6..b8e845f 100644 --- a/Earthfile +++ b/Earthfile @@ -271,6 +271,7 @@ uki-provider-image: COPY +kairos-agent/kairos-agent /usr/bin/kairos-agent COPY --platform=linux/${ARCH} +trust-boot-unpack/ /trusted-boot COPY --platform=linux/${ARCH} +install-k8s/ /k8s + COPY --if-exists "$EDGE_CUSTOM_CONFIG" /overlay/.edge_custom_config.yaml SAVE IMAGE --push $IMAGE_PATH trust-boot-unpack: 
@@ -556,6 +557,7 @@ provider-image: COPY +stylus-image/etc/kairos/branding /etc/kairos/branding COPY +stylus-image/oem/stylus_config.yaml /etc/kairos/branding/stylus_config.yaml COPY +stylus-image/etc/elemental/config.yaml /etc/elemental/config.yaml + COPY --if-exists "$EDGE_CUSTOM_CONFIG" /overlay/.edge_custom_config.yaml IF [ "$IS_UKI" = "true" ] COPY +internal-slink/slink /usr/bin/slink From c9af5b23bb00823ddd55f5bc846929a0ae95db46 Mon Sep 17 00:00:00 2001 From: Kiran Kilingar Nadumane Date: Tue, 4 Jun 2024 21:08:57 -0700 Subject: [PATCH 6/7] support public key on provider image --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index b8e845f..638179d 100644 --- a/Earthfile +++ b/Earthfile @@ -557,7 +557,7 @@ provider-image: COPY +stylus-image/etc/kairos/branding /etc/kairos/branding COPY +stylus-image/oem/stylus_config.yaml /etc/kairos/branding/stylus_config.yaml COPY +stylus-image/etc/elemental/config.yaml /etc/elemental/config.yaml - COPY --if-exists "$EDGE_CUSTOM_CONFIG" /overlay/.edge_custom_config.yaml + COPY --if-exists "$EDGE_CUSTOM_CONFIG" /oem/.edge_custom_config.yaml IF [ "$IS_UKI" = "true" ] COPY +internal-slink/slink /usr/bin/slink From 68f122b980fa58067dd5df398c79be41b75aa32b Mon Sep 17 00:00:00 2001 From: Kiran Kilingar Nadumane Date: Thu, 6 Jun 2024 19:27:35 -0700 Subject: [PATCH 7/7] fix provider image for uki --- Earthfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Earthfile b/Earthfile index 638179d..15d3d96 100644 --- a/Earthfile +++ b/Earthfile @@ -271,7 +271,7 @@ uki-provider-image: COPY +kairos-agent/kairos-agent /usr/bin/kairos-agent COPY --platform=linux/${ARCH} +trust-boot-unpack/ /trusted-boot COPY --platform=linux/${ARCH} +install-k8s/ /k8s - COPY --if-exists "$EDGE_CUSTOM_CONFIG" /overlay/.edge_custom_config.yaml + COPY --if-exists "$EDGE_CUSTOM_CONFIG" /oem/.edge_custom_config.yaml SAVE IMAGE --push $IMAGE_PATH trust-boot-unpack:
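Review bot: After this change provider-image (and, in the next commit, uki-provider-image) places the file at `/oem/.edge_custom_config.yaml`, while the ISO targets from the second commit still put it at `/overlay/.edge_custom_config.yaml`, not under `/overlay/oem/` where the original `.signing-public-key` went; if the same consumer reads it from `/oem` in both cases, the ISO copy would presumably be missed, which should be confirmed against whatever reads the file. Nothing in the Earthfile records who consumes this path, and since it is the trust anchor for content verification that is worth stating next to the COPY, e.g. `# Trust anchor for content/cluster-config signature verification; read from /oem by <consumer — TODO name it>`. Both hunks sit inside targets whose bodies continue outside the hunk.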