Add FIPS Support, with Autodetection of AWS ECR Endpoint

Makefile

@@ -1,5 +1,5 @@
 PACKER_BINARY ?= packer
-PACKER_VARIABLES := aws_region ami_name binary_bucket_name binary_bucket_region kubernetes_version kubernetes_build_date kernel_version docker_version containerd_version runc_version cni_plugin_version source_ami_id source_ami_owners source_ami_filter_name arch instance_type security_group_id additional_yum_repos pull_cni_from_github sonobuoy_e2e_registry ami_regions
+PACKER_VARIABLES := aws_region ami_name binary_bucket_name binary_bucket_region kubernetes_version kubernetes_build_date kernel_version docker_version containerd_version runc_version cni_plugin_version source_ami_id source_ami_owners source_ami_filter_name arch instance_type security_group_id additional_yum_repos pull_cni_from_github sonobuoy_e2e_registry ami_regions enable_fips_mode
 
 K8S_VERSION_PARTS := $(subst ., ,$(kubernetes_version))
 K8S_VERSION_MINOR := $(word 1,${K8S_VERSION_PARTS}).$(word 2,${K8S_VERSION_PARTS})

eks-worker-al2.json

@@ -18,6 +18,7 @@
     "runc_version": "1.1.3-1.amzn2",
     "cni_plugin_version": "v0.8.6",
     "pull_cni_from_github": "true",
+    "enable_fips_mode": "false",
     "source_ami_id": "",
     "source_ami_owners": "137112412989",
     "source_ami_filter_name": "amzn2-ami-minimal-hvm-*",
@@ -115,7 +116,6 @@
     {
       "type": "shell",
       "remote_folder": "{{ user `remote_folder`}}",
-      "expect_disconnect": true,
       "script": "{{template_dir}}/scripts/upgrade_kernel.sh",
       "environment_vars": [
         "KUBERNETES_VERSION={{user `kubernetes_version`}}",
@@ -124,7 +124,20 @@
     },
     {
       "type": "shell",
-      "pause_before": "90s",
+      "remote_folder": "{{ user `remote_folder`}}",
+      "script": "{{template_dir}}/scripts/enable_fips.sh",
+      "environment_vars": [
+        "ENABLE_FIPS_MODE={{user `enable_fips_mode`}}",
+      ]
+    },
+    {
+      "type": "shell",
+      "inline": ["sudo reboot"],
+      "expect_disconnect": true,
+      "pause_after": "90s"
+    },
+    {
+      "type": "shell",
       "remote_folder": "{{ user `remote_folder`}}",
       "inline": [
         "mkdir -p /tmp/worker/log-collector-script/"

files/bootstrap.sh

@@ -343,8 +343,14 @@ if [[ "$MACHINE" != "x86_64" && "$MACHINE" != "aarch64" ]]; then
     exit 1
 fi
 
+AWS_ECR_SUBDOMAIN="ecr"
+# If FIPS is enabled on the machine, use the FIPS endpoint for AWS ECR.
+if grep "fips=1" /etc/default/grub; then
+    AWS_ECR_SUBDOMAIN="ecr-fips"
+fi
+
 PAUSE_CONTAINER_ACCOUNT=$(get_pause_container_account_for_region "${AWS_DEFAULT_REGION}")
-PAUSE_CONTAINER_IMAGE=${PAUSE_CONTAINER_IMAGE:-$PAUSE_CONTAINER_ACCOUNT.dkr.ecr.$AWS_DEFAULT_REGION.$AWS_SERVICES_DOMAIN/eks/pause}
+PAUSE_CONTAINER_IMAGE=${PAUSE_CONTAINER_IMAGE:-$PAUSE_CONTAINER_ACCOUNT.dkr.$AWS_ECR_SUBDOMAIN.$AWS_DEFAULT_REGION.$AWS_SERVICES_DOMAIN/eks/pause}
 PAUSE_CONTAINER="$PAUSE_CONTAINER_IMAGE:$PAUSE_CONTAINER_VERSION"
 
 ### kubelet kubeconfig

scripts/enable_fips.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+# Install the necessary software and rebuild GRUB if we're instructed to enable FIPS support.
+if [[ "$ENABLE_FIPS_MODE" == "true" ]]; then
+  # install and enable fips modules
+  sudo yum install -y dracut-fips openssl
+  sudo dracut -f
+
+  # enable fips in the boot command
+  sudo sed -i 's/^\(GRUB_CMDLINE_LINUX_DEFAULT=.*\)"$/\1 fips=1"/' /etc/default/grub
+
+  # rebuild grub
+  sudo grub2-mkconfig -o /etc/grub2.cfg
+fi

scripts/upgrade_kernel.sh

@@ -33,5 +33,3 @@ else
     echo "$KERNEL_VERSION is not a valid kernel version"
     exit 1
 fi
-
-sudo reboot