Extend packer configuration steps for FIPS builds
What does this MR do and why?
The process to build a FIPS image seems outdated. Running the make command without installing the amazon packer plugin returns:

```
Error: Failed to initialize build "amazon-ebs"
```

So we need to install the plugin first. Then, running the make command starts the build process, but it eventually fails with:
```
amazon-ebs: Loaded plugins: priorities, update-motd, versionlock
amazon-ebs: Adding versionlock on: 0:containerd-1.4.6-8.amzn2
amazon-ebs: versionlock added: 1
amazon-ebs: Loaded plugins: priorities, update-motd, versionlock
amazon-ebs: Resolving Dependencies
amazon-ebs: --> Running transaction check
amazon-ebs: ---> Package docker.x86_64 0:20.10.7-5.amzn2 will be installed
amazon-ebs: --> Processing Dependency: libcgroup >= 0.40.rc1-5.15 for package: docker-20.10.7-5.amzn2.x86_64
amazon-ebs: --> Processing Dependency: pigz for package: docker-20.10.7-5.amzn2.x86_64
amazon-ebs: --> Running transaction check
amazon-ebs: ---> Package libcgroup.x86_64 0:0.41-21.amzn2 will be installed
amazon-ebs: ---> Package pigz.x86_64 0:2.3.4-1.amzn2.0.1 will be installed
amazon-ebs: --> Processing Conflict: libseccomp-2.5.2-1.amzn2.0.1.x86_64 conflicts docker < 20.10.25
amazon-ebs: --> Finished Dependency Resolution
amazon-ebs: Error: libseccomp conflicts with docker-20.10.7-5.amzn2.x86_64
```
It appears, however, that FIPS build support was merged into the default branch as part of: https://github.com/awslabs/amazon-eks-ami/pull/1458

So we no longer need to check out the working branch; the new process is to pass enable_fips=true to the make command. Additionally, the upstream docs recommend detecting the latest binaries with the hack/latest-binaries.sh script and using slightly different command arguments to build:
```
$ hack/latest-binaries.sh 1.30
kubernetes_version=1.30.8 kubernetes_build_date=2025-01-10

$ make k8s \
    kubernetes_version=1.30.8 \
    kubernetes_build_date=2025-01-10 \
    arch=x86_64 \
    enable_fips=true
```
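To make the updated procedure repeatable, here is an added example wrapper script (not from this MR or the amazon-eks-ami project). It assumes the repo layout described above (`hack/latest-binaries.sh` printing a single `kubernetes_version=... kubernetes_build_date=...` line, `make k8s`, and the `enable_fips=true` argument), and it assumes that `packer plugins installed` lists installed plugins so the missing-plugin failure shown above is caught before the build starts rather than after. The function names `parse_latest_binaries`, `fips_build_cmd` and `check_amazon_plugin` are hypothetical.

```shell
#!/usr/bin/env sh
# Added example wrapper for the FIPS build steps in this MR (not project code).
# Assumptions: hack/latest-binaries.sh prints one line of the form
#   kubernetes_version=X kubernetes_build_date=Y
# and `packer plugins installed` lists the installed plugins.
set -eu

# Parse the latest-binaries.sh output line into a make argument string.
# Prints "kubernetes_version=X kubernetes_build_date=Y" or fails if either is missing.
parse_latest_binaries() {
  line="$1"
  version=""
  build_date=""
  for kv in $line; do
    case "$kv" in
      kubernetes_version=*)    version="${kv#kubernetes_version=}" ;;
      kubernetes_build_date=*) build_date="${kv#kubernetes_build_date=}" ;;
    esac
  done
  if [ -z "$version" ] || [ -z "$build_date" ]; then
    echo "could not parse latest-binaries output: $line" >&2
    return 1
  fi
  echo "kubernetes_version=$version kubernetes_build_date=$build_date"
}

# Compose the exact make invocation for a FIPS image from the parsed versions.
fips_build_cmd() {
  versions="$1"
  arch="${2:-x86_64}"
  echo "make k8s $versions arch=$arch enable_fips=true"
}

# Preflight: fail early if the amazon packer plugin is missing, since packer
# otherwise stops with 'Failed to initialize build "amazon-ebs"'.
check_amazon_plugin() {
  if ! packer plugins installed 2>/dev/null | grep -q 'github.com/hashicorp/amazon'; then
    echo 'amazon packer plugin not installed; run: packer plugins install github.com/hashicorp/amazon' >&2
    return 1
  fi
}

# Full procedure: preflight, detect latest binaries, then build.
main() {
  minor="${1:-1.30}"
  arch="${2:-x86_64}"
  check_amazon_plugin
  line="$(hack/latest-binaries.sh "$minor")"
  versions="$(parse_latest_binaries "$line")"
  echo "+ $(fips_build_cmd "$versions" "$arch")"
  # shellcheck disable=SC2086
  make k8s $versions arch="$arch" enable_fips=true
}

# Only start the build when explicitly requested, so the file can be sourced.
if [ "${RUN_FIPS_BUILD:-0}" = 1 ]; then
  main "$@"
fi
```

Run it from the repo root as `RUN_FIPS_BUILD=1 sh build-fips.sh 1.30 x86_64`; without `RUN_FIPS_BUILD=1` it only defines the functions, which keeps the parsing logic testable without touching packer.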
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
Try to run the steps we currently have documented with a fresh packer installation that does not have the plugin installed, to confirm you see the errors described above.

Then go back to the master branch and attempt the newly proposed commands.