Merge pull request #1172 from cloudfoundry/integrate_fips_validation

Integrate fips validation
cloudfoundry · Apr 29, 2024 · f13fc21 · f13fc21
2 parents 2a7a128 + 7ff2068
commit f13fc21
Show file tree

Hide file tree

Showing 6 changed files with 103 additions and 8 deletions.
diff --git a/ci/input/inputs.yml b/ci/input/inputs.yml
@@ -131,6 +131,7 @@ untestedOpsReleases:
 
 windowsStemcells:
 - name: windows2019
+  stack: windows2019
   opsFile: windows2019-cell.yml
   opsFileDir: operations
 

diff --git a/ci/pipelines/update-releases.yml b/ci/pipelines/update-releases.yml
@@ -119,6 +119,9 @@ groups:
   jobs:
   - update-windows2019-stemcell
   - update-windows2019fs-offline-release
+- name: update-fips-stemcell
+  jobs:
+  - update-fips-stemcell
 - name: debug
   jobs: []
 - name: cleanup
@@ -143,6 +146,11 @@ resource_types:
   source:
     repository: cfcommunity/slack-notification-resource
     tag: latest
+- name: bosh-io-stemcell
+  source:
+    repository: foundationalinfrastructure/bosh-io-stemcell-resource
+    tag: v1.2.1
+  type: docker-image
 resources:
 - name: cf-deployment-all-branches
   type: git
@@ -213,6 +221,14 @@ resources:
   icon: dna
   source:
     name: bosh-google-kvm-ubuntu-jammy-go_agent
+- name: fips-stemcell
+  type: bosh-io-stemcell
+  icon: dna
+  source:
+    name: bosh-aws-xen-hvm-ubuntu-jammy-fips-go_agent
+    auth:
+      access_key: ((ci_dev_gcp_service_account_hmac_access_key))
+      secret_key: ((ci_dev_gcp_service_account_hmac_secret))
 - name: stemcell-version-bump-detect
   type: stemcell-version-bump
   icon: dna
@@ -14067,13 +14083,38 @@ jobs:
       params:
         tarball: false
   - task: update-windows-stemcell-ops
-    file: runtime-ci/tasks/update-windows-stemcell-ops/task.yml
+    file: runtime-ci/tasks/update-stemcell-ops/task.yml
+    input_mapping:
+      ops-files: cf-deployment-develop
+      stemcell: windows2019-stemcell
+    params:
+      STEMCELL_STACK: windows2019
+      ORIGINAL_OPS_FILE_PATH: operations/windows2019-cell.yml
+      UPDATED_OPS_FILE_PATH: operations/windows2019-cell.yml
+  - put: cf-deployment-develop
+    params:
+      rebase: true
+      repository: updated-stemcell-ops-file
+- name: update-fips-stemcell
+  public: true
+  serial: true
+  plan:
+  - in_parallel:
+    - get: runtime-ci
+    - get: cf-deployment-develop
+    - get: fips-stemcell
+      trigger: true
+      params:
+        tarball: false
+  - task: update-stemcell-ops
+    file: runtime-ci/tasks/update-stemcell-ops/task.yml
     input_mapping:
       ops-files: cf-deployment-develop
-      windows-stemcell: windows2019-stemcell
+      stemcell: fips-stemcell
     params:
-      ORIGINAL_WINDOWS_OPS_FILE_PATH: operations/windows2019-cell.yml
-      UPDATED_WINDOWS_OPS_FILE_PATH: operations/windows2019-cell.yml
+      STEMCELL_STACK: ubuntu-jammy
+      ORIGINAL_OPS_FILE_PATH: operations/test/fips-stemcell.yml
+      UPDATED_OPS_FILE_PATH: operations/test/fips-stemcell.yml
   - put: cf-deployment-develop
     params:
       rebase: true

diff --git a/ci/template/update-releases.yml b/ci/template/update-releases.yml
@@ -53,6 +53,9 @@ groups:
   #@ for r in data.values.windowsOfflineReleases:
   - #@ "update-" + r.name + "-offline-release"
   #@ end
+- name: update-fips-stemcell
+  jobs:
+    - update-fips-stemcell
 - name: debug
   jobs:
   #@ for r in data.values.baseReleases:
@@ -103,6 +106,13 @@ resource_types:
     repository: cfcommunity/slack-notification-resource
     tag: latest
 
+#! TODO remove this resource type declaration when a final release of the resource is available
+- name: bosh-io-stemcell
+  source:
+    repository: foundationalinfrastructure/bosh-io-stemcell-resource
+    tag: v1.2.1
+  type: docker-image
+
 resources:
 - name: cf-deployment-all-branches
   type: git
@@ -184,6 +194,15 @@ resources:
   source:
     name: bosh-google-kvm-ubuntu-jammy-go_agent
 
+- name: fips-stemcell
+  type: bosh-io-stemcell
+  icon: dna
+  source:
+    name: bosh-aws-xen-hvm-ubuntu-jammy-fips-go_agent
+    auth:
+      access_key: ((ci_dev_gcp_service_account_hmac_access_key))
+      secret_key: ((ci_dev_gcp_service_account_hmac_secret))
+
 - name: stemcell-version-bump-detect
   type: stemcell-version-bump
   icon: dna
@@ -716,19 +735,45 @@ jobs:
       params:
         tarball: false
   - task: update-windows-stemcell-ops
-    file: runtime-ci/tasks/update-windows-stemcell-ops/task.yml
+    file: runtime-ci/tasks/update-stemcell-ops/task.yml
     input_mapping:
       ops-files: cf-deployment-develop
-      windows-stemcell: #@ s.name + "-stemcell"
+      stemcell: #@ s.name + "-stemcell"
     params:
-      ORIGINAL_WINDOWS_OPS_FILE_PATH: #@ "{}/{}".format(s.opsFileDir, s.opsFile)
-      UPDATED_WINDOWS_OPS_FILE_PATH: #@ "{}/{}".format(s.opsFileDir, s.opsFile)
+      STEMCELL_STACK: #@ s.stack
+      ORIGINAL_OPS_FILE_PATH: #@ "{}/{}".format(s.opsFileDir, s.opsFile)
+      UPDATED_OPS_FILE_PATH: #@ "{}/{}".format(s.opsFileDir, s.opsFile)
   - put: cf-deployment-develop
     params:
       rebase: true
       repository: updated-stemcell-ops-file
 #@ end
 
+- name: update-fips-stemcell
+  public: true
+  serial: true
+  plan:
+    - in_parallel:
+        - get: runtime-ci
+        - get: cf-deployment-develop
+        - get: fips-stemcell
+          trigger: true
+          params:
+            tarball: false
+    - task: update-stemcell-ops
+      file: runtime-ci/tasks/update-stemcell-ops/task.yml
+      input_mapping:
+        ops-files: cf-deployment-develop
+        stemcell: fips-stemcell
+      params:
+        STEMCELL_STACK: ubuntu-jammy
+        ORIGINAL_OPS_FILE_PATH: operations/test/fips-stemcell.yml
+        UPDATED_OPS_FILE_PATH: operations/test/fips-stemcell.yml
+    - put: cf-deployment-develop
+      params:
+        rebase: true
+        repository: updated-stemcell-ops-file
+
 - name: detect-stemcell-bump
   plan:
   - in_parallel:

diff --git a/operations/test/README.md b/operations/test/README.md
@@ -18,5 +18,6 @@ They may change without notice.
 | [`enable-nfs-test-server.yml`](enable-nfs-test-server.yml) | adds an NFS server to the deployment | nfstestserver can be reached at nfstestserver.service.cf.internal for acceptance testing purposes |
 | [`enable-nfs-test-ldapserver.yml`](enable-nfs-test-ldapserver.yml) | Adds an LDAP server to the deployment to allow testing of NFS volume services configured with LDAP authentication | Requires enable-nfs-volume-service.yml and enable-nfs-test-server.yml. nfstestldapserver can be reached at nfstestldapserver.service.cf.internal |
 | [`enable-smb-test-server.yml`](enable-smb-test-server.yml) | adds an SMB server to the deployment | smbtestserver can be reached at smbtestserver.service.cf.internal for acceptance testing purposes |
+| [`fips-stemcell.yml`](fips-stemcell.yml) | Contains the validated version of the FIPS-compliant stemcell |
 | [`speed-up-dynamic-asgs.yml`](speed-up-dynamic-asgs.yml) | decreases the polling time for policy-server-asg-syncer and vxlan-policy-agent to speed up cf-acceptance-tests | Not suitable for production envs |
 | [`set-smoke-test-timeout-scale.yml`](set-smoke-test-timeout-scale.yml) | set the timeout scale to 5 | used when retrieving logs in the smoke tests timeout. usualy happens with gcp enviorments that do not have a ephemeral ips |
diff --git a/operations/test/fips-stemcell.yml b/operations/test/fips-stemcell.yml
@@ -0,0 +1,6 @@
+- type: replace
+  path: /stemcells/-
+  value:
+    alias: default
+    os: ubuntu-jammy
+    version: "1.406"
diff --git a/units/tests/test_test/operations.yml b/units/tests/test_test/operations.yml
@@ -19,6 +19,7 @@ enable-smb-test-server.yml:
   vars:
   - smb-password=FOO.PASS
   - smb-username=BAR.USER
+fips-stemcell.yml: {}
 scale-to-one-az-addon-parallel-cats.yml:
   ops:
   - ../scale-to-one-az.yml