FIPS Override Files

Cloud provisioners

Online FIPS Override File (Non-air-gapped)

Add the following FIPS Overrides file to your environment:

--overrides overrides/fips.yaml

---
k8s_image_registry: docker.io/mesosphere

fips:
  enabled: true

build_name_extra: -fips
kubernetes_build_metadata: fips.0
default_image_repo: hub.docker.io/mesosphere
kubernetes_rpm_repository_url: "https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v{{ kubernetes_version }}-fips/x86_64"
docker_rpm_repository_url: "\
  https://containerd-fips.s3.us-east-2.amazonaws.com\
  /{{ ansible_distribution_major_version|int }}\
  /x86_64"

You can find all available Overrides files in the Konvoy Image Builder repo.

Offline FIPS Override File (Air-gapped)

Add the following FIPS Overrides file to your environment:

--overrides overrides/offline-fips.yaml

# fips os-packages
os_packages_local_bundle_file: "{{ playbook_dir }}/../artifacts/{{ kubernetes_version }}_{{ ansible_distribution|lower }}_{{ ansible_distribution_major_version }}_x86_64_fips.tar.gz"
containerd_local_bundle_file: "{{ playbook_dir }}/../artifacts/{{ containerd_tar_file }}"
pip_packages_local_bundle_file: "{{ playbook_dir }}/../artifacts/pip-packages.tar.gz"
images_local_bundle_dir: "{{ playbook_dir}}/../artifacts/images"

You can find all available Overrides files in the Konvoy Image Builder repo.

Pre-provisioned environments

Online FIPS Override File (Pre-provisioned)

Add the following FIPS Overrides file to your environment:

1. If your pre-provisioned machines need to have a default Override file like FIPS, create a secret that includes the overrides in a file:

   cat > fips.yaml << EOF 
   ---
   k8s_image_registry: docker.io/mesosphere
   
   fips:
     enabled: true
   
   build_name_extra: -fips
   kubernetes_build_metadata: fips.0
   default_image_repo: hub.docker.io/mesosphere
   kubernetes_rpm_repository_url: "https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v{{ kubernetes_version }}-fips/x86_64"
   docker_rpm_repository_url: "\
     https://containerd-fips.s3.us-east-2.amazonaws.com\
     /{{ ansible_distribution_major_version|int }}\
     /x86_64"
   EOF

   CODE

2. Create the related secret by running the following command:

   kubectl create secret generic $CLUSTER_NAME-user-overrides --from-file=fips.yaml=fips.yaml
   kubectl label secret $CLUSTER_NAME-user-overrides clusterctl.cluster.x-k8s.io/move=

   CODE

You can find all available Overrides files in the Konvoy Image Builder repo.

Offline FIPS Override File (Pre-provisioned Air-gapped)

Add the following FIPS Overrides file to your environment:

1. If your pre-provisioned machines need to have a default Override file like FIPS, create a secret that includes the overrides in a file:

   cat > fips.yaml << EOF 
   # fips os-packages
   os_packages_local_bundle_file: "{{ playbook_dir }}/../artifacts/{{ kubernetes_version }}_{{ ansible_distribution|lower }}_{{ ansible_distribution_major_version }}_x86_64_fips.tar.gz"
   containerd_local_bundle_file: "{{ playbook_dir }}/../artifacts/{{ containerd_tar_file }}"
   pip_packages_local_bundle_file: "{{ playbook_dir }}/../artifacts/pip-packages.tar.gz"
   images_local_bundle_dir: "{{ playbook_dir}}/../artifacts/images"
   EOF

   CODE

2. Create the related secret by running the following command:

   kubectl create secret generic $CLUSTER_NAME-user-overrides --from-file=fips.yaml=fips.yaml
   kubectl label secret $CLUSTER_NAME-user-overrides clusterctl.cluster.x-k8s.io/move=

   CODE

You can find all available Overrides files in the Konvoy Image Builder repo.