Cloud provisioners

Online FIPS Override File (Non-air-gapped)

Add the following FIPS Overrides file to your environment:

--overrides overrides/fips.yaml

---
k8s_image_registry: docker.io/mesosphere

fips:
  enabled: true

build_name_extra: -fips
kubernetes_build_metadata: fips.0
default_image_repo: hub.docker.io/mesosphere
kubernetes_rpm_repository_url: "https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v{{ kubernetes_version }}-fips/x86_64"
docker_rpm_repository_url: "\
  https://containerd-fips.s3.us-east-2.amazonaws.com\
  /{{ ansible_distribution_major_version|int }}\
  /x86_64"

You can find all available Overrides files in the Konvoy Image Builder repo.

Offline FIPS Override File (Air-gapped)

Add the following FIPS Overrides file to your environment:

--overrides overrides/offline-fips.yaml

# fips os-packages
os_packages_local_bundle_file: "{{ playbook_dir }}/../artifacts/{{ kubernetes_version }}_{{ ansible_distribution|lower }}_{{ ansible_distribution_major_version }}_x86_64_fips.tar.gz"
containerd_local_bundle_file: "{{ playbook_dir }}/../artifacts/{{ containerd_tar_file }}"
pip_packages_local_bundle_file: "{{ playbook_dir }}/../artifacts/pip-packages.tar.gz"
images_local_bundle_dir: "{{ playbook_dir }}/../artifacts/images"

You can find all available Overrides files in the Konvoy Image Builder repo.

Pre-provisioned environments

Online FIPS Override File (Pre-provisioned)

Add the following FIPS Overrides file to your environment:

  1. If your pre-provisioned machines need a default override file such as the FIPS one, write the overrides to a file so they can be stored in a secret:

    cat > fips.yaml << EOF
    ---
    k8s_image_registry: docker.io/mesosphere
    
    fips:
      enabled: true
    
    build_name_extra: -fips
    kubernetes_build_metadata: fips.0
    default_image_repo: hub.docker.io/mesosphere
    kubernetes_rpm_repository_url: "https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v{{ kubernetes_version }}-fips/x86_64"
    docker_rpm_repository_url: "\
      https://containerd-fips.s3.us-east-2.amazonaws.com\
      /{{ ansible_distribution_major_version|int }}\
      /x86_64"
    EOF
  2. Create the secret from that file and label it by running the following commands:

    kubectl create secret generic $CLUSTER_NAME-user-overrides --from-file=fips.yaml=fips.yaml
    kubectl label secret $CLUSTER_NAME-user-overrides clusterctl.cluster.x-k8s.io/move=

You can find all available Overrides files in the Konvoy Image Builder repo.

Offline FIPS Override File (Pre-provisioned Air-gapped)

Add the following FIPS Overrides file to your environment:

  1. If your pre-provisioned machines need a default override file such as the FIPS one, write the overrides to a file so they can be stored in a secret:

    cat > fips.yaml << EOF
    # fips os-packages
    os_packages_local_bundle_file: "{{ playbook_dir }}/../artifacts/{{ kubernetes_version }}_{{ ansible_distribution|lower }}_{{ ansible_distribution_major_version }}_x86_64_fips.tar.gz"
    containerd_local_bundle_file: "{{ playbook_dir }}/../artifacts/{{ containerd_tar_file }}"
    pip_packages_local_bundle_file: "{{ playbook_dir }}/../artifacts/pip-packages.tar.gz"
    images_local_bundle_dir: "{{ playbook_dir }}/../artifacts/images"
    EOF
  2. Create the secret from that file and label it by running the following commands:

    kubectl create secret generic $CLUSTER_NAME-user-overrides --from-file=fips.yaml=fips.yaml
    kubectl label secret $CLUSTER_NAME-user-overrides clusterctl.cluster.x-k8s.io/move=

You can find all available Overrides files in the Konvoy Image Builder repo.
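The override files above (online and offline, for both the cloud provisioner and the pre-provisioned flows) are small enough that a pre-flight check is cheap, and it catches the two mistakes that silently produce a non-FIPS image: an override file where `fips.enabled` is not true, and repository URLs that are not the FIPS ones or are not served over HTTPS. The script below is an added example, not part of the Konvoy documentation or the Konvoy Image Builder project. It assumes the flat YAML layout shown on this page (top-level `key: value` pairs, one nested `fips:` mapping, backslash-continued quoted strings) and therefore uses a minimal hand-written parser instead of PyYAML; the sample override contents are copied from this page. It also builds the same `$CLUSTER_NAME-user-overrides` Secret that the pre-provisioned steps create with `kubectl create secret generic` and `kubectl label`, as a JSON manifest you can review and then pass to `kubectl apply -f`; the `clusterctl.cluster.x-k8s.io/move` label is what makes `clusterctl move` carry the secret along with the cluster.

```python
"""Pre-flight check for Konvoy Image Builder FIPS override files and a
generator for the user-overrides Secret used by pre-provisioned clusters.
Added example; assumes the flat YAML layout shown on the page."""
import base64
import json
import re

# Constructed sample: the online FIPS override file from this page.
ONLINE_FIPS = r"""
---
k8s_image_registry: docker.io/mesosphere

fips:
  enabled: true

build_name_extra: -fips
kubernetes_build_metadata: fips.0
default_image_repo: hub.docker.io/mesosphere
kubernetes_rpm_repository_url: "https://packages.d2iq.com/konvoy/stable/linux/repos/el/kubernetes-v{{ kubernetes_version }}-fips/x86_64"
docker_rpm_repository_url: "\
  https://containerd-fips.s3.us-east-2.amazonaws.com\
  /{{ ansible_distribution_major_version|int }}\
  /x86_64"
"""

# Constructed sample: the offline (air-gapped) FIPS override file from this page.
OFFLINE_FIPS = r"""
# fips os-packages
os_packages_local_bundle_file: "{{ playbook_dir }}/../artifacts/{{ kubernetes_version }}_{{ ansible_distribution|lower }}_{{ ansible_distribution_major_version }}_x86_64_fips.tar.gz"
containerd_local_bundle_file: "{{ playbook_dir }}/../artifacts/{{ containerd_tar_file }}"
pip_packages_local_bundle_file: "{{ playbook_dir }}/../artifacts/pip-packages.tar.gz"
images_local_bundle_dir: "{{ playbook_dir }}/../artifacts/images"
"""


def coerce(value):
    """Turn YAML booleans into Python booleans; leave everything else a string."""
    return {"true": True, "false": False}.get(value.lower(), value)


def parse_overrides(text):
    """Parse the flat override YAML used on this page into a dict.
    One level of nesting (e.g. `fips:`) becomes a nested dict, and a
    backslash at the end of a quoted line folds onto the next line with
    its indentation dropped, as YAML does for double-quoted scalars."""
    folded = re.sub(r"\\\n[ \t]*", "", text)
    result = {}
    current = None  # name of the nested mapping being filled, if any
    for raw in folded.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#") or line == "---":
            continue
        indented = line.startswith(" ")
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if not indented and value == "":
            current = key
            result[key] = {}
        elif indented and current is not None:
            result[current][key] = coerce(value)
        else:
            current = None
            result[key] = coerce(value)
    return result


def check_fips_overrides(text, offline=False):
    """Return a list of findings; an empty list means the file passes."""
    cfg = parse_overrides(text)
    findings = []
    if offline:
        bundle = str(cfg.get("os_packages_local_bundle_file", ""))
        if not bundle.endswith("_fips.tar.gz"):
            findings.append("os_packages_local_bundle_file is not a *_fips.tar.gz bundle")
        for key in ("containerd_local_bundle_file", "pip_packages_local_bundle_file",
                    "images_local_bundle_dir"):
            if key not in cfg:
                findings.append(f"missing {key}")
        return findings
    if cfg.get("fips", {}).get("enabled") is not True:
        findings.append("fips.enabled is not true")
    if cfg.get("build_name_extra") != "-fips":
        findings.append("build_name_extra is not -fips")
    if not str(cfg.get("kubernetes_build_metadata", "")).startswith("fips."):
        findings.append("kubernetes_build_metadata does not start with fips.")
    for key in ("kubernetes_rpm_repository_url", "docker_rpm_repository_url"):
        url = str(cfg.get(key, ""))
        if not url.startswith("https://"):
            findings.append(f"{key} is not an https:// URL")
        if "fips" not in url:
            findings.append(f"{key} does not point at a FIPS repository")
    return findings


def user_overrides_secret(cluster_name, file_name, contents):
    """Equivalent of `kubectl create secret generic <cluster>-user-overrides
    --from-file=<file>` followed by the clusterctl move label, as a manifest."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
            "name": f"{cluster_name}-user-overrides",
            "labels": {"clusterctl.cluster.x-k8s.io/move": ""},
        },
        "type": "Opaque",
        "data": {file_name: base64.b64encode(contents.encode()).decode()},
    }


if __name__ == "__main__":
    for name, text, offline in (("online", ONLINE_FIPS, False), ("offline", OFFLINE_FIPS, True)):
        print(name, "findings:", check_fips_overrides(text, offline) or "none")
    # "demo" is a placeholder cluster name; JSON is accepted by `kubectl apply -f`.
    print(json.dumps(user_overrides_secret("demo", "fips.yaml", ONLINE_FIPS), indent=2))
```

Run it against your own `fips.yaml` by swapping the constructed samples for the file contents; any finding means the image build would not use the FIPS repositories or bundles the page specifies. Because the secret is rendered as a manifest rather than created imperatively, it can be committed alongside the cluster configuration and reviewed before it reaches the management cluster.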