spectrocloud · nianyush · Nov 18, 2024 · Sep 16, 2024 · Sep 16, 2024 · Sep 16, 2024
diff --git a/.arg.template b/.arg.template
@@ -8,7 +8,6 @@ ISO_NAME=palette-edge-installer
 ARCH=amd64
 HTTPS_PROXY=
 HTTP_PROXY=
-PROXY_CERT_PATH=
 UPDATE_KERNEL=false
 CLUSTERCONFIG=spc.tgz
 CIS_HARDENING=false
@@ -20,6 +19,6 @@ EDGE_CUSTOM_CONFIG=.edge-custom-config.yaml
 # For enabling Secure Boot with Full Disk Encryption
 # IS_UKI=true
 # MY_ORG="ACME Corporation"
-# UKI_BRING_YOUR_OWN_KEYS=false         # See sb-private-ca/howto.md for instructions on bringing your own certiticates
+# UKI_BRING_YOUR_OWN_KEYS=false         # See sb-private-ca/howto.md for instructions on bringing your own certificates
 # INCLUDE_MS_SECUREBOOT_KEYS=true       # Adds Microsoft Secure Boot certificates; if you export existing keys from a device, you typically won't need this
 # AUTO_ENROLL_SECUREBOOT_KEYS=false     # Set to true to automatically enroll certificates on devices in Setup Mode, useful for flashing devices without user interaction
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -21,4 +21,4 @@ repos:
   - repo: https://github.com/crate-ci/typos
     rev: v1.24.5
     hooks:
-      - id: typos
+      - id: typos
diff --git a/Dockerfile b/Dockerfile
@@ -7,16 +7,23 @@ ARG HTTP_PROXY
 ARG HTTPS_PROXY
 ARG NO_PROXY
 
-COPY sc.cr[t] /tmp/sc.crt
-RUN if [ "${OS_DISTRIBUTION}" = "ubuntu" ] && [ "${PROXY_CERT_PATH}" != "" ]; then \
-    cp /tmp/sc.crt /etc/ssl/certs && \
+WORKDIR /certs
+COPY certs/ /certs/
+RUN if [ "${OS_DISTRIBUTION}" = "ubuntu" ]; then \
+    cp -f /certs/* /usr/local/share/ca-certificates/ && \
     update-ca-certificates; \
     fi 
-RUN if [ "${OS_DISTRIBUTION}" = "opensuse-leap" ] && [ "${PROXY_CERT_PATH}" != "" ]; then \
-    cp /tmp/sc.crt /usr/share/pki/trust/anchors && \
+RUN if [ "${OS_DISTRIBUTION}" = "opensuse-leap" ]; then \
+    cp -f /certs/* /usr/share/pki/trust/anchors/ && \
     update-ca-certificates; \
     fi
 
+RUN if [ "${OS_DISTRIBUTION}" = "rhel" ]; then \
+    cp -f /certs/* /etc/pki/ca-trust/source/anchors/ && \
+    update-ca-trust; \
+    fi
+RUN rm -rf /certs
+
 ########################### Add any other image customizations here #######################
 
 ####  Examples  ####

diff --git a/Earthfile b/Earthfile
@@ -55,7 +55,6 @@ ARG NO_PROXY
 ARG http_proxy=${HTTP_PROXY}
 ARG https_proxy=${HTTPS_PROXY}
 ARG no_proxy=${NO_PROXY}
-ARG PROXY_CERT_PATH
 
 ARG UPDATE_KERNEL=false
 ARG ETCD_VERSION="v3.5.13"
@@ -179,10 +178,8 @@ build-provider-images-fips:
 
 BASE_ALPINE:
     COMMAND
-    IF [ ! -z $PROXY_CERT_PATH ]
-        COPY sc.crt /etc/ssl/certs
-        RUN update-ca-certificates
-    END
+    COPY --if-exists certs/ /etc/ssl/certs/
+    RUN update-ca-certificates
     RUN apk add curl
 
 iso-image-rootfs:
@@ -604,7 +601,7 @@ kairos-provider-image:
 
 # base build image used to create the base image for all other image types
 base-image:
-    FROM DOCKERFILE --build-arg BASE=$BASE_IMAGE --build-arg PROXY_CERT_PATH=$PROXY_CERT_PATH \ 
+    FROM DOCKERFILE --build-arg BASE=$BASE_IMAGE \ 
     --build-arg OS_DISTRIBUTION=$OS_DISTRIBUTION --build-arg OS_VERSION=$OS_VERSION \ 
     --build-arg HTTP_PROXY=$HTTP_PROXY --build-arg HTTPS_PROXY=$HTTPS_PROXY \
     --build-arg NO_PROXY=$NO_PROXY .
@@ -625,12 +622,6 @@ base-image:
             pro attach $UBUNTU_PRO_KEY
         END
 
-        # Add proxy certificate if present
-        IF [ ! -z $PROXY_CERT_PATH ]
-            COPY sc.crt /etc/ssl/certs
-            RUN  update-ca-certificates
-        END
-
         RUN apt-get update && \
             apt-get install --no-install-recommends kbd zstd vim iputils-ping bridge-utils curl tcpdump ethtool rsyslog logrotate -y
 
@@ -669,11 +660,6 @@ base-image:
 
     # OS == Opensuse
     ELSE IF [ "$OS_DISTRIBUTION" = "opensuse-leap" ] && [ "$ARCH" = "amd64" ]
-        # Add proxy certificate if present
-        IF [ ! -z $PROXY_CERT_PATH ]
-            COPY sc.crt /usr/share/pki/trust/anchors
-            RUN update-ca-certificates
-        END
         # Enable or Disable Kernel Updates
         IF [ "$UPDATE_KERNEL" = "false" ]
             RUN zypper al kernel-de*

diff --git a/README.md b/README.md
diff --git a/certs/.gitkeep b/certs/.gitkeep
diff --git a/cis-harden/harden.sh b/cis-harden/harden.sh
@@ -517,7 +517,7 @@ harden_system() {
 	echo "Error out if there are users with empty password"
 	cat /etc/shadow |awk -F : '($2 == "" ){ exit 1}'
 	if [[ $? -ne 0 ]]; then
-		echo "Users present with empty password. Remove the user or set pasword for the users"
+		echo "Users present with empty password. Remove the user or set password for the users"
 		exit 1
 	fi
 
@@ -540,7 +540,7 @@ harden_system() {
 	fi
 	done
 
-	echo "Remove cron and at deny files anf have allow files in place"
+	echo "Remove cron and at deny files and have allow files in place"
 	rm -f /etc/cron.deny
 	rm -f /etc/at.deny
 	touch /etc/cron.allow

diff --git a/earthly-cert.sh b/earthly-cert.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+# uncomment the line below to enable debug mode
+set -x
+
+update-ca-certificates
+earthly $@
diff --git a/earthly-entrypoint.sh b/earthly-entrypoint.sh
@@ -1,7 +1,6 @@
 #!/bin/sh
 # uncomment the line below to enable debug mode
 set -ex
-cp /workspace/sc.crt /usr/local/share/ca-certificates/sc.crt
 update-ca-certificates
 
 # reference: https://github.com/earthly/earthly/blob/main/earthly-entrypoint.sh

diff --git a/earthly.sh b/earthly.sh
@@ -25,7 +25,7 @@ function build_with_proxy() {
         -e NO_PROXY=$NO_PROXY \
         -e no_proxy=$NO_PROXY \
         -e EARTHLY_GIT_CONFIG=$gitconfig \
-        -v "$PROXY_CERT_PATH:/usr/local/share/ca-certificates/sc.crt:ro" \
+        -v "$(pwd)/certs:/usr/local/share/ca-certificates:ro" \
         -v earthly-tmp:/tmp/earthly:rw \
         -p 8372:8372 \
         $SPECTRO_PUB_REPO/third-party/edge/earthly/buildkitd:$EARTHLY_VERSION
@@ -47,7 +47,7 @@ function build_with_proxy() {
         -e NO_PROXY=$NO_PROXY \
         -e no_proxy=$NO_PROXY \
         -v "$(pwd)":/workspace \
-        -v "$PROXY_CERT_PATH:/workspace/sc.crt:ro" \
+        -v "$(pwd)/certs:/usr/local/share/ca-certificates:ro" \
         --entrypoint /workspace/earthly-entrypoint.sh \
         $SPECTRO_PUB_REPO/third-party/edge/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
 }
@@ -94,6 +94,14 @@ PE_VERSION=$(git describe --abbrev=0 --tags)
 SPECTRO_PUB_REPO=us-docker.pkg.dev/palette-images
 EARTHLY_VERSION=v0.8.15
 source .arg
+
+# Workaround to support deprecated field PROXY_CERT_PATH
+if [ -n "$PROXY_CERT_PATH" ]; then
+    echo "PROXY_CERT_PATH is deprecated. Please place your certificates in the certs directory."
+    echo "Copying the certificates from $PROXY_CERT_PATH to certs/"
+    cp $PROXY_CERT_PATH certs/
+fi
+
 ALPINE_IMG=$SPECTRO_PUB_REPO/edge/canvos/alpine:3.20
 ### Verify Dependencies
 # Check if Docker is installed

diff --git a/overlay/files/etc/rsyslog.d/49-stylus.conf b/overlay/files/etc/rsyslog.d/49-stylus.conf
@@ -4,7 +4,7 @@ $PrivDropToGroup root
 # default config has $Umask 0022 set. That breaks any config related to masks and modes.
 $Umask 0000
 
-# Mesage format as per rfc5424.
+# Message format as per rfc5424.
 $template ForwardFormat,"<%pri%>1 %timestamp:::date-rfc3339% %HOSTNAME% %syslogtag% %procid% - - %msg%\n"
 
 # route messages with facility local7 and severity notice to /var/log/stylus-audit.log

diff --git a/rhel-core-images/README.md b/rhel-core-images/README.md
@@ -28,7 +28,7 @@ This scenario is for the environment where Red Hat Satellite must be used and ac
 
 2. Mirror Kairos framework image (`quay.io/kairos/framework:v2.11.7`) to the internal Container registry. Provide image path for the build process by using argument `KAIROS_FRAMEWORK_IMAGE`. 
 
-3. Have the following repostiories synced and available on Red Hat Satellite:
+3. Have the following repositories synced and available on Red Hat Satellite:
 
 For RHEL9:
 * rhel-9-for-x86_64-appstream-rpms

diff --git a/test/templates/two-node-cluster-profile.json.tmpl b/test/templates/two-node-cluster-profile.json.tmpl
diff --git a/test/templates/two-node-master-master.json.tmpl b/test/templates/two-node-master-master.json.tmpl
diff --git a/test/test-two-node.sh b/test/test-two-node.sh
@@ -65,7 +65,6 @@ ISO_NAME=palette-edge-installer
 ARCH=amd64
 HTTPS_PROXY=
 HTTP_PROXY=
-PROXY_CERT_PATH=
 UPDATE_KERNEL=false
 EOF
 }
@@ -208,7 +207,7 @@ function get_ready_edge_hosts() {
         '
             {
                 "filter": {
-                    "conjuction": "and",
+                    "conjunction": "and",
                     "filterGroups": [
                         {
                             "conjunction": "and",
@@ -274,7 +273,7 @@ function destroy_edge_hosts() {
     '
         {
             "filter": {
-                "conjuction": "and",
+                "conjunction": "and",
                 "filterGroups": [
                     {
                         "conjunction": "and",

diff --git a/ubuntu-fips/dracut-broken-iscsi-ubuntu-20.patch b/ubuntu-fips/dracut-broken-iscsi-ubuntu-20.patch
@@ -7,7 +7,7 @@ index 59ea5e089..fe40547d1 100755
              echo "Before=dracut-initqueue.service"
          ) > "${initdir}/$systemdsystemunitdir/iscsid.service.d/dracut.conf"
 +
-+        # The iscsi deamon does not need to wait for any storage inside initrd
++        # The iscsi daemon does not need to wait for any storage inside initrd
 +        mkdir -p "${initdir}/$systemdsystemunitdir/iscsid.socket.d"
 +        (
 +            echo "[Unit]"