PE-4574 accept certs from dir instead of .arg #276

Merged 12 commits, Nov 18, 2024
Changes from 10 commits
3 changes: 1 addition & 2 deletions .arg.template
@@ -8,7 +8,6 @@ ISO_NAME=palette-edge-installer
ARCH=amd64
HTTPS_PROXY=
HTTP_PROXY=
PROXY_CERT_PATH=
UPDATE_KERNEL=false
CLUSTERCONFIG=spc.tgz
CIS_HARDENING=false
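Review bot: dropping PROXY_CERT_PATH from the template leaves anyone who still sets it in an existing .arg with a variable that is silently ignored, and the template now gives no hint where certificates go. Suggest a comment line in its place, e.g. `# Proxy / private CA certificates: place PEM files with a .crt extension in certs/`, matching what the Dockerfile and earthly.sh hunks in this PR implement.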
@@ -20,6 +19,6 @@ EDGE_CUSTOM_CONFIG=.edge-custom-config.yaml
# For enabling Secure Boot with Full Disk Encryption
# IS_UKI=true
# MY_ORG="ACME Corporation"
# UKI_BRING_YOUR_OWN_KEYS=false # See sb-private-ca/howto.md for instructions on bringing your own certiticates
# UKI_BRING_YOUR_OWN_KEYS=false # See sb-private-ca/howto.md for instructions on bringing your own certificates
# INCLUDE_MS_SECUREBOOT_KEYS=true # Adds Microsoft Secure Boot certificates; if you export existing keys from a device, you typically won't need this
# AUTO_ENROLL_SECUREBOOT_KEYS=false # Set to true to automatically enroll certificates on devices in Setup Mode, useful for flashing devices without user interaction
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
@@ -21,4 +21,4 @@ repos:
- repo: https://github.com/crate-ci/typos
rev: v1.24.5
hooks:
- id: typos
- id: typos
17 changes: 12 additions & 5 deletions Dockerfile
@@ -7,16 +7,23 @@ ARG HTTP_PROXY
ARG HTTPS_PROXY
ARG NO_PROXY

COPY sc.cr[t] /tmp/sc.crt
RUN if [ "${OS_DISTRIBUTION}" = "ubuntu" ] && [ "${PROXY_CERT_PATH}" != "" ]; then \
cp /tmp/sc.crt /etc/ssl/certs && \
WORKDIR /certs
COPY certs/ /certs/
RUN if [ "${OS_DISTRIBUTION}" = "ubuntu" ]; then \
cp -f /certs/* /usr/local/share/ca-certificates/ && \
update-ca-certificates; \
fi
RUN if [ "${OS_DISTRIBUTION}" = "opensuse-leap" ] && [ "${PROXY_CERT_PATH}" != "" ]; then \
cp /tmp/sc.crt /usr/share/pki/trust/anchors && \
RUN if [ "${OS_DISTRIBUTION}" = "opensuse-leap" ]; then \
cp -f /certs/* /tmp//usr/share/pki/trust/anchors/ && \
update-ca-certificates; \
fi

RUN if [ "${OS_DISTRIBUTION}" = "rhel" ]; then \
cp -f /certs/* /etc/pki/ca-trust/source/anchors/ && \
update-ca-trust; \
fi
RUN rm -rf /certs

########################### Add any other image customizations here #######################

#### Examples ####
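Review bot: the opensuse-leap branch copies into `/tmp//usr/share/pki/trust/anchors/`, which looks like a leftover from the old `/tmp/sc.crt` staging path; the destination should be `/usr/share/pki/trust/anchors/` as in the removed line, otherwise the files land under /tmp and `update-ca-certificates` never sees them. Two further points in the same hunk: `cp -f /certs/*` breaks the build when `certs/` holds only `.gitkeep`, because `*` does not match dotfiles and an unmatched glob is passed literally to cp, so each branch needs a guard such as `for f in /certs/*.crt; do [ -e "$f" ] && cp -f "$f" <dir>; done`; and `WORKDIR /certs` is still the working directory after `RUN rm -rf /certs`, so later instructions run inside a deleted directory (reset WORKDIR or use a plain `COPY certs/ /certs/` without it). Note also that `rm -rf /certs` does not remove the files from the earlier COPY layer; fine for CA certificates, but not a cleanup. On Ubuntu, `update-ca-certificates` only ingests files ending in `.crt`, which the README should state.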
20 changes: 3 additions & 17 deletions Earthfile
@@ -55,7 +55,6 @@ ARG NO_PROXY
ARG http_proxy=${HTTP_PROXY}
ARG https_proxy=${HTTPS_PROXY}
ARG no_proxy=${NO_PROXY}
ARG PROXY_CERT_PATH

ARG UPDATE_KERNEL=false
ARG ETCD_VERSION="v3.5.13"
@@ -179,10 +178,8 @@ build-provider-images-fips:

BASE_ALPINE:
COMMAND
IF [ ! -z $PROXY_CERT_PATH ]
COPY sc.crt /etc/ssl/certs
RUN update-ca-certificates
END
COPY --if-exists certs/ /etc/ssl/certs/
RUN update-ca-certificates
RUN apk add curl

iso-image-rootfs:
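Review bot: `COPY --if-exists certs/ /etc/ssl/certs/` drops the files into the directory where the generated bundle is written rather than into a source directory that `update-ca-certificates` scans; on Debian/Ubuntu (the path the Dockerfile hunk in this PR uses) only `/usr/local/share/ca-certificates/*.crt` is ingested, and as far as I know Alpine's tool behaves the same way. The removed lines had the same destination, so this is pre-existing, but with the command now running unconditionally it is worth verifying that a certificate placed in `certs/` actually ends up in `/etc/ssl/certs/ca-certificates.crt` on Alpine. Minor: `--if-exists` will also copy `certs/.gitkeep` into `/etc/ssl/certs/`; harmless, but `certs/*.crt` would be tidier.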
@@ -604,7 +601,7 @@ kairos-provider-image:

# base build image used to create the base image for all other image types
base-image:
FROM DOCKERFILE --build-arg BASE=$BASE_IMAGE --build-arg PROXY_CERT_PATH=$PROXY_CERT_PATH \
FROM DOCKERFILE --build-arg BASE=$BASE_IMAGE \
--build-arg OS_DISTRIBUTION=$OS_DISTRIBUTION --build-arg OS_VERSION=$OS_VERSION \
--build-arg HTTP_PROXY=$HTTP_PROXY --build-arg HTTPS_PROXY=$HTTPS_PROXY \
--build-arg NO_PROXY=$NO_PROXY .
@@ -625,12 +622,6 @@ base-image:
pro attach $UBUNTU_PRO_KEY
END

# Add proxy certificate if present
IF [ ! -z $PROXY_CERT_PATH ]
COPY sc.crt /etc/ssl/certs
RUN update-ca-certificates
END

RUN apt-get update && \
apt-get install --no-install-recommends kbd zstd vim iputils-ping bridge-utils curl tcpdump ethtool rsyslog logrotate -y

@@ -669,11 +660,6 @@ base-image:

# OS == Opensuse
ELSE IF [ "$OS_DISTRIBUTION" = "opensuse-leap" ] && [ "$ARCH" = "amd64" ]
# Add proxy certificate if present
IF [ ! -z $PROXY_CERT_PATH ]
COPY sc.crt /usr/share/pki/trust/anchors
RUN update-ca-certificates
END
# Enable or Disable Kernel Updates
IF [ "$UPDATE_KERNEL" = "false" ]
RUN zypper al kernel-de*
9 changes: 4 additions & 5 deletions README.md
@@ -24,7 +24,7 @@ From the Base Image, the provider image is used to package in the Kubernetes dis

### Installer Image

From the base image, this image is used to provide the initial flashing of a device (bare-metal or virtual machine). This image contains the user-data configuration that has been provided in `user-data`. It will also contain the contents of any content bundle for pre-staged builds. Pre-staged builds can be used to embed all of the artifacts that are required to build a cluster. These artifacts include Helm charts, manifests, and container images. These images are loaded into containerd when the cluster is initialized elminating the need for the initial download. For more information on how to build pre-loaded content checkout the Palette Docs at [Build your Own Content](https://docs.spectrocloud.com/clusters/edge/edgeforge-workflow/build-content-bundle).
From the base image, this image is used to provide the initial flashing of a device (bare-metal or virtual machine). This image contains the user-data configuration that has been provided in `user-data`. It will also contain the contents of any content bundle for pre-staged builds. Pre-staged builds can be used to embed all of the artifacts that are required to build a cluster. These artifacts include Helm charts, manifests, and container images. These images are loaded into containerd when the cluster is initialized eliminating the need for the initial download. For more information on how to build pre-loaded content checkout the Palette Docs at [Build your Own Content](https://docs.spectrocloud.com/clusters/edge/edgeforge-workflow/build-content-bundle).

### Custom Configuration

@@ -129,8 +129,7 @@ cp .arg.template .arg
| FIPS_ENABLED | to generate FIPS compliant binaries. `true` or `false` | string | `false` |
| HTTP_PROXY | URL of the HTTP Proxy server to be used if needed (Optional) | string | |
| HTTPS_PROXY | URL of the HTTPS Proxy server to be used if needed (Optional) | string | |
| NO_PROXY | URLS that should be excluded from proxying (Optional) | string | |
| PROXY_CERT_PATH | Absolute path of the SSL Proxy certificate in PEM format if needed (Optional) | string | |
| NO_PROXY | URLS that should be excluded from proxying (Optional) | string | |
| UPDATE_KERNEL | Determines whether to upgrade the Kernel version to the latest from the upstream OS provider | boolean | `false` |
| DISABLE_SELINUX | Disable selinux in the operating system. Some applications (like Kubevirt) do not like selinux | boolean | `true` |
| CLUSTERCONFIG | Path of the cluster config | string | |
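Review bot: removing the PROXY_CERT_PATH row leaves the README with no mention of where proxy or private CA certificates now go. Suggest a short paragraph below this table stating that PEM certificates with a `.crt` extension are placed in the repository's `certs/` directory and are installed into the trust store of the Earthly build containers and the base image, since that is what the Dockerfile, Earthfile and earthly.sh hunks implement; without it the only trace of the feature is the empty `certs/.gitkeep`.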
@@ -220,7 +219,7 @@ docker push ttl.sh/ubuntu:k3s-1.25.2-v4.2.3-demo

12. Create a cluster profile using the command output. Use the [Model Edge Cluster Profile](https://docs.spectrocloud.com/clusters/edge/site-deployment/model-profile) to help you complete this step.

13. Flash VM or Baremetal device with the generated ISO. Refer to the [Prepare Edge Host for Installation](https://docs.spectrocloud.com/clusters/edge/site-deployment/stage) guide for additonal guidance.
13. Flash VM or Baremetal device with the generated ISO. Refer to the [Prepare Edge Host for Installation](https://docs.spectrocloud.com/clusters/edge/site-deployment/stage) guide for additional guidance.

14. Register the Edge host with Palette. Checkout the [Register Edge Host](https://docs.spectrocloud.com/clusters/edge/site-deployment/site-installation/edge-host-registration) guide.

@@ -395,7 +394,7 @@ To display user audit entries on the Local UI dashboard, audit entries must be l

Example syslog entry
```
<189>1 2024-07-23T15:35:32.644461+00:00 edge-ce0a38422e4662887313fb673bbfb2a2 stylus-audit[2911]: 2911 - - {"edgeHostId":"edge-ce0a38422e4662887313fb6 73bbfb2a2","contentMsg":"kairos password reset failed","action":"activity","actor":"kairos","actorType":"user","resourceId":"kairos","resourceName":"kairos","resourceKi nd":"user"}
<189>1 2024-07-23T15:35:32.644461+00:00 edge-ce0a38422e4662887313fb673bbfb2a2 stylus-audit[2911]: 2911 - - {"edgeHostId":"edge-ce0a38422e4662887313fb6 73bbfb2a2","contentMsg":"kairos password reset failed","action":"activity","actor":"kairos","actorType":"user","resourceId":"kairos","resourceName":"kairos","resourceKi and":"user"}
```

Entries without these keys in the MSG part of RFC 5424 will still be logged to the stylus-audit.log file but will not be displayed on LocalUI.
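Review bot: the only change in this hunk turns `resourceKi nd` into `resourceKi and`, which makes the example worse: the space inside the key is a line-wrap artifact and the intended key is `resourceKind` (the `edgeHostId` value is split the same way, as `fb6 73`). This reads like an automatic replacement of "nd" by the typos hook. Suggest joining the key to `resourceKind` and the host id to one contiguous string so the sample is valid JSON that Local UI would actually match on, and excluding this line from the typos check if it keeps flagging it.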
Empty file added certs/.gitkeep
Empty file.
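Review bot: with `certs/.gitkeep` tracked, every certificate a user drops into `certs/` shows up as an untracked change and can be committed by accident, and this diff adds no `.gitignore` rule for the directory. Suggest ignoring `certs/*` while keeping `!certs/.gitkeep`.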
4 changes: 2 additions & 2 deletions cis-harden/harden.sh
@@ -517,7 +517,7 @@ harden_system() {
echo "Error out if there are users with empty password"
cat /etc/shadow |awk -F : '($2 == "" ){ exit 1}'
if [[ $? -ne 0 ]]; then
echo "Users present with empty password. Remove the user or set pasword for the users"
echo "Users present with empty password. Remove the user or set password for the users"
exit 1
fi

@@ -540,7 +540,7 @@ harden_system() {
fi
done

echo "Remove cron and at deny files anf have allow files in place"
echo "Remove cron and at deny files and have allow files in place"
rm -f /etc/cron.deny
rm -f /etc/at.deny
touch /etc/cron.allow
6 changes: 6 additions & 0 deletions earthly-cert.sh
@@ -0,0 +1,6 @@
#!/bin/sh
# uncomment the line below to enable debug mode
set -x

update-ca-certificates
earthly $@
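Review bot: `set -x` is active although the comment above it says to uncomment it to enable debug mode, so every invocation traces; either comment it out or drop the comment. Use `earthly "$@"` rather than `earthly $@` so arguments containing spaces survive, and add `set -e` (earthly-entrypoint.sh uses `set -ex`) so a failing `update-ca-certificates` aborts instead of silently running the build without the certificates. Also, nothing else in this diff references earthly-cert.sh (earthly.sh still passes `--entrypoint /workspace/earthly-entrypoint.sh`), so document where it is meant to be used or remove it.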
1 change: 0 additions & 1 deletion earthly-entrypoint.sh
@@ -1,7 +1,6 @@
#!/bin/sh
# uncomment the line below to enable debug mode
set -ex
cp /workspace/sc.crt /usr/local/share/ca-certificates/sc.crt
update-ca-certificates

# reference: https://github.com/earthly/earthly/blob/main/earthly-entrypoint.sh
4 changes: 2 additions & 2 deletions earthly.sh
@@ -25,7 +25,7 @@ function build_with_proxy() {
-e NO_PROXY=$NO_PROXY \
-e no_proxy=$NO_PROXY \
-e EARTHLY_GIT_CONFIG=$gitconfig \
-v "$PROXY_CERT_PATH:/usr/local/share/ca-certificates/sc.crt:ro" \
-v "$(pwd)/certs:/usr/local/share/ca-certificates:ro" \
-v earthly-tmp:/tmp/earthly:rw \
-p 8372:8372 \
$SPECTRO_PUB_REPO/third-party/edge/earthly/buildkitd:$EARTHLY_VERSION
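Review bot: bind-mounting `$(pwd)/certs` onto `/usr/local/share/ca-certificates` replaces the whole directory inside the buildkitd container, so any certificates the image already ships there are hidden; the old single-file mount did not have that effect. Mounting into a subdirectory instead, e.g. `-v "$(pwd)/certs:/usr/local/share/ca-certificates/edge:ro"`, avoids the masking, and `update-ca-certificates` on Debian/Ubuntu searches that tree recursively for `*.crt` files, so the subdirectory is still picked up.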
@@ -47,7 +47,7 @@ function build_with_proxy() {
-e NO_PROXY=$NO_PROXY \
-e no_proxy=$NO_PROXY \
-v "$(pwd)":/workspace \
-v "$PROXY_CERT_PATH:/workspace/sc.crt:ro" \
-v "$(pwd)/certs:/usr/local/share/ca-certificates:ro" \
--entrypoint /workspace/earthly-entrypoint.sh \
$SPECTRO_PUB_REPO/third-party/edge/earthly/earthly:$EARTHLY_VERSION --allow-privileged "$@"
}
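Review bot: same mount as for the buildkitd container above, with the same masking concern. In addition, the entrypoint (`earthly-entrypoint.sh`, which still runs `update-ca-certificates`) only ingests files ending in `.crt`, so a user who drops `proxy.pem` into `certs/` gets neither an error nor trust. A check in earthly.sh before the container starts, warning when `certs/` contains regular files that do not end in `.crt`, would surface that at build time rather than as a TLS failure later.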
2 changes: 1 addition & 1 deletion overlay/files/etc/rsyslog.d/49-stylus.conf
@@ -4,7 +4,7 @@ $PrivDropToGroup root
# default config has $Umask 0022 set. That breaks any config related to masks and modes.
$Umask 0000

# Mesage format as per rfc5424.
# Message format as per rfc5424.
$template ForwardFormat,"<%pri%>1 %timestamp:::date-rfc3339% %HOSTNAME% %syslogtag% %procid% - - %msg%\n"

# route messages with facility local7 and severity notice to /var/log/stylus-audit.log
2 changes: 1 addition & 1 deletion rhel-core-images/README.md
@@ -28,7 +28,7 @@ This scenario is for the environment where Red Hat Satellite must be used and ac

2. Mirror Kairos framework image (`quay.io/kairos/framework:v2.11.7`) to the internal Container registry. Provide image path for the build process by using argument `KAIROS_FRAMEWORK_IMAGE`.

3. Have the following repostiories synced and available on Red Hat Satellite:
3. Have the following repositories synced and available on Red Hat Satellite:

For RHEL9:
* rhel-9-for-x86_64-appstream-rpms