
feat(vhd): add FIPS-compliant AzureLinux v3 gen2 Kata host VHD #8820

Draft
Bickor wants to merge 1 commit into main from mheberling/kata-fips

Conversation

Bickor (Contributor) commented Jul 2, 2026

Summary

  • Adds a new aks-azurelinux-v3-gen2-kata-fips distro that builds the AzureLinux 3 gen2 Kata host VHD with host-side FIPS enabled (ENABLE_FIPS=True, ENABLE_CGROUPV2=True).
  • Wires the new distro end-to-end: release pipeline build job, distro const + Kata/cgroupv2 classification, SIG image config template + mapping, and unit test coverage.

Changes

  • .pipelines/.vsts-vhd-builder-release.yaml — new param buildAzureLinuxV3gen2katafips and build job (OS_VERSION=V3kata, SKU azure-linux-3-gen2, FEATURE_FLAGS=kata, ENABLE_FIPS=True, ENABLE_CGROUPV2=True, VM size Standard_D16ads_v5, artifact azurelinuxv3-gen2-kata-fips).
  • pkg/agent/datamodel/types.go — const AKSAzureLinuxV3Gen2KataFIPS; added to IsKataDistro().
  • pkg/agent/datamodel/sig_config.go: SIGAzureLinuxV3KataFIPSImageConfigTemplate; added to the Kata / cgroupv2 / AzureLinux classification lists; wired distro → template in the AzureLinux image map.
  • Tests: sig_config_test.go, types_test.go, bakerapi_test.go updated for the new distro.

Scope / Notes

  • Host FIPS only. installFIPS() installs dracut-fips and sets fips=1 on the host kernel cmdline. This does not propagate into the Kata guest microVM.
  • True guest-UVM FIPS (guest kernel fips=1, OpenSSL FIPS provider, FIPS Go binaries) lives in the kernel-uvm / CloudNativeCompute pipeline (417429), not AgentBaker, and is tracked separately.

Validation

  • make generate — passes, no testdata drift.
  • go test ./pkg/agent/... — passes (agent, datamodel, toggles).

Draft: opening for early review / pipeline validation.
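The "Host FIPS only" note above is the point a reviewer would most want to be able to verify on a built image: installFIPS() writing fips=1 to the host cmdline and installing dracut-fips is configuration, not proof that the running kernel is in FIPS mode. The following script is an added example and is not part of this PR or of AgentBaker; it checks the three host-side facts the description names (fips=1 on the kernel cmdline, the kernel reporting FIPS mode via /proc/sys/crypto/fips_enabled, and the dracut-fips package being present). The file paths and the rpm query are the ones an AzureLinux host exposes; the function takes them as parameters so the logic can be exercised with constructed inputs. Run inside a Kata guest microVM, the same checks read the guest kernel's state, which this change leaves untouched.

```shell
#!/bin/sh
# Added example (not from the PR or AgentBaker): verify host-side FIPS on an
# AzureLinux host. Exit status of check_fips_host = number of failed checks.
#
# check_fips_host [CMDLINE_FILE] [FIPS_ENABLED_FILE] [DRACUT_PRESENT]
#   CMDLINE_FILE       defaults to /proc/cmdline
#   FIPS_ENABLED_FILE  defaults to /proc/sys/crypto/fips_enabled
#   DRACUT_PRESENT     "yes"/"no"; defaults to querying rpm for dracut-fips
check_fips_host() {
  cmdline_file="${1:-/proc/cmdline}"
  fips_file="${2:-/proc/sys/crypto/fips_enabled}"
  dracut_present="${3:-}"
  if [ -z "$dracut_present" ]; then
    if rpm -q dracut-fips >/dev/null 2>&1; then dracut_present=yes; else dracut_present=no; fi
  fi
  failures=0

  # 1. The kernel was booted with fips=1 (what installFIPS() adds to the host cmdline).
  #    Match it as a whole word so e.g. "nofips=1" does not count.
  if grep -qE '(^| )fips=1( |$)' "$cmdline_file" 2>/dev/null; then
    echo "ok   kernel cmdline contains fips=1"
  else
    echo "FAIL kernel cmdline does not contain fips=1"
    failures=$((failures + 1))
  fi

  # 2. The running kernel actually reports FIPS mode. A cmdline edit alone is not
  #    enough: until the host reboots, the running kernel predates that edit.
  if [ "$(cat "$fips_file" 2>/dev/null)" = "1" ]; then
    echo "ok   /proc/sys/crypto/fips_enabled is 1"
  else
    echo "FAIL /proc/sys/crypto/fips_enabled is not 1"
    failures=$((failures + 1))
  fi

  # 3. dracut-fips is installed (the package installFIPS() pulls in).
  if [ "$dracut_present" = "yes" ]; then
    echo "ok   dracut-fips is installed"
  else
    echo "FAIL dracut-fips is not installed"
    failures=$((failures + 1))
  fi

  return "$failures"
}

# Check the live host only when invoked directly with --run, so the function can
# also be sourced or exercised against constructed input files.
if [ "${1:-}" = "--run" ]; then
  check_fips_host
  exit $?
fi
```

Usage: `sh fipscheck.sh --run` on the host (exit status 0 means all three checks passed). Each failing check is counted separately, so a status of 1 with "fips=1" present on the cmdline but fips_enabled at 0 is the typical "configured but not yet rebooted" state.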

Copilot AI review requested due to automatic review settings July 2, 2026 21:34

Copilot AI left a comment


Pull request overview

Adds a new Azure Linux 3 Gen2 Kata host VHD variant with host-side FIPS enabled, wiring it through the VHD build pipeline and AgentBaker’s distro/SIG image configuration so it can be built and selected end-to-end.

Changes:

  • Introduces a new distro aks-azurelinux-v3-gen2-kata-fips and classifies it as a Kata distro.
  • Adds SIG image config template/mapping (V3katagen2fips) and includes the distro in relevant Azure Linux / Gen2 / cgroupv2 lists.
  • Extends unit tests and adds a new Azure DevOps pipeline build job for the new VHD artifact.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Reviewed files:

  • .pipelines/.vsts-vhd-builder-release.yaml: Adds a new pipeline parameter + build job to produce the AzureLinux V3 Gen2 Kata FIPS VHD artifact.
  • pkg/agent/datamodel/types.go: Adds the new distro constant and includes it in IsKataDistro() classification.
  • pkg/agent/datamodel/types_test.go: Adds test coverage asserting the new distro is treated as AzureLinux cgroupv2-capable.
  • pkg/agent/datamodel/sig_config.go: Adds a new SIG image template (V3katagen2fips) and wires it into distro availability lists and the AzureLinux image map.
  • pkg/agent/datamodel/sig_config_test.go: Updates SIG config tests for the new maintained distro entry and expected map size.
  • pkg/agent/bakerapi_test.go: Extends API implementation tests to include the new distro in supported distros.

Comment thread on pkg/agent/datamodel/types.go (outdated), lines 159 to 163:

    AKSCBLMarinerV2Gen2Kata     Distro = "aks-cblmariner-v2-gen2-kata"
    AKSAzureLinuxV2Gen2Kata     Distro = "aks-azurelinux-v2-gen2-kata"
    AKSAzureLinuxV3Gen2Kata     Distro = "aks-azurelinux-v3-gen2-kata"
    AKSAzureLinuxV3Gen2KataFIPS Distro = "aks-azurelinux-v3-gen2-kata-fips"
    AKSCBLMarinerV2Gen2TL       Distro = "aks-cblmariner-v2-gen2-tl"

Wire a new aks-azurelinux-v3-gen2-kata-fips distro that builds the
AzureLinux 3 gen2 Kata host VHD with host-side FIPS enabled (ENABLE_FIPS,
ENABLE_CGROUPV2). Adds the release pipeline build job, the distro const and
Kata/cgroupv2 classification, the SIG image config template and mapping, and
corresponding unit test coverage.

Note: host FIPS (dracut-fips + fips=1 host cmdline) does not propagate to the
guest microVM; true guest UVM FIPS is tracked separately (kernel-uvm).
Bickor force-pushed the mheberling/kata-fips branch from 681d5f7 to 273683e on July 2, 2026 21:42